Re: [squid-users] Squid 100% CPU and possible attack

2015-10-22 Thread Amos Jeffries
On 23/10/2015 10:43 a.m., Job wrote: > Hello, > > sometimes, for about half an hour, tour Squid becomes unstable and, by typing > "top -s", Squid is taking the 100% of the CPU. > > In Squid's access.log, i see lots of entry like this: > > "Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.25

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Amos Jeffries
On 23/10/2015 4:21 p.m., SaRaVanAn wrote: > I tried by disabling internal dns in squid. Still i am seeing the same > problem. > What else can be looked at ? Its really makes user experience bad if he > tries URL for the first time. Internal DNS in Squid has very little to do with this. The DNS he

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Amos Jeffries
On 23/10/2015 8:33 a.m., Keith White wrote: > Added the debug options and grabbed the following after the 407 message was > returned to the client. Is there anything specific I should be looking for? > > Thanks, > > Keith > > > 2015/10/22 12:24:50.573 kid1| Starting new ntlmauthenticator help

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread SaRaVanAn
I tried by disabling internal dns in squid. Still i am seeing the same problem. What else can be looked at ? Its really makes user experience bad if he tries URL for the first time. Regards, Saravanan N On Thu, Oct 22, 2015 at 7:34 PM, SaRaVanAn wrote: > I am using Squid version 3.1.20 runni

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread SaRaVanAn
I am using Squid version 3.1.20 running on Intel I7 processor with 16GB RAM. Even on connecting a single client I could able to reproduce this problem. 2015/10/22 20:34:23.146| ipcache_nbgethostbyname: Name 'mail.com'. DNS start time 2015/10/22 20:34:23.146| ipcache_nb

Re: [squid-users] Squid 100% CPU and possible attack

2015-10-22 Thread Eliezer Croitoru
The simplest way is to use fail2ban. What OS are you using? it is possible an attack but it's not 100%. What you can do is to also disable access using the proxy to this destination IP and address. 100% CPU in many cases is not something odd but you can try fail2ban with a special rule to block

Re: [squid-users] How to inspect client certificate in ssl_bump

2015-10-22 Thread Alex Rousskov
On 10/22/2015 03:53 PM, Leon wrote: > I'm using Squid 3.5. What I'm going to do is setting up a forward proxy that > inspect TLS handshake between client and server then allow the connection > only when following two requirements are met: > > 1. The server address must be in our whitelist, an

[squid-users] How to inspect client certificate in ssl_bump

2015-10-22 Thread Leon
Hi, I'm using Squid 3.5. What I'm going to do is setting up a forward proxy that inspect TLS handshake between client and server then allow the connection only when following two requirements are met: 1. The server address must be in our whitelist, and the server must provide a correct server

[squid-users] Squid 100% CPU and possible attack

2015-10-22 Thread Job
Hello, sometimes, for about half an hour, tour Squid becomes unstable and, by typing "top -s", Squid is taking the 100% of the CPU. In Squid's access.log, i see lots of entry like this: "Thu";"Oct";"22";"11:45:17";"2015";"21328";"192.168.1.250";"TCP_MISS/000";"0";"GET";"http://192.168.1.254:808

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Eliezer Croitoru
What version of squid are you using now? Squid 3.1.20 is very old and it is recommended to use newer versions. If you are having specific troubles I think you figure out the issues pretty fast. What hardware are you using for your squid? is it a VM? RAM? CPU? Disk? How many clients? Have you used

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Keith White
Added the debug options and grabbed the following after the 407 message was returned to the client. Is there anything specific I should be looking for? Thanks, Keith 2015/10/22 12:24:50.573 kid1| Starting new ntlmauthenticator helpers... 2015/10/22 12:24:50.574 kid1| 28,4| Acl.cc(70) Authenti

Re: [squid-users] HTTP performance hit with Squid

2015-10-22 Thread Jason Haar
On 23/10/15 07:47, SaRaVanAn wrote: > There is always a ~2 second delay between the request coming to our > system and going out of Squid. Suppose if a page has lot of embedded > URL's it's taking more time with squid in place. Suppose If I disable > squid the page loads very fast in client browser.

