auto-import changelog data from squid-2.4.STABLE3-1.7.2.src.rpm

Mon Feb 18 2002 Bill Nottingham <notting@redhat.com>
- 2.4.STABLE3 + patches
- turn off HTCP at request of maintainers
- leave SNMP enabled in the build, but disabled in the default config
Fri Jan 25 2002 Tim Powers <timp@redhat.com>
- rebuild against new libssl
Wed Jan 09 2002 Tim Powers <timp@redhat.com>
- automated rebuild
Mon Jan 07 2002 Florian La Roche <Florian.LaRoche@redhat.de>
- require linuxdoc-tools instead of sgml-tools
Tue Sep 25 2001 Bill Nottingham <notting@redhat.com>
- update to 2.4.STABLE2
This commit is contained in:
cvsdist 2004-09-09 12:37:50 +00:00
parent f078d2f692
commit f4c5442577
4 changed files with 289 additions and 129 deletions

View File

@ -1 +1 @@
squid-2.4.STABLE1-src.tar.gz squid-2.4.STABLE3-src.tar.gz

365
FAQ.sgml
View File

@ -237,7 +237,7 @@ gives information on our operational mesh of caches.
<url url="http://www.squid-cache.org/Doc/FAQ/" name="The Squid FAQ"> (uh, you're reading it). <url url="http://www.squid-cache.org/Doc/FAQ/" name="The Squid FAQ"> (uh, you're reading it).
<item> <item>
<url url="http://cache.is.co.za" name="Oskar's Squid Users Guide">. <url url="http://squid-docs.sourceforge.net/latest/html/book1.htm" name="Oskar's Squid Users Guide">.
<item> <item>
<url url="http://www.ircache.net/Cache/FAQ/" name="The Information Resource Caching FAQ"> <url url="http://www.ircache.net/Cache/FAQ/" name="The Information Resource Caching FAQ">
@ -417,7 +417,7 @@ The following people have made contributions to this document:
<item> <item>
<url url="mailto:nazard@man-assoc.on.ca" name="Doug Nazar"> <url url="mailto:nazard@man-assoc.on.ca" name="Doug Nazar">
<item> <item>
<url url="mailto:hno@hem.passagen.se" name="Henrik Nordstrom"> <url url="mailto:hno@squid-cache.org" name="Henrik Nordstrom">
<item> <item>
<url url="mailto:mark@rts.com.au" name="Mark Reynolds"> <url url="mailto:mark@rts.com.au" name="Mark Reynolds">
<item> <item>
@ -1864,7 +1864,7 @@ You can use the <em/no_cache/ access list to make Squid never cache any response
<p> <p>
With Squid-2.4 and later you can use the ``null'' storage module: With Squid-2.4 and later you can use the ``null'' storage module:
<verb> <verb>
cache_dir null -1 1000 cache_dir null /null
</verb> </verb>
<sect1>Can I prevent users from downloading large files? <sect1>Can I prevent users from downloading large files?
@ -2023,7 +2023,7 @@ for each user. For example:
gopher_proxy:http://mycache.example.com:3128/ gopher_proxy:http://mycache.example.com:3128/
</verb> </verb>
<sect1>Redundant Auto-Proxy-Configuration <sect1>Redundant Proxy Auto-Configuration
<P> <P>
There's one nasty side-effect to using auto-proxy scripts: if you start There's one nasty side-effect to using auto-proxy scripts: if you start
@ -2089,6 +2089,13 @@ DHCP.
name="Rodney van den Oever"> name="Rodney van den Oever">
</quote> </quote>
<sect1>Proxy Auto-Configuration with URL Hashing
<p>
The
<url url="http://naragw.sharp.co.jp/sps/" name="Sharp Super Proxy Script page">
contains a lot of good information about hash-based proxy auto-configuration
scripts. With these you can distribute the load between a number
of caching proxies.
<sect1>Microsoft Internet Explorer configuration <sect1>Microsoft Internet Explorer configuration
<P> <P>
@ -3473,10 +3480,10 @@ Squid does not allow
you to purge objects unless it is configured with access controls you to purge objects unless it is configured with access controls
in <em/squid.conf/. First you must add something like in <em/squid.conf/. First you must add something like
<verb> <verb>
acl PURGE method purge acl PURGE method PURGE
acl localhost src 127.0.0.1 acl localhost src 127.0.0.1
http_access allow purge localhost http_access allow PURGE localhost
http_access deny purge http_access deny PURGE
</verb> </verb>
The above only allows purge requests which come from the local host and The above only allows purge requests which come from the local host and
denies all other purge requests. denies all other purge requests.
@ -4020,7 +4027,7 @@ represents the maximum size your Squid process has reached.
<label id="malloc-death"> <label id="malloc-death">
<P> <P>
by <url url="mailto:hno@hem.passagen.se" name="Henrik Nordstrom"> by <url url="mailto:hno@squid-cache.org" name="Henrik Nordstrom">
<P> <P>
Messages like "FATAL: xcalloc: Unable to allocate 4096 blocks of 1 bytes!" Messages like "FATAL: xcalloc: Unable to allocate 4096 blocks of 1 bytes!"
@ -5296,16 +5303,35 @@ the client's IP address. The <em/src/ ACL is preferred over <em/srcdomain/
because it does not require address-to-name lookups for each request. because it does not require address-to-name lookups for each request.
<sect1>I set up my access controls, but they don't work! why? <sect1>I set up my access controls, but they don't work! why?<label id="acl-debug">
<P> <p>
You can debug your access control configuration by setting the If ACLs are giving you problems and you don't know why they
<em/debug_options/ parameter in <em/squid.conf/ and aren't working, you can use this tip to debug them.
watching <em/cache.log/ as requests are made. The access control <p>
routes correspond to debug section 28, so you might enter: In <em>squid.conf</em> enable debugging for section 33 at level 2.
