Nabble - Squid - Users

Trying to authenticate a user only once per working day

2009-12-19T20:24:24Z

Hi,

I wish to authenticate (NTLM) our users only once per working day:

authenticate_ip_shortcircuit_ttl 8 hours

When the user browses for the first time, he will be authenticated and his
IP will be cached so that, for the next 8 hours, Squid believes that
requests coming from this IP belong to that user. Now comes the tricky part:
if that user logs off and somebody else logs in before those 8 hours expire,
Squid would mistakenly associate the same IP with the previous identity. As
our IE browsers are pre-configured with a standard home page, and the new
user couldn't avoid opening it before being able to go elsewhere, I tried
enforcing (re)authentication for the home page:

acl HOME_PAGE url_regex -i homepage.intranet
authenticate_ip_shortcircuit_access deny HOME_PAGE

It didn't work.
Does authenticate_ip_shortcircuit_access accept only IP acl's ?

cache_peer and HTTP/1.1 in squid3

2009-12-19T09:03:25Z

Hi, I have webservers on virtual interfaces and SQUID3 in accelerator
on interface with public IP on port 80. I am using "cache_peer" to
forward request to webservers from internet.
This is what I have in configuration file

cache_peer 192.168.0.1 parent 80 0 no-query originserver no-digest name=server1
cache_peer 192.168.0.2 parent 80 0 no-query originserver no-digest name=server2

acl srvone dstdomain binpot.eu
http_access allow srvone
cache_peer_access server1 allow srvone
cache_peer_access server1 deny all

acl srvtwo dstdomain parky.binpot.eu
http_access allow srvtwo
cache_peer_access server2 allow srvtwo
cache_peer_access server2 deny all

It works, but it uses HTTP 1.0 for contact webservers. I want to use
HTTP 1.1. How to achieve this? Or better, how to just forward
_unchanged request_ from internet to webserver and than _unchanged
request_ from webserver to client? I know squid 2.6 has some
experimental HTTP 1.1 support for this, but I want to use squid3.

R: [squid-users] NTLM v2

2009-12-18T13:54:02Z

Hi,

You are already using NTLMv2.

As you can read in the provided documentation, mswin_ntlm_auth.exe supports both NTLM/NTLMv2.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@...
WWW: http://www.acmeconsulting.it

> -----Messaggio originale-----
> Da: Ho, Oiling [mailto:oiling.ho@...]
> Inviato: venerdì 18 dicembre 2009 22.20
> A: squid-users@...
> Oggetto: [squid-users] NTLM v2
>
> Hi,
>
> I am running squid 2.7 on windows and it is configured to use NTLM
> authentication. Does any know how to configure it to use NTLM v2 on
> windows?
>
> Thanks,
> Oiling
>
>
>
> ==========================================================================
> =====
> Please access the attached hyperlink for an important electronic
> communications disclaimer:
> http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
>
> ==========================================================================
> =====
>

NTLM v2

2009-12-18T13:19:31Z

Hi,

I am running squid 2.7 on windows and it is configured to use NTLM
authentication. Does any know how to configure it to use NTLM v2 on
windows?

Thanks,
Oiling

===============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
===============================================================================

Problems with squid_ldap_auth

2009-12-18T10:18:39Z

HI,

i installed squid-3.1.0.15 from ports on FreeBSD 7.2-RELEASE-p4.

I am trying to integrate it with Active Directory ( windows 2008 ).

Cache.log didnt show any erros but when i try to access any site it
ask my username and password but i cannot authenticate myself.

At squid.conf i have this lines:

# As linhas abaixo se referem a autenticacao de users no AD
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b
"DC=autopass" -D "cn=autopass\squid,DC=autopass" -w "mypass" -h
192.168.9.12:389

# ACL externa para autentica\xe7\xe3o nas bases LDAP do PDC
external_acl_type ldap_group %LOGIN
/usr/local/libexec/squid/squid_ldap_group -R -b "dc=autopass" -D "cn
=squid,ou=Users,dc=autopass" -w "mypass" -f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=
%a,ou=Autopass_Internet,dc=autopass))" -h 192.168.9.12

When I run this at console i got no reply.

/usr/local/libexec/squid/squid_ldap_auth -b "DC=autopass" -D
"cn=autopass\squid,DC=autopass" -w "mypass" -h 192.168.9.12:389

I cant use ldapsearch too.

caos# ldapsearch -b "DC=autopass" -D "cn=autopass\squid,DC=autopass"
-w "mypass" -h 192.168.9.12:389
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903AA, comment:
AcceptSecurityContext error, data 525, v1772
caos#

access.log
192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
192.168.9.173 - rasouza [18/Dec/2009:15:33:29 -0200] "GET
http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE
192.168.9.173 - rasouza [18/Dec/2009:15:33:31 -0200] "GET
http://www.google.com.br/ HTTP/1.1" 407 4345 TCP_DENIED:NONE

No firewalls, i can access port 389 of my AD.

Can anyone help me please?

thanks

RE: Digest authentication not working

2009-12-18T06:14:55Z

I cannot connect to the internet via squid anymore, I got "Access
Denied" using squidclient, it works if I am using Basic.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@...]
Sent: Thursday, December 17, 2009 7:11 PM
To: squid-users@...
Subject: Re: [squid-users] Digest authentication not working

Ho, Oiling wrote:

> Hi,
>
> I setup squid on my PC as my proxy server, I am able to run the squid
> client to access the internet. However, when I configure it to use
> digest authentication, it stops working, this is in my squid.conf:
>
> auth_param digest program c:/squid/libexec/digest_pw_auth.exe
> c:/squid/etc/digest_password
> auth_param digest children 5
> auth_param digest realm Squid proxy-caching web server auth_param
> digest nonce_garbage_interval 5 minutes auth_param digest
> nonce_max_duration 30 minutes auth_param digest nonce_max_count 50
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
>
> I used htdigest and created a password file, does anyone know what is
> wrong?
>

Please define "stops working". Does the PC turn off or what?

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15

===============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
===============================================================================

RE: any work arounds for bug 2176

2009-12-18T01:47:28Z

Reposted for info to the list, without the attachments that cause the list to bounce the message

-----Original Message-----
From: Bill Allison
Sent: 18 December 2009 09:43
To: 'Amos Jeffries'; Brett Lymn
Cc: squid-users@...
Subject: RE: [squid-users] any work arounds for bug 2176

"I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail."

Correction after further testing...

I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail, and even then only sometimes, in repeated tests with the same file being uploaded.

Other times the browser reports "The connection was reset" and tcpdump shows that the proxy sent a FIN to the server then to the client in response to the second 401 from the server. THe server closes the connection but the client continues sending a POST and the proxy then sends the client a string of RSTs.

For info "Invalid Verb" is issued by http.sys in IIS 6.0, in response to receiving a header that is not strictly rfc-compliant (including truncated).

Attached as requested is my squid.conf and tcpdumps of the Invalid Verb and RST failure cases.

Unlike Brett I'm very much a novice C coder but I'm perfectly happy to patch, compile and test if it helps generate a solution.

Regards
Bill A.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@...]
Sent: 17 December 2009 09:10
To: Brett Lymn
Cc: Bill Allison; squid-users@...
Subject: Re: [squid-users] any work arounds for bug 2176

Brett Lymn wrote:
> On Wed, Dec 16, 2009 at 07:57:21AM -0600, Bill Allison wrote:
>> Sorry - that was misleading. I've had
>> persistent_connection_after_error set on throughout my testing.
>
> I don't have that in my config file at all so I would guess it is at
> the default.
>

Which is off. Now I'm confused.

>> I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail.
>>
>
> I only tried a large-ish document. We did observe the same strange
> limit that Bill has seen when we tested without the patch applied,
> under a certain "magic" threshold the document would upload - the
> threshold seemed to be around the 50k mark, over that threshold we
> would just get popups.
>
>> I'd like to correlate network traces with debug output and would
>> appreciate suggestions as to which debug_options would include all
>> possibly relevant info
>>
>
> I am a C coder and may have some time to do some debugging on this
> between christmas and new year so, Amos, if you have any thoughts or
> hints as to where to go looking I can certainly have a stab at it.
>

Thank you. Any help at all would be great.

