--- squid-2.7.STABLE3.orig/debian/README.Debian +++ squid-2.7.STABLE3/debian/README.Debian @@ -0,0 +1,115 @@ + +The squid homepage is at http://www.squid-cache.org/ +Squid was downloaded from that site with HTTP. + +**** Configuration File **** + +The upstream squid.conf contains ACLs so that squid denies all +requests by default, forcing you to configure it first. The Debian +package allows access from 'localhost'. To use it you need to +configure your browser to use proxyserver 'localhost', port 3128. + +Please see /usr/share/doc/squid/example/squid.conf for documentation +on the configuration file. + +You can increase the maximum number of filedescriptors that squid +uses through /etc/default/squid. See the README.morefds file. + +You can also run squid with a userid different from root from the beginning +(no just dropping root privileges after running). To do so add a CHUID=user +line in /etc/default/squid where 'user' is the user you want squid to run +as. Please adjust permission accordingly, expecially for squid.conf that +is installed as root with permission set to 0600. + +The default /etc/squid/squid.conf file turns off icmp, htcp and snmp. + +Note that the syntax of the command line arguments to auth_ldap +changed in 2.4.2 (relative to 2.3.4-2 to 2.4.1-6). See README.ldap_auth + +**** Patches applied and build-time options **** + +A number of patches were applied using dpatch. A lot of them are Debian +specific, you will not find them outside of Debian (yet). + +cf.data.debian.patch Debian specific squid.conf patches +dfl-error-dir.patch Default error dir is under /usr/share/squid + for Debian +no_append_domain_localhost.patch + Don't apply "append_domain" setting to "localhost" + in unqualified URLs. +smb_auth.patch Read password with '-r' so backslashes work +syslog.patch Log to daemon.log instead of local4.log +unlinkd.patch Compile in unlinkd support even with async io +manpages.patch Fixed a wrong reference to the config file + + +Squid was compiled with the following options: + +config.status: + ./configure \ + --prefix=/usr \ + --exec_prefix=/usr \ + --bindir=/usr/sbin --sbindir=/usr/sbin \ + --libexecdir=/usr/lib/squid \ + --sysconfdir=/etc/squid \ + --localstatedir=/var/spool/squid \ + --datadir=/usr/share/squid \ + --enable-linux-netfilter [1] + --enable-storeio=ufs,aufs,diskd,null \ [1] + --enable-arp-acl \ [1] + --enable-removal-policies=lru,heap \ + --enable-snmp \ + --enable-delay-pools \ + --enable-htcp \ + --enable-poll \ + --enable-cache-digests \ + --enable-underscores \ + --enable-referer-log \ + --enable-useragent-log \ + --enable-auth="basic,digest,ntlm" \ + --enable-carp \ + --enable-large-files \ + $(arch)-debian-$(system) + +Where $(arch) is i386 or alpha or sparc etc and $(system) is linux or hurd. + +[1] For the Hurd squid is compiled without netfilter, arp-acl, + aufs and pthread support + +Furthermore the following flags were passed to the squid Makefile +to customize some locations: + +bindir = /usr/sbin +libexecdir = /usr/lib/squid +sysconfdir = /etc/squid +logdir = /var/log/squid +docdir = /usr/share/doc/squid +datadir = /usr/share/squid + +DEFAULTS = logdir=$(logdir) \ +DEFAULT_CACHE_LOG=$(logdir)/cache.log \ +DEFAULT_ACCESS_LOG=$(logdir)/access.log \ +DEFAULT_STORE_LOG=$(logdir)/store.log \ +DEFAULT_PID_FILE=/var/run/squid.pid \ +DEFAULT_SWAP_DIR=/var/spool/squid \ +DEFAULT_ICON_DIR=$(datadir)/icons \ +DEFAULT_ERROR_DIR=$(datadir)/errors/English \ +DEFAULT_MIME_TABLE=$(datadir)/mime.conf \ +DEFAULT_MIB_PATH=$(datadir)/mib.txt + +So squid uses the following paths: + +- configfile: /etc/squid/squid.conf +- binary: /usr/sbin/squid +- private dir: /usr/share/squid (mime.conf, error messages, modules) +- logfiles: /var/log/squid +- cache: /var/spool/squid + +**** TroubleShooting **** + +If you are in doubt as to why squid doesn't cache a certain +object or webpage, you can try the "cacheability service" at +http://www.ircache.net/cgi-bin/cacheability.py . It will check +an URL for you and tell you if it is or isn't cachable and why. + + -- Luigi Gangitano , Mon, 04 Aug 2004 18:08:00 +0200 --- squid-2.7.STABLE3.orig/debian/squid-cgi.8 +++ squid-2.7.STABLE3/debian/squid-cgi.8 @@ -0,0 +1,13 @@ +.TH SQUID-CGI 8 "Januari 1998" "Squid CGI Interface" "Debian Linux" +.SH NAME +squid-cgi \- CGI interface to squid +.SH SYNOPSIS +.B /usr/lib/cgi-bin/squid-cgi +.SH DESCRIPTION +.B Squid-cgi +is a CGI program that can be used as a WWW-based frontend to the +squid object cache. It should be run as a CGI script through your +WWW server. +.PP +.SH "SEE ALSO" +.BR squid (8) --- squid-2.7.STABLE3.orig/debian/squid.overrides +++ squid-2.7.STABLE3/debian/squid.overrides @@ -0,0 +1,7 @@ +squid: non-standard-dir-perm var/log/squid/ 0750 != 0755 +squid: non-standard-dir-perm var/spool/squid/ 0750 != 0755 +squid: non-standard-setuid-executable-perm usr/lib/squid/getpwnam_auth 2754 +squid: non-standard-setuid-executable-perm usr/lib/squid/pam_auth 2754 +squid: setgid-binary usr/lib/squid/pam_auth 2754 proxy/shadow +squid: setgid-binary usr/lib/squid/getpwnam_auth 2754 proxy/shadow + --- squid-2.7.STABLE3.orig/debian/getFAQ.sh +++ squid-2.7.STABLE3/debian/getFAQ.sh @@ -0,0 +1,9 @@ +#! /bin/sh +# +# Get the latest FAQ from the www.squid-cache.org site using lynx. +# + +cd doc || exit 1 +lynx -dump http://wiki.squid-cache.org/SquidFaq/CompleteFaq > CompleteFaq +lynx -dump http://wiki.squid-cache.org/SquidFaq/CacheManager > CacheManagerFaq + --- squid-2.7.STABLE3.orig/debian/preinst +++ squid-2.7.STABLE3/debian/preinst @@ -0,0 +1,55 @@ +#! /bin/sh + +set -e + +# Source debconf library. +. /usr/share/debconf/confmodule +db_version 2.0 + +case "$1" in + upgrade|install-upgrade) + ;; + abort-upgrade) + exit 0 + ;; +esac + +# +# See if we upgraded from < 2.5.5-3 and need to move config file +# +if ([ "$1" = upgrade ] && dpkg --compare-versions "$2" le '2.5.5-3' ) +then + if [ -e /etc/squid.conf ] + then + if [ ! -d /etc/squid ] + then + mkdir /etc/squid + fi + if [ -e /etc/squid/squid.conf ] + then + mv /etc/squid/squid.conf /etc/squid/squid.conf.dpkg-old + fi + mv /etc/squid.conf /etc/squid/squid.conf + touch /etc/squid/conffile-moved + fi +fi + +# +# Add the "proxy" user/group to /etc/passwd if needed. +# + +if ! grep -q "^proxy:" /etc/passwd +then + # + # Let's hope that this works; if /var/spool/squid is + # already present this fails :( + # + adduser --system --home /var/spool/squid --group proxy + # + # Change the shell so that cron jobs will work. + # (They run as root now, but you can never know). + # + chsh -s /bin/sh proxy +fi + +exit 0 --- squid-2.7.STABLE3.orig/debian/prerm.squid-cgi +++ squid-2.7.STABLE3/debian/prerm.squid-cgi @@ -0,0 +1,13 @@ +#!/bin/sh + +set -e + +case "$1" in + remove|upgrade) + [ -L /usr/doc/squid-cgi ] && rm -f /usr/doc/squid-cgi + ;; + *) + ;; +esac + +exit 0 --- squid-2.7.STABLE3.orig/debian/watch +++ squid-2.7.STABLE3/debian/watch @@ -0,0 +1,2 @@ +version=2 +http://www.squid-cache.org/Versions/v2/2.7/squid-(.?\..?\.STABLE.{1,2})\.tar\.gz --- squid-2.7.STABLE3.orig/debian/squid.resolvconf +++ squid-2.7.STABLE3/debian/squid.resolvconf @@ -0,0 +1,4 @@ +#!/bin/sh + +# Make squid aware of changes to resolv.conf +invoke-rc.d squid reload || true --- squid-2.7.STABLE3.orig/debian/changelog +++ squid-2.7.STABLE3/debian/changelog @@ -0,0 +1,2221 @@ +squid (2.7.STABLE3-4.1~bpo40+1) etch-backports; urgency=low + + * Backport to etch + - Depend on libgssapi-dev instead of libgssglue-dev + + -- Luigi Gangitano Thu, 12 Feb 2009 00:59:54 +0100 + +squid (2.7.STABLE3-4.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Include upstream patch to fix DoS via error in request processing + code (Closes: #514142) + + -- Steffen Joeris Thu, 05 Feb 2009 18:28:57 +0000 + +squid (2.7.STABLE3-4) unstable; urgency=low + + * debian/rules + - Limit parallel building to the build: section (Closes: #512512) + + -- Luigi Gangitano Wed, 2 Feb 2009 02:53:03 +0100 + +squid (2.7.STABLE3-3) unstable; urgency=low + + * debian/patches/61-upgrade-http0.9-option + - Added upstream patch adding an option that fixes issue with streaming + (Closes: #512287) + + * debian/logrotate + - Removed reference to /usr/sbin/sarg-maint which is not in sarg anymore + (Closes: 462932) + + * debian/squid.overrides + - Updated override of lintian warnings for setgid binaries needed for auth + + * debian/squid.resolvconv + - Call init.d script using invoke-rc.d + + -- Luigi Gangitano Wed, 21 Jan 2009 01:35:06 +0100 + +squid (2.7.STABLE3-2) unstable; urgency=low + + * debian/squid.rc + - Added status action in rc script (Closes: #492131) + - Changed reload action to -k reconfigure (Closes: #506985) + + * debian/patches/01-cf.data.debian + - Added proper defaults to use as APT proxy (Closes: #491151) + + * debian/patches/59-forward-assert + - Added two upstream patches fixing asserts in forward.c (Closes: #503692) + + * debian/patches/60-dns-queue + - Added two upstream patches fixing DNS queue issues with stuck queries and + large DNS responses over TCP + + * debian/{postrm,postrm.squid-cgi,preinst,postinst} + - Added set -e line to make lintian happy + + * debian/postinst + - Removed path from squid invocation to make lintian happy + + * debian/rules + - Added standard interpretation of DEB_BUILD_OPTIONS=parallel=n + + * debian/control + - Bumped Standard-Version to 3.8.0 + + -- Luigi Gangitano Fri, 9 Jan 2009 05:29:31 +0200 + +squid (2.7.STABLE3-1) unstable; urgency=low + + * New upstream release (Closes:#489405) + + * debian/po/pt.po + - Updated Portuguese debconf translation, thanks to Luis Matos + (Closes: #488572) + + * debian/{control,rules} + - Enable kerberos auth support (Closes: #487880) + + * debian/patches/01-cf.data.debian + - Removed patch integrated upstream fixing extra whitespace + + -- Luigi Gangitano Sun, 06 Jul 2008 10:52:31 +0200 + +squid (2.7.STABLE2-2) unstable; urgency=low + + * debian/NEWS.Debian + - Added list of configuration directives changed in 2.7 + + -- Luigi Gangitano Sun, 01 Jun 2008 04:26:32 +0200 + +squid (2.7.STABLE2-1) unstable; urgency=low + + * New upstream release + - Removed previously integrate upstream patches + + 58-delay-pools-compile + - Added new unblocking log daemon logfile-daemon + + * debian/patches/01-cf.data.debian + - Removed extra white space in logformat example (Closes: #479904) + + * debian/squid.rc + - Added automatic coss file creation (Closes: #479441) + + * debian/{control,rules} + - Remove squidclient binary package, it will be provided by squid3 sources + + -- Luigi Gangitano Sun, 01 Jun 2008 02:50:48 +0200 + +squid (2.7.STABLE1-1) unstable; urgency=low + + * New upstream release (Closes: #483547) + + * debian/patches/01-cf.data.debian + - Adapted debian-specific configurations + + * debian/patches/58-delay-pools-compile + - Added a couple of upstream patches fixing compilaton of delay pools + + -- Luigi Gangitano Thu, 29 May 2008 16:56:26 +0200 + +squid (2.6.20-1) unstable; urgency=low + + * New upstream release + + * debian/po/eu.po + - Added Basque translation, thanks to Piarres Beobide + (Closes: #476737) + + -- Luigi Gangitano Sat, 03 May 2008 17:49:31 +0200 + +squid (2.6.19-1) unstable; urgency=low + + * New upstream release + + * debian/squid.rc + - Disable default to syslog, which does blocking writes. To re-enable + ovverride SQUID_ARGS in /etc/default/squid. (Closes: #462581) + + * debian/postinst.squidclient + - Removed empty postinst script + + * debian/rules + - Removed empty /usr/bin directory in squid package + + * debian/copyright + - Added upstream copyright notice + + -- Luigi Gangitano Sun, 30 Mar 2008 23:27:22 +0200 + +squid (2.6.18-1) unstable; urgency=low + + * New upstream release + - Updated watch file + + * debian/rules + - Fixed warning suppression in clean target + + * debian/control + - Moved homepage information to Homepage field + - Bumped Standard-Version to 3.7.3, no change needed + + -- Luigi Gangitano Fri, 11 Jan 2008 14:02:02 +0100 + +squid (2.6.17-1) unstable; urgency=low + + * New upstream release + - Updated watch file + + * debian/squid.rc + - Fixed startup when using COSS storage method (Closes: #446861) + - Fixed missing arguments when creating cache directory (Closes: #452230) + + * debian/control + - Changed libdb4.4-dev build-dependency to libdb-dev + + * debian/patches/07-manpage + - Fixed wrong reference to example config file (Closes: #451423) + + * debian/po/gl.po + - Updated Galician debconf translation, thanks to Jacobo Tarrio + (Closes: #444761) + + * debian/po/fi.po + - Updated Finnish debconf translation, thanks to Esko Arajärvi + (Closes: #453666) + + -- Luigi Gangitano Sun, 02 Dec 2007 20:02:55 +0100 + +squid (2.6.16-1) unstable; urgency=low + + * New upstream release + - Updated debian/watch + - Removed patches integreated upstream: + + debian/patches/57-capability-test + + * debian/patches/01-cf.data.pre + - Updated to match upstream changes in documentation + + -- Luigi Gangitano Fri, 21 Sep 2007 00:40:50 +0200 + +squid (2.6.15-2) unstable; urgency=low + + * debian/po/es.po + - Updated Spanish Debconf translation (thanks to Javier Fernandez-Sanguino) + + * debian/po/bg.po + - Updated Bulgarian Debconf translation (thanks to Damyan Ivanov) + (Closes: #441862) + + -- Luigi Gangitano Thu, 06 Sep 2007 16:17:35 +0200 + +squid (2.6.15-1) unstable; urgency=low + + * New upstream release + - Updated debian/watch + + * debian/patches/01-cf.data.pre + - Updated to match upstream changes in documentation + + * debian/patches/57-capability-test + - Added upstream patch fixing test for sys/capability.h + + * debian/control + - Removed unneeded dependency on essential package coreutils + + -- Luigi Gangitano Tue, 04 Sep 2007 16:40:35 +0200 + +squid (2.6.14-3) unstable; urgency=low + + * debian/po/it.po + - Updated Italian Debconf translation + + * debian/po/ca.po + - Updated Catalan Debconf translation (thanks to Miguel Gea Milvaques) + (Closes: #440404) + + * debian/po/vi.po + - Updated Vietnamese Debconf translation (thanks to Clytie Siddall) + + * debian/po/fr.po + - Updated French Debconf translation (thanks to Michel Grentzinger and + Christian Perrier) (Closes: #440503) + + * debian/po/sv.po + - Updated Swedish Debconf translation (thanks to Daniel Nylander) + + * debian/po/ta.po + - Updated Tamil Debconf translation (thanks to Tirumurti Vasudevan) + + * debian/po/de.po + - Updated German Debconf translation (thanks to Helge Kreutzmann) + (Closes: #440435) + + * debian/po/ru.po + - Updated Russian Debconf translation (thanks to Sergey Alyoshin) + + * debian/po/cs.po + - Updated Czech Debconf translation (thanks to Viktor Matys) + + * debian/po/ja.po + - Updated Japanese Debconf translation (thanks to Kenshi Muto) + (Closes: #440621) + + * debian/po/sk.po + - Added Slovak Debconf translation (thanks to Ivan Masár) + (Closes: #440726) + + * debian/control + - Changed squid-cgi dependency from apache to apache2 + + -- Luigi Gangitano Sat, 01 Sep 2007 02:05:04 +0200 + +squid (2.6.14-2) unstable; urgency=low + + * debian/watch + - Updated Debian version + + * debian/rules + - Removed unconditionl strip option on pam_auth and getpwnam_auth. + (Closes: #438043) + + * debian/templates + - Fixed minor error in debconf template (Closes: #428589) + + -- Luigi Gangitano Sun, 22 Jul 2007 19:03:10 +0200 + +squid (2.6.14-1) unstable; urgency=low + + * New upstream release + + * debian/patches/01-cf.data.debian + - Updated debian defaults reflecting upstream changes + + -- Luigi Gangitano Sun, 22 Jul 2007 15:35:48 +0200 + +squid (2.6.13-2) unstable; urgency=low + + - debian/rules + * Install NEWS.Debian with the right name (Closes: #426474) + + - debian/{templates,postinst,preinst,postinst.squid-cgi} + * Remove obsolete templates and checks (Closes: #423955) + + http_anonymizer + + anonymize_headers + + old_version + + cachemgr + + authenticate_program + + - debian/postinst.squid-cgi + * Removed, since unused + + - debian/{templates,control} + * Applied debconf templates patch from debian-l10n-english + contributors (thaks to Christian Perrier) (Closes: #427328) + + - debian/po/sv.po + * Updated Swedish debconf translation (thanks to Daniel Nylander) + (Closes: #427790) + + - debian/po/gl.po + * Updated Galician debconf translation (thanks to Jacobo Tarrio) + (Closes: #427767) + + - debian/po/bg.po + * Added Bulgarian debconf translation (thanks to Damyan Ivanov) + (Closes: #427761) + + - debian/po/ja.po + * Updated Japanese debconf translation (thanks to Kenshi Muto) + (Closes: #427863) + + - debian/po/es.po + * Updated Spanish debconf translation (thanks to Javier + Fernandez-Sanguino Pena) (Closes: #427869) + + - debian/po/cs.po + * Updated Czech debconf translation (thanks to Viktor Matys) + (Closes: #427926) + + - debian/po/ta.po + * Added Tamil debconf translation (thanks to Tirumurti Vasudevan) + (Closes: #428119) + + - debian/po/ca.po + * Updated Catalan debconf translation (thanks to Miguel Gea Milvaques) + (Closes: #428721) + + - debian/po/de.po + * Updated German debconf translation (thanks to Helge Kreutzmann) + (Closes: #428588) + + - debian/po/fr.po + * Updated French debconf translation (thanks to Michel Grentzinger) + (Closes: #428456) + + - debian/po/it.po + * Updated Italian debconf translation + + - debian/po/nl.po + * Updated Dutch debconf translation + + - debian/po/nl.po + * Updated French debconf translation (thanks to Michel Grentzinger) + (Closes: #428456) + + - debian/po/pt.po + * Updated Portugues debconf translation (thanks to Traduz - Portuguese + Translation Team) (Closes: #428200) + + - debian/po/pt_BR.po + * Updated Brazilian debconf translation (thanks to Herbert P Fortes Neto) + (Closes: #429868) + + - debian/po/ru.po + * Updated Russian debconf translation (thanks to Sergey Alyoshin) + (Closes: #429615) + + - debian/po/vi.po + * Updated Russian debconf translation (thanks to Clytie Siddall) + (Closes: #430628) + + -- Luigi Gangitano Sat, 29 Jun 2007 16:31:55 +0200 + +squid (2.6.13-1) unstable; urgency=low + + * New upstream release + + * debian/watch + - Updated local version to 2.6.STABLE13 + + * debian/{doc/FAQ*,getFAQ.sh,rules,doc/cachemgr.*} + - Updated FAQs and cachemgr documentation + - Compress documentation + + * debian/doc/README.maxfds + - Updated documentation on maximum filedescriptor setting + + * debian/doc/README.transparent-proxy + - Updated documentation on transparent proxy configuration in squid-2.5 + (Closes: #420168) + + * debian/po/pt_BR.po + - Updated Brazilian Portuguese (pt_BR) debconf translation, thanks to + André Luís Lopes (Closes: #421530) + + * debian/control + - Addedd suggestion on winbind to support NTLM authentication + + * debian/patches/01-cf.data.debian + - Reverted cache_effective_group patch enabling default support for + winbindd NTLM authentication (Closes: #307257) + + * debian/postinst + - Add proxy user to winbindd_priv group if winbind is installed + + * debian/templates + - Fixed templates to make lintian happy + + -- Luigi Gangitano Sat, 12 May 2007 17:21:05 +0200 + +squid (2.6.12-3) unstable; urgency=low + + * debian/rules + - Fix typo in ./configure invocation really setting MAXFD + (Closes: #421020) + + * debian/control + - Fix strict dependecy on squid-common (= ${Source-Version}) that makes + bin-NMU impossible + + -- Luigi Gangitano Sat, 28 Apr 2007 17:06:26 +0200 + +squid (2.6.12-2) unstable; urgency=low + + * Upload to unstable + + * debian/watch + - Updated local version to 2.6.STABLE12 + + -- Luigi Gangitano Tue, 27 Mar 2007 00:19:16 +0200 + +squid (2.6.12-1) experimental; urgency=low + + * New upstream release + - Fixes DoS caused by assertion on TRACE requests (Ref: CVE-2007-1560) + + -- Luigi Gangitano Mon, 26 Mar 2007 23:57:52 +0200 + +squid (2.6.11-1) experimental; urgency=low + + * New upstream release + - Fixes Release Notes reference to accelerated (Closes: #380447) + + -- Luigi Gangitano Sat, 17 Mar 2007 14:34:17 +0100 + +squid (2.6.10-1) experimental; urgency=low + + * New upstream release + - Removed patched integreated upstream: + + 51-htcp-assert.dpatch + + 52-hosts-overflow.dpatch + + 53-coss-assert.dpatch + + 54-aufs-assert.dpatch + + 55-ftp-segfault.dpatch + + 56-external-acl-crash.dpatch + + * debian/{rules,squid.rc,default.squid} + - Removed limit to 4096 maximum file descriptors. New limit 65536. + + * debian/rules + - Added --enable-follow-x-forwarded-for option (Closes: #408155) + - Moved MIB file to /usr/share/snmp/mibs (Closes: #310601) + + * debian/README.Debian + - Fixed wrong reference to /usr/share/doc/squid/examples/squid.conf + (Closes: #407710) + + * debian/patches/01-cf.data.pre.debian + - Added default extensions_method support for SVN (Closes: 413710) + + -- Luigi Gangitano Sat, 10 Mar 2007 21:09:44 +0100 + +squid (2.6.5-6) unstable; urgency=high + + * Urgency high due to security issue + + * debian/patches/57-trace-assert.dpatch + - Added upstream patch to fix DoS bug cause by assertion on TRACE requests + (SECURITY Ref: CVE-2007-1560) + + -- Luigi Gangitano Sat, 10 Mar 2007 20:43:42 +0100 + +squid (2.6.5-5) unstable; urgency=low + + * debian/rules + - Fixed permissions of /usr/lib/squid +s files (Closes: #413709) + + * debian/po/gl.po + - Added Galician debconf translation (Thanks to Jacobo Tarrio) + (Closes: #411829) + + -- Luigi Gangitano Sat, 10 Mar 2007 20:01:12 +0100 + +squid (2.6.5-4) unstable; urgency=high + + * Urgency high due to security issues + + * debian/patches/55-ftp-segfault.dpatch + - Added upstream patch fixing DoS on specially crafted ftp urls + (Closes: #407202) (Ref: SA23767) + + * debian/patches/56-external-acl-crash + - Added upstream patch fixing external-acl crashing on high load + conditions (Ref: CVE-2007-0248) + + -- Luigi Gangitano Wed, 17 Jan 2007 00:12:42 +0100 + +squid (2.6.5-3) unstable; urgency=low + + * debian/po/es.po + - Updated Spanish debconf translation, thanks to Javier Fernàndez-Sanguino + Peña (Closes: #402677) + + * debian/po/pt.po + - Added Portuguese debconf translation, thanks to Miguel Figueiredo + (Closes: #399929) + + -- Luigi Gangitano Wed, 27 Dec 2006 15:33:21 +0100 + +squid (2.6.5-2) unstable; urgency=low + + * debian/rules + - Remove mispelled configure option enablig TPROXY support + (TPROXY support is NOT enabled since it needs kernel patches which + are not in the kernel sources distributed by debian) + + * debian/control + - Upgraded Standard-Version to 3.7.2.2 (no change needed) + - Added Dependency on apache | httpd + + * debian/postinst + - Removed bashism + + * debian/squid.rc + - Added LSB INIT section + + * debian/squidclient.1 + - Fixed syntax errors in man page + + -- Luigi Gangitano Fri, 17 Nov 2006 13:52:58 +0100 + +squid (2.6.5-1) unstable; urgency=low + + * New upstream release + - Removed patched integreated upstream: + + 50-coss-compile.patch + + * debian/watch + - Updated local version + + * debian/patches/51-htcp-assert + - Included upstream patch fixing error with big htcp packets + + * debian/patches/52-hosts-overflow + - Included upstream patch fixing buffer overflow (Closes: #392866) + + * debian/patches/53-coss-assert + - Included upstream patch fixing error while restarting a coss-enabled squid + + * debian/patches/54-aufs-assert + - Included upstream patch removing an assert causing squid to fail while + using aufs + + -- Luigi Gangitano Mon, 6 Nov 2006 11:22:53 +0100 + +squid (2.6.4-2) unstable; urgency=low + + * debian/squid.rc + - Fixed invoke-rc.d call on upgrade (Closes: #392713) + + * debian/patches/50-coss-compile.patch + - Added upstream patch to fix compile time failure when aufs is enabled + and coss is not. (Closes: #390934) + + * debian/patches/01-cf.data.pre + - Reverted patch for default group setting. Make the default configuration + file setting the effective group instead setting it in sources. + (Closes: #381191) + + * debian/rules + - Enabled coss storage method for Debian GNU/KfreeBSD + - Added DEB_BUILD_OPTIONS dependent optimization and install options, + allowing for easy builing of unstripped binary packages as per Policy + 10.1. (Closes: #384616) + - Removed RunCache script installation + + -- Luigi Gangitano Fri, 13 Oct 2006 18:08:55 +0200 + +squid (2.6.4-1) unstable; urgency=low + + * New upstream release (Closes: #389536) + + * debian/rules + - Enabled coss store option + + -- Luigi Gangitano Tue, 26 Sep 2006 15:15:26 +0200 + +squid (2.6.3-1) unstable; urgency=low + + * New upstream release (Closes: #383763) + + * debian/control + - Update Build-Depend on libdb4.4-dev + + -- Luigi Gangitano Tue, 22 Aug 2006 19:34:59 +0200 + +squid (2.6.2-1) unstable; urgency=low + + * New upstream release + - Removed patches that have been integrated upstream: + + debian/patches/49-xstrdup + + debian/patches/48-kfreebsd-kqueue + - Fixes 100% CPU usage on diskd fail (Closes: #380181) + - Fixes error on double definition of redirectors (Closes: #370108) + + * debian/doc/FAQ* + - Updated FAQs + + -- Luigi Gangitano Wed, 2 Aug 2006 03:02:07 +0200 + + +squid (2.6.1-4) unstable; urgency=low + + * debian/control + - Added Replace: to squid-common (Closes: #379101) + - Removed the old squid-common Conflicts: statement on squid + + * debian/patches/49-xstrdup + - Added upstream patch that fixes an error on XSTRDUP + (Closes: #379586) + + -- Luigi Gangitano Thu, 27 Jul 2006 01:45:00 +0200 + + +squid (2.6.1-3) unstable; urgency=low + + * debian/patches/48-kfreebsd-kqueue + - Added user interface for kqueue() on GNU/kFreeBSD (Thanks to Petr + Salinger) (Closes: #377873) + + * debian/rules + - Disabled IPF support on GNU/kFreeBSD + - Install RELEASENOTES.html in /usr/share/doc + + * debian/NEWS.Debian + - Added notice on changes to configuration file and reference to the + RELEASENOTES.html file (Closes: #377950) + + -- Luigi Gangitano Wed, 12 Jul 2006 15:11:08 +0200 + + +squid (2.6.1-2) unstable; urgency=low + + * debian/control + - Added missing Build-Depends on libdb4.3-dev (Closes: #377473) + + -- Luigi Gangitano Sun, 9 Jul 2006 13:22:55 +0200 + +squid (2.6.1-1) unstable; urgency=low + + * New upstream version + - removed patches that have been integrated upstream: + debian/patches/47-httpreplydestroy.dpatch + + * debian/rules + - Removed build time upgrade of autoconf since config.{sub,guess} has been + updated upstream + - Enabled epoll() support on Linux and Kqueue support on KFreeBSD + - Enabled Linux TPROXY support for totally transparent proxy support + - Removed Winbind-based helpers building. Winbind is not supported + upstream anymore + - Moved documentation to squid-common + + * debian/postinst + - Fix configuration file for missing http_port directive + + -- Luigi Gangitano Mon, 3 Jul 2006 14:35:26 +0200 + +squid (2.5.14-2) unstable; urgency=low + + * debian/control + - Remove dependency on webmin-squid which is not in the archive anymore + - Bumped Standards-Version to 3.7.2 (no change required) + + -- Luigi Gangitano Wed, 14 Jun 2006 14:44:40 +0200 + +squid (2.5.14-1) unstable; urgency=low + + * New upstream release + + * debian/patches/47-httpreplydestroy + - Added upstream patch fixing assertion failure in HttpReply.c + + * debian/{prerm,postinst} + - Make squid restart in postinst instead of stopping in prerm + (Closes: #252467) + + -- Luigi Gangitano Fri, 9 Jun 2006 17:51:16 +0200 + +squid (2.5.13-2) unstable; urgency=low + + * debian/{rules,control} + - Added build-time upgrade of config.{guess,sub} for GNU/kFreeBSD + (Closes: #365211) + + * debian/po/ca.po + - Added Catalan debconf translation thanks to Miguel Gea Milvaques + (Closes: #365412) + + -- Luigi Gangitano Mon, 8 May 2006 20:22:47 +0200 + +squid (2.5.13-1) unstable; urgency=low + + * New upstream release + + -- Luigi Gangitano Sun, 19 Mar 2006 01:19:36 +0100 + +squid (2.5.12-4) unstable; urgency=low + + * The "Required is not essential" release + + * debian/control + - Added dependency on lsb-base (Closes: #347800, #347537) + + -- Luigi Gangitano Mon, 16 Jan 2006 07:21:55 +0100 + +squid (2.5.12-3) unstable; urgency=low + + * Rebuilt to fix missing .diff.gz file (Closes: #344404) + + * debian/squid.rc + - Fixed use of literal value (Closes: #344382) + + -- Luigi Gangitano Wed, 28 Dec 2005 17:30:49 +0100 + +squid (2.5.12-2) unstable; urgency=low + + * debian/control + - Removed circular dependency of squid-common on squid (Closes: #339904) + - Removed dependency on stat + + * debian/squid.rc + - Converted to use lsb init functions + + -- Luigi Gangitano Tue, 20 Dec 2005 20:45:11 +0100 + +squid (2.5.12-1) unstable; urgency=low + + * New upstream release + - removed patches that have been integrated upstream: + debian/patches/43-stathist-assert + debian/patches/44-sslconnect-segfault + debian/patches/45-store-assert + debian/patches/46-ntlm-scheme-assert + + * debian/rules + - Added debconf-updatepo in clean rule (Closes: #335542) + + * debian/po/fr.po + - Updated French debconf translation, thanks to Michel Grentzinger + (Closes: #337055) + + * debian/po/sv.po + - Added Swedish debconf translation, thanks to Daniel Nylander + (Closes: #330273) + + -- Luigi Gangitano Wed, 2 Nov 2005 14:29:51 +0100 + +squid (2.5.10-8) unstable; urgency=low + + * debian/changelog + - Fixed really old entries (1996) and make lintian happy + + * debian/copyright + - Fixed FSF address in copyright + + * debian/control + - Bumped Standards-Version to 3.6.2.0, no change needed + + -- Luigi Gangitano Fri, 21 Oct 2005 01:58:26 +0200 + +squid (2.5.10-7) unstable; urgency=high + + * Urgency high due to security issues + + * debian/patches/46-ntlm-scheme-assert + - Really enable this patch in 00list (thanks to Martin Pitt for pointing + this out) + + -- Luigi Gangitano Fri, 21 Oct 2005 00:42:51 +0200 + +squid (2.5.10-6) unstable; urgency=low + + * debian/patches/46-ntlm-scheme-assert + - Added upstream patch to fix potential DoS in NTLM authentication + (Ref: CAN-2005-2917) + + * debian/control + - Fixed typo in squid-cgi description (Closes: #327810) + + * debian/patches/ + - Removed patch files integrated upstream + + -- Luigi Gangitano Sat, 17 Sep 2005 21:44:53 +0200 + +squid (2.5.10-5) unstable; urgency=low + + * debian/control + - Added dependency on debconf-2.0 + + * debian/patches/44-sslconnect-segfault + - Added upstream patch to fix security issue in ssl connection handling + potentially causing DoS. (Ref. CAN-2005-2796) + + * debian/patches/45-store-assert + - Added upstream patch to fix security issue in store.c potentially + causing DoS (Ref. CAN-2005-2794) + + -- Luigi Gangitano Thu, 1 Sep 2005 02:01:45 +0200 + +squid (2.5.10-4) unstable; urgency=low + + * debian/changelog + - Fixed typos in various lines that caused lintian to scream + + -- Luigi Gangitano Fri, 26 Aug 2005 21:35:48 +0200 + +squid (2.5.10-3) unstable; urgency=low + + * debian/rules + - Dropped use of DEBIAN_HOST_GNU_{CPU,SYSTEM} since the dpkg transition + has broken them, preventing the MAXFD limit correction to 4096. Use + Used DEBIAN_ARCH_{OS,CPU} instead. (Closes: #322526) + + * debian/po/cs.po + - Added Czech debconf translation thanks to Miroslav Kure + (Closes: #320369) + + -- Luigi Gangitano Fri, 26 Aug 2005 20:37:47 +0200 + +squid (2.5.10-2) unstable; urgency=low + + * debian/patches/43-stathist-assert + - Added patch to fix assertion failure in StatHist.c + (Closes: #310642) + + * debian/po/vi.po + - Added Vietnamese debconf translation thanks to Clytie Siddall + (Closes: #318705) + + * debian/po/de.po + - Fixed path in German translation + (Closes: #313152) + + -- Luigi Gangitano Wed, 20 Jul 2005 01:07:52 +0200 + +squid (2.5.10-1) unstable; urgency=low + + * New upstream release + - removed patches that have been integrated upstream: + debian/patches/05-syslog + debian/patches/09-enable-large-files + debian/patches/22-cachemgr-acl + debian/patches/38-aufs-fixes + debian/patches/39-notinmemory + debian/patches/40-acl-error + debian/patches/41-2GB-assert + debian/patches/42-dns-query + + * debian/config + - Fixed check on cache_dir permissions when it is symlinked + (Closes: #312253) + + * debian/squid.rc + - Removed unused functions in rc script + + * debian/postinst + - Added check for statovverrides on log directory + (Closes: #309634) + + -- Luigi Gangitano Thu, 9 Jun 2005 17:41:26 +0200 + +squid (2.5.9-10) unstable; urgency=high + + * Urgency high to get the translation fix in sarge + + * debian/po/ru.po + - Updated Russian debconf translation (thanks to Yuriy Talakan) + (Closes: #310038) + + -- Luigi Gangitano Sun, 29 May 2005 23:16:50 +0200 + +squid (2.5.9-9) unstable; urgency=high + + * Urgency high due to security fixes + + * debian/patches/41-2GB-assert + - Added upstream patch to fix assertion failure + store_client.c:343: "storeSwapOutObjectBytesOnDisk(mem) > sc->copy_offset" + + * debian/patches/42-dns-query + - Added upstream patch to fix security issue with DNS response spoofing + + -- Luigi Gangitano Sat, 14 May 2005 18:41:06 +0200 + +squid (2.5.9-8) unstable; urgency=medium + + * Urgency medium due to upstream fixes that should go into sarge + + * debian/patches/39-notinmemory + - Updated upstream patch + + -- Luigi Gangitano Sun, 1 May 2005 00:53:00 +0200 + +squid (2.5.9-7) unstable; urgency=low + + * debian/patches/39-notinmemory + - Added upstream patch to fix assertion failure + store_swapin.c:45: "e->mem_status == NOT_IN_MEMORY + (Closes: #306072) + + * debian/patches/40-acl-error + - Added upstream patch fixing minor security issue in parsing acls + (Ref: CAN-2005-1345) + + * debian/patches/22-cachemgr-acl + - Updated to the upstream patch + + * debian/rules + - Install upstream cachemgr.conf instead of the old local one + + * debian/cachemgr.conf + - Removed local version not used anymore + + * debian/po/ja.po + - Updated debconf translation (thanks to Kenshi Muto) + (Closes: #306939) + + -- Luigi Gangitano Sat, 30 Apr 2005 12:09:59 +0200 + +squid (2.5.9-6) unstable; urgency=medium + + * Urgency still medium due to upstream fixes that should go into sarge + + * debian/patches/09-enable-large-files + - Updated again upstream patch, fixing failed assertion + store_swapout.c:232: "mem->inmem_lo == 0" + (Closes: #305387) + + -- Luigi Gangitano Thu, 21 Apr 2005 01:21:58 +0200 + +squid (2.5.9-5) unstable; urgency=medium + + * Urgency still medium due to upstream fixes that should go into sarge + + * debian/patches/09-enable-large-files + - Updated upstream patch, fixing race condition causing segfault + (Closes: #305387) + + -- Luigi Gangitano Wed, 20 Apr 2005 01:55:42 +0200 + +squid (2.5.9-4) unstable; urgency=medium + + * Urgency still medium due to upstream fixes that should go into sarge + + * debian/patches/09-enable-large-files + - Updated upstream patch, fixing crashes with diskd (Closes: #302634) + + * debian/patches/00list + - Reworked patch order + + -- Luigi Gangitano Sun, 3 Apr 2005 01:43:31 +0200 + +squid (2.5.9-3) unstable; urgency=medium + + * Urgency medium due to upstream fixes that should go into sarge + + * debian/patches/09-enable-large-files + - Substituded with official upstream patch for large file support. + This patch is definetly better than the one previously used. + + * debian/rules + - Changed configure option --enable-large-files to --with-large-files + + * debian/patches/38-aufs-fixes + - Added upstream patch fixing small issues with aufs and enhancing + performance + + -- Luigi Gangitano Fri, 1 Apr 2005 17:19:23 +0200 + +squid (2.5.9-2) unstable; urgency=medium + + * Urgency medium due to small security fix + + * debian/patches/37-setcookie.dpatch + - Added upstream patchto fix race condition with Set-Cookie headers + (Closes: #298053) + + * debian/watch + - Re-Updated watch file, this should really work + + -- Luigi Gangitano Tue, 8 Mar 2005 04:37:22 +0100 + +squid (2.5.9-1) unstable; urgency=low + + * New upstream release + - removed patches that have been integrated upstream: + debian/patches/30-amd64-gcc40-compile + debian/patches/36-dns-assert + + * debian/watch + - Updated watch file, this should work + + -- Luigi Gangitano Mon, 28 Feb 2005 03:06:18 +0100 + +squid (2.5.8-3) unstable; urgency=high + + * Urgency high due security fixes + + * debian/patches/36-dns-assert.dpatch + - Added upstream patch to fix DoS in DNS reply parsing + (Ref: CAN-2005-0446) + + -- Luigi Gangitano Thu, 17 Feb 2005 01:10:05 +0100 + +squid (2.5.8-2) unstable; urgency=low + + * debian/squid.rc + - Added db_stop call before invoke-rc.d (Closes: #294866) + + -- Luigi Gangitano Sat, 12 Feb 2005 18:14:34 +0100 + +squid (2.5.8-1) unstable; urgency=low + + * New upstream release + - removed patches that have been integrated upstream: + debian/patches/23-deny-internal-object-purge + debian/patches/24-gopher-html-parsing + debian/patches/25-wccp-dos + debian/patches/26-dns-memleak + debian/patches/27-ldap-spaces + debian/patches/28-fakeauth-memleak + debian/patches/29-fqdn-truncated + debian/patches/31-wccp-buffer-overflow + debian/patches/32-response-splitting + debian/patches/33-header-parsing + debian/patches/34-oversize-reply-header + debian/patches/35-empty-acl + + - Fixed 100% CPU usage on half closed PUT/POST requests + (Closes: #294551) + + * debian/squid.rc + - Applied patch from Thomas Hood to improve initscript output + (Closes: #294465) + + -- Luigi Gangitano Fri, 11 Feb 2005 18:33:13 +0100 + +squid (2.5.7-8) unstable; urgency=high + + * Urgency high due security fixes, previous version not yet in sarge and + this version makes just a litte change to dependencies + + * debian/control + - Added versioned depends on the same version of squid-common + (Closes: #293552, #293626) + + -- Luigi Gangitano Sat, 5 Feb 2005 01:52:03 +0100 + +squid (2.5.7-7) unstable; urgency=high + + * Urgency high due security fixes + + * debian/patches/34-oversize-reply-header.dpatch + - Added upstream patch to correct HTTP protocol mismatch introduced + by the header-parsing patch + (Ref: CAN-2005-0241) + + * debian/patches/35-empty-acl.dpatch + - Added upstream patch to fix minor security issues with 'empty' acls + (Ref: CAN-2005-0194) + + -- Luigi Gangitano Tue, 1 Feb 2005 18:00:16 +0100 + +squid (2.5.7-6) unstable; urgency=high + + * Urgency high due security fixes + + * debian/patches/01-cf.data.pre + - Explicitly set hosts_file to /etc/hosts (Closes: #185555) + + * debian/patches/31-wccp-buffer-overflow.dpatch + - Added upstream patch that fixes BoF in WCCP recvfrom() + (Ref: CAN-2005-0211) + + * debian/patches/32-response-splitting.dpatch + - Added upstream patch that fixes HTTP response splitting cache pollution + (Ref: CAN-2005-0175) + + * debian/patches/33-header-parsing.dpatch + - Added upstream patch to reject malformed HTTP requests and responses + (Ref: CAN-2005-0174) + + -- Luigi Gangitano Sat, 29 Jan 2005 17:44:49 +0100 + +squid (2.5.7-5) unstable; urgency=high + + * Urgency high due security fixes + + * Updated references in changelog to CAN advisories + + -- Luigi Gangitano Tue, 18 Jan 2005 22:40:19 +0100 + +squid (2.5.7-4) unstable; urgency=low + + * "A round of upstream patches" release + + * debian/patches/24-gopher-html-parsing + - Added upstream patch that fixes BoF in gopherToHTML() + (Ref: CAN-2005-0094) + + * debian/patches/25-wccp-dos + - Added upstream patch that fixes DoS in WCCP message handling + (Ref: CAN-2005-0095) + + * debian/patches/26-dns-memleak + - Added upstream patch that fixes memory leak in internal DNS resolver + + * debian/patches/27-ldap-spaces + - Added upstream patch that fixes minor security issues in LDAP account + handling + (Ref: CAN-2005-0173) + + * debian/patches/28-fakeauth-memleak + - Added upstream patch that fixes memory leak in fakeauth NTLM helper + + * debian/patches/29-fqdn-truncated + - Added upstream patch that fixes name truncation in compressed DNS + responses + + * debian/patches/30-amd64-gcc40-compile + - Added patch to compile squid on AMD64 with GCC-4.0 (Closes: #288542) + + -- Luigi Gangitano Mon, 17 Jan 2005 18:15:49 +0100 + +squid (2.5.7-3) unstable; urgency=low + + * debian/patches/07-manpage + - Removed, since now the config file is in /etc/squid + (Closes: #284791) + + * debian/patches/23-deny-internal-object-purge + - Added upstream patch that fixes internal object expiry + (Closes: #75468) + + * debian/po/de.po + - Updated German debconf translation (thanks to Jens Nachtigall) + (Closes: #283848) + + * debian/po/nl.po + - Updated Dutch debconf translation (thanks to Luk Claes) + (Closes: #281563) + + -- Luigi Gangitano Sat, 11 Dec 2004 16:37:23 +0100 + +squid (2.5.7-2) unstable; urgency=low + + * debian/watch + - Added debian watch file + + * debian/po/fr.po + - Updated French debconf translation (thanks to Christian Perrier) + (Closes: #279304) + + * debian/rules + - Added wbinfo_group external acl (Closes: #280895) + + -- Luigi Gangitano Thu, 28 Oct 2004 16:02:46 +0200 + +squid (2.5.7-1) unstable; urgency=medium + + * Urgency medium due to security issues + + * New upstream release + - removed patches that have been integrated upstream: + debian/patches/17-head + debian/patches/18-no-valid-dir + debian/patches/19-heap-segfault + debian/patches/20-ntlm-fetch-string + debian/patches/21-ntlm-noreuse-leak + + - Fixes Denial of Service in SNMP asn_parse_header module + (Ref: CAN-2004-0918) + + * debian/po/nl.po + - Updated Dutch debconf translation (Thanks to Luk Claes) + (Closes: #277763) + + -- Luigi Gangitano Fri, 22 Oct 2004 17:24:58 +0200 + +squid (2.5.6-11) unstable; urgency=medium + + * Urgency still medium due to RC bug fix in squid-cgi + + * debian/templates + - Applied patch to fix typos (thanks to Jens Nachtingal) + (Closes: #275524) + + * debian/po/de.po + - Updated german debconf translation (thanks to Jens Nachtingall) + (Closes: #275523) + + * debian/control + - Fix versioned build-depend on dpatch to fix FTBFS on alpha and sparc + + -- Luigi Gangitano Thu, 7 Oct 2004 20:36:55 +0200 + +squid (2.5.6-10) unstable; urgency=medium + + * Urgency medium due to RC bug fix in squid-cgi + + * debian/patches/22-cachemgr-acl + - Reworked code flow (thanks to Martin Schulze) + + * debian/cachemgr.conf + - Added comments at the start (again, thanks to Martin Schulze) + + * debian/control + - Add version to build-depend on dpatch to fix FTBFS on alpha and sparc + + -- Luigi Gangitano Thu, 7 Oct 2004 18:16:53 +0200 + +squid (2.5.6-9) unstable; urgency=medium + + * Urgency medium due to RC bug fix in squid-cgi + + * debian/patches/22-cachemgr-acl + - Added config file (/etc/squid/cachemgr.conf) checking to cachemgr.cgi + (Closes for sid/sarge: #133131) + Ref: CAN-2004-0913 + + * debian/cachemgr.conf + - Added default configuration file for squid-cgi + + * debian/templates + - Modified squid-cgi template with informations on the new config + file format + + * debian/po/it.po + - Updated italian debconf translation + + -- Luigi Gangitano Wed, 6 Oct 2004 19:47:19 +0200 + +squid (2.5.6-8) unstable; urgency=medium + + * Urgency medium due to DoS fix in ntlm_auth (this should really make it + into sarge) + + * debian/po/fr.po + Updated French translation (Closes: #267577) + + * debian/po/pt_BR.po + Updated Brazilian Portuguese translation (Closes: #267187) + + * debian/patches/20-ntlm-fetch-string + Added upstream patch that fixes DoS in ntlm authentication + (http://www.squid-cache.org/bugs/show_bug.cgi?id=1045) + Ref: CAN-2004-0832 + + * debian/patches/21-ntlm-noreuse-leak + Added upstream patch that fixes memory leak in ntlm authentication + with challenge reuse disabled + + -- Luigi Gangitano Sat, 28 Aug 2004 18:24:13 +0200 + +squid (2.5.6-7) unstable; urgency=medium + + * I should have checked upstream patches before -6 upload + + * Still urgency medium because of grave bug and upcoming sarge freeze. + + * debian/patches/19-heap-segfault + - Added upstream patches to fix segfaults with heap replacement policy + + -- Luigi Gangitano Mon, 9 Aug 2004 17:56:06 +0200 + +squid (2.5.6-6) unstable; urgency=medium + + * Urgency medium because of grave bug and upcoming sarge freeze. + + * debian/config + - Fix access to config file if config file does not exist + (Closes: #264595) + + -- Luigi Gangitano Mon, 9 Aug 2004 17:36:20 +0200 + +squid (2.5.6-5) unstable; urgency=low + + * debian/patches/18-no-valid-dir + - Added upstream patch to fix invalid store with ufs + + * debian/{templates,postinst,config,squid.rc} + - Added debconf question asking user to confirm before changing + owner/group of cache_dir (Closes: #259541) + - Removed permission fix from rc script. Will check only on upgrades + to avoid messing up filesystem when administrator selects wrong + values for cache_dir (See #259541 for an example) + + * debian/squid.rc + - Added support for CHUID in start-stop-daemon (Closes: #137122). Beware + of /etc/squid/squid.conf permissions if you use it! + + * debian/po/it.po + - Added italian debconf translation + + -- Luigi Gangitano Wed, 4 Aug 2004 15:11:12 +0200 + +squid (2.5.6-4) unstable; urgency=low + + * debian/patches/17-head + - Added upstream patch to fix stale informations returned on HEAD request + (Closes: #222499) + + * debian/patches/09-enable-large-files + - Re-enable upstream support for logfiles bigger than 2GB. If no side + effect shows up in a short time I'll close the bug (229327). + + * debian/preinst + - Removed warning for logfiles bigger than 2GB. + + -- Luigi Gangitano Wed, 4 Aug 2004 14:06:52 +0200 + +squid (2.5.6-3) unstable; urgency=low + + * debian/control + - Added dependency on coreutils to be abel to use /usr/bin/stat in postinst + + -- Luigi Gangitano Tue, 13 Jul 2004 16:56:30 +0200 + +squid (2.5.6-2) unstable; urgency=low + + * debian/postinst + - chown directories only if actual owernship doesn't match configfile + (Closes: #259217) + + -- Luigi Gangitano Tue, 13 Jul 2004 15:56:16 +0200 + +squid (2.5.6-1) unstable; urgency=low + + * New Upstream Release + - removed patches that have been integrated upstream: + debian/patches/16-range-offset-limit + debian/patches/15-dns-localhost + debian/patches/14-proxy-abuse + debian/patches/13-ntlm-overflow + debian/patches/12-post-assert + debian/patches/11-digest-blank + debian/patches/10-ntlm-assert + + -- Luigi Gangitano Sun, 11 Jul 2004 21:57:48 +0200 + +squid (2.5.5-7) unstable; urgency=low + + * debian/patches/13-ntlm-overflow + - Updated to officially released upstrem patch (Closes: #256666) + + -- Luigi Gangitano Mon, 28 Jun 2004 20:10:39 +0200 + +squid (2.5.5-6) unstable; urgency=low + + * debian/{squid.rc,postinst} + - Fixed permissions on files when upgrading/starting squid. Now it + uses cache_effective_user and cache_effective_group (Closes: #249292) + + * debian/patches/15-dns-localhost + - Added upstram patch for missing /etc/resolf.conf (Closes: #222262) + + * debian/patches/16-range-offset-limit + - Added upstram patch for -1 values in config (Closes: #242141) + + -- Luigi Gangitano Fri, 18 Jun 2004 18:30:33 +0200 + +squid (2.5.5-5) unstable; urgency=high + + * Urgency high because of security patch + + * debian/patches/13-ntlm-overflow + - Fix for CAN-2004-0541 (Closes: #253406) + + * debian/patches/14-proxy-abuse + - Added ustream patch for segmentation fault while writing cache.log + + -- Luigi Gangitano Thu, 10 Jun 2004 00:17:39 +0200 + +squid (2.5.5-4) unstable; urgency=low + + * debian/control + - Removed depdendecies on libssl-dev (linking GPL with SSL is not free) + (Closes: #251988) + + * debian/rules + - Removed --enable-ssl from configure + - Added --enable-carp to configure (Closes: #180884) + + * debian/{preinst,postrm,postinst} + - Moved configuration directory to /etc/squid (Closes: #83821) + + -- Luigi Gangitano Tue, 1 Jun 2004 23:30:32 +0200 + +squid (2.5.5-3) unstable; urgency=low + + * The 'Thanks to Robert Collins' Release + + * debian/patches/12-post-assert + - Added upstream patch to fix assertion failure in rare POST/PUT + conditions (Closes: #251702) + + * debian/control + - Added dependencies on libssl-dev + + * debian/rules + - Added --enable-ssl to configure (Closes: #180886) + + * debian/templates + - Fixed default for old_version question + + -- Luigi Gangitano Mon, 31 May 2004 22:15:15 +0200 + +squid (2.5.5-2) unstable; urgency=low + + * debian/control + - Added Suggest: on smbclient (Closes: #240316) + + * debian/patches/10-ntlm-assert.dpatch + - Added upstream patch to fix assert failure in ntlm_auth (Closes: #243540) + + * debian/patches/11-digest-blank + - Added upstream patch to fix segmentation fault in digest authentication + + -- Luigi Gangitano Mon, 19 Apr 2004 16:27:53 +0200 + +squid (2.5.5-1) unstable; urgency=low + + * New upstream release + - Integrated redirect login space patch + + * debian/control + - Added Suggest: on winbind >= 3.0.2 + + * debian/patches/01-cf.data.debian.dpatch + - Updated path to helpers + - Added note about ntlm_auth and Samba 3 + + * debian/patches/08-redirect_login_space.dpatch + - Removed since this patch has been integrated upstream + + * debian/po/es.po + - Added Spanish translation (Closes: #238024) + + * debian/po/fr.po + - Updated French translation (Closes: #238015) + + * debian/po/ja.po + - Updated Japanese translation (Closes: #237788) + + -- Luigi Gangitano Tue, 23 Mar 2004 17:25:16 +0100 + +squid (2.5.4-5) unstable; urgency=low + + * debian/patches/09-enable-large-files.dpatch + - Removed since side effects on file-related structures is not + verified + + * debian/control + - Split arch-independent files to squid-common (Closes: #233442) + + * debian/templates + - Fixed reference to example squid.conf (Closes: #228390) + - Added warning for logfiles bigger than 2GB + + -- Luigi Gangitano Tue, 17 Feb 2004 14:20:28 +0100 + +squid (2.5.4-4) unstable; urgency=low + + * debian/patches/09-enable-large-files.dpatch + - Added upstream CVS patch to enable logfiles > 2GB + + * debian/rules + - Added --enable-large-files option to configure + + -- Luigi Gangitano Wed, 4 Feb 2004 14:23:12 +0100 + +squid (2.5.4-3) unstable; urgency=low + + * debian/po/pt_BR.po + - Updated translation (Closes: #220909) + * debian/po/ru.po + - Updated translation (Closes: #219261) + + -- Luigi Gangitano Fri, 5 Dec 2003 02:10:56 +0100 + +squid (2.5.4-2) unstable; urgency=low + + * The 'Look at BTS before upload' release + * debian/patches/08-redirect_login_space.dpatch + - Added upstream patch to fix auth names with space characters + (Closes: #212639) + + -- Luigi Gangitano Thu, 25 Sep 2003 00:50:05 +0200 + +squid (2.5.4-1) unstable; urgency=low + + * The 'Cake' release + * New upstream release + - Added Spanish ERR_TOO_BIG translation (Closes: 143052) + - Integrated upstream patch 08-deny-info + * debian/po/fr.po + - Updated (Closes: #211812) + * debian/po/ja.po + - Added Japanese translation (Closes: #211965) + * debian/control + - Bumped Standard-Version to 3.6.1.0 (no not-debconf user interaction + was used, so no change needed) + + -- Luigi Gangitano Thu, 25 Sep 2003 00:31:02 +0200 + +squid (2.5.3-8) unstable; urgency=low + + * debian/postinst + - Added checks for unsupported anonymize_headers and fake_user_agent + options in config file (Closes: #187510) + * debian/templates + - Added note about unsupported anonymize_headers and fake_user_agent + options in config file + * debian/squid.rc + - Added check for cache_dir hierarchy and reconstruct it if missing + (this is on the road to solve #146472, please provide feedback) + * debian/conffiles + - Added resolvconf script + + -- Luigi Gangitano Tue, 9 Sep 2003 17:20:36 +0200 + +squid (2.5.3-7) unstable; urgency=low + + * debian/squid.resolvconf + - Added support for resolvconf (Closes: #200572) + * debian/rules + - Install file in /etc/resolvconf/update-libc.d + * debian/po/nl.po + - Added dutch debconf translation (Closes: #208239) + + -- Luigi Gangitano Tue, 9 Sep 2003 00:39:52 +0200 + +squid (2.5.3-6) unstable; urgency=low + + * debian/patches/08-deny_info.dpatch + - Upstream patch fixes segmentation fault when multiple deny_info + messages are defined in config file (Closes: #203946) + + -- Luigi Gangitano Mon, 18 Aug 2003 19:27:46 +0200 + +squid (2.5.3-5) unstable; urgency=low + + * debian/control + - Bumped Standard-Version to 3.6.0 + * debian/changelog + - Converted to UTF-8 to comply with Standard-Version 3.6.0 + * debian/patches/01-cf.data.debian.dpatch + - Fixed auth_paras paths in examples (Closes: #205222) + + -- Luigi Gangitano Tue, 18 Aug 2003 19:08:47 +0200 + +squid (2.5.3-4) unstable; urgency=low + + * Switch to gettext for debconf templates (Closes: #202271) + * debian/control + - Added Build-Depend on po-debconf + * debian/rules + - Handle templates merging + * debian/po/ + - Moved translations from debian/templates (via debconf-gettextize) + * debian/po/fr.po + - Added French template translation (Closes: #202272) + + -- Luigi Gangitano Mon, 21 Jul 2003 16:20:31 +0200 + +squid (2.5.3-3) unstable; urgency=low + + * debian/rules + - fixed configuration options to build null store module on hurd and not + aufs. + * debian/postinst + - use invoke-rc.d instead of starting squid via /etc/init.d/squid + (Closes: #200096) + * debian/patches/07-manpage + - Fixed wrong reference to /etc/squid/squid.conf (Closes: #200081) + * debian/README.Debian + - Clean up and resync with the current configuration. + - Added a note about the example file (Closes: #190970) + + -- Luigi Gangitano Mon, 7 Jul 2003 18:36:20 +0200 + +squid (2.5.3-2) unstable; urgency=low + + * debian/rules + - added config option to enable digest and ntlm authentication + (Closes: #188303) + - added config option to enable null and aufs store modules + (Closes: #160028) + + -- Luigi Gangitano Fri, 4 Jul 2003 17:28:33 +0200 + +squid (2.5.3-1) unstable; urgency=low + + * New upstream release + * debian/patches/07-ldap_auth_unavailable: + - Removed, patch has been integrated upstream + * debian/control: + - Bumped Standar-Version to 3.5.10 (no change needed) + + -- Luigi Gangitano Sat, 31 May 2003 18:25:27 +0200 + +squid (2.5.2-2) unstable; urgency=low + + * debian/control: + - Added versioned depend on debconf + * debian/patches/07-ldap_auth_unavailable + - Added patch to fix ldap_auth helper crash if LDAP server is + unreachable (closes: #186540) + + -- Luigi Gangitano Fri, 21 Mar 2003 13:30:31 +0100 + +squid (2.5.2-1) unstable; urgency=low + + * New upstream release + * Bumped Standard-Version to 3.5.9 + + -- Luigi Gangitano Tue, 18 Mar 2003 15:24:34 +0100 + +squid (2.5.1-8) unstable; urgency=low + + * Fixed permissions of sample config file (closes: #153649) + * Use dpatch to handle patches. + * Fixed missing Section and Priority fields in packages. + * Added Suggests for logcheck-database. (closes: #125799) + * Updated FAQs. + + -- Luigi Gangitano Wed, 12 Mar 2003 19:49:02 +0100 + +squid (2.5.1-7) unstable; urgency=low + + * Fixed README.Debian with new configuration + * Updated patches in debian/patches + + -- Luigi Gangitano Sun, 9 Mar 2003 20:21:48 +0100 + +squid (2.5.1-6) unstable; urgency=low + + * Upload to unstable (closes: #162832) + * Fixed typo in template + + -- Luigi Gangitano Sun, 9 Mar 2003 19:30:49 +0100 + +squid (2.5.1-5) experimental; urgency=low + + * Set ac_cv_func_setresuid to yes for any arch than sparc (fixes: #171245) + * Commented default auth_param settings from default configfile + * Added a debconf warning about new authentication directives + * Not published + + -- Luigi Gangitano Mon, 13 Jan 2003 16:26:57 +0100 + +squid (2.5.1-4) experimental; urgency=low + + * /etc/init.d/squid cleanup (closes: #153626, #156752) + * Authentication helpers added: + - digest_auth: password + - external_acl: ip_user, ldap_group, unix_group, winbind_group + - ntlm_auth: SMB, winbind + * CONFIG FILE FORMAT STILL INCOMPATIBLE WITH 2.4.x + + -- Luigi Gangitano Wed, 18 Dec 2002 22:23:52 +0100 + +squid (2.5.1-3) experimental; urgency=low + + * Moving read-only non-architecture specific file to /usr/share/squid + * Got the example config file back in place. + * Updated lintian override + * Authentication helpers added: + - basic_auth: YP, MSNT, winbind + * CONFIG FILE FORMAT STILL INCOMPATIBLE WITH 2.4.x + + -- Luigi Gangitano Wed, 11 Dec 2002 23:50:34 +0100 + +squid (2.5.1-2) experimental; urgency=low + + * Taking over squid with Miquel's approval + * Cleaning scripts (/usr/doc links removal, etc...) for subsequent + config file incompatibility handling. Please be patient. + * CONFIG FILE FORMAT STILL INCOMPATIBLE WITH 2.4.x + * Bump Standars-Version to 3.5.8 + * Removing custom man page for squid.8 (upstream provides one...) + + -- Luigi Gangitano Mon, 2 Dec 2002 00:21:40 +0100 + +squid (2.5.1-1) experimental; urgency=low + + * Experimental 2.5 version. A lot has changed in the config + file again; see http://www.squid-cache.org/Versions/v2/2.5/ \ + squid-2.5.STABLE1-RELEASENOTES.html + for more info. We need to either fix this automatically or + inform the user about it, but this version doesn't do it yet. + * Once more: INCOMPATIBLE CONFIG FILE FORMAT CHANGES !! + * FAQ needs to be updated I guess + + -- Miquel van Smoorenburg Tue, 29 Oct 2002 11:01:56 +0100 + +squid (2.4.7-1) unstable; urgency=high + + * New upstream release, fixes ftp/gopher buffer overflows. + * Enable ARP ACL support (fixes: #149312) + * Move examples back to /usr/share/doc/squid/examples. + Why put them in *&^*&^ /usr/share/squid ? No-one is going + to find them there. It broke postinst as well (fixes: #151657) + * Add localhost ACL to defaults, so that after installation + localhost is allowed to use the cache. + * Add 631 (cups) to Safe_ports (fixes: #150524) + + -- Miquel van Smoorenburg Thu, 4 Jul 2002 14:03:16 +0200 + +squid (2.4.6-1woody1) woody-proposed-updates; urgency=medium + + * Eduard Bloch: NMU, blessed by maintainer + * Eduard Bloch: Changed default permissions of squid.conf to 600, + closes: #122563 + * Eduard Bloch: New debconf question to ask before making changes in squid.conf, + closes: #144255 + * Eduard Bloch: changed expression not working with recent bash version, + potential FTBFS.. + * Eduard Bloch: make debconf-notice urgency=high + * Martin Loschwitz: debian/control: updated Standards-Version to 3.5.6.0 + * Martin Loschwitz: Fix the debconf-thingie for #144255 + * Martin Loschwitz: fixed some lintian warnings + * Martin Loschwitz: removed squid.conf from debian/conffiles + + -- Martin Loschwitz Thu, 30 May 2002 22:29:00 +0200 + +squid (2.4.6-1) unstable; urgency=high + + * New upstream version (2.4.5 was never released) that fixes a + security bug in the built-in DNS resolver. + * Turn off setresuid code again - on certain platforms (sparc) with + a 2.2 glibc and a 2.2 kernel it fails at runtime (?!) (closes: #137262) + * Fix PAM ttl bug (was fixed in 2.4.4, actually) (closes: #128692) + + -- Miquel van Smoorenburg Mon, 25 Mar 2002 15:47:34 +0100 + +squid (2.4.4-1) unstable; urgency=high + + * New upstream version with the "Coredup on certain ftp:// style URL's" + security fix. This version also fixes a memory leak in the SNMP code and + fixes in SNMP code are always good, certainly right now (closes: #134574) + * dropped htcp-off patch, now integrated in mainline. + * Set LC_ALL=POSIX in debian/rules (closes: #130231) + * Fix regexp in smb_auth.sh to read correct field from nmblookup + even if a wins server is defined in smb.conf (closes: #131300) + * Fix crash in debug.c when debug_options set to 11,3 (closes: #129262) + * remove duplicate diskd_program in src/cf.data.pre (closes: #124300) + * Add webdav SEARCH support (closes: #128693) + * Add Russian templates (closes: #114863) + + -- Miquel van Smoorenburg Tue, 19 Feb 2002 13:35:47 +0100 + +squid (2.4.3-2) unstable; urgency=medium + + * Change pipeline debug level in pipeline-shutup.patch to 2 instead + of 3 to match the upcoming squid-2.5 + * Take out icp_hit_stale.patch. It's not needed anymore, it has been + replaced by the "allow-miss" cache_peer option + * Change unlinkd to run for diskd too. In the future (2.5, 2.6?) + aufs might start to use unlinkd as well so then the entire + unlinkd.patch must be dropped. + + -- Miquel van Smoorenburg Thu, 13 Dec 2001 12:57:11 +0100 + +squid (2.4.3-1) unstable; urgency=medium + + * Add http://www.ircache.net/cgi-bin/cacheability.py to README.Debian + * Upgrade to 2.4.STABLE3 which fixes some filedescriptor leakage + and on-disk metadata corruption + * Compile with netfilter support for 2.4 kernels + + -- Miquel van Smoorenburg Thu, 29 Nov 2001 16:09:58 +0100 + +squid (2.4.2-1) unstable; urgency=high + + * Fix possible DOS attack on squid (closes: #113344) + * Fix build problems on Hurd (no pthreads) (closes: #108605) + * Update to latest version in stable series (2.4.STABLE2) + * Set umask to 027 in /etc/init.d/squid file, so that logfiles + and datafiles aren't created world-readable (closes: #107073) + * logrotate now shuts up if squid isn't running (closes: #105543) + * Install pam_auth module executable by user proxy, setgid shadow + so that it can read shadow password files (closes: #98694) + * Add brazilian debconf translation (closes: #105288) + * Drop LDAP searchbase patch - something similar is now included + in the upstream. Unfortunately with an incompatible syntax, + the debian patch uses "ldapauth server searchbase" the new + syntax is now "ldapauth -b searchbase server". + + -- Miquel van Smoorenburg Mon, 1 Oct 2001 14:52:38 +0200 + +squid (2.4.1-6) unstable; urgency=low + + * Add port 901 (SWAT) to Safe_ports (closes: #99384) + * Add "sharedscripts" to logrotate script (closes: #99356, #99230) + * Fix type in config file (closes: #98992) + * Update manpage (closes: #98294) + * Update usage summary in src/main.c (closes: #98293) + * Up max# of file descriptors in squid to 4096 (closes: #102483) + * Let squid-cgi depend on httpd|webmin-squid (closes: 100769) + + -- Miquel van Smoorenburg Tue, 3 Jul 2001 15:33:54 +0200 + +squid (2.4.1-5) unstable; urgency=low + + * Fix prerotate script in logrotate file (closes: #97247) + + -- Miquel van Smoorenburg Mon, 14 May 2001 13:12:30 +0200 + +squid (2.4.1-4) unstable; urgency=low + + * Applied the patches from http://www.squid-cache.org/Versions/v2/2.4/bugs/ + * Call sarg-maint in prerotate (closes: #93352). Also now conflicts + with sarg (<< 1.1.1-2) so that a sarg update is forced. + * Added German translation to debconf templates (closes: #93838) + * Compile with referer and useragent log (closes: #95094) + + -- Miquel van Smoorenburg Tue, 8 May 2001 13:47:18 +0200 + +squid (2.4.1-3) unstable; urgency=low + + * Now that pipelining is turned back on, "apt" is using it heavily + and that results in debugging garbage in the logfiles. Added + a patch ("pipeline-shutup.patch") to turn that off (closes: #91213) + + -- Miquel van Smoorenburg Tue, 27 Mar 2001 17:17:35 +0200 + +squid (2.4.1-2) unstable; urgency=low + + * Added libpam0g-dev to Build-Depends (closes: #90935) + * Added Depends: on logrotate, fix logrotate script (squid -k rotate) + + -- Miquel van Smoorenburg Mon, 26 Mar 2001 23:06:40 +0200 + +squid (2.4.1-1) unstable; urgency=low + + * New upstream release. + * Uses mkstemp (closes: #82758) + * Start using debconf + * Removed while loop from RunCache + * Check squid.conf for 2.1/2.2 stuff and upgrade (closes: #87754) + * Build with --enable-removal-policies=lru,heap (closes: #79205) + * Use logrotate instead of home-brew cron script + + -- Miquel van Smoorenburg Fri, 23 Mar 2001 04:43:44 +0100 + +squid (2.3.4-2) unstable; urgency=low + + * Add "exit 0" to cron.daily script (closes: #76734) + * By default allow cache access to clients from localhost (closes: #60850) + * Add customized LDAP module (closes: #68352). + + -- Miquel van Smoorenburg Mon, 27 Nov 2000 18:02:39 +0100 + +squid (2.3.4-1) unstable; urgency=low + + * Take the plunge and update to 2.3.STABLE4 even though Henrik + Nordstrom says he doesn't really trust it. Time will tell I guess. + Anyway it isn't that big an issue for woody. Hopefully 2.4 will + be released in time for woody. (closes: #60409) + * Applied squid-2.3.DEVEL3.httpd_accel_single_host-2.patch + * Applied squid-2.3.STABLE4-hno.20000819.patch + * Don't use append_domain for "localhost" (closes: #55974) + * Include some redirector examples (closes: #58767) + * Turn off pinger (closes: #65490) + * netdbExchangeHandleReply() fixed by new upstream version (closes: #66124) + * Apply icp_hit_stale patch by herbert@gondor.apana.org.au (closes: #67251) + * Read SMBPASS with read -r in smb_auth.sh (closes: #67418) + + -- Miquel van Smoorenburg Thu, 9 Nov 2000 17:45:06 +0100 + +squid (2.2.5-3) frozen unstable; urgency=medium + + * With a 2.2.14 kernel, the Alpha version works fine + (closes: #45003,#45036,#45043) + * Squid using only a few dirs is normal (closes: #49282) + * Syslog as LOG_DAEMON instead of LOCAL4, also delete LOG_CONSOLE + (closes: #53163) + * Remove comment in sample squid.conf about setting dns_children to 0 + (closes: #54568) + * Fix postinst (closes: #54692) + * New /etc/init.d/squid that doesn't use RunCache (closes: #55315) + * Always use httpd_accel_host even if httpd_accel_uses_host_header is set + + -- Miquel van Smoorenburg Wed, 2 Feb 2000 20:43:28 +0100 + +squid (2.2.5-2) unstable; urgency=low + + * Fix potential security bug. When using external authenticators + sometimes a user could get access to sites he shouldn't have access + to. Applied squid-2.2.stable5-newlines_in_auth.patch (closes: #49756) + * Also applied squid-2.2.stable5-ipcache_negative.patch + * And squid-2.2.stable5-no_cache.patch + * And squid-2.2.STABLE5.ignore_host_header.patch (closes: #50292) + * Added paragraph about unautorized use of squid-cgi to README.cachemgr + * Set SHELL to /bin/bash in debian/rules (closes: #50551) + * init.d script now greps squid.conf for cache_dir (closes: #47247) + * Enabled cache digests (closes: #47292, #47293) + * Use unlink() instead of safeunlink to remove pidfile (closes: #40501) + + -- Miquel van Smoorenburg Sat, 20 Nov 1999 15:20:20 +0100 + +squid (2.2.5-1) unstable; urgency=low + + * New upstream release + * enable USE_PROPER_MUTEX in src/aiops.c as per recommendation + of Henrik Nordstrom (see also debian/proper-mutex.patch). + * Use poll() instead of select() + * Add README.Debian (closes: #38592) + + -- Miquel van Smoorenburg Thu, 7 Oct 1999 13:25:33 +0200 + +squid (2.2.4-1) unstable; urgency=low + + * New upstream version. + * Fixes bugs: + #40418: squid: cannot compile from source + #41098: cron jobs (squid) + + -- Miquel van Smoorenburg Wed, 14 Jul 1999 14:46:11 +0200 + +squid (2.2.3-1) unstable; urgency=low + + * New upstream version. + * Enable delay pools option + * Fixes bugs: + #36899: squid: DEFAULT_SQUID_ERROR_DIR (defines.h) + #37077: squid: getpwnam authmodule missing + #37488: squid: htcp_port + + -- Miquel van Smoorenburg Fri, 28 May 1999 12:09:14 +0200 + +squid (2.2.2-1) unstable; urgency=low + + * New upstream version. + * Fixes bugs: + #36267 squid: cron.daily/squid still exists after package removal + #36029 squid: Please reenable snmp support + #34909 Squid's cron job seems to break policy 4.4 + #36013: squid: authentication modules + #32203 squid: squid crashes when prefetching http 1.1 pipelined requests + + -- Miquel van Smoorenburg Wed, 21 Apr 1999 11:41:55 +0200 + +squid (2.1.2-1) frozen unstable; urgency=medium + + * Includes squid-2.1.PATCH2-clientHandleIMSReply-leak.patch + * Fix include/autoconf.h after configure, so that HAVE_SETRESUID is + set to 0 again (ugh, libc6 is broken, and the squid workaround + is broken too ....) + * Make "pinger" program setuid root. + * Rewrote /etc/init.d/squid and RunCache + * Warn in postinst for squid.conf defaults + * Upload to both frozen and unstable, since I fixed a lot of + long-standing bugs with this release. + * Fixes: + #22586: Permissions on logfiles [was: Re: Suggestion for Squid] + #23427: start/stop script provides no means to add cmd line options to squid + #27804: squid: depends on libc >= 2.0.7u + #30436: default /etc/squid.conf file rejects connections from all machines. + #30802: man page glitches + + -- Miquel van Smoorenburg Thu, 17 Dec 1998 13:32:04 +0100 + +squid (2.1.1-1) unstable; urgency=low + + * New upstream version + * Added latest FAQ + * Added patch for "ftp site full" bug + + -- Miquel van Smoorenburg Wed, 2 Dec 1998 17:48:03 +0100 + +squid (2.0.2-1) unstable; urgency=low + + * Upgraded to 2.0.PATCH2 + * Added -N option to squid invocation in RunCache + * Added latest FAQ, updated all other docs for squid-2.0 + * Compiled without SNMP support + * Fixes: + #27905: squid spreads out an error + + -- Miquel van Smoorenburg Wed, 14 Oct 1998 15:08:45 +0200 + +squid (2.0-1) unstable; urgency=low + + * Official release version. + * Added a small patch/hack to allow spaces in URLs + * Changed default start level to 30 to at least accomodate + msqld (see Bug#27660) a bit + * Fixes squid-1.2 bugs: + #20357: squid: Bashism + #21601: squid: doesn't wait long enough when stopping + #23232: squid: RunCache doesn't close stdin, stdout, or stderr + #27444: squid repeats an error message nearly endless + + -- Miquel van Smoorenburg Thu, 8 Oct 1998 23:24:28 +0200 + +squid (1.2-beta25-1) experimental; urgency=low + + * New upstream version + + -- Miquel van Smoorenburg Sat, 26 Sep 1998 11:49:35 +0200 + +squid (1.2-beta23-1) experimental; urgency=low + + * New upstream version + * Added patch sets 1, 2 and 3 + + -- Miquel van Smoorenburg Thu, 30 Jul 1998 18:05:34 +0200 + +squid (1.2-beta22-2) experimental; urgency=low + + * Fix logfile rotation problem + * Added squid-1.2.beta22.aio_fd_leak.patch from Henrik Nordström, + see http://hem.passagen.se/hno/squid/ + * Use SIGQUIT/SIGTRAP instead of USR1/USR2 which are reserved + for LinuxThreads + + -- Miquel van Smoorenburg Mon, 6 Jul 1998 14:26:20 +0200 + +squid (1.2-beta22-1) experimental; urgency=low + + * Experimental beta version. + + -- Miquel van Smoorenburg Thu, 4 Jun 1998 17:20:01 +0200 + +squid (1.1.21-1) frozen unstable; urgency=medium + + * New bugfix-only upstream release + * Added latest FAQ + * Updated squidclient manual page + * Lintian-clean + * Fixes bugs: + #18428: squid: it possible to bypass ACLs + #17719: squid-cgi: /usr/doc/squid-cgi/copyright.gz should not be gzipped + #18168: squid-novm: documentation request + + -- Miquel van Smoorenburg Fri, 20 Mar 1998 13:55:08 +0100 + +squid (1.1.20-2) unstable; urgency=low + + * Now really fixed #16863: squid: does not recognize Host: header + * Added /usr/doc/squid/README.transparent-proxy + * Fixes: + #17057: squid: squid still does not recognize hosts: header + #14489: /usr/doc/$(PACKAGE)/copyright should not be compressed + + -- Miquel van Smoorenburg Wed, 21 Jan 1998 16:22:44 +0100 + +squid (1.1.20-1) unstable; urgency=low + + * New upstream version. + * Rewrote squid manpage, added squid-cgi manpage + * Now includes HTML FAQ + * Fixed bugs: + #16864: squid-cgi: Variety of issues + #16451: squid: /etc/cron.daily/squid is installed without execute permissio + #16716: squid: executable bit missing on /etc/cron.daily/squid + #16863: squid: does not recognize Host: header + * Cristoph: that last one was fixed in the upstream source. You need to + set "httpd_accel_uses_host_header" to "on" in squid.conf for it to work. + + -- Miquel van Smoorenburg Tue, 13 Jan 1998 00:37:12 +0100 + +squid (1.1.17-1) unstable; urgency=low + + * New upstream version. + * Applied ftpget.patch from Duane W. + * Added 2 binary packages: squidclient and squid-cgi + * Fixed debian/ files so that it can be used to build both squid + and squid-novm by only editting one var at the top of debian/rules + * Fixed bugs: + #10180: squid: you can't assume a log rotate depth of 7! + #11894: squid uses pidof + #10852: squid: squid-cgi package needed + + -- Miquel van Smoorenburg Thu, 30 Oct 1997 14:47:07 +0100 + +squid (1.1.16-1) unstable; urgency=low + + * New upstream version + * Compiled for glibc + * Call "squid -z" in postinst script to create directory structure + * fix pre/post inst/rm script to have a "case" statement with all + possible dpkg-arguments (every debian package should do this) + + -- Miquel van Smoorenburg Tue, 9 Sep 1997 11:20:36 +0200 + +squid (1.1.11-1) unstable; urgency=low + + * New upstream version. + * Applied 2 patches from squid-1.1.11 page at http://squid.nlanr.org/ + (long-dns-coredump.patch and config.h.in.patch) + + -- Miquel van Smoorenburg Fri, 25 Jul 1997 00:24:30 +0200 + +squid (1.1.10-1) unstable; urgency=low + + * Upgraded to new upstream version 1.1.10 + * Updated default config file to latest sample version + * Removed Recommends: web-browser, apache + * Added manpage for squidclient + + -- Miquel van Smoorenburg Thu, 8 May 1997 16:27:44 +0200 + +squid (1.1.9-1) unstable; urgency=low + + * Upgraded to new upstream version 1.1.9, plus maintenance patch. + * Use max. 1024 fd's if available instead of 256 + * Updated default config file to latest sample version + * Updated FAQ to latest version + * Compile in PROXY_AUTH code + * Fixed start/stop script to wait for squid to die at "stop" action + + -- Miquel van Smoorenburg Mon, 14 Apr 1997 13:49:56 +0200 + +squid (1.1.1-1) unstable; urgency=low + + * Upgraded to new upstream version 1.1.1 + * Fixed a bug with SQUID_MAXFD + * Beware: this version is NOT compatible with squid-1.0.x + + -- Miquel van Smoorenburg Wed, 18 Dec 1996 13:20:30 +0100 + +squid (1.0.20-1) frozen unstable; urgency=high + + * Upgraded to 1.0.20 - fixes SERIOUS trouble in 1.0.19 + * Changed default log_rotate factor to 0 + * cron script knows about this + * cron script is conffile now + + -- Miquel van Smoorenburg Mon, 11 Nov 1996 11:57:05 +0100 + +squid (1.0.19-1) unstable; urgency=low + + * Upgraded to 1.0.19 + + -- Miquel van Smoorenburg Wed, 30 Oct 1996 11:54:25 +0100 + +squid (1.0.18-1) unstable; urgency=low + + * Upgraded to 1.0.18 + + -- Miquel van Smoorenburg Tue, 29 Oct 1996 12:23:00 +0100 + +squid (1.0.17-1) unstable; urgency=low + + * Upgraded to 1.0.17 + * Fixed Bug#4613 (no conffiles) + + -- Miquel van Smoorenburg Sat, 28 Sep 1996 16:06:54 +0200 + +squid (1.0.16-1) unstable; urgency=low + + * Upgraded to 1.0.16 + * I took over this package from Craig Sanders + * New source format + + -- Miquel van Smoorenburg Fri, 20 Sep 1996 13:00:04 +0200 + +squid (1.0.12-1) unstable; urgency=low + + * Upgraded to 1.0.12 + * Changed cron.daily file again. + * Still an Interim release. (perhaps I'll take over). + Maintainer: Craig Sanders + Interim-By: Miquel van Smoorenburg + + -- Miquel van Smoorenburg Wed, 14 Aug 1996 12:13:24 +0200 + +squid (1.0.7-1) unstable; urgency=low + + * Upgraded to 1.0.7 + * Added cron.daily file + * squid runs as "proxy.proxy" user now. + * Interim release. + Maintainer: Craig Sanders + Interim-By: Miquel van Smoorenburg + + -- Miquel van Smoorenburg Wed, 14 Aug 1996 12:13:24 +0200 + +squid (1.0.beta16) stable; urgency=low + + * First debian release + * added debian package information + + -- Craig Sanders Fri, 14 Jun 1996 18:55:45 +0200 --- squid-2.7.STABLE3.orig/debian/postrm +++ squid-2.7.STABLE3/debian/postrm @@ -0,0 +1,45 @@ +#! /bin/sh + +set -e + +case "$1" in + remove) + ;; + purge) + if [ -e /usr/share/debconf/confmodule ]; then + # Source debconf library. + . /usr/share/debconf/confmodule + # Remove my changes to the db. + db_purge + fi + echo "Purging startup links .." + rm -f /etc/init.d/squid + update-rc.d squid remove > /dev/null + echo "Purging logfiles .." + rm -rf /var/log/squid + if [ -f /etc/squid/squid.conf ]; then + echo "Removing the config-file .." + rm -f /etc/squid/squid.conf + fi + if [ -f /etc/default/squid ]; then + rm -f /etc/default/squid + fi + + # + # We do not remove /var/spool/squid because that might + # take a lot of time. Most of the time it is on a seperate + # disk anyway and it is faster to do a mkfs on it.. + # + echo "Remove the proxy cache in /var/spool/squid yourself!" + ;; + failed-upgrade) + if (dpkg --compare-versions "$2" le '2.5.4-4' && [ -e /etc/squid/conffile-moved ]) + then + mv /etc/squid/squid.conf /etc/squid.conf + rm /etc/squid/conffile-moved + fi + ;; + upgrade|abort-install|abort-upgrade|disappear) + ;; +esac + --- squid-2.7.STABLE3.orig/debian/templates +++ squid-2.7.STABLE3/debian/templates @@ -0,0 +1,34 @@ +# These templates have been reviewed by the debian-l10n-english +# team +# +# If modifications/additions/rewording are needed, please ask +# for an advice to debian-l10n-english@lists.debian.org +# +# Even minor modifications require translation updates and such +# changes should be coordinated with translators and reviewers. + +Template: squid/fix_lines +Type: boolean +Default: true +_Description: Upgrade squid.conf automatically? + Incompatible settings have been found in the existing squid.conf file. + . + They will prevent Squid from starting or working correctly. + . + These settings can be corrected now. Please choose whether you want + to apply the needed changes. + +Template: squid/fix_cachedir_perms +Type: boolean +Default: false +_Description: Fix permissions of 'cache_dir'? + The values for 'cache_effective_user' and/or 'cache_effective_group' + in Squid's configuration file are incompatible with the owner/group of the cache + directories. + . + Please choose whether this should be fixed automatically. + . + However, please note that if you specified a cache directory + different from /var/spool/squid (such as /tmp), this could affect + any other programs using that directory. + --- squid-2.7.STABLE3.orig/debian/patches/70-DoS-request-processing.patch +++ squid-2.7.STABLE3/debian/patches/70-DoS-request-processing.patch @@ -0,0 +1,68 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## + +@DPATCH@ +--- ../old/squid-2.7.STABLE3/src/HttpMsg.c 2007-12-13 01:20:48.000000000 +0000 ++++ squid-2.7.STABLE3/src/HttpMsg.c 2009-02-04 17:48:30.000000000 +0000 +@@ -256,11 +256,11 @@ + + /* next should be 1 or more digits */ + maj = 0; +- for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])); i++) { ++ for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])) && maj < 65536; i++) { + maj = maj * 10; + maj = maj + (hmsg->buf[i]) - '0'; + } +- if (i >= hmsg->req_end) { ++ if (i >= hmsg->req_end || maj >= 65536) { + retcode = -1; + goto finish; + } +@@ -276,11 +276,16 @@ + /* next should be one or more digits */ + i++; + min = 0; +- for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])); i++) { ++ for (; i < hmsg->req_end && (xisdigit(hmsg->buf[i])) && min < 65536; i++) { + min = min * 10; + min = min + (hmsg->buf[i]) - '0'; + } + ++ if (min >= 65536) { ++ retcode = -1; ++ goto finish; ++ } ++ + /* Find whitespace, end of version */ + hmsg->v_end = i; + hmsg->v_len = hmsg->v_end - hmsg->v_start + 1; +--- ../old/squid-2.7.STABLE3/src/HttpStatusLine.c 2007-12-13 01:20:48.000000000 +0000 ++++ squid-2.7.STABLE3/src/HttpStatusLine.c 2009-02-04 17:47:49.000000000 +0000 +@@ -97,11 +97,11 @@ + /* Format: HTTP/x.x CRLF */ + s = start; + maj = 0; +- for (s = start; s < end && xisdigit(*s); s++) { ++ for (s = start; s < end && xisdigit(*s) && maj < 65536; s++) { + maj = maj * 10; + maj = maj + *s - '0'; + } +- if (s >= end) { ++ if (s >= end || maj >= 65536) { + debug(57, 7) ("httpStatusLineParse: Invalid HTTP reply status major.