Squid has gone kaput - Mandriva


Thread: Squid has gone kaput

  1. Squid has gone kaput

    Here's an odd thing: I ran updates on my server after a rather lengthy
    period of not updating -- I hate it when the lying bastage mirrors stop
    working, but anyway...

    After this lengthy upgrade, Squid stopped working. The process was
    still up, but when I configured the browser to use the proxy, it claimed
    it couldn't find the proxy I had configured.

    I looked at the config files and everything seemed okay. I checked the
    logs and it looked like there was a failure related to how it was
    resolving http. I'd like to be more articulate about that error, but I
    punted and uninstalled/reinstalled squid and squidGuard from the
    main_update repositories.

    The reinstall went okay, but now I'm getting these in the cache.log:

    2007/04/04 16:33:08| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
    2007/04/04 16:33:08| Accepting HTCP messages on port 4827, FD 20.
    2007/04/04 16:33:08| Accepting SNMP messages on port 3401, FD 21.
    2007/04/04 16:33:08| WCCP Disabled.
    2007/04/04 16:33:08| Pinger socket opened on FD 22
    2007/04/04 16:33:08| Ready to serve requests.
    2007/04/04 16:33:08| WARNING: url_rewriter #5 (FD 10) exited
    2007/04/04 16:33:08| WARNING: url_rewriter #4 (FD 9) exited
    2007/04/04 16:33:08| WARNING: url_rewriter #3 (FD 8) exited
    2007/04/04 16:33:08| Too few url_rewriter processes are running
    FATAL: The url_rewriter helpers are crashing too rapidly, need help!

    Squid Cache (Version 2.6.STABLE1): Terminated abnormally.

    I think I've seen that before, but I can't for the life of me find it in
    Google.

    Anybody remember what this is about?

    Thanks.

    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    perl < /dev/bdsm
    you have a /dev/bdsm?
    sure, it's a pseudosadomasochistic random number generator

    --
    Posted via a free Usenet account from http://www.teranews.com


  2. Re: Squid has gone kaput

    Mark Adams wrote:
    > Here's an odd thing: I ran updates on my server after a rather lengthy
    > period of not updating -- I hate it when the lying bastage mirrors stop
    > working, but anyway...
    >
    > After this lengthy upgrade, Squid stopped working. The process was
    > still up, but when I configured the browser to use the proxy, it claimed
    > it couldn't find the proxy I had configured.
    >
    > I looked at the config files and everything seemed okay. I checked the
    > logs and it looked like there was a failure related to how it was
    > resolving http. I'd like to be more articulate about that error, but I
    > punted and uninstalled/reinstalled squid and squidGuard from the
    > main_update repositories.
    >
    > The reinstall went okay, but now I'm getting these in the cache.log:
    >
    > 2007/04/04 16:33:08| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
    > 2007/04/04 16:33:08| Accepting HTCP messages on port 4827, FD 20.
    > 2007/04/04 16:33:08| Accepting SNMP messages on port 3401, FD 21.
    > 2007/04/04 16:33:08| WCCP Disabled.
    > 2007/04/04 16:33:08| Pinger socket opened on FD 22
    > 2007/04/04 16:33:08| Ready to serve requests.
    > 2007/04/04 16:33:08| WARNING: url_rewriter #5 (FD 10) exited
    > 2007/04/04 16:33:08| WARNING: url_rewriter #4 (FD 9) exited
    > 2007/04/04 16:33:08| WARNING: url_rewriter #3 (FD 8) exited
    > 2007/04/04 16:33:08| Too few url_rewriter processes are running
    > FATAL: The url_rewriter helpers are crashing too rapidly, need help!
    >
    > Squid Cache (Version 2.6.STABLE1): Terminated abnormally.


    Your url_rewrite_program is failing.

    Comment out url_rewrite_program and maybe url_rewrite_children
    and see if squid works.

    Looks like squidGuard is broken.

    What does 'squidGuard -d -c /path/to/your/squidguard.conf' show ?
    Anything interesting in /var/log/squidGuard/squidGuard.{error,log} ?


  3. Re: Squid has gone kaput

    Mark Adams wrote:
    > Here's an odd thing: I ran updates on my server after a rather lengthy
    > period of not updating -- I hate it when the lying bastage mirrors stop
    > working, but anyway...
    >
    > After this lengthy upgrade, Squid stopped working. The process was
    > still up, but when I configured the browser to use the proxy, it claimed
    > it couldn't find the proxy I had configured.
    >
    > I looked at the config files and everything seemed okay. I checked the
    > logs and it looked like there was a failure related to how it was
    > resolving http. I'd like to be more articulate about that error, but I
    > punted and uninstalled/reinstalled squid and squidGuard from the
    > main_update repositories.
    >
    > The reinstall went okay, but now I'm getting these in the cache.log:
    >
    > 2007/04/04 16:33:08| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
    > 2007/04/04 16:33:08| Accepting HTCP messages on port 4827, FD 20.
    > 2007/04/04 16:33:08| Accepting SNMP messages on port 3401, FD 21.
    > 2007/04/04 16:33:08| WCCP Disabled.
    > 2007/04/04 16:33:08| Pinger socket opened on FD 22
    > 2007/04/04 16:33:08| Ready to serve requests.
    > 2007/04/04 16:33:08| WARNING: url_rewriter #5 (FD 10) exited
    > 2007/04/04 16:33:08| WARNING: url_rewriter #4 (FD 9) exited
    > 2007/04/04 16:33:08| WARNING: url_rewriter #3 (FD 8) exited
    > 2007/04/04 16:33:08| Too few url_rewriter processes are running
    > FATAL: The url_rewriter helpers are crashing too rapidly, need help!
    >
    > Squid Cache (Version 2.6.STABLE1): Terminated abnormally.
    >
    > I think I've seen that before, but I can't for the life of me find it in
    > Google.
    >
    > Anybody remember what this is about?
    >
    > Thanks.
    >

    Okay, I've overcome the above problem and squid/squidGuard are now up
    and running. Problem is, the proxy isn't working.

    There's nothing in any of the logs concerning the problem, it just sits
    there and the web page you are trying to browse times out instead of
    loading.

    And oh joy, the new 2.6 version of Squid is not compatible with Webmin.
    There is no gui to help configure this mess.

    Aye carumba.

    Any ideas?

    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    You humans are all alike.

    --
    Posted via a free Usenet account from http://www.teranews.com


  4. Re: Squid has gone kaput

    Mark Adams wrote:
    >
    > Okay, I've overcome the above problem and squid/squidGuard are now up
    > and running. Problem is, the proxy isn't working.
    >
    > There's nothing in any of the logs concerning the problem, it just sits
    > there and the web page you are trying to browse times out instead of
    > loading.
    >
    > And oh joy, the new 2.6 version of Squid is not compatible with Webmin.
    > There is no gui to help configure this mess.


    I find 'gvim' is a nice GUI for setting up text files.

    >
    > Aye carumba.
    >
    > Any ideas?


    Are you using your old squid.conf (with the redirect_program /
    url_rewrite_program change) or did you modify the new squid.conf
    to suit your purposes ?

    As you probably know, out of the box squid only allows access
    to localhost.

    What does the following show ?

    sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' /etc/squid/squid.conf


    Anything interesting in /var/log/squid/... logs ?


  5. Re: Squid has gone kaput

    foo wrote:
    > Mark Adams wrote:
    >>
    >> Okay, I've overcome the above problem and squid/squidGuard are now up
    >> and running. Problem is, the proxy isn't working.
    >>
    >> There's nothing in any of the logs concerning the problem, it just
    >> sits there and the web page you are trying to browse times out instead
    >> of loading.
    >>
    >> And oh joy, the new 2.6 version of Squid is not compatible with
    >> Webmin. There is no gui to help configure this mess.

    >
    > I find 'gvim' is a nice GUI for setting up text files.
    >


    I can use vi to edit text just fine, but Webmin makes it much easier to
    see what you actually have going on.

    >>
    >> Aye carumba.
    >>
    >> Any ideas?

    >
    > Are you using your old squid.conf (with the redirect_program /
    > url_rewrite_program change) or did you modify the new squid.conf
    > to suit your purposes ?


    I'm modifying the new config file.

    >
    > As you probably know, out of the box squid only allows access
    > to localhost.


    I think I've covered all that in the new config file. The only glaring
    discrepancy I found was the change in nomenclature for
    "url_rewrite_program".

    >
    > What does the following show ?
    >
    > sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' /etc/squid/squid.conf


    http_port 3128
    http_port 8080
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl Apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    access_log /var/log/squid/access.log squid
    url_rewrite_program /usr/bin/squidGuard -d -c /etc/squid/squidGuard.conf
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl mynetwork src 192.168.1.0/255.255.255.0
    acl alexa src "/etc/squid/bad_1s"
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow mynetwork
    acl our_networks src 192.168.1.0/24
    http_access allow our_networks
    http_access allow localhost
    http_reply_access allow all
    icp_access allow all
    cache_effective_user squid
    cache_effective_group squid
    visible_hostname shuttle.adams-lan.local
    deny_info ERR_CUSTOM_ACCESS_DENIED mynetwork
    coredump_dir /var/spool/squid

    See anything obvious in there?

    > Anything interesting in /var/log/squid/... logs ?
    >

    # tail cache.log
    2007-04-05 03:03:13 [23521] init urllist /usr/share/squidGuard-1.2.0/db/custom/local-block/urls
    2007-04-05 03:03:13 [23521] loading dbfile /usr/share/squidGuard-1.2.0/db/custom/local-block/urls.db
    2007-04-05 03:03:13 [23521] squidGuard 1.2.0 started (1175763793.731)
    2007-04-05 03:03:13 [23521] squidGuard ready for requests (1175763793.765)
    2007/04/05 03:31:33| NETDB state saved; 0 entries, 0 msec
    2007/04/05 04:47:43| NETDB state saved; 0 entries, 0 msec
    2007/04/05 05:45:24| NETDB state saved; 0 entries, 0 msec
    2007/04/05 06:26:32| icmpSend: send: (111) Connection refused
    2007/04/05 06:26:32| Closing Pinger socket on FD 21
    2007/04/05 06:52:13| NETDB state saved; 0 entries, 0 msec


    # tail store.log
    1175775995.543 RELEASE -1 FFFFFFFF 3EEAC5A822E56A486957BB03BC0F6DA2 302 1175775995 -1 -1 unknown 0/0 GET http://global.msads.net/ads/pronws/im.png
    1175775995.543 RELEASE -1 FFFFFFFF 0AE2D19C3E79685A94C9C78972303A9B 302 1175775995 -1 -1 unknown 0/0 GET http://rad.msn.com/ADSAdClient31.dll?
    1175775995.564 RELEASE -1 FFFFFFFF 5B42B5E049715ABC82CFA2E7EFC275B4 302 1175775995 -1 -1 unknown 0/0 GET http://rad.msn.com/ADSAdClient31.dll?
    1175775995.593 RELEASE -1 FFFFFFFF 47C61FB2132D4855E30060028FAC4CFA 302 1175775995 -1 -1 unknown 0/0 GET http://rad.msn.com/ADSAdClient31.dll?
    1175775995.685 RELEASE -1 FFFFFFFF D415BA7F91C798E138358EA85C1AF776 503 1175775995 0 1175775995 text/html 1084/1084 GET http://192.168.1.105/ads.shtml
    1175775995.690 RELEASE -1 FFFFFFFF 968B40EB890C97906B7C8A56C68ABB34 503 1175775995 0 1175775995 text/html 1084/1084 GET http://192.168.1.105/ads.shtml
    1175775995.690 RELEASE -1 FFFFFFFF F10D73891891C14F796EBB8917859637 503 1175775995 0 1175775995 text/html 1084/1084 GET http://192.168.1.105/ads.shtml
    1175775995.718 RELEASE -1 FFFFFFFF 769A5181BCD7D349375F223163220CB9 503 1175775995 0 1175775995 text/html 1084/1084 GET http://192.168.1.105/ads.shtml
    1175775995.805 RELEASE -1 FFFFFFFF 91744EBBC427014DBD8F7B2E6C91BF8C 503 1175775995 0 1175775995 text/html 1084/1084 GET http://192.168.1.105/ads.shtml
    1175775996.333 RELEASE -1 FFFFFFFF CCA984DF1BE2C638982283B955CB19A4 200 1175775995 -1 1175775995 text/xml 4995/4995 POST http://storage.msn.com/storageservic...izedstore.asmx

    # tail access.log
    1175775995.543 7 192.168.1.101 TCP_MISS/302 159 GET http://global.msads.net/ads/pronws/im.png - NONE/- -
    1175775995.543 0 192.168.1.101 TCP_MISS/302 159 GET http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    1175775995.564 6 192.168.1.101 TCP_MISS/302 159 GET http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    1175775995.593 3 192.168.1.101 TCP_MISS/302 159 GET http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    1175775995.685 110 192.168.1.101 TCP_MISS/503 1436 GET http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    1175775995.690 109 192.168.1.101 TCP_MISS/503 1436 GET http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    1175775995.690 105 192.168.1.101 TCP_MISS/503 1436 GET http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    1175775995.718 107 192.168.1.101 TCP_MISS/503 1436 GET http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    1175775995.805 112 192.168.1.101 TCP_MISS/503 1436 GET http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    1175775996.333 630 192.168.1.101 TCP_MISS/200 5441 POST http://storage.msn.com/storageservic...izedstore.asmx - DIRECT/207.46.219.35 text/xml


    I'm no expert on this, but I don't see anything in any log (I checked
    syslog too) that indicates a problem -- the proxy just isn't accepting
    connections.

    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    Many a wife thinks her husband is the world's greatest lover.
    But she can never catch him at it.

    --
    Posted via a free Usenet account from http://www.teranews.com


  6. Re: Squid has gone kaput

    Mark Adams wrote:
    >>
    >> sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' /etc/squid/squid.conf

    >
    > http_port 3128
    > http_port 8080
    > hierarchy_stoplist cgi-bin ?
    > acl QUERY urlpath_regex cgi-bin \?
    > cache deny QUERY
    > acl Apache rep_header Server ^Apache
    > broken_vary_encoding allow apache
    > access_log /var/log/squid/access.log squid
    > url_rewrite_program /usr/bin/squidGuard -d -c /etc/squid/squidGuard.conf


    The '-d' should be removed so errors go to log files instead of stderr.

    > refresh_pattern ^ftp: 1440 20% 10080
    > refresh_pattern ^gopher: 1440 0% 1440
    > refresh_pattern . 0 20% 4320
    > acl all src 0.0.0.0/0.0.0.0
    > acl manager proto cache_object
    > acl localhost src 127.0.0.1/255.255.255.255
    > acl to_localhost dst 127.0.0.0/8
    > acl SSL_ports port 443 563
    > acl Safe_ports port 80 # http
    > acl Safe_ports port 21 # ftp
    > acl Safe_ports port 443 563 # https, snews
    > acl Safe_ports port 70 # gopher
    > acl Safe_ports port 210 # wais
    > acl Safe_ports port 1025-65535 # unregistered ports
    > acl Safe_ports port 280 # http-mgmt
    > acl Safe_ports port 488 # gss-http
    > acl Safe_ports port 591 # filemaker
    > acl Safe_ports port 777 # multiling http
    > acl CONNECT method CONNECT
    > acl mynetwork src 192.168.1.0/255.255.255.0
    > acl alexa src "/etc/squid/bad_1s"


    The alexa acl is not used.

    > http_access allow manager localhost
    > http_access deny manager
    > http_access deny !Safe_ports
    > http_access deny CONNECT !SSL_ports
    > http_access allow mynetwork
    > acl our_networks src 192.168.1.0/24
    > http_access allow our_networks


    2 acl's for the same subnet, mynetwork and our_networks.

    > http_access allow localhost
    > http_reply_access allow all
    > icp_access allow all
    > cache_effective_user squid
    > cache_effective_group squid
    > visible_hostname shuttle.adams-lan.local
    > deny_info ERR_CUSTOM_ACCESS_DENIED mynetwork
    > coredump_dir /var/spool/squid
    >
    > See anything obvious in there?


    Nothing real obvious.

    Try removing the acl and access for the duplicate
    our_networks and alexa.

    Comment out url_rewrite_program.
    When squid is working, add squidGuard and you'll know
    if squidGuard or squid is the problem.

    I have a vague memory of squidGuard causing me problems
    in the distant past and it being not obvious to fix.

    >
    >> Anything interesting in /var/log/squid/... logs ?
    >>

    >
    > # tail access.log
    > 1175775995.543 7 192.168.1.101 TCP_MISS/302 159 GET
    > http://global.msads.net/ads/pronws/im.png - NONE/- -
    > 1175775995.543 0 192.168.1.101 TCP_MISS/302 159 GET
    > http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    > 1175775995.564 6 192.168.1.101 TCP_MISS/302 159 GET
    > http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    > 1175775995.593 3 192.168.1.101 TCP_MISS/302 159 GET
    > http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    > 1175775995.685 110 192.168.1.101 TCP_MISS/503 1436 GET
    > http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    > 1175775995.690 109 192.168.1.101 TCP_MISS/503 1436 GET
    > http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    > 1175775995.690 105 192.168.1.101 TCP_MISS/503 1436 GET
    > http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    > 1175775995.718 107 192.168.1.101 TCP_MISS/503 1436 GET
    > http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    > 1175775995.805 112 192.168.1.101 TCP_MISS/503 1436 GET
    > http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    > 1175775996.333 630 192.168.1.101 TCP_MISS/200 5441 POST
    > http://storage.msn.com/storageservic...izedstore.asmx -
    > DIRECT/207.46.219.35 text/xml


    I wonder if this is new or old log entries, try 'tail -f access.log'
    when using the proxy.
    Does "ads.shtml" work OK on your local web server ?

  7. Re: Squid has gone kaput

    foo wrote:
    > Mark Adams wrote:
    >>>

    snip!

    Before we get started, I tinkered with the config enough to get the
    proxy to work from the server -- I can configure Firefox to use the
    proxy and browse as expected. Here are the lines I inserted/altered to
    get it to work:

    http_access allow manager localhost
    http_access allow Safe_ports
    ######http_access deny manager <<<<<<< commented out
    # Deny requests to unknown ports
    ######http_access deny !Safe_ports
    http_access allow !Safe_ports <<<<<<<<< Changed it to allow
    # Deny CONNECT to other than SSL ports
    ######http_access deny CONNECT !SSL_ports
    http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
    http_access allow mynetwork

    Still can't browse through the proxy from the client.

    >> acl Safe_ports port 280 # http-mgmt
    >> acl Safe_ports port 488 # gss-http
    >> acl Safe_ports port 591 # filemaker
    >> acl Safe_ports port 777 # multiling http
    >> acl CONNECT method CONNECT
    >> acl mynetwork src 192.168.1.0/255.255.255.0
    >> acl alexa src "/etc/squid/bad_1s"

    >
    > The alexa acl is not used.
    >
    >> http_access allow manager localhost
    >> http_access deny manager
    >> http_access deny !Safe_ports
    >> http_access deny CONNECT !SSL_ports
    >> http_access allow mynetwork
    >> acl our_networks src 192.168.1.0/24
    >> http_access allow our_networks

    >
    > 2 acl's for the same subnet, mynetwork and our_networks.
    >
    >> http_access allow localhost
    >> http_reply_access allow all
    >> icp_access allow all
    >> cache_effective_user squid
    >> cache_effective_group squid
    >> visible_hostname shuttle.adams-lan.local
    >> deny_info ERR_CUSTOM_ACCESS_DENIED mynetwork
    >> coredump_dir /var/spool/squid
    >>
    >> See anything obvious in there?

    >
    > Nothing real obvious.
    >
    > Try removing the acl and access for the duplicate
    > our_networks and alexa.
    >


    Done. It made no difference.

    > Comment out url_rewrite_program.
    > When squid is working, add squidGuard and you'll know
    > if squidGuard or squid is the problem.
    >
    > I have a vague memory of squidGuard causing me problems
    > in the distant past and it being not obvious to fix.


    I've had it commented out all day.

    >
    >>
    >>> Anything interesting in /var/log/squid/... logs ?
    >>>

    >>
    >> # tail access.log
    >> 1175775995.543 7 192.168.1.101 TCP_MISS/302 159 GET
    >> http://global.msads.net/ads/pronws/im.png - NONE/- -
    >> 1175775995.543 0 192.168.1.101 TCP_MISS/302 159 GET
    >> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    >> 1175775995.564 6 192.168.1.101 TCP_MISS/302 159 GET
    >> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    >> 1175775995.593 3 192.168.1.101 TCP_MISS/302 159 GET
    >> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
    >> 1175775995.685 110 192.168.1.101 TCP_MISS/503 1436 GET
    >> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    >> 1175775995.690 109 192.168.1.101 TCP_MISS/503 1436 GET
    >> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    >> 1175775995.690 105 192.168.1.101 TCP_MISS/503 1436 GET
    >> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    >> 1175775995.718 107 192.168.1.101 TCP_MISS/503 1436 GET
    >> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    >> 1175775995.805 112 192.168.1.101 TCP_MISS/503 1436 GET
    >> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    >> 1175775996.333 630 192.168.1.101 TCP_MISS/200 5441 POST
    >> http://storage.msn.com/storageservic...izedstore.asmx -
    >> DIRECT/207.46.219.35 text/xml

    >
    > I wonder if this is new or old log entries, try 'tail -f access.log'
    > when using the proxy.


    It doesn't change -- doesn't register anything new when I attempt to go
    to Google on a client machine configured to use the proxy. I'm pretty
    sure that means it's an old log, but it's stamped

    -rw-r----- 1 squid squid 533009 Apr 5 20:00 access.log

    Looks to me as if it's logging browsing activity on the server, but not
    the client.

    Currently says:

    # tail -f access.log
    1175823733.255 0 192.168.1.105 TCP_MISS/503 1581 GET http://www.shuttle.adams-lan.local/favicon.ico - DIRECT/www.shuttle.adams-lan.local text/html
    1175823757.060 105 192.168.1.105 TCP_MISS/503 1436 GET http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
    1175823837.594 120419 192.168.1.105 TCP_MISS/503 1428 GET http://www.localhost.com/ - DIRECT/10.11.12.13 text/html
    1175824274.609 105 192.168.1.105 TCP_MISS/503 1428 GET http://192.168.1.105/10000 - DIRECT/192.168.1.105 text/html
    1175824553.666 0 192.168.1.105 TCP_MISS/503 0 CONNECT 192.168.1.105:443 - DIRECT/192.168.1.105 -
    1175824553.835 0 192.168.1.105 TCP_MISS/503 0 CONNECT 192.168.1.105:443 - DIRECT/192.168.1.105 -
    1175824569.617 0 192.168.1.105 TCP_MISS/503 0 CONNECT 192.168.1.105:443 - DIRECT/192.168.1.105 -
    1175824841.419 146 192.168.1.105 TCP_MISS/503 1547 GET http://www.192.168.1.105/ads.shtml - DIRECT/www.192.168.1.105 text/html
    1175824841.507 0 192.168.1.105 TCP_MISS/503 1551 GET http://www.192.168.1.105/favicon.ico - DIRECT/www.192.168.1.105 text/html
    1175824854.021 50 192.168.1.105 TCP_MISS/200 1298 GET http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html

    Notice the reference to ads.shtml.

    BTW, it looks as if the client is getting into the proxy, then the proxy
    is reporting back that the website is taking too long to respond. Now,
    does that mean that the proxy just isn't allowing information back into
    the client? I'm getting really confused here.

    > Does "ads.shtml" work OK on your local web server ?


    Browsing to 192.168.1.105/ads.shtml from a browser on the server gets me
    my custom blocked page. From the client, it times out.

    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    Remember to say hello to your bank teller.

    --
    Posted via a free Usenet account from http://www.teranews.com
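
Added example, not part of any post in the thread: a small parser for Squid's native access.log format that answers the two questions raised above, namely whether the entries are old or new and which client addresses actually reach the proxy. It rejoins records that were broken across lines when pasted into a post; the sample records are taken from the thread, and the function names and the cutoff value are assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Sample records taken from the thread, broken across lines the way a
# news client wraps long lines.
SAMPLE = """\
1175775996.333 630 192.168.1.101 TCP_MISS/200 5441 POST
http://storage.msn.com/storageservic...izedstore.asmx -
DIRECT/207.46.219.35 text/xml
1175823757.060 105 192.168.1.105 TCP_MISS/503 1436 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
1175824553.666 0 192.168.1.105 TCP_MISS/503 0 CONNECT
192.168.1.105:443 - DIRECT/192.168.1.105 -
1175824854.021 50 192.168.1.105 TCP_MISS/200 1298 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
"""

# A native-format record starts with "<epoch seconds>.<milliseconds> ".
ENTRY_START = re.compile(r"^\d{9,10}\.\d{3}\s")


def rejoin_wrapped(text):
    """Merge continuation lines into the record they belong to."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_entry(record):
    """Split one native-format record into named fields; None if malformed."""
    f = record.split()
    if len(f) != 10 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    try:
        return {
            "time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "result": result, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "hierarchy": f[8],
        }
    except ValueError:
        return None


def summarize_clients(text):
    """Per client address: request count, newest timestamp, status codes."""
    summary = {}
    for record in rejoin_wrapped(text):
        entry = parse_entry(record)
        if entry is None:
            continue
        s = summary.setdefault(
            entry["client"],
            {"requests": 0, "last_seen": 0.0, "statuses": Counter()})
        s["requests"] += 1
        s["last_seen"] = max(s["last_seen"], entry["time"])
        s["statuses"][entry["status"]] += 1
    return summary


def utc(ts):
    """Render a log timestamp (epoch seconds) as UTC wall-clock time."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S")


def clients_since(text, cutoff):
    """Client addresses with at least one request at or after cutoff."""
    return sorted(c for c, s in summarize_clients(text).items()
                  if s["last_seen"] >= cutoff)


if __name__ == "__main__":
    for client, s in sorted(summarize_clients(SAMPLE).items()):
        print(client, s["requests"], "requests, last seen",
              utc(s["last_seen"]), "UTC, statuses", dict(s["statuses"]))
    # Hypothetical cutoff: a moment shortly before the second test session.
    print("active since cutoff:", clients_since(SAMPLE, 1175820000))
```

On the sample, only 192.168.1.105 (the proxy host itself) has entries after the cutoff; 192.168.1.101 was last seen more than thirteen hours earlier.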


  8. Re: Squid has gone kaput

    Mark Adams wrote:
    > foo wrote:
    >> Mark Adams wrote:
    >>>>

    > snip!
    >
    > Before we get started, I tinkered with the config enough to get the
    > proxy to work from the server -- I can configure Firefox to use the
    > proxy and browse as expected. Here are the lines I inserted/altered to
    > get it to work:
    >
    > http_access allow manager localhost
    > http_access allow Safe_ports
    > ######http_access deny manager <<<<<<< commented out


    Weird, I wonder if everyone agrees on who localhost is.

    > # Deny requests to unknown ports
    > ######http_access deny !Safe_ports
    > http_access allow !Safe_ports <<<<<<<<< Changed it to allow


    Your Safe_ports looked OK, I would think "deny !Safe_ports" is correct.

    > # Deny CONNECT to other than SSL ports
    > ######http_access deny CONNECT !SSL_ports
    > http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow


    Again, I would think "deny CONNECT !SSL_ports" is correct.

    > BTW, it looks as if the client is getting into the proxy, then the proxy
    > is reporting back that the website is taking too long to respond. Now,
    > does that mean that the proxy just isn't allowing information back into
    > the client? I'm getting really confused here.
    >
    >> Does "ads.shtml" work OK on your local web server ?

    >
    > Browsing to 192.168.1.105/ads.shtml from a browser on the server gets me
    > my custom blocked page. From the client, it times out.


    So a browser on the same system as squid works, but browsers on external
    systems do not contact squid at all.

    Are you using explicit proxy settings in the external browsers,
    or are you redirecting port 80 to 3128 (or 8080) via iptables
    on your internal interface?
    (Redirecting via iptables makes it a transparent proxy.)

    If your old config used the httpd_accel.... settings, this has
    also changed. You now use the "transparent" option on http_port.

    You may need also "httpd_accel_no_pmtu_disc on"
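
Added example, not part of any post in the thread: a first-match evaluator for the http_access rules quoted above, run against the rules as originally posted and as altered during troubleshooting. It models only the src, port, method and proto ACL types; the requests, including the 203.0.113.7 documentation address standing in for a host outside the LAN, are constructed for this illustration.

```python
import ipaddress

# ACLs from the squid.conf posted in the thread, limited to those that
# http_access refers to (the Safe_ports values are merged onto one line).
ACLS = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl mynetwork src 192.168.1.0/255.255.255.0
acl our_networks src 192.168.1.0/24
"""

# http_access rules as first posted.
POSTED = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mynetwork
http_access allow our_networks
http_access allow localhost
"""

# The same section after the changes made while troubleshooting.
ALTERED = """
http_access allow manager localhost
http_access allow Safe_ports
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow mynetwork
"""

# Constructed requests; 203.0.113.7 is a documentation-range address.
REQUESTS = {
    "LAN client, GET port 80": {"src": "192.168.1.101", "method": "GET", "port": 80, "proto": "http"},
    "LAN client, CONNECT port 443": {"src": "192.168.1.101", "method": "CONNECT", "port": 443, "proto": "http"},
    "outside host, GET port 80": {"src": "203.0.113.7", "method": "GET", "port": 80, "proto": "http"},
    "outside host, CONNECT port 25": {"src": "203.0.113.7", "method": "CONNECT", "port": 25, "proto": "http"},
    "outside host, cache manager": {"src": "203.0.113.7", "method": "GET", "port": 3128, "proto": "cache_object"},
}


def parse_acls(text):
    """Collect 'acl NAME TYPE value...' lines; repeated names add values."""
    acls = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls


def acl_matches(acls, name, req):
    """An ACL matches when any one of its values matches the request."""
    kind, values = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        ranges = (v.partition("-") for v in values)
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in ranges)
    if kind in ("method", "proto"):
        return req[kind] in values
    raise ValueError("ACL type not modelled: " + kind)


def http_access(acls, rules, req):
    """First rule whose ACLs all match decides; returns (action, rule)."""
    last = None
    for line in rules.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        last = parts[1]
        # A leading "!" negates the ACL; every term on the line must hold.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in parts[2:]):
            return parts[1], " ".join(parts)
    # Nothing matched: the opposite of the last rule applies (deny if no rules).
    return ("allow" if last == "deny" else "deny"), "(no rule matched)"


def compare():
    """Decision per constructed request: (as posted, as altered)."""
    acls = parse_acls(ACLS)
    return {label: (http_access(acls, POSTED, r)[0], http_access(acls, ALTERED, r)[0])
            for label, r in REQUESTS.items()}


if __name__ == "__main__":
    for label, (posted, altered) in compare().items():
        print(f"{label:32} posted={posted:6} altered={altered}")
```

Every request is either Safe_ports or !Safe_ports, so the altered rules allow all of them whatever the source address, cache manager requests included. That makes the altered rule set an open proxy, and it also means http_access cannot be what keeps a LAN client from getting through.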

  9. Re: Squid has gone kaput

    Mark Adams wrote:
    > foo wrote:
    >> Mark Adams wrote:
    >>>>

    > snip!
    >
    > Before we get started, I tinkered with the config enough to get the
    > proxy to work from the server -- I can configure Firefox to use the
    > proxy and browse as expected. Here are the lines I inserted/altered to
    > get it to work:
    >
    > http_access allow manager localhost
    > http_access allow Safe_ports
    > ######http_access deny manager <<<<<<< commented out
    > # Deny requests to unknown ports
    > ######http_access deny !Safe_ports
    > http_access allow !Safe_ports <<<<<<<<< Changed it to allow
    > # Deny CONNECT to other than SSL ports
    > ######http_access deny CONNECT !SSL_ports
    > http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
    > http_access allow mynetwork
    >
    > Still can't browse through the proxy from the client.
    >


    One more thing, try "always_direct allow all".
    I forgot about that one.

  10. Re: Squid has gone kaput

    foo wrote:
    > Mark Adams wrote:
    >> foo wrote:
    >>> Mark Adams wrote:
    >>>>>

    >> snip!
    >>
    >> Before we get started, I tinkered with the config enough to get the
    >> proxy to work from the server -- I can configure Firefox to use the
    >> proxy and browse as expected. Here are the lines I inserted/altered
    >> to get it to work:
    >>
    >> http_access allow manager localhost
    >> http_access allow Safe_ports
    >> ######http_access deny manager <<<<<<< commented out

    >
    > Weird, I wonder if everyone agrees on who localhost is.
    >


    Is there a test? The hosts file on the server includes this line:


    127.0.0.1 shuttle.adams-lan.local shuttle localhost

    Pinging localhost looks good:

    # ping localhost
    PING shuttle.adams-lan.local (127.0.0.1) 56(84) bytes of data.
    64 bytes from shuttle.adams-lan.local (127.0.0.1): icmp_seq=1 ttl=64
    time=0.058 ms


    >> # Deny requests to unknown ports
    >> ######http_access deny !Safe_ports
    >> http_access allow !Safe_ports <<<<<<<<< Changed it to allow

    >
    > Your Safe_ports looked OK, I would think "deny !Safe_ports" is correct.
    >
    >> # Deny CONNECT to other than SSL ports
    >> ######http_access deny CONNECT !SSL_ports
    >> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow

    >
    > Again, I would think "deny CONNECT !SSL_ports" is correct.


    Okay, on a whim I went back in and changed those two lines back to their
    defaults (deny). After "squid -k reconfigure" it seems the browser on
    the server still works as it is supposed to. So disregard this --
    denying those ports has no effect on the proxy's functioning. Needless
    to say, the client machine still can't get through the proxy.

    >
    >> BTW, it looks as if the client is getting into the proxy, then the
    >> proxy is reporting back that the website is taking too long to
    >> respond. Now, does that mean that the proxy just isn't allowing
    >> information back into the client? I'm getting really confused here.
    >>
    >>> Does "ads.shtml" work OK on your local web server ?

    >>
    >> Browsing to 192.168.1.105/ads.shtml from a browser on the server gets
    >> me my custom blocked page. From the client, it times out.

    >
    > So a browser on the same system as squid works, but browsers on external
    > systems do not contact squid at all.


    That is correct -- clients receive a time out.

    >
    > Are you using explicit proxy settings in the external browsers
    > or are you redirecting port 80 to 3128 (or 8080) via iptables
    > on your internal interface.
    > (redirecting via iptables makes it a transparent proxy).


    I am configuring the connection settings in the browser to connect to
    the proxy on port 8080. I am identifying the proxy server by IP address.
    I've tried it by hostname and that hostname does appear in the
    client's hosts file, but it makes no difference. I'm sticking with IP
    just because I have a wee bit more faith in it.

    >
    > If your old config used the httpd_accel.... settings, this has


    The httpd_accel option was set to off in the old config and is currently
    off by default in the new config.

    >> also changed. You now use the "transparent" option on http_port.
    >>

    > You may need also "httpd_accel_no_pmtu_disc on"


    I just tried that. It made no difference.

    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    The cost of living is going up, and the chance of living is going down.

    --
    Posted via a free Usenet account from http://www.teranews.com


  11. Re: Squid has gone kaput

    Mark Adams wrote:
    >>
    >> So a browser on the same system as squid works, but browsers on external
    >> systems do not contact squid at all.

    >
    > That is correct -- clients receive a time out.
    >
    >>
    >> Are you using explicit proxy settings in the external browsers
    >> or are you redirecting port 80 to 3128 (or 8080) via iptables
    >> on your internal interface?
    >> (redirecting via iptables makes it a transparent proxy).

    >
    > I am configuring the connection settings in the browser to connect to
    > the proxy on port 8080. I am identifying the proxy server by IP address.
    > I've tried it by hostname and that hostname does appear in the client's
    > hosts file, but it makes no difference. I'm sticking with IP just
    > because I have a wee bit more faith in it.


    Does 'netstat -an | grep -i listen | grep 8080' show your squid
    listening on the correct IP address?

    If not, you should use ip:port for http_port (instead of just port).


  12. Re: Squid has gone kaput

    foo wrote:
    > Mark Adams wrote:
    >> foo wrote:
    >>> Mark Adams wrote:
    >>>>>

    >> snip!
    >>
    >> Before we get started, I tinkered with the config enough to get the
    >> proxy to work from the server -- I can configure Firefox to use the
    >> proxy and browse as expected. Here are the lines I inserted/altered
    >> to get it to work:
    >>
    >> http_access allow manager localhost
    >> http_access allow Safe_ports
    >> ######http_access deny manager <<<<<<< commented out
    >> # Deny requests to unknown ports
    >> ######http_access deny !Safe_ports
    >> http_access allow !Safe_ports <<<<<<<<< Changed it to allow
    >> # Deny CONNECT to other than SSL ports
    >> ######http_access deny CONNECT !SSL_ports
    >> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
    >> http_access allow mynetwork
    >>
    >> Still can't browse through the proxy from the client.
    >>

    >
    > One more thing, try "always_direct allow all".
    > I forgot about that one.


    Okay, hold the phone:

    In an effort to do SOMETHING on my end, I exported the proxy into my
    environment (export http_proxy="http://192.168.1.105:8080") on the
    client and fired up Lynx just to see what would happen.

    Guess what -- Lynx had no problem browsing the Internet.

    Given this, I suspected Firefox as the culprit. I fired up Mozilla
    Seamonkey and configured the proxy connection in it. Surely the fact
    that these are both built around the Gecko engine (at least I think they
    still are) will tell the tale. It worked just fine. Grrr.

    Same thing with Konqueror. Grrr, grrr.

    Back to Firefox. I disabled Foxyproxy -- and lo, the angels did smile
    and it worketh like the most slippery of owl mucus.

    So what we appear to have here is a bug in a Firefox add-on. I'm
    tempted to complain somewhere, but I'm too tired. I've fought this thing
    all day and I'm just done.

    Foo, thanks for holding my hand through this. I appreciate your
    patience. The suggestions you made were good ones. It's been more than a
    year since I set Squid/squidGuard up and I learned a little by
    revisiting them today. Bottom line: Squid is caching and squidGuard is
    redirect... er rewriting urls.

    Have a good one, and thanks again.

    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    The biggest difference between time and space is that you can't reuse time.
    -- Merrick Furst

    --
    Posted via a free Usenet account from http://www.teranews.com
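
An added example, not part of any post in the thread: a small Python model of Squid's first-match http_access evaluation, run against the rule set quoted in post 12 and a constructed baseline with the two deny rules restored. The ACL values (Safe_ports, SSL_ports, a 192.168.1.0/24 mynetwork), the trailing "deny all", and the names decide and req are assumptions, since the thread does not show them.

```python
import ipaddress
# ACL values are assumptions (stock squid.conf defaults; the thread does not show them).
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 563, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 563}
MYNETWORK = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN of the 192.168.1.105 server
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: ipaddress.ip_address(r["src"]).is_loopback,
    "mynetwork": lambda r: ipaddress.ip_address(r["src"]) in MYNETWORK,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
}

# The http_access lines as altered in the thread (comments and "<<<" notes dropped).
ALTERED = """
http_access allow manager localhost
http_access allow Safe_ports
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow mynetwork
"""
# Constructed baseline: the two deny rules restored, ending in an assumed "deny all".
BASELINE = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mynetwork
http_access deny all
"""

def decide(conf, request):
    """Return (action, deciding rule) using first-match http_access semantics."""
    last = "allow"  # with no rules at all the result below is "deny"
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        last, acls = parts[1], parts[2:]
        # A rule matches only if every listed ACL matches; "!" negates one ACL.
        if all(ACLS[a.lstrip("!")](request) != a.startswith("!") for a in acls):
            return last, line.strip()
    # No rule matched: the opposite of the last rule's action applies.
    return ("deny" if last == "allow" else "allow"), "(no rule matched)"

def req(src, method, port, proto="http"):
    return {"src": src, "method": method, "port": port, "proto": proto}
```

With the altered rules a request from outside the LAN is allowed by "allow Safe_ports" or "allow !Safe_ports" before mynetwork is ever consulted. The baseline gives a LAN client the same browsing result, which matches what the poster saw after reverting the two lines.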


  13. Re: Squid has gone kaput

    foo wrote:
    > Mark Adams wrote:
    >>>
    >>> So a browser on the same system as squid works, but browsers on external
    >>> systems do not contact squid at all.

    >>
    >> That is correct -- clients receive a time out.
    >>
    >>>
    >>> Are you using explicit proxy settings in the external browsers
    >>> or are you redirecting port 80 to 3128 (or 8080) via iptables
    >>> on your internal interface?
    >>> (redirecting via iptables makes it a transparent proxy).

    >>
    >> I am configuring the connection settings in the browser to connect to
    >> the proxy on port 8080. I am identifying the proxy server by IP
    >> address. I've tried it by hostname and that hostname does appear in
    >> the client's hosts file, but it makes no difference. I'm sticking
    >> with IP just because I have a wee bit more faith in it.

    >
    > Does 'netstat -an | grep -i listen | grep 8080' show your squid
    > listening on the correct IP address?
    >
    > If not, you should use ip:port for http_port (instead of just port).
    >


    No, I checked that earlier -- squid is listening on 8080.

    BTW, it's resolved. See my other message.

    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    "I don't mind going nowhere as long as it's an interesting path."
    -- Ronald Mabbitt

    --
    Posted via a free Usenet account from http://www.teranews.com


  14. RESOLVED: Re: Squid has gone kaput

    This is just a bump because I forgot to put "RESOLVED" in the subject.

    Sorry to waste the space.

    Mark Adams wrote:
    > foo wrote:
    >> Mark Adams wrote:
    >>> foo wrote:
    >>>> Mark Adams wrote:
    >>>>>>
    >>> snip!
    >>>
    >>> Before we get started, I tinkered with the config enough to get the
    >>> proxy to work from the server -- I can configure Firefox to use the
    >>> proxy and browse as expected. Here are the lines I inserted/altered
    >>> to get it to work:
    >>>
    >>> http_access allow manager localhost
    >>> http_access allow Safe_ports
    >>> ######http_access deny manager <<<<<<< commented out
    >>> # Deny requests to unknown ports
    >>> ######http_access deny !Safe_ports
    >>> http_access allow !Safe_ports <<<<<<<<< Changed it to allow
    >>> # Deny CONNECT to other than SSL ports
    >>> ######http_access deny CONNECT !SSL_ports
    >>> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
    >>> http_access allow mynetwork
    >>>
    >>> Still can't browse through the proxy from the client.
    >>>

    >>
    >> One more thing, try "always_direct allow all".
    >> I forgot about that one.

    >
    > Okay, hold the phone:
    >
    > In an effort to do SOMETHING on my end, I exported the proxy into my
    > environment (export http_proxy="http://192.168.1.105:8080") on the
    > client and fired up Lynx just to see what would happen.
    >
    > Guess what -- Lynx had no problem browsing the Internet.
    >
    > Given this, I suspected Firefox as the culprit. I fired up Mozilla
    > Seamonkey and configured the proxy connection in it. Surely the fact
    > that these are both built around the Gecko engine (at least I think they
    > still are) will tell the tale. It worked just fine. Grrr.
    >
    > Same thing with Konqueror. Grrr, grrr.
    >
    > Back to Firefox. I disabled Foxyproxy -- and lo, the angels did smile
    > and it worketh like the most slippery of owl mucus.
    >
    > So what we appear to have here is a bug in a Firefox add-on. I'm
    > tempted to complain somewhere, but I'm too tired. I've fought this thing
    > all day and I'm just done.
    >
    > Foo, thanks for holding my hand through this. I appreciate your
    > patience. The suggestions you made were good ones. It's been more than a
    > year since I set Squid/squidGuard up and I learned a little by
    > revisiting them today. Bottom line: Squid is caching and squidGuard is
    > redirect... er rewriting urls.
    >
    > Have a good one, and thanks again.
    >



    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    My life is a patio of fun!

    --
    Posted via a free Usenet account from http://www.teranews.com


  15. Re: Squid has gone kaput

    Mark Adams wrote:
    > # squidGuard -d -c /etc/squid/squidGuard.conf
    > 2007-04-04 21:18:07 [13163] init iplist
    > /usr/share/squidGuard-1.2.0/db/privilegedsource/ips
    > 2007-04-04 21:18:07 [13163] init domainlist
    > /usr/share/squidGuard-1.2.0/db/ads/domains
    > 2007-04-04 21:18:07 [13163] loading dbfile
    > /usr/share/squidGuard-1.2.0/db/ads/domains.db
    > 2007-04-04 21:18:07 [13163] init urllist
    > /usr/share/squidGuard-1.2.0/db/ads/urls
    > 2007-04-04 21:18:07 [13163] loading dbfile
    > /usr/share/squidGuard-1.2.0/db/ads/urls.db
    > 2007-04-04 21:18:07 [13163] init domainlist
    > /usr/share/squidGuard-1.2.0/db/aggressive/domains
    > 2007-04-04 21:18:07 [13163] loading dbfile
    > /usr/share/squidGuard-1.2.0/db/aggressive/domains.db


    It looks like you are using the blacklist from



    These haven't been updated since 2005-11-19, so may not be much use any
    more! I've changed over to



    Mark Atherton

  16. Re: Squid has gone kaput

    Mark Atherton wrote:
    > Mark Adams wrote:
    >> # squidGuard -d -c /etc/squid/squidGuard.conf
    >> 2007-04-04 21:18:07 [13163] init iplist
    >> /usr/share/squidGuard-1.2.0/db/privilegedsource/ips
    >> 2007-04-04 21:18:07 [13163] init domainlist
    >> /usr/share/squidGuard-1.2.0/db/ads/domains
    >> 2007-04-04 21:18:07 [13163] loading dbfile
    >> /usr/share/squidGuard-1.2.0/db/ads/domains.db
    >> 2007-04-04 21:18:07 [13163] init urllist
    >> /usr/share/squidGuard-1.2.0/db/ads/urls
    >> 2007-04-04 21:18:07 [13163] loading dbfile
    >> /usr/share/squidGuard-1.2.0/db/ads/urls.db
    >> 2007-04-04 21:18:07 [13163] init domainlist
    >> /usr/share/squidGuard-1.2.0/db/aggressive/domains
    >> 2007-04-04 21:18:07 [13163] loading dbfile
    >> /usr/share/squidGuard-1.2.0/db/aggressive/domains.db

    >
    > It looks like you are using the blacklist from
    >
    >
    >
    >
    > These haven't been updated since 2005-11-19, so may not be much use any
    > more! I've changed over to
    >
    >
    >
    > Mark Atherton


    Ah, thanks for the tip. I have made that change in my script.


    --
    Mark E. Adams, 2004 -- drop the "dot" to email me.
    http://adamslan.shyper.com -*- Mandriva User# 263042

    CONSIDER: ===========---------,,,,,,,,,............. . . . . .
    A man does not look behind the door unless he has stood there himself.
    -- Du Bois

    --
    Posted via a free Usenet account from http://www.teranews.com