I *think* the relevant code is off src/client_side_reply.cc, but what to look for is where I'm currently stuck. The keep_alive values resolved things for you Brett but not Bill.

The variable nature of the threshold looks like some timing between actions triggering the bug vs the rate at which Squid is sucking the request in.

AFAIK popups only occur when the client gets sent two re-auth challenges. Which in the un-patched Squid was caused by the first half-authenticated link being closed by Squid before auth could complete. Then the second link being challenged for more auth would cause popup.

I think the next step is to find out what the difference between your two setups is exactly:
* squid.conf
* headers between Squid and the POSTing app.
* headers between Squid and the web server.

Particularly in what reply headers are going back. That should give us a little more of an idea what areas to look at.

If as you say the patch solved the issue but you saw the same thing earlier. Then I suspects it's probably a squid.conf detail being overlooked.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

[ASK ] forwards and still carried src_address client??

2009-12-17T23:16:45Z

hi...
can my squid forwards the packet from client and still carried
src_address client to my router???

regard and sorry for my bad english :D

Re: Digest authentication not working

2009-12-17T16:11:18Z

Ho, Oiling wrote:

> Hi,
>
> I setup squid on my PC as my proxy server, I am able to run the squid
> client to access the internet. However, when I configure it to use
> digest authentication, it stops working, this is in my squid.conf:
>
> auth_param digest program c:/squid/libexec/digest_pw_auth.exe
> c:/squid/etc/digest_password
> auth_param digest children 5
> auth_param digest realm Squid proxy-caching web server
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
>
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
>
> I used htdigest and created a password file, does anyone know what is
> wrong?
>

Please define "stops working". Does the PC turn off or what?

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15

Re: Reverce proxy setup with neighboor support

2009-12-17T16:07:22Z

Nikolaos Pavlidis wrote:
> Hello all,
>
> Many thanks for the responses so far, I gave it a go without much
> success unfortunatelly.
>
> The errors:
>
> 2009/12/17 15:20:00| icmpSend: send: (111) Connection refused
> 2009/12/17 15:20:00| Closing Pinger socket on FD 18

The 'pinger' helper used to measure the optimal network link speeds and
distances needs to be installed specially with root privileges.
For self-installs it's done with "make install-pinger" for packaged
builds you may need to chown and chmod manually.

This is not a critical failure. It will only result in some lack of
optimal path discovery.

> 2009/12/17 15:20:02| WARNING: Forwarding loop detected for:
> Client: <cache1_IP> http_port: <cache2_IP>:80

You appear to have missed the part about preventing requests from the
peer being sent back there.

Or possibly unique_hostname is set to identical values on both Squid.
The default is for it to be set to the content of visible_hostname.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15

Re: Bug 2307 - fully qualified users LDAP domain in ICAP header

2009-12-17T15:58:37Z

Declan Caffrey wrote:
> Hi,
>
> http://bugs.squid-cache.org/show_bug.cgi?id=2307
>
> Does anyone know if this was ever implemented and if so what Release ?
>

The bug is still open so the short answer is:
No. Nobody has submitted a patch to implement that.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15

Re: Trying to cache Google Earth content with URL rewrite

2009-12-17T13:04:12Z

Em 17-12-2009 12:47, Jeremy LeBeau escreveu:

> I am trying to use the Store URL Rewrite feature to allow a squid
> server to cache Google Earth content for a low bandwidth installation.
> When I make the changes in the docs
> (http://wiki.squid-cache.org/Features/StoreUrlRewrite), squid crashes
> after starting. From the log, it appears that the helper as written
> is causing problems. Any suggestions as to what is wrong?
>
> Here is the info that I get in the log after startup:
>
> 2009/12/17 08:42:01| Starting Squid Cache version 2.7.STABLE6 for
> amd64-debian-linux-gnu...
> 2009/12/17 08:42:01| Process ID 1691
> 2009/12/17 08:42:01| With 1024 file descriptors available
> 2009/12/17 08:42:01| Using epoll for the IO loop
> 2009/12/17 08:42:01| DNS Socket created at 0.0.0.0, port 56901, FD 6
> 2009/12/17 08:42:01| Adding domain IonaGroup.local from /etc/resolv.conf
> 2009/12/17 08:42:01| Adding domain IonaGroup.local from /etc/resolv.conf
> 2009/12/17 08:42:01| Adding nameserver 192.168.3.1 from /etc/resolv.conf
> 2009/12/17 08:42:01| helperOpenServers: Starting 5 'store_url_rewrite' processes
> /usr/local/squidhelper/store_url_rewrite: 1: $: not found
> /usr/local/squidhelper/store_url_rewrite: 1: =: not found
> /usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
> 2009/12/17 08:42:01| User-Agent logging is disabled.
> 2009/12/17 08:42:01| Referer logging is disabled.
> /usr/local/squidhelper/store_url_rewrite: 1: $: not found
> /usr/local/squidhelper/store_url_rewrite: 1: =: not found
> /usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
> /usr/local/squidhelper/store_url_rewrite: 1: $: not found
> 2009/12/17 08:42:01| logfileOpen: opening log /var/log/squid/access.log
> /usr/local/squidhelper/store_url_rewrite: 1: =: not found
> /usr/local/squidhelper/store_url_rewrite: 1:
> /usr/local/squidhelper/store_url_rewrite: 3: $: not foundSyntax error:
> ")" unexpected
>
> /usr/local/squidhelper/store_url_rewrite: 1: =: not found
> /usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
> /usr/local/squidhelper/store_url_rewrite: 1: $: not found
> /usr/local/squidhelper/store_url_rewrite: 1: =: not found
> /usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
> 2009/12/17 08:42:01| Unlinkd pipe opened on FD 16
> 2009/12/17 08:42:01| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
> 2009/12/17 08:42:01| Target number of buckets: 425
> 2009/12/17 08:42:01| Using 8192 Store buckets
> 2009/12/17 08:42:01| Max Mem size: 8192 KB
> 2009/12/17 08:42:01| Max Swap size: 102400 KB
> 2009/12/17 08:42:01| Local cache digest enabled; rebuild/rewrite every
> 3600/3600 sec
> 2009/12/17 08:42:01| logfileOpen: opening log /var/log/squid/store.log
> 2009/12/17 08:42:01| Rebuilding storage in /var/spool/squid (DIRTY)
> 2009/12/17 08:42:01| Using Least Load store dir selection
> 2009/12/17 08:42:01| Set Current Directory to /var/spool/squid
> 2009/12/17 08:42:01| Loaded Icons.
> 2009/12/17 08:42:01| Accepting proxy HTTP connections at 0.0.0.0, port
> 3128, FD 18.
> 2009/12/17 08:42:01| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
> 2009/12/17 08:42:01| HTCP Disabled.
> 2009/12/17 08:42:01| WCCP Disabled.
> 2009/12/17 08:42:01| Ready to serve requests.
> 2009/12/17 08:42:01| WARNING: store_rewriter #1 (FD 7) exited
> 2009/12/17 08:42:01| WARNING: store_rewriter #2 (FD 8) exited
> 2009/12/17 08:42:01| WARNING: store_rewriter #3 (FD 9) exited
> 2009/12/17 08:42:01| Too few store_rewriter processes are running
> FATAL: The store_rewriter helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 2.7.STABLE6): Terminated abnormally.
> CPU Usage: 0.020 seconds = 0.000 user + 0.020 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
> total space in arena: 2380 KB
> Ordinary blocks: 2321 KB 5 blks
> Small blocks: 0 KB 1 blks
> Holding blocks: 396 KB 1 blks
> Free Small blocks: 0 KB
> Free Ordinary blocks: 58 KB
> Total in use: 2717 KB 98%
> Total free: 59 KB 2%
>
>
>

Edit your /usr/local/squidhelper/store_url_rewrite, and add '#!
/usr/bin/perl' (without quotes) as it's first line.
(Sorry by my english. I'm brazilian)

Digest authentication not working

2009-12-17T11:25:00Z

Hi,

I setup squid on my PC as my proxy server, I am able to run the squid
client to access the internet. However, when I configure it to use
digest authentication, it stops working, this is in my squid.conf:

auth_param digest program c:/squid/libexec/digest_pw_auth.exe
c:/squid/etc/digest_password
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

acl authenticated proxy_auth REQUIRED
http_access allow authenticated

I used htdigest and created a password file, does anyone know what is
wrong?

