Lee :
> It says this proxy does not support rock when I manually enable it. Squid
> is installed on pfSense plus with an arm processor.
> Sent from my iPhone
>
> On Jan 15, 2025, at 20:09, Andrey K wrote:
>
>
> Hello, Jonathan,
>
> > I can’t do workers 3 on my sy
Hello, Jonathan,
> I can’t do workers 3 on my system because I would have to disable the
cache as it won’t do rock cache. This system does not support rock cache.
Why do you think that your system does not support the rock cache?
As far as I know, the rock cache is a feature of squid, not the ope
Hello,
I am sorry to interrupt the conversation, but in my opinion, the ACL used in
the policy is fast, as stated in the documentation (
https://www.squid-cache.org/Doc/config/acl/):
acl aclname dstdomain [-n] .foo.com ...
# Destination server from URL [fast]
So the configuration is re
Hello, Slag,
The symptoms look like you are suffering from the bug:
https://bugs.squid-cache.org/show_bug.cgi?id=5352
The solution is applying the patch:
https://github.com/measurement-factory/squid/commit/6567eac.patch
Kind regards,
Ankor.
Thu, 14 Nov 2024 at 21:31, Alex Rousskov <
rou
Hello, Matus,
Thank you very much for the information.
Kind regards,
Ankor.
Fri, 13 Sep 2024 at 22:27, Matus UHLAR - fantomas :
> On 12.09.24 09:28, Andrey K wrote:
> >I found that my SQUID proxy periodically sends HTTP-GET requests to the
> >parent proxy for /squid-i
Hello,
I found that my SQUID proxy periodically sends HTTP-GET requests to the
parent proxy for /squid-internal-dynamic/netdb endpoint:
7 25.167034632 myproxyIP → parentproxyIP TCP 76 47420 → 3128[SYN] Seq=0
8 25.268121443 parentproxyIP → myproxyIP TCP 76 3128 → 47420[SYN, ACK]
9 25.268197532 mypr
t,
> make startup and idle parameters the same as the maximum number of
> children.
>
>
> HTH,
>
> Alex.
> P.S. The credit for highlighting the correlation between winbindd errors
> and "auth_param ntlm children 500
Hello, Andre,
Your logs say:
> winbindd: Exceeding 500 client connections, no idle connection found
So in addition to Francesco's suggestion, you can try to increase the
"winbind max clients" parameter in your smb.conf
Your squid.conf record:
auth_param ntlm children 500 startup=5 idle=1
limits
Hello, Jonathan,
> curl http://localhost:3128/squid-internal-mgr/info
> Where would I place the password?
I use the following configuration:
http_access allow localhost manager
cachemgr_passwd redacted config
The command to read the current running config is:
curl localhost:3128/squid-internal
Hello, Jonathan,
>> Does anyone know the path to this file "modified file
'src/client_side_request.cc" so I can test it with the patches application
if it doesn’t work no big deal I can just restore it to prior and or use
an older boot environment
You can find it in the squid sources:
tar -tvz
Amos, thanks for the answer,
We will be waiting for full support of the TLS key logging.
Kind regards,
Ankor
Sat, 27 Apr 2024 at 10:52, Amos Jeffries :
> On 25/04/24 19:57, Andrey K wrote:
> > Hello,
> >
> > Does squid 6.9 allow you to log TLS 1.3 keys
Hello,
Does squid 6.9 allow you to log TLS 1.3 keys so that you can then decrypt
traffic using Wireshark?
I found that there was an issue earlier with using tls_key_log to decrypt
TLS 1.3:
https://lists.squid-cache.org/pipermail/squid-users/2022-January/024424.html
I tried using tls_key_log on Sq
vid Touzeau :
> Anyway to remove these entries from the log ?
>
> On 31/01/2024 at 10:01, Andrey K wrote:
>
> Hello, David,
>
> group values in your logs are BASE64-encoded binary AD-groups SIDs.
> You can try to decode them by a simple perl script sid-reader
Hello, David,
group values in your logs are BASE64-encoded binary AD-groups SIDs.
You can try to decode them by a simple perl script sid-reader.pl (see
below):
echo AQUAAAUVCkdDGG1JBGW2KqEShhgBAA== | base64 -d | perl sid-reader.pl
And finally convert SID to a group name:
wbinfo -s S-01
Thu, 7 Dec 2023 at 18:40, Andrey K :
> Hello, Amos,
>
> Thank you for your comments.
> I must have described the scenario incorrectly, I'll try again in more
> detail.
>
>
> Let's say we have a system that collects information that a user logged in
> to a comp
ual.
The described process is definitely not authorization, it is rather user
identification.
I hope I've cleared things up a bit.
Kind regards,
Ankor.
Thu, 7 Dec 2023 at 13:39, Amos Jeffries :
> On 7/12/23 15:34, Andrey K wrote:
> > Hello,
> >
> > I was interested
Hello,
I was interested if I can configure some custom external helper that will
be called before any authentication helpers and can perform user
identification/authentication based on the client src-IP address.
It can look up in the external system information about the user logged in
to the IP a
Hello, Norman,
I faced the problem too.
