[squid-users] FTP relay with active client is broken?

2017-02-07 Thread Alex
Hello. Recently I gave FTP relay a try and it seems that it doesn't work out of the box :( I've seen a topic regarding passive mode (when squid puts real server's IP into 'Entering passive mode' message), however, I've solved this by writing a kernel module with custom netfilter hooks (th

Re: [squid-users] FTP relay with active client is broken?

2017-02-08 Thread Alex
p --dport 21 -j REDIRECT --to-port 2121 07.02.2017, 16:23, "Alex" : >   Hello. > >   Recently I gave FTP relay a try and it seems that it doesn't work out of > the box :( >   I've seen a topic regarding passive mode (when squid puts real server's IP > into 

Re: [squid-users] FTP relay with active client is broken?

2017-02-13 Thread Alex
, because there's no InterceptActive() check. But anyway, without COMM_TRANSPARENT it's useless. To sum up, I see some possible mistakes that may cause bugs in FTP relaying. I realise that probably I do something wrong also, however due to lack of documentation for FTP relay there

Re: [squid-users] FTP relay with active client is broken?

2017-02-13 Thread Alex
Well, I can try to make a patch for this... Two questions: 1. I should send it to squid-dev, do I? 2. Source code for which version should I use: 4.0 or 3.5? 14.02.2017, 04:59, "Amos Jeffries" : > On 14/02/2017 1:18 a.m., Alex wrote: >>    Well, actually it looks like a bug i

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-08 Thread Alex Rousskov
"good" address right after marking that IPv6 address as bad (at "restoreGoodness" line) when there was another good IP address available. It is as if Squid stored two identical IPv6 addresses (and not IPv4 ones), but that should not happen either. Alex. ___

Re: [squid-users] chunked transfer over sslbump

2024-01-09 Thread Alex Rousskov
such tests): https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction Please note that Squid v5 is not officially supported and has more known security vulnerabilities than Squid v6. You should be using Squid v6. HTH,

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-09 Thread Alex Rousskov
On 2024-01-09 05:56, Stephen Borrill wrote: On 09/01/2024 09:51, Stephen Borrill wrote: On 09/01/2024 03:41, Alex Rousskov wrote: On 2024-01-08 08:31, Stephen Borrill wrote: I'm trying to determine why squid 6.x (seen with 6.5) connected via IPv4-only periodically fails to connect t

Re: [squid-users] chunked transfer over sslbump

2024-01-09 Thread Alex Rousskov
not the latest GCC version available to folks running Amazon Linux, but you may need to install some packages to get a more recent GCC version. Unfortunately, I cannot give specific instructions for Amazon Linux right now. HTH, Alex. HTTP/1.1 200 OK Date: Tue, 09 Jan 2024 15:41:3

Re: [squid-users] ICAP too many errors and suspensions

2024-01-10 Thread Alex Rousskov
ave to decline this opportunity to discuss Squid source code modifications on the squid-users mailing list. If you want to disable service suspensions without understanding why ICAP transactions fail, then use a very large icap_service_failure_limit in squid.conf. HTH, Alex.

Re: [squid-users] chunked transfer over sslbump

2024-01-10 Thread Alex Rousskov
and then trying with Squid v6.6 or newer. FWIW, if the problem persists in Squid v6, sharing debugging logs would be the next recommended step. HTH, Alex. Also want to point out that, squid connects to another non-squid proxy to reach internet. /cache_peer parent 0 no-query default/ On

Re: [squid-users] Is a workaround for SQUID-2023:9 to disable TRACE requests?

2024-01-10 Thread Alex Rousskov
collapsed forwarding) may not be enough IMO. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] chunked transfer over sslbump

2024-01-12 Thread Alex Rousskov
On 2024-01-12 09:21, Arun Kumar wrote: On Wednesday, January 10, 2024 at 11:09:48 AM EST, Alex Rousskov wrote: On 2024-01-10 09:21, Arun Kumar wrote: >> i) Retry seems to fetch one chunk of the response and not the complete. >> ii) Enabling sslbump and turning ICAP off, not help