\n"); + return 0; + } +@@ -113,11 +113,11 @@ + s++; + /* next should be minor number */ + min = 0; +- for (; s < end && xisdigit(*s); s++) { ++ for (; s < end && xisdigit(*s) && min < 65536; s++) { + min = min * 10; + min = min + *s - '0'; + } +- if (s >= end) { ++ if (s >= end || min >= 65536) { + debug(57, 7) ("httpStatusLineParse: Invalid HTTP reply status version minor.\n"); + return 0; + } --- squid-2.7.STABLE3.orig/debian/patches/59-forward-assert.dpatch +++ squid-2.7.STABLE3/debian/patches/59-forward-assert.dpatch @@ -0,0 +1,92 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 59-forward-assert.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Add two upstream patches fixing asserts in forward.c + +@DPATCH@ +diff -urNad squid~/src/forward.c squid/src/forward.c +--- squid~/src/forward.c 2008-07-06 10:52:16.000000000 +0200 ++++ squid/src/forward.c 2008-10-27 20:40:56.000000000 +0100 +@@ -1,6 +1,6 @@ + + /* +- * $Id: forward.c,v 1.131.2.3 2008/06/19 01:08:29 hno Exp $ ++ * $Id: forward.c,v 1.131.2.4 2008/07/10 09:48:41 hno Exp $ + * + * DEBUG: section 17 Request Forwarding + * AUTHOR: Duane Wessels +@@ -53,6 +53,7 @@ + static CNCB fwdConnectDone; + static int fwdCheckRetry(FwdState * fwdState); + static int fwdReforward(FwdState *); ++static void fwdRestart(void *); + static void fwdStartFail(FwdState *); + static void fwdLogReplyStatus(int tries, http_status status); + static OBJH fwdStats; +@@ -207,7 +208,7 @@ + } + } + /* use eventAdd to break potential call sequence loops and to slow things down a little */ +- eventAdd("fwdConnectStart", fwdConnectStart, fwdState, originserver ? 0.05 : 0.005, 0); ++ eventAdd("fwdRestart", fwdRestart, fwdState, originserver ? 0.05 : 0.005, 0); + return; + } + if (!fwdState->err && shutting_down) +@@ -571,7 +572,7 @@ + fwdState->request->pinned_connection = NULL; + fwdState->servers = fs->next; + fwdServerFree(fs); +- fwdConnectStart(fwdState); ++ fwdRestart(fwdState); + return; + } + #if LINUX_TPROXY +@@ -697,6 +698,16 @@ + } + + static void ++fwdRestart(void *data) ++{ ++ FwdState *fwdState = data; ++ if (fwdState->servers) ++ fwdConnectStart(fwdState); ++ else ++ fwdStartFail(fwdState); ++} ++ ++static void + fwdStartComplete(FwdServer * servers, void *data) + { + FwdState *fwdState = data; +diff -urNad squid~/src/peer_select.c squid/src/peer_select.c +--- squid~/src/peer_select.c 2008-07-06 10:52:18.000000000 +0200 ++++ squid/src/peer_select.c 2008-10-27 20:40:56.000000000 +0100 +@@ -1,6 +1,6 @@ + + /* +- * $Id: peer_select.c,v 1.134.2.3 2008/06/24 22:53:49 hno Exp $ ++ * $Id: peer_select.c,v 1.134.2.4 2008/07/10 09:48:41 hno Exp $ + * + * DEBUG: section 44 Peer Selection Algorithm + * AUTHOR: Duane Wessels +@@ -685,7 +685,7 @@ + p ? p->name : "DIRECT", + hier_strings[code]); + while (*FS) { +- if ((*FS)->peer == p) { ++ if ((*FS)->peer == p && (*FS)->code != PINNED) { + debug(44, 5) ("peerAddFwdServer: Skipping duplicate registration of %s\n", p ? p->name : "DIRECT"); + return; + } +diff -urNad squid~/src/store.c squid/src/store.c +--- squid~/src/store.c 2008-07-06 10:52:18.000000000 +0200 ++++ squid/src/store.c 2008-10-27 20:41:04.000000000 +0100 +@@ -1362,6 +1362,7 @@ + errorAppendEntry(e, err); + } else { + EBIT_SET(e->flags, ENTRY_ABORTED); ++ EBIT_CLR(e->flags, ENTRY_FWD_HDR_WAIT); + } + e->store_status = STORE_OK; + mem->object_sz = mem->inmem_hi; --- squid-2.7.STABLE3.orig/debian/patches/07-manpage.dpatch +++ squid-2.7.STABLE3/debian/patches/07-manpage.dpatch @@ -0,0 +1,37 @@ +#! /bin/sh -e +## 07-manpage.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fixed wrong reference to /etc/squid/squid.conf + +if [ $# -ne 1 ]; then + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +fi + +[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts +patch_opts="${patch_opts:--f --no-backup-if-mismatch}" + +case "$1" in + -patch) patch $patch_opts -p1 < $0;; + -unpatch) patch $patch_opts -p1 -R < $0;; + *) + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1;; +esac + +exit 0 + +@DPATCH@ +diff -urNad squid~/doc/squid.8.in squid/doc/squid.8.in +--- squid~/doc/squid.8.in 2007-04-09 12:23:41.000000000 +0200 ++++ squid/doc/squid.8.in 2007-12-02 20:18:49.000000000 +0100 +@@ -120,7 +120,7 @@ + allow access from any browser. + .RE + +-.I @DEFAULT_CONFIG_FILE@.default ++.I /usr/share/doc/squid/examples/squid.conf + .RS + Reference copy of the configuration file. Always kept up to date with + the version of Squid you are using. Use this to look up configuration --- squid-2.7.STABLE3.orig/debian/patches/02-dfl-error-dir.dpatch +++ squid-2.7.STABLE3/debian/patches/02-dfl-error-dir.dpatch @@ -0,0 +1,30 @@ +#! /bin/sh -e +## 02-dfl-error-dir.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Default error dir is under /usr/share/squid for Debian + +if [ $# -ne 1 ]; then + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +fi +case "$1" in + -patch) patch -f --no-backup-if-mismatch -p0 < $0;; + -unpatch) patch -f --no-backup-if-mismatch -R -p0 < $0;; + *) + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1;; +esac + +exit 0 +--- src/defines.h 2002-08-08 22:17:39.000000000 +0200 ++++ src/defines.h 2002-10-10 19:57:22.000000000 +0200 +@@ -219,7 +219,7 @@ + + /* were to look for errors if config path fails */ + #ifndef DEFAULT_SQUID_ERROR_DIR +-#define DEFAULT_SQUID_ERROR_DIR "/usr/local/squid/etc/errors" ++#define DEFAULT_SQUID_ERROR_DIR "/usr/share/squid/errors/English" + #endif + + /* gb_type operations */ --- squid-2.7.STABLE3.orig/debian/patches/06-unlinkd.dpatch +++ squid-2.7.STABLE3/debian/patches/06-unlinkd.dpatch @@ -0,0 +1,72 @@ +#! /bin/sh -e +## 06-unlinkd.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Only run unlinkd for diskd and ufs storage methods + +if [ $# -ne 1 ]; then + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +fi +case "$1" in + -patch) patch -f --no-backup-if-mismatch -p0 < $0;; + -unpatch) patch -f --no-backup-if-mismatch -R -p0 < $0;; + *) + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1;; +esac + +exit 0 +--- src/main.c 2002-07-14 19:20:49.000000000 +0200 ++++ src/main.c 2002-10-10 19:49:04.000000000 +0200 +@@ -326,6 +326,21 @@ + asnFreeMemory(); + } + ++#if USE_UNLINKD ++static int ++needUnlinkd(void) ++{ ++ int i; ++ int r = 0; ++ for (i = 0; i < Config.cacheSwap.n_configured; i++) { ++ if (strcmp(Config.cacheSwap.swapDirs[i].type, "ufs") == 0 || ++ strcmp(Config.cacheSwap.swapDirs[i].type, "diskd") == 0) ++ r++; ++ } ++ return r; ++} ++#endif ++ + static void + mainReconfigure(void) + { +@@ -350,6 +365,9 @@ + #endif + redirectShutdown(); + authenticateShutdown(); ++#if USE_UNLINKD ++ unlinkdClose(); ++#endif + externalAclShutdown(); + storeDirCloseSwapLogs(); + errorClean(); +@@ -373,6 +391,9 @@ + #if USE_WCCP + wccpInit(); + #endif ++#if USE_UNLINKD ++ if (needUnlinkd()) unlinkdInit(); ++#endif + serverConnectionsOpen(); + if (theOutIcpConnection >= 0) { + if (!Config2.Accel.on || Config.onoff.accel_with_proxy) +@@ -516,7 +537,7 @@ + + if (!configured_once) { + #if USE_UNLINKD +- unlinkdInit(); ++ if (needUnlinkd()) unlinkdInit(); + #endif + urlInitialize(); + cachemgrInit(); --- squid-2.7.STABLE3.orig/debian/patches/04-smb-auth.dpatch +++ squid-2.7.STABLE3/debian/patches/04-smb-auth.dpatch @@ -0,0 +1,40 @@ +#! /bin/sh -e +## 04-smb-auth.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Read password with '-r' so backslashes work +## DP: Patch awk regexp to read correct field from nmblookup + +if [ $# -ne 1 ]; then + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +fi +case "$1" in + -patch) patch -f --no-backup-if-mismatch -p0 < $0;; + -unpatch) patch -f --no-backup-if-mismatch -R -p0 < $0;; + *) + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1;; +esac + +exit 0 +--- helpers/basic_auth/SMB/smb_auth.sh 2001-01-08 00:36:46.000000000 +0100 ++++ helpers/basic_auth/SMB/smb_auth.sh 2002-10-10 19:45:33.000000000 +0200 +@@ -24,7 +24,7 @@ + read AUTHSHARE + read AUTHFILE + read SMBUSER +-read SMBPASS ++read -r SMBPASS + + # Find domain controller + echo "Domain name: $DOMAINNAME" +@@ -47,7 +47,7 @@ + addropt="" + fi + echo "Query address options: $addropt" +-dcip=`$SAMBAPREFIX/bin/nmblookup $addropt "$PASSTHROUGH#1c" | awk '/^[0-9.]+ / { print $1 ; exit }'` ++dcip=`$SAMBAPREFIX/bin/nmblookup $addropt "$PASSTHROUGH#1c" | awk '/^[0-9.]+\..+ / { print $1 ; exit }'` + echo "Domain controller IP address: $dcip" + [ -n "$dcip" ] || exit 1 + --- squid-2.7.STABLE3.orig/debian/patches/01-cf.data.debian.dpatch +++ squid-2.7.STABLE3/debian/patches/01-cf.data.debian.dpatch @@ -0,0 +1,213 @@ +#!/bin/sh -e +## 01-cf.data.debian.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Default configuration file for Debian. + +if [ $# -ne 1 ]; then + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +fi + +[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts +patch_opts="${patch_opts:--f --no-backup-if-mismatch}" + +case "$1" in + -patch) patch $patch_opts -p1 < $0;; + -unpatch) patch $patch_opts -p1 -R < $0;; + *) + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1;; +esac + +exit 0 + +@DPATCH@ +diff -urNad squid~/src/cf.data.pre squid/src/cf.data.pre +--- squid~/src/cf.data.pre 2008-07-06 10:52:16.000000000 +0200 ++++ squid/src/cf.data.pre 2008-10-27 20:36:00.000000000 +0100 +@@ -125,7 +125,7 @@ + + Then, set this line to something like + +- auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd ++ auth_param basic program @DEFAULT_PREFIX@/lib/squid/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + + "children" numberofchildren + The number of authenticator processes to spawn. If you start too few +@@ -192,7 +192,7 @@ + + Then, set this line to something like + +- auth_param digest program @DEFAULT_PREFIX@/libexec/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass ++ auth_param digest program @DEFAULT_PREFIX@/lib/squid/digest_auth_pw @DEFAULT_PREFIX@/etc/digpass + + "children" numberofchildren + The number of authenticator processes to spawn. If you start too few +@@ -260,7 +260,7 @@ + By default, the ntlm authentication scheme is not used unless a + program is specified. + +- auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp ++ auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp + + "children" numberofchildren + The number of authenticator processes to spawn. If you start too few +@@ -665,7 +665,9 @@ + acl localnet src 172.16.0.0/12 # RFC1918 possible internal network + acl localnet src 192.168.0.0/16 # RFC1918 possible internal network + # +-acl SSL_ports port 443 ++acl SSL_ports port 443 # https ++acl SSL_ports port 563 # snews ++acl SSL_ports port 873 # rsync + acl Safe_ports port 80 # http + acl Safe_ports port 21 # ftp + acl Safe_ports port 443 # https +@@ -676,6 +678,10 @@ + acl Safe_ports port 488 # gss-http + acl Safe_ports port 591 # filemaker + acl Safe_ports port 777 # multiling http ++acl Safe_ports port 631 # cups ++acl Safe_ports port 873 # rsync ++acl Safe_ports port 901 # SWAT ++acl purge method PURGE + acl CONNECT method CONNECT + NOCOMMENT_END + DOC_END +@@ -709,6 +715,9 @@ + # Only allow cachemgr access from localhost + http_access allow manager localhost + http_access deny manager ++# Only allow purge requests from localhost ++http_access allow purge localhost ++http_access deny purge + # Deny requests to unknown ports + http_access deny !Safe_ports + # Deny CONNECT to other than SSL ports +@@ -724,7 +733,8 @@ + # Example rule allowing access from your local networks. + # Adapt localnet in the ACL section to list your (internal) IP networks + # from where browsing should be allowed +-http_access allow localnet ++#http_access allow localnet ++http_access allow localhost + + # And finally deny all other access to this proxy + http_access deny all +@@ -2137,7 +2147,7 @@ + NAME: maximum_object_size + COMMENT: (bytes) + TYPE: b_size_t +-DEFAULT: 4096 KB ++DEFAULT: 20480 KB + LOC: Config.Store.maxObjectSize + DOC_START + Objects larger than this size will NOT be saved on disk. The +@@ -2150,6 +2160,10 @@ + NOTE: if using the LFUDA replacement policy you should increase + this value to maximize the byte hit rate improvement of LFUDA! + See replacement_policy below for a discussion of this policy. ++ ++ NOTE 2: In Debian the default is raised to 20MB allowing cache ++ of Packages files in debian repositories. This makes squid a ++ proper proxy for APT. + DOC_END + + NAME: cache_swap_low +@@ -2385,7 +2399,7 @@ + + NAME: logfile_rotate + TYPE: int +-DEFAULT: 10 ++DEFAULT: 0 + LOC: Config.Log.rotateNumber + DOC_START + Specifies the number of logfile rotations to make when you +@@ -2401,6 +2415,9 @@ + purposes, so -k rotate uses another signal. It is best to get + in the habit of using 'squid -k rotate' instead of 'kill -USR1 + '. ++ ++ Note2, for Debian/Linux the default of logfile_rotate is ++ zero, since it includes external logfile-rotation methods. + DOC_END + + NAME: emulate_httpd_log +@@ -3029,6 +3046,7 @@ + refresh_pattern ^ftp: 1440 20% 10080 + refresh_pattern ^gopher: 1440 0% 1440 + refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 ++refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880 + refresh_pattern . 0 20% 4320 + NOCOMMENT_END + DOC_END +@@ -3363,6 +3381,9 @@ + DOC_START + Squid only knows about standardized HTTP request methods. + You can add up to 20 additional "extension" methods here. ++NOCOMMENT_START ++extension_methods REPORT MERGE MKACTIVITY CHECKOUT ++NOCOMMENT_END + DOC_END + + NAME: request_entities +@@ -3753,12 +3774,12 @@ + + NAME: cache_effective_user + TYPE: string +-DEFAULT: nobody ++DEFAULT: proxy + LOC: Config.effectiveUser + DOC_START + If you start Squid as root, it will change its effective/real + UID/GID to the user specified below. The default is to change +- to UID to nobody. If you define cache_effective_user, but not ++ to UID to proxy. If you define cache_effective_user, but not + cache_effective_group, Squid sets the GID to the effective + user's default group ID (taken from the password file) and + supplementary group list from the from groups membership of +@@ -4395,12 +4416,15 @@ + NAME: snmp_port + TYPE: ushort + LOC: Config.Port.snmp +-DEFAULT: 3401 ++DEFAULT: 0 + IFDEF: SQUID_SNMP + DOC_START + Squid can now serve statistics and status information via SNMP. + By default it listens to port 3401 on the machine. If you don't + wish to use SNMP, set this to "0". ++ ++ Note: on Debian/Linux, the default is zero - you need to ++ set it to 3401 to enable it. + DOC_END + + NAME: snmp_access +@@ -4471,12 +4495,12 @@ + NAME: htcp_port + IFDEF: USE_HTCP + TYPE: ushort +-DEFAULT: 4827 ++DEFAULT: 0 + LOC: Config.Port.htcp + DOC_START + The port number where Squid sends and receives HTCP queries to +- and from neighbor caches. Default is 4827. To disable use +- "0". ++ and from neighbor caches. To turn it on you want to set it 4827. ++ By default it is set to "0" (disabled). + DOC_END + + NAME: log_icp_queries +@@ -5239,6 +5263,10 @@ + If append_domain is used, that domain will be added to + domain-local (i.e. not containing any dot character) host + definitions. ++ ++NOCOMMENT_START ++hosts_file /etc/hosts ++NOCOMMENT_END + DOC_END + + NAME: dns_testnames --- squid-2.7.STABLE3.orig/debian/patches/61-upgrade-http0.9-option.dpatch +++ squid-2.7.STABLE3/debian/patches/61-upgrade-http0.9-option.dpatch @@ -0,0 +1,200 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 61-upgrade-http0.9-option.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Upstream patch adding upgrade_http0.9 option to fix issues +## DP: with streaming through port 80 + +@DPATCH@ +diff -urNad squid~/src/HttpHeader.c squid/src/HttpHeader.c +--- squid~/src/HttpHeader.c 2008-05-29 16:55:20.000000000 +0200 ++++ squid/src/HttpHeader.c 2009-01-16 19:15:24.000000000 +0100 +@@ -1,6 +1,6 @@ + + /* +- * $Id: HttpHeader.c,v 1.99 2007/12/21 09:50:19 adrian Exp $ ++ * $Id: HttpHeader.c,v 1.99.2.1 2008/09/25 02:33:37 hno Exp $ + * + * DEBUG: section 55 HTTP Header + * AUTHOR: Alex Rousskov +@@ -129,6 +129,7 @@ + {"X-Forwarded-For", HDR_X_FORWARDED_FOR, ftStr}, + {"X-Request-URI", HDR_X_REQUEST_URI, ftStr}, + {"X-Squid-Error", HDR_X_SQUID_ERROR, ftStr}, ++ {"X-HTTP09-First-Line", HDR_X_HTTP09_FIRST_LINE, ftStr}, + {"Negotiate", HDR_NEGOTIATE, ftStr}, + #if X_ACCELERATOR_VARY + {"X-Accelerator-Vary", HDR_X_ACCELERATOR_VARY, ftStr}, +diff -urNad squid~/src/cf.data.pre squid/src/cf.data.pre +--- squid~/src/cf.data.pre 2009-01-16 19:14:32.000000000 +0100 ++++ squid/src/cf.data.pre 2009-01-16 19:15:24.000000000 +0100 +@@ -3269,6 +3269,29 @@ + broken_posts allow buggy_server + DOC_END + ++NAME: upgrade_http0.9 ++TYPE: acl_access ++DEFAULT: none ++LOC: Config.accessList.upgrade_http09 ++DOC_START ++ This access list controls when HTTP/0.9 responses is upgraded ++ to our current HTTP version. The default is to always upgrade. ++ ++ Some applications expect to be able to respond with non-HTTP ++ responses and clients gets confused if the response is upgraded. ++ For example SHOUTcast servers used for mp3 streaming. ++ ++ To enable some flexibility in detection of such applications ++ the first line of the response is available in the internal header ++ X-HTTP09-First-Line for use in the rep_header acl. ++ ++NOCOMMENT_START ++# Don't upgrade ShoutCast responses to HTTP ++acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9] ++upgrade_http0.9 deny shoutcast ++NOCOMMENT_END ++DOC_END ++ + NAME: via + IFDEF: HTTP_VIOLATIONS + COMMENT: on|off +diff -urNad squid~/src/client_side.c squid/src/client_side.c +--- squid~/src/client_side.c 2008-07-06 10:52:18.000000000 +0200 ++++ squid/src/client_side.c 2009-01-16 19:15:24.000000000 +0100 +@@ -1934,8 +1934,8 @@ + LOCAL_ARRAY(char, bbuf, MAX_URL + 32); + String strVia = httpHeaderGetList(hdr, HDR_VIA); + snprintf(bbuf, MAX_URL + 32, "%d.%d %s", +- http->entry->mem_obj->reply->sline.version.major, +- http->entry->mem_obj->reply->sline.version.minor, ThisCache); ++ rep->sline.version.major, ++ rep->sline.version.minor, ThisCache); + strListAdd(&strVia, bbuf, ','); + httpHeaderDelById(hdr, HDR_VIA); + httpHeaderPutStr(hdr, HDR_VIA, strBuf(strVia)); +@@ -1995,13 +1995,6 @@ + /* try to grab the already-parsed header */ + rep = httpReplyClone(orig_rep); + if (rep->pstate == psParsed) { +- if (http->conn->port->http11) { +- /* enforce 1.1 reply version */ +- httpBuildVersion(&rep->sline.version, 1, 1); +- } else { +- /* enforce 1.0 reply version */ +- httpBuildVersion(&rep->sline.version, 1, 0); +- } + /* do header conversions */ + clientBuildReplyHeader(http, rep); + /* if we do ranges, change status to "Partial Content" */ +@@ -3005,17 +2998,41 @@ + { + HttpReply *rep = http->reply; + MemBuf mb; ++ int send_header = 1; + /* reset range iterator */ + http->range_iter.pos = HttpHdrRangeInitPos; + if (http->request->method == METHOD_HEAD) { + /* do not forward body for HEAD replies */ + http->flags.done_copying = 1; + } ++ if (http->http_ver.major < 1) ++ send_header = 0; ++ if (rep->sline.version.major < 1) { ++ if (send_header && Config.accessList.upgrade_http09) { ++ aclCheck_t *checklist = clientAclChecklistCreate(Config.accessList.upgrade_http09, http); ++ checklist->reply = rep; ++ if (aclCheckFast(Config.accessList.upgrade_http09, checklist) != 1) ++ send_header = 0; ++ aclChecklistFree(checklist); ++ } ++ httpHeaderDelById(&rep->header, HDR_X_HTTP09_FIRST_LINE); ++ } + /* init mb; put status line and headers */ +- if (http->http_ver.major >= 1) ++ if (send_header) { ++ if (http->conn->port->http11) { ++ /* enforce 1.1 reply version */ ++ httpBuildVersion(&rep->sline.version, 1, 1); ++ } else { ++ /* enforce 1.0 reply version */ ++ httpBuildVersion(&rep->sline.version, 1, 0); ++ } + mb = httpReplyPack(rep); +- else ++ } else { ++ debug(33, 2) ("HTTP/0.9 response, disable everything\n"); ++ http->request->flags.chunked_response = 0; ++ http->request->flags.proxy_keepalive = 0; + memBufDefInit(&mb); ++ } + if (Config.onoff.log_mime_hdrs) { + http->al.headers.reply = xmalloc(mb.size + 1); + xstrncpy(http->al.headers.reply, mb.buf, mb.size); +diff -urNad squid~/src/enums.h squid/src/enums.h +--- squid~/src/enums.h 2008-06-01 02:50:31.000000000 +0200 ++++ squid/src/enums.h 2009-01-16 19:15:24.000000000 +0100 +@@ -1,6 +1,6 @@ + + /* +- * $Id: enums.h,v 1.245.2.2 2008/05/27 12:49:39 hno Exp $ ++ * $Id: enums.h,v 1.245.2.3 2008/09/25 02:33:37 hno Exp $ + * + * + * SQUID Web Proxy Cache http://www.squid-cache.org/ +@@ -261,6 +261,7 @@ + #endif + HDR_X_ERROR_URL, /* errormap, requested URL */ + HDR_X_ERROR_STATUS, /* errormap, received HTTP status line */ ++ HDR_X_HTTP09_FIRST_LINE, /* internal, first line of HTTP/0.9 response */ + HDR_FRONT_END_HTTPS, + HDR_PROXY_SUPPORT, + HDR_KEEP_ALIVE, +diff -urNad squid~/src/http.c squid/src/http.c +--- squid~/src/http.c 2008-07-06 10:52:17.000000000 +0200 ++++ squid/src/http.c 2009-01-16 19:15:24.000000000 +0100 +@@ -1,6 +1,6 @@ + + /* +- * $Id: http.c,v 1.439.2.6 2008/06/25 22:14:02 hno Exp $ ++ * $Id: http.c,v 1.439.2.7 2008/09/25 02:33:37 hno Exp $ + * + * DEBUG: section 11 Hypertext Transfer Protocol (HTTP) + * AUTHOR: Harvest Derived +@@ -432,6 +432,18 @@ + hdr_len = httpState->reply_hdr.size; + if (hdr_len > 4 && strncmp(httpState->reply_hdr.buf, "HTTP/", 5)) { + debug(11, 3) ("httpProcessReplyHeader: Non-HTTP-compliant header: '%s'\n", httpState->reply_hdr.buf); ++ { ++ char *t, *t2; ++ t = xstrdup(httpState->reply_hdr.buf); ++ t2 = strchr(t, '\n'); ++ if (t2) ++ *t2 = '\0'; ++ t2 = strchr(t, '\r'); ++ if (t2) ++ *t2 = '\0'; ++ httpHeaderPutStr(&reply->header, HDR_X_HTTP09_FIRST_LINE, t); ++ safe_free(t); ++ } + httpState->reply_hdr_state += 2; + httpState->chunk_size = -1; /* Terminated by EOF */ + httpState->reply_hdr.size = old_size; +@@ -972,7 +984,6 @@ + } else if (s == HTTP_INVALID_HEADER) { + MemBuf mb; + HttpReply *reply = entry->mem_obj->reply; +- httpReplyReset(reply); + httpBuildVersion(&reply->sline.version, 0, 9); + reply->sline.status = HTTP_OK; + httpHeaderPutTime(&reply->header, HDR_DATE, squid_curtime); +diff -urNad squid~/src/structs.h squid/src/structs.h +--- squid~/src/structs.h 2008-07-06 10:52:16.000000000 +0200 ++++ squid/src/structs.h 2009-01-16 19:15:24.000000000 +0100 +@@ -737,6 +737,7 @@ + #endif + acl_access *vary_encoding; + acl_access *auth_ip_shortcircuit; ++ acl_access *upgrade_http09; + } accessList; + acl_deny_info_list *denyInfoList; + struct _authConfig { --- squid-2.7.STABLE3.orig/debian/patches/03-no-append-domain-localhost.dpatch +++ squid-2.7.STABLE3/debian/patches/03-no-append-domain-localhost.dpatch @@ -0,0 +1,28 @@ +#! /bin/sh -e +## 03-no-append-domain-localhost.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Don't apply "append_domain" setting to "localhost" in unqualified URLs + +if [ $# -ne 1 ]; then + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1 +fi +case "$1" in + -patch) patch -f --no-backup-if-mismatch -p0 < $0;; + -unpatch) patch -f --no-backup-if-mismatch -R -p0 < $0;; + *) + echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" + exit 1;; +esac + +exit 0 +--- src/url.c 2002-09-12 07:21:00.000000000 +0200 ++++ src/url.c 2002-10-10 19:37:43.000000000 +0200 +@@ -313,5 +313,5 @@ + } + #endif +- if (Config.appendDomain && !strchr(host, '.')) ++ if (Config.appendDomain && !strchr(host, '.')&& strcasecmp(host,"localhost") != 0) + strncat(host, Config.appendDomain, SQUIDHOSTNAMELEN); + /* remove trailing dots from hostnames */ --- squid-2.7.STABLE3.orig/debian/patches/smb_auth.README +++ squid-2.7.STABLE3/debian/patches/smb_auth.README @@ -0,0 +1,31 @@ +From: Jeff Licquia +Subject: squid: SMB auth proxy has problems with some passwords +To: submit@bugs.debian.org +X-Mailer: bug 3.2.7 +Message-Id: <20000718174501.0B4A132915@scinet.springfieldclinic.com> +Date: Tue, 18 Jul 2000 12:45:01 -0500 (CDT) + +Package: squid +Version: 2.2.5-2 +Severity: normal + + +The SMB authenticator doesn't handle passwords with backslashes in them +correctly. The fix appears to be easy; just put a -r in the "read SMBPASS" +line in smb_auth.sh. + + +From: John M Cooper +To: Debian Bug Tracking System +Subject: squid: smb_auth does not work with a wins server defined in smb.conf +Date: 28 Jan 2002 17:46:13 +0000 +Message-Id: <1012239973.15093.4.camel@johnclin> + +If you define a wins server in the file /etc/samba/smb.conf then the +smb_auth script gets the wrong Domain Controller IP address. + +There should be a change to mb_auth.sh at line 50 + +basically adding in the extra "\..+" stops the number of Wins servers +from being returned from the nmblookup command. + --- squid-2.7.STABLE3.orig/debian/patches/vms-ftp.patch.NOT-YET +++ squid-2.7.STABLE3/debian/patches/vms-ftp.patch.NOT-YET @@ -0,0 +1,101 @@ +diff -ruN squid-2.2.5.orig/src/ftp.c squid-2.2.5/src/ftp.c +--- squid-2.2.5.orig/src/ftp.c Wed Sep 22 23:22:50 1999 ++++ squid-2.2.5/src/ftp.c Thu Jan 6 14:12:42 2000 +@@ -461,6 +461,8 @@ + #define SCAN_FTP2 "%[0123456789:]" + #define SCAN_FTP3 "%[0123456789]-%[0123456789]-%[0123456789]" + #define SCAN_FTP4 "%[0123456789]:%[0123456789]%[AaPp]%[Mm]" ++#define SCAN_FTP5 "%s;%*d" ++#define SCAN_FTP6 "%[0123456789]-%s-%[0123456789]" + + static ftpListParts * + ftpListParseParts(const char *buf, struct _ftp_flags flags) +@@ -468,6 +470,7 @@ + ftpListParts *p = NULL; + char *t = NULL; + const char *ct = NULL; ++ char *q; + char *tokens[MAX_TOKENS]; + int i; + int n_tokens; +@@ -598,6 +601,32 @@ + p->type = '-'; + } + } ++ /* try it as a VMS listing */ ++ if (n_tokens > 3 && p->name == NULL && ++ sscanf(tokens[0], SCAN_FTP5, sbuf) == 1 && ++ /* FILENAME;ver */ ++ sscanf(tokens[2], SCAN_FTP6, sbuf, sbuf, sbuf) == 3) { ++ /* 8-SEP-1998 */ ++ if ((q = strstr(tokens[0], ".DIR;")) != NULL) { ++ p->type = 'd'; ++ *q = 0; ++ } else { ++ p->type = '-'; ++ p->size = atoi(tokens[1]); ++ } ++ snprintf(sbuf, 128, "%s %s", tokens[2], tokens[3]); ++ p->date = xstrdup(sbuf); ++ if ((p->name = xstrdup(tokens[0])) != NULL) { ++ /* Lowercase name and remove version. */ ++ for (q = p->name; *q; q++) { ++ *q = tolower(*q); ++ if (*q == ';') { ++ *q = 0; ++ break; ++ } ++ } ++ } ++ } + for (i = 0; i < n_tokens; i++) + xfree(tokens[i]); + if (p->name == NULL) +@@ -769,12 +798,14 @@ + char *sbuf; /* NULL-terminated copy of buf */ + char *end; + char *line; ++ char *p; + char *s; + char *t; + size_t linelen; + size_t usable; + StoreEntry *e = ftpState->entry; + int len = ftpState->data.offset; ++ int xx, is_vms = -1; + /* + * We need a NULL-terminated buffer for scanning, ick + */ +@@ -799,12 +830,32 @@ + for (; s < end; s += strcspn(s, crlf), s += strspn(s, crlf)) { + debug(9, 3) ("ftpParseListing: s = {%s}\n", s); + linelen = strcspn(s, crlf) + 1; ++ /* VMS splits listings of filenames > 19 characters over 2 lines. */ ++ if (is_vms > 0 && linelen > 2 && s + linelen < end) { ++ xx = 0; ++ for (p = s; *p && *p != '\r'; p++) { ++ if (*p == ' ' || *p == '\t') ++ break; ++ if (*p == ';') xx = 1; ++ } ++ if (*p == '\r' && xx) { ++ s[linelen - 3] = ' '; ++ s[linelen - 2] = ' '; ++ linelen = strcspn(s, crlf) + 1; ++ } ++ } + if (linelen < 2) + break; + if (linelen > 4096) + linelen = 4096; + xstrncpy(line, s, linelen); + debug(9, 7) ("ftpParseListing: {%s}\n", line); ++ /* VMS doesn't print "total" but "\r\nANONYMOUS:[000000]\r\n" */ ++ if (is_vms == 0 && sscanf(line, "%*s:[%d.%*s]", &xx) == 1) { ++ is_vms = 1; ++ continue; ++ } ++ if (is_vms < 0 && strncmp(line, crlf, 2) == 0) is_vms = 0; + if (!strncmp(line, "total", 5)) + continue; + t = ftpHtmlifyListEntry(line, ftpState); --- squid-2.7.STABLE3.orig/debian/patches/00README +++ squid-2.7.STABLE3/debian/patches/00README @@ -0,0 +1,24 @@ + +Upstream patches against the release, that will be integrated into +the next stable release (http://www.squid-cache.org/Versions/v2/2.5/bugs/) + +[currently none] + +Debian specific patches: +All patches that were in the debian squid-2.3.4 and squid-2.4.7 have been +applied to squid-2.5.1 as well, if they hadn't been integrated yet. + +cf.data.debian.patch Debian specific squid.conf patches +dfl-error-dir.patch Default error dir is under /usr/lib/squid for Debian +no_append_domain_localhost.patch + Don't apply "append_domain" setting to "localhost" + in unqualified URLs. +smb_auth.patch Read password with '-r' so backslashes work + Patch awk regexp to read correct field from nmblookup +syslog.patch Log to daemon.log instead of local4.log +unlinkd.patch Only run unlinkd for diskd and ufs storage methods + +Not applied (yet?): + +vms-ftp.patch.NOT-YET Not finished and not working + --- squid-2.7.STABLE3.orig/debian/patches/60-dns-queue.dpatch +++ squid-2.7.STABLE3/debian/patches/60-dns-queue.dpatch @@ -0,0 +1,115 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 60-dns-queue.dpatch by Luigi Gangitano +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Upstream patches fixing DNS queue issues + +@DPATCH@ +diff -urNad squid~/src/dns_internal.c squid/src/dns_internal.c +--- squid~/src/dns_internal.c 2008-05-29 16:55:34.000000000 +0200 ++++ squid/src/dns_internal.c 2008-10-27 20:47:06.000000000 +0100 +@@ -1,6 +1,6 @@ + + /* +- * $Id: dns_internal.c,v 1.63.2.5 2008/05/04 23:26:36 hno Exp $ ++ * $Id: dns_internal.c,v 1.63.2.7 2008/06/27 20:56:26 hno Exp $ + * + * DEBUG: section 78 DNS lookups; interacts with lib/rfc1035.c + * AUTHOR: Duane Wessels +@@ -98,6 +98,7 @@ + int nsends; + struct timeval start_t; + struct timeval sent_t; ++ struct timeval queue_t; + dlink_node lru; + IDNSCB *callback; + void *callback_data; +@@ -605,7 +606,7 @@ + q->buf, + q->sz); + q->nsends++; +- q->sent_t = current_time; ++ q->queue_t = q->sent_t = current_time; + if (x < 0) { + debug(50, 1) ("idnsSendQuery: FD %d: sendto: %s\n", + DnsSocket, xstrerror()); +@@ -704,9 +705,8 @@ + return; + } + if (n <= 0) { +- debug(78, 2) ("idnsReadTcp: Short response for %s.\n", q->name); +- dlinkDelete(&q->lru, &lru_list); +- idnsSendQuery(q); ++ debug(78, 1) ("idnsReadTcp: Short response from nameserver %d for %s.\n", ns + 1, q->name); ++ idnsTcpCleanup(q); + return; + } + fd_bytes(fd, n, FD_READ); +@@ -733,8 +733,7 @@ + if (errflag == COMM_ERR_CLOSING) + return; + if (errflag) { +- dlinkDelete(&q->lru, &lru_list); +- idnsSendQuery(q); ++ idnsTcpCleanup(q); + return; + } + commSetSelect(q->tcp_socket, COMM_SELECT_READ, idnsReadTcp, q, 0); +@@ -747,8 +746,9 @@ + idns_query *q = data; + short nsz; + if (status != COMM_OK) { +- dlinkDelete(&q->lru, &lru_list); +- idnsSendQuery(q); ++ int ns = (q->nsends - 1) % nns; ++ debug(78, 1) ("idnsSendTcpQuery: Failed to connect to DNS server %d using TCP\n", ns + 1); ++ idnsTcpCleanup(q); + return; + } + memBufInit(&buf, q->sz + 2, q->sz + 2); +@@ -774,6 +774,7 @@ + 0, + COMM_NONBLOCKING, + "DNS TCP Socket"); ++ q->queue_t = q->sent_t = current_time; + dlinkAdd(q, &q->lru, &lru_list); + commConnectStart(q->tcp_socket, + inet_ntoa(nameservers[ns].S.sin_addr), +@@ -837,7 +838,6 @@ + return; + } + if (q->rcode == 3 && q->do_searchpath && q->attempt < MAX_ATTEMPT) { +- assert(NULL == message->answer); + strcpy(q->name, q->orig); + if (q->domain < npc) { + strcat(q->name, "."); +@@ -934,16 +934,24 @@ + dlink_node *p = NULL; + idns_query *q; + event_queued = 0; ++ if (0 == nns) ++ /* name servers went away; reconfiguring or shutting down */ ++ return; + for (n = lru_list.tail; n; n = p) { +- if (0 == nns) +- /* name servers went away; reconfiguring or shutting down */ +- break; ++ p = n->prev; + q = n->data; +- if (tvSubDsec(q->sent_t, current_time) < Config.Timeout.idns_retransmit * 1 << ((q->nsends - 1) / nns)) ++ /* Anything to process in the queue? */ ++ if (tvSubDsec(q->queue_t, current_time) < Config.Timeout.idns_retransmit) + break; ++ /* Query timer expired? */ ++ if (tvSubDsec(q->sent_t, current_time) < Config.Timeout.idns_retransmit * 1 << ((q->nsends - 1) / nns)) { ++ dlinkDelete(&q->lru, &lru_list); ++ q->queue_t = current_time; ++ dlinkAdd(q, &q->lru, &lru_list); ++ continue; ++ } + debug(78, 3) ("idnsCheckQueue: ID %#04x timeout\n", + q->id); +- p = n->prev; + dlinkDelete(&q->lru, &lru_list); + if (tvSubDsec(q->start_t, current_time) < Config.Timeout.idns_query) { + idnsSendQuery(q); --- squid-2.7.STABLE3.orig/debian/patches/00list +++ squid-2.7.STABLE3/debian/patches/00list @@ -0,0 +1,10 @@ +01-cf.data.debian +02-dfl-error-dir +03-no-append-domain-localhost +04-smb-auth +06-unlinkd +07-manpage +59-forward-assert +60-dns-queue +61-upgrade-http0.9-option +70-DoS-request-processing.patch --- squid-2.7.STABLE3.orig/debian/rules +++ squid-2.7.STABLE3/debian/rules @@ -0,0 +1,390 @@ +#! /usr/bin/make -f +# +# debian/rules file for squid. +# + +# Version. +package = squid + +# Include dpatch stuff. +include /usr/share/dpatch/dpatch.make + +SHELL = /bin/bash +LC_ALL = POSIX + +DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null) +DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) + +CFLAGS = -Wall -g +INSTALL = install +INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644 +INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755 +INSTALL_SCRIPT = $(INSTALL) -p -o root -g root -m 755 +INSTALL_DIR = $(INSTALL) -p -d -o root -g root -m 755 + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) +CFLAGS += -O0 +else +CFLAGS += -O2 +endif + +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) +INSTALL_PROGRAM += -s +endif +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +endif + +# Take account of old dpkg-architecture output. +ifeq ($(DEB_HOST_ARCH_CPU),) + DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU) + ifeq ($(DEB_HOST_ARCH_CPU),x86_64) + DEB_HOST_ARCH_CPU := amd64 + endif +endif +ifeq ($(DEB_HOST_ARCH_OS),) + DEB_HOST_ARCH_OS := $(subst -gnu,,$(shell dpkg-architecture -qDEB_HOST_GNU_SYSTEM)) + ifeq ($(DEB_HOST_ARCH_OS),gnu) + DEB_HOST_ARCH_OS := hurd + endif +endif + +tmp = debian/tmp +bindir = /usr/sbin +libexecdir = /usr/lib/squid +sysconfdir = /etc/squid +logdir = /var/log/squid +docdir = /usr/share/doc/squid +datadir = /usr/share/squid +mibdir = /usr/share/snmp/mibs + +DEFAULTS = logdir=$(logdir) \ + DEFAULT_CACHE_LOG=$(logdir)/cache.log \ + DEFAULT_ACCESS_LOG=$(logdir)/access.log \ + DEFAULT_STORE_LOG=$(logdir)/store.log \ + DEFAULT_PID_FILE=/var/run/squid.pid \ + DEFAULT_SWAP_DIR=/var/spool/squid \ + DEFAULT_ICON_DIR=$(datadir)/icons \ + DEFAULT_ERROR_DIR=$(datadir)/errors/English \ + DEFAULT_MIME_TABLE=$(datadir)/mime.conf \ + DEFAULT_MIB_PATH=$(mibdir)/SQUID.txt + +# The HURD doesn't have pthreads yet. +ifeq ($(DEB_HOST_ARCH_OS), gnu) + with_pthreads = --enable-storeio=ufs,diskd,null + with_netfilter = + with_arp_acl = + with_epoll = +else +ifeq ($(DEB_HOST_ARCH_OS), kfreebsd) + with_pthreads = --enable-async-io --with-pthreads \ + --enable-storeio=ufs,aufs,coss,diskd,null + with_netfilter = + with_arp_acl = + with_epoll = --enable-kqueue +else + with_pthreads = --enable-async-io --with-pthreads \ + --enable-storeio=ufs,aufs,coss,diskd,null + with_netfilter = --enable-linux-netfilter + with_arp_acl = --enable-arp-acl + with_epoll = --enable-epoll +endif +endif + +# setresuid is broken on sparc +ifeq ($(DEB_HOST_ARCH_CPU), sparc) + opt_ac_cv_func_setresuid = ac_cv_func_setresuid=no +else + opt_ac_cv_func_setresuid = ac_cv_func_setresuid=yes +endif + +define checkdir + test -f src/squid.h +endef + + +# Build the binaries. +build: MAKEFLAGS += -j$(NUMJOBS) +build: patch config.status + $(checkdir) + $(MAKE) $(DEFAULTS) all + # Authentication modules + cd helpers/basic_auth/NCSA && make + cd helpers/basic_auth/SMB && make SAMBAPREFIX=/usr INSTALLBIN=/usr/lib/squid + cd helpers/basic_auth/PAM && make + cd helpers/basic_auth/LDAP && make + cd helpers/basic_auth/YP && make + cd helpers/basic_auth/MSNT && make + cd helpers/basic_auth/getpwnam && make + cd helpers/digest_auth/password && make + cd helpers/digest_auth/ldap && make + cd helpers/external_acl/ip_user && make + cd helpers/external_acl/ldap_group && make + cd helpers/external_acl/session && make + cd helpers/external_acl/unix_group && make + cd helpers/external_acl/wbinfo_group && make + cd helpers/ntlm_auth/SMB && make + touch build + +# Configure the package. +config.status: + + $(opt_ac_cv_func_setresuid) \ + ./configure \ + --prefix=/usr \ + --exec_prefix=/usr \ + --bindir=/usr/sbin --sbindir=/usr/sbin \ + --libexecdir=/usr/lib/squid \ + --sysconfdir=$(sysconfdir) \ + --localstatedir=/var/spool/squid \ + --datadir=/usr/share/squid \ + $(with_pthreads) \ + $(with_netfilter) \ + $(with_arp_acl) \ + $(with_epoll) \ + --enable-removal-policies=lru,heap \ + --enable-snmp \ + --enable-delay-pools \ + --enable-htcp \ + --enable-cache-digests \ + --enable-underscores \ + --enable-referer-log \ + --enable-useragent-log \ + --enable-auth="basic,digest,ntlm,negotiate" \ + --enable-negotiate-auth-helpers=squid_kerb_auth \ + --enable-carp \ + --enable-follow-x-forwarded-for \ + --with-large-files \ + --with-maxfd=65536 \ + $(DEB_HOST_ARCH_CPU)-debian-$(DEB_HOST_ARCH_OS) + +# Architecture independant files. +binary-indep: build checkroot + -rm -rf $(tmp) debian/files + $(checkdir) + # + # Build squid-common package. + # + $(INSTALL_DIR) $(tmp)/DEBIAN + $(INSTALL_DIR) $(tmp)/usr/share/doc/squid-common + $(INSTALL_FILE) ChangeLog $(tmp)/usr/share/doc/squid-common/changelog + $(INSTALL_FILE) debian/changelog \ + $(tmp)/usr/share/doc/squid-common/changelog.Debian + gzip -9f $(tmp)/usr/share/doc/squid-common/* + $(INSTALL_FILE) debian/copyright $(tmp)/usr/share/doc/squid-common + $(INSTALL_DIR) $(tmp)/usr/share/$(package) + $(INSTALL_DIR) $(tmp)/usr/share/squid/errors + $(INSTALL_DIR) $(tmp)/usr/share/squid/icons + $(INSTALL_DIR) $(tmp)/usr/share/snmp/mibs + $(INSTALL_FILE) src/mib.txt ./$(tmp)$(mibdir)/SQUID.txt + $(INSTALL_FILE) src/mime.conf.default ./$(tmp)$(datadir)/mime.conf + # + cp -R errors/* ./$(tmp)$(datadir)/errors + rm -f ./$(tmp)$(datadir)/errors/Makefile* + rm -f ./$(tmp)$(datadir)/errors/list + chmod 755 ./$(tmp)$(datadir)/errors/* + chmod 644 ./$(tmp)$(datadir)/errors/*/* + chown -R root:root ./$(tmp)$(datadir)/errors + $(INSTALL_FILE) icons/*.gif ./$(tmp)$(datadir)/icons + $(INSTALL_DIR) $(tmp)/usr/share/doc/$(package) + $(INSTALL_DIR) $(tmp)/usr/share/doc/$(package)/examples + $(INSTALL_FILE) debian/doc/README.auth_modules $(tmp)$(docdir) + $(INSTALL_FILE) helpers/basic_auth/SMB/README \ + $(tmp)$(docdir)/README.auth_module.smb_auth + umask 022; head -19 helpers/basic_auth/NCSA/ncsa_auth.c > \ + $(tmp)$(docdir)/README.auth_module.ncsa_auth + umask 022; head -56 helpers/basic_auth/PAM/pam_auth.c > \ + $(tmp)$(docdir)/README.auth_module.pam_auth + $(INSTALL_FILE) debian/README.ldap_auth \ + $(tmp)$(docdir)/README.auth_module.ldap_auth + $(INSTALL_FILE) helpers/basic_auth/MSNT/README.html \ + $(tmp)$(docdir)/README.auth_module.msnt_auth.html + umask 022; head -21 helpers/basic_auth/getpwnam/getpwnam_auth.c > \ + $(tmp)$(docdir)/README.auth_module.getpwnam_auth + umask 022; head -26 helpers/digest_auth/password/digest_pw_auth.c > \ + $(tmp)$(docdir)/README.auth_module.digest_pw_auth + $(INSTALL_FILE) helpers/external_acl/ip_user/README \ + $(tmp)$(docdir)/README.auth_module.ip_user + $(INSTALL_FILE) helpers/external_acl/ip_user/example.conf \ + $(tmp)$(docdir)/examples/ip_user-example.conf + $(INSTALL_FILE) helpers/external_acl/unix_group/README \ + $(tmp)$(docdir)/README.auth_module.unix_group + $(INSTALL_FILE) helpers/negotiate_auth/squid_kerb_auth/readme.txt \ + $(tmp)$(docdir)/README.squid_kerb_auth + $(INSTALL_FILE) CONTRIBUTORS QUICKSTART RELEASENOTES.html \ + README debian/doc/README.transparent-proxy \ + debian/doc/README.morefds doc/debug-sections.txt \ + $(tmp)/usr/share/doc/$(package) + $(INSTALL_FILE) debian/doc/CompleteFaq $(tmp)/usr/share/doc/$(package) + gzip -9f `find debian/tmp/usr/share/doc/squid/* | grep -v examples` + dpkg-gencontrol -isp -psquid-common + dpkg --build $(tmp) .. + rm -f debian/substvars + rm -rf $(tmp) + +# Make a binary package (.deb file) +binary-arch: build checkroot + # + # Build squid package. + # + $(INSTALL_DIR) $(tmp)/DEBIAN + $(INSTALL_DIR) $(tmp)/etc/squid + $(INSTALL_DIR) $(tmp)/etc/logrotate.d + $(INSTALL_DIR) $(tmp)/etc/init.d + $(INSTALL_DIR) $(tmp)/etc/resolvconf/update-libc.d + $(INSTALL_DIR) $(tmp)/usr/sbin + $(INSTALL_DIR) $(tmp)/usr/share/doc/$(package) + $(INSTALL_DIR) $(tmp)/usr/share/doc/$(package)/examples + $(INSTALL_DIR) $(tmp)/usr/lib/squid + $(INSTALL_DIR) $(tmp)/var/{log,spool} + install -m 750 -o proxy -g proxy -d $(tmp)/var/log/squid + install -m 750 -o proxy -g proxy -d $(tmp)/var/spool/squid + $(INSTALL_DIR) $(tmp)/usr/share/man/man8 + # + $(INSTALL_PROGRAM) src/squid $(tmp)/usr/sbin + $(INSTALL_PROGRAM) src/unlinkd src/fs/diskd-daemon src/logfile-daemon $(tmp)/usr/lib/squid + $(INSTALL_FILE) debian/logrotate $(tmp)/etc/logrotate.d/squid + $(INSTALL_SCRIPT) debian/squid.resolvconf $(tmp)/etc/resolvconf/update-libc.d/squid + $(INSTALL_PROGRAM) helpers/basic_auth/SMB/smb_auth $(tmp)$(libexecdir) + $(INSTALL_SCRIPT) helpers/basic_auth/SMB/smb_auth.sh $(tmp)$(libexecdir) + $(INSTALL_PROGRAM) helpers/basic_auth/NCSA/ncsa_auth $(tmp)$(libexecdir) + $(INSTALL_PROGRAM) -m 2754 -o proxy -g shadow \ + helpers/basic_auth/PAM/pam_auth $(tmp)$(libexecdir) + $(INSTALL_PROGRAM) helpers/basic_auth/LDAP/squid_ldap_auth \ + $(tmp)$(libexecdir)/ldap_auth + $(INSTALL_PROGRAM) helpers/basic_auth/YP/yp_auth \ + $(tmp)$(libexecdir)/yp_auth + $(INSTALL_PROGRAM) helpers/basic_auth/MSNT/msnt_auth \ + $(tmp)$(libexecdir)/msnt_auth + $(INSTALL_PROGRAM) -m 2754 -o proxy -g shadow \ + helpers/basic_auth/getpwnam/getpwname_auth \ + $(tmp)$(libexecdir)/getpwnam_auth + $(INSTALL_PROGRAM) helpers/digest_auth/password/digest_pw_auth \ + $(tmp)$(libexecdir)/digest_pw_auth + $(INSTALL_PROGRAM) helpers/external_acl/ip_user/ip_user_check \ + $(tmp)$(libexecdir)/ip_user_check + $(INSTALL_PROGRAM) helpers/external_acl/ldap_group/squid_ldap_group \ + $(tmp)$(libexecdir)/squid_ldap_group + $(INSTALL_FILE) helpers/external_acl/ldap_group/squid_ldap_group.8 \ + $(tmp)/usr/share/man/man8/squid_ldap_group.8 + $(INSTALL_PROGRAM) helpers/external_acl/session/squid_session \ + $(tmp)$(libexecdir)/squid_session + $(INSTALL_FILE) helpers/external_acl/session/squid_session.8 \ + $(tmp)/usr/share/man/man8/squid_session.8 + $(INSTALL_PROGRAM) helpers/external_acl/unix_group/squid_unix_group \ + $(tmp)$(libexecdir)/squid_unix_group + $(INSTALL_FILE) helpers/external_acl/unix_group/squid_unix_group.8 \ + $(tmp)/usr/share/man/man8/squid_unix_group.8 + $(INSTALL_SCRIPT) helpers/external_acl/wbinfo_group/wbinfo_group.pl \ + $(tmp)$(libexecdir)/wbinfo_group.pl + $(INSTALL_PROGRAM) helpers/ntlm_auth/SMB/ntlm_auth \ + $(tmp)$(libexecdir)/ntlm_auth + $(INSTALL_PROGRAM) helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth \ + $(tmp)$(libexecdir)/squid_kerb_auth + # the examples. Most have been removed from upstream :/ + $(INSTALL_FILE) src/squid.conf.default \ + $(tmp)/usr/share/doc/$(package)/examples/squid.conf + $(INSTALL_FILE) debian/default.squid \ + $(tmp)/usr/share/doc/$(package)/examples + + # + $(INSTALL_FILE) ChangeLog $(tmp)/usr/share/doc/$(package)/changelog + $(INSTALL_FILE) debian/changelog \ + $(tmp)/usr/share/doc/$(package)/changelog.Debian + $(INSTALL_FILE) debian/README.Debian \ + $(tmp)/usr/share/doc/$(package)/README.Debian + $(INSTALL_FILE) debian/NEWS.Debian \ + $(tmp)/usr/share/doc/$(package)/NEWS.Debian + gzip -9f `find debian/tmp/usr/share/doc/squid/* | grep -v examples` + $(INSTALL_FILE) debian/copyright $(tmp)/usr/share/doc/$(package) + $(INSTALL_FILE) doc/squid.8 $(tmp)/usr/share/man/man8 + gzip -9f $(tmp)/usr/share/man/man?/* + $(INSTALL_SCRIPT) debian/squid.rc $(tmp)/etc/init.d/squid + # + $(INSTALL_SCRIPT) debian/preinst $(tmp)/DEBIAN/preinst + $(INSTALL_SCRIPT) debian/postinst $(tmp)/DEBIAN/postinst + $(INSTALL_SCRIPT) debian/prerm $(tmp)/DEBIAN/prerm + $(INSTALL_SCRIPT) debian/postrm $(tmp)/DEBIAN/postrm + $(INSTALL_FILE) debian/conffiles $(tmp)/DEBIAN/conffiles + #$(INSTALL_FILE) debian/templates $(tmp)/DEBIAN/templates + po2debconf debian/templates > debian/templates.merged + $(INSTALL_FILE) debian/templates.merged $(tmp)/DEBIAN/templates + $(INSTALL_SCRIPT) debian/config $(tmp)/DEBIAN/config + + # overrides file + $(INSTALL_DIR) $(tmp)/usr/share/lintian/overrides/ + $(INSTALL_FILE) debian/squid.overrides \ + $(tmp)/usr/share/lintian/overrides/squid + + dpkg-shlibdeps $(tmp)/usr/sbin/* $(tmp)$(libexecdir)/* + dpkg-gencontrol -isp -p$(package) + dpkg --build $(tmp) .. + rm -f debian/substvars + rm -rf $(tmp) + # + # Generate squid-cgi package. + # + $(INSTALL_DIR) $(tmp)/DEBIAN + $(INSTALL_DIR) $(tmp)/etc/squid + $(INSTALL_DIR) $(tmp)/usr/lib/cgi-bin + $(INSTALL_DIR) $(tmp)/usr/share/doc/squid-cgi + $(INSTALL_DIR) $(tmp)/usr/share/man/man8 + # + $(INSTALL_FILE) tools/cachemgr.conf $(tmp)/etc/squid/cachemgr.conf + $(INSTALL_PROGRAM) tools/cachemgr.cgi $(tmp)/usr/lib/cgi-bin/ + $(INSTALL_FILE) debian/squid-cgi.8 $(tmp)/usr/share/man/man8 + $(INSTALL_FILE) ChangeLog $(tmp)/usr/share/doc/squid-cgi/changelog + $(INSTALL_FILE) debian/changelog \ + $(tmp)/usr/share/doc/squid-cgi/changelog.Debian + $(INSTALL_FILE) debian/doc/cachemgr.README \ + $(tmp)/usr/share/doc/squid-cgi/README.cachemgr + $(INSTALL_FILE) debian/doc/CacheManagerFaq \ + $(tmp)/usr/share/doc/squid-cgi/CacheManagerFaq + gzip -9f $(tmp)/usr/share/doc/squid-cgi/* + $(INSTALL_FILE) debian/copyright $(tmp)/usr/share/doc/squid-cgi + gzip -9f $(tmp)/usr/share/man/man8/* + $(INSTALL_DIR) $(tmp)/usr/share/doc/squid-cgi/examples + $(INSTALL_FILE) debian/doc/cachemgr.html \ + $(tmp)/usr/share/doc/squid-cgi/examples + # + $(INSTALL_SCRIPT) debian/postrm.squid-cgi $(tmp)/DEBIAN/postrm + $(INSTALL_SCRIPT) debian/prerm.squid-cgi $(tmp)/DEBIAN/prerm + $(INSTALL_FILE) debian/conffiles.squid-cgi $(tmp)/DEBIAN/conffiles + $(INSTALL_FILE) debian/templates.merged $(tmp)/DEBIAN/templates + dpkg-shlibdeps tools/cachemgr.cgi + dpkg-gencontrol -isp -psquid-cgi + dpkg --build $(tmp) .. + rm -rf $(tmp) + +# Clean up. +clean: clean1 unpatch +clean1: checkroot + [ ! -f Makefile ] || $(MAKE) distclean + rm -f helpers/basic_auth/NCSA/{Makefile,ncsa_auth.o,ncsa_auth} + rm -f helpers/basic_auth/SMB/{smb_auth.o,smb_auth} + rm -f helpers/basic_auth/PAM/{pam_auth.o,pam_auth} + rm -f helpers/basic_auth/YP/{Makefile,yp_auth,yp_auth.o,nis_support.o} + rm -f helpers/basic_auth/MSNT/{Makefile,msnt_auth,*.o} + rm -f helpers/basic_auth/LDAP/{Makefile,squid_ldap_auth,*.o} + rm -f helpers/basic_auth/getpwnam/{Makefile,getpwnam_auth.o,getpwnam_auth} + rm -f helpers/digest_auth/password/{Makefile,digest_pw_auth,digest_pw_auth.o} + rm -f helpers/external_acl/ip_user/{Makefile,ip_user,dict.o,main.o,match.o} + rm -f helpers/external_acl/ldap_group/{Makefile,squid_ldap_group,squid_ldap_group.o} + rm -f helpers/external_acl/unix_group/{Makefile,squid_unix_group,check_group.o} + rm -f helpers/ntlm_auth/SMB/{Makefile,ntlm_auth,*.o,smbval/*.o} + -rm -f build debian/{substvars,files,templates.merged} + rm -rf $(tmp) *~ + -find . -name '*.bak' -o -name '*~' | xargs -r rm -f -- + #cd icons && /bin/sh ./icons.shar + debconf-updatepo + +binary: binary-indep binary-arch + +checkroot: + $(checkdir) + test root = "`whoami`" + +dist: binary + dpkg-source -b + +.PHONY: binary binary-arch binary-indep clean checkroot clean1 patch unpatch --- squid-2.7.STABLE3.orig/debian/control +++ squid-2.7.STABLE3/debian/control @@ -0,0 +1,42 @@ +Source: squid +Section: web +Priority: optional +Maintainer: Luigi Gangitano +Homepage: http://www.squid-cache.org/ +Standards-Version: 3.8.0 +Build-Depends: libldap2-dev, libpam0g-dev, sharutils, dpatch (>= 2.0.9), po-debconf, libdb-dev, libgssapi-dev, libkrb5-dev + +Package: squid +Architecture: any +Section: web +Priority: optional +Pre-Depends: debconf (>= 1.2.9) | debconf-2.0 +Depends: ${shlibs:Depends}, netbase, adduser, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base +Conflicts: squid-novm, sarg (<< 1.1.1-2) +Replaces: squid-novm +Suggests: squidclient, squid-cgi, logcheck-database, resolvconf (>= 0.40), smbclient, winbind +Description: Internet object cache (WWW proxy cache) + This package provides the Squid Internet Object Cache developed by + the National Laboratory for Applied Networking Research (NLANR) and + Internet volunteers. + +Package: squid-common +Architecture: all +Section: web +Priority: optional +Replaces: squid (<< 2.6.1-1) +Description: Internet object cache (WWW proxy cache) - common files + This package provides the Squid Internet Object Cache developed by + the National Laboratory for Applied Networking Research (NLANR) and + Internet volunteers. + . + This package contains common files (errors and icons) + +Package: squid-cgi +Architecture: any +Section: web +Priority: optional +Depends: apache2 | httpd, ${shlibs:Depends}, debconf | debconf-2.0 +Description: Squid cache manager CGI program + This CGI program can be used to query and administrate a Squid proxy + cache through your web browser. --- squid-2.7.STABLE3.orig/debian/squid.RunCache +++ squid-2.7.STABLE3/debian/squid.RunCache @@ -0,0 +1,51 @@ +#!/bin/sh +# +# RunCache Run squid. Script used to restart it if it died. +# This is overly cautious - with new versions of +# squid, it just doesn't die. So we don't restart ;) +# +# Version: @(#)RunCache 2.10 23-Mar-2001 miquels@cistron.nl +# + +# +# Squid gets run with the arguments passed to "RunCache". +# Set some defaults args if none were passed. If a filename +# was passed, treat it as configfile location (backwards compat). +# +case "$1" in + "") + set -- -D -sNY + ;; + /*) + set -- -D -sNY -f "$1" + ;; +esac + +PIDFILE=/var/run/runcache.pid +PATH=/usr/lib/squid:/bin:/sbin:/usr/sbin:/usr/bin +export PATH +umask 022 + +# +# Just to be sure, check if squid is not already running. +# +if [ -f /var/run/squid.pid ] +then + spid=`cat /var/run/squid.pid` + kill -CONT $spid 2>/dev/null + if [ $? = 0 ] + then + #echo "RunCache: squid is already running." >&2 + exit 0 + fi +fi + +rm -f $PIDFILE +echo $$ > $PIDFILE + +# 23-Mar-2001 - removed the while loop. This whole script should be +# removed, but older /etc/init.d/squid scripts might still refer +# to it, alas. -- miquels. + +/usr/sbin/squid "$@" + --- squid-2.7.STABLE3.orig/debian/po/gl.po +++ squid-2.7.STABLE3/debian/po/gl.po @@ -0,0 +1,80 @@ +# Galician translation of squid's debconf templates +# This file is distributed under the same license as the squid package. +# Jacobo Tarrio , 2007. +# +msgid "" +msgstr "" +"Project-Id-Version: squid\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-30 18:53+0100\n" +"Last-Translator: Jacobo Tarrio \n" +"Language-Team: Galician \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "¿Actualizar o ficheiro squid.conf automaticamente?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Atopouse unha configuración incompatible no ficheiro squid.conf existente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Iso ha impedir que Squid se inicie ou funcione correctamente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Pódese corrixir esa configuración agora. Indique se quere aplicar os cambios " +"necesarios." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "¿Arranxar os permisos de \"cache_dir\"?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Os valores de \"cache_effective_user\" e/ou \"cache_effective_group\" no " +"ficheiro de configuración de Squid son incompatibles co propietario/grupo " +"dos directorios da caché." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Indique se quere que isto se arranxe automaticamente." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Nembargantes, teña en conta que se indicou un directorio de caché diferente " +"de /var/spool/squid (tal coma /tmp), isto pode afectar aos demais programas " +"que usen ese directorio." --- squid-2.7.STABLE3.orig/debian/po/ja.po +++ squid-2.7.STABLE3/debian/po/ja.po @@ -0,0 +1,87 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: squid\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-03 16:46+0900\n" +"Last-Translator: Kenshi Muto \n" +"Language-Team: Japanese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "squid.conf を自動的に更新しますか?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "既存の squid.conf ファイルに、非互換の設定が見つかりました。" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "これらは Squid が正しく起動または開始するのを妨げることになります。" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"これらの設定は今正すことができます。必要な変更を適用してよいかどうか選んでく" +"ださい。" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "'cache_dir' のパーミッションを修正しますか?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Squid の設定ファイルの 'cache_effective_user' および 'cache_effective_group' " +"の値が、キャッシュディレクトリのオーナ/グループと異なっています。" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "これを自動的に修正するかどうかを選んでください。" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"ただし、キャッシュディレクトリに /var/spool/squid とは異なるディレクトリ (/" +"tmp など) を選択しているときには、このディレクトリを使うその他のプログラムに" +"悪影響を及ぼす可能性があることに注意してください。" --- squid-2.7.STABLE3.orig/debian/po/es.po +++ squid-2.7.STABLE3/debian/po/es.po @@ -0,0 +1,274 @@ +# squid po debconf translation to spanish +# Copyright (C) 2004-2006 Software in the Public Interest +# This file is distributed under the same license as the squid package. +# +# Changes: +# - Initial translation +# Javi Castelo , 2004 +# - Update +# Javier Fernandez-Sanguino , 2006-2007 +# +# Traductores, si no conoce el formato PO, merece la pena leer la +# documentacin de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Equipo de traduccin al espaol, por favor lean antes de traducir +# los siguientes documentos: +# +# - El proyecto de traduccin de Debian al espaol +# http://www.debian.org/intl/spanish/coordinacion +# especialmente las notas de traduccin en +# http://www.debian.org/intl/spanish/notas +# +# - La gua de traduccin de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +msgid "" +msgstr "" +"Project-Id-Version: squid 2.6.5-2\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-05 01:09+0200\n" +"Last-Translator: Javier Fernandez-Sanguino \n" +"Language-Team: Debian Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-15\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Actualizar squid.conf automticamente?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Se han encontrado definiciones incompatibles en el archivo squid.conf " +"actual." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Esto impedir que Squid se arranque o funcione correctamente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Ahora puede arreglarse la configuracin. Indique si quiere aplicar los " +"cambios que se necesitan introducir." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Arreglar los permisos de cache_dir?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Los valores de cache_effective_user y/o cache_effective_group en el " +"fichero de configuracin de Squid son incompatibles con el propietario/grupo " +"de los directorios de cach." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Indique si se debera arreglar este problema de forma automtica." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Tenga en cuenta que este cambio podra afectar a otros programas si ha " +"especificado un directorio cach que no sea /var/spool/squid (por ejemplo, " +"/tmp) y hay programas que lo utilizan." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "Se ha reemplazado la directiva http_anonymizer por header_replace y " +#~ "header_access." + +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "La directiva http_anonymizer que exista en squid 2.1 y 2.2 desaparece " +#~ "en squid versin 2.3 y posteriores. Ha sido reemplazada por " +#~ "header_replace y header_access que proporcionan un control ms " +#~ "detallado sobre las cabeceras HTTP. Actualmente, squid no preserva ms el " +#~ "anonimato de las cabeceras HTTP de modo que probablemente desee subsanar " +#~ "sto. El nuevo formato se explica en el archivo de configuracin de la " +#~ "nueva versin 2.5, del cul probablemente tenga una copia en /usr/share/" +#~ "doc/squid/examples/squid.conf." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "Se han reemplazado las directivas anonymize_headers y fake_user_agent " +#~ "por header_access y header_replace." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Las directivas anonymize_headers y fake_user_agent que existan en " +#~ "squid 2.3 y 2.4 desaparecen en squid versin 2.5 y posteriores. Han sido " +#~ "reemplazadas por header_replace y header_access que proporcionan un " +#~ "control ms especfico sobre las cabeceras HTTP. Ahora mismo su squid no " +#~ "va a seguir haciendo las cabeceras HTTP annimas, de modo que " +#~ "probablemente desee subsanar sto. El nuevo formato se explica en el " +#~ "archivo de configuracin de la nueva versin 2.5, del cul probablemente " +#~ "tendr una copia en /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "No hay una forma de actualizacin automtica a squid 2.5" + +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " ADVERTENCIA SOBRE LA INSTALACION DE SQUID 2.5" + +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "Usted est actualizando squid desde una versin 1.x a la versin 2.5. Las " +#~ "versiones 1.x y 2.5 NO son compatibles. La estructura del directorio de " +#~ "almacenamiento es diferente y el archivo squid.conf no es totalmente " +#~ "compatible." + +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Si conserva un directorio de almacenamiento antiguo, por favor salga " +#~ "AHORA y borre dicho directorio a mano (en /var/spool/squid). Luego " +#~ "reinstale esta versin de squid." + +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Asimismo, por favor acepte el nuevo archivo de configuracin. Despus de " +#~ "la actualizacin podr encontrar en /etc/squid.conf.dpkg-old su archivo " +#~ "de configuracin anterior. Entonces tiene que editar el archivo de " +#~ "configuracin nuevo a mano para que coincida con su configuracin " +#~ "anterior." + +#~ msgid "Do you want to quit now?" +#~ msgstr "Desea salir ahora?" + +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "" +#~ "squid-gui utiliza ahora un fichero de configuracin para las listas de " +#~ "control de acceso a destinos" + +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "squid-cgi utilizar ahora un fichero de configuracin antes de conectarse " +#~ "a un sistema destino. Slo se permitir contactar con los destinos " +#~ "permitidos. Aada los sistemas a los que quiere permitir el acceso en el " +#~ "fichero /etc/squid/cachemgr.conf, uno por lnea en el formato" + +#~ msgid " hostname:port" +#~ msgstr " nombre_de_sistema:puerto" + +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "Se ha encontrado una configuracin incompatible en el archivo existente " +#~ "squid.conf; dicha configuracin impedir que squid inicie o funcione " +#~ "correctamente. Sin embargo, este instalador puede intentar modificarla " +#~ "para que funcione de nuevo. Desea aplicar los cambios?" + +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "" +#~ "Se ha reemplazado la directiva authenticate_program por auth_param." + +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "La directiva authenticate_program que exista en las versiones 2.4 y " +#~ "anteriores de squid deja de estar presente en squid 2.5 y posteriores. " +#~ "Todas las directivas de autenticacin se han reemplazado por la directiva " +#~ "auth_param. Actualmente, squid no autentifica ya usuarios as que " +#~ "probablemente quiera cambiarlo. El nuevo formato se explica en el nuevo " +#~ "archivo de configuracin 2.5, del cul probablemente tenga una copia en /" +#~ "usr/share/doc/squid/examples/squid.conf." + +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Advertencia: squid puede fallar si el tamao de los archivos de registro " +#~ "supera los 2 GB." + +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "Squid puede fallar si alguno de los archivos de registro alcanza un " +#~ "tamao superior a 2 GB. Por favor configure /etc/logrotate.d/squid " +#~ "conforme al trfico de su sitio de internet" + +#~ msgid "Warning: squid-cgi can be (ab)used from a remote host." +#~ msgstr "" +#~ "Advertencia: squid-cgi puede ser manipulado desde un servidor remoto." + +#~ msgid "" +#~ "This package contains a cgi-program that is installed and turned on by " +#~ "default. It can be abused from a remote host to connect to any other host/" +#~ "port with the connection originating from your webserver. Read /usr/share/" +#~ "doc/squid-cgi/README.cachemgr.gz for details!" +#~ msgstr "" +#~ "Este paquete contiene un programa cgi que se instala y activa por " +#~ "defecto. Puede ser manipulado desde un servidor remoto para conectarse a " +#~ "cualquier otro servidor/puerto con la conexin proveniente de su servidor " +#~ "web. Para mayor informacin lea /usr/share/doc/squid-cgi/README." +#~ "cachemgr.gz!" --- squid-2.7.STABLE3.orig/debian/po/vi.po +++ squid-2.7.STABLE3/debian/po/vi.po @@ -0,0 +1,86 @@ +# Vietnamese translation for squid. +# Copyright © 2007 Free Software Foundation, Inc. +# Clytie Siddall , 2005-2007. +# +msgid "" +msgstr "" +"Project-Id-Version: squid_2.6.14-3\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-01 15:30+0930\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Generator: LocFactoryEditor 1.7b1\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Tự động nâng cấp « squid.conf » không?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Tìm thấy thiết lập không tương thích trong tập tin cấu hình « squid.conf » " +"tồn tại." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "" +"Thiết lập này sẽ ngăn cản phần mềm Squid khởi chạy hay hoạt động một cách " +"đúng." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Có thể sửa chữa thiết lập này ngay bây giờ. Hãy chọn nếu bạn muốn áp dụng " +"những thay đổi cần thiết." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Sửa chữa quyền hạn của « cache_dir » không?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Giá trị cho « cache_effective_user » (người dùng có quyền truy cập bộ nhớ " +"tạm) và/hay « cache_effective_group » (nhóm như thế) trong tập tin cấu hình " +"của Squid không phải tương thích với người sở hữu/nhóm của các thư mục nhớ " +"tạm." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Hãy chọn có nên tự động sửa chữa trường hợp này hay không." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Tuy nhiên, ghi chú rằng nếu bạn đã ghi rõ một thư mục nhớ tạm khác với « /" +"var/spool/squid » (như « /tmp »), thiết lập này có thể tác động những chương " +"trình khác cũng dùng thư mục đó." --- squid-2.7.STABLE3.orig/debian/po/fi.po +++ squid-2.7.STABLE3/debian/po/fi.po @@ -0,0 +1,62 @@ +msgid "" +msgstr "" +"Project-Id-Version: squid 2.6.16-1\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-11-30 16:04+0200\n" +"Last-Translator: Esko Arajärvi \n" +"Language-Team: Finnish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Finnish\n" +"X-Poedit-Country: Finland\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Päivitetäänkö squid.conf automaattisesti?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "Tiedostosta squid.conf on löydetty yhteensopimattomia asetuksia." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Ne estävät Squidia käynnistymästä tai toimimasta oikein." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "These settings can be corrected now. Please choose whether you want to apply the needed changes." +msgstr "Asetukset voidaan korjata nyt. Valitse haluatko, että tarvittavat muutokset tehdään." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Korjataanko ”cache_dir”:n oikeudet?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "The values for 'cache_effective_user' and/or 'cache_effective_group' in Squid's configuration file are incompatible with the owner/group of the cache directories." +msgstr "Squidin asetustiedostossa olevat arvot muuttujille ”cache_effective_user” tai ”cache_effective_group” ovat yhteensopimattomia varastohakemistojen omistajan tai ryhmän kanssa." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Valitse tulisiko tämä korjata automaattisesti." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "However, please note that if you specified a cache directory different from /var/spool/squid (such as /tmp), this could affect any other programs using that directory." +msgstr "Huomaa kuitenkin, että jos varastohakemisto on asetettu muuksi kuin /var/spool/squid (esimerkiksi /tmp), tämä saattaa vaikuttaa muihin kyseistä hakemistoa käyttäviin ohjelmiin." + --- squid-2.7.STABLE3.orig/debian/po/POTFILES.in +++ squid-2.7.STABLE3/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] templates --- squid-2.7.STABLE3.orig/debian/po/sk.po +++ squid-2.7.STABLE3/debian/po/sk.po @@ -0,0 +1,75 @@ +msgid "" +msgstr "" +"Project-Id-Version: squid 2.6.14-1\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-03 23:56+0100\n" +"Last-Translator: Ivan Masár \n" +"Language-Team: Slovak \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Aktualizovať squid.conf automaticky?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "V existujúcom súbore squid.conf sa našli nekompatibilné nastavenia." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Tieto budú brániť v správnom spustení alebo fungovaní Squid." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Tieto nastavenia sa teraz napravia. Prosím, zvoľte, či chcete použiť " +"potrebné zmeny." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Napraviť povolenia 'cache_dir'?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Hodnoty „cache_effective_user“ a/alebo „cache_effective_group“ v " +"konfiguračnom súbore programu Squid sú nekompatibilné s vlastníkom/skupinou " +"adresárov vyrovnávacej pamäte (cache)." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Prosím, zvoľte, či sa tento problém má napraviť automaticky." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Ale majte prosím na pamäti, že ak ste zadali odlišný adresár vyrovnávacej " +"pamäte ako /var/spool/squid (ako napr. /tmp), toto môže mať vplyv na všetky " +"ostatné programy, ktoré tento adresár používajú." --- squid-2.7.STABLE3.orig/debian/po/ca.po +++ squid-2.7.STABLE3/debian/po/ca.po @@ -0,0 +1,90 @@ +# translation of ca.po to catalan +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# +# Miguel Gea Milvaques , 2006. +# Miguel Gea Milvaques , 2007. +msgid "" +msgstr "" +"Project-Id-Version: ca\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-01 10:49+0200\n" +"Last-Translator: Miguel Gea Milvaques \n" +"Language-Team: catalan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Voleu actualitzar l'squid.conf automàticament?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "S'han trobat paràmetres incompatibles al fitxer squid.conf actual." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Aquests faran que l'Squid no s'engegue o que no funcione correctament." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Aquests paràmetres es poden corregir ara. Trieu si voleu aplicar els canvis " +"necessaris." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Voleu establir els permisos de «cache_dir»?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Els valors per «cache_effective_user» i/o «cache_effective_group» al vostre " +"fitxer de configuració són incompatibles amb l'usuari/grup del directori de " +"memòria cau. " + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Trieu si s'hauria de corregir automàticament." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Per altra banda, adoneu-vos que si especifiqueu un directori per la memòria " +"cau diferent de /var/spool/squid (per exemple el /tmp), podria afectar a " +"altres programes que utilitzen eixe directori." --- squid-2.7.STABLE3.orig/debian/po/eu.po +++ squid-2.7.STABLE3/debian/po/eu.po @@ -0,0 +1,82 @@ +# translation of eu.po to Euskara +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Piarres Beobide , 2008. +msgid "" +msgstr "" +"Project-Id-Version: eu\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2008-04-18 23:04+0200\n" +"Last-Translator: Piarres Beobide \n" +"Language-Team: Euskara \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Squid.conf aldiro bertsio-berritu?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "Ezarpen bateraezinak aurkitu dira dagoen squid.conf fitxategian." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Honek Squid-ek abiaraztea edo behar bezala funtzionatzea ezindu dezake." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Ezarpen horiek orain zuzendu daitezke. Mesedez hautatu nola ezarri nahi dituzu " +"beharrezko aldaketak." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "'cache_dir'-ren baimenak konpondu?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Squid konfigurazioko 'cache_effective_user' eta/edo " +"'cache_effective_group' balioak bateraezinak dira katxe direktorioen " +"jabe/taldearekin." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Mesedez hautatu hau automatikoki konpondu behar al den." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Hala ere, kontutan izan /var/spool/squid ez den beste katxe direktorio bat ezarri " +"baduzu (/tmp adibidez), honek direktorio hori erabiltzen duen beste edozein " +"programari eragin diezaiokeela." + --- squid-2.7.STABLE3.orig/debian/po/templates.pot +++ squid-2.7.STABLE3/debian/po/templates.pot @@ -0,0 +1,73 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" --- squid-2.7.STABLE3.orig/debian/po/sv.po +++ squid-2.7.STABLE3/debian/po/sv.po @@ -0,0 +1,194 @@ +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# Developers do not need to manually edit POT or PO files. +# +# +msgid "" +msgstr "" +"Project-Id-Version: squid 2.5.10-6\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-01 16:57+0100\n" +"Last-Translator: Daniel Nylander \n" +"Language-Team: Swedish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Uppgradera squid.conf automatiskt?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "Inställningar som inte är kompatibla har hittats i den befintliga filen squid.conf." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "De kommer att förhindra att Squid startas eller fungerar korrekt." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "These settings can be corrected now. Please choose whether you want to apply the needed changes." +msgstr "Dessa inställninar kan nu rättas till. Välj huruvida du vill verkställa de nödvändiga ändringarna." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Rätta till rättigheterna på \"cache_dir\"?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "The values for 'cache_effective_user' and/or 'cache_effective_group' in Squid's configuration file are incompatible with the owner/group of the cache directories." +msgstr "Angivna värden för \"cache_effective_user\" och/eller \"cache_effective_group\" i Squids konfigurationsfil är inte kompatibla med ägaren/gruppen av cachekatalogerna." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Välj huruvida det här ska rättas till automatiskt." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "However, please note that if you specified a cache directory different from /var/spool/squid (such as /tmp), this could affect any other programs using that directory." +msgstr "Dock bör du observera att om du har angivit en cachekatalog som inte är /var/spool/squid (som exempelvis /tmp) kan det påverka alla andra program som använder den katalogen." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "http_anonymizer har blivit utbytt mot header_replace och header_access." +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "http_anonymizer som fanns i squid 2.1 och 2.2 finns inte längre i squid " +#~ "2.3 och uppåt. Den har blivit utbytt mot header_replace och header_access " +#~ "som ger en bättre kontroll av HTTP headers. Just nu använder din squid " +#~ "cache inte anonyma HTTP headers så du kanske vill åtgärda detta. Det nya " +#~ "formatet förklaras i den nya 2.5 konfigurationsfilen som du antagligen " +#~ "har en kopia av i /usr/share/doc/squid/examples/squid.conf." +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "anonymize_headers och fake_user_agent har blivit utbytta med " +#~ "header_access och header_replace." +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "anonymize_headers och fake_user_agent som tidigare fanns i squid 2.3 och " +#~ "2.4 finns inte längre i squid 2.5 och uppåt. De har nu blivit utbytta mot " +#~ "header_replace och header_access som ger en bättre kontroll över HTTP " +#~ "headers. Just nu använder din squid inte anonyma HTTP headers så du " +#~ "kanske vill rätta till detta. Det nya formatet är förklarat i den nya 2.5 " +#~ "konfigurationsfilen som du säkerligen har en kopia av i /usr/share/doc/" +#~ "squid/examples/squid.conf." +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "Det finns ingen automatisk uppgradering till squid 2.5." +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " SQUID 2.5 INSTALLATIONSVARNING" +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "Du uppgraderar squid från en 1.x version till version 2.5. 1.x och 2.5 är " +#~ "INTE kompatibla. Strukturen av cachen är annorlunda och " +#~ "konfigurationsfilen \"squid.conf\" är inte direkt kompatibel." +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Om du har en gammal cache mapp, vänligen avsluta NU och radera den gamla " +#~ "cachen manuellt (i /var/spool/squid). Installera sedan om denna version " +#~ "av squid." +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Kom i håg att efter uppgradering måste du ändra den nya " +#~ "konfigurationsfilen manuellt. Den gamla konfigurationen hittar du här \"/" +#~ "etc/squid.conf.dpkg-old\"." +#~ msgid "Do you want to quit now?" +#~ msgstr "Vill du verkligen avsluta nu?" +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "squid-cgi använder nu konfigurationsfilen för target ACL" +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "squid-cgi kontrollerar nu konfigurationsfilen före uppkoppling mot målet. " +#~ "Endast tillåtna mål kommer att kontaktas. Lägg till mål du vill kontakta " +#~ "i filen /etc/squid/cachemgr.conf, en per linje" +#~ msgid " hostname:port" +#~ msgstr " värdnamn:port" +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "Inkompatibla inställningar har hittats i den existerande squid.conf " +#~ "filen. De förhindrar att squid starta eller fungerar korrekt. Det är " +#~ "möjligt att försöka att modifiera dem att fungera igen. Vill du göra " +#~ "ändringarna?" +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "authenticate_program har blivit utbytt mot auth_param." +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "authenticate_program som fanns i squid <= 2.4 finns inte längre i squid " +#~ "2.5 och uppåt. Alla authentication funktioner har blivit utbytta med " +#~ "auth_param. Just nu authentiserar inte din squid dina användare så du " +#~ "vill antagligen fixa detta. Det nya formatet är förklarat i den nya 2.5 " +#~ "konfigurationsfilen som du antagligen har en kopia av i /usr/share/doc/" +#~ "squid/examples/squid.conf." +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Varning: squid kan krascha när storleken på logfilen blir större än 2GB." +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "Squid kan krascha om någon av logfilerna växer sig större än 2GB. " +#~ "Konfigurera /etc/logrotate.d/squid enligt dina önskemål." + + --- squid-2.7.STABLE3.orig/debian/po/de.po +++ squid-2.7.STABLE3/debian/po/de.po @@ -0,0 +1,234 @@ +# German translation of squid templates +# Sabine Hahn , 2004. +# Jens Nachtigall , 2004. +# Helge Kreutzmann , 2007. +# This file is distributed under the same license as the squid package. +# +msgid "" +msgstr "" +"Project-Id-Version: squid 2.6.12-4\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-01 15:11+0200\n" +"Last-Translator: Helge Kreutzmann \n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Automatisches Upgrade von squid.conf durchführen?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"In der existierenden Datei squid.conf wurden inkompatible Einstellungen " +"gefunden." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "" +"Diese werden ein korrektes Starten und Funktionieren von Squid verhindern." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Diese Einstellungen können jetzt korrigiert werden. Bitte wählen Sie aus, ob " +"die benötigen Änderungen jetzt durchgeführt werden sollen." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Berechtigungen für »cache_dir« korrigieren?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Die Werte für »cache_effective_user« und/oder »cache_effective_group« in der " +"Konfigurationsdatei von Squid sind inkompatibel mit dem Eigentümer bzw. der " +"Gruppe des Cache-Verzeichnisses." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Bitte wählen Sie aus, ob dies automatisch korrigiert werden soll." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Falls Sie ein von /var/spool/squid abweichendes Cache-Verzeichnis angegeben " +"haben (z.B. /tmp), beachten Sie, dass dies andere Programme, die dieses " +"Verzeichnis verwenden, beinflussen könnte." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "Die Direktive http_anonymizer wurde durch header_replace und " +#~ "header_access ersetzt." + +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Die http_anonymizer-Direktive aus den Squid-Versionen 2.1 und 2.2 " +#~ "existiert in den Squid-Versionen 2.3 und höher nicht mehr. Sie wurde " +#~ "durch header_replace und header_access ersetzt, die eine feinere " +#~ "Kontrolle über HTTP-Header erlauben. Im Moment anonymisiert Ihr Squid die " +#~ "HTTP-Header nicht mehr, so dass Sie diese Sache wahrscheinlich beheben " +#~ "wollen. Das neue Format wird in der neuen 2.5er-Konfigurationsdatei in /" +#~ "usr/share/doc/squid/examples/squid.conf erklärt." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "Die Direktiven anonymize_headers und fake_user_agent wurden durch " +#~ "header_access und header_replace ersetzt." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Die Direktiven anonymize_headers und fake_user_agent aus den Squid-" +#~ "Versionen 2.3 und 2.4 existieren in den Squid-Versionen 2.5 und höher " +#~ "nicht mehr. Sie wurden durch header_replace und header_access ersetzt, " +#~ "die eine feinere Kontrolle über HTTP-Header erlauben. Im Moment " +#~ "anonymisiert Ihr Squid die HTTP-Header nicht mehr, so dass Sie diese " +#~ "Sache wahrscheinlich beheben wollen. Das neue Format wird in der neuen " +#~ "2.5er-Konfigurationsdatei erklärt, von der Sie unter /usr/share/doc/squid/" +#~ "examples/squid.conf wahrscheinlich eine Kopie haben." + +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "Eine automatische Aktualisierung auf Squid 2.5 ist unmöglich." + +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " SQUID 2.5 INSTALLATIONS-WARNUNG" + +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "Sie wollen ein Upgrade von einer 1.x Version auf Squid 2.5 durchführen. " +#~ "Diese Versionen sind zueinander inkompatibel. Die Struktur des Cache-" +#~ "Verzeichnisses ist verschieden; ebenfalls ist die Konfigurationsdatei " +#~ "»squid.conf« nicht vollständig kompatibel." + +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Wenn Sie ein altes Cache-Verzeichnis haben, dann beenden Sie die " +#~ "Installation jetzt bitte und entfernen dieses Verzeichnis von Hand (in /" +#~ "var/spool/squid). Anschließend installieren Sie diese Squid-Version neu." + +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Achten Sie auch auf die neue Konfigurationsdatei. Nach der Installation " +#~ "finden Sie die alte Version der Konfiguration unter »/etc/squid.conf.dpkg-" +#~ "old«. Passen Sie die neue Konfigurationsdatei dann entsprechend Ihrer " +#~ "Bedürfnisse von Hand an." + +#~ msgid "Do you want to quit now?" +#~ msgstr "Installation beenden?" + +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "" +#~ "squid-cgi benutzt nun eine Konfigurationsdatei als Zugangskontrollliste " +#~ "(»Access Control List«) für Zielhosts" + +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "squid-cgi liest nun eine Konfigurationsdatei, bevor eine Verbindung zum " +#~ "Ziel-Host aufgebaut wird. Nur zu erlaubten Hosts wird eine Verbindung " +#~ "hergestellt. Bitte führen Sie die Hosts, zu denen Sie eine Verbindung " +#~ "aufbauen wollen, in der Datei /etc/squid/cachemgr.conf auf. Jeweils einen " +#~ "pro Zeile in der Form" + +#~ msgid " hostname:port" +#~ msgstr " hostname:port" + +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "In Ihrer existierenden squid.conf wurden inkompatible Einstellungen " +#~ "gefunden. Sie führen dazu, dass squid nicht starten bzw. nicht korrekt " +#~ "funktionieren wird. Diese Einrichtung kann jedoch dafür sorgen die " +#~ "Einstellungen so zu verändern, dass sie wieder funktionieren. Sollen " +#~ "diese Änderungen durchgeführt werden?" + +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "Die Direktive authenticate_program wurde durch auth_param ersetzt." + +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Die authenticate_program-Direktive aus den Squid-Versionen <= 2.4 " +#~ "existiert in den Squid-Versionen 2.5 und höher nicht mehr. Sie wurde " +#~ "durch auth_param ersetzt. Im Moment authentifiziert Ihr Squid Benutzer " +#~ "nicht mehr, so dass Sie diese Sache wahrscheinlich beheben wollen. Das " +#~ "neue Format wird in der neuen 2.5er-Konfigurationsdatei in /usr/share/doc/" +#~ "squid/examples/squid.conf erklärt." + +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Warnung: squid kann abstürzen, wenn Log-Dateien größer als 2 GB sind." + +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "Squid kann abstürzen, falls eine seiner Log-Dateien größer als 2 GB wird. " +#~ "Bitte konfigurieren Sie /etc/logrotate.d/squid entsprechend dem Netzwerk-" +#~ "Verkehr Ihrer Site." --- squid-2.7.STABLE3.orig/debian/po/nl.po~ +++ squid-2.7.STABLE3/debian/po/nl.po~ @@ -0,0 +1,245 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: squid 2.5.7-2\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2004-11-16 18:38+0100\n" +"Last-Translator: Luk Claes \n" +"Language-Team: Debian l10n Dutch \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "squid.conf automatisch opwaarderen?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +#| msgid "Fix permissions of cache_dir?" +msgid "Fix permissions of 'cache_dir'?" +msgstr "Permissies van cache_dir repareren?" + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +#| msgid "" +#| "Values for cache_effective_user and/or cache_effective_group in config " +#| "file are incompatible with owner/group of cache directories. Do you want " +#| "to automatically fix permissions on cache directory?" +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"De waarden voor cache_effective_user en/of cache_effective_group in het " +"configuratiebestand zijn incompatibel met de gebruiker/groep van cache-" +"mappen. Wilt u de permissies van de cache-map automatisch laten repareren?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +#| msgid "" +#| "WARNING: If you specified a cache directory different from /var/spool/" +#| "squid and selected some other directory used by other programs (e.g. /" +#| "tmp), this could affect those programs." +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"WAARSCHUWING: als u een cache-map opgaf verschillend van /var/spool/squid en " +"u selecteerde een andere map die gebruikt wordt door andere programma's (v." +"b. /tmp), dan kan dit deze programma's beïnvloeden." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "De http_anonymizer-richtlijn is vervangen door header_replace en " +#~ "header_access." + +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "De http_anonymizer-richtlijn die aanwezig was in squid 2.1 en 2.2 bestaat " +#~ "niet meer in squid 2.3 en latere versies. Deze richtlijn is vervangen " +#~ "door header_replace en header_access die een preciezere controle toelaten " +#~ "over HTTP-headers. Op dit moment maakt squid uw gebruikers niet anoniem, " +#~ "u wil dit waarschijnlijk repareren. Het nieuwe formaat wordt uitgelegd in " +#~ "het nieuwe squid 2.5 configuratiebestand, waarvan u waarschijnlijk een " +#~ "kopie heeft in /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "De anonymize_headers- en fake_user_agent-richtlijnen zijn vervangen door " +#~ "header_access en header_replace" + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "De anonymize_headers- en fake_user_agent-richtlijnen die aanwezig waren " +#~ "in squid 2.3 en 2.4 bestaan niet meer in squid 2.5 en latere versies. Ze " +#~ "zijn vervangen door header_replace en header_access die een preciezere " +#~ "controle toelaten over HTTP-headers. Op dit moment maakt squid uw " +#~ "gebruikers niet meer anoniem, u wil dit waarschijnlijk repareren. Het " +#~ "nieuwe formaat wordt uitgelegd in het nieuwe squid 2.5 " +#~ "configuratiebestand, waarvan u waarschijnlijk een kopie heeft in /usr/" +#~ "share/doc/squid/examples/squid.conf." + +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "Er is geen automatisch opwaarderingspad voor squid 2.5." + +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " SQUID 2.5 INSTALLATIE WAARSCHUWING" + +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "U bent squid aan het opwaarderen van een 1.x versie naar de 2.5 versie. " +#~ "De 1.x en 2.5 versies zijn NIET compatibel. De structuur van de buffer " +#~ "map is verschillend en het configuratiebestand \"squid.conf\" is niet " +#~ "helemaal compatibel." + +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Als u nog een oude buffermap heeft, gelieve dan NU te stoppen en de oude " +#~ "buffer handmatig te verwijderen (/var/spool/squid). Herinstalleer daarna " +#~ "deze versie van squid." + +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Gelieve het nieuwe configuratiebestand te aanvaarden. Na het opwaarderen " +#~ "kan u uw oude configuratie bestand vinden in \"/etc/squid.conf.dpkg-old" +#~ "\". Dan kan u het nieuwe configuratiebestand handmatig veranderen om uw " +#~ "oude configuratie terug te krijgen." + +#~ msgid "Do you want to quit now?" +#~ msgstr "Wilt u nu stoppen?" + +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "squid-cgi gebruikt nu een configuratiebestand voor doel-ACL" + +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "squid-cgi controleert nu een configuratiebestand alvorens een verbinding " +#~ "op te zetten met de doelcomputer. Enkel toegestane doelen zullen worden " +#~ "gecontacteerd. Voeg computers waarmee u wilt contact leggen toe aan het " +#~ "bestand /etc/squid/cachemgr.conf, één per lijn in de vorm" + +#~ msgid " hostname:port" +#~ msgstr " computernaam:poort" + +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "Er zijn incompatibele instellingen gevonden in het squid.conf-bestand; ze " +#~ "zullen squid verhinderen te starten of correct te werken. Deze setup kan " +#~ "ze proberen te wijzigen om opnieuw te werken. Wilt u de veranderingen " +#~ "toepassen?" + +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "De authenticate_program-instelling is vervangen door auth_param." + +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "De authenticate_program-richtlijn die aanwezig was in squid <= 2.4 " +#~ "bestaat niet meer in squid 2.5 en latere versies. Alle " +#~ "authenticatierichtlijnen zijn vervangen door auth_param. Op dit moment " +#~ "authenticeert uw squid geen gebruikers meer, u wil dit waarschijnlijk " +#~ "repareren. Het nieuwe formaat wordt uitgelegd in het nieuwe squid 2.5 " +#~ "configuratiebestand, waarvan u waarschijnlijk een kopie heeft in /usr/" +#~ "share/doc/squid/examples/squid.conf." + +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Waarschuwing: squid kan vastlopen wanneer de grootte van een logbestand " +#~ "meer is dan 2GB." + +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "Squid kan vastlopen als één van de logbestanden groter wordt dan 2GB. " +#~ "Configureer /etc/logrotate.d/squid aangepast aan het verkeer op uw site." --- squid-2.7.STABLE3.orig/debian/po/it.po +++ squid-2.7.STABLE3/debian/po/it.po @@ -0,0 +1,92 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: squid_2.6.13-2\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-06-29 15:36+0200\n" +"Last-Translator: Luigi Gangitano \n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-15\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Aggiornare squid.conf automaticamente?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Sono state trovate delle impostazioni non compatibili nella versione " +"corrente del file squid.conf." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Esse impediranno a Squid di avviarsi o funzionare correttamente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Queste impostazioni possono essere corrette ora. Per favore scegli se i " +"cambiamenti necessari devono essere applicati ora." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Correggo i permessi della 'cache_dir?'" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Il valore delle opzioni cache_effective_user e/o cache_effective_group nel " +"file di configurazione incompatibile con il proprietario/gruppo delle " +"directory di cache. " + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "" +"Per favore scegli se questi problemi devono essere corretti automaticamente." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Comunque, tieni presente che se hai impostato come directory di cache una " +"directory diversa da /var/spool/squid (per esempio /tmp), questa correzione " +"potrebbe interferire con il funzionamento degli altri programmi che " +"utilizzano quella directory." --- squid-2.7.STABLE3.orig/debian/po/fr.po +++ squid-2.7.STABLE3/debian/po/fr.po @@ -0,0 +1,81 @@ +# Translation of squid debconf templates to French +# Copyright (C) 2002-2007 Michel Grentzinger +# This file is distributed under the same license as the squid package. +# +msgid "" +msgstr "" +"Project-Id-Version: squid_2.5.10-7\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-06-11 23:21+0200\n" +"Last-Translator: Michel Grentzinger \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Faut-il automatiquement mettre à jour squid.conf ?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Des paramètres incompatibles ont été détectés dans le fichier squid.conf " +"actuel." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Ils empêcheront Squid de démarrer ou de fonctionner correctement." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Ces paramètres peuvent être modifiés à cette étape. Veuillez décider si vous " +"souhaitez appliquer les changements nécessaires." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Faut-il corriger les droits de « cache_dir » ?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Les valeurs pour « cache_effective_user » et « cache_effective_group » dans " +"le fichier de configuration de Squid sont incompatibles avec le propriétaire " +"et le groupe des répertoires de cache." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Veuillez confirmer si vous souhaitez régler ceci automatiquement." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Veuillez noter que si vous indiquez un répertoire de cache différent de /var/" +"spool/squid (p. ex. /tmp), cela peut affecter les autres programmes qui " +"utilisent ce répertoire." --- squid-2.7.STABLE3.orig/debian/po/ru.po +++ squid-2.7.STABLE3/debian/po/ru.po @@ -0,0 +1,219 @@ +# Translation of squid.po to Russian +# +# Yuriy Talakan' , 2005. +# +msgid "" +msgstr "" +"Project-Id-Version: squid_2.6.12_ru\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-01 18:57+0400\n" +"Last-Translator: Sergey Alyoshin \n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.9.1\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Обновить squid.conf автоматически?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "Найдены несовместимые настройки в существующем файле squid.conf." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Они будут мешать Squid запускаться или работать корректно." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Сейчас эти настройки могут быть исправлены. Пожалуйста, укажите, хотите ли " +"вы применить необходимые исправления." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Исправить права доступа к 'cache_dir' (кэш-директория)?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Значения 'cache_effective_user' и/или 'cache_effective_group' из файла " +"настроек Squid не соответствуют владельцу/группе кэш-директории." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Пожалуйста, укажите, следует ли это автоматически исправить." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Тем не менее, пожалуйста, заметьте, что если вы указали кэш-директорию " +"отличающуюся от /var/spool/squid (например, такую как /tmp), то это может " +"повлиять на любые другие программы, использующие эту директорию." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "Директива http_anonymizer была заменена на header_replace и header_access." + +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Директива http_anonymizer, которая присутствовала в squid 2.1 и 2.2, не " +#~ "существует более в squid 2.3 и выше. Она была заменена директивами " +#~ "header_replace и header_access, которые обеспечивают более тонкий " +#~ "контроль над заголовками HTTP. Сейчас ваш squid не анонимизирует " +#~ "заголовки HTTP, так что вам скорее всего надо исправить это. Новый формат " +#~ "описан в новом файле настроек версии 2.5, копию которого вы можете найти " +#~ "в /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "Директивы anonymize_headers и fake_user_agent были заменены на " +#~ "header_access и header_replace." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Директивы anonymize_headers и fake_user_agent, которые присутствовали в " +#~ "squid 2.3 и 2.4, не существуют более в squid 2.5 и выше. Они были " +#~ "заменены директивами header_replace и header_access, которые обеспечивают " +#~ "более тонкий контроль над заголовками HTTP. Сейчас ваш squid не " +#~ "анонимизирует заголовки HTTP, так что вам скорее всего надо исправить " +#~ "это. Новый формат описан в новом файле настроек версии 2.5, копию " +#~ "которого вы можете найти в /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "Не существует автоматического способа обновления до squid 2.5." + +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " ПРЕДУПРЕЖДЕНИЕ ПРИ УСТАНОВКЕ SQUID 2.5" + +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "Вы обновляете squid от версии 1.x до версии 2.5. Версии 1.x и 2.5 " +#~ "НЕСОВМЕСТИМЫ. Изменилась структура кэш-директории и не полностью " +#~ "совместим файл настроек \"squid.conf\"." + +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Если у вас есть старая кэш-директория, выйдите СЕЙЧАС и удалите старый " +#~ "кэш вручную (в /var/spool/squid). Затем переустановите эту версию squid." + +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Также примите новый файл настроек. После обновления ваш старый файл можно " +#~ "найти в \"/etc/squid.conf.dpkg-old\". Затем вы должны вручную " +#~ "отредактировать новый файл до совпадения с вашей старой настройкой." + +#~ msgid "Do you want to quit now?" +#~ msgstr "Желаете выйти сейчас?" + +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "squid-cgi теперь использует файл настроек для контроля целей" + +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "squid-cgi теперь проверяет файл настроек перед подключением к целевому " +#~ "хосту. Соединение будет установлено только с разрешенными целями. " +#~ "Добавьте хосты, к которым вы хотите получить доступ, в файл /etc/squid/" +#~ "cachemgr.conf, по одному хосту на строке в формате" + +#~ msgid " hostname:port" +#~ msgstr " хост:порт" + +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "Несовместимые настройки найдены в существующем файле squid.conf; они не " +#~ "позволят squid стартовать или корректно работать. Однако, эта " +#~ "установкаможет попробовать изменить их до работоспособного вида. Хотите " +#~ "принять изменения?" + +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "Директива authenticate_program была заменена на auth_param." + +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Директива authenticate_program, которая присутствовала в squid <=2.4, не " +#~ "существует более в squid 2.5 и выше. Все директивы аутентификации были " +#~ "заменены на auth_param. Сейчас ваш squid не выполняет аутентификацию " +#~ "пользователей, так что вам скорее всего надо исправить это. Новый формат " +#~ "описан в новом файле настроек версии 2.5, копию которого вы можете найти " +#~ "в /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Предупреждение: squid может упасть, когда размер log-файла более 2GB." + +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "Squid может упасть, когда любой log-файл вырастет более 2GB. Настройте /" +#~ "etc/logrotate.d/squid в соответствии с трафиком вашей системы." --- squid-2.7.STABLE3.orig/debian/po/pt_BR.po~ +++ squid-2.7.STABLE3/debian/po/pt_BR.po~ @@ -0,0 +1,85 @@ +# squid's po-debconf Brazilian Portuguese translation. +# Copyright (C) 2007, André Luís Lopes +# This file is distributed under the same license as the squid package. +# André Luís Lopes , 2007. +# Herbert P Fortes Neto , 2007. +msgid "" +msgstr "" +"Project-Id-Version: squid\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-06-09 15:00-0300\n" +"Last-Translator: Herbert P Fortes Neto \n" +"Language-Team: l10n-portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Atualizar arquivo squid.conf automaticamente?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Configurações incompatíveis foram encontradas no arquivo squid.conf " +"existente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Elas irão impedir o Squid de iniciar ou funcionar de forma correta." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Essas configurações podem ser corrigidas agora. Por favor escolha se você " +"quer aplicar as mudanças necessárias." + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +#| msgid "Fix permissions of cache_dir?" +msgid "Fix permissions of 'cache_dir'?" +msgstr "Corrigir permissões de cache_dir?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Os valor para 'cache_effective_user' e/ou 'cache_effective_group' no arquivo " +"de configuração do Squid são incompatíveis com o dono/grupo dos diretórios " +"de cache. " + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Por favor escolha se isso deve ser corrigido automaticamente." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Contudo, por favor note que caso você tenha especificado um diretório de " +"cache diferente de /var/spool/squid (por exemplo, /tmp), isso poderá afetar " +"quaisquer outros programas que usam esse diretório." --- squid-2.7.STABLE3.orig/debian/po/ta.po +++ squid-2.7.STABLE3/debian/po/ta.po @@ -0,0 +1,80 @@ +# translation of squid 2.6.14-3.po to TAMIL +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Dr.T.Vasudevan , 2007. +msgid "" +msgstr "" +"Project-Id-Version: squid 2.6.14-3\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-01 19:26+0530\n" +"Last-Translator: Dr.T.Vasudevan \n" +"Language-Team: TAMIL \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "தானியங்கியாக squid.conf ஐ இற்றைப்படுத்தவா?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "இருப்பில் உள்ள squid.conf கோப்பில் இசைவில்லாத வடிவமைப்புகள் உள்ளன." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "அவை ஸ்க்விட் சரியாக துவங்குவதையும் இயங்குவதையும் தடுக்கலாம்." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"இந்த வடிவமைப்புகள் இப்போது சரி செய்யப்பட இயலும். தேவையான மற்றங்களை செய்யலாமா என " +"தேர்ந்தெடுங்கள்." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "'cache_dir' அடைவின் அனுமதிகளை சரி செய்யலாமா?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"ஸ்க்விட் வடிவமைப்பில் 'cache_effective_user' மற்றும்/அல்லது " +"'cache_effective_group' ஆகியவற்றின் மதிப்புகள் இடை மாற்று அடைவுகளின் உரிமையாளர்/" +"குழு உடன் இசைவில்லாது உள்ளது." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "தயை செய்து இவற்றை தானியங்கியாக சரி செய்யலாமா என தேர்ந்தெடுக்கவும். " + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"எனினும் நீங்கள் /var/spool/squid அடைவை தவிர்த்து /tmp போன்ற அடைவை தேர்ந்தெடுத்தால் அந்த " +"அடைவை பயன் படுத்தும் மற்ற நிரல்களின் இயக்கத்தை பாதிக்கக் கூடும் என அறியவும்." --- squid-2.7.STABLE3.orig/debian/po/pt_BR.po +++ squid-2.7.STABLE3/debian/po/pt_BR.po @@ -0,0 +1,84 @@ +# squid's po-debconf Brazilian Portuguese translation. +# Copyright (C) 2007, André Luís Lopes +# This file is distributed under the same license as the squid package. +# André Luís Lopes , 2007. +# Herbert P Fortes Neto , 2007. +msgid "" +msgstr "" +"Project-Id-Version: squid\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-06-09 15:00-0300\n" +"Last-Translator: Herbert P Fortes Neto \n" +"Language-Team: l10n-portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Atualizar arquivo squid.conf automaticamente?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Configurações incompatíveis foram encontradas no arquivo squid.conf " +"existente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Elas irão impedir o Squid de iniciar ou funcionar de forma correta." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Essas configurações podem ser corrigidas agora. Por favor escolha se você " +"quer aplicar as mudanças necessárias." + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +msgid "Fix permissions of 'cache_dir'?" +msgstr "Corrigir permissões de cache_dir?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Os valor para 'cache_effective_user' e/ou 'cache_effective_group' no arquivo " +"de configuração do Squid são incompatíveis com o dono/grupo dos diretórios " +"de cache. " + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Por favor escolha se isso deve ser corrigido automaticamente." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Contudo, por favor note que caso você tenha especificado um diretório de " +"cache diferente de /var/spool/squid (por exemplo, /tmp), isso poderá afetar " +"quaisquer outros programas que usam esse diretório." --- squid-2.7.STABLE3.orig/debian/po/bg.po +++ squid-2.7.STABLE3/debian/po/bg.po @@ -0,0 +1,80 @@ +# translation of bg.po to Bulgarian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Damyan Ivanov , 2007. +msgid "" +msgstr "" +"Project-Id-Version: squid\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-09-11 17:23+0300\n" +"Last-Translator: Damyan Ivanov \n" +"Language-Team: Bulgarian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Автоматично обновяване на squid.conf?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "В съществуващият squid.conf са открити несъвместими настройки." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Те ще попречат на Squid да се стартира и работи правилно." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Изберете дали желаете проблемните настройки да бъдат коригирани автоматично." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Коригиране на правата за достъп до „cache_dir“?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Стойностите за „cache_effective_user“ и/или „cache_effective_group“ във " +"файла с настройки на Squid са несъвместими със собственика/групата на " +"директориите на кеша." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Изберете дали това да бъде коригирано автоматично." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Ако за кеш-директория е указана директория, различна от /var/spool/squid " +"(например /tmp), промяната ще повлияе и на другите програми, използващи тази " +"директория." --- squid-2.7.STABLE3.orig/debian/po/pt.po +++ squid-2.7.STABLE3/debian/po/pt.po @@ -0,0 +1,228 @@ +# Portuguese translation for squid debconf messages. +# Copyright (C) Tiago Fernandes , 2006 +# This file is distributed under the same license as the Squid package. +# Tiago Fernandes , 2006 +# +msgid "" +msgstr "" +"Project-Id-Version: squid 2.6.5-1\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2008-06-29 21:43+0100\n" +"Last-Translator: Tiago Fernandes \n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Actualizar o squid.conf automaticamente?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Foram encontradas configurações incompatíveis no ficheiro squid.conf já " +"existente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Impedirão que o Squid inicie ou funcione correctamente." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Estas configurações podem ser corrigidas agora. Por favor, escolha quando " +"vai querer aplicar as alterações necessárias." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Reparar as permissões do cache_dir?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Os valores para 'cache_effective_user' e/ou 'cache_effective_group' no " +"ficheiro de configuração do Squid são incompatíveis com o dono/grupo dos " +"directórios de cache." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Por favor escolha quando deverá isto ser corrigido automaticamente." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Contudo, por favor note que se tiver especificado um directório de cache " +"diferente de /var/spool/squid (como /tmp), poderá afectar quaisquer outros " +"programas que utilizem esse directório." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "O parâmetro http_anonymizer foi substituído por header_replace e " +#~ "header_access." + +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "O parâmetro http_anonymizer que estava presente no squid 2.1 e 2.2 já não " +#~ "existe no squid 2.3 e posteriores. Foi substituído por header_replace e " +#~ "header_access, que oferecem um controlo mais detalhado dos cabeçalhos " +#~ "HTTP. Neste momento, o seu squid já não torna os cabeçalhos HTTP " +#~ "anónimos, provavelmente vai querer corrigir isto. O novo formato é " +#~ "explicado no ficheiro de configuração da nova versão 2.5, do qual já deve " +#~ "ter uma cópia em /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "Os parâmetros anonymize_headers e fake_user_agent, foram substituidos por " +#~ "header_access e header_replace." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Os parâmetros anonymize_headers e fake_user_agent que estavam presentes " +#~ "no squid 2.3 e 2.4 já não existem no squid 2.5 e posteriores. Foram " +#~ "substituídos por header_replace e header_access, que oferecem um controlo " +#~ "mais detalhado dos cabeçalhos HTTP. O novo formato é explicado no " +#~ "ficheiro de configuração da nova versão 2.5, do qual já deve ter uma " +#~ "cópia em /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "" +#~ "Não existe forma automática de actualizar o squid para a versão 2.5." + +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " SQUID 2.5 AVISO DE INSTALAÇÃO" + +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "Está a actualizar o squid versão 1.x para uma versão 2.5. As versões 1.x " +#~ "e 2.5, NÃO são compatíveis. A estrutura dos directórios é diferente e o " +#~ "ficheiro de configuração \"squid.conf\" não é inteiramente compatível." + +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Se tem um directório antigo de cache, por favor, saia AGORA e remova " +#~ "manualmente o ficheiros antigos de cache (em /var/spool/squid). Depois, " +#~ "reinstale esta versão do squid." + +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Por favor, aceite também o novo ficheiro de configuração. Depois da " +#~ "actualização, pode encontrar o seu antigo ficheiro de configuração em \"/" +#~ "etc/squid.conf.dpkg-old\". Terá depois que editar manualmente o novo " +#~ "ficheiro de configuração para ficar de acordo com a configuração antiga." + +#~ msgid "Do you want to quit now?" +#~ msgstr "Quer sair agora ?" + +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "" +#~ "O squid-cgi agora utiliza o ficheiro de configuração para encontrar ACL" + +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "O squid-cgi agora verifica o ficheiro de configuração antes de se ligar " +#~ "um servidor. Apenas servidores permitidos serão contactados. Por favor, " +#~ "acrescente ao ficheiro /etc/squid/cachemgr.conf os servidores a que quer " +#~ "aceder, um por linha." + +#~ msgid " hostname:port" +#~ msgstr "nome_da_máquina:porta" + +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "Foram encontradas configurações incompatíveis no ficheiro existente squid." +#~ "conf; Elas impedem o squid de iniciar ou funcionar correctamente. " +#~ "Contudo, este setup pode tentar modificar as configurações para o squid " +#~ "voltar a funcionar. Quer aplicar as alterações ?" + +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "O parâmetro authenticate_program foi substituído por auth_param." + +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "O parâmetro authenticate_program que estava presente no squid <=2.4, já " +#~ "não exite no squid 2.5 e superiores. Todos os parâmetros de autenticação " +#~ "foram substituídos por auth_param. Neste momento, o seu squid já não " +#~ "autentica utilizadores, provavelmente deve querer corrirgir isto. O novo " +#~ "formato é explicado no ficheiro de configuração da nova versão 2.5, do " +#~ "qual já deve ter uma cópia em /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Aviso: o squid pode crashar quando o tamanho dos ficheiros de log for " +#~ "superior a 2GB." + +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "O Squid pode crashar se algum dos ficheiros de log crescer para além dos " +#~ "2GB. Por favor, configure o /etc/logrotate.d/squid de acordo com o " +#~ "tráfego do seu site." --- squid-2.7.STABLE3.orig/debian/po/nl.po +++ squid-2.7.STABLE3/debian/po/nl.po @@ -0,0 +1,236 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: squid 2.5.7-2\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2004-11-16 18:38+0100\n" +"Last-Translator: Luk Claes \n" +"Language-Team: Debian l10n Dutch \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "squid.conf automatisch opwaarderen?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +msgid "Fix permissions of 'cache_dir'?" +msgstr "Permissies van cache_dir repareren?" + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"De waarden voor cache_effective_user en/of cache_effective_group in het " +"configuratiebestand zijn incompatibel met de gebruiker/groep van cache-" +"mappen. Wilt u de permissies van de cache-map automatisch laten repareren?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +#, fuzzy +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"WAARSCHUWING: als u een cache-map opgaf verschillend van /var/spool/squid en " +"u selecteerde een andere map die gebruikt wordt door andere programma's (v." +"b. /tmp), dan kan dit deze programma's beïnvloeden." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "De http_anonymizer-richtlijn is vervangen door header_replace en " +#~ "header_access." + +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "De http_anonymizer-richtlijn die aanwezig was in squid 2.1 en 2.2 bestaat " +#~ "niet meer in squid 2.3 en latere versies. Deze richtlijn is vervangen " +#~ "door header_replace en header_access die een preciezere controle toelaten " +#~ "over HTTP-headers. Op dit moment maakt squid uw gebruikers niet anoniem, " +#~ "u wil dit waarschijnlijk repareren. Het nieuwe formaat wordt uitgelegd in " +#~ "het nieuwe squid 2.5 configuratiebestand, waarvan u waarschijnlijk een " +#~ "kopie heeft in /usr/share/doc/squid/examples/squid.conf." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "De anonymize_headers- en fake_user_agent-richtlijnen zijn vervangen door " +#~ "header_access en header_replace" + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "De anonymize_headers- en fake_user_agent-richtlijnen die aanwezig waren " +#~ "in squid 2.3 en 2.4 bestaan niet meer in squid 2.5 en latere versies. Ze " +#~ "zijn vervangen door header_replace en header_access die een preciezere " +#~ "controle toelaten over HTTP-headers. Op dit moment maakt squid uw " +#~ "gebruikers niet meer anoniem, u wil dit waarschijnlijk repareren. Het " +#~ "nieuwe formaat wordt uitgelegd in het nieuwe squid 2.5 " +#~ "configuratiebestand, waarvan u waarschijnlijk een kopie heeft in /usr/" +#~ "share/doc/squid/examples/squid.conf." + +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "Er is geen automatisch opwaarderingspad voor squid 2.5." + +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " SQUID 2.5 INSTALLATIE WAARSCHUWING" + +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "U bent squid aan het opwaarderen van een 1.x versie naar de 2.5 versie. " +#~ "De 1.x en 2.5 versies zijn NIET compatibel. De structuur van de buffer " +#~ "map is verschillend en het configuratiebestand \"squid.conf\" is niet " +#~ "helemaal compatibel." + +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Als u nog een oude buffermap heeft, gelieve dan NU te stoppen en de oude " +#~ "buffer handmatig te verwijderen (/var/spool/squid). Herinstalleer daarna " +#~ "deze versie van squid." + +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Gelieve het nieuwe configuratiebestand te aanvaarden. Na het opwaarderen " +#~ "kan u uw oude configuratie bestand vinden in \"/etc/squid.conf.dpkg-old" +#~ "\". Dan kan u het nieuwe configuratiebestand handmatig veranderen om uw " +#~ "oude configuratie terug te krijgen." + +#~ msgid "Do you want to quit now?" +#~ msgstr "Wilt u nu stoppen?" + +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "squid-cgi gebruikt nu een configuratiebestand voor doel-ACL" + +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "squid-cgi controleert nu een configuratiebestand alvorens een verbinding " +#~ "op te zetten met de doelcomputer. Enkel toegestane doelen zullen worden " +#~ "gecontacteerd. Voeg computers waarmee u wilt contact leggen toe aan het " +#~ "bestand /etc/squid/cachemgr.conf, één per lijn in de vorm" + +#~ msgid " hostname:port" +#~ msgstr " computernaam:poort" + +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "Er zijn incompatibele instellingen gevonden in het squid.conf-bestand; ze " +#~ "zullen squid verhinderen te starten of correct te werken. Deze setup kan " +#~ "ze proberen te wijzigen om opnieuw te werken. Wilt u de veranderingen " +#~ "toepassen?" + +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "De authenticate_program-instelling is vervangen door auth_param." + +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "De authenticate_program-richtlijn die aanwezig was in squid <= 2.4 " +#~ "bestaat niet meer in squid 2.5 en latere versies. Alle " +#~ "authenticatierichtlijnen zijn vervangen door auth_param. Op dit moment " +#~ "authenticeert uw squid geen gebruikers meer, u wil dit waarschijnlijk " +#~ "repareren. Het nieuwe formaat wordt uitgelegd in het nieuwe squid 2.5 " +#~ "configuratiebestand, waarvan u waarschijnlijk een kopie heeft in /usr/" +#~ "share/doc/squid/examples/squid.conf." + +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Waarschuwing: squid kan vastlopen wanneer de grootte van een logbestand " +#~ "meer is dan 2GB." + +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "Squid kan vastlopen als één van de logbestanden groter wordt dan 2GB. " +#~ "Configureer /etc/logrotate.d/squid aangepast aan het verkeer op uw site." --- squid-2.7.STABLE3.orig/debian/po/cs.po +++ squid-2.7.STABLE3/debian/po/cs.po @@ -0,0 +1,234 @@ +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# Developers do not need to manually edit POT or PO files. +# Miroslav Kure , 2007. +# +# +msgid "" +msgstr "" +"Project-Id-Version: squid\n" +"Report-Msgid-Bugs-To: luigi@debian.org\n" +"POT-Creation-Date: 2007-09-01 01:49+0200\n" +"PO-Revision-Date: 2007-06-07 15:48+0200\n" +"Last-Translator: Viktor Matys \n" +"Language-Team: Czech \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Upgrade squid.conf automatically?" +msgstr "Aktualizovat squid.conf automaticky?" + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "Incompatible settings have been found in the existing squid.conf file." +msgstr "" +"Ve stávajícícím souboru squid.conf byla objevena nekompatibilní nastavení." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "They will prevent Squid from starting or working correctly." +msgstr "Ty zabrání Squidu nastartovat nebo správně pracovat." + +#. Type: boolean +#. Description +#: ../templates:2001 +msgid "" +"These settings can be corrected now. Please choose whether you want to apply " +"the needed changes." +msgstr "" +"Tato nastavení mohou být opravena teď. Rozhodněte, prosím, zda chcete " +"potřebnézměny uskutečnit." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Fix permissions of 'cache_dir'?" +msgstr "Opravit práva 'cache_dir'?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"The values for 'cache_effective_user' and/or 'cache_effective_group' in " +"Squid's configuration file are incompatible with the owner/group of the " +"cache directories." +msgstr "" +"Hodnoty pro 'cache_effective_user' a/nebo 'cache_effective_group' zadané v " +"konfiguračním souboru jsou nekompatibilní s vlastníkem/skupinou adresářůs " +"cache." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether this should be fixed automatically." +msgstr "Prosím rozhodněte, zda to má být napraveno automaticky." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"However, please note that if you specified a cache directory different from /" +"var/spool/squid (such as /tmp), this could affect any other programs using " +"that directory." +msgstr "" +"Nicméně, prosím, uvědomte si, že pokud jste zadali adresář pro cache odlišný " +"od /var/spool/squid (např. /tmp), pak to může ovlivnit jiné programy, které " +"tento adresář používají." + +#~ msgid "" +#~ "The http_anonymizer directive has been replaced with header_replace and " +#~ "header_access." +#~ msgstr "" +#~ "Direktiva http_anonymizer byla nahrazena direktivami header_replace a " +#~ "header_access." + +#~ msgid "" +#~ "The http_anonymizer directive that was present in squid 2.1 and 2.2 " +#~ "doesn't exist anymore in squid 2.3 and up. It has been replaced with " +#~ "header_replace and header_access that provide more fine-grained control " +#~ "over HTTP headers. Right now, your squid doesn't anonymize the HTTP " +#~ "headers anymore so you probably want to fix this. The new format is " +#~ "explained in the new 2.5 config file, of which you probably have a copy " +#~ "in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Direktiva http_anonymizer, která byla přítomna ve squidu 2.1 a 2.2, byla " +#~ "z verzí 2.3 a vyšších odstraněna a nahrazena direktivami header_replace a " +#~ "header_access, které poskytují jemnější kontrolu nad HTTP hlavičkami. V " +#~ "tento okamžik již váš squid neanonymizuje HTTP hlavičky, což " +#~ "pravděpodobně budete chtít změnit. Nový formát je vysvětlen v " +#~ "konfiguračním souboru verze 2.5, jehož kopie se nachází v /usr/share/doc/" +#~ "squid/examples/squid.conf." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives have been replaced " +#~ "with header_access and header_replace." +#~ msgstr "" +#~ "Direktivy anonymize_headers a fake_user_agent byly nahrazeny direktivami " +#~ "header_access a header_replace." + +#~ msgid "" +#~ "The anonymize_headers and fake_user_agent directives that were present in " +#~ "squid 2.3 and 2.4 don't exist anymore in squid 2.5 and up. They have been " +#~ "replaced with header_replace and header_access that provide more fine-" +#~ "grained control over HTTP headers. Right now, your squid doesn't " +#~ "anonymize the HTTP headers anymore so you probably want to fix this. The " +#~ "new format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Direktivy anonymize_headers a fake_user_agent, které byly přítomny ve " +#~ "squidu 2.3 a 2.4, byly z verzí 2.5 a vyšších odstraněny a nahrazeny " +#~ "direktivami header_replace a header_access, které poskytují jemnější " +#~ "kontrolu nad HTTP hlavičkami. V tento okamžik již váš squid neanonymizuje " +#~ "HTTP hlavičky, což pravděpodobně budete chtít změnit. Nový formát je " +#~ "vysvětlen v konfiguračním souboru verze 2.5, jehož kopie se nachází v /" +#~ "usr/share/doc/squid/examples/squid.conf." + +#~ msgid "There is no automatic upgrade path to squid 2.5." +#~ msgstr "Přechod na squid 2.5 se bohužel nedá zautomatizovat." + +#~ msgid " SQUID 2.5 INSTALLATION WARNING" +#~ msgstr " VAROVÁNÍ INSTALACE SQUIDu 2.5" + +#~ msgid "" +#~ "You are upgrading squid from an 1.x version to the 2.5 version. The 1.x " +#~ "and 2.5 versions are NOT compatible. The structure of the cache directory " +#~ "is different and the configuration file \"squid.conf\" is not entirely " +#~ "compatible." +#~ msgstr "" +#~ "Přecházíte ze squidu verze 1.x na verzi 2.5. Tyto verze NEJSOU " +#~ "kompatibilní. Struktura adresáře obsahujícího cache je jiná a také se " +#~ "změnil konfigurační soubor \"squid.conf\"." + +#~ msgid "" +#~ "If you have an old cache directory, please quit NOW and remove the old " +#~ "cache by hand (in /var/spool/squid). Then re-install this squid version." +#~ msgstr "" +#~ "Máte-li starý adresář s cache, opusťte nyní instalaci, adresář ručně " +#~ "odstraňte (většinou /var/spool/squid) a poté znovu spusťte instalaci této " +#~ "verze." + +#~ msgid "" +#~ "Also, please accept the new configuration file. After upgrading your old " +#~ "configuration file can be found in \"/etc/squid.conf.dpkg-old\". Then you " +#~ "have to edit the new configuration file by hand to match your old " +#~ "configuration." +#~ msgstr "" +#~ "Také prosím povolte instalaci nového konfiguračního souboru. Váš starý " +#~ "soubor bude zazálohován jako /etc/squid.conf.dpkg-old. Na závěr budete " +#~ "muset ručně upravit nový konfigurační soubor, aby odpovídal vašemu " +#~ "původnímu nastavení." + +#~ msgid "Do you want to quit now?" +#~ msgstr "Chcete nyní skončit?" + +#~ msgid "squid-cgi now uses config file for target ACL" +#~ msgstr "squid-cgi nyní používá pro cílová ACL konfigurační soubor" + +#~ msgid "" +#~ "squid-cgi now checks a configuration file before connecting to the target " +#~ "host. Only allowed target will be contacted. Please add hosts you want to " +#~ "access to the file /etc/squid/cachemgr.conf, one per line in the form" +#~ msgstr "" +#~ "squid-cgi nyní před připojením k cílovému počítači konzultuje " +#~ "konfigurační soubor. Spojení bude navázáno pouze s povolenými cíli. " +#~ "Seznam počítačů, ke kterým chcete přistupovat, můžete zadat do souboru /" +#~ "etc/squid/cachemgr.conf ve tvaru jeden záznam na řádek." + +#~ msgid " hostname:port" +#~ msgstr " pocitac:port" + +#~ msgid "" +#~ "Incompatible settings have been found in the existing squid.conf file; " +#~ "they will prevent squid from starting or working correctly. However, this " +#~ "setup can try to modify them to work again. Do you want to apply the " +#~ "changes?" +#~ msgstr "" +#~ "Ve stávajícím konfiguračním souboru squid.conf byly nalezeny " +#~ "nekompatibilní změny, které zabrání squidu v korektním práci. Instalační " +#~ "skript se však může pokusit toto nastavení upravit tak, aby opět " +#~ "fungovalo. Chcete změny aplikovat?" + +#~ msgid "" +#~ "The authenticate_program directive has been replaced with auth_param." +#~ msgstr "" +#~ "Direktiva authenticate_program byla nahrazena direktivou auth_param." + +#~ msgid "" +#~ "The authenticate_program directive that was present in squid <= 2.4 " +#~ "doesn't exist anymore in squid 2.5 and up. All authentication directives " +#~ "have been replaced with auth_param. Right now, your squid doesn't " +#~ "authenticate users anymore so you probably want to fix this. The new " +#~ "format is explained in the new 2.5 config file, of which you probably " +#~ "have a copy in /usr/share/doc/squid/examples/squid.conf." +#~ msgstr "" +#~ "Direktiva authenticate_program, která byla přítomna ve squidu <= 2.4, " +#~ "byla z verzí 2.5 a vyšších odstraněna a nahrazena direktivou auth_param. " +#~ "V tento okamžik již váš squid neověřuje uživatele, což pravděpodobně " +#~ "budete chtít změnit. Nový formát je vysvětlen v konfiguračním souboru " +#~ "verze 2.5, jehož kopie se nachází v /usr/share/doc/squid/examples/squid." +#~ "conf." + +#~ msgid "Warning: squid may crash when logfiles size is bigger than 2GB." +#~ msgstr "" +#~ "Varování: pokud velikost logovacího souboru přesáhne 2GB, squid může " +#~ "spadnout." + +#~ msgid "" +#~ "Squid may crash if any of the logfiles grows bigger than 2GB. Please " +#~ "configure /etc/logrotate.d/squid accordingly to your site's traffic." +#~ msgstr "" +#~ "Squid může spadnout v případech, kdy některý z logovacích souborů " +#~ "přesáhne 2GB. Doporučujeme tedy přizpůsobit soubor /etc/logrotate.d/squid " +#~ "podle provozu na vašem serveru." --- squid-2.7.STABLE3.orig/debian/conffiles +++ squid-2.7.STABLE3/debian/conffiles @@ -0,0 +1,3 @@ +/etc/init.d/squid +/etc/logrotate.d/squid +/etc/resolvconf/update-libc.d/squid --- squid-2.7.STABLE3.orig/debian/postinst +++ squid-2.7.STABLE3/debian/postinst @@ -0,0 +1,198 @@ +#! /bin/sh + +set -e + +# Source debconf library. +. /usr/share/debconf/confmodule +db_version 2.0 + +grepconf () { + w=" " # space tab + sq=/etc/squid/squid.conf + # sed is cool. + res=`sed -ne ' + s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p; + t end; + d; + :end q' < $sq` + [ -n "$res" ] || res=$2 + echo "$res" +} + +grepconf2 () { + w=" " # space tab + sq=/etc/squid/squid.conf + # sed is cool. + res=`sed -ne ' + s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p; + t end; + d; + :end q' < $sq` + [ -n "$res" ] || res=$2 + echo "$res" +} + +# +# Fix old style "cache_dir /var/spool/squid 100 16 256" +# to include "ufs" (Unix File System) after "cache_dir". +# +conf_fix_cache_dir () { + + # get value for squid/fix_lines + db_get squid/fix_lines + + # handle it! + if [ "$RET" = "true" ] ; then + sed -e 's/^cache_dir\(.*\)$/cache_dir ufs\1/' \ + -e 's/^\(dns_children.*\)$/#NOT IN 2.3#\1/' \ + -e 's/^\(dns_defnames.*\)$/#NOT IN 2.3#\1/' \ + -e 's/^\(cache_dns_program.*\)$/#NOT IN 2.3#\1/' \ + < /etc/squid/squid.conf > /etc/squid/squid.conf.TMP && \ + mv /etc/squid/squid.conf.TMP /etc/squid/squid.conf + fi + +} +# +# We moved from /etc/cron.d/squid to /etc/logrotate.d/squid +# +conf_fix_logrotate () { + c=/etc/cron.daily/squid + if [ -f $c ] + then + ##db_text high squid/logrotate || true + ##db_go + cp -a $c $c.disabled + ( head -1 $c + echo "#" + echo "# DISABLED - squid now uses /etc/logrotate.d/squid" + echo "# please remove this file." + echo "#" + ) > $c.disabled + tail +2 $c >> $c.disabled + rm -f $c + fi +} + + +# +# +# +conf_fix_http_port () { + w=" " # space tab + if ! grep -q "^http_port[$w]*" /etc/squid/squid.conf + then + if grep -q "^# http_port[$w]*" /etc/squid/squid.conf + then + sed -e 's/^# http_port\(.*\)$/http_port\1/' \ + < /etc/squid/squid.conf > /etc/squid/squid.conf.TMP && \ + mv /etc/squid/squid.conf.TMP /etc/squid/squid.conf + else + echo >> /etc/squid/squid.conf + echo "http_port 3128" >> /etc/squid/squid.conf + fi + fi +} + + +case "$1" in + configure) + if [ -e /etc/squid/conffile-moved ] ; then + rm /etc/squid/conffile-moved + fi + + if [ ! -f /etc/squid/squid.conf ]; then + cp /usr/share/doc/squid/examples/squid.conf \ + /etc/squid/squid.conf + chmod 0600 /etc/squid/squid.conf + fi + + # Check for old incompatible configs + case "$2" in + 2.[12].*) + conf_fix_cache_dir + FIXLINES="$RET" + ;; + esac + conf_fix_logrotate + conf_fix_http_port + + # + # Chown the directories. + # + dir=`grepconf2 cache_dir /var/spool/squid` + usr=`grepconf cache_effective_user proxy` + grp=`grepconf cache_effective_group proxy` + + if [ "$FIXLINES" = "false" ]; then + echo "squid.conf contains 2.2.5 syntax - not doing anything!" + else + if [ "$(/usr/bin/stat -c %U $dir)" != "$usr" ] || [ "$(/usr/bin/stat -c %G $dir)" != "$grp" ] ; then + db_get "squid/fix_cachedir_perms" + if [ "$RET" = "true" ] ; then + chown $usr:$grp $dir -R + fi + db_reset "squid/fix_cachedir_perms" + fi + if [ "$(/usr/bin/stat -c %U /var/log/squid)" != "$usr" ] || [ "$(/usr/bin/stat -c %G /var/log/squid)" != "$grp" ] ; then + # Check if there is an override of ownership + if [ "$(/usr/sbin/dpkg-statoverride --list /var/log/squid)" = "" ] ; then + chown $usr:$grp /var/log/squid -R + fi + fi + fi + + # + # Create spool dirs if they don't exist. + # + if [ -d "$dir" -a ! -d "$dir/00" ] + then + echo "Creating squid spool directory structure" + squid -z + fi + + # + # Install /etc/default/squid file if it doesn't + # exist yet. + # + if [ ! -f /etc/default/squid ] + then + cp /usr/share/doc/squid/examples/default.squid \ + /etc/default/squid + chmod 644 /etc/default/squid + fi + + # + # If winbind is installed, add proxy user to winbindd_priv + # group + # + getent group winbindd_priv >/dev/null 2>&1 && + adduser --quiet proxy winbindd_priv + + ;; + abort-upgrade|abort-remove|abort-deconfigure) + ;; + *) + # + # Unknown action - do nothing. + # + exit 0 + ;; +esac + +db_stop + +# +# Update links if needed and start squid. +# +update-rc.d squid defaults 30 >/dev/null + +cd / + +if [ "$FIXLINES" = "false" ]; then + echo "squid.conf contains 2.2.5 syntax - cache_dir directive - not starting " + echo "Run 'dpkg-reconfigure -plow squid' to fix this automatically," + echo "or fix the 'cache_dir'-entry in your squid.conf manually." + echo "See documentation in /usr/share/doc/squid for nearer instructions." +else + invoke-rc.d squid restart +fi --- squid-2.7.STABLE3.orig/debian/logrotate +++ squid-2.7.STABLE3/debian/logrotate @@ -0,0 +1,15 @@ +# +# Logrotate fragment for squid. +# +/var/log/squid/*.log { + daily + compress + delaycompress + rotate 2 + missingok + nocreate + sharedscripts + postrotate + test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate + endscript +} --- squid-2.7.STABLE3.orig/debian/prerm +++ squid-2.7.STABLE3/debian/prerm @@ -0,0 +1,19 @@ +#!/bin/sh + +set -e + +case "$1" in + remove|remove-in-favour|deconfigure-in-favour) + # + # Stop the daemon + # + invoke-rc.d squid stop + ;; + upgrade) + [ -L /usr/doc/squid ] && rm -f /usr/doc/squid + ;; + failed-upgrade) + ;; +esac + +exit 0 --- squid-2.7.STABLE3.orig/debian/doc/README.morefds +++ squid-2.7.STABLE3/debian/doc/README.morefds @@ -0,0 +1,17 @@ + + + More filedescriptors for squid + + +The Debian Squid package is compiled with a limit of filedescriptors +set to 65534. At startup time this limit is lowered to 1024 to save +runtime resources in default setup. You can change this runtime +setting by increasing SQUID_MAXFD in /etc/default/squid. + +The /etc/init.d/squid script then sets the maximum number of +filedescriptors at startup using 'ulimit'. It also examines +the global file maximum in /proc/sys/fs/file-max and increases +that to (SQUID_MAXFD + 4096) if it is lower than that. + + README.morefds 1.21 11-May-2007 luigi@debian.org + --- squid-2.7.STABLE3.orig/debian/doc/README.auth_modules +++ squid-2.7.STABLE3/debian/doc/README.auth_modules @@ -0,0 +1,15 @@ + +The Debian package of squid includes a number of SAMPLE authentication +modules in /usr/lib/squid. These are: + +ncsa_auth Authentication against an NCSA/Apache style password file +smb_auth Authentication against an SMB (for example NT) server +getpwnam_auth Authentication using the getpwnam() library call. +pam_auth Authentication using standard PAM services. +ldap_auth Authentication against an LDAP database. + +Note that these are really sample modules. The documentation leaves a +bit to be desired, and they probably haven't been fully tested. + +See the README.auth_module.* files for more information. + --- squid-2.7.STABLE3.orig/debian/doc/cachemgr.html +++ squid-2.7.STABLE3/debian/doc/cachemgr.html @@ -0,0 +1,16 @@ +Cache Manager Interface +

Cache Manager Interface

+

This is a WWW interface to the instrumentation interface +for the Squid object cache.