[squid-users] HTTP performance hit with Squid

2015-10-22 Thread SaRaVanAn
Hi , we have been using squid 3.1.20 comes with debian wheezy 7. We could see there is a performance hit in http traffic when we use Squid. For each HTTP GET request coming from client to proxy server, Squid takes nearly 2 seconds to generate HTTP GET in order to establish a connection with server.

Re: [squid-users] big files caching-only proxy

2015-10-22 Thread Leonardo Rodrigues
On 22/10/15 06:08, Amos Jeffries wrote: On 22/10/2015 7:13 a.m., Leonardo Rodrigues wrote: It sounds to me that you are not so much wanting to cache only big things, you are wanting to cache only certain sites which contain mostly big things. The best way to configure that is with the cache d

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Keith White
I was able to confirm that ntlm_auth worked for the squid user. We currently use BlueCoat proxies so IE is definitely configured to use integrated authentication. No cache_effective* in the config. I will enable debugging and see what is happening as well as enable Kerberos. Thanks, Keith -

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread Amos Jeffries
On 23/10/2015 3:01 a.m., luizca...@gmail.com wrote: > Here is the config I am currently using based on your suggestion earlier. > However it does not start. I have also added some questions to each for > verification purposes to make sure I am understanding what is actually going > on. > > http

Re: [squid-users] nonce_garbage_interval problem?

2015-10-22 Thread Amos Jeffries
On 23/10/2015 3:08 a.m., Athos Fiolo wrote: > Hi Amos. > >> Please check if a helper lookup is being performed on each request as well >> as new nonce generated. > > I guess you are right, but I don't know how to solve it. > cache.log doesn’t show restarts for the helper, even if only 1/5 helpe

[squid-users] R: R: nonce_garbage_interval problem?

2015-10-22 Thread Athos Fiolo
Hi Amos. > Please check if a helper lookup is being performed on each request as well as > new nonce generated. I guess you are right, but I don't know how to solve it. cache.log doesn’t show restarts for the helper, even if only 1/5 helper is started. The output log of the helper shows no cac

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread Yuri Voinov
BTW - you omit many important settings from squid.conf.default. Your configuration is so dangerous. 22.10.15 20:01, luizca...@gmail.com wrote: > Here is the config I am currently using based on your suggestion earlier. > However it does not start.

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread Yuri Voinov
Never - I repeat, never! - Do not copy other people's pieces config, if you do not understand what they mean. It is not necessary to engage in copy-paste. In the case of configurations need to thoroughly understand what you are doing. net_bump is

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread luizcasey
Here is the config I am currently using based on your suggestion earlier. However it does not start. I have also added some questions to each for verification purposes to make sure I am understanding what is actually going on. https_port 4827 intercept ssl-bump generate-host-certificates=on dyn

Re: [squid-users] R: nonce_garbage_interval problem?

2015-10-22 Thread Amos Jeffries
On 23/10/2015 1:43 a.m., Athos Fiolo wrote: > Hi Amos. > Thanks for your reply. > > Squid Cache: Version 3.4.8 > > On: > Linux version 3.16.0-4-amd64 (debian-ker...@lists.debian.org) (gcc version > 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) > > Maybe a known and so

[squid-users] R: nonce_garbage_interval problem?