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-16 Thread Alex Rousskov
On 2024-01-16 06:01, Stephen Borrill wrote: The problem is no different with 6.6. Is there any more debugging I can provide, Alex? Yes, but I need to give you a patch that adds that (temporary) debugging first (assuming I fail to reproduce the problem in the lab). The ball is on my side

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-16 Thread Alex Rousskov
d _set_ of DNS lookups. That set was previously formed from a usable DNS A response record (216.239.38.120) and an empty DNS response ("No DNS records"). Alex. 2024/01/16 15:40:06.409 kid1| 14,4| ipcache.cc(617) nbgethostbyname: forcesafesearch.google.com 2024/01/16 15:

Re: [squid-users] offline mode not working for me

2024-01-18 Thread Alex Rousskov
s. The resulting certificate will not be based on AWS service info, but it looks like your client is ignorant enough to ignore related certificate problems. HTH, Alex. Hi, Hoping someone can help me with this issue that I have been struggling with for days now.   I am setting up squid on an

[squid-users] CONNECT Response Headers

2024-01-22 Thread Alex Coomans
Hey y'all, I'd like to be able to set headers on the response sent to a CONNECT request, but the documentation notes reply_header_add does not work for that - is there another option or a way to achieve this without needing to MITM the TLS? Th

Re: [squid-users] CONNECT Response Headers

2024-01-29 Thread Alex Rousskov
On 2024-01-22 16:28, Alex Coomans wrote: I'd like to be able to set headers on the response sent to a CONNECT request, but the documentation notes reply_header_add does not work for that - is there another option or a way to achieve this without needing to MITM the TLS? AFAICT, Squid

Re: [squid-users] Long Group TAG in access.log when using kerberos

2024-01-31 Thread Alex Rousskov
multiple annotations, prepend the annotation name so that it is easier (especially for humans) to extract the right annotation from the access log record: ... foo=%note{foo} bar=%note{bar} ... HTH, Alex. On 31/01/2024 at 14:36, Andrey K wrote: Hello, David, > Anyway to remove th

Re: [squid-users] Squid - Queue overflow

2024-01-31 Thread Alex Rousskov
sappear. If the ERROR is still there after those two changes, it may be easier to triage it in a cleaner environment. HTH, Alex.

Re: [squid-users] does the logging of cache.log support the log modules like daemon, syslog, udp ...

2024-02-01 Thread Alex Rousskov
at cache.log messages to emit, see "squid -X ...", debug_options, and cache_log_message. By default, Squid emits level-0/1 messages in most cases. If the above information is not in Squid wiki, please consider submitting a pull request that adds (a polished version of) it: https://github.c

Re: [squid-users] stale-if-error returning a 502

2024-02-01 Thread Alex Rousskov
er setting debug_options to ALL,3. Searching for "refresh" and "handleIMSReply" may yield enough clues. HTH, Alex. # /etc/squid/squid.conf : acl to_aws dstdomain .amazonaws.com acl from_local src localhost http_access allow to_aws http_acce

Re: [squid-users] chunked transfer over sslbump

2024-02-02 Thread Alex Rousskov
policies you need to comply with, of course). This is the best I can offer. If that is not good enough, I hope that others can offer more/different help. Good luck, Alex. Also please suggest if we can tweak the below sslbump configuration, to make the chunked transfer work seamless. /http_port

Re: [squid-users] external icap issue with squid 5 and higher

2024-02-02 Thread Alex Rousskov
docs/debug-sections.txt. HTH, Alex. Service is setup like this : icap_service service_req reqmod_precache icap://10.1.1.1:1344/icap bypass=1 Regards, *Yvain PAYEN* * **Pôle Opérations & Technologies *Equipe Infrastructure système T. +33 (0)5 57 57 01 85 (Poste 1185) M. +33 (0)7 87 30

Re: [squid-users] external icap issue with squid 5 and higher

2024-02-02 Thread Alex Rousskov
). Thank you, Alex. 2024/02/02 17:40:41.943 kid1| 93,3| ModXact.cc(679) callException: bypassing 0x558f358fdae0*2 exception: check failed: readBuf.isEmpty() exception location: ModXact.cc(1219) stopParsing [FD 17;rp(1)S(2)YG/Rw job17] 2024/02/02 17:40:41.943

Re: [squid-users] external icap issue with squid 5 and higher

2024-02-02 Thread Alex Rousskov
ithout any encapsulated HTTP body. That encapsulation matches the ICAP Encapsulated header. HTH, Alex. -Original Message- From: Alex Rousskov Sent: Friday, 2 February 2024 18:45 To: Yvain PAYEN ; squid-users@lists.squid-cache.org Subject: Re: [squid-users] external icap issue w

Re: [squid-users] New Squid prefers IPv4

2024-02-05 Thread Alex Rousskov
t to investigate why your Squid favors IPv4. HTH, Alex.

