Re: [squid-users] errors when building with ssl-crtd for CentOS 6
On 10/08/2012 1:55 a.m., Dan Charlesworth wrote:

Hi

Apparently I'm having the exact same issue as Michael was in this thread:
http://www.squid-cache.org/mail-archive/squid-users/201204/0016.html

Differences are:
- I'm using 3.1.20
- I'm using CentOS 6.3 with openssl-1.0.0-20
- I'm building an RPM via mock

This is the configure section from the spec file:

%configure \
    --libexecdir=%{_libdir}/squid \
    --localstatedir=/var \
    --datadir=%{_datadir}/squid \
    --sysconfdir=%{_sysconfdir}/squid \
    --with-logdir='$(localstatedir)/log/squid' \
    --with-pidfile='$(localstatedir)/run/squid.pid' \
    --disable-dependency-tracking \
    --enable-arp-acl \
    --enable-follow-x-forwarded-for \
    --enable-auth=basic,digest,ntlm,negotiate \
    --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth \
    --enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth \
    --enable-digest-auth-helpers=password,ldap,eDirectory \
    --enable-negotiate-auth-helpers=squid_kerb_auth \
    --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group \
    --enable-cache-digests \
    --enable-cachemgr-hostname=localhost \
    --enable-delay-pools \
    --enable-epoll \
    --enable-icap-client \
    --enable-ident-lookups \
%ifnarch ppc64 ia64 x86_64 s390x
    --with-large-files \
%endif
    --enable-linux-netfilter \
    --enable-referer-log \
    --enable-removal-policies=heap,lru \
    --enable-snmp \
    --enable-ssl \
    --enable-ssl-crtd \
    --enable-storeio=aufs,diskd,ufs \
    --enable-useragent-log \
    --enable-wccpv2 \
    --enable-esi \
    --with-aio \
    --with-default-user=squid \
    --with-filedescriptors=65535 \
    --with-maxfd=65535 \
    --with-dl \
    --with-openssl \

Errors (the first few lines):

certificate_db.cc: In member function 'void Ssl::CertificateDb::load()':
certificate_db.cc:404: error: 'index_serial_hash_LHASH_HASH' was not declared in this scope
certificate_db.cc:404: error: 'index_serial_cmp_LHASH_COMP' was not declared in this scope
certificate_db.cc:407: error: 'index_name_hash_LHASH_HASH' was not declared in this scope
certificate_db.cc:407: error: 'index_name_cmp_LHASH_COMP' was not declared in this scope
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:441: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'int sk_num(const _STACK*)'
certificate_db.cc:442: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'void* sk_value(const _STACK*, int)'

I don't quite understand what Michael did to work around it. I would just like to know if this can be worked around given my environment and if so, how exactly?

He installed a different version of OpenSSL and used the --with-openssl= configure option to tell Squid exactly which library to build against.

The early 1.0.0 had symbol issues and all signs are pointing at those -fips libraries being patched with ABI breaking stuff.

Amos
Re: [squid-users] squid 3.2 intercept and upstream proxy not working
On 10/08/2012 7:36 a.m., Davide Alberani wrote:

On Thu, Aug 9, 2012 at 1:16 AM, Amos Jeffries squ...@treenet.co.nz wrote:

I'm trying squid 3.2 (since I'll need some of the new features), but I'm having troubles using it in intercept mode, when used along with an upstream proxy.

Which 3.2 release number please? That matters a LOT.

Pardon; it was a 3.2.0.18; I'll try with the latest version as soon as possible and I'll post the results.

BUT, ... checking your config file there is a bigger problem, and a relatively large amount of useless ACL checks ...

Thank you very much for all the hints about the configuration!

In 3.2 the default action when no cache_peer_access at all is configured, is to attempt to use the peer.

I see.

FYI: I'm having to bump out a new .20 package due to another issue. You may wish to wait for that to improve the peer selection for interception proxies. Maybe we have a bug in FIRSTUP_PARENT selection not checking the cache_peer_access properly.

I'll do some tests in the next days, and let you know the results. What's the best debug_options to use, to analyze the FIRSTUP_PARENT selection?

Hm, most of this does not contain debug messages so it's tricky. Access Controls and peer selection levels would be best I think.

Amos
Re: [squid-users] squid 3.2.0.19 compilation problem
It looks like somebody has patched your particular library 1.0.0 beta3 to back-port something?

No idea if somebody patched openssl. My system is CentOS Linux release 6.0. Also, I guess the compilation error "invalid conversion from ‘void*’ to ‘const _STACK*’" will be thrown by higher versions of the g++ compiler (= 4.4) due to their stricter checking.

Regards,
Nipun Talukdar
Bangalore

On Thu, Aug 9, 2012 at 7:04 PM, Amos Jeffries squ...@treenet.co.nz wrote:

On 10/08/2012 12:35 a.m., nipun_mlist Assam wrote:

Fixed the compilation issue. I guess it is safe to use the check #if OPENSSL_VERSION_NUMBER = 0x1003L instead. This check is there in many files. I modified only certificate_db.cc. If we know the exact openssl version from where these lhash, safestack etc. headers got modified, then this check can be made more appropriate.

They were changed by the upstream OpenSSL project in version 1.0.0d (which uses ABI numbers 0x1040L to 0x104fL). It looks like somebody has patched your particular library 1.0.0 beta3 to back-port something?

Amos

Regards,
Nipun Talukdar
Bangalore India

On Thu, Aug 9, 2012 at 4:39 PM, nipun_mlist Assam nipunml...@gmail.com wrote:

Hi Amos,

OPENSSL_VERSION_NUMBER is 0x1003L. I replaced (in certificate_db.cc) #if OPENSSL_VERSION_NUMBER = 0x104fL with #if OPENSSL_VERSION_NUMBER = 0x1003L.

Now I get the below problem (compiler used is g++ (GCC) 4.4.4 20100726 (Red Hat 4.4.4-13)):

certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteInvalidCertificate()’:
certificate_db.cc:523: error: invalid conversion from ‘void*’ to ‘const _STACK*’
certificate_db.cc:523: error: initializing argument 1 of ‘void* sk_value(const _STACK*, int)’
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteOldestCertificate()’:
certificate_db.cc:554: error: invalid conversion from ‘void*’ to ‘const _STACK*’
certificate_db.cc:554: error: initializing argument 1 of ‘void* sk_value(const _STACK*, int)’
certificate_db.cc: In member function ‘bool Ssl::CertificateDb::deleteByHostname(const std::string)’:
certificate_db.cc:571: error: invalid conversion from ‘void*’ to ‘const _STACK*’
certificate_db.cc:571: error: initializing argument 1 of ‘void* sk_value(const _STACK*, int)’

On Thu, Aug 9, 2012 at 4:22 PM, Amos Jeffries squ...@treenet.co.nz wrote:

On 09.08.2012 20:04, nipun_mlist Assam wrote:

Hi All,

I am facing a compilation problem with squid 3.2.0.19. This fails because of some changes in the openssl header lhash.h (generally installed in /usr/include/openssl/lhash.h). I used openssl 1.0.0 (OpenSSL 1.0.0-fips) for building squid. The lhash.h header has slightly different macros in openssl 1.0.0 and openssl 0.9.8. That is failing the build. I believe if we fix these macro calls, squid should compile without any problem. Most probably there won't be any issue with any other openssl APIs used by squid and squid hopefully works just fine with openssl 1.0.0 as well. My question here is, if anybody fixed the problem already and if squid works with openssl 1.0.0 also.

Could you please search your openssl .h files for the *exact* ABI version number and report back please. It should look like #define OPENSSL_VERSION_NUMBER ...

Amos

--
Regards,
Nipun

--
Regards,
Nipun
Re: [squid-users] errors when building with ssl-crtd for CentOS 6
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:441: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'int sk_num(const _STACK*)'
certificate_db.cc:442: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'void* sk_value(const _STACK*, int)'

I don't quite understand what Michael did to work around it. I would just like to know if this can be worked around given my environment and if so, how exactly?

He installed a different version of OpenSSL and used the --with-openssl= configure option to tell Squid exactly which library to build against.

The early 1.0.0 had symbol issues and all signs are pointing at those -fips libraries being patched with ABI breaking stuff.

One more way to fix this is to replace all
#if OPENSSL_VERSION_NUMBER = 0x104fL
with
#if OPENSSL_VERSION_NUMBER = your-openssl-abi-version
and replace all
const char **row = (const char **)sk_OPENSSL_PSTRING_value(...
with
const char **row = (const char **)sk_value((const _STACK *)(...

--
Regards,
Nipun
[squid-users] Re: squid_kerb_auth High CPU load.
Hooray!!! I solved my problem with squid_kerb_auth!!! The problem was not in the architecture, as I wrongly supposed. The problem is SELINUX; even in permissive mode it makes a big CPU pressure.
Re: [squid-users] errors when building with ssl-crtd for CentOS 6
Thanks Nipun.

A patch is going to be a much better option for me given the difficulty of dealing with building RPMs and mock environments etc.

I understand part 2 of your suggestions but I'm unsure how to find out what my ABI version is. If I run "openssl version" I get the following output:

OpenSSL 1.0.0-fips 29 Mar 2010

Should I be replacing all instances of '0x104fL' with '1.0.0-fips' in certificate_db.cc?

Sorry - I'm pretty new to this.

Thanks

On 10/08/2012, at 7:30 PM, nipun_mlist Assam nipunml...@gmail.com wrote:

certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:441: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'int sk_num(const _STACK*)'
certificate_db.cc:442: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'void* sk_value(const _STACK*, int)'

I don't quite understand what Michael did to work around it. I would just like to know if this can be worked around given my environment and if so, how exactly?

He installed a different version of OpenSSL and used the --with-openssl= configure option to tell Squid exactly which library to build against.

The early 1.0.0 had symbol issues and all signs are pointing at those -fips libraries being patched with ABI breaking stuff.

One more way to fix this is to replace all
#if OPENSSL_VERSION_NUMBER = 0x104fL
with
#if OPENSSL_VERSION_NUMBER = your-openssl-abi-version
and replace all
const char **row = (const char **)sk_OPENSSL_PSTRING_value(...
with
const char **row = (const char **)sk_value((const _STACK *)(...

--
Regards,
Nipun
[squid-users] Re: squid_kerb_auth High CPU load.
Good news. Thank you for sharing.

Markus

Viorel Robu viorelr...@yahoo.com wrote in message news:loom.20120810t112710-...@post.gmane.org...

Hooray!!! I solved my problem with squid_kerb_auth!!! The problem was not in the architecture, as I wrongly supposed. The problem is SELINUX; even in permissive mode it makes a big CPU pressure.
Re: [squid-users] errors when building with ssl-crtd for CentOS 6
ABI version is defined in opensslv.h. Something like

#define OPENSSL_VERSION_NUMBER 0x1003L

Generally openssl header files are installed in /usr/include/openssl/

Regards,
Nipun

On Fri, Aug 10, 2012 at 3:44 PM, Dan Charlesworth d...@getbusi.com wrote:

Thanks Nipun.

A patch is going to be a much better option for me given the difficulty of dealing with building RPMs and mock environments etc.

I understand part 2 of your suggestions but I'm unsure how to find out what my ABI version is. If I run "openssl version" I get the following output:

OpenSSL 1.0.0-fips 29 Mar 2010

Should I be replacing all instances of '0x104fL' with '1.0.0-fips' in certificate_db.cc?

Sorry - I'm pretty new to this.

Thanks

On 10/08/2012, at 7:30 PM, nipun_mlist Assam nipunml...@gmail.com wrote:

certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:441: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'int sk_num(const _STACK*)'
certificate_db.cc:442: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'void* sk_value(const _STACK*, int)'

I don't quite understand what Michael did to work around it. I would just like to know if this can be worked around given my environment and if so, how exactly?

He installed a different version of OpenSSL and used the --with-openssl= configure option to tell Squid exactly which library to build against.

The early 1.0.0 had symbol issues and all signs are pointing at those -fips libraries being patched with ABI breaking stuff.

One more way to fix this is to replace all
#if OPENSSL_VERSION_NUMBER = 0x104fL
with
#if OPENSSL_VERSION_NUMBER = your-openssl-abi-version
and replace all
const char **row = (const char **)sk_OPENSSL_PSTRING_value(...
with
const char **row = (const char **)sk_value((const _STACK *)(...

--
Regards,
Nipun

--
Regards,
Nipun Talukdar
Bangalore
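As an added example (not code from this thread, from Squid or from OpenSSL), the following C program shows what the "ABI version" in opensslv.h actually is: it pulls the `#define OPENSSL_VERSION_NUMBER ...` line out of a constructed opensslv.h fragment, decodes the OpenSSL 0.9.x/1.x `0xMNNFFPPSL` layout into a readable version string, and evaluates the same `>=` comparison that the certificate_db.cc guards perform at preprocessing time. The header text is a constructed sample; the values 0x1000004fL (1.0.0d) and 0x0090818fL (0.9.8x) are the full eight-hex-digit form in which opensslv.h defines the number.

```c
/* Added example: decode OpenSSL 0.9.x/1.x OPENSSL_VERSION_NUMBER values and
 * check a build-time version guard against them.  Not Squid or OpenSSL code.
 * Layout assumed: 0xMNNFFPPSL
 *   M  = major, NN = minor, FF = fix, PP = patch letter (1 = 'a'),
 *   S  = status (0 = dev, 1..14 = beta N, 15 = release). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned major, minor, fix, patch, status;
} OpenSSLVersion;

/* Split the packed number into its fields. */
OpenSSLVersion openssl_version_decode(unsigned long v)
{
    OpenSSLVersion r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render as the familiar "1.0.0d" / "1.0.0-beta3" / "0.9.8x" style string.
 * Returns buf for convenience. */
const char *openssl_version_format(unsigned long v, char *buf, size_t len)
{
    OpenSSLVersion r = openssl_version_decode(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);

    if (r.status == 0xf)
        snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    else if (r.status == 0)
        snprintf(buf, len, "%u.%u.%u%s-dev", r.major, r.minor, r.fix, letter);
    else
        snprintf(buf, len, "%u.%u.%u%s-beta%u", r.major, r.minor, r.fix, letter, r.status);
    return buf;
}

/* Locate "#define OPENSSL_VERSION_NUMBER <hex>" in header text (as read from
 * /usr/include/openssl/opensslv.h) and parse the value.  Returns 1 on success. */
int openssl_version_from_header(const char *header_text, unsigned long *out)
{
    static const char key[] = "#define OPENSSL_VERSION_NUMBER";
    const char *p = header_text;
    while ((p = strstr(p, key)) != NULL) {
        const char *q = p + sizeof(key) - 1;
        while (*q == ' ' || *q == '\t')
            q++;
        char *end = NULL;
        unsigned long v = strtoul(q, &end, 16);   /* accepts the 0x prefix; stops at the 'L' suffix */
        if (end != q) {
            *out = v;
            return 1;
        }
        p = q;   /* malformed define: keep searching for another one */
    }
    return 0;
}

/* The same test the certificate_db.cc "#if OPENSSL_VERSION_NUMBER >= X" guards perform. */
int openssl_guard_enabled(unsigned long have, unsigned long threshold)
{
    return have >= threshold;
}

/* Convenience wrappers so callers can check results without managing buffers. */
int openssl_version_is(unsigned long v, const char *expected)
{
    char buf[32];
    return strcmp(openssl_version_format(v, buf, sizeof buf), expected) == 0;
}

unsigned long openssl_version_parse(const char *header_text)
{
    unsigned long v = 0;
    return openssl_version_from_header(header_text, &v) ? v : 0;
}

/* Constructed opensslv.h fragment; not copied from any real package. */
static const char SAMPLE_OPENSSLV_H[] =
    "/* constructed sample header */\n"
    "#define OPENSSL_VERSION_NUMBER 0x1000004fL\n"
    "#define OPENSSL_VERSION_TEXT \"OpenSSL 1.0.0d (sample)\"\n";

int main(void)
{
    unsigned long abi = openssl_version_parse(SAMPLE_OPENSSLV_H);
    char text[32];
    if (abi == 0) {
        fprintf(stderr, "no OPENSSL_VERSION_NUMBER found\n");
        return 1;
    }
    printf("ABI number 0x%08lxL = %s\n", abi, openssl_version_format(abi, text, sizeof text));
    printf("guard '>= 0x1000004fL' is %s\n",
           openssl_guard_enabled(abi, 0x1000004fUL) ? "enabled" : "disabled");
    return 0;
}
```

Running it on the real header (`cat /usr/include/openssl/opensslv.h`) rather than the constructed sample gives the exact value to compare against the threshold in the `#if` guards; the text from `openssl version` is not that number.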
Re: [squid-users] squid 3.2 intercept and upstream proxy not working
On 8/9/2012 4:47 AM, Amos Jeffries wrote:

On 09.08.2012 12:32, Eliezer Croitoru wrote:

On 8/9/2012 2:16 AM, Amos Jeffries wrote:

Releases 3.2.0.14-3.2.0.18 have a standing block preventing requests with conflicting destination IP and destination domain name being passed to peers. Release 3.2.0.19 loosens that block to allow it, but only if the client's original destination IP (ORIGINAL_DST) is non-contactable by the proxy.

BUT, ... checking your config file there is a bigger problem, and a relatively large amount of useless ACL checks ...

And let's say I want to loosen it a bit more?

How much more? To relay known dangerous traffic to peers as if it were safe? Or just to obey never_direct?

Flag it as safe... because it is a local one that is safe. I am talking only about HTTP traffic and not HTTPS.

Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
Re: [squid-users] errors when building with ssl-crtd for CentOS 6
Thanks again. Turns out what you pasted is the same ABI as my CentOS 6.3 environment.

I made a patch (attached) based on your suggestions but the build is failing on the following errors:

certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:439: error: invalid conversion from 'void*' to 'const _STACK*'
certificate_db.cc:439: error: initializing argument 1 of 'void* sk_value(const _STACK*, int)'
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteOldestCertificate()':
certificate_db.cc:478: error: expected ')' before ';' token
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteByHostname(const std::string)':
certificate_db.cc:504: error: invalid conversion from 'void*' to 'const _STACK*'
certificate_db.cc:504: error: initializing argument 1 of 'void* sk_value(const _STACK*, int)'

Anything else I can try?

Thanks

--- src/ssl/certificate_db.cc 2012-06-08 21:20:21.0 +1000 +++ src/ssl/certificate_db.cc 2012-08-10 20:43:37.0 +1000 @@ -394,7 +394,7 @@ corrupt = true; // Create indexes in db. -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L if (!corrupt !TXT_DB_create_index(temp_db.get(), cnlSerial, NULL, LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial))) corrupt = true; @@ -434,7 +434,7 @@ return false; bool removed_one = false; -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L for (int i = 0; i sk_OPENSSL_PSTRING_num(db.get()-data); i++) { const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()-data, i)); #else @@ -445,7 +445,7 @@ if (!sslDateIsInTheFuture(current_row[cnlExp_date])) { std::string filename(cert_full + / + current_row[cnlSerial] + .pem); FileLocker cert_locker(filename); -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L sk_OPENSSL_PSTRING_delete(db.get()-data, i); #else sk_delete(db.get()-data, i); 
@@ -467,22 +467,22 @@ if (!db) return false; -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L if (sk_OPENSSL_PSTRING_num(db.get()-data) == 0) #else if (sk_num(db.get()-data) == 0) #endif return false; -#if OPENSSL_VERSION_NUMBER = 0x104fL -const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()-data, 0); +#if OPENSSL_VERSION_NUMBER = 0x1003L +const char **row = (const char **)sk_value((const _STACK *)(db.get()-data, 0); #else const char **row = (const char **)sk_value(db.get()-data, 0); #endif std::string filename(cert_full + / + row[cnlSerial] + .pem); FileLocker cert_locker(filename); -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L sk_OPENSSL_PSTRING_delete(db.get()-data, 0); #else sk_delete(db.get()-data, 0); @@ -499,7 +499,7 @@ if (!db) return false; -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L for (int i = 0; i sk_OPENSSL_PSTRING_num(db.get()-data); i++) { const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()-data, i)); #else 
@@ -509,7 +509,7 @@ if (host == current_row[cnlName]) { std::string filename(cert_full + / + current_row[cnlSerial] + .pem); FileLocker cert_locker(filename); -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L sk_OPENSSL_PSTRING_delete(db.get()-data, i); #else sk_delete(db.get()-data, i);

On 10/08/2012, at 8:32 PM, nipun_mlist Assam nipunml...@gmail.com wrote:

ABI version is defined in opensslv.h. Something like

#define OPENSSL_VERSION_NUMBER 0x1003L

Generally openssl header files are installed in /usr/include/openssl/

Regards,
Nipun

On Fri, Aug 10, 2012 at 3:44 PM, Dan Charlesworth d...@getbusi.com wrote:

Thanks Nipun.

A patch is going to be a much better option for me given the difficulty of dealing with building RPMs and mock environments etc.

I understand part 2 of your suggestions but I'm unsure how to find out what my ABI version is. If I run "openssl version" I get the following output:

OpenSSL 1.0.0-fips 29 Mar 2010

Should I be replacing all instances of '0x104fL' with '1.0.0-fips' in certificate_db.cc?

Sorry - I'm pretty new to this.

Thanks

On 10/08/2012, at 7:30 PM, nipun_mlist Assam nipunml...@gmail.com wrote:

certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:441: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'int sk_num(const _STACK*)'
certificate_db.cc:442: error: cannot convert 'stack_st_OPENSSL_PSTRING*' to 'const _STACK*' for argument '1' to 'void*
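Review bot: the guard lines added in the @@ -394 hunk (and repeated in every later hunk) are shown as `#if OPENSSL_VERSION_NUMBER = 0x1003L`, a single `=`, which is not a comparison the preprocessor accepts; confirm that the attached file carries the intended `>=` and that only the mail rendering dropped it. Since 0x1003L is the number read from one CentOS 6 OpenSSL 1.0.0-fips build rather than an upstream OpenSSL release number, a one-line comment recording where it came from would keep the next reader from treating it as a real version boundary.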
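Review bot: the @@ -434 hunk changes only the version guard; deleteInvalidCertificate() still reads rows with `sk_OPENSSL_PSTRING_value(db.get()-data, i)`, and that is the line behind the new `invalid conversion from 'void*' to 'const _STACK*'` error at 439 (the same call the original errors at 441/442 complained about). Apply the explicit `sk_value((const _STACK *)...)` rewrite used for `row` in the @@ -467 hunk here as well.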
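Review bot: the added line in the @@ -467 hunk, `const char **row = (const char **)sk_value((const _STACK *)(db.get()-data, 0);`, opens a parenthesis before `db.get()` that is never closed, which is the `expected ')' before ';' token` error at line 478; it should read `sk_value((const _STACK *)(db.get()-data), 0)` so the cast wraps only the stack pointer and the index stays an argument of sk_value.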
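Review bot: same omission as in deleteInvalidCertificate(): the @@ -499 hunk leaves deleteByHostname() calling `sk_OPENSSL_PSTRING_value`, which is where the error at line 504 comes from, so it needs the cast-to-`_STACK` form too; with that and the @@ -467 parenthesis fixed, every guarded value read uses one consistent style.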
Re: [squid-users] squid 3.2 intercept and upstream proxy not working
On 10/08/2012 10:54 p.m., Eliezer Croitoru wrote:

On 8/9/2012 4:47 AM, Amos Jeffries wrote:

On 09.08.2012 12:32, Eliezer Croitoru wrote:

On 8/9/2012 2:16 AM, Amos Jeffries wrote:

Releases 3.2.0.14-3.2.0.18 have a standing block preventing requests with conflicting destination IP and destination domain name being passed to peers. Release 3.2.0.19 loosens that block to allow it, but only if the client's original destination IP (ORIGINAL_DST) is non-contactable by the proxy.

BUT, ... checking your config file there is a bigger problem, and a relatively large amount of useless ACL checks ...

And let's say I want to loosen it a bit more?

How much more? To relay known dangerous traffic to peers as if it were safe? Or just to obey never_direct?

Flag it as safe... because it is a local one that is safe. I am talking only about HTTP traffic and not HTTPS.

Please try 3.2.0.19 with this extra patch:
http://ww.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch

It removes the preference bias for ORIGINAL_DST over peers.

Amos
Re: [squid-users] squid_ldap_group (Group into Group)
Hi Eugene,

Yes, that's true, but this only works together with the program squid_kerb_auth. So this requires my computer to be inside a domain. I need it to work with a popup to type username and password.

I tried:
- to use squid_kerb_auth with the parameter auth_param basic program (DOESN'T WORK)
- to use squid_ldap_auth to authenticate and squid_kerb_ldap to search. It authenticates but doesn't search. (DOESN'T WORK)
- to use auth_param negotiate program squid_kerb_auth with squid_kerb_ldap to search, with my computer inside a domain. (IT WORKS!) But without username/password popup.

Is there some way to join Authentication via Popup + Recursive Query?

Thanks Guys.

On Fri, Aug 10, 2012 at 12:57 AM, Eugene M. Zheganin eug...@zhegan.in wrote:

Hi.

On 10.08.2012 01:10, Rickifer Barros wrote:

Hi squid users,

I have a question about the helper squid_ldap_group which I can't find an answer to on the internet. I'm testing it and I noticed that it doesn't recognize groups inside a group, but only reads users inside a group.

The command I'm using is like this:

external_acl_type AD_GROUP %LOGIN /usr/lib/squid3/squid_ldap_group -R -P -b dc=domain,dc=yyy -D cn=user,dc=domain,dc=yyy -w password -f ((objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=example,dc=domain,dc=yyy)) -h yyy.yyy.yyy.yyy

Is there a way for squid_ldap_group to read the groups inside another group?

Afaik, the only way to let squid know about nested groups is to use squid_kerb_ldap instead of squid_ldap_group.

Eugene.
[squid-users] Re: squid_ldap_group (Group into Group)
Hi Rickifer,

squid_kerb_ldap does not require squid_kerb_auth. You can use command line options for ldap and a default realm.

ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D Realm ] [-N Netbios-Realm-List] [-m Max-Depth] [-u Ldap-User] [-p Ldap-Password] [-b Ldap-Bind-Path] [-l Ldap-URL] [-S ldap server list] -g Group-Realm-List -t Hex-Group-Realm-List -T Hex-Group-Hex-Realm-List

Markus

Rickifer Barros rickiferbar...@gmail.com wrote in message news:CAD1agDxyKH0acW1u84ysDVVGQnf2vUajR4xhnOH=d=m4fxj...@mail.gmail.com...

Hi Eugene,

Yes, that's true, but this only works together with the program squid_kerb_auth. So this requires my computer to be inside a domain. I need it to work with a popup to type username and password.

I tried:
- to use squid_kerb_auth with the parameter auth_param basic program (DOESN'T WORK)
- to use squid_ldap_auth to authenticate and squid_kerb_ldap to search. It authenticates but doesn't search. (DOESN'T WORK)
- to use auth_param negotiate program squid_kerb_auth with squid_kerb_ldap to search, with my computer inside a domain. (IT WORKS!) But without username/password popup.

Is there some way to join Authentication via Popup + Recursive Query?

Thanks Guys.

On Fri, Aug 10, 2012 at 12:57 AM, Eugene M. Zheganin eug...@zhegan.in wrote:

Hi.

On 10.08.2012 01:10, Rickifer Barros wrote:

Hi squid users,

I have a question about the helper squid_ldap_group which I can't find an answer to on the internet. I'm testing it and I noticed that it doesn't recognize groups inside a group, but only reads users inside a group.

The command I'm using is like this:

external_acl_type AD_GROUP %LOGIN /usr/lib/squid3/squid_ldap_group -R -P -b dc=domain,dc=yyy -D cn=user,dc=domain,dc=yyy -w password -f ((objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=example,dc=domain,dc=yyy)) -h yyy.yyy.yyy.yyy

Is there a way for squid_ldap_group to read the groups inside another group?

Afaik, the only way to let squid know about nested groups is to use squid_kerb_ldap instead of squid_ldap_group.

Eugene.
Re: [squid-users] errors when building with ssl-crtd for CentOS 6
I made a patch (attached) based on your suggestions but the build is failing on the following errors:

certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:439: error: invalid conversion from 'void*' to 'const _STACK*'
certificate_db.cc:439: error: initializing argument 1 of 'void* sk_value(const _STACK*, int)'
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteOldestCertificate()':

Which squid version are you using? I am attaching my patch for certificate_db.cc (for squid version squid-3.2.0.19). It should compile.

Regards,
Nipun

diff -ur squid-3.2.0.19/src/ssl/certificate_db.cc squid-3.2.0.19_sslcompilefix/src/ssl/certificate_db.cc --- squid-3.2.0.19/src/ssl/certificate_db.cc2012-08-02 05:14:34.0 -0700 +++ squid-3.2.0.19_sslcompilefix/src/ssl/certificate_db.cc 2012-08-09 05:25:19.362601312 -0700 @@ -450,7 +450,7 @@ corrupt = true; // Create indexes in db. -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L if (!corrupt !TXT_DB_create_index(temp_db.get(), cnlSerial, NULL, LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial))) corrupt = true; @@ -489,7 +489,7 @@ void Ssl::CertificateDb::deleteRow(const char **row, int rowIndex) { const std::string filename(cert_full + / + row[cnlSerial] + .pem); -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L sk_OPENSSL_PSTRING_delete(db.get()-data, rowIndex); #else sk_delete(db.get()-data, rowIndex); @@ -497,7 +497,7 @@ const Columns db_indexes[]={cnlSerial, cnlName}; for (unsigned int i = 0; i countof(db_indexes); ++i) { -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L if (LHASH_OF(OPENSSL_STRING) *fieldIndex = db.get()-index[db_indexes[i]]) lh_OPENSSL_STRING_delete(fieldIndex, (char **)row); #else 
@@ -518,9 +518,9 @@ return false; bool removed_one = false; -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L for (int i = 0; i sk_OPENSSL_PSTRING_num(db.get()-data); ++i) { -const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()-data, i)); +const char ** current_row = ((const char **)sk_value((const _STACK *)(db.get()-data), i)); #else for (int i = 0; i sk_num(db.get()-data); ++i) { const char ** current_row = ((const char **)sk_value(db.get()-data, i)); @@ -543,15 +543,15 @@ if (!db) return false; -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L if (sk_OPENSSL_PSTRING_num(db.get()-data) == 0) #else if (sk_num(db.get()-data) == 0) #endif return false; -#if OPENSSL_VERSION_NUMBER = 0x104fL -const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()-data, 0); +#if OPENSSL_VERSION_NUMBER = 0x1003L +const char **row = (const char **)sk_value((const _STACK *)(db.get()-data), 0); #else const char **row = (const char **)sk_value(db.get()-data, 0); #endif @@ -566,9 +566,9 @@ if (!db) return false; -#if OPENSSL_VERSION_NUMBER = 0x104fL +#if OPENSSL_VERSION_NUMBER = 0x1003L for (int i = 0; i sk_OPENSSL_PSTRING_num(db.get()-data); ++i) { -const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()-data, i)); +const char ** current_row = ((const char **)sk_value((const _STACK *)(db.get()-data), i)); #else for (int i = 0; i sk_num(db.get()-data); ++i) { const char ** current_row = ((const char **)sk_value(db.get()-data, i));
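Review bot: the @@ -450 hunk (and every guard below it) lowers the threshold to the hard-coded 0x1003L that was read from one CentOS 6 OpenSSL 1.0.0-fips build; any other OpenSSL whose OPENSSL_VERSION_NUMBER falls between that value and the original 0x104fL will now take the new branch whether or not its headers have the typed lhash/safestack macros. A feature test, or failing that a comment naming the package this value was measured on, would make the guard reviewable instead of looking like an upstream version boundary.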
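Review bot: the @@ -489 hunk keeps the typed `sk_OPENSSL_PSTRING_delete(db.get()-data, rowIndex)` for deletion while the @@ -518, -543 and -566 hunks switch value reads to the untyped `sk_value((const _STACK *)...)`; the patch therefore relies on the typed delete macro compiling on the very library where the typed value macro did not. A comment explaining that asymmetry (or a matching cast on the delete path for symmetry) would record why only the reads were changed.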
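Review bot: the cast `(const _STACK *)(db.get()-data)` in the @@ -518 hunk deliberately bypasses the type-checked safestack wrapper, which is exactly the check that caught the original mismatch, and the loop bound on the line above still calls `sk_OPENSSL_PSTRING_num` on the same pointer, so the two calls in one loop disagree about the stack's type. That is acceptable as a local build workaround for this -fips library, but it should be labelled as such and not carried upstream as-is.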
Re: [squid-users] squid_ldap_group (Group into Group)
On 10/08/2012 11:55 p.m., Rickifer Barros wrote:

Hi Eugene,

Yes, that's true, but this only works together with the program squid_kerb_auth. So this requires my computer to be inside a domain. I need it to work with a popup to type username and password.

I tried:
- to use squid_kerb_auth with the parameter auth_param basic program (DOESN'T WORK)

Taking Basic auth scheme and sending its credentials format to Kerberos scheme helper - FAIL.

- to use squid_ldap_auth to authenticate and squid_kerb_ldap to search. It authenticates but doesn't search. (DOESN'T WORK)

Taking a Basic auth format username and looking up Kerberos groups with it. Could work, but Basic auth usernames do not normally have the @DOMAIN syntax part. You will need to check users are logging in with that and it's not being stripped away anywhere.

- to use auth_param negotiate program squid_kerb_auth with squid_kerb_ldap to search, with my computer inside a domain. (IT WORKS!) But without username/password popup.

Kerberos is designed to operate without a popup. Move the computer outside the domain and it might work only with popups. Or it might not.

Is there some way to join Authentication via Popup + Recursive Query?

They are completely separate operations.

external_acl_type (group lookup) does authorization. Taking the username and checking groups. The username can come from any authentication type, or even be non-authenticated. The only thing that matters is whether the username presented by Squid to the helper is of a format which matches something in the groups database.

Amos
Re: [squid-users] errors when building with ssl-crtd for CentOS 6
I'm using 3.1.20 but I figured out where my patch was wrong from your example. All working now!

Thanks again for your help.

Cheers
Dan

On 10/08/2012, at 10:11 PM, nipun_mlist Assam nipunml...@gmail.com wrote:

I made a patch (attached) based on your suggestions but the build is failing on the following errors:

certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteInvalidCertificate()':
certificate_db.cc:439: error: invalid conversion from 'void*' to 'const _STACK*'
certificate_db.cc:439: error: initializing argument 1 of 'void* sk_value(const _STACK*, int)'
certificate_db.cc: In member function 'bool Ssl::CertificateDb::deleteOldestCertificate()':

Which squid version are you using? I am attaching my patch for certificate_db.cc (for squid version squid-3.2.0.19). It should compile.

Regards,
Nipun

certificate_db_cc_compile_fix_patch.txt
Re: [squid-users] squid_ldap_group (Group into Group)
It Worked!!! Thank you Guys for all your tips...

I got this with the command lines:

FOR AUTHENTICATION:
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b dc=domain,dc=yyy -D cn=user,ou=example,dc=domain,dc=yyy -w password -f sAMAccountName=%s -h IP_LDAP_SERVER
auth_param basic children 5
auth_param basic realm DOMAIN
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off

FOR RECURSIVE LDAP SEARCH:
external_acl_type AD_GROUP ttl=300 negative_ttl=300 %LOGIN /usr/lib/squid3/squid_kerb_ldap -D DOMAIN.YYY -g gr...@domain.yyy

SQUID ACLs:
acl ACL_X external AD_GROUP
http_access allow ACL_X

One more time, Thank you very much.

Cheers.
Rickifer Barros

On Fri, Aug 10, 2012 at 9:17 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On 10/08/2012 11:55 p.m., Rickifer Barros wrote:

Hi Eugene,

Yes, that's true, but this only works together with the program squid_kerb_auth. So this requires my computer to be inside a domain. I need it to work with a popup to type username and password.

I tried:
- to use squid_kerb_auth with the parameter auth_param basic program (DOESN'T WORK)

Taking Basic auth scheme and sending its credentials format to Kerberos scheme helper - FAIL.

- to use squid_ldap_auth to authenticate and squid_kerb_ldap to search. It authenticates but doesn't search. (DOESN'T WORK)

Taking a Basic auth format username and looking up Kerberos groups with it. Could work, but Basic auth usernames do not normally have the @DOMAIN syntax part. You will need to check users are logging in with that and it's not being stripped away anywhere.

- to use auth_param negotiate program squid_kerb_auth with squid_kerb_ldap to search, with my computer inside a domain. (IT WORKS!) But without username/password popup.

Kerberos is designed to operate without a popup. Move the computer outside the domain and it might work only with popups. Or it might not.

Is there some way to join Authentication via Popup + Recursive Query?

They are completely separate operations.

external_acl_type (group lookup) does authorization. Taking the username and checking groups. The username can come from any authentication type, or even be non-authenticated. The only thing that matters is whether the username presented by Squid to the helper is of a format which matches something in the groups database.

Amos
[squid-users] 100% CPU
Hi folks,

I'm using: Squid Cache version 3.0.STABLE13 for i686-suse-linux

This cache has been running well for at least a couple of years, or more. As of yesterday, my squid process started using 100% CPU and users on the proxy are experiencing extremely slow Internet speeds. I've disabled caching (thinking it was maybe a cache issue), but the problem remains.

I've tried strace on the squid process, but I don't know what I'm even looking for. As for syscalls, I see lots of reads and writes.

It seems to be a particular user, or number of users running something through the proxy that is causing the CPU to spike. This morning everything was fine for a couple of hours with users on it... CPU was behaving... then within a minute or so it spiked and remained pegged at 100%.

Would a video or audio stream cause something like this? A very large download?

Thanks,
Matt
[squid-users] squidguard not blocking
squidguard correctly blocks when I run from the command line:

[root squidguard]# echo http://www.porn.com/ - - GET | squidGuard -c /etc/squid/squidguard.conf -d
2012-08-10 17:45:22 [28923] New setting: dbhome: /var/lib/squidguard
2012-08-10 17:45:22 [28923] New setting: logdir: /var/log/squidguard
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/porn/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/porn/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/porn/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/porn/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/aggressive/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/aggressive/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/aggressive/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/aggressive/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/hacking/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/hacking/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/hacking/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/hacking/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/religion/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/religion/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/religion/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/religion/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/spyware/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/spyware/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/spyware/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/spyware/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/violence/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/violence/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/violence/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/violence/urls.db
2012-08-10 17:45:22 [28923] init domainlist /var/lib/squidguard/weapons/domains
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/weapons/domains.db
2012-08-10 17:45:22 [28923] init urllist /var/lib/squidguard/weapons/urls
2012-08-10 17:45:22 [28923] loading dbfile /var/lib/squidguard/weapons/urls.db
2012-08-10 17:45:22 [28923] squidGuard 1.3 started (1344617122.190)
2012-08-10 17:45:22 [28923] squidGuard ready for requests (1344617122.193)
2012-08-10 17:45:22 [28923] source not found
2012-08-10 17:45:22 [28923] no ACL matching source, using default
http://localhost/block.html -/- - GET
2012-08-10 17:45:22 [28923] squidGuard stopped (1344617122.193)

Does the url rewriter need to be further up the squid.conf? It is right at the end of the conf file at the moment:

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
Re: [squid-users] squidguard not blocking
On 8/10/2012 9:34 PM, J Webster wrote:
> squidguard correctly blocks when I run from the command line:
> [root squidguard]# echo http://www.porn.com/ - - GET | squidGuard -c /etc/squid/squidguard.conf -d
SNIP
> Does the url rewriter need to be further up the squid.conf? It is right at the end of the conf file at the moment:
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf

It should be enough, and depending on the load, change the url_rewrite child process number.
You must make sure the squid user has access to the binary file and the DB.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
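Eliezer's second check is the one the command-line test above does not cover: that test ran as root, while Squid starts the rewriter as its own unprivileged account, which must be able to execute the helper, read squidguard.conf, search every directory down to the dbhome and read each .db file. The following is an added example for this thread, not code from squidGuard or from either poster: it evaluates classic Unix mode bits for a given uid and set of gids, walks every ancestor directory of a path for the search (x) bit, and reports the components that would stop that account. It assumes the paths shown in the log above (/usr/bin/squidGuard, /etc/squid/squidguard.conf, /var/lib/squidguard), an account named squid, and looks only at mode bits; POSIX ACLs or a mandatory-access-control layer are outside what it checks. The demo() fixture builds a throwaway directory and checks it for an arbitrary non-owner uid (65534 is used only as "some other account").

```python
#!/usr/bin/env python3
"""Added example: can the squid account reach the rewriter and its databases?"""
import os
import stat
import pwd
import grp
import shutil
import tempfile


def mode_allows(mode, owner_uid, owner_gid, uid, gids, need="r"):
    """Classic Unix mode-bit check for one inode; need is "r", "x" or "rx".

    Only the owner/group/other bits are considered (no ACLs). root reads
    anything and may execute or search whenever any x bit is set at all.
    """
    if uid == owner_uid:
        rbit, xbit = stat.S_IRUSR, stat.S_IXUSR
    elif owner_gid in gids:
        rbit, xbit = stat.S_IRGRP, stat.S_IXGRP
    else:
        rbit, xbit = stat.S_IROTH, stat.S_IXOTH
    ok = True
    if "r" in need:
        ok = ok and (uid == 0 or bool(mode & rbit))
    if "x" in need:
        anyx = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
        ok = ok and bool(mode & (anyx if uid == 0 else xbit))
    return ok


def resolve_user(name):
    """uid plus the full gid set (primary and supplementary) of an account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def problems_for(path, uid, gids, need="r"):
    """Path components the account cannot use, [] when all is accessible.

    Every ancestor directory needs the search (x) bit; the leaf needs `need`
    ("r" for a .db file or the config, "rx" for the helper binary).
    """
    path = os.path.realpath(path)
    bad = []
    parts = path.split(os.sep)            # ['', 'var', 'lib', 'squidguard', ...]
    for i in range(1, len(parts)):        # "/", "/var", "/var/lib", ...
        d = os.sep + os.sep.join(parts[1:i])
        st = os.stat(d)
        if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
            bad.append(d)
    st = os.stat(path)
    if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, need):
        bad.append(path)
    return bad


def problems_under(dirpath, uid, gids):
    """Check every file below a tree, e.g. the squidGuard dbhome."""
    bad = []
    for root, _dirs, files in os.walk(dirpath):
        for f in files:
            bad.extend(problems_for(os.path.join(root, f), uid, gids))
    return sorted(set(bad))


def demo():
    """Constructed fixture: one DB file in a fresh 0755 directory, checked for
    a uid that does not own it. Returns which checks behaved as expected."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o755)
        f = os.path.join(d, "domains.db")
        open(f, "w").close()
        other_uid, other_gids = 65534, {65534}
        os.chmod(f, 0o600)                # owner-only: squid-like account locked out
        locked = f in problems_for(f, other_uid, other_gids)
        os.chmod(f, 0o644)                # world-readable: accessible again
        opened = f not in problems_for(f, other_uid, other_gids)
        return {"locked": locked, "opened": opened}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    import sys
    uid, gids = resolve_user(sys.argv[1] if len(sys.argv) > 1 else "squid")
    for p in problems_for("/usr/bin/squidGuard", uid, gids, "rx"):
        print("helper:", p)
    for p in problems_for("/etc/squid/squidguard.conf", uid, gids):
        print("config:", p)
    for p in problems_under("/var/lib/squidguard", uid, gids):
        print("db:", p)
```

Run as root on the proxy with the Squid account name as the argument; an empty output means the mode bits are not what keeps squidGuard from loading its lists, and the next place to look is the squidGuard log directory and Squid's access.log.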
Re: [squid-users] squid 3.2 intercept and upstream proxy not working
On 8/10/2012 2:32 PM, Amos Jeffries wrote:
> On 10/08/2012 10:54 p.m., Eliezer Croitoru wrote:
>> On 8/9/2012 4:47 AM, Amos Jeffries wrote:
>>> On 09.08.2012 12:32, Eliezer Croitoru wrote:
>>>> On 8/9/2012 2:16 AM, Amos Jeffries wrote:
>>>>> Releases 3.2.0.14-3.2.0.18 have a standing block preventing requests with conflicting destination IP and destination domain name being passed to peers. Release 3.2.0.19 loosens that block to allow it, but only if the client's original destination IP (ORIGINAL_DST) is non-contactable by the proxy.
>>>>> BUT, ... checking your config file there is a bigger problem, and a relatively large amount of useless ACL checks ...
>>>> And let's say I want to loosen it a bit more?
>>> How much more? To relay known dangerous traffic to peers as if it were safe? Or just to obey never_direct?
>> Flag it as safe... because it is a local one that is safe. I am talking only about http traffic and not https.
> Please try 3.2.0.19 with this extra patch:
> http://ww.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch

The link should be:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch

and it works like a charm. :)
Now I noticed that the url_rewrite_concurrency was changed and it's nice.
Maybe an option can be added to the build of 3.2 to use some safety modes on cache_peer? Or maybe a flag that will mark cache_peer as safe?

Thanks,
Eliezer

> It removes the preference bias for ORIGINAL_DST over peers.
>
> Amos

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il
Re: [squid-users] squidguard not blocking
Check access.log and verify whether the traffic is passing through squid from the client machine.

-Sent via Blackberry

-----Original Message-----
From: J Webster jw.jwebs...@gmail.com
Date: Fri, 10 Aug 2012 20:34:31
To: squid-users@squid-cache.org
Subject: [squid-users] squidguard not blocking

> squidguard correctly blocks when I run from the command line:
> [root squidguard]# echo http://www.porn.com/ - - GET | squidGuard -c /etc/squid/squidguard.conf -d
SNIP (squidGuard output quoted in full in the original post above)
> Does the url rewriter need to be further up the squid.conf? It is right at the end of the conf file at the moment:
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
Re: [squid-users] squidguard not blocking
It is, I get the server IP address when browsing and the log is full of HIT MISS lines etc.

On 10 Aug 2012, at 22:30, Go Wow gow...@gmail.com wrote:
> Check access.log and verify whether the traffic is passing through squid from the client machine.
>
> -Sent via Blackberry
>
> -----Original Message-----
> From: J Webster jw.jwebs...@gmail.com
> Date: Fri, 10 Aug 2012 20:34:31
> To: squid-users@squid-cache.org
> Subject: [squid-users] squidguard not blocking
>
>> squidguard correctly blocks when I run from the command line:
>> [root squidguard]# echo http://www.porn.com/ - - GET | squidGuard -c /etc/squid/squidguard.conf -d
SNIP (squidGuard output quoted in full in the original post above)
>> Does the url rewriter need to be further up the squid.conf? It is right at the end of the conf file at the moment:
>> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
Re: [squid-users] squidguard not blocking
Is the squidguard log configured in the squidguard.conf file? If not, configure the log and watch it to see whether the traffic is hitting SG or not. I feel there is some config issue in SG. Let us see your config files and client IP or username.

-Sent via Blackberry

-----Original Message-----
From: J Webster jw.jwebs...@gmail.com
Date: Fri, 10 Aug 2012 23:21:54
To: gow...@gmail.com
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squidguard not blocking

> It is, I get the server IP address when browsing and the log is full of HIT MISS lines etc.
>
> On 10 Aug 2012, at 22:30, Go Wow gow...@gmail.com wrote:
>> Check access.log and verify whether the traffic is passing through squid from the client machine.
>>
>> -Sent via Blackberry
>>
>> -----Original Message-----
>> From: J Webster jw.jwebs...@gmail.com
>> Date: Fri, 10 Aug 2012 20:34:31
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] squidguard not blocking
>>
>>> squidguard correctly blocks when I run from the command line:
>>> [root squidguard]# echo http://www.porn.com/ - - GET | squidGuard -c /etc/squid/squidguard.conf -d
SNIP (squidGuard output quoted in full in the original post above)
>>> Does the url rewriter need to be further up the squid.conf? It is right at the end of the conf file at the moment:
>>> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
Re: [squid-users] 100% CPU
On 11/08/2012 3:05 a.m., Hank Disuko wrote:
> Hi folks,
>
> I'm using: Squid Cache version 3.0.STABLE13 for i686-suse-linux
>
> This cache has been running well for at least a couple years, or more. As of yesterday, my squid process started using 100% CPU and users on the proxy are experiencing extremely slow Internet speeds.
>
> I've disabled caching (thinking it was maybe a cache issue), but the problem remains.

Okay. Sometimes it is garbage collection on large caches which sucks up CPU. This test eliminates that.

> I've tried strace on the squid process, but I don't know what I'm even looking for. As for syscalls, I see lots of reads and writes.
>
> It seems to be a particular user, or number of users running something through the proxy that is causing the CPU to spike. This morning everything was fine for a couple hours with users on it...CPU was behaving...then within a minute or so it spiked and remained pegged at 100%.
>
> Would a video or audio stream cause something like this? A very large download?

Or lots of downloads. Or someone hit one of the DoS vulnerabilities which have been found and fixed since that release came out.

*please* upgrade your Squid. 3.0 is several years past its end-of-life. At minimum please upgrade to 3.0.STABLE26 to avoid the worst DoS vulnerabilities.

NOTE: free support is only available for the current Squid releases.

Amos
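Matt's own observation is that the load arrived "within a minute or so" and looks tied to a particular user or a few users, and Amos adds "lots of downloads" to the list of candidates; the quickest way to test either hypothesis is access.log, which records every request with its timestamp, client address, size and URL. The following is an added example written for this thread, not code from the Squid project or from either poster: it parses Squid's native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy, content type), bins requests per client per minute so a burst from one address stands out, and separately ranks clients and single transfers by bytes so a huge download shows up too. The log lines are constructed for the example (addresses and hosts are documentation ranges); on a real proxy point it at /var/log/squid/access.log around the minute the CPU pegged.

```python
#!/usr/bin/env python3
"""Added example: find the client or download behind a sudden CPU spike
by summarising Squid's native-format access.log."""
import re
import sys
from collections import Counter, defaultdict

# Native "squid" logformat:
# timestamp elapsed client result/status bytes method URL user hierarchy/host type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

# Constructed sample: three quiet clients, one address firing five requests in
# a second, and one client pulling a 700 MB ISO. Not from the original thread.
SAMPLE_LOG = """\
1344617101.123     45 10.0.0.5 TCP_MISS/200 5123 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1344617102.456     12 10.0.0.5 TCP_HIT/200 812 GET http://example.com/logo.png - NONE/- image/png
1344617103.001     30 10.0.0.6 TCP_MISS/200 2048 GET http://example.org/ - DIRECT/93.184.216.35 text/html
1344617160.010      3 10.0.0.7 TCP_MISS/200 150 GET http://cdn.example.net/a?1 - DIRECT/198.51.100.9 application/json
1344617160.020      3 10.0.0.7 TCP_MISS/200 150 GET http://cdn.example.net/a?2 - DIRECT/198.51.100.9 application/json
1344617160.030      3 10.0.0.7 TCP_MISS/200 150 GET http://cdn.example.net/a?3 - DIRECT/198.51.100.9 application/json
1344617160.040      3 10.0.0.7 TCP_MISS/200 150 GET http://cdn.example.net/a?4 - DIRECT/198.51.100.9 application/json
1344617160.050      3 10.0.0.7 TCP_MISS/200 150 GET http://cdn.example.net/a?5 - DIRECT/198.51.100.9 application/json
1344617161.000     20 10.0.0.5 TCP_MISS/200 700 GET http://example.com/x - DIRECT/93.184.216.34 text/html
1344617170.500  90000 10.0.0.8 TCP_MISS/200 734003200 GET http://mirror.example.edu/dvd.iso - DIRECT/203.0.113.4 application/octet-stream
""".splitlines()


def parse(line):
    """One log line -> dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def requests_per_client_per_minute(lines):
    """{minute_start_epoch: Counter(client -> request count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec:
            buckets[int(rec["ts"] // 60) * 60][rec["client"]] += 1
    return buckets


def top_talkers(lines, n=3):
    """(client, minute, requests) triples with the busiest minute first."""
    rows = [(cnt, client, minute)
            for minute, c in requests_per_client_per_minute(lines).items()
            for client, cnt in c.items()]
    rows.sort(reverse=True)
    return [(client, minute, cnt) for cnt, client, minute in rows[:n]]


def bytes_per_client(lines):
    """Counter(client -> total bytes served); catches the slow, heavy puller."""
    totals = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            totals[rec["client"]] += rec["bytes"]
    return totals


def largest_transfers(lines, n=1):
    """Individual requests by size: (client, url, bytes), biggest first."""
    recs = [r for r in map(parse, lines) if r]
    recs.sort(key=lambda r: r["bytes"], reverse=True)
    return [(r["client"], r["url"], r["bytes"]) for r in recs[:n]]


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for client, minute, cnt in top_talkers(lines):
        print(f"{client:16} {cnt:6} requests in minute starting {minute}")
    for client, total in bytes_per_client(lines).most_common(3):
        print(f"{client:16} {total:12} bytes")
    for client, url, size in largest_transfers(lines, 3):
        print(f"{client:16} {size:12} bytes {url}")
```

Once the address is known, the TCP_ client-side status, URL and content type in the same lines tell you whether it is a stream, a download or a request loop; this narrows the problem before the upgrade Amos asks for, but it does not replace it.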