For example:
<verb> <verb>
debug_options ALL,1 28,9 debug_options ALL,1 33,2
</verb> </verb>
Then restart or reconfigure squid.
<p>
From now on, your <em/cache.log/ should contain a line for every
request that explains if it was allowed, or denied, and which
ACL was the last one that it matched.
<p>
If this does not give you sufficient information to nail down the
problem you can also enable detailed debug information on ACL processing
<verb>
debug_options ALL,1 33,2 28,9
</verb>
Then restart or reconfigure squid as above.
<p>
From now on, your <em/cache.log/ should contain detailed traces
of all access list processing. Be warned that this can be quite
some lines per request.
<p>See also <ref id="debug" name="11.20 Debug Squid">
<sect1>Proxy-authentication and neighbor caches <sect1>Proxy-authentication and neighbor caches
<P> <P>
@ -5546,20 +5572,9 @@ http_access deny all
</verb> </verb>
<sect1>Debugging ACLs <sect1>Debugging ACLs
<p> <p>
If ACLs are giving you problems and you don't know why they See <ref id="acl-debug" name="1.9 I set up my access controls, but they don't work! why?"> and <ref id="debug" name="11.20 Debugging Squid">.
aren't working, you can use this tip to debug them.
<p>
In <em>squid.conf</em> enable debugging for section 32 at level 2.
For example:
<verb>
debug_options ALL,1 32,2
</verb>
The restart or reconfigure squid.
<p>
From now on, your <em/cache.log/ should contain a line for every
request that explains if it was allowed, or denied, and which
ACL was the last one that it matched.
<sect1>Can I limit the number of connections from a client? <sect1>Can I limit the number of connections from a client?
<p> <p>
@ -5601,12 +5616,6 @@ you should write
acl yuck dstdomain .foo.com acl yuck dstdomain .foo.com
http_access deny yuck http_access deny yuck
</verb> </verb>
To be safe, you probably want to list both forms in your
access lists, for example:
<verb>
acl yuck dstdomain .foo.com foo.com
http_access deny yuck
</verb>
<sect1>I want to customize, or make my own error messages. <sect1>I want to customize, or make my own error messages.
<p> <p>
@ -5926,7 +5935,7 @@ If the peer is multihomed, it is sending packets out an interface
which is not advertised in the DNS. Unfortunately, this is a which is not advertised in the DNS. Unfortunately, this is a
configuration problem at the peer site. You can tell them to either configuration problem at the peer site. You can tell them to either
add the IP address interface to their DNS, or use Squid's add the IP address interface to their DNS, or use Squid's
'udp_outgoing_address' option to force the replies "udp_outgoing_address" option to force the replies
out a specific interface. For example: out a specific interface. For example:
<P> <P>
<em/on your parent squid.conf:/ <em/on your parent squid.conf:/
@ -6314,6 +6323,13 @@ due to one of the following reasons:
<item> <item>
Resource Limits. The shell has limits on the size of a coredump Resource Limits. The shell has limits on the size of a coredump
file. You may need to increase the limit. file. You may need to increase the limit.
<item>
sysctl options. On FreeBSD, you won't get a coredump from
programs that call setuid() and/or setgid() (like Squid sometimes does)
unless you enable this option:
<verb>
# sysctl -w kern.sugid_coredump=1
</verb>
<item> <item>
No debugging symbols. No debugging symbols.
The Squid binary must have debugging symbols in order to get The Squid binary must have debugging symbols in order to get
@ -6435,7 +6451,50 @@ If possible, you might keep the coredump file around for a day or
two. It is often helpful if we can ask you to send additional two. It is often helpful if we can ask you to send additional
debugger output, such as the contents of some variables. debugger output, such as the contents of some variables.
<sect1>Debugging Squid <P>If you CANNOT get Squid to leave a core file for you then one of
the following approaches can be used<label ID="nocore">
<P>First alternative is to start Squid under the contol of GDB
<verb>
% gdb /path/to/squid
handle SIGPIPE pass nostop noprint
run -DNYCd3
[wait for crash]
backtrace
quit
</verb>
<P>The drawback from the above is that it isn't really suitable to run on a
production system as Squid then won't restart automatically if it
crashes. The good news is that it is fully possible to automate the
process above to automatically get the stack trace and then restart
Squid. Here is a short automated script that should work:
<verb>
#!/bin/sh
trap "rm -f $$.gdb" 0
cat <<EOF >$$.gdb
handle SIGPIPE pass nostop noprint
run -DNYCd3
backtrace
quit
EOF
while sleep 2; do
gdb -x $$.gdb /path/to/squid 2>&1 | tee -a squid.out
done
</verb>
<P>Other options if the above cannot be done is to:
<P>a) Build Squid with the --enable-stacktraces option, if support exists for your OS (exists for Linux glibc on Intel, and Solaris with some extra libraries..)
<P>b) Run Squid using the "catchsegv" tool. (Linux glibc Intel)
<P>but these approaches does not by far provide as much details as using
gdb.
<sect1>Debugging Squid<label id="debug">
<P> <P>
If you believe you have found a non-fatal bug (such as incorrect HTTP If you believe you have found a non-fatal bug (such as incorrect HTTP
@ -6677,7 +6736,7 @@ A forwarding loop is when a request passes through one proxy more than
once. You can get a forwarding loop if once. You can get a forwarding loop if
<itemize> <itemize>
<item>a cache forwards requests to itself. This might happen with <item>a cache forwards requests to itself. This might happen with
transparent caching (or server acceleration) configurations. interception caching (or server acceleration) configurations.