Re: [squid-users] New Squid prefers IPv4

2024-02-06 Thread Alex Rousskov
Eyeballs RFC/intent). As I said in my earlier response, it is easy to misinterpret Antony's high-level summary. Please do not use it for low-level triage. See my response for details. HTH, Alex.

Re: [squid-users] stale-if-error returning a 502

2024-02-07 Thread Alex Rousskov
sharing a pointer to the current (or, better, ALL,9) compressed logs while reproducing the problem is (still) the best way forward IMO. Cheers, Alex. On Fri, 2 Feb 2024 at 11:20, Robin Carlisle wrote: Hi, thanks for your reply. I have been looking at : https://developer.mozi

Re: [squid-users] stale-if-error returning a 502

2024-02-08 Thread Alex Rousskov
by configuring an explicit refresh_pattern rule with an explicit max-stale option (see squid.conf.documented for examples). I have not tested that theory either. HTH, Alex. On 2024-02-07 13:45, Robin Carlisle wrote: Hi, I have just started my enhanced logging journey and have a small snip

Re: [squid-users] stale-if-error returning a 502

2024-02-09 Thread Alex Rousskov
do not have max-stale options at all, and, hence, Squid will use (explicit or default) max_stale directive instead. HTH, Alex. I am testing this right now # this should allow stale objects up to 1 year if allowed by Cache-Control response headers ... # ... setting both options just in

Re: [squid-users] stale-if-error returning a 502

2024-02-12 Thread Alex Rousskov
ix for the underlying Squid bug was officially accepted and should become a part of v6.8 release (at least). Thank you, Alex. On Fri, 9 Feb 2024 at 14:31, Alex Rousskov wrote: On 2024-02-09 08:53, Robin Carlisle wrote: > I am trying the config workaround approach. Pleas

Re: [squid-users] Squid delay_access with external acl

2024-02-20 Thread Alex Rousskov
cess allow fromUserThatShouldBeLimited markAsLimited !all delay_access 3 allow markedAsLimited HTH, Alex. On Tue, Feb 20, 2024 at 2:15 PM Szilárd Horváth wrote: Good Day! I try to make limitation bandwidth for some user group. I have an external acl which get the users from ldap datab

Re: [squid-users] Unable to filter javascript exchanges

2024-02-20 Thread Alex Rousskov
upgrade to Squid v6 or later. The upgrade itself will not add a "check directive X when tunneling for a long time" feature though. HTH, Alex.

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-02-20 Thread Alex Rousskov
On 2024-02-12 06:46, Stephen Borrill wrote: On 16/01/2024 14:37, Alex Rousskov wrote: On 2024-01-16 06:01, Stephen Borrill wrote: The problem is no different with 6.6. Is there any more debugging I can provide, Alex? Yes, but I need to give you a patch that adds that (temporary) debugging

Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-27 Thread Alex Rousskov
around. AFAIK[1], a Squid developer is working on improving this ugly situation, but that work takes time (and will not resurrect squidclient support in future Squid versions). HTH, Alex. [1] https://bugs.squid-cache.org/show_bug.cgi?id=5283 [2] https://lists.squid-cache.org/pipermail/s

Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-28 Thread Alex Rousskov
. Cheers, Alex. (and of course replace port 3128 with whatever port you're using for Squid) Everything else is the same as previously. Also, the same applies to all other cachemgr reports: curl --silent --user squid_cachemgr_user:squd_cachemgr_password http://squid.host.name:3128/

Re: [squid-users] Squid delay_access with external acl

2024-03-04 Thread Alex Rousskov
ed as expected). Good luck, Alex. Please check my config maybe i made a mistake. Or maybe have you any other solution? I can use proxy users from QUOTA_EXCEEDED_USERS.acl which contain e-mail address or get from ldap with external_acl_type overkvota children-max=10 children-startup=10 tt

Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Alex Rousskov
up steps. Still, this log may contain some sensitive details, so share privately if needed. Thank you, Alex. and on the other 3 I have IPv6: ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp tcp        0      0 x.x.x.x:52386    x.x.x.x:443     ESTABLISHED 997651/(squid-

Re: [squid-users] Recommended squid settings when using IPS-based domain blocking

2024-03-06 Thread Alex Rousskov
the latest Squid v6 and retesting. HTH, Alex. Initially the dns_timeout was set for 30 seconds. I reduced this, thinking that perhaps requests were building up or something along those lines. I set it to 5 seconds, but that just got us to a failure state faster. I also found the negative_dn

Re: [squid-users] Compilation error for v6.8

2024-03-14 Thread Alex Rousskov
311 (Red Hat 8.3.1-3) (GCC) Note: I'm able to compile successfully v6.7 in same build environment. Please see Squid Bug 5349 for a fix: https://bugs.squid-cache.org/show_bug.cgi?id=5349 Alex.

Re: [squid-users] After upgrade from squid6.6 to 6.8 we have a lot of ICAP_ERR_OTHER and ICAP_ERR_GONE messages in icap logfiles

2024-03-14 Thread Alex Rousskov
empty pages". Please see Squid Bug 5352 for a work-in-progress fix that needs testing: https://bugs.squid-cache.org/show_bug.cgi?id=5352 Thank you, Alex. Unfortunately it is not deterministic, the page will appear the next time it is called up. I can't see anything conspicuous i

Re: [squid-users] Error during ICAP RESPMOD

2024-03-18 Thread Alex Rousskov
nt details) may also be very useful. HTH, Alex.

Re: [squid-users] Error during ICAP RESPMOD

2024-03-22 Thread Alex Rousskov
rpreting the snippets. If you want a more reliable diagnosis, then my earlier recommendation regarding sharing (privately if needed) the following information still stands: * compressed ALL,9 cache.log and * the problematic ICAP response in a raw packet capture format. HTH, Alex. On Monday, Ma

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-03-25 Thread Alex Rousskov
same set of http_access rules for both Squid versions? Alex.

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-03-29 Thread Alex Rousskov
line options and adjust standard error redirection (|&) as needed for your shell. Run the above command for both Squid v5 and v6 binaries. You should see output like this: 2024/03/29 13:31:05| Processing: http_access allow manager 2024

Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to http

2024-04-03 Thread Alex Rousskov
merged as is, and I would not recommend using it in production (because of low-level bugs that will probably crash Squid in some cases), but testing it in the lab and providing feedback to authors may be useful: https://github.com/squid-cache/squid/pull/1668 HTH, Alex

Re: [squid-users] BWS after chunk-size

2024-04-03 Thread Alex Rousskov
security risks of your Squid deployment or those around it. FWIW, we work in the background to better address this issue, but we are currently too busy with more important Squid problems to make good progress with that work. Alex. ___ squid-users

Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to http

2024-04-05 Thread Alex Rousskov
like a completely separate issue. If you are suspecting that Squid should get certain intermediate certificates but does not, check Bugzilla, and, if there is no corresponding bug report, file a new one. HTH, Alex. On 03.04.2024 at 17:05 Alex Rousskov wrote: On 2024-04-03 02:14, Lo

Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to http

2024-04-05 Thread Alex Rousskov
use case is not applicable to this problem because your Squid is not using SslBump. It is SslBump actions that confuse Chrome (in some cases). Alex. acl SSL_ports port acl Safe_ports port 80 acl Safe_ports port 443 acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-04-06 Thread Alex Rousskov
t configuration for port(s) 3128, and your visible_hostname setting in squid.conf (if any). HTH, Alex. [1]: https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction

Re: [squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

2024-04-10 Thread Alex Rousskov
packet(s) in Wireshark. Alex.

