[squid-users] Delay Class 3 - Squid (Amos Jeffries)

Jorge Visentini jorgevisentini at gmail.com
Mon Oct 27 17:28:02 UTC 2014


Hello Amos Jeffries!

I tried to use three parameters, but it did not work.

I did not understand why this is giving error...




2014-10-27 14:40 GMT-02:00 <squid-users-request at lists.squid-cache.org>:

> Send squid-users mailing list submissions to
>         squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
>         squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
>         squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Delay Class 3 - Squid (Amos Jeffries)
>    2. Re: Delay Class 3 - Squid (Amos Jeffries)
>    3. Re: Filtering keywords on google search (Cassiano Martin)
>    4. how to obtain info about actual active downloads?
>       (Frantisek Hanzlik)
>    5. Re: how to obtain info about actual active downloads?
>       (Antony Stone)
>    6. Re: how to obtain info about actual active downloads?
>       (Leonardo Rodrigues)
>    7. Re: Kerberos Authentication Failing for Windows 7+ with BH
>       gss_accept_sec_context() failed (Pedro Lobo)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 28 Oct 2014 01:01:34 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Delay Class 3 - Squid
> Message-ID: <544E341E.7080801 at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 28/10/2014 12:57 a.m., Jorge Visentini wrote:
> > Hello!
> >
> > Sorry my english.
> >
> > I'm racking my brain to figure out why the error.
> >
> > I've used a long time ago a rule delay pool but this time I am not
> > able to implement ...
> >
> > In my squid.conf looks like this:
> >
> > delay_pools 1 delay_class 1 3 delay_parameters 1 50000/50000
> > 24000/24000
>
> http://www.squid-cache.org/Doc/config/delay_parameters/
>
> class 1 pools only have one speed parameter. Not two.
>
>
> Amos
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iQEcBAEBAgAGBQJUTjQeAAoJELJo5wb/XPRjm0IH/3Fwh9VhfFOhpMfn1Z20ii2b
> 49SC9fhyMmVfoNdm49uOY9txb/7VDQpfRtb4yvNcAJJ+t0soNRlz8wcYrvJHeu52
> HMG1te3wySXVZgar/DzQbsI/k15Ar2uuUVmJJ/rkQextBjftqXF7HLXo6kBNRLG7
> xcwSSrtGy9SIY8yOZflz+4ANJr5Z1Fme1w2Cp88UXXBLuKXZ3JNeQrte06aRpJkn
> KwWQwSLwv3KGF48PbuLRD2M8flA/eFkoqg0VK0CRzjytGwxb/b0OIE9shl/GH2A0
> oEcWVowZHqAXSsSbbpW9GIyNpKoxjndY80VBijaTvvXj+tBQK2DaIse7e7NaEGc=
> =tJHs
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 28 Oct 2014 01:06:13 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Delay Class 3 - Squid
> Message-ID: <544E3535.7050805 at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 28/10/2014 1:01 a.m., Amos Jeffries wrote:
> > On 28/10/2014 12:57 a.m., Jorge Visentini wrote:
> >> Hello!
> >
> >> Sorry my english.
> >
> >> I'm racking my brain to figure out why the error.
> >
> >> I've used a long time ago a rule delay pool but this time I am
> >> not able to implement ...
> >
> >> In my squid.conf looks like this:
> >
> >> delay_pools 1 delay_class 1 3 delay_parameters 1 50000/50000
> >> 24000/24000
> >
> > http://www.squid-cache.org/Doc/config/delay_parameters/
> >
> > class 1 pools only have one speed parameter. Not two.
> >
>
> Meh, sorry. I mean class 3 has 3 parameters.
>
> Amos
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iQEcBAEBAgAGBQJUTjU1AAoJELJo5wb/XPRjHYAIAI2oAOpjZTgsTlbdz20LZW+k
> XAAAnm8QgJSDBI7ErmZAJ7AxJILfi2PR2M60411mN5AgrVYulofUriTebS13bguR
> g0aoFmVMBj003T70sNZWwSgyf18Gr9ewu5X6sOSu1IdQg6M9VMJFaUUMs+FFy2bs
> IOqfhEhkcszlz0wrmY+xhAxR7mm8qWenrRk47W6rQR90p5Ml5m6ha0cCyTMTo46H
> euojiX3JHvbFa3NtoOiNTmNOK7ZVt6bE/KTDSGobx6ehNtsUgKQgMBfyQ9ET2269
> x8/MBDBjpK3JSld0UF3CjTkF8eWZHLAC+/Y6ZRR1vY6ihXi5B4yK7+Ve0ZvK5eU=
> =7r5y
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 27 Oct 2014 11:05:33 -0200
> From: Cassiano Martin <cassiano at polaco.pro.br>
> To: Job <Job at colliniconsulting.it>
> Cc: "squid-users at squid-cache.org" <squid-users at squid-cache.org>
> Subject: Re: [squid-users] Filtering keywords on google search
> Message-ID:
>         <
> CAOoxthNmWSP7Xck4BpNxOO-wNNsGe3e4jkXgfvsLffeSbk9f2A at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I have some proof of concept on my github. it can be done thought  DNS
> hijacking. I modified a version of tinyproxy to enforce safe search.
> you can check it out on https://github.com/polaco1782/tinyproxy