Thanks,
Oiling

===============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
===============================================================================

Bug 2307 - fully qualified users LDAP domain in ICAP header

2009-12-17T08:46:38Z

Hi,

http://bugs.squid-cache.org/show_bug.cgi?id=2307

Does anyone know if this was ever implemented and if so what Release ?

If this isn't the best forum for this please point me in the right
direction.

Thanks,

Declan.

************************************************
The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, you are notified that any disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Any views, opinions or advice contained in this e-mail are those of the sending individual and not necessarily those of the firm. It is possible for data transmitted by e-mail to be deliberately or accidentally corrupted or intercepted.

For this reason where the communication is by e-mail, J&E Davy does not accept any responsibility for any breach of confidence which may arise from the use of this medium. If you have received this e-mail in error please notify us immediately at mailto: helpdesk@... and delete this e-mail from your system
************************************************

Re: Reverce proxy setup with neighboor support

2009-12-17T07:49:30Z

Hello all,

Many thanks for the responses so far, I gave it a go without much
success unfortunatelly.

The errors:

2009/12/17 15:20:00| icmpSend: send: (111) Connection refused
2009/12/17 15:20:00| Closing Pinger socket on FD 18
2009/12/17 15:20:02| WARNING: Forwarding loop detected for:
Client: <cache1_IP> http_port: <cache2_IP>:80

On Thu, 2009-12-17 at 10:00 +1300, Amos Jeffries wrote:

> On Wed, 16 Dec 2009 11:50:26 +0000, "Nikolaos Pavlidis"
> <Nikolaos.Pavlidis@...> wrote:
> > Hello all,
> >
> > I figured the easiest way to describe what I am trying to do is to...
> > draw it. First of all pardon my ignorance since I am relatively new to
> > squid. Any help will be much appreciated.
> >
> >
> > The Problem:
> >
> > Dec 9 17:42:35 cache2 squid[27234]: WARNING: Forwarding loop detected
> > for: Client: <cache1_IP> http_port: <cache2_IP>:3128 GET
> > internal://site1.domain.com/squid-internal-dynamic/netdb HTTP/1.0 Via:
> > 1.0 site1.domain.com:80 (squid) X-Forwarded-For: unknown Host:
> > <cache2_IP>:3128 Cache-Control: max-age=259200 Connection:
> > keep-alive
> >
> >
> >
> >
> > Reverse proxy Setup:
> >
> > O F5 load balanced vhost
> > | (DNS A name resolving site1.domain.com
> > | site2.domain.com
> > | site3.domain.com etc.)
> > |
> > |---------------|
> > | |
> > | |
> > cache1 O---------------O cache2
> > |
> > |
> > |
> > |
> > O---------------O--------------O
> > web1 web2 web3
> > site1 site3 site4
> > site2 site5
> >
> > Desired path:
> > 1. Request for site1
> > 2. F5 load balances request to cache1
> > 3. cache1 checks own cache
> > 4. if NO-HIT check cache2
> > 5. else go directly to web1
> >
>
> Excellent. This is a basic reverse-proxy with virtual hosting.
>
> The error you mentioned earlier indicates:
>
> 1. Request for site1
> 2. F5 load balances request to cache1
> 3. cache1: checks own cache
> 4. cache1: if NO-HIT check cache2
> 5. cache2: if NO-HIT check cache1
> 6. cache1: if NO-HIT check cache2 ... FAIL!!
> ...
>
>
> > Server:
> > 64bit SLES 11
> >
> > Configuration file (what I have done so far):
> >
> > # NETWORK OPTIONS
> > #
> >
> -----------------------------------------------------------------------------
> > http_port 80 accel defaultsite=site1.domain.com vhost
> > http_port 3128 accel defaultsite=site1.domain.com vhost
>
> There should be no need for port 3128 to be reverse-proxy as well.
> Dedicate that or another port to proxy-proxy communications.
>

Totally right, removed the whole line
"http_port 3128 accel defaultsite=site1.domain.com vhost"

> > visible_hostname site1.domain.com
> > offline_mode off
> >
> > # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> > #
> >
> -----------------------------------------------------------------------------
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> >
> > # OPTIONS WHICH AFFECT THE CACHE SIZE
> > #
> >
> -----------------------------------------------------------------------------
> > cache_mem 512 MB
> > maximum_object_size 32 KB
> > maximum_object_size_in_memory 64 Kb
> >
> > # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> > #
> >
> -----------------------------------------------------------------------------
> > cache_dir aufs /var/cache/squid 61440 16 256
> > emulate_httpd_log on
> > logfile_rotate 100
> > logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> > "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> > access_log /var/log/squid/access.log combined
> > cache_log /var/log/squid/cache.log
> > cache_store_log /var/log/squid/store.log
> > debug_options ALL,1,33,3,20,3
> >
> > # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> > #
> >
> -----------------------------------------------------------------------------
> > auth_param basic children 10
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > # OPTIONS FOR TUNING THE CACHE
> > #
> >
> -----------------------------------------------------------------------------
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i \.css 1440 50% 2880 override-expire
> > refresh_pattern -i \.swf 1440 50% 2880 ignore-reload
> > override-expire
> > refresh_pattern . 1440 50% 4320 override-expire
> >
> > # ACCESS CONTROLS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > acl all src all
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl purge method PURGE
> > acl CONNECT method CONNECT
> > acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> > upgrade_http0.9 deny shoutcast
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> >
>
> Part 1 of the problem:
>
> You are running a reverse-proxy. All of these initial http_access rules
> are forward-proxy security restrictions. In the case of the "allow all" its
> attempting to bypass the regular forward-proxy config by turning it into an
> open proxy instead.
>
> The reverse proxy config (your "UNIVERSITY SERVICES ENTRIES" settings)
> need to be set right here above the forward-proxy config.
>
>
> > http_access allow manager localhost
> > http_access deny manager
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow all
>
> With the reverse-proxy config in the right place you can turn the basic
> security back on by changing that above line to "deny all"
>
> > http_reply_access allow all
> >
> > icp_access allow all
> >
> > ##########################################
> > ###### UNIVERSITY SERVICES ENTRIES ######
> > ##########################################
> >
> > cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
> > cache_peer <cache2_IP> parent 3128 3130 proxy-only default
>
> Part 2 of the problem:
> The above config indicates that cache2 is the primary web server (on port
> 3128) with web1 as a backup source.
>
> I believe your setup needs cache1 and cache2 in a sibling relationship as
> 'alternative' backup sources of data to each other. Siblings are checked
> before parents but a failure at sibling is not fatal to locating the file.
>
> Also requests received in port 3128 (ie from a sibling) should be denied
> forwarding to the sibling.
>
> > acl sites_web1 dstdomain site1.domain.com site2.domain.com
> > http_access allow sites_web1
> > cache_peer_access web1 allow sites_web1
> > cache_peer_access web1 deny all
> >

Ok I gave it a go, looks like that:

# reverce-proxy configuration
#
-----------------------------------------------------------------------------

cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
cache_peer <cache2_IP> sibling 80 3130 proxy-only
acl sites_www dstdomain site1.domain.com site2.domain.com
acl from_cache2 src <cache2_IP>
cache_peer_access cache2 deny from_cache2
http_access allow sites_web1
cache_peer_access web1 allow sites_web1
cache_peer_access web1 deny all

# forward-proxy security restrictions
#
-----------------------------------------------------------------------------

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all
acl cache2 src <cache2_IP>
icp_access allow cache2
icp_access deny all

> > # ADMINISTRATIVE PARAMETERS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > shutdown_lifetime 3 second
> > httpd_suppress_version_string on
> > cache_mgr cachemgr@...
> >
> > # ICP OPTIONS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > log_icp_queries on
> >
> > # MISCELLANEOUS
> > #
> >
> -----------------------------------------------------------------------------
> >
> > memory_pools_limit 1024 MB
> >
> > # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> > #
> >
> -----------------------------------------------------------------------------
> >
> > coredump_dir /var/spool/squid
> >
> > -------------------------EO Configuration file -------------------------
> >
> > Any comments on the configuration would be much appreciated. Thank you
> > in advance.
> >
> > Kind regards,
> >
> > Nik

Many thanks in advance for all your help.