Re: [squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

2024-04-10 Thread Alex Rousskov
configuration _error_. AFAICT, Squid code should be adjusted to _quit_ (i.e. reject bad configuration) after discovering this error instead of continuing as if nothing bad happened. I recommend addressing the underlying cause, even if this message is unrelated to SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A

Re: [squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

2024-04-11 Thread Alex Rousskov
accepted into _official_ Squid releases, then please follow https://wiki.squid-cache.org/MergeProcedure Alex.

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-04-15 Thread Alex Rousskov
anted to mention that I was not (knowingly) ignoring you. > I have re-uploaded the cache.log files. The files have expired again. I have reviewed the diff you shared, but cannot make further progress without those test logs. Hopefully, your next list post reaches me. Alex. On 01/04/20

Re: [squid-users] Rock store limit

2024-04-16 Thread Alex Rousskov
its. Please also note that large rock cache_dirs will take a long time to be indexed on Squid startup. Rock indexing is usually done in background, but it is still a significant performance expense. Optimizing indexing is an old item on our to-do list. HTH, Alex. cache_dir rock /cache

Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

2024-04-17 Thread Alex Rousskov
that lack of trust via a TLS alert. Did you configure the client to trust the certificate your Squid is using for bumping client connections? HTH, Alex. With old Squid 3.5 it worked with almost same config and certificate.

Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

2024-04-18 Thread Alex Rousskov
ave matched for the test transaction), but I would _start_ by checking that Squid is sending the certificate(s) you think it is sending. HTH, Alex. *From:*squid-users *On Behalf Of *Alex Rousskov *Sent:* Wednesday, 17 April 2024 19:53 *To:* squid-users@lists.squid-cache.org *Subject:*

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-04-18 Thread Alex Rousskov
k that will include initial parsing in the log). The logs should detail at least one transaction that should evaluate most http_access rules. Such logs will address concern (A) as well, but you will probably have to share them privately if you are using production configuration/instance. HTH, Al

Re: [squid-users] Error from icap during respmod

2024-05-02 Thread Alex Rousskov
{"activity":...} HTH, Alex. https://drive.google.com/file/d/19yirXfxKli7NXon4ewiy-v3GpLvECT1i/view?usp=sharing Squid configuration: icap_enable on icap_send_client_ip on icap_send_cl

Re: [squid-users] Error during ICAP RESPMOD

2024-05-02 Thread Alex Rousskov
thread) supports and details the "HTTP body instead of an ICAP response header" theory I suggested further below (before you shared that log file). [1]: https://lists.squid-cache.org/pipermail/squid-users/2024-May/026634.html Alex. On Friday, March 22, 2024 at 11:02:51 PM EDT, Alex Rous

Re: [squid-users] Error from icap during respmod

2024-05-08 Thread Alex Rousskov
rather complex wheel) use c-icap, but c-icap is written in C: https://c-icap.sourceforge.net/ Please note that if my triage is correct, then the issue here is not "compatibility" with Squid. It is a serious ICAP service bug or misconfiguration. Good luck, Alex. We want to impleme

Re: [squid-users] Squid returns a lot of ABORTED in access log and user navigation speed slows

2024-05-15 Thread Alex Rousskov
today, but, in general, that directive should not be used (and the whole feature should be removed from Squid until it is properly implemented). I cannot currently answer your primary questions on this thread. I hope somebody else will guide you through this triage. Alex. On 15/05/2024

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-16 Thread Alex Rousskov
etrics and experiment with all four different combinations across the two boolean directives (at least -- there are more directives that affect connection persistency). Doing this kind of research right is difficult! HTH, Alex. Best regards On 31/01/2022 14:52, Eliezer Croitoru wrote: Hey

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-16 Thread Alex Rousskov
share that evidence and ask for configuration advice based on that evidence. HTH, Alex. ___ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-17 Thread Alex Rousskov
ously failed to get that message across since essentially the same question is still being asked. Alex. On 16/05/2024 21:34, Alex Rousskov wrote: On 17/05/24 02:23, Bolinhas André wrote: Has I explain, by default I set those directives to off to avoid high cpu consumption. Just FYI:

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-17 Thread Alex Rousskov
On 2024-05-16 19:12, Jonathan Lee wrote: What about using COSS file system? Squid does not support COSS cache_dirs since v3.5. If Squid in question does disk caching, then rock cache_dirs may be the best bet. Alex. On May 16, 2024, at 15:10, Andre Bolinhas wrote:  Hi Well, the

