diff --git a/.cvsignore b/.cvsignore index ab64fb1..e4eaa76 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -squid-2.3.STABLE4-src.tar.gz +squid-2.4.STABLE1-src.tar.gz diff --git a/FAQ.sgml b/FAQ.sgml index 7fefc87..b8be7e5 100644 --- a/FAQ.sgml +++ b/FAQ.sgml @@ -82,7 +82,7 @@ for the most recent versions.

Squid is the result of efforts by numerous individuals from the Internet community. - of the National Laboratory for Applied Network Research (funded by the National Science Foundation) leads code development. @@ -127,10 +127,11 @@ For more specific information, please see . If you encounter any platform-specific problems, please let us know by sending email to -. Does Squid run on Windows NT? +

Recent versions of Squid will . +

+ +and have Squid NT pages, including +binaries and patches. + +

+ + What Squid mailing lists are available?

- squid-users@ircache.net: general discussions about the + squid-users@squid-cache.org: general discussions about the Squid cache software. Subscribe via -. +. About This Document

@@ -1844,6 +1852,40 @@ acl hotmail dstdomain .hotmail.com always_direct allow hotmail +Can I make Squid proxy only, without caching anything? +

+Sure, there are few things you can do. +

+You can use the + acl all src 0/0 + no_cache deny all + +

+With Squid-2.4 and later you can use the ``null'' storage module: + + cache_dir null -1 1000 + + +Can I prevent users from downloading large files? +

+You can set the global +If the HTTP response coming from the server has a +Some responses don't have +Note that ``creative'' user-agents will still be able to download +really large files through the cache using HTTP/1.1 range requests. @@ -3268,6 +3310,22 @@ directory of the Squid source distribution. The usage is file numbers are read on stdin, and pathnames are printed on stdout. +Can I use +Sort of. You can use cached. +

+Cached responses are logged with the SWAPOUT tag. +Uncached responses are logged with the RELEASE tag. +

+However, your +analysis must also consider that when a cached response is removed +from the cache (for example due to cache replacement) it is also +logged in @@ -4987,7 +5045,7 @@ the -How do allow my clients to use the cache? +How do I allow my clients to use the cache?

Define an ACL that corresponds to your client's IP addresses. For example: @@ -5422,6 +5480,18 @@ http_access allow FOO WORKING http_access deny FOO +How can I allow some users to use the cache at specific times? +

+ +acl USER1 proxy_auth Dick +acl USER2 proxy_auth Jane +acl DAY time 06:00-18:00 +http_access allow USER1 DAY +http_access deny USER1 +http_access allow USER2 !DAY +http_access deny USER2 + + Problems with IP ACL's that have complicated netmasks

Note: The information here is current for version 2.3. @@ -5507,6 +5577,10 @@ at once, Squid returns an error page. Unless you use the +The Note, the I'm trying to deny +In Squid-2.3 we changed the way that Squid matches subdomains. +There is a difference between +acl yuck dstdomain .foo.com +http_access deny yuck + +To be safe, you probably want to list both forms in your +access lists, for example: + +acl yuck dstdomain .foo.com foo.com +http_access deny yuck + + +I want to customize, or make my own error messages. +

+You can customize the existing error messages as described in +. +You can also create new error messages and use these in conjunction +with the +For example, lets say you want your users to see a special message +when they request something that matches your pornography list. +First, create a file named ERR_NO_PORNO in the +/usr/local/squid/etc/errors directory. That file might +contain something like this: + +<p> +Our company policy is to deny requests to known porno sites. If you +feel you've received this message in error, please contact +the support staff (support@this.company.com, 555-1234). + +

+Next, set up your access controls as follows: + +acl porn url_regex "/usr/local/squid/etc/porno.txt" +deny_info ERR_NO_PORNO porn +http_access deny porn +(additional http_access lines ...) + + Troubleshooting @@ -6172,7 +6291,7 @@ Should produce something like: Sending in Squid bug reports

-Bug reports for Squid should be sent to the . Any bug report must include The Squid version @@ -6569,9 +6688,13 @@ Forwarding loops are detected by examining the NOTE: -A pair of caches which have the same When Squid detects a forwarding loop, it is logged to the /dev/null, or mounting a filesystem with the nodev option, can cause Squid to use 100% of CPU. His suggested solution is to ``touch /dev/null.'' +Webmin's +Mikael Andersson reports that clicking on Webmin's +Changing the path to use Squid's own Segment Violation at startup or upon first request + +

+Some versions of GCC (notably 2.95.1 through 2.95.3) have bugs +with compiler optimization. These GCC bugs may cause NULL pointer +accesses in Squid, resulting in a ``FATAL: Received Segment +Violation...dying'' message and a core dump. +

+You can work around these GCC bugs by disabling compiler +optimization. The best way to do that is start with a clean +source tree and set the CC options specifically: + +% cd squid-x.y +% make distclean +% setenv CFLAGS='-g -Wall' +% ./configure ... + +

+To check that you did it right, you can search for AC_CFLAGS in +src/Makefile: + +% grep AC_CFLAGS src/Makefile +AC_CFLAGS = -g -Wall + +Now when you recompile, GCC won't try to optimize anything: + +% make +Making all in lib... +gcc -g -Wall -I../include -I../include -c rfc1123.c +...etc... + +

+NOTE: some people worry that disabling compiler optimization will +negatively impact Squid's performance. The impact should be +negligible, unless your cache is really busy and already runs +at a high CPU usage. For most people, the compiler optimization +makes little or no difference at all. + +urlParse: Illegal character in hostname 'proxy.mydomain.com:8080proxy.mydomain.com' +

+By Yomler of fnac.net +

+A combination of a bad configuration of Internet Explorer and any +application which use the cydoor DLLs will produce the entry in the log. +See for a complete list. +

+The bad configuration of IE is the use of a active configuration script +(proxy.pac) and an active or inactive, but filled proxy settings. IE will +only use the proxy.pac. Cydoor aps will use both and will generate the errors. +

+Disabling the old proxy settings in IE is not enought, you should delete +them completely and only use the proxy.pac for example. + @@ -7983,6 +8172,53 @@ local end of the client's TCP connection. Since the local address isn't really local (its some far away origin server's IP address), the + +So why bind in that way? If you know you are transparent proxying, then why +not bind the local endpoint to the host's (intranet) IP address? Why make +the masses suffer needlessly? + +

+Because thats just how ident works. +Please read , +in particular the RESTRICTIONS section. + +dnsSubmit: queue overload, rejecting blah +

+This means that you are using external +To alleviate this condition, you need to either (1) increase the number +of +Note that in some versions, Squid limits What are FTP passive connections? +

+by Colin Campbell +

+Ftp uses two data streams, one for passing commands around, the other for +moving data. The command channel is handled by the ftpd listening on port +21. +

+The data channel varies depending on whether you ask for passive ftp or +not. When you request data in a non-passive environment, you client tells +the server ``I am listening on <ip-address> <port>.'' The server then +connects FROM port 20 to the ip address and port specified by your client. +This requires your "security device" to permit any host outside from port +20 to any host inside on any port > 1023. Somewhat of a hole. +

+In passive mode, when you request a data transfer, the server tells the +client ``I am listening on <ip address> <port>.'' Your client then connects +to the server on that IP and port and data flows. + + @@ -8501,8 +8737,8 @@ diff -p -u -r1.40 -r1.41 * SUCH DAMAGE. * * @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94 -- * $Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $ -+ * $Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $ +- * $Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $ ++ * $Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $ */ #include @@ -8742,6 +8978,22 @@ source unless you know exactly what you are doing, as this can easily render the system unuseable. +Can't connect to some sites through Squid +

+When using Squid, some sites may give erorrs such as +``(111) Connection refused'' or ``(110) Connection timed out'' +although these sites work fine without going through Squid. +

+Some versions of linux implement + (ECN) and this can cause +some TCP connections to fail. You can disable ECN with +the following command: + +echo 0 >/proc/sys/net/ipv4/tcp_ecn + +

+See also the . HP-UX @@ -9611,7 +9863,7 @@ solve the ``big scale'' problem. -Transparent Caching/Proxying +Interception Caching/Proxying

@@ -9713,11 +9965,11 @@ users, which you can do with Squid in this configuration. -Transparent caching for Solaris, SunOS, and BSD systems +Interception caching for Solaris, SunOS, and BSD systems Install IP Filter

First, get and install the -. Configure ipnat @@ -9774,12 +10026,12 @@ Add these lines to Thanks to . -Transparent caching with Linux +Interception caching with Linux 2.0 and ipfwadm

by -

. @@ -9964,8 +10216,125 @@ am quite pleased with the results. See also . +Interception caching with Linux 2.2 and ipchains +

+by +

+You need to configure your kernel for ipchains. +Configuring Linux kernels is beyond the scope of +this FAQ. One way to do it is: + + # cd /usr/src/linux + # make menuconfig + +

+The following shows important kernel features to include: + + [*] Network firewalls + [ ] Socket Filtering + [*] Unix domain sockets + [*] TCP/IP networking + [ ] IP: multicasting + [ ] IP: advanced router + [ ] IP: kernel level autoconfiguration + [*] IP: firewalling + [ ] IP: firewall packet netlink device + [*] IP: always defragment (required for masquerading) + [*] IP: transparent proxy support + +

+You must include the IP: always defragment, otherwise it prevents +you from using the REDIRECT chain. -Transparent caching with Cisco routers +

+You can use this script as a template for your own + #!/bin/sh + # rc.firewall Linux kernel firewalling rules + # Leon Brooks (leon at brooks dot fdns dot net) + FW=/sbin/ipchains + ADD="$FW -A" + + # Flush rules, for testing purposes + for i in I O F # A # If we enabled accounting too + do + ${FW} -F $i + done + + # Default policies: + ${FW} -P input REJECT # Incoming policy: reject (quick error) + ${FW} -P output ACCEPT # Output policy: accept + ${FW} -P forward DENY # Forwarding policy: deny + + # Input Rules: + + # Loopback-interface (local access, eg, to local nameserver): + ${ADD} input -j ACCEPT -s localhost/32 -d localhost/32 + + # Local Ethernet-interface: + + # Redirect to Squid proxy server: + ${ADD} input -p tcp -d 0/0 80 -j REDIRECT 8080 + + # Accept packets from local network: + ${ADD} input -j ACCEPT -s localnet/8 -d 0/0 -i eth0 + + # Only required for other types of traffic (FTP, Telnet): + + # Forward localnet with masquerading (udp and tcp, no icmp!): + ${ADD} forward -j MASQ -p tcp -s localnet/8 -d 0/0 + ${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0 + + +

+Also, +notes that with 2.0.x kernels you don't need to enable packet forwarding, +but with the 2.1.x and 2.2.x kernels using ipchains you do. Packet +forwarding is enabled with the following command: + + echo 1 > /proc/sys/net/ipv4/ip_forward + + +Interception caching with Linux 2.4 and netfilter +

+NOTE: this information comes from Daniel Kiracofe's +. +

+You may need to build a new kernel. Be sure to enable +all of these options (none of them as modules): + +Networking support +Sysctl support +Network packet filtering +TCP/IP networking +Connection tracking (Under ``IP: Netfilter Configuration'' in menuconfig) +IP tables support +Full NAT +REDIRECT target support +/proc filesystem support + +

+You must say NO to ``Fast switching'' +

+After building the kernel, install it and reboot. +

+You may need to enable packet forwarding (e.g. in your startup scripts): + +echo 1 > /proc/sys/net/ipv4/ip_forward + +

+Use the +iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 + + + +Interception caching with Cisco routers

by @@ -10053,7 +10422,7 @@ Conversely, this set has worse performance, but works for all protocols: access-list 110 deny tcp any any -Transparent caching with LINUX 2.0.29 and CISCO IOS 11.1 +Interception caching with LINUX 2.0.29 and CISCO IOS 11.1

Just for kicks, here's an email message posted to squid-users @@ -10064,7 +10433,7 @@ and Squid running on Linux. by

-Here is how I have Transparent proxying working for me, in an environment +Here is how I have Interception proxying working for me, in an environment where my router is a Cisco 2501 running IOS 11.1, and Squid machine is running Linux 2.0.33. @@ -10187,10 +10556,10 @@ avoids the most common loops. If you are using ipfilter then you should also use transproxyd in front of Squid. Squid does not yet know how to interface to ipfilter -(patches are welcome: squid-bugs@ircache.net). +(patches are welcome: squid-bugs@squid-cache.org). -Transparent caching with FreeBSD +Interception caching with FreeBSD

by Duane Wessels @@ -10277,88 +10646,7 @@ and the -Transparent caching with Linux and ipchains -

-by -

-You need to configure your kernel for ipchains. -Configuring Linux kernels is beyond the scope of -this FAQ. One way to do it is: - - # cd /usr/src/linux - # make menuconfig - -

-The following shows important kernel features to include: - - [*] Network firewalls - [ ] Socket Filtering - [*] Unix domain sockets - [*] TCP/IP networking - [ ] IP: multicasting - [ ] IP: advanced router - [ ] IP: kernel level autoconfiguration - [*] IP: firewalling - [ ] IP: firewall packet netlink device - [*] IP: always defragment (required for masquerading) - [*] IP: transparent proxy support - -

-You must include the IP: always defragment, otherwise it prevents -you from using the REDIRECT chain. - -

-You can use this script as a template for your own - #!/bin/sh - # rc.firewall Linux kernel firewalling rules - # Leon Brooks (leon at brooks dot fdns dot net) - FW=/sbin/ipchains - ADD="$FW -A" - - # Flush rules, for testing purposes - for i in I O F # A # If we enabled accounting too - do - ${FW} -F $i - done - - # Default policies: - ${FW} -P input REJECT # Incoming policy: reject (quick error) - ${FW} -P output ACCEPT # Output policy: accept - ${FW} -P forward DENY # Forwarding policy: deny - - # Input Rules: - - # Loopback-interface (local access, eg, to local nameserver): - ${ADD} input -j ACCEPT -s localhost/32 -d localhost/32 - - # Local Ethernet-interface: - - # Redirect to Squid proxy server: - ${ADD} input -p tcp -d 0/0 80 -j REDIRECT 8080 - - # Accept packets from local network: - ${ADD} input -j ACCEPT -s localnet/8 -d 0/0 -i eth0 - - # Only required for other types of traffic (FTP, Telnet): - - # Forward localnet with masquerading (udp and tcp, no icmp!): - ${ADD} forward -j MASQ -p tcp -s localnet/8 -d 0/0 - ${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0 - - -

-Also, -notes that with 2.0.x kernels you don't need to enable packet forwarding, -but with the 2.1.x and 2.2.x kernels using ipchains you do. Packet -forwarding is enabled with the following command: - - echo 1 > /proc/sys/net/ipv4/ip_forward - - -Transparent caching with ACC Tigris digital access server +Interception caching with ACC Tigris digital access server

by

@@ -10594,6 +10882,11 @@ address seems to work. HTTP packets. <Host-IP> is the IP address of your cache, and <interface> is the network interface that receives those packets (probably eth0). +Joe Cooper's Patch +

+Joe Cooper has a patch for Linux 2.2.18 kernel on his +. + WCCP Specific Module

@@ -10651,7 +10944,7 @@ name="Internet Draft"> (expires Jan 2001). At this point, Squid does not support WCCPv2, but anyone is welcome to code it up and contribute to the Squid project. -Transparent caching with Foundry L4 switches +Interception caching with Foundry L4 switches

by .

@@ -10860,7 +11153,7 @@ in 2.2.

You can test if your Squid supports SNMP with the ). +). Note that you have to specify the SNMP port, which in Squid defaults to 3401. @@ -10876,8 +11169,8 @@ then it is working ok, and you should be able to make nice statistics out of it.

For an explanation of what every string (OID) does, you should -refer to the . +refer to the . What can I use SNMP and Squid for?

@@ -10890,21 +11183,24 @@ frequently. Why not let MRTG do it for you? How can I use SNMP with Squid?

-There are a number of tools that you can use to monitor Squid via SNMP. A very popular one -is MRTG, there are however a number of others. To learn what they are and to get additional -documentation, please visit the . +There are a number of tools that you can use to monitor Squid via +SNMP. Many people use MRTG. Another good combination is plus . You might be able to find more +information at the . + MRTG

-We use -to query Squid through its . +Some people use +to query Squid through its SNMP interface.

To get instruction on using MRTG with Squid please visit these pages: - Where can I get more information/discussion about Squid and SNMP? @@ -11048,7 +11344,7 @@ the password file as an argument. For example:

After all that, you should be able to start up Squid. If we left something out, or -haven't been clear enough, please let us know (squid-faq@ircache.net). +haven't been clear enough, please let us know (squid-faq@squid-cache.org). Why does proxy-auth reject all users with Squid-2.2?

@@ -11501,6 +11797,7 @@ will be empty. Customizable Error Messages +

Squid-2 lets you customize your error messages. The source distribution includes error messages in different languages. You can select the @@ -11752,7 +12049,7 @@ get stuck in a forwarding loop. Wget

is a -command-line Web client. It supports recursive retrievals and +command-line Web client. It supports HTTP and FTP URLs, recursive retrievals, and HTTP proxies. echoping @@ -11861,30 +12158,37 @@ and What is DISKD?

-DISKD refers to some features in Squid-2.4 to improve Disk I/O performance. -The basic idea is that each Does it perform better?

-Yes. We benchmarked Squid-2.4 with DISKD at the -. -The results are also described . -At the bakeoff, we got 160 req/sec with diskd. Without diskd, we'd have gotten about 40 req/sec. +Yes. We benchmarked Squid-2.4 with DISKD at the . The results are also described . At the bakeoff, we +got 160 req/sec with diskd. Without diskd, we'd have gotten about +40 req/sec. -What do I need to use it? +How do I use it?

- - - Squid-2.4 - - Your operating system must support message queues. - - Your operating system must support shared memory. - +You need to run Squid version or later. +Your operating system must support message queues, and shared memory. +

+To configure Squid for DISKD, use the +% ./configure --enable-storeio=diskd,ufs + + +FATAL: Unknown cache_dir type 'diskd' +

+You didn't put If I use DISKD, do I have to wipe out my current cache?

@@ -11990,6 +12294,15 @@ message queue parameters except to modify the include files and build a new kernel. On my system, the file is /usr/src/linux/include/linux/msg.h. +

+Stefan Köpsell reports that if you compile sysctl support +into your kernel, then you can change the following values: + +kernel.msgmnb +kernel.msgmni +kernel.msgmax + + Solaris

Refer to /usr/src/linux/include/asm-i386/shmparam.h Oh, it looks like you can change /proc/sys/kernel/shmmax. +

+Stefan Köpsell reports that if you compile sysctl support +into your kernel, then you can change the following values: + +kernel.shmall +kernel.shmmni +kernel.shmmax + + Solaris

@@ -12132,20 +12454,24 @@ These numbers refer to the number of oustanding requests on a message queue. They are specified on the -cache_dir diskd -1 /cache1 1024 16 256 64 72 +cache_dir diskd /cache1 1024 16 256 Q1=72 Q2=64

-If there are more than Q1 messages outstanding, then the main Squid -process ``blocks'' for a little bit until the diskd process services -some of the messages and sends back some replies. -

-If there are more than Q2 messages outstanding, then Squid will +If there are more than Q1 messages outstanding, then Squid will intentionally fail to open disk files for reading and writing. This is a load-shedding mechanism. If your cache gets really really busy and the disks can not keep up, Squid bypasses the disks until the load goes down again.

-Reasonable values for Q1 and Q2 are 64 and 72, respectively. +If there are more than Q2 messages outstanding, then the main Squid +process ``blocks'' for a little bit until the diskd process services +some of the messages and sends back some replies. +

+Q1 should be larger than Q2. You want Squid to get to the +``blocking'' condition before it gets to the ``refuse to open files'' +condition. +

+Reasonable values for Q1 and Q2 are 72 and 64, respectively. @@ -12173,6 +12499,15 @@ the user to enter a name and password. The name and password are encoded, and sent in the +NOTE: The name and password are encoded using ``base64'' +(See section 11.1 of ). However, base64 is a binary-to-text encoding only, +it does NOT encrypt the information it encodes. This means that +the username and password are essentially ``cleartext'' between +the browser and the proxy. Therefore, you probably should not use +the same username and password that you would use for your account login. +

Authentication is actually performed outside of main Squid process. When Squid starts, it spawns a number of authentication subprocesses. @@ -12294,8 +12629,51 @@ name="A Tao of Regular Expressions"> and . + + +Security Concerns + +Open-access proxies +

+Squid's default configuration file denies all client requests. It is the +administrator's responsibility to configure Squid to allow access only +to trusted hosts and/or users. +

+If your proxy allows access from untrusted hosts or users, you can be +sure that people will find and abuse your service. Some people +will use your proxy to make their browsing anonymous. Others will +intentionally use your proxy for transactions that may be illegal +(such as credit card fraud). A number of web sites exist simply +to provide the world with a list of open-access HTTP proxies. You +don't want to end up on this list. +

+Be sure to carefully design your access control scheme. You should +also check it from time to time to make sure that it works as you +expect. + +Mail relaying +

+SMTP and HTTP are rather similar in design. This, unfortunately, may +allow someone to relay an email message through your HTTP proxy. To +prevent this, you must make sure that your proxy denies HTTP requests +to port 25, the SMTP port. +

+Squid is configured this way by default. The default -$Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $ +http_access deny !Safe_ports +(additional http_access lines ...) + +

+Do NOT add port 25 to ). You may +want to make a cron job that regularly verifies that your proxy blocks +access to port 25. + + +$Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $
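Review bot: In the @@ -1844 hunk, "Sure, there are few things you can do" should read "there are a few things you can do". While in this hunk, please double-check the argument list of the null store example (`cache_dir null -1 1000`) against squid.conf.default for 2.4: later in this same patch the leading `-1` argument is dropped from the diskd `cache_dir` example, so the null example may be carrying the old syntax.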
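Review bot: In the @@ -5507 hunk, "For example, lets say you want" needs "let's say", and the new heading "I want to customize, or make my own error messages." reads better without the comma ("I want to customize or make my own error messages"). The ERR_NO_PORNO walk-through itself is fine; consider stating explicitly that the file name given to `deny_info` must match the file created in the errors directory, since that is the step people get wrong.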
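Review bot: In the @@ -6569 hunk, the GCC workaround line `% setenv CFLAGS='-g -Wall'` is not valid csh: `setenv` takes the name and value as two words (`setenv CFLAGS '-g -Wall'`), and the `=` form would be rejected as a bad variable name. Bourne-shell users need `CFLAGS='-g -Wall'; export CFLAGS` instead, so either show both or drop the `%` prompt and say which shell is meant. Same hunk, the cydoor section has "enought" (enough), "a active configuration script" (an active), "Cydoor aps" (apps) and "any application which use" (which uses).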
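Review bot: In the @@ -7983 hunk, "you client tells the server" should be "your client tells the server", and "Ftp uses two data streams" should use "FTP" to match the heading "What are FTP passive connections?". The description of the non-passive hole (inbound from port 20 to any port > 1023) is accurate and worth keeping as is.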
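Review bot: In the @@ -8501 hunk, the change is pure CVS keyword expansion leaking into quoted content: the `$Id:` lines sit inside the quoted uipc_socket.c diff, yet they now read `$Id: FAQ.sgml,v 1.3 ...`, so the FAQ's embedded patch carries FAQ.sgml's own revision instead of the original file's header. Commit FAQ.sgml with `-ko` or break up the `$Id$` keyword in the quoted block so this stops churning on every revision.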
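Review bot: In the @@ -8742 hunk, "some sites may give erorrs" should be "errors" and "Some versions of linux" should be "Linux". The workaround `echo 0 >/proc/sys/net/ipv4/tcp_ecn` does not survive a reboot; it is worth adding that the equivalent `net.ipv4.tcp_ecn = 0` in /etc/sysctl.conf (or the startup scripts) makes it persistent, and that this is a host-wide change rather than a Squid setting.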
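Review bot: In the @@ -9964 hunk, the ipchains template has a typo that will make the script fail: `${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0` uses `-P` (set chain policy) where `-p udp` (protocol) is meant, as in the tcp line directly above it. Two smaller points in the same hunk: the ipchains rule redirects to port 8080 while the netfilter example a few lines later uses `--to-port 3128`; say in both places that the port must match Squid's `http_port`, or use one value. Also "prevents you from using the REDIRECT chain" should say "REDIRECT target", since REDIRECT is a target, not a chain.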
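Review bot: In the @@ -10064 hunk, the rename edits a third party's words: the surrounding context says "here's an email message posted to squid-users", so changing "Here is how I have Transparent proxying working for me" to "Interception proxying" alters the quoted message. Keep the original wording inside the quoted email (the section heading above it is the right place for the new term), and if it is kept, at least lowercase "interception" mid-sentence.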
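Review bot: In the @@ -10890 hunk, "To get instruction on using MRTG with Squid" should be "instructions". Same hunk, the DISKD requirement sentence in @@ -11861, "Your operating system must support message queues, and shared memory.", has a stray comma before "and".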
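Review bot: In the @@ -12132 hunk, the meanings of Q1 and Q2 are swapped relative to the old text (Q1 now triggers the refuse-to-open behaviour, Q2 the blocking), the recommended values are swapped to 72/64, and a new rule "Q1 should be larger than Q2" is added. The patch gives no source for these, so please cross-check the new definitions and the recommended values against the `cache_dir diskd` comments in squid.conf.default and the diskd store code before this ships; if the shipped defaults do not have Q1 > Q2, either the text or the defaults need a follow-up.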
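Review bot: In the @@ -12173 hunk, "base64 is a binary-to-text encoding only, it does NOT encrypt the information" is a comma splice; make it two sentences or join with a semicolon. The substance is right and useful: since the credentials are recoverable by anyone who can read the client-to-proxy traffic, it may also be worth saying that this applies to every request, not just the first one.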
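Review bot: In the @@ -12294 hunk, the mail-relaying advice covers only plain requests to port 25 via `http_access deny !Safe_ports`; a CONNECT tunnel to port 25 is governed by the separate default rule `http_access deny CONNECT !SSL_ports`, which this section should mention alongside "Do NOT add port 25 to Safe_ports" (and likewise not add 25 to SSL_ports). The suggested periodic check is a good idea; it should exercise both a plain request and a CONNECT to port 25 so a regression in either rule is caught.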