<item>a pair or group of caches forward requests to each other. This can <item>a pair or group of caches forward requests to each other. This can
happen when Squid uses ICP, Cache Digests, or the ICMP RTT database happen when Squid uses ICP, Cache Digests, or the ICMP RTT database
to select a next-hop cache. to select a next-hop cache.
@ -6949,7 +7008,7 @@ than a proper close.
You probably don't need to worry about them, unless you receive You probably don't need to worry about them, unless you receive
a lot of user complaints relating to SSL sites. a lot of user complaints relating to SSL sites.
<p> <p>
<url url="raj at cup dot hp dot com" name="Rick Jones"> notes that <url url="mailto:raj at cup dot hp dot com" name="Rick Jones"> notes that
if the server is running a Microsoft TCP stack, clients if the server is running a Microsoft TCP stack, clients
receive RST segments whenever the listen queue overflows. In other words, receive RST segments whenever the listen queue overflows. In other words,
if the server is really busy, new connections receive the reset message. if the server is really busy, new connections receive the reset message.
@ -7061,12 +7120,10 @@ Mikael Andersson reports that clicking on Webmin's <em/cachemgr.cgi/
link creates numerous instances of <em/cachemgr.cgi/ that quickly link creates numerous instances of <em/cachemgr.cgi/ that quickly
consume all available memory and brings the system to its knees. consume all available memory and brings the system to its knees.
<p> <p>
Changing the path to use Squid's own <em/cachemgr.cgi/ fixes Joe Cooper reports this to be caused by SSL problems in some browsers
this problem. You can change the path by logging into the (mainly Netscape 6.x/Mozilla) if your Webmin is SSL enabled. Try with
Webmin GUI, select <em/Servers/ then <em/Squid Proxy Cache/. another browser such as Netscape 4.x or Microsoft IE, or disable SSL
Next select <em/Module Config/. From here you'll be encryption in Webmin.
able to enter the pathname to the <em/cachemgr.cgi/ that came
with Squid.
<sect1>Segment Violation at startup or upon first request <sect1>Segment Violation at startup or upon first request
@ -7121,6 +7178,29 @@ only use the proxy.pac. Cydoor aps will use both and will generate the errors.
Disabling the old proxy settings in IE is not enought, you should delete Disabling the old proxy settings in IE is not enought, you should delete
them completely and only use the proxy.pac for example. them completely and only use the proxy.pac for example.
<sect1>Requests for international domain names does not work
<p>
By Henrik Nordström
<p>
Some people have asked why requests for domain names using national
symbols as "supported" by the certain domain registrars does not work
in Squid. This is because there as of yet is no standard on how to
manage national characters in the current Internet protocols such
as HTTP or DNS. The current Internet standards is very strict
on what is an acceptable hostname and only accepts A-Z a-z 0-9 and -
in Internet hostname labels. Anything outside this is outside
the current Internet standards and will cause interoperability
issues such as the problems seen with such names and Squid.
<p>
When there is a consensus in the DNS and HTTP standardization groups
on how to handle international domain names Squid will be changed to
support this if any changes to Squid will be required.
<p>
If you are interested in the progress of the standardization process
for international domain names please see the <url
url="http://www.ietf.org/html.charters/idn-charter.html" name="IETF idn">
working group or it's <url url="http://www.i-d-n.net/" name="dedicated
page">.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% --> <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
@ -8040,7 +8120,16 @@ some other replacement algorithms by using the <em/--enable-heap-replacement/
configure option. Currently, the heap replacement code supports two configure option. Currently, the heap replacement code supports two
additional algorithms: LFUDA, and GDS. additional algorithms: LFUDA, and GDS.
<p> <p>
The heap replacement code was contributed by John Dilley and others With Squid version 2.4 and later you should use this configure option:
<verb>
./configure --enable-removal-policies=heap
</verb>
<p>
Then, in <em/squid.conf/, you can select different policies with the
<em/cache_replacement_policy/ option. See the <em/squid.conf/ comments
for details.
<p>
The LFUDA and GDS replacement code was contributed by John Dilley and others
from Hewlett-Packard. Their work is described in these papers: from Hewlett-Packard. Their work is described in these papers:
<enum> <enum>
<item> <item>
@ -8174,7 +8263,7 @@ the <em/bind()/ system call fails. Squid handles this as a failed
ident lookup. ident lookup.
<p> <p>
<it> <it>
So why bind in that way? If you know you are transparent proxying, then why So why bind in that way? If you know you are interception proxying, then why
not bind the local endpoint to the host's (intranet) IP address? Why make not bind the local endpoint to the host's (intranet) IP address? Why make
the masses suffer needlessly? the masses suffer needlessly?
</it> </it>
@ -8631,7 +8720,7 @@ for more than 4 hours.
<P> <P>
Because the problem appears to be with IPFilter I would guess that you Because the problem appears to be with IPFilter I would guess that you
would only run into this issue if you are trying to run Squid as a would only run into this issue if you are trying to run Squid as a
transparent proxy using IPFilter. That makes sense. If there is anyone interception proxy using IPFilter. That makes sense. If there is anyone
with information that would indicate my finding are incorrect I am willing with information that would indicate my finding are incorrect I am willing
to investigate further. to investigate further.
@ -8737,8 +8826,8 @@ diff -p -u -r1.40 -r1.41
* SUCH DAMAGE. * SUCH DAMAGE.