Kind regards,

Nik
--
Nikolaos Pavlidis BSc (Hons) MBCS NCLP CEH CHFI
Systems Administrator
University Of Bedfordshire
Park Square LU1 3JU
Luton, Beds, UK
Tel: +441582489277 (Ext 2277)

Trying to cache Google Earth content with URL rewrite

2009-12-17T06:47:04Z

I am trying to use the Store URL Rewrite feature to allow a squid
server to cache Google Earth content for a low bandwidth installation.
When I make the changes in the docs
(http://wiki.squid-cache.org/Features/StoreUrlRewrite), squid crashes
after starting. From the log, it appears that the helper as written
is causing problems. Any suggestions as to what is wrong?

Here is the info that I get in the log after startup:

2009/12/17 08:42:01| Starting Squid Cache version 2.7.STABLE6 for
amd64-debian-linux-gnu...
2009/12/17 08:42:01| Process ID 1691
2009/12/17 08:42:01| With 1024 file descriptors available
2009/12/17 08:42:01| Using epoll for the IO loop
2009/12/17 08:42:01| DNS Socket created at 0.0.0.0, port 56901, FD 6
2009/12/17 08:42:01| Adding domain IonaGroup.local from /etc/resolv.conf
2009/12/17 08:42:01| Adding domain IonaGroup.local from /etc/resolv.conf
2009/12/17 08:42:01| Adding nameserver 192.168.3.1 from /etc/resolv.conf
2009/12/17 08:42:01| helperOpenServers: Starting 5 'store_url_rewrite' processes
/usr/local/squidhelper/store_url_rewrite: 1: $: not found
/usr/local/squidhelper/store_url_rewrite: 1: =: not found
/usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
2009/12/17 08:42:01| User-Agent logging is disabled.
2009/12/17 08:42:01| Referer logging is disabled.
/usr/local/squidhelper/store_url_rewrite: 1: $: not found
/usr/local/squidhelper/store_url_rewrite: 1: =: not found
/usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
/usr/local/squidhelper/store_url_rewrite: 1: $: not found
2009/12/17 08:42:01| logfileOpen: opening log /var/log/squid/access.log
/usr/local/squidhelper/store_url_rewrite: 1: =: not found
/usr/local/squidhelper/store_url_rewrite: 1:
/usr/local/squidhelper/store_url_rewrite: 3: $: not foundSyntax error:
")" unexpected

/usr/local/squidhelper/store_url_rewrite: 1: =: not found
/usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
/usr/local/squidhelper/store_url_rewrite: 1: $: not found
/usr/local/squidhelper/store_url_rewrite: 1: =: not found
/usr/local/squidhelper/store_url_rewrite: 3: Syntax error: ")" unexpected
2009/12/17 08:42:01| Unlinkd pipe opened on FD 16
2009/12/17 08:42:01| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2009/12/17 08:42:01| Target number of buckets: 425
2009/12/17 08:42:01| Using 8192 Store buckets
2009/12/17 08:42:01| Max Mem size: 8192 KB
2009/12/17 08:42:01| Max Swap size: 102400 KB
2009/12/17 08:42:01| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2009/12/17 08:42:01| logfileOpen: opening log /var/log/squid/store.log
2009/12/17 08:42:01| Rebuilding storage in /var/spool/squid (DIRTY)
2009/12/17 08:42:01| Using Least Load store dir selection
2009/12/17 08:42:01| Set Current Directory to /var/spool/squid
2009/12/17 08:42:01| Loaded Icons.
2009/12/17 08:42:01| Accepting proxy HTTP connections at 0.0.0.0, port
3128, FD 18.
2009/12/17 08:42:01| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
2009/12/17 08:42:01| HTCP Disabled.
2009/12/17 08:42:01| WCCP Disabled.
2009/12/17 08:42:01| Ready to serve requests.
2009/12/17 08:42:01| WARNING: store_rewriter #1 (FD 7) exited
2009/12/17 08:42:01| WARNING: store_rewriter #2 (FD 8) exited
2009/12/17 08:42:01| WARNING: store_rewriter #3 (FD 9) exited
2009/12/17 08:42:01| Too few store_rewriter processes are running
FATAL: The store_rewriter helpers are crashing too rapidly, need help!

Squid Cache (Version 2.7.STABLE6): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.000 user + 0.020 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena: 2380 KB
Ordinary blocks: 2321 KB 5 blks
Small blocks: 0 KB 1 blks
Holding blocks: 396 KB 1 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 58 KB
Total in use: 2717 KB 98%
Total free: 59 KB 2%

RE: Squid does not start/shutdown properly

2009-12-17T04:30:51Z

Thanks for the tips.
The init script on the machine was wrong indeed. i now simply copied oveer the "working" script and changed th file locations.
best regards,

D.K.
--
IT-PARTNER - Martin U. Haneke
Fichtestraße 26
10967 Berlin
Tel: +49(30)200055-0
Tel: +49(30)200055-39

Re: any work arounds for bug 2176

2009-12-17T01:10:12Z

Brett Lymn wrote:
> On Wed, Dec 16, 2009 at 07:57:21AM -0600, Bill Allison wrote:
>> Sorry - that was misleading. I've had
>> persistent_connection_after_error set on throughout my testing.
>
> I don't have that in my config file at all so I would guess it is at
> the default.
>

Which is off. Now I'm confused.

>> I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail.
>>
>
> I only tried a large-ish document. We did observe the same strange
> limit that Bill has seen when we tested without the patch applied,
> under a certain "magic" threshold the document would upload - the
> threshold seemed to be around the 50k mark, over that threshold we
> would just get popups.
>
>> I'd like to correlate network traces with debug output and would appreciate suggestions as to which debug_options would include all possibly relevant info
>>
>
> I am a C coder and may have some time to do some debugging on this
> between christmas and new year so, Amos, if you have any thoughts or
> hints as to where to go looking I can certainly have a stab at it.
>

Thank you. Any help at all would be great.

I *think* the relevant code is off src/client_side_reply.cc, but what to
look for is where I'm currently stuck. The keep_alive values resolved
things for you Brett but not Bill.

The variable nature of the threshold looks like some timing between
actions triggering the bug vs the rate at which Squid is sucking the
request in.

AFAIK popups only occur when the client gets sent two re-auth
challenges. Which in the un-patched Squid was caused by the first
half-authenticated link being closed by Squid before auth could
complete. Then the second link being challenged for more auth would
cause popup.

I think the next step is to find out what the difference between your
two setups is exactly:
* squid.conf
* headers between Squid and the POSTing app.
* headers between Squid and the web server.

Particularly in what reply headers are going back. That should give us
a little more of an idea what areas to look at.

If as you say the patch solved the issue but you saw the same thing
earlier. Then I suspects it's probably a squid.conf detail being overlooked.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15

Re: squid on mac os?

2009-12-16T23:46:31Z

Hi all,
We developers would be interested in adding a MacOS node to the
BuildFarm (see the wiki page).
If anyone is willing to donate cpu cycles and hdd space, could they
please contact me?
Thanks

On 12/17/09, Chris Woodfield <rekoil@...> wrote:

> It can. Best bet is to install via the MacPorts packaging system, but normal
> configure/make/make install works for me too.
>
> -C
>
> On Dec 16, 2009, at 8:45 PM, Jeff Pang wrote:
>
>> Can squid be installed and run on a mac os box? Thanks.
>>
>> --
>> Jeff Pang
>> http://home.arcor.de/pangj/
>
>

--
/kinkie

Re: squid & http-1.1

2009-12-16T22:21:04Z

Amos Jeffries wrote:
> Something weird going on with office or the activation server and their
> use of 1.1 then. HTTP/1.1 is explicitly designed to not break when going
> through a non-1.1 middleware proxy.
---
When are they NOT doing something weird?