For myself, I modified the authorisation script (ext_wbinfo_group_acl - it
is a simple Perl code) and cache some user groups membership in a Memcache.
The script tries first of all to get the information from the cache, and if
it is not there, then get it fr
023-11-16 07:48, Andrey K wrote:
>
> > I have slightly patched the negotiate_kerberos_pac.cc to
> > implement ResourceGroupIds-block parsing.
>
> Please consider posting tested changes as a GitHub Pull Request:
> https://wiki.squid-cache.org/MergeProcedure#pull-request
>
>
Hello,
I found that negotiate_kerberos_auth helper does not see domain local AD
groups.
As it turned out, helper parses only GroupIds and ExtraSids pac-blocks,
while the information about domain local groups is placed in the
ResourceGroupIds pac-block.
I have slightly patched the negotiate_kerberos
Hello, Flashdown,
As you can see in your access.log, your client tried to connect not to a
DNS hostname but directly to IPv6 address:
1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407 4129 CONNECT *[ff00::]:443* - HIER_NONE/- text/html
So, I suppose that your DNS configuration
Hello,
I had the same crashes. A network dump showed me that crashes occurred when
clients tried to access IPv6 http-resources.
I blocked these requests at the beginning of the proxy policy.
The following configuration seems to be a workaround for me:
acl urldst_ipv6 url_regex ^http://\[
http_acc
Hello, Alex,
The suggested workaround works correctly.
Thank you very much!
Kind regards
Ankor.
Mon, 26 Jun 2023 at 17:11, Andrey K :
> Hello, Alex,
>
> Thank you very much!
>
> I will try the suggested workaround and share results.
>
> Kind regards,
> Ank
Hello, Alex,
Thank you very much!
I will try the suggested workaround and share results.
Kind regards,
Ankor.
Mon, 26 Jun 2023 at 16:49, Alex Rousskov :
> On 6/23/23 08:05, Andrey K wrote:
>
> > A link to the uploaded ALL,9 log is: ...
>
> Your Squid is suffering
ime to take a
look at ALL,9 log.
Kind regards,
Ankor.
Thu, 22 Jun 2023 at 20:11, Alex Rousskov :
> On 6/22/23 04:59, Andrey K wrote:
>
> > I reproduced the issue in the test environment.
> > I configured my squid with the debug_options: ALL,1 28,9
> > and ran th
Hello, Alex,
Thank you very much!
Kind regards,
Ankor
Thu, 22 Jun 2023 at 05:23, Alex Rousskov :
> On 4/5/23 09:27, Alex Rousskov wrote:
> > On 4/5/23 06:07, Andrey K wrote:
> >
> >> Previously, caching was disabled on our proxy servers. Now we need to
> >
caching mechanisms squid is so simple to configure and
> it really leaves dust
> behind to all many other cache mechanisms.
>
> Thanks,
> Eliezer
>
>
> From: squid-users On Behalf
> Of Andrey K
> Sent: Tuesday, June 6, 2023 16:08
> To: Alex Rousskov
> Cc: squid
and better the
> scenario.
>
> Eliezer
>
> From: squid-users On Behalf
> Of Andrey K
> Sent: Friday, June 9, 2023 10:03
> To: Squid Users ; Amos Jeffries <
> squ...@treenet.co.nz>
> Subject: [squid-users] Using tcp_outgoing_address with ACL
>
> Hello,
>
>
Hello,
We use the tcp_outgoing_address feature to access some hosts using a
dedicated source IP address.
acl domdst_SIProxy dstdomain "/data/squid.user/etc/squid/categories/domdst_SIProxy"
tcp_outgoing_address 10.72.235.129 domdst_SIProxy
It works fine, but logs are flooded with warnings
of RAM, I can configure a sufficient amount of
cache_mem, say 2 MB to provide caching of video broadcasts.
Kind regards,
Ankor.
>
> Mon, 5 Jun 2023 at 17:31, Alex Rousskov <
> rouss...@measurement-factory.com>:
>
>> On 6/2/23 03:29, Andrey K wrote:
>>
>
rds,
Ankor.
Thu, 1 Jun 2023 at 19:15, Alex Rousskov :
> On 6/1/23 05:20, Andrey K wrote:
>
> > > The next step I would recommend is to study the very first cache miss
> > > _after_ the 500 or 200 concurrent threads test. Doing so may shed
> light
>
tifyFoundObject: StoreEntry is NULL - MISS
2023/06/01 11:30:34.556 kid7| 83,7| LogTags.cc(57) update: TAG_NONE to
TCP_MISS
The file that squid tried to read /data/squid.user/cache_map does not
exist. I use a cache_dir file /data/squid.user/cache/rock. I suppose that
file /data/squid.user/cache_ma
resources on the public internet that have a robust infrastructure.
I will conduct the longer tests next week.
Kind regards,
Ankor.
*squid.conf*
workers 21
sslcrtd_program /data/squid.user/usr/lib/squid/security_file_certgen -s /data/squid.user/var/lib/squid/ssl_db -M 20MB
sslcrtd_children
Hello,
We need to configure a dedicated proxy server to provide caching of online
video broadcasts in order to reduce the load on the uplink proxy.