>
> 2014-10-25 9:49 GMT-02:00 Job <Job at colliniconsulting.it>:
> > Hello, since Google switch definitely on SSL connection it seems there
> is no way to filter semantic (with danguardian, squidguard or squid).
> >
> > SSL Bump can help in this case, both on explicit or transparent proxying?
> >
> > Is there another way to filter searches (and image searches!)?
> >
> > Thank you!
> > Francesco
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 27 Oct 2014 14:32:39 +0100
> From: Frantisek Hanzlik <franta at hanzlici.cz>
> To: Squid users list <squid-users at squid-cache.org>
> Subject: [squid-users] how to obtain info about actual active
>         downloads?
> Message-ID: <544E4977.3050705 at hanzlici.cz>
> Content-Type: text/plain; charset=UTF-8
>
> Please, what is best way for determining who squid clients (their
> PC IP addresses) have which downloads active?
> I want it to determine which clients burden our slow internet line.
> Examining 'access.log' does not help much in this case, because users
> can download large files and it may take a few minutes or hours (e.g.
> in case of consuming some audio/video streams).
>
> I tried inspecting informations in 'Client-side Active Requests' menu
> in cachemgr.cgi, where are paragraphs as:
>
> Connection: 0x7f442037aa48
>         FD 94, read 5892, wrote 148211583
>         FD desc: Reading next request
>         in: buf 0x7f440efc9150, offset 0, size 4096
>         remote: 192.168.1.44:1631
>         local: 192.168.1.254:3128
>         nrequests: 7
> uri http://ice.abradio.cz/prachen64.mp3
> logType TCP_MISS
> out.offset 148178800, out.size 148179207
> req_sz 724
> entry 0x7f440d5d6220/A1AD3A830E803B23F9295A9BCB9C1949
> start 1414389495.929684 (18515.473233 seconds ago)
> username
> delay_pool 0
>
> which seems to contain the necessary items and it would not be a big
> problem adjust them to shorter form using e.g. awk or sed script,
> and this informations is possible obtain in batch with some as:
>
> wget -q -O - '
> http://localhost/Squid/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=active_requests
> '
> or
> lynx -dump '
> http://localhost/Squid/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=active_requests
> '
>
> But is this the correct way? Or Squid offers other tools for this
> case? Or is possible cachemgr.cgi supply/enwrap with some filter
> which output needed info in some customized format?
> We are using squid-3.3.13/Linux i686 now, it run on our LAN internet
> router, LAN has approx. twenty PCs.
>
> Thanks in advance, Franta Hanzlik
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 27 Oct 2014 14:47:00 +0100
> From: Antony Stone <Antony.Stone at squid.open.source.it>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] how to obtain info about actual active
>         downloads?
> Message-ID: <201410271447.00509.Antony.Stone at squid.open.source.it>
> Content-Type: Text/Plain;  charset="utf-8"
>
> On Monday 27 October 2014 at 14:32:39 (EU time), Frantisek Hanzlik wrote:
>
> > Please, what is best way for determining who squid clients (their
> > PC IP addresses) have which downloads active?
> > I want it to determine which clients burden our slow internet line.
> > Examining 'access.log' does not help much in this case, because users
> > can download large files and it may take a few minutes or hours (e.g.
> > in case of consuming some audio/video streams).
>
> I would use the tool 'iptraf', either running on your squid server, or on a
> machine which can sniff your internal network traffic (possibly with the
> use of a
> spanning port on the switch).
>
> That can give you real-time bandwidth measurements per IP address.
>
> Regards,
>
>
> Antony.
>
> --
> Anything that improbable is effectively impossible.
>
>  - Murray Gell-Mann, Nobel Prizewinner in Physics
>
>                                                    Please reply to the
> list;
>                                                          please *don't* CC
> me.
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 27 Oct 2014 14:37:43 -0200
> From: Leonardo Rodrigues <leolistas at solutti.com.br>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] how to obtain info about actual active
>         downloads?
