From d0eb5932697fed6016441573b3480648e04dcf47 Mon Sep 17 00:00:00 2001 
From: cvsdist
Date: Thu, 9 Sep 2004 12:36:20 +0000
Subject: [PATCH] auto-import changelog data from squid-2.3.STABLE4-9.7.src.rpm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thu Jul 12 2001 Bill Nottingham
- build for 7.0 (security fix in accel_only_access patch)

Fri Mar 02 2001 Nalin Dahyabhai
- rebuild in new environment

Tue Feb 06 2001 Trond Eivind Glomsrød
- improve i18n
- make the initscript use the standard OK/FAILED

Tue Jan 23 2001 Bill Nottingham
- change i18n mechanism

Fri Jan 19 2001 Bill Nottingham
- fix path references in QUICKSTART (#15114)
- fix initscript translations (#24086)
- fix shutdown logic (#24234), patch from
- add /etc/sysconfig/squid for daemon options & shutdown timeouts
- three more bugfixes from the Squid people
- update FAQ.sgml
- build and ship auth modules (#23611)

Thu Jan 11 2001 Bill Nottingham
- initscripts translations

Mon Jan 08 2001 Bill Nottingham
- add patch to use mkstemp (greg@wirex.com)

Fri Dec 01 2000 Bill Nottingham
- rebuild because of broken fileutils

Sat Nov 11 2000 Bill Nottingham
- fix the acl matching cases (only need the second patch)

Tue Nov 07 2000 Bill Nottingham
- add two patches to fix domain ACLs
- add 2 bugfix patches from the squid people
---
 FAQ.sgml        | 791 +++++++++++++++++++++++++++++++++++-------------
 squid.init      |  41 ++-
 squid.spec      |  88 +++++-
 squid.sysconfig |   8 +
 4 files changed, 705 insertions(+), 223 deletions(-)
 create mode 100644 squid.sysconfig

diff --git a/FAQ.sgml b/FAQ.sgml
index d31e450..7fefc87 100644
--- a/FAQ.sgml
+++ b/FAQ.sgml
@@ -2,15 +2,23 @@
+ SQUID Frequently Asked Questions -Duane Wessels, © 2001 Duane Wessels, Frequently Asked Questions (with answers!) about the Squid Internet Object Cache software. + +

+You can download the FAQ as +, and +. +

+ About Squid, this FAQ, and other Squid information resources @@ -241,12 +249,34 @@ Yeah, its extremely incomplete. I assure you this is the most recent version. -Does Squid support SSL? +Does Squid support SSL/HTTPS/TLS?

-Squid can proxy SSL requests. By default, Squid will forward all -SSL requests directly to their origin servers. In firewall configurations, -Squid will forward all SSL requests to one other proxy, defined with -the +Normally, when your browser comes across an +The browser opens an SSL connection directly to the origin +server. +The browser tunnels the request through Squid with the + +

+The +and (expired). +

+Squid can not (yet) encrypt or decrypt such connections, however. +Some folks are working on a patch, using OpenSSL, that allows Squid to do this. + What's the legal status of Squid?

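Review bot: The rewritten SSL answer in this hunk drops the one operational detail the old text carried. The removed lines said that in firewall configurations Squid forwards all SSL requests to one other proxy defined by a directive; the new text only covers the browser opening the connection directly or tunnelling through Squid with CONNECT, so a reader behind a firewall no longer learns how CONNECT requests reach the parent. Keep a sentence on that, with the directive name, next to "Squid can not (yet) encrypt or decrypt such connections, however."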
@@ -314,114 +344,9 @@ Year bug">. This is not strictly a Year-2000 bug; it would happen on the first Can I pay someone for Squid support?

-Yep. The following companies will support Squid for you: +Yep. Please see the . - - - -We provide commercial Squid support; we -frequently deploy squids in caching proxy, transparent caching -proxy, httpd accelerator, and hierarchical modes, for a wide variety -of corporate and public sector clients, including members of the -Fortune 500. Inquires can be directed to . - - -We are supporting the complete SA territory and speak Portuguese, -Spanish, English and German. We are experienced in compiling Squid for -SCO and FreeBSD. We do custom configurations, OS and cache fine tuning, -maintenance and remote adminstration. Also we can help setting your -server into existing hierarchies giving you best performance. Contact -us on or send -some e-mail to our address. - - - provides commercial Squid support. We are specialized in installing -Squid Proxy Systems on Linux machines. Please contact us by sending an -e-mail to . - - - provides a version -of Squid and an accompanying library modified to support push as well as -the traditional pull. We support our software and traditional Squid. -Contact us at info@pushcache.com. - - - are supporting squid, apache, -linux and other public license software for professional use in germany. -. - - -Plugged In Software provides commercial support for Squid, Apache, -sendmail, Samba, RedHat Linux and other Open Source (TM) software. For -further information, please see or email our . - - - provides -managed firewall solutions and support for Squid proxies running -under linux based firewalls. For further information, contact: - -Garry Thorpe -Chief Engineer -NEC Australia -Ph +61 2 6250 8749 -Email: garry.thorpe@nec.com.au - - - -Linux Manages! also provides support for squid caches on Linux. We do -installations, maintenance, linking squids into existing hierarchies, -remote support and tuning of the cache to the customer's needs. -Contact address is linux@thing.at. 
- - -We provide commercial support for Squid, SCO UNIX, Cisco, Apache, -Sendmail and RedHat Linux . Specially Squid and Linux based Transparent -Caches. We also build and provide support for LANs. For further -information, please email us at: wizards@brain.net.pk - - -ATRC provides commercial squid support on Linux in Pakistan -Our web address is: and . -Email : knehal@bigfoot.com - - - -We provide commercial support for Squid, SCO UNIX, Cisco, Apache, Sendmail and -any kind of Linux. Find us at: E-mail us at: info@edpweb.com. - - -, located -in Cambridge, Ontario, Canada. - - -Snerpa provides commercial Squid Support since 1995. We specialize -in Linux solutions and we provide the Web content control database for Squid. You can -contact us at . - - - - -

-If you know someone who takes money for supporting Squid, let us know and -we will add their information here. Squid FAQ contributors

@@ -530,10 +455,7 @@ This document is copyrighted (2000) by Duane Wessels.

This document was written in SGML and converted with the . This document is available in -, -, and -. + name="SGML-Tools package">. Want to contribute? Please write in SGML... @@ -624,6 +546,11 @@ available at In addition to gcc, you may also want or need to install the What else do I need to compile Squid? +

+You will need installed +on your system. + Do you have pre-compiled binaries available? @@ -1710,7 +1637,7 @@ The following settings are important: icp_port 0 cache_host localhost.home.nl parent 8080 0 default - acl HOME dstdomain home.nl + acl HOME dstdomain .home.nl never_direct deny HOME This tells Squid to use the parent for all domains other than +Can I make Squid go direct for some sites? +

+Sure, just use the +For example, if you want Squid to connect directly to +acl hotmail dstdomain .hotmail.com +always_direct allow hotmail + + @@ -3673,8 +3611,10 @@ that matching requests are NOT CACHED, in addition to being fetched directly. How can I delete and recreate a cache directory?

-Deleting an existing cache directory is easy to do. Unfortunately, -it may require a brief interruption of service. +Deleting an existing cache directory is not too difficult. Unfortunately, +you can't simply change squid.conf and then reconfigure. You can't +stop using a cache_dir while Squid is running. Also note +that Squid requires at least one cache_dir to run. @@ -3682,14 +3622,30 @@ Edit your -You can not delete a cache directory from a running Squid process. -Thus, you can not simply reconfigure squid. You must +If you don't have any cache_dir lines in your squid.conf, +then Squid was using the default. You'll need to add a new +cache_dir line because Squid will continue to use +the default otherwise. You can add a small, temporary directory, fo +example: + +/usr/local/squid/cachetmp .... + +If you add a new cache_dir you have to run squid -z +to initialize that directory. + + +Remeber that +you can not delete a cache directory from a running Squid process; +you can not simply reconfigure squid. You must shutdown Squid: squid -k shutdown -Once Squid exits, you may immediately start it up again. If you +Once Squid exits, you may immediately start it up again. Since you +deleted the old cache_dir from squid.conf, Squid won't +try to access that directory. +If you use the RunCache script, Squid should start up again automatically. Now Squid is no longer using the cache directory that you removed @@ -3698,12 +3654,13 @@ information with the cache manager. From the command line, type: client mgr:storedir - -

+ Now that Squid is not using the cache directory, you can +

The procedure is similar to recreate the directory. @@ -4874,6 +4831,182 @@ reasons: Access Controls

+Squid's access control scheme is relatively comprehensive and difficult +for some people to understand. There are two different components: ACL elements +

+Note: The information here is current for version 2.4. +

+Squid knows about the following types of ACL elements: + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+Notes: + +

+Not all of the ACL elements can be used with all types of access lists (described below). +For example, +The +The SNMP ACL element and access list require the --enable-snmp configure option. + +

+Some ACL elements can cause processing delays. For example, use of +Each ACL element is assigned a unique +You can't give the same name to two different types of ACL elements. It will generate a syntax error. + +

+You can put different values for the same ACL name on different lines. Squid combines them into +one list. + +Access Lists +

+There are a number of different access lists: + + + + + + + + + + + + + + +

+Notes: + +

+An access list +An access list consists of one or more access list rules. + +

+Access list rules are checked in the order they are written. List searching terminates as soon as one +of the rules is a match. + +

+If a rule has multiple ACL elements, it uses AND logic. In other +words, +If none of the rules are matched, then the default action is the + + acl all src 0/0 + http_access deny all + + + +How do allow my clients to use the cache? +

+Define an ACL that corresponds to your client's IP addresses. +For example: + + acl myclients src 172.16.5.0/24 + +Next, allow those clients in the + http_access allow myclients + + +how do I configure Squid not to cache a specific server? +

+ + acl someserver dstdomain .someserver.com + no_cache deny someserver + + + How do I implement an ACL ban list?

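Review bot: The "How do allow my clients to use the cache?" example in this hunk ends with a bare `http_access allow myclients` and relies on the rule stated a few lines earlier, that when none of the rules match the default is the opposite of the last rule. That holds only until someone appends another rule: adding `http_access deny somebody` after it flips the implicit default to allow for every other source, which is how a cache becomes an open proxy. Close the example with the `acl all src 0/0` / `http_access deny all` pair this same hunk already shows under the default-action note, and state that the last http_access rule should always be a deny all. Minor: the heading is missing a word ("How do I allow"), and "how do I configure Squid not to cache a specific server?" should be capitalised like the other questions.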
@@ -5171,7 +5304,7 @@ the neighbor ACL's first in the list of - + Snerpa, an ISP in Iceland operates a DNS-database of @@ -5342,6 +5475,47 @@ http_access allow M2 http_access deny all +Debugging ACLs +

+If ACLs are giving you problems and you don't know why they +aren't working, you can use this tip to debug them. +

+In squid.conf enable debugging for section 32 at level 2. +For example: + +debug_options ALL,1 32,2 + +The restart or reconfigure squid. +

+From now on, your Can I limit the number of connections from a client? +

+Yes, use the +acl losers src 1.2.3.0/24 +acl 5CONN maxconn 5 +http_access deny 5CONN losers + +

+Given the above configuration, when a client whose source IP address +is in the 1.2.3.0/24 subnet tries to establish 6 or more connections +at once, Squid returns an error page. Unless you use the + +Note, the +Also note that you could use Troubleshooting @@ -5357,7 +5531,7 @@ HTTP requests and forward them to a HTTP server, but it will not honor proxy requests. If you want your cache to also accept proxy-HTTP requests then you must enable this feature: - http_accel_with_proxy on + httpd_accel_with_proxy on Alternately, you may have misconfigured one of your ACLs. Check the Linux

-Start with Dancer's , but realize that -this information is specific to the Linux 2.0.36 kernel. +Dancer has a , but +this information seems specific to the Linux 2.0.36 kernel. + +

+Henrik has a page.

You also might want to @@ -5670,6 +5847,11 @@ this restriction, returning an error for any host with underscore in the hostname. The best solution is to complain to the hostmaster of the offending site, and ask them to rename their host. +

+See also the +. +

Some people have noticed that @@ -5832,23 +6014,42 @@ section 2 of your Unix manual for a list of all error codes. These are caused by misbehaving Web clients attempting to use persistent connections. Squid-1.1 does not support persistent connections. -How come Squid doesn't work with NTLM Authorization. +Does Squid work with NTLM Authentication?

-We are not sure. We were unable to find any detailed information -on NTLM (thanks Microsoft!), but here is our best guess: + will +support Microsoft NTLM authentication. However, there are some +limits on our support: We cannot proxy connections to a origin +server that use NTLM authentication, but we can act as a web +accelerator or proxy server and authenticate the client connection +using NTLM. + +

+We support NT4, Samba, and Windows 2000 Domain Controllers. For +more information get squid 2.5 and run ./configure --help. + +

+Why we cannot proxy NTLM even though we can use it. +Quoting from summary at the end of the browser authentication section in +: + +In summary, Basic authentication does not require an implicit end-to-end +state, and can therefore be used through a proxy server. Windows NT +Challenge/Response authentication requires implicit end-to-end state and +will not work through a proxy server. +

Squid transparently passes the NTLM request and response headers between -clients and servers. The encrypted challenge and response strings most likely -encode the IP address of the client. Because the proxy is passing these -strings and is connected with a different IP address, the authentication -scheme breaks down. -This implies that if NTLM authentication works at all with proxy caches, the proxy -would need to intercept the NTLM headers and process them itself. - -

-Henrik Nordstrom adds the following information about NTLM: +clients and servers. NTLM relies on a single end-end connection (possibly +with men-in-the-middle, but a single connection every step of the way. This +implies that for NTLM authentication to work at all with proxy caches, the +proxy would need to tightly link the client-proxy and proxy-server links, as +well as understand the state of the link at any one time. NTLM through a +CONNECT might work, but we as far as we know that hasn't been implemented +by anyone, and it would prevent the pages being cached - removing the value +of the proxy.

NTLM authentication is carried entirely inside the HTTP protocol, but is @@ -5856,15 +6057,15 @@ different from Basic authentication in many ways. -It is dependent on the IP addresses of both the server and the -client, and thus cannot be proxied by a application level proxy (not -even Microsoft Proxy server). +It is dependent on a stateful end-to-end connection which collides with +RFC 2616 for proxy-servers to disjoin the client-proxy and proxy-server +connections. -It is only taking place once per connection, not per request. Once -the connection is authenticated then all future requests on the same -connection inherities the authentication. The connection must be -reestablished to set up other authentication. +It is only taking place once per connection, not per request. Once the +connection is authenticated then all future requests on the same connection +inherities the authentication. The connection must be reestablished to set +up other authentication or re-identify the user.

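Review bot: The consequence of the per-connection model should be spelled out in the Squid 2.5 part of this hunk, not only the mechanism. The text says that once a connection is authenticated all further requests on it inherit the authentication, and that 2.5 will authenticate the client connection in proxy or accelerator mode; put together, any device on the client side that multiplexes several users over one persistent connection to Squid (a child proxy, for instance) lets every later request ride on the first user's identity. A sentence of warning belongs next to "The connection must be reestablished to set up other authentication or re-identify the user." Wording in the same hunk: the parenthesis opened in "(possibly with men-in-the-middle, but a single connection every step of the way." is never closed, "but we as far as we know" has a stray "we", and "inherities" should be "inherits".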
@@ -5879,8 +6080,7 @@ The reasons why it is not implemented in Netscape is probably: that it cannot be proxied. There exists an open internet standard which does mostly the same but -without the shortcomings or platform dependencies: Digest -authentication. +without the shortcomings or platform dependencies: . @@ -6687,6 +6887,52 @@ kill -HUP 83619 The reconfigure process creates a new PID file automatically. +FATAL: getgrnam failed to find groupid for effective group 'nogroup' +

+You are probably starting Squid as root. Squid is trying to find +a group-id that doesn't have any special priveleges that it will +run as. The default is /etc/group. There is a good chance that ``Unsupported Request Method and Protocol'' for +Note: The information here is current for version 2.3. +

+This is correct. Squid does not know what to do with an +Normally, when you type an +The browser opens an SSL connection directly to the origin +server. +The browser tunnels the request through Squid with the + +

+The +and (expired). + +Squid uses 100% CPU +

+There may be many causes for this. +

+Andrew Doroshenko reports that removing /dev/null, or +mounting a filesystem with the nodev option, can cause +Squid to use 100% of CPU. His suggested solution is to ``touch /dev/null.'' + + How does Squid work? @@ -7143,15 +7389,15 @@ For Squid-2 the refresh algorithm has been slightly modified to give the - if (CLIENT_MAX_AGE) - if (OBJ_AGE > CLIENT_MAX_AGE) - return STALE if (EXPIRES) { if (EXPIRES <= NOW) return STALE else return FRESH } + if (CLIENT_MAX_AGE) + if (OBJ_AGE > CLIENT_MAX_AGE) + return STALE if (OBJ_AGE > CONF_MAX) return STALE if (OBJ_DATE > OBJ_LASTMOD) { @@ -7532,6 +7778,15 @@ of reasons, including: allows it, Squid sometimes continues to fetch aborted requests from the server-side, without sending any data to the client-side. + + Some range requests, in combination with Squid bugs, can + consume more bandwidth on the server-side than on the + client-side. In a range request, the client is asking for + only some part of the object. Squid may decide to retrieve + the whole object anyway, so that it can be used later on. + This means downloading more from the server than sending + to the client. You can affect this behavior with + the What does ``Disabling use of private keys'' mean? @@ -8246,8 +8501,8 @@ diff -p -u -r1.40 -r1.41 * SUCH DAMAGE. * * @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94 -- * $Id: FAQ.sgml,v 1.1 2004/09/09 12:36:11 cvsdist Exp $ -+ * $Id: FAQ.sgml,v 1.1 2004/09/09 12:36:11 cvsdist Exp $ +- * $Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $ ++ * $Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $ */ #include @@ -8632,6 +8887,34 @@ access errors. You may want to test your redirector program outside of squid with a big input list, taken from your files from the redirector program. +Redirector interface is broken re IDENT values +

+ +I added a redirctor consisting of + + +#! /bin/sh +/usr/bin/tee /tmp/squid.log + + +and many of the redirector requests don't have a username in the +ident field. + + +

+Squid does not delay a request to wait for an ident lookup, +unless you use the ident ACLs. Thus, it is very likely that +the ident was not available at the time of calling the redirector, +but became available by the time the request is complete and +logged to access.log. +

+If you want to block requests waiting for ident lookup, try something +like this: + +acl foo ident REQUIRED +http_access allow foo + + Cache Digests @@ -9345,6 +9628,46 @@ this writing (July 1999.)

Getting transparent caching to work requires four distinct steps: + + + + + +http_port 8080 +httpd_accel_host virtual +httpd_accel_port 80 +httpd_accel_with_proxy on +httpd_accel_uses_host_header on + + + + + - - - - - - - http_port 8080 - httpd_accel_host virtual - httpd_accel_port 80 - httpd_accel_with_proxy on - httpd_accel_uses_host_header on - by

+You need to configure your kernel for ipchains. +Configuring Linux kernels is beyond the scope of +this FAQ. One way to do it is: + + # cd /usr/src/linux + # make menuconfig + +

The following shows important kernel features to include: [*] Network firewalls @@ -10015,10 +10309,44 @@ You must include the IP: always defragment, otherwise it prevents you from using the REDIRECT chain.

-The following script is used to configure ipchains: +You can use this script as a template for your own - #Send all traffic destined to port 80 to squid on port 8081 - /sbin/ipchains -A input -p tcp -s 10.0.3.22/16 -d 0/0 80 -j REDIRECT 8081 + #!/bin/sh + # rc.firewall Linux kernel firewalling rules + # Leon Brooks (leon at brooks dot fdns dot net) + FW=/sbin/ipchains + ADD="$FW -A" + + # Flush rules, for testing purposes + for i in I O F # A # If we enabled accounting too + do + ${FW} -F $i + done + + # Default policies: + ${FW} -P input REJECT # Incoming policy: reject (quick error) + ${FW} -P output ACCEPT # Output policy: accept + ${FW} -P forward DENY # Forwarding policy: deny + + # Input Rules: + + # Loopback-interface (local access, eg, to local nameserver): + ${ADD} input -j ACCEPT -s localhost/32 -d localhost/32 + + # Local Ethernet-interface: + + # Redirect to Squid proxy server: + ${ADD} input -p tcp -d 0/0 80 -j REDIRECT 8080 + + # Accept packets from local network: + ${ADD} input -j ACCEPT -s localnet/8 -d 0/0 -i eth0 + + # Only required for other types of traffic (FTP, Telnet): + + # Forward localnet with masquerading (udp and tcp, no icmp!): + ${ADD} forward -j MASQ -p tcp -s localnet/8 -d 0/0 + ${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0

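Review bot: Two problems in the rc.firewall template added in this hunk. First, the last line uses `-P udp` where the line above it uses `-p tcp`; in ipchains `-P` sets a chain policy, as the script's own `${FW} -P input REJECT` lines show, so that line is not a protocol match and ipchains will reject it rather than masquerade UDP. Second, the redirect rule `${ADD} input -p tcp -d 0/0 80 -j REDIRECT 8080` carries no `-s` or `-i` restriction, unlike the `-s 10.0.3.22/16` rule it replaces and the `-s localnet/8 -d 0/0 -i eth0` accept rule right after it, so port-80 traffic arriving on any interface, the outside one included, is handed to Squid. Add `-s localnet/8 -i eth0` to the redirect line, and say in the text that localnet/8 is a placeholder the reader must replace with their own prefix.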
@@ -10123,9 +10451,8 @@ Contributors: and

CISCO's Web Cache Coordination Protocol V1.0 is supported in squid -2.3 and later. Due to licencing requirements squid is not able to -support WCCP V2.0. If CISCO chooses to open WCCP V2 and relax the -licensing terms, Squid may be able to support it in the future. +2.3 and later. support WCCP V2.0. Now that WCCP V2 is an open protocol, +Squid may be able to support it in the future. Configuring your Router @@ -10181,6 +10508,19 @@ and +IOS 12.3 problems +

+Some people report problems with WCCP and IOS 12.3. They see +truncated or fragmented GRE packets arriving at the cache. Apparently +it works if you disable Cisco Express Forwarding for the interface: + +conf t +ip cep # some systems may need 'ip cep global' +int Ethernet0/0 +no ip route-cache cef +CTRL Z + + Configuring FreeBSD

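Review bot: The global command in this hunk's IOS snippet looks mistyped: Cisco Express Forwarding is configured with `ip cef` (the interface line below it correctly reads `no ip route-cache cef`), not `ip cep`, and the comment's `ip cep global` has the same problem. The prose also says the workaround is to "disable Cisco Express Forwarding for the interface", yet the snippet first turns CEF on globally and then disables it only on Ethernet0/0; say that the global line keeps CEF on for the other interfaces and that `no ip route-cache cef` on the WCCP-facing interface is the actual fix.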
@@ -10212,6 +10552,10 @@ Once your kernel is installed you will need to Configuring Linux 2.2 +

+Al Blake has written a . +

There are currently two methods for supporting WCCP with Linux 2.2. A specific purpose module. Or the standard Linux GRE tunneling @@ -10300,6 +10644,13 @@ IOS releases: 12.0(anything) or later +What about WCCPv2? +

+Cisco has published WCCPv2 as an (expires Jan 2001). +At this point, Squid does not support WCCPv2, but anyone +is welcome to code it up and contribute to the Squid project. + Transparent caching with Foundry L4 switches

by . @@ -10550,8 +10901,11 @@ We use .

-To get instruction on using MRTG with Squid please visit the -. +To get instruction on using MRTG with Squid please visit these pages: + + + + Where can I get more information/discussion about Squid and SNMP? @@ -11648,7 +12002,7 @@ You do it in /etc/system with lines like this: set msgsys:msginfo_msgmax=2049 set msgsys:msginfo_msgmnb=8192 set msgsys:msginfo_msgmni=31 -set msgsys:msginfo_msgsz=64 +set msgsys:msginfo_msgssz=64 set msgsys:msginfo_msgtql=1024

@@ -11760,14 +12114,39 @@ set shmsys:shminfo_shmseg=16 Sometimes shared memory and message queues aren't released when Squid exits. -

-Insert this command into your ipcs | grep '^[mq]' | awk '{printf "ipcrm -%s %s\n", $1, $2}' | /bin/sh +What are the Q1 and Q2 parameters? +

+In the source code, these are called +cache_dir diskd -1 /cache1 1024 16 256 64 72 + +

+If there are more than Q1 messages outstanding, then the main Squid +process ``blocks'' for a little bit until the diskd process services +some of the messages and sends back some replies. +

+If there are more than Q2 messages outstanding, then Squid will +intentionally fail to open disk files for reading and writing. +This is a load-shedding mechanism. If your cache gets really really +busy and the disks can not keep up, Squid bypasses the disks until +the load goes down again. +

+Reasonable values for Q1 and Q2 are 64 and 72, respectively. + Authentication @@ -11876,7 +12255,7 @@ You can control the expiration time with the Are passwords stored in clear text or ecrypted? +Are passwords stored in clear text or encrypted?

Squid stores cleartext passwords in itsmemory cache.

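Review bot: This hunk corrects "ecrypted" in the question heading but leaves "itsmemory" in the answer directly below it ("Squid stores cleartext passwords in itsmemory cache."); fix both in the same pass. Since that one sentence is the security-relevant answer of the section, it would also help to tie it to the expiration setting mentioned in the context line above ("You can control the expiration time with the"), so the reader knows the cleartext copy lives only as long as the cache entry.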
@@ -11916,7 +12295,7 @@ name="A Tao of Regular Expressions"> and name="Newbie's page">. -$Id: FAQ.sgml,v 1.1 2004/09/09 12:36:11 cvsdist Exp $ +$Id: FAQ.sgml,v 1.2 2004/09/09 12:36:20 cvsdist Exp $
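Review bot: In the hunk at @@ -8632,6 +8887,34 @@ (the "Redirector interface is broken re IDENT values" entry; extraction has run it together with the neighbouring hunks, so this note sits at the end of the patch), the suggested rule does more than the sentence before it promises. "Block requests waiting for ident lookup" reads as "hold the request until the lookup completes", but the example `acl foo ident REQUIRED` followed by `http_access allow foo` also grants access to every request that carries an ident, and if it is placed ahead of the real rules it short-circuits them for any client that answers ident. Show `http_access deny !foo` at the top of the http_access list instead: it still forces the lookup, denies requests with no ident, and leaves the access decision to the rules that follow.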
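Review bot: In the hunk at @@ -11760,14 +12114,39 @@ (run together with its neighbours by extraction, so this note is at the end of the patch), the cleanup pipeline `ipcs | grep '^[mq]' | awk '{printf "ipcrm -%s %s\n", $1, $2}' | /bin/sh` removes every shared memory segment and message queue the caller is permitted to delete, not only Squid's; pasted into a start script that runs as root it will take out other services' IPC objects on the host. Filter on the owner column (the cache_effective_user) before feeding ipcrm, or run the pipeline as that user, and say so in the text.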
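Review bot: The rewritten WCCP paragraph in the hunk at @@ -10123,9 +10451,8 @@ (run together with neighbouring hunks by extraction, so this note is at the end of the patch) is left with a dangling fragment: in "2.3 and later. support WCCP V2.0. Now that WCCP V2 is an open protocol," the words "support WCCP V2.0." are a leftover from the deleted sentence and the result no longer parses. It should read "...2.3 and later. Now that WCCP V2 is an open protocol, Squid may be able to support it in the future."; and since the later hunk adds a separate "What about WCCPv2?" entry saying the same thing, one of the two could simply point at the other.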