+
+
+ + + + + +
Cache Host:
Cache Port:
Manager name:
Password:

+ +
+
+ --- squid-2.7.STABLE3.orig/debian/doc/CacheManagerFaq +++ squid-2.7.STABLE3/debian/doc/CacheManagerFaq @@ -0,0 +1,647 @@ + #[1]Start [2]Wiki Markup [3]Print View [4]Up [5]Search [6]Index + [7]Glossary [8]Help + + [9]Squid SquidWiki + Search: ____________________ Titles Text + * [10]Login + + * [11]SquidFaq + * [12]CacheManager + + * [13]Up + * [14]Edit + * [15]View + * [16]Diffs + * [17]Info + * [18]Subscribe + * [19]Raw + * [20]Print + + * [21]FrontPage + * [22]RecentChanges + * [23]FindPage + * [24]HelpContents + * [25]SquidFaq/CacheManager + + Contents + 1. [26]What is the cache manager? + 2. [27]How do you set it up? + 3. [28]Cache manager configuration for CERN httpd 3.0 + 4. [29]Cache manager configuration for Apache + 5. [30]Cache manager configuration for Roxen 2.0 and later + 6. [31]Cache manager access from squidclient + 7. [32]Cache manager ACLs in squid.conf + 8. [33]Why does it say I need a password and a URL? + 9. [34]I want to shutdown the cache remotely. What's the password? + 10. [35]How do I make the cache host default to my cache? + 11. [36]What's the difference between Squid TCP connections and Squid + UDP connections? + 12. [37]It says the storage expiration will happen in 1970! + 13. [38]What do the Meta Data entries mean? + 14. [39]In the utilization section, what is Other? + 15. [40]In the utilization section, why is the Transfer KB/sec column + always zero? + 16. [41]In the utilization section, what is the Object Count? + 17. [42]In the utilization section, what is the Max/Current/Min KB? + 18. [43]What is the I/O section about? + 19. [44]What is the Objects section for? + 20. [45]What is the VM Objects section for? + 21. [46]What does AVG RTT mean? + 22. [47]In the IP cache section, what's the difference between a hit, a + negative hit and a miss? + 23. [48]What do the IP cache contents mean anyway? + 24. [49]What is the fqdncache and how is it different from the ipcache? + 25. [50]What does "Page faults with physical i/o: 4897" mean? + 26. [51]What does the IGNORED field mean in the 'cache server list'? + + Chapter contributed by Jonathan Larmour + +What is the cache manager? + + The cache manager (cachemgr.cgi) is a CGI utility for displaying + statistics about the squid process as it runs. The cache manager is a + convenient way to manage the cache and view statistics without logging + into the server. + +How do you set it up? + + That depends on which web server you're using. Below you will find + instructions for configuring the CERN and Apache servers to permit + cachemgr.cgi usage. + + {i} + + EDITOR'S NOTE: readers are encouraged to submit instructions for + configuration of cachemgr.cgi on other web server platforms, such as + Netscape. + + After you edit the server configuration files, you will probably need + to either restart your web server or or send it a SIGHUP signal to tell + it to re-read its configuration files. + + When you're done configuring your web server, you'll connect to the + cache manager with a web browser, using a URL such as: + + [52]http://www.example.com/Squid/cgi-bin/cachemgr.cgi + +Cache manager configuration for CERN httpd 3.0 + + First, you should ensure that only specified workstations can access + the cache manager. That is done in your CERN httpd.conf, not in + squid.conf. + +Protection MGR-PROT { + Mask @(workstation.example.com) +} + + Wildcards are acceptable, IP addresses are acceptable, and others can + be added with a comma-separated list of IP addresses. There are many + more ways of protection. Your server documentation has details. + + You also need to add: + +Protect /Squid/* MGR-PROT +Exec /Squid/cgi-bin/*.cgi /usr/local/squid/bin/*.cgi + + This marks the script as executable to those in MGR-PROT. + +Cache manager configuration for Apache + + First, make sure the cgi-bin directory you're using is listed with a + ScriptAlias in your Apache httpd.conf file like this: + +ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/ + + It's probably a bad idea to ScriptAlias the entire + //usr/local/squid/bin/ directory where all the Squid executables live. + + Next, you should ensure that only specified workstations can access the + cache manager. That is done in your Apache httpd.conf, not in + squid.conf. At the bottom of httpd.conf file, insert: + + +order allow,deny +allow from workstation.example.com + + + You can have more than one allow line, and you can allow domains or + networks. + + Alternately, cachemgr.cgi can be password-protected. You'd add the + following to httpd.conf: + + +AuthUserFile /path/to/password/file +AuthGroupFile /dev/null +AuthName User/Password Required +AuthType Basic +require user cachemanager + + + Consult the Apache documentation for information on using htpasswd to + set a password for this "user." + +Cache manager configuration for Roxen 2.0 and later + + by [53]FrancescoChemolli + + Notice: this is not how things would get best done with Roxen, but this + what you need to do go adhere to the example. Also, knowledge of basic + Roxen configuration is required. + + This is what's required to start up a fresh Virtual Server, only + serving the cache manager. If you already have some Virtual Server you + wish to use to host the Cache Manager, just add a new CGI support + module to it. + + Create a new virtual server, and set it to host + [54]http://www.example.com/. Add to it at least the following modules: + * Content Types + * CGI scripting support + + In the CGI scripting support module, section Settings, change the + following settings: + * CGI-bin path: set to /Squid/cgi-bin/ + * Handle *.cgi: set to no + * Run user scripts as owner: set to no + * Search path: set to the directory containing the cachemgr.cgi file + + In section Security, set Patterns to: + +allow ip=1.2.3.4 + + where 1.2.3.4 is the IP address for workstation.example.com + + Save the configuration, and you're done. + +Cache manager access from squidclient + + A simple way to test the access to the cache manager is: +% ./squidclient -p 8080 mgr:info@yourcachemanagerpassword + + Note, 8080 and yourcachemanagerpassword come from your exact + squid.configuration See squidclient -h for more options. + +Cache manager ACLs in squid.conf + + The default cache manager access configuration in squid.conf is: + +acl manager proto cache_object +acl localhost src 127.0.0.1/255.255.255.255 +acl all src 0.0.0.0/0.0.0.0 + + With the following rules: + +http_access deny manager !localhost +http_access allow all + + The first ACL is the most important as the cache manager program + interrogates squid using a special cache_object protocol. Try it + yourself by doing: + +telnet mycache.example.com 3128 +GET cache_object://mycache.example.com/info HTTP/1.0 + + The default ACLs say that if the request is for a cache_object, and it + isn't the local host, then deny access; otherwise allow access. + + In fact, only allowing localhost access means that on the initial + cachemgr.cgi form you can only specify the cache host as localhost. We + recommend the following: + +acl manager proto cache_object +acl localhost src 127.0.0.1/255.255.255.255 +acl example src 123.123.123.123/255.255.255.255 +acl all src 0.0.0.0/0.0.0.0 + + Where 123.123.123.123 is the IP address of your web server. Then modify + the rules like this: + +http_access allow manager localhost +http_access allow manager example +http_access deny manager +http_access allow all + + If you're using miss_access, then don't forget to also add a + miss_access rule for the cache manager: + +miss_access allow manager + + The default ACLs assume that your web server is on the same machine as + squid. Remember that the connection from the cache manager program to + squid originates at the web server, not the browser. So if your web + server lives somewhere else, you should make sure that IP address of + the web server that has cachemgr.cgi installed on it is in the example + ACL above. + + Always be sure to send a SIGHUP signal to squid any time you change the + squid.conf file, or to run squid -k reconfigure. + +Why does it say I need a password and a URL? + + If you "drop" the list box, and browse it, you will see that the + password is only required to shutdown the cache, and the URL is + required to refresh an object (i.e., retrieve it from its original + source again) Otherwise these fields can be left blank: a password is + not required to obtain access to the informational aspects of + cachemgr.cgi. + +I want to shutdown the cache remotely. What's the password? + + See the cachemgr_passwd directive in squid.conf. + +How do I make the cache host default to my cache? + + When you run configure use the --enable-cachemgr-hostname option: + +% ./configure --enable-cachemgr-hostname=`hostname` ... + + Note, if you do this after you already installed Squid before, you need + to make sure cachemgr.cgi gets recompiled. For example: + +% cd src +% rm cachemgr.o cachemgr.cgi +% make cachemgr.cgi + + Then copy cachemgr.cgi to your HTTP server's cgi-bin directory. + +What's the difference between Squid TCP connections and Squid UDP +connections? + + Browsers and caches use TCP connections to retrieve web objects from + web servers or caches. UDP connections are used when another cache + using you as a sibling or parent wants to find out if you have an + object in your cache that it's looking for. The UDP connections are ICP + queries. + +It says the storage expiration will happen in 1970! + + Don't worry. The default (and sensible) behavior of squid is to expire + an object when it happens to overwrite it. It doesn't explicitly + garbage collect (unless you tell it to in other ways). + +What do the Meta Data entries mean? + + StoreEntry + Entry describing an object in the cache. + + IPCacheEntry + An entry in the DNS cache. + + Hash link + Link in the cache hash table structure. + + URL strings + The strings of the URLs themselves that map to an object number + in the cache, allowing access to the StoreEntry. + + Basically just like the log file in your cache directory: + * PoolMemObject structures + * Info about objects currently in memory, (eg, in the process of + being transferred). + * Pool for Request structures + * Information about each request as it happens. + * Pool for in-memory object + * Space for object data as it is retrieved. + + If squid is much smaller than this field, run for cover! Something is + very wrong, and you should probably restart squid. + +In the utilization section, what is Other? + + Other is a default category to track objects which don't fall into one + of the defined categories. + +In the utilization section, why is the Transfer KB/sec column always zero? + + This column contains gross estimations of data transfer rates averaged + over the entire time the cache has been running. These numbers are + unreliable and mostly useless. + +In the utilization section, what is the Object Count? + + The number of objects of that type in the cache right now. + +In the utilization section, what is the Max/Current/Min KB? + + These refer to the size all the objects of this type have grown + to/currently are/shrunk to. + +What is the I/O section about? + + These are histograms on the number of bytes read from the network per + read(2) call. Somewhat useful for determining maximum buffer sizes. + +What is the Objects section for? + + + + This will download to your browser a list of every URL in the cache and + statistics about it. It can be very, very large. Sometimes it will be + larger than the amount of available memory in your client! You probably + don't need this information anyway. + +What is the VM Objects section for? + + VM Objects are the objects which are in Virtual Memory. These are + objects which are currently being retrieved and those which were kept + in memory for fast access (accelerator mode). + +What does AVG RTT mean? + + Average Round Trip Time. This is how long on average after an ICP ping + is sent that a reply is received. + +In the IP cache section, what's the difference between a hit, a negative hit +and a miss? + + A HIT means that the document was found in the cache. A MISS, that it + wasn't found in the cache. A negative hit means that it was found in + the cache, but it doesn't exist. + +What do the IP cache contents mean anyway? + + The hostname is the name that was requested to be resolved. + + For the Flags column: + * C means positively cached. + * N means negatively cached. + * P means the request is pending being dispatched. + * D means the request has been dispatched and we're waiting for an + answer. + * L means it is a locked entry because it represents a parent or + sibling. + + The TTL column represents "Time To Live" (i.e., how long the cache + entry is valid). (May be negative if the entry has expired.) + + The N column is the number of hostnames which the cache has + translations for. + + The rest of the line lists all the host names that have been associated + with that IP cache entry. + +What is the fqdncache and how is it different from the ipcache? + + IPCache contains data for the Hostname to IP-Number mapping, and + FQDNCache does it the other way round. For example: + + IP Cache Contents: + +Hostname Flags lstref TTL N [IP-Number] +gorn.cc.fh-lippe.de C 0 21581 1 193.16.112.73 +lagrange.uni-paderborn.de C 6 21594 1 131.234.128.245 +www.altavista.digital.com C 10 21299 4 204.123.2.75 ... +2/ftp.symantec.com DL 1583 -772855 0 +Flags: C --> Cached + D --> Dispatched + N --> Negative Cached + L --> Locked +lstref: Time since last use +TTL: Time-To-Live until information expires +N: Count of addresses + + FQDN Cache Contents: + +IP-Number Flags TTL N Hostname +130.149.17.15 C -45570 1 andele.cs.tu-berlin.de +194.77.122.18 C -58133 1 komet.teuto.de +206.155.117.51 N -73747 0 +Flags: C --> Cached + D --> Dispatched + N --> Negative Cached + L --> Locked +TTL: Time-To-Live until information expires +N: Count of names + +What does "Page faults with physical i/o: 4897" mean? + + This question was asked on the squid-users mailing list, to which there + were three excellent replies. + + by Jonathan Larmour + + You get a "page fault" when your OS tries to access something in memory + which is actually swapped to disk. The term "page fault" while correct + at the kernel and CPU level, is a bit deceptive to a user, as there's + no actual error - this is a normal feature of operation. + + Also, this doesn't necessarily mean your squid is swapping by that + much. Most operating systems also implement paging for executables, so + that only sections of the executable which are actually used are read + from disk into memory. Also, whenever squid needs more memory, the fact + that the memory was allocated will show up in the page faults. + + However, if the number of faults is unusually high, and getting bigger, + this could mean that squid is swapping. Another way to verify this is + using a program called "vmstat" which is found on most UNIX platforms. + If you run this as "vmstat 5" this will update a display every 5 + seconds. This can tell you if the system as a whole is swapping a lot + (see your local man page for vmstat for more information). + + It is very bad for squid to swap, as every single request will be + blocked until the requested data is swapped in. It is better to tweak + the cache_mem and/or memory_pools setting in squid.conf, or switch to + the NOVM versions of squid, than allow this to happen. + + by Peter Wemm + + There's two different operations at work, Paging and swapping. Paging + is when individual pages are shuffled (either discarded or swapped + to/from disk), while "swapping" generally means the entire process got + sent to/from disk. + + Needless to say, swapping a process is a pretty drastic event, and + usually only reserved for when there's a memory crunch and paging out + cannot free enough memory quickly enough. Also, there's some variation + on how swapping is implemented in OS's. Some don't do it at all or do a + hybrid of paging and swapping instead. + + As you say, paging out doesn't necessarily involve disk IO, eg: text + (code) pages are read-only and can simply be discarded if they are not + used (and reloaded if/when needed). Data pages are also discarded if + unmodified, and paged out if there's been any changes. Allocated memory + (malloc) is always saved to disk since there's no executable file to + recover the data from. mmap() memory is variable.. If it's backed from + a file, it uses the same rules as the data segment of a file - ie: + either discarded if unmodified or paged out. + + There's also "demand zeroing" of pages as well that cause faults.. If + you malloc memory and it calls brk()/sbrk() to allocate new pages, the + chances are that you are allocated demand zero pages. Ie: the pages are + not "really" attached to your process yet, but when you access them for + the first time, the page fault causes the page to be connected to the + process address space and zeroed - this saves unnecessary zeroing of + pages that are allocated but never used. + + The "page faults with physical IO" comes from the OS via getrusage(). + It's highly OS dependent on what it means. Generally, it means that the + process accessed a page that was not present in memory (for whatever + reason) and there was disk access to fetch it. Many OS's load + executables by demand paging as well, so the act of starting squid + implicitly causes page faults with disk IO - however, many (but not + all) OS's use "read ahead" and "prefault" heuristics to streamline the + loading. Some OS's maintain "intent queues" so that pages can be + selected as pageout candidates ahead of time. When (say) squid touches + a freshly allocated demand zero page and one is needed, the OS can page + out one of the candidates on the spot, causing a 'fault with physical + IO' with demand zeroing of allocated memory which doesn't happen on + many other OS's. (The other OS's generally put the process to sleep + while the pageout daemon finds a page for it). + + The meaning of "swapping" varies. On FreeBSD for example, swapping out + is implemented as unlocking upages, kernel stack, PTD etc for + aggressive pageout with the process. The only thing left of the process + in memory is the 'struct proc'. The FreeBSD paging system is highly + adaptive and can resort to paging in a way that is equivalent to the + traditional swapping style operation (ie: entire process). FreeBSD also + tries stealing pages from active processes in order to make space for + disk cache. I suspect this is why setting 'memory_pools off' on the + non-NOVM squids on FreeBSD is reported to work better - the VM/buffer + system could be competing with squid to cache the same pages. It's a + pity that squid cannot use mmap() to do file IO on the 4K chunks in + it's memory pool (I can see that this is not a simple thing to do + though, but that won't stop me wishing. :-). + + by John Line + + The comments so far have been about what paging/swapping figures mean + in a "traditional" context, but it's worth bearing in mind that on some + systems (Sun's Solaris 2, at least), the virtual memory and filesystem + handling are unified and what a user process sees as reading or writing + a file, the system simply sees as paging something in from disk or a + page being updated so it needs to be paged out. (I suppose you could + view it as similar to the operating system memory-mapping the files + behind-the-scenes.) + + The effect of this is that on Solaris 2, paging figures will also + include file I/O. Or rather, the figures from vmstat certainly appear + to include file I/O, and I presume (but can't quickly test) that + figures such as those quoted by Squid will also include file I/O. + + To confirm the above (which represents an impression from what I've + read and observed, rather than 100% certain facts...), using an + otherwise idle Sun Ultra 1 system system I just tried using cat (small, + shouldn't need to page) to copy (a) one file to another, (b) a file to + /dev/null, (c) /dev/zero to a file, and (d) /dev/zero to /dev/null + (interrupting the last two with control-C after a while!), while + watching with vmstat. 300-600 page-ins or page-outs per second when + reading or writing a file (rather than a device), essentially zero in + other cases (and when not cat-ing). + + So ... beware assuming that all systems are similar and that paging + figures represent *only* program code and data being shuffled to/from + disk - they may also include the work in reading/writing all those + files you were accessing... + + Ok, so what is unusually high? + + You'll probably want to compare the number of page faults to the number + of HTTP requests. If this ratio is close to, or exceeding 1, then Squid + is paging too much. + +What does the IGNORED field mean in the 'cache server list'? + + This refers to ICP replies which Squid ignored, for one of these + reasons: + * The URL in the reply could not be found in the cache at all. + * The URL in the reply was already being fetched. Probably this ICP + reply arrived too late. + * The URL in the reply did not have a MemObject associated with it. + Either the request is already finished, or the user aborted before + the ICP arrived. + * The reply came from a multicast-responder, but the + cache_peer_access configuration does not allow us to forward this + request to that neighbor. + * Source-Echo replies from known neighbors are ignored. + * ICP_OP_DENIED replies are ignored after the first 100. + __________________________________________________________________ + + Back to the [55]SquidFaq + + SquidFaq/CacheManager (last edited 2007-02-02 09:52:28 by [56]ecasbas) + + * Immutable Page + + [57]DeleteCache (cached 2007-05-12 06:12:21) + + Or try one of these actions: [58]Attach File, [59]Despam, [60]Like + Pages, [61]Local Site Map, [62]My Pages, [63]Package Pages, [64]Render + As Docbook, [65]Spell Check, [66]Subscribe User, [67]Visual Site Map + + * [68]MoinMoin Powered + * [69]Python Powered + * [70]Valid HTML 4.01 + +Riferimenti + + 1. http://wiki.squid-cache.org/FrontPage + 2. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=raw + 3. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=print + 4. http://wiki.squid-cache.org/SquidFaq + 5. http://wiki.squid-cache.org/FindPage + 6. http://wiki.squid-cache.org/TitleIndex + 7. http://wiki.squid-cache.org/WordIndex + 8. http://wiki.squid-cache.org/HelpOnFormatting + 9. http://wiki.squid-cache.org/FrontPage + 10. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=login + 11. http://wiki.squid-cache.org/SquidFaq + 12. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=fullsearch&value=linkto%3A%22SquidFaq/CacheManager%22&context=180 + 13. http://wiki.squid-cache.org/SquidFaq + 14. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=edit + 15. http://wiki.squid-cache.org/SquidFaq/CacheManager + 16. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=diff + 17. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=info + 18. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=subscribe + 19. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=raw + 20. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=print + 21. http://wiki.squid-cache.org/FrontPage + 22. http://wiki.squid-cache.org/RecentChanges + 23. http://wiki.squid-cache.org/FindPage + 24. http://wiki.squid-cache.org/HelpContents + 25. http://wiki.squid-cache.org/SquidFaq/CacheManager + 26. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-f700454ebeee78bda0718f926688eddef94fd48c + 27. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-bae94b0712337689e6c9f7284c9185a1efd3b849 + 28. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-92109d5c85e37389ebec721d1a899a5ceda3f0e0 + 29. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-30674c05dd94e629023bfc3210b602e15375f04f + 30. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-bc460e2fc85afc5ae3cf35c74dc95443bdcd5386 + 31. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-39f4392eb43ea504fa208d0d9e9bd185f8ef7e0b + 32. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-ae637024a0e00110c9e60a24033dad8d0b23a142 + 33. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-0aefe11b29b2c72acedf8fb8f6a1d81547e8f0e8 + 34. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-d2d0fbe69e2f4810b3b3e59a683984ee73bb72d8 + 35. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-e351d47fc9628b8814df4d371f48a8055ad13166 + 36. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-2506cb315464c32e51e8f9b0e01a5856ee9da06f + 37. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-eebd224417ff90f12a055ae920bfe2b487ad556f + 38. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-831a93ac82d6bee343656c82dc21957d987aeb25 + 39. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-8a490ee94fff2784383dfb65c68d6af64784f994 + 40. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-55c9e778a2d121688ad4bd350c1435c1ec2ce670 + 41. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-88ae7aa8c482244be645c23c869e3aba7451d8b5 + 42. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-995fbbef9f19018d3aebf7230feaf80e47190136 + 43. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-d981b575a1c9537fc0b3a42978a498ff2cd2a71f + 44. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-40e6497904e3183f254d5ad51f92c19b066ab25a + 45. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-1f2e6fa77a5e9bc74f8c8d90a2b256dd1167e21e + 46. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-59aac85d5b0d8723015d9644fbbba1237b2a7c58 + 47. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-a1230367d8abee79ad0b86472e7c4815a393b211 + 48. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-7b0ff43d939ef738626511f8239679059d259222 + 49. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-4ace20e9327160a554de0994a6635cca5a0cfb60 + 50. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-d85f3fd26715d359c7267ce0baebf6bd0f2c479e + 51. http://wiki.squid-cache.org/SquidFaq/CacheManager#head-81292737ab5673946ec43127fd62069923936829 + 52. http://www.example.com/Squid/cgi-bin/cachemgr.cgi + 53. http://wiki.squid-cache.org/FrancescoChemolli + 54. http://www.example.com/ + 55. http://wiki.squid-cache.org/SquidFaq + 56. http://wiki.squid-cache.org/ecasbas + 57. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=refresh + 58. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=AttachFile + 59. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=Despam + 60. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=LikePages + 61. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=LocalSiteMap + 62. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=MyPages + 63. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=PackagePages + 64. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=RenderAsDocbook + 65. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=SpellCheck + 66. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=SubscribeUser + 67. http://wiki.squid-cache.org/SquidFaq/CacheManager?action=VisualSiteMap + 68. http://moinmoin.wikiwikiweb.de/ + 69. http://www.python.org/ + 70. http://validator.w3.org/check?uri=referer --- squid-2.7.STABLE3.orig/debian/doc/README.transparent-proxy +++ squid-2.7.STABLE3/debian/doc/README.transparent-proxy @@ -0,0 +1,19 @@ + +You can do transparent caching on Linux, Solaris, and BSD derivations. + +The FAQ talks about this, search CompleteFaq for 'Interception Caching'. + +The trick is to get the operating system to forward certain IP packets +to the application. This document currently contains only instruction +for configuring transparent caching on Linux and Solaris. + +For squid-2.6 it is as easy as adding the keyword 'transparent' to the +http_port setting, like this + + http_port 3128 transparent. + +If you keep this in mind the general info in the FAQ should get +you up and running without any further problems. + + Luigi Gangitano 11-May-2007 + --- squid-2.7.STABLE3.orig/debian/doc/CompleteFaq +++ squid-2.7.STABLE3/debian/doc/CompleteFaq @@ -0,0 +1,14794 @@ + #[1]Start [2]Wiki Markup [3]Print View [4]Up [5]Search [6]Index + [7]Glossary [8]Help + + [9]Squid SquidWiki + Search: ____________________ Titles Text + * [10]Login + + * [11]SquidFaq + * [12]CompleteFaq + + * [13]Up + * [14]Edit + * [15]View + * [16]Diffs + * [17]Info + * [18]Subscribe + * [19]Raw + * [20]Print + + * [21]FrontPage + * [22]RecentChanges + * [23]FindPage + * [24]HelpContents + * [25]SquidFaq/CompleteFaq + + Contents + 1. [26]What is Squid? + 2. [27]What is Internet object caching? + 3. [28]Why is it called Squid? + 4. [29]What is the latest version of Squid? + 5. [30]Who is responsible for Squid? + 6. [31]Where can I get Squid? + 7. [32]What Operating Systems does Squid support? + 8. [33]Does Squid run on Windows ? + 9. [34]What Squid mailing lists are available? + 10. [35]I can't figure out how to unsubscribe from your mailing list. + 11. [36]What other Squid-related documentation is available? + 12. [37]Does Squid support SSL/HTTPS/TLS? + 13. [38]What's the legal status of Squid? + 14. [39]Can I pay someone for Squid support? + 15. [40]Squid FAQ contributors + 16. [41]About This Document + 17. [42]Want to contribute? + 18. [43]Which file do I download to get Squid? + 19. [44]How do I compile Squid? + 20. [45]What kind of compiler do I need? + 21. [46]What else do I need to compile Squid? + 22. [47]Do you have pre-compiled binaries available? + 23. [48]How do I apply a patch or a diff? + 24. [49]configure options + 25. [50]undefined reference to __inet_ntoa + 26. [51]My platform is BSD/OS or BSDI and I can't compile Squid + 27. [52]Problems compiling libmiscutil.a on Solaris + 28. [53]I have problems compiling Squid on Platform Foo. + 29. [54]I see a lot warnings while compiling Squid. + 30. [55]Building Squid on OS/2 + 31. [56]Building Squid on Cygwin + 32. [57]Building Squid on MinGW + 33. [58]How big of a system do I need to run Squid? + 34. [59]How do I install Squid? + 35. [60]What does the squid.conf file do? + 36. [61]Do you have a squid.conf example? + 37. [62]How do I start Squid? + 38. [63]How do I start Squid automatically when the system boots? + 39. [64]How do I tell if Squid is running? + 40. [65]squid command line options + 41. [66]How do I see how Squid works? + 42. [67]Can Squid benefit from SMP systems? + 43. [68]Is it okay to use separate drives for Squid? + 44. [69]Is it okay to use RAID on Squid? + 45. [70]How do I join a cache hierarchy? + 46. [71]How do I join NLANR's cache hierarchy? + 47. [72]Why should I want to join NLANR's cache hierarchy? + 48. [73]How do I register my cache with NLANR's registration service? + 49. [74]How do I find other caches close to me and arrange + parent/child/sibling relationships with them? + 50. [75]My cache registration is not appearing in the Tracker database. + 51. [76]What is the httpd-accelerator mode? + 52. [77]How do I configure Squid to work behind a firewall? + 53. [78]How do I configure Squid forward all requests to another proxy? + 54. [79]I have "dnsserver" processes that aren't being used, should I + lower the number in "squid.conf"? + 55. [80]My ''dnsserver'' average/median service time seems high, how + can I reduce it? + 56. [81]How can I easily change the default HTTP port? + 57. [82]Is it possible to control how big each ''cache_dir'' is? + 58. [83]What ''cache_dir'' size should I use? + 59. [84]I'm adding a new cache_dir. Will I lose my cache? + 60. [85]Squid and http-gw from the TIS toolkit. + 61. [86]What is "HTTP_X_FORWARDED_FOR"? Why does squid provide it to + WWW servers, and how can I stop it? + 62. [87]Can Squid anonymize HTTP requests? + 63. [88]Can I make Squid go direct for some sites? + 64. [89]Can I make Squid proxy only, without caching anything? + 65. [90]Can I prevent users from downloading large files? + 66. [91]Communication between browsers and Squid + 67. [92]Manual Browser Configuration + 68. [93]Firefox and Thunderbird manual configuration + 69. [94]Microsoft Internet Explorer manual configuration + 70. [95]Netscape manual configuration + 71. [96]Lynx and Mosaic manual configuration + 72. [97]Opera 2.12 manual configuration + 73. [98]Netmanage Internet Chameleon WebSurfer manual configuration + 74. [99]Partially Automatic Configuration + 75. [100]Netscape automatic configuration + 76. [101]Microsoft Internet Explorer + 77. [102]Fully Automatically Configuring Browsers for WPAD + 78. [103]Fully Automatically Configuring Browsers for WPAD with DHCP + 79. [104]Redundant Proxy Auto-Configuration + 80. [105]Proxy Auto-Configuration with URL Hashing + 81. [106]How do I tell Squid to use a specific username for FTP urls? + 82. [107]IE 5.0x crops trailing slashes from FTP URL's + 83. [108]IE 6.0 SP1 fails when using authentication + 84. [109]Squid Log Files + 85. [110]squid.out + 86. [111]cache.log + 87. [112]useragent.log + 88. [113]store.log + 89. [114]hierarchy.log + 90. [115]access.log + 91. [116]access.log native format in detail + 92. [117]Squid result codes + 93. [118]HTTP status codes + 94. [119]Request methods + 95. [120]Hierarchy Codes + 96. [121]cache/log (Squid-1.x) + 97. [122]swap.state (Squid-2.x) + 98. [123]Which log files can I delete safely? + 99. [124]How can I disable Squid's log files? + 100. [125]What is the maximum size of access.log? + 101. [126]My log files get very big! + 102. [127]I want to use another tool to maintain the log files. + 103. [128]Managing log files + 104. [129]Why do I get ERR_NO_CLIENTS_BIG_OBJ messages so often? + 105. [130]What does ERR_LIFETIME_EXP mean? + 106. [131]Retrieving "lost" files from the cache + 107. [132]Can I use store.log to figure out if a response was cachable? + 108. [133]Can I pump the squid access.log directly into a pipe? + 109. [134]How do I see system level Squid statistics? + 110. [135]How can I find the biggest objects in my cache? + 111. [136]I want to restart Squid with a clean cache + 112. [137]How can I proxy/cache Real Audio? + 113. [138]How can I purge an object from my cache? + 114. [139]How can i purge multiple objects from my cache? + 115. [140]Using ICMP to Measure the Network + 116. [141]Why are so few requests logged as TCP_IMS_MISS? + 117. [142]How can I make Squid NOT cache some servers or URLs? + 118. [143]How can I delete and recreate a cache directory? + 119. [144]Why can't I run Squid as root? + 120. [145]Can you tell me a good way to upgrade Squid with minimal + downtime? + 121. [146]Can Squid listen on more than one HTTP port? + 122. [147]Can I make origin servers see the client's IP address when + going through Squid? + 123. [148]Why does Squid use so much memory!? + 124. [149]How can I tell how much memory my Squid process is using? + 125. [150]My Squid process grows without bounds. + 126. [151]I set cache_mem to XX, but the process grows beyond that! + 127. [152]How do I analyze memory usage from the cache manger output? + 128. [153]The "Total memory accounted" value is less than the size of + my Squid process. + 129. [154]xmalloc: Unable to allocate 4096 bytes! + 130. [155]fork: (12) Cannot allocate memory + 131. [156]What can I do to reduce Squid's memory usage? + 132. [157]Using an alternate malloc library + 133. [158]How much memory do I need in my Squid server? + 134. [159]Why can't my Squid process grow beyond a certain size? + 135. [160]What is the cache manager? + 136. [161]How do you set it up? + 137. [162]Cache manager configuration for CERN httpd 3.0 + 138. [163]Cache manager configuration for Apache + 139. [164]Cache manager configuration for Roxen 2.0 and later + 140. [165]Cache manager access from squidclient + 141. [166]Cache manager ACLs in squid.conf + 142. [167]Why does it say I need a password and a URL? + 143. [168]I want to shutdown the cache remotely. What's the password? + 144. [169]How do I make the cache host default to my cache? + 145. [170]What's the difference between Squid TCP connections and Squid + UDP connections? + 146. [171]It says the storage expiration will happen in 1970! + 147. [172]What do the Meta Data entries mean? + 148. [173]In the utilization section, what is Other? + 149. [174]In the utilization section, why is the Transfer KB/sec column + always zero? + 150. [175]In the utilization section, what is the Object Count? + 151. [176]In the utilization section, what is the Max/Current/Min KB? + 152. [177]What is the I/O section about? + 153. [178]What is the Objects section for? + 154. [179]What is the VM Objects section for? + 155. [180]What does AVG RTT mean? + 156. [181]In the IP cache section, what's the difference between a hit, + a negative hit and a miss? + 157. [182]What do the IP cache contents mean anyway? + 158. [183]What is the fqdncache and how is it different from the + ipcache? + 159. [184]What does "Page faults with physical i/o: 4897" mean? + 160. [185]What does the IGNORED field mean in the 'cache server list'? + 161. [186]ACL elements + 162. [187]Access Lists + 163. [188]How do I allow my clients to use the cache? + 164. [189]how do I configure Squid not to cache a specific server? + 165. [190]How do I implement an ACL ban list? + 166. [191]How do I block specific users or groups from accessing my + cache? + 167. [192]Do you have a CGI program which lets users change their own + proxy passwords? + 168. [193]Is there a way to do ident lookups only for a certain host + and compare the result with a userlist in squid.conf? + 169. [194]Common Mistakes + 170. [195]I set up my access controls, but they don't work! why? + 171. [196]Proxy-authentication and neighbor caches + 172. [197]Is there an easy way of banning all Destination addresses + except one? + 173. [198]Does anyone have a ban list of porn sites and such? + 174. [199]Squid doesn't match my subdomains + 175. [200]Why does Squid deny some port numbers? + 176. [201]Does Squid support the use of a database such as mySQL for + storing the ACL list? + 177. [202]How can I allow a single address to access a specific URL? + 178. [203]How can I allow some clients to use the cache at specific + times? + 179. [204]How can I allow some users to use the cache at specific + times? + 180. [205]Problems with IP ACL's that have complicated netmasks + 181. [206]Can I set up ACL's based on MAC address rather than IP? + 182. [207]Can I limit the number of connections from a client? + 183. [208]I'm trying to deny ''foo.com'', but it's not working. + 184. [209]I want to customize, or make my own error messages. + 185. [210]I want to use local time zone in error messages. + 186. [211]I want to put ACL parameters in an external file. + 187. [212]I want to authorize users depending on their MS Windows group + memberships + 188. [213]Maximum length of an acl name + 189. [214]Why am I getting "Proxy Access Denied?" + 190. [215]I can't get ''local_domain'' to work; ''Squid'' is caching + the objects from my local servers. + 191. [216]Connection Refused when reaching a sibling + 192. [217]Running out of filedescriptors + 193. [218]What are these strange lines about removing objects? + 194. [219]Can I change a Windows NT FTP server to list directories in + Unix format? + 195. [220]Why am I getting "Ignoring MISS from non-peer x.x.x.x?" + 196. [221]DNS lookups for domain names with underscores (_) always + fail. + 197. [222]Why does Squid say: "Illegal character in hostname; + underscores are not allowed?' + 198. [223]Why am I getting access denied from a sibling cache? + 199. [224]Cannot bind socket FD NN to *:8080 (125) Address already in + use + 200. [225]icpDetectClientClose: ERROR xxx.xxx.xxx.xxx: (32) Broken pipe + 201. [226]icpDetectClientClose: FD 135, 255 unexpected bytes + 202. [227]Does Squid work with NTLM Authentication? + 203. [228]The ''default'' parent option isn't working! + 204. [229]"Hotmail" complains about: Intrusion Logged. Access denied. + 205. [230]My Squid becomes very slow after it has been running for some + time. + 206. [231]WARNING: Failed to start 'dnsserver' + 207. [232]Sending bug reports to the Squid team + 208. [233]Debugging Squid + 209. [234]FATAL: ipcache_init: DNS name lookup tests failed + 210. [235]FATAL: Failed to make swap directory /var/spool/cache: (13) + Permission denied + 211. [236]FATAL: Cannot open HTTP Port + 212. [237]FATAL: All redirectors have exited! + 213. [238]FATAL: file_map_allocate: Exceeded filemap limit + 214. [239]FATAL: You've run out of swap file numbers. + 215. [240]I am using up over 95% of the filemap bits?!! + 216. [241]FATAL: Cannot open /usr/local/squid/logs/access.log: (13) + Permission denied + 217. [242]When using a username and password, I can not access some + files. + 218. [243]pingerOpen: icmp_sock: (13) Permission denied + 219. [244]What is a forwarding loop? + 220. [245]accept failure: (71) Protocol error + 221. [246]storeSwapInFileOpened: ... Size mismatch + 222. [247]Why do I get ''fwdDispatch: Cannot retrieve + 'https://www.buy.com/corp/ordertracking.asp' '' + 223. [248]Squid can't access URLs like + http://3626046468/ab2/cybercards/moreinfo.html + 224. [249]I get a lot of "URI has whitespace" error messages in my + cache log, what should I do? + 225. [250]commBind: Cannot bind socket FD 5 to 127.0.0.1:0: (49) Can't + assign requested address + 226. [251]Unknown cache_dir type '/var/squid/cache' + 227. [252]unrecognized: 'cache_dns_program + /usr/local/squid/bin/dnsserver' + 228. [253]Is ''dns_defnames'' broken in Squid-2.3 and later? + 229. [254]What does "sslReadClient: FD 14: read failure: (104) + Connection reset by peer" mean? + 230. [255]What does ''Connection refused'' mean? + 231. [256]squid: ERROR: no running copy + 232. [257]FATAL: getgrnam failed to find groupid for effective group + 'nogroup' + 233. [258]"Unsupported Request Method and Protocol" for ''https'' URLs. + 234. [259]Squid uses 100% CPU + 235. [260]Webmin's ''cachemgr.cgi'' crashes the operating system + 236. [261]Segment Violation at startup or upon first request + 237. [262]urlParse: Illegal character in hostname + 'proxy.mydomain.com:8080proxy.mydomain.com' + 238. [263]Requests for international domain names does not work + 239. [264]Why do I sometimes get "Zero Sized Reply"? + 240. [265]Why do I get "The request or reply is too large" errors? + 241. [266]Negative or very large numbers in Store Directory Statistics, + or constant complaints about cache above limit + 242. [267]Squid problems with Windows Update v5 + 243. [268]What are cachable objects? + 244. [269]What is the ICP protocol? + 245. [270]What is the ''dnsserver''? + 246. [271]What is a cache hierarchy? What are parents and siblings? + 247. [272]What is the Squid cache resolution algorithm? + 248. [273]What features are Squid developers currently working on? + 249. [274]Tell me more about Internet traffic workloads + 250. [275]What are the tradeoffs of caching with the NLANR cache + system? + 251. [276]Where can I find out more about firewalls? + 252. [277]What is the "Storage LRU Expiration Age?" + 253. [278]What is "Failure Ratio at 1.01; Going into hit-only-mode for + 5 minutes"? + 254. [279]Does squid periodically re-read its configuration file? + 255. [280]How does ''unlinkd'' work? + 256. [281]What is an icon URL? + 257. [282]Can I make my regular FTP clients use a Squid cache? + 258. [283]Why is the select loop average time so high? + 259. [284]How does Squid deal with Cookies? + 260. [285]How does Squid decide when to refresh a cached object? + 261. [286]What exactly is a ''deferred read''? + 262. [287]Why is my cache's inbound traffic equal to the outbound + traffic? + 263. [288]How come some objects do not get cached? + 264. [289]What does ''keep-alive ratio'' mean? + 265. [290]How does Squid's cache replacement algorithm work? + 266. [291]What are private and public keys? + 267. [292]What is FORW_VIA_DB for? + 268. [293]Does Squid send packets to port 7 (echo)? If so, why? + 269. [294]What does "WARNING: Reply from unknown nameserver [a.b.c.d]" + mean? + 270. [295]How does Squid distribute cache files among the available + directories? + 271. [296]Why do I see negative byte hit ratio? + 272. [297]What does "Disabling use of private keys" mean? + 273. [298]What is a half-closed filedescriptor? + 274. [299]What does --enable-heap-replacement do? + 275. [300]Why is actual filesystem space used greater than what Squid + thinks? + 276. [301]How do ''positive_dns_ttl'' and ''negative_dns_ttl'' work? + 277. [302]What does ''swapin MD5 mismatch'' mean? + 278. [303]What does ''failed to unpack swapfile meta data'' mean? + 279. [304]Why doesn't Squid make ''ident'' lookups in interception + mode? + 280. [305]dnsSubmit: queue overload, rejecting blah + 281. [306]What are FTP passive connections? + 282. [307]What is Multicast? + 283. [308]How do I know if my network has multicast? + 284. [309]Should I be using Multicast ICP? + 285. [310]How do I configure Squid to send Multicast ICP queries? + 286. [311]How do I know what Multicast TTL to use? + 287. [312]How do I configure Squid to receive and respond to Multicast + ICP? + 288. [313]General advice + 289. [314]FreeBSD + 290. [315]Solaris + 291. [316]FreeBSD + 292. [317]OSF1/3.2 + 293. [318]BSD/OS + 294. [319]Linux + 295. [320]IRIX + 296. [321]SCO-UNIX + 297. [322]AIX + 298. [323]What is a redirector? + 299. [324]Why use a redirector? + 300. [325]How does it work? + 301. [326]Do you have any examples? + 302. [327]Can I use the redirector to return HTTP redirect messages? + 303. [328]FATAL: All redirectors have exited! + 304. [329]Redirector interface is broken re IDENT values + 305. [330]What is a Cache Digest? + 306. [331]How and why are they used? + 307. [332]What is the theory behind Cache Digests? + 308. [333]How is the size of the Cache Digest in Squid determined? + 309. [334]What hash functions (and how many of them) does Squid use? + 310. [335]How are objects added to the Cache Digest in Squid? + 311. [336]Does Squid support deletions in Cache Digests? What are + diffs/deltas? + 312. [337]When and how often is the local digest built? + 313. [338]How are Cache Digests transferred between peers? + 314. [339]How and where are Cache Digests stored? + 315. [340]How are the Cache Digest statistics in the Cache Manager to + be interpreted? + 316. [341]What are False Hits and how should they be handled? + 317. [342]How can Cache Digest related activity be traced/debugged? + 318. [343]What about ICP? + 319. [344]Is there a Cache Digest Specification? + 320. [345]Would it be possible to stagger the timings when + cache_digests are retrieved from peers? + 321. [346]Concepts of Interception Caching + 322. [347]Requirements and methods for Interception Caching + 323. [348]Steps involved in configuring Interception Caching + 324. [349]Configuring Other Operating Systems + 325. [350]Issues with HotMail + 326. [351]Does Squid support SNMP? + 327. [352]Enabling SNMP in Squid + 328. [353]Configuring Squid + 329. [354]How can I query the Squid SNMP Agent + 330. [355]What can I use SNMP and Squid for? + 331. [356]How can I use SNMP with Squid? + 332. [357]Where can I get more information/discussion about Squid and + SNMP? + 333. [358]Monitoring Squid with MRTG + 334. [359]What are the new features in squid 2.X? + 335. [360]How do I configure 'ssl_proxy' now? + 336. [361]Adding a new cache disk + 337. [362]How do I configure proxy authentication? + 338. [363]Why does proxy-auth reject all users after upgrading from + Squid-2.1 or earlier? + 339. [364]Delay Pools + 340. [365]Customizable Error Messages + 341. [366]My squid.conf from version 1.1 doesn't work! + 342. [367]What is the httpd-accelerator mode? + 343. [368]How do I set it up? + 344. [369]Domain based virtual host support + 345. [370]Sending different requests to different backend web servers + 346. [371]Running the web server on the same server + 347. [372]Load balancing of backend servers + 348. [373]When using an httpd-accelerator, the port number or host name + for redirects or CGI-generated content is wrong + 349. [374]Access to password protected content fails via the reverse + proxy + 350. [375]Mapping different URLs to different backend servers + 351. [376]Clients + 352. [377]Load Balancers + 353. [378]HA Clusters + 354. [379]Logfile Analysis + 355. [380]Configuration Tools + 356. [381]Squid add-ons + 357. [382]Ident Servers + 358. [383]What is DISKD? + 359. [384]Does it perform better? + 360. [385]How do I use it? + 361. [386]FATAL: Unknown cache_dir type 'diskd' + 362. [387]If I use DISKD, do I have to wipe out my current cache? + 363. [388]How do I configure message queues? + 364. [389]How do I configure shared memory? + 365. [390]Sometimes shared memory and message queues aren't released + when Squid exits. + 366. [391]What are the Q1 and Q2 parameters? + 367. [392]What is COSS? + 368. [393]Does it perform better? + 369. [394]How do I use it? + 370. [395]If I use COSS, do I have to wipe out my current cache? + 371. [396]What options are required for COSS? + 372. [397]Are there any other configuration options for COSS? + 373. [398]Examples + 374. [399]How does Proxy Authentication work in Squid? + 375. [400]How do I use authentication in access controls? + 376. [401]How do I ask for authentication of an already authenticated + user? + 377. [402]Does Squid cache authentication lookups? + 378. [403]Are passwords stored in clear text or encrypted? + 379. [404]How do I use the Winbind authenticators? + 380. [405]Can I use different authentication mechanisms together? + 381. [406]Can I use more than one user-database? + 382. [407]References + 383. [408]Other Resources + 384. [409]Neighbor + 385. [410]Regular Expression + 386. [411]Open-access proxies + 387. [412]Mail relaying + 388. [413]Way Too Many Cache Misses + +What is Squid? + + Squid is a high-performance proxy caching server for web clients, + supporting FTP, gopher, and HTTP data objects. Squid handles all + requests in a single, non-blocking, I/O-driven process. + + Squid keeps meta data and especially hot objects cached in RAM, caches + DNS lookups, supports non-blocking DNS lookups, and implements negative + caching of failed requests. + + Squid supports SSL, extensive access controls, and full request + logging. By using the lightweight Internet Cache Protocol, Squid caches + can be arranged in a hierarchy or mesh for additional bandwidth + savings. + + Squid consists of a main server program squid, an optional Domain Name + System lookup program dnsserver (Squid nowadays implements the DNS + protocol on its own by default), some optional programs for rewriting + requests and performing authentication, and some management and client + tools. + + Squid is originally derived from the ARPA-funded [414]Harvest project. + Since then it has gone through many changes and has many new features. + +What is Internet object caching? + + Internet object caching is a way to store requested Internet objects + (i.e., data available via the HTTP, FTP, and gopher protocols) on a + system closer to the requesting site than to the source. Web browsers + can then use the local Squid cache as a proxy HTTP server, reducing + access time as well as bandwidth consumption. + +Why is it called Squid? + + Harris' Lament says, "All the good ones are taken." + + We needed to distinguish this new version from the Harvest cache + software. Squid was the code name for initial development, and it + stuck. + +What is the latest version of Squid? + + At the time of writing (August 2006), [Squid-2.6] is the stable version + and [Squid-3.0] is under development. + + Please see [415]the Squid home page for the most recent versions. + +Who is responsible for Squid? + + Squid is the result of efforts by numerous individuals from the + Internet community. The core team and main contributors list is at + [416]WhoWeAre; a list of our excellent contributors can be seen in + [417]the CONTRIBUTORS file. + +Where can I get Squid? + + You can download Squid via FTP from one of the many worldwide + [418]mirror sites or [419]the primary FTP site. + + Many sushi bars also have Squid. + +What Operating Systems does Squid support? + + The software is designed to operate on any modern system, and is known + to work on at least the following platforms: + * Linux + * FreeBSD + * NetBSD + * OpenBSD + * BSDI + * Mac OS/X + * OSF/Digital Unix/Tru64 + * IRIX + * SunOS/Solaris + * NeXTStep + * SCO Unix + * AIX + * HP-UX + * Microsoft Windows Cygwin and MinGW + * OS/2 + + For more specific information, please see [420]platforms.html. If you + encounter any platform-specific problems, please let us know by + registering an entry in our [421]bug database. If you're curious about + what is the best OS to run Squid, see [422]BestOsForSquid. + +Does Squid run on Windows ? + + Recent versions of Squid will compile and run on Windows NT and later + incarnations with the [423]Cygwin / [424]MinGW packages. + + [425]GuidoSerassio maintains the [426]native Windows port of Squid + (built using the Microsoft toolchain) and is actively working on having + the needed changes integrated into the standard Squid distribution. His + effort is partially based on earlier Windows NT port by Romeo + Anghelache. + + UPDATE: starting from 2.6.STABLE4, Windows MinGW support is available + in the standard Squid distribution. + +What Squid mailing lists are available? + + * + hosts general discussions about the Squid cache software. subscribe + via . Previous + messages are available for browsing at [427]the Squid Users + Archive, and also at [428]theaimsgroup.com. + * squid-users-digest: digested (daily) version of above. Subscribe + via . + * + is a receive-only list for announcements of new versions. Subscribe + via . + * is meant for sending us bug + reports. Bug reports received here are given priority over those + mentioned on squid-users. + * : A closed list for sending us + feed-back and ideas. + * : A closed list for sending us + feed-back, updates, and additions to the Squid FAQ. + +I can't figure out how to unsubscribe from your mailing list. + + All of our mailing lists have "-subscribe" and "-unsubscribe" addresses + that you must use for subscribe and unsubscribe requests. To + unsubscribe from the squid-users list, you send a message to + . + +What other Squid-related documentation is available? + + * [429]The Squid home page for information on the Squid software + * [430]Squid: The Definitive Guide written by Duane Wessels and + published by [431]O'Reilly and Associates January 2004. + * [432]The IRCache Mesh gives information on our operational mesh of + caches. + * [433]The Squid FAQ (uh, you're reading it). + * [434]Oskar's Squid Users Guide. + * [435]Visolve's Configuration Guide. + * Squid documentation in [436]German, [437]Turkish, [438]Italian, + [439]Brazilian Portugese, and another in [440]Brazilian Portugese. + * [441]Squid Programmers Guide. Yeah, its extremely incomplete. I + assure you this is the most recent version. + * [442]Web Caching Resources + * [443]Tutorial on Configuring Hierarchical Squid Caches + * [444]RFC 2186 ICPv2 -- Protocol + * [445]RFC 2187 ICPv2 -- Application + * [446]RFC 1016 + +Does Squid support SSL/HTTPS/TLS? + + As of version 2.5, Squid can terminate SSL connections. This is perhaps + only useful in a surrogate (http accelerator) configuration. You must + run configure with --enable-ssl. See https_port in squid.conf for more + information. + + Squid also supports these encrypted protocols by "tunneling" traffic + between clients and servers. In this case, Squid can relay the + encrypted bits between a client and a server. + + Normally, when your browser comes across an https URL, it does one of + two things: + * - The browser opens an SSL connection directly to the origin + server. + - The browser tunnels the request through Squid with the CONNECT + request method. + + The CONNECT method is a way to tunnel any kind of connection through an + HTTP proxy. The proxy doesn't understand or interpret the contents. It + just passes bytes back and forth between the client and server. For the + gory details on tunnelling and the CONNECT method, please see [447]RFC + 2817 and [448]Tunneling TCP based protocols through Web proxy servers + (expired). + +What's the legal status of Squid? + + Squid is copyrighted by the University of California San Diego. Squid + uses some [449]code developed by others. + + Squid is [450]Free Software, licensed under the terms of the [451]GNU + General Public License. + +Can I pay someone for Squid support? + + Yes. Please see [452]Squid Support Services. You can also [453]donate + money or equipment to members of the squid core team. + +Squid FAQ contributors + + The following people have made contributions to this document: + + Dodjie Nava, Jonathan Larmour, Cord Beermann, Tony Sterrett, Gerard + Hynes, Katayama, Takeo, Duane Wessels, K Claffy, Paul Southworth, Oskar + Pearson, Ong Beng Hui, Torsten Sturm, James R Grinter, Rodney van den + Oever, Kolics Bertold, Carson Gaspar, Michael O'Reilly, Hume Smith, + Richard Ayres, John Saunders, Miquel van Smoorenburg, David J N Begley, + Kevin Sartorelli, Andreas Doering, Mark Visser, tom minchin, Jens-S. + Vckler, Andre Albsmeier, Doug Nazar, Henrik Nordstrom, Mark Reynolds, + Arjan de Vet, Peter Wemm, John Line, Jason Armistead, Chris Tilbury, + Jeff Madison, Mike Batchelor, Bill Bogstad, Radu Greab, F.J. Bosscha, + Brian Feeny, Martin Lyons, David Luyer, Chris Foote, Jens Elkner, Simon + White, Jerry Murdock, Gerard Eviston, Rob Poe, [454]FrancescoChemolli, + [455]ReubenFarrelly + +About This Document + + The Squid FAQ is copyrighted (2006) by The Squid Core Team. + + This FAQ was maintained for a long time as an XML Docbook file. It was + converted to a Wiki in March 2006. The wiki is now the authoritative + version. + +Want to contribute? + + We always welcome help keeping the Squid FAQ up-to-date. If you would + like to help out, please register with this Wiki and type away. Please + also send a note to the wiki operator to inform + him of your changes. + +Which file do I download to get Squid? + + You must download a source archive file of the form squid-x.y.tar.gz or + squid-x.y.tar.bz2 (eg, squid-2.5.STABLE14.tar.bz2). We recommend you + first try one of our [456]mirror sites. + + Alternatively, the main Squid WWW site [457]www.squid-cache.org, and + FTP site [458]ftp.squid-cache.org have these files. + + Context diffs are available for upgrading to new versions. These can be + applied with the patch program (available from [459]the GNU FTP site or + your distribution). + +How do I compile Squid? + + You must run the configure script yourself before running make. We + suggest that you first invoke ./configure --help and make a note of the + configure options you need in order to support the features you intend + to use. Do not compile in features you do not think you will need. + +% tar xzf squid-2.5.RELEASExy.tar.gz +% cd squid-2.5.RELEASExy +% ./configure --with-MYOPTION --with-MYOPTION2 etc +% make + +What kind of compiler do I need? + + To compile Squid, you will need an ANSI C compiler. Almost all modern + Unix systems come with pre-installed compilers which work just fine. + The old SunOS compilers do not have support for ANSI C, and the Sun + compiler for Solaris is a product which must be purchased separately. + + If you are uncertain about your system's C compiler, The GNU C compiler + is widely available and supplied in almost all operating systems. It is + also well tested with Squid. If your OS does not come with GCC you may + download it from [460]the GNU FTP site. In addition to gcc, you may + also want or need to install the binutils package. + +What else do I need to compile Squid? + + You will need [461]Perl installed on your system. + +Do you have pre-compiled binaries available? + + The squid core team members do not have the resources to make + pre-compiled binaries available. Instead, we invest effort into making + the source code very portable. Some contributors have made binary + packages available. Please see our [462]Platforms Page. + * The [463]SGI Freeware site has pre-compiled packages for SGI IRIX. + * Squid binaries for [464]FreeBSD on Alpha and Intel. + * Squid binaries for [465]NetBSD on everything + * Gurkan Sengun has some [466]Sparc/Solaris packages available. + * Squid binaries for [467]Windows. + +How do I apply a patch or a diff? + + You need the patch program. You should probably duplicate the entire + directory structure before applying the patch. For example, if you are + upgrading from squid-2.5STABLE13 to 2.5STABLE14, you would run these + commands: + +cp -rl squid-2.5.STABLE13 squid-2.5.STABLE14 +cd squid-2.5.STABLE14 +zcat /tmp/squid-2.5.STABLE13-STABLE14.diff.gz | patch -p1 + + After the patch has been applied, you must rebuild Squid from the very + beginning, i.e.: +make distclean +./configure [--option --option...] +make +make install + + If your patch program seems to complain or refuses to work, you should + get a more recent version, from the [468]GNU FTP site, for example. + + Ideally you should use the patch command which comes with your OS. + +configure options + + The configure script can take numerous options. The most useful is + --prefix to install it in a different directory. The default + installation directory is /usr/local/squid/. To change the default, you + could do: +% cd squid-x.y.z +% ./configure --prefix=/some/other/directory/squid + + Type +% ./configure --help + + to see all available options. You will need to specify some of these + options to enable or disable certain features. Some options which are + used often include: + +--prefix=PREFIX install architecture-independent files in PREFIX + [/usr/local/squid] +--enable-dlmalloc[=LIB] Compile & use the malloc package by Doug Lea +--enable-gnuregex Compile GNUregex +--enable-splaytree Use SPLAY trees to store ACL lists +--enable-xmalloc-debug Do some simple malloc debugging +--enable-xmalloc-debug-trace + Detailed trace of memory allocations +--enable-xmalloc-statistics + Show malloc statistics in status page +--enable-carp Enable CARP support +--enable-async-io Do ASYNC disk I/O using threads +--enable-icmp Enable ICMP pinging +--enable-delay-pools Enable delay pools to limit bandwith usage +--enable-mem-gen-trace Do trace of memory stuff +--enable-useragent-log Enable logging of User-Agent header +--enable-kill-parent-hack + Kill parent on shutdown +--enable-snmp Enable SNMP monitoring +--enable-cachemgr-hostname[=hostname] + Make cachemgr.cgi default to this host +--enable-arp-acl Enable use of ARP ACL lists (ether address) +--enable-htpc Enable HTCP protocol +--enable-forw-via-db Enable Forw/Via database +--enable-cache-digests Use Cache Digests + see http://www.squid-cache.org/Doc/FAQ/FAQ-16.html +--enable-err-language=lang + Select language for Error pages (see errors dir) + +undefined reference to __inet_ntoa + + by Kevin Sartorelli () and Andreas + Doering (<[doering AT usf DOT uni-kassel DOT de>). + + Probably you've recently installed bind 8.x. There is a mismatch + between the header files and DNS library that Squid has found. There + are a couple of things you can try. + + First, try adding -lbind to XTRA_LIBS in src/Makefile. If -lresolv is + already there, remove it. + + If that doesn't seem to work, edit your arpa/inet.h file and comment + out the following: + +#define inet_addr __inet_addr +#define inet_aton __inet_aton +#define inet_lnaof __inet_lnaof +#define inet_makeaddr __inet_makeaddr +#define inet_neta __inet_neta +#define inet_netof __inet_netof +#define inet_network __inet_network +#define inet_net_ntop __inet_net_ntop +#define inet_net_pton __inet_net_pton +#define inet_ntoa __inet_ntoa +#define inet_pton __inet_pton +#define inet_ntop __inet_ntop +#define inet_nsap_addr __inet_nsap_addr +#define inet_nsap_ntoa __inet_nsap_ntoa + +My platform is BSD/OS or BSDI and I can't compile Squid + +cache_cf.c: In function `parseConfigFile': +cache_cf.c:1353: yacc stack overflow before `token' +... + + You may need to upgrade your gcc installation to a more recent version. + Check your gcc version with +gcc -v + + If it is earlier than 2.7.2, you might consider upgrading. Gcc 2.7.2 is + very old and not widely supported. + +Problems compiling libmiscutil.a on Solaris + + The following error occurs on Solaris systems using gcc when the + Solaris C compiler is not installed: +/usr/bin/rm -f libmiscutil.a +/usr/bin/false r libmiscutil.a rfc1123.o rfc1738.o util.o ... +make[1]: *** [libmiscutil.a] Error 255 +make[1]: Leaving directory `/tmp/squid-1.1.11/lib' +make: *** [all] Error 1 + + Note on the second line the /usr/bin/false. This is supposed to be a + path to the ar program. If configure cannot find ar on your system, + then it substitues false. + + To fix this you either need to: + * Add /usr/ccs/bin to your PATH. This is where the ar command should + be. You need to install SUNWbtool if ar is not there. Otherwise, + * Install the binutils package from [469]the GNU FTP site. This + package includes programs such as ar, as, and ld. + +I have problems compiling Squid on Platform Foo. + + Please check the [470]page of platforms on which Squid is known to + compile. Your problem might be listed there together with a solution. + If it isn't listed there, mail us what you are trying, your Squid + version, and the problems you encounter. + +I see a lot warnings while compiling Squid. + + Warnings are usually not a big concern, and can be common with software + designed to operate on multiple platforms. If you feel like fixing + compile-time warnings, please do so and send us the patches. + +Building Squid on OS/2 + + by Doug Nazar (). + + In order in compile squid, you need to have a reasonable facsimile of a + Unix system installed. This includes bash, make, sed, emx, various file + utilities and a few more. I've setup a TVFS drive that matches a Unix + file system but this probably isn't strictly necessary. + + I made a few modifications to the pristine EMX 0.9d install. + * added defines for strcasecmp() & strncasecmp() to string.h + * changed all occurrences of time_t to signed long instead of + unsigned long + * hacked ld.exe + + to search for both xxxx.a and libxxxx.a + + to produce the correct filename when using the -Zexe option + + You will need to run scripts/convert.configure.to.os2 (in the Squid + source distribution) to modify the configure script so that it can + search for the various programs. + + Next, you need to set a few environment variables (see EMX docs for + meaning): +export EMXOPT="-h256 -c" +export LDFLAGS="-Zexe -Zbin -s" + + Now you are ready to configure squid: +./configure + + Compile everything: +make + + and finally, install: +make install + + This will by default, install into /usr/local/squid. If you wish to + install somewhere else, see the --prefix option for configure. + + Now, don't forget to set EMXOPT before running squid each time. I + recommend using the -Y and -N options. + +Building Squid on Cygwin + + In order to compile squid, you need to have Cygwin fully installed. + + Unpack the source archive as usual and run configure disabling WCCP and + WCCP2 (not available on Windows): +./configure --disable-wccp --disable-wccpv2 + + Compile everything: +make + + and finally, install: +make install + + This will by default, install into /usr/local/squid. If you wish to + install somewhere else, see the --prefix option for configure. + + Now, add a new Cygwin user - see the Cygwin user guide - and map it to + SYSTEM, or create a new NT user, and a matching Cygwin user and they + become the squid runas users. + + Read the squid FAQ on permissions if you are using CYGWIN=ntsec. + + After run squid -z. If that succeeds, try squid -N -D -d1, squid should + start. Check that there are no errors. If everything looks good, try + browsing through squid. + + Now, configure cygrunsrv to run Squid as a service as the chosen + username. You may need to check permissions here. + +Building Squid on MinGW + + In order to compile squid using the MinGW environment, the packages + MSYS, MinGW and msysDTK must be installed. Some additional libraries + and tools must be downloaded separately: + * OpenSSL: [471]Shining Light Productions Win32 OpenSSL + * libcrypt: [472]MinGW packages repository + * db-1.85: [473]TinyCOBOL download area + * uudecode: [474]Native Win32 ports of some GNU utilities + + Unpack the source archive as usual and run configure. The following are + the recommended minimal options for Windows: +./configure --prefix=c:/squid --disable-wccp --disable-wccpv2 --enable-win32-ser +vice --enable-default-hostsfile=none + + Compile everything: +make + + and finally, install: +make install + + This will install into c:\squid. If you wish to install somewhere else, + change the --prefix option for configure. + + After run squid -z. If that succeeds, try squid -N -D -d1, squid should + start. Check that there are no errors. If everything looks good, try + browsing through squid. + + Now, to run Squid as a system service, run squid -n. + + Always check the provided release notes for any version specific + detail. + + Contents + 1. [475]How big of a system do I need to run Squid? + 2. [476]How do I install Squid? + 3. [477]What does the squid.conf file do? + 4. [478]Do you have a squid.conf example? + 5. [479]How do I start Squid? + 6. [480]How do I start Squid automatically when the system boots? + 1. [481]by hand + 2. [482]from inittab + 3. [483]from rc.local + 4. [484]from init.d + 5. [485]with daemontools + 7. [486]How do I tell if Squid is running? + 8. [487]squid command line options + 9. [488]How do I see how Squid works? + 10. [489]Can Squid benefit from SMP systems? + 11. [490]Is it okay to use separate drives for Squid? + 12. [491]Is it okay to use RAID on Squid? + +How big of a system do I need to run Squid? + + There are no hard-and-fast rules. The most important resource for Squid + is physical memory, so put as much in your Squid box as you can. Your + processor does not need to be ultra-fast. We recommend buying whatever + is economical at the time. + + Your disk system will be the major bottleneck, so fast disks are + important for high-volume caches. SCSI disks generally perform better + than ATA, if you can afford them. Serial ATA (SATA) performs somewhere + between the two. Your system disk, and logfile disk can probably be IDE + without losing any cache performance. + + The ratio of memory-to-disk can be important. We recommend that you + have at least 32 MB of RAM for each GB of disk space that you plan to + use for caching. + +How do I install Squid? + + After [492]../CompilingSquid, you can install it with this simple + command: +% make install + + If you have enabled the [493]pinger then you will also want to type +% su +# make install-pinger + + After installing, you will want to edit and customize the squid.conf + file. By default, this file is located at + /usr/local/squid/etc/squid.conf. + + Also, a QUICKSTART guide has been included with the source + distribution. Please see the directory where you unpacked the source + archive. + +What does the squid.conf file do? + + The squid.conf file defines the configuration for squid. the + configuration includes (but not limited to) HTTP port number, the ICP + request port number, incoming and outgoing requests, information about + firewall access, and various timeout information. + +Do you have a squid.conf example? + + Yes, after you make install, a sample squid.conf file will exist in the + etc directory under the Squid installation directory. + + The sample squid.conf file contains comments explaining each option. + +How do I start Squid? + + First you need to check your Squid configuration. The Squid + configuration can be found in /usr/local/squid/etc/squid.conf and + includes documentation on all directives. + + In the Suqid distribution there is a small QUICKSTART guide indicating + which directives you need to look closer at and why. At a absolute + minimum you need to change the http_access configuration to allow + access from your clients. + + To verify your configuration file you can use the -k parse option +% /usr/local/squid/sbin/squid -k parse + + If this outputs any errors then these are syntax errors or other fatal + misconfigurations and needs to be corrected before you continue. If it + is silent and immediately gives back the command promt then your + squid.conf is syntactically correct and could be understood by Squid. + + After you've finished editing the configuration file, you can start + Squid for the first time. The procedure depends a little bit on which + version you are using. + + First, you must create the swap directories. Do this by running Squid + with the -z option: +% /usr/local/squid/sbin/squid -z + + + + If you run Squid as root then you may need to first create + /usr/local/squid/var/logs and your cache_dir directories and assign + ownership of these to the cache_effective_user configured in your + squid.conf + + Once the creation of the cache directories completes, you can start + Squid and try it out. Probably the best thing to do is run it from your + terminal and watch the debugging output. Use this command: +% /usr/local/squid/sbin/squid -NCd1 + + If everything is working okay, you will see the line: +Ready to serve requests. + + If you want to run squid in the background, as a daemon process, just + leave off all options: +% /usr/local/squid/sbin/squid + + + + Depending on which http_port you select you may need to start squid as + root (http_port <1024) + + + + In Squid-2.4 and earlier Squid was installed in bin by default, not + sbin + +How do I start Squid automatically when the system boots? + +by hand + + Squid-2 has a restart feature built in. This greatly simplifies + starting Squid and means that you don't need to use RunCache or + inittab. At the minimum, you only need to enter the pathname to the + Squid executable. For example: +/usr/local/squid/sbin/squid + + Squid will automatically background itself and then spawn a child + process. In your syslog messages file, you should see something like + this: +Sep 23 23:55:58 kitty squid[14616]: Squid Parent: child process 14617 started + + That means that process ID 14563 is the parent process which monitors + the child process (pid 14617). The child process is the one that does + all of the work. The parent process just waits for the child process to + exit. If the child process exits unexpectedly, the parent will + automatically start another child process. In that case, syslog shows: +Sep 23 23:56:02 kitty squid[14616]: Squid Parent: child process 14617 exited wit +h status 1 +Sep 23 23:56:05 kitty squid[14616]: Squid Parent: child process 14619 started + + If there is some problem, and Squid can not start, the parent process + will give up after a while. Your syslog will show: +Sep 23 23:56:12 kitty squid[14616]: Exiting due to repeated, frequent failures + + When this happens you should check your syslog messages and cache.log + file for error messages. + + When you look at a process (ps command) listing, you'll see two squid + processes: +24353 ?? Ss 0:00.00 /usr/local/squid/bin/squid +24354 ?? R 0:03.39 (squid) (squid) + + The first is the parent process, and the child process is the one + called "(squid)". Note that if you accidentally kill the parent + process, the child process will not notice. + + If you want to run Squid from your termainal and prevent it from + backgrounding and spawning a child process, use the -N command line + option. +/usr/local/squid/bin/squid -N + +from inittab + + On systems which have an /etc/inittab file (Digital Unix, Solaris, + IRIX, HP-UX, Linux), you can add a line like this: +sq:3:respawn:/usr/local/squid/sbin/squid.sh < /dev/null >> /tmp/squid.log 2>&1 + + We recommend using a squid.sh shell script, but you could instead call + Squid directly with the -N option and other options you may require. A + sameple squid.sh script is shown below: +#!/bin/sh +C=/usr/local/squid +PATH=/usr/bin:$C/bin +TZ=PST8PDT +export PATH TZ + +# User to notify on restarts +notify="root" + +# Squid command line options +opts="" + +cd $C +umask 022 +sleep 10 +while [ -f /var/run/nosquid ]; do + sleep 1 +done +/usr/bin/tail -20 $C/logs/cache.log \ + | Mail -s "Squid restart on `hostname` at `date`" $notify +exec bin/squid -N $opts + +from rc.local + + On BSD-ish systems, you will need to start Squid from the "rc" files, + usually /etc/rc.local. For example: +if [ -f /usr/local/squid/sbin/squid ]; then + echo -n ' Squid' + /usr/local/squid/sbin/squid +fi + +from init.d + + Squid ships with a init.d type startup script in contrib/squid.rc which + works on most init.d type systems. Or you can write your own using any + normal init.d script found in your system as template and add the + start/stop fragments shown below. + + Start: +/usr/local/squid/sbin/squid + + Stop: +/usr/local/squid/sbin/squid -k shutdown +n=120 +while /usr/local/squid/sbin/squid -k check && [ $n -gt 120 ]; do + sleep 1 + echo -n . + n=`expr $n - 1` +done + +with daemontools + + Create squid service directory, and the log directory (if it does not + exist yet). +mkdir -p /usr/local/squid/supervise/log /var/log/squid +chown squid /var/log/squid + + Then, change to the service directory, +cd /usr/local/squid/supervise + + and create 2 executable scripts: run +#!/bin/sh +rm -f /var/run/squid/squid.pid +exec /usr/local/squid/sbin/squid -N 2>&1 + + and log/run. +#!/bin/sh +exec /usr/local/bin/multilog t /var/log/squid + + Finally, start the squid service by linking it into svscan monitored + area. +cd /service +ln -s /usr/local/squid/supervise squid + + Squid should start within 5 seconds. + +How do I tell if Squid is running? + + You can use the squidclient program: +% squidclient http://www.netscape.com/ > test + + There are other command-line HTTP client programs available as well. + Two that you may find useful are [494]wget and [495]echoping. + + Another way is to use Squid itself to see if it can signal a running + Squid process: +% squid -k check + + And then check the shell's exit status variable. + + Also, check the log files, most importantly the access.log and + cache.log files. + +squid command line options + + These are the command line options for Squid-2: + + -a Specify an alternate port number for incoming HTTP requests. Useful + for testing a configuration file on a non-standard port. + + -d Debugging level for "stderr" messages. If you use this option, then + debugging messages up to the specified level will also be written to + stderr. + + -f Specify an alternate squid.conf file instead of the pathname + compiled into the executable. + + -h Prints the usage and help message. + + -k reconfigure Sends a HUP signal, which causes Squid to re-read its + configuration files. + + -k rotate Sends an USR1 signal, which causes Squid to rotate its log + files. Note, if logfile_rotate is set to zero, Squid still closes and + re-opens all log files. + + -k shutdown Sends a TERM signal, which causes Squid to wait briefly for + current connections to finish and then exit. The amount of time to wait + is specified with shutdown_lifetime. + + -k interrupt Sends an INT signal, which causes Squid to shutdown + immediately, without waiting for current connections. + + -k kill Sends a KILL signal, which causes the Squid process to exit + immediately, without closing any connections or log files. Use this + only as a last resort. + + -k debug Sends an USR2 signal, which causes Squid to generate full + debugging messages until the next USR2 signal is recieved. Obviously + very useful for debugging problems. + + -k check Sends a "ZERO" signal to the Squid process. This simply checks + whether or not the process is actually running. + + -s Send debugging (level 0 only) message to syslog. + + -u Specify an alternate port number for ICP messages. Useful for + testing a configuration file on a non-standard port. + + -v Prints the Squid version. + + -z Creates disk swap directories. You must use this option when + installing Squid for the first time, or when you add or modify the + cache_dir configuration. + + -D Do not make initial DNS tests. Normally, Squid looks up some + well-known DNS hostnames to ensure that your DNS name resolution + service is working properly. + + -F If the swap.state logs are clean, then the cache is rebuilt in the + "foreground" before any requests are served. This will decrease the + time required to rebuild the cache, but HTTP requests will not be + satisified during this time. + + -N Do not automatically become a background daemon process. + + -R Do not set the SO_REUSEADDR option on sockets. + + -V Enable virtual host support for the httpd-accelerator mode. This is + identical to writing httpd_accel_host virtual in the config file. + + -X Enable full debugging while parsing the config file. + + -Y Return ICP_OP_MISS_NOFETCH instead of ICP_OP_MISS while the + swap.state file is being read. If your cache has mostly child caches + which use ICP, this will allow your cache to rebuild faster. + +How do I see how Squid works? + + * Check the cache.log file in your logs directory. It logs + interesting (and boring) things as a part of its normal operation. + * Install and use the [496]../CacheManager. + +Can Squid benefit from SMP systems? + + Squid is a single process application and can not make use of SMP. If + you want to make Squid benefit from a SMP system you will need to run + multiple instances of Squid and find a way to distribute your users on + the different Squid instances just as if you had multiple Squid boxes. + + Having two CPUs is indeed nice for running other CPU intensive tasks on + the same server as the proxy, such as if you have a lot of logs and + need to run various statistics collections during peak hours. + + The authentication and group helpers barely use any CPU and does not + benefit from dual-CPU configuration. + +Is it okay to use separate drives for Squid? + + Yes. Running Squid on separate drives to that which your OS is running + is often a very good idea. + + Generally seek time is what you want to optimize for Squid, or more + precisely the total amount of seeks/s your system can sustain. This is + why it is better to have your cache_dir spread over multiple smaller + disks than one huge drive (especially with SCSI). + + If your system is very I/O bound, you will want to have both your OS + and log directories running on separate drives. + +Is it okay to use RAID on Squid? + + We generally recommend you do not run RAID on the Squid disks + especially those on which your cache content is stored. + + If you must use RAID: + + RAID1 suffers a very slight degradation in write performance but slight + improvement in read performance, and you may find it better use of + resources to run two separate drives and have double the disk cache + space. Cache data is not usually considered critical so generally there + is little point in running squid on a RAID1 array. However as pointed + out above it may make sense to run your O/S in a RAID-1 configuration. + + RAID0 (striping) with Squid only gives you the drawback that if you + lose one of the drives the whole stripe set is lost. There is no + benefit in performance as Squid already distributes the load on the + drives quite nicely. It is better to configure multiple separate drives + with a separate cache_dir entrie for each one than one RAID0 partition. + + Squid is the worst case application for RAID5, whether hardware or + software, and will absolutely kill the performance of a RAID5. Once the + cache has been filled Squid uses a lot of small random writes which the + worst case workload for RAID5, effectively reducing write speed to only + little more than that of one single drive. + __________________________________________________________________ + + Include: Nothing found for "^Back to the"! + + Contents + 1. [497]How do I join a cache hierarchy? + 2. [498]How do I join NLANR's cache hierarchy? + 3. [499]Why should I want to join NLANR's cache hierarchy? + 4. [500]How do I register my cache with NLANR's registration service? + 5. [501]How do I find other caches close to me and arrange + parent/child/sibling relationships with them? + 6. [502]My cache registration is not appearing in the Tracker + database. + 7. [503]What is the httpd-accelerator mode? + 8. [504]How do I configure Squid to work behind a firewall? + 9. [505]How do I configure Squid forward all requests to another + proxy? + 10. [506]I have "dnsserver" processes that aren't being used, should I + lower the number in "squid.conf"? + 11. [507]My ''dnsserver'' average/median service time seems high, how + can I reduce it? + 12. [508]How can I easily change the default HTTP port? + 13. [509]Is it possible to control how big each ''cache_dir'' is? + 14. [510]What ''cache_dir'' size should I use? + 15. [511]I'm adding a new cache_dir. Will I lose my cache? + 16. [512]Squid and http-gw from the TIS toolkit. + 1. [513]Firewall configuration + 2. [514]Squid configuration + 17. [515]What is "HTTP_X_FORWARDED_FOR"? Why does squid provide it to + WWW servers, and how can I stop it? + 18. [516]Can Squid anonymize HTTP requests? + 1. [517]Squid 2.2 + 19. [518]Can I make Squid go direct for some sites? + 20. [519]Can I make Squid proxy only, without caching anything? + 21. [520]Can I prevent users from downloading large files? + +How do I join a cache hierarchy? + + To place your cache in a hierarchy, use the cache_peer directive in + squid.conf to specify the parent and sibling nodes. + + For example, the following squid.conf file on childcache.example.com + configures its cache to retrieve data from one parent cache and two + sibling caches: + +# squid.conf - On the host: childcache.example.com +# +# Format is: hostname type http_port udp_port +# +cache_peer parentcache.example.com parent 3128 3130 +cache_peer childcache2.example.com sibling 3128 3130 +cache_peer childcache3.example.com sibling 3128 3130 + + The cache_peer_domain directive allows you to specify that certain + caches siblings or parents for certain domains: + +# squid.conf - On the host: sv.cache.nlanr.net +# +# Format is: hostname type http_port udp_port +# +cache_peer electraglide.geog.unsw.edu.au parent 3128 3130 +cache_peer cache1.nzgate.net.nz parent 3128 3130 +cache_peer pb.cache.nlanr.net parent 3128 3130 +cache_peer it.cache.nlanr.net parent 3128 3130 +cache_peer sd.cache.nlanr.net parent 3128 3130 +cache_peer uc.cache.nlanr.net sibling 3128 3130 +cache_peer bo.cache.nlanr.net sibling 3128 3130 +cache_peer_domain electraglide.geog.unsw.edu.au .au +cache_peer_domain cache1.nzgate.net.nz .au .aq .fj .nz +cache_peer_domain pb.cache.nlanr.net .uk .de .fr .no .se .it +cache_peer_domain it.cache.nlanr.net .uk .de .fr .no .se .it +cache_peer_domain sd.cache.nlanr.net .mx .za .mu .zm + + The configuration above indicates that the cache will use + pb.cache.nlanr.net and it.cache.nlanr.net for domains uk, de, fr, no, + se and it, sd.cache.nlanr.net for domains mx, za, mu and zm, and + cache1.nzgate.net.nz for domains au, aq, fj, and nz. + +How do I join NLANR's cache hierarchy? + + We have a simple set of [521]guidelines for joining the NLANR cache + hierarchy. + +Why should I want to join NLANR's cache hierarchy? + + The NLANR hierarchy can provide you with an initial source for parent + or sibling caches. Joining the NLANR global cache system will + frequently improve the performance of your caching service. + +How do I register my cache with NLANR's registration service? + + Just enable these options in your squid.conf and you'll be registered: + +cache_announce 24 +announce_to sd.cache.nlanr.net:3131 + + + + Announcing your cache is not the same thing as joining the NLANR cache + hierarchy. You can join the NLANR cache hierarchy without registering, + and you can register without joining the NLANR cache hierarchy + +How do I find other caches close to me and arrange parent/child/sibling +relationships with them? + + Visit the NLANR cache [522]registration database to discover other + caches near you. Keep in mind that just because a cache is registered + in the database does not mean they are willing to be your + parent/sibling/child. But it can't hurt to ask... + +My cache registration is not appearing in the Tracker database. + + * Your site will not be listed if your cache IP address does not have + a DNS PTR record. If we can't map the IP address back to a domain + name, it will be listed as "Unknown." + * The registration messages are sent with UDP. We may not be + receiving your announcement message due to firewalls which block + UDP, or dropped packets due to congestion. + +What is the httpd-accelerator mode? + + This entry has been moved to its own [523]../ReverseProxy page. + +How do I configure Squid to work behind a firewall? + + If you are behind a firewall then you can't make direct connections to + the outside world, so you must use a parent cache. Normally Squid tries + to be smart and only uses cache peers when it makes sense from a + perspective of global hit ratio, and thus you need to tell Squid when + it can not go direct and must use a parent proxy even if it knows the + request will be a cache miss. + + You can use the never_direct access list in squid.conf to specify which + requests must be forwarded to your parent cache outside the firewall, + and the always_direct access list to specify which requests must not be + forwarded. For example, if Squid must connect directly to all servers + that end with mydomain.com, but must use the parent for all others, you + would write: + +acl INSIDE dstdomain .mydomain.com +always_direct allow INSIDE +never_direct allow all + + You could also specify internal servers by IP address + +acl INSIDE_IP dst 1.2.3.0/24 +always_direct allow INSIDE_IP +never_direct allow all + + Note, however that when you use IP addresses, Squid must perform a DNS + lookup to convert URL hostnames to an address. Your internal DNS + servers may not be able to lookup external domains. + + If you use never_direct and you have multiple parent caches, then you + probably will want to mark one of them as a default choice in case + Squid can't decide which one to use. That is done with the default + keyword on a cache_peer line. For example: + +cache_peer xyz.mydomain.com parent 3128 0 no-query default + +How do I configure Squid forward all requests to another proxy? + + First, you need to give Squid a parent cache. Second, you need to tell + Squid it can not connect directly to origin servers. This is done with + three configuration file lines: + +cache_peer parentcache.foo.com parent 3128 0 no-query default +acl all src 0.0.0.0/0.0.0.0 +never_direct allow all + + Note, with this configuration, if the parent cache fails or becomes + unreachable, then every request will result in an error message. + + In case you want to be able to use direct connections when all the + parents go down you should use a different approach: + +cache_peer parentcache.foo.com parent 3128 0 no-query +prefer_direct off + + The default behaviour of Squid in the absence of positive ICP, HTCP, + etc replies is to connect to the origin server instead of using + parents. The prefer_direct off directive tells Squid to try parents + first. + +I have "dnsserver" processes that aren't being used, should I lower the +number in "squid.conf"? + + The dnsserver processes are used by squid because the gethostbyname(3) + library routines used to convert web sites names to their internet + addresses blocks until the function returns (i.e., the process that + calls it has to wait for a reply). Since there is only one squid + process, everyone who uses the cache would have to wait each time the + routine was called. This is why the dnsserver is a separate process, so + that these processes can block, without causing blocking in squid. + + It's very important that there are enough dnsserver processes to cope + with every access you will need, otherwise squid will stop + occasionally. A good rule of thumb is to make sure you have at least + the maximum number of dnsservers squid has ever needed on your system, + and probably add two to be on the safe side. In other words, if you + have only ever seen at most three dnsserver processes in use, make at + least five. Remember that a dnsserver is small and, if unused, will be + swapped out. + +My ''dnsserver'' average/median service time seems high, how can I reduce it? + + First, find out if you have enough dnsserver processes running by + looking at the [524]../CacheManager dns output. Ideally, you should see + that the first dnsserver handles a lot of requests, the second one less + than the first, etc. The last dnsserver should have serviced relatively + few requests. If there is not an obvious decreasing trend, then you + need to increase the number of dns_children in the configuration file. + If the last dnsserver has zero requests, then you definately have + enough. + + Another factor which affects the dnsserver service time is the + proximity of your DNS resolver. Normally we do not recommend running + Squid and named on the same host. Instead you should try use a DNS + resolver (named) on a different host, but on the same LAN. If your DNS + traffic must pass through one or more routers, this could be causing + unnecessary delays. + +How can I easily change the default HTTP port? + + Before you run the configure script, simply set the CACHE_HTTP_PORT + environment variable. + +setenv CACHE_HTTP_PORT 8080 +./configure +make +make install + +Is it possible to control how big each ''cache_dir'' is? + + With Squid-1.1 it is NOT possible. Each cache_dir is assumed to be the + same size. The cache_swap setting defines the size of all cache_dirs + taken together. If you have N cache_dirs then each one will hold + cache_swap / N Megabytes. + +What ''cache_dir'' size should I use? + + This chapter assumes that you are dedicating an entire disk partition + to a squid cache_dir, as is often the case. + + Generally speaking, setting the cache_dir to be the same size as the + disk partition is not a wise choice, for two reasons. The first is that + squid is not very tolerant to running out of disk space. On top of the + cache_dir size, squid will use some extra space for swap.state and then + some more temporary storage as work-areas, for instance when rebuilding + swap.state. So in any case make sure to leave some extra room for this, + or your cache will enter an endless crash-restart cycle. + + The second reason is fragmentation (note, this won't apply to the COSS + object storage engine - when it will be ready): filesystems can only do + so much to avoid fragmentation, and in order to be effective they need + to have the space to try and optimize file placement. If the disk is + full, optimization is very hard, and when the disk is 100% full + optimizing is plain impossible. Get your disk fragmented, and it will + most likely be your worst bottleneck, by far offsetting the modest gain + you got by having more storage. + + Let's see an example: you have a 9Gb disk (these times they're even + hard to find..). First thing, manifacturers often lie about disk + capacity (the whole Megabyte vs Mebibyte issue), and then the OS needs + some space for its accounting structures, so you'll reasonably end up + with 8Gib of useable space. You then have to account for another 10% in + overhead for Squid, and then the space needed for keeping fragmentation + at bay. So in the end the recommended cache_dir setting is 6000 to 7000 + Mebibyte. + +cache_dir ... 