> Message-ID: <544E74D7.2030104 at solutti.com.br>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 27/10/14 11:47, Antony Stone wrote:
> > On Monday 27 October 2014 at 14:32:39 (EU time), Frantisek Hanzlik wrote:
> >
> >> Please, what is best way for determining who squid clients (their
> >> PC IP addresses) have which downloads active?
> >> I want it to determine which clients burden our slow internet line.
> >> Examining 'access.log' does not help much in this case, because users
> >> can download large files and it may take a few minutes or hours (e.g.
> >> in case of consuming some audio/video streams).
> > I would use the tool 'iptraf', either running on your squid server, or
> on a
> > machine which can sniff your internal network traffic (possibly with the
> use of a
> > spanning port on the switch).
> >
> > That can give you real-time bandwidth measurements per IP address.
> >
>
>      I use this script:
>
> http://samm.kiev.ua/sqstat/
>
>      Set it to auto-update on 15/15 seconds, for example, and you'll
> have a great and easy way to evaluate active connections and high
> bandwidth use connections.
>
> --
>
>
>         Atenciosamente / Sincerily,
>         Leonardo Rodrigues
>         Solutti Tecnologia
>         http://www.solutti.com.br
>
>         Minha armadilha de SPAM, NÃO mandem email
>         gertrudes at solutti.com.br
>         My SPAMTRAP, do not email it
>
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 27 Oct 2014 16:39:17 +0000
> From: "Pedro Lobo" <palobo at gmail.com>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: squid-users at squid-cache.org
> Subject: Re: [squid-users] Kerberos Authentication Failing for Windows
>         7+ with BH gss_accept_sec_context() failed
> Message-ID: <94F74226-F24B-4910-95B7-B86ACE815995 at gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hey Everybody,
>
> Seems as though I celebrated too soon on Saturday. Today things are back
> to not working for Windows 7+ machines and XP/2003 machines are working
> just fine.
>
> I've also checked the permissions on the keytab file and they haven't
> changed since Saturday, so it's not that... ARGH!!!!
>
> Craving ideas and solutions right now... Pilot users are less than
> satisfied ;)
>
> Cheers,
> Pedro
>
> On 25 Oct 2014, at 14:13, Markus Moeller wrote:
>
> > Hi Pedro,
> >
> > I wonder if he upper case in the name is a problem. Can you try
> >
> > auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
> -r -s GSS_C_NO_NAME
> >
> > instead of
> >
> > auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
> -r -s HTTP/proxy01tst.fake.net
> >
> > Markus
> >
> > "Pedro Lobo" <palobo at gmail.com> wrote in message
> news:FD6832B9-3F1F-48C6-A76F-47A224F1697B at gmail.com...
> > Hi Markus,
> >
> > I used msktutil to create the keytab.
> >
> > msktutil -c -s HTTP/proxy01tst.fake.net -h proxy01tst.fake.net -k
> /etc/squid3/PROXY.keytab --computer-name proxy01-tst --upn HTTP/
> proxy01tst.fake.net --server srv01.fake.net --verbose
> > Output of klist -ekt:
> >
> > 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (arcfour-hmac)
> > 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes128-cts-hmac-sha1-96)
> > 2 10/24/2014 22:59:50 proxy01-tst$@FAKE.NET (aes256-cts-hmac-sha1-96)
> > 2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net at FAKE.NET (arcfour-hmac)
> > 2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net at FAKE.NET
> (aes128-cts-hmac-sha1-96)
> > 2 10/24/2014 22:59:50 HTTP/proxy01tst.FAKE.net at FAKE.NET
> (aes256-cts-hmac-sha1-96)
> > 2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net at FAKE.NET (arcfour-hmac)
> > 2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net at FAKE.NET
> (aes128-cts-hmac-sha1-96)
> > 2 10/24/2014 22:59:50 host/proxy01tst.FAKE.net at FAKE.NET
> (aes256-cts-hmac-sha1-96)
> > Yep, using MIT Kerberos
> >
> > Thanks in advance for any help.
> >
> > Cheers,
> > Pedro
> >
> > On 25 Oct 2014, at 1:26, Markus Moeller wrote:
> >
> > Hi Pedro,
> >
> > How did you create your keytab ? What does klist –ekt <squid.keytab>
> show ( I assume you use MIT Kerberos) ?
> >
> > Markus
> >
> > "Pedro Lobo" palobo at gmail.com wrote in message
> news:40E1E0E7-50C6-4117-94AA-50B06573430A at gmail.com...
> > Hi Squid Gurus,
> >
> > I'm at my wit's end and in dire need of some squid expertise.
