auto-import squid-2.4.STABLE1-4 from squid-2.4.STABLE1-4.src.rpm

This commit is contained in:
cvsdist 2004-09-09 12:36:55 +00:00
parent d4c19ac096
commit 703f3d3fd8
4 changed files with 597 additions and 218 deletions


@ -1 +1 @@
squid-2.3.STABLE4-src.tar.gz
squid-2.4.STABLE1-src.tar.gz
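Review bot: the tarball swap from squid-2.3.STABLE4-src.tar.gz to squid-2.4.STABLE1-src.tar.gz records only a filename, so nothing in this commit lets a reviewer check the integrity of the imported archive. Record a digest for the new tarball alongside the name so the import can be verified against the upstream release rather than trusted on filename alone.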

FAQ.sgml

@ -82,7 +82,7 @@ for the most recent versions.
<P>
Squid is the result of efforts by numerous individuals from
the Internet community.
<url url="mailto:wessels@ircache.net"
<url url="mailto:wessels@squid-cache.org"
name="Duane Wessels">
of the National Laboratory for Applied Network Research (funded by
the National Science Foundation) leads code development.
@ -127,10 +127,11 @@ For more specific information, please see
<url url="http://www.squid-cache.org/platforms.html" name="platforms.html">.
If you encounter any platform-specific problems, please
let us know by sending email to
<url url="mailto:squid-bugs@ircache.net"
<url url="mailto:squid-bugs@squid-cache.org"
name="squid-bugs">.
<sect1>Does Squid run on Windows NT?
<label id="squid-NT">
<P>
Recent versions of Squid will <em/compile and run/ on Windows/NT
with the
@ -149,12 +150,20 @@ Thanks to LogiSense for making the code available as required by the GPL terms.
is working on a Windows NT port as well. You can find more information from him
at <url url="http://www.ideal.net.au/~collinsdial/Squid2.4.htm" name="his page">.
<p>
<url url="http://serassio.interfree.it/SquidNT.htm" name="Guido Serassio">
and <url url="http://www.phys-iasi.ro/users/romeo/squidnt.htm" name="Romeo Anghelache"> have Squid NT pages, including
binaries and patches.
<p>
<sect1>What Squid mailing lists are available?
<P>
<itemize>
<item> squid-users@ircache.net: general discussions about the
<item> squid-users@squid-cache.org: general discussions about the
Squid cache software. Subscribe via
<it/squid-users-request@ircache.net/.
<it/squid-users-subscribe@squid-cache.org/.
Previous messages are available for browsing at
<url url="http://www.squid-cache.org/mail-archive/squid-users/"
@ -164,26 +173,26 @@ and also at <url url="http://marc.theaimsgroup.com/?l=squid-users&amp;r=1&amp;w=
<item>
squid-users-digest: digested (daily) version of
above. Subscribe via
<it/squid-users-digest-request@ircache.net/.
<it/squid-users-digest-subscribe@squid-cache.org/.
<item>
squid-announce@ircache.net: A receive-only list for
squid-announce@squid-cache.org: A receive-only list for
announcements of new versions.
Subscribe via
<it/squid-announce-request@ircache.net/.
<it/squid-announce-subscribe@squid-cache.org/.
<item>
<it/squid-bugs@ircache.net/:
<it/squid-bugs@squid-cache.org/:
A closed list for sending us bug reports.
Bug reports received here are given priority over
those mentioned on squid-users.
<item>
<it/squid@ircache.net/:
<it/squid@squid-cache.org/:
A closed list for sending us feed-back and ideas.
<item>
<it/squid-faq@ircache.net/:
<it/squid-faq@squid-cache.org/:
A closed list for sending us feed-back, updates, and additions to
the Squid FAQ.
</itemize>
@ -207,11 +216,10 @@ the IETF. It may be resurrected some day, you never know!
<sect1>I can't figure out how to unsubscribe from your mailing list.
<P>
All of our mailing lists have ``-request'' addresses that you must
All of our mailing lists have ``-subscribe'' and ``-unsubscribe''
addresses that you must
use for subscribe and unsubscribe requests. To unsubscribe from
the squid-users list, you send a message to <em/squid-users-request@ircache.net/
and in the subject and/or body of your message, you put the magic word
``unsubscribe.''
the squid-users list, you send a message to <em/squid-users-unsubscribe@squid-cache.org/.
<sect1>What Squid web pages are available?
<P>
@ -445,8 +453,8 @@ The following people have made contributions to this document:
</itemize>
<P>
Please send corrections, updates, and comments to:
<url url="mailto:squid-faq@ircache.net"
name="squid-faq@ircache.net">.
<url url="mailto:squid-faq@squid-cache.org"
name="squid-faq@squid-cache.org">.
<sect1>About This Document
<P>
@ -1844,6 +1852,40 @@ acl hotmail dstdomain .hotmail.com
always_direct allow hotmail
</verb>
<sect1>Can I make Squid proxy only, without caching anything?
<p>
Sure, there are few things you can do.
<p>
You can use the <em/no_cache/ access list to make Squid never cache any response:
<verb>
acl all src 0/0
no_cache deny all
</verb>
<p>
With Squid-2.4 and later you can use the ``null'' storage module:
<verb>
cache_dir null -1 1000
</verb>
<sect1>Can I prevent users from downloading large files?
<p>
You can set the global <em/reply_body_max_size/ parameter. This option
controls the largest HTTP message body that will be sent to a cache
client for one request.
<p>
If the HTTP response coming from the server has a <tt/Content-length/
header, then Squid compares the content-length value to the
<em/reply_body_max_size/ value. If the content-length is larger,
the server connection is closed and the user receives an error
message from Squid.
<p>
Some responses don't have <tt/Content-length/
headers. In this case, Squid counts how many bytes are written
to the client. Once the limit is reached, the client's connection
is simply closed.
<p>
Note that ``creative'' user-agents will still be able to download
really large files through the cache using HTTP/1.1 range requests.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
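Review bot: the `cache_dir null -1 1000` example uses a different argument layout from the diskd line this same patch rewrites further down (`cache_dir diskd /cache1 1024 16 256 Q1=72 Q2=64`, which drops the `-1` field); confirm the null example against the 2.4 `cache_dir` syntax so readers do not copy a stale form. In the `reply_body_max_size` answer, the closing caveat about HTTP/1.1 range requests is the most important sentence, since it is what makes the setting advisory rather than a hard cap; consider moving it up or stating plainly that the limit is per response, not per download.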
@ -3268,6 +3310,22 @@ directory of the Squid source distribution. The usage is
file numbers are read on stdin, and pathnames are printed on
stdout.
<sect1>Can I use <em/store.log/ to figure out if a response was cachable?
<p>
Sort of. You can use <em/store.log/ to find out if a particular response
was <em>cached</em>.
<p>
Cached responses are logged with the SWAPOUT tag.
Uncached responses are logged with the RELEASE tag.
<p>
However, your
analysis must also consider that when a cached response is removed
from the cache (for example due to cache replacement) it is also
logged in <em/store.log/ with the RELEASE tag. To differentiate these
two, you can look at the filenumber (3rd) field. When an uncachable
response is released, the filenumber is FFFFFFFF (-1). Any other
filenumber indicates a cached response was released.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
@ -4987,7 +5045,7 @@ the <em/all/ ACL. For example:
</verb>
<sect1>How do allow my clients to use the cache?
<sect1>How do I allow my clients to use the cache?
<p>
Define an ACL that corresponds to your client's IP addresses.
For example:
@ -5422,6 +5480,18 @@ http_access allow FOO WORKING
http_access deny FOO
</verb>
<sect1>How can I allow some users to use the cache at specific times?
<p>
<verb>
acl USER1 proxy_auth Dick
acl USER2 proxy_auth Jane
acl DAY time 06:00-18:00
http_access allow USER1 DAY
http_access deny USER1
http_access allow USER2 !DAY
http_access deny USER2
</verb>
<sect1>Problems with IP ACL's that have complicated netmasks
<p>
<em>Note: The information here is current for version 2.3.</em>
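Review bot: the time-of-day example ends with `http_access deny USER2` and no closing `http_access deny all`. A request from a user who is neither Dick nor Jane matches none of the four rules, and Squid then applies the opposite of the last rule, which here is allow. Add a final `http_access deny all` so the snippet fails closed when copied verbatim.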
@ -5507,6 +5577,10 @@ at once, Squid returns an error page. Unless you use the
<em/deny_info/ feature, the error message will just say ``access
denied.''
<p>
The <em/maxconn/ ACL requires the client_db feature. If you've
disabled client_db (for example with <em/client_db off/) then
<em/maxconn/ ALCs will not work.
<p>
Note, the <em/maxconn/ ACL type is kind of tricky because it
uses less-than comparison. The ACL is a match when the number
of established connections is <em/greater/ than the value you
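Review bot: typo in the added paragraph: `<em/maxconn/ ALCs will not work` should read `ACLs`. It would also help to say what "will not work" means in practice when `client_db off` is set, that is, whether the ACL never matches or whether Squid rejects the configuration, since a silently non-matching deny rule is the worse of the two outcomes for an administrator relying on it.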
@ -5516,6 +5590,51 @@ ACL with <em/http_access allow/.
Also note that you could use <em/maxconn/ in conjunction with
a user type (ident, proxy_auth), rather than an IP address type.
<sect1>I'm trying to deny <em/foo.com/, but it's not working.
<p>
In Squid-2.3 we changed the way that Squid matches subdomains.
There is a difference between <em/.foo.com/ and <em/foo.com/. The
first matches any domain in <em/foo.com/, while the latter matches
only ``foo.com'' exactly. So if you want to deny <em/bar.foo.com/,
you should write
<verb>
acl yuck dstdomain .foo.com
http_access deny yuck
</verb>
To be safe, you probably want to list both forms in your
access lists, for example:
<verb>
acl yuck dstdomain .foo.com foo.com
http_access deny yuck
</verb>
<sect1>I want to customize, or make my own error messages.
<p>
You can customize the existing error messages as described in
<ref id="custom-err-msgs" name="Customizable Error Messages">.
You can also create new error messages and use these in conjunction
with the <em/deny_info/ option.
<p>
For example, lets say you want your users to see a special message
when they request something that matches your pornography list.
First, create a file named ERR_NO_PORNO in the
<em>/usr/local/squid/etc/errors</em> directory. That file might
contain something like this:
<verb>
&lt;p&gt;
Our company policy is to deny requests to known porno sites. If you
feel you've received this message in error, please contact
the support staff (support@this.company.com, 555-1234).
</verb>
<p>
Next, set up your access controls as follows:
<verb>
acl porn url_regex "/usr/local/squid/etc/porno.txt"
deny_info ERR_NO_PORNO porn
http_access deny porn
(additional http_access lines ...)
</verb>
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Troubleshooting
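Review bot: `lets say` in the deny_info example should be `let's say`. More importantly, `acl porn url_regex "/usr/local/squid/etc/porno.txt"` reads one regular expression per line from that file, not literal hostnames; the text should say so, because a reader who fills the file with bare domain names gets patterns in which every `.` matches any character, and the `dstdomain` example just above has already primed them to think in hostnames. Also, `(additional http_access lines ...)` sits inside the `<verb>` block as if it were configuration; set it off as prose or mark it as a comment.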
@ -6172,7 +6291,7 @@ Should produce something like:
<sect1>Sending in Squid bug reports
<P>
Bug reports for Squid should be sent to the <url url="mailto:squid-bugs@ircache.net"
Bug reports for Squid should be sent to the <url url="mailto:squid-bugs@squid-cache.org"
name="squid-bugs alias">. Any bug report must include
<itemize>
<item>The Squid version
@ -6569,9 +6688,13 @@ Forwarding loops are detected by examining the <em/Via/ request header.
Each cache which "touches" a request must add its hostname to the
<em/Via/ header. If a cache notices its own hostname in this header
for an incoming request, it knows there is a forwarding loop somewhere.
<p>
NOTE:
A pair of caches which have the same <em/visible_hostname/ value
will report forwarding loops.
Squid may report a forwarding loop if a request goes through
two caches that have the same <em/visible_hostname/ value.
If you want to have multiple machines with the same
<em/visible_hostname/ then you must give each machine a different
<em/unique_hostname/ so that forwarding loops are correctly detected.
<P>
When Squid detects a forwarding loop, it is logged to the <em/cache.log/
@ -6932,6 +7055,72 @@ Andrew Doroshenko reports that removing <em>/dev/null</em>, or
mounting a filesystem with the <em>nodev</em> option, can cause
Squid to use 100% of CPU. His suggested solution is to ``touch /dev/null.''
<sect1>Webmin's <em/cachemgr.cgi/ crashes the operating system
<p>
Mikael Andersson reports that clicking on Webmin's <em/cachemgr.cgi/
link creates numerous instances of <em/cachemgr.cgi/ that quickly
consume all available memory and brings the system to its knees.
<p>
Changing the path to use Squid's own <em/cachemgr.cgi/ fixes
this problem. You can change the path by logging into the
Webmin GUI, select <em/Servers/ then <em/Squid Proxy Cache/.
Next select <em/Module Config/. From here you'll be
able to enter the pathname to the <em/cachemgr.cgi/ that came
with Squid.
<sect1>Segment Violation at startup or upon first request
<p>
Some versions of GCC (notably 2.95.1 through 2.95.3) have bugs
with compiler optimization. These GCC bugs may cause NULL pointer
accesses in Squid, resulting in a ``FATAL: Received Segment
Violation...dying'' message and a core dump.
<p>
You can work around these GCC bugs by disabling compiler
optimization. The best way to do that is start with a clean
source tree and set the CC options specifically:
<verb>
% cd squid-x.y
% make distclean
% setenv CFLAGS='-g -Wall'
% ./configure ...
</verb>
<p>
To check that you did it right, you can search for AC_CFLAGS in
<em>src/Makefile</em>:
<verb>
% grep AC_CFLAGS src/Makefile
AC_CFLAGS = -g -Wall
</verb>
Now when you recompile, GCC won't try to optimize anything:
<verb>
% make
Making all in lib...
gcc -g -Wall -I../include -I../include -c rfc1123.c
...etc...
</verb>
<p>
NOTE: some people worry that disabling compiler optimization will
negatively impact Squid's performance. The impact should be
negligible, unless your cache is really busy and already runs
at a high CPU usage. For most people, the compiler optimization
makes little or no difference at all.
<sect1>urlParse: Illegal character in hostname 'proxy.mydomain.com:8080proxy.mydomain.com'
<p>
By Yomler of fnac.net
<p>
A combination of a bad configuration of Internet Explorer and any
application which use the cydoor DLLs will produce the entry in the log.
See <url url="http://www.cydoor.com/" name="cydoor.com"> for a complete list.
<p>
The bad configuration of IE is the use of a active configuration script
(proxy.pac) and an active or inactive, but filled proxy settings. IE will
only use the proxy.pac. Cydoor aps will use both and will generate the errors.
<p>
Disabling the old proxy settings in IE is not enought, you should delete
them completely and only use the proxy.pac for example.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
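Review bot: `% setenv CFLAGS='-g -Wall'` is not valid csh syntax; csh's `setenv` takes the name and value as separate words (`setenv CFLAGS '-g -Wall'`), and Bourne-shell users need `CFLAGS='-g -Wall'; export CFLAGS` before running configure. The `grep AC_CFLAGS src/Makefile` check that follows is a good addition precisely because it catches this mistake, so keep it. Minor typos in the urlParse section: `enought`, `aps`, `a active`, `which use`.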
@ -7983,6 +8172,53 @@ local end of the client's TCP connection. Since the local address
isn't really local (its some far away origin server's IP address),
the <em/bind()/ system call fails. Squid handles this as a failed
ident lookup.
<p>
<it>
So why bind in that way? If you know you are transparent proxying, then why
not bind the local endpoint to the host's (intranet) IP address? Why make
the masses suffer needlessly?
</it>
<p>
Because thats just how ident works.
Please read <url url="ftp://ftp.isi.edu/in-notes/rfc931.txt" name="RFC 931">,
in particular the RESTRICTIONS section.
<sect1>dnsSubmit: queue overload, rejecting blah
<p>
This means that you are using external <em/dnsserver/ processes
for lookups, and all processes are busy, and Squid's pending queue
is full. Each <em/dnsserver/ program can only handle one request
at a time. When all <em/dnsserver/ processes are busy, Squid queues
up requests, but only to a certain point.
<p>
To alleviate this condition, you need to either (1) increase the number
of <em/dnsserver/ processes by changing the value for <em/dns_children/
in your config file, or (2) switch to using Squid's internal DNS client
code.
<p>
Note that in some versions, Squid limits <em/dns_children/ to 32. To
increase it beyond that value, you would have to edit the source code.
<sect1>What are FTP passive connections?
<p>
by Colin Campbell
<p>
Ftp uses two data streams, one for passing commands around, the other for
moving data. The command channel is handled by the ftpd listening on port
21.
<p>
The data channel varies depending on whether you ask for passive ftp or
not. When you request data in a non-passive environment, you client tells
the server ``I am listening on &lt;ip-address&gt; &lt;port&gt;.'' The server then
connects FROM port 20 to the ip address and port specified by your client.
This requires your "security device" to permit any host outside from port
20 to any host inside on any port &gt; 1023. Somewhat of a hole.
<p>
In passive mode, when you request a data transfer, the server tells the
client ``I am listening on &lt;ip address&gt; &lt;port&gt;.'' Your client then connects
to the server on that IP and port and data flows.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
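Review bot: the ident answer points readers at RFC 931; that document was obsoleted by RFC 1413 (Identification Protocol), which keeps the same restriction on the local endpoint, so the link should be updated. In the FTP passive section, `you client tells the server` should be `your client`, and `Somewhat of a hole` would be clearer if the consequence were spelled out: active mode requires the packet filter to admit inbound connections from port 20 to any port above 1023 on any inside host, which is the exposure passive mode avoids.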
@ -8501,8 +8737,8 @@ diff -p -u -r1.40 -r1.41
* SUCH DAMAGE.
*
* @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94
- * $Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $
+ * $Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $
- * $Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $
+ * $Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $
*/
#include <sys/param.h>
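Review bot: the two `$Id: FAQ.sgml,v ...$` lines inside the quoted `uipc_socket.c` excerpt are CVS keyword expansion acting on the FAQ's own source; they have overwritten whatever `$Id$` the BSD file carried, and every future commit will churn them again (this one already shows the 1.2 to 1.3 bump). Disable keyword expansion for the file (`cvs admin -ko`) or break the keyword inside quoted code so the excerpt stays faithful to the original.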
@ -8742,6 +8978,22 @@ source unless you know exactly what you are doing, as this can easily
render the system unuseable.
</enum>
<sect2>Can't connect to some sites through Squid
<p>
When using Squid, some sites may give erorrs such as
``(111) Connection refused'' or ``(110) Connection timed out''
although these sites work fine without going through Squid.
<p>
Some versions of linux implement
<url url="ftp://ftp.isi.edu/in-notes/rfc2481.txt" name="Explicit
Congestion Notification"> (ECN) and this can cause
some TCP connections to fail. You can disable ECN with
the following command:
<verb>
echo 0 >/proc/sys/net/ipv4/tcp_ecn
</verb>
<p>
See also the <url url="http://answerpointe.cctec.com/maillists/nanog/historical/0104/msg00714.html" name="thread on the NANOG mailing list">.
<sect1>HP-UX
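Review bot: `echo 0 >/proc/sys/net/ipv4/tcp_ecn` changes a live kernel setting that does not survive a reboot, so the text should say where to make it persistent (the same startup scripts this FAQ already recommends for `ip_forward`). Typos in the added text: `erorrs` for `errors`, `unuseable` for `unusable`, and `linux` should be capitalised.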
@ -9611,7 +9863,7 @@ solve the ``big scale'' problem.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Transparent Caching/Proxying
<sect>Interception Caching/Proxying
<label id="trans-caching">
<P>
@ -9713,11 +9965,11 @@ users, which you can do with Squid in this configuration.
</itemize>
<sect1>Transparent caching for Solaris, SunOS, and BSD systems
<sect1>Interception caching for Solaris, SunOS, and BSD systems
<sect2>Install IP Filter
<P>
First, get and install the
<url url="ftp://coombs.anu.edu.au/pub/net/ip-filter/"
<url url="http://coombs.anu.edu.au/ipfilter/"
name="IP Filter package">.
<sect2>Configure ipnat
@ -9774,12 +10026,12 @@ Add these lines to <em/squid.conf/:
<P>
Thanks to <url url="mailto:q@fan.net.au" name="Quinton Dolan">.
<sect1>Transparent caching with Linux
<sect1>Interception caching with Linux 2.0 and ipfwadm
<label id="trans-linux-1">
<P>
by <url url="mailto:Rodney.van.den.Oever@tip.nl" name="Rodney van den Oever">
<P><bf/Note:/ Transparent proxying does NOT work with Linux&nbsp;2.0.30!
<P><bf/Note:/ Interception proxying does NOT work with Linux&nbsp;2.0.30!
Linux&nbsp;2.0.29 is known to work well. If you're using a more recent
kernel, like 2.2.X, then you should probably use an ipchains configuration,
<ref id="trans-linux-2" name="as described below">.
@ -9964,8 +10216,125 @@ am quite pleased with the results.
See also <url url="http://www.unxsoft.com/transproxy.html"
name="Daniel Kiracofe's page">.
<sect1>Interception caching with Linux 2.2 and ipchains
<label id="trans-linux-2">
<P>
by <url url="mailto:Support@dnet.co.uk" name="Martin Lyons">
<P>
You need to configure your kernel for ipchains.
Configuring Linux kernels is beyond the scope of
this FAQ. One way to do it is:
<verb>
# cd /usr/src/linux
# make menuconfig
</verb>
<p>
The following shows important kernel features to include:
<verb>
[*] Network firewalls
[ ] Socket Filtering
[*] Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[ ] IP: firewall packet netlink device
[*] IP: always defragment (required for masquerading)
[*] IP: transparent proxy support
</verb>
<P>
You must include the <em>IP: always defragment</em>, otherwise it prevents
you from using the REDIRECT chain.
<sect1>Transparent caching with Cisco routers
<P>
You can use this script as a template for your own <em/rc.firewall/
to configure ipchains:
<verb>
#!/bin/sh
# rc.firewall Linux kernel firewalling rules
# Leon Brooks (leon at brooks dot fdns dot net)
FW=/sbin/ipchains
ADD="$FW -A"
# Flush rules, for testing purposes
for i in I O F # A # If we enabled accounting too
do
${FW} -F $i
done
# Default policies:
${FW} -P input REJECT # Incoming policy: reject (quick error)
${FW} -P output ACCEPT # Output policy: accept
${FW} -P forward DENY # Forwarding policy: deny
# Input Rules:
# Loopback-interface (local access, eg, to local nameserver):
${ADD} input -j ACCEPT -s localhost/32 -d localhost/32
# Local Ethernet-interface:
# Redirect to Squid proxy server:
${ADD} input -p tcp -d 0/0 80 -j REDIRECT 8080
# Accept packets from local network:
${ADD} input -j ACCEPT -s localnet/8 -d 0/0 -i eth0
# Only required for other types of traffic (FTP, Telnet):
# Forward localnet with masquerading (udp and tcp, no icmp!):
${ADD} forward -j MASQ -p tcp -s localnet/8 -d 0/0
${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0
</verb>
<P>
Also, <url url="mailto:andrew@careless.net" name="Andrew Shipton">
notes that with 2.0.x kernels you don't need to enable packet forwarding,
but with the 2.1.x and 2.2.x kernels using ipchains you do. Packet
forwarding is enabled with the following command:
<verb>
echo 1 > /proc/sys/net/ipv4/ip_forward
</verb>
<sect1>Interception caching with Linux 2.4 and netfilter
<label id="trans-linux-3">
<P>
NOTE: this information comes from Daniel Kiracofe's
<url url="http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html"
name="Transparent Proxy with Squid mini-HOWTO">.
<p>
You may need to build a new kernel. Be sure to enable
all of these options (none of them as modules):
<itemize>
<item>Networking support
<item>Sysctl support
<item>Network packet filtering
<item>TCP/IP networking
<item>Connection tracking (Under ``IP: Netfilter Configuration'' in menuconfig)
<item>IP tables support
<item>Full NAT
<item>REDIRECT target support
<item>/proc filesystem support
</itemize>
<p>
You must say NO to ``Fast switching''
<p>
After building the kernel, install it and reboot.
<p>
You may need to enable packet forwarding (e.g. in your startup scripts):
<verb>
echo 1 > /proc/sys/net/ipv4/ip_forward
</verb>
<p>
Use the <em/iptables/ command to make your kernel intercept HTTP connections
and send them to Squid:
<verb>
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
</verb>
<sect1>Interception caching with Cisco routers
<P>
by <url url="mailto:John.Saunders@scitec.com.au" name="John Saunders">
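Review bot: in the rc.firewall template, `${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0` uses a capital `-P`, which ipchains reads as the policy option rather than the protocol; it should be `-p udp`, matching the tcp line directly above it. `localnet/8` is evidently a placeholder for the reader's own prefix and should be labelled as such, since copied verbatim it is not a valid network. The REDIRECT rule sends port 80 to 8080 while the netfilter example later in the hunk uses 3128; the text should say that the port must match `http_port` in squid.conf.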
@ -10053,7 +10422,7 @@ Conversely, this set has worse performance, but works for all protocols:
access-list 110 deny tcp any any
</verb>
<sect1>Transparent caching with LINUX 2.0.29 and CISCO IOS 11.1
<sect1>Interception caching with LINUX 2.0.29 and CISCO IOS 11.1
<P>
Just for kicks, here's an email message posted to squid-users
@ -10064,7 +10433,7 @@ and Squid running on Linux.
by <url url="mailto:signal@shreve.net" name="Brian Feeny">
<P>
Here is how I have Transparent proxying working for me, in an environment
Here is how I have Interception proxying working for me, in an environment
where my router is a Cisco 2501 running IOS 11.1, and Squid machine is
running Linux 2.0.33.
@ -10187,10 +10556,10 @@ avoids the most common loops.
<item>
If you are using ipfilter then you should also use transproxyd in
front of Squid. Squid does not yet know how to interface to ipfilter
(patches are welcome: squid-bugs@ircache.net).
(patches are welcome: squid-bugs@squid-cache.org).
</itemize>
<sect1>Transparent caching with FreeBSD
<sect1>Interception caching with FreeBSD
<label id="trans-freebsd">
<P>
by Duane Wessels
@ -10277,88 +10646,7 @@ and the <em/squid.conf/ lines are:
httpd_accel_uses_host_header on
</verb>
<sect1>Transparent caching with Linux and ipchains
<label id="trans-linux-2">
<P>
by <url url="mailto:Support@dnet.co.uk" name="Martin Lyons">
<P>
You need to configure your kernel for ipchains.
Configuring Linux kernels is beyond the scope of
this FAQ. One way to do it is:
<verb>
# cd /usr/src/linux
# make menuconfig
</verb>
<p>
The following shows important kernel features to include:
<verb>
[*] Network firewalls
[ ] Socket Filtering
[*] Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[ ] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[ ] IP: firewall packet netlink device
[*] IP: always defragment (required for masquerading)
[*] IP: transparent proxy support
</verb>
<P>
You must include the <em>IP: always defragment</em>, otherwise it prevents
you from using the REDIRECT chain.
<P>
You can use this script as a template for your own <em/rc.firewall/
to configure ipchains:
<verb>
#!/bin/sh
# rc.firewall Linux kernel firewalling rules
# Leon Brooks (leon at brooks dot fdns dot net)
FW=/sbin/ipchains
ADD="$FW -A"
# Flush rules, for testing purposes
for i in I O F # A # If we enabled accounting too
do
${FW} -F $i
done
# Default policies:
${FW} -P input REJECT # Incoming policy: reject (quick error)
${FW} -P output ACCEPT # Output policy: accept
${FW} -P forward DENY # Forwarding policy: deny
# Input Rules:
# Loopback-interface (local access, eg, to local nameserver):
${ADD} input -j ACCEPT -s localhost/32 -d localhost/32
# Local Ethernet-interface:
# Redirect to Squid proxy server:
${ADD} input -p tcp -d 0/0 80 -j REDIRECT 8080
# Accept packets from local network:
${ADD} input -j ACCEPT -s localnet/8 -d 0/0 -i eth0
# Only required for other types of traffic (FTP, Telnet):
# Forward localnet with masquerading (udp and tcp, no icmp!):
${ADD} forward -j MASQ -p tcp -s localnet/8 -d 0/0
${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0
</verb>
<P>
Also, <url url="mailto:andrew@careless.net" name="Andrew Shipton">
notes that with 2.0.x kernels you don't need to enable packet forwarding,
but with the 2.1.x and 2.2.x kernels using ipchains you do. Packet
forwarding is enabled with the following command:
<verb>
echo 1 > /proc/sys/net/ipv4/ip_forward
</verb>
<sect1>Transparent caching with ACC Tigris digital access server
<sect1>Interception caching with ACC Tigris digital access server
<P>
by <url url="mailto:John.Saunders@scitec.com.au" name="John Saunders">
<P>
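Review bot: the removed `Transparent caching with Linux and ipchains` section is the same text this patch re-adds earlier as `Interception caching with Linux 2.2 and ipchains`, and `<label id="trans-linux-2">` is re-declared there, so the `<ref id="trans-linux-2">` in the ipfwadm section still resolves. After the move, verify the file contains exactly one `trans-linux-2` label.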
@ -10594,6 +10882,11 @@ address seems to work.
HTTP packets. &lt;Host-IP&gt; is the IP address of your cache, and
&lt;interface&gt; is the network interface that receives those packets (probably eth0).
<sect3>Joe Cooper's Patch
<p>
Joe Cooper has a patch for Linux 2.2.18 kernel on his
<url url="http://www.swelltech.com/pengies/joe/patches/" name="Squid page">.
<sect3>WCCP Specific Module
<P>
@ -10651,7 +10944,7 @@ name="Internet Draft"> (expires Jan 2001).
At this point, Squid does not support WCCPv2, but anyone
is welcome to code it up and contribute to the Squid project.
<sect1>Transparent caching with Foundry L4 switches
<sect1>Interception caching with Foundry L4 switches
<p>
by <url url="mailto:signal at shreve dot net" name="Brian Feeny">.
<p>
@ -10860,7 +11153,7 @@ in 2.2.
<P>
You can test if your Squid supports SNMP with the <em/snmpwalk/ program
(<em/snmpwalk/ is a part of the
<url url="http://www.ece.ucdavis.edu/ucd-snmp/" name="UCD-SNMP project">).
<url url="http://net-snmp.sourceforge.net/" name="NET-SNMP project">).
Note that you have to specify the SNMP port, which in Squid defaults to
3401.
<verb>
@ -10876,8 +11169,8 @@ then it is working ok, and you should be able to make nice statistics out of it.
<P>
For an explanation of what every string (OID) does, you should
refer to the <url url="http://www.ircache.net/Cache/cache-snmp/"
name="Cache SNMP web pages">.
refer to the <url url="/SNMP/"
name="Squid SNMP web pages">.
<sect1>What can I use SNMP and Squid for?
<P>
@ -10890,21 +11183,24 @@ frequently. Why not let MRTG do it for you?
<sect1>How can I use SNMP with Squid?
<p>
There are a number of tools that you can use to monitor Squid via SNMP. A very popular one
is MRTG, there are however a number of others. To learn what they are and to get additional
documentation, please visit the <url url="http://www.ircache.net/Cache/cache-snmp/"
name="Cache SNMP web pages">.
There are a number of tools that you can use to monitor Squid via
SNMP. Many people use MRTG. Another good combination is <url
url="http://net-snmp.sourceforge.net/" name="NET-SNMP"> plus <url
url="http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/"
name="RRDTool">. You might be able to find more
information at the <url url="/SNMP/"
name="Squid SNMP web pages">.
<sect2>MRTG
<P>
We use <url url="http://ee-staff.ethz.ch/&percnt;7eoetiker/webtools/mrtg/mrtg.html" name="MRTG">
to query Squid through its <url url="http://www.nlanr.net/Cache/cache-snmp/" name="SNMP interface">.
Some people use <url url="http://www.mrtg.org/" name="MRTG">
to query Squid through its SNMP interface.
<P>
To get instruction on using MRTG with Squid please visit these pages:
<enum>
<item><url url="http://unary.calvin.edu/squid.html" name="Squid + MRTG graphs">
<item><url url="http://www.ircache.net/Cache/cache-snmp/" name="Cache SNMP web pages">
</enum>
<sect1>Where can I get more information/discussion about Squid and SNMP?
@ -11048,7 +11344,7 @@ the password file as an argument. For example:
<P>
After all that, you should be able to start up Squid. If we left something out, or
haven't been clear enough, please let us know (squid-faq@ircache.net).
haven't been clear enough, please let us know (squid-faq@squid-cache.org).
<sect1>Why does proxy-auth reject all users with Squid-2.2?
<P>
@ -11501,6 +11797,7 @@ will be empty.
<sect1>Customizable Error Messages
<label id="custom-err-msgs">
<P>
Squid-2 lets you customize your error messages. The source distribution
includes error messages in different languages. You can select the
@ -11752,7 +12049,7 @@ get stuck in a forwarding loop.
<sect2>Wget
<P>
<url url="ftp://gnjilux.cc.fer.hr/pub/unix/util/wget/" name="Wget"> is a
command-line Web client. It supports recursive retrievals and
command-line Web client. It supports HTTP and FTP URLs, recursive retrievals, and
HTTP proxies.
<sect2>echoping
@ -11861,30 +12158,37 @@ and
<sect1>What is DISKD?
<p>
DISKD refers to some features in Squid-2.4 to improve Disk I/O performance.
The basic idea is that each <em/cache_dir/ has its own <em/diskd/ child process.
The diskd process performs all disk I/O operations (open, close, read, write, unlink)
for the cache_dir. Message queues are used to send requests and responses between
the Squid and diskd processes. Shared memory is used for chunks of data to
be read and written.
DISKD refers to some features in Squid-2.4 to improve Disk I/O
performance. The basic idea is that each <em/cache_dir/ has its
own <em/diskd/ child process. The diskd process performs all disk
I/O operations (open, close, read, write, unlink) for the cache_dir.
Message queues are used to send requests and responses between the
Squid and diskd processes. Shared memory is used for chunks of
data to be read and written.
<sect1>Does it perform better?
<p>
Yes. We benchmarked Squid-2.4 with DISKD at the
<url url="http://polygraph.ircache.net/Results/bakeoff-2/" name="Second IRCache Bake-Off">.
The results are also described <url url="/Benchmarking/bakeoff-02/" name="here">.
At the bakeoff, we got 160 req/sec with diskd. Without diskd, we'd have gotten about 40 req/sec.
Yes. We benchmarked Squid-2.4 with DISKD at the <url
url="http://polygraph.ircache.net/Results/bakeoff-2/" name="Second
IRCache Bake-Off">. The results are also described <url
url="/Benchmarking/bakeoff-02/" name="here">. At the bakeoff, we
got 160 req/sec with diskd. Without diskd, we'd have gotten about
40 req/sec.
<sect1>What do I need to use it?
<sect1>How do I use it?
<p>
<enum>
<item>
Squid-2.4
<item>
Your operating system must support message queues.
<item>
Your operating system must support shared memory.
</enum>
You need to run Squid version <url url="/Versions/v2/2.4" name="2.4"> or later.
Your operating system must support message queues, and shared memory.
<p>
To configure Squid for DISKD, use the <em/--enable-storeio/ option:
<verb>
% ./configure --enable-storeio=diskd,ufs
</verb>
<sect1>FATAL: Unknown cache_dir type 'diskd'
<p>
You didn't put <em/diskd/ in the list of storeio modules as described
above. You need to run <em/configure/ and and recompile Squid.
<sect1>If I use DISKD, do I have to wipe out my current cache?
<p>
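Review bot: `You need to run <em/configure/ and and recompile Squid` has a doubled `and`, and `message queues, and shared memory` in the rewritten requirements paragraph has a stray comma. Since the section was retitled from `What do I need to use it?` to `How do I use it?`, the `--enable-storeio=diskd,ufs` line now carries the answer; a sentence on why `ufs` stays in the list would help readers who hit the `FATAL: Unknown cache_dir type` error described just below.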
@ -11990,6 +12294,15 @@ message queue parameters except to modify the include files
and build a new kernel. On my system, the file
is <em>/usr/src/linux/include/linux/msg.h</em>.
<p>
Stefan K&ouml;psell reports that if you compile sysctl support
into your kernel, then you can change the following values:
<itemize>
<item>kernel.msgmnb
<item>kernel.msgmni
<item>kernel.msgmax
</itemize>
<sect2>Solaris
<p>
Refer to <url url="http://www.sunworld.com/sunworldonline/swol-11-1997/swol-11-insidesolaris.html"
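Review bot: the added list (`kernel.msgmnb`, `kernel.msgmni`, `kernel.msgmax`) names the sysctl keys but not how to set them, and the paragraph above still says the only way to change message queue parameters is to edit `msg.h` and rebuild, so the two now contradict each other. Say that with sysctl support the values can be written at runtime (the shared-memory hunk below already points at `/proc/sys/kernel/shmmax` for the analogous case) and soften the preceding sentence accordingly.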
@ -12097,6 +12410,15 @@ is <em>/usr/src/linux/include/asm-i386/shmparam.h</em>
Oh, it looks like you can change <em/SHMMAX/ by writing
the file <em>/proc/sys/kernel/shmmax</em>.
<p>
Stefan K&ouml;psell reports that if you compile sysctl support
into your kernel, then you can change the following values:
<itemize>
<item>kernel.shmall
<item>kernel.shmmni
<item>kernel.shmmax
</itemize>
<sect2>Solaris
<p>
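Review bot: this paragraph duplicates the sentence immediately above it, which already says SHMMAX can be changed by writing /proc/sys/kernel/shmmax. Merge the two into one paragraph that says kernel.shmall, kernel.shmmni and kernel.shmmax are the sysctl names for the same /proc/sys/kernel files, rather than presenting the sysctl keys as an unrelated second report.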
@ -12132,20 +12454,24 @@ These numbers refer to the number of oustanding requests on a message
queue. They are specified on the <em/cache_dir/ option line, after
the L1 and L2 directories:
<verb>
cache_dir diskd -1 /cache1 1024 16 256 64 72
cache_dir diskd /cache1 1024 16 256 Q1=72 Q2=64
</verb>
<p>
If there are more than Q1 messages outstanding, then the main Squid
process ``blocks'' for a little bit until the diskd process services
some of the messages and sends back some replies.
<p>
If there are more than Q2 messages outstanding, then Squid will
If there are more than Q1 messages outstanding, then Squid will
intentionally fail to open disk files for reading and writing.
This is a load-shedding mechanism. If your cache gets really really
busy and the disks can not keep up, Squid bypasses the disks until
the load goes down again.
<p>
Reasonable values for Q1 and Q2 are 64 and 72, respectively.
If there are more than Q2 messages outstanding, then the main Squid
process ``blocks'' for a little bit until the diskd process services
some of the messages and sends back some replies.
<p>
Q1 should be larger than Q2. You want Squid to get to the
``blocking'' condition before it gets to the ``refuse to open files''
condition.
<p>
Reasonable values for Q1 and Q2 are 72 and 64, respectively.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
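Review bot: this hunk silently inverts the meaning of Q1 and Q2 (Q1 was the "block briefly" threshold and is now the "refuse to open files" threshold, Q2 the reverse) and changes the cache_dir syntax from a positional `-1 ... 64 72` form to `Q1=72 Q2=64`. The new text is internally consistent (Q1=72 > Q2=64, so the milder blocking condition is reached before the load-shedding one), but a reader who followed the previous FAQ has a cache_dir line that no longer matches this syntax and, if they keep their old numbers, gets the thresholds backwards. Add a sentence saying that the syntax and the meaning of the two values changed and that an old-style line must be rewritten, and describe the two thresholds in the order a busy cache hits them (Q2 block, then Q1 refuse).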
@ -12173,6 +12499,15 @@ the user to enter a name and password. The name and password are
encoded, and sent in the <em/Authorization/ header for subsequent
requests to the proxy.
<p>
<em>NOTE</em>: The name and password are encoded using ``base64''
(See section 11.1 of <url url="ftp://ftp.isi.edu/in-notes/rfc2616.txt"
name="RFC 2616">). However, base64 is a binary-to-text encoding only,
it does NOT encrypt the information it encodes. This means that
the username and password are essentially ``cleartext'' between
the browser and the proxy. Therefore, you probably should not use
the same username and password that you would use for your account login.
<p>
Authentication is actually performed outside of main Squid process.
When Squid starts, it spawns a number of authentication subprocesses.
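Review bot: the citation is wrong. RFC 2616 section 11 only defers to the separate authentication specification; the Basic scheme and its base64 encoding of `user:password` are defined in RFC 2617, section 2. The note should also state the consequence directly: anyone on the path between browser and proxy can read the credentials, so the advice is not just "do not reuse your login password" but "do not rely on Basic proxy authentication across a network you do not trust".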
@ -12294,8 +12629,51 @@ name="A Tao of Regular Expressions"> and
<url url="http://www.newbie.org/gazette/xxaxx/xprmnt02.html"
name="Newbie's page">.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Security Concerns
<sect1>Open-access proxies
<p>
Squid's default configuration file denies all client requests. It is the
administrator's responsibility to configure Squid to allow access only
to trusted hosts and/or users.
<p>
If your proxy allows access from untrusted hosts or users, you can be
sure that people will find and abuse your service. Some people
will use your proxy to make their browsing anonymous. Others will
intentionally use your proxy for transactions that may be illegal
(such as credit card fraud). A number of web sites exist simply
to provide the world with a list of open-access HTTP proxies. You
don't want to end up on this list.
<p>
Be sure to carefully design your access control scheme. You should
also check it from time to time to make sure that it works as you
expect.
<sect1>Mail relaying
<p>
SMTP and HTTP are rather similar in design. This, unfortunately, may
allow someone to relay an email message through your HTTP proxy. To
prevent this, you must make sure that your proxy denies HTTP requests
to port 25, the SMTP port.
<p>
Squid is configured this way by default. The default <em/squid.conf/
file lists a small number of trusted ports. See the <em/Safe_ports/
ACL in <em/squid.conf/. Your configuration file should always deny
unsafe ports early in the <em/http_access/ lists:
<verb>
$Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $
http_access deny !Safe_ports
(additional http_access lines ...)
</verb>
<p>
Do NOT add port 25 to <em/Safe_ports/ (unless your goal is to end
up in the <url url="http://mail-abuse.org/rbl/" name="RBL">). You may
want to make a cron job that regularly verifies that your proxy blocks
access to port 25.
<verb>
$Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $
</verb>
</article>
<!-- LocalWords: SSL MSIE Netmanage Chameleon WebSurfer unchecking remotehost
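Review bot: the closing advice to "make a cron job that regularly verifies that your proxy blocks access to port 25" is left as an exercise; since the whole section is about a concrete misconfiguration, give the concrete check, e.g. run the `client` program that ships with Squid (`client -h <proxy> -p 3128 http://<somehost>:25/`) from the cron job and alert unless the reply is 403 Forbidden. Also note for anyone reading this rendered diff that the `$Id: FAQ.sgml,v 1.2 ...` line that appears inside the `<verb>` block is the old file's trailer being removed, not part of the example configuration; the example itself is only the `http_access deny !Safe_ports` line followed by the placeholder for further rules.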
View File
@ -1 +1 @@
c38c083f44c222a8d026fa129c30b98f squid-2.3.STABLE4-src.tar.gz
6a3977716571a8459cf66b96306f7c05 squid-2.4.STABLE1-src.tar.gz
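Review bot: the new tarball digest replaces the old one with nothing recording where it was verified against; an MD5 taken from the same download site offers no protection against a tampered mirror. Note the source of the digest (upstream announcement or signature) in the changelog, or carry the upstream signature alongside the checksum.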
View File
@ -1,9 +1,9 @@
Summary: The Squid proxy caching server.
Name: squid
Version: 2.3.STABLE4
Release: 10.7.1
Version: 2.4.STABLE1
Release: 4
Serial: 6
Copyright: GPL
License: GPL
Group: System Environment/Daemons
Source: http://www.squid-cache.org/Squid/v2/squid-%{version}-src.tar.gz
Source1: http://www.squid-cache.org/Squid/FAQ/FAQ.sgml
@ -11,24 +11,19 @@ Source2: squid.init
Source3: squid.logrotate
Source4: squid.sysconfig
Patch0: squid-2.1-make.patch
Patch1: squid-2.3-config.patch
Patch1: squid-2.4-config.patch
Patch2: squid-perlpath.patch
Patch3: squid-2.3.STABLE4-domainmatch.patch
Patch4: squid-mktemp.patch
Patch5: squid-location.patch
Patch10: squid-2.3.stable4-ftp_icon_not_found.patch
Patch11: squid-2.3.stable4-internal_dns_rcode_table_formatting.patch
Patch12: squid-2.3.stable4-invalid_ip_acl_entry.patch
Patch13: squid-2.3.stable4-ipfw_configure.patch
Patch14: squid-2.3.stable4-accel_only_access.patch
Patch15: squid-2.3.stable4-carp-assertion.patch
Patch16: squid-2.3.stable4-html_quoting.patch
Patch17: squid-2.3.stable4-snmp-community-null-pointer.patch
Patch18: squid-2.4stable-ftpcrash.path
BuildRoot: /var/tmp/squid-root
Patch3: squid-location.patch
Patch10: squid-2.4.stable1-diskd_fixed_path.patch
Patch11: squid-2.4.stable1-force_valid_blksize.patch
Patch12: squid-2.4.stable1-high_cpu_with_peers.patch
Patch13: squid-2.4.stable1-htcp_assertion_fix.patch
Patch14: squid-2.4.stable1-kill_parent_on_child_sigkill.patch
Patch15: squid-2.4.stable1-wrong_sign_on_timestamp_check.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Prereq: /sbin/chkconfig logrotate shadow-utils /etc/init.d
Requires: bash >= 2.0
BuildPrereq: jade sgml-tools
BuildPrereq: openjade sgml-tools openldap-devel pam-devel
Obsoletes: squid-novm
%description
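Review bot: eight 2.3.STABLE4 patches are dropped in this hunk without any statement that their fixes are in upstream 2.4.STABLE1, and several of them are security-relevant (squid-mktemp.patch, squid-2.3.stable4-html_quoting.patch, squid-2.3.stable4-snmp-community-null-pointer.patch, squid-2.3.stable4-invalid_ip_acl_entry.patch, squid-2.3.stable4-accel_only_access.patch). The changelog entry for this update only says "update to 2.4.STABLE1 + patches"; confirm each dropped fix is present upstream and record that in the changelog. The new `BuildPrereq: openjade sgml-tools openldap-devel pam-devel` is consistent with the `--enable-auth-modules="LDAP,NCSA,PAM,SMB,MSNT"` configure line added below.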
@ -49,27 +44,23 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch0 -p1 -b .make
%patch1 -p1 -b .config
%patch2 -p1 -b .perlpath
%patch3 -p1 -b .acl2
cd src
%patch4 -p0 -b .mktemp
cd ..
%patch5 -p1
%patch10 -p0 -b .ftp-icon
%patch11 -p0 -b .dns
%patch12 -p0 -b .ip_acl
%patch13 -p0 -b .config
%patch14 -p0 -b .accel_only
%patch15 -p0 -b .carp
%patch16 -p0 -b .html_quote
%patch17 -p0 -b .snmp
%patch18 -p0 -b .ftp-crash
%patch3 -p1
%patch10 -p0 -b .diskd
%patch11 -p0 -b .force_valid_blksize
%patch12 -p0 -b .cpu_peer
%patch13 -p0 -b .htcp
%patch14 -p0 -b .kill_parent
%patch15 -p0 -b .timestamp
%build
%configure \
--exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
--localstatedir=/var --sysconfdir=/etc/squid \
--enable-poll --enable-snmp --enable-heap-replacement \
--enable-delay-pools # --enable-icmp
--enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
--enable-storeio="aufs,coss,diskd,ufs" \
--enable-delay-pools --enable-linux-netfilter \
--enable-htcp --enable-carp --with-pthreads \
--enable-auth-modules="LDAP,NCSA,PAM,SMB,MSNT" # --enable-icmp
# Some versions of autoconf fail to detect sys/resource.h correctly;
# apparently because it generates a compiler warning.
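Review bot: `%patch3 -p1` is the only patch applied without a `-b` backup suffix, unlike every other `%patch` line; give it one (e.g. `-b .location`) so failed or partial applications are as easy to diagnose as for the rest. The trailing `# --enable-icmp` comment on the last continuation line is only safe while that line stays last; anyone appending another `\` line will have the comment swallow it, so move the comment above the `%configure` call.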
@ -90,19 +81,19 @@ cp $RPM_SOURCE_DIR/FAQ.sgml faq
cd faq
sgml2html FAQ.sgml
cd ..
cd auth_modules
cd LDAP
make
cd ../NCSA
make
cd ../PAM
make
cd ../SMB
make SAMBAPREFIX=%{prefix}
cd ../getpwnam
make
cd ../..
#cd ..
#cd auth_modules
#cd LDAP
#make
#cd ../NCSA
#make
#cd ../PAM
#make
#cd ../SMB
#make SAMBAPREFIX=%{prefix}
#cd ../getpwnam
#make
#cd ../..
%install
rm -rf $RPM_BUILD_ROOT
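Review bot: the per-directory auth_modules builds should be deleted, not commented out. With `--enable-auth-modules` passed to `%configure`, the top-level make builds these helpers, so the commented block is dead code that will only confuse the next maintainer into wondering whether the helpers are built at all.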
@ -113,11 +104,7 @@ rm -rf $RPM_BUILD_ROOT
libexecdir=$RPM_BUILD_ROOT/usr/lib/squid
#install -m 4750 src/pinger $RPM_BUILD_ROOT/usr/lib/squid
install -m 755 auth_modules/PAM/pam_auth $RPM_BUILD_ROOT/usr/lib/squid
install -m 755 auth_modules/LDAP/squid_ldap_auth $RPM_BUILD_ROOT/usr/lib/squid
install -m 755 auth_modules/NCSA/ncsa_auth $RPM_BUILD_ROOT/usr/lib/squid
install -m 755 auth_modules/SMB/smb_auth $RPM_BUILD_ROOT/usr/lib/squid
install -m 755 auth_modules/getpwnam/getpwnam_auth $RPM_BUILD_ROOT/usr/lib/squid
mv $RPM_BUILD_ROOT/usr/sbin/*auth $RPM_BUILD_ROOT/usr/lib/squid
cd errors
rm -rf $RPM_BUILD_ROOT/etc/squid/errors
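Review bot: the retained `install -m 755 auth_modules/PAM/pam_auth $RPM_BUILD_ROOT/usr/lib/squid` line is now redundant with the `mv $RPM_BUILD_ROOT/usr/sbin/*auth $RPM_BUILD_ROOT/usr/lib/squid` that follows it (pam_auth matches the glob), and it relies on the in-tree binary that the now-disabled manual build used to produce; drop it so there is a single path by which helpers reach /usr/lib/squid. The `mv ... *auth` line fails the build if nothing matches, which is a useful guard that the helpers were actually built.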
@ -148,21 +135,17 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%dir /etc/squid
%config(noreplace) /etc/squid/squid.conf
%config(noreplace) /etc/squid/mime.conf
%config(noreplace) /etc/sysconfig/squid
%config /etc/squid/mib.txt
/etc/squid/squid.conf.default
/etc/squid/mime.conf.default
/etc/squid/errors
/usr/lib/squid/errors
/usr/lib/squid/icons
/usr/lib/squid/dnsserver
/usr/lib/squid/unlinkd
/usr/lib/squid/*_auth
#%attr(4750,root,squid) /usr/lib/squid/pinger
/usr/lib/squid
/usr/sbin/squid
/usr/sbin/client
/usr/lib/squid/cachemgr.cgi
%config /etc/rc.d/init.d/squid
%config /etc/logrotate.d/squid
%doc faq/* README ChangeLog QUICKSTART doc/*
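Review bot: packaging `/usr/lib/squid` as a whole directory while still listing `/usr/lib/squid/cachemgr.cgi` explicitly produces a duplicate-file warning and, more importantly, ships whatever the build drops into that directory without review. Keep the explicit list instead (`*_auth`, `dnsserver`, `unlinkd`, `diskd`, `cachemgr.cgi`), so that an unexpected binary, in particular a setuid `pinger` if `--enable-icmp` is ever turned on, cannot be packaged unnoticed. The move of the error pages from `/usr/lib/squid/errors` to `/etc/squid/errors` is a visible path change and deserves a changelog line.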
@ -262,19 +245,37 @@ fi
%preun
if [ $1 = 0 ] ; then
service squid stop >/dev/null 2>&1
rm -f /var/log/squid/*
/sbin/chkconfig --del squid
service squid stop >/dev/null 2>&1
fi
%postun
if [ $1 = 0 ] ; then
userdel squid
fi
if [ "$1" -ge "1" ] ; then
service squid condrestart >/dev/null 2>&1
fi
%changelog
* Mon Sep 24 2001 Bill Nottingham <notting@redhat.com>
- add patches to fix SNMP assertion, FTP crash
* Mon Jul 23 2001 Bill Nottingham <notting@redhat.com>
- add some buildprereqs (#49705)
* Sun Jul 22 2001 Bill Nottingham <notting@redhat.com>
- update FAQ
* Tue Jul 17 2001 Bill Nottingham <notting@redhat.com>
- own /etc/squid, /usr/lib/squid
* Tue Jun 12 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
- s/Copyright:/License:/
* Tue Apr 24 2001 Bill Nottingham <notting@redhat.com>
- update to 2.4.STABLE1 + patches
- enable some more configure options (#24981)
- oops, ship /etc/sysconfig/squid
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
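Review bot: every changelog entry added here is dated before the entry being removed (Mon Sep 24 2001, "add patches to fix SNMP assertion, FTP crash"), so this import replaces a newer 2.3 spec with an older 2.4 one and drops the record of those two fixes; confirm the SNMP assertion and FTP crash fixes are in 2.4.STABLE1 (or carried by the new patch set) and say so in the changelog. Separately, `%postun` now runs `userdel squid` on removal while /var/log/squid and the cache directories are left in place (removing `rm -f /var/log/squid/*` from `%preun` is the right call, since logs are evidence), so those trees stay owned by a UID that is no longer allocated and may be reused by the next account created; either leave the account in place or reassign the leftover files to root before deleting it.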