2015-10-22 Thread Athos Fiolo
Hi Amos. Thanks for your reply. Squid Cache: Version 3.4.8 On: Linux version 3.16.0-4-amd64 (debian-ker...@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) Maybe a known and solved bug? Athos Fiolo Software Engineer afi...@came.com CAME S

[squid-users] range_offset_limit with SSL connection

2015-10-22 Thread HackXBack
did any one try range_offset_limit with https url's ? squid crash and restart with assertion error ... same as ... http://squid-web-proxy-cache.1019090.n4.nabble.com/assertion-failed-comm-cc-178-quot-fd-table-conn-gt-fd-halfClosedReader-NULL-quot-tt4670979.html

Re: [squid-users] deny rep_mime_type

2015-10-22 Thread HackXBack
acl yt-loop dstdomain .googlevideo.com
acl type-yt rep_mime_type text/plain
store_miss deny yt-loop type-yt
send_hit deny yt-loop type-yt

Re: [squid-users] nonce_garbage_interval problem?

2015-10-22 Thread Amos Jeffries
On 22/10/2015 10:58 p.m., Athos Fiolo wrote: > Hi, I'm facing a problem with the digest auth server responses. > > Client requests a page, server responds with 407 + nonce, client gets the > page correctly. The garbage interval is only about how often Squid attempts to discard already obsolete n

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Amos Jeffries
On 23/10/2015 12:02 a.m., Sebastian Kirschner wrote: > Hi Amos , > > thanks for your reply. > > Maybe we got an misunderstanding or I have an "false" opinion of the sentence > I quoted before. > > I thought you could say to me what for checks would definitely performed in > "standard" installa

Re: [squid-users] Is Websocket support planned?

2015-10-22 Thread Amos Jeffries
On 23/10/2015 12:01 a.m., Christophe Donatsch wrote: > Dear squid-users, > > Our infrastructure rely on squid as a reverse-proxy to serve most of our web > applications. Our tests show that squid won't correctly handle an HTTP > request > to initiate a WebSocket connection. We'd like to know i

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Sebastian Kirschner
Hi Amos , thanks for your reply. Maybe we got an misunderstanding or I have an "false" opinion of the sentence I quoted before. I thought you could say to me what for checks would definitely performed in "standard" installation with openssl, not only that you believe that the X.509 certificat

[squid-users] Recall: squid-users Digest, Vol 14, Issue 73

2015-10-22 Thread Sebastian Kirschner
Sebastian Kirschner would like to recall the message "squid-users Digest, Vol 14, Issue 73".

[squid-users] Is Websocket support planned?

2015-10-22 Thread Christophe Donatsch
Dear squid-users, Our infrastructure rely on squid as a reverse-proxy to serve most of our web applications. Our tests show that squid won't correctly handle an HTTP request to initiate a WebSocket connection. We'd like to know if we are missing something, or if the support of WebSocket is pla

Re: [squid-users] squid-users Digest, Vol 14, Issue 73

2015-10-22 Thread Sebastian Kirschner
Hi Amos , thanks for your reply. Maybe we got an misunderstanding or I have an "false" opinion of the sentence I quoted before. I thought you could say to me what for checks would definitely performed in "standard" installation with openssl, not only that you believe that the X.509 certificat

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-22 Thread Yuri Voinov
22.10.15 15:58, Amos Jeffries wrote: On 21/10/2015 4:53 p.m., Dan Charlesworth wrote: I’m getting these very frequently for api.github.com and github.com I’m using the same DNS servers as my intercepting squid 3.5.10 proxy and they only return the one IP when I do an nslookup as well … Any

[squid-users] squid rock storage error

2015-10-22 Thread Mohammad Shakir
We are using CentOS release 6.6 (Final) 64bit. Squid Cache: Version 3.5.10 Service Name: squid configure options: '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--sysconfdir=/etc/squid' '--datadir=/usr/share/squid' '--includedir=/usr/include' '--libdir=/usr/li

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-22 Thread Dan Charlesworth
Ah-ha. Thanks for digging into that a bit Amos. In my case 8.8.8.8 is the tertiary server, so I’m surprised it’s being used at all. Could be a local DNS server is forwarding to it, though. I’ll remove that from the equation tomorrow and see how it fares. Cheers > On 22 Oct 2015, at 8:58 PM, Am

Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-22 Thread Amos Jeffries
On 21/10/2015 4:53 p.m., Dan Charlesworth wrote: > I’m getting these very frequently for api.github.com and github.com > > I’m using the same DNS servers as my intercepting squid 3.5.10 proxy and they > only return the one IP when I do an nslookup as well … > > Any updates from your end, Roel?