* *
* @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94 * @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94
- * $Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $ - * $Id: FAQ.sgml,v 1.4 2004/09/09 12:37:50 cvsdist Exp $
+ * $Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $ + * $Id: FAQ.sgml,v 1.4 2004/09/09 12:37:50 cvsdist Exp $
*/ */
#include <sys/param.h> #include <sys/param.h>
@ -8829,6 +8918,19 @@ to the following will appear:
/dev/da2a on /usr/local/squid/cache (ufs, local, noatime, soft-updates, writes: sync 70 async 225) /dev/da2a on /usr/local/squid/cache (ufs, local, noatime, soft-updates, writes: sync 70 async 225)
</verb> </verb>
<sect2>Internal DNS problems with jail environment
<p>
Some users report problems with running Squid in the jail environment. Specifically,
Squid logs messages like:
<verb>
2001/10/12 02:08:49| comm_udp_sendto: FD 4, 192.168.1.3, port 53: (22) Invalid argument
2001/10/12 02:08:49| idnsSendQuery: FD 4: sendto: (22) Invalid argument
</verb>
<p>
You can eliminate the problem by putting the jail's network interface
address in the 'udp_outgoing_addr' configuration option
in <em>squid.conf</em>.
<sect1>OSF1/3.2 <sect1>OSF1/3.2
<P> <P>
@ -8985,15 +9087,45 @@ When using Squid, some sites may give erorrs such as
although these sites work fine without going through Squid. although these sites work fine without going through Squid.
<p> <p>
Some versions of linux implement Some versions of linux implement
<url url="ftp://ftp.isi.edu/in-notes/rfc2481.txt" name="Explicit <url url="http://www.aciri.org/floyd/ecn.html" name="Explicit
Congestion Notification"> (ECN) and this can cause Congestion Notification"> (ECN) and this can cause
some TCP connections to fail. You can disable ECN with some TCP connections to fail when contacting some sites with broken firewalls
or broken TCP/IP implementations.
To work around such broken sites you can disable ECN with
the following command: the following command:
<verb> <verb>
echo 0 >/proc/sys/net/ipv4/tcp_ecn echo 0 >/proc/sys/net/ipv4/tcp_ecn
</verb> </verb>
<p> <p>
See also the <url url="http://answerpointe.cctec.com/maillists/nanog/historical/0104/msg00714.html" name="thread on the NANOG mailing list">. Found this on the FreeBSD mailing list:
<quote>
<p>
From: Robert Watson
<p>
As Bill Fumerola has indicated, and I thought I'd follow up in with a bit
more detail, the behavior you're seeing is the result of a bug in the
FreeBSD IPFW code. FreeBSD did a direct comparison of the TCP header flag
field with an internal field in the IPFW rule description structure.
Unfortunately, at some point, someone decided to overload the IPFW rule
description structure field to add a flag representing "ESTABLISHED". They
used a flag value that was previously unused by the TCP protocol (which
doesn't make it safer, just less noticeable). Later, when that flag was
allocated for ECN (Endpoint Congestion Notification) in TCP, and Linux
began using ECN by default, the packets began to match ESTABLISHED rules
regardless of the other TCP header flags. This bug was corrected on the
RELENG_4 branch, and security advisory for the bug was released. This
was, needless to say, a pretty serious bug, and good example of why you
should be very careful to compare only the bits you really mean to, and
should seperate packet state from protocol state in management structures,
as well as make use of extensive testing to make sure rules actually have
the effect you describe.
</quote>
<p>
See also the <url url="http://answerpointe.cctec.com/maillists/nanog/historical/0104/msg00714.html" name="thread on the NANOG mailing list">,
<url url="ftp://ftp.isi.edu/in-notes/rfc3168.txt" name="RFC3168 &quot;The Addition of Explicit Congestion Notification (ECN) to IP, PROPOSED STANDARD&quot;">
or <url url="http://www.aciri.org/floyd/ecn.html" name="Sally Floyd's page on ECN and problems related to it">
<sect1>HP-UX <sect1>HP-UX
@ -9055,7 +9187,7 @@ their own implementation.
<P> <P>
A redirector allows the administrator to control the locations to which A redirector allows the administrator to control the locations to which
his users goto. Using this in conjunction with transparent proxies his users goto. Using this in conjunction with interception proxies
allows simple but effective porn control. allows simple but effective porn control.
<sect1>How does it work? <sect1>How does it work?
@ -9103,7 +9235,7 @@ it may be desirable to return an HTTP "301" or "302" redirect message
to the client. This is now possible with Squid version 1.1.19. to the client. This is now possible with Squid version 1.1.19.
<P> <P>
Simply modify your redirector program to append either "301:" or "302:" Simply modify your redirector program to prepend either "301:" or "302:"
before the new URL. For example, the following script might be used before the new URL. For example, the following script might be used
to direct external clients to a secure Web server for internal documents: to direct external clients to a secure Web server for internal documents:
<verb> <verb>
@ -9878,7 +10010,7 @@ information. However, the following instructions are correct as of
this writing (July 1999.) this writing (July 1999.)
<P> <P>
Getting transparent caching to work requires four distinct steps: Getting interception caching to work requires four distinct steps:
<enum> <enum>
<item> <item>
@ -9950,17 +10082,17 @@ forwarding commands.
<item>In the <em/httpd_accel_host/ option, <em/virtual/ is the magic word! <item>In the <em/httpd_accel_host/ option, <em/virtual/ is the magic word!
<item>The <em/httpd_accel_with_proxy on/ is required to enable transparent <item>The <em/httpd_accel_with_proxy on/ is required to enable interception
proxy mode; essentially in transparent proxy mode Squid thinks it is acting proxy mode; essentially in interception proxy mode Squid thinks it is acting
both as an accelerator (hence accepting packets for other IPs on port 80) and both as an accelerator (hence accepting packets for other IPs on port 80) and
a caching proxy (hence serving files out of cache.) a caching proxy (hence serving files out of cache.)