7000 16 256 + + Its better to start out with a conservative setting and then, after the + cache has been filled, look at the disk usage. If you think there is + plenty of unused space, then increase the cache_dir setting a little. + + If you're getting "disk full" write errors, then you definately need to + decrease your cache size. + +I'm adding a new cache_dir. Will I lose my cache? + + With Squid-2, you will not lose your existing cache. You can add and + delete cache_dirs without affecting any of the others. + +Squid and http-gw from the TIS toolkit. + + Several people on both the fwtk-users and the squid-users mailing asked + about using Squid in combination with http-gw from the [525]TIS + toolkit. The most elegant way in my opinion is to run an internal Squid + caching proxyserver which handles client requests and let this server + forward it's requests to the http-gw running on the firewall. Cache + hits won't need to be handled by the firewall. + + In this example Squid runs on the same server as the http-gw, Squid + uses 8000 and http-gw uses 8080 (web). The local domain is home.nl. + +Firewall configuration + + Either run http-gw as a daemon from the /etc/rc.d/rc.local (Linux + Slackware): + + + or run it from inetd like this: + +web stream tcp nowait.100 root /usr/local/fwtk/http-gw http-gw + + I increased the watermark to 100 because a lot of people run into + problems with the default value. + + Make sure you have at least the following line in + /usr/local/etc/netperm-table: + + + You could add the IP-address of your own workstation to this rule and + make sure the http-gw by itself works, like: + +http-gw: hosts 127.0.0.1 10.0.0.1 + +Squid configuration + + The following settings are important: + +http_port 8000 +icp_port 0 +cache_peer localhost.home.nl parent 8080 0 default +acl HOME dstdomain .home.nl +alwayws_direct allow HOME +never_direct allow all + + This tells Squid to use the parent for all domains other than home.nl. + Below, access.log entries show what happens if you do a reload on the + Squid-homepage: + + + http-gw entries in syslog: + +Aug 28 02:46:00 memo http-gw[2052]: permit host=localhost/127.0.0.1 use of gatew +ay (V2.0beta) +Aug 28 02:46:00 memo http-gw[2052]: log host=localhost/127.0.0.1 protocol=HTTP c +md=dir dest=www.squid-cache.org path=/ +Aug 28 02:46:01 memo http-gw[2052]: exit host=localhost/127.0.0.1 cmds=1 in=0 ou +t=0 user=unauth duration=1 +Aug 28 02:46:01 memo http-gw[2053]: permit host=localhost/127.0.0.1 use of gatew +ay (V2.0beta) +Aug 28 02:46:01 memo http-gw[2053]: log host=localhost/127.0.0.1 protocol=HTTP c +md=get dest=www.squid-cache.org path=/Icons/Squidlogo2.gif +Aug 28 02:46:01 memo http-gw[2054]: permit host=localhost/127.0.0.1 use of gatew +ay (V2.0beta) +Aug 28 02:46:01 memo http-gw[2054]: log host=localhost/127.0.0.1 protocol=HTTP c +md=get dest=www.squid-cache.org path=/Icons/squidnow.gif +Aug 28 02:46:01 memo http-gw[2055]: permit host=localhost/127.0.0.1 use of gatew +ay (V2.0beta) +Aug 28 02:46:01 memo http-gw[2055]: log host=localhost/127.0.0.1 protocol=HTTP c +md=get dest=www.nlanr.net path=/Images/cache_now.gif +Aug 28 02:46:02 memo http-gw[2055]: exit host=localhost/127.0.0.1 cmds=1 in=0 ou +t=0 user=unauth duration=1 +Aug 28 02:46:03 memo http-gw[2053]: exit host=localhost/127.0.0.1 cmds=1 in=0 ou +t=0 user=unauth duration=2 +Aug 28 02:46:04 memo http-gw[2054]: exit host=localhost/127.0.0.1 cmds=1 in=0 ou +t=0 user=unauth duration=3 + + To summarize: + + Advantages: + * http-gw allows you to selectively block ActiveX and Java, and it's + primary design goal is security. + * The firewall doesn't need to run large applications like Squid. + * The internal Squid-server still gives you the benefit of caching. + + Disadvantages: + * The internal Squid proxyserver can't (and shouldn't) work with + other parent or neighbor caches. + * Initial requests are slower because these go through http-gw, + http-gw also does reverse lookups. Run a nameserver on the firewall + or use an internal nameserver. + + (contributed by [526]Rodney van den Oever) + +What is "HTTP_X_FORWARDED_FOR"? Why does squid provide it to WWW servers, and +how can I stop it? + + When a proxy-cache is used, a server does not see the connection coming + from the originating client. Many people like to implement access + controls based on the client address. To accommodate these people, + Squid adds its own request header called "X-Forwarded-For" which looks + like this: + +X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30 + + Entries are always IP addresses, or the word unknown if the address + could not be determined or if it has been disabled with the + forwarded_for configuration option. + + We must note that access controls based on this header are extremely + weak and simple to fake. Anyone may hand-enter a request with any IP + address whatsoever. This is perhaps the reason why client IP addresses + have been omitted from the HTTP/1.1 specification. + + Because of the weakness of this header, support for access controls + based on X-Forwarded-For is not yet available in any officially + released version of squid. However, unofficial patches are available + from the [527]follow_xff Squid development project and may be + integrated into later versions of Squid once a suitable trust model + have been developed. + +Can Squid anonymize HTTP requests? + + Yes it can, however the way of doing it has changed from earlier + versions of squid. As of squid-2.2 a more customisable method has been + introduced. Please follow the instructions for the version of squid + that you are using. As a default, no anonymizing is done. + + If you choose to use the anonymizer you might wish to investigate the + forwarded_for option to prevent the client address being disclosed. + Failure to turn off the forwarded_for option will reduce the + effectiveness of the anonymizer. Finally if you filter the User-Agent + header using the fake_user_agent option can prevent some user problems + as some sites require the User-Agent header. + +Squid 2.2 + + With the introduction of squid 2.2 the anonoymizer has become more + customisable. It now allows specification of exactly which headers will + be allowed to pass. This is further extended in Squid-2.5 to allow + headers to be anonymized conditionally. + + For details see the documentation of the http_header_access and + header_replace directives in squid.conf.default. + + References: [528]Anonymous WWW + +Can I make Squid go direct for some sites? + + Sure, just use the always_direct access list. + + For example, if you want Squid to connect directly to hotmail.com + servers, you can use these lines in your config file: + + +Can I make Squid proxy only, without caching anything? + + Sure, there are few things you can do. + + You can use the no_cache access list to make Squid never cache any + response: + + + With Squid-2.4 and later you can use the "null" storage module to avoid + having a cache directory: + +cache_dir null /tmp + + Note: a null cache_dir does not disable caching, but it does save you + from creating a cache structure if you have disabled caching with + no_cache. + + Note: the directory (e.g., /tmp) must exist so that squid can chdir to + it, unless you also use the coredump_dir option. + + To configure Squid for the "null" storage module, specify it on the + configure command line: + + +Can I prevent users from downloading large files? + + You can set the global reply_body_max_size parameter. This option + controls the largest HTTP message body that will be sent to a cache + client for one request. + + If the HTTP response coming from the server has a Content-length + header, then Squid compares the content-length value to the + reply_body_max_size value. If the content-length is larger,the server + connection is closed and the user receives an error message from Squid. + + Some responses don't have Content-length headers. In this case, Squid + counts how many bytes are written to the client. Once the limit is + reached, the client's connection is simply closed. + + Note that "creative" user-agents will still be able to download really + large files through the cache using HTTP/1.1 range requests. + __________________________________________________________________ + + * Back to the [529]SquidFaq + + Contents + 1. [530]Communication between browsers and Squid + 2. [531]Manual Browser Configuration + 3. [532]Firefox and Thunderbird manual configuration + 4. [533]Microsoft Internet Explorer manual configuration + 5. [534]Netscape manual configuration + 6. [535]Lynx and Mosaic manual configuration + 7. [536]Opera 2.12 manual configuration + 8. [537]Netmanage Internet Chameleon WebSurfer manual configuration + 9. [538]Partially Automatic Configuration + 10. [539]Netscape automatic configuration + 11. [540]Microsoft Internet Explorer + 12. [541]Fully Automatically Configuring Browsers for WPAD + 13. [542]Fully Automatically Configuring Browsers for WPAD with DHCP + 14. [543]Redundant Proxy Auto-Configuration + 15. [544]Proxy Auto-Configuration with URL Hashing + 16. [545]How do I tell Squid to use a specific username for FTP urls? + 17. [546]IE 5.0x crops trailing slashes from FTP URL's + 18. [547]IE 6.0 SP1 fails when using authentication + +Communication between browsers and Squid + + Most web browsers available today support proxying and are easily + configured to use a Squid server as a proxy. Some browsers support + advanced features such as lists of domains or URL patterns that + shouldn't be fetched through the proxy, or JavaScript automatic proxy + configuration. + + There are three ways to configure browsers to use Squid. The first + method involves manually configuring the proxy in each browser. + Alternatively, a proxy.pac file can be manually entered into each + browser so that it will download the proxy settings (partial auto + configuration), and lastly all modern browsers can also and indeed are + configured by default to fully automatically configure themselves if + the network is configured to support this. + +Manual Browser Configuration + + This involves manually specifying the proxy server and port name in + each browser. + +Firefox and Thunderbird manual configuration + + Both Firefox and Thunderbird are configured in the same way. Look in + the Tools menu, Options, General and then Connection Settings. The + options in there are fairly self explanatory. Firefox and Thunderbird + support manually specifying the proxy server, automatically downloading + a wpad.dat file from a specified source, and additionally wpad + auto-detection. + + Thunderbird uses these settings for downloading HTTP images in emails. + + In both cases if you are manually configuring proxies, make sure you + should add relevant statements for your network in the "No Proxy For" + boxes. + +Microsoft Internet Explorer manual configuration + + Select Options from the View menu. Click on the Connection tab. Tick + the Connect through Proxy Server option and hit the Proxy Settings + button. For each protocol that your Squid server supports (by default, + HTTP, FTP, and gopher) enter the Squid server's hostname or IP address + and put the HTTP port number for the Squid server (by default, 3128) in + the Port column. For any protocols that your Squid does not support, + leave the fields blank. + +Netscape manual configuration + + Select Network Preferences from the Options menu. On the Proxies page, + click the radio button next to Manual Proxy Configuration and then + click on the View button. For each protocol that your Squid server + supports (by default, HTTP, FTP, and gopher) enter the Squid server's + hostname or IP address and put the HTTP port number for the Squid + server (by default, 3128) in the Port column. For any protocols that + your Squid does not support, leave the fields blank. + +Lynx and Mosaic manual configuration + + For Mosaic and Lynx, you can set environment variables before starting + the application. For example (assuming csh or tcsh): + +% setenv http_proxy http://mycache.example.com:3128/ +% setenv gopher_proxy http://mycache.example.com:3128/ +% setenv ftp_proxy http://mycache.example.com:3128/ + + For Lynx you can also edit the lynx.cfg file to configure proxy usage. + This has the added benefit of causing all Lynx users on a system to + access the proxy without making environment variable changes for each + user. For example: +http_proxy:http://mycache.example.com:3128/ +ftp_proxy:http://mycache.example.com:3128/ +gopher_proxy:http://mycache.example.com:3128/ + +Opera 2.12 manual configuration + + by Hume Smith + + Select Proxy Servers... from the Preferences menu. Check each protocol + that your Squid server supports (by default, HTTP, FTP, and Gopher) and + enter the Squid server's address as hostname:port (e.g. + mycache.example.com:3128 or 123.45.67.89:3128). Click on Okay to accept + the setup. + + Notes: + * Opera 2.12 doesn't support gopher on its own, but requires a proxy; + therefore Squid's gopher proxying can extend the utility of your + Opera immensely. + * Unfortunately, Opera 2.12 chokes on some HTTP requests, for example + [548]abuse.net. + + At the moment I think it has something to do with cookies. If you have + trouble with a site, try disabling the HTTP proxying by unchecking that + protocol in the Preferences|Proxy Servers... dialogue. Opera will + remember the address, so reenabling is easy. + +Netmanage Internet Chameleon WebSurfer manual configuration + + Netmanage WebSurfer supports manual proxy configuration and exclusion + lists for hosts or domains that should not be fetched via proxy (this + information is current as of WebSurfer 5.0). Select Preferences from + the Settings menu. Click on the Proxies tab. Select the Use Proxy + options for HTTP, FTP, and gopher. For each protocol that enter the + Squid server's hostname or IP address and put the HTTP port number for + the Squid server (by default, 3128) in the Port boxes. For any + protocols that your Squid does not support, leave the fields blank. + + On the same configuration window, you'll find a button to bring up the + exclusion list dialog box, which will let you enter some hosts or + domains that you don't want fetched via proxy. + +Partially Automatic Configuration + + This involves the browser being preconfigured with the location of an + autoconfiguration script. + +Netscape automatic configuration + + Netscape Navigator's proxy configuration can be automated with + JavaScript (for Navigator versions 2.0 or higher). Select Network + Preferences from the Options menu. On the Proxies page, click the radio + button next to Automatic Proxy Configuration and then fill in the URL + for your JavaScript proxy configuration file in the text box. The box + is too small, but the text will scroll to the r8ight as you go. + + You may also wish to consult Netscape's documentation for the Navigator + [549]JavaScript proxy configuration + + Here is a sample auto configuration file from Oskar Pearson (link to + save at the bottom): +//We (www.is.co.za) run a central cache for our customers that they +//access through a firewall - thus if they want to connect to their intranet +//system (or anything in their domain at all) they have to connect +//directly - hence all the "fiddling" to see if they are trying to connect +//to their local domain. +// +//Replace each occurrence of company.com with your domain name +//and if you have some kind of intranet system, make sure +//that you put it's name in place of "internal" below. +// +//We also assume that your cache is called "cache.company.com", and +//that it runs on port 8080. Change it down at the bottom. +// +//(C) Oskar Pearson and the Internet Solution (http://www.is.co.za) + +function FindProxyForURL(url, host) +{ + //If they have only specified a hostname, go directly. + if (isPlainHostName(host)) + return "DIRECT"; + + //These connect directly if the machine they are trying to + //connect to starts with "intranet" - ie http://intranet + //Connect directly if it is intranet.* + //If you have another machine that you want them to + //access directly, replace "internal*" with that + //machine's name + if (shExpMatch( host, "intranet*")|| + shExpMatch(host, "internal*")) + return "DIRECT"; + + //Connect directly to our domains (NB for Important News) + if (dnsDomainIs( host,"company.com")|| + //If you have another domain that you wish to connect to + //directly, put it in here + dnsDomainIs(host,"sistercompany.com")) + return "DIRECT"; + + //So the error message "no such host" will appear through the + //normal Netscape box - less support queries :) + if (!isResolvable(host)) + return "DIRECT"; + + //We only cache http, ftp and gopher + if (url.substring(0, 5) == "http:" || + url.substring(0, 4) == "ftp:"|| + url.substring(0, 7) == "gopher:") + + //Change the ":8080" to the port that your cache + //runs on, and "cache.company.com" to the machine that + //you run the cache on + return "PROXY cache.company.com:8080; DIRECT"; + + //We don't cache WAIS + if (url.substring(0, 5) == "wais:") + return "DIRECT"; + + else + return "DIRECT"; +} + + [550]sample1.pac.txt + +Microsoft Internet Explorer + + Microsoft Internet Explorer, versions 4.0 and above, supports + JavaScript automatic proxy configuration in a Netscape-compatible way. + Just select Options from the View menu. Click on the Advanced tab. In + the lower left-hand corner, click on the Automatic Configuration + button. Fill in the URL for your JavaScript file in the dialog box it + presents you. Then exit MSIE and restart it for the changes to take + effect. MSIE will reload the JavaScript file every time it starts. + +Fully Automatically Configuring Browsers for WPAD + + by Mark Reynolds + + You may like to start by reading the [551]Expired Internet-Draft that + describes WPAD. + + After reading the 8 steps below, if you don't understand any of the + terms or methods mentioned, you probably shouldn't be doing this. + Implementing wpad requires you to fully understand: + * web server installations and modifications. + * squid proxy server (or others) installation etc. + * Domain Name System maintenance etc. + + + + Please don't bombard the squid list with web server or DNS questions. + See your system administrator, or do some more research on those + topics. + + This is not a recommendation for any product or version. All major + browsers out now implementing WPAD. I think WPAD is an excellent + feature that will return several hours of life per month. + + I have only focused on the domain name method, to the exclusion of the + DHCP method. I think the dns method might be easier for most people. I + don't currently, and may never, fully understand wpad and IE5, but this + method worked for me. It may work for you. + + But if you'd rather just have a go ... + + Create a standard Netscape auto proxy config file. The sample provided + above is more than adequate to get you going. No doubt all the other + load balancing and backup scripts will be fine also. + + Store the resultant file in the document root directory of a handy web + server as wpad.dat (Not proxy.pac as you may have previously done.) + Andrei Ivanov notes that you should be able to use an HTTP redirect if + you want to store the wpad.dat file somewhere else. You can probably + even redirect wpad.dat to proxy.pac: + +Redirect /wpad.dat http://racoon.riga.lv/proxy.pac + + If you do nothing more, a URL like + [552]http://www.your.domain.name/wpad.dat should bring up the script + text in your browser window. + + Insert the following entry into your web server mime.types file. Maybe + in addition to your pac file type, if you've done this before. +application/x-ns-proxy-autoconfig dat + + And then restart your web server, for new mime type to work. + + Assuming Internet Explorer 5, under Tools, Internet Options, + Connections, Settings or Lan Settings, set ONLY Use Automatic + Configuration Script to be the URL for where your new wpad.dat file can + be found. i.e. [553]http://www.your.domain.name/wpad.dat. Test that + that all works as per your script and network. There's no point + continuing until this works ... + + Create/install/implement a DNS record so that wpad.your.domain.name + resolves to the host above where you have a functioning auto config + script running. You should now be able to use + [554]http://wpad.your.domain.name/wpad.dat as the Auto Config Script + location in step 5 above. + + And finally, go back to the setup screen detailed in 5 above, and + choose nothing but the Automatically Detect Settings option, turning + everything else off. Best to restart IE5, as you normally do with any + Microsoft product... And it should all work. Did for me anyway. + + One final question might be "Which domain name does the client (IE5) + use for the wpad... lookup?" It uses the hostname from the control + panel setting. It starts the search by adding the hostname wpad to + current fully-qualified domain name. For instance, a client in + a.b.Microsoft.com would search for a WPAD server at + wpad.a.b.microsoft.com. If it could not locate one, it would remove the + bottom-most domain and try again; for instance, it would try + wpad.b.microsoft.com next. IE 5 would stop searching when it found a + WPAD server or reached the third-level domain, wpad.microsoft.com. + + Anybody using these steps to install and test, please feel free to make + notes, corrections or additions for improvements, and post back to the + squid list... + + There are probably many more tricks and tips which hopefully will be + detailed here in the future. Things like wpad.dat files being served + from the proxy server themselves, maybe with a round robin dns setup + for the WPAD host. + +Fully Automatically Configuring Browsers for WPAD with DHCP + + You can also use DHCP to configure browsers for WPAD. This technique + allows you to set any URL as the PAC URL. For ISC DHCPD, enter a line + like this in your dhcpd.conf file: +option wpad code 252 = text; +option wpad "http://www.example.com/proxy.pac"; + + Replace the hostname with the name or address of your own server. + + Ilja Pavkovic notes that the DHCP mode does not work reliably with + every version of Internet Explorer. The DNS name method to find + wpad.dat is more reliable. + + Another user adds that IE 6.01 seems to strip the last character from + the URL. By adding a trailing newline, he is able to make it work with + both IE 5.0 and 6.0: +option wpad "http://www.example.com/proxy.pac\n"; + +Redundant Proxy Auto-Configuration + + by Rodney van den Oever + + There's one nasty side-effect to using auto-proxy scripts: if you start + the web browser it will try and load the auto-proxy-script. + + If your script isn't available either because the web server hosting + the script is down or your workstation can't reach the web server (e.g. + because you're working off-line with your notebook and just want to + read a previously saved HTML-file) you'll get different errors + depending on the browser you use. + + The Netscape browser will just return an error after a timeout (after + that it tries to find the site 'www.proxy.com' if the script you use is + called 'proxy.pac'). + + The Microsoft Internet Explorer on the other hand won't even start, no + window displays, only after about 1 minute it'll display a window + asking you to go on with/without proxy configuration. + + The point is that your workstations always need to locate the + proxy-script. I created some extra redundancy by hosting the script on + two web servers (actually Apache web servers on the proxy servers + themselves) and adding the following records to my primary nameserver: +proxy IN A 10.0.0.1 ; IP address of proxy1 + IN A 10.0.0.2 ; IP address of proxy2 + + The clients just refer to '[555]http://proxy/proxy.pac'. This script + looks like this: +function FindProxyForURL(url,host) +{ +// Hostname without domainname or host within our own domain? +// Try them directly: +// http://www.domain.com actually lives before the firewall, so +// make an exception: +if ((isPlainHostName(host)||dnsDomainIs( host,".domain.com")) && + !localHostOrDomainIs(host, "www.domain.com")) + return "DIRECT"; + +// First try proxy1 then proxy2. One server mostly caches '.com' +// to make sure both servers are not +// caching the same data in the normal situation. The other +// server caches the other domains normally. +// If one of 'm is down the client will try the other server. +else if (shExpMatch(host, "*.com")) + return "PROXY proxy1.domain.com:8080; PROXY proxy2.domain.com:8081; DIRE +CT"; +return "PROXY proxy2.domain.com:8081; PROXY proxy1.domain.com:8080; DIRECT"; +} + + [556]sample2.pac.txt + + I made sure every client domain has the appropriate 'proxy' entry. The + clients are automatically configured with two nameservers using DHCP. + +Proxy Auto-Configuration with URL Hashing + + The [557]Sharp Super Proxy Script page contains a lot of good + information about hash-based proxy auto-configuration scripts. With + these you can distribute the load between a number of caching proxies. + +How do I tell Squid to use a specific username for FTP urls? + + Insert your username in the host part of the URL, for example: +ftp://joecool@ftp.foo.org/ + + Squid should then prompt you for your account password. Alternatively, + you can specify both your username and password in the URL itself: +ftp://joecool:secret@ftp.foo.org/ + + However, we certainly do not recommend this, as it could be very easy + for someone to see or grab your password. + +IE 5.0x crops trailing slashes from FTP URL's + + by [558]ReubenFarrelly + + There was a bug in the 5.0x releases of Internet Explorer in which IE + cropped any trailing slash off an FTP URL. The URL showed up correctly + in the browser's "Address:" field, however squid logs show that the + trailing slash was being taken off. + + An example of where this impacted squid if you had a setup where squid + would go direct for FTP directory listings but forward a request to a + parent for FTP file transfers. This was useful if your upstream proxy + was an older version of Squid or another vendors software which + displayed directory listings with broken icons and you wanted your own + local version of squid to generate proper FTP directory listings + instead. The workaround for this is to add a double slash to any + directory listing in which the slash was important, or else upgrade to + IE 5.5. (Or use Firefox if you cannot upgrade your IE) + +IE 6.0 SP1 fails when using authentication + + When using authentication with Internet Explorer 6 SP1, you may + encounter issues when you first launch Internet Explorer. The problem + will show itself when you first authenticate, you will receive a "Page + Cannot Be Displayed" error. However, if you click refresh, the page + will be correctly displayed. + + This only happens immediately after you authenticate. + + This is not a Squid error or bug. Microsoft broke the Basic + Authentication when they put out IE6 SP1. + + There is a knowledgebase article ( [559]KB 331906) regarding this + issue, which contains a link to a downloadable "hot fix." They do warn + that this code is not "regression tested" but so far there have not + been any reports of this breaking anything else. The problematic file + is wininet.dll. Please note that this hotfix is included in the latest + security update. + + Lloyd Parkes notes that the article references another article, [560]KB + 312176. He says that you must not have the registry entry that KB + 312176 encourages users to add to their registry. + + According to Joao Coutinho, this simple solution also corrects the + problem: + * Go to Tools/Internet + * Go to Options/Advanced + * UNSELECT "Show friendly HTTP error messages" under Browsing. + + Another possible workaround to these problems is to make the + ERR_CACHE_ACCESS_DENIED larger than 1460 bytes. This should trigger IE + to handle the authentication in a slightly different manner. + __________________________________________________________________ + + Contents + 1. [561]Squid Log Files + 2. [562]squid.out + 3. [563]cache.log + 4. [564]useragent.log + 5. [565]store.log + 6. [566]hierarchy.log + 7. [567]access.log + 1. [568]The common log file format + 2. [569]The native log file format + 8. [570]access.log native format in detail + 9. [571]Squid result codes + 10. [572]HTTP status codes + 11. [573]Request methods + 12. [574]Hierarchy Codes + 13. [575]cache/log (Squid-1.x) + 14. [576]swap.state (Squid-2.x) + 15. [577]Which log files can I delete safely? + 16. [578]How can I disable Squid's log files? + 17. [579]What is the maximum size of access.log? + 18. [580]My log files get very big! + 19. [581]I want to use another tool to maintain the log files. + 20. [582]Managing log files + 21. [583]Why do I get ERR_NO_CLIENTS_BIG_OBJ messages so often? + 22. [584]What does ERR_LIFETIME_EXP mean? + 23. [585]Retrieving "lost" files from the cache + 24. [586]Can I use store.log to figure out if a response was cachable? + 25. [587]Can I pump the squid access.log directly into a pipe? + +Squid Log Files + + The logs are a valuable source of information about Squid workloads and + performance. The logs record not only access information, but also + system configuration errors and resource consumption (eg, memory, disk + space). There are several log file maintained by Squid. Some have to be + explicitely activated during compile time, others can safely be + deactivated during run-time. + + There are a few basic points common to all log files. The time stamps + logged into the log files are usually UTC seconds unless stated + otherwise. The initial time stamp usually contains a millisecond + extension. + +squid.out + + If you run your Squid from the RunCache script, a file squid.out + contains the Squid startup times, and also all fatal errors, e.g. as + produced by an assert() failure. If you are not using RunCache, you + will not see such a file. + +cache.log + + The cache.log file contains the debug and error messages that Squid + generates. If you start your Squid using the default RunCache script, + or start it with the -s command line option, a copy of certain messages + will go into your syslog facilities. It is a matter of personal + preferences to use a separate file for the squid log data. + + From the area of automatic log file analysis, the cache.log file does + not have much to offer. You will usually look into this file for + automated error reports, when programming Squid, testing new features, + or searching for reasons of a perceived misbehaviour, etc. + +useragent.log + + The user agent log file is only maintained, if + * you configured the compile time --enable-useragent-log option, and + * you pointed the useragent_log configuration option to a file. + + From the user agent log file you are able to find out about + distributation of browsers of your clients. Using this option in + conjunction with a loaded production squid might not be the best of all + ideas. + +store.log + + The store.log file covers the objects currently kept on disk or removed + ones. As a kind of transaction log it is ususally used for debugging + purposes. A definitive statement, whether an object resides on your + disks is only possible after analysing the complete log file. The + release (deletion) of an object may be logged at a later time than the + swap out (save to disk). + + The store.log file may be of interest to log file analysis which looks + into the objects on your disks and the time they spend there, or how + many times a hot object was accessed. The latter may be covered by + another log file, too. With knowledge of the cache_dir configuration + option, this log file allows for a URL to filename mapping without + recursing your cache disks. However, the Squid developers recommend to + treat store.log primarily as a debug file, and so should you, unless + you know what you are doing. + + The print format for a store log entry (one line) consists of thirteen + space-separated columns, compare with the storeLog() function in file + src/store_log.c: + +9ld.%03d %-7s %02d %08X %s %4d %9ld %9ld %9ld %s %ld/%ld %s %s + + 1. time The timestamp when the line was logged in UTC with a + millisecond fraction. + 2. action The action the object was sumitted to, compare with + src/store_log.c: + + CREATE Seems to be unused. + + RELEASE The object was removed from the cache (see also file + number below). + + SWAPOUT The object was saved to disk. + + SWAPIN The object existed on disk and was read into memory. + 3. dir number The cache_dir number this object was stored into, + starting at 0 for your first cache_dir line. + 4. file number The file number for the object storage file. Please + note that the path to this file is calculated according to your + cache_dir configuration. A file number of FFFFFFFF indicates + "memory only" objects. Any action code for such a file number + refers to an object which existed only in memory, not on disk. For + instance, if a RELEASE code was logged with file number FFFFFFFF, + the object existed only in memory, and was released from memory. + 5. hash The hash value used to index the object in the cache. Squid + currently uses MD5 for the hash value. + 6. status The HTTP reply status code. + 7. datehdr The value of the HTTP Date reply header. + 8. lastmod The value of the HTTP Last-Modified reply header. + 9. expires The value of the HTTP "Expires: " reply header. + 10. type The HTTP Content-Type major value, or "unknown" if it cannot + be determined. + 11. sizes This column consists of two slash separated fields: + + The advertised content length from the HTTP Content-Length + reply header. + + The size actually read. + o If the advertised (or expected) length is missing, it + will be set to zero. If the advertised length is not + zero, but not equal to the real length, the object will + be realeased from the cache. + 12. method The request method for the object, e.g. GET. + 13. key The key to the object, usually the URL. + + The datehdr, lastmod, and expires values are all expressed in + UTC seconds. The actual values are parsed from the HTTP reply + headers. An unparsable header is represented by a value of -1, + and a missing header is represented by a value of -2. + +hierarchy.log + + This logfile exists for Squid-1.0 only. The format is + +[date] URL peerstatus peerhost + +access.log + + Most log file analysis program are based on the entries in access.log. + Currently, there are two file formats possible for the log file, + depending on your configuration for the emulate_httpd_log option. By + default, Squid will log in its native log file format. If the above + option is enabled, Squid will log in the common log file format as + defined by the CERN web daemon. + + The common log file format contains other information than the native + log file, and less. The native format contains more information for the + admin interested in cache evaluation. + +The common log file format + + The [588]Common Logfile Format is used by numerous HTTP servers. This + format consists of the following seven fields: + +remotehost rfc931 authuser [date] "method URL" status bytes + + It is parsable by a variety of tools. The common format contains + different information than the native log file format. The HTTP version + is logged, which is not logged in native log file format. + +The native log file format + + The native format is different for different major versions of Squid. + For Squid-1.0 it is: + +time elapsed remotehost code/status/peerstatus bytes method URL + + For Squid-1.1, the information from the hierarchy.log was moved into + access.log. The format is: + +time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost +type + + For Squid-2 the columns stay the same, though the content within may + change a little. + + The native log file format logs more and different information than the + common log file format: the request duration, some timeout information, + the next upstream server address, and the content type. + + There exist tools, which convert one file format into the other. Please + mind that even though the log formats share most information, both + formats contain information which is not part of the other format, and + thus this part of the information is lost when converting. Especially + converting back and forth is not possible without loss. + + squid2common.pl is a conversion utility, which converts any of the + squid log file formats into the old CERN proxy style output. There + exist tools to analyse, evaluate and graph results from that format. + +access.log native format in detail + + We recommend that you use Squid's native log format due to its greater + amount of information made available for later analysis. The print + format line for native access.log entries looks like this: + +"%9d.%03d %6d %s %s/%03d %d %s %s %s %s%s/%s %s" + + Therefore, an access.log entry usually consists of (at least) 10 + columns separated by one ore more spaces: + 1. time A Unix timestamp as UTC seconds with a millisecond resolution. + You can convert Unix timestamps into something more human readable + using this short perl script: + + +#! /usr/bin/perl -p +s/^\d+\.\d+/localtime $&/e; + + 2. duration The elapsed time considers how many milliseconds the + transaction busied the cache. It differs in interpretation between + TCP and UDP: + + For HTTP this is basically the time from having received the + request to when Squid finishes sending the last byte of the + response. + + For ICP, this is the time between scheduling a reply and + actually sending it. + o Please note that the entries are logged after the reply + finished being sent, not during the lifetime of the + transaction. + 3. client address The IP address of the requesting instance, the + client IP address. The client_netmask configuration option can + distort the clients for data protection reasons, but it makes + analysis more difficult. Often it is better to use one of the log + file anonymizers. Also, the log_fqdn configuration option may log + the fully qualified domain name of the client instead of the dotted + quad. The use of that option is discouraged due to its performance + impact. + 4. result codes This column is made up of two entries separated by a + slash. This column encodes the transaction result: + + The cache result of the request contains information on the + kind of request, how it was satisfied, or in what way it + failed. Please refer to [589]Squid result codes for valid + symbolic result codes. Several codes from older versions are + no longer available, were renamed, or split. Especially the + ERR_ codes do not seem to appear in the log file any more. + Also refer to [590]Squid result codes for details on the codes + no longer available in Squid-2. The NOVM versions and Squid-2 + also rely on the Unix buffer cache, thus you will see less + TCP_MEM_HITs than with a Squid-1. Basically, the NOVM feature + relies on read() to obtain an object, but due to the kernel + buffer cache, no disk activity is needed. Only small objects + (below 8KByte) are kept in Squid's part of main memory. The + status part contains the HTTP result codes with some Squid + specific extensions. Squid uses a subset of the RFC defined + error codes for HTTP. Refer to section [591]status codes for + details of the status codes ecognized by a Squid-2. + 5. bytes The size is the amount of data delivered to the client. Mind + that this does not constitute the net object size, as headers are + also counted. Also, failed requests may deliver an error page, the + size of which is also logged here. + 6. request method The request method to obtain an object. Please refer + to section [592]request-methods for available methods. If you + turned off log_icp_queries in your configuration, you will not see + (and thus unable to analyse) ICP exchanges. The PURGE method is + only available, if you have an ACL for "method purge" enabled in + your configuration file. + 7. URL This column contains the URL requested. Please note that the + log file may contain whitespaces for the URI. The default + configuration for uri_whitespace denies whitespaces, though. + 8. rfc931 The eigth column may contain the ident lookups for the + requesting client. Since ident lookups have performance impact, the + default configuration turns ident_loookups off. If turned off, or + no ident information is available, a "-" will be logged. + 9. hierarchy code The hierarchy information consists of three items: + + Any hierarchy tag may be prefixed with TIMEOUT_, if the + timeout occurs waiting for all ICP replies to return from the + neighbours. The timeout is either dynamic, if the + icp_query_timeout was not set, or the time configured there + has run up. + + A code that explains how the request was handled, e.g. by + forwarding it to a peer, or going straight to the source. + Refer to [593]Hierarchy Codes for details on hierarchy codes + and removed hierarchy codes. + + The IP address or hostname where the request (if a miss) was + forwarded. For requests sent to origin servers, this is the + origin server's IP address. For requests sent to a neighbor + cache, this is the neighbor's hostname. NOTE: older versions + of Squid would put the origin server hostname here. + 10. type The content type of the object as seen in the HTTP reply + header. Please note that ICP exchanges usually don't have any + content type, and thus are logged "-". Also, some weird replies + have content types ":" or even empty ones. + + There may be two more columns in the access.log, if the (debug) option + log_mime_headers is enabled In this case, the HTTP request headers are + logged between a "[" and a "]", and the HTTP reply headers are also + logged between "[" and "]". All control characters like CR and LF are + URL-escaped, but spaces are not escaped! Parsers should watch out for + this. + +Squid result codes + + The TCP_ codes refer to requests on the HTTP port (usually 3128). The + UDP_ codes refer to requests on the ICP port (usually 3130). If ICP + logging was disabled using the log_icp_queries option, no ICP replies + will be logged. + + The following result codes were taken from a Squid-2, compare with the + log_tags struct in src/access_log.c: + + TCP_HIT A valid copy of the requested object was in the cache. + + TCP_MISS The requested object was not in the cache. + + TCP_REFRESH_HIT The requested object was cached but STALE. The IMS + query for the object resulted in "304 not modified". + + TCP_REF_FAIL_HIT The requested object was cached but STALE. The IMS + query failed and the stale object was delivered. + + TCP_REFRESH_MISS The requested object was cached but STALE. The IMS + query returned the new content. + + TCP_CLIENT_REFRESH_MISS The client issued a "no-cache" pragma, or some + analogous cache control command along with the request. Thus, the cache + has to refetch the object. + + TCP_IMS_HIT The client issued an IMS request for an object which was in + the cache and fresh. + + TCP_SWAPFAIL_MISS The object was believed to be in the cache, but could + not be accessed. + + TCP_NEGATIVE_HIT Request for a negatively cached object, e.g. "404 not + found", for which the cache believes to know that it is inaccessible. + Also refer to the explainations for negative_ttl in your squid.conf + file. + + TCP_MEM_HIT A valid copy of the requested object was in the cache and + it was in memory, thus avoiding disk accesses. + + TCP_DENIED Access was denied for this request. + + TCP_OFFLINE_HIT The requested object was retrieved from the cache + during offline mode. The offline mode never validates any object, see + offline_mode in squid.conf file. + + UDP_HIT A valid copy of the requested object was in the cache. + + UDP_MISS The requested object is not in this cache. + + UDP_DENIED Access was denied for this request. + + UDP_INVALID An invalid request was received. + + UDP_MISS_NOFETCH During "-Y" startup, or during frequent failures, a + cache in hit only mode will return either UDP_HIT or this code. + Neighbours will thus only fetch hits. + + NONE Seen with errors and cachemgr requests. + + The following codes are no longer available in Squid-2: + + ERR_* Errors are now contained in the status code. + + TCP_CLIENT_REFRESH See: TCP_CLIENT_REFRESH_MISS. + + TCP_SWAPFAIL See: TCP_SWAPFAIL_MISS. + + TCP_IMS_MISS Deleted, now replaced with TCP_IMS_HIT. + + UDP_HIT_OBJ Refers to an old version that would send cache hits in ICP + replies. No longer implemented. + + UDP_RELOADING See: UDP_MISS_NOFETCH. + +HTTP status codes + + These are taken from [594]RFC 2616 and verified for Squid. Squid-2 uses + almost all codes except 307 (Temporary Redirect), 416 (Request Range + Not Satisfiable), and 417 (Expectation Failed). Extra codes include 0 + for a result code being unavailable, and 600 to signal an invalid + header, a proxy error. Also, some definitions were added as for + [595]RFC 2518 (WebDAV). Yes, there are really two entries for status + code 424, compare with http_status in src/enums.h: + + 000 Used mostly with UDP traffic. + 100 Continue + 101 Switching Protocols +*102 Processing + 200 OK + 201 Created + 202 Accepted + 203 Non-Authoritative Information + 204 No Content + 205 Reset Content + 206 Partial Content +*207 Multi Status + 300 Multiple Choices + 301 Moved Permanently + 302 Moved Temporarily + 303 See Other + 304 Not Modified + 305 Use Proxy +[307 Temporary Redirect] + 400 Bad Request + 401 Unauthorized + 402 Payment Required + 403 Forbidden + 404 Not Found + 405 Method Not Allowed + 406 Not Acceptable + 407 Proxy Authentication Required + 408 Request Timeout + 409 Conflict + 410 Gone + 411 Length Required + 412 Precondition Failed + 413 Request Entity Too Large + 414 Request URI Too Large + 415 Unsupported Media Type +[416 Request Range Not Satisfiable] +[417 Expectation Failed] +*424 Locked +*424 Failed Dependency +*433 Unprocessable Entity + 500 Internal Server Error + 501 Not Implemented + 502 Bad Gateway + 503 Service Unavailable + 504 Gateway Timeout + 505 HTTP Version Not Supported +*507 Insufficient Storage + 600 Squid header parsing error + +Request methods + + Squid recognizes several request methods as defined in [596]RFC 2616. + Newer versions of Squid (2.2.STABLE5 and above) also recognize [597]RFC + 2518 "HTTP Extensions for Distributed Authoring -- WEBDAV" extensions. + + method defined cachabil. meaning + --------- ---------- ---------- ------------------------------------------- + GET HTTP/0.9 possibly object retrieval and simple searches. + HEAD HTTP/1.0 possibly metadata retrieval. + POST HTTP/1.0 CC or Exp. submit data (to a program). + PUT HTTP/1.1 never upload data (e.g. to a file). + DELETE HTTP/1.1 never remove resource (e.g. file). + TRACE HTTP/1.1 never appl. layer trace of request route. + OPTIONS HTTP/1.1 never request available comm. options. + CONNECT HTTP/1.1r3 never tunnel SSL connection. + ICP_QUERY Squid never used for ICP based exchanges. + PURGE Squid never remove object from cache. + PROPFIND rfc2518 ? retrieve properties of an object. + PROPATCH rfc2518 ? change properties of an object. + MKCOL rfc2518 never create a new collection. + COPY rfc2518 never create a duplicate of src in dst. + MOVE rfc2518 never atomically move src to dst. + LOCK rfc2518 never lock an object against modifications. + UNLOCK rfc2518 never unlock an object. + +Hierarchy Codes + + The following hierarchy codes are used with Squid-2: + + NONE For TCP HIT, TCP failures, cachemgr requests and all UDP requests, + there is no hierarchy information. + + DIRECT The object was fetched from the origin server. + + SIBLING_HIT The object was fetched from a sibling cache which replied + with UDP_HIT. + + PARENT_HIT The object was requested from a parent cache which replied + with UDP_HIT. + + DEFAULT_PARENT No ICP queries were sent. This parent was chosen because + it was marked "default" in the config file. + + SINGLE_PARENT The object was requested from the only parent appropriate + for the given URL. + + FIRST_UP_PARENT The object was fetched from the first parent in the + list of parents. + + NO_PARENT_DIRECT The object was fetched from the origin server, because + no parents existed for the given URL. + + FIRST_PARENT_MISS The object was fetched from the parent with the + fastest (possibly weighted) round trip time. + + CLOSEST_PARENT_MISS This parent was chosen, because it included the the + lowest RTT measurement to the origin server. See also the closest-only + peer configuration option. + + CLOSEST_PARENT The parent selection was based on our own RTT + measurements. + + CLOSEST_DIRECT Our own RTT measurements returned a shorter time than + any parent. + + NO_DIRECT_FAIL The object could not be requested because of a firewall + configuration, see also never_direct and related material, and no + parents were available. + + SOURCE_FASTEST The origin site was chosen, because the source ping + arrived fastest. + + ROUNDROBIN_PARENT No ICP replies were received from any parent. The + parent was chosen, because it was marked for round robin in the config + file and had the lowest usage count. + + CACHE_DIGEST_HIT The peer was chosen, because the cache digest + predicted a hit. This option was later replaced in order to distinguish + between parents and siblings. + + CD_PARENT_HIT The parent was chosen, because the cache digest predicted + a hit. + + CD_SIBLING_HIT The sibling was chosen, because the cache digest + predicted a hit. + + NO_CACHE_DIGEST_DIRECT This output seems to be unused? + + CARP The peer was selected by CARP. + + ANY_PARENT part of src/peer_select.c:hier_strings[]. + + INVALID CODE part of src/peer_select.c:hier_strings[]. + + Almost any of these may be preceded by 'TIMEOUT_' if the two-second + (default) timeout occurs waiting for all ICP replies to arrive from + neighbors, see also the icp_query_timeout configuration option. + + The following hierarchy codes were removed from Squid-2: + +code meaning +-------------------- ------------------------------------------------- +PARENT_UDP_HIT_OBJ hit objects are not longer available. +SIBLING_UDP_HIT_OBJ hit objects are not longer available. +SSL_PARENT_MISS SSL can now be handled by squid. +FIREWALL_IP_DIRECT No special logging for hosts inside the firewall. +LOCAL_IP_DIRECT No special logging for local networks. + +cache/log (Squid-1.x) + + This file has a rather unfortunate name. It also is often called the + swap log. It is a record of every cache object written to disk. It is + read when Squid starts up to "reload" the cache. If you remove this + file when squid is NOT running, you will effectively wipe out your + cache contents. If you remove this file while squid IS running, you can + easily recreate it. The safest way is to simply shutdown the running + process: + +% squid -k shutdown + + This will disrupt service, but at least you will have your swap log + back. Alternatively, you can tell squid to rotate its log files. This + also causes a clean swap log to be written. + +% squid -k rotate + + For Squid-1.1, there are six fields: + + [1] fileno: The swap file number holding the object data. This is + mapped to a pathname on your filesystem. + + [2] timestamp: This is the time when the object was last verified to be + current. The time is a hexadecimal representation of Unix time. + + [3] expires: This is the value of the Expires header in the HTTP reply. + If an Expires header was not present, this will be -2 or FFFFFFFE. If + the Expires header was present, but invalid (unparsable), this will be + -1 or FFFFFFFF. + + [4] lastmod: Value of the HTTP reply Last-Modified header. If missing + it will be -2, if invalid it will be -1. + + [5] size: Size of the object, including headers. + + [6] url: The URL naming this object. + +swap.state (Squid-2.x) + + In Squid-2, the swap log file is now called swap.state. This is a + binary file that includes MD5 checksums, and StoreEntry fields. Please + see the Programmers' Guide for information on the contents and format + of that file. + + If you remove swap.state while Squid is running, simply send Squid the + signal to rotate its log files: + +% squid -k rotate + + Alternatively, you can tell Squid to shutdown and it will rewrite this + file before it exits. + + If you remove the swap.state while Squid is not running, you will not + lose your entire cache. In this case, Squid will scan all of the cache + directories and read each swap file to rebuild the cache. This can take + a very long time, so you'll have to be patient. + + By default the swap.state file is stored in the top-level of each + cache_dir. You can move the logs to a different location with the + cache_swap_log option. + +Which log files can I delete safely? + + You should never delete access.log, store.log, cache.log, or swap.state + while Squid is running. With Unix, you can delete a file when a process + has the file opened. However, the filesystem space is not reclaimed + until the process closes the file. + + If you accidentally delete swap.state while Squid is running, you can + recover it by following the instructions in the previous questions. If + you delete the others while Squid is running, you can not recover them. + + The correct way to maintain your log files is with Squid's "rotate" + feature. You should rotate your log files at least once per day. The + current log files are closed and then renamed with numeric extensions + (.0, .1, etc). If you want to, you can write your own scripts to + archive or remove the old log files. If not, Squid will only keep up to + logfile_rotate versions of each log file. The logfile rotation + procedure also writes a clean swap.state file, but it does not leave + numbered versions of the old files. + + If you set logfile_rotate to 0, Squid simply closes and then re-opens + the logs. This allows third-party logfile management systems, such as + newsyslog, to maintain the log files. + + To rotate Squid's logs, simple use this command: + +squid -k rotate + + For example, use this cron entry to rotate the logs at midnight: + +0 0 * * * /usr/local/squid/bin/squid -k rotate + +How can I disable Squid's log files? + + For Squid 2.4: + + To disable access.log: + +cache_access_log /dev/null + + To disable store.log: + +cache_store_log none + + To disable cache.log: + +cache_log /dev/null + + For Squid 2.5: + + To disable access.log: + +cache_access_log none + + To disable store.log: + +cache_store_log none + + To disable cache.log: + +cache_log /dev/null + + + + It is a bad idea to disable the cache.log because this file contains + many important status and debugging messages. However, if you really + want to, you can + + /!\ + + If /dev/null is specified to any of the above log files, logfile rotate + must also be set to 0 or else risk Squid rotating away /dev/null making + it a plain log file + + {i} + + Instead of disabling the log files, it is advisable to use a smaller + value for logfile_rotate and properly rotating Squid's log files in + your cron. That way, your log files are more controllable and + self-maintained by your system + +What is the maximum size of access.log? + + Squid does not impose a size limit on its log files. Some operating + systems have a maximum file size limit, however. If a Squid log file + exceeds the operating system's size limit, Squid receives a write error + and shuts down. You should regularly rotate Squid's log files so that + they do not become very large. + + /!\ + + Logging is very important to Squid. In fact, it is so important that it + will shut itself down if it can't write to its logfiles. This includes + cases such as a full log disk, or logfiles getting too big. + +My log files get very big! + + You need to rotate your log files with a cron job. For example: + +0 0 * * * /usr/local/squid/bin/squid -k rotate + +I want to use another tool to maintain the log files. + + If you set logfile_rotate to 0, Squid simply closes and then re-opens + the logs. This allows third-party logfile management systems, such as + [598]newsyslog or logrotate, to maintain the log files. + +Managing log files + + The preferred log file for analysis is the access.log file in native + format. For long term evaluations, the log file should be obtained at + regular intervals. Squid offers an easy to use API for rotating log + files, in order that they may be moved (or removed) without disturbing + the cache operations in progress. The procedures were described above. + + Depending on the disk space allocated for log file storage, it is + recommended to set up a cron job which rotates the log files every 24, + 12, or 8 hour. You will need to set your logfile_rotate to a + sufficiently large number. During a time of some idleness, you can + safely transfer the log files to your analysis host in one burst. + + Before transport, the log files can be compressed during off-peak time. + On the analysis host, the log file are concatinated into one file, so + one file for 24 hours is the yield. Also note that with log_icp_queries + enabled, you might have around 1 GB of uncompressed log information per + day and busy cache. Look into you cache manager info page to make an + educated guess on the size of your log files. + + The EU project [599]DESIRE developed some [600]some basic rules to obey + when handling and processing log files: + * Respect the privacy of your clients when publishing results. + * Keep logs unavailable unless anonymized. Most countries have laws + on privacy protection, and some even on how long you are legally + allowed to keep certain kinds of information. + * Rotate and process log files at least once a day. Even if you don't + process the log files, they will grow quite large, see My log files + get very big above here. If you rely on processing the log files, + reserve a large enough partition solely for log files. + * Keep the size in mind when processing. It might take longer to + process log files than to generate them! + * Limit yourself to the numbers you are interested in. There is data + beyond your dreams available in your log file, some quite obvious, + others by combination of different views. Here are some examples + for figures to watch: + + The hosts using your cache. + + The elapsed time for HTTP requests - this is the latency the + user sees. Usually, you will want to make a distinction for + HITs and MISSes and overall times. Also, medians are preferred + over averages. + + The requests handled per interval (e.g. second, minute or + hour). + +Why do I get ERR_NO_CLIENTS_BIG_OBJ messages so often? + + This message means that the requested object was in "Delete Behind" + mode and the user aborted the transfer. An object will go into "Delete + Behind" mode if + * It is larger than maximum_object_size + * It is being fetched from a neighbor which has the proxy-only option + set. + +What does ERR_LIFETIME_EXP mean? + + This means that a timeout occurred while the object was being + transferred. Most likely the retrieval of this object was very slow (or + it stalled before finishing) and the user aborted the request. However, + depending on your settings for quick_abort, Squid may have continued to + try retrieving the object. Squid imposes a maximum amount of time on + all open sockets, so after some amount of time the stalled request was + aborted and logged win an ERR_LIFETIME_EXP message. + +Retrieving "lost" files from the cache + + "I've been asked to retrieve an object which was accidentally destroyed + at the source for recovery. So, how do I figure out where the things + are so I can copy them out and strip off the headers?"" + + The following method applies only to the Squid-1.1 versions: + + Use grep to find the named object (URL) in the cache.log file. The + first field in this file is an integer file number. + + Then, find the file fileno-to-pathname.pl from the "scripts" directory + of the Squid source distribution. The usage is + +perl fileno-to-pathname.pl [-c squid.conf] + + file numbers are read on stdin, and pathnames are printed on stdout. + +Can I use store.log to figure out if a response was cachable? + + Sort of. You can use store.log to find out if a particular response was + cached. + + Cached responses are logged with the SWAPOUT tag. Uncached responses + are logged with the RELEASE tag. + + However, your analysis must also consider that when a cached response + is removed from the cache (for example due to cache replacement) it is + also logged in store.log with the RELEASE tag. To differentiate these + two, you can look at the filenumber (3rd) field. When an uncachable + response is released, the filenumber is FFFFFFFF (-1). Any other + filenumber indicates a cached response was released. + +Can I pump the squid access.log directly into a pipe? + + Several people have asked for this, usually to feed the log into some + kind of external database, or to analyze them in real-time. + + The answer is No. Well, yes, sorta. But you have to be very careful, + and Squid doesn't encourage or help it in any way, as it opens up a + whole load of possible problems. + + /!\ + + Logging is very important to Squid. In fact, it is so important that it + will shut itself down if it can't write to its logfiles. + + There's a whole load of possible problems, security risks and DOS + scenarios that emerge if Squid allowed writing log files to some + external program (for instance via a pipe). For instance, how should + Squid behave if the output program crashes? Or if it can't keep up with + the load? Or if it blocks? So the safest path was chosen, and that + means sticking to writing to files. + + There's a few tricks that can be used to still be able to work around + this: + * using the tail -f UNIX command on access.log + + It will keep on reading the access.log file and write to + stdout (or to a pipe) the lines being added in almost real + time. Unfortunately it doesn't behave correctly if the + access.log file gets renamed (via link/unlink, which is what + squid does on -k rotate: tail will happily keep the old file + open, but noone is writing to it anymore + * using the tail -F feature of GNU tail + + GNU tail supports an extra option, which allows it to notice + if a file gets renamed and recreated. + * using File::Tail from within a PERL script + + File::Tail behaves like tail -F. It is however only available + in PERL. + + It's unfortunately highly unlikely that either of those will work under + MS Windows, due to its brain-dead file-sharing semantics. + + {i} + + Anyone with good MS Windows experience or knowing any better is invited + to amend the previous sentence. + + If you really really want to send your squid logs to some external + script, AND you're really really sure you know what you're doing (but + then again, if you're doing this you probably you don't know what + you're doing), you can use the UNIX command mkfifo to create a named + pipe. You need to + 1. create a named pipe (i.e. with the command mkfifo + /var/log/squid/access.log) + 2. attach a daemonized text-processor to it (i.e. + (/usr/local/sbin/text-processor.pl /var/log/squid/access.log)& ) + 3. start squid + + The problem with this approach is that if the text-processor blocks, + squid blocks. If it crashes, in the best case squid blocks until the + processor is restarted. In the second-best case, squid crashes or + aborts. There is no worst case (than this). + __________________________________________________________________ + + Contents + 1. [601]How do I see system level Squid statistics? + 2. [602]How can I find the biggest objects in my cache? + 3. [603]I want to restart Squid with a clean cache + 4. [604]How can I proxy/cache Real Audio? + 5. [605]How can I purge an object from my cache? + 6. [606]How can i purge multiple objects from my cache? + 7. [607]Using ICMP to Measure the Network + 1. [608]Supporting ICMP in your Squid cache + 2. [609]Utilizing your parents database + 3. [610]Inspecting the database + 8. [611]Why are so few requests logged as TCP_IMS_MISS? + 9. [612]How can I make Squid NOT cache some servers or URLs? + 10. [613]How can I delete and recreate a cache directory? + 11. [614]Why can't I run Squid as root? + 12. [615]Can you tell me a good way to upgrade Squid with minimal + downtime? + 13. [616]Can Squid listen on more than one HTTP port? + 14. [617]Can I make origin servers see the client's IP address when + going through Squid? + +How do I see system level Squid statistics? + + The Squid distribution includes a CGI utility called cachemgr.cgi which + can be used to view squid statistics with a web browser. See + [618]../CacheManager for more information on its usage and + installation. + +How can I find the biggest objects in my cache? + +sort -r -n +4 -5 access.log | awk '{print $5, $7}' | head -25 + + If your cache processes several hundred hits per second, good luck. + +I want to restart Squid with a clean cache + + Note: The information here is current for version 2.2 and later. + + First of all, you must stop Squid of course. You can use the command: +% squid -k shutdown + + The fastest way to restart with an entirely clean cache is to over + write the swap.state files for each cache_dir in your config file. + Note, you can not just remove the swap.state file, or truncate it to + zero size. Instead, you should put just one byte of garbage there. For + example: +% echo "" > /cache1/swap.state + + Repeat that for every cache_dir, then restart Squid. Be sure to leave + the swap.state file with the same owner and permissions that it had + before! + + Another way, which takes longer, is to have squid recreate all the + cache_dir directories. But first you must move the existing directories + out of the way. For example, you can try this: +% cd /cache1 +% mkdir JUNK +% mv ?? swap.state* JUNK +% rm -rf JUNK & + + Repeat this for your other cache_dirs, then tell Squid to create new + directories: +% squid -z + +How can I proxy/cache Real Audio? + + by Rodney van den Oever and James R Grinter + * Point the RealPlayer at your Squid server's HTTP port (e.g. 3128). + * Using the Preferences->Transport tab, select Use specified + transports and with the Specified Transports button, select use + HTTP Only. + + The RealPlayer (and RealPlayer Plus) manual states: +Use HTTP Only +Select this option if you are behind a firewall and cannot +receive data through TCP. All data will be streamed through +HTTP. + +Note: You may not be able to receive some content if you select +this option. + + Again, from the documentation: +RealPlayer 4.0 identifies itself to the firewall when making a +request for content to a RealServer. The following string is +attached to any URL that the Player requests using HTTP GET: + +/SmpDsBhgRl + +Thus, to identify an HTTP GET request from the RealPlayer, look +for: + +http://[^/]+/SmpDsBhgRl + +The Player can also be identified by the mime type in a POST to +the RealServer. The RealPlayer POST has the following mime +type: + +"application/x-pncmd" + + Note that the first request is a POST, and the second has a '?' in the + URL, so standard Squid configurations would treat it as non-cachable. + It also looks rather "magic." + + HTTP is an alternative delivery mechanism introduced with version 3 + players, and it allows a reasonable approximation to "streaming" data - + that is playing it as you receive it. + + It isn't available in the general case: only if someone has made the + realaudio file available via an HTTP server, or they're using a version + 4 server, they've switched it on, and you're using a version 4 client. + If someone has made the file available via their HTTP server, then + it'll be cachable. Otherwise, it won't be (as far as we can tell.) + + The more common RealAudio link connects via their own pnm: method and + is transferred using their proprietary protocol (via TCP or UDP) and + not using HTTP. It can't be cached nor proxied by Squid, and requires + something such as the simple proxy that Progressive Networks themselves + have made available, if you're in a firewall/no direct route situation. + Their product does not cache (and I don't know of any software + available that does.) + + Some confusion arises because there is also a configuration option to + use an HTTP proxy (such as Squid) with the RealAudio/RealVideo players. + This is because the players can fetch the ".ram" file that contains the + pnm: reference for the audio/video stream. They fetch that .ram file + from an HTTP server, using HTTP. + +How can I purge an object from my cache? + + Squid does not allow you to purge objects unless it is configured with + access controls in squid.conf. First you must add something like +acl PURGE method PURGE +acl localhost src 127.0.0.1 +http_access allow PURGE localhost +http_access deny PURGE + + The above only allows purge requests which come from the local host and + denies all other purge requests. + + To purge an object, you can use the squidclient program: +squidclient -m PURGE http://www.miscreant.com/ + + If the purge was successful, you will see a "200 OK" response: +HTTP/1.0 200 OK +Date: Thu, 17 Jul 1997 16:03:32 GMT +Server: Squid/1.1.14 + + If the object was not found in the cache, you will see a "404 Not + Found" response: +HTTP/1.0 404 Not Found +Date: Thu, 17 Jul 1997 16:03:22 GMT +Server: Squid/1.1.14 + +How can i purge multiple objects from my cache? + + It's not possible; you have to purte the objects one by one by URL. + This is because squid doesn't keep in memory the URL of every object it + stores, but only a compact representation of it (a hash). Finding the + hash given the URL is easy, the other way around is not possible. + + Purging by wildcard, by domain etc. are unfortunately not possible at + this time. + +Using ICMP to Measure the Network + + As of version 1.1.9, Squid is able to utilize ICMP Round-Trip-Time + (RTT) measurements to select the optimal location to forward a cache + miss. Previously, cache misses would be forwarded to the parent cache + which returned the first ICP reply message. These were logged with + FIRST_PARENT_MISS in the access.log file. Now we can select the parent + which is closest (RTT-wise) to the origin server. + +Supporting ICMP in your Squid cache + + It is more important that your parent caches enable the ICMP features. + If you are acting as a parent, then you may want to enable ICMP on your + cache. Also, if your cache makes RTT measurements, it will fetch + objects directly if your cache is closer than any of the parents. + + If you want your Squid cache to measure RTT's to origin servers, Squid + must be compiled with the USE_ICMP option. This is easily accomplished + by uncommenting "-DUSE_ICMP=1" in src/Makefile and/or src/Makefile.in. + + An external program called pinger is responsible for sending and + receiving ICMP packets. It must run with root privileges. After Squid + has been compiled, the pinger program must be installed separately. A + special Makefile target will install pinger with appropriate + permissions. +% make install +% su +# make install-pinger + + There are three configuration file options for tuning the measurement + database on your cache. netdb_low and netdb_high specify high and low + water marks for keeping the database to a certain size (e.g. just like + with the IP cache). The netdb_ttl option specifies the minimum rate for + pinging a site. If netdb_ttl is set to 300 seconds (5 minutes) then an + ICMP packet will not be sent to the same site more than once every five + minutes. Note that a site is only pinged when an HTTP request for the + site is received. + + Another option, minimum_direct_hops can be used to try finding servers + which are close to your cache. If the measured hop count to the origin + server is less than or equal to minimum_direct_hops, the request will + be forwarded directly to the origin server. + +Utilizing your parents database + + Your parent caches can be asked to include the RTT measurements in + their ICP replies. To do this, you must enable query_icmp in your + config file: +query_icmp on + + This causes a flag to be set in your outgoing ICP queries. + + If your parent caches return ICMP RTT measurements then the eighth + column of your access.log will have lines similar to: +CLOSEST_PARENT_MISS/it.cache.nlanr.net + + In this case, it means that it.cache.nlanr.net returned the lowest RTT + to the origin server. If your cache measured a lower RTT than any of + the parents, the request will be logged with +CLOSEST_DIRECT/www.sample.com + +Inspecting the database + + The measurement database can be viewed from the cachemgr by selecting + "Network Probe Database." Hostnames are aggregated into /24 networks. + All measurements made are averaged over time. Measurements are made to + specific hosts, taken from the URLs of HTTP requests. The recv and sent + fields are the number of ICMP packets sent and received. At this time + they are only informational. + + A typical database entry looks something like this: + Network recv/sent RTT Hops Hostnames + 192.41.10.0 20/ 21 82.3 6.0 www.jisedu.org www.dozo.com +bo.cache.nlanr.net 42.0 7.0 +uc.cache.nlanr.net 48.0 10.0 +pb.cache.nlanr.net 55.0 10.0 +it.cache.nlanr.net 185.0 13.0 + + This means we have sent 21 pings to both www.jisedu.org and + www.dozo.com. The average RTT is 82.3 milliseconds. The next four lines + show the measured values from our parent caches. Since + bo.cache.nlanr.net has the lowest RTT, it would be selected as the + location to forward a request for a www.jisedu.org or www.dozo.com URL. + +Why are so few requests logged as TCP_IMS_MISS? + + When Squid receives an If-Modified-Since request, it will not forward + the request unless the object needs to be refreshed according to the + refresh_pattern rules. If the request does need to be refreshed, then + it will be logged as TCP_REFRESH_HIT or TCP_REFRESH_MISS. + + If the request is not forwarded, Squid replies to the IMS request + according to the object in its cache. If the modification times are the + same, then Squid returns TCP_IMS_HIT. If the modification times are + different, then Squid returns TCP_IMS_MISS. In most cases, the cached + object will not have changed, so the result is TCP_IMS_HIT. Squid will + only return TCP_IMS_MISS if some other client causes a newer version of + the object to be pulled into the cache. + +How can I make Squid NOT cache some servers or URLs? + + In Squid-2, you use the no_cache option to specify uncachable requests. + For example, this makes all responses from origin servers in the + 10.0.1.0/24 network uncachable: +acl Local dst 10.0.1.0/24 +no_cache deny Local + + This example makes all URL's with '.html' uncachable: +acl HTML url_regex .html$ +no_cache deny HTML + + This example makes a specific URL uncachable: +acl XYZZY url_regex ^http://www.i.suck.com/foo.html$ +no_cache deny XYZZY + + This example caches nothing between the hours of 8AM to 11AM: +acl Morning time 08:00-11:00 +no_cache deny Morning + + In Squid-1.1, whether or not an object gets cached is controlled by the + cache_stoplist, and cache_stoplist_pattern options. So, you may add: +cache_stoplist my.domain.com + +How can I delete and recreate a cache directory? + + Deleting an existing cache directory is not too difficult. + Unfortunately, you can't simply change squid.conf and then reconfigure. + You can't stop using a cache_dir while Squid is running. Also note that + Squid requires at least one cache_dir to run. + * Edit your squid.conf file and comment out, or delete the cache_dir + line for the cache directory that you want to remove. + * If you don't have any cache_dir lines in your squid.conf, then + Squid was using the default. You'll need to add a new cache_dir + line because Squid will continue to use the default otherwise. You + can add a small, temporary directory, for example: +/usr/local/squid/cachetmp .... + + If you add a new cache_dir you have to run squid -z to initialize + that directory. + * Remeber that you can not delete a cache directory from a running + Squid process; you can not simply reconfigure squid. You must + shutdown Squid: +squid -k shutdown + + * Once Squid exits, you may immediately start it up again. Since you + deleted the old cache_dir from squid.conf, Squid won't try to + access that directory. If you use the RunCache script, Squid should + start up again automatically. + * Now Squid is no longer using the cache directory that you removed + from the config file. You can verify this by checking "Store + Directory" information with the cache manager. From the command + line, type: +squidclient mgr:storedir + + * Now that Squid is not using the cache directory, you can rm -rf it, + format the disk, build a new filesystem, or whatever. + + The procedure is similar to recreate the directory. + * Edit squid.conf and add a new cache_dir line. + * Shutdown Squid (squid -k shutdown) + * Initialize the new directory by running +% squid -z + + * Start Squid again + +Why can't I run Squid as root? + + by Dave J Woolley + + If someone were to discover a buffer overrun bug in Squid and it runs + as a user other than root, they can only corrupt the files writeable to + that user, but if it runs a root, they can take over the whole machine. + This applies to all programs that don't absolutely need root status, + not just squid. + +Can you tell me a good way to upgrade Squid with minimal downtime? + + Here is a technique that was described by Radu Greab. + + Start a second Squid server on an unused HTTP port (say 4128). This + instance of Squid probably doesn't need a large disk cache. When this + second server has finished reloading the disk store, swap the http_port + values in the two squid.conf files. Set the original Squid to use port + 5128, and the second one to use 3128. Next, run "squid -k reconfigure" + for both Squids. New requests will go to the second Squid, now on port + 3128 and the first Squid will finish handling its current requests. + After a few minutes, it should be safe to fully shut down the first + Squid and upgrade it. Later you can simply repeat this process in + reverse. + +Can Squid listen on more than one HTTP port? + + Note: The information here is current for version 2.3. + + Yes, you can specify multiple http_port lines in your squid.conf file. + Squid attempts to bind() to each port that you specify. Sometimes Squid + may not be able to bind to a port, either because of permissions or + because the port is already in use. If Squid can bind to at least one + port, then it will continue running. If it can not bind to any of the + ports, then Squid stops. + + With version 2.3 and later you can specify IP addresses and port + numbers together (see the squid.conf comments). + +Can I make origin servers see the client's IP address when going through +Squid? + + Normally you cannot. Most TCP/IP stacks do not allow applications to + create sockets with the local endpoint assigned to a foreign IP + address. However, some folks have some [619]patches to Linux that allow + exactly that. + + In this situation, you must ensure that all HTTP packets destined for + the client IP addresses are routed to the Squid box. If the packets + take another path, the real clients will send TCP resets to the origin + servers, thereby breaking the connections. + __________________________________________________________________ + + Contents + 1. [620]Why does Squid use so much memory!? + 2. [621]How can I tell how much memory my Squid process is using? + 3. [622]My Squid process grows without bounds. + 4. [623]I set cache_mem to XX, but the process grows beyond that! + 5. [624]How do I analyze memory usage from the cache manger output? + 6. [625]The "Total memory accounted" value is less than the size of my + Squid process. + 7. [626]xmalloc: Unable to allocate 4096 bytes! + 8. [627]fork: (12) Cannot allocate memory + 9. [628]What can I do to reduce Squid's memory usage? + 10. [629]Using an alternate malloc library + 1. [630]GNU malloc + 2. [631]dlmalloc + 11. [632]How much memory do I need in my Squid server? + 12. [633]Why can't my Squid process grow beyond a certain size? + +Why does Squid use so much memory!? + + Squid uses a lot of memory for performance reasons. It takes much, much + longer to read something from disk than it does to read directly from + memory. + + A small amount of metadata for each cached object is kept in memory. + This is the StoreEntry data structure. For Squid-2 this is 56-bytes on + "small" pointer architectures (Intel, Sparc, MIPS, etc) and 88-bytes on + "large" pointer architectures (Alpha). In addition, there is a 16-byte + cache key (MD5 checksum) associated with each StoreEntry. This means + there are 72 or 104 bytes of metadata in memory for every object in + your cache. A cache with 1,000,000 objects therefore requires 72MB of + memory for metadata only. In practice it requires much more than that. + + Other uses of memory by Squid include: + * Disk buffers for reading and writing + * Network I/O buffers + * IP Cache contents + * FQDN Cache contents + * Netdb ICMP measurement database + * Per-request state information, including full request and reply + headers + * Miscellaneous statistics collection. + * "Hot objects" which are kept entirely in memory. + +How can I tell how much memory my Squid process is using? + + One way is to simply look at ps output on your system. For BSD-ish + systems, you probably want to use the -u option and look at the VSZ and + RSS fields: +wessels ~ 236% ps -axuhm +USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND +squid 9631 4.6 26.4 141204 137852 ?? S 10:13PM 78:22.80 squid -NCYs + + For SYSV-ish, you probably want to use the -l option. When interpreting + the ps output, be sure to check your ps manual page. It may not be + obvious if the reported numbers are kbytes, or pages (usually 4 kb). + + A nicer way to check the memory usage is with a program called top: +last pid: 20128; load averages: 0.06, 0.12, 0.11 14:10:58 +46 processes: 1 running, 45 sleeping +CPU states: % user, % nice, % system, % interrupt, % idle +Mem: 187M Active, 1884K Inact, 45M Wired, 268M Cache, 8351K Buf, 1296K Free +Swap: 1024M Total, 256K Used, 1024M Free + + PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND + 9631 squid 2 0 138M 135M select 78:45 3.93% 3.93% squid + + Finally, you can ask the Squid process to report its own memory usage. + This is available on the Cache Manager info page. Your output may vary + depending upon your operating system and Squid version, but it looks + similar to this: +Resource usage for squid: +Maximum Resident Size: 137892 KB +Memory usage for squid via mstats(): +Total space in arena: 140144 KB +Total free: 8153 KB 6% + + If your RSS (Resident Set Size) value is much lower than your process + size, then your cache performance is most likely suffering due to + Paging. See also [634]../CacheManager + +My Squid process grows without bounds. + + You might just have your cache_mem parameter set too high. See What can + I do to reduce Squid's memory usage? below. + + When a process continually grows in size, without levelling off or + slowing down, it often indicates a memory leak. A memory leak is when + some chunk of memory is used, but not free'd when it is done being + used. + + Memory leaks are a real problem for programs (like Squid) which do all + of their processing within a single process. Historically, Squid has + had real memory leak problems. But as the software has matured, we + believe almost all of Squid's memory leaks have been eliminated, and + new ones are least easy to identify. + + Memory leaks may also be present in your system's libraries, such as + libc.a or even libmalloc.a. If you experience the ever-growing process + size phenomenon, we suggest you first try [635]#alternate-malloc. + +I set cache_mem to XX, but the process grows beyond that! + + The cache_mem parameter does NOT specify the maximum size of the + process. It only specifies how much memory to use for caching "hot" + (very popular) replies. Squid's actual memory usage is depends very + strongly on your cache size (disk space) and your incoming request + load. Reducing cache_mem will usually also reduce the process size, but + not necessarily, and there are other ways to reduce Squid's memory + usage (see below). + + See also [636]How much memory do I need in my Squid server?. + +How do I analyze memory usage from the cache manger output? + + Note: This information is specific to Squid-1.1 versions + + Look at your cachemgr.cgi Cache Information page. For example: +Memory usage for squid via mallinfo(): + Total space in arena: 94687 KB + Ordinary blocks: 32019 KB 210034 blks + Small blocks: 44364 KB 569500 blks + Holding blocks: 0 KB 5695 blks + Free Small blocks: 6650 KB + Free Ordinary blocks: 11652 KB + Total in use: 76384 KB 81% + Total free: 18302 KB 19% + +Meta Data: +StoreEntry 246043 x 64 bytes = 15377 KB +IPCacheEntry 971 x 88 bytes = 83 KB +Hash link 2 x 24 bytes = 0 KB +URL strings = 11422 KB +Pool MemObject structures 514 x 144 bytes = 72 KB ( 70 free) +Pool for Request structur 516 x 4380 bytes = 2207 KB ( 2121 free) +Pool for in-memory object 6200 x 4096 bytes = 24800 KB ( 22888 free) +Pool for disk I/O 242 x 8192 bytes = 1936 KB ( 1888 free) +Miscellaneous = 2600 KB +total Accounted = 58499 KB + + First note that mallinfo() reports 94M in "arena." This is pretty close + to what top says (97M). + + Of that 94M, 81% (76M) is actually being used at the moment. The rest + has been freed, or pre-allocated by malloc(3) and not yet used. + + Of the 76M in use, we can account for 58.5M (76%). There are some calls + to malloc(3) for which we can't account. + + The Meta Data list gives the breakdown of where the accounted memory + has gone. 45% has gone to StoreEntry and URL strings. Another 42% has + gone to buffering hold objects in VM while they are fetched and relayed + to the clients (Pool for in-memory object). + + The pool sizes are specified by squid.conf parameters. In version 1.0, + these pools are somewhat broken: we keep a stack of unused pages + instead of freeing the block. In the Pool for in-memory object, the + unused stack size is 1/2 of cache_mem. The Pool for disk I/O is + hardcoded at 200. For MemObject and Request it's 1/8 of your system's + FD_SETSIZE value. + + If you need