Yassin CHOUCHANE | 22 Oct 11:38 2014

Problem: Squid to Java application

Hello,
I have a Java web application, and I need no cache for this application,
but I can add no cache to it.
The URL of my application:
http://srv-java.e.t:6666/forms/frmservlet?

In access.log I have this denial:

1413969949.072      0 124.100.1.2 TCP_DENIED/407 3892 GET http://srv-java.e.t:6666/forms/frmservlet? - HIER_NONE/- text/html

I have added this ACL to my squid.conf:

acl NoCachedSites dstdomain srv-java.e.t
acl our_servers src 2.10.3.1

I have added the IP of the server and the dstdomain, but Squid continues to
block this Java application. Do you have any tips to stop Squid blocking this
Java application, please?

Thanks to all
_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
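
The access.log entry quoted in the message above, decoded field by field. This is an added example, not part of the original post: it parses Squid's native access.log format and separates denials answered with 407 (Proxy Authentication Required) from those answered with 403. Every sample line except the first is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

class Entry(NamedTuple):
    client: str
    code: str            # Squid result code, e.g. TCP_DENIED
    status: int          # HTTP status sent back to the client
    method: str
    url: str
    user: Optional[str]  # None when Squid logged "-" (no username known)
    hier: str            # HIER_NONE: nothing was forwarded upstream

def parse_line(line: str) -> Optional[Entry]:
    """Parse one access.log line; return None if it is not in native format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    user = None if m["user"] == "-" else m["user"]
    return Entry(m["client"], m["code"], int(m["status"]),
                 m["method"], m["url"], user, m["hier"])

def classify(e: Entry) -> str:
    """Say why a request was refused, based on result code and HTTP status."""
    if "DENIED" not in e.code:
        return "served"
    if e.status == 407:
        # 407 Proxy Authentication Required: the proxy wants credentials.
        return "auth-required"
    if e.status == 403:
        # 403 Forbidden: refused by the proxy's access controls.
        return "forbidden"
    return "denied-other"

def denials(lines) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for every refused request."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is not None and classify(e) != "served":
            out.append((e.client, e.url, classify(e)))
    return out

# First line is the entry from the message; the other two are constructed.
SAMPLE_LOG = """\
1413969949.072      0 124.100.1.2 TCP_DENIED/407 3892 GET http://srv-java.e.t:6666/forms/frmservlet? - HIER_NONE/- text/html
1413969950.310      1 124.100.1.2 TCP_DENIED/403 3710 GET http://blocked.example/ alice HIER_NONE/- text/html
1413969951.644    212 124.100.1.3 TCP_MISS/200 10482 GET http://www.example.com/ alice HIER_DIRECT/192.0.2.10 text/html
"""

if __name__ == "__main__":
    for client, url, reason in denials(SAMPLE_LOG.splitlines()):
        print(client, reason, url)
```
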
Eugene M. Zheganin | 22 Oct 08:02 2014

3.3.x -> 3.4.x: huge performance regression

Hi.

I was using the 3.4.x branch for quite some time, it was working just
fine on small installations.
Yesterday I upgraded my largest cache installation from 3.3.13 to 3.4.8
(same config, diskd, NTLM/GSS-SPNEGO auth helpers, external helpers).
This morning I noticed that squid is spiking to 100% of CPU and almost
isn't serving any traffic. Restart didn't help, squid is serving pages
while continuing to consume CPU, load grows, until it's at 100%, and
after some time my users are unable to open any page from Internet. This
is sad, so I downgraded to 3.3.13. CPU consumption went back to 20-35%
and everything is back to normal.

In order to understand what's happening I did some dtrace profiling to
see what squid is busy with, taking into consideration that measuring
the same amount of connect()/socket() syscalls should give the same amount
of squid work, but the results were totally different on one number of
such syscalls.

Anyone to comment ?

Thanks.
Eugene.
Job | 22 Oct 00:42 2014

Squid in captive portal and reconfigure


Hello,

Integrating squid in a captive portal environment, I have to set up different profiles in order to apply
restrictions dynamically.

Does squid -k reconfigure kill active sessions/connections?

I tried it while downloading a file: it stops for one or two seconds and then continues the download, but I am not sure
if sessions are dropped/renewed.

Thank you,
Francesco
Mike | 21 Oct 18:40 2014

Question about squid 3.5.x and SSL

I was reading through the release notes for squid 3.5, and in section 
2.4 regarding HTTPS, it mentions "When Squid is built with the GnuTLS 
encryption library the tool is able to open TLS (or SSL/3.0) connections 
to servers", and the wording makes me think that when openssl is in use, 
squid cannot open TLS/SSL connections to servers...

So my question is if it will still properly be able to open TLS/SSL 
connections to server when openssl is in use (like we currently are 
using with 3.4.6 and ssl_bump)? Or is gnutls recommended for use with 
squid 3.5.x (despite its massive bugs and vulnerabilities compared to 
openssl)?

And my last question, regarding squid usage by people on HTTPS websites, 
what are some primary differences of using gnutls versus openssl?

Thanks!
Mike
Eugene M. Zheganin | 21 Oct 18:11 2014

assertion failed: "lm_request->waiting"

Hi.

Is someone getting this too ? I get this with sad regularity:

# grep lm_request /var/log/squid/cache.log
2014/10/06 14:32:12 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting"
2014/10/07 16:06:10 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting"
2014/10/16 16:28:48 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting"
2014/10/17 14:32:34 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting"
2014/10/17 14:33:09 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting"
2014/10/21 12:25:18 kid1| assertion failed: UserRequest.cc:229: "lm_request->waiting"

each time squid crashes.
I filed http://bugs.squid-cache.org/show_bug.cgi?id=4104, but no one 
got interested.
I accept, this happens only on one of many installations. Probably 
someone knows a workaround ?

Thanks.
Eugene.
lionxyes@gmail.com | 21 Oct 09:52 2014

Question about compiling and loading ecap-adapter module on windows


Hi.  I'm coming again.

Now, I have compiled squid-3.3.3 with the --enable-ecap option successfully on cygwin and run it 
successfully on windows.
But there is another question, about compiling the ecap-adapter module.

I'm not sure that I should ask this question here, maybe I should ask the eCAP developer,
but I think that I should try it here first.

OK!
Question 1:  Do I need to compile the ecap-adapter module as a .dll file if I want to use the ecap-adapter module on windows?
Question 2:  If so, how do I do it, and should I ask the eCAP developer? Now, when I compile the ecap-adapter module (ecap_adapter_sample-0.2.1.tar.gz)
directly on cygwin, I just get .a and .la files. Here is some output message when I make it.

------------------------------------------------------output message-----------------------------------------------------------
Making all in src
make[1]: Entering directory '/usr/src/ecap_adapter_sample-0.2.1/src'
make all-am
make[2]: Entering directory '/usr/src/ecap_adapter_sample-0.2.1/src'
/bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I../src -I/usr/local/include -g -O3 -Wall -Wwrite-strings -Woverloaded-virtual -pipe -MT adapter_minimal.lo -MD -MP -MF .deps/adapter_minimal.Tpo -c -o adapter_minimal.lo adapter_minimal.cc
libtool: compile: g++ -DHAVE_CONFIG_H -I../src -I/usr/local/include -g -O3 -Wall -Wwrite-strings -Woverloaded-virtual -pipe -MT adapter_minimal.lo -MD -MP -MF .deps/adapter_minimal.Tpo -c adapter_minimal.cc -DDLL_EXPORT -DPIC -o .libs/adapter_minimal.o
libtool: compile: g++ -DHAVE_CONFIG_H -I../src -I/usr/local/include -g -O3 -Wall -Wwrite-strings -Woverloaded-virtual -pipe -MT adapter_minimal.lo -MD -MP -MF .deps/adapter_minimal.Tpo -c adapter_minimal.cc -o adapter_minimal.o >/dev/null 2>&1
mv -f .deps/adapter_minimal.Tpo .deps/adapter_minimal.Plo
/bin/sh ../libtool --tag=CXX --mode=link g++ -g -O3 -Wall -Wwrite-strings -Woverloaded-virtual -pipe -module -avoid-version -L/usr/local/lib -lecap -o ecap_adapter_minimal.la -rpath /usr/local/lib adapter_minimal.lo

*** Warning: This system can not link to static lib archive /usr/local/lib/libecap.la.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** But as you try to build a module library, libtool will still create
*** a static module, that should work as long as the dlopening application
*** is linked with the -dlopen flag to resolve symbols at runtime.
libtool: link: warning: undefined symbols not allowed in i686-pc-cygwin shared libraries
libtool: link: /usr/bin/ar cru .libs/ecap_adapter_minimal.a adapter_minimal.o
libtool: link: ranlib .libs/ecap_adapter_minimal.a
libtool: link: ( cd ".libs" && rm -f "ecap_adapter_minimal.la" && ln -s "../ecap_adapter_minimal.la" "ecap_adapter_minimal.la" ) 
------------------------------------------------------output message end-----------------------------------------------------------

Please give some help. Thank you.

HDM1991
lionxyes <at> gmail.com
Riccardo Castellani | 21 Oct 08:04 2014

R: Re: Skype settings

I'm talking about the Skype settings in the 'tools' - 'connection options' menu; I'm
confused about how to set Skype ports if I'm using Squid as a proxy server.
If you need other info I'm ready to explain ...

>----Original message----
>From: squid3 <at> treenet.co.nz
>Date: 21-Oct-2014 7.39
>To:
>Subject: Re: [squid-users] Skype settings
>
>On 21/10/2014 6:25 p.m., Riccardo Castellani wrote:
>> I'm using Squid and it's unique access to go out to Internet. I
>> created rules for Skype traffic but I'd like to understand how to
>> set its ports because my unique access way to Internet is proxy on
>> 3128. I have firewall which is block all ports.
>>
>> My settings:
>>
>> Use port XXXXX for incoming connections (yes) use port 80 and 443
>> for additional incoming connections
>>
>> proxy settings:
>>
>> HTTPS
>>
>> host: myproxy port: 3128 I have no authentication method
>>
>> With Squid proxy what's correctly setting for Skype ?
>
>Uhm. Picture me confused.
>
>Let's see ... you have a proxy. You also have a firewall configured to
>block all traffic. And you want to run Skype.
>
>Something is configured with some XX port and also running as a HTTP
>(port 80) and HTTPS (port 443) web server.
>
>
>Can you clarify what you are talking about please?
> naming the software or control panel in each point instead of saying
>"it", "my" and "I" would be a good start,
> also a clear statement of what you want the "all working" situation
>to be.
>
>Amos
saleh madi | 21 Oct 07:55 2014

squid 2.7 TPROXY not working

Hello,

I have compiled squid 2.7stable9 with the TPROXY patch, but TPROXY does not seem to be working. The traffic arrives at
squid, but when I try to open a website from the client browser I get no response, "time Out".

Note: traffic forwarder is Cisco Router with PBR (Policy Based Routing).

Please see below the Squid logs:

2014/10/20 22:36:20| parseHttpRequest: Complete request received
2014/10/20 22:36:20| commSetTimeout: FD 33 timeout 900
2014/10/20 22:36:20| removing 905 bytes; conn->in.offset = 0
2014/10/20 22:36:20| clientSetKeepaliveFlag: http_ver = 1.1
2014/10/20 22:36:20| clientSetKeepaliveFlag: method = GET
2014/10/20 22:36:20| The request GET http://www.cnn.com/ is ALLOWED, because it matched 'network'
2014/10/20 22:36:20| clientRedirectStart: 'http://www.cnn.com/'
2014/10/20 22:36:20| clientRedirectDone: 'http://www.cnn.com/' result=NULL
2014/10/20 22:36:20| clientInterpretRequestHeaders: REQ_NOCACHE = NOT SET
2014/10/20 22:36:20| clientInterpretRequestHeaders: REQ_CACHABLE = SET
2014/10/20 22:36:20| clientInterpretRequestHeaders: REQ_HIERARCHICAL = SET
2014/10/20 22:36:20| clientProcessRequest: GET 'http://www.cnn.com/'
2014/10/20 22:36:20| clientProcessRequest2: storeGet() MISS
2014/10/20 22:36:20| clientProcessRequest: TCP_MISS for 'http://www.cnn.com/'
2014/10/20 22:36:20| clientProcessMiss: 'GET http://www.cnn.com/'
2014/10/20 22:36:20| fwdStart: 'http://www.cnn.com/'
2014/10/20 22:36:20| fwdStartComplete: http://www.cnn.com/
2014/10/20 22:36:20| fwdConnectStart: http://www.cnn.com/
2014/10/20 22:36:20| fwdConnectStart: got addr 0.0.0.0, tos 0
2014/10/20 22:36:20| fwdConnectStart: setting outgoing.s_addr=0A16212C (will set TRANSPARENT)
2014/10/20 22:36:20| comm_openex: FD 34 is a new socket
2014/10/20 22:36:20| commSetTransparent: FD 34
2014/10/20 22:36:20| comm_add_close_handler: FD 34, handler=0x4373c0, data=0xc02648
2014/10/20 22:36:20| commSetTimeout: FD 34 timeout 60
2014/10/20 22:36:20| commConnectStart: FD 34, www.cnn.com:80
2014/10/20 22:36:20| comm_add_close_handler: FD 34, handler=0x42b240, data=0xc02878
2014/10/20 22:36:20| commSetSelect: FD 6 type 1
2014/10/20 22:36:20| commSetEvents(fd=6)
2014/10/20 22:36:20| commSetSelect: FD 33 type 1
2014/10/20 22:36:20| commSetEvents(fd=33)
2014/10/20 22:36:20| fwdStart: 'http://squid2:65534/squid-internal-periodic/store_digest'
2014/10/20 22:36:20| fwdStartComplete: http://squid2:65534/squid-internal-periodic/store_digest
2014/10/20 22:36:20| fwdConnectStart: http://squid2:65534/squid-internal-periodic/store_digest
2014/10/20 22:36:20| fwdConnectStart: got addr 0.0.0.0, tos 0
2014/10/20 22:36:20| comm_openex: FD 35 is a new socket
2014/10/20 22:36:20| comm_add_close_handler: FD 35, handler=0x4373c0, data=0xc05c38
2014/10/20 22:36:20| commSetTimeout: FD 35 timeout 60
2014/10/20 22:36:20| commConnectStart: FD 35, squid2:65534
2014/10/20 22:36:20| comm_add_close_handler: FD 35, handler=0x42b240, data=0xc05d88
2014/10/20 22:36:20| connect FD 35: (115) Operation now in progress
2014/10/20 22:36:20| commConnectHandle: FD 35: COMM_INPROGRESS
2014/10/20 22:36:20| commSetSelect: FD 35 type 2
2014/10/20 22:36:20| commSetEvents(fd=35)
2014/10/20 22:36:20| comm_select: timeout 0
2014/10/20 22:36:20| do_comm_select: 1 fds ready
2014/10/20 22:36:20| comm_call_handlers(): got fd=35 read_event=0 write_event=4 F->read_handler=(nil) F->write_handler=0x42b350
2014/10/20 22:36:20| comm_remove_close_handler: FD 35, handler=0x42b240, data=0xc05d88
2014/10/20 22:36:20| commSetTimeout: FD 35 timeout -1
2014/10/20 22:36:20| commConnectFree: FD 35
2014/10/20 22:36:20| fwdConnectDone: FD 35: 'http://squid2:65534/squid-internal-periodic/store_digest'
2014/10/20 22:36:20| fwdDispatch: FD -1: Fetching 'GET http://squid2:65534/squid-internal-periodic/store_digest'
2014/10/20 22:36:20| httpStart: "GET http://squid2:65534/squid-internal-periodic/store_digest"
2014/10/20 22:36:20| comm_add_close_handler: FD 35, handler=0x447d40, data=0xc05cb8
2014/10/20 22:36:20| httpSendRequest: FD 35: httpState 0xc05cb8.
2014/10/20 22:36:20| commSetTimeout: FD 35 timeout 900
2014/10/20 22:36:20| commSetSelect: FD 35 type 1
2014/10/20 22:36:20| commSetEvents(fd=35)
....

Thank you and Best Regards,
Saleh
Riccardo Castellani | 21 Oct 07:25 2014

Skype settings

I'm using Squid and it's unique access to go out to Internet.
I created rules for Skype traffic but I'd like to understand how to set its ports because my
unique access way to Internet is proxy on 3128.
I have firewall which is block all ports.

My settings:

Use port XXXXX for incoming connections
(yes) use port 80 and 443 for additional incoming connections

proxy settings:

HTTPS

host: myproxy
port: 3128
I have no authentication method

With Squid proxy what's correctly setting for Skype ?
Amos Jeffries | 21 Oct 07:08 2014

Squid 3.5.0.1 beta is available


The Squid Software Foundation is very pleased to announce the
availability of the Squid-3.5.0.1 beta release!

   That's right! The Squid Software Foundation is now formally
   in place as copyright representative (Squid remains GPLv2+
   with hundreds of individual copyright holders), and operator
   for the infrastructure used to assemble and publish this and
   later Squid versions.

This new 3.5 series of Squid brings useful new features and changes
providing improved performance over earlier release series.

More detailed descriptions of the major new features are available in
the release notes and wiki:
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
http://wiki.squid-cache.org/Squid-3.5

Detailed lists of the ./configure build and squid.conf changes can also
be found in the release notes.

This code is released as beta for wider testing purposes and potential
use. There are no more planned alterations to the existing features,
./configure options or squid.conf options.

All users of Squid-2.7 held back because of the Collapsed Forwarding
feature will be happy to know it has finally been ported in this
release. Please upgrade ASAP.

All developers of eCAP plugins need to be aware this release of Squid
supports libecap 1.0. This brings with it an end to some complications
plugins built against older libecap library versions had. This version
has some backward compatibility support, but plugins really should be
rebuilt against the new library for reliable behaviour.

Squid is now capable of accepting native FTP commands at an ftp_port
and relaying native FTP messages between FTP clients and FTP servers.
Some Squid modules (e.g., caching) do not currently work with native
FTP proxying, and many features have not even been tested for
compatibility.

Authentication helpers can now be passed arbitrary details in addition
to the credentials required for the HTTP authentication scheme.
 PLEASE NOTE: care needs to be taken when using this feature, it
*will* cause an increase in load on the authentication system
proportional to the variability of the extra details sent. In short,
it bypasses Squid's built-in DDoS and credential replay protection.
 The Store-ID and URL-rewrite helper interfaces are also extended with
matching abilities.

The Digest authentication, Store-ID, and URL-rewrite helpers packaged
with Squid have been updated to support concurrency channels. They
will auto-detect the channel-ID field and will produce the appropriate
response format. With these helpers concurrency may now be set to 0 or
any higher number as desired.
 Developers of third-party helpers still needing concurrency support
are encouraged to take a look and see how this auto-detection is done
for each interface. Concurrency on these interfaces is scheduled to be
enabled by default in a future release.

Named Services has now been extended to be available on all operating
systems, it has previously been a Windows-only feature. It restores
the ability to run multiple instances on the same machine even when
SMP support is being used. The squid.conf ${service_name} macro is
also added to simplify configuration file management.
 The ability intentionally includes some backward compatibility.
Whereas older Squid-3 SMP-aware versions may only have one instance of
themselves running in total, this feature allows the new version to
run alongside an older version by using a different service name.

Initial support for PROXY protocol, a more portable alternative to
X-Forwarded-For and Forwarded HTTP headers has been added in this
version. Currently only http_port uses the protocol wrapper to receive
traffic from a peer proxy or gateway device.

The squidclient tool has been through a minor overhaul in this version.
 Anyone utilizing its ability to 'ping' an HTTP server for uptime
monitoring needs to be aware the command line options have now been
changed.
 HTTPS is now also supported if the GnuTLS library was available when
building Squid. OpenSSL-only builds of the tool do not have this feature.
 Run 'squidclient -h' for a quick summary of options or see the
Release Notes for more details.

Operating System support:

 * Windows support has in recent times worked its way back into view
with both MinGW and Cygwin builds showing some success. Windows is now
being considered a supported OS again. So any and all assistance
building, testing and bug reports welcome. Just be aware that as this
is all a recent event Squid-3 as a whole is still considered beta on
this OS.

 * MacOS X is at risk of ending up in the sad situation Windows is
just vacating. Due to breakage in the shared memory API needed by
Squid for SMP support, along with a lack of interest from the MacOS
community in getting it fixed. If Squid on Mac is of importance to you
some assistance getting over that blocker problem is welcomed.

Major features dropped:
 * COSS support is officially purged from the code.

Rock store has been available for several versions, with COSS
operation broken for even longer. This version brings >32KB object
support to Rock store and thus removes the last potential need for COSS.

 * DNS helper API and dnsserver are officially purged from the code.

mDNS support has been available since Squid-3.4 and has no bug reports
across the entire series. Thus passing our criteria for stable, and
demonstrating the lack of need for the DNS helper.

All users are encouraged to give this Squid release a test run as soon
as time permits. All feedback welcome.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
if and when you are ready to make the switch to Squid-3.5

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v3/3.5/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries
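
The channel-ID auto-detection mentioned in the announcement, shown for a URL-rewrite helper. This is an added example, not code from Squid or its bundled helpers: it assumes the Squid 3.4+ helper reply syntax (`OK rewrite-url=...`, `ERR`, `BH`), and the two URL prefixes are hypothetical.

```python
import sys
from typing import Optional, Tuple

# Hypothetical rewrite rule used only for this example.
OLD_PREFIX = "http://old.example/"
NEW_PREFIX = "https://new.example/"

def split_channel(line: str) -> Tuple[Optional[str], str]:
    """Detect an optional leading channel-ID.

    With concurrency enabled Squid prefixes every request line with a
    numeric channel-ID; with concurrency=0 the line starts with the URL.
    A URL is never all digits, so an all-digit first token is the ID.
    """
    head, _, rest = line.strip().partition(" ")
    if head.isdigit():
        return head, rest.strip()
    return None, line.strip()

def handle(line: str) -> str:
    """Build the reply for one request line, echoing the channel-ID if any."""
    channel, rest = split_channel(line)
    fields = rest.split(None, 1)
    url = fields[0] if fields else ""
    if not url:
        result = "BH"       # helper could not process the request
    elif url.startswith(OLD_PREFIX):
        result = 'OK rewrite-url="%s%s"' % (NEW_PREFIX, url[len(OLD_PREFIX):])
    else:
        result = "ERR"      # leave the URL unchanged
    # The reply must carry the same channel-ID so Squid can match it
    # to the pending request; without concurrency there is no prefix.
    return result if channel is None else "%s %s" % (channel, result)

def main() -> None:
    # One reply line per request line, flushed immediately: Squid reads
    # the helper's stdout over a pipe and waits on each answer.
    for line in sys.stdin:
        sys.stdout.write(handle(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```
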
Jason Haar | 21 Oct 00:22 2014

infinite loop on using SSL to connect to squid with ssl-bump

Hi there

Both Chrome and Firefox support talking to proxies using SSL (wpad type
"HTTPS" instead of "PROXY"). I'm trying to test that out against my
ssl-bump enabled squid proxy and it's causing an infinite loop

Basically if I do something like

(sleep 2;echo -ne "GET http://slashdot.org/ HTTP/1.0\r\n\r\n"; sleep 4)|openssl  s_client -connect localhost:3129

against a squid-3.4.8 proxy set up with

http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
https_port 3129 ssl-bump intercept cert=/usr/local/squid/etc/squidCA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

squid immediately hits 100% CPU and blocks until I kill it. I turned on
debugging (owch - almost had to power cycle to get out of that!) and
what was happening was squid was trying to ssl-bump the 127.0.0.1:3129
connection itself - ie infinite loop

The only difference between the HTTP and HTTPS ports are "intercept" -
but that's needed for https_port to even work. http_port works just fine

I bet I'm simply missing something, any suggestions?

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