<item> You <bf/must/ use <em/httpd_accel_uses_host_header on/ to get <item> You <bf/must/ use <em/httpd_accel_uses_host_header on/ to get
the cache to work properly in transparent mode. This enables the cache the cache to work properly in interception mode. This enables the cache
to index its stored objects under the true hostname, as is done in a to index its stored objects under the true hostname, as is done in a
normal proxy, rather than under the IP address. This is especially normal proxy, rather than under the IP address. This is especially
important if you want to use a parent cache hierarchy, or to share important if you want to use a parent cache hierarchy, or to share
cache data between transparent proxy users and non-transparent proxy cache data between interception proxy users and non-interception proxy
users, which you can do with Squid in this configuration. users, which you can do with Squid in this configuration.
</itemize> </itemize>
@ -10195,7 +10327,7 @@ not host names and demon aren't generally asked for IP addresses by other
users; users;
<item> <item>
Linux kernel 2.0.30 is a no-no as transparent proxying is broken (I use Linux kernel 2.0.30 is a no-no as interception proxying is broken (I use
2.0.29); 2.0.29);
<item> <item>
@ -10380,7 +10512,7 @@ Apply the route map to the ethernet interface.
<P> <P>
<url url="mailto:morgan@curtin.net" name="Bruce Morgan"> notes that <url url="mailto:morgan@curtin.net" name="Bruce Morgan"> notes that
there is a Cisco bug relating to transparent proxying using IP there is a Cisco bug relating to interception proxying using IP
policy route maps, that causes NFS and other applications to break. policy route maps, that causes NFS and other applications to break.
Apparently there are two bug reports raised in Cisco, but they are Apparently there are two bug reports raised in Cisco, but they are
not available for public dissemination. not available for public dissemination.
@ -10426,7 +10558,7 @@ Conversely, this set has worse performance, but works for all protocols:
<P> <P>
Just for kicks, here's an email message posted to squid-users Just for kicks, here's an email message posted to squid-users
on how to make transparent proxying work with a Cisco router on how to make interception proxying work with a Cisco router
and Squid running on Linux. and Squid running on Linux.
<P> <P>
@ -10439,7 +10571,7 @@ running Linux 2.0.33.
<P> <P>
Many thanks to the following individuals and the squid-users list for Many thanks to the following individuals and the squid-users list for
helping me get redirection and transparent proxying working on my helping me get redirection and interception proxying working on my
Cisco/Linux box. Cisco/Linux box.
<itemize> <itemize>
@ -10529,16 +10661,16 @@ this in /etc/rc.d/rc.local
<P> <P>
I am using I am using
<url url="/Versions/1.1/1.1.20/" name="v1.1.20 of Squid"> with <url url="/Versions/1.1/1.1.20/" name="v1.1.20 of Squid"> with
<url url="http://hem.passagen.se/hno/squid/squid-1.1.20.host&lowbar;and&lowbar;virtual.patch" <url url="http://devel.squid-cache.org/hno/patches/squid-1.1.20.host&lowbar;and&lowbar;virtual.patch"
name="Henrik's patch"> name="Henrik's patch">
installed. You will want to install this patch if using a setup similar installed. You will want to install this patch if using a setup similar
to mine. to mine.
<sect1>The cache is trying to connect to itself... <sect1>The cache is trying to connect to itself...
<P> <P>
by <url url="mailto:hno@hem.passagen.se" name="Henrik Nordstrom"> by <url url="mailto:hno@squid-cache.org" name="Henrik Nordstrom">
<P> <P>
I think almost everyone who have tried to build a transparent proxy I think almost everyone who have tried to build a interception proxy
setup have been bitten by this one. setup have been bitten by this one.
<P> <P>
@ -10548,7 +10680,7 @@ Measures you can take:
Deny Squid from fetching objects from itself (using ACL lists). Deny Squid from fetching objects from itself (using ACL lists).
<item> <item>
Apply a small patch that prevents Squid from looping infinitely Apply a small patch that prevents Squid from looping infinitely
(available from <url url="http://hem.passagen.se/hno/squid/" name="Henrik's Squid Patches">) (available from <url url="http://devel.squid-cache.org/hno/" name="Henrik's Squid Patches">)
<item> <item>
Don't run Squid on port 80, and redirect port 80 not destined for Don't run Squid on port 80, and redirect port 80 not destined for
the local machine to Squid (redirection == ipfilter/ipfw/ipfadm). This the local machine to Squid (redirection == ipfilter/ipfw/ipfadm). This
@ -10564,7 +10696,7 @@ front of Squid. Squid does not yet know how to interface to ipfilter
<P> <P>
by Duane Wessels by Duane Wessels
<P> <P>
I set out yesterday to make transparent caching work with Squid and I set out yesterday to make interception caching work with Squid and
FreeBSD. It was, uh, fun. FreeBSD. It was, uh, fun.
<P> <P>
It was relatively easy to configure a cisco to divert port 80 It was relatively easy to configure a cisco to divert port 80
@ -10650,7 +10782,7 @@ and the <em/squid.conf/ lines are:
<P> <P>
by <url url="mailto:John.Saunders@scitec.com.au" name="John Saunders"> by <url url="mailto:John.Saunders@scitec.com.au" name="John Saunders">
<P> <P>
This is to do with configuring transparent proxy This is to do with configuring interception proxy
for an ACC Tigris digital access server (like a CISCO 5200/5300 for an ACC Tigris digital access server (like a CISCO 5200/5300
or an Ascend MAX 4000). I've found that doing this in the NAS or an Ascend MAX 4000). I've found that doing this in the NAS
reduces traffic on the LAN and reduces processing load on the reduces traffic on the LAN and reduces processing load on the
@ -10836,7 +10968,7 @@ Finally add "OPTION GRE" to your kernel config file and rebuild
your kernel. Note, the <em/opt_gre.h/ file is your kernel. Note, the <em/opt_gre.h/ file is
created when you run <em/config/. created when you run <em/config/.