to lower your process size, we recommend lowering the max + object sizes in the 'http', 'ftp' and 'gopher' config lines. You may + also want to lower cache_mem to suit your needs. But if you make + cache_mem too low, then some objects may not get saved to disk during + high-load periods. Newer Squid versions allow you to set memory_pools + off to disable the free memory pools. + +The "Total memory accounted" value is less than the size of my Squid process. + + We are not able to account for all memory that Squid uses. This would + require excessive amounts of code to keep track of every last byte. We + do our best to account for the major uses of memory. + + Also, note that the malloc and free functions have their own overhead. + Some additional memory is required to keep track of which chunks are in + use, and which are free. Additionally, most operating systems do not + allow processes to shrink in size. When a process gives up memory by + calling free, the total process size does not shrink. So the process + size really represents the maximum size your Squid process has reached. + +xmalloc: Unable to allocate 4096 bytes! + + by [637]HenrikNordstrm + + Messages like "FATAL: xcalloc: Unable to allocate 4096 blocks of 1 + bytes!" appear when Squid can't allocate more memory, and on most + operating systems (inclusive BSD) there are only two possible reasons: + * The machine is out of swap + * The process' maximum data segment size has been reached + + The first case is detected using the normal swap monitoring tools + available on the platform (pstat on SunOS, perhaps pstat is used on BSD + as well). + + To tell if it is the second case, first rule out the first case and + then monitor the size of the Squid process. If it dies at a certain + size with plenty of swap left then the max data segment size is reached + without no doubts. + + The data segment size can be limited by two factors: + * Kernel imposed maximum, which no user can go above + * The size set with ulimit, which the user can control. + + When squid starts it sets data and file ulimit's to the hard level. If + you manually tune ulimit before starting Squid make sure that you set + the hard limit and not only the soft limit (the default operation of + ulimit is to only change the soft limit). root is allowed to raise the + soft limit above the hard limit. + + This command prints the hard limits: +ulimit -aH + + This command sets the data size to unlimited: +ulimit -HSd unlimited + + BSD/OS + + by Arjan de Vet + + The default kernel limit on BSD/OS for datasize is 64MB (at least on + 3.0 which I'm using). + + Recompile a kernel with larger datasize settings: + +maxusers 128 +# Support for large inpcb hash tables, e.g. busy WEB servers. +options INET_SERVER +# support for large routing tables, e.g. gated with full Internet routing: +options "KMEMSIZE=\(16*1024*1024\)" +options "DFLDSIZ=\(128*1024*1024\)" +options "DFLSSIZ=\(8*1024*1024\)" +options "SOMAXCONN=128" +options "MAXDSIZ=\(256*1024*1024\)" + + See /usr/share/doc/bsdi/config.n for more info. + + In /etc/login.conf I have this: + +default:\ + :path=/bin /usr/bin /usr/contrib/bin:\ + :datasize-cur=256M:\ + :openfiles-cur=1024:\ + :openfiles-max=1024:\ + :maxproc-cur=1024:\ + :stacksize-cur=64M:\ + :radius-challenge-styles=activ,crypto,skey,snk,token:\ + :tc=auth-bsdi-defaults:\ + :tc=auth-ftp-bsdi-defaults: + +# +# Settings used by /etc/rc and root +# This must be set properly for daemons started as root by inetd as well. +# Be sure reset these values back to system defaults in the default class! +# +daemon:\ + :path=/bin /usr/bin /sbin /usr/sbin:\ + :widepasswords:\ + :tc=default: +# :datasize-cur=128M:\ +# :openfiles-cur=256:\ +# :maxproc-cur=256:\ + + This should give enough space for a 256MB squid process. + + FreeBSD (2.2.X) + + by [wessels Duane Wessels] + + The procedure is almost identical to that for BSD/OS above. Increase + the open filedescriptor limit in /sys/conf/param.c: +int maxfiles = 4096; +int maxfilesperproc = 1024; + + Increase the maximum and default data segment size in your kernel + config file, e.g. /sys/conf/i386/CONFIG: +options "MAXDSIZ=(512*1024*1024)" +options "DFLDSIZ=(128*1024*1024)" + + We also found it necessary to increase the number of mbuf clusters: +options "NMBCLUSTERS=10240" + + And, if you have more than 256 MB of physical memory, you probably have + to disable BOUNCE_BUFFERS (whatever that is), so comment out this line: +#options BOUNCE_BUFFERS #include support for DMA bounce buffers + + Also, update limits in /etc/login.conf: +# Settings used by /etc/rc +# +daemon:\ + :coredumpsize=infinity:\ + :datasize=infinity:\ + :maxproc=256:\ + :maxproc-cur@:\ + :memoryuse-cur=64M:\ + :memorylocked-cur=64M:\ + :openfiles=4096:\ + :openfiles-cur@:\ + :stacksize=64M:\ + :tc=default: + + And don't forget to run "cap_mkdb /etc/login.conf" after editing that + file. + + OSF, Digital Unix + + by Ong Beng Hui + + To increase the data size for Digital UNIX, edit the file + /etc/sysconfigtab and add the entry... +proc: + per-proc-data-size=1073741824 + + Or, with csh, use the limit command, such as +> limit datasize 1024M + + Editing /etc/sysconfigtab requires a reboot, but the limit command + doesn't. + +fork: (12) Cannot allocate memory + + When Squid is reconfigured (SIGHUP) or the logs are rotated (SIGUSR1), + some of the helper processes (dnsserver) must be killed and restarted. + If your system does not have enough virtual memory, the Squid process + may not be able to fork to start the new helper processes. This is due + to the UNIX way of starting child processes using the fork() system + call which temporary duplicates the whole Squid process, and when + rapidly starting many child processes such as on "squid -k rotate" the + memory usage can temporarily grow to many times the normal memory usage + due to several temporary copies of the whole process. + + The best way to fix this is to increase your virtual memory by adding + swap space. Normally your system uses raw disk partitions for swap + space, but most operating systems also support swapping on regular + files (Digital Unix excepted). See your system manual pages for swap, + swapon, and mkfile. Alternatively you can use the sleep_after_fork + directive to make Squid sleep a little while invoking helpers to allow + the helper to start up before trying to start the next one. This can be + helpful if you find that Squid sometimes fail to restart all helpers on + "squid -k reconfigure". + +What can I do to reduce Squid's memory usage? + + If your cache performance is suffering because of memory limitations, + you might consider buying more memory. But if that is not an option, + There are a number of things to try: + * Try a different malloc library (see below) + * Reduce the cache_mem parameter in the config file. This controls + how many "hot" objects are kept in memory. Reducing this parameter + will not significantly affect performance, but you may recieve some + warnings in cache.log if your cache is busy. + * Turn the memory_pools off in the config file. This causes Squid to + give up unused memory by calling free() instead of holding on to + the chunk for potential, future use. Generally speaking, this is a + bad idea as it will induce heap fragmentation. Use + memory_pools_limit instead. + * Reduce the cache_swap parameter in your config file. This will + reduce the number of objects Squid keeps. Your overall hit ratio + may go down a little, but your cache will perform significantly + better. + +Using an alternate malloc library + + Many users have found improved performance and memory utilization when + linking Squid with an external malloc library. We recommend either GNU + malloc, or dlmalloc. + +GNU malloc + + To make Squid use GNU malloc follow these simple steps: + * - Download the GNU malloc source, available from one of [[638]GNU + FTP Mirror sites. - Compile it + +% gzip -dc malloc.tar.gz | tar xf - +% cd malloc +% vi Makefile # edit as needed +% make + + * - Copy libmalloc.a to your system's library directory and be sure + to name it libgnumalloc.a. + +% su +# cp malloc.a /usr/lib/libgnumalloc.a + + * - (Optional) Copy the GNU malloc.h to your system's include + directory and be sure to name it gnumalloc.h. This step is not + required, but if you do this, then Squid will be able to use the + mstat() function to report memory usage statistics on the cachemgr + info page. + +# cp malloc.h /usr/include/gnumalloc.h + + * - Reconfigure and recompile Squid + +% make distclean +% ./configure ... +% make +% make install + + As Squid's configure script runs, watch its output. You should find + that it locates libgnumalloc.a and optionally gnumalloc.h. + +dlmalloc + + [639]dlmalloc has been written by Doug Lea. According to Doug: +This is not the fastest, most space-conserving, most portable, or +most tunable malloc ever written. However it is among the fastest +while also being among the most space-conserving, portable and tunable. + + dlmalloc is included with the Squid-2 source distribution. To use this + library, you simply give an option to the configure script: +% ./configure --enable-dlmalloc ... + +How much memory do I need in my Squid server? + + As a rule of thumb on Squid uses approximately 10 MB of RAM per GB of + the total of all cache_dirs (more on 64 bit servers such as Alpha), + plus your cache_mem setting and about an additional 10-20MB. It is + recommended to have at least twice this amount of physical RAM + available on your Squid server. For a more detailed discussion on + Squid's memory usage see the sections above. + + The recommended extra RAM besides what is used by Squid is used by the + operating system to improve disk I/O performance and by other + applications or services running on the server. This will be true even + of a server which runs Squid as the only tcp service, since there is a + minimum level of memory needed for process management, logging, and + other OS level routines. + + If you have a low memory server, and a large disk, then you will not + necessarily be able to use all the disk space, since as the cache fills + the memory available will be insufficient, forcing Squid to swap out + memory and affecting performance. A very large cache_dir total and + insufficient physical RAM + Swap could cause Squid to stop functioning + completely. The solution for larger caches is to get more physical RAM; + allocating more to Squid via cache_mem will not help. + +Why can't my Squid process grow beyond a certain size? + + by [[640]AdrianChadd Adrian Chadd] + + A number of people are running Squid with more than a gigabyte of + memory. Here are some things to keep in mind. + * The Operating System may put a limit on how much memory available + per-process. Check the resource limits (/etc/security/limits.conf + or similar under PAM systems, 'ulimit', etc.) + * The Operating System may have a limit on the size of processes. + 32-bit platforms are sometimes "split" to be 2gb process/2gb + kernel; this can be changed to be 3gb process/1gb kernel through a + kernel recompile or boot-time option. Check your operating system's + documentation for specific details. + * Some malloc implementations may not support > 2gb of memory - eg + dlmalloc. Don't use dlmalloc unless your platform is very broken + (and then realise you won't be able to use >2gb RAM using it.) + * Make sure the Squid has been compiled to be a 64 bit binary (with + modern Unix-like OSes you can use the 'file' command for this); + some platforms may have a 64 bit kernel but a 32 bit userland, or + the compiler may default to a 32 bit userland. + __________________________________________________________________ + + Contents + 1. [641]What is the cache manager? + 2. [642]How do you set it up? + 3. [643]Cache manager configuration for CERN httpd 3.0 + 4. [644]Cache manager configuration for Apache + 5. [645]Cache manager configuration for Roxen 2.0 and later + 6. [646]Cache manager access from squidclient + 7. [647]Cache manager ACLs in squid.conf + 8. [648]Why does it say I need a password and a URL? + 9. [649]I want to shutdown the cache remotely. What's the password? + 10. [650]How do I make the cache host default to my cache? + 11. [651]What's the difference between Squid TCP connections and Squid + UDP connections? + 12. [652]It says the storage expiration will happen in 1970! + 13. [653]What do the Meta Data entries mean? + 14. [654]In the utilization section, what is Other? + 15. [655]In the utilization section, why is the Transfer KB/sec column + always zero? + 16. [656]In the utilization section, what is the Object Count? + 17. [657]In the utilization section, what is the Max/Current/Min KB? + 18. [658]What is the I/O section about? + 19. [659]What is the Objects section for? + 20. [660]What is the VM Objects section for? + 21. [661]What does AVG RTT mean? + 22. [662]In the IP cache section, what's the difference between a hit, + a negative hit and a miss? + 23. [663]What do the IP cache contents mean anyway? + 24. [664]What is the fqdncache and how is it different from the + ipcache? + 25. [665]What does "Page faults with physical i/o: 4897" mean? + 26. [666]What does the IGNORED field mean in the 'cache server list'? + + Chapter contributed by Jonathan Larmour + +What is the cache manager? + + The cache manager (cachemgr.cgi) is a CGI utility for displaying + statistics about the squid process as it runs. The cache manager is a + convenient way to manage the cache and view statistics without logging + into the server. + +How do you set it up? + + That depends on which web server you're using. Below you will find + instructions for configuring the CERN and Apache servers to permit + cachemgr.cgi usage. + + {i} + + EDITOR'S NOTE: readers are encouraged to submit instructions for + configuration of cachemgr.cgi on other web server platforms, such as + Netscape. + + After you edit the server configuration files, you will probably need + to either restart your web server or or send it a SIGHUP signal to tell + it to re-read its configuration files. + + When you're done configuring your web server, you'll connect to the + cache manager with a web browser, using a URL such as: + + [667]http://www.example.com/Squid/cgi-bin/cachemgr.cgi + +Cache manager configuration for CERN httpd 3.0 + + First, you should ensure that only specified workstations can access + the cache manager. That is done in your CERN httpd.conf, not in + squid.conf. + +Protection MGR-PROT { + Mask @(workstation.example.com) +} + + Wildcards are acceptable, IP addresses are acceptable, and others can + be added with a comma-separated list of IP addresses. There are many + more ways of protection. Your server documentation has details. + + You also need to add: + +Protect /Squid/* MGR-PROT +Exec /Squid/cgi-bin/*.cgi /usr/local/squid/bin/*.cgi + + This marks the script as executable to those in MGR-PROT. + +Cache manager configuration for Apache + + First, make sure the cgi-bin directory you're using is listed with a + ScriptAlias in your Apache httpd.conf file like this: + +ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/ + + It's probably a bad idea to ScriptAlias the entire + //usr/local/squid/bin/ directory where all the Squid executables live. + + Next, you should ensure that only specified workstations can access the + cache manager. That is done in your Apache httpd.conf, not in + squid.conf. At the bottom of httpd.conf file, insert: + + +order allow,deny +allow from workstation.example.com + + + You can have more than one allow line, and you can allow domains or + networks. + + Alternately, cachemgr.cgi can be password-protected. You'd add the + following to httpd.conf: + + +AuthUserFile /path/to/password/file +AuthGroupFile /dev/null +AuthName User/Password Required +AuthType Basic +require user cachemanager + + + Consult the Apache documentation for information on using htpasswd to + set a password for this "user." + +Cache manager configuration for Roxen 2.0 and later + + by [668]FrancescoChemolli + + Notice: this is not how things would get best done with Roxen, but this + what you need to do go adhere to the example. Also, knowledge of basic + Roxen configuration is required. + + This is what's required to start up a fresh Virtual Server, only + serving the cache manager. If you already have some Virtual Server you + wish to use to host the Cache Manager, just add a new CGI support + module to it. + + Create a new virtual server, and set it to host + [669]http://www.example.com/. Add to it at least the following modules: + * Content Types + * CGI scripting support + + In the CGI scripting support module, section Settings, change the + following settings: + * CGI-bin path: set to /Squid/cgi-bin/ + * Handle *.cgi: set to no + * Run user scripts as owner: set to no + * Search path: set to the directory containing the cachemgr.cgi file + + In section Security, set Patterns to: + +allow ip=1.2.3.4 + + where 1.2.3.4 is the IP address for workstation.example.com + + Save the configuration, and you're done. + +Cache manager access from squidclient + + A simple way to test the access to the cache manager is: +% ./squidclient -p 8080 mgr:info@yourcachemanagerpassword + + Note, 8080 and yourcachemanagerpassword come from your exact + squid.configuration See squidclient -h for more options. + +Cache manager ACLs in squid.conf + + The default cache manager access configuration in squid.conf is: + +acl manager proto cache_object +acl localhost src 127.0.0.1/255.255.255.255 +acl all src 0.0.0.0/0.0.0.0 + + With the following rules: + +http_access deny manager !localhost +http_access allow all + + The first ACL is the most important as the cache manager program + interrogates squid using a special cache_object protocol. Try it + yourself by doing: + +telnet mycache.example.com 3128 +GET cache_object://mycache.example.com/info HTTP/1.0 + + The default ACLs say that if the request is for a cache_object, and it + isn't the local host, then deny access; otherwise allow access. + + In fact, only allowing localhost access means that on the initial + cachemgr.cgi form you can only specify the cache host as localhost. We + recommend the following: + +acl manager proto cache_object +acl localhost src 127.0.0.1/255.255.255.255 +acl example src 123.123.123.123/255.255.255.255 +acl all src 0.0.0.0/0.0.0.0 + + Where 123.123.123.123 is the IP address of your web server. Then modify + the rules like this: + +http_access allow manager localhost +http_access allow manager example +http_access deny manager +http_access allow all + + If you're using miss_access, then don't forget to also add a + miss_access rule for the cache manager: + +miss_access allow manager + + The default ACLs assume that your web server is on the same machine as + squid. Remember that the connection from the cache manager program to + squid originates at the web server, not the browser. So if your web + server lives somewhere else, you should make sure that IP address of + the web server that has cachemgr.cgi installed on it is in the example + ACL above. + + Always be sure to send a SIGHUP signal to squid any time you change the + squid.conf file, or to run squid -k reconfigure. + +Why does it say I need a password and a URL? + + If you "drop" the list box, and browse it, you will see that the + password is only required to shutdown the cache, and the URL is + required to refresh an object (i.e., retrieve it from its original + source again) Otherwise these fields can be left blank: a password is + not required to obtain access to the informational aspects of + cachemgr.cgi. + +I want to shutdown the cache remotely. What's the password? + + See the cachemgr_passwd directive in squid.conf. + +How do I make the cache host default to my cache? + + When you run configure use the --enable-cachemgr-hostname option: + +% ./configure --enable-cachemgr-hostname=`hostname` ... + + Note, if you do this after you already installed Squid before, you need + to make sure cachemgr.cgi gets recompiled. For example: + +% cd src +% rm cachemgr.o cachemgr.cgi +% make cachemgr.cgi + + Then copy cachemgr.cgi to your HTTP server's cgi-bin directory. + +What's the difference between Squid TCP connections and Squid UDP +connections? + + Browsers and caches use TCP connections to retrieve web objects from + web servers or caches. UDP connections are used when another cache + using you as a sibling or parent wants to find out if you have an + object in your cache that it's looking for. The UDP connections are ICP + queries. + +It says the storage expiration will happen in 1970! + + Don't worry. The default (and sensible) behavior of squid is to expire + an object when it happens to overwrite it. It doesn't explicitly + garbage collect (unless you tell it to in other ways). + +What do the Meta Data entries mean? + + StoreEntry + Entry describing an object in the cache. + + IPCacheEntry + An entry in the DNS cache. + + Hash link + Link in the cache hash table structure. + + URL strings + The strings of the URLs themselves that map to an object number + in the cache, allowing access to the StoreEntry. + + Basically just like the log file in your cache directory: + * PoolMemObject structures + * Info about objects currently in memory, (eg, in the process of + being transferred). + * Pool for Request structures + * Information about each request as it happens. + * Pool for in-memory object + * Space for object data as it is retrieved. + + If squid is much smaller than this field, run for cover! Something is + very wrong, and you should probably restart squid. + +In the utilization section, what is Other? + + Other is a default category to track objects which don't fall into one + of the defined categories. + +In the utilization section, why is the Transfer KB/sec column always zero? + + This column contains gross estimations of data transfer rates averaged + over the entire time the cache has been running. These numbers are + unreliable and mostly useless. + +In the utilization section, what is the Object Count? + + The number of objects of that type in the cache right now. + +In the utilization section, what is the Max/Current/Min KB? + + These refer to the size all the objects of this type have grown + to/currently are/shrunk to. + +What is the I/O section about? + + These are histograms on the number of bytes read from the network per + read(2) call. Somewhat useful for determining maximum buffer sizes. + +What is the Objects section for? + + + + This will download to your browser a list of every URL in the cache and + statistics about it. It can be very, very large. Sometimes it will be + larger than the amount of available memory in your client! You probably + don't need this information anyway. + +What is the VM Objects section for? + + VM Objects are the objects which are in Virtual Memory. These are + objects which are currently being retrieved and those which were kept + in memory for fast access (accelerator mode). + +What does AVG RTT mean? + + Average Round Trip Time. This is how long on average after an ICP ping + is sent that a reply is received. + +In the IP cache section, what's the difference between a hit, a negative hit +and a miss? + + A HIT means that the document was found in the cache. A MISS, that it + wasn't found in the cache. A negative hit means that it was found in + the cache, but it doesn't exist. + +What do the IP cache contents mean anyway? + + The hostname is the name that was requested to be resolved. + + For the Flags column: + * C means positively cached. + * N means negatively cached. + * P means the request is pending being dispatched. + * D means the request has been dispatched and we're waiting for an + answer. + * L means it is a locked entry because it represents a parent or + sibling. + + The TTL column represents "Time To Live" (i.e., how long the cache + entry is valid). (May be negative if the entry has expired.) + + The N column is the number of hostnames which the cache has + translations for. + + The rest of the line lists all the host names that have been associated + with that IP cache entry. + +What is the fqdncache and how is it different from the ipcache? + + IPCache contains data for the Hostname to IP-Number mapping, and + FQDNCache does it the other way round. For example: + + IP Cache Contents: + +Hostname Flags lstref TTL N [IP-Number] +gorn.cc.fh-lippe.de C 0 21581 1 193.16.112.73 +lagrange.uni-paderborn.de C 6 21594 1 131.234.128.245 +www.altavista.digital.com C 10 21299 4 204.123.2.75 ... +2/ftp.symantec.com DL 1583 -772855 0 +Flags: C --> Cached + D --> Dispatched + N --> Negative Cached + L --> Locked +lstref: Time since last use +TTL: Time-To-Live until information expires +N: Count of addresses + + FQDN Cache Contents: + +IP-Number Flags TTL N Hostname +130.149.17.15 C -45570 1 andele.cs.tu-berlin.de +194.77.122.18 C -58133 1 komet.teuto.de +206.155.117.51 N -73747 0 +Flags: C --> Cached + D --> Dispatched + N --> Negative Cached + L --> Locked +TTL: Time-To-Live until information expires +N: Count of names + +What does "Page faults with physical i/o: 4897" mean? + + This question was asked on the squid-users mailing list, to which there + were three excellent replies. + + by Jonathan Larmour + + You get a "page fault" when your OS tries to access something in memory + which is actually swapped to disk. The term "page fault" while correct + at the kernel and CPU level, is a bit deceptive to a user, as there's + no actual error - this is a normal feature of operation. + + Also, this doesn't necessarily mean your squid is swapping by that + much. Most operating systems also implement paging for executables, so + that only sections of the executable which are actually used are read + from disk into memory. Also, whenever squid needs more memory, the fact + that the memory was allocated will show up in the page faults. + + However, if the number of faults is unusually high, and getting bigger, + this could mean that squid is swapping. Another way to verify this is + using a program called "vmstat" which is found on most UNIX platforms. + If you run this as "vmstat 5" this will update a display every 5 + seconds. This can tell you if the system as a whole is swapping a lot + (see your local man page for vmstat for more information). + + It is very bad for squid to swap, as every single request will be + blocked until the requested data is swapped in. It is better to tweak + the cache_mem and/or memory_pools setting in squid.conf, or switch to + the NOVM versions of squid, than allow this to happen. + + by Peter Wemm + + There's two different operations at work, Paging and swapping. Paging + is when individual pages are shuffled (either discarded or swapped + to/from disk), while "swapping" generally means the entire process got + sent to/from disk. + + Needless to say, swapping a process is a pretty drastic event, and + usually only reserved for when there's a memory crunch and paging out + cannot free enough memory quickly enough. Also, there's some variation + on how swapping is implemented in OS's. Some don't do it at all or do a + hybrid of paging and swapping instead. + + As you say, paging out doesn't necessarily involve disk IO, eg: text + (code) pages are read-only and can simply be discarded if they are not + used (and reloaded if/when needed). Data pages are also discarded if + unmodified, and paged out if there's been any changes. Allocated memory + (malloc) is always saved to disk since there's no executable file to + recover the data from. mmap() memory is variable.. If it's backed from + a file, it uses the same rules as the data segment of a file - ie: + either discarded if unmodified or paged out. + + There's also "demand zeroing" of pages as well that cause faults.. If + you malloc memory and it calls brk()/sbrk() to allocate new pages, the + chances are that you are allocated demand zero pages. Ie: the pages are + not "really" attached to your process yet, but when you access them for + the first time, the page fault causes the page to be connected to the + process address space and zeroed - this saves unnecessary zeroing of + pages that are allocated but never used. + + The "page faults with physical IO" comes from the OS via getrusage(). + It's highly OS dependent on what it means. Generally, it means that the + process accessed a page that was not present in memory (for whatever + reason) and there was disk access to fetch it. Many OS's load + executables by demand paging as well, so the act of starting squid + implicitly causes page faults with disk IO - however, many (but not + all) OS's use "read ahead" and "prefault" heuristics to streamline the + loading. Some OS's maintain "intent queues" so that pages can be + selected as pageout candidates ahead of time. When (say) squid touches + a freshly allocated demand zero page and one is needed, the OS can page + out one of the candidates on the spot, causing a 'fault with physical + IO' with demand zeroing of allocated memory which doesn't happen on + many other OS's. (The other OS's generally put the process to sleep + while the pageout daemon finds a page for it). + + The meaning of "swapping" varies. On FreeBSD for example, swapping out + is implemented as unlocking upages, kernel stack, PTD etc for + aggressive pageout with the process. The only thing left of the process + in memory is the 'struct proc'. The FreeBSD paging system is highly + adaptive and can resort to paging in a way that is equivalent to the + traditional swapping style operation (ie: entire process). FreeBSD also + tries stealing pages from active processes in order to make space for + disk cache. I suspect this is why setting 'memory_pools off' on the + non-NOVM squids on FreeBSD is reported to work better - the VM/buffer + system could be competing with squid to cache the same pages. It's a + pity that squid cannot use mmap() to do file IO on the 4K chunks in + it's memory pool (I can see that this is not a simple thing to do + though, but that won't stop me wishing. :-). + + by John Line + + The comments so far have been about what paging/swapping figures mean + in a "traditional" context, but it's worth bearing in mind that on some + systems (Sun's Solaris 2, at least), the virtual memory and filesystem + handling are unified and what a user process sees as reading or writing + a file, the system simply sees as paging something in from disk or a + page being updated so it needs to be paged out. (I suppose you could + view it as similar to the operating system memory-mapping the files + behind-the-scenes.) + + The effect of this is that on Solaris 2, paging figures will also + include file I/O. Or rather, the figures from vmstat certainly appear + to include file I/O, and I presume (but can't quickly test) that + figures such as those quoted by Squid will also include file I/O. + + To confirm the above (which represents an impression from what I've + read and observed, rather than 100% certain facts...), using an + otherwise idle Sun Ultra 1 system system I just tried using cat (small, + shouldn't need to page) to copy (a) one file to another, (b) a file to + /dev/null, (c) /dev/zero to a file, and (d) /dev/zero to /dev/null + (interrupting the last two with control-C after a while!), while + watching with vmstat. 300-600 page-ins or page-outs per second when + reading or writing a file (rather than a device), essentially zero in + other cases (and when not cat-ing). + + So ... beware assuming that all systems are similar and that paging + figures represent *only* program code and data being shuffled to/from + disk - they may also include the work in reading/writing all those + files you were accessing... + + Ok, so what is unusually high? + + You'll probably want to compare the number of page faults to the number + of HTTP requests. If this ratio is close to, or exceeding 1, then Squid + is paging too much. + +What does the IGNORED field mean in the 'cache server list'? + + This refers to ICP replies which Squid ignored, for one of these + reasons: + * The URL in the reply could not be found in the cache at all. + * The URL in the reply was already being fetched. Probably this ICP + reply arrived too late. + * The URL in the reply did not have a MemObject associated with it. + Either the request is already finished, or the user aborted before + the ICP arrived. + * The reply came from a multicast-responder, but the + cache_peer_access configuration does not allow us to forward this + request to that neighbor. + * Source-Echo replies from known neighbors are ignored. + * ICP_OP_DENIED replies are ignored after the first 100. + __________________________________________________________________ + + Contents + 1. [670]ACL elements + 2. [671]Access Lists + 3. [672]How do I allow my clients to use the cache? + 4. [673]how do I configure Squid not to cache a specific server? + 5. [674]How do I implement an ACL ban list? + 6. [675]How do I block specific users or groups from accessing my + cache? + 1. [676]Using Ident + 2. [677]Using Proxy Authentication + 7. [678]Do you have a CGI program which lets users change their own + proxy passwords? + 8. [679]Is there a way to do ident lookups only for a certain host and + compare the result with a userlist in squid.conf? + 9. [680]Common Mistakes + 1. [681]And/Or logic + 2. [682]allow/deny mixups + 3. [683]Differences between ''src'' and ''srcdomain'' ACL types + 10. [684]I set up my access controls, but they don't work! why? + 11. [685]Proxy-authentication and neighbor caches + 12. [686]Is there an easy way of banning all Destination addresses + except one? + 13. [687]Does anyone have a ban list of porn sites and such? + 14. [688]Squid doesn't match my subdomains + 15. [689]Why does Squid deny some port numbers? + 16. [690]Does Squid support the use of a database such as mySQL for + storing the ACL list? + 17. [691]How can I allow a single address to access a specific URL? + 18. [692]How can I allow some clients to use the cache at specific + times? + 19. [693]How can I allow some users to use the cache at specific times? + 20. [694]Problems with IP ACL's that have complicated netmasks + 21. [695]Can I set up ACL's based on MAC address rather than IP? + 22. [696]Can I limit the number of connections from a client? + 23. [697]I'm trying to deny ''foo.com'', but it's not working. + 24. [698]I want to customize, or make my own error messages. + 25. [699]I want to use local time zone in error messages. + 26. [700]I want to put ACL parameters in an external file. + 27. [701]I want to authorize users depending on their MS Windows group + memberships + 28. [702]Maximum length of an acl name + + Squid's access control scheme is relatively comprehensive and difficult + for some people to understand. There are two different components: ACL + elements, and access lists. An access list consists of an allow or deny + action followed by a number of ACL elements. + +ACL elements + + {i} + + The information here is current for version 2.5. + + Squid knows about the following types of ACL elements: + * src: source (client) IP addresses + * dst: destination (server) IP addresses + * myip: the local IP address of a client's connection + * srcdomain: source (client) domain name + * dstdomain: destination (server) domain name + * srcdom_regex: source (client) regular expression pattern matching + * dstdom_regex: destination (server) regular expression pattern + matching + * time: time of day, and day of week + * url_regex: URL regular expression pattern matching + * urlpath_regex: URL-path regular expression pattern matching, leaves + out the protocol and hostname + * port: destination (server) port number + * myport: local port number that client connected to + * proto: transfer protocol (http, ftp, etc) + * method: HTTP request method (get, post, etc) + * browser: regular expression pattern matching on the request's + user-agent header + * ident: string matching on the user's name + * ident_regex: regular expression pattern matching on the user's name + * src_as: source (client) Autonomous System number + * dst_as: destination (server) Autonomous System number + * proxy_auth: user authentication via external processes + * proxy_auth_regex: user authentication via external processes + * snmp_community: SNMP community string matching + * maxconn: a limit on the maximum number of connections from a single + client IP address + * req_mime_type: regular expression pattern matching on the request + content-type header + * arp: Ethernet (MAC) address matching + * rep_mime_type: regular expression pattern matching on the reply + (downloaded content) content-type header. This is only usable in + the http_reply_access directive, not http_access. + * external: lookup via external acl helper defined by + external_acl_type + + Notes: + + Not all of the ACL elements can be used with all types of access lists + (described below). For example, snmp_community is only meaningful when + used with snmp_access. The src_as and dst_as types are only used in + cache_peer_access access lists. + + The arp ACL requires the special configure option --enable-arp-acl. + Furthermore, the ARP ACL code is not portable to all operating systems. + It works on Linux, Solaris, and some *BSD variants. + + The SNMP ACL element and access list require the --enable-snmp + configure option. + + Some ACL elements can cause processing delays. For example, use of + src_domain and srcdom_regex require a reverse DNS lookup on the + client's IP address. This lookup adds some delay to the request. + + Each ACL element is assigned a unique name. A named ACL element + consists of a list of values. When checking for a match, the multiple + values use OR logic. In other words, an ACL element is matched when any + one of its values is a match. + + You can't give the same name to two different types of ACL elements. It + will generate a syntax error. + + You can put different values for the same ACL name on different lines. + Squid combines them into one list. + +Access Lists + + There are a number of different access lists: + * http_access: Allows HTTP clients (browsers) to access the HTTP + port. This is the primary access control list. + * http_reply_access: Allows HTTP clients (browsers) to receive the + reply to their request. This further restricts permissions given by + http_access, and is primarily intended to be used together with the + rep_mime_type acl type for blocking different content types. + * icp_access: Allows neighbor caches to query your cache with ICP. + * miss_access: Allows certain clients to forward cache misses through + your cache. This further restricts permissions given by + http_access, and is primarily intended to be used for enforcing + sibling relations by denying siblings from forwarding cache misses + through your cache. + * no_cache: Defines responses that should not be cached. + * redirector_access: Controls which requests are sent through the + redirector pool. + * ident_lookup_access: Controls which requests need an Ident lookup. + * always_direct: Controls which requests should always be forwarded + directly to origin servers. + * never_direct: Controls which requests should never be forwarded + directly to origin servers. + * snmp_access: Controls SNMP client access to the cache. + * broken_posts: Defines requests for which squid appends an extra + CRLF after POST message bodies as required by some broken origin + servers. + * cache_peer_access: Controls which requests can be forwarded to a + given neighbor (peer). + + Notes: + + An access list rule consists of an allow or deny keyword, followed by a + list of ACL element names. + + An access list consists of one or more access list rules. + + Access list rules are checked in the order they are written. List + searching terminates as soon as one of the rules is a match. + + If a rule has multiple ACL elements, it uses AND logic. In other words, + all ACL elements of the rule must be a match in order for the rule to + be a match. This means that it is possible to write a rule that can + never be matched. For example, a port number can never be equal to both + 80 AND 8000 at the same time. + + To summarise the acl logics can be described as: + +http_access allow|deny acl AND acl AND ... + OR +http_access allow|deny acl AND acl AND ... + OR +... + + If none of the rules are matched, then the default action is the + opposite of the last rule in the list. Its a good idea to be explicit + with the default action. The best way is to thse the all ACL. For + example: + +acl all src 0/0 +http_access deny all + +How do I allow my clients to use the cache? + + Define an ACL that corresponds to your client's IP addresses. For + example: + +acl myclients src 172.16.5.0/24 + + Next, allow those clients in the http_access list: + +http_access allow myclients + +how do I configure Squid not to cache a specific server? + +acl someserver dstdomain .someserver.com +no_cache deny someserver + +How do I implement an ACL ban list? + + As an example, we will assume that you would like to prevent users from + accessing cooking recipes. + + One way to implement this would be to deny access to any URLs that + contain the words "cooking" or "recipe." You would use these + configuration lines: + +acl Cooking1 url_regex cooking +acl Recipe1 url_regex recipe +acl myclients src 172.16.5.0/24 +http_access deny Cooking1 +http_access deny Recipe1 +http_access allow myclients +http_access deny all + + The url_regex means to search the entire URL for the regular expression + you specify. Note that these regular expressions are case-sensitive, so + a url containing "Cooking" would not be denied. + + Another way is to deny access to specific servers which are known to + hold recipes. For example: + +acl Cooking2 dstdomain www.gourmet-chef.com +http_access deny Cooking2 +http_access allow all + + The dstdomain means to search the hostname in the URL for the string + "www.gourmet-chef.com." Note that when IP addresses are used in URLs + (instead of domain names), Squid-1.1 implements relaxed access + controls. If the a domain name for the IP address has been saved in + Squid's "FQDN cache," then Squid can compare the destination domain + against the access controls. However, if the domain is not immediately + available, Squid allows the request and makes a lookup for the IP + address so that it may be available for future reqeusts. + +How do I block specific users or groups from accessing my cache? + +Using Ident + + You can use [703]ident lookups to allow specific users access to your + cache. This requires that an [704]ident server process runs on the + user's machine(s). In your squid.conf configuration file you would + write something like this: + +ident_lookup_access allow all +acl friends ident kim lisa frank joe +http_access allow friends +http_access deny all + +Using Proxy Authentication + + Another option is to use proxy-authentication. In this scheme, you + assign usernames and passwords to individuals. When they first use the + proxy they are asked to authenticate themselves by entering their + username and password. + + In Squid v2 this authentication is hanled via external processes. For + information on how to configure this, please see + [705]../ProxyAuthentication. + +Do you have a CGI program which lets users change their own proxy passwords? + + [706]Pedro L Orso has adapted the Apache's htpasswd into a CGI program + called [/htpasswd/chpasswd-cgi.tar.gz chpasswd.cgi]. + +Is there a way to do ident lookups only for a certain host and compare the +result with a userlist in squid.conf? + + You can use the ident_access directive to control for which hosts Squid + will issue [707]ident lookup requests. + + Additionally, if you use a ident ACL in squid conf, then Squid will + make sure an ident lookup is performed while evaluating the acl even if + iden_access does not indicate ident lookups should be performed. + + However, Squid does not wait for the lookup to complete unless the ACL + rules require it. Consider this configuration: + +acl host1 src 10.0.0.1 +acl host2 src 10.0.0.2 +acl pals ident kim lisa frank joe +http_access allow host1 +http_access allow host2 pals + + Requests coming from 10.0.0.1 will be allowed immediately because there + are no user requirements for that host. However, requests from 10.0.0.2 + will be allowed only after the ident lookup completes, and if the + username is in the set kim, lisa, frank, or joe. + +Common Mistakes + +And/Or logic + + You've probably noticed (and been frustrated by) the fact that you + cannot combine access controls with terms like "and" or "or." These + operations are already built in to the access control scheme in a + fundamental way which you must understand. + * All elements of an acl entry are OR'ed together. + * All elements of an access entry are AND'ed together (e.g. + http_access and icp_access) + + For example, the following access control configuration will never + work: + +acl ME src 10.0.0.1 +acl YOU src 10.0.0.2 +http_access allow ME YOU + + In order for the request to be allowed, it must match the "ME" acl AND + the "YOU" acl. This is impossible because any IP address could only + match one or the other. This should instead be rewritten as: + +acl ME src 10.0.0.1 +acl YOU src 10.0.0.2 +http_access allow ME +http_access allow YOU + + Or, alternatively, this would also work: + +acl US src 10.0.0.1 10.0.0.2 +http_access allow US + +allow/deny mixups + + I have read through my squid.conf numerous times, spoken to my + neighbors, read the FAQ and Squid Docs and cannot for the life of me + work out why the following will not work. + + I can successfully access cachemgr.cgi from our web server machine + here, but I would like to use MRTG to monitor various aspects of our + proxy. When I try to use 'squidclient' or GET cache_object from the + machine the proxy is running on, I always get access denied. + +acl manager proto cache_object +acl localhost src 127.0.0.1/255.255.255.255 +acl server src 1.2.3.4/255.255.255.255 +acl all src 0.0.0.0/0.0.0.0 +acl ourhosts src 1.2.0.0/255.255.0.0 +http_access deny manager !localhost !server +http_access allow ourhosts +http_access deny all + + The intent here is to allow cache manager requests from the localhost + and server addresses, and deny all others. This policy has been + expressed here: + +http_access deny manager !localhost !server + + The problem here is that for allowable requests, this access rule is + not matched. For example, if the source IP address is localhost, then + "!localhost" is false and the access rule is not matched, so Squid + continues checking the other rules. Cache manager requests from the + server address work because server is a subset of ourhosts and the + second access rule will match and allow the request. Also note that + this means any cache manager request from ourhosts would be allowed. + + To implement the desired policy correctly, the access rules should be + rewritten as + +http_access allow manager localhost +http_access allow manager server +http_access deny manager +http_access allow ourhosts +http_access deny all + + If you're using miss_access, then don't forget to also add a + miss_access rule for the cache manager: + +miss_access allow manager + + You may be concerned that the having five access rules instead of three + may have an impact on the cache performance. In our experience this is + not the case. Squid is able to handle a moderate amount of access + control checking without degrading overall performance. You may like to + verify that for yourself, however. + +Differences between ''src'' and ''srcdomain'' ACL types + + For the srcdomain ACL type, Squid does a reverse lookup of the client's + IP address and checks the result with the domains given on the acl + line. With the src ACL type, Squid converts hostnames to IP addresses + at startup and then only compares the client's IP address. The src ACL + is preferred over srcdomain because it does not require address-to-name + lookups for each request. + +I set up my access controls, but they don't work! why? + + If ACLs are giving you problems and you don't know why they aren't + working, you can use this tip to debug them. + + In squid.conf enable debugging for section 33 at level 2. For example: + +debug_options ALL,1 33,2 + + Then restart or reconfigure squid. + + From now on, your cache.log should contain a line for every request + that explains if it was allowed, or denied, and which ACL was the last + one that it matched. + + If this does not give you sufficient information to nail down the + problem you can also enable detailed debug information on ACL + processing + +debug_options ALL,1 33,2 28,9 + + Then restart or reconfigure squid as above. + + From now on, your cache.log should contain detailed traces of all + access list processing. Be warned that this can be quite some lines per + request. + + See also [708]../TroubleShooting. + +Proxy-authentication and neighbor caches + + The problem + + [ Parents ] + / \ + / \ + [ Proxy A ] --- [ Proxy B ] + | + | + USER + + Proxy A sends and ICP query to Proxy B about an object, Proxy B replies + with an ICP_HIT. Proxy A forwards the HTTP request to Proxy B, but does + not pass on the authentication details, therefore the HTTP GET from + Proxy A fails. + + Only ONE proxy cache in a chain is allowed to "use" the + Proxy-Authentication request header. Once the header is used, it must + not be passed on to other proxies. + + Therefore, you must allow the neighbor caches to request from each + other without proxy authentication. This is simply accomplished by + listing the neighbor ACL's first in the list of http_access lines. For + example: + +acl proxy-A src 10.0.0.1 +acl proxy-B src 10.0.0.2 +acl user_passwords proxy_auth /tmp/user_passwds +http_access allow proxy-A +http_access allow proxy-B +http_access allow user_passwords +http_access deny all + + Squid 2.5 allows two exceptions to this rule, by defining the + appropriate cache_peer options: + +cache_peer parent.foo.com parent login=PASS + + This will forward the user's credentials as-is to the parent proxy + which will be thus able to authenticate again. + + + + This will only work with the Basic authentication scheme. If any other + scheme is enabled, it will fail + +cache_peer parent.foo.com parent login=*:somepassword + + This will perform Basic authentication against the parent, sending the + username of the current client connection and as password always + somepassword. The parent will need to authorization against the child + cache's IP address, as if there was no authentication forwarding, and + it will need to perform client authentication for all usernames against + somepassword via a specially-designed authentication helper. The + purpose is to log the client cache's usernames into the parent's + access.log. You can find an example semi-tested helper of that kind as + [709]parent_auth.pl . + +Is there an easy way of banning all Destination addresses except one? + +acl GOOD dst 10.0.0.1 +acl BAD dst 0.0.0.0/0.0.0.0 +http_access allow GOOD +http_access deny BAD + +Does anyone have a ban list of porn sites and such? + + * Snerpa, an ISP in Iceland operates a DNS-database of IP-addresses + of blacklisted sites containing porn, violence, etc. which is + utilized using a small perl-script redirector. Information on this + on the [710]INfilter webpage. + * The [711]SquidGuard redirector folks provide a blacklist. + * Bill Stearns maintains the [712]sa-blacklist of known spammers. By + blocking the spammer web sites in squid, users can no longer use up + bandwidth downloading spam images and html. Even more importantly, + they can no longer send out requests for things like scripts and + gifs that have a unique identifer attached, showing that they + opened the email and making their addresses more valuable to the + spammer. + * The [713]SleezeBall site has a list of patterns that you can + download. + +Squid doesn't match my subdomains + + If you are using Squid-2.4 or later then keep in mind that dstdomain + acls uses different syntax for exact host matches and entire domain + matches. www.example.com matches the exact host www.example.com, while + .example.com matches the entire domain example.com (including + example.com alone) + + There is also subtle issues if your dstdomain ACLs contains matches for + both an exact host in a domain and the whole domain where both are in + the same domain (i.e. both www.example.com and .example.com). Depending + on how your data is ordered this may cause only the most specific of + these (e.g. www.example.com) to be used. + + {i} + + Current Squid versions (as of Squid-2.4) will warn you when this kind + of configuration is used. If your Squid does not warn you while reading + the configuration file you do not have the problem described below. + Also the configuration here uses the dstdomain syntax of Squid-2.1 or + earlier.. (2.2 and later needs to have domains prefixed by a dot) + + There is a subtle problem with domain-name based access controls when a + single ACL element has an entry that is a subdomain of another entry. + For example, consider this list: + +acl FOO dstdomain boulder.co.us vail.co.us co.us + + In the first place, the above list is simply wrong because the first + two (boulder.co.us and vail.co.us) are unnecessary. Any domain name + that matches one of the first two will also match the last one (co.us). + Ok, but why does this happen? + + The problem stems from the data structure used to index domain names in + an access control list. Squid uses Splay trees for lists of domain + names. As other tree-based data structures, the searching algorithm + requires a comparison function that returns -1, 0, or +1 for any pair + of keys (domain names). This is similar to the way that strcmp() works. + + The problem is that it is wrong to say that co.us is greater-than, + equal-to, or less-than boulder.co.us. + + For example, if you said that co.us is LESS than fff.co.us, then the + Splay tree searching algorithm might never discover co.us as a match + for kkk.co.us. + + similarly, if you said that co.us is GREATER than fff.co.us, then the + Splay tree searching algorithm might never discover co.us as a match + for bbb.co.us. + + The bottom line is that you can't have one entry that is a subdomain of + another. Squid-2.2 will warn you if it detects this condition. + +Why does Squid deny some port numbers? + + It is dangerous to allow Squid to connect to certain port numbers. For + example, it has been demonstrated that someone can use Squid as an SMTP + (email) relay. As I'm sure you know, SMTP relays are one of the ways + that spammers are able to flood our mailboxes. To prevent mail + relaying, Squid denies requests when the URL port number is 25. Other + ports should be blocked as well, as a precaution. + + There are two ways to filter by port number: either allow specific + ports, or deny specific ports. By default, Squid does the first. This + is the ACL entry that comes in the default squid.conf: + +acl Safe_ports port 80 21 443 563 70 210 1025-65535 +http_access deny !Safe_ports + + The above configuration denies requests when the URL port number is not + in the list. The list allows connections to the standard ports for + HTTP, FTP, Gopher, SSL, WAIS, and all non-priveleged ports. + + Another approach is to deny dangerous ports. The dangerous port list + should look something like: + +acl Dangerous_ports 7 9 19 22 23 25 53 109 110 119 +http_access deny Dangerous_ports + + ...and probably many others. + + Please consult the /etc/services file on your system for a list of + known ports and protocols. + +Does Squid support the use of a database such as mySQL for storing the ACL +list? + + Yes, Squid supports acl interaction with external data sources via the + external_acl_type directive. Helpers for LDAP and NT Domain group + membership is included in the distribution and it's very easy to write + additional helpers to fit your environment. + +How can I allow a single address to access a specific URL? + + This example allows only the special_client to access the special_url. + Any other client that tries to access the special_url is denied. + +acl special_client src 10.1.2.3 +acl special_url url_regex ^http://www.squid-cache.org/Doc/FAQ/$ +http_access allow special_client special_url +http_access deny special_url + +How can I allow some clients to use the cache at specific times? + + Let's say you have two workstations that should only be allowed access + to the Internet during working hours (8:30 - 17:30). You can use + something like this: + +acl FOO src 10.1.2.3 10.1.2.4 +acl WORKING time MTWHF 08:30-17:30 +http_access allow FOO WORKING +http_access deny FOO + +How can I allow some users to use the cache at specific times? + +acl USER1 proxy_auth Dick +acl USER2 proxy_auth Jane +acl DAY time 06:00-18:00 +http_access allow USER1 DAY +http_access deny USER1 +http_access allow USER2 !DAY +http_access deny USER2 + +Problems with IP ACL's that have complicated netmasks + + The following ACL entry gives inconsistent or unexpected results: + +acl restricted src 10.0.0.128/255.0.0.128 10.85.0.0/16 + + The reason is that IP access lists are stored in "splay" tree data + structures. These trees require the keys to be sortable. When you use a + complicated, or non-standard, netmask (255.0.0.128), it confuses the + function that compares two address/mask pairs. + + The best way to fix this problem is to use separate ACL names for each + ACL value. For example, change the above to: + +acl restricted1 src 10.0.0.128/255.0.0.128 +acl restricted2 src 10.85.0.0/16 + + Then, of course, you'll have to rewrite your http_access lines as well. + +Can I set up ACL's based on MAC address rather than IP? + + Yes, for some operating systes. Squid calls these "ARP ACLs" and they + are supported on Linux, Solaris, and probably BSD variants. + + /!\ + + MAC address is only available for clients that are on the same subnet. + If the client is on a different subnet, then Squid can not find out its + MAC address as the MAC is replaced by the router MAC when a packet is + router. + + To use ARP (MAC) access controls, you first need to compile in the + optional code. Do this with the --enable-arp-acl configure option: + +% ./configure --enable-arp-acl ... +% make clean +% make + + If src/acl.c doesn't compile, then ARP ACLs are probably not supported + on your system. + + If everything compiles, then you can add some ARP ACL lines to your + squid.conf: + +acl M1 arp 01:02:03:04:05:06 +acl M2 arp 11:12:13:14:15:16 +http_access allow M1 +http_access allow M2 +http_access deny all + +Can I limit the number of connections from a client? + + Yes, use the maxconn ACL type in conjunction with http_access deny. For + example: + +acl losers src 1.2.3.0/24 +acl 5CONN maxconn 5 +http_access deny 5CONN losers + + Given the above configuration, when a client whose source IP address is + in the 1.2.3.0/24 subnet tries to establish 6 or more connections at + once, Squid returns an error page. Unless you use the deny_info + feature, the error message will just say "access denied." + + The maxconn ACL requires the client_db feature. If you've disabled + client_db (for example with client_db off) then maxconn ALCs will not + work. + + Note, the maxconn ACL type is kind of tricky because it uses less-than + comparison. The ACL is a match when the number of established + connections is greater than the value you specify. Because of that, you + don't want to use the maxconn ACL with http_access allow. + + Also note that you could use maxconn in conjunction with a user type + (ident, proxy_auth), rather than an IP address type. + +I'm trying to deny ''foo.com'', but it's not working. + + In Squid-2.3 we changed the way that Squid matches subdomains. There is + a difference between .foo.com and foo.com. The first matches any domain + in foo.com, while the latter matches only "foo.com" exactly. So if you + want to deny bar.foo.com, you should write + +acl yuck dstdomain .foo.com +http_access deny yuck + +I want to customize, or make my own error messages. + + You can customize the existing error messages as described in + Customizable Error Messages in [714]../MiscFeatures. You can also + create new error messages and use these in conjunction with the + deny_info option. + + For example, lets say you want your users to see a special message when + they request something that matches your pornography list. First, + create a file named ERR_NO_PORNO in the /usr/local/squid/etc/errors + directory. That file might contain something like this: + +Our company policy is to deny requests to known porno sites. If you +feel you've received this message in error, please contact +the support staff (support@this.company.com, 555-1234). + + Next, set up your access controls as follows: + +acl porn url_regex "/usr/local/squid/etc/porno.txt" +deny_info ERR_NO_PORNO porn +http_access deny porn +(additional http_access lines ...) + +I want to use local time zone in error messages. + + Squid, by default, uses GMT as timestamp in all generated error + messages. This to allow the cache to participate in a hierarchy of + caches in different timezones without risking confusion about what the + time is. + + To change the timestamp in Squid generated error messages you must + change the Squid signature. See Customizable Error Messages in + [715]../MiscFeatures. The signature by defaults uses %T as timestamp, + but if you like then you can use %t instead for a timestamp using local + time zone. + +I want to put ACL parameters in an external file. + + by Adam Aube + + Squid can read ACL parameters from an external file. To do this, first + place the acl parameters, one per line, in a file. Then, on the ACL + line in squid.conf, put the full path to the file in double quotes. + + For example, instead of: + +acl trusted_users proxy_auth john jane jim + + you would have: + +acl trusted_users proxy_auth "/usr/local/squid/etc/trusted_users.txt" + + Inside trusted_users.txt, there is: + +john +jane +jim + +I want to authorize users depending on their MS Windows group memberships + + There is an excellent resource over at + [716]http://workaround.org/moin/SquidLdap on how to use LDAP-based + group membership checking. + +Maximum length of an acl name + + By default the maximum length of an ACL name is 32-1 = 31 characters, + but it can be changed by editing the source: in defines.h + +#define ACL_NAME_SZ 32 + __________________________________________________________________ + + Contents + 1. [717]Why am I getting "Proxy Access Denied?" + 2. [718]I can't get ''local_domain'' to work; ''Squid'' is caching the + objects from my local servers. + 3. [719]Connection Refused when reaching a sibling + 4. [720]Running out of filedescriptors + 1. [721]Linux + 2. [722]Solaris + 3. [723]FreeBSD + 4. [724]General BSD + 1. [725]SunOS + 2. [726]FreeBSD (from the 2.1.6 kernel) + 3. [727]BSD/OS (from the 2.1 kernel) + 5. [728]Reconfigure afterwards + 5. [729]What are these strange lines about removing objects? + 6. [730]Can I change a Windows NT FTP server to list directories in + Unix format? + 7. [731]Why am I getting "Ignoring MISS from non-peer x.x.x.x?" + 8. [732]DNS lookups for domain names with underscores (_) always fail. + 9. [733]Why does Squid say: "Illegal character in hostname; + underscores are not allowed?' + 10. [734]Why am I getting access denied from a sibling cache? + 11. [735]Cannot bind socket FD NN to *:8080 (125) Address already in + use + 12. [736]icpDetectClientClose: ERROR xxx.xxx.xxx.xxx: (32) Broken pipe + 13. [737]icpDetectClientClose: FD 135, 255 unexpected bytes + 14. [738]Does Squid work with NTLM Authentication? + 15. [739]The ''default'' parent option isn't working! + 16. [740]"Hotmail" complains about: Intrusion Logged. Access denied. + 17. [741]My Squid becomes very slow after it has been running for some + time. + 18. [742]WARNING: Failed to start 'dnsserver' + 19. [743]Sending bug reports to the Squid team + 1. [744]crashes and core dumps + 2. [745]Resource Limits + 3. [746]Debugging Symbols + 4. [747]Coredump Location + 20. [748]Debugging Squid + 21. [749]FATAL: ipcache_init: DNS name lookup tests failed + 22. [750]FATAL: Failed to make swap directory /var/spool/cache: (13) + Permission denied + 23. [751]FATAL: Cannot open HTTP Port + 24. [752]FATAL: All redirectors have exited! + 25. [753]FATAL: file_map_allocate: Exceeded filemap limit + 26. [754]FATAL: You've run out of swap file numbers. + 27. [755]I am using up over 95% of the filemap bits?!! + 28. [756]FATAL: Cannot open /usr/local/squid/logs/access.log: (13) + Permission denied + 29. [757]When using a username and password, I can not access some + files. + 30. [758]pingerOpen: icmp_sock: (13) Permission denied + 31. [759]What is a forwarding loop? + 32. [760]accept failure: (71) Protocol error + 33. [761]storeSwapInFileOpened: ... Size mismatch + 34. [762]Why do I get ''fwdDispatch: Cannot retrieve + 'https://www.buy.com/corp/ordertracking.asp' '' + 35. [763]Squid can't access URLs like + http://3626046468/ab2/cybercards/moreinfo.html + 36. [764]I get a lot of "URI has whitespace" error messages in my cache + log, what should I do? + 37. [765]commBind: Cannot bind socket FD 5 to 127.0.0.1:0: (49) Can't + assign requested address + 38. [766]Unknown cache_dir type '/var/squid/cache' + 39. [767]unrecognized: 'cache_dns_program + /usr/local/squid/bin/dnsserver' + 40. [768]Is ''dns_defnames'' broken in Squid-2.3 and later? + 41. [769]What does "sslReadClient: FD 14: read failure: (104) + Connection reset by peer" mean? + 42. [770]What does ''Connection refused'' mean? + 43. [771]squid: ERROR: no running copy + 44. [772]FATAL: getgrnam failed to find groupid for effective group + 'nogroup' + 45. [773]"Unsupported Request Method and Protocol" for ''https'' URLs. + 46. [774]Squid uses 100% CPU + 47. [775]Webmin's ''cachemgr.cgi'' crashes the operating system + 48. [776]Segment Violation at startup or upon first request + 49. [777]urlParse: Illegal character in hostname + 'proxy.mydomain.com:8080proxy.mydomain.com' + 50. [778]Requests for international domain names does not work + 51. [779]Why do I sometimes get "Zero Sized Reply"? + 52. [780]Why do I get "The request or reply is too large" errors? + 53. [781]Negative or very large numbers in Store Directory Statistics, + or constant complaints about cache above limit + 54. [782]Squid problems with Windows Update v5 + +Why am I getting "Proxy Access Denied?" + + You may need to set up the http_access option to allow requests from + your IP addresses. Please see [783]../SquidAcl for information about + that. + + If squid is in httpd-accelerator mode, it will accept normal HTTP + requests and forward them to a HTTP server, but it will not honor proxy + requests. If you want your cache to also accept proxy-HTTP requests + then you must enable this feature: +httpd_accel_with_proxy on + + Alternately, you may have misconfigured one of your ACLs. Check the + access.log and squid.conf files for clues. + +I can't get ''local_domain'' to work; ''Squid'' is caching the objects from +my local servers. + + The local_domain directive does not prevent local objects from being + cached. It prevents the use of sibling caches when fetching local + objects. If you want to prevent objects from being cached, use the + cache_stoplist or http_stop configuration options (depending on your + version). + +Connection Refused when reaching a sibling + + I get Connection Refused when the cache tries to retrieve an object + located on a sibling, even though the sibling thinks it delivered the + object to my cache. + + If the HTTP port number is wrong but the ICP port is correct you will + send ICP queries correctly and the ICP replies will fool your cache + into thinking the configuration is correct but large objects will fail + since you don't have the correct HTTP port for the sibling in your + squid.conf file. If your sibling changed their http_port, you could + have this problem for some time before noticing. + +Running out of filedescriptors + + If you see the Too many open files error message, you are most likely + running out of file descriptors. This may be due to running Squid on an + operating system with a low filedescriptor limit. This limit is often + configurable in the kernel or with other system tuning tools. There are + two ways to run out of file descriptors: first, you can hit the + per-process limit on file descriptors. Second, you can hit the system + limit on total file descriptors for all processes. + +Linux + + Linux kernel 2.2.12 and later supports "unlimited" number of open files + without patching. So does most of glibc-2.1.1 and later (all areas + touched by Squid is safe from what I can tell, even more so in later + glibc releases). But you still need to take some actions as the kernel + defaults to only allow processes to use up to 1024 filedescriptors, and + Squid picks up the limit at build time. + * Edit /usr/include/bits/types.h to define __FD_SETSIZE to at least + the amount of filedescriptors you'd like to support (Not required + for Squid-2.5 and later). + * Before configuring Squid run "ulimit -HSn ####" (where #### is the + number of filedescriptors you need to support). Be sure to run + "make clean" before configure if you have already run configure as + the script might otherwise have cached the prior result. + * Configure, build and install Squid as usual + * Make sure your script for starting Squid contains the above ulimit + command to raise the filedescriptor limit. You may also need to + allow a larger port span for outgoing connections (set in + /proc/sys/net/ipv4/, like in "echo 1024 32768 > + /proc/sys/net/ipv4/ip_local_port_range") + + Alternatively you can + * Run configure with your needed configure options + * edit include/autoconf.h and define SQUID_MAXFD to your desired + limit. Make sure to make it a nice and clean modulo 64 value + (multiple of 64) to avoid various bugs in the libc headers. + * build and install Squid as usual + * Set the runtime ulimit as described above when starting Squid. + + If running things as root is not an option then get your sysadmin to + install a the needed ulimit command in /etc/inittscript (see man + initscript), install a patched kernel where INR_OPEN in + include/linux/fs.h is changed to at least the amount you need or have + them install a small suid program which sets the limit (see link + below). + + More information can be found from Henriks [784]How to get many + filedescriptors on Linux 2.2.X and later page. + +Solaris + + Add the following to your /etc/system file and reboot to increase your + maximum file descriptors per process: + +set rlim_fd_max = 4096 + + Next you should re-run the configure script in the top directory so + that it finds the new value. If it does not find the new limit, then + you might try editing include/autoconf.h and setting #define + DEFAULT_FD_SETSIZE by hand. Note that include/autoconf.h is created + from autoconf.h.in every time you run configure. Thus, if you edit it + by hand, you might lose your changes later on. + + Jens-S. Voeckler advises that you should NOT change the default soft + limit (rlim_fd_cur) to anything larger than 256. It will break other + programs, such as the license manager needed for the SUN workshop + compiler. Jens-S. also says that it should be safe to raise the limit + for the Squid process as high as 16,384 except that there may be + problems duruing reconfigure or logrotate if all of the lower 256 + filedescriptors are in use at the time or rotate/reconfigure. + +FreeBSD + + by [785]Torsten Sturm + * How do I check my maximum filedescriptors? + + Do sysctl -a and look for the value of kern.maxfilesperproc. + * How do I increase them? + +sysctl -w kern.maxfiles=XXXX +sysctl -w kern.maxfilesperproc=XXXX + + /!\ + + You probably want maxfiles > maxfilesperproc if you're going to be + pushing the limit. + * What is the upper limit? + + I don't think there is a formal upper limit inside the kernel. + All the data structures are dynamically allocated. In practice + there might be unintended metaphenomena (kernel spending too + much time searching tables, for example). + +General BSD + + For most BSD-derived systems (SunOS, 4.4BSD, OpenBSD, FreeBSD, NetBSD, + BSD/OS, 386BSD, Ultrix) you can also use the "brute force" method to + increase these values in the kernel (requires a kernel rebuild): + * How do I check my maximum filedescriptors? + + Do pstat -T and look for the files value, typically expressed + as the ratio of currentmaximum. + * How do I increase them the easy way? + + One way is to increase the value of the maxusers variable in + the kernel configuration file and build a new kernel. This + method is quick and easy but also has the effect of increasing + a wide variety of other variables that you may not need or + want increased. + * Is there a more precise method? + + Another way is to find the param.c file in your kernel build + area and change the arithmetic behind the relationship between + maxusers and the maximum number of open files. + + Here are a few examples which should lead you in the right direction: + +SunOS + + Change the value of nfile in 'usr/kvm/sys/conf.common/param.c/tt> by + altering this equation: +int nfile = 16 * (NPROC + 16 + MAXUSERS) / 10 + 64; + + Where NPROC is defined by: +#define NPROC (10 + 16 * MAXUSERS) + +FreeBSD (from the 2.1.6 kernel) + + Very similar to SunOS, edit /usr/src/sys/conf/param.c and alter the + relationship between maxusers and the maxfiles and maxfilesperproc + variables: +int maxfiles = NPROC*2; +int maxfilesperproc = NPROC*2; + + Where NPROC is defined by: #define NPROC (20 + 16 * MAXUSERS) The + per-process limit can also be adjusted directly in the kernel + configuration file with the following directive: options OPEN_MAX=128 + +BSD/OS (from the 2.1 kernel) + + Edit /usr/src/sys/conf/param.c and adjust the maxfiles math here: +int maxfiles = 3 * (NPROC + MAXUSERS) + 80; + + Where NPROC is defined by: #define NPROC (20 + 16 * MAXUSERS) You + should also set the OPEN_MAX value in your kernel configuration file to + change the per-process limit. + +Reconfigure afterwards + + After you rebuild/reconfigure your kernel with more filedescriptors, + you must then recompile Squid. Squid's configure script determines how + many filedescriptors are available, so you must make sure the configure + script runs again as well. For example: +cd squid-1.1.x +make realclean +./configure --prefix=/usr/local/squid +make + +What are these strange lines about removing objects? + + For example: +97/01/23 22:31:10| Removed 1 of 9 objects from bucket 3913 +97/01/23 22:33:10| Removed 1 of 5 objects from bucket 4315 +97/01/23 22:35:40| Removed 1 of 14 objects from bucket 6391 + + These log entries are normal, and do not indicate that squid has + reached cache_swap_high. + + Consult your cache information page in cachemgr.cgi for a line like + this: + +Storage LRU Expiration Age: 364.01 days + + Objects which have not been used for that amount of time are removed as + a part of the regular maintenance. You can set an upper limit on the + LRU Expiration Age value with reference_age in the config file. + +Can I change a Windows NT FTP server to list directories in Unix format? + + Why, yes you can! Select the following menus: + * Start + * Programs + * Microsoft Internet Server (Common) + * Internet Service Manager + + This will bring up a box with icons for your various services. One of + them should be a little ftp "folder." Double click on this. + + You will then have to select the server (there should only be one) + Select that and then choose "Properties" from the menu and choose the + "directories" tab along the top. + + There will be an option at the bottom saying "Directory listing style." + Choose the "Unix" type, not the "MS-DOS" type. + + by Oskar Pearson + +Why am I getting "Ignoring MISS from non-peer x.x.x.x?" + + You are receiving ICP MISSes (via UDP) from a parent or sibling cache + whose IP address your cache does not know about. This may happen in two + situations. + + If the peer is multihomed, it is sending packets out an interface which + is not advertised in the DNS. Unfortunately, this is a configuration + problem at the peer site. You can tell them to either add the IP + address interface to their DNS, or use Squid's "udp_outgoing_address" + option to force the replies out a specific interface. For example: on + your parent squid.conf: +udp_outgoing_address proxy.parent.com + + on your squid.conf: +cache_peer proxy.parent.com parent 3128 3130 + + You can also see this warning when sending ICP queries to multicast + addresses. For security reasons, Squid requires your configuration to + list all other caches listening on the multicast group address. If an + unknown cache listens to that address and sends replies, your cache + will log the warning message. To fix this situation, either tell the + unknown cache to stop listening on the multicast address, or if they + are legitimate, add them to your configuration file. + +DNS lookups for domain names with underscores (_) always fail. + + The standards for naming hosts ( [786]RFC 952 and [787]RFC 1101) do not + allow underscores in domain names: +A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characte +rs drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.). + + The resolver library that ships with recent versions of BIND enforces + this restriction, returning an error for any host with underscore in + the hostname. The best solution is to complain to the hostmaster of the + offending site, and ask them to rename their host. + + See also the [788]comp.protocols.tcp-ip.domains FAQ. + + Some people have noticed that [789]RFC 1033 implies that underscores + are allowed. However, this is an informational RFC with a poorly chosen + example, and not a standard by any means. + +Why does Squid say: "Illegal character in hostname; underscores are not +allowed?' + + See the above question. The underscore character is not valid for + hostnames. + + Some DNS resolvers allow the underscore, so yes, the hostname might + work fine when you don't use Squid. + + To make Squid allow underscores in hostnames, re-run the configure + script with this option: +% ./configure --enable-underscores ... + + and then recompile: +% make clean +% make + +Why am I getting access denied from a sibling cache? + + The answer to this is somewhat complicated, so please hold on. + + {i} + + Most of this text is taken from [790]ICP and the Squid Web Cache + + An ICP query does not include any parent or sibling designation, so the + receiver really has no indication of how the peer cache is configured + to use it. This issue becomes important when a cache is willing to + serve cache hits to anyone, but only handle cache misses for its paying + users or customers. In other words, whether or not to allow the request + depends on if the result is a hit or a miss. To accomplish this, Squid + acquired the miss_access feature in October of 1996. + + The necessity of "miss access" makes life a little bit complicated, and + not only because it was awkward to implement. Miss access means that + the ICP query reply must be an extremely accurate prediction of the + result of a subsequent HTTP request. Ascertaining this result is + actually very hard, if not impossible to do, since the ICP request + cannot convey the full HTTP request. Additionally, there are more types + of HTTP request results than there are for ICP. The ICP query reply + will either be a hit or miss. However, the HTTP request might result in + a "304 Not Modified" reply sent from the origin server. Such a reply is + not strictly a hit since the peer needed to forward a conditional + request to the source. At the same time, its not strictly a miss either + since the local object data is still valid, and the Not-Modified reply + is quite small. + + One serious problem for cache hierarchies is mismatched freshness + parameters. Consider a cache C using "strict" freshness parameters so + its users get maximally current data. C has a sibling S with less + strict freshness parameters. When an object is requested at C, C might + find that S already has the object via an ICP query and ICP HIT + response. C then retrieves the object from S. + + In an HTTP/1.0 world, C (and Cs client) will receive an object that was + never subject to its local freshness rules. Neither HTTP/1.0 nor ICP + provides any way to ask only for objects less than a certain age. If + the retrieved object is stale by + Cs rules, it will be removed from Cs cache, but it will subsequently be + fetched from S so long as it remains fresh there. This configuration + miscoupling problem is a significant deterrent to establishing both + parent and sibling relationships. + + HTTP/1.1 provides numerous request headers to specify freshness + requirements, which actually introduces a different problem for cache + hierarchies: ICP still does not include any age information, neither in + query nor reply. So + S may return an ICP HIT if its copy of the object is fresh by its + configuration parameters, but the subsequent HTTP request may result in + a cache miss due to any Cache-control: headers originated by C or by C + 's client. Situations now emerge where the ICP reply no longer matches + the HTTP request result. + + In the end, the fundamental problem is that the ICP query does not + provide enough information to accurately predict whether the HTTP + request will be a hit or miss. In fact, the current ICP Internet Draft + is very vague on this subject. What does ICP HIT really mean? Does it + mean "I know a little about that URL and have some copy of the object?" + Or does it mean "I have a valid copy of that object and you are allowed + to get it from me?" + + So, what can be done about this problem? We really need to change ICP + so that freshness parameters are included. Until that happens, the + members of a cache hierarchy have only two options to totally eliminate + the "access denied" messages from sibling caches: + * Make sure all members have the same + refresh_rules parameters. + * Do not use + miss_access at all. Promise your sibling cache administrator that + your cache is properly configured and that you will not abuse their + generosity. The sibling cache administrator can check his log files + to make sure you are keeping your word. + + If neither of these is realistic, then the sibling relationship should + not exist. + +Cannot bind socket FD NN to *:8080 (125) Address already in use + + This means that another processes is already listening on port 8080 (or + whatever you're using). It could mean that you have a Squid process + already running, or it could be from another program. To verify, use + the + netstat command: +netstat -naf inet | grep LISTEN + + That will show all sockets in the LISTEN state. You might also try +netstat -naf inet | grep 8080 + + If you find that some process has bound to your port, but you're not + sure which process it is, you might be able to use the excellent + [791]lsof program. It will show you which processes own every open file + descriptor on your system. + +icpDetectClientClose: ERROR xxx.xxx.xxx.xxx: (32) Broken pipe + + This means that the client socket was closed by the client before Squid + was finished sending data to it. Squid detects this by trying to + read(2) some data from the socket. If the read(2) call fails, then + Squid konws the socket has been closed. Normally the read(2) call + returns ECONNRESET: Connection reset by peer and these are NOT logged. + Any other error messages (such as EPIPE: Broken pipe are logged to + cache.log. See the "intro" of section 2 of your Unix manual for a list + of all error codes. + +icpDetectClientClose: FD 135, 255 unexpected bytes + + These are caused by misbehaving Web clients attempting to use + persistent connections. Squid-1.1 does not support persistent + connections. + +Does Squid work with NTLM Authentication? + + [792]Version 2.5 supports Microsoft NTLM authentication. However, there + are some limits on our support: we cannot proxy connections to a origin + server that use NTLM authentication, but we can act as a web + accelerator or proxy server and authenticate the client connection + using NTLM. + + We support NT4, Samba, and Windows 2000 Domain Controllers. For more + information see [793]../ProxyAuthentication . + + Why we cannot proxy NTLM even though we can use it. Quoting from + summary at the end of the browser authentication section in [794]this + article: +In summary, Basic authentication does not require an implicit end-to-end +state, and can therefore be used through a proxy server. Windows NT +Challenge/Response authentication requires implicit end-to-end state and +will not work through a proxy server. + + Squid transparently passes the NTLM request and response headers + between clients and servers. NTLM relies on a single end-end connection + (possibly with men-in-the-middle, but a single connection every step of + the way. This implies that for NTLM authentication to work at all with + proxy caches, the proxy would need to tightly link the client-proxy and + proxy-server links, as well as understand the state of the link at any + one time. NTLM through a CONNECT might work, but we as far as we know + that hasn't been implemented by anyone, and it would prevent the pages + being cached - removing the value of the proxy. + + NTLM authentication is carried entirely inside the HTTP protocol, but + is not a true HTTP authentication protocol and is different from Basic + and Digest authentication in many ways, the most notable of which are: + 1. It is dependent on a stateful end-to-end connection which collides + with RFC 2616 for proxy-servers to disjoin the client-proxy and + proxy-server connections. + 2. It is only taking place once per connection, not per request. Once + the connection is authenticated then all future requests on the + same connection inherities the authentication. The connection must + be reestablished to set up other authentication or re-identify the + user. This too collides with RFC 2616 where authentication is + defined as a property of the HTTP messages, not connections. + + The reasons why it is not implemented in Netscape is probably: + * It is very specific for the Windows platform + * It is not defined in any RFC or even internet draft. + * The protocol has several shortcomings, where the most apparent one + is that it cannot be proxied. + * There exists an open internet standard which does mostly the same + but without the shortcomings or platform dependencies: [795]digest + authentication. + +The ''default'' parent option isn't working! + + This message was received at + squid-bugs: + + If you have only one parent, configured as: +cache_peer xxxx parent 3128 3130 no-query default + + nothing is sent to the parent; neither UDP packets, nor TCP + connections. + + Simply adding + default to a parent does not force all requests to be sent to that + parent. The term default is perhaps a poor choice of words. A default + parent is only used as a last resort . + + If the cache is able to make direct connections, direct will be + preferred over default. If you want to force all requests to your + parent cache(s), use the + never_direct option: + +acl all src 0.0.0.0/0.0.0.0 +never_direct allow all + +"Hotmail" complains about: Intrusion Logged. Access denied. + + Hotmail is proxy-unfriendly and requires all requests to come from the + same IP address. You can fix this by adding to your + squid.conf: +hierarchy_stoplist hotmail.com + +My Squid becomes very slow after it has been running for some time. + + This is most likely because Squid is using more memory than it should + be for your system. When the Squid process becomes large, it + experiences a lot of paging. This will very rapidly degrade the + performance of Squid. Memory usage is a complicated problem. There are + a number of things to consider. + + Then, examine the Cache Manager + Info ouput and look at these two lines: +Number of HTTP requests received: 121104 +Page faults with physical i/o: 16720 + + {i} + + If your system does not have the + getrusage() function, then you will not see the page faults line. + + Divide the number of page faults by the number of connections. In this + case 16720/121104 = 0.14. Ideally this ratio should be in the 0.0 - 0.1 + range. It may be acceptable to be in the 0.1 - 0.2 range. Above that, + however, and you will most likely find that Squid's performance is + unacceptably slow. + + If the ratio is too high, you will need to make some changes as + detailed in [796]../SquidMemory. + +WARNING: Failed to start 'dnsserver' + + This could be a permission problem. Does the Squid userid have + permission to execute the + dnsserver program? + + You might also try testing + dnsserver from the command line: +$ echo oceana.nlanr.net | ./dnsserver + + Should produce something like: +$name oceana.nlanr.net +$h_name oceana.nlanr.net +$h_len 4 +$ipcount 1 +132.249.40.200 +$aliascount 0 +$ttl 82067 +$end + +Sending bug reports to the Squid team + + Bug reports for Squid should be registered in our [797]bug database. + Any bug report must include + * The Squid version + * Your Operating System type and version + * A clear description of the bug symptoms. + * If your Squid crashes the report must include a coredumps stack + trace as described below + + Please note that bug reports are only processed if they can be + reproduced or identified in the current STABLE or development versions + of Squid. If you are running an older version of Squid the first + response will be to ask you to upgrade unless the developer who looks + at your bug report immediately can identify that the bug also exists in + the current versions. It should also be noted that any patches provided + by the Squid developer team will be to the current STABLE version even + if you run an older version. + +crashes and core dumps + + There are two conditions under which squid will exit abnormally and + generate a coredump. First, a SIGSEGV or SIGBUS signal will cause Squid + to exit and dump core. Second, many functions include consistency + checks. If one of those checks fail, Squid calls abort() to generate a + core dump. + + Many people report that Squid doesn't leave a coredump anywhere. This + may be due to one of the following reasons: + * Resource Limits + + The shell has limits on the size of a coredump file. You may + need to increase the limit using ulimit or a similar command + (see below) + * sysctl options + + On FreeBSD, you won't get a coredump from programs that call + setuid() and/or setgid() (like Squid sometimes does) unless + you enable this option: + +# sysctl -w kern.sugid_coredump=1 + + * No debugging symbols + + The Squid binary must have debugging symbols in order to get a + meaningful coredump. + * Threads and Linux + + On Linux, threaded applications do not generat core dumps. + When you use the aufs cache_dir type, it uses threads and you + can't get a coredump. + * It did leave a coredump file, you just can't find it. + +Resource Limits + + These limits can usually be changed in shell scripts. The command to + change the resource limits is usually either + limit or limits. Sometimes it is a shell-builtin function, and + sometimes it is a regular program. Also note that you can set resource + limits in the /etc/login.conf file on FreeBSD and maybe other systems. + + To change the coredumpsize limit you might use a command like: +limit coredumpsize unlimited + + or +limits coredump unlimited + +Debugging Symbols + + To see if your Squid binary has debugging symbols, use this command: +% nm /usr/local/squid/bin/squid | head + + The binary has debugging symbols if you see gobbledegook like this: +0812abec B AS_tree_head +080a7540 D AclMatchedName +080a73fc D ActionTable +080908a4 r B_BYTES_STR +080908bc r B_GBYTES_STR +080908ac r B_KBYTES_STR +080908b4 r B_MBYTES_STR +080a7550 D Biggest_FD +08097c0c R CacheDigestHashFuncCount +08098f00 r CcAttrs + + There are no debugging symbols if you see this instead: +/usr/local/squid/bin/squid: no symbols + + Debugging symbols may have been removed by your + install program. If you look at the squid binary from the source + directory, then it might have the debugging symbols. + +Coredump Location + + The core dump file will be left in one of the following locations: + 1. The + coredump_dir directory, if you set that option. + 2. The first + cache_dir directory if you have used the cache_effective_user + option. + 3. The current directory when Squid was started + + Recent versions of Squid report their current directory after starting, + so look there first: +2000/03/14 00:12:36| Set Current Directory to /usr/local/squid/cache + + If you cannot find a core file, then either Squid does not have + permission to write in its current directory, or perhaps your shell + limits are preventing the core file from being written. + + Often you can get a coredump if you run Squid from the command line + like this (csh shells and clones): +% limit core un +% /usr/local/squid/bin/squid -NCd1 + + Once you have located the core dump file, use a debugger such as + dbx or gdb to generate a stack trace: +tirana-wessels squid/src 270% gdb squid /T2/Cache/core +GDB is free software and you are welcome to distribute copies of it + under certain conditions; type "show copying" to see the conditions. +There is absolutely no warranty for GDB; type "show warranty" for details. +GDB 4.15.1 (hppa1.0-hp-hpux10.10), Copyright 1995 Free Software Foundation, Inc. +.. +Core was generated by `squid'. +Program terminated with signal 6, Aborted. + +[...] + +(gdb) where +#0 0xc01277a8 in _kill () +#1 0xc00b2944 in _raise () +#2 0xc007bb08 in abort () +#3 0x53f5c in __eprintf (string=0x7b037048 "", expression=0x5f