> >
> > We've got a production environment with a couple of squid 2.7 servers
> using NTLM and basic authentication. Recently though, we decided to upgrade
> and I'm now setting up squid 3.3 with Kerberos and NTLM Fallback. I've
> followed just about every guide I could find and in my testing environment,
> things were working great. Now that I've hooked it up to the main domain,
> things are awry.
> >
> > If I use a machine that's not part of the domain, NTLM kicks in and I
> can surf the web fine. If I use a Windows XP or Windows Server 2003,
> kerberos works just fine, however, if I use a machine Windows 7, 8 or 2008
> server, I keep getting a popup asking me to authenticate and even then,
> it's and endless loop until it fails. My cache.log is littered with:
> >
> > negotiate_kerberos_auth.cc(200): pid=1607 :2014/10/24 23:03:01|
> negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more information.
> > 2014/10/24 23:03:01| ERROR: Negotiate Authentication validating user.
> Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS
> failure. Minor code may provide more information. '
> > The odd thing, is that this has worked before. Help me Obi Wan... You're
> my only hope! :)
> >
> > Current Setup
> > Squid 3.3 running on Ubuntu 14.04 server. It's connected to a 2003
> server with function level 2000 (I know, we're trying to fase out the older
> servers).
> >
> > krb5.conf
> >
> > [libdefaults]
> > default_realm = FAKE.NET
> > dns_lookup_kdc = yes
> > dns_lookup_realm = yes
> > ticket_lifetime = 24h
> > default_keytab_name = /etc/squid3/PROXY.keytab
> >
> > ; for Windows 2003
> > default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> > permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> >
> > [realms]
> > FAKE.NET = {
> > kdc = srv01.fake.net
> > kdc = srv02.fake.net
> > kdc = srv03.fake.net
> > admin_server = srv01.fake.net
> > default_domain = fake.net
> > }
> >
> > [domain_realm]
> > .fake.net = FAKE.NET
> > fake.net = FAKE.NET
> >
> > [logging]
> > kdc = FILE:/var/log/kdc.log
> > admin_server = FILE:/var/log/kadmin.log
> > default = FILE:/var/log/krb5lib.log
> > squid.conf
> >
> > auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d
> -r -s HTTP/proxy01tst.fake.net
> > auth_param negotiate children 20 startup=0 idle=1
> > auth_param negotiate keep_alive off
> >
> > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=FAKE.NET
> > auth_param ntlm children 10
> > auth_param ntlm keep_alive off
> > Cheers,
> > Pedro
> >
> > Cumprimentos
> > Pedro Lobo
> > Solutions Architect | System Engineer
> >
> > pedro.lobo at pt.clara.net
> > Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
> >
> > Claranet Portugal
> > Ed. Parque Expo
> > Av. D. João II, 1.07-2.1, 4º Piso
> > 1998-014 Lisboa
> > www.claranet.pt
> >
> > Empresa certificada ISO 9001, ISO 20000 e ISO 27001
> >
> >
> >
> ------------------------------------------------------------------------------
> >
> >
> ------------------------------------------------------------------------------
> >
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> >
> >
> ------------------------------------------------------------------------------
> >
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> > Cumprimentos
> > Pedro Lobo
> > Solutions Architect | System Engineer
> >
> > pedro.lobo at pt.clara.net
> > Tlm.: +351 939 528 827 | Tel.: +351 214 127 314
> >
> > Claranet Portugal
> > Ed. Parque Expo
> > Av. D. João II, 1.07-2.1, 4º Piso
> > 1998-014 Lisboa
> > www.claranet.pt
> >
> >
> >
> >
> >
> > Empresa certificada ISO 9001, ISO 20000 e ISO 27001
> >
> >
> >
> >
> >
> --------------------------------------------------------------------------------
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://lists.squid-cache.org/pipermail/squid-users/attachments/20141027/219e87ff/attachment.html
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 536 bytes
> Desc: OpenPGP digital signature
> URL: <
> http://lists.squid-cache.org/pipermail/squid-users/attachments/20141027/219e87ff/attachment.sig
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 2, Issue 97
> ******************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141027/cdb0b866/attachment-0001.html>


More information about the squid-users mailing list