Once your kernel is installed you will need to Once your kernel is installed you will need to
<ref id="trans-freebsd" name="configure FreeBSD for transparent proxying">. <ref id="trans-freebsd" name="configure FreeBSD for interception proxying">.
<sect2>Configuring Linux 2.2 <sect2>Configuring Linux 2.2
@ -10918,7 +11050,7 @@ Finally you will need to load the module:
<P> <P>
The machine should now be striping the GRE encapsulation from any packets The machine should now be striping the GRE encapsulation from any packets
recieved and requeuing them. The system will also need to be configured recieved and requeuing them. The system will also need to be configured
for transparent proxying, either with <ref id="trans-linux-1" name="ipfwadm"> for interception proxying, either with <ref id="trans-linux-1" name="ipfwadm">
or with <ref id="trans-linux-2" name="ipchains">. or with <ref id="trans-linux-2" name="ipchains">.
<sect2>Configuring Others <sect2>Configuring Others
@ -10948,12 +11080,12 @@ is welcome to code it up and contribute to the Squid project.
<p> <p>
by <url url="mailto:signal at shreve dot net" name="Brian Feeny">. by <url url="mailto:signal at shreve dot net" name="Brian Feeny">.
<p> <p>
First, configure Squid for transparent caching as detailed First, configure Squid for interception caching as detailed
at the <ref id="trans-caching" name="beginning of this section">. at the <ref id="trans-caching" name="beginning of this section">.
<p> <p>
Next, configure Next, configure
the Foundry layer 4 switch to the Foundry layer 4 switch to
transparently redirect traffic to your Squid box or boxes. By default, redirect traffic to your Squid box or boxes. By default,
the Foundry the Foundry
redirects to port 80 of your squid box. This can redirects to port 80 of your squid box. This can
be changed to a different port if needed, but won't be covered be changed to a different port if needed, but won't be covered
@ -10975,7 +11107,7 @@ squid2.foo.com 192.168.1.11
<p> <p>
We will assume you have various workstations, customers, etc, plugged We will assume you have various workstations, customers, etc, plugged
into the switch for which you want them to be transparently proxied. into the switch for which you want them to be intercepted and sent to Squid.
The squid caches themselves should be plugged into the switch as well. The squid caches themselves should be plugged into the switch as well.
Only the interface that the router is connected to is important. Where you Only the interface that the router is connected to is important. Where you
put the squid caches or other connections does not matter. put the squid caches or other connections does not matter.
@ -11037,6 +11169,12 @@ howto that would apply for most people, not meant to be a comprehensive
manual of how to configure a Foundry switch. I can however revise this manual of how to configure a Foundry switch. I can however revise this
with any information necessary if people feel it should be included. with any information necessary if people feel it should be included.
<sect1>Can I use <em/proxy_auth/ with interception?
<p>
No, you cannot. With interception proxying, the client thinks
it is talking to an origin server and would never send the
<em/Proxy-authorization/ request header.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% --> <!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>SNMP <sect>SNMP
@ -11279,14 +11417,14 @@ new disk and leave the existing ones in place.
<sect1>Squid 2 performs badly on Linux <sect1>Squid 2 performs badly on Linux
<P> <P>
by <url url="mailto:hno@hem.passagen.se" name="Henrik Nordstrom"> by <url url="mailto:hno@squid-cache.org" name="Henrik Nordstrom">
<P> <P>
You may have enabled Asyncronous I/O with the <em/--enable-async-io/ You may have enabled Asyncronous I/O with the <em/--enable-async-io/
configure option. configure option.
Be careful when using threads on Linux. Most versions of libc5 and Be careful when using threads on Linux. Most versions of libc5 and
early versions of glibc have problems with threaded applications. I very early versions of glibc have problems with threaded applications.
would not recommend <em/--enable-async-io/ on Linux unless your system I would not recommend <em/--enable-async-io/ on Linux unless your system
uses a recent version of glibc. uses glibc 2.1.3 or later.
<P> <P>
You should also know that <em/--enable-async-io/ is not optimal unless You should also know that <em/--enable-async-io/ is not optimal unless
@ -11549,7 +11687,7 @@ network.
<P> <P>
For our local access we use a dstdomain ACL, and for delay pool exceptions For our local access we use a dstdomain ACL, and for delay pool exceptions
we use a dst ACL as well since the delay pool ACL processing is done using we use a dst ACL as well since the delay pool ACL processing is done using
'fast lookups', which means (among other things) it won't wait for a DNS "fast lookups", which means (among other things) it won't wait for a DNS
lookup if it would need one. lookup if it would need one.
<P> <P>
@ -12081,7 +12219,7 @@ squid.conf.
<P> <P>
<url url="http://www.transproxy.nlc.net.au/" name="transproxy"> <url url="http://www.transproxy.nlc.net.au/" name="transproxy">
is a program used in conjunction with the Linux Transparent Proxy is a program used in conjunction with the Linux Transparent Proxy
networking feature, and ipfwadm, to transparently proxy HTTP and networking feature, and ipfwadm, to intercept HTTP and
other requests. Transproxy is written by <url url="mailto:john@nlc.net.au" name="John Saunders">. other requests. Transproxy is written by <url url="mailto:john@nlc.net.au" name="John Saunders">.