, line=8, filename=0x6b
) +#4 0x29828 in fd_open (fd=10918, type=3221514150, desc=0x95e4 "HTTP Request") a +t fd.c:71 +#5 0x24f40 in comm_accept (fd=2063838200, peer=0x7b0390b0, me=0x6b) at comm.c:5 +74 +#6 0x23874 in httpAccept (sock=33, notused=0xc00467a6) at client_side.c:1691 +#7 0x25510 in comm_select_incoming () at comm.c:784 +#8 0x25954 in comm_select (sec=29) at comm.c:1052 +#9 0x3b04c in main (argc=1073745368, argv=0x40000dd8) at main.c:671 + + If possible, you might keep the coredump file around for a day or two. + It is often helpful if we can ask you to send additional debugger + output, such as the contents of some variables. But please note that a + core file is only useful if paired with the exact same binary as + generated the corefile. If you recompile Squid then any coredumps from + previous versions will be useless unless you have saved the + corresponding Squid binaries, and any attempts to analyze such + coredumps will most certainly give misleading information about the + cause to the crash. + + If you CANNOT get Squid to leave a core file for you then one of the + following approaches can be used + + First alternative is to start Squid under the contol of GDB + +% gdb /path/to/squid +handle SIGPIPE pass nostop noprint +run -DNYCd3 +[wait for crash] +backtrace +quit + + The drawback from the above is that it isn't really suitable to run on + a production system as Squid then won't restart automatically if it + crashes. The good news is that it is fully possible to automate the + process above to automatically get the stack trace and then restart + Squid. Here is a short automated script that should work: + +#!/bin/sh +trap "rm -f $$.gdb" 0 +cat <$$.gdb +handle SIGPIPE pass nostop noprint +run -DNYCd3 +backtrace +quit +EOF +while sleep 2; do + gdb -x $$.gdb /path/to/squid 2>&1 | tee -a squid.out +done + + Other options if the above cannot be done is to: + 1. Build Squid with the --enable-stacktraces option, if support exists + for your OS (exists for Linux glibc on Intel, and Solaris with some + extra libraries which seems rather impossible to find these days..) + 2. Run Squid using the "catchsegv" tool. (Linux glibc Intel) + + {i} these approaches does not by far provide as much details as using + gdb. + +Debugging Squid + + If you believe you have found a non-fatal bug (such as incorrect HTTP + processing) please send us a section of your cache.log with debugging + to demonstrate the problem. The cache.log file can become very large, + so alternatively, you may want to copy it to an FTP or HTTP server + where we can download it. + + It is very simple to enable full debugging on a running squid process. + Simply use the + -k debug command line option: +% ./squid -k debug + + This causes every + debug() statement in the source code to write a line in the cache.log + file. You also use the same command to restore Squid to normal + debugging level. + + To enable selective debugging (e.g. for one source file only), you need + to edit + squid.conf and add to the debug_options line. Every Squid source file + is assigned a different debugging section. The debugging section + assignments can be found by looking at the top of individual source + files, or by reading the file doc/debug-levels.txt (correctly renamed + to debug-sections.txt for Squid-2). You also specify the debugging + level to control the amount of debugging. Higher levels result in more + debugging messages. For example, to enable full debugging of Access + Control functions, you would use +debug_options ALL,1 28,9 + + Then you have to restart or reconfigure Squid. + + Once you have the debugging captured to + cache.log, take a look at it yourself and see if you can make sense of + the behaviour which you see. If not, please feel free to send your + debugging output to the squid-users or squid-bugs lists. + +FATAL: ipcache_init: DNS name lookup tests failed + + Squid normally tests your system's DNS configuration before it starts + server requests. Squid tries to resolve some common DNS names, as + defined in the + dns_testnames configuration directive. If Squid cannot resolve these + names, it could mean: + * your DNS nameserver is unreachable or not running. + * your + /etc/resolv.conf file may contain incorrect information. + * your + /etc/resolv.conf file may have incorrect permissions, and may be + unreadable by Squid. + + To disable this feature, use the + -D command line option. + + Note, Squid does NOT use the + dnsservers to test the DNS. The test is performed internally, before + the dnsservers start. + +FATAL: Failed to make swap directory /var/spool/cache: (13) Permission denied + + Starting with version 1.1.15, we have required that you first run +squid -z + + to create the swap directories on your filesystem. If you have set the + cache_effective_user option, then the Squid process takes on the given + userid before making the directories. If the cache_dir directory (e.g. + /var/spool/cache) does not exist, and the Squid userid does not have + permission to create it, then you will get the "permission denied" + error. This can be simply fixed by manually creating the cache + directory. +# mkdir /var/spool/cache +# chown /var/spool/cache +# squid -z + + Alternatively, if the directory already exists, then your operating + system may be returning "Permission Denied" instead of "File Exists" on + the mkdir() system call. This [store.c-mkdir.patch patch] by + [798]Miquel van Smoorenburg should fix it. + +FATAL: Cannot open HTTP Port + + Either + 1. the Squid userid does not have permission to bind to the port, or + 2. some other process has bound itself to the port + + Remember that root privileges are required to open port numbers less + than 1024. If you see this message when using a high port number, or + even when starting Squid as root, then the port has already been opened + by another process. + + Maybe you are running in the HTTP Accelerator mode and there is already + a HTTP server running on port 80? If you're really stuck, install the + way cool [799]lsof utility to show you which process has your port in + use. + +FATAL: All redirectors have exited! + + This is explained in [800]../SquidRedirectors. + +FATAL: file_map_allocate: Exceeded filemap limit + + See the next question. + +FATAL: You've run out of swap file numbers. + + {i} + + The information here applies to version 2.2 and earlier + + Squid keeps an in-memory bitmap of disk files that are available for + use, or are being used. The size of this bitmap is determined at run + name, based on two things: the size of your cache, and the average + (mean) cache object size. + + The size of your cache is specified in squid.conf, on the + cache_dir lines. The mean object size can also be specified in + squid.conf, with the 'store_avg_object_size' directive. By default, + Squid uses 13 Kbytes as the average size. + + When allocating the bitmaps, Squid allocates this many bits: +2 * cache_size / store_avg_object_size + + So, if you exactly specify the correct average object size, Squid + should have 50% filemap bits free when the cache is full. You can see + how many filemap bits are being used by looking at the 'storedir' cache + manager page. It looks like this: + +Store Directory #0: /usr/local/squid/cache +First level subdirectories: 4 +Second level subdirectories: 4 +Maximum Size: 1024000 KB +Current Size: 924837 KB +Percent Used: 90.32% +Filemap bits in use: 77308 of 157538 (49%) +Flags: + + Now, if you see the "You've run out of swap file numbers" message, then + it means one of two things: + 1. You've found a Squid bug. + 2. Your cache's average file size is much smaller than the + 'store_avg_object_size' value. + + To check the average file size of object currently in your cache, look + at the cache manager 'info' page, and you will find a line like: +Mean Object Size: 11.96 KB + + To make the warning message go away, set 'store_avg_object_size' to + that value (or lower) and then restart Squid. + +I am using up over 95% of the filemap bits?!! + + {i} + + The information here is current for version 2.3 + + Calm down, this is now normal. Squid now dynamically allocates filemap + bits based on the number of objects in your cache. You won't run out of + them, we promise. + +FATAL: Cannot open /usr/local/squid/logs/access.log: (13) Permission denied + + In Unix, things like + processes and files have an owner. For Squid, the process owner and + file owner should be the same. If they are not the same, you may get + messages like "permission denied." + + To find out who owns a file, use the + ls -l command: +% ls -l /usr/local/squid/logs/access.log + + A process is normally owned by the user who starts it. However, Unix + sometimes allows a process to change its owner. If you specified a + value for the + effective_user option in squid.conf, then that will be the process + owner. The files must be owned by this same userid. + + If all this is confusing, then you probably should not be running Squid + until you learn some more about Unix. As a reference, I suggest + [801]Learning the UNIX Operating System, 4th Edition. + +When using a username and password, I can not access some files. + + If I try by way of a test, to access +ftp://username:password@ftpserver/somewhere/foo.tar.gz + + I get +somewhere/foo.tar.gz: Not a directory. + + Use this URL instead: +ftp://username:password@ftpserver/%2fsomewhere/foo.tar.gz + +pingerOpen: icmp_sock: (13) Permission denied + + This means your + pinger program does not have root priveleges. You should either do + this: +% su +# make install-pinger + + or +# chown root /usr/local/squid/bin/pinger +# chmod 4755 /usr/local/squid/bin/pinger + +What is a forwarding loop? + + A forwarding loop is when a request passes through one proxy more than + once. You can get a forwarding loop if + * a cache forwards requests to itself. This might happen with + interception caching (or server acceleration) configurations. + * a pair or group of caches forward requests to each other. This can + happen when Squid uses ICP, Cache Digests, or the ICMP RTT database + to select a next-hop cache. + + Forwarding loops are detected by examining the + Via request header. Each cache which "touches" a request must add its + hostname to the Via header. If a cache notices its own hostname in this + header for an incoming request, it knows there is a forwarding loop + somewhere. + + + + Squid may report a forwarding loop if a request goes through two caches + that have the same + visible_hostname value. If you want to have multiple machines with the + same visible_hostname then you must give each machine a different + unique_hostname so that forwarding loops are correctly detected. + + When Squid detects a forwarding loop, it is logged to the + cache.log file with the recieved Via header. From this header you can + determine which cache (the last in the list) forwarded the request to + you. + + One way to reduce forwarding loops is to change a + parent relationship to a sibling relationship. + + Another way is to use + cache_peer_access rules. For example: +# Our parent caches +cache_peer A.example.com parent 3128 3130 +cache_peer B.example.com parent 3128 3130 +cache_peer C.example.com parent 3128 3130 + +# An ACL list +acl PEERS src A.example.com +acl PEERS src B.example.com +acl PEERS src C.example.com + +# Prevent forwarding loops +cache_peer_access A.example.com allow !PEERS +cache_peer_access B.example.com allow !PEERS +cache_peer_access C.example.com allow !PEERS + + The above configuration instructs squid to NOT forward a request to + parents A, B, or C when a request is received from any one of those + caches. + +accept failure: (71) Protocol error + + This error message is seen mostly on Solaris systems. [802]Mark Kennedy + gives a great explanation: +Error 71 [EPROTO] is an obscure way of reporting that clients made it onto your +server's TCP incoming connection queue but the client tore down the +connection before the server could accept it. I.e. your server ignored +its clients for too long. We've seen this happen when we ran out of +file descriptors. I guess it could also happen if something made squid +block for a long time. + +storeSwapInFileOpened: ... Size mismatch + + {i} + + These messages are specific to squid 2.X + + Got these messages in my cache log - I guess it means that the index + contents do not match the contents on disk. +1998/09/23 09:31:30| storeSwapInFileOpened: /var/cache/00/00/00000015: Size mism +atch: 776(fstat) != 3785(object) +1998/09/23 09:31:31| storeSwapInFileOpened: /var/cache/00/00/00000017: Size mism +atch: 2571(fstat) != 4159(object) + + What does Squid do in this case? + + These happen when Squid reads an object from disk for a cache hit. + After it opens the file, Squid checks to see if the size is what it + expects it should be. If the size doesn't match, the error is printed. + In this case, Squid does not send the wrong object to the client. It + will re-fetch the object from the source. + +Why do I get ''fwdDispatch: Cannot retrieve +'https://www.buy.com/corp/ordertracking.asp' '' + + These messages are caused by buggy clients, mostly Netscape Navigator. + What happens is, Netscape sends an HTTPS/SSL request over a persistent + HTTP connection. Normally, when Squid gets an SSL request, it looks + like this: +CONNECT www.buy.com:443 HTTP/1.0 + + Then Squid opens a TCP connection to the destination host and port, and + the + real request is sent encrypted over this connection. Thats the whole + point of SSL, that all of the information must be sent encrypted. + + With this client bug, however, Squid receives a request like this: +GET https://www.buy.com/corp/ordertracking.asp HTTP/1.0 +Accept: */* +User-agent: Netscape ... +... + + Now, all of the headers, and the message body have been sent, + unencrypted to Squid. There is no way for Squid to somehow turn this + into an SSL request. The only thing we can do is return the error + message. + + /!\ + + This browser bug does represent a security risk because the browser is + sending sensitive information unencrypted over the network. + +Squid can't access URLs like http://3626046468/ab2/cybercards/moreinfo.html + + by Dave J Woolley (DJW at bts dot co dot uk) + + These are illegal URLs, generally only used by illegal sites; typically + the web site that supports a spammer and is expected to survive a few + hours longer than the spamming account. + + Their intention is to: + * confuse content filtering rules on proxies, and possibly some + browsers' idea of whether they are trusted sites on the local + intranet; + * confuse whois (?); + * make people think they are not IP addresses and unknown domain + names, in an attempt to stop them trying to locate and complain to + the ISP. + + Any browser or proxy that works with them should be considered a + security risk. + + [803]RFC 1738 has this to say about the hostname part of a URL: +The fully qualified domain name of a network host, or its IP +address as a set of four decimal digit groups separated by +".". Fully qualified domain names take the form as described +in Section 3.5 of RFC 1034 [13] and Section 2.1 of RFC 1123 +[5]: a sequence of domain labels separated by ".", each domain +label starting and ending with an alphanumerical character and +possibly also containing "-" characters. The rightmost domain +label will never start with a digit, though, which +syntactically distinguishes all domain names from the IP +addresses. + +I get a lot of "URI has whitespace" error messages in my cache log, what +should I do? + + Whitespace characters (space, tab, newline, carriage return) are not + allowed in URI's and URL's. Unfortunately, a number of Web services + generate URL's with whitespace. Of course your favorite browser + silently accomodates these bad URL's. The servers (or people) that + generate these URL's are in violation of Internet standards. The + whitespace characters should be encoded. + + If you want Squid to accept URL's with whitespace, you have to decide + how to handle them. There are four choices that you can set with the + uri_whitespace option: + * DENY + + The request is denied with an "Invalid Request" message. This + is the default. + * ALLOW + + The request is allowed and the URL remains unchanged. + * ENCODE + + The whitespace characters are encoded according to [804]RFC + 1738. This can be considered a violation of the HTTP + specification. + * CHOP + + The URL is chopped at the first whitespace character and then + processed normally. This also can be considered a violation of + HTTP. + +commBind: Cannot bind socket FD 5 to 127.0.0.1:0: (49) Can't assign requested +address + + This likely means that your system does not have a loopback network + device, or that device is not properly configured. All Unix systems + should have a network device named + lo0, and it should be configured with the address 127.0.0.1. If not, + you may get the above error message. To check your system, run: +% ifconfig lo0 + + The result should look something like: +lo0: flags=8049 mtu 16384 + inet 127.0.0.1 netmask 0xff000000 + + If you use FreeBSD, see + freebsd-no-lo0 + +Unknown cache_dir type '/var/squid/cache' + + The format of the + cache_dir option changed with version 2.3. It now takes a type + argument. All you need to do is insert ufs in the line, like this: +cache_dir ufs /var/squid/cache ... + +unrecognized: 'cache_dns_program /usr/local/squid/bin/dnsserver' + + As of Squid 2.3, the default is to use internal DNS lookup code. The + cache_dns_program and dns_children options are not known squid.conf + directives in this case. Simply comment out these two options. + + If you want to use external DNS lookups, with the + dnsserver program, then add this to your configure command: +--disable-internal-dns + +Is ''dns_defnames'' broken in Squid-2.3 and later? + + Sort of. As of Squid 2.3, the default is to use internal DNS lookup + code. The + dns_defnames option is only used with the external dnsserver processes. + If you relied on dns_defnames before, you have three choices: + * See if the + append_domain option will work for you instead. + * Configure squid with --disable-internal-dns to use the external + dnsservers. + * Enhance + src/dns_internal.c to understand the search and domain lines from + /etc/resolv.conf. + +What does "sslReadClient: FD 14: read failure: (104) Connection reset by +peer" mean? + + "Connection reset by peer" is an error code that Unix operating systems + sometimes return for + read, write, connect, and other system calls. + + Connection reset means that the other host, the peer, sent us a RESET + packet on a TCP connection. A host sends a RESET when it receives an + unexpected packet for a nonexistent connection. For example, if one + side sends data at the same time that the other side closes a + connection, when the other side receives the data it may send a reset + back. + + The fact that these messages appear in Squid's log might indicate a + problem, such as a broken origin server or parent cache. On the other + hand, they might be "normal," especially since some applications are + known to force connection resets rather than a proper close. + + You probably don't need to worry about them, unless you receive a lot + of user complaints relating to SSL sites. + + Rick Jones notes that if the server is running a Microsoft TCP stack, + clients receive RST segments whenever the listen queue overflows. In + other words, if the server is really busy, new connections receive the + reset message. This is contrary to rational behaviour, but is unlikely + to change. + +What does ''Connection refused'' mean? + + This is an error message, generated by your operating system, in + response to a + connect() system call. It happens when there is no server at the other + end listening on the port number that we tried to connect to. + + Its quite easy to generate this error on your own. Simply telnet to a + random, high numbered port: +% telnet localhost 12345 +Trying 127.0.0.1... +telnet: Unable to connect to remote host: Connection refused + + It happens because there is no server listening for connections on port + 12345. + + When you see this in response to a URL request, it probably means the + origin server web site is temporarily down. It may also mean that your + parent cache is down, if you have one. + +squid: ERROR: no running copy + + You may get this message when you run commands like + squid -krotate. + + This error message usually means that the + squid.pid file is missing. Since the PID file is normally present when + squid is running, the absence of the PID file usually means Squid is + not running. If you accidentally delete the PID file, Squid will + continue running, and you won't be able to send it any signals. + + If you accidentally removed the PID file, there are two ways to get it + back. + + One is to run + ps and find the Squid process id. You'll probably see two processes, + like this: +bender-wessels % ps ax | grep squid +83617 ?? Ss 0:00.00 squid -s +83619 ?? S 0:00.48 (squid) -s (squid) + + You want the second process id, 83619 in this case. Create the PID file + and put the process id number there. For example: +echo 83619 > /usr/local/squid/logs/squid.pid + + The second is to use the above technique to find the Squid process id. + Send the process a HUP signal, which is the same as + squid -kreconfigure: +kill -HUP 83619 + + The reconfigure process creates a new PID file automatically. + +FATAL: getgrnam failed to find groupid for effective group 'nogroup' + + You are probably starting Squid as root. Squid is trying to find a + group-id that doesn't have any special priveleges that it will run as. + The default is + nogroup, but this may not be defined on your system. You need to edit + squid.conf and set cache_effective_group to the name of an + unpriveledged group from /etc/group. There is a good chance that nobody + will work for you. + +"Unsupported Request Method and Protocol" for ''https'' URLs. + + {i} + + The information here is current for version 2.3 + + This is correct. Squid does not know what to do with an + https URL. To handle such a URL, Squid would need to speak the SSL + protocol. Unfortunately, it does not (yet). + + Normally, when you type an + https URL into your browser, one of two things happens. + * The browser opens an SSL connection directly to the origin server. + * The browser tunnels the request through Squid with the + CONNECT request method. + + The + CONNECT method is a way to tunnel any kind of connection through an + HTTP proxy. The proxy doesn't understand or interpret the contents. It + just passes bytes back and forth between the client and server. For the + gory details on tunnelling and the CONNECT method, please see [805]RFC + 2817 and [806]Tunneling TCP based protocols through Web proxy servers + (expired IETF draft). + +Squid uses 100% CPU + + There may be many causes for this. + + Andrew Doroshenko reports that removing + /dev/null, or mounting a filesystem with the nodev option, can cause + Squid to use 100% of CPU. His suggested solution is to "touch + /dev/null." + +Webmin's ''cachemgr.cgi'' crashes the operating system + + Mikael Andersson reports that clicking on Webmin's + cachemgr.cgi link creates numerous instances of cachemgr.cgi that + quickly consume all available memory and brings the system to its + knees. + + Joe Cooper reports this to be caused by SSL problems in some browsers + (mainly Netscape 6.x/Mozilla) if your Webmin is SSL enabled. Try with + another browser such as Netscape 4.x or Microsoft IE, or disable SSL + encryption in Webmin. + +Segment Violation at startup or upon first request + + Some versions of GCC (notably 2.95.1 through 2.95.4 at least) have bugs + with compiler optimization. These GCC bugs may cause NULL pointer + accesses in Squid, resulting in a " + FATAL: Received Segment Violation...dying" message and a core dump. + + You can work around these GCC bugs by disabling compiler optimization. + The best way to do that is start with a clean source tree and set the + CC options specifically: +% cd squid-x.y +% make distclean +% setenv CFLAGS='-g -Wall' +% ./configure ... + + To check that you did it right, you can search for AC_CFLAGS in + src/Makefile: +% grep AC_CFLAGS src/Makefile +AC_CFLAGS = -g -Wall + + Now when you recompile, GCC won't try to optimize anything: +% make +Making all in lib... +gcc -g -Wall -I../include -I../include -c rfc1123.c +...etc... + + + + Some people worry that disabling compiler optimization will negatively + impact Squid's performance. The impact should be negligible, unless + your cache is really busy and already runs at a high CPU usage. For + most people, the compiler optimization makes little or no difference at + all + +urlParse: Illegal character in hostname +'proxy.mydomain.com:8080proxy.mydomain.com' + + By Yomler of fnac.net + + A combination of a bad configuration of Internet Explorer and any + application which use the cydoor DLLs will produce the entry in the + log. See [807]cydoor.com for a complete list. + + The bad configuration of IE is the use of a active configuration script + (proxy.pac) and an active or inactive, but filled proxy settings. IE + will only use the proxy.pac. Cydoor aps will use both and will generate + the errors. + + Disabling the old proxy settings in IE is not enought, you should + delete them completely and only use the proxy.pac for example. + +Requests for international domain names does not work + + By [808]HenrikNordstrm. + + Some people have asked why requests for domain names using national + symbols as "supported" by the certain domain registrars does not work + in Squid. This is because there as of yet is no standard on how to + manage national characters in the current Internet protocols such as + HTTP or DNS. The current Internet standards is very strict on what is + an acceptable hostname and only accepts A-Z a-z 0-9 and - in Internet + hostname labels. Anything outside this is outside the current Internet + standards and will cause interoperability issues such as the problems + seen with such names and Squid. + + When there is a consensus in the DNS and HTTP standardization groups on + how to handle international domain names Squid will be changed to + support this if any changes to Squid will be required. + + If you are interested in the progress of the standardization process + for international domain names please see the IETF IDN working group's + [809]dedicated page. + +Why do I sometimes get "Zero Sized Reply"? + + This happens when Squid makes a TCP connection to an origin server, but + for some reason, the connection is closed before Squid reads any data. + Depending on various factors, Squid may be able to retry the request + again. If you see the "Zero Sized Reply" error message, it means that + Squid was unable to retry, or that all retry attempts also failed. + + What causes a connection to close prematurely? It could be a number of + things, including: + * An overloaded origin server. + * TCP implementation/interoperability bugs. See the + [810]../SystemWeirdnesses for details. + * Race conditions with HTTP persistent connections. + * Buggy or misconfigured NAT boxes, firewalls, and load-balancers. + * Denial of service attacks. + * Utilizing TCP blackholing on FreeBSD (check + [811]../SystemWeirdnesses). + + You may be able to use + tcpdump to track down and observe the problem. + + Some users believe the problem is caused by very large cookies. One + user reports that his Zero Sized Reply problem went away when he told + Internet Explorer to not accept third-party cookies. + + Here are some things you can try to reduce the occurance of the Zero + Sized Reply error: + * Delete or rename your cookie file and configure your browser to + prompt you before accepting any new cookies. + * Disable HTTP persistent connections with the + server_persistent_connections and client_persistent_connections + directives. + * Disable any advanced TCP features on the Squid system. Disable ECN + on Linux with + echo 0 > /proc/sys/net/ipv4/tcp_ecn/. + * Upgrade to Squid-2.5.STABLE4 or later to work around a Host header + related bug in Cisco PIX HTTP inspection. The Cisco PIX firewall + wrongly assumes the Host header can be found in the first packet of + the request. + + If this error causes serious problems for you and the above does not + help, Squid developers would be happy to help you uncover the problem. + However, we will require high-quality debugging information from you, + such as + tcpdump output, server IP addresses, operating system versions, and + access.log entries with full HTTP headers. + + If you want to make Squid give the Zero Sized error on demand, you can + use [812]a short C program. Simply compile and start the program on a + system that doesn't already have a server running on port 80. Then try + to connect to this fake server through Squid: + +Why do I get "The request or reply is too large" errors? + + by Grzegorz Janoszka + + This error message appears when you try downloading large file using + GET or uploading it using POST/PUT. There are three parameters to look + for: + request_body_max_size, reply_body_max_size (these two are set to 0 by + default now, which means no limits at all, earlier version of squid had + e.g. 1MB in request) and request_header_max_size - it defaults to 10kB + (now, earlier versions had here 4 or even 2 kB) - in some rather rare + circumstances even 10kB is too low, so you can increase this value. + +Negative or very large numbers in Store Directory Statistics, or constant +complaints about cache above limit + + In some situations where swap.state has been corrupted Squid can be + very confused about how much data it has in the cache. Such corruption + may happen after a power failure or similar fatal event. To recover + first stop Squid, then delete the swap.state files from each cache + directory and then start Squid again. Squid will automatically rebuild + the swap.state index from the cached files reasonably well. + + If this does not work or causes too high load on your server due to the + reindexing of the cache then delete the cache content as explained in + [813]../OperatingSquid. + +Squid problems with Windows Update v5 + + By Janno de Wit + + There seems to be some problems with Microsoft Windows to access the + Windows Update website. This is especially a problem when you block all + traffic by a firewall and force your users to go through the Squid + Cache. + + Symptom: Windows Update gives error codes like 0x80072EFD and cannot + update, automatic updates aren't working too. + + Cause: In earlier Windows-versions Windows Update takes the + proxy-settings from Internet Explorer. Since XP SP2 this is not sure. + At my machine I ran Windows XP SP1 without Windows Update problems. + When I upgraded to SP2 Windows Update started to give errors when + searching updates etc. + + The problem was that WU did not go through the proxy and tries to + establish direct HTTP connections to Update-servers. Even when I set + the proxy in IE again, it didn't help . It isn't Squid's problem that + Windows Update doesn't work, but it is in Windows itself. The solution + is to use the 'proxycfg' tool shipped with Windows XP. With this tool + you can set the proxy for WinHTTP. + + Commands: +C:\> proxycfg +# gives information about the current connection type. Note: 'Direct Connection' + does not force WU to bypass proxy + +C:\> proxycfg -d +# Set Direct Connection + +C:\> proxycfg -p wu-proxy.lan:8080 +# Set Proxy to use with Windows Update to wu-proxy.lan, port 8080 + +c:\> proxycfg -u +# Set proxy to Internet Explorer settings. + __________________________________________________________________ + + Contents + 1. [814]What are cachable objects? + 2. [815]What is the ICP protocol? + 3. [816]What is the ''dnsserver''? + 4. [817]What is a cache hierarchy? What are parents and siblings? + 5. [818]What is the Squid cache resolution algorithm? + 6. [819]What features are Squid developers currently working on? + 7. [820]Tell me more about Internet traffic workloads + 8. [821]What are the tradeoffs of caching with the NLANR cache system? + 9. [822]Where can I find out more about firewalls? + 10. [823]What is the "Storage LRU Expiration Age?" + 11. [824]What is "Failure Ratio at 1.01; Going into hit-only-mode for 5 + minutes"? + 12. [825]Does squid periodically re-read its configuration file? + 13. [826]How does ''unlinkd'' work? + 14. [827]What is an icon URL? + 15. [828]Can I make my regular FTP clients use a Squid cache? + 16. [829]Why is the select loop average time so high? + 17. [830]How does Squid deal with Cookies? + 18. [831]How does Squid decide when to refresh a cached object? + 19. [832]What exactly is a ''deferred read''? + 20. [833]Why is my cache's inbound traffic equal to the outbound + traffic? + 21. [834]How come some objects do not get cached? + 22. [835]What does ''keep-alive ratio'' mean? + 23. [836]How does Squid's cache replacement algorithm work? + 24. [837]What are private and public keys? + 25. [838]What is FORW_VIA_DB for? + 26. [839]Does Squid send packets to port 7 (echo)? If so, why? + 27. [840]What does "WARNING: Reply from unknown nameserver [a.b.c.d]" + mean? + 28. [841]How does Squid distribute cache files among the available + directories? + 29. [842]Why do I see negative byte hit ratio? + 30. [843]What does "Disabling use of private keys" mean? + 31. [844]What is a half-closed filedescriptor? + 32. [845]What does --enable-heap-replacement do? + 33. [846]Why is actual filesystem space used greater than what Squid + thinks? + 34. [847]How do ''positive_dns_ttl'' and ''negative_dns_ttl'' work? + 35. [848]What does ''swapin MD5 mismatch'' mean? + 36. [849]What does ''failed to unpack swapfile meta data'' mean? + 37. [850]Why doesn't Squid make ''ident'' lookups in interception mode? + 38. [851]dnsSubmit: queue overload, rejecting blah + 39. [852]What are FTP passive connections? + +What are cachable objects? + + An Internet Object is a file, document or response to a query for an + Internet service such as FTP, HTTP, or gopher. A client requests an + Internet object from a caching proxy; if the object is not already + cached, the proxy server fetches the object (either from the host + specified in the URL or from a parent or sibling cache) and delivers it + to the client. + +What is the ICP protocol? + + ICP is a protocol used for communication among squid caches. The ICP + protocol is defined in two Internet RFC's. [853]RFC 2186 describes the + protocol itself, while [854]RFC 2187 describes the application of ICP + to hierarchical Web caching. + + ICP is primarily used within a cache hierarchy to locate specific + objects in sibling caches. If a squid cache does not have a requested + document, it sends an ICP query to its siblings, and the siblings + respond with ICP replies indicating a "HIT" or a "MISS." The cache then + uses the replies to choose from which cache to resolve its own MISS. + + ICP also supports multiplexed transmission of multiple object streams + over a single TCP connection. ICP is currently implemented on top of + UDP. Current versions of Squid also support ICP via multicast. + +What is the ''dnsserver''? + + The dnsserver is a process forked by squid to resolve IP addresses from + domain names. This is necessary because the gethostbyname(3) function + blocks the calling process until the DNS query is completed. + + Squid must use non-blocking I/O at all times, so DNS lookups are + implemented external to the main process. The dnsserver processes do + not cache DNS lookups, that is implemented inside the squid process. + + The dnsserver program was integrated into the main Squid binary in + Squid-2. If you have reason to use the old style dnsserver process you + can build it at ./configure time. However we would suggest that you + file a bug if you find that the internal DNS process does not work as + you would expect. + +What is a cache hierarchy? What are parents and siblings? + + A cache hierarchy is a collection of caching proxy servers organized in + a logical parent/child and sibling arrangement so that caches closest + to Internet gateways (closest to the backbone transit entry-points) act + as parents to caches at locations farther from the backbone. The parent + caches resolve "misses" for their children. In other words, when a + cache requests an object from its parent, and the parent does not have + the object in its cache, the parent fetches the object, caches it, and + delivers it to the child. This ensures that the hierarchy achieves the + maximum reduction in bandwidth utilization on the backbone transit + links, helps reduce load on Internet information servers outside the + network served by the hierarchy, and builds a rich cache on the parents + so that the other child caches in the hierarchy will obtain better + "hit" rates against their parents. + + In addition to the parent-child relationships, squid supports the + notion of siblings: caches at the same level in the hierarchy, provided + to distribute cache server load. Each cache in the hierarchy + independently decides whether to fetch the reference from the object's + home site or from parent or sibling caches, using a a simple resolution + protocol. Siblings will not fetch an object for another sibling to + resolve a cache "miss." + +What is the Squid cache resolution algorithm? + + 1. Send ICP queries to all appropriate siblings + 2. Wait for all replies to arrive with a configurable timeout (the + default is two seconds). + 1. Begin fetching the object upon receipt of the first HIT reply, + or + 2. Fetch the object from the first parent which replied with MISS + (subject to weighting values), or + 3. Fetch the object from the source + + The algorithm is somewhat more complicated when firewalls are involved. + + The single_parent_bypass directive can be used to skip the ICP queries + if the only appropriate sibling is a parent cache (i.e., if there's + only one place you'd fetch the object from, why bother querying?) + +What features are Squid developers currently working on? + + There are several open issues for the caching project namely more + automatic load balancing and (both configured and dynamic) selection of + parents, routing, multicast cache-to-cache communication, and better + recognition of URLs that are not worth caching. + + For our other to-do list items, please see our "TODO" file in the + recent source distributions. + + Prospective developers should review the resources available at the + [855]Squid developers corner + +Tell me more about Internet traffic workloads + + Workload can be characterized as the burden a client or group of + clients imposes on a system. Understanding the nature of workloads is + important to the managing system capacity. + + If you are interested in Internet traffic workloads then NLANR's + [856]Network Analysis activities is a good place to start. + +What are the tradeoffs of caching with the NLANR cache system? + + The NLANR root caches are at the NSF supercomputer centers (SCCs), + which are interconnected via NSF's high speed backbone service (vBNS). + So inter-cache communication between the NLANR root caches does not + cross the Internet. + + The benefits of hierarchical caching (namely, reduced network bandwidth + consumption, reduced access latency, and improved resiliency) come at a + price. Caches higher in the hierarchy must field the misses of their + descendents. If the equilibrium hit rate of a leaf cache is 50%, half + of all leaf references have to be resolved through a second level cache + rather than directly from the object's source. If this second level + cache has most of the documents, it is usually still a win, but if + higher level caches often don't have the document, or become + overloaded, then they could actually increase access latency, rather + than reduce it. + +Where can I find out more about firewalls? + + Please see the [857]Firewalls FAQ information site. + +What is the "Storage LRU Expiration Age?" + + For example: +Storage LRU Expiration Age: 4.31 days + + The LRU expiration age is a dynamically-calculated value. Any objects + which have not been accessed for this amount of time will be removed + from the cache to make room for new, incoming objects. Another way of + looking at this is that it would take your cache approximately this + many days to go from empty to full at your current traffic levels. + + As your cache becomes more busy, the LRU age becomes lower so that more + objects will be removed to make room for the new ones. Ideally, your + cache will have an LRU age value in the range of at least 3 days. If + the LRU age is lower than 3 days, then your cache is probably not big + enough to handle the volume of requests it receives. By adding more + disk space you could increase your cache hit ratio. + + The configuration parameter reference_age places an upper limit on your + cache's LRU expiration age. + +What is "Failure Ratio at 1.01; Going into hit-only-mode for 5 minutes"? + + Consider a pair of caches named A and B. It may be the case that A can + reach B, and vice-versa, but B has poor reachability to the rest of the + Internet. In this case, we would like B to recognize that it has poor + reachability and somehow convey this fact to its neighbor caches. + + Squid will track the ratio of failed-to-successful requests over short + time periods. A failed request is one which is logged as ERR_DNS_FAIL, + ERR_CONNECT_FAIL, or ERR_READ_ERROR. When the failed-to-successful + ratio exceeds 1.0, then Squid will return ICP_MISS_NOFETCH instead of + ICP_MISS to neighbors. Note, Squid will still return ICP_HIT for cache + hits. + +Does squid periodically re-read its configuration file? + + No, you must send a HUP signal to have Squid re-read its configuration + file, including access control lists. An easy way to do this is with + the -k command line option: +squid -k reconfigure + +How does ''unlinkd'' work? + + unlinkd is an external process used for unlinking unused cache files. + Performing the unlink operation in an external process opens up some + race-condition problems for Squid. If we are not careful, the following + sequence of events could occur: + * An object with swap file number S is removed from the cache. + * We want to unlink file F which corresponds to swap file number S, + so we write pathname F to the unlinkd socket. We also mark S as + available in the filemap. + * We have a new object to swap out. It is allocated to the first + available file number, which happens to be S. Squid opens file F + for writing. + * The unlinkd process reads the request to unlink F and issues the + actual unlink call. + + So, the problem is, how can we guarantee that unlinkd will not remove a + cache file that Squid has recently allocated to a new object? The + approach we have taken is to have Squid keep a stack of unused (but not + deleted!) swap file numbers. The stack size is hard-coded at 128 + entries. We only give unlink requests to unlinkd when the unused file + number stack is full. Thus, if we ever have to start unlinking files, + we have a pool of 128 file numbers to choose from which we know will + not be removed by unlinkd. + + In terms of implementation, the only way to send unlink requests to the + unlinkd process is via the storePutUnusedFileno function. + + Unfortunately there are times when Squid can not use the unlinkd + process but must call unlink(2) directly. One of these times is when + the cache swap size is over the high water mark. If we push the + released file numbers onto the unused file number stack, and the stack + is not full, then no files will be deleted, and the actual disk usage + will remain unchanged. So, when we exceed the high water mark, we must + call unlink(2) directly. + +What is an icon URL? + + One of the most unpleasant things Squid must do is generate HTML pages + of Gopher and FTP directory listings. For some strange reason, people + like to have little icons next to each listing entry, denoting the type + of object to which the link refers (image, text file, etc.). + + We include a set of icons in the source distribution for this purpose. + These icon files are loaded by Squid as cached objects at runtime. + Thus, every Squid cache now has its own icons to use in Gopher and FTP + listings. Just like other objects available on the web, we refer to the + icons with [858]Uniform Resource Locators, or URLs. + +Can I make my regular FTP clients use a Squid cache? + + Nope, its not possible. Squid only accepts HTTP requests. It speaks FTP + on the server-side, but not on the client-side. + + The very cool [859]wget will download FTP URLs via Squid (and probably + any other proxy cache). + +Why is the select loop average time so high? + + Is there any way to speed up the time spent dealing with select? + Cachemgr shows: + Select loop called: 885025 times, 714.176 ms avg + + This number is NOT how much time it takes to handle filedescriptor I/O. + We simply count the number of times select was called, and divide the + total process running time by the number of select calls. + + This means, on average it takes your cache .714 seconds to check all + the open file descriptors once. But this also includes time select() + spends in a wait state when there is no I/O on any file descriptors. My + relatively idle workstation cache has similar numbers: +Select loop called: 336782 times, 715.938 ms avg + + But my busy caches have much lower times: +Select loop called: 16940436 times, 10.427 ms avg +Select loop called: 80524058 times, 10.030 ms avg +Select loop called: 10590369 times, 8.675 ms avg +Select loop called: 84319441 times, 9.578 ms avg + +How does Squid deal with Cookies? + + The presence of Cookies headers in requests does not affect whether or + not an HTTP reply can be cached. Similarly, the presense of Set-Cookie + headers in replies does not affect whether the reply can be cached. + + The proper way to deal with Set-Cookie reply headers, according to + [860]RFC 2109 is to cache the whole object, EXCEPT the Set-Cookie + header lines. + + However, we can filter out specific HTTP headers. But instead of + filtering them on the receiving-side, we filter them on the + sending-side. Thus, Squid does cache replies with Set-Cookie headers, + but it filters out the Set-Cookie header itself for cache hits. + +How does Squid decide when to refresh a cached object? + + When checking the object freshness, we calculate these values: + * OBJ_DATE is the time when the object was given out by the + + origin server. This is taken from the HTTP Date reply header. + * OBJ_LASTMOD is the time when the object was last modified, + + given by the HTTP Last-Modified reply header. + * OBJ_AGE is how much the object has aged since it was retrieved: + +OBJ_AGE = NOW - OBJ_DATE + + * LM_AGE is how old the object was when it was retrieved: + +LM_AGE = OBJ_DATE - OBJ_LASTMOD + + * LM_FACTOR is the ratio of OBJ_AGE to LM_AGE: + +LM_FACTOR = OBJ_AGE / LM_AGE + + * CLIENT_MAX_AGE is the (optional) maximum object age the client will + + accept as taken from the HTTP/1.1 Cache-Control request header. + * EXPIRES is the (optional) expiry time from the server reply + headers. + + These values are compared with the parameters of the refresh_pattern + rules. The refresh parameters are: + * URL regular expression + * CONF_MIN: The time (in minutes) an object without an explicit + expiry time should be considered fresh. The recommended value is 0, + any higher values may cause dynamic applications to be erronously + cached unless the application designer has taken the appropriate + actions. + * CONF_PERCENT: A percentage of the objects age (time since last + modification age) an object without explicit exipry time will be + considered fresh. + * CONF_MAX: An upper limit on how long objects without an explicit + expiry time will be considered fresh. + + The URL regular expressions are checked in the order listed until a + match is found. Then the algorithms below are applied for determining + if an object is fresh or stale. + + The refresh algorithm used in Squid-2 looks like this: + + if (EXPIRES) { + if (EXPIRES <= NOW) + return STALE + else + return FRESH + } + if (CLIENT_MAX_AGE) + if (OBJ_AGE > CLIENT_MAX_AGE) + return STALE + if (OBJ_AGE > CONF_MAX) + return STALE + if (OBJ_DATE > OBJ_LASTMOD) { + if (LM_FACTOR < CONF_PERCENT) + return FRESH + else + return STALE + } + if (OBJ_AGE <= CONF_MIN) + return FRESH + return STALE + +What exactly is a ''deferred read''? + + The cachemanager I/O page lists deferred reads for various server-side + protocols. + + Sometimes reading on the server-side gets ahead of writing to the + client-side. Especially if your cache is on a fast network and your + clients are connected at modem speeds. Squid-1.1 will read up to 256k + (per request) ahead before it starts to defer the server-side reads. + +Why is my cache's inbound traffic equal to the outbound traffic? + + I've been monitoring the traffic on my cache's ethernet adapter an + found a behavior I can't explain: the inbound traffic is equal to the + outbound traffic. The differences are negligible. The hit ratio reports + 40%. Shouldn't the outbound be at least 40% greater than the inbound? + + by [861]David J N Begley + + I can't account for the exact behavior you're seeing, but I can offer + this advice; whenever you start measuring raw Ethernet or IP traffic on + interfaces, you can forget about getting all the numbers to exactly + match what Squid reports as the amount of traffic it has sent/received. + + Why? + + Squid is an application - it counts whatever data is sent to, or + received from, the lower-level networking functions; at each + successively lower layer, additional traffic is involved (such as + header overhead, retransmits and fragmentation, unrelated + broadcasts/traffic, etc.). The additional traffic is never seen by + Squid and thus isn't counted - but if you run MRTG (or any SNMP/RMON + measurement tool) against a specific interface, all this additional + traffic will "magically appear". + + Also remember that an interface has no concept of upper-layer + networking (so an Ethernet interface doesn't distinguish between IP + traffic that's entirely internal to your organization, and traffic + that's to/from the Internet); this means that when you start measuring + an interface, you have to be aware of *what* you are measuring before + you can start comparing numbers elsewhere. + + It is possible (though by no means guaranteed) that you are seeing + roughly equivalent input/output because you're measuring an interface + that both retrieves data from the outside world (Internet), *and* + serves it to end users (internal clients). That wouldn't be the whole + answer, but hopefully it gives you a few ideas to start applying to + your own circumstance. + + To interpret any statistic, you have to first know what you are + measuring; for example, an interface counts inbound and outbound bytes + - that's it. The interface doesn't distinguish between inbound bytes + from external Internet sites or from internal (to the organization) + clients (making requests). If you want that, try looking at RMON2. + + Also, if you're talking about a 40% hit rate in terms of object + requests/counts then there's absolutely no reason why you should expect + a 40% reduction in traffic; after all, not every request/object is + going to be the same size so you may be saving a lot in terms of + requests but very little in terms of actual traffic. + +How come some objects do not get cached? + + To determine whether a given object may be cached, Squid takes many + things into consideration. The current algorithm (for Squid-2) goes + something like this: + * Responses with Cache-Control: Private are NOT cachable. + * Responses with Cache-Control: No-Cache are NOT cachable. + * Responses with Cache-Control: No-Store are NOT cachable. + * Responses for requests with an Authorization header are cachable + ONLY if the reponse includes Cache-Control: Public. + * Responses with Vary headers are NOT cachable because Squid does not + yet support Vary features. + * The following HTTP status codes are cachable: + + 200 OK + + 203 Non-Authoritative Information + + 300 Multiple Choices + + 301 Moved Permanently + + 410 Gone + + However, if Squid receives one of these responses from a neighbor + cache, it will NOT be cached if ALL of the Date, Last-Modified, and + Expires reply headers are missing. This prevents such objects from + bouncing back-and-forth between siblings forever. + + A 302 Moved Temporarily response is cachable ONLY if the response also + includes an Expires header. + + The following HTTP status codes are "negatively cached" for a short + amount of time (configurable): + * 204 No Content + * 305 Use Proxy + * 400 Bad Request + * 403 Forbidden + * 404 Not Found + * 405 Method Not Allowed + * 414 Request-URI Too Large + * 500 Internal Server Error + * 501 Not Implemented + * 502 Bad Gateway + * 503 Service Unavailable + * 504 Gateway Time-out + + All other HTTP status codes are NOT cachable, including: + * 206 Partial Content + * 303 See Other + * 304 Not Modified + * 401 Unauthorized + * 407 Proxy Authentication Required + +What does ''keep-alive ratio'' mean? + + The keep-alive ratio shows up in the server_list cache manager page. + + This is a mechanism to try detecting neighbor caches which might not be + able to deal with persistent connections. Every time we send a + proxy-connection: keep-alive request header to a neighbor, we count how + many times the neighbor sent us a proxy-connection: keep-alive reply + header. Thus, the keep-alive ratio is the ratio of these two counters. + + If the ratio stays above 0.5, then we continue to assume the neighbor + properly implements persistent connections. Otherwise, we will stop + sending the keep-alive request header to that neighbor. + +How does Squid's cache replacement algorithm work? + + Squid uses an LRU (least recently used) algorithm to replace old cache + objects. This means objects which have not been accessed for the + longest time are removed first. In the source code, the + StoreEntry->lastref value is updated every time an object is accessed. + + Objects are not necessarily removed "on-demand." Instead, a regularly + scheduled event runs to periodically remove objects. Normally this + event runs every second. + + Squid keeps the cache disk usage between the low and high water marks. + By default the low mark is 90%, and the high mark is 95% of the total + configured cache size. When the disk usage is close to the low mark, + the replacement is less aggressive (fewer objects removed). When the + usage is close to the high mark, the replacement is more aggressive + (more objects removed). + + When selecting objects for removal, Squid examines some number of + objects and determines which can be removed and which cannot. A number + of factors determine whether or not any given object can be removed. If + the object is currently being requested, or retrieved from an upstream + site, it will not be removed. If the object is "negatively-cached" it + will be removed. If the object has a private cache key, it will be + removed (there would be no reason to keep it -- because the key is + private, it can never be "found" by subsequent requests). Finally, if + the time since last access is greater than the LRU threshold, the + object is removed. + + The LRU threshold value is dynamically calculated based on the current + cache size and the low and high marks. The LRU threshold scaled + exponentially between the high and low water marks. When the store swap + size is near the low water mark, the LRU threshold is large. When the + store swap size is near the high water mark, the LRU threshold is + small. The threshold automatically adjusts to the rate of incoming + requests. In fact, when your cache size has stabilized, the LRU + threshold represents how long it takes to fill (or fully replace) your + cache at the current request rate. Typical values for the LRU threshold + are 1 to 10 days. + + Back to selecting objects for removal. Obviously it is not possible to + check every object in the cache every time we need to remove some of + them. We can only check a small subset each time. + + Every time an object is accessed, it gets moved to the top of a list. + Over time, the least used objects migrate to the bottom of the list. + When looking for objects to remove, we only need to check the last 100 + or so objects in the list. Unfortunately this approach increases our + memory usage because of the need to store three additional pointers per + cache object. We also use cache keys with MD5 hashes. + +What are private and public keys? + + keys refers to the database keys which Squid uses to index cache + objects. Every object in the cache--whether saved on disk or currently + being downloaded--has a cache key. We use MD5 checksums for cache keys. + + The Squid cache uses the notions of private and public cache keys. An + object can start out as being private, but may later be changed to + public status. Private objects are associated with only a single client + whereas a public object may be sent to multiple clients at the same + time. In other words, public objects can be located by any cache + client. Private keys can only be located by a single client--the one + who requested it. + + Objects are changed from private to public after all of the HTTP reply + headers have been received and parsed. In some cases, the reply headers + will indicate the object should not be made public. For example, if the + no-cache Cache-Control directive is used. + +What is FORW_VIA_DB for? + + We use it to collect data for [862]Plankton. + +Does Squid send packets to port 7 (echo)? If so, why? + + It may. This is an old feature from the Harvest cache software. The + cache would send ICP "SECHO" message to the echo ports of origin + servers. If the SECHO message came back before any of the other ICP + replies, then it meant the origin server was probably closer than any + neighbor cache. In that case Harvest/Squid sent the request directly to + the origin server. + + With more attention focused on security, many administrators filter UDP + packets to port 7. The Computer Emergency Response Team (CERT) once + issued an advisory note ( [863]CA-96.01: UDP Port Denial-of-Service + Attack) that says UDP echo and chargen services can be used for a + denial of service attack. This made admins extremely nervous about any + packets hitting port 7 on their systems, and they made complaints. + + The source_ping feature has been disabled in Squid-2. If you're seeing + packets to port 7 that are coming from a Squid cache (remote port + 3130), then its probably a very old version of Squid. + +What does "WARNING: Reply from unknown nameserver [a.b.c.d]" mean? + + It means Squid sent a DNS query to one IP address, but the response + came back from a different IP address. By default Squid checks that the + addresses match. If not, Squid ignores the response. + + There are a number of reasons why this would happen: + * -Your DNS name server just works this way, either becuase its been + configured to, or because its stupid and doesn't know any better. + -You have a weird broadcast address, like 0.0.0.0, in your + /etc/resolv.conf file. -Somebody is trying to send spoofed DNS + responses to your cache. + + If you recognize the IP address in the warning as one of your name + server hosts, then its probably numbers (1) or (2). + + You can make these warnings stop, and allow responses from "unknown" + name servers by setting this configuration option: +ignore_unknown_nameservers off + +How does Squid distribute cache files among the available directories? + + Note: The information here is current for version 2.2. + + See storeDirMapAllocate() in the source code. + + When Squid wants to create a new disk file for storing an object, it + first selects which cache_dir the object will go into. This is done + with the storeDirSelectSwapDir() function. If you have N cache + directories, the function identifies the 3N/4 (75%) of them with the + most available space. These directories are then used, in order of + having the most available space. When Squid has stored one URL to each + of the 3N/4 cache_dirs, the process repeats and storeDirSelectSwapDir() + finds a new set of 3N/4 cache directories with the most available + space. + + Once the cache_dir has been selected, the next step is to find an + available swap file number. This is accomplished by checking the file + map, with the file_map_allocate() function. Essentially the swap file + numbers are allocated sequentially. For example, if the last number + allocated happens to be 1000, then the next one will be the first + number after 1000 that is not already being used. + +Why do I see negative byte hit ratio? + + Byte hit ratio is calculated a bit differently than Request hit ratio. + Squid counts the number of bytes read from the network on the + server-side, and the number of bytes written to the client-side. The + byte hit ratio is calculated as + (client_bytes - server_bytes) / client_bytes + + If server_bytes is greater than client_bytes, you end up with a + negative value. + + The server_bytes may be greater than client_bytes for a number of + reasons, including: + * Cache Digests and other internally generated requests. Cache Digest + messages are quite large. They are counted in the server_bytes, but + since they are consumed internally, they do not count in + client_bytes. + * User-aborted requests. If your quick_abort setting allows it, Squid + sometimes continues to fetch aborted requests from the server-side, + without sending any data to the client-side. + * Some range requests, in combination with Squid bugs, can consume + more bandwidth on the server-side than on the + + client-side. In a range request, the client is asking for only some + part of the object. Squid may decide to retrieve the whole object + anyway, so that it can be used later on. This means downloading more + from the server than sending to the client. You can affect this + behavior with the range_offset_limit option. + +What does "Disabling use of private keys" mean? + + First you need to understand the difference between public and private + keys. + + When Squid sends ICP queries, it uses the ICP 'reqnum' field to hold + the private key data. In other words, when Squid gets an ICP reply, it + uses the 'reqnum' value to build the private cache key for the pending + object. + + Some ICP implementations always set the 'reqnum' field to zero when + they send a reply. Squid can not use private cache keys with such + neighbor caches because Squid will not be able to locate cache keys for + those ICP replies. Thus, if Squid detects a neighbor cache that sends + zero reqnum's, it disables the use of private cache keys. + + Not having private cache keys has some important privacy implications. + Two users could receive one response that was meant for only one of the + users. This response could contain personal, confidential information. + You will need to disable the 'zero reqnum' neighbor if you want Squid + to use private cache keys. + +What is a half-closed filedescriptor? + + TCP allows connections to be in a "half-closed" state. This is + accomplished with the shutdown(2) system call. In Squid, this means + that a client has closed its side of the connection for writing, but + leaves it open for reading. Half-closed connections are tricky because + Squid can't tell the difference between a half-closed connection, and a + fully closed one. + + If Squid tries to read a connection, and read() returns 0, and Squid + knows that the client doesn't have the whole response yet, Squid puts + marks the filedescriptor as half-closed. Most likely the client has + aborted the request and the connection is really closed. However, there + is a slight chance that the client is using the shutdown() call, and + that it can still read the response. + + To disable half-closed connections, simply put this in squid.conf: + half_closed_clients off + + Then, Squid will always close its side of the connection instead of + marking it as half-closed. + +What does --enable-heap-replacement do? + + Squid has traditionally used an LRU replacement algorithm. However with + Squid version 2.4 and later you should use this configure option: + +./configure --enable-removal-policies=heap + + Currently, the heap replacement code supports two additional + algorithms: LFUDA, and GDS. + + Then, in squid.conf, you can select different policies with the + cache_replacement_policy option. See the squid.conf comments for + details. + + The LFUDA and GDS replacement code was contributed by John Dilley and + others from Hewlett-Packard. Their work is described in these papers: + * - + + [864]Enhancement and Validation of Squid's Cache Replacement Policy (HP + Tech Report). + * - + + [865]Enhancement and Validation of the Squid Cache Replacement Policy + (WCW 1999 paper). + +Why is actual filesystem space used greater than what Squid thinks? + + If you compare df output and cachemgr storedir output, you will notice + that actual disk usage is greater than what Squid reports. This may be + due to a number of reasons: + * Squid doesn't keep track of the size of the swap.state + + file, which normally resides on each cache_dir. + * Directory entries and take up filesystem space. + * Other applications might be using the same disk partition. + * Your filesystem block size might be larger than what Squid + + thinks. When calculating total disk usage, Squid rounds file sizes up + to a whole number of 1024 byte blocks. If your filesystem uses larger + blocks, then some "wasted" space is not accounted. + * Your cache has suffered some minor corruption and some objects have + gotten lost without being removed from the swap.state file. Over + time, Squid will detect this and automatically fix it. + +How do ''positive_dns_ttl'' and ''negative_dns_ttl'' work? + + positive_dns_ttl is how long Squid caches a successful DNS lookup. + Similarly, negative_dns_ttl is how long Squid caches a failed DNS + lookup. + + positive_dns_ttl is not always used. It is NOT used in the following + cases: + * Squid-2.3 and later versions with internal DNS lookups. Internal + + lookups are the default for Squid-2.3 and later. + * If you applied the "DNS TTL" for BIND as described in + [866]../CompilingSquid. + * If you are using FreeBSD, then it already has the DNS TTL patch + + built in. + + Let's say you have the following settings: +positive_dns_ttl 1 hours +negative_dns_ttl 1 minutes + + When Squid looks up a name like www.squid-cache.org, it gets back an IP + address like 204.144.128.89. The address is cached for the next hour. + That means, when Squid needs to know the address for + www.squid-cache.org again, it uses the cached answer for the next hour. + After one hour, the cached information expires, and Squid makes a new + query for the address of www.squid-cache.org. + + If you have the DNS TTL patch, or are using internal lookups, then each + hostname has its own TTL value, which was set by the domain name + administrator. You can see these values in the 'ipcache' cache manager + page. For example: + Hostname Flags lstref TTL N + www.squid-cache.org C 73043 12784 1( 0) 204.144.128.89-OK + www.ircache.net C 73812 10891 1( 0) 192.52.106.12-OK + polygraph.ircache.net C 241768 -181261 1( 0) 192.52.106.12-OK + + The TTL field shows how how many seconds until the entry expires. + Negative values mean the entry is already expired, and will be + refreshed upon next use. + + The negative_dns_ttl specifies how long to cache failed DNS lookups. + When Squid fails to resolve a hostname, you can be pretty sure that it + is a real failure, and you are not likely to get a successful answer + within a short time period. Squid retries its lookups many times before + declaring a lookup has failed. If you like, you can set + negative_dns_ttl to zero. + +What does ''swapin MD5 mismatch'' mean? + + It means that Squid opened up a disk file to serve a cache hit, but it + found that the stored object doesn't match what the user's request. + Squid stores the MD5 digest of the URL at the start of each disk file. + When the file is opened, Squid checks that the disk file MD5 matches + the MD5 of the URL requested by the user. If they don't match, the + warning is printed and Squid forwards the request to the origin server. + + You do not need to worry about this warning. It means that Squid is + automatically recovering from a corrupted cache directory. + +What does ''failed to unpack swapfile meta data'' mean? + + Each of Squid's disk cache files has a metadata section at the + beginning. This header is used to store the URL MD5, some StoreEntry + data, and more. When Squid opens a disk file for reading, it looks for + the meta data header and unpacks it. + + This warning means that Squid couln't unpack the meta data. This is + non-fatal bug, from which Squid can recover. Perhaps the meta data was + just missing, or perhaps the file got corrupted. + + You do not need to worry about this warning. It means that Squid is + double-checking that the disk file matches what Squid thinks should be + there, and the check failed. Squid recorvers and generates a cache miss + in this case. + +Why doesn't Squid make ''ident'' lookups in interception mode? + + Its a side-effect of the way interception proxying works. + + When Squid is configured for interception proxying, the operating + system pretends that it is the origin server. That means that the + "local" socket address for intercepted TCP connections is really the + origin server's IP address. If you run netstat -n on your interception + proxy, you'll see a lot of foreign IP addresses in the Local Address + column. + + When Squid wants to make an ident query, it creates a new TCP socket + and binds the local endpoint to the same IP address as the local end of + the client's TCP connection. Since the local address isn't really local + (its some far away origin server's IP address), the bind() system call + fails. Squid handles this as a failed ident lookup. + + So why bind in that way? If you know you are interception proxying, + then why not bind the local endpoint to the host's (intranet) IP + address? Why make the masses suffer needlessly? + + Because thats just how ident works. Please read [867]RFC 931, in + particular the RESTRICTIONS section. + +dnsSubmit: queue overload, rejecting blah + + This means that you are using external dnsserver processes for lookups, + and all processes are busy, and Squid's pending queue is full. Each + dnsserver program can only handle one request at a time. When all + dnsserver processes are busy, Squid queues up requests, but only to a + certain point. + + To alleviate this condition, you need to either (1) increase the number + of dnsserver processes by changing the value for dns_children in your + config file, or (2) switch to using Squid's internal DNS client code. + + Note that in some versions, Squid limits dns_children to 32. To + increase it beyond that value, you would have to edit the source code. + + As we have mentioned previously in this page, you should NOT be running + with external DNS processes. + +What are FTP passive connections? + + by Colin Campbell + + Ftp uses two data streams, one for passing commands around, the other + for moving data. The command channel is handled by the ftpd listening + on port 21. + + The data channel varies depending on whether you ask for passive ftp or + not. When you request data in a non-passive environment, you client + tells the server "I am listening on ." The server + then connects FROM port 20 to the ip address and port specified by your + client. This requires your "security device" to permit any host outside + from port 20 to any host inside on any port > 1023. Somewhat of a hole. + + In passive mode, when you request a data transfer, the server tells the + client "I am listening on ." Your client then + connects to the server on that IP and port and data flows. + __________________________________________________________________ + + Contents + 1. [868]What is Multicast? + 2. [869]How do I know if my network has multicast? + 3. [870]Should I be using Multicast ICP? + 4. [871]How do I configure Squid to send Multicast ICP queries? + 5. [872]How do I know what Multicast TTL to use? + 6. [873]How do I configure Squid to receive and respond to Multicast + ICP? + +What is Multicast? + + Multicast is essentially the ability to send one IP packet to multiple + receivers. Multicast is often used for audio and video conferencing + systems. + +How do I know if my network has multicast? + + One way is to ask someone who manages your network. If your network + manager doesn't know, or looks at you funny, then you probably don't + have it. + + Another way is to use the mtrace program, which can be found on the + [874]Xerox PARC FTP site. Mtrace is similar to traceroute. It will tell + you about the multicast path between your site and another. For + example: +> mtrace mbone.ucar.edu +mtrace: WARNING: no multicast group specified, so no statistics printed +Mtrace from 128.117.64.29 to 192.172.226.25 via group 224.2.0.1 +Querying full reverse path... * switching to hop-by-hop: +0 oceana-ether.nlanr.net (192.172.226.25) +-1 avidya-ether.nlanr.net (192.172.226.57) DVMRP thresh^ 1 +-2 mbone.sdsc.edu (198.17.46.39) DVMRP thresh^ 1 +-3 * nccosc-mbone.dren.net (138.18.5.224) DVMRP thresh^ 48 +-4 * * FIXW-MBONE.NSN.NASA.GOV (192.203.230.243) PIM/Special thresh^ 64 +-5 dec3800-2-fddi-0.SanFrancisco.mci.net (204.70.158.61) DVMRP thresh^ 64 +-6 dec3800-2-fddi-0.Denver.mci.net (204.70.152.61) DVMRP thresh^ 1 +-7 mbone.ucar.edu (192.52.106.7) DVMRP thresh^ 64 +-8 mbone.ucar.edu (128.117.64.29) +Round trip time 196 ms; total ttl of 68 required. + +Should I be using Multicast ICP? + + Short answer: No, probably not. + + Reasons why you SHOULD use Multicast: + * It reduces the number of times Squid calls sendto() to put a UDP + packet onto the network. + * Its trendy and cool to use Multicast. + + Reasons why you SHOULD NOT use Multicast: + * Multicast tunnels/configurations/infrastructure are often unstable. + You may lose multicast connectivity but still have unicast + connectivity. + * Multicast does not simplify your Squid configuration file. Every + trusted neighbor cache must still be specified. + * Multicast does not reduce the number of ICP replies being sent + around. It does reduce the number of ICP queries sent, but not the + number of replies. + * Multicast exposes your cache to some privacy issues. There are no + special emissions required to join a multicast group. Anyone may + join your group and eavesdrop on ICP query messages. However, the + scope of your multicast traffic can be controlled such that it does + not exceed certain boundaries. + + We only recommend people to use Multicast ICP over network + infrastructure which they have close control over. In other words, only + use Multicast over your local area network, or maybe your wide area + network if you are an ISP. We think it is probably a bad idea to use + Multicast ICP over congested links or commodity backbones. + +How do I configure Squid to send Multicast ICP queries? + + To configure Squid to send ICP queries to a Multicast address, you need + to create another neighbour cache entry specified as multicast. For + example: +cache_peer 224.9.9.9 multicast 3128 3130 ttl=64 + + 224.9.9.9 is a sample multicast group address. multicast indicates that + this is a special type of neighbour. The HTTP-port argument (3128) is + ignored for multicast peers, but the ICP-port (3130) is very important. + The final argument, ttl=64 specifies the multicast TTL value for + queries sent to this address. It is probably a good idea to increment + the minimum TTL by a few to provide a margin for error and changing + conditions. + + You must also specify which of your neighbours will respond to your + multicast queries, since it would be a bad idea to implicitly trust any + ICP reply from an unknown address. Note that ICP replies are sent back + to unicast addresses; they are NOT multicast, so Squid has no + indication whether a reply is from a regular query or a multicast + query. To configure your multicast group neighbours, use the cache_peer + directive and the multicast-responder option: +cache_peer cache1 sibling 3128 3130 multicast-responder +cache_peer cache2 sibling 3128 3130 multicast-responder + + Here all fields are relevant. The ICP port number (3130) must be the + same as in the cache_peer line defining the multicast peer above. The + third field must either be parent or sibling to indicate how Squid + should treat replies. With the multicast-responder flag set for a peer, + Squid will NOT send ICP queries to it directly (i.e. unicast). + +How do I know what Multicast TTL to use? + + The Multicast TTL (which is specified on the cache_peer line of your + multicast group) determines how "far" your ICP queries will go. In the + Mbone, there is a certain TTL threshold defined for each network + interface or tunnel. A multicast packet's TTL must be larger than the + defined TTL for that packet to be forwarded across that link. For + example, the mrouted manual page recommends: +32 for links that separate sites within an organization. +64 for links that separate communities or organizations, and are attached to t +he Internet MBONE. +128 for links that separate continents on the MBONE. + + A good way to determine the TTL you need is to run mtrace as shown + above and look at the last line. It will show you the minimum TTL + required to reach the other host. + + If you set you TTL too high, then your ICP messages may travel "too + far" and will be subject to eavesdropping by others. If you're only + using multicast on your LAN, as we suggest, then your TTL will be quite + small, for example ttl=4. + +How do I configure Squid to receive and respond to Multicast ICP? + + You must tell Squid to join a multicast group address with the + mcast_groups directive. For example: +mcast_groups 224.9.9.9 + + Of course, all members of your Multicast ICP group will need to use the + exact same multicast group address. + + Choose a multicast group address with care! If two organizations + happen to choose the same multicast address, then they may find that + their groups "overlap" at some point. This will be especially true if + one of the querying caches uses a large TTL value. There are two ways + to reduce the risk of group overlap: + * Use a unique group address + * Limit the scope of multicast messages with TTLs or administrative + scoping. + + Using a unique address is a good idea, but not without some potential + problems. If you choose an address randomly, how do you know that + someone else will not also randomly choose the same address? NLANR has + been assigned a block of multicast addresses by the IANA for use in + situations such as this. If you would like to be assigned one of these + addresses, please [875]write to us. However, note that NLANR or IANA + have no authority to prevent anyone from using an address assigned to + you. + + Limiting the scope of your multicast messages is probably a better + solution. They can be limited with the TTL value discussed above, or + with some newer techniques known as administratively scoped addresses. + Here you can configure well-defined boundaries for the traffic to a + specific address. The [876]Administratively Scoped IP Multicast RFC + describes this. + __________________________________________________________________ + + Contents + 1. [877]General advice + 2. [878]FreeBSD + 1. [879]Filedescriptors + 2. [880]Diskd + +General advice + + The settings detailed in this FAQ chapter are suggestion for + operating-system-specific settings which may help when running busy + caches. It is recommended to check that the settings have the desired + effect by using the [881]Cache Manager. + +FreeBSD + +Filedescriptors + + For busy caches, it makes sense to increase the number of system-wide + available filedescriptors, by setting in: in /etc/sysctl.conf +kern.maxfilesperproc=8192 + +Diskd + + /!