Re: [squid-users] Question: cache_mem share among multiple squid instances with the same service_name in SMP mode

2024-05-20 Thread Alex Rousskov
em (i.e. no chroot, jails, or similar isolation tricks for each Squid instance). Various OSes isolate shared memory segments differently, but many use file systems for some shared memory artifacts. If artifacts from different Squid instances clash, Squid behavior is undefined. HTH, Alex. Per

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-20 Thread Alex Rousskov
On 2024-05-17 09:51, Andre Bolinhas wrote: Alex can you reply this please Already did. Please see https://lists.squid-cache.org/pipermail/squid-users/2024-May/026677.html Alex.  Hi Well, the performance and NTLM issues that I had with persistent connections goes back to squid 3.5 😳, so

Re: [squid-users] log_referrer question

2024-05-21 Thread Alex Rousskov
ll. Would I need to reinstall, or is that no longer necessary in version 4.13? referer_log and the corresponding ./configure options have been removed long time ago, probably before v4.13 was released. HTH, Alex. *From:*squid-users *On Behalf Of *squid-users-requ...@lists.squid-cache.

Re: [squid-users] log_referrer question

2024-05-21 Thread Alex Rousskov
the area is full of insurmountable difficulties and misleading advice. Avoid it if at all possible. HTH, Alex. -- Message: 1 Date: Tue, 21 May 2024 17:50:49 + From: Bobby Matznick mailto:bmatzn...@pbandt.bank>> To

Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Alex Rousskov
" attack on client-server traffic, using your minted certificates. You can search for Squid SslBump to get more information about this feature, but the area is full of insurmountable difficulties and misleading advice. Avoid it if at all possible! HTH, Alex. I've found information on ho

Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Alex Rousskov
n of Squid. FWIW, most of the basics are covered at https://wiki.squid-cache.org/Features/SslPeekAndSplice That page was written for a feature introduced in v3.5, but it is not specific to that Squid version. HTH, Alex. > On May 23, 2024, at 08:49, Alex Rousskov wrote: >

Re: [squid-users] Simulate connections for tuning squid?

2024-05-24 Thread Alex Rousskov
"ab": Not designed for testing proxies but well-known and fairly simple. * Web Polygraph: Designed for testing proxies but has a steep learning curve and lacks fresh releases. * curl/wget/netcat: Not designed for testing performance but well-known and very simp

Re: [squid-users] Validation of IP address for SSL spliced connections

2024-05-29 Thread Alex Rousskov
tic for other reasons) or be enhanced to use out-of-band validation tricks (that come with their own set of problems). Is there a way to configure squid to validate that the server certificate is valid for the host specified in the SNI header? IIRC, that validation happens autom

Re: [squid-users] Validation of IP address for SSL spliced connections

2024-05-29 Thread Alex Rousskov
On 2024-05-29 17:06, Rik Theys wrote: On 5/29/24 5:29 PM, Alex Rousskov wrote: On 2024-05-29 05:01, Rik Theys wrote: acl allowed_clients src "/etc/squid/allowed_clients" acl allowed_domains dstdomain "/etc/squid/allowed_domains" http_access allow allowed_clients allowed

Re: [squid-users] Validation of IP address for SSL spliced connections

2024-05-30 Thread Alex Rousskov
On 2024-05-30 02:30, Rik Theys wrote: On 5/29/24 11:31 PM, Alex Rousskov wrote: On 2024-05-29 17:06, Rik Theys wrote: On 5/29/24 5:29 PM, Alex Rousskov wrote: On 2024-05-29 05:01, Rik Theys wrote: squid doesn't seem to validate that the IP address we're connecting to is val

Re: [squid-users] IPv6 happy eyeball on dualstack host

2024-06-05 Thread Alex Rousskov
y, somebody will (a) completely remove --disable-ipv6 and (b) improve startup probing code to make steps 1 and 3 completely unnecessary. We have recently done a couple of baby steps towards (a). HTH, Alex. though with dis command I can see IPv6 address as well. Also from same host, I am able to