Re: Best Configuration for sibling peer

2009-12-16T22:15:12Z

Chris Robertson wrote:

> Kris wrote:
>> Chris Robertson wrote:
>>> Kris wrote:
>>>> Dear All,
>>>>
>>>> i have 4 proxy server with about 1000 request per second average ,
>>>> i have extra free nic in every server and i connected that 4 proxy
>>>> to 1 switch and give them 1 network ip. i set 4 proxy as SIBLING
>>>> each other. after few days i got problem like.
>>>>
>>>> 1. weird error log (sometimes)
>>>>
>>>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>>>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>>>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>>>> 2009/12/16 09:48:28| storeClientReadHeader: no URL!
>>>> 2009/12/16 09:48:29| storeClientReadHeader: no URL!
>>>>
>>>> 2. TCP Connection Failed
>>>>
>>>> 2009/12/16 09:45:15| TCP connection to 10.10.10.10
>>>> (10.10.10.10:3128) failed
>>>> 2009/12/16 09:45:22| TCP connection to 10.10.10.11
>>>> (10.10.10.11:3128) failed
>>>> 2009/12/16 09:45:22| TCP connection to 10.10.10.11
>>>> (10.10.10.11:3128) failed
>>>> 2009/12/16 09:45:28| TCP connection to 10.10.10.13
>>>> (10.10.10.13:3128) failed
>>>> 2009/12/16 09:45:36| TCP connection to 10.10.10.12
>>>> (10.10.10.12:3128) failed
>>>>
>>>> 3. sometimes it become hard to browse , but it going normal after i
>>>> disabled all SIBLING, if i enabled it will slow again.
>>>>
>>>> my file descriptor already 65535
>>>>
>>>> my peer config
>>>> # cache_peer 10.10.10.10 sibling 3128 3130 no-netdb-exchange
>>>> no-digest no-delay round-robin proxy-only
>>>> cache_peer 10.10.10.11 sibling 3128 3130 no-netdb-exchange
>>>> no-digest no-delay round-robin proxy-only
>>>> cache_peer 10.10.10.12 sibling 3128 3130 no-netdb-exchange
>>>> no-digest no-delay round-robin proxy-only
>>>> cache_peer 10.10.10.13 sibling 3128 3130 no-netdb-exchange
>>>> no-digest no-delay round-robin proxy-only
>>>>
>>>> any suggestion what best configuration for sibling peer ?
>>>
>>> I don't think that round-robin makes much sense with sibling
>>> selection. Either the a sibling has the object (and we grab the
>>> object from it) or it doesn't (and we grab the object directly).
>>>
>>> For myself, I use a line like...
>>>
>>> cache_peer proxypool-2.my.domain sibling 8080 3130 no-digest
>>>
>>> Chris
>>>
>>>
>> did you ever get message like " TCP Connection Failed" ? just curious
>> why i always got that message , peer connection use same network in
>> same switch.
>
> My peers use the same interface to talk to clients and each other. I
> don't see "TCP Connection Failed" messages. Hmmm... One thing you
> might try...
>
> acl myPeers src 10.10.10.0/24
> tcp_outgoing_address 10.10.10.10 myPeers
>
> ...to make sure it responds to the peers using the right interface.
>
> Chris
>
>
>

i have 1000 request hit per sec in every proxy , is that can be a cause ?

Re: Best Configuration for sibling peer

2009-12-16T22:13:04Z

Michael Bowe wrote:

>> -----Original Message-----
>> From: Kris [mailto:christian@...]
>>
>
> Hi Kris
>
>
>> 2. TCP Connection Failed
>>
>
> Are you running iptables?
> If so, is the conntrack table overflowing?
>
>
>> my peer config
>> # cache_peer 10.10.10.10 sibling 3128 3130 no-netdb-exchange no-digest
>> no-delay round-robin proxy-only
>> cache_peer 10.10.10.11 sibling 3128 3130 no-netdb-exchange no-digest
>> no-delay round-robin proxy-only
>> cache_peer 10.10.10.12 sibling 3128 3130 no-netdb-exchange no-digest
>> no-delay round-robin proxy-only
>> cache_peer 10.10.10.13 sibling 3128 3130 no-netdb-exchange no-digest
>> no-delay round-robin proxy-only
>>
>> any suggestion what best configuration for sibling peer ?
>>
>
> I'm not sure the above is going to give you good results.
>
> Enabling digest would save a lot of ICP traffic / lookups
>
> As pointed out by Chris, "round-robin" option is used with parent selection
> in the absence of ICP. But in your case you are using peers with ICP.
>
> If you are trying to prevent overlapping disk objects between the siblings
> then I reckon your syntax should just be something like this :
>
> cache_peer 10.10.10.1x sibling 3128 3130 proxy-only
>
> Michael.
>
>
>

i`m not use any iptables.

about proxy-only lines, isnt it good to disable proxy-only ? so the
proxy dont need to take same cache in sibling, it will save icp request
right ?

another question what ms should i use for these line ?

icp_query_timeout 2000
maximum_icp_query_timeout 2000

Re: any work arounds for bug 2176

2009-12-16T21:55:39Z

On Wed, Dec 16, 2009 at 07:57:21AM -0600, Bill Allison wrote:
> Sorry - that was misleading. I've had
> persistent_connection_after_error set on throughout my testing.

I don't have that in my config file at all so I would guess it is at
the default.

> I get the same error as Brett only when the body of the post is much greater than that which causes the post to fail.
>

I only tried a large-ish document. We did observe the same strange
limit that Bill has seen when we tested without the patch applied,
under a certain "magic" threshold the document would upload - the
threshold seemed to be around the 50k mark, over that threshold we
would just get popups.

> I'd like to correlate network traces with debug output and would appreciate suggestions as to which debug_options would include all possibly relevant info
>

I am a C coder and may have some time to do some debugging on this
between christmas and new year so, Amos, if you have any thoughts or
hints as to where to go looking I can certainly have a stab at it.

--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited. If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility. It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."

Re: Hardware/software suggestions (TPROXY)

2009-12-16T21:21:38Z

Michael Bowe wrote:

>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3@...]
>
> Hi Amos
>
>
>> If you get 4+ core hardware, a CARP model with one instance receiving
>> all requests and balancing across the other cores for actual storage
>> handling with 1+ disk per core scales extremely well.
>
> I'll go read up on CARP
>
> I wonder whether CARP + TPROXY would play together nicely though?

Good point.
Have not tried it but I expect they are able to work together. TPROXY in
3.1 works between peers.

It would just require some additional routing tricks to force packets
from the LB instance to go through a public interface and be
double-TPROXY'd on their way to the back-end. Avoiding use of the lo
interface which can't be bound to remote IPs.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15

RE: Best Configuration for sibling peer

2009-12-16T18:41:10Z

> -----Original Message-----
> From: Kris [mailto:christian@...]

Hi Kris

> 2. TCP Connection Failed

Are you running iptables?
If so, is the conntrack table overflowing?

> my peer config
> # cache_peer 10.10.10.10 sibling 3128 3130 no-netdb-exchange no-digest
> no-delay round-robin proxy-only
> cache_peer 10.10.10.11 sibling 3128 3130 no-netdb-exchange no-digest
> no-delay round-robin proxy-only
> cache_peer 10.10.10.12 sibling 3128 3130 no-netdb-exchange no-digest
> no-delay round-robin proxy-only
> cache_peer 10.10.10.13 sibling 3128 3130 no-netdb-exchange no-digest
> no-delay round-robin proxy-only
>
> any suggestion what best configuration for sibling peer ?

I'm not sure the above is going to give you good results.

