[squid-users] squid listen on UDP for * or 0.0.0.0

2022-12-12 Thread Ahmad Alzaeem
Hello Folks,

Wondering why I see squid listening on UDP sockets. And how can I disable that
behavior?


Here is a sample capture:

ss -lup

UNCONN 0 0 *:62408 *:* users:(("squid",pid=304626,fd=12))
UNCONN 0 0 *:62421 *:* users:(("squid",pid=89500,fd=7))
UNCONN 0 0 *:62439 *:* users:(("squid",pid=506816,fd=12))
UNCONN 0 0 *:62440 *:* users:(("squid",pid=889812,fd=12))
UNCONN 0 0 *:62441 *:* users:(("squid",pid=561342,fd=13))
UNCONN 0 0 *:62448 *:* users:(("squid",pid=90497,fd=7))
UNCONN 0 0 *:62467 *:* users:(("squid",pid=89345,fd=7))
UNCONN 0 0 *:62481 *:* users:(("squid",pid=48730,fd=13))
UNCONN 0 0 *:62491 *:* users:(("squid",pid=88914,fd=7))
UNCONN 0 0 *:62504 *:* users:(("squid",pid=74449,fd=7))
UNCONN 0 0 *:62505 *:* users:(("squid",pid=89517,fd=7))
UNCONN 0 0 *:62507 *:* users:(("squid",pid=89077,fd=7))
UNCONN 0 0 *:62534 *:* users:(("squid",pid=70608,fd=7))
UNCONN 0 0 *:62543 *:* users:(("squid",pid=63323,fd=7))
UNCONN 0 0 *:62582 *:* users:(("squid",pid=89292,fd=7))
UNCONN 0 0 *:62606 *:* users:(("squid",pid=89037,fd=7))
UNCONN 0 0 *:62635 *:* users:(("squid",pid=89569,fd=7))
UNCONN 0 0 *:62636 *:* users:(("squid",pid=305076,fd=13))
UNCONN 0 0 *:62683 *:* users:(("squid",pid=304108,fd=13))

Sometimes the DNS resolutions fail on the server due to port conflict with
squid.
I think it won't be a problem if it listens to the same squid IP, but listening to *
(all sockets) will make issues.
Any way to figure out the issue above?

BR

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
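
One way to summarise a capture like the one in the message above, as an added example that is not part of the original post: it parses `ss -H -lunp` rows and groups the UDP ports bound to a wildcard address (`*`, `0.0.0.0`, `[::]`) by owning process and PID, leaving sockets bound to a specific address out. The sample rows, PIDs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `ss -H -lunp` prints (one socket per row).
# Addresses, ports and PIDs are made up for this example.
SAMPLE = """\
UNCONN 0 0 *:62408 *:* users:(("squid",pid=1001,fd=12))
UNCONN 0 0 0.0.0.0:62421 0.0.0.0:* users:(("squid",pid=1002,fd=7))
UNCONN 0 0 [::]:62439 [::]:* users:(("squid",pid=1001,fd=13))
UNCONN 0 0 192.0.2.10:3401 0.0.0.0:* users:(("squid",pid=1001,fd=9))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=700,fd=12))
"""

# Local-address spellings that mean "every address on the host".
WILDCARDS = {"*", "0.0.0.0", "[::]", "::"}

# One ("name",pid=N,fd=N) entry inside the users:(...) column.
USERS_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


def parse_row(line):
    """Parse one ss row; return None for headers and malformed rows."""
    fields = line.split()
    # Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
    if len(fields) < 5 or not fields[1].isdigit():
        return None
    # Split on the last colon so IPv6 and "addr%iface" forms stay intact.
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None  # service name instead of a number: rerun ss with -n
    owners = [
        (name, int(pid), int(fd))
        for name, pid, fd in USERS_RE.findall(" ".join(fields[5:]))
    ]
    return {"addr": addr, "port": int(port), "owners": owners}


def wildcard_udp_by_process(ss_output, process=None):
    """Map (process name, pid) -> sorted wildcard-bound UDP ports.

    Rows without a users:(...) column (ss run without enough privilege)
    are reported under ("<unknown>", 0).
    """
    found = defaultdict(set)
    for line in ss_output.splitlines():
        row = parse_row(line)
        if row is None or row["addr"] not in WILDCARDS:
            continue
        for name, pid, _fd in row["owners"] or [("<unknown>", 0, -1)]:
            if process is None or name == process:
                found[(name, pid)].add(row["port"])
    return {key: sorted(ports) for key, ports in found.items()}


def wildcard_holders(ss_output, port):
    """Return the (name, pid) pairs holding `port` on a wildcard address."""
    table = wildcard_udp_by_process(ss_output)
    return sorted(key for key, ports in table.items() if port in ports)


if __name__ == "__main__":
    for (name, pid), ports in sorted(wildcard_udp_by_process(SAMPLE).items()):
        print(f"{name} pid={pid}: {len(ports)} wildcard UDP port(s): {ports}")
```

Feeding it the real output of `ss -H -lunp` (numeric ports, run as root so the process column is present) shows which worker PIDs hold which wildcard ports.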


[squid-users] force squid to kill current connection after reconfigure

2022-08-08 Thread Ahmad Alzaeem

Hello Team,
Sometimes we need to change the tcp_outgoing addresses acl.
We edit it and reconfigure squid, but the current connections still work on the
old IPs of tcp_outgoing until the browser is completely closed and reopened.
Is there a way we can kill old sessions/connections in the old tcp_outgoing
after applying reconfigure?

Tried with server_persistent_connections off, but it did not make a change.

Thanks





Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
Hello Eliezer,
I reported many times that squid 4.x does not support delay pools and never
got a patch or fix.

Squid5 is buggy and not stable and keeps crashing and with DNS resolution it's
not stable.


Squid 4 is stable but does not support delay pools.
Squid 3.5.x is stable and supports delay pools.

That’s the summary.



From: squid-users  on behalf of 
ngtech1...@gmail.com 
Date: Monday, July 11, 2022 at 1:55 PM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid 3.x on Centos8 not working
Hey Ahmad,

I really don’t know what to say.
I am not using delay pools so I cannot say anything about that.

About DNS IPV4/IPV6 I am not sure what you are referring to.
Can you please refer me to the bug report on these?
It should be testable.
I have not seen anything about this in my environment until now so I am pretty 
confused.

Thanks,
Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/


Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
None of squid4.x support delay pools.

Squid5.x is full of bugs with DNS IPV4/IPV6 because of the eyeball feature.

Thanks


From: squid-users  on behalf of 
ngtech1...@gmail.com 
Date: Monday, July 11, 2022 at 12:37 PM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid 3.x on Centos8 not working
Hey Ahmad,

What is preventing you from using 4.x or 5.x?

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/


Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
-protection 
-Wa,--noexecstack -Wa,--generate-missing-build-notes=yes 
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN 
-DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM 
-DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG 
-DPURIFY -DDEVRANDOM="\"/dev/urandom\"" 
-DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines:  rdrand dynamic



openssl3 version -a
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
built on: Wed Mar 16 21:52:03 2022 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe 
-Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS 
-fexceptions -fstack-protector-strong -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-Wa,--noexecstack -Wa,--generate-missing-build-notes=yes 
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN 
-DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY 
-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"3.0.1-20220316\"" 
-DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffef3eb:0x21cbfbb



Thanks

From: squid-users  on behalf of Alex 
Rousskov 
Date: Monday, July 11, 2022 at 10:20 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid 3.x on Centos8 not working
On 7/11/22 09:38, Ahmad Alzaeem wrote:

> Anyone in the Dev team to help me out?

In most cases, folks should not be using Squid v3. It is not a supported
Squid version.

You may be able to get your Squid to build by avoiding the -Werror
compiler flag (e.g., by ./configuring Squid with
--disable-strict-error-checking).


HTH,

Alex.




Re: [squid-users] squid 3.x on Centos8 not working

2022-07-11 Thread Ahmad Alzaeem
Hello Folks,
Anyone in the Dev team to help me out?

Thanks


[squid-users] squid 3.x on Centos8 not working

2022-06-28 Thread Ahmad Alzaeem

Hello Folks,

Trying to compile squid 3.x on Centos8 but have the errors below, it seems in SMBLIB.

Squid ver:
squid-3.5.28

GCC ver:

gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap 
--enable-languages=c,c++,fortran,lto --prefix=/usr --mandir=/usr/share/man 
--infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla 
--enable-shared --enable-threads=posix --enable-checking=release 
--enable-multilib --with-system-zlib --enable-__cxa_atexit 
--disable-libunwind-exceptions --enable-gnu-unique-object 
--enable-linker-build-id --with-gcc-major-version-only 
--with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl 
--disable-libmpx --enable-offload-targets=nvptx-none --without-cuda-driver 
--enable-gnu-indirect-function --enable-cet --with-tune=generic 
--with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)

We are using ./configure with default flags, and have the errors below:


make[2]: Entering directory '/root/squid-3.5.28/lib/rfcnb'
depbase=`echo rfcnb-io.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H   -I../.. 
-I../../include -I../../lib -I../../src -I../../include-I../../lib  -Wall 
-Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations 
-Wcomments -Wshadow -Werror -pipe -D_REENTRANT -Wall -g -O2 -MT rfcnb-io.lo -MD 
-MP -MF $depbase.Tpo -c -o rfcnb-io.lo rfcnb-io.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-io.lo -MD -MP -MF .deps/rfcnb-io.Tpo -c 
rfcnb-io.c  -fPIC -DPIC -o .libs/rfcnb-io.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-io.lo -MD -MP -MF .deps/rfcnb-io.Tpo -c 
rfcnb-io.c -o rfcnb-io.o >/dev/null 2>&1
depbase=`echo rfcnb-util.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H   -I../.. 
-I../../include -I../../lib -I../../src -I../../include-I../../lib  -Wall 
-Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations 
-Wcomments -Wshadow -Werror -pipe -D_REENTRANT -Wall -g -O2 -MT rfcnb-util.lo 
-MD -MP -MF $depbase.Tpo -c -o rfcnb-util.lo rfcnb-util.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-util.lo -MD -MP -MF .deps/rfcnb-util.Tpo -c 
rfcnb-util.c  -fPIC -DPIC -o .libs/rfcnb-util.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT rfcnb-util.lo -MD -MP -MF .deps/rfcnb-util.Tpo -c 
rfcnb-util.c -o rfcnb-util.o >/dev/null 2>&1
depbase=`echo session.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H   -I../.. 
-I../../include -I../../lib -I../../src -I../../include-I../../lib  -Wall 
-Wpointer-arith -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations 
-Wcomments -Wshadow -Werror -pipe -D_REENTRANT -Wall -g -O2 -MT session.lo -MD 
-MP -MF $depbase.Tpo -c -o session.lo session.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT session.lo -MD -MP -MF .deps/session.Tpo -c 
session.c  -fPIC -DPIC -o .libs/session.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I../.. -I../../include -I../../lib 
-I../../src -I../../include -I../../lib -Wall -Wpointer-arith -Wwrite-strings 
-Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow -Werror -pipe 
-D_REENTRANT -Wall -g -O2 -MT session.lo -MD -MP -MF .deps/session.Tpo -c 
session.c -o session.o >/dev/null 2>&1
/bin/sh ../../libtool  --tag=CC   --mode=link gcc -Wall -Wpointer-arith 
-Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments -Wshadow 
-Werror -pipe -D_REENTRANT -Wall -g -O2  -g 

Re: [squid-users] is there any squid 4.x version has delay_pools working?

2022-06-28 Thread Ahmad Alzaeem
Hello team and Alex.

Any updates on this?
Does any squid4.x support delay pools for now?


I tried a lot and none of them support delay pools!!!

From: squid-users  on behalf of Alex 
Rousskov 
Date: Saturday, March 5, 2022 at 1:07 PM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] is there any squid 4.x version has delay_pools 
working?
On 3/5/22 13:43, Ahmad Alzaeem wrote:
> Hello,
>
> No SSL Bump.
> We use the CONNECT method.
> squid accepts the directive, but it has no real effect.
>
> the same config on 3.x worked fine.
>
> I'm sure 100%, none of squid 4.x worked with delay pools with me.

Sounds like Bug 4913 to me:
https://bugs.squid-cache.org/show_bug.cgi?id=4913

I do not know whether the latest summary there is still accurate, but I
know that the underlying code is (still) badly broken.

Alex.



>> On Feb 24, 2022, at 11:58 PM, Eliezer Croitoru wrote:
>>
>> Hey Ahmad,
>> Can you please give more details on the specific issue or issues you
>> have verified in 4.17?
>> What exactly doesn’t work in delay_pools? Plain HTTP download or
>> upload speed?
>> Is it only on HTTP or also on CONNECT or HTTPS or SSL-BUMP connections?
>> Eliezer
>>
>>   * I was thinking about creating a webinar about Squid ssl(TLS) bump
>>
>> 
>> Eliezer Croitoru
>> NgTech, Tech Support
>> Mobile: +972-5-28704261
>> Email: ngtech1...@gmail.com
>> *From:* squid-users *On Behalf Of* Ahmad Alzaeem
>> *Sent:* Friday, February 25, 2022 02:14
>> *To:* squid-users@lists.squid-cache.org
>> *Subject:* [squid-users] is there any squid 4.x version has delay_pools
>> working?
>> I tried many squid 4.x versions and none of them has delay_pools to work.
>> I have it to work on 3.x versions.
>> Is there any specific 4.x version that was tested with delay pools to
>> work?
>> I would like to report it as a bug at least in squid-4.17
>> <http://www.squid-cache.org/Versions/v4/squid-4.17-RELEASENOTES.html> which
>> I tested today.
>> Regards


Re: [squid-users] is there a way to tell squid to write external ip even that external ip not attached into the machine ?

2022-05-13 Thread Ahmad Alzaeem
Hello Eliezer,
I thought it could be done by editing the squid src file, like to skip inet address
lookup.

Thanks


From: squid-users  on behalf of 
Eliezer Croitoru 
Date: Friday, May 13, 2022 at 8:21 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] is there a way to tell squid to write external ip 
even that external ip not attached into the machine ?
Hey Ahmad,

You should use a tproxy port with a PROXY protocol support and acls.
With these you can try to push traffic to the network from a local process that 
will write the right details to squid that will generate a fake source ip.

And since you have asked I assume you are not familiar enough with this kind of
setup, so it's crucial you will understand what you are doing
before trying and testing it since it might not work as you expect.

All The Bests,
Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com



[squid-users] is there a way to tell squid to write external ip even that external ip not attached into the machine ?

2022-05-13 Thread Ahmad Alzaeem

Hello Guys ,
We are testing squid with a project in which we need squid to write and proceed 
with a tcp_outgoing_address address even if it's not attached to the machine by 
ifconfig or ip add.

After some tests we found that squid won't write the external IP to be pushed 
out the network card interface if the IP address is not added to the machine.

Is there any way to bypass this check and let squid ignore checking whether the 
external IPs are attached or not?
Not sure if from config or maybe editing src files.


Many Thanks





Re: [squid-users] squid3/4 compilation error with Centos8/RH8

2022-05-02 Thread Ahmad Alzaeem
Hello Eliezer Croitoru ,
Thank you for your reply ,

Indeed I need to build it from source with custom compile flags .

Is there any way to overcome the error I sent earlier?


Thanks


From: squid-users  on behalf of 
Eliezer Croitoru 
Date: Monday, May 2, 2022 at 11:59 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] squid3/4 compilation error with Centos8/RH8
Try to use the next SRPM:
https://www.ngtech.co.il/repo/centos/8/SRPMS/squid-4.17-8.el8.src.rpm

Good Luck,


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

From: squid-users  On Behalf Of 
Ahmad Alzaeem
Sent: Monday, May 2, 2022 21:25
To: squid-users@lists.squid-cache.org
Subject: [squid-users] squid3/4 compilation error with Centos8/RH8




Hello Team ,
I found I was only able to build squid 5.x on Centos8/RH8 (not able to build 
3.x or 4.x).
I was able to build squid 3.x and 4.x on RH7/Centos7.

It seems it's a libssl error or so, based on the compilation error below (not 
sure if I need to upgrade or downgrade GCC).

//
cache_cf.o: In function `parseOneConfigFile(char const*, unsigned int)':
cache_cf.cc:(.text+0x805): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xc2b): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xd78): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0x10a4): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parseConfigFileOrThrow(char const*)':
cache_cf.cc:(.text+0x1295): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x142e): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
cache_cf.o: In function `dump_acl(StoreEntry*, char const*, ACL*)':
cache_cf.cc:(.text+0x3bc5): undefined reference to 
`ACL::dumpOptions[abi:cxx11]()'
cache_cf.o: In function `parse_address(Ip::Address*)':
cache_cf.cc:(.text+0x3f7a): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_acl_tos(acl_tos**)':
cache_cf.cc:(.text+0x432e): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_access(HeaderManglers**)':
cache_cf.cc:(.text+0x49d7): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.cc:(.text+0x4a6d): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_replace(HeaderManglers**)':
cache_cf.cc:(.text+0x4cc5): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x4d5b): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
client_side.o: In function `EVP_PKEY_up_ref':
client_side.cc:(.text.EVP_PKEY_up_ref[EVP_PKEY_up_ref]+0x34): undefined 
reference to `CRYPTO_add_lock'
client_side.o: In function `X509_up_ref':
client_side.cc:(.text.X509_up_ref[X509_up_ref]+0x34): undefined reference to 
`CRYPTO_add_lock'
anyp/.libs/libanyp.a(PortCfg.o): In function 
`Security::ServerOptions::sk_X509_NAME_free_wrapper::operator()(stack_st_X509_NAME*)':
PortCfg.cc:(.text._ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME[_ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME]+0x22):
 undefined reference to `sk_pop_free'
security/.libs/libsecurity.a(PeerOptions.o): In function 
`Security::PeerOptions::createBlankContext() const':
PeerOptions.cc:(.text+0x1896): undefined reference to `SSLv23_client_method'
security/.libs/libsecurity.a(ServerOptions.o): In function 
`Security::ServerOptions::createBlankContext() const':
ServerOptions.cc:(.text+0xb4a): undefined reference to `SSLv23_server_method'
security/.libs/libsecurity.a(ServerOptions.o): In function `X509_CRL_up_ref':
ServerOptions.cc:(.text.X509_CRL_up_ref[X509_CRL_up_ref]+0x36): undefined 
reference to `CRYPTO_add_lock'
security/.libs/libsecurity.a(Session.o): In function `tls_write_method(int, 
char const*, int)':
Session.cc:(.text+0x677): undefined reference to `SSL_state'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::MaybeSetupRsaCallback(std::shared_ptr&)':
support.cc:(.text+0x6c9): undefined reference to `SSL_CTX_set_tmp_rsa_callback'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::matchX509CommonNames(x509_st*, void*, int (*)(void*, asn1_string_st*))':
support.cc:(.text+0x855): undefined reference to `sk_num'
support.cc:(.text+0x872): undefined reference to `sk_value'
support.cc:(.text+0x8c2): undefined reference to `sk_pop_free'
support.cc:(.text+0x8eb): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `ssl_verify_cb(int, 
x509_store_ctx_st*)':
support.cc:(.text+0x19be): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `ssl_free_CertChain(void*, 
void*, crypto_ex_data_st*, int, long, void*)':
support.cc:(.text+0x1ead): undefined reference to `sk_pop_free'

[squid-users] squid3/4 compilation error with Centos8/RH8

2022-05-02 Thread Ahmad Alzaeem



Hello Team ,
I found I was only able to build squid 5.x on Centos8/RH8 (not able to build 
3.x or 4.x).
I was able to build squid 3.x and 4.x on RH7/Centos7.

It seems it's a libssl error or so, based on the compilation error below (not 
sure if I need to upgrade or downgrade GCC).

//
cache_cf.o: In function `parseOneConfigFile(char const*, unsigned int)':
cache_cf.cc:(.text+0x805): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xc2b): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0xd78): undefined reference to `Debug::Start[abi:cxx11](int, 
int)'
cache_cf.cc:(.text+0x10a4): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parseConfigFileOrThrow(char const*)':
cache_cf.cc:(.text+0x1295): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x142e): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
cache_cf.o: In function `dump_acl(StoreEntry*, char const*, ACL*)':
cache_cf.cc:(.text+0x3bc5): undefined reference to 
`ACL::dumpOptions[abi:cxx11]()'
cache_cf.o: In function `parse_address(Ip::Address*)':
cache_cf.cc:(.text+0x3f7a): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_acl_tos(acl_tos**)':
cache_cf.cc:(.text+0x432e): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_access(HeaderManglers**)':
cache_cf.cc:(.text+0x49d7): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.cc:(.text+0x4a6d): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o: In function `parse_http_header_replace(HeaderManglers**)':
cache_cf.cc:(.text+0x4cc5): undefined reference to 
`Debug::Start[abi:cxx11](int, int)'
cache_cf.o:cache_cf.cc:(.text+0x4d5b): more undefined references to 
`Debug::Start[abi:cxx11](int, int)' follow
client_side.o: In function `EVP_PKEY_up_ref':
client_side.cc:(.text.EVP_PKEY_up_ref[EVP_PKEY_up_ref]+0x34): undefined 
reference to `CRYPTO_add_lock'
client_side.o: In function `X509_up_ref':
client_side.cc:(.text.X509_up_ref[X509_up_ref]+0x34): undefined reference to 
`CRYPTO_add_lock'
anyp/.libs/libanyp.a(PortCfg.o): In function 
`Security::ServerOptions::sk_X509_NAME_free_wrapper::operator()(stack_st_X509_NAME*)':
PortCfg.cc:(.text._ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME[_ZN8Security13ServerOptions25sk_X509_NAME_free_wrapperclEP18stack_st_X509_NAME]+0x22):
 undefined reference to `sk_pop_free'
security/.libs/libsecurity.a(PeerOptions.o): In function 
`Security::PeerOptions::createBlankContext() const':
PeerOptions.cc:(.text+0x1896): undefined reference to `SSLv23_client_method'
security/.libs/libsecurity.a(ServerOptions.o): In function 
`Security::ServerOptions::createBlankContext() const':
ServerOptions.cc:(.text+0xb4a): undefined reference to `SSLv23_server_method'
security/.libs/libsecurity.a(ServerOptions.o): In function `X509_CRL_up_ref':
ServerOptions.cc:(.text.X509_CRL_up_ref[X509_CRL_up_ref]+0x36): undefined 
reference to `CRYPTO_add_lock'
security/.libs/libsecurity.a(Session.o): In function `tls_write_method(int, 
char const*, int)':
Session.cc:(.text+0x677): undefined reference to `SSL_state'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::MaybeSetupRsaCallback(std::shared_ptr&)':
support.cc:(.text+0x6c9): undefined reference to `SSL_CTX_set_tmp_rsa_callback'
ssl/.libs/libsslsquid.a(support.o): In function 
`Ssl::matchX509CommonNames(x509_st*, void*, int (*)(void*, asn1_string_st*))':
support.cc:(.text+0x855): undefined reference to `sk_num'
support.cc:(.text+0x872): undefined reference to `sk_value'
support.cc:(.text+0x8c2): undefined reference to `sk_pop_free'
support.cc:(.text+0x8eb): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `ssl_verify_cb(int, 
x509_store_ctx_st*)':
support.cc:(.text+0x19be): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `ssl_free_CertChain(void*, 
void*, crypto_ex_data_st*, int, long, void*)':
support.cc:(.text+0x1ead): undefined reference to `sk_pop_free'
ssl/.libs/libsslsquid.a(support.o): In function `Ssl::Initialize()':
support.cc:(.text+0x2084): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x20b0): undefined reference to `SSL_CTX_get_ex_new_index'
support.cc:(.text+0x20df): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x210c): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x2139): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x2166): undefined reference to `SSL_get_ex_new_index'
support.cc:(.text+0x2193): undefined reference to `SSL_get_ex_new_index'
ssl/.libs/libsslsquid.a(support.o):support.cc:(.text+0x21c0): more undefined 
references to `SSL_get_ex_new_index' follow
ssl/.libs/libsslsquid.a(support.o): In function 
`sslGetUserCertificateChainPEM(ssl_st*)':

Re: [squid-users] squid5 Happy Eyeballs - Is it possible to enable IPV4 only or IPV6 only ?

2022-05-02 Thread Ahmad Alzaeem
Hello Alex ,
Thanks for the nice info .
I will consider what you said .


Thanks


From: Alex Rousskov 
Date: Monday, May 2, 2022 at 8:38 AM
To: Ahmad Alzaeem <0xf...@gmail.com>, Squid Users 

Subject: Re: [squid-users] squid5 Happy Eyeballs - Is it possible to enable 
IPV4 only or IPV6 only ?
On 5/1/22 23:49, Ahmad Alzaeem wrote:

> sometime the IPV4
> instance receive DNS resolution of the destination as IPV6 and the
> connection fails !!
>
> sometimes the IPV4 instance receive the DNS resolution of the
> destination as IPV6 and the connection fail .
>
> Is there any option we can do based on the environment above ?


Without Squid code modifications, your options are:

* Use a custom DNS resolver (configuration) that never sends IPv4
address records to an IPv6-only Squid. Use a custom DNS resolver
(configuration) that never sends IPv6 address records to an IPv4-only
Squid. Configure each Squid to use the right resolver (see dns_nameservers).

* Disable IPv6 support in IPv4-only Squid at ./configure time. This does
not help with the IPv6-only Squid and has other negative side effects. I
do not recommend this option.


> Like maybe we disable eyeballs or preserving it while add an option
> like DNS A records or DNS AAAA records .

It would be possible to enhance Squid by adding a configuration option
that disables (certain) A or AAAA queries, but proper modifications are
not trivial and nobody has done them yet:
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


Cheers,

Alex.


[squid-users] squid5 Happy Eyeballs - Is it possible to enable IPV4 only or IPV6 only ?

2022-05-01 Thread Ahmad Alzaeem
Hello Team ,

Testing squid5.x .
I still have a question about the case of running multiple instances (IPV4/IPV6) 
on the same machine, such as one instance that runs as IPV4 only while the other 
instance runs as IPV6 only.

I found that squid5.x is ignoring dns_v4_first.
And based on the algorithm and how it works, sometimes the IPV4 instance 
receives the DNS resolution of the destination as IPV6 and the connection fails!!

Sometimes the IPV4 instance receives the DNS resolution of the destination as 
IPV6 and the connection fails.

Is there any option we can use based on the environment above?
Like maybe we disable eyeballs, or preserve it while adding an option like DNS A 
records or DNS AAAA records.

Thanks






Re: [squid-users] Squid 3-5 CPU optimization and best practise .

2022-04-06 Thread Ahmad Alzaeem


Hello Amos ,

Config file is based on IP auth and user/pass auth .
But I want to minimize the CPU hit of my config file as much as possible .

Version : Squid 5.3

###

squid.conf

acl RDP-Domain-controller src 77.90.230.0/24 77.90.228.0/24 77.90.225.0/24 
77.90.210.0/24 77.90.193.0/24 77.90.145.0/24 77.90.112.0/24 88.21.95.0/24 
88.21.94.0/24 88.21.76.0/24 88.21.75.0/24 88.21.72.0/24 88.21.36.0/24 
88.21.34.0/24 88.21.199.0/24 88.21.193.0/24 88.21.192.0/24 88.21.137.0/24 
88.21.135.0/24 88.21.132.0/24 88.21.131.0/24 88.21.129.0/24 88.21.128.0/24 
88.21.126.0/24 88.21.121.0/24 88.21.120.0/24 88.108.9.0/24 88.108.45.0/24
http_access allow RDP-Domain-controller

acl googleaccess dstdomain .google.com .google.ad .google.ae .google.com.af 
.google.com.ag .google.com.ai .google.al .google.am .google.co.ao 
.google.com.ar .google.as .google.at .google.com.au .google.az .google.ba 
.google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi 
.google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt 
.google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf 
.google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn 
.google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy 
.google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz


acl FTP proto FTP
http_access deny FTP
http_access deny manager
#
acl URN proto URN
http_access deny URN
###
#
visible_hostname squid
###
# Lockdown Procedures
auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
acl ncsa_users proxy_auth REQUIRED
auth_param basic children 50
auth_param basic realm login squid Login
http_access deny ncsa_users googleaccess
http_access allow ncsa_users
auth_param basic casesensitive on
#
cache_effective_user squid
cache_effective_group squid
##
server_persistent_connections off
client_persistent_connections off
cache deny all
###
http_port  66.4.223.238:45000 name=45000
http_port  66.4.223.238:45001 name=45001
http_port  66.4.223.238:45002 name=45002
http_port  66.4.223.238:45003 name=45003
#
acl user45000 myportname 45000
acl user45001 myportname 45001
acl user45002 myportname 45002
acl user45003 myportname 45003
#
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:ba16:10cc:3d9f:6d8f user45000
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:ca27:f465:986e:6dfc user45001
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:27de:fec7:49fc:3113 user45002
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:698a:d044:d39e:ffe7 user45003
tcp_outgoing_address 2a0f:3fc6:f1f1:459e:bc96:9e75:6653:76ac user45004






From: squid-users  on behalf of Amos 
Jeffries 
Date: Friday, April 1, 2022 at 1:51 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] Squid 3-5 CPU optimization and best practise .
FYI; CPU in Squid is primarily consumed by two things:


1) parsing and processing HTTP message headers.

The only thing you can do about this is detect and reject unwanted
traffic as early as possible.

Your OS firewall is obviously the early line of defense. Preventing
unwanted network ranges from reaching Squid listening ports saves Squid
from spending CPU cycles looking up details about those unwanted clients.

Then for clients who are potentially valid the default http_access rules
reject dangerous traffic quickly and efficiently. Make sure any custom
http_access rules are listed *after* those ones. Then see (2).



2) processing access controls (ACL checks).

To optimize this needs attention to what order ACLs are tested in versus
how complex they are to process.

How many CPU cycles are consumed managing any resources they or other
processes they trigger is also important.

If you want a free optimization review please post your full squid.conf
(just without the documentation comments and empty lines). Then we can
point out any performance tricks you may not yet be using.




Beyond those two you are getting into "advanced admin" levels of
performance optimization. Where YMMV, Alex has mentioned. Every network
is different so none of us can say a specific thing to do that will be
better for you.

HTH
Amos
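
The two points in the reply above (baseline http_access rules first, cheap ACL tests before expensive ones) can be checked mechanically against a configuration like the one posted. This Python sketch is an added example, not code from the thread or from the Squid project; `lint`, its finding codes and the abridged `SAMPLE_CONF` (with documentation address ranges) are assumptions made for illustration.

```python
# Added example: an order and consistency check for squid.conf access rules.
# It is not Squid's parser and only understands the directives used here.

# ACL types that squid.conf.documented tags [slow]: they may wait on a helper,
# DNS or ident lookup. Every other type is treated as fast.
SLOW_TYPES = {"proxy_auth", "proxy_auth_regex", "external", "ident",
              "ident_regex", "srcdomain", "srcdom_regex", "dst"}
# ACL names Squid predefines, so they need no "acl" line.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# Constructed sample: abridged from the configuration posted in this message,
# with documentation address ranges substituted for the real ones.
SAMPLE_CONF = """\
acl RDP-Domain-controller src 192.0.2.0/24 198.51.100.0/24
http_access allow RDP-Domain-controller
acl googleaccess dstdomain .google.com .google.ad
acl FTP proto FTP
http_access deny FTP
http_access deny manager
auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
acl ncsa_users proxy_auth REQUIRED
http_access deny ncsa_users googleaccess
http_access allow ncsa_users
http_port 203.0.113.10:45000 name=45000
acl user45000 myportname 45000
tcp_outgoing_address 2001:db8::1 user45000
tcp_outgoing_address 2001:db8::2 user45004
"""


def lint(conf_text):
    """Return findings as (line number, code, detail) tuples, in file order."""
    acls = {}           # ACL name -> type, filled in as "acl" lines are read
    findings = []
    first_allow = None  # line of the first "http_access allow" seen so far
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        directive = tokens[0]
        if directive == "acl":
            acls.setdefault(tokens[1], tokens[2])
            continue
        if directive not in ("http_access", "tcp_outgoing_address"):
            continue
        # Both directives take one leading argument, then a list of ACL names.
        names = [t.lstrip("!") for t in tokens[2:]]
        # An ACL has to be defined above the line that uses it.
        for name in names:
            if name not in acls and name not in BUILTIN_ACLS:
                findings.append((lineno, "undefined-acl", name))
        if directive != "http_access":
            continue
        if tokens[1] == "allow" and first_allow is None:
            first_allow = lineno
        # The first matching http_access line decides, so an earlier allow
        # lets its clients through before "deny manager" is ever tested.
        if tokens[1] == "deny" and names == ["manager"] and first_allow:
            findings.append((lineno, "baseline-deny-after-allow",
                             "allow on line %d" % first_allow))
        # ACLs on one line are tested left to right and testing stops at the
        # first mismatch, so a slow ACL placed first always pays its cost.
        slow_seen = None
        for name in names:
            if acls.get(name) in SLOW_TYPES:
                slow_seen = slow_seen or name
            elif slow_seen and (name in acls or name in BUILTIN_ACLS):
                findings.append((lineno, "slow-before-fast",
                                 "%s before %s" % (slow_seen, name)))
                break
    return findings


if __name__ == "__main__":
    for lineno, code, detail in lint(SAMPLE_CONF):
        print("line %d: %s (%s)" % (lineno, code, detail))
```

On the sample it reports the `allow` that precedes `deny manager`, the `proxy_auth` ACL tested before the `dstdomain` one, and the `user45004` name that no `acl` line defines.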


Re: [squid-users] Squid 3-5 CPU optimization and best practise .

2022-03-31 Thread Ahmad Alzaeem
Hello Alex ,
Thanks for your reply ,

I thought as long as squid is only as forward proxy only and no https , we may 
disable some built in squid features that is not required in my purpose for 
getting lower CPU consumption such as use minimum squid functions .

We don’t have any bottleneck in squid .
The only issue is when there is a very high traffic that will use the CPU at 
higher scale .
So my only goal is decrease squid CPU consumption as much as I can .

So I build local dns server to fasten the lookup , but still don’t see any rich 
topics online for my goal .


Thanks



From: squid-users  on behalf of Alex 
Rousskov 
Date: Thursday, March 31, 2022 at 8:59 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] Squid 3-5 CPU optimization and best practise .
On 3/31/22 11:04, Ahmad Alzaeem wrote:

> My main question is , is there any major changes in squid 5 that make it
> faster than squid 3 or squid 4 in terms of low CPU usage?

I do not recall any _major_ changes in that area, but the http_port
worker-queues option may be of interest to those looking for performance
optimizations.


> Is there any best practice I can use to lower the cpu usage or response
> time ?

YMMV, but I would start by using (the right number of) SMP workers with
cpu_affinity_map and worker-queues. More on that at
https://wiki.squid-cache.org/Features/SmpScale#How_to_configure_SMP_Squid_for_top_performance.3F

Beyond that, one would have to analyze your Squid performance to find
out performance bottleneck(s) and then try to eliminate them or reduce
their impact.


> Like Deny caching on the HDD or server_persistent_connections off
>   similar directives

Disabling persistent connections will make things _worse_ in many cases
but YMMV. Whether cache_dirs (and even shared memory cache) slow down or
speed up an average response depends on your environment -- measure and
adjust/remove accordingly.


HTH,

Alex.


[squid-users] Squid 3-5 CPU optimization and best practise .

2022-03-31 Thread Ahmad Alzaeem
Hello Team ,
I’m just doing some research about the major changes in squid in terms of fast 
response and low CPU consumption, but I have not found more info on the Wiki or 
what’s new.
https://wiki.squid-cache.org/Squid-5

The main usage is proxy with no SSL bump.
My main question is: are there any major changes in squid 5 that make it faster 
than squid 3 or squid 4 in terms of low CPU usage?



Is there any best practice I can use to lower the cpu usage or response time ?
Like Deny caching on the HDD or server_persistent_connections off  similar 
directives





Thanks




Re: [squid-users] is there any squid 4.x version has delay_pools working?

2022-03-05 Thread Ahmad Alzaeem
Hello ,

No SSL bump.
We use the CONNECT method.
Squid accepts the directive, but it has no real effect.

The same config on 3.x worked fine.

I'm 100% sure, none of the squid 4.x versions worked with delay pools for me.


Thanks 


> On Feb 24, 2022, at 11:58 PM, Eliezer Croitoru  wrote:
> 
> Hey Ahmad,
>  
> Can you please give more details on the specific issue or issues you have 
> verified in 4.17?
> What exactly doesn’t work in delay_pools? Plain HTTP download or upload speed?
> Is it only on HTTP or also on CONNECT or HTTPS or SSL-BUMP connections?
>  
> Eliezer
>  
> I was thinking about creating a webinar about Squid ssl(TLS) bump
>  
> 
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
>  
> From: squid-users  On Behalf Of 
> Ahmad Alzaeem
> Sent: Friday, February 25, 2022 02:14
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] is there any squid 4.x version has delay_pools working?
>  
> I tried many squid 4.x versions and none of them has delay_pools to work .
> I have it to work on 3.x versions .
>  
> Is there any specific 4.x version that was tested with delay pools to work?
>  
>  
> i would like to report it as bug at least in squid-4.17 
> <http://www.squid-cache.org/Versions/v4/squid-4.17-RELEASENOTES.html> which i 
> tested today .
>  
> Regards 
>  


[squid-users] is there any squid 4.x version has delay_pools working?

2022-02-24 Thread Ahmad Alzaeem
I tried many squid 4.x versions and none of them has delay_pools working.
I have it working on 3.x versions.

Is there any specific 4.x version that was tested with delay pools working?


I would like to report it as a bug, at least in squid-4.17, which I tested today.

Regards 



Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-25 Thread Ahmad Alzaeem
Here is debug result :



2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc(1375) parseHttpRequest: 
Prepare absolute URL from 
2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc(2106) clientParseRequests: 
local=45.150.17.10:3128 remote=50.254.22.18:62916 FD 540 flags=1: done parsing 
a request
2020/05/25 12:04:58.043 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x43d98a0 add 
request 1 0x41e43f0*4
2020/05/25 12:04:58.043 kid1| 33,5| Http1Server.cc(188) buildHttpRequest: 
normalize 1 Host header using analytics.yopify.com:443
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(641) clientSetKeepaliveFlag: 
http_ver = HTTP/1.1
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(642) clientSetKeepaliveFlag: 
method = CONNECT
2020/05/25 12:04:58.043 kid1| 33,3| http/Stream.h(141) mayUseConnection: This 
0x41e43f0 marked 1
2020/05/25 12:04:58.043 kid1| 50,3| comm.cc(946) comm_udp_sendto: 
comm_udp_sendto: Attempt to send UDP packet to 8.8.8.8:53 using FD 8 using Port 
55332
2020/05/25 12:04:58.043 kid1| 50,3| comm.cc(946) comm_udp_sendto: 
comm_udp_sendto: Attempt to send UDP packet to 8.8.8.8:53 using FD 8 using Port 
55332
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(2119) clientParseRequests: 
Not parsing new requests, as this request may need the connection
2020/05/25 12:04:58.044 kid1| 33,5| AsyncJob.cc(154) callEnd: Http1::Server 
status out: [ job690]
2020/05/25 12:04:58.044 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving 
Server::doClientRead(local=45.150.17.10:3128 remote=50.254.22.18:62916 FD 540 
flags=1, data=0x43d9858)
2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc(1339) GetMarkingsToServer: from 
45.150.17.10 netfilter mark 0
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: 
Attempt open socket for: 45.150.17.10
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: 
Opened socket local=45.150.17.10 remote=[::] FD 542 flags=1 : family=2, type=1, 
protocol=6
2020/05/25 12:04:58.064 kid1| 33,4| client_side.cc(2510) httpAccept: 
local=45.150.17.10:3128 remote=50.254.22.18:62917 FD 543 flags=1: accepted
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall 
ConnStateData::connStateClosed constructed, this=0x4024ec0 [call6687]
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall 
Http1::Server::requestTimeout constructed, this=0x422ab40 [call6688]
2020/05/25 12:04:58.064 kid1| 33,4| Server.cc(90) readSomeData: 
local=45.150.17.10:3128 remote=50.254.22.18:62917 FD 543 flags=1: reading 
request...
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall 
Server::doClientRead constructed, this=0x4025c50 [call6689]



I see mark 0 and mark 1, don't see any 0xd7 or so.

Thanks 

> On May 25, 2020, at 10:02 AM, Amos Jeffries  wrote:
> 
> [NP: it would help if you replied through the list instead of directly
> to me, even as a CC. Your messages keep getting diverted to spam folder. ]
> 
> On 25/05/20 4:26 am, Ahmad Alzaeem wrote:
>> Hi Amos , 
>> 
>> Sorry I'm confused a bit …
>> 
>> Are my results expected not to work with below :
>> 
>> 
>> qos_flows mark local-hit=0xd7
>> qos_flows mark local-miss=0xd7
>> 
>> 
>> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
>> -A OUTPUT -m connmark --mark 0xd7 -j ACCEPT
>> 
>> ?
> 
> Squid should be MARK'ing packets with 0xd7.
> 
> Those iptables rules should match the packets MARK'ed with 0xd7.
> 
> Whether those statements are of any relevance depends on where your
> iptables rules are configured in relation to all other rules and chains
> your iptables is processing.
> 
> 
>> 
>> Do I need to edit squid/iptables ?
>> 
> 
> Probably iptables. But not enough info to say how.
> 
> 
> You asked about how to debug Squid MARK'ing earlier. What were the
> results of that? did you see Squid doing any marking?
> 
> 
> Amos
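
The debug output in this message can be searched for the netfilter mark Squid reports instead of being read by eye. The Python sketch below is an added example, not code from the thread or the Squid project: it rejoins the e-mail-wrapped records, pulls the mark from the section 17 `GetMarkingsToServer` line and lists other lines that merely contain the word "marked". `audit`, `unwrap` and `SAMPLE_LOG` (three records copied from the output above, still wrapped) are names assumed for illustration.

```python
import re

# Start of a cache.log debug record, e.g. "2020/05/25 12:04:58.056 kid1| ".
TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ kid\d+\| ")
# "<date> <time> kidN| <section>,<level>| <file(line)> <function>: <text>"
RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| (?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<where>\S+) (?P<func>\S+?): (?P<text>.*)$")
NFMARK = re.compile(r"\bnetfilter mark (?P<mark>0[xX][0-9a-fA-F]+|\d+)")

# Sample input: three records taken from the debug output in this message,
# left wrapped the way the mail client wrapped them.
SAMPLE_LOG = """\
2020/05/25 12:04:58.043 kid1| 33,3| http/Stream.h(141) mayUseConnection: This
0x41e43f0 marked 1
2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc(1339) GetMarkingsToServer: from
45.150.17.10 netfilter mark 0
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(350) comm_openex: comm_openex:
Attempt open socket for: 45.150.17.10
"""


def unwrap(log_text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)         # a new record starts with a timestamp
        else:
            records[-1] += " " + line    # continuation of the previous record
    return records


def audit(log_text, expected_mark):
    """Collect server-side netfilter marks and compare them with expected_mark."""
    marks, lookalikes = [], []
    for record in unwrap(log_text):
        m = RECORD.match(record)
        if not m:
            continue
        hit = NFMARK.search(m["text"])
        if m["section"] == "17" and m["func"] == "GetMarkingsToServer" and hit:
            value = hit["mark"]
            number = int(value, 16) if value.lower().startswith("0x") else int(value)
            marks.append((m["ts"], number))
        elif re.search(r"\bmark(ed)?\b", m["text"]):
            # Mentions "mark" but is not a netfilter mark report.
            lookalikes.append((m["func"], m["text"]))
    return {
        "server_marks": marks,
        "expected_seen": any(v == expected_mark for _, v in marks),
        "lookalikes": lookalikes,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, 0xD7))
```

Squid documents `qos_flows` as marking the client-facing connection and `tcp_outgoing_mark` as marking the server-facing one, so a 0 on the `GetMarkingsToServer` line does not by itself show that `qos_flows` is being ignored. The "marked 1" line comes from `mayUseConnection` and is not a netfilter mark.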


Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-24 Thread Ahmad Alzaeem
Hi Amos , 

Sorry I'm confused a bit …

Are my results expected not to work with below :


qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7


-A OUTPUT -m mark --mark 0xd7 -j ACCEPT
-A OUTPUT -m connmark --mark 0xd7 -j ACCEPT

?

Do I need to edit squid/iptables ?


Thanks 


> On May 21, 2020, at 3:03 AM, Ahmad Alzaeem <0xf...@gmail.com> wrote:
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> -A OUTPUT -m connmark --mark 0xd4 -j ACCEPT



Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-23 Thread Ahmad Alzaeem
Tested on both OS below :

Centos 7.7  64 bits  & Centos 6.10


Same result, squid is not marking traffic.

Is there a way to run squid in debug mode and debug to see if it's marking DSCP 
or not?



Thanks 



> On May 24, 2020, at 3:15 AM, Eliezer Croitoru  wrote:
> 
> What OS?
>  
>  
> From: Ahmad Alzaeem <mailto:0xf...@gmail.com>
> Sent: Saturday, May 23, 2020 11:40 PM
> To: Squid Users <mailto:squid-users@lists.squid-cache.org>
> Subject: Re: [squid-users] Squid marking QOS and matching marks with linux 
> iptables problem !
>  
> Hello Folks , any one in the mailing list can help me on the case ?
>  
> Thanks 
>  
>  
> > On May 21, 2020, at 3:03 AM, Ahmad Alzaeem <0xf...@gmail.com> wrote:
> > 
> > Hello Folks ,
> > 
> > I'm trying to mark outgoing squid requests based on Linux mark matching.
> > 
> > I added to squid conf :
> > 
> > qos_flows mark local-hit=0xd7
> > qos_flows mark local-miss=0xd7
> > 
> > -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> > 
> > But on iptables there is no match with the mark 0xd7 
> > 
> > 
> > I'm testing marking with squid and matching with iptables, but it's not 
> > matching; the statistics are always 0 on Linux iptables. That means it's not 
> > matched.
> > 
> > Squid version is 4.8
> > Also squid was compiled with the '--enable-zph-qos' flag.
> > 
> > So not sure if I need specific config for squid .
> > 
> > Following :
> > 
> > https://wiki.squid-cache.org/Features/QualityOfService
> > 
> > Based on it we need a kernel patch for TOS, but I don't need TOS, I just 
> > need Layer 3 DSP, Linux mark rule based.
> > 
> > 
> > I even tried to match traffic by mark and connmark and both did not help.
> > 
> > -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> > -A OUTPUT -m connmark --mark 0xd4 -j ACCEPT
> > 
> > 
> > So both rules above were not able to pick up squid marking.
> > 
> > Any helping Team on this case ?
> > 
> > 
> > Thank you
>  


Re: [squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-23 Thread Ahmad Alzaeem
Hello Folks , any one in the mailing list can help me on the case ?

Thanks 


> On May 21, 2020, at 3:03 AM, Ahmad Alzaeem <0xf...@gmail.com> wrote:
> 
> Hello Folks ,
> 
> I'm trying to mark outgoing squid requests based on Linux mark matching.
> 
> I added to squid conf :
> 
> qos_flows mark local-hit=0xd7
> qos_flows mark local-miss=0xd7
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> 
> But on iptables there is no match with the mark 0xd7 
> 
> 
> I'm testing marking with squid and matching with iptables, but it's not 
> matching; the statistics are always 0 on Linux iptables. That means it's not 
> matched.
> 
> Squid version is 4.8
> Also squid was compiled with the '--enable-zph-qos' flag.
> 
> So not sure if I need specific config for squid .
> 
> Following :
> 
> https://wiki.squid-cache.org/Features/QualityOfService
> 
> Based on it we need a kernel patch for TOS, but I don't need TOS, I just need 
> Layer 3 DSP, Linux mark rule based.
> 
> 
> I even tried to match traffic by mark and connmark and both did not help.
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> -A OUTPUT -m connmark --mark 0xd4 -j ACCEPT
> 
> 
> So both rules above was not able to pickup squid marking .
> 
> Any helping Team on this case ?
> 
> 
> Thank you



[squid-users] Squid marking QOS and matching marks with linux iptables problem !

2020-05-20 Thread Ahmad Alzaeem
Hello Folks,

I'm trying to mark outgoing squid requests based on Linux mark matching.

I added to squid conf:

qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT

But on iptables there is no match with the mark 0xd7


I'm testing marking with squid and matching with iptables, but it's not matching; 
the statistics are always 0 in Linux iptables, which means it's not matched.

Squid version is 4.8
Also, squid was compiled with the '--enable-zph-qos' flag

So I'm not sure if I need a specific config for squid.

Following:

https://wiki.squid-cache.org/Features/QualityOfService

Based on it, we need a kernel patch for TOS, but I don't need TOS; I just need 
Layer 3 DSP, Linux mark rule based.


I even tried to match traffic by mark and connmark, and both did not help.

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT
-A OUTPUT -m connmark --mark 0xd4 -j ACCEPT


So both rules above were not able to pick up the squid marking.

Any help from the team on this case?


Thank you 


Re: [squid-users] Squid with QOS marking

2020-05-19 Thread Ahmad Alzaeem
Following:

https://wiki.squid-cache.org/Features/QualityOfService

Based on it, we need a kernel patch for TOS, but I don't need TOS; I just need 
Layer 3 DSP, Linux mark rule based.


Thanks 


> On May 20, 2020, at 1:19 AM, Ahmad Alzaeem <0xf...@gmail.com> wrote:
> 
> Hello Folks,
> 
> I'm trying to mark outgoing squid requests based on Linux mark matching.
> 
> I added to squid conf:
> 
> qos_flows mark local-hit=0xd7
> qos_flows mark local-miss=0xd7
> 
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> 
> But on iptables there is no match with the mark d7
> 
> 
> I'm testing marking with squid and matching with iptables, but it's not 
> matching; the statistics are always 0 in Linux iptables, which means it's not 
> matched.
> 
> Squid version is 4.8
> Also, squid was compiled with the '--enable-zph-qos' flag
> 
> So I'm not sure if I need a specific config for squid.
> 
> Thanks 


[squid-users] Squid with QOS marking

2020-05-19 Thread Ahmad Alzaeem
Hello Folks,

I'm trying to mark outgoing squid requests based on Linux mark matching.

I added to squid conf:

qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT

But on iptables there is no match with the mark d7


I'm testing marking with squid and matching with iptables, but it's not matching; 
the statistics are always 0 in Linux iptables, which means it's not matched.

Squid version is 4.8
Also, squid was compiled with the '--enable-zph-qos' flag

So I'm not sure if I need a specific config for squid.

Thanks 


Re: [squid-users] Is there an option to completely disable IPV4 outgoing address for Squid

2020-02-19 Thread Ahmad Alzaeem
Hello Amos,
You are correct, but our plan is to use IPV6 as much as possible.
As I said, the IPV6 of dual stack is like 98 % IPV6.

My question is how, or under which circumstances, squid can go to IPV4 as long as 
IPV6 dual stack exists? How come it used 98 % FB IPV6 destinations, as an 
example, and 2 % FB IPV4 destinations?

Is it a random process or the DNS answer type?
Also, I have not found squid directives for this area.


Is there an option to tell squid use  DNS reply from DNS for certain 
websites always or even with certain squid process  ? And others non Dual stack 
use default case ?

Many Thanks .

> On Feb 20, 2020, at 7:31 AM, Amos Jeffries  wrote:
> 
> On 20/02/20 3:41 am, Ahmad Alzaeem wrote:
>> We just need an IPV4-IPV6 conversation system for an ISP that has run out of 
>> ipv4.
>> So we need to minimize IPV4 usage with them.
>> 
> 
> Stopping Squid from contacting IPv4 servers will not solve that problem
> in any significant way.
> 
> On the other hand using Squid in its default dual-stack form with one
> single IPv4 address. All clients can get full access to the HTTP web by
> having them contact Squid over whichever IP version they support and
> Squid does the IPv4 server part.
> 
> Amos


Re: [squid-users] Is there an option to completely disable IPV4 outgoing address for Squid

2020-02-19 Thread Ahmad Alzaeem
We just need an IPV4-IPV6 conversation system for an ISP that has run out of 
ipv4.
So we need to minimize IPV4 usage with them.


Thanks 


> On Feb 19, 2020, at 5:33 PM, Alex Rousskov  
> wrote:
> 
> On 2/19/20 8:47 AM, Ahmad Alzaeem wrote:
> 
>> Is there an option for squid to use IPV6 for outgoing and always skip
>> IPV4 of websites resolving address ?
> 
> AFAIK, there is no such option. You might be able to fake it by denying
> requests on IPv4-destined connections (via Squid ACLs and/or at the OS
> level), in hope that requests on those denied connections will be
> reforwarded, but I would not recommend this clumsy approach.
> 
> However, it is easy to add a DNS forwarder that would immediately
> respond to all Squid A queries with an empty set of IPv4 addresses. If
> you cannot configure BIND/etc. to do that, then it would only take a few
> lines of code to write such a forwarder in Perl/etc. using existing DNS
> resolver libraries -- you do not need a generic forwarder; only
> something that can handle Squid queries...
> 
> What are you going to do with sites that have no IPv6 addresses?
> 
> Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
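
The DNS forwarder Alex Rousskov describes in the quoted reply above, sketched in Python as an added example (not code from the thread or from the Squid project): it answers every A query with an empty NOERROR reply and relays all other queries upstream. The listen address, the function names and the constructed test query are assumptions; 8.8.8.8 is the resolver named in the original question.

```python
#!/usr/bin/env python3
"""A-record-suppressing DNS forwarder (illustrative sketch, stdlib only)."""
import socket
import struct

QTYPE_A = 1
QTYPE_AAAA = 28


def parse_question(packet: bytes):
    """Return (name, qtype, qclass, end_offset) for the first question."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


def empty_answer(query: bytes) -> bytes:
    """Build a NOERROR reply with zero answers that echoes the question."""
    _, _, _, end = parse_question(query)
    qid, flags = struct.unpack("!HH", query[:4])
    # QR=1 (response), keep opcode and RD from the query, set RA, RCODE=0.
    rflags = 0x8000 | (flags & 0x7900) | 0x0080
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + query[12:end]


def forward(query: bytes, upstream, timeout=3.0) -> bytes:
    """Relay one query to the real resolver over UDP and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, upstream)
        return sock.recvfrom(4096)[0]


def answer(query: bytes, upstream, forwarder=forward):
    """Empty reply for A queries, upstream reply otherwise, None if malformed."""
    try:
        _, qtype, _, _ = parse_question(query)
    except ValueError:
        return None
    if qtype == QTYPE_A:
        return empty_answer(query)
    return forwarder(query, upstream)


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Constructed sample query (RD set), used only for testing the functions."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(listen=("127.0.0.1", 53), upstream=("8.8.8.8", 53)):
    """Single-threaded UDP loop; Squid's dns_nameservers would point at `listen`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)  # port 53 needs privileges; the address is an assumption
        while True:
            query, client = srv.recvfrom(4096)
            try:
                reply = answer(query, upstream)
            except OSError:
                continue  # upstream timeout or network error: let the client retry
            if reply:
                srv.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Sites that publish no AAAA record become unreachable through such a forwarder, which is the question Alex raises at the end of his reply.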


[squid-users] Is there an option to completely disable IPV4 outgoing address for Squid

2020-02-19 Thread Ahmad Alzaeem
Say we want to test IPV4-IPV6 access for an ISP.
We want to access squid over IPV4,
DNS server ip on squid is 8.8.8.8

But we want DNS queries resolved only with IPV6 addresses so that squid doesn't 
pick up any ipv4 destination for a website.

I tried setting the dns_v4_1st directive to off, but I had like 98 % of results 
with IPV6 and still like 2 % of results as IPV4.
So as an example, say Facebook is IPV4/IPV6.
I was able to get 98 % of FB destinations as IPV6, but still a very low number of 
results on IPV4 ip addresses.

Is there an option for squid to use IPV6 for outgoing and always skip the IPV4 
of a website's resolved addresses?


Thanks 





[squid-users] How to match website subdomains and all others root domains

2020-02-14 Thread Ahmad Alzaeem
Hello folks,
How can I match all subdomains of google and all root URLs of google, such as 

google.com 
google.co.uk 
Google.eu
google.us 

With an all ?





[squid-users] TCP incoming requests Traffic Normalization

2020-01-13 Thread Ahmad Alzaeem

Hello Folks.

I have about 10x sources, or different ip addresses, sending requests to 
squid.

Imagine we have 10 servers sending bursts at times due to the nature of the 
traffic … I have a sensitive APP on squid that must be equalized to handle 
only 50 req/sec. “No more”

I just want to equalize all incoming requests, which can in some seconds be 60, 
40, 90, 100, 50, to have a steady 50 req/sec on squid, and even if we 
need to delay some packets it's OK; just keep squid handling 50 req/sec of those 
incoming requests, no more.

I know squid can limit connections and drop connections above a threshold, but I 
only need to discipline and buffer, to decrease dropped requests as much as 
possible and normalize all incoming requests to a steady 50 req/sec inside 
squid, whatever burst there is outside or higher than 50.

So again, I just need to apply that to “new requests”, not to already 
“established” connections.

Let me know, guys, if squid can do something like that or if we need a 3rd party 
outside squid.


Kind regards 



[squid-users] squid log response time %6tr or %tr ?

2019-12-22 Thread Ahmad Alzaeem
Hello Team,

Based on the wiki:
http://www.squid-cache.org/Doc/config/logformat/ 

tr is response time, but I'm confused about why the default response time is 
configured as %6tr, not %tr 

#
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %


Re: [squid-users] Is Squid 4.9 gone?

2019-12-20 Thread Ahmad Alzaeem
Perfect Amos 

Sent from my iPhone

> On Dec 20, 2019, at 11:35 AM, Amos Jeffries  wrote:
> 
> On 20/12/19 9:03 pm, netadmin wrote:
>> 
>> At the address:
>> http://www.squid-cache.org/Versions/
>> the latest version appears as 4.8 although I am running 4.9!
>> What happened to version 4.9?
> 
> 
> I'm not entirely certain what happened there. I suspect it was just an
> oversight on my part not copying the files from the release directory to
> the web server. That has now been corrected.
> 
> As to why you could be running a version not available on the www site;
> Vendors pull their release code from any one (or several) different
> sources we provide them - our public git repository, FTP servers, or
> rsync servers.
> 
> Amos


Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread --Ahmad--
Hi Alex,

Thank you for your precious info.


You said 
“”
Yes, you can. Squid logs CONNECT headers and also HTTP headers of
incoming and outgoing decrypted HTTPS requests. Squid does not see (and
cannot log) HTTP headers of encrypted traffic inside CONNECT tunnels
that are not bumped using the SslBump feature, of course.
“”


Can you give me an example of “Connect headers” and of headers inside a “connect 
Tunnel”?



> On Dec 2, 2019, at 10:31 PM, Alex Rousskov  
> wrote:
> 
> Yes, you can. Squid logs CONNECT headers and also HTTP headers of
> incoming and outgoing decrypted HTTPS requests. Squid does not see (and
> cannot log) HTTP headers of encrypted traffic inside CONNECT tunnels
> that are not bumped using the SslBump feature, of course.



Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Can I do the same thing for https?

Thanks 

Sent from my iPhone

> On Dec 2, 2019, at 10:03 PM, Alex Rousskov  
> wrote:
> 
> On 12/2/19 1:31 PM, Ahmad Alzaeem wrote:
> 
>> Is it possible to run it from squid ?
> 
> Packet capture is usually better, especially for plain HTTP traffic, but
> you can also get raw HTTP headers in cache.log if you set debug_options
> in squid.conf to ALL,2
> 
> Alex.
> 
> 
>>>> On Dec 2, 2019, at 8:58 PM, Antony Stone 
>>>>  wrote:
>>> 
>>> On Monday 02 December 2019 at 18:34:31, Ahmad Alzaeem wrote:
>>> 
>>>> Hello Team,
>>>> 
>>>> How can I debug the headers of a request made between squid ——> website
>>> 
>>> Run a packet sniffer (tcpdump, wireshark, tshark...) on the Squid server, 
>>> looking at the external interface (ie: the one pointing to the website/s).
>>> 
>>>> I need to see what headers squid sends to the website
>>>> and what the website replies to squid.
>>> 
>>> So long as you're doing HTTP (as per your example) and not HTTPS, any packet 
>>> sniffer and protocol analyser (wireshark is *very* good at this) will show you 
>>> this quite easily.
>>> 
>>> 
>>> Antony.
>>> 
>>> -- 
>>> Atheism is a non-prophet-making organisation.
>>> 
>>>  Please reply to the list;
>>>please *don't* CC me.


Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Thank you for that .

Is it possible to run it from squid ?

Thanks 

Sent from my iPhone

> On Dec 2, 2019, at 8:58 PM, Antony Stone  
> wrote:
> 
> On Monday 02 December 2019 at 18:34:31, Ahmad Alzaeem wrote:
> 
>> Hello Team,
>> 
>> How can I debug the headers of a request made between squid ——> website
> 
> Run a packet sniffer (tcpdump, wireshark, tshark...) on the Squid server, 
> looking at the external interface (ie: the one pointing to the website/s).
> 
>> I need to see what headers squid sends to the website
>> and what the website replies to squid.
> 
> So long as you're doing HTTP (as per your example) and not HTTPS, any packet 
> sniffer and protocol analyser (wireshark is *very* good at this) will show you 
> this quite easily.
> 
> 
> Antony.
> 
> -- 
> Atheism is a non-prophet-making organisation.
> 
>   Please reply to the list;
> please *don't* CC me.


[squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Hello Team,

How can I debug the headers of a request made between squid ——> website?

Say we have this simple topology 

pc ——squid —— website


—> As an example, if I run curl on some website from my device connecting to the 
squid proxy.


$ curl -x  x.x.8.187:xx433 -U abc:abc ifconfig.io/ip  -vv
*   Trying 108.61.8.187...
* TCP_NODELAY set
* Connected to x.x.8.187 (x.x.8.187) port xx433 (#0)
* Proxy auth using Basic with user 'ben'
> GET http://ifconfig.io/ip HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Mon, 02 Dec 2019 17:30:42 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Set-Cookie: __cfduid=d639c4bd01a9f8c32f0de7cb09f40671575307842; expires=Wed, 
01-Jan-20 17:30:42 GMT; path=/; domain=.ifconfig.io; HttpOnly
< CF-Cache-Status: DYNAMIC
< Alt-Svc: h3-23=":443"; ma=86400
< Server: cloudflare
< CF-RAY: 53ef07bd8d28efed-EWR
< X-Cache: MISS from squid
< Via: 1.1 xyz (squid)
< Connection: keep-alive
< 
11.22.33.44
* Connection #0 to host x.x.8.187 left intact


I believe the negotiation above is from pc <—> squid.


How can I see this kind of debug or headers at the squid — website level?

I need to see what headers squid sends to the website 
and what the website replies to squid.



Thanks 



Re: [squid-users] limit new req/sec on squid to X per sec

2019-11-27 Thread --Ahmad--
Hi Amos, thank you for your reply,



Well, you are correct regarding TCP/HTTP.

But my main concern here is that it's just POST/GET with a single reply from our 
API server.

It's just one TCP connection, one HTTP connection.


But yes, I will work on other solutions since squid is not the right place for 
that.

Thanks a lot ! 


> On Nov 27, 2019, at 3:20 PM, Amos Jeffries  wrote:
> 
> On 28/11/19 1:03 am, --Ahmad-- wrote:
>> Hello Amos, thank you for your response.
>> 
>> We have an APP behind squid, an http APP, that will crash if the # of (req/sec) 
>> exceeds X.
>> It won't crash over already established sessions; it only cares about new 
>> req/sec hitting squid.
>> 
> 
> That does not make sense. Any server (aka. app *behind* Squid) does not
> see all requests *arriving* at Squid, only the ones Squid sends to it.
> 
> 
>> I think it's doable by iptables, but I was really hoping we could do it at the 
>> squid level.
>> 
> 
> iptables would be right if you actually mean new TCP connections per second.
> 
> If you actually mean HTTP requests per second, then you would need
> Squid. But since this is completely counter to the goals of a proxy
> (*increasing* req/sec) you will need an external_acl_type helper to
> delay requests.
> 
> In current Squid we have a helper called ext_delayer_acl which delays
> each request by a fixed amount of time. You may be able to use that as
> the basis of one that does what you need.
> 
> 
>> 
>> So you can imagine http req/sec or tcp req/sec as the same here, as squid is
>> being used only on the http protocol.
> 
> 
> Er, that does not make sense. HTTP protocol has infinite number of
> requests per single TCP connection. There is no equivalence.
> 
> 
> 
> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
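
A pacing helper of the kind Amos Jeffries suggests in the quoted reply above (an external_acl_type helper that delays requests), written as an added Python example; it is not ext_delayer_acl and not code from the thread or the Squid project. The helper name `pacer`, its path, the squid.conf lines in the comment and the default of 100 req/sec (the figure used in the original question) are assumptions.

```python
#!/usr/bin/env python3
"""Request-pacing helper for Squid's external ACL interface (illustrative sketch).

squid.conf wiring assumed for this sketch (helper name and path are hypothetical):

    external_acl_type pacer ttl=0 negative_ttl=0 children-max=1 concurrency=200 %SRC /usr/local/bin/pacer.py 100
    acl paced external pacer
    http_access deny !paced

The helper always answers OK, so the deny rule never fires; it only holds each
lookup until its time slot. One child process is used so that a single clock
governs all requests. With concurrency enabled, Squid prefixes every lookup
line with a channel ID that must be echoed at the start of the reply.
"""
import sys
import time


class Pacer:
    """Hands out release times spaced 1/rate seconds apart, with no burst credit."""

    def __init__(self, rate_per_sec):
        if rate_per_sec <= 0:
            raise ValueError("rate must be positive")
        self.interval = 1.0 / rate_per_sec
        self.next_slot = 0.0

    def reserve(self, now):
        """Return the earliest time the next request may be released."""
        release = max(now, self.next_slot)
        self.next_slot = release + self.interval
        return release


def handle_line(line, pacer, now):
    """Return (reply, release_time) for one lookup line, or (None, now) if blank."""
    if not line.strip():
        return None, now
    channel = line.split(None, 1)[0]  # channel ID sent by Squid (concurrency > 0)
    return f"{channel} OK", pacer.reserve(now)


def main(rate_per_sec=100.0):
    pacer = Pacer(rate_per_sec)
    # Lookups are answered in arrival order; a burst waits in the pipe and is
    # drained at the configured rate instead of being rejected.
    for line in sys.stdin:
        reply, release = handle_line(line, pacer, time.monotonic())
        if reply is None:
            continue
        delay = release - time.monotonic()
        if delay > 0:
            time.sleep(delay)
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main(float(sys.argv[1]) if len(sys.argv) > 1 else 100.0)
```

This paces HTTP requests as Squid evaluates http_access; limiting new TCP connections per second remains a firewall job, as the reply above says.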


[squid-users] Testing

2019-11-27 Thread Ahmad Alzaeem
Testing 123 .


Re: [squid-users] limit new req/sec on squid to X per sec

2019-11-27 Thread --Ahmad--
Hello Amos, thank you for your response.

We have an APP behind squid, an http APP, that will crash if the # of (req/sec) 
exceeds X.
It won't crash over already established sessions; it only cares about new 
req/sec hitting squid.

I think it's doable by iptables, but I was really hoping we could do it at the 
squid level.

So you can imagine http req/sec or tcp req/sec as the same here, as squid is being 
used only on the http protocol.


Let me know your thoughts.


Thanks 


> On Nov 27, 2019, at 2:57 PM, Amos Jeffries  wrote:
> 
> On 27/11/19 6:31 pm, --Ahmad-- wrote:
>> Hello Folks,
>> 
>> 
>> I'm looking to limit TCP req/sec on squid to X speed.
>> 
> 
> TCP does not make requests.
> 
>> 
>> Say I have an instance running.
>> 
>> 
>> I want to limit it to 100 req/sec for “new connections”, not just for 
>> concurrent connections.
>> 
> 
> req/sec is an HTTP term to Squid. It has nothing to do with "connections".
> 
> The part where you say "not just for concurrent connections" implies
> that is something Squid does, does not match up with any existing Squid
> behaviour or features. Squid does not limit req/sec for anything.
> 
> Squid can limit *bytes* per second. Or limit total connections a given
> client has open concurrently.
> 
> 
>> So if a connection is old or “established”, it's out of the game.
> 
> In HTTP terms there is no such thing as a connection.
> 
> In TCP terms a connection is established as soon as it exists. If you
> mean the TCP handshake process, that is a thing for firewall rules to
> control. Squid cannot prevent SYN packets being sent to it.
> 
> 
> If you mean something else, then please define this concept you have of
> "new connection".
> 
> 
>> If the connection is new, all new ones should be limited to 100 req/sec.
>> 
>> I searched on all max_conn, but it seems to count “concurrent sessions”, even 
>> old + new.
>> 
>> Is there a way in squid to limit only new sessions?
>> 
> 
> Sessions are a very different thing to connections.
> 
> max_conn as its name should indicate sets the maximum connection count a
> client can open *concurrently*.
> 
> 
> Why exactly do you want this?
> 
> What problem will it solve?
> 
> 
> Amos


[squid-users] limit new req/sec on squid to X per sec

2019-11-26 Thread --Ahmad--
Hello Folks,


I'm looking to limit TCP req/sec on squid to X speed.


Say I have an instance running.


I want to limit it to 100 req/sec for “new connections”, not just for 
concurrent connections.

So if a connection is old or “established”, it's out of the game.
If the connection is new, all new ones should be limited to 100 req/sec.

I searched on all max_conn, but it seems to count “concurrent sessions”, even 
old + new.

Is there a way in squid to limit only new sessions?


Thanks 



[squid-users] Squid Send to Cache Peer based on Header Access if not matched .

2019-11-26 Thread --Ahmad--
Hello Folks,


I have squid ACL/TCP outgoing based on an incoming header,

as in the example below:


acl requestheader5000 req_header X-Proxy 1.2.3.4
acl requestheader5001 req_header X-Proxy 1.2.3.5
acl requestheader5002 req_header X-Proxy 1.2.3.6
acl requestheader5003 req_header X-Proxy 1.2.3.7

#

tcp_outgoing_address 1.2.3.4 requestheader5000
tcp_outgoing_address 1.2.3.5 requestheader5001
tcp_outgoing_address 1.2.3.6 requestheader5002
tcp_outgoing_address 1.2.3.7 requestheader5003


So if an incoming request has X-Proxy header 1.2.3.4, it will match the ACL 
requestheader5000 and will have the outgoing address 1.2.3.4. ——> no problem 
here.



Now say the incoming X-Proxy header was 9.9.9.9, which is a value not matched in 
the current ACL.

How can we let squid send those types of requests, “not matched with ACL”, to a 
remote cache peer squid in case of a “not matched X-Proxy header”?





Thanks 



Re: [squid-users] squid with Java Problem - Idrac 6 Hp servers

2019-11-13 Thread --Ahmad--
rver(HttpClient.java:558)
at sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1156)
at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1040)
at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1038)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1037)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)
at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1484)
at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1482)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1481)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)




com.sun.deploy.net.FailedDownloadException: Unable to load resource: https://10.0.10.22:443/software/avctKVM.jar
at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)



> On Nov 13, 2019, at 11:09 PM, Matus UHLAR - fantomas  
> wrote:
> 
> On 12.11.19 16:20, --Ahmad-- wrote:
>> I have an HP server which I access over IDRAC https and which needs java support.
> 
> you don't need java support. Apparently your java needs to be configured
> with proxy. And maybe the proxy needs to allow access to idrac ports.
> for that you must have rejection in proxy logs.
> 
>> I have the proxy in the same lan.
>> proxy ip is 10.0.0.200
>> ip of Idrac is 10.0.0.70
>> 
>> 
>> I can't access the console of Idrac using squid; that's what I need to do.
>> 
>> I need to be able to access the server console, “which needs java”, too.
>> 
>> So I'm not sure if it's possible or not.
>> 
>> Again, it's over https, so I believe it's already listed in squid safe ports
>> 
>> let me know your thoughts .
>> 
>> Kind regards
>> 
>> 
>> 
>>> On Nov 10, 2019, at 10:55 PM, Matus UHLAR - fantomas  
>>> wrote:
>>> 
>>> listed in ssl_ports probably.
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Fighting for peace is like fucking for virginity...


Re: [squid-users] squid with Java Problem - Idrac 6 Hp servers

2019-11-13 Thread --Ahmad--
Hi,

I have an HP server which I access over IDRAC https and which needs java support.

I have the proxy in the same lan.
proxy ip is 10.0.0.200
ip of Idrac is 10.0.0.70 


I can't access the console of Idrac using squid; that's what I need to do.

I need to be able to access the server console, “which needs java”, too.

So I'm not sure if it's possible or not.

Again, it's over https, so I believe it's already listed in squid safe ports 

Let me know your thoughts.

Kind regards 



> On Nov 10, 2019, at 10:55 PM, Matus UHLAR - fantomas  
> wrote:
> 
> listed in ssl_ports probably.



[squid-users] squid with Java Problem - Idrac 6 Hp servers

2019-11-10 Thread --Ahmad--
Hello Folks,

I have a server that runs java and we need to access it from the IDRAC console.

Squid is 4.8 and I am not able to get it to work.
I always get a java prompt error: Unable to launch application.

If I use it without the proxy it works; if I use it with squid it doesn't work.

I tried to add the directive below:

#
acl Java browser Java/1.4 Java/1.5 Java/1.6  Java/1.7  Java/1.8  Java/1.9
http_access allow Java




Let me know, guys, if there is a way to get it to work or if it's not possible.

Thanks 


Re: [squid-users] Delay pools not working with squid 4.x , and more Question !!

2019-09-22 Thread --Ahmad--
Hi Alex, thanks for the info.
So I can confirm 100 % it's a bug,

because the exact same config works on 3.5

If you can recommend me any 4.x that works with delay pools, or 5.x, I would be 
thankful! 


And thank you very much for answering me about SMP and delay pools.

All is clear; looking forward to hearing that the bug is fixed.

Thanks a lot .

> On Sep 22, 2019, at 5:07 PM, Alex Rousskov  
> wrote:
> 
> On 9/22/19 6:25 AM, --Ahmad-- wrote:
> 
>> I tested squid 4.8 and delay pools are not working with it at all.
>> I reverted back to squid 3.5.x and I had delay pools working.
> 
>> Q1- does squid 4 support delay pools?
> 
> It should. If it does not, there is a bug somewhere.
> 
> 
>> Q2- with squid 3.5.x we have SMP with about 4 children, and we are running delay 
>> pools.
>> Does that mean the speed (with all 4 instances) is 1/1 Mbps
>> or the speed (with all 4 instances) is 4/4 Mbps?
> 
> According to [1], delay pools are not SMP-aware yet so you are
> essentially configuring individual worker limits: Workers do not share
> their limits and pools with each other. Hence, the effective Squid
> instance limit is, very approximately, the aggregate of those configured
> individual worker limits. For example, if each worker is limited by
> 1Mbps, then the 4-worker instance may produce up to 4Mbps traffic.
> 
> In reality, since individual workers usually receive different amounts
> of traffic (especially until [2] is unblocked), the effective instance
> limit will be more than 1Mbps and less than 4Mbps.
> 
> [1] https://wiki.squid-cache.org/Features/SmpScale#What_can_workers_share.3F
> 
> [2] https://github.com/squid-cache/squid/pull/369
> 
> Alex.


Re: [squid-users] Delay pools not working with squid 4.x , and more Question !!

2019-09-22 Thread --Ahmad--
Hi Amos, but squid 4.8 did not get the config below to work:


delay_pools 1
delay_class 1 1
delay_parameters 1 3500/3500
delay_access 1 allow minh


But on squid 3.5 it worked.

Please, for Q2, what will the speed be if we have 4 workers?

Is it the above? Or the above * 4?

Thanks 



> On Sep 22, 2019, at 1:46 PM, Amos Jeffries  wrote:
> 
> On 22/09/19 10:25 pm, --Ahmad-- wrote:
>> Hello Folks,
>> 
>> I tested squid 4.8 and delay pools are not working with it at all.
>> I reverted back to squid 3.5.x and I had delay pools working.
>> 
>> Q1- does squid 4 support delay pools?
>> 
> 
> Yes.
> 
>> 
>> Q2- with squid 3.5.x we have SMP with about 4 children, and we are running delay 
>> pools.
>> 
>> Say I limited it in the main config file to 1/1 Mbps 
>> 
> 
> What did you configure *exactly*?
> 
>> does that mean speed ( with all 4 instances ) is 1/1 Mbps
>> or
>> speed ( with all 4 instances ) is 4/4  Mbps
>> 
>> ?
> 
> Neither.
> 
> Amos


[squid-users] Delay pools not working with squid 4.x , and more Question !!

2019-09-22 Thread --Ahmad--
Hello Folks ,

i tested squid 4.8 and delay pools not working with it at all .
i reverted back to squid 3.5.x and i had delay pools working .

Q1- do squid 4 support delay pools ?


Q2- with squid 3.5.x we have SMP about 4 childs , and we are running delay 
pools .

say i limited in the main config file 1/1 Mbps 

does that mean speed ( with all 4 instances ) is 1/1 Mbps
or
 speed ( with all 4 instances ) is 4/4  Mbps

?


Many Thanks 


Re: [squid-users] squid email using curl/smtp using squid

2019-09-08 Thread --Ahmad--
 ?



> On 7 Sep 2019, at 23:24, --Ahmad--  wrote:
> 
> Hello Team 
> 
> i enabled port port in squid for mailing  in squid ssl ports 587.
> 
> 
> 
> curl  --url 'smtp://smtp.gmail.com:587' --ssl-reqd --mail-from 
> '@gcom' --mail-rcpt 'y...@gmail.com'  --upload-file mail.txt 
> --user '...@gmail.com:mm' --insecure  -x  5.5.152.44:32000 -U 
> xpostfix:xpostfix -vv
> 
> here what i get in squid  error :
> 
> 07/Sep/2019:16:23:59 -0400  0 1.1.124.243 - 2.2.152.44 32000 
> TCP_DENIED_REPLY/403 290 PUT ://smtp.gmail.com:587/mail.txt - HIER_NONE/ - - -
> 
> if i remove squid section :
> 
> -x  5.5.152.44:32000 -U xpostfix:xpostfix
> 
> im able to send the email .
> 
> 
> anything else do i need to do in squid ?
> 
> 
> Thanks 


[squid-users] squid email using curl/smtp using squid

2019-09-07 Thread --Ahmad--
Hello Team 

i enabled port port in squid for mailing  in squid ssl ports 587.



curl  --url 'smtp://smtp.gmail.com:587' --ssl-reqd --mail-from '@gcom' 
--mail-rcpt 'y...@gmail.com'  --upload-file mail.txt --user 
'...@gmail.com:mm' --insecure  -x  5.5.152.44:32000 -U 
xpostfix:xpostfix -vv

here what i get in squid  error :

07/Sep/2019:16:23:59 -0400  0 1.1.124.243 - 2.2.152.44 32000 
TCP_DENIED_REPLY/403 290 PUT ://smtp.gmail.com:587/mail.txt - HIER_NONE/ - - -

if i remove squid section :

-x  5.5.152.44:32000 -U xpostfix:xpostfix

im able to send the email .


anything else do i need to do in squid ?


Thanks 








Re: [squid-users] cache peer , force peer to use dns ipv4 not ipv6

2019-09-03 Thread --Ahmad--
Hello Team , thank you for replies .


http_port 10.61.8.189:1 name=1
acl 1 myportname 1
never_direct allow 1
cache_peer 192.247.37.193 parent 12847 0 no-query  round-robin no-digest 
no-tproxy proxy-only name=peer1
cache_peer_access peer1 allow 1
cache_peer_access peer1 deny all


Amos do you mean name should be 192.247.37.193 now name=peer1 ?
is that what you mean ?



Thanks 


> On 3 Sep 2019, at 11:23, Amos Jeffries  wrote:
> 
> Put the IPv4 address of the peer into the cache_peer line instead of its



[squid-users] cache peer , force peer to use dns ipv4 not ipv6

2019-09-02 Thread --Ahmad--
Hello Team ,

just wondering .

using cache peer to FWD request to upstream squid .

the problem is sometimes the Upstream go to destination over ipv6 .

is there an option can be used to force the peer to use ipv4 dns ?

again , we don't have access to the upstream , just wondering can we do 
something on our side ?

Thanks 




Re: [squid-users] outgoing address for DNS queries per instance

2019-08-05 Thread --Ahmad--
Nice ! 

Thanks Amos ! 

> On 5 Aug 2019, at 12:57, Amos Jeffries  wrote:
> 
> On 5/08/19 9:33 pm, --Ahmad-- wrote:
>> Hello folks 
>> i have 3 squid instances and i want to have different external ip for each 
>> squid instance .
>> 
>> i believed acls of dst ip of dns should work .
>> but i even tested it didnt with the outgoing address .
>> 
>> dns_nameservers 8.8.8.8
>> acl next dst 8.8.8.8
>> tcp_outgoing_address 100.100.100.100 next
>> 
>> 
>> but the problem when i do debug , the src ip that reach 8.8.8.8 is no 
>> 100.100.100.100 and its only the ip address of the main machine .
>> 
>> any help ?
> 
> 
> DNS uses <http://www.squid-cache.org/Doc/config/udp_outgoing_address/>.
> Despite the directive name, it is also used for DNS-TCP traffic.
> 
> Amos


[squid-users] outgoing address for DNS queries per instance

2019-08-05 Thread --Ahmad--
Hello folks 
i have 3 squid instances and i want to have different external ip for each 
squid instance .

i believed acls of dst ip of dns should work .
but i even tested it didnt with the outgoing address .

dns_nameservers 8.8.8.8
acl next dst 8.8.8.8
tcp_outgoing_address 100.100.100.100 next


but the problem when i do debug , the src ip that reach 8.8.8.8 is no 
100.100.100.100 and its only the ip address of the main machine .

any help ?

Thanks 



Re: [squid-users] logformat for squid5 ?

2019-08-01 Thread --Ahmad--
ok in squid 3.x
>> logformat squid %tl %6tr %>a %>p %>la %>lp %Ss/%03Hs %> %   11.11.81.74 50223
then destination ip and port of squid sender connected to > 22.158.182 11961
Dst URL  —>www.googletagservices.com:443 
<http://www.googletagservices.com:443/> 
User of the connection ——> mwckpf
IP resolution of the destination ——> www.googletagservices.com 172.217.15.66
last thing the external ip address for that connection ———> 22.22.158.182



Now on squid5.x
i add 
>> logformat squid %tl %6tr %>a %>p %>la %>lp %Ss/%03Hs %> %

> On 1 Aug 2019, at 16:55, Alex Rousskov  
> wrote:
> 
> On 8/1/19 9:23 AM, --Ahmad-- wrote:
>> i use :
>> logformat squid %tl %6tr %>a %>p %>la %>lp %Ss/%03Hs %> %> 
>> in squid 3.x and its working fine , but in 5.x it dont work as i want 
> 
> We still do not have enough information to understand the problem you
> are trying to solve. Please be specific. For example, describe a
> transaction that logs X in v3.5 and Y in v5, and, unless it is really
> obvious from X and Y, please explain why you want X and not Y.
> 
> Alex.



Re: [squid-users] logformat for squid5 ?

2019-08-01 Thread --Ahmad--
i use :
logformat squid %tl %6tr %>a %>p %>la %>lp %Ss/%03Hs %

> On 1 Aug 2019, at 15:55, --Ahmad--  wrote:
> 
> Hello folks 
> 
> any news for logformat directive for squid 5.x ?
> or any alternative thing to it ?


[squid-users] logformat for squid5 ?

2019-08-01 Thread --Ahmad--
Hello folks 

any news for logformat directive for squid 5.x ?
or any alternative thing to it ?


[squid-users] dns_v4_first off for squid Squid Cache: Version 5.0.0-20190715-rd3527ec67

2019-07-29 Thread --Ahmad--
Hello Folks .

i have a problem with IPV6 when i moved to squid Squid Cache: Version 
5.0.0-20190715-rd3527ec67.

in squid 3.5 when i put :
dns_v4_first off 
i have all resolution of domains for ipv6 as 1st priority then ipv4 .

but …
when i have squid 5.x.x

seems this directive not effective bec i keep have all domains to be ipv4 1st .


can you check for me if its config or squid version ?


Kind regards 




[squid-users] error:transaction-end-before-headers on squid 5.x

2019-07-23 Thread --Ahmad--
Hello folks .

recently i moved to squid 5 to get some features .

but i have new errors such as :

error:transaction-end-before-headers

in access log file .


is it related to bug ?


Thanks 


[squid-users] squid external address to be sequential from list of addresses

2019-07-20 Thread --Ahmad--
Hello Folks ,
wondering  …. i need squid to have sequential outgoing addresses over specified 
list .

say i want an ip:port for that connection .
and have pool of 10 address .
is it possible with squid to match 1st ip as external for 1st request .
2nd ip for 2nd request .

3rd ip for 3rd request 

until reach end , then the cycle span again ?

im thinking of how can do it   with marking acl or so ?

Thanks  


Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-19 Thread --Ahmad--
Alex you have been helpful a-lot .

i would appreciate your help & Amos for what you provided .

Thanks for your kind support .

you have simplified all what i need .


Kind regards 


> On 19 Jul 2019, at 23:03, Alex Rousskov  
> wrote:
> 
> reply_header_add Start "%___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-19 Thread --Ahmad--
Alex .. indeed i asked many questions and you already solved me old issues . i 
do apologise for that Drop .
here is what we are going to achieve .


in simple :

i want to have external random addresses from list of addresses .
and in the same time i want a header like “start” header  who can be sent from 
squid to Host with tag.

say i have 10 ips 
i want random external over them .
and i want single  on each those 10 ips be sent back to Host.
if external was ip1 , then “start header” should be A
if external was ip2 , then “start header” should be b
if external was ip3 , then “start header” should be c
if external was ip4 , then “start header” should be d

and so on .


Thanks and again Guys you have been much helpful .


Thanks 


> On 19 Jul 2019, at 16:08, Alex Rousskov  
> wrote:
> 
> On 7/19/19 8:53 AM, --Ahmad-- wrote:
> 
>> is there any way can i let header acl stop on the 1st MATCH ?
> 
> Yes, your reply_header_add ACLs effectively stop on the first match,
> using the annotation trick. That part of your configuration is probably
> working. The primary problem is elsewhere.
> 
> 
>> do you have any other thing can we do to achieve what im looking for
>> based on my config below ?
> 
> FWIW, I do not know what you are looking for. I even checked earlier
> emails on this thread and could not find that information. Can you
> (re)state your goals using the following template?
> 
> "When Squid receives a client request with HTTP header X, I want Squid
> to forward that request using outgoing TCP address Y, and then add HTTP
> header Z to the response that Squid sends to the client."
> 
> Replace X, Y, and Z with your actual requirements. Adjust as needed,
> including removing any unnecessary parts.
> 
> Alex.



Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-19 Thread --Ahmad--
Hi Guys , Thank you a lot for your cooperation .

is there any way can i let header acl stop on the 1st MATCH ?

do you have any other thing can we do to achieve what im looking for based on 
my config below ?


Thanks 





> On 19 Jul 2019, at 13:04, Amos Jeffries  wrote:
> 
> To make the IP based on the "a" existence you have to ... base it on the
> "a" - not on some random number.



Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-19 Thread --Ahmad--
Hi Alex .

Strange: Your outgoing address decisions appear to be random, completely 
independent from your Start values. Is that what you want?
yes , it suppose to have header as i configured the acls .


>  12.13.200.13 --->D
>  12.13.200.12 >C
>  12.13.200.14  ——>E

Not 

> 12.13.200.13 --> B
> 12.13.200.14 --> a
> 12.13.200.12 ---> E


I see nothing in your configuration that would tie outgoing address to Start 
values. Where did you configure Squid to use "D" for .13 or vice versa?
May im wrong in config , i thought that my config above like :


###
dns_nameservers 1.0.0.1
acl markProcessed annotate_client processed=yes
acl markedProcessed note processed yes
#
acl half1 random 1/5

reply_header_add start "a" !markedProcessed half1 markProcessed

tcp_outgoing_address 12.13.200.10 half1


But may be im wrong with config and im open now to any suggestions to change 
the config to get it working as i mentioned above with headers .


Thanks 




> On 19 Jul 2019, at 5:44, Alex Rousskov  
> wrote:
> 
> Strange: Your outgoing address decisions appear to be random, completely 
> independent from your Start values. Is that what you want?



Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-18 Thread --Ahmad--
Ok , here we Go :

###
dns_nameservers 1.0.0.1
acl markProcessed annotate_client processed=yes
acl markedProcessed note processed yes
#
acl half1 random 1/5
acl half10001 random 1/4
acl half10002 random 1/3
acl half10003 random 1/2
acl half10004 random 1/1

reply_header_add start "a" !markedProcessed half1 markProcessed
reply_header_add start "B" !markedProcessed half10001 markProcessed
reply_header_add start "C" !markedProcessed half10002 markProcessed
reply_header_add start "D" !markedProcessed half10003 markProcessed
reply_header_add start "E" !markedProcessed half10004 markProcessed
#
tcp_outgoing_address 12.13.200.10 half1
tcp_outgoing_address 12.13.200.11 half10001
tcp_outgoing_address 12.13.200.12 half10002
tcp_outgoing_address 12.13.200.13 half10003
tcp_outgoing_address 12.13.200.14 half10004
#






Curl Testing :


root:~ user$ curl -x 12.13.200.250:2000-U testx:testx  ifconfig.io  -v
* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.200.250...
* TCP_NODELAY set
* Connected to 12.13.200.250 (12.13.200.250) port 2000 (#0)
* Proxy auth using Basic with user 'testx'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Thu, 18 Jul 2019 22:04:11 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: E
< 
12.13.200.12
* Connection #0 to host 12.13.200.250 left intact




root:~ user$ curl -x 12.13.200.250:2000-U testx:testx  ifconfig.io  -v
* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.200.250...
* TCP_NODELAY set
* Connected to 12.13.200.250 (12.13.200.250) port 2000 (#0)
* Proxy auth using Basic with user 'testx'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Thu, 18 Jul 2019 22:04:12 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: B
< 
12.13.200.13
* Connection #0 to host 12.13.200.250 left intact




root:~ user$ curl -x 12.13.200.250:2000-U testx:testx  ifconfig.io  -v
* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.200.250...
* TCP_NODELAY set
* Connected to 12.13.200.250 (12.13.200.250) port 2000 (#0)
* Proxy auth using Basic with user 'testx'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Thu, 18 Jul 2019 22:04:13 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 38
< Connection: keep-alive
< start: a
< 
12.13.200.14
* Connection #0 to host 12.13.200.250 left intact
root:~ user$ 




Look @ results above i made 3 tests .


12.13.200.13 --> B
12.13.200.14 --> a
12.13.200.12 ---> E

And those are wrong ….


above are wrong reply values , the correct should be as below based on the Acls 
we configured .



 12.13.200.13 --->D
 12.13.200.12 >C
 12.13.200.14  >E


i hope its clear now :)

Thanks and looking forward to hear from you .





> On 18 Jul 2019, at 23:08, Alex Rousskov  
> wrote:
> 
> On 7/18/19 3:48 PM, --Ahmad-- wrote:
>> Any recommendation alex ?
> 
> I recommend isolating the problem to the minimum number of transactions
> (probably one or two in your case) and then posting your Squid
> configuration, actual transaction headers, and an explanation why those
> actual headers are wrong (and what headers you expected to see).
> 
> Alex.
> 
> 
>>> On 17 Jul 2019, at 18:36, Alex Rousskov  
>>> wrote:
>>> 
>>> On 7/17/19 10:40 AM, --Ahmad-- wrote:
>>> 
>>>> 2019/07/17 09:21:42| FATAL: Invalid ACL type ‘annotate_client'
>>> 
>>>> do i need to recompile squid to enable this kind of ACLS ?
>>> 
>>> These ACLs are only supported in the development version of Squid
>>> (future v5): https://github.com/squid-cache/squid/commit/63e82d8
>>> 
>>> Alex.
> 



Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-18 Thread --Ahmad--
Any recommendation alex ?

im sure 100 % i have made same as you asked but still i get wrong results .

i can see 1 result , but its wrong .


Thanks 


> On 17 Jul 2019, at 18:36, Alex Rousskov  
> wrote:
> 
> On 7/17/19 10:40 AM, --Ahmad-- wrote:
> 
>> 2019/07/17 09:21:42| FATAL: Invalid ACL type ‘annotate_client'
> 
>> do i need to recompile squid to enable this kind of ACLS ?
> 
> These ACLs are only supported in the development version of Squid
> (future v5): https://github.com/squid-cache/squid/commit/63e82d8
> 
> Alex.



Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-17 Thread --Ahmad--
Hi Alex thanks for info .

well have compiled squid 5 
and i made exact steps as you mentioned .

now i have delayed response with single header info .

but its wrong value .  not correct reply header !!!

so instead of  getting START A i see START B or E and so on .





> On 17 Jul 2019, at 18:36, Alex Rousskov  
> wrote:
> 
> On 7/17/19 10:40 AM, --Ahmad-- wrote:
> 
>> 2019/07/17 09:21:42| FATAL: Invalid ACL type ‘annotate_client'
> 
>> do i need to recompile squid to enable this kind of ACLS ?
> 
> These ACLs are only supported in the development version of Squid
> (future v5): https://github.com/squid-cache/squid/commit/63e82d8
> 
> Alex.



Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-17 Thread --Ahmad--
Thanks Alex , i tried your acl not recognised !

2019/07/17 09:21:42| FATAL: Invalid ACL type ‘annotate_client'


do i need to recompile squid to enable this kind of ACLS ?




> On 17 Jul 2019, at 16:05, Alex Rousskov  
> wrote:
> 
> markProcessed



Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-17 Thread --Ahmad--
Hi Amos , Thank you for you info .

indeed i read about reply header ACL That :

##
One or more Squid ACLs may be specified to restrict header
injection to matching responses. As always in squid.conf, all
ACLs in the ACL list must be satisfied for the insertion to
happen. The reply_header_add option supports fast ACLs only.

See also: request_header_add.
#

im not sure what do i need to let the output single value and not multiple 
values .

about your Question :
> 1- why mutiple replies do we recieve not single reply ?

What do you mean by "multiple replies" ?
> i mean i would like the result to be as below :

* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: A
< 
12.13.100.1
* Connection #0 to host 12.13.100.250 left intact



* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: B
< 
12.13.100.2
* Connection #0 to host 12.13.100.250 left intact




* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: C
< 
12.13.100.3
* Connection #0 to host 12.13.100.250 left intact


* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: D
< 
12.13.100.4
* Connection #0 to host 12.13.100.250 left intact



###


Check the 4 tests above … those i want the result to be .
if i have external ip 12.13.100.4 , the Header should  be single and = < start: 
D
if i go external 12.13.100.3 ,the Header should  be single and = < start: C
if i go external 12.13.100.2 ,the Header should  be single and = < start: B
if i go external 12.13.100.1 ,the Header should  be single and = < start: B


SO basically i want 1 answer matching the acl :

acl half1 random 1/10
acl half10001 random 1/9
acl half10002 random 1/8
acl half10003 random 1/7
acl half10004 random 1/6
acl half10005 random 1/5
acl half10006 random 1/4
acl half10007 random 1/3
acl half10008 random 1/2
acl half10009 random 1/1



as  you see above the ACLS above should be matching single values not multiple 
values .

and when i get multiple headers replies it doesnt satisfying my needs .


what do you think amos ?


Thanks again 


> On 17 Jul 2019, at 14:42, Amos Jeffries  wrote:
> 
> On 17/07/19 9:41 pm, --Ahmad-- wrote:
>> Hi Alex, 
>> acl half1 random 1/10
>> acl half10001 random 1/9
>> acl half10002 random 1/8
>> acl half10003 random 1/7
>> acl half10004 random 1/6
>> acl half10005 random 1/5
>> acl half10006 random 1/4
>> acl half10007 random 1/3
>> acl half10008 random 1/2
>> acl half10009 random 1/1
>> 
>> reply_header_add start "A" half1
>> reply_header_add start "B" half10001
>> reply_header_add start "C" half10002
>> reply_header_add start "D" half10003
>> reply_header_add start "E" half10004
>> reply_header_add start "

Re: [squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-17 Thread --Ahmad--
Hi Alex, 
acl half1 random 1/10
acl half10001 random 1/9
acl half10002 random 1/8
acl half10003 random 1/7
acl half10004 random 1/6
acl half10005 random 1/5
acl half10006 random 1/4
acl half10007 random 1/3
acl half10008 random 1/2
acl half10009 random 1/1

reply_header_add start "A" half1
reply_header_add start "B" half10001
reply_header_add start "C" half10002
reply_header_add start "D" half10003
reply_header_add start "E" half10004
reply_header_add start "F" half10005
reply_header_add start "G" half10006
reply_header_add start "H" half10007
reply_header_add start "I" half10008
reply_header_add start "J" half10009
##
tcp_outgoing_address 12.13.100.1 half1
tcp_outgoing_address 12.13.100.2 half10001
tcp_outgoing_address 12.13.100.3 half10002
tcp_outgoing_address 12.13.100.4 half10003
tcp_outgoing_address 12.13.100.5 half10004
tcp_outgoing_address 12.13.100.6 half10005
tcp_outgoing_address 12.13.100.7 half10006
tcp_outgoing_address 12.13.100.8 half10007
tcp_outgoing_address 12.13.100.9 half10008
tcp_outgoing_address 12.13.100.10 half10009



 curl -x 12.13.100.250:2000-U hi:hi  ifconfig.io  -v

* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: G
< start: F
< start: E
< start: E
< 
12.13.100.2 
* Connection #0 to host 12.13.100.250 left intact



another Hit :


 curl -x 12.13.100.250:2000-U hi:hi  ifconfig.io  -v

* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: F
< start: A
< start: J
< start: I
< 
12.13.100.6



so as you see above , i have multiple replied headers not single one .
and the replied header even are wrong .
so wrong multiple results i do receive .


my questions is :

1- why multiple replies do we receive not single reply ?
2- why the received replies are wrong , i expect single reply based on my 
random acls we setup . ?

do we need other stuff with random acl to have it work with header directive ?




Thank You 


> On 17 Jul 2019, at 7:10, Alex Rousskov  
> wrote:
> 
> On 7/16/19 6:11 PM, --Ahmad-- wrote:
> 
>> Possible to user reply_header_add directive with acl random access list?
> 
> Yes, it is possible.
> 
> 
>> i read that reply_header_add only need fast acl and im not sure if random 
>> acl is fast/slow
> 
> The random ACL is fast. GitHub pull requests that add that missing info
> to the random ACL documentation in src/cf.data.pre are welcomed.
> https://wiki.squid-cache.org/MergeProcedure
> 
> Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
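
The two symptoms reported in this thread (several Start headers per reply, then a single header that does not correspond to the outgoing address) can be reproduced with a small model. The Python simulation below is an added example, not code from the posts or from Squid; it uses the five-rule configuration from the thread and assumes that each `random` ACL is drawn afresh every time a directive evaluates it and that `tcp_outgoing_address` stops at its first matching line. All function names are illustrative.

```python
import random
from collections import Counter

# Constructed model of the five-rule configuration posted in the thread:
# (Start header value, tcp_outgoing_address, probability of the rule's random ACL).
LADDER = [
    ("a", "12.13.200.10", 1 / 5),
    ("B", "12.13.200.11", 1 / 4),
    ("C", "12.13.200.12", 1 / 3),
    ("D", "12.13.200.13", 1 / 2),
    ("E", "12.13.200.14", 1 / 1),
]


def all_matches(rng):
    """Test every rule; each one that matches counts (no stop at first match)."""
    return [i for i, (_, _, p) in enumerate(LADDER) if rng.random() < p]


def first_match(rng):
    """Walk the rules in order and stop at the first whose random ACL matches."""
    for i, (_, _, p) in enumerate(LADDER):
        if rng.random() < p:
            return i
    raise RuntimeError("unreachable: the last rule has probability 1/1")


def mean_headers_without_stop(n=20000, seed=1):
    """Average number of Start headers when every matching rule adds one."""
    rng = random.Random(seed)
    return sum(len(all_matches(rng)) for _ in range(n)) / n


def rule_shares(n=20000, seed=2):
    """Share of transactions per rule under first-match: 1/5, 1/4, ... is uniform."""
    rng = random.Random(seed)
    counts = Counter(first_match(rng) for _ in range(n))
    return [counts[i] / n for i in range(len(LADDER))]


def observe(shared, n=20000, seed=3):
    """Record which Start value is seen with which outgoing address.

    shared=False: the header rules and the address rules each walk the ladder
                  with their own random draws (the configuration in the thread).
    shared=True:  one draw per transaction, and both results derive from it.
    """
    rng = random.Random(seed)
    seen = {addr: Counter() for _, addr, _ in LADDER}
    for _ in range(n):
        addr_rule = first_match(rng)
        hdr_rule = addr_rule if shared else first_match(rng)
        seen[LADDER[addr_rule][1]][LADDER[hdr_rule][0]] += 1
    return seen


def agreement(seen):
    """Fraction of transactions whose header is the one intended for the address."""
    intended = {addr: hdr for hdr, addr, _ in LADDER}
    total = sum(sum(c.values()) for c in seen.values())
    good = sum(c[intended[addr]] for addr, c in seen.items())
    return good / total


if __name__ == "__main__":
    print("mean Start headers without a stop:", mean_headers_without_stop())
    print("first-match share per rule:", rule_shares())
    for shared in (False, True):
        seen = observe(shared)
        print("shared draw" if shared else "independent draws",
              "-> agreement", round(agreement(seen), 3))
        for addr, headers in seen.items():
            print("  ", addr, dict(headers))
```

With independent draws every address appears with all five header values and the pair is right only about one time in five, which is the mismatch shown in the curl tests.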


[squid-users] Possible to user reply_header_add directive with acl random access list ?

2019-07-16 Thread --Ahmad--
Hello folks ,
want to ask .
Possible to user reply_header_add directive with acl random access list ?

i read that reply_header_add only need fast acl and im not sure if random acl 
is fast/slow based on below :

http://www.squid-cache.org/Doc/config/reply_header_add/
and
https://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs

so indeed i would like i can match reply_header_add with some random acls .

i tried some samples and i got an unexpected/Wrong results .

let me know your thoughts for that issue .

kind regards 



Re: [squid-users] tcp_outgoing_address acl based on - incoming header Flag

2019-07-15 Thread --Ahmad--
Hi Alex Thank you very much .


i ask is it possible we have it as variable ?

and tcp_outgoing_address to match acl as variable header from incoming packs ?



> On 15 Jul 2019, at 22:00, Alex Rousskov  
> wrote:
> 
> acl requestsWithStartEqual1p1p1p1 req_header Start ^1[.]1[.]1[.]1$
>  ...
>  tcp_outgoing_address 1.1.1.1 requestsWithStartEqual1p1p1p1



[squid-users] tcp_outgoing_address acl based on - incoming header Flag

2019-07-15 Thread --Ahmad--
Hello Team .

i want to ask how can i adapt external ip address in squid based on incoming 
requests .

say i have squid with ips :
1.1.1.1
2.2.2.2
3.3.3.3

##

a client with src ip 192.168.1.200 will connect to squid port 3128 .
client will initiate a header called start with value = 1.1.1.1

how can i let squid make tcp_outgoing_address with the value in the incoming 
header  ?

can i put the value of incoming header as acl  variable and get it 
tcp_outgoing_address as variable ?


note that incoming requests only numeric values IPV4 string .


Thanks 



Re: [squid-users] allowing headers per ip and block headers on others

2019-07-13 Thread --Ahmad--


i want it when squid access / contact with 1.2.3.4


Thanks 



> On 13 Jul 2019, at 12:36, Matus UHLAR - fantomas  wrote:
> 
> when accessing 1.2.3.4 or when your client is 1.2.3.4?



[squid-users] allowing headers per ip and block headers on others

2019-07-13 Thread --Ahmad--
hello folks .

say i have a set of rules to block some certain types of headers  as below :

header_access Pragma deny all
header_access Keep-Alive deny all


but i want those above two headers allowed when accessing ip 1.2.3.4

is my config below is correct ? i tested but didn’t work 

acl allowip src 1.2.3.4
##
header_access Pragma allow allowip all
header_access Keep-Alive allow allowip all
header_access Pragma deny all
header_access Keep-Alive deny all
###


any idea ?


Thanks 


Re: [squid-users] Useragent request/reply headers with squid .

2019-06-15 Thread --Ahmad--
OK, if my question is not suitable or dangerous, I do apologise.

I will try to google it myself.


Thank you for your time .






> On 15 Jun 2019, at 12:41, Antony Stone  
> wrote:
> 
> On Saturday 15 June 2019 at 11:37:29, --Ahmad-- wrote:
> 
>> Guys im just trying to understand HTTP protocol and squid as GW for
>> internet .
> 
> Hm, "understand" or "break" :) ?
> 
>> i just want to know how can squid deal with headers .
> 
> You *have* read the warning / advice at
> http://www.squid-cache.org/Doc/config/request_header_access/
> "Doing this VIOLATES the HTTP standard.  Enabling this feature could make you 
> liable for problems which it causes." ?
> 
>> i just want to know how can squid prevent useragent from browser being sent
>> to website
> 
> Why?  What is your purpose for this?
> 
> 
> Antony.
> 
> -- 
> I still maintain the point that designing a monolithic kernel in 1991 is a 
> fundamental error.  Be thankful you are not my student.  You would not get a 
> high grade for such a design :-)
> - Andrew Tanenbaum to Linus Torvalds
> 
>   Please reply to the list;
> please *don't* CC me.


Re: [squid-users] Useragent request/reply headers with squid .

2019-06-15 Thread --Ahmad--
Guys, I'm just trying to understand the HTTP protocol and squid as a GW for the internet.

I just want to know how squid can deal with headers.

I just want to know how squid can prevent the useragent from the browser being sent to 
the website.

Thanks 




> On 15 Jun 2019, at 12:10, Walter H.  wrote:
> 
> On 15.06.2019 10:57, --Ahmad-- wrote:
>> 
>> Hello Folks ,
>> 
>> I'm trying to stop user agent info from being leaked out of squid using:
>> 
>> request_header_access User-Agent deny all
>> reply_header_access User-Agent deny all
>> 
>> squid version 3.5.x
>> 
> the reply_header_access is senseless, remove it
> and add the following
> 
> request_header_replace User-Agent Mozilla/5.0
> 
> but be aware the mass of website admins might rely on this, and you would not 
> get a reply anyway ...


[squid-users] Useragent request/reply headers with squid .

2019-06-15 Thread --Ahmad--
Hello Folks ,

I'm trying to stop user agent info from being leaked out of squid using:

request_header_access User-Agent deny all
reply_header_access User-Agent deny all

squid version 3.5.x


But when I test sending the user agent info via curl, it seems squid is not 
removing it and is passing it to the server:

curl -x x.x.x.x:19000 -U pass:pass -X POST \
  https://uploadbeta.com/api/parse-user-agent/ -d \
  "s=nUser-Agent:%20Mozilla/4.0%20(compatible;%20MSIE%207.0;%20linux%20NT%206.1)"

result --> {"platform":"linux","browser":"MSIE","version":"7.0"}


As you see above, I tried with squid to disable the useragent, but in curl it seems 
squid leaked it.

Any idea why squid is leaking the useragent?



Thanks 



Re: [squid-users] High response times with Squid

2019-02-14 Thread Ahmad, Sarfaraz
Thanks for all the pointers :) I figured it out. Seamless.com's PTR lookups are 
slow and end up in SERVFAIL. 
And that was causing the delay here. I purged that ACL and it's all good.


-Original Message-
From: Amos Jeffries  
Sent: Friday, February 15, 2019 9:24 AM
To: Ahmad, Sarfaraz ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] High response times with Squid

On 14/02/19 11:38 pm, Ahmad, Sarfaraz wrote:
> Hi again,
> I made some progress on this.
> To reiterate, I am peeking at the SNI and then bump all connections to 
> the origin server in context of this problem. ( the origin server is 
> seamless.com )
> 
> Here are the new findings ,
> 1) The 20sec lag is noticed even when I splice the connection.
> 2) It 99% has to do with the following slow ACL acl.
> 
> acl deny_explicit_dstdomain dstdomain 
> "/etc/squid/acls/deny_explicit_dstdomain"
> 
> I see PTR lookups failing when Squid tries to validate my ACLs. When I 
> disable that ACL, the 20second lag is gone. So I am pretty confident that 
> subsequent PTR lookups are causing the delay here.
> I don't see a configuration directive with which I can configure how many 
> times Squid retries the lookup.
> I see one that sets the timeout though (dns_timeout  defaults 30 seconds).
> 
> Could you guys give me some pointers on what could be happening here ?

Only repeat back to you what you have described to us ... DNS PTR lookups are 
slow.

Your squid.conf is needed to know where those lookups are happening and see if 
any can be avoided.

Amos


Re: [squid-users] High response times with Squid

2019-02-14 Thread Ahmad, Sarfaraz
Hi again,
I made some progress on this.
To reiterate, I am peeking at the SNI and then bump all connections to the 
origin server in context of this problem. ( the origin server is seamless.com )

Here are the new findings ,
1) The 20sec lag is noticed even when I splice the connection.
2) It 99% has to do with the following slow ACL acl.

acl deny_explicit_dstdomain dstdomain "/etc/squid/acls/deny_explicit_dstdomain"

I see PTR lookups failing when Squid tries to validate my ACLs. When I disable 
that ACL, the 20second lag is gone. So I am pretty confident that subsequent 
PTR lookups are causing the delay here.
I don't see a configuration directive with which I can configure how many times 
Squid retries the lookup.
I see one that sets the timeout though (dns_timeout  defaults 30 seconds).

Could you guys give me some pointers on what could be happening here ?

Regards,
Ahmad


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Saturday, February 9, 2019 10:20 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] High response times with Squid

On 8/02/19 7:30 pm, Ahmad, Sarfaraz wrote:
> Hi,
> 
>  
> 
> I am using Squid 4.5 with WCCP. Intercepting SSL by peeking at step1 
> and then deciding to either splice or bump upon the SNI.
> 
> I am noticing a weird behavior for some of my TCP connections.  Squid 
> is taking over 20s to decide what do with the ClientHello sent by the 
> browser. It is only after 20s that it decides to send out a 
> ClientHello to the origin server and at the same time reply to the 
> client with a ServerHello.
> 
> This behavior is hard to reproduce and only some clients are affected.
> 
>  
> 
> I will try to summarize what I see in cache.log with ALL, 6 debug options.
> 
>  
> 
> 1)  Squid's INTERCEPTION thread/program receives a TCP SYN from 
> workstation.
> 
> 2019/02/06 17:23:19.070 kid1| 89,5| Intercept.cc(405) Lookup: address
> BEGIN: me/client= *:*23129, destination/me=
> *:*58232
> 

No. This is looking up the original TCP dst-IP:port in the kernel NAT tables.


>  
> 
> 2)  Squid becomes the origin server and sets up the TCP connection.
> 

No. The local= log values are a simple statement of the TCP packet values 
received from the NAT system at (1). Squid is an MITM in this setup, so the 
client *thinks* it is talking to the origin.

Being an MITM Squid is designed to operate as transparently as possible, but at 
no time has the abilities of the origin server.


> 2019/02/06 17:23:19.070 kid1| 5,5| AsyncCall.cc(93) ScheduleCall:
> TcpAcceptor.cc(339) will call
> httpsAccept(local*=*:443
> remote=*:*58232 FD 40 flags=33, MXID_1101703) 
> [call34733258]
> 

...
> 
> 8)  No ServerHello has been sent back to the client yet, Squid 
> starts a TCP connection with the origin server
> 
> 2019/02/06 17:23:19.110 kid1| 5,4| AsyncJob.cc(123) callStart:
> Comm::ConnOpener status in: [ job2971439]
> 
> 2019/02/06 17:23:19.110 kid1| 5,5| ConnOpener.cc(350) doConnect:
> local=0.0.0.0 remote*=:*443 flags=1:
> Comm::OK - connected
> 
> 2019/02/06 17:23:19.110 kid1| 5,4| ConnOpener.cc(155) cleanFd:
> local=0.0.0.0 remote=<*ORIGIN_SERVER_ON_THE_INTERNET*>:443 flags=1 
> closing temp FD 50
> 
>  
> 
> 9)  Squid starts a TLS session with the remote/origin server, 
> sends the ClientHello. A total of 0.4 seconds in Squid sending 
> clienthello to origin server. This is probably when Squid decides to 
> send back the ServerHello to the browser.

Don't guess. Check.

Either you have step2 / client-first bumping - in which case the Squid 
serverHello would have been sent to the client at (7).

Or, you have step3 / server-first bumping - in which case Squid cannot send a 
serverHello to the client until it has received the origin's serverHello. Which 
still has not yet been received despite your trace ending here.

...
> 
> 2019/02/06 17:23:19.111 kid1| 83,5| PeerConnector.cc(123) initialize:
> local=**:44498 remote=**:443 
> FD
> 50 flags=1, session=0x14899390
> 
>  
> 
> So somewhere between Step 8 and Step 9, Squid is taking over 20s.
> 

There is only 1 millisecond between those steps.

The client connection was received at 17:23:19.070, your (9) finished at
17:23:19.111 -> so there is your 0.41 seconds. If there is any 20s gap for this 
transaction it is later in the log part you have not shown.


> 
> What could possibly be keeping it busy ?
> 

Other transactions? Nothing?

What is going on at (9) is *preparing* to send a TLS clientHello. At the point 
your log stops it still has not actually been written to the network.

There is actually still a good half of the SSl-Bump process to happen:
 - assemble the Squid clientHello bytes,
 - send that to origin
 - receive origin serverHello
 - valida

Re: [squid-users] Problem rtmp traffic through Squid

2019-02-13 Thread Ahmad, Sarfaraz
Did you add them to "safe_ports" acl ? ( assuming you have one )

Look here some more inputs,
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-conf-blocking-live-video-stream-td4680866.html



From: squid-users  On Behalf Of 
? ?? 
Sent: Wednesday, February 13, 2019 5:56 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Problem rtmp traffic through Squid

Hello! In our organization, we use squid proxy server. And we found a problem 
with viewing webinars that run on adobe Flash. Network engineers found out that 
rtmp traffic on port 1935 bypasses the proxy server, which is specified in the 
browser settings. In this connection, the site does not work media content. The 
same problem is covered on the Adobe website 
https://forums.adobe.com/thread/905051
Can you help with providing information on configuring squid to work with adobe 
Flash?


[squid-users] High response times with Squid

2019-02-07 Thread Ahmad, Sarfaraz
| client_side.cc(3324) startPeekAndSplice: 
Peek and splice at step2 done. Start forwarding the request!!!
2019/02/06 17:23:19.107 kid1| 17,3| FwdState.cc(340) Start: 
':443'



8)  No ServerHello has been sent back to the client yet, Squid starts a TCP 
connection with the origin server
2019/02/06 17:23:19.110 kid1| 5,4| AsyncJob.cc(123) callStart: Comm::ConnOpener 
status in: [ job2971439]
2019/02/06 17:23:19.110 kid1| 5,5| ConnOpener.cc(350) doConnect: local=0.0.0.0 
remote=:443 flags=1: Comm::OK - connected
2019/02/06 17:23:19.110 kid1| 5,4| ConnOpener.cc(155) cleanFd: local=0.0.0.0 
remote=:443 flags=1 closing temp FD 50


9)  Squid starts a TLS session with the remote/origin server, sends the 
ClientHello. A total of 0.4 seconds in Squid sending clienthello to origin 
server. This is probably when Squid decides to send back the ServerHello to the 
browser.
2019/02/06 17:23:19.110 kid1| 83,5| Session.cc(103) NewSessionObject: SSL_new 
session=0x14899390
2019/02/06 17:23:19.111 kid1| 83,5| bio.cc(616) squid_bio_ctrl: 0x1492ef80 
104(6001, 0x7ffc32a6e884)
2019/02/06 17:23:19.111 kid1| 83,5| Session.cc(162) CreateSession: link FD 50 
to TLS session=0x14899390
2019/02/06 17:23:19.111 kid1| 83,5| PeerConnector.cc(123) initialize: 
local=:44498 remote=:443 FD 50 
flags=1, session=0x14899390

So somewhere between Step 8 and Step 9, Squid is taking over 20s.

What could possibly be keeping it busy ?
I have external ACL helpers but they work just fine. Average service time is 
1ms. Squid is not even spawning all the helpers that it has been configured to 
(the upper limit is not exhausted).
DNS resolution is also good. All CPU/MEM resources look just fine and again 
this affects only a subset of the traffic.  I don't have the failure logs from 
when this actually happens.


UPDATE: This problem statement seems local to a few websites. Outside of the 
proxy, those websites load quite quickly, as is expected.

Any thoughts on where to look ?  other bits and pieces I could check ?  I have 
jumbo frames enabled (9000 bytes) but am running the proxies at L2 1500 MTU.

-Ahmad
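
Added example (not from the thread and not Squid code): a small Python checker for the timing question raised in this post. It parses cache.log debug lines, folds wrapped lines back together and lists the gaps between consecutive lines of the same worker; the sample lines are taken from the trace in this thread (abridged), and all function names are this example's own.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# cache.log lines taken from the trace in this thread, abridged.
# One entry is left wrapped across two lines, as mail clients tend to do.
SAMPLE_LOG = """\
2019/02/06 17:23:19.070 kid1| 89,5| Intercept.cc(405) Lookup: address BEGIN
2019/02/06 17:23:19.070 kid1| 5,5| AsyncCall.cc(93) ScheduleCall: TcpAcceptor.cc(339) will call httpsAccept
2019/02/06 17:23:19.107 kid1| 17,3| FwdState.cc(340) Start: ':443'
2019/02/06 17:23:19.110 kid1| 5,4| AsyncJob.cc(123) callStart: Comm::ConnOpener status in: [ job2971439]
2019/02/06 17:23:19.110 kid1| 5,5| ConnOpener.cc(350) doConnect: local=0.0.0.0
remote=:443 flags=1: Comm::OK - connected
2019/02/06 17:23:19.110 kid1| 83,5| Session.cc(103) NewSessionObject: SSL_new session=0x14899390
2019/02/06 17:23:19.111 kid1| 83,5| PeerConnector.cc(123) initialize: local=:44498 remote=:443 FD 50 flags=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<kid>kid\d+)\| (?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<where>\S+\(\d+\)) (?P<msg>.*)$"
)

Entry = namedtuple("Entry", "ts kid section level where msg")


def parse_cache_log(text):
    """Parse debug lines; a line without a timestamp continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        raw = raw.rstrip()
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            entries.append(Entry(ts, m["kid"], int(m["section"]),
                                 int(m["level"]), m["where"], m["msg"]))
        elif entries and raw.strip():
            last = entries[-1]
            entries[-1] = last._replace(msg=last.msg + " " + raw.strip())
    return entries


def find_gaps(entries, threshold):
    """Return (gap, before, after) tuples, largest gap first.

    Gaps are measured between consecutive lines of the same worker (kidN),
    because lines from different workers interleave in one cache.log.
    """
    last_seen = {}
    gaps = []
    for entry in entries:
        prev = last_seen.get(entry.kid)
        if prev is not None and entry.ts - prev.ts >= threshold:
            gaps.append((entry.ts - prev.ts, prev, entry))
        last_seen[entry.kid] = entry
    return sorted(gaps, key=lambda g: g[0], reverse=True)


def elapsed(entries):
    """Wall-clock time covered by the excerpt."""
    return entries[-1].ts - entries[0].ts if entries else timedelta(0)


if __name__ == "__main__":
    log = parse_cache_log(SAMPLE_LOG)
    print("excerpt covers", elapsed(log))
    for gap, before, after in find_gaps(log, timedelta(milliseconds=30)):
        print(f"{gap} between {before.where} and {after.where}")
    if not find_gaps(log, timedelta(seconds=20)):
        print("no 20 s gap inside this excerpt; the delay is in lines not shown")
```

Run against the full cache.log for the affected connection, the largest gap shows which two debug lines bracket the stall.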





[squid-users] Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?

2018-11-30 Thread Ahmad, Sarfaraz
I think almost every time squid opens a TCP connection, it also tries to open a 
raw socket of type AF_NETLINK. Syscall pasted below.
All that I can make of this is that Squid is trying to engage with the 
iptables subsystem somehow?
I have SELinux enforcing and would like to know what Squid is trying to do 
before figuring out how to allow that.

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 90
socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied)

I am using WCCP and TLS interception with Squid 4.0.24 release. Everything 
works as expected except auditd is getting spammed with denial messages.
type=AVC msg=audit(1543478005.027:49455970): avc:  denied  { getattr } for  pid=13766 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_socket

Any thoughts ?



Re: [squid-users] want to change squid name

2018-10-03 Thread --Ahmad--
Dear Amos, that's not correct at all.

I no longer need help with my question.



I apologise if I caused any disturbance.

Thank you all, guys.



> On 3 Oct 2018, at 21:12, Amos Jeffries  wrote:
> 
> Let's be blunt then ...
> 
> Most of the things I see you asking about are ways to make the Squid
> software unidentifiable as being Squid.
> 
> Your earlier queries could be mistaken attempts to use Squid as an
> "anonymous proxy" for evading local legal issues.
> 
> 
> This request though is to obfuscate details right down to names of ABI
> symbols used when building Squid. Details which are only visible to the
> person or people compiling Squid, not even people looking at binary code
> of the built binaries ever see those names.
> 
> 
> The obvious conclusion one is led to by the extreme nature of that
> changing and the details you provided so far - is that you likely intend
> to take the Squid code and present it as some proprietary software of
> your own making. In direct violation of the GPL copyright and great
> disrespect for the many hundreds of contributors whose work has built
> Squid over the past 40 years.
> 
> Yet you are expecting our community of people who use and care about
> Squid to assist your doing such an action.
> 
> 
> Neither that nor other less likely scenarios I can think of give me any
> confidence that this is a reasonable way to spend my time. So no, I will
> not be helping you with this.
> 
> Amos



Re: [squid-users] want to change squid name

2018-10-03 Thread --Ahmad--
Guys, I apologise if I'm causing any disturbance.
Consider this question answered.

Thank you all for your time.

> On 3 Oct 2018, at 19:37, Amos Jeffries  wrote:
> 
> On 4/10/18 4:07 AM, --Ahmad-- wrote:
>> @Amos
>> 
>> can you help me ?
>> 
> 
> 
> @Ahmed, can you ask reasonable questions with supporting detail?
> 
> 
> Amos



Re: [squid-users] want to change squid name

2018-10-03 Thread --Ahmad--
I just want to have my own copy that I can run under my name that I put.


That's all.



> On 3 Oct 2018, at 19:37, Amos Jeffries  wrote:
> 
> On 4/10/18 4:07 AM, --Ahmad-- wrote:
>> @Amos
>> 
>> can you help me ?
>> 
> 
> 
> @Ahmed, can you ask reasonable questions with supporting detail?
> 
> 
> Amos



Re: [squid-users] want to change squid name

2018-10-03 Thread --Ahmad--
@Amos

can you help me ?


Thanks

> On 2 Oct 2018, at 10:40, Amos Jeffries  wrote:
> 
> On 2/10/18 7:02 PM, Alex Crow wrote:
>> What about this?
>> 
>> http://www.squid-cache.org/Doc/config/via/
>> 
> 
> Irrelevant?
> 
> Amos


Re: [squid-users] want to change squid name

2018-10-01 Thread --Ahmad--
@ Atenciosamente 


I'm not forcing you to give us help. BTW, thank you for your magic words!




> On 1 Oct 2018, at 23:08, Leonardo Rodrigues  wrote:
> 
> On 01/10/18 10:08, --Ahmad-- wrote:
>> i just need to have something not squid to run it on linux
>> 
>> i dont want squid
>> 
> 
> so don't run squid ?!?! If someone finding that you're running squid and 
> that's a problem to you, don't run it, period :)
> 
> 
> -- 
> 
> 
>   Atenciosamente / Sincerily,
>   Leonardo Rodrigues
>   Solutti Tecnologia
>   http://www.solutti.com.br
> 
>   Minha armadilha de SPAM, NÃO mandem email
>   gertru...@solutti.com.br
>   My SPAMTRAP, do not email it
> 
> 
> 


Re: [squid-users] want to change squid name

2018-10-01 Thread --Ahmad--
No problem at all, Antony.



I just want to try something new.

That's all.




> On 1 Oct 2018, at 16:52, Antony Stone  
> wrote:
> 
> On Monday 01 October 2018 at 15:08:37, --Ahmad-- wrote:
> 
>> i just need to have something not squid to run it on linux
>> 
>> i dont want squid
>> 
>> i want identical thing to all stuff
>> 
>> want to use other word than squid in footprints and config files
> 
> What problems does the word "Squid" create for you?
> 
> It's still not clear what you are trying to achieve by making such a change.
> 
> 
> Antony.
> 
>>> On 1 Oct 2018, at 1:50, Alex Rousskov wrote:
>>> 
>>> On 09/30/2018 12:55 PM, --Ahmad-- wrote:
>>>> i want to change everything in squid config files and rename it to
>>>> ahmad.
>>> 
>>> Generally useful Squid code modifications should be discussed on the
>>> squid-dev mailing list, not squid-users. The modification you are
>>> describing is not generally useful so it is probably out of Squid
>>> Project support scope.
>>> 
>>> However, if you formulate the actual problem you are trying to solve,
>>> then somebody on this mailing list may know a solution that does not
>>> include blind (and, in some cases, illegal) changes of Squid sources.
>>> 
>>> What are you trying to accomplish? In other words, what problem do you
>>> think replacing "squid" to "ahmad" in Squid sources would solve?
>>> 
>>> Alex.
> 
> -- 
> I want to build a machine that will be proud of me.
> 
> - Danny Hillis, creator of The Connection Machine
> 
>   Please reply to the list;
> please *don't* CC me.


Re: [squid-users] want to change squid name

2018-10-01 Thread --Ahmad--
I just need to have something that is not squid to run on linux.

I don't want squid.

I want an identical thing for all stuff.

I want to use a word other than squid in footprints and config files.

Can you help?



> On 1 Oct 2018, at 1:50, Alex Rousskov  
> wrote:
> 
> On 09/30/2018 12:55 PM, --Ahmad-- wrote:
> 
>> i want to change everything in squid config files and rename it to ahmad.
> 
> Generally useful Squid code modifications should be discussed on the
> squid-dev mailing list, not squid-users. The modification you are
> describing is not generally useful so it is probably out of Squid
> Project support scope.
> 
> However, if you formulate the actual problem you are trying to solve,
> then somebody on this mailing list may know a solution that does not
> include blind (and, in some cases, illegal) changes of Squid sources.
> 
> What are you trying to accomplish? In other words, what problem do you
> think replacing "squid" to "ahmad" in Squid sources would solve?
> 
> Alex.


[squid-users] want to change squid name

2018-09-30 Thread --Ahmad--
Hey folks,
my question may be a little bit crazy.

I want to change everything in squid config files and rename it to ahmad.

So I want to change everything in folders and files from squid to -> 
stinger, and have stinger conf files and run the instance as stinger instead of 
squid.

So I recursively changed everything and replaced squid with "stinger".



Here is what I did:

find /root/squid-3.5.22 -type f -exec sed -i -e 's/squid/stinger/g' {} \;
find /root/squid-3.5.22 -type f -exec sed -i -e 's/Squid/Stinger/g' {} \;
find /root/squid-3.5.22 -type f -exec sed -i -e 's/SQUID/STINGER/g' {} \;

find . -iname "*squid*" -exec rename squid stinger '{}' \;
find . -iname "*squid*" -exec rename squid stinger '{}' \;
find . -iname "*squid*" -exec rename Squid Stinger '{}' \;

###





But compilation gives me an error:



lo heap.lo iso3307.lo radix.lo rfc1035.lo rfc1123.lo rfc2671.lo rfc3596.lo 
Splay.lo stub_memaccount.lo util.lo xusleep.lo  
libtool: link: /usr/bin/ar cru .libs/libmiscutil.a .libs/MemPool.o 
.libs/MemPoolChunked.o .libs/MemPoolMalloc.o .libs/getfullhostname.o 
.libs/heap.o .libs/iso3307.o .libs/radix.o .libs/rfc1035.o .libs/rfc1123.o 
.libs/rfc2671.o .libs/rfc3596.o .libs/Splay.o .libs/stub_memaccount.o 
.libs/util.o .libs/xusleep.o 
libtool: link: ranlib .libs/libmiscutil.a
libtool: link: ( cd ".libs" && rm -f "libmiscutil.la" && ln -s 
"../libmiscutil.la" "libmiscutil.la" )
make[2]: Leaving directory `/root/squid-3.5.22/lib'
make[1]: Leaving directory `/root/squid-3.5.22/lib'
Making all in libltdl
make[1]: Entering directory `/root/squid-3.5.22/libltdl'
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /root/squid-3.5.22/cfgaux/missing 
aclocal-1.15 -I m4
/root/squid-3.5.22/cfgaux/missing: line 81: aclocal-1.15: command not found
WARNING: 'aclocal-1.15' is missing on your system.
 You should only need it if you modified 'acinclude.m4' or
 'configure.ac' or m4 files included by 'configure.ac'.
 The 'aclocal' program is part of the GNU Automake package:
 <http://www.gnu.org/software/automake>
 It also requires GNU Autoconf, GNU m4 and Perl in order to run:
 <http://www.gnu.org/software/autoconf>
 <http://www.gnu.org/software/m4/>
 <http://www.perl.org/>
make[1]: *** [aclocal.m4] Error 127
make[1]: Leaving directory `/root/squid-3.5.22/libltdl'
make: *** [all-recursive] Error 1
[root@li1802-227 squid-3.5.22]# 



any help ?











Re: [squid-users] Squid fails to bump where there are too many DNS names in SAN field

2018-09-05 Thread Ahmad, Sarfaraz
Tested with Squid-4.2 and ended with same results. 
How do we proceed here ?


-Original Message-
From: Alex Rousskov  
Sent: Tuesday, September 4, 2018 9:14 PM
To: Ahmad, Sarfaraz ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid fails to bump where there are too many DNS 
names in SAN field

On 09/04/2018 02:00 AM, Ahmad, Sarfaraz wrote:

> 2018/09/04 12:45:46.112 kid1| 24,5| BinaryTokenizer.cc(47) want: 520 more 
> bytes for Handshake.msg_body.octets occupying 16900 bytes @90 in 0xfa4d70;
> 2018/09/04 12:45:46.112 kid1| 83,5| PeerConnector.cc(451) noteWantRead: 
> local=10.240.180.31:43716 remote=103.243.13.183:443 FD 15 flags=1


Translation: Squid did not read enough data from the server to finish
parsing TLS server handshake. Squid needs to read at least 520 more
bytes from FD 15.


> Later on after about 10 secs

> 2018/09/04 12:45:58.124 kid1| 83,5| bio.cc(140) read: FD 12 read 0 <= 65535

And end-of-file on the wrong/different connection.


My recommendations remain the same, but please follow Amos advice and
upgrade to the latest v4 first.

Please note that I do _not_ recommend analyzing ALL,9 logs. On average,
such analysis by non-developers wastes more time than it saves.

Alex.
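
Added example (not from the thread and not Squid's parser): a Python sketch of the two-layer parse behind the "want: 520 more bytes" line discussed above. A TLSPlaintext fragment is capped at 16384 bytes, so a 16900-byte Certificate body cannot arrive in one record and the handshake layer must wait for the next one. The sample records are constructed with zero-filled bodies, sized to match the lengths and offsets in the quoted log; the class and function names are this example's own.

```python
import struct

TLS_HANDSHAKE = 22       # TLSPlaintext.type for handshake records
MAX_FRAGMENT = 16384     # 2**14, upper bound on TLSPlaintext.fragment.length
HANDSHAKE_TYPES = {2: "ServerHello", 11: "Certificate"}


class HandshakeReassembler:
    """Reassemble handshake messages that span several TLS records."""

    def __init__(self):
        self.wire = b""        # record-layer bytes not yet forming a full record
        self.handshake = b""   # handshake bytes not yet forming a full message

    def feed(self, data):
        """Add bytes read from the socket; return messages completed by them."""
        self.wire += data
        # Layer 1: peel off every complete TLSPlaintext record.
        while len(self.wire) >= 5:
            ctype, _major, _minor, length = struct.unpack_from("!BBBH", self.wire)
            if length > MAX_FRAGMENT:
                raise ValueError("record fragment exceeds 2**14 bytes")
            if len(self.wire) < 5 + length:
                break                      # record itself is still incomplete
            fragment = self.wire[5:5 + length]
            self.wire = self.wire[5 + length:]
            if ctype == TLS_HANDSHAKE:
                self.handshake += fragment
        # Layer 2: extract complete handshake messages (1-byte type, 3-byte length).
        done = []
        while len(self.handshake) >= 4:
            body_len = int.from_bytes(self.handshake[1:4], "big")
            if len(self.handshake) < 4 + body_len:
                break                      # body continues in a later record
            done.append((self.handshake[0], self.handshake[4:4 + body_len]))
            self.handshake = self.handshake[4 + body_len:]
        return done

    def missing(self):
        """Handshake bytes still needed for the message being reassembled."""
        if len(self.handshake) < 4:
            return 0
        body_len = int.from_bytes(self.handshake[1:4], "big")
        return 4 + body_len - len(self.handshake)


def handshake_msg(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def to_records(payload, version=(3, 3)):
    """Split handshake bytes into TLSPlaintext records of at most 2**14 bytes."""
    records = []
    for i in range(0, len(payload), MAX_FRAGMENT):
        frag = payload[i:i + MAX_FRAGMENT]
        records.append(struct.pack("!BBBH", TLS_HANDSHAKE, *version, len(frag)) + frag)
    return records


def sample_records():
    """Constructed server flight: an 86-byte ServerHello message, then a
    Certificate message whose body is 16900 bytes, as in the quoted log."""
    server_hello = handshake_msg(2, bytes(82))
    certificate = handshake_msg(11, bytes(16900))
    return to_records(server_hello) + to_records(certificate)


def replay(records):
    """Feed records one by one; report completed messages and bytes missing."""
    reassembler = HandshakeReassembler()
    trace = []
    for record in records:
        done = reassembler.feed(record)
        names = [HANDSHAKE_TYPES.get(t, t) for t, _ in done]
        trace.append((names, reassembler.missing()))
    return trace


if __name__ == "__main__":
    for names, missing in replay(sample_records()):
        print("completed:", names, "| still missing:", missing)
```

The second record carries 16384 bytes, of which 4 are the handshake header, leaving 16380 of the 16900 body bytes; the parser cannot finish until a further record delivers the remaining 520.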


Re: [squid-users] Squid fails to bump where there are too many DNS names in SAN field

2018-09-04 Thread Ahmad, Sarfaraz
Forgot to mention, this is with Squid-4.0.24.

-Original Message-
From: Ahmad, Sarfaraz 
Sent: Tuesday, September 4, 2018 1:04 PM
To: 'Amos Jeffries' ; squid-users@lists.squid-cache.org
Cc: 'rouss...@measurement-factory.com' 
Subject: RE: [squid-users] Squid fails to bump where there are too many DNS 
names in SAN field

With debug_options ALL,9 and retrieving just this page, I found the following 
relevant loglines (this is with an explicit CONNECT request) ,

2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(30) SBuf: SBuf6005084 created
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(65) got: 
TLSPlaintext.type=22 occupying 1 bytes @91 in 0xfa4d38;
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(65) got: 
TLSPlaintext.version.major=3 occupying 1 bytes @92 in 0xfa4d38;
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(65) got: 
TLSPlaintext.version.minor=3 occupying 1 bytes @93 in 0xfa4d38;
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(65) got: 
TLSPlaintext.fragment.length=16384 occupying 2 bytes @94 in 0xfa4d38;
2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(38) SBuf: SBuf6005085 created from 
id SBuf6005054
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(74) got: 
TLSPlaintext.fragment.octets= <16384 OCTET Bytes fit here> 
2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(70) ~SBuf: SBuf6005085 destructed
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(57) got: TLSPlaintext 
occupying 16389 bytes @91 in 0xfa4d38;
2018/09/04 12:45:46.112 kid1| 24,7| SBuf.cc(160) rawSpace: reserving 16384 for 
SBuf6005052
2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(886) cow: SBuf6005052 new size:16470
2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(857) reAlloc: SBuf6005052 new size: 
16470
2018/09/04 12:45:46.112 kid1| 24,9| MemBlob.cc(56) MemBlob: constructed, 
this=0x1dd2860 id=blob1555829 reserveSize=16470
2018/09/04 12:45:46.112 kid1| 24,8| MemBlob.cc(101) memAlloc: blob1555829 
memAlloc: requested=16470, received=16470
2018/09/04 12:45:46.112 kid1| 24,7| SBuf.cc(865) reAlloc: SBuf6005052 new store 
capacity: 16470
2018/09/04 12:45:46.112 kid1| 24,7| SBuf.cc(85) assign: assigning SBuf6005056 
from SBuf6005052
2018/09/04 12:45:46.112 kid1| 24,9| MemBlob.cc(82) ~MemBlob: destructed, 
this=0x1dd27a0 id=blob1555826 capacity=65535 size=8208
2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(30) SBuf: SBuf6005086 created
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(65) got: 
Handshake.msg_type=11 occupying 1 bytes @86 in 0xfa4d70;
2018/09/04 12:45:46.112 kid1| 24,7| BinaryTokenizer.cc(65) got: 
Handshake.msg_body.length=16900 occupying 3 bytes @87 in 0xfa4d70;
2018/09/04 12:45:46.112 kid1| 24,5| BinaryTokenizer.cc(47) want: 520 more bytes 
for Handshake.msg_body.octets occupying 16900 bytes @90 in 0xfa4d70;
2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(70) ~SBuf: SBuf6005086 destructed
2018/09/04 12:45:46.112 kid1| 24,8| SBuf.cc(70) ~SBuf: SBuf6005084 destructed
2018/09/04 12:45:46.112 kid1| 83,5| Handshake.cc(532) parseHello: need more data
2018/09/04 12:45:46.112 kid1| 83,7| bio.cc(168) stateChanged: FD 15 now: 0x1002 
23RSHA (SSLv2/v3 read server hello A)
2018/09/04 12:45:46.112 kid1| 83,5| PeerConnector.cc(451) noteWantRead: 
local=10.240.180.31:43716 remote=103.243.13.183:443 FD 15 flags=1
2018/09/04 12:45:46.112 kid1| 5,3| comm.cc(559) commSetConnTimeout: 
local=10.240.180.31:43716 remote=103.243.13.183:443 FD 15 flags=1 timeout 60
2018/09/04 12:45:46.112 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 15, type=1, 
handler=1, client_data=0x2818f58, timeout=0
2018/09/04 12:45:46.112 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0x2818f58
2018/09/04 12:45:46.112 kid1| 83,7| AsyncJob.cc(154) callEnd: 
Ssl::PeekingPeerConnector status out: [ FD 15 job194701]
2018/09/04 12:45:46.112 kid1| 83,7| AsyncCallQueue.cc(57) fireNext: leaving 
Security::PeerConnector::negotiate()
Later on after about 10 secs

2018/09/04 12:45:58.124 kid1| 83,7| AsyncJob.cc(123) callStart: 
Ssl::PeekingPeerConnector status in: [ FD 12 job194686]
2018/09/04 12:45:58.124 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0xf67698
2018/09/04 12:45:58.124 kid1| 83,5| PeerConnector.cc(187) negotiate: 
SSL_connect session=0x122c430
2018/09/04 12:45:58.124 kid1| 24,7| SBuf.cc(160) rawSpace: reserving 65535 for 
SBuf6002798
2018/09/04 12:45:58.124 kid1| 24,8| SBuf.cc(886) cow: SBuf6002798 new size:82887
2018/09/04 12:45:58.124 kid1| 24,8| SBuf.cc(857) reAlloc: SBuf6002798 new size: 
82887
2018/09/04 12:45:58.124 kid1| 24,9| MemBlob.cc(56) MemBlob: constructed, 
this=0x1dd27a0 id=blob1555830 reserveSize=82887
2018/09/04 12:45:58.124 kid1| 24,8| MemBlob.cc(101) memAlloc: blob1555830 
memAlloc: requested=82887, received=82887
2018/09/04 12:45:58.124 kid1| 24,7| SBuf.cc(865) reAlloc: SBuf6002798 new store 
capacity: 82887
2018/09/04 12:45:58.124 kid1| 24,8| SBuf.cc(139) rawAppendStart: SBuf6002798 
start appending up to 65535 bytes
2018/09/04 12:45:58.124 kid1| 83,5| bio.cc(140) read: FD 12 read 0 <= 65535
2018/09

Re: [squid-users] Squid fails to bump where there are too many DNS names in SAN field

2018-09-04 Thread Ahmad, Sarfaraz
llocating 0x110b508
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0x17c3f18
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0x17c3f18
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0x17c3f18
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0x17c3f18
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(351) cbdataInternalLock: 
0x110b508=1
2018/09/04 12:45:58.125 kid1| 83,5| PeerConnector.cc(559) callBack: TLS setup 
ended for local=10.240.180.31:43674 remote=103.243.13.183:443 FD 12 flags=1
2018/09/04 12:45:58.125 kid1| 5,5| comm.cc(1030) comm_remove_close_handler: 
comm_remove_close_handler: FD 12, AsyncCall=0x1635fc0*2
2018/09/04 12:45:58.125 kid1| 9,5| AsyncCall.cc(56) cancel: will not call 
Security::PeerConnector::commCloseHandler [call2844544] because 
comm_remove_close_handler
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0x1f6b778
2018/09/04 12:45:58.125 kid1| 17,4| AsyncCall.cc(93) ScheduleCall: 
PeerConnector.cc(572) will call FwdState::ConnectedToPeer(0x1f6b778, 
local=10.240.180.31:43674 remote=103.243.13.183:443 FD 12 flags=1, 
0x110b508/0x110b508) [call2844542]
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(419) cbdataReferenceValid: 
0xf67698
2018/09/04 12:45:58.125 kid1| 93,5| AsyncJob.cc(139) callEnd: 
Security::PeerConnector::negotiate() ends job [ FD 12 job194686]
2018/09/04 12:45:58.125 kid1| 83,5| PeerConnector.cc(48) ~PeerConnector: 
Security::PeerConnector destructed, this=0xf67698
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(383) cbdataInternalUnlock: 
0xf67698=2
2018/09/04 12:45:58.125 kid1| 45,9| cbdata.cc(383) cbdataInternalUnlock: 
0xf67698=1
2018/09/04 12:45:58.125 kid1| 93,5| AsyncJob.cc(40) ~AsyncJob: AsyncJob 
destructed, this=0xf67750 type=Ssl::PeekingPeerConnector [job194686]

Again, as this is with an explicit CONNECT request, I do get ERR_CANNOT_FORWARD, 
and that error page uses a certificate signed for www.extremetech.com by my 
internal CA without anything in the SAN field, so I am guessing ssl_crtd isn't 
crashing here, unlike in the previous bug report.
Anything from these log lines?

Regards,
Sarfaraz


-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Tuesday, September 4, 2018 10:10 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid fails to bump where there are too many DNS 
names in SAN field

On 4/09/18 10:39 AM, Alex Rousskov wrote:
> On 09/03/2018 01:34 AM, Ahmad, Sarfaraz wrote:
> 
>> interception/MITM appears to fail where remote certificates from 
>> origin servers have way too many dnsnames in the SAN field.
>>
>> I have noticed this behavior with at least these 2 websites. In both 
>> the cases, my setup would be bumping the connections.
>>
>> https://www.pcmag.com/
>> https://www.extremetech.com/
> 
>> I will have to file a bug ?
> 

Does it look like a recurrence of this bug?
 <https://bugs.squid-cache.org/show_bug.cgi?id=3665>

We did not have concrete confirmation that the exact issue was permanently 
gone; it may have just been shifted to larger, more obscure SAN field values.


Amos


[squid-users] Squid fails to bump where there are too many DNS names in SAN field

2018-09-03 Thread Ahmad, Sarfaraz
Hi,

I am using Squid in an interception role with WCCP.
I am peeking at Step1 to read the SNI and determining whether to splice or bump.

That interception/MITM appears to fail where remote certificates from origin 
servers have way too many dnsnames in the SAN field.
I have noticed this behavior with at least these 2 websites. In both the cases, 
my setup would be bumping the connections. (Obviously otherwise we won't be 
having this problem with splicing.)

https://www.pcmag.com/
https://www.extremetech.com/


The RFC doesn't set an upper bound on the number of dnsnames you can set in the 
SAN field.
If I splice these domains/URLs, browsers don't complain either. So this seems 
local to Squid.

Points to note:

1)  Even though openssl s_client can connect/negotiate just fine, Squid 
doesn't.

2)  This is the behavior that I gather from a packet capture.

a.   My client (say a workstation XYZ) tried to connect to 
103.243.13.183:443 (That is https://www.extremetech.com)

b.   WCCP ships packet to the proxy over GRE tunnel and a TCP connection 
with the proxy acting as the origin server is established.

c.   XYZ sends ClientHello to the proxy.

d.   Squid starts conversing with the origin server and sends a ClientHello.

e.   Origin server replies with ServerHello, ServerKeyExchange, Certificate 
packets, Squid just waits endlessly.

f.   The client, XYZ, ends up sending a FIN packet after ClientHello, 
since Squid doesn't revert back with a ServerHello.

I will have to file a bug ?

Regards,
Sarfaraz






[squid-users] internet squid with https and just for domain resolution not for caching or so

2018-08-31 Thread --Ahmad--
Dear Folks,

I ask here:

if I want to enable Squid in intercept/transparent or transparent TCP_connect, 

I don't want to decrypt the message.

All I need: say a client requested google.com.

I can send the packet from the router to the proxy server via PBR or so, and all 
I need is for Squid to intercept this message and do the name resolution, and 
based on it, it has the tcp_outgoing address as an IPv6 address.

Again, I don't want any certificate error or so.

Possible?





[squid-users] tcp_miss_aborted driving me crazy !

2018-08-21 Thread --Ahmad--

Hello Folks:

I have frequent downtime on a website that I am using with IPv6 outgoing 
addresses.
In the logs below, as you can see, some requests have TCP_MISS and some have 
problems, shown as TCP_MISS_ABORTED.

The TCP_MISS_ABORTED entries seem to be failed requests, and I don't know what 
is wrong there, as long as I see that the website's name is resolved and we can 
ping it.

Based on the logs below, the website IP address is 
2400:cb00:2048:1::681b:99de


21/Aug/2018:16:26:42 -0400   5575 94.130.239.213 36722 184.75.223.131 13071 
TCP_MISS/200 425 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:42 -0400   5673 94.130.239.213 52172 184.75.223.131 13022 
TCP_MISS/200 425 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:42 -0400   5673 94.130.239.213 43942 184.75.223.131 13026 
TCP_MISS/200 425 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:42 -0400   5673 94.130.239.213 49560 184.75.223.131 13010 
TCP_MISS/200 425 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:42 -0400   5673 94.130.239.213 37166 184.75.223.131 13001 
TCP_MISS/200 425 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:42 -0400   5673 94.130.239.213 47320 184.75.223.131 13015 
TCP_MISS/200 425 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:42 -0400   5707 94.130.239.213 60090 184.75.223.131 13016 
TCP_MISS/200 425 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:36 -0400  38905 94.130.239.213 38342 184.75.223.131 11807 
TCP_MISS_ABORTED/0 0 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:36 -0400  38884 94.130.239.213 39622 184.75.223.131 11718 
TCP_MISS_ABORTED/0 0 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:36 -0400  38843 94.130.239.213 40526 184.75.223.131 11852 
TCP_MISS_ABORTED/0 0 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:36 -0400  38781 94.130.239.213 42524 184.75.223.131 11893 
TCP_MISS_ABORTED/0 0 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:36 -0400  38724 94.130.239.213 48742 184.75.223.131 11552 
TCP_MISS_ABORTED/0 0 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 
21/Aug/2018:16:26:35 -0400  38656 94.130.239.213 55278 184.75.223.131 11913 
TCP_MISS_ABORTED/0 0 GET http://extlikes.org/ip.php - HIER_DIRECT/ extlikes.org 
2400:cb00:2048:1::681b:99de 



As you see above, some requests go OK and others don't, and I hope to find an 
explanation of why the TCP_MISS_ABORTED occurs, as long as I can ping it from an 
IPv6 address.
My outgoing addresses are IPv6.

All are pure IPv6 addresses.

Looking forward to your help.

Kind regards


Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

2018-08-07 Thread Ahmad, Sarfaraz
>> Your guess is wrong. The TCP level setup is only between Squid and the 
>> client. It has to have completed before the TLS stuff can begin.
So when does Squid start setting up the TCP connection with the origin server ? 
After setting up a TCP connection with client and identifying it to be TLS ? 

What would this log message likely mean then ? I was reading that as 78477ms 
was the time it took for Squid to connect to 173.194.142.186 on port 443 and 
Squid and client(not the origin server) had already established a TCP 
connection beforehand (while it(squid) tries connecting to the remote server on 
port 443).
1533612202.312  78477  NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 - 
HIER_NONE/- -

That would imply two things.
1) It took a lot of time for clients to set up a TCP connection with Squid 
given Chrome's dev tools 
2) Second, Squid took a while to establish a connection with origin server. 

Moreover, my ICAP settings look like this,
icap_service localicap reqmod_precache icap://127.0.0.1:1345/reqmod bypass=on 
routing=off on-overload=wait

ICAP would come into the picture only after I see a GET request in the 
access.log, right? 

Regards,
Sarfaraz

-Original Message-
From: Amos Jeffries  
Sent: Tuesday, August 7, 2018 9:04 PM
To: Ahmad, Sarfaraz ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response 
time but the internet access itself looks okay

On 08/08/18 02:14, Ahmad, Sarfaraz wrote:
> I cannot reproduce this. This is intermittent.  In Chrome's dev tools, 
> it appeared to take over 20 secs to setup the TCP connection.
> I am SSL bumping all TLS connections unless they match certain ACLs.
> So it is safe to assume that the vast majority of the traffic was 
> bumped.
> 
> I don't see any TLS handshake failure messages in cache.log. I think 
> the access.log messages I posted earlier are fake CONNECT requests 
> created using TCP-level info (the response time logged there is 
> directly proportionate to what I see in Chrome's dev tools). Guessing 
> that Squid would send TCP SYN-ACK only after it receives SYN-ACK from 
> remote/origin server.

Your guess is wrong. The TCP level setup is only between Squid and the client. 
It has to have completed before the TLS stuff can begin.

The first fake-CONNECT is done after TCP connection setup to see whether the 
client is allowed to perform TLS inside it - and how Squid handles that TLS.


> I don’t think ICAP(reqmod) would come into the picture yet either 
> (assuming that even the TCP connections have not been set up yet) so 
> that is safe to rule out. Am I right here ?

You are right about that in relation to TCP.

But TCP is already over and done with by the time the fake-CONNECT gets 
generated. So wrong about ICAP's lack of involvement - it may (or not) be.

NP: The only thing fake about the early CONNECT's is that the client did not 
actually generate it. They are handled in Squid same as a regular CONNECT 
message would be.

Amos


Re: [squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

2018-08-07 Thread Ahmad, Sarfaraz
I cannot reproduce this. This is intermittent.  In Chrome's dev tools, it 
appeared to take over 20 secs to setup the TCP connection.
I am SSL bumping all TLS connections unless they match certain ACLs. So it is 
safe to assume that the vast majority of the traffic was bumped.

I don't see any TLS handshake failure messages in cache.log. I think the 
access.log messages I posted earlier are fake CONNECT requests created using 
TCP-level info (the response time logged there is directly proportionate to 
what I see in Chrome's dev tools). Guessing that Squid would send TCP SYN-ACK 
only after it receives SYN-ACK from remote/origin server.
I don’t think ICAP(reqmod) would come into the picture yet either (assuming 
that even the TCP connections have not been set up yet) so that is safe to rule 
out. Am I right here ?

Also restarting squid service fixed this.  I had a python script running in the 
background that was able to GET a webpage using requests module(timeout set to 
30) but Squid apparently couldn't even set up a TCP connection.

- Sarfaraz



-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Tuesday, August 7, 2018 6:04 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid returns NONE_ABORTED/000 and high response 
time but the internet access itself looks okay

On 07/08/18 21:55, Ahmad, Sarfaraz wrote:
> Hi,
> 
>  
> 
> I am WCCPv2 for redirecting traffic to Squid.
> 

Squid version?

> Intermittently I see these messages in access.log and the internet for 
> clients goes away.
> 
>  
> 
> 1533612202.312  79102  NONE_ABORTED/000 0 CONNECT 
> 198.22.156.64:443
> - HIER_NONE/- -
> 
> 1533612202.312  82632  NONE_ABORTED/000 0 CONNECT
> 173.194.142.186:443 - HIER_NONE/- -
> 
> 1533612202.312  16030  NONE_ABORTED/000 0 CONNECT 
> 172.217.15.67:443
> - HIER_NONE/- -
> 
> 1533612202.312  78477  NONE_ABORTED/000 0 CONNECT
> 173.194.142.186:443 - HIER_NONE/- -
> 
>  
> 
> But I can access internet on the host running squid itself just fine 
> yet Squid reports those messages with high response times (the second column).
> 
...>  
> 
> We use an ICAP service. Could that play a role here ?

A lot of things *might* play a role there.

> 
> Any thoughts ?

Trace the traffic.

What did the client actually send to Squid?
  It's probably not a port-80 style CONNECT request.

What does Squid send back to the client?

Does Squid complete the TLS handshake?

What are your SSL-Bump settings?


Amos


[squid-users] Squid returns NONE_ABORTED/000 and high response time but the internet access itself looks okay

2018-08-07 Thread Ahmad, Sarfaraz
Hi,

I am using WCCPv2 for redirecting traffic to Squid.
Intermittently I see these messages in access.log and the internet for clients 
goes away.

1533612202.312  79102  NONE_ABORTED/000 0 CONNECT 198.22.156.64:443 - 
HIER_NONE/- -
1533612202.312  82632  NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 - 
HIER_NONE/- -
1533612202.312  16030  NONE_ABORTED/000 0 CONNECT 172.217.15.67:443 - 
HIER_NONE/- -
1533612202.312  78477  NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 - 
HIER_NONE/- -

But I can access internet on the host running squid itself just fine yet Squid 
reports those messages with high response times (the second column).
I gather from 
http://lists.squid-cache.org/pipermail/squid-users/2016-February/009295.html 
that HIER_NONE implies no remote server was contacted. (or could be contacted ?)

Note: I replaced internal IP addresses with  tag. Please don't get confused.

We use an ICAP service. Could that play a role here ?
Any thoughts ?

Regards,
Sarfaraz
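
Added example, not part of the original post and not Squid project code: a Python triage of the access.log records quoted in this message, listing intercepted CONNECTs that were aborted with HIER_NONE after a long elapsed time (the second column). It assumes Squid's native log layout and copes with the redacted client field and the mail client's line wrapping; the function names, the 10-second threshold and the fifth record (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The four records from the post, wrapped as the mail client wrapped them and
# with the client address already redacted, plus one CONSTRUCTED tunnel record
# (documentation-range addresses) for contrast.
SAMPLE = """\
1533612202.312  79102  NONE_ABORTED/000 0 CONNECT 198.22.156.64:443 -
HIER_NONE/- -
1533612202.312  82632  NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 -
HIER_NONE/- -
1533612202.312  16030  NONE_ABORTED/000 0 CONNECT 172.217.15.67:443 -
HIER_NONE/- -
1533612202.312  78477  NONE_ABORTED/000 0 CONNECT 173.194.142.186:443 -
HIER_NONE/- -
1533612210.100    412 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT 198.51.100.7:443 -
ORIGINAL_DST/198.51.100.7 -
"""

# Native access.log layout; the client field is optional because it was redacted.
LINE = re.compile(
    r"(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?:(?P<client>\S+)\s+)?"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)

def unwrap(text):
    """Re-join wrapped records: a new record starts with an epoch timestamp."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if re.match(r"\d{9,}\.\d{3}\s", raw) or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw
    return records

def stalled_connects(text, threshold_ms=10000):
    """Map destination -> elapsed times (ms) of CONNECTs that were aborted with
    no upstream selected (HIER_NONE) after at least threshold_ms (assumed cutoff)."""
    hits = defaultdict(list)
    for rec in unwrap(text):
        m = LINE.match(rec)
        if (m and m["method"] == "CONNECT" and m["result"].endswith("_ABORTED")
                and m["hier"] == "HIER_NONE" and int(m["elapsed"]) >= threshold_ms):
            hits[m["url"]].append(int(m["elapsed"]))
    return dict(hits)

if __name__ == "__main__":
    for dest, times in sorted(stalled_connects(SAMPLE).items()):
        print(f"{dest:24} aborted={len(times)} worst={max(times)} ms")
```
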