Re: [squid-users] Upgrade path from squid 4.15 to 6.x

2024-06-05 Thread Alex Rousskov
covered in release notes. When in doubt, ask (specific) questions. HTH, Alex. On Wed, Jun 5, 2024 at 3:20 PM Akash Karki (CONT) wrote: Hi Team, We are running on squid ver 4.15 and want to update to n-1 of the latest ver(I believe 6.9 is the latest ver). I want to

Re: [squid-users] [External Sender] Re: Upgrade path from squid 4.15 to 6.x

2024-06-05 Thread Alex Rousskov
://www.squid-cache.org/Versions/ The following wiki pages may also contain useful info: https://wiki.squid-cache.org/Releases/Squid-5 https://wiki.squid-cache.org/Releases/Squid-6 HTH, Alex. On Wed, Jun 5, 2024 at 4:31 PM Alex Rousskov wrote: On 2024-06-05 10:30, Akash Karki (CONT) wrote

Re: [squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?

2024-06-10 Thread Alex Rousskov
: # SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is defined to be # SSL_OP_BIT(18) which is equal to (1 << 18) or 0x4 in hex. tls_outgoing_options options=0x4 Disclaimer: I have not tested the above and do not know whether adding that option achieves what you want to achieve. HTH,

Re: [squid-users] Howto enable openssl option UNSAFE_LEGACY_RENEGOTIATION ?

2024-06-11 Thread Alex Rousskov
https://github.com/squid-cache/squid/pull/1839 I do not have a patch for the staring use case. HTH, Alex. I use a debian bookworm container and when I use openssl s_client without -legacy_server_connect I can't established a tls connection --snip-- root@tarski:/# openssl s_client -connect

Re: [squid-users] Error Question

2024-06-11 Thread Alex Rousskov
the specific problem you are suffering from. HTH, Alex.

Re: [squid-users] Error Question

2024-06-11 Thread Alex Rousskov
list thread and detail _that_ problem there. Thank you, Alex. On Jun 11, 2024, at 11:24, Jonathan Lee wrote: thanks i have enabled coredump_dir /var/squid/logs I will submit a dump as soon as it occurs again On Jun 11, 2024, at 11:17, Jonathan Lee wrote: I have attempted to upgrad

Re: [squid-users] Error Question

2024-06-11 Thread Alex Rousskov
her issues. Glad to hear that! Alex. On Jun 11, 2024, at 14:00, Alex Rousskov wrote: On 2024-06-11 14:46, Jonathan Lee wrote: 2024-05-16 14:10:23 [60780] loading dbfile /var/db/squidGuard/Nick_Blocks/urls.db 2024/06/11 10:23:05 kid1| FATAL: Received Segment Violation...dying. 2024/06/11 10:

Re: [squid-users] Error Question

2024-06-11 Thread Alex Rousskov
get an answer faster if you set coredump_dir in squid.conf to /var/crash, start Squid with that configuration, and then kill a running Squid worker with SIGABRT. HTH, Alex. On Jun 11, 2024, at 14:42, Alex Rousskov wrote: On 2024-06-11 17:06, Jonathan Lee wrote: I can’t locate the dump file

Re: [squid-users] Error Question

2024-06-12 Thread Alex Rousskov
ds Beyond using a reasonable coredump_dir value in squid.conf, the system administration problems you need to solve to enable Squid core dumps are most likely not specific to Squid. HTH, Alex. It’s funny as soon as I enabled the sysctl command and set the directory it won’t crash anymore. I al

Re: [squid-users] Error Question

2024-06-12 Thread Alex Rousskov
that). If same user does not expose the difference, start the test script from the directory where you told Squid to dump core. HTH, Alex. I have tested it with a sanity check with the help of FreeBSD forum users. However it just does not show a core dump for me on anything kill -11 ki

Re: [squid-users] Error Question

2024-06-13 Thread Alex Rousskov
Squid, there is nothing more for us to do here (for now). Alex.

[squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-16 Thread Alex Rousskov
respond (publicly or privately) and, if possible, please indicate whether you have verified that those ACLs are working correctly in your deployment environment. Thank you, Alex. acl aclname src_as number ... acl aclname dst_as number ... # [fast] # Except

Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-17 Thread Alex Rousskov
onfiguration :-). Thank you, Alex. On Jun 16, 2024, at 17:00, Alex Rousskov wrote: Hello, Does anybody still have src_as and dst_as ACLs configured in their production Squids? There are several serious problems with those ACLs, and those problems have been present in Squid for man

Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-17 Thread Alex Rousskov
https://github.com/squid-cache/squid/commit/51c518d5 Thank you, Alex. On Jun 17, 2024, at 08:17, Alex Rousskov wrote: On 2024-06-16 19:46, Jonathan Lee wrote: I use them for ipv6 blocks they seem to work that way in 5.8 Just to double check that we are on the same page here, please sh

Re: [squid-users] url_rewrite (with rewrite-url): PinnedConnection failure results in total failure

2024-06-18 Thread Alex Rousskov
g echoes may be difficult! It is also not clear whether the originally pinned Squid-to-server connection should be preserved in such cases (to be used for future non-redirected requests received on the same client-to-Squid connection, if any). Again, the correct answer may depend on the "p

Re: [squid-users] Requesting Help to debug my squid

2024-06-25 Thread Alex Rousskov
eally need Ident, stop using Ident features[3] in squid.conf and disable Ident support when building Squid: ./configure --disable-ident-lookups ... If you do need Ident, consider writing an external_acl helper that performs Ident lookups and then disable native Ident support in Squid. HTH,

Re: [squid-users] FATAL: assertion failed: mem/PageStack.cc:159: "StoredNode().is_lock_free()"

2024-06-27 Thread Alex Rousskov
uid/commit/7a5af8db HTH, Alex. I have filed a bug report with Openwrt at https://github.com/openwrt/packages/issues/24469 where someone suggested, "ramips has one CPU and the assert is that system pointers are not 64bit." Below are the logs for debug_options 54,9: 2024/06/27 19:48

Re: [squid-users] FATAL: assertion failed: mem/PageStack.cc:159: "StoredNode().is_lock_free()"

2024-06-28 Thread Alex Rousskov
On 2024-06-28 01:38, Nishant Sharma wrote: On 27/06/24 23:06, Alex Rousskov wrote: and how your traffic tickles them, SMP Squid without atomic locks might become very slow! We do not (and, IMO, should not) optimize performance for environments without lock-free atomics! I see the following

Re: [squid-users] FATAL: assertion failed: mem/PageStack.cc:159: "StoredNode().is_lock_free()"

2024-07-03 Thread Alex Rousskov
e., there can be no deadlocks due to mutexes). Disclaimer: I do not know what "lock ID" is in this context. HTH, Alex. I tried to go through config.log and could see the following messages which might or might not be related to this: ... ... ... configure:46036: checking for u

Re: [squid-users] FATAL: assertion failed: mem/PageStack.cc:159: "StoredNode().is_lock_free()"

2024-07-04 Thread Alex Rousskov
On 2024-07-04 04:57, Nishant Sharma wrote: On 03/07/24 21:27, Alex Rousskov wrote: On 2024-07-03 09:27, Nishant Sharma wrote: Is there any change that we need to do in the configure script to check for the availability of 64 bit atomic lock and use 32 bit lock if not available? It is

Re: [squid-users] Squid as http to https forward proxy

2024-07-04 Thread Alex Rousskov
routing all traffic to one HTTPS origin server
cache_peer 127.0.0.1 parent 443 0 tls originserver \
    name=MySecureOrigin \
    no-query no-digest
cache_peer_access MySecureOrigin allow all
always_direct deny all
never_direct allow all
nonhierarchic

Re: [squid-users] Squid Cache Issues migration from 5.8 to 6.6

2024-07-04 Thread Alex Rousskov
chives for previous discussions about it, and then provide as many details about it as you can (e.g., what traffic causes it and/or matching access.log records). HTH, Alex. Squid - Cache Logs Date-Time Message 31.12.1969 16:00:00 03.07.2024 10:54:34 kick abandoning conn7853 local=1

Re: [squid-users] Squid as http to https forward proxy

2024-07-04 Thread Alex Rousskov
omeone please confirm if the given setup is in principle possible with Squid? If yes, which configuration needs to be done? On 04.07.24 10:36, Alex Rousskov wrote:    Yes, Squid should be able to forward plain text HTTP requests to a secure server. Use cache_peer directive with "tls" a