Enabling digest would save a lot of ICP traffic / lookups

As pointed out by Chris, "round-robin" option is used with parent selection
in the absence of ICP. But in your case you are using peers with ICP.

If you are trying to prevent overlapping disk objects between the siblings
then I reckon your syntax should just be something like this :

cache_peer 10.10.10.1x sibling 3128 3130 proxy-only

Michael.

Re: squid on mac os?

2009-12-16T18:12:26Z

It can. Best bet is to install via the MacPorts packaging system, but normal configure/make/make install works for me too.

-C

On Dec 16, 2009, at 8:45 PM, Jeff Pang wrote:

> Can squid be installed and run on a mac os box? Thanks.
>
> --
> Jeff Pang
> http://home.arcor.de/pangj/

RE: Hardware/software suggestions (TPROXY)

2009-12-16T18:05:59Z

> -----Original Message-----
> From: Angelo Höngens [mailto:a.hongens@...]

Hi Angelo

Thanks for responding

> I didn't even know ISP's still used proxies in this century :D I assume
> you use them to save on bandwidth and improve the experience for the
> end-user?

Haha yeah well for example at one regional site transit is costing us $400+
per Mbps, so caching is still worthwhile for us.

> I'm still not sure about virtualizing or not.. It both has advantages
> and disadvantages..

Yes I would really need to build up a big server and compare CARP vs VMware.
Doesnt sound like anyone else has had much experience with this topic. The
servers I have been testing with under VMware seem to go OK, but its hard to
tell just how much overhead is incurred. Maybe running say 4 squid VMs on an
8 core server is a reasonably good way to share the load around though.

> I'm in a Dell only shop, and you can buy the R610 with any 1 or 2
> cpu's,
> it's a choice. (And probably cheaper than HP).

Nice to know. I was using their website and it didnt have an option for 1
CPU. I guess you just speak to the sales rep and get the quote more fully
customised. Thanks for the tip!

Michael.

RE: Hardware/software suggestions (TPROXY)

2009-12-16T18:05:46Z

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@...]

Hi Amos

> If you get 4+ core hardware, a CARP model with one instance receiving
> all requests and balancing across the other cores for actual storage
> handling with 1+ disk per core scales extremely well.

I'll go read up on CARP

I wonder whether CARP + TPROXY would play together nicely though?

> I'd be interested in hearing what req/sec you manage to achieve. We
> only
> have reported performances for up to 3.0 so far.

OK no worries, I will send through some info once we get our gear up and
running.

> > There are choices for the disk controller. Eg HP lets you choose
> between
> > 256M, 512M, 1G RAM on the supplied P410i RAID card. We wouldn't be
> running
> > any RAID, but would extra RAM on the card still be helpful with
> speeding up
> > disk access for squid?
>
> If the drives use it. Squid is not very helpful for things like that
> yet.

OK, rather than buying more RAID RAM it sounds like its probably better to
just put that money towards an additional spindle.

Michael.

Re: Best Configuration for sibling peer

2009-12-16T17:59:05Z

Kris wrote:

> Chris Robertson wrote:
>> Kris wrote:
>>> Dear All,
>>>
>>> i have 4 proxy server with about 1000 request per second average , i
>>> have extra free nic in every server and i connected that 4 proxy to
>>> 1 switch and give them 1 network ip. i set 4 proxy as SIBLING each
>>> other. after few days i got problem like.
>>>
>>> 1. weird error log (sometimes)
>>>
>>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>>> 2009/12/16 09:48:28| storeClientReadHeader: no URL!
>>> 2009/12/16 09:48:29| storeClientReadHeader: no URL!
>>>
>>> 2. TCP Connection Failed
>>>
>>> 2009/12/16 09:45:15| TCP connection to 10.10.10.10
>>> (10.10.10.10:3128) failed
>>> 2009/12/16 09:45:22| TCP connection to 10.10.10.11
>>> (10.10.10.11:3128) failed
>>> 2009/12/16 09:45:22| TCP connection to 10.10.10.11
>>> (10.10.10.11:3128) failed
>>> 2009/12/16 09:45:28| TCP connection to 10.10.10.13
>>> (10.10.10.13:3128) failed
>>> 2009/12/16 09:45:36| TCP connection to 10.10.10.12
>>> (10.10.10.12:3128) failed
>>>
>>> 3. sometimes it become hard to browse , but it going normal after i
>>> disabled all SIBLING, if i enabled it will slow again.
>>>
>>> my file descriptor already 65535
>>>
>>> my peer config
>>> # cache_peer 10.10.10.10 sibling 3128 3130 no-netdb-exchange
>>> no-digest no-delay round-robin proxy-only
>>> cache_peer 10.10.10.11 sibling 3128 3130 no-netdb-exchange no-digest
>>> no-delay round-robin proxy-only
>>> cache_peer 10.10.10.12 sibling 3128 3130 no-netdb-exchange no-digest
>>> no-delay round-robin proxy-only
>>> cache_peer 10.10.10.13 sibling 3128 3130 no-netdb-exchange no-digest
>>> no-delay round-robin proxy-only
>>>
>>> any suggestion what best configuration for sibling peer ?
>>
>> I don't think that round-robin makes much sense with sibling
>> selection. Either the a sibling has the object (and we grab the
>> object from it) or it doesn't (and we grab the object directly).
>>
>> For myself, I use a line like...
>>
>> cache_peer proxypool-2.my.domain sibling 8080 3130 no-digest
>>
>> Chris
>>
>>
> did you ever get message like " TCP Connection Failed" ? just curious
> why i always got that message , peer connection use same network in
> same switch.

My peers use the same interface to talk to clients and each other. I
don't see "TCP Connection Failed" messages. Hmmm... One thing you
might try...

acl myPeers src 10.10.10.0/24
tcp_outgoing_address 10.10.10.10 myPeers

...to make sure it responds to the peers using the right interface.

Chris

squid on mac os?

2009-12-16T17:45:31Z

Can squid be installed and run on a mac os box? Thanks.

--
Jeff Pang
http://home.arcor.de/pangj/

Re: Best Configuration for sibling peer

2009-12-16T17:36:35Z

Chris Robertson wrote:

> Kris wrote:
>> Dear All,
>>
>> i have 4 proxy server with about 1000 request per second average , i
>> have extra free nic in every server and i connected that 4 proxy to 1
>> switch and give them 1 network ip. i set 4 proxy as SIBLING each
>> other. after few days i got problem like.
>>
>> 1. weird error log (sometimes)
>>
>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>> 2009/12/16 09:48:25| storeClientReadHeader: no URL!
>> 2009/12/16 09:48:28| storeClientReadHeader: no URL!
>> 2009/12/16 09:48:29| storeClientReadHeader: no URL!
>>
>> 2. TCP Connection Failed
>>
>> 2009/12/16 09:45:15| TCP connection to 10.10.10.10 (10.10.10.10:3128)
>> failed
>> 2009/12/16 09:45:22| TCP connection to 10.10.10.11 (10.10.10.11:3128)
>> failed
>> 2009/12/16 09:45:22| TCP connection to 10.10.10.11 (10.10.10.11:3128)
>> failed
>> 2009/12/16 09:45:28| TCP connection to 10.10.10.13 (10.10.10.13:3128)
>> failed
>> 2009/12/16 09:45:36| TCP connection to 10.10.10.12 (10.10.10.12:3128)
>> failed
>>
>> 3. sometimes it become hard to browse , but it going normal after i
>> disabled all SIBLING, if i enabled it will slow again.
>>
>> my file descriptor already 65535
>>
>> my peer config
>> # cache_peer 10.10.10.10 sibling 3128 3130 no-netdb-exchange
>> no-digest no-delay round-robin proxy-only
>> cache_peer 10.10.10.11 sibling 3128 3130 no-netdb-exchange no-digest
>> no-delay round-robin proxy-only
>> cache_peer 10.10.10.12 sibling 3128 3130 no-netdb-exchange no-digest
>> no-delay round-robin proxy-only
>> cache_peer 10.10.10.13 sibling 3128 3130 no-netdb-exchange no-digest
>> no-delay round-robin proxy-only
>>
>> any suggestion what best configuration for sibling peer ?
>
> I don't think that round-robin makes much sense with sibling
> selection. Either the a sibling has the object (and we grab the
> object from it) or it doesn't (and we grab the object directly).
>
> For myself, I use a line like...
>
> cache_peer proxypool-2.my.domain sibling 8080 3130 no-digest
>
> Chris
>
>

did you ever get message like " TCP Connection Failed" ? just curious
why i always got that message , peer connection use same network in same
switch.