<sect2>Iain's redirector package <sect2>Iain's redirector package
@ -12207,32 +12345,45 @@ queue parameters for Squid. Message queue implementations
normally have the following parameters: normally have the following parameters:
<descrip> <descrip>
<tag/MSGMNB/ <tag/MSGMNB/
Maximum number of bytes in a single queue. Maximum number of bytes per message queue.
<tag/MSGMNI/ <tag/MSGMNI/
Maximum number of message queue identifiers. Maximum number of message queue identifiers (system wide).
<tag/MSGSEG/ <tag/MSGSEG/
Maximum number of message segments. Maximum number of message segments per queue.
<tag/MSGMAX/ <tag/MSGSSZ/
Maximum size of a message segment. Size of a message segment.
<tag/MSGTQL/ <tag/MSGTQL/
Maximum number of messages in the whole system. Maximum number of messages (system wide).
<tag/MSGMAX/
Maximum size of a whole message. On some systems you may need to
increase this limit. On other systems, you may not be able
to change it.
</descrip> </descrip>
<p> <p>
The messages between Squid and diskd are 32 bytes. Thus, MSGMAX The messages between Squid and diskd are 32 bytes for 32-bit CPUs
should be 32 or greater. You may want to set it to a larger and 40 bytes for 64-bit CPUs. Thus, MSGSSZ should be 32 or greater.
value, just to be safe. You may want to set it to a larger value, just to be safe.
<p> <p>
We'll have two queues for each <em/cache_dir/ -- one in each direction. We'll have two queues for each <em/cache_dir/ -- one in each direction.
So, MSGMNI needs to be at least two times the number of <em/cache_dir/'s. So, MSGMNI needs to be at least two times the number of <em/cache_dir/'s.
<p>
I've found that 75 messages per queue is about the limit of decent performance.
If each diskd message consists of just one segment (depending on your
value of MSGSSZ), then MSGSEG should be greater than 75.
<p> <p>
MSGMNB and MSGTQL affect how many messages can be in the queues MSGMNB and MSGTQL affect how many messages can be in the queues
at one time. I've found that 75 messages per queue is about at one time. Diskd messages shouldn't be
the limit of decent performance. Thus, MSGMNB must be more than 40 bytes, but let's use 64 bytes to be safe. MSGMNB
at least 75*MSGMAX, and MSGTQL must be at least 75 times should be at least 64*75. I recommend rounding up to the nearest
the number of <em/cache_dir/'s. power of two, or 8192.
<p>
MSGTQL should be at least 75 times the number of <em/cache_dir/'s
that you'll have.
<sect2>FreeBSD <sect2>FreeBSD
<p> <p>
@ -12245,11 +12396,11 @@ options SYSVMSG
You can set the parameters in the kernel as follows. This is just You can set the parameters in the kernel as follows. This is just
an example. Make sure the values are appropriate for your system: an example. Make sure the values are appropriate for your system:
<verb> <verb>
options MSGMNB=16384 # max # of bytes in a queue options MSGMNB=8192 # max # of bytes in a queue
options MSGMNI=41 # number of message queue identifiers options MSGMNI=40 # number of message queue identifiers
options MSGSEG=2049 # number of message segments options MSGSEG=512 # number of message segments per queue
options MSGSSZ=64 # size of a message segment options MSGSSZ=64 # size of a message segment
options MSGTQL=512 # max messages in system options MSGTQL=2048 # max messages in system
</verb> </verb>
<sect2>Digital Unix <sect2>Digital Unix
@ -12258,9 +12409,9 @@ Message queue support seems to be in the kernel
by default. Setting the options is as follows: by default. Setting the options is as follows:
<verb> <verb>
options MSGMNB="8192" # max # bytes on queue options MSGMNB="8192" # max # bytes on queue
options MSGMNI="31" # # of message queue identifiers options MSGMNI="40" # # of message queue identifiers
options MSGMAX="2049" # max message size options MSGMAX="2048" # max message size
options MSGTQL="1024" # # of system message headers options MSGTQL="2048" # # of system message headers
</verb> </verb>
<p> <p>
@ -12274,9 +12425,9 @@ If you have a newer version (DU64), then you can probably use
To change them make a file like this called ipc.stanza: To change them make a file like this called ipc.stanza:
<verb> <verb>
ipc: ipc:
msg-max = 2049 msg-max = 2048
msg-mni = 31 msg-mni = 40
msg-tql = 1024 msg-tql = 2048
msg-mnb = 8192 msg-mnb = 8192
</verb> </verb>
then run then run
@ -12312,11 +12463,11 @@ name="Demangling Message Queues"> in Sunworld Magazine.
I don't think the above article really tells you how to set the parameters. I don't think the above article really tells you how to set the parameters.
You do it in <em>/etc/system</em> with lines like this: You do it in <em>/etc/system</em> with lines like this:
<verb> <verb>
set msgsys:msginfo_msgmax=2049 set msgsys:msginfo_msgmax=2048
set msgsys:msginfo_msgmnb=8192 set msgsys:msginfo_msgmnb=8192
set msgsys:msginfo_msgmni=31 set msgsys:msginfo_msgmni=40
set msgsys:msginfo_msgssz=64 set msgsys:msginfo_msgssz=64
set msgsys:msginfo_msgtql=1024 set msgsys:msginfo_msgtql=2048
</verb> </verb>
<p> <p>
Of course, you must reboot whenever you modify <em>/etc/system</em> Of course, you must reboot whenever you modify <em>/etc/system</em>
@ -12673,7 +12824,7 @@ want to make a cron job that regularly verifies that your proxy blocks
access to port 25. access to port 25.