Hundreds of users will access the same video-chunks simultaneously.
I developed a simple configuration for the test purposes (it is shown
below).
The
se my question: is it possible to configure squid so that it
caches files with the extension ".ts" despite the caching control headers
passed by OCS and serves user requests from the cache?
Kind regards,
Ankor.
Tue, 25 Apr 2023 at 17:53, Amos Jeffries :
> On 25/04/2023 9:45 pm, An
Hello,
We are trying to cache some resources, but they respond in the header with
the attributes that prevent caching:
Content-Type: video/MP2T
*Expires: Thu, 01 Jan 1970 00:00:01 GMT*
*Cache-Control: no-cache*
Cache: HIT
X-Cached-Since: 2023-04-25T07:43:41+00:00
Thus, we see TCP_MISS in the log
ires, $lastmod) = map {"".localtime($_)}
@_[0..3];
my($swap_file_sz, $refcount, $flags) = ($_[4], $_[5], $_[6]);
return {timestamp => $timestamp, lastref => $lastref, expires =>
$expires, lastmod => $lastmod, swap_file_sz => $swap_file_sz, refcount =>
$refcount, flags =
/Features/LargeRockStore
Maybe there is a more detailed description of the internal rock data
structures?
I could try to write a script that reads the necessary information from the
cache_dir file.
Kind regards,
Ankor.
Wed, 5 Apr 2023 at 16:27, Alex Rousskov :
> On 4/5/23 06:07, Andrey K wr
Hello,
Previously, caching was disabled on our proxy servers. Now we need to cache
some content (files about 10 MB in size).
So we changed the squid.conf:
#Disable caching
#cache deny all
#no_cache deny all
#cache_mem 0
cache_dir ufs /data/squid/cache 32000 16 256 max-size=1200
We have 24 w
On 20/02/2023 7:24 pm, Andrey K wrote:
> > Hello Amos,
> >
> > Thank you for your recommendations.
> > I modified negotiate_wrapper_auth to parse NTLM tokens and to set the
> > user attribute in AV-pairs,
> > so now I can configure the desired logging using acl n
7:29 am, Amos Jeffries wrote:
> > On 17/02/2023 7:29 pm, Andrey K wrote:
> >> Hello,
> >>
> >> I would like to disable logging of 407-errors, except when the
> >> username is known.
> >> Is it possible to configure?
> >
> > Assuming
Hello,
I would like to disable logging of 407-errors, except when the username is
known.
Is it possible to configure?
I have now the log configured:
acl http-407 http_status 407
access_log daemon:/var/log/squid/access.log logformat=extended-squid on-error=drop !http-407
But I would also like to
Hello Amos,
You helped me very much.
Kind regards
Ankor
Tue, 31 Jan 2023 at 12:37, Amos Jeffries :
> On 31/01/2023 9:16 pm, Andrey K wrote:
> > Hello Amos,
> >
> > Thank you for the idea to write a wrapper script.
> >
> > As NTLM-helper returns "
ibute and copying it to the username:
auth_user_request->user()->username(userLabel) in the case of returned
Helper::Error;
By the way, what are these acronyms for (YR, KK, TT, AF, BH, NA, LD)?
Kind regards,
Ankor.
Tue, 31 Jan 2023 at 08:54, Amos Jeffries :
> On 31/01/2023 6:13 pm, Andrey
.
Is there any other possibility to log username and source IP address in
such NTLM-failed authentication attempts?
Kind regards,
Ankor.
Tue, 31 Jan 2023 at 07:56, Andrey K :
> Hello Amos,
>
> Thank you for the information.
>
> I turned on squid debug_options 84,9 and see i
Tue, 31 Jan 2023 at 07:09, Amos Jeffries :
> On 31/01/2023 4:55 pm, Andrey K wrote:
> > Hello,
> >
> > I need to log failed Proxy-authentication attempts. The log
> > information should contain timestamp, username and client IP address.
> > 407-records in the
Hello,
I need to log failed Proxy-authentication attempts. The log information
should contain timestamp, username and client IP address.
407-records in the access.log file do not contain username if
NTLM-authentication is used.
I was wondering if it is possible to set up such a configuration?
Kin
Yes, it works.
Thank you very much!
Tue, 13 Dec 2022 at 15:11, Francesco Chemolli :
>
>
> On Tue, Dec 13, 2022 at 12:57 PM Andrey K wrote:
>
>> Hello,
>>
>> I wonder if there is a way to show SQUID running config.
>> The configuration in the squid
Hello,
I wonder if there is a way to show SQUID running config.
The configuration in the squid.conf may be outdated because it can already
have been changed without SQUID reconfiguration at the time of viewing.
I saw this feature in squidclient -p 3128 mgr:menu, but this item is marked as
hidden:
co
Hello ludovit,
We experienced the similar problems of crashing squid with "signal 6 and
status 0" symptoms in the /var/log/messages. There were hundreds of crashes
per hour during the working hours. There were also many crashes during
night hours. And I had no idea what the cause of the problem wa
50 matches