Re: Squid does not start/shutdown properly

2009-12-16T13:11:12Z

On Wed, 16 Dec 2009 12:00:08 -0900, Chris Robertson <crobertson@...>
wrote:
> david.kauffmann@... wrote:
>> I have two machines, both running squid3. One runs stable1 and the
other
>> stable19. The one running stable1 is on a virtual machine.
>> When i execute /etc/init.d/squid3 on both machines, this is what i get
on

>>
>> stable1:
>> /etc/init.d/squid3
>> Usage: /etc/init.d/squid3 {start|stop|reload|force-reload|restart}
>>
>
> Init scripts are not supplied with Squid. They are a nicety added by
> the distribution. /path/to/squid -k shutdown is the supported/expected
> method of stopping Squid. That said...
>
>> stable19:
>> /etc/init.d/squid3
>> Usage: /etc/init.d/squid3 { start | stop }
>>
>> Sometimes when i start the stable19 system, squid doesn't start giving
>> me an error, that there's already a running squid process. i suspect

this

>> has something to do with squid not shutting down properly.
>>
>> When i stop squid using /etc/init.d/squid3 stop on both machines, i get
>> no response at all on the stable19 platform.
>> But on the stable1 machine i get this when i stop squid:
>>
>> /etc/init.d/squid3 stop
>> * Stopping Squid HTTP Proxy 3.0 squid3
>> * Waiting...
>> * ...
>> * ...
>> * ...
>> * ...
>> * ...
>> * ...

>> [ OK ]
>>
[
>>
OK
>>
]
>>
>
> Either the init scripts on the two servers are different, or the compile

> options put an executable or a PID file in a location not expected by
> the init script.
>
>> I compiled the squid stable19 version myself. here are the compiler
>> options:
>> Version 3.0.STABLE19
>> configure options: '--build=i486-linux-gnu' '--prefix=/usr'
>> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
>> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
>> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
>> '--disable-maintainer-mode' '--disable-dependency-tracking'

'--srcdir=.'
>> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
>> '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline'
>> '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd'
>> '--enable-removal-policies=lru,heap' '--enable-poll'
>> '--enable-delay-pools' '--enable-cache-digests' '--enable-snmp'
>> '--enable-htcp' '--enable-select' '--enable-carp'
'--enable-large-files'
>> '--enable-underscores' '--enable-icap-client'
>> '--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=all'
>> '--enable-ntlm-auth-helpers=SMB'
>> '--enable-digest-auth-helpers=ldap,password'
>>
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>> '--with-filedescriptors=65536' '--with-default-user=proxy'
>> '--enable-epoll' '--enable-linux-netfilter'
'build_alias=i486-linux-gnu'

>> 'CC=cc' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions'
>> 'CPPFLAGS=' 'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2' 'FFLAGS=-g -O2'
>> '--enable-http-violations'
>> The VM compiler options look like this:
>> Version 3.0.STABLE1
>> configure options: '--build=i486-linux-gnu' '--prefix=/usr'
>> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
>> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
>> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
>> '--disable-maintainer-mode' '--disable-dependency-tracking'

'--srcdir=.'
>> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
>> '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline'
>> '--enable-async-io=8' '--enable-storeio=ufs,aufs,coss,diskd'
>> '--enable-removal-policies=lru,heap' '--enable-poll'
>> '--enable-delay-pools' '--enable-cache-digests' '--enable-snmp'
>> '--enable-htcp' '--enable-select' '--enable-carp'
'--enable-large-files'
>> '--enable-underscores' '--enable-icap-client'
>> '--enable-auth=basic,digest,ntlm'
>>
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM'
>> '--enable-ntlm-auth-helpers=SMB'
>> '--enable-digest-auth-helpers=ldap,password'
>>
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>> '--with-filedescriptors=65536' '--with-default-user=proxy'
>> '--enable-epoll' '--enable-linux-netfilter'
'build_alias=i486-linux-gnu'

>> 'CC=cc' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions'
>> 'CPPFLAGS=' 'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2' 'FFLAGS=-g -O2'
>>
>> Do i have to reconfigure and rebuild my squid to get the same behaviour
>> on both machines?
>
> Probably not. Check the init script for mention of a PID file. Then
> have a look at http://www.squid-cache.org/Doc/config/pid_filename/.
>
> My assumption (based on the way my init scripts work) is that the script

> sends a shutdown signal to Squid and then periodically (once a second or

> so) checks for the presence of the PID file, writing out a period if it
> still exists. When Squid quits, it should remove the PID file. Once
> the PID file disappears the shutdown is successful. If the PID file is
> not where the init script expects, when the script is called to shut
> down Squid, it appears to not be running, so the script just exits.
>

Yes. I've been trying to track that down for a while.

I think the problem is a side effect of the auto-recovery code working
properly. If the child fails with any errors the master process identifies
the shutdown as a run-time failure and spawns a new child process.

Any bugs in the shutdown process can trigger this when a close is actually
wanted.

Amos

Re: Reverce proxy setup with neighboor support

2009-12-16T13:10:55Z

Nikolaos Pavlidis wrote:

> Hello all,
>
> I figured the easiest way to describe what I am trying to do is to...
> draw it. First of all pardon my ignorance since I am relatively new to
> squid. Any help will be much appreciated.
>
>
> The Problem:
>
> Dec 9 17:42:35 cache2 squid[27234]: WARNING: Forwarding loop detected
> for: Client: <cache1_IP> http_port: <cache2_IP>:3128 GET
> internal://site1.domain.com/squid-internal-dynamic/netdb HTTP/1.0 Via:
> 1.0 site1.domain.com:80 (squid) X-Forwarded-For: unknown Host:
> <cache2_IP>:3128 Cache-Control: max-age=259200 Connection:
> keep-alive
>
>
>
>
> Reverse proxy Setup:
>
> O F5 load balanced vhost
> | (DNS A name resolving site1.domain.com
> | site2.domain.com
> | site3.domain.com etc.)
> |
> |---------------|
> | |
> | |
> cache1 O---------------O cache2
> |
> |
> |
> |
> O---------------O--------------O
> web1 web2 web3
> site1 site3 site4
> site2 site5
>
> Desired path:
> 1. Request for site1
> 2. F5 load balances request to cache1
> 3. cache1 checks own cache
> 4. if NO-HIT check cache2
> 5. else go directly to web1
>
> Server:
> 64bit SLES 11
>
> Configuration file (what I have done so far):
>
>
>

SNIP

> cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
> cache_peer <cache2_IP> parent 3128 3130 proxy-only default
>

Cache2_IP should be a sibling...

cache_peer <cache2_IP> sibling 3128 3130 proxy-only

...not a parent, and should not be set as the default. As it stands
now, cache1 is using it's sibling to get to the content (it's the
default parent, after all) and cache2 is using cache1 to pass the
request from cache1 to the content, which passes the request to
cache2... Whoops. Forwarding loop detected.

> acl sites_web1 dstdomain site1.domain.com site2.domain.com
> http_access allow sites_web1
> cache_peer_access web1 allow sites_web1
> cache_peer_access web1 deny all
>
> # ADMINISTRATIVE PARAMETERS
> #
> -----------------------------------------------------------------------------
>
> shutdown_lifetime 3 second
>

This is unlikely going to give Squid enough time to write out it's
logs. While the description indicates this directive might only affect
clients, open descriptors are also used for logs and cache objects.