[squid-users] nonce_garbage_interval problem?

2015-10-22 Thread Athos Fiolo
Hi, I'm facing a problem with the digest auth server responses. Client requests a page, server responds with 407 + nonce, client gets the page correctly. At every "200 OK" response the server sends a "Proxy-Authentication-Info: nextnonce ..." header, even if the "nonce_garbage_interval" is 5 min

Re: [squid-users] Frequent messages from helperHandleRead

2015-10-22 Thread Carlo Filippetto
Thank you Amos, I'll take a look. Bye 2015-10-20 7:20 GMT+02:00 Amos Jeffries : > On 20/10/2015 3:47 a.m., Carlo Filippetto wrote: > > Hi all, > > > > I can find several messages on 'cache.log" file with this message: > > > > 2015/10/19 16:42:54 kid1| helperHandleRead: unexpected read from > red

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:22 p.m., Sebastian Kirschner wrote: > Hi, > > I have a question regarding the SSL Server Certificate Validator. > > In the Wiki is written: > "The helper will be optionally consulted after an internal OpenSSL validation > we do now, regardless of that validation results." > > Wh

Re: [squid-users] NTLM Authentication Failing

2015-10-22 Thread Amos Jeffries
On 22/10/2015 10:33 a.m., Alex Samad wrote: > Would it be fair to say best practice is to get Kerberos working in favour > of ntlm ? Best Practice is not to have NTLM at all. In the same way that it's best practice not to use 8-bit (1 letter) passwords. NTLM was formally deprecated in 2006 by MS.

Re: [squid-users] deny rep_mime_type

2015-10-22 Thread Amos Jeffries
On 22/10/2015 10:00 a.m., HackXBack wrote: > sorry not deny but make it miss and not hit > with > store_miss > send_hit > Then you are wanting the same as what kinkie provided, but with store_miss instead of http_reply_access. You know it really helps if you read the documentation. Which is part

Re: [squid-users] Remote Desktop Gateway thru Squid.

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:43 a.m., Sebastien.Boulianne wrote: > Hi all, > > I'm looking to use my Remote Desktop Gateway with my Squid. > I tried this config but it didn't work. > > ### SITE > cache_peer site.domain.qc.ca parent 443 0 no-query originserver ssl > sslflags=DONT_VERIFY_PEER name=site > acl sit

Re: [squid-users] How can I change the Squid logo on an access denied page.

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:52 a.m., Sebastien.Boulianne wrote: > Hi again, > > I would like to change the Squid's logo that appear on an access denied page... > I replace the picture /usr/share/squid/icons/SN.png but it didn't work. > > What did I miss ? The other config files that sit next to squid.conf. On

Re: [squid-users] Squid/NTLM Auth

2015-10-22 Thread Amos Jeffries
On 22/10/2015 8:21 a.m., Keith White wrote: > > I have squid running on Centos 7 and am trying to setup AD > authentication. I have samba/winbindd installed and the system was added > to the domain with authconfig. I have tested authentication with > auth_ntlm and that works. I have also tested gr

Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:31 a.m., luizcasey wrote: > > > Hello, So what I am trying to accomplish here is to basically have a > whitelist of domains that is allowed via http/https. What you have actually configured is a whitelist with MUCH narrower criteria than that. > If the UID is > squid,apache, or

Re: [squid-users] big files caching-only proxy

2015-10-22 Thread Amos Jeffries
On 22/10/2015 7:13 a.m., Leonardo Rodrigues wrote: > > Hi, > > I have a running setup for proxying only 'big' files, like Windows > Update, Apple Updates and some other very specific URLs. That's working > just fine, no problem on that. > > For avoiding caching small things on the UR