<verb> <verb>
$Id: FAQ.sgml,v 1.3 2004/09/09 12:36:55 cvsdist Exp $ $Id: FAQ.sgml,v 1.4 2004/09/09 12:37:50 cvsdist Exp $
</verb> </verb>
</article> </article>
<!-- LocalWords: SSL MSIE Netmanage Chameleon WebSurfer unchecking remotehost <!-- LocalWords: SSL MSIE Netmanage Chameleon WebSurfer unchecking remotehost

View File

@ -1 +1 @@
6a3977716571a8459cf66b96306f7c05 squid-2.4.STABLE1-src.tar.gz 5fdaf22d66d7b776325902adc0fd438d squid-2.4.STABLE3-src.tar.gz

View File

@ -1,8 +1,8 @@
Summary: The Squid proxy caching server. Summary: The Squid proxy caching server.
Name: squid Name: squid
Version: 2.4.STABLE1 Version: 2.4.STABLE3
Release: 6 Release: 1.7.2
Serial: 6 Serial: 7
License: GPL License: GPL
Group: System Environment/Daemons Group: System Environment/Daemons
Source: http://www.squid-cache.org/Squid/v2/squid-%{version}-src.tar.gz Source: http://www.squid-cache.org/Squid/v2/squid-%{version}-src.tar.gz
@ -14,15 +14,11 @@ Patch0: squid-2.1-make.patch
Patch1: squid-2.4-config.patch Patch1: squid-2.4-config.patch
Patch2: squid-perlpath.patch Patch2: squid-perlpath.patch
Patch3: squid-location.patch Patch3: squid-location.patch
Patch10: squid-2.4.stable1-diskd_fixed_path.patch Patch10: squid-2.4.STABLE3-SNMP_memory_leaks.patch
Patch11: squid-2.4.stable1-force_valid_blksize.patch Patch11: squid-2.4.STABLE3-ftp_coredump.patch
Patch12: squid-2.4.stable1-high_cpu_with_peers.patch Patch12: squid-2.4.STABLE3-htcp_off.patch
Patch13: squid-2.4.stable1-htcp_assertion_fix.patch
Patch14: squid-2.4.stable1-kill_parent_on_child_sigkill.patch
Patch15: squid-2.4.stable1-wrong_sign_on_timestamp_check.patch
Patch16: squid-2.4stable-ftpcrash.path
BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRoot: %{_tmppath}/%{name}-%{version}-root
Prereq: /sbin/chkconfig logrotate shadow-utils /etc/init.d Prereq: /sbin/chkconfig logrotate shadow-utils
Requires: bash >= 2.0 Requires: bash >= 2.0
BuildPrereq: openjade sgml-tools openldap-devel pam-devel BuildPrereq: openjade sgml-tools openldap-devel pam-devel
Obsoletes: squid-novm Obsoletes: squid-novm
@ -45,13 +41,9 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch1 -p1 -b .config %patch1 -p1 -b .config
%patch2 -p1 -b .perlpath %patch2 -p1 -b .perlpath
%patch3 -p1 %patch3 -p1
%patch10 -p0 -b .diskd %patch10 -p1 -b .snmp
%patch11 -p0 -b .force_valid_blksize %patch11 -p1 -b .ftp
%patch12 -p0 -b .cpu_peer %patch12 -p1 -b .htcp
%patch13 -p0 -b .htcp
%patch14 -p0 -b .kill_parent
%patch15 -p0 -b .timestamp
%patch16 -p0 -b .ftp-crash
%build %build
%configure \ %configure \
@ -60,7 +52,7 @@ lookup program (dnsserver), a program for retrieving FTP data
--enable-poll --enable-snmp --enable-removal-policies="heap,lru" \ --enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
--enable-storeio="aufs,coss,diskd,ufs" \ --enable-storeio="aufs,coss,diskd,ufs" \
--enable-delay-pools --enable-linux-netfilter \ --enable-delay-pools --enable-linux-netfilter \
--enable-htcp --enable-carp --with-pthreads \ --enable-carp --with-pthreads \
--enable-auth-modules="LDAP,NCSA,PAM,SMB,MSNT" # --enable-icmp --enable-auth-modules="LDAP,NCSA,PAM,SMB,MSNT" # --enable-icmp
# Some versions of autoconf fail to detect sys/resource.h correctly; # Some versions of autoconf fail to detect sys/resource.h correctly;
@ -143,7 +135,7 @@ rm -rf $RPM_BUILD_ROOT
%config /etc/squid/mib.txt %config /etc/squid/mib.txt
/etc/squid/squid.conf.default /etc/squid/squid.conf.default
/etc/squid/mime.conf.default /etc/squid/mime.conf.default
/etc/squid/errors %config(noreplace) /etc/squid/errors
/usr/lib/squid /usr/lib/squid
/usr/sbin/squid /usr/sbin/squid
/usr/sbin/client /usr/sbin/client
@ -257,6 +249,23 @@ if [ "$1" -ge "1" ] ; then
fi fi
%changelog %changelog
* Mon Feb 18 2002 Bill Nottingham <notting@redhat.com>
- 2.4.STABLE3 + patches
- turn off HTCP at request of maintainers
- leave SNMP enabled in the build, but disabled in the default config
* Fri Jan 25 2002 Tim Powers <timp@redhat.com>
- rebuild against new libssl
* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Mon Jan 07 2002 Florian La Roche <Florian.LaRoche@redhat.de>
- require linuxdoc-tools instead of sgml-tools
* Tue Sep 25 2001 Bill Nottingham <notting@redhat.com>
- update to 2.4.STABLE2
* Mon Sep 24 2001 Bill Nottingham <notting@redhat.com> * Mon Sep 24 2001 Bill Nottingham <notting@redhat.com>
- add patch to fix FTP crash - add patch to fix FTP crash