> httpd_suppress_version_string on
> cache_mgr cachemgr@...
>
> # ICP OPTIONS
> #
> -----------------------------------------------------------------------------
>
> log_icp_queries on
>
> # MISCELLANEOUS
> #
> -----------------------------------------------------------------------------
>
> memory_pools_limit 1024 MB
>
> # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> #
> -----------------------------------------------------------------------------
>
> coredump_dir /var/spool/squid
>
> -------------------------EO Configuration file -------------------------
>
> Any comments on the configuration would be much appreciated. Thank you
> in advance.
>
> Kind regards,
>
> Nik
>

Chris

Re: Reverce proxy setup with neighboor support

2009-12-16T13:00:50Z

On Wed, 16 Dec 2009 11:50:26 +0000, "Nikolaos Pavlidis"
<Nikolaos.Pavlidis@...> wrote:

Excellent. This is a basic reverse-proxy with virtual hosting.

The error you mentioned earlier indicates:

1. Request for site1
2. F5 load balances request to cache1
3. cache1: checks own cache
4. cache1: if NO-HIT check cache2
5. cache2: if NO-HIT check cache1
6. cache1: if NO-HIT check cache2 ... FAIL!!
...

> Server:
> 64bit SLES 11
>
> Configuration file (what I have done so far):
>
> # NETWORK OPTIONS
> #
>
-----------------------------------------------------------------------------
> http_port 80 accel defaultsite=site1.domain.com vhost
> http_port 3128 accel defaultsite=site1.domain.com vhost

There should be no need for port 3128 to be reverse-proxy as well.
Dedicate that or another port to proxy-proxy communications.

> visible_hostname site1.domain.com
> offline_mode off
>
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> #
>
-----------------------------------------------------------------------------
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> # OPTIONS WHICH AFFECT THE CACHE SIZE
> #
>
-----------------------------------------------------------------------------
> cache_mem 512 MB
> maximum_object_size 32 KB
> maximum_object_size_in_memory 64 Kb
>
> # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> #
>
-----------------------------------------------------------------------------

> cache_dir aufs /var/cache/squid 61440 16 256
> emulate_httpd_log on
> logfile_rotate 100
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> access_log /var/log/squid/access.log combined
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> debug_options ALL,1,33,3,20,3
>
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> #
>

-----------------------------------------------------------------------------
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> # OPTIONS FOR TUNING THE CACHE
> #
>
-----------------------------------------------------------------------------

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.css 1440 50% 2880 override-expire
> refresh_pattern -i \.swf 1440 50% 2880 ignore-reload
> override-expire
> refresh_pattern . 1440 50% 4320 override-expire
>
> # ACCESS CONTROLS
> #
>

-----------------------------------------------------------------------------

>
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>

Part 1 of the problem:

You are running a reverse-proxy. All of these initial http_access rules
are forward-proxy security restrictions. In the case of the "allow all" its
attempting to bypass the regular forward-proxy config by turning it into an
open proxy instead.

The reverse proxy config (your "UNIVERSITY SERVICES ENTRIES" settings)
need to be set right here above the forward-proxy config.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow all

With the reverse-proxy config in the right place you can turn the basic
security back on by changing that above line to "deny all"

> http_reply_access allow all
>
> icp_access allow all
>
> ##########################################
> ###### UNIVERSITY SERVICES ENTRIES ######
> ##########################################
>
> cache_peer <web1_IP> parent 80 0 no-query originserver name=web1
> cache_peer <cache2_IP> parent 3128 3130 proxy-only default

Part 2 of the problem:
The above config indicates that cache2 is the primary web server (on port
3128) with web1 as a backup source.

I believe your setup needs cache1 and cache2 in a sibling relationship as
'alternative' backup sources of data to each other. Siblings are checked
before parents but a failure at sibling is not fatal to locating the file.

Also requests received in port 3128 (ie from a sibling) should be denied
forwarding to the sibling.

> acl sites_web1 dstdomain site1.domain.com site2.domain.com
> http_access allow sites_web1
> cache_peer_access web1 allow sites_web1
> cache_peer_access web1 deny all
>
> # ADMINISTRATIVE PARAMETERS
> #
>
-----------------------------------------------------------------------------
>
> shutdown_lifetime 3 second
> httpd_suppress_version_string on
> cache_mgr cachemgr@...
>
> # ICP OPTIONS
> #
>
-----------------------------------------------------------------------------
>
> log_icp_queries on
>
> # MISCELLANEOUS
> #
>
-----------------------------------------------------------------------------
>
> memory_pools_limit 1024 MB
>
> # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
> #
>
-----------------------------------------------------------------------------

>
> coredump_dir /var/spool/squid
>
> -------------------------EO Configuration file -------------------------
>
> Any comments on the configuration would be much appreciated. Thank you
> in advance.
>
> Kind regards,
>
> Nik

Re: Squid does not start/shutdown properly

2009-12-16T13:00:08Z

david.kauffmann@... wrote:
> I have two machines, both running squid3. One runs stable1 and the other stable19. The one running stable1 is on a virtual machine.
> When i execute /etc/init.d/squid3 on both machines, this is what i get on
>
> stable1:
> /etc/init.d/squid3
> Usage: /etc/init.d/squid3 {start|stop|reload|force-reload|restart}
>

Init scripts are not supplied with Squid. They are a nicety added by
the distribution. /path/to/squid -k shutdown is the supported/expected
method of stopping Squid. That said...

> stable19:
> /etc/init.d/squid3
> Usage: /etc/init.d/squid3 { start | stop }
>
> Sometimes when i start the stable19 system, squid doesn't start giving me an error, that there's already a running squid process. i suspect this has something to do with squid not shutting down properly.
>
> When i stop squid using /etc/init.d/squid3 stop on both machines, i get no response at all on the stable19 platform.
> But on the stable1 machine i get this when i stop squid:
>
> /etc/init.d/squid3 stop
> * Stopping Squid HTTP Proxy 3.0 squid3
> * Waiting...
> * ...
> * ...
> * ...
> * ...
> * ...
> * ... [ OK ]
> [ OK ]
>

Either the init scripts on the two servers are different, or the compile
options put an executable or a PID file in a location not expected by
the init script.

> I compiled the squid stable19 version myself. here are the compiler options:
> Version 3.0.STABLE19
> configure options: '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-poll' '--enable-delay-pools' '--enable-cache-digests' '--enable-snmp' '--enable-htcp' '--enable-select' '--enable-carp' '--enable-large-files' '--enable-underscores' '--enable-icap-client' '--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=all' '--enable-ntlm-auth-helpers=SMB' '--enable-digest-auth-helpers=ldap,password' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--with-filedescriptors=65536' '--with-default-user=proxy' '--enable-epoll' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CC=cc' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2' 'FFLAGS=-g -O2' '--enable-http-violations'
> The VM compiler options look like this:
> Version 3.0.STABLE1
> configure options: '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,coss,diskd' '--enable-removal-policies=lru,heap' '--enable-poll' '--enable-delay-pools' '--enable-cache-digests' '--enable-snmp' '--enable-htcp' '--enable-select' '--enable-carp' '--enable-large-files' '--enable-underscores' '--enable-icap-client' '--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB' '--enable-digest-auth-helpers=ldap,password' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--with-filedescriptors=65536' '--with-default-user=proxy' '--enable-epoll' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CC=cc' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2' 'FFLAGS=-g -O2'
>
> Do i have to reconfigure and rebuild my squid to get the same behaviour on both machines?

Probably not. Check the init script for mention of a PID file. Then
have a look at http://www.squid-cache.org/Doc/config/pid_filename/.

My assumption (based on the way my init scripts work) is that the script
sends a shutdown signal to Squid and then periodically (once a second or
so) checks for the presence of the PID file, writing out a period if it
still exists. When Squid quits, it should remove the PID file. Once
the PID file disappears the shutdown is successful. If the PID file is
not where the init script expects, when the script is called to shut
down Squid, it appears to not be running, so the script just exits.

> is there an option that controls this behaviour in the squid.conf?
>
> D. K.
> --
> IT-PARTNER - Martin U. Haneke
> Fichtestraße 26
> 10967 Berlin
> Tel: +49(30)200055-0
> Tel: +49(30)200055-39
>

Chris