\ + + This information is out-of-date, as with newer FreeBSD versions these + parameters can be tuned at runtime via sysctl. We're looking for + contributions to update this page + + In order to run diskd you may need to tweak your kernel settings. Try + setting in the kernel config file (larger values may be needed for very + busy caches): +options MSGMNB=8192 # max # of bytes in a queue +options MSGMNI=40 # number of message queue identifiers +options MSGSEG=512 # number of message segments per queue +options MSGSSZ=64 # size of a message segment +options MSGTQL=2048 # max messages in system + +options SHMSEG=16 +options SHMMNI=32 +options SHMMAX=2097152 +options SHMALL=4096 +options MAXFILES=16384 + __________________________________________________________________ + + Contents + 1. [882]Solaris + 1. [883]TCP incompatibility? + 2. [884]select() + 3. [885]malloc + 4. [886]DNS lookups and ''nscd'' + 5. [887]DNS lookups and /etc/nsswitch.conf + 6. [888]DNS lookups and NIS + 7. [889]Tuning + 8. [890]disk write error: (28) No space left on device + 9. [891]Solaris X86 and IPFilter + 10. [892]Changing the directory lookup cache size + 11. [893]The priority_paging algorithm + 12. [894]assertion failed: StatHist.c:91: `statHistBin(H, max) == + H->capacity - 1' + 2. [895]FreeBSD + 1. [896]T/TCP bugs + 2. [897]mbuf size + 3. [898]Dealing with NIS + 4. [899]FreeBSD 3.3: The lo0 (loop-back) device is not configured + on startup + 5. [900]FreeBSD 3.x or newer: Speed up disk writes using + Softupdates + 6. [901]Internal DNS problems with jail environment + 7. [902]"Zero Sized Reply" error due to TCP blackholing + 3. [903]OSF1/3.2 + 4. [904]BSD/OS + 1. [905]gcc/yacc + 2. [906]process priority + 5. [907]Linux + 1. [908]FATAL: Don't run Squid as root, set + 'cache_effective_user'! + 2. [909]Large ACL lists make Squid slow + 3. [910]gethostbyname() leaks memory in RedHat 6.0 with glibc + 2.1.1. + 4. [911]assertion failed: StatHist.c:91: `statHistBin(H, max) == + H->capacity - 1' on Alpha system. + 5. [912]tools.c:605: storage size of `rl' isn't known + 6. [913]Can't connect to some sites through Squid + 7. [914]Some sites load extremely slowly or not at all + 6. [915]IRIX + 1. [916]''dnsserver'' always returns 255.255.255.255 + 7. [917]SCO-UNIX + 8. [918]AIX + 1. [919]"shmat failed" errors with ''diskd'' + 2. [920]Core dumps when squid process grows to 256MB + +Solaris + +TCP incompatibility? + + J.D. Bronson (jb at ktxg dot com) reported that his Solaris box could + not talk to certain origin servers, such as [921]moneycentral.msn.com + and [922]www.mbnanetaccess.com. J.D. fixed his problem by setting: + +tcp_xmit_hiwat 49152 +tcp_xmit_lowat 4096 +tcp_recv_hiwat 49152 + +select() + + select(3c) won't handle more than 1024 file descriptors. The configure + script should enable poll() by default for Solaris. poll() allows you + to use many more filedescriptors, probably 8192 or more. + + For older Squid versions you can enable poll() manually by changing + HAVE_POLL in include/autoconf.h, or by adding -DUSE_POLL=1 to the + DEFINES in src/Makefile. + +malloc + + libmalloc.a is leaky. Squid's configure does not use -lmalloc on + Solaris. + +DNS lookups and ''nscd'' + + by [923]David J N Begley. + + DNS lookups can be slow because of some mysterious thing called ncsd. + You should edit /etc/nscd.conf and make it say: + +enable-cache hosts no + + Apparently nscd serializes DNS queries thus slowing everything down + when an application (such as Squid) hits the resolver hard. You may + notice something similar if you run a log processor executing many DNS + resolver queries - the resolver starts to slow.. right.. down.. . . . + + According to [924]at online dot ee Andres Kroonmaa, users of Solaris + starting from version 2.6 and up should NOT completely disable nscd + daemon. nscd should be running and caching passwd and group files, + although it is suggested to disable hosts caching as it may interfere + with DNS lookups. + + Several library calls rely on available free FILE descriptors FD < 256. + Systems running without nscd may fail on such calls if first 256 files + are all in use. + + Since solaris 2.6 Sun has changed the way some system calls work and is + using nscd daemon as a implementor of them. To communicate to nscd + Solaris is using undocumented door calls. Basically nscd is used to + reduce memory usage of user-space system libraries that use passwd and + group files. Before 2.6 Solaris cached full passwd file in library + memory on the first use but as this was considered to use up too much + ram on large multiuser systems Sun has decided to move implementation + of these calls out of libraries and to a single dedicated daemon. + +DNS lookups and /etc/nsswitch.conf + + by [925]Jason Armistead. + + The /etc/nsswitch.conf file determines the order of searches for + lookups (amongst other things). You might only have it set up to allow + NIS and HOSTS files to work. You definitely want the "hosts:" line to + include the word dns, e.g.: + +hosts: nis dns [NOTFOUND=return] files + +DNS lookups and NIS + + by [926]Chris Tilbury. + + Our site cache is running on a Solaris 2.6 machine. We use NIS to + distribute authentication and local hosts information around and in + common with our multiuser systems, we run a slave NIS server on it to + help the response of NIS queries. + + We were seeing very high name-ip lookup times (avg ~2sec) and ip->name + lookup times (avg ~8 sec), although there didn't seem to be that much + of a problem with response times for valid sites until the cache was + being placed under high load. Then, performance went down the toilet. + + After some time, and a bit of detective work, we found the problem. On + Solaris 2.6, if you have a local NIS server running (ypserv) and you + have NIS in your /etc/nsswitch.conf hosts entry, then check the flags + it is being started with. The 2.6 ypstart script checks to see if there + is a resolv.conf file present when it starts ypserv. If there is, then + it starts it with the -d option. + + This has the same effect as putting the YP_INTERDOMAIN key in the hosts + table -- namely, that failed NIS host lookups are tried against the DNS + by the NIS server. + + This is a bad thing(tm)! If NIS itself tries to resolve names using the + DNS, then the requests are serialised through the NIS server, creating + a bottleneck (This is the same basic problem that is seen with nscd). + Thus, one failing or slow lookup can, if you have NIS before DNS in the + service switch file (which is the most common setup), hold up every + other lookup taking place. + + If you're running in this kind of setup, then you will want to make + sure that + * ypserv doesn't start with the -d flag. + * you don't have the YP_INTERDOMAIN key in the hosts table (find the + B=-b line in the yp Makefile and change it to B=) + + We changed these here, and saw our average lookup times drop by up to + an order of magnitude (~150msec for name-ip queries and ~1.5sec for + ip-name queries, the latter still so high, I suspect, because more of + these fail and timeout since they are not made so often and the entries + are frequently non-existent anyway). + +Tuning + + Have a look at [927]Tuning your TCP/IP stack and more by Jens-S. + Voeckler. + +disk write error: (28) No space left on device + + You might get this error even if your disk is not full, and is not out + of inodes. Check your syslog logs (/var/adm/messages, normally) for + messages like either of these: + +NOTICE: realloccg /proxy/cache: file system full +NOTICE: alloc: /proxy/cache: file system full + + In a nutshell, the UFS filesystem used by Solaris can't cope with the + workload squid presents to it very well. The filesystem will end up + becoming highly fragmented, until it reaches a point where there are + insufficient free blocks left to create files with, and only fragments + available. At this point, you'll get this error and squid will revise + its idea of how much space is actually available to it. You can do a + "fsck -n raw_device" (no need to unmount, this checks in read only + mode) to look at the fragmentation level of the filesystem. It will + probably be quite high (>15%). + + Sun suggest two solutions to this problem. One costs money, the other + is free but may result in a loss of performance (although Sun do claim + it shouldn't, given the already highly random nature of squid disk + access). + + The first is to buy a copy of VxFS, the Veritas Filesystem. This is an + extent-based filesystem and it's capable of having online + defragmentation performed on mounted filesystems. This costs money, + however (VxFS is not very cheap!) + + The second is to change certain parameters of the UFS filesystem. + Unmount your cache filesystems and use tunefs to change optimization to + "space" and to reduce the "minfree" value to 3-5% (under Solaris 2.6 + and higher, very large filesystems will almost certainly have a minfree + of 2% already and you shouldn't increase this). You should be able to + get fragmentation down to around 3% by doing this, with an accompanied + increase in the amount of space available. + + Thanks to [928]Chris Tilbury. + +Solaris X86 and IPFilter + + by [929]Jeff Madison + + Important update regarding Squid running on Solaris x86. I have been + working for several months to resolve what appeared to be a memory leak + in squid when running on Solaris x86 regardless of the malloc that was + used. I have made 2 discoveries that anyone running Squid on this + platform may be interested in. + + Number 1: There is not a memory leak in Squid even though after the + system runs for some amount of time, this varies depending on the load + the system is under, Top reports that there is very little memory free. + True to the claims of the Sun engineer I spoke to this statistic from + Top is incorrect. The odd thing is that you do begin to see performance + suffer substantially as time goes on and the only way to correct the + situation is to reboot the system. This leads me to discovery number 2. + + Number 2: There is some type of resource problem, memory or other, with + IPFilter on Solaris x86. I have not taken the time to investigate what + the problem is because we no longer are using IPFilter. We have + switched to a Alteon ACE 180 Gigabit switch which will do the + trans-proxy for you. After moving the trans-proxy, redirection process + out to the Alteon switch Squid has run for 3 days strait under a huge + load with no problem what so ever. We currently have 2 boxes with 40 GB + of cached objects on each box. This 40 GB was accumulated in the 3 + days, from this you can see what type of load these boxes are under. + Prior to this change we were never able to operate for more than 4 + hours. + + Because the problem appears to be with IPFilter I would guess that you + would only run into this issue if you are trying to run Squid as a + interception proxy using IPFilter. That makes sense. If there is anyone + with information that would indicate my finding are incorrect I am + willing to investigate further. + +Changing the directory lookup cache size + + by [930]Mike Batchelor + + On Solaris, the kernel variable for the directory name lookup cache + size is ncsize. In /etc/system, you might want to try + +set ncsize = 8192 + + or even higher. The kernel variable ufs_inode - which is the size of + the inode cache itself - scales with ncsize in Solaris 2.5.1 and later. + Previous versions of Solaris required both to be adjusted + independently, but now, it is not recommended to adjust ufs_inode + directly on 2.5.1 and later. + + You can set ncsize quite high, but at some point - dependent on the + application - a too-large ncsize will increase the latency of lookups. + + Defaults are: + +Solaris 2.5.1 : (max_nprocs + 16 + maxusers) + 64 +Solaris 2.6/Solaris 7 : 4 * (max_nprocs + maxusers) + 320 + +The priority_paging algorithm + + by [931]Mike Batchelor + + Another new tuneable (actually a toggle) in Solaris 2.5.1, 2.6 or + Solaris 7 is the priority_paging algorithm. This is actually a complete + rewrite of the virtual memory system on Solaris. It will page out + application data last, and filesystem pages first, if you turn it on + (set priority_paging = 1 in /etc/system). As you may know, the Solaris + buffer cache grows to fill available pages, and under the old VM + system, applications could get paged out to make way for the buffer + cache, which can lead to swap thrashing and degraded application + performance. The new priority_paging helps keep application and shared + library pages in memory, preventing the buffer cache from paging them + out, until memory gets REALLY short. Solaris 2.5.1 requires patch + 103640-25 or higher and Solaris 2.6 requires 105181-10 or higher to get + priority_paging. Solaris 7 needs no patch, but all versions have it + turned off by default. + +assertion failed: StatHist.c:91: `statHistBin(H, max) == H->capacity - 1' + + by [932]Marc + + This crash happen on Solaris, when you don't have the "math.h" file at + the compile time. I guess it can happen on every system without the + correct include, but I have not verified. + + The configure script just report: "math.h: no" and continue. The math + functions are bad declared, and this cause this crash. + + For 32bit Solaris, "math.h" is found in the SUNWlibm package. + +FreeBSD + +T/TCP bugs + + We have found that with FreeBSD-2.2.2-RELEASE, there some bugs with + T/TCP. FreeBSD will try to use T/TCP if you've enabled the "TCP + Extensions." To disable T/TCP, use sysinstall to disable TCP + Extensions, or edit /etc/rc.conf and set + +tcp_extensions="NO" # Allow RFC1323 & RFC1544 extensions (or NO). + + or add this to your /etc/rc files: + +sysctl -w net.inet.tcp.rfc1644=0 + +mbuf size + + We noticed an odd thing with some of Squid's interprocess + communication. Often, output from the dnsserver processes would NOT be + read in one chunk. With full debugging, it looks like this: + +1998/04/02 15:18:48| comm_select: FD 46 ready for reading +1998/04/02 15:18:48| ipcache_dnsHandleRead: Result from DNS ID 2 (100 bytes) +1998/04/02 15:18:48| ipcache_dnsHandleRead: Incomplete reply +....other processing occurs... +1998/04/02 15:18:48| comm_select: FD 46 ready for reading +1998/04/02 15:18:48| ipcache_dnsHandleRead: Result from DNS ID 2 (9 bytes) +1998/04/02 15:18:48| ipcache_parsebuffer: parsing: +$name www.karup.com +$h_name www.karup.inter.net +$h_len 4 +$ipcount 2 +38.15.68.128 +38.15.67.128 +$ttl 2348 +$end + + Interestingly, it is very common to get only 100 bytes on the first + read. When two read() calls are required, this adds additional latency + to the overall request. On our caches running Digital Unix, the median + dnsserver response time was measured at 0.01 seconds. On our FreeBSD + cache, however, the median latency was 0.10 seconds. + + Here is a simple patch to fix the bug: + +============================ +RCS file: /home/ncvs/src/sys/kern/uipc_socket.c,v +retrieving revision 1.40 +retrieving revision 1.41 +diff -p -u -r1.40 -r1.41 +--- src/sys/kern/uipc_socket.c 1998/05/15 20:11:30 1.40 ++++ /home/ncvs/src/sys/kern/uipc_socket.c 1998/07/06 19:27:14 1.41 +@@ -31,7 +31,7 @@ + * SUCH DAMAGE. + * + * @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94 +- * $Id: FAQ.sgml,v 1.250 2005/04/22 19:29:50 hno Exp $ ++ * $Id: FAQ.sgml,v 1.250 2005/04/22 19:29:50 hno Exp $ + */ + #include +@@ -491,6 +491,7 @@ restart: + mlen = MCLBYTES; + len = min(min(mlen, resid), space); + } else { ++ atomic = 1; + nopages: + len = min(min(mlen, resid), space); + /* + + Another technique which may help, but does not fix the bug, is to + increase the kernel's mbuf size. The default is 128 bytes. The MSIZE + symbol is defined in /usr/include/machine/param.h. However, to change + it we added this line to our kernel configuration file: + + options MSIZE="256" + +Dealing with NIS + + /var/yp/Makefile has the following section: + + # The following line encodes the YP_INTERDOMAIN key into the hosts.bynam +e + # and hosts.byaddr maps so that ypserv(8) will do DNS lookups to resolve + # hosts not in the current domain. Commenting this line out will disable + # the DNS lookups. + B=-b + + You will want to comment out the B=-b line so that ypserv does not do + DNS lookups. + +FreeBSD 3.3: The lo0 (loop-back) device is not configured on startup + + Squid requires a the loopback interface to be up and configured. If it + is not, you will get errors such as + [FAQ-11.html#comm-bind-loopback-fail commBind]. + + From [933]FreeBSD 3.3 Errata Notes: + +Fix: Assuming that you experience this problem at all, edit ''/etc/rc.conf'' +and search for where the network_interfaces variable is set. In +its value, change the word ''auto'' to ''lo0'' since the auto keyword +doesn't bring the loop-back device up properly, for reasons yet to +be adequately determined. Since your other interface(s) will already +be set in the network_interfaces variable after initial installation, +it's reasonable to simply s/auto/lo0/ in rc.conf and move on. + + Thanks to [934]at lentil dot org Robert Lister. + +FreeBSD 3.x or newer: Speed up disk writes using Softupdates + + by [935]Andre Albsmeier + + FreeBSD 3.x and newer support Softupdates. This is a mechanism to speed + up disk writes as it is possible by mounting ufs volumes async. + However, Softupdates does this in a way that a performance similar or + better than async is achieved but without loosing security in a case of + a system crash. For more detailed information and the copyright terms + see /sys/contrib/softupdates/README and /sys/ufs/ffs/README.softupdate. + + To build a system supporting softupdates, you have to build a kernel + with options SOFTUPDATES set (see LINT for a commented out example). + After rebooting with the new kernel, you can enable softupdates on a + per filesystem base with the command: + + $ tunefs -n /mountpoint + + The filesystem in question MUST NOT be mounted at this time. After + that, softupdates are permanently enabled and the filesystem can be + mounted normally. To verify that the softupdates code is running, + simply issue a mount command and an output similar to the following + will appear: + + $ mount + /dev/da2a on /usr/local/squid/cache (ufs, local, noatime, soft-updates, +writes: sync 70 async 225) + +Internal DNS problems with jail environment + + Some users report problems with running Squid in the jail environment. + Specifically, Squid logs messages like: + +2001/10/12 02:08:49| comm_udp_sendto: FD 4, 192.168.1.3, port 53: (22) Invalid a +rgument +2001/10/12 02:08:49| idnsSendQuery: FD 4: sendto: (22) Invalid argument + + You can eliminate the problem by putting the jail's network interface + address in the 'udp_outgoing_addr' configuration option in squid.conf. + +"Zero Sized Reply" error due to TCP blackholing + + by [936]David Landgren + + On FreeBSD, make sure that TCP blackholing is not active. You can + verify the current setting with: + +# /sbin/sysctl net.inet.tcp.blackhole + + It should return the following output: + +net.inet.tcp.blackhole: 0 + + If it is set to a positive value (usually, 2), disable it by setting it + back to zero with< + +# /sbin/sysctl net.inet.tcp.blackhole=0 + + To make sure the setting survives across reboots, add the following + line to the file /etc/sysctl.conf: + +net.inet.tcp.blackhole=0 + +OSF1/3.2 + + If you compile both libgnumalloc.a and Squid with cc, the mstats() + function returns bogus values. However, if you compile libgnumalloc.a + with gcc, and Squid with cc, the values are correct. + +BSD/OS + +gcc/yacc + + Some people report [FAQ-2.html#bsdi-compile difficulties compiling + squid on BSD/OS]. + +process priority + + I've noticed that my Squid process seems to stick at a nice value of + four, and clicks back to that even after I renice it to a higher + priority. However, looking through the Squid source, I can't find any + instance of a setpriority() call, or anything else that would seem to + indicate Squid's adjusting its own priority. + + by [937]Bill Bogstad + + BSD Unices traditionally have auto-niced non-root processes to 4 after + they used alot (4 minutes???) of CPU time. My guess is that it's the + BSD/OS not Squid that is doing this. I don't know offhand if there is a + way to disable this on BSD/OS. + + by [938]Arjan de Vet + + You can get around this by starting Squid with nice-level -4 (or + another negative value). + + by [939]at nl dot compuware dot com Bert Driehuis + + The autonice behavior is a leftover from the history of BSD as a + university OS. It penalises CPU bound jobs by nicing them after using + 600 CPU seconds. Adding + + sysctl -w kern.autonicetime=0 + + to /etc/rc.local will disable the behavior systemwide. + +Linux + + Generally we recommend you use Squid with an up-to-date Linux + distribution, preferably one with a 2.6 kernel. Recent 2.6 kernels + support some features in new versions of Squid such as epoll and + WCCP/GRE support built in that will give better performance and + flexibility. Note that Squid will however still function just fine + under older Linux kernels. You will need to be mindful of the security + implications of running your Squid proxy on the Internet if you are + using a very old and unsupported distribution. + + There have been issues with GLIBC in some very old distributions, and + upgrading or fixing GLIBC is not for the faint of heart. + +FATAL: Don't run Squid as root, set 'cache_effective_user'! + + Some users have reported that setting cache_effective_user to nobody + under Linux does not work. However, it appears that using any + cache_effective_user other than nobody will succeed. One solution is to + create a user account for Squid and set cache_effective_user to that. + Alternately you can change the UID for the nobody account from 65535 to + 65534. + + [940]Russ Mellon notes that these problems with cache_effective_user + are fixed in version 2.2.x of the Linux kernel. + +Large ACL lists make Squid slow + + The regular expression library which comes with Linux is known to be + very slow. Some people report it entirely fails to work after long + periods of time. + + To fix, use the GNUregex library included with the Squid source code. + With Squid-2, use the --enable-gnuregex configure option. + +gethostbyname() leaks memory in RedHat 6.0 with glibc 2.1.1. + + by [941]at netsoft dot ro Radu Greab + + The gethostbyname() function leaks memory in RedHat 6.0 with glibc + 2.1.1. The quick fix is to delete nisplus service from hosts entry in + /etc/nsswitch.conf. In my tests dnsserver memory use remained stable + after I made the above change. + + See [942]RedHat bug id 3919. + +assertion failed: StatHist.c:91: `statHistBin(H, max) == H->capacity - 1' on +Alpha system. + + by [943]Jamie Raymond + + Some early versions of Linux have a kernel bug that causes this. All + that is needed is a recent kernel that doesn't have the mentioned bug. + +tools.c:605: storage size of `rl' isn't known + + This is a bug with some versions of glibc. The glibc headers + incorrectly depended on the contents of some kernel headers. Everything + broke down when the kernel folks rearranged a bit in the + kernel-specific header files. + + We think this glibc bug is present in versions 2.1.1 (or 2.1.0) and + earlier. There are two solutions: + * Make sure /usr/include/linux and /usr/include/asm are from the + kernel version glibc is build/configured for, not any other kernel + version. Only compiling of loadable kernel modules outside of the + kernel sources depends on having the current versions of these, and + for such builds -I/usr/src/linux/include (or where ever the new + kernel headers are located) can be used to resolve the matter. + * Upgrade glibc to 2.1.2 or later. This is always a good idea anyway, + provided a prebuilt upgrade package exists for the Linux + distribution used.. Note: Do not attempt to manually build and + install glibc from source unless you know exactly what you are + doing, as this can easily render the system unuseable. + +Can't connect to some sites through Squid + + When using Squid, some sites may give erorrs such as "(111) Connection + refused" or "(110) Connection timed out" although these sites work fine + without going through Squid. + + Linux 2.6 implements [944]Explicit Congestion Notification (ECN) + support and this can cause some TCP connections to fail when contacting + some sites with broken firewalls or broken TCP/IP implementations. + + As of June 2006, the number of sites that fail when ECN is enabled is + very low and you may find you benefit more from having this feature + enabled than globally turning it off. + + To work around such broken sites you can disable ECN with the following + command: + +echo 0 > /proc/sys/net/ipv4/tcp_ecn + + [945]HenrikNordstrom explains: + +ECN is an standard extension to TCP/IP, making TCP/IP behave better in +overload conditions where the available bandwidth is all used up (i.e. +the default condition for any WAN link). +Defined by Internet RFC3168 issued by the Networking Working Group at +IETF, the standardization body responsible for the evolution of TCP/IP +and other core Internet technologies such as routing. +It's implemented by using two previously unused bits (of 6) in the TCP +header, plus redefining two bits of the never standardized TOS field in +the IP header (dividing TOS in 6 bits Diffserv and 2 bit ECN fields), +allowing routers to clearly indicate overload conditions to the +participating computers instead of dropping packets hoping that the +computers will realize there is too much traffic. +The main problem is the use of those previously unused bits in the TCP +header. The TCP/IP standard has always said that those bits is reserved +for future use, but many old firewalls assume the bits will never be +used and simply drops all traffic using this new feature thinking it's +invalid use of TCP/IP to evolve beyond the original standards from 1981. +ECN in it's final form was defined 2001, but earlier specifications was +circulated several years earlier. + + See also the [946]thread on the NANOG mailing list, [947]RFC3168 + "The Addition of Explicit Congestion Notification (ECN) to IP, + PROPOSED STANDARD" , [948]Sally Floyd's page on ECN and problems + related to it or [949]ECN Hall of Shame for more information. + +Some sites load extremely slowly or not at all + + You may occasionally have problems with TCP Window Scaling on Linux. At + first you may be able to TCP connect to the site, but then unable to + transfer any data across your connection or that data flows extremely + slowly. This is due to some broken firewalls on the Internet (it is not + a bug with Linux) mangling the window scaling option when the TCP + connection is established. More details and a workaround can be found + at [950]lwn.net. + + The reason why this is experienced with Linux and not most other OS:es + is that all desktop OS:es advertise a quite small window scaling factor + if at all, and therefore the firewall bug goes unnoticed with these + OS:es. + +IRIX + +''dnsserver'' always returns 255.255.255.255 + + There is a problem with GCC (2.8.1 at least) on Irix 6 which causes it + to always return the string 255.255.255.255 for _ANY_ address when + calling inet_ntoa(). If this happens to you, compile Squid with the + native C compiler instead of GCC. + +SCO-UNIX + + by [951]F.J. Bosscha + + To make squid run comfortable on SCO-unix you need to do the following: + + Increase the NOFILES paramater and the NUMSP parameter and compile + squid with I had, although squid told in the cache.log file he had 3000 + filedescriptors, problems with the messages that there were no + filedescriptors more available. After I increase also the NUMSP value + the problems were gone. + + One thing left is the number of tcp-connections the system can handle. + Default is 256, but I increase that as well because of the number of + clients we have. + +AIX + +"shmat failed" errors with ''diskd'' + + 32-bit processes on AIX and later are restricted by default to a + maximum of 11 shared memory segments. This restriction can be removed + on AIX 4.2.1 and later by setting the environment variable EXTSHM=ON in + the script or shell which starts squid. + +Core dumps when squid process grows to 256MB + + 32-bit processes cannot use more than 256MB of stack and data in the + default memory model. To force the loader to use large address space + for squid, either: + * set the LDR_CNTRL environment variable, + + eg LDR_CNTRL="MAXDATA=0x80000000"; or + * link with -bmaxdata:0x80000000; or + * patch the squid binary + + See [952]IBM's documentation on large program support for more + information, including how to patch an already-compiled program. + __________________________________________________________________ + + Contents + 1. [953]What is a redirector? + 2. [954]Why use a redirector? + 3. [955]How does it work? + 4. [956]Do you have any examples? + 5. [957]Can I use the redirector to return HTTP redirect messages? + 6. [958]FATAL: All redirectors have exited! + 7. [959]Redirector interface is broken re IDENT values + +What is a redirector? + + Squid has the ability to rewrite requested URLs. Implemented as an + external process (similar to a dnsserver), Squid can be configured to + pass every incoming URL through a redirector process that returns + either a new URL, or a blank line to indicate no change. + + The redirector program is NOT a standard part of the Squid package. + However, some examples are provided below, and in the "contrib/" + directory of the source distribution. Since everyone has different + needs, it is up to the individual administrators to write their own + implementation. + +Why use a redirector? + + A redirector allows the administrator to control the locations to which + his users goto. Using this in conjunction with interception proxies + allows simple but effective porn control. + +How does it work? + + The redirector program must read URLs (one per line) on standard input, + and write rewritten URLs or blank lines on standard output. Note that + the redirector program can not use buffered I/O. Squid writes + additional information after the URL which a redirector can use to make + a decision. The input line consists of four fields: +URL ip-address/fqdn ident method + +Do you have any examples? + + A simple very fast redirector called [960]SQUIRM is a good place to + start, it uses the regex lib to allow pattern matching. + + Also see [961]jesred. + + The following Perl script may also be used as a template for writing + your own redirector: +#!/usr/bin/perl +$|=1; +while (<>) { + s@http://fromhost.com@http://tohost.org@; + print; +} + +Can I use the redirector to return HTTP redirect messages? + + Normally, the redirector feature is used to rewrite requested URLs. + Squid then transparently requests the new URL. However, in some + situations, it may be desirable to return an HTTP "301" or "302" + redirect message to the client. + + Simply modify your redirector program to prepend either "301:" or + "302:" before the new URL. For example, the following script might be + used to direct external clients to a secure Web server for internal + documents: +#!perl (-) +#!/usr/bin/perl +$|=1; +while (<>) { + @X = split; + $url = $X[0]; + if ($url =~ /^http:\/\/internal\.foo\.com/) { + $url =~ s/^http/https/; + $url =~ s/internal/secure/; + print "302:$url\n"; + } else { + print "$url\n"; + } +} + + Please see sections 10.3.2 and 10.3.3 of [962]RFC 2068 for an + explanation of the 301 and 302 HTTP reply codes. + +FATAL: All redirectors have exited! + + A redirector process must exit (stop running) only when its stdin is + closed. If you see the "All redirectors have exited" message, it + probably means your redirector program has a bug. Maybe it runs out of + memory or has memory access errors. You may want to test your + redirector program outside of squid with a big input list, taken from + your access.log perhaps. Also, check for coredump files from the + redirector program (see [963]../TroubleShooting to define where). + +Redirector interface is broken re IDENT values + + I added a redirctor consisting of +#! /bin/sh +/usr/bin/tee /tmp/squid.log + + and many of the redirector requests don't have a username in the ident + field. + + Squid does not delay a request to wait for an ident lookup, unless you + use the ident ACLs. Thus, it is very likely that the ident was not + available at the time of calling the redirector, but became available + by the time the request is complete and logged to access.log. + + If you want to block requests waiting for ident lookup, try something + like this: +acl foo ident REQUIRED +http_access allow foo + __________________________________________________________________ + + Contents + 1. [964]What is a Cache Digest? + 2. [965]How and why are they used? + 3. [966]What is the theory behind Cache Digests? + 1. [967]Adding a Key + 2. [968]Querying a Key + 3. [969]Deleting a Key + 4. [970]How is the size of the Cache Digest in Squid determined? + 5. [971]What hash functions (and how many of them) does Squid use? + 6. [972]How are objects added to the Cache Digest in Squid? + 7. [973]Does Squid support deletions in Cache Digests? What are + diffs/deltas? + 8. [974]When and how often is the local digest built? + 9. [975]How are Cache Digests transferred between peers? + 10. [976]How and where are Cache Digests stored? + 1. [977]Cache Digest built locally + 2. [978]Cache Digest fetched from peer + 11. [979]How are the Cache Digest statistics in the Cache Manager to be + interpreted? + 12. [980]What are False Hits and how should they be handled? + 13. [981]How can Cache Digest related activity be traced/debugged? + 1. [982]Enabling Cache Digests + 2. [983]What do the access.log entries look like? + 3. [984]What does a False Hit look like? + 4. [985]How is the cause of a False Hit determined? + 5. [986]Use The Source + 14. [987]What about ICP? + 15. [988]Is there a Cache Digest Specification? + 16. [989]Would it be possible to stagger the timings when cache_digests + are retrieved from peers? + + Cache Digest FAQs compiled by Niall Doherty + . + +What is a Cache Digest? + + A Cache Digest is a summary of the contents of an Internet Object + Caching Server. It contains, in a compact (i.e. compressed) format, an + indication of whether or not particular URLs are in the cache. + + A "lossy" technique is used for compression, which means that very high + compression factors can be achieved at the expense of not having 100% + correct information. + +How and why are they used? + + Cache servers periodically exchange their digests with each other. + + When a request for an object (URL) is received from a client a cache + can use digests from its peers to find out which of its peers (if any) + have that object. The cache can then request the object from the + closest peer (Squid uses the NetDB database to determine this). + + Note that Squid will only make digest queries in those digests that are + enabled. It will disable a peers digest IFF it cannot fetch a valid + digest for that peer. It will enable that peers digest again when a + valid one is fetched. + + The checks in the digest are very fast and they eliminate the need for + per-request queries to peers. Hence: + * Latency is eliminated and client response time should be improved. + * Network utilisation may be improved. + + Note that the use of Cache Digests (for querying the cache contents of + peers) and the generation of a Cache Digest (for retrieval by peers) + are independent. So, it is possible for a cache to make a digest + available for peers, and not use the functionality itself and vice + versa. + +What is the theory behind Cache Digests? + + Cache Digests are based on Bloom Filters - they are a method for + representing a set of keys with lookup capabilities; where lookup means + "is the key in the filter or not?". + + In building a cache digest: + * A vector (1-dimensional array) of m bits is allocated, with all + bits initially set to 0. + * A number, k, of independent hash functions are chosen, h1, h2, ..., + hk, with range { 1, ..., m } (i.e. a key hashed with any of these + functions gives a value between 1 and m inclusive). + * The set of n keys to be operated on are denoted by: A = { a1, a2, + a3, ..., an }. + +Adding a Key + + To add a key the value of each hash function for that key is + calculated. So, if the key was denoted by a, then h1(a), h2(a), ..., + hk(a) are calculated. + + The value of each hash function for that key represents an index into + the array and the corresponding bits are set to 1. So, a digest with 6 + hash functions would have 6 bits to be set to 1 for each key added. + + Note that the addition of a number of different keys could cause one + particular bit to be set to 1 multiple times. + +Querying a Key + + To query for the existence of a key the indices into the array are + calculated from the hash functions as above. + * If any of the corresponding bits in the array are 0 then the key is + not present. + * If all of the corresponding bits in the array are 1 then the key is + likely to be present. + + Note the term likely. It is possible that a collision in the digest can + occur, whereby the digest incorrectly indicates a key is present. This + is the price paid for the compact representation. While the probability + of a collision can never be reduced to zero it can be controlled. + Larger values for the ratio of the digest size to the number of entries + added lower the probability. The number of hash functions chosen also + influence the probability. + +Deleting a Key + + To delete a key, it is not possible to simply set the associated bits + to 0 since any one of those bits could have been set to 1 by the + addition of a different key! + + Therefore, to support deletions a counter is required for each bit + position in the array. The procedures to follow would be: + * When adding a key, set appropriate bits to 1 and increment the + corresponding counters. + * When deleting a key, decrement the appropriate counters (while > + 0), and if a counter reaches 0 then the corresponding bit is set to + 0. + +How is the size of the Cache Digest in Squid determined? + + Upon initialisation, the capacity is set to the number of objects that + can be (are) stored in the cache. Note that there are upper and lower + limits here. + + An arbitrary constant, bits_per_entry (currently set to 5), is used to + calculate the size of the array using the following formula: + + number of bits in array = capacity * bits_per_entry + 7 + + The size of the digest, in bytes, is therefore: + +digest size = int (number of bits in array / 8) + + When a digest rebuild occurs, the change in the cache size (capacity) + is measured. If the capacity has changed by a large enough amount (10%) + then the digest array is freed and reallocated memory, otherwise the + same digest is re-used. + +What hash functions (and how many of them) does Squid use? + + The protocol design allows for a variable number of hash functions (k). + However, Squid employs a very efficient method using a fixed number - + four. + + Rather than computing a number of independent hash functions over a URL + Squid uses a 128-bit MD5 hash of the key (actually a combination of the + URL and the HTTP retrieval method) and then splits this into four equal + chunks. + + Each chunk, modulo the digest size (m), is used as the value for one of + the hash functions - i.e. an index into the bit array. + + Note: As Squid retrieves objects and stores them in its cache on disk, + it adds them to the in-RAM index using a lookup key which is an MD5 + hash - the very one discussed above. This means that the values for the + Cache Digest hash functions are already available and consequently the + operations are extremely efficient! + + Obviously, modifying the code to support a variable number of hash + functions would prove a little more difficult and would most likely + reduce efficiency. + +How are objects added to the Cache Digest in Squid? + + Every object referenced in the index in RAM is checked to see if it is + suitable for addition to the digest. + + A number of objects are not suitable, e.g. those that are private, not + cachable, negatively cached etc. and are skipped immediately. + + A freshness test is next made in an attempt to guess if the object will + expire soon, since if it does, it is not worthwhile adding it to the + digest. The object is checked against the refresh patterns for + staleness... + + Since Squid stores references to objects in its index using the MD5 key + discussed earlier there is no URL actually available for each object - + which means that the pattern used will fall back to the default + pattern, ".". This is an unfortunate state of affairs, but little can + be done about it. A cd_refresh_pattern option will be added to the + configuration file soon which will at least make the confusion a little + clearer :-) + + Note that it is best to be conservative with your refresh pattern for + the Cache Digest, i.e. do not add objects if they might become stale + soon. This will reduce the number of False Hits. + +Does Squid support deletions in Cache Digests? What are diffs/deltas? + + Squid does not support deletions from the digest. Because of this the + digest must, periodically, be rebuilt from scratch to erase stale bits + and prevent digest pollution. + + A more sophisticated option is to use diffs or deltas. These would be + created by building a new digest and comparing with the current/old + one. They would essentially consist of aggregated deletions and + additions since the previous digest. + + Since less bandwidth should be required using these it would be + possible to have more frequent updates (and hence, more accurate + information). + + Costs: + * RAM - extra RAM needed to hold two digests while comparisons takes + place. + * CPU - probably a negligible amount. + +When and how often is the local digest built? + + The local digest is built: + * when store_rebuild completes after startup (the cache contents have + been indexed in RAM), and + * periodically thereafter. Currently, it is rebuilt every hour (more + data and experience is required before other periods, whether fixed + or dynamically varying, can "intelligently" be chosen). The good + thing is that the local cache decides on the expiry time and peers + must obey (see later). + + While the (new) digest is being built in RAM the old version (stored on + disk) is still valid, and will be returned to any peer requesting it. + When the digest has completed building it is then swapped out to disk, + overwriting the old version. + + The rebuild is CPU intensive, but not overly so. Since Squid is + programmed using an event-handling model, the approach taken is to + split the digest building task into chunks (i.e. chunks of entries to + add) and to register each chunk as an event. If CPU load is overly + high, it is possible to extend the build period - as long as it is + finished before the next rebuild is due! + + It may prove more efficient to implement the digest building as a + separate process/thread in the future... + +How are Cache Digests transferred between peers? + + Cache Digests are fetched from peers using the standard HTTP protocol + (note that a pull rather than push technique is used). + + After the first access to a peer, a peerDigestValidate event is queued + (this event decides if it is time to fetch a new version of a digest + from a peer). The queuing delay depends on the number of peers already + queued for validation - so that all digests from different peers are + not fetched simultaneously. + + A peer answering a request for its digest will specify an expiry time + for that digest by using the HTTP Expires header. The requesting cache + thus knows when it should request a fresh copy of that peers digest. + + Note: requesting caches use an If-Modified-Since request in case the + peer has not rebuilt its digest for some reason since the last time it + was fetched. + +How and where are Cache Digests stored? + +Cache Digest built locally + + Since the local digest is generated purely for the benefit of its + neighbours keeping it in RAM is not strictly required. However, it was + decided to keep the local digest in RAM partly because of the + following: + * Approximately the same amount of memory will be (re-)allocated on + every rebuild of the digest + * the memory requirements are probably quite small (when compared to + other requirements of the cache server) + * if ongoing updates of the digest are to be supported (e.g. + additions/deletions) it will be necessary to perform these + operations on a digest in RAM + * if diffs/deltas are to be supported the "old" digest would have to + be swapped into RAM anyway for the comparisons. + + When the digest is built in RAM, it is then swapped out to disk, where + it is stored as a "normal" cache item - which is how peers request it. + +Cache Digest fetched from peer + + When a query from a client arrives, fast lookups are required to decide + if a request should be made to a neighbour cache. It it therefore + required to keep all peer digests in RAM. + + Peer digests are also stored on disk for the following reasons: + * Recovery If stopped and restarted, peer digests can be reused from + the local on-disk copy (they will soon be validated using an HTTP + IMS request to the appropriate peers as discussed earlier) + * Sharing peer digests are stored as normal objects in the cache. + This allows them to be given to neighbour caches. + +How are the Cache Digest statistics in the Cache Manager to be interpreted? + + Cache Digest statistics can be seen from the Cache Manager or through + the squidclient utility. The following examples show how to use the + squidclient utility to request the list of possible operations from the + localhost, local digest statistics from the localhost, refresh + statistics from the localhost and local digest statistics from another + cache, respectively. + + squidclient mgr:menu + squidclient mgr:store_digest + squidclient mgr:refresh + squidclient -h peer mgr:store_digest + + The available statistics provide a lot of useful debugging information. + The refresh statistics include a section for Cache Digests which + explains why items were added (or not) to the digest. + + The following example shows local digest statistics for a 16GB cache in + a corporate intranet environment (may be a useful reference for the + discussion below). + +store digest: size: 768000 bytes +entries: count: 588327 capacity: 1228800 util: 48% +deletion attempts: 0 +bits: per entry: 5 on: 1953311 capacity: 6144000 util: 32% +bit-seq: count: 2664350 avg.len: 2.31 +added: 588327 rejected: 528703 ( 47.33 %) del-ed: 0 +collisions: on add: 0.23 % on rej: 0.23 % + + entries:capacity is a measure of how many items "are likely" to be + added to the digest. It represents the number of items that were in the + local cache at the start of digest creation - however, upper and lower + limits currently apply. This value is multiplied by bits: per entry (an + arbitrary constant) to give bits:capacity, which is the size of the + cache digest in bits. Dividing this by 8 will give store digest: size + which is the size in bytes. + + The number of items represented in the digest is given by + entries:count. This should be equal to added minus deletion attempts. + + Since (currently) no modifications are made to the digest after the + initial build (no additions are made and deletions are not supported) + deletion attempts will always be 0 and entries:count should simply be + equal to added. + + entries:util is not really a significant statistic. At most it gives a + measure of how many of the items in the store were deemed suitable for + entry into the cache compared to how many were "prepared" for. + + rej shows how many objects were rejected. Objects will not be added for + a number of reasons, the most common being refresh pattern settings. + Remember that (currently) the default refresh pattern will be used for + checking for entry here and also note that changing this pattern can + significantly affect the number of items added to the digest! Too + relaxed and False Hits increase, too strict and False Misses increase. + Remember also that at time of validation (on the peer) the "real" + refresh pattern will be used - so it is wise to keep the default + refresh pattern conservative. + + bits: on indicates the number of bits in the digest that are set to 1. + bits: util gives this figure as a percentage of the total number of + bits in the digest. As we saw earlier, a figure of 50% represents the + optimal trade-off. Values too high (say > 75%) would cause a larger + number of collisions, and hence False Hits, while lower values mean the + digest is under-utilised (using unnecessary RAM). Note that low values + are normal for caches that are starting to fill up. + + A bit sequence is an uninterrupted sequence of bits with the same + value. bit-seq: avg.len gives some insight into the quality of the hash + functions. Long values indicate problem, even if bits:util is 50% (> 3 + = suspicious, > 10 = very suspicious). + +What are False Hits and how should they be handled? + + A False Hit occurs when a cache believes a peer has an object and asks + the peer for it but the peer is not able to satisfy the request. + + Expiring or stale objects on the peer are frequent causes of False + Hits. At the time of the query actual refresh patterns are used on the + peer and stale entries are marked for revalidation. However, + revalidation is prohibited unless the peer is behaving as a parent, or + miss_access is enabled. Thus, clients can receive error messages + instead of revalidated objects! + + The frequency of False Hits can be reduced but never eliminated + completely, therefore there must be a robust way of handling them when + they occur. The philosophy behind the design of Squid is to use + lightweight techniques and optimise for the common case and robustly + handle the unusual case (False Hits). + + Squid will soon support the HTTP only-if-cached header. Requests for + objects made to a peer will use this header and if the objects are not + available, the peer can reply appropriately allowing Squid to recognise + the situation. The following describes what Squid is aiming towards: + * Cache Digests used to obtain good estimates of where a requested + object is located in a Cache Hierarchy + * Persistent HTTP Connections between peers. There will be no TCP + startup overhead and both latency and + + network load will be similar for ICP (i.e. fast). + * HTTP False Hit Recognition using the only-if-cached HTTP header - + allowing fall back to another peer or, if no other + + peers are available with the object, then going direct (or through a + parent if behind a firewall). + +How can Cache Digest related activity be traced/debugged? + +Enabling Cache Digests + + If you wish to use Cache Digests (available in Squid version 2) you + need to add a configure option, so that the relevant code is compiled + in: + +./configure --enable-cache-digests ... + +What do the access.log entries look like? + + If a request is forwarded to a neighbour due a HIT in that neighbour's + Cache Digest the hierarchy (9th) field of the access.log file for the + local cache will look like CACHE_DIGEST_HIT/neighbour. The Log Tag (4th + field) should obviously show a MISS. + + On the peer cache the request should appear as a normal HTTP request + from the first cache. + +What does a False Hit look like? + + The easiest situation to analyse is when two caches (say A and B) are + involved neither of which uses the other as a parent. In this case, a + False Hit would show up as a CACHE_DIGEST_HIT on A and NOT as a TCP_HIT + on B (or vice versa). If B does not fetch the object for A then the + hierarchy field will look like NONE/- (and A will have received an + Access Denied or Forbidden message). This will happen if the object is + not "available" on B and B does not have miss_access enabled for A (or + is not acting as a parent for A). + +How is the cause of a False Hit determined? + + Assume A requests a URL from B and receives a False Hit + * Using the squidclient utility PURGE the URL from A, e.g. + + + squidclient -m PURGE 'URL' + + * Using the squidclient utility request the object from A, e.g. + + + squidclient 'URL' + + The HTTP headers of the request are available. Two header types are of + particular interest: + * X-Cache - this shows whether an object is available or not. + * X-Cache-Lookup - this keeps the result of a store table lookup + before refresh causing rules are checked (i.e. it indicates if the + object is available before any validation would be attempted). + + The X-Cache and X-Cache-Lookup headers from A should both show MISS. + + If A requests the object from B (which it will if the digest lookup + indicates B has it - assuming B is closest peer of course :-) then + there will be another set of these headers from B. + + If the X-Cache header from B shows a MISS a False Hit has occurred. + This means that A thought B had an object but B tells A it does not + have it available for retrieval. The reason why it is not available for + retrieval is indicated by the X-Cache-Lookup header. If: + * X-Cache-Lookup = MISS then either A's (version of B's) digest is + out-of-date or corrupt OR a collision occurred + + in the digest (very small probability) OR B recently purged the object. + * X-Cache-Lookup = HIT then B had the object, but refresh rules (or + A's max-age requirements) prevent A from getting a HIT (validation + failed). + +Use The Source + + If there is something else you need to check you can always look at the + source code. The main Cache Digest functionality is organised as + follows: + * CacheDigest.c (debug section 70) Generic Cache Digest routines + * store_digest.c (debug section 71) Local Cache Digest routines + * peer_digest.c (debug section 72) Peer Cache Digest routines + + Note that in the source the term Store Digest refers to the digest + created locally. The Cache Digest code is fairly self-explanatory (once + you understand how Cache Digests work): + +What about ICP? + + /!\ + + WANTED + +Is there a Cache Digest Specification? + + There is now, thanks to Martin Hamilton + and Alex Rousskov + . + + Cache Digests, as implemented in Squid 2.1.PATCH2, are described in + [990]cache-digest-v5.txt. + + You'll notice the format is similar to an Internet Draft. We decided + not to submit this document as a draft because Cache Digests will + likely undergo some important changes before we want to try to make it + a standard. + +Would it be possible to stagger the timings when cache_digests are retrieved +from peers? + + {i} + + The information here is current for version 2.2 + + Squid already has code to spread the digest updates. The algorithm is + currently controlled by a few hard-coded constants in peer_digest.c. + For example, GlobDigestReqMinGap variable determines the minimum + interval between two requests for a digest. You may want to try to + increase the value of GlobDigestReqMinGap from 60 seconds to whatever + you feel comfortable with (but it should be smaller than + hour/number_of_peers, of course). + + Note that whatever you do, you still need to give Squid enough time and + bandwidth to fetch all the digests. Depending on your environment, that + bandwidth may be more or less than an ICP would require. Upcoming + digest deltas (x10 smaller than the digests themselves) may be the only + way to solve the "big scale" problem. + __________________________________________________________________ + + Or, How can I make my users' browsers use my cache without configuring + the browsers for proxying? + + Contents + 1. [991]Concepts of Interception Caching + 2. [992]Requirements and methods for Interception Caching + 3. [993]Steps involved in configuring Interception Caching + 1. [994]Compile a version of Squid which accepts connections for + other addresses + 1. [995]Choosing the right options to pass to ./configure + 2. [996]Configure Squid to accept and process the redirected + port 80 connections + 2. [997]Getting your traffic to the right port on your Squid + Cache + 1. [998]Interception Caching packet redirection for Solaris, + SunOS, and BSD systems + 1. [999]Install IP Filter + 2. [1000]Configure ipnat + 2. [1001]Interception Caching packet redirection for OpenBSD + PF + 3. [1002]Interception Caching packet redirection for Linux + 1. [1003]Interception Caching packet redirection with + Linux 2.0 and ipfwadm + 2. [1004]Interception Caching packet redirection with + Linux 2.2 and ipchains + 3. [1005]Interception Caching packet redirection with + Linux 2.4 or later and Netfilter + 3. [1006]Get the packets from the end clients to your cache + server + 1. [1007]Interception Caching packet redirection with Cisco + routers using policy routing (NON WCCP) + 1. [1008]Shortcomings of the cisco ip policy route-map + method + 2. [1009]Interception Caching packet redirection with + Foundry L4 switches + 3. [1010]Interception Caching packet redirection with an + Alcatel OmnySwitch 7700 + 4. [1011]Interception Caching packet redirection with + Cabletron/Entrasys products + 5. [1012]Interception Caching packet redirection with ACC + Tigris digital access server + 4. [1013]WCCP - Web Cache Coordination Protocol + 1. [1014]Does Squid support WCCP? + 2. [1015]Do I need a cisco router to run WCCP? + 3. [1016]Can I run WCCP with the Windows port of Squid? + 4. [1017]Where can I find out more about WCCP? + 5. [1018]Cisco router software required for WCCP + 1. [1019]IOS support in Cisco Routers + 2. [1020]IOS support in Cisco Switches + 3. [1021]Software support in Cisco Firewalls (PIX OS) + 4. [1022]What about WCCPv2? + 5. [1023]Configuring your router + 6. [1024]IOS Version 11.x + 7. [1025]IOS Version 12.x + 8. [1026]IOS 12.x problems + 9. [1027]Configuring you cisco PIX to run WCCP + 6. [1028]Cache/Host configuration of WCCP + 1. [1029]Configuring Squid to talk WCCP + 2. [1030]Configuring FreeBSD + 3. [1031]FreeBSD-3.x + 4. [1032]FreeBSD 4.8 and later + 5. [1033]FreeBSD 6.x and later + 6. [1034]Standard Linux GRE Tunnel + 7. [1035]WCCP Specific Module + 5. [1036]TProxy Interception + 6. [1037]Complete + 7. [1038]Troubleshooting and Questions + 1. [1039]It doesn't work. How do I debug it? + 2. [1040]Why can't I use authentication together with + interception proxying? + 3. [1041]Can I use ''proxy_auth'' with interception? + 4. [1042]"Connection reset by peer" and Cisco policy routing + 8. [1043]Configuration Examples contributed by users who have + working installations + 1. [1044]Linux 2.0.33 and Cisco policy-routing + 2. [1045]Interception on Linux with Squid and the Browser on + the same box + 3. [1046]Interception Caching with FreeBSD by by + DuaneWessels + 4. [1047]Interception Caching with Linux 2.6.18, ip_gre, + Squid-2.6 and cisco IOS 12.4(6)T2 by ReubenFarrelly + 5. [1048]Joe Cooper's Patch + 9. [1049]Further information about configuring Interception + Caching with Squid + 4. [1050]Configuring Other Operating Systems + 5. [1051]Issues with HotMail + +Concepts of Interception Caching + + Interception Caching goes under many names - Interception Caching, + Transparent Proxying and Cache Redirection. Interception Caching is the + process by which HTTP connections coming from remote clients are + redirected to a cache server, without their knowledge or explicit + configuration. + + There are some good reasons why you may want to use this technique: + * There is no client configuration required. This is the most popular + reason for investigating this option. + * You can implement better and more reliable strategies to maintain + client access in case of your cache infrastructure going out of + service. + + However there are also significant disadvantages for this strategy, as + outlined by Mark Elsen: + * Intercepting HTTP breaks TCP/IP standards because user agents think + they are talking directly to the origin server. + * It causes path-MTU (PMTUD) to fail, possibly making some remote + sites inaccessible. This is not usually a problem if your client + machines are connected via Ethernet or DSL PPPoATM where the MTU of + all links between the cache and client is 1500 or more. If your + clients are connecting via DSL PPPoE then this is likely to be a + problem as PPPoE links often have a reduced MTU (1472 is very + common). + * On older IE versions before version 6, the ctrl-reload function did + not work as expected. + * Proxy authentication does not work, and IP based authentication + conceptually fails because the users are all seen to come from the + Interception Cache's own IP address. + * You can't use IDENT lookups (which are inherently very insecure + anyway) + * Interception Caching only supports the HTTP protocol, not gopher, + SSL or FTP. You cannot setup a redirection-rule to the proxy server + for other protocols other than HTTP since it will not know how to + deal with it. + * Intercepting Caches are incompatible with IP filtering designed to + prevent address spoofing. + * Clients are still expected to have full Internet DNS resolving + capabilities; in certain intranet/firewalling setups, this is not + always wanted. + * Related to above: suppose the users browser connects to a site + which is down. However, due to the transparent proxying, it gets a + connected state to the interceptor. The end user may get wrong + error messages or a hung browser, for seemingly unknown reasons to + them. + + If you feel that the advantages outweigh the disadvantages in your + network, you may choose to continue reading and look at implementing + Interception Caching. + +Requirements and methods for Interception Caching + + * You need to have a good understanding of what you are doing before + you start. This involves understanding at a TCP layer what is + happening to the connections. This will help you both configure the + system and additionally assist you if your end clients experience + problems after you have deployed your solution. + * Squid-2.5, Squid-2.6 or Squid-3.0. You should run the latest + version of 2.6 or 3.0 that is available at the time. + * A newer OS may make things easier, especially with Linux. Linux + 2.6.9 supports WCCP via the native GRE kernel module. This will + save you having to build the ip_wccp module by hand later on, and + also means that any upgrades to your kernel will not result in a + broken binary WCCP module. + * Quite likely you will need a network device which can redirect the + traffic to your cache. If your Squid box is also functioning as a + router and all traffic from and to your network is in the path, you + can skip this step. If your cache is a standalone box on a LAN that + does not normally see your clients web browsing traffic, you will + need to choose a method of redirecting the HTTP traffic from your + client machines to the cache. This is typically done with a network + appliance such as a router or Layer 3 switch which either rewrite + the destination MAC address or alternatively encapsulate the + network traffic via a GRE or WCCP tunnel to your cache. + + NB: If you are using Cisco routers and switches in your network you may + wish to investigate the use of WCCP. WCCP is an extremely flexible way + of redirecting traffic and is intelligent enough to automatically stop + redirecting client traffic if your cache goes offline. This may involve + you upgrading your router or switch to a release of IOS or an upgraded + featureset which supports WCCP. There is a section written specifically + on WCCP below. + +Steps involved in configuring Interception Caching + + * Building a Squid with the correct options to ./configure to support + the redirection and handle the clients correctly + * Routing the traffic from port 80 to the port your Squid is + configured to accept the connections on + * Decapsulating the traffic that your network device sends to Squid + (only if you are using GRE or WCCP to intercept the traffic) + * Configuring your network device to redirect the port 80 traffic. + + The first two steps are required and the last two may or may not be + required depending on how you intend to route the HTTP traffic to your + cache. + + !It is critical to read the full comments in the squid.conf file and in + this document in it's entirety before you begin. Getting Interception + Caching to work with Squid is non-trivial and requires many subsystems + of both Squid and your network to be configured exactly right or else + you will find that it will not work and your users will not be able to + browse at all. You MUST test your configuration out in a non-live + environment before you unleash this feature on your end users. + +Compile a version of Squid which accepts connections for other addresses + + Firstly you need to build Squid with the correct options to + ./configure, and then you need to configure squid.conf to support + Intercept Caching. + +Choosing the right options to pass to ./configure + + All supported versions of Squid currently available support + Interception Caching, however for this to work properly, your operating + system and network also need to be configured. For some operating + systems, you need to have configured and built a version of Squid which + can recognize the hijacked connections and discern the destination + addresses. For Linux this works by configuring Squid with the + --enable-linux-netfilter option. For *BSD-based systems, you probably + have to configure squid with the --enable-ipf-transparent option if + you're using IP Filter, or --enable-pf-transparent if you're using + OpenBSD's PF. Do a make clean if you previously configured without that + option, or the correct settings may not be present. + + By default, Squid-2.6 and Squid-3.0 support both WCCPv1 and WCCPv2 by + default (unless explicitly disabled). + +Configure Squid to accept and process the redirected port 80 connections + + You have to change the Squid configuration settings to recognize the + hijacked connections and discern the destination addresses. + + For Squid-2.6 and Squid-3.0 you simply need to add the keyword + transparent on the http_port that your proxy will receive the + redirected requests on as the above directives are not necessary and in + fact have been removed in those releases: + +http_port 3128 transparent + + You can manually configure browsers to connect to the IP address + and port which you have specified as transparent. The only drawback is + that there will be a very slight (and probably unnoticeable) + performance hit as a syscall done to see if the connection is + intercepted. If no interception state is found it is processed just + like a normal connection. + + For Squid-2.5 and earlier the configuration is a little more complex. + Here are the important settings in squid.conf for Squid-2.5 and + earlier: + +http_port 3128 +httpd_accel_host virtual +httpd_accel_port 80 +httpd_accel_with_proxy on +httpd_accel_uses_host_header on + + * The http_port 3128 in this example assumes you will redirect + incoming port 80 packets to port 3128 on your cache machine. You + may use any other port like 8080, the most important thing is that + the port number matches the interception rules in the local + firewall. + * In the httpd_accel_host option, use the keyword virtual + * The httpd_accel_with_proxy on is required to enable interception + proxy mode; essentially in interception proxy mode Squid thinks it + is acting both as an accelerator (hence accepting packets for other + IPs on port 80) and a caching proxy (hence serving files out of + cache.) + * You must use httpd_accel_uses_host_header on to get the cache to + work properly in interception mode. This enables the cache to index + its stored objects under the true hostname, as is done in a normal + proxy, rather than under the IP address. This is especially + important if you want to use a parent cache hierarchy, or to share + cache data between interception proxy users and non-interception + proxy users, which you can do with Squid in this configuration. + +Getting your traffic to the right port on your Squid Cache + + You have to configure your cache host to accept the redirected packets + - any IP address, on port 80 - and deliver them to your cache + application. This is typically done with IP filtering/forwarding + features built into the kernel. On Linux this is called iptables + (kernel 2.4 and above), ipchains (2.2.x) or + + ipfwadm (2.0.x). On FreeBSD its called ipfw. Other BSD systems may use + ip filter, ipnat or pf. + + On most systems, it may require rebuilding the kernel or adding a new + loadable kernel module. If you are running a modern Linux distribution + and using the vendor supplied kernel you will likely not need to do any + rebuilding as the required modules will have been built by default. + +Interception Caching packet redirection for Solaris, SunOS, and BSD systems + + You don't need to use IP Filter on FreeBSD. Use the built-in ipfw + feature instead. See the FreeBSD subsection below. + +Install IP Filter + + First, get and install the [1052]IP Filter package. + +Configure ipnat + + Put these lines in /etc/ipnat.rules: + +# Redirect direct web traffic to local web server. +rdr de0 1.2.3.4/32 port 80 -> 1.2.3.4 port 80 tcp +# Redirect everything else to squid on port 8080 +rdr de0 0.0.0.0/0 port 80 -> 1.2.3.4 port 8080 tcp + + Modify your startup scripts to enable ipnat. For example, on FreeBSD it + looks something like this: + +/sbin/modload /lkm/if_ipl.o +/sbin/ipnat -f /etc/ipnat.rules +chgrp nobody /dev/ipnat +chmod 644 /dev/ipnat + + Thanks to [1053]Quinton Dolan. + +Interception Caching packet redirection for OpenBSD PF + + $i port 3128 +pass on $i inet proto tcp from $i:network to $i port 3128 + + Or, depending on how recent your implementation of PF is: + +i = "sk0" +rdr pass on $i inet proto tcp to any port 80 -> $i port 3128 + + Also, see [1054]Daniel Hartmeier's page on the subject. + +Interception Caching packet redirection for Linux + + Specific instructions depend on what version of Linux Kernel you are + using. + +Interception Caching packet redirection with Linux 2.0 and ipfwadm + + by [1055]Rodney van den Oever + + Interception proxying does NOT work with Linux-2.0.30! Linux-2.0.29 + is known to work well. If you're using a more recent kernel, like + 2.2.X, then you should probably use an ipchains configuration, as + described below. + + This technique has some shortcomings. + + If you can live with the side-effects, go ahead and compile your kernel + with firewalling and redirection support. Here are the important + parameters from + + /usr/src/linux/.config: + +# +# Code maturity level options +# +CONFIG_EXPERIMENTAL=y +# +# Networking options +# +CONFIG_FIREWALL=y +# CONFIG_NET_ALIAS is not set +CONFIG_INET=y +CONFIG_IP_FORWARD=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_FIREWALL=y +# CONFIG_IP_FIREWALL_VERBOSE is not set +CONFIG_IP_MASQUERADE=y +CONFIG_IP_TRANSPARENT_PROXY=y +CONFIG_IP_ALWAYS_DEFRAG=y +# CONFIG_IP_ACCT is not set +CONFIG_IP_ROUTER=y + + You may also need to enable IP Forwarding. One way to do it is to add + this line to your startup scripts: + +echo 1 > /proc/sys/net/ipv4/ip_forward + + Alternatively edit /etc/sysctl.conf + + You can either go to the [1056]Linux IP Firewall and Accounting page, + obtain the source distribution to ipfwadm and install it OR better + still, download a precompiled binary from your distribution. Older + versions of ipfwadm may not work. You might need at least version + 2.3.0. You'll use ipfwadm to setup the redirection rules. I added this + rule to the script that runs from /etc/rc.d/rc.inet1 (Slackware) which + sets up the interfaces at boot-time. The redirection should be done + before any other Input-accept rule. + + To really make sure it worked I disabled the forwarding (masquerading) + I normally do. + + /etc/rc.d/rc.firewall: + +#!/bin/sh +# rc.firewall Linux kernel firewalling rules +FW=/sbin/ipfwadm +# Flush rules, for testing purposes +for i in I O F # A # If we enabled accounting too +do + ${FW} -$i -f +done +# Default policies: +${FW} -I -p rej # Incoming policy: reject (quick error) +${FW} -O -p acc # Output policy: accept +${FW} -F -p den # Forwarding policy: deny +# Input Rules: +# Loopback-interface (local access, eg, to local nameserver): +${FW} -I -a acc -S localhost/32 -D localhost/32 +# Local Ethernet-interface: +# Redirect to Squid proxy server: +${FW} -I -a acc -P tcp -D default/0 80 -r 8080 +# Accept packets from local network: +${FW} -I -a acc -P all -S localnet/8 -D default/0 -W eth0 +# Only required for other types of traffic (FTP, Telnet): +# Forward localnet with masquerading (udp and tcp, no icmp!): +${FW} -F -a m -P tcp -S localnet/8 -D default/0 +${FW} -F -a m -P udp -S localnet/8 -D default/0 + + Here all traffic from the local LAN with any destination gets + redirected to the local port 8080. Rules can be viewed like this: + +IP firewall input rules, default policy: reject +type prot source destination ports +acc all 127.0.0.1 127.0.0.1 n/a +acc/r tcp 10.0.0.0/8 0.0.0.0/0 * -> 80 => 8080 +acc all 10.0.0.0/8 0.0.0.0/0 n/a +acc tcp 0.0.0.0/0 0.0.0.0/0 * -> * + + I did some testing on Windows 95 with both Microsoft Internet Explorer + 3.01 and Netscape Communicator pre-release and it worked with both + browsers with the proxy-settings disabled. + + At one time Squid seemed to get in a loop when I pointed the browser to + the local port 80. But this could be avoided by adding a reject rule + for client to this address: + +${FW} -I -a rej -P tcp -S localnet/8 -D hostname/32 80 +IP firewall input rules, default policy: reject +type prot source destination ports +acc all 127.0.0.1 127.0.0.1 n/a +rej tcp 10.0.0.0/8 10.0.0.1 * -> 80 +acc/r tcp 10.0.0.0/8 0.0.0.0/0 * -> 80 => 8080 +acc all 10.0.0.0/8 0.0.0.0/0 n/a +acc tcp 0.0.0.0/0 0.0.0.0/0 * -> * + + NOTE on resolving names: Instead of just passing the URLs to the proxy + server, the browser itself has to resolve the URLs. Make sure the + workstations are setup to query a local nameserver, to minimize + outgoing traffic. + + If you're already running a nameserver at the firewall or proxy server + (which is a good idea anyway IMHO) let the workstations use this + nameserver. + + Additional notes from [1057]Richard Ayres + +I'm using such a setup. The only issues so far have been that: + * Linux kernel 2.0.30 is a no-no as interception proxying is broken (Use 2.0.29 + or 2.0.31 or later) + * The Microsoft Network won't authorize its users through a proxy, so I have to + specifically *not* redirect those packets (my company is a MSN content provider +). + + See also [1058]Daniel Kiracofe's HOWTO page. + +Interception Caching packet redirection with Linux 2.2 and ipchains + + by [1059]Martin Lyons + + You need to configure your kernel for ipchains. Configuring Linux + kernels is beyond the scope of this FAQ. One way to do it is: + +# cd /usr/src/linux +# make menuconfig + + The following shows important kernel features to include: + +[*] Network firewalls +[ ] Socket Filtering +[*] Unix domain sockets +[*] TCP/IP networking +[ ] IP: multicasting +[ ] IP: advanced router +[ ] IP: kernel level autoconfiguration +[*] IP: firewalling +[ ] IP: firewall packet netlink device +[*] IP: always defragment (required for masquerading) +[*] IP: transparent proxy support + + You must include the IP: always defragment, otherwise it prevents you + from using the REDIRECT chain. You can use this script as a template + for your own rc.firewall to configure ipchains: + +#!/bin/sh +# rc.firewall Linux kernel firewalling rules +# Leon Brooks (leon at brooks dot fdns dot net) +FW=/sbin/ipchains +ADD="$FW -A" +# Flush rules, for testing purposes +for i in I O F # A # If we enabled accounting too +do + ${FW} -F $i +done +# Default policies: +${FW} -P input REJECT # Incoming policy: reject (quick error) +${FW} -P output ACCEPT # Output policy: accept +${FW} -P forward DENY # Forwarding policy: deny +# Input Rules: +# Loopback-interface (local access, eg, to local nameserver): +${ADD} input -j ACCEPT -s localhost/32 -d localhost/32 +# Local Ethernet-interface: +# Redirect to Squid proxy server: +${ADD} input -p tcp -d 0/0 80 -j REDIRECT 8080 +# Accept packets from local network: +${ADD} input -j ACCEPT -s localnet/8 -d 0/0 -i eth0 +# Only required for other types of traffic (FTP, Telnet): +# Forward localnet with masquerading (udp and tcp, no icmp!): +${ADD} forward -j MASQ -p tcp -s localnet/8 -d 0/0 +${ADD} forward -j MASQ -P udp -s localnet/8 -d 0/0 + + Also, [1060]Andrew Shipton notes that with 2.0.x kernels you don't need + to enable packet forwarding, but with the 2.1.x and 2.2.x kernels using + ipchains you do. Edit /etc/sysctl.conf to make this change permanent. + Packet forwarding is enabled with the following command: + +echo 1 > /proc/sys/net/ipv4/ip_forward + +Interception Caching packet redirection with Linux 2.4 or later and Netfilter + + NOTE: this information comes from Daniel Kiracofe's [1061]Transparent + Proxy with Squid HOWTO. + + To support Netfilter transparent interception on Linux 2.4 or later, + remember Squid must be compiled with the --enable-linux-netfilter + option. + + If you are running a custom built kernel (rather than one supplied by + your Linux distribution), you need to build in support for at least + these options: + * Networking support + * Sysctl support + * Network packet filtering + * TCP/IP networking + * Connection tracking (Under "IP: Netfilter Configuration" in + menuconfig) + * IP tables support + * Full NAT + * REDIRECT target support + + Quite likely you will already have most if not all of those options. + + You must say NO to "Fast switching". + + After building the kernel, install it and reboot. + + You may need to enable packet forwarding (e.g. in your startup + scripts): + +echo 1 > /proc/sys/net/ipv4/ip_forward + + Use the iptables command to make your kernel intercept HTTP connections + and send them to Squid: + +iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.0/255.255.255.0 ACCEPT +iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 31 +28 + +Get the packets from the end clients to your cache server + + There are several ways to do this. First, if your proxy machine is + already in the path of the packets (i.e. it is routing between your + proxy users and the Internet) then you don't have to worry about this + step as the Interception Caching should now be working. This would be + true if you install Squid on a firewall machine, or on a UNIX-based + router. If the cache is not in the natural path of the connections, + then you have to divert the packets from the normal path to your cache + host using a router or switch. + + If you are using an external device to route the traffic to your Cache, + there are multiple ways of doing this. You may be able to do this with + a Cisco router using WCCP, or the "route map" feature. You might also + use a so-called layer-4 switch, such as the Alteon ACE-director or the + Foundry Networks ServerIron. + + Finally, you might be able to use a stand-alone router/load-balancer + type product, or routing capabilities of an access server. + +Interception Caching packet redirection with Cisco routers using policy +routing (NON WCCP) + + by [1062]John Saunders + + This works with at least IOS 11.1 and later. If your router is doing + anything more complicated that shuffling packets between an ethernet + interface and either a serial port or BRI port, then you should work + through if this will work for you. + + First define a route map with a name of proxy-redirect (name doesn't + matter) and specify the next hop to be the machine Squid runs on. + +! +route-map proxy-redirect permit 10 + match ip address 110 + set ip next-hop 203.24.133.2 +! + + Define an access list to trap HTTP requests. The second line allows the + Squid host direct access so an routing loop is not formed. By carefully + writing your access list as show below, common cases are found quickly + and this can greatly reduce the load on your router's processor. + +! +access-list 110 deny tcp any any neq www +access-list 110 deny tcp host 203.24.133.2 any +access-list 110 permit tcp any any +! + + Apply the route map to the ethernet interface. + +! +interface FastEthernet0/0 + ip policy route-map proxy-redirect +! + +Shortcomings of the cisco ip policy route-map method + + [1063]Bruce Morgan notes that there is a Cisco bug relating to + interception proxying using IP policy route maps, that causes NFS and + other applications to break. Apparently there are two bug reports + raised in Cisco, but they are not available for public dissemination. + + The problem occurs with o/s packets with more than 1472 data bytes. If + you try to ping a host with more than 1472 data bytes across a Cisco + interface with the access-lists and ip policy route map, the icmp + request will fail. The packet will be fragmented, and the first + fragment is checked against the access-list and rejected - it goes the + "normal path" as it is an icmp packet - however when the second + fragment is checked against the access-list it is accepted (it isn't + regarded as an icmp packet), and goes to the action determined by the + policy route map! + + [1064]John notes that you may be able to get around this bug by + carefully writing your access lists. If the last/default rule is to + permit then this bug would be a problem, but if the last/default rule + was to deny then it won't be a problem. I guess fragments, other than + the first, don't have the information available to properly policy + route them. Normally TCP packets should not be fragmented, at least my + network runs an MTU of 1500 everywhere to avoid fragmentation. So this + would affect UDP and ICMP traffic only. + + Basically, you will have to pick between living with the bug or better + performance. This set has better performance, but suffers from the bug: + +access-list 110 deny tcp any any neq www +access-list 110 deny tcp host 10.1.2.3 any +access-list 110 permit tcp any any + + Conversely, this set has worse performance, but works for all + protocols: + +access-list 110 deny tcp host 10.1.2.3 any +access-list 110 permit tcp any any eq www +access-list 110 deny tcp any any + +Interception Caching packet redirection with Foundry L4 switches + + by [1065]at shreve dot net Brian Feeny. + + First, configure Squid for interception caching as detailed at the + [1066]beginning of this section. + + Next, configure the Foundry layer 4 switch to redirect traffic to your + Squid box or boxes. By default, the Foundry redirects to port 80 of + your squid box. This can be changed to a different port if needed, but + won't be covered here. + + In addition, the switch does a "health check" of the port to make sure + your squid is answering. If you squid does not answer, the switch + defaults to sending traffic directly thru instead of redirecting it. + When the Squid comes back up, it begins redirecting once again. + + This example assumes you have two squid caches: + +squid1.foo.com 192.168.1.10 +squid2.foo.com 192.168.1.11 + + We will assume you have various workstations, customers, etc, plugged + into the switch for which you want them to be intercepted and sent to + Squid. The squid caches themselves should be plugged into the switch as + well. Only the interface that the router is connected to is important. + Where you put the squid caches or ther connections does not matter. + + This example assumes your router is plugged into interface 17 of the + switch. If not, adjust the following commands accordingly. + * Enter configuration mode: + +telnet@ServerIron#conf t + + * Configure each squid on the Foundry: + +telnet@ServerIron(config)# server cache-name squid1 192.168.1.10 +telnet@ServerIron(config)# server cache-name squid2 192.168.1.11 + + * Add the squids to a cache-group: + +telnet@ServerIron(config)#server cache-group 1 +telnet@ServerIron(config-tc-1)#cache-name squid1 +telnet@ServerIron(config-tc-1)#cache-name squid2 + + * Create a policy for caching http on a local port + +telnet@ServerIron(config)# ip policy 1 cache tcp http local + + * Enable that policy on the port connected to your router + +telnet@ServerIron(config)#int e 17 +telnet@ServerIron(config-if-17)# ip-policy 1 + + Since all outbound traffic to the Internet goes out interface 17 (the + router), and interface 17 has the caching policy applied to it, HTTP + traffic is going to be intercepted and redirected to the caches you + have configured. + + The default port to redirect to can be changed. The load balancing + algorithm used can be changed (Least Used, Round Robin, etc). Ports can + be exempted from caching if needed. Access Lists can be applied so that + only certain source IP Addresses are redirected, etc. This information + was left out of this document since this was just a quick howto that + would apply for most people, not meant to be a comprehensive manual of + how to configure a Foundry switch. I can however revise this with any + information necessary if people feel it should be included. + +Interception Caching packet redirection with an Alcatel OmnySwitch 7700 + + by Pedro A M Vazquez + + On the switch define a network group to be intercepted: + + policy network group MyGroup 10.1.1.0 mask 255.255.255.0 + + Define the tcp services to be intercepted: + + policy service web80 destination tcp port 80 + policy service web8080 destination tcp port 8080 + + Define a group of services using the services above: + + policy service group WebPorts web80 web8080 + + And use these to create an intercept condition: + + policy condition WebFlow source network group MyGroup service group WebPorts + + Now, define an action to redirect the traffic to the host running + squid: + + policy action Redir alternate gateway ip 10.1.2.3 + + Finally, create a rule using this condition and the corresponding + action: + + policy rule Intercept condition WebFlow action Redir + + Apply the rules to the QoS system to make them effective + + qos apply + + Don't forget that you still need to configure Squid and Squid's + operating system to handle the intercepted connections. See above for + Squid and OS-specific details. + +Interception Caching packet redirection with Cabletron/Entrasys products + + By Dave Wintrip, dave at purevanity dot net, June 3, 2004. + + I have verified this configuration as working on a Cabletron + SmartSwitchRouter 2000, and it should work on any layer-4 aware + Cabletron or Entrasys product. + + You must first configure Squid to enable interception caching, outlined + earlier. + + Next, make sure that you have connectivity from the layer-4 device to + your squid box, and that squid is correctly configured to intercept + port 80 requests thrown it's way. + + I generally create two sets of redirect ACLs, one for cache, and one + for bypassing the cache. This method of interception is very similar to + Cisco's route-map. + + Log into the device, and enter enable mode, as well as configure mode. + +ssr> en +Password: +ssr# conf +ssr(conf)# + + I generally create two sets of redirect ACLs, one for specifying who to + cache, and one for destination addresses that need to bypass the cache. + This method of interception is very similar to Cisco's route-map in + this way. The ACL cache-skip is a list of destination addresses that we + do not want to transparently redirect to squid. + +ssr(conf)# acl cache-skip permit tcp any 192.168.1.100/255.255.255.255 any http + + The ACL cache-allow is a list of source addresses that will be + redirected to Squid. + +ssr(conf)# acl cache-allow permit tcp 10.0.22.0/255.255.255.0 any any http + + Save your new ACLs to the running configuration. + +ssr(conf)# save a + + Next, we need to create the ip-policies that will work to perform the + redirection. Please note that 10.0.23.2 is my Squid server, and that + 10.0.24.1 is my standard default next hop. By pushing the cache-skip + ACL to the default gateway, the web request is sent out as if the squid + box was not present. This could just as easily be done using the squid + configuration, but I would rather Squid not touch the data if it has no + reason to. + +ssr(conf)# ip-policy cache-allow permit acl cache-allow next-hop-list 10.0.23.2 +action policy-only +ssr(conf)# ip-policy cache-skip permit acl cache-skip next-hop-list 10.0.24.1 ac +tion policy-only + + Apply these new policies into the active configuration. + +ssr(conf)# save a + + We now need to apply the ip-policies to interfaces we want to cache + requests from. Assuming that localnet-gw is the interface name to the + network we want to cache requests from, we first apply the cache-skip + ACL to intercept requests on our do-not-cache list, and forward them + out the default gateway. We then apply the cache-allow ACL to the same + interface to redirect all other requests to the cache server. + +ssr(conf)# ip-policy cache-skip apply interface localnet-gw +ssr(conf)# ip-policy cache-allow apply interface localnet-gw + + We now need to apply, and permanently save our changes. Nothing we have + done before this point would effect anything without adding the + ip-policy applications into the active configuration, so lets try it. + +ssr(conf)# save a +ssr(conf)# save s + + Provided your Squid box is correct configured, you should now be able + to surf, and be transparently cached if you are using the localnet-gw + address as your gateway. + + Some Cabletron/Entrasys products include another method of applying a + web cache, but details on configuring that is not covered in this + document, however is it fairly straight forward. + + Also note, that if your Squid box is plugged directly into a port on + your layer-4 switch, and that port is part of its own VLAN, and its own + subnet, if that port were to change states to down, or the address + becomes uncontactable, then the switch will automatically bypass the + ip-policies and forward your web request though the normal means. This + is handy, might I add. + +Interception Caching packet redirection with ACC Tigris digital access server + + by [1067]John Saunders + + This is to do with configuring interception proxy for an ACC Tigris + digital access server (like a CISCO 5200/5300 or an Ascend MAX 4000). + I've found that doing this in the NAS reduces traffic on the LAN and + reduces processing load on the CISCO. The Tigris has ample CPU for + filtering. + + Step 1 is to create filters that allow local traffic to pass. Add as + many as needed for all of your address ranges. + +ADD PROFILE IP FILTER ENTRY local1 INPUT 10.0.3.0 255.255.255.0 0.0.0.0 0.0.0.0 + NORMAL +ADD PROFILE IP FILTER ENTRY local2 INPUT 10.0.4.0 255.255.255.0 0.0.0.0 0.0.0.0 + NORMAL + + Step 2 is to create a filter to trap port 80 traffic. + +ADD PROFILE IP FILTER ENTRY http INPUT 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 = 0x6 D= + 80 NORMAL + + Step 3 is to set the "APPLICATION_ID" on port 80 traffic to 80. This + causes all packets matching this filter to have ID 80 instead of the + default ID of 0. + +SET PROFILE IP FILTER APPLICATION_ID http 80 + + Step 4 is to create a special route that is used for packets with + "APPLICATION_ID" set to 80. The routing engine uses the ID to select + which routes to use. + +ADD IP ROUTE ENTRY 0.0.0.0 0.0.0.0 PROXY-IP 1 +SET IP ROUTE APPLICATION_ID 0.0.0.0 0.0.0.0 PROXY-IP 80 + + Step 5 is to bind everything to a filter ID called transproxy. List all + local filters first and the http one last. + +ADD PROFILE ENTRY transproxy local1 local2 http + + With this in place use your RADIUS server to send back the + "Framed-Filter-Id = transproxy" key/value pair to the NAS. + + You can check if the filter is being assigned to logins with the + following command: + +display profile port table + +WCCP - Web Cache Coordination Protocol + + Contributors: [1068]Glenn Chisholm, [1069]Lincoln Dale and + [1070]ReubenFarrelly. + + WCCP is a very common and indeed a good way of doing Interception + Caching as it adds additional features and intelligence to the traffic + redirection process. WCCP is a dynamic service in which a cache engine + communicates to a router about it's status, and based on that the + router decides whether or not to redirect the traffic. This means that + if your cache becomes unavailable, the router will automatically stop + attempting to forward traffic to it and end users will not be affected + (and likely not even notice that your cache is out of service). + + WCCPv1 is documented in the Internet-Draft + [1071]draft-forster-wrec-wccp-v1-00.txt and WCCPv2 is documented in + [1072]draft-wilson-wrec-wccp-v2-00.txt. + + For WCCP to work, you firstly need to configure your Squid Cache, and + additionally configure the host OS to redirect the HTTP traffic from + port 80 to whatever port your Squid box is listening to the traffic on. + Once you have done this you can then proceed to configure WCCP on your + router. + +Does Squid support WCCP? + + Cisco's Web Cache Coordination Protocol V1.0 is supported in all + current versions of Squid. WCCPv2 is supported by Squid-2.6 and later. + +Do I need a cisco router to run WCCP? + + No. Originally WCCP support could only be found on cisco devices, but + some other network vendors now support WCCP as well. If you have any + information on how to configure non-cisco devices, please post this + here. + +Can I run WCCP with the Windows port of Squid? + + Technically it may be possible, but we have not heard of anyone doing + so. The easiest way would be to use a Layer 3 switch and doing Layer 2 + MAC rewriting to send the traffic to your cache. If you are using a + router then you will need to find out a way to decapsulate the GRE/WCCP + traffic that the router sends to your Windows cache (this is a function + of your OS, not Squid). + +Where can I find out more about WCCP? + + Cisco have some good content on their website about WCCP. One of the + better documents which lists the features and describes how to + configure WCCP on their routers can be found on there website + [1073]here. + + There is also a more technical document which describes the format of + the WCCP packets at [1074]Colasoft + +Cisco router software required for WCCP + + This depends on whether you are running a switch or a router. + +IOS support in Cisco Routers + + Almost all Cisco routers support WCCP provided you are running IOS + release 12.0 or above, however some routers running older software + require an upgrade to their software feature sets to a 'PLUS' + featureset or better. WCCPv2 is supported on almost all routers in + recent IPBASE releases. + + Cisco's Feature Navigator at [1075]http://www.cisco.com/go/fn runs an + up to date list of which platforms support WCCPv2. + + Generally you should run the latest release train of IOS for your + router that you can. We do not recommend you run T or branch releases + unless you have fully tested them out in a test environment before + deployment as WCCP requires many parts of IOS to work reliably. The + latest mainline 12.1, 12.2, 12.3 and 12.4 releases are generally the + best ones to use and should be the most trouble free. + + Note that you will need to set up a GRE or WCCP tunnel on your cache to + decapsulate the packets your router sends to it. + +IOS support in Cisco Switches + + High end Cisco switches support Layer 2 WCCPv2, which means that + instead of a GRE tunnel transport, the ethernet frames have their next + hop/destination MAC address rewritten to that of your cache engine. + This is far faster to process by the hardware than the router/GRE + method of redirection, and in fact on some platforms such as the 6500s + may be the only way WCCP can be configured. L2 redirection is + supposedly capable of redirecting in excess of 30 million PPS on the + high end 6500 Sup cards. + + Cisco switches known to be able to do WCCPv2 include the Catalyst 3550 + (very basic WCCP only), Catalyst 4500-SUP2 and above, and all models of + the 6000/6500. + + Note that the Catalyst 2900, 3560, 3750 and 4000 early Supervisors do + NOT support WCCP (at all). + + Layer 2 WCCP is a WCCPv2 feature and does not exist in cisco's WCCPv1 + implementation. + + WCCPv2 Layer 2 redirection was added in 12.1E and 12.2S. + + It is always advisable to read the release notes for the version of + software you are running on your switch before you deploy WCCP. + +Software support in Cisco Firewalls (PIX OS) + + Version 7.2(1) of the cisco PIX software now also supports WCCP, + allowing you to do WCCP redirection with this appliance rather than + having to have a router do the redirection. + + 7.2(1) has been tested and verified to work with Squid-2.6. + +What about WCCPv2? + + WCCPv2 is a new feature to Squid-2.6 and Squid-3.0. WCCPv2 + configuration is similar to the WCCPv1 configuration. The directives in + squid.conf are slightly different but are well documented within that + file. Router configuration for WCCPv2 is identical except that you must + not force the router to use WCCPv1 (it defaults to WCCPv2 unless you + tell it otherwise). + +Configuring your router + + There are two different methods of configuring WCCP on Cisco routers. + The first method is for routers that only support V1.0 of the protocol. + The second is for routers that support both. + +IOS Version 11.x + + For very old versions of IOS you will need this config: + +conf t +wccp enable +! +interface [Interface carrying Outgoing Traffic]x/x +! +ip wccp web-cache redirect +! +CTRL Z +copy running-config startup-config + +IOS Version 12.x + + Some of the early versions of 12.x do not have the 'ip wccp version' + command. You will need to upgrade your IOS version to use V1.0. + +conf t +ip wccp version 1 +ip wccp web-cache redirect-list 150 +! +interface [Interface carrying Outgoing/Incoming Traffic]x/x +ip wccp web-cache redirect out|in +! +CTRL Z +copy running-config startup-config + + IOS defaults to using WCCP version 2 if you do not explicitly specify a + version. + + Replace 150 with an access list number (either standard or extended) + which lists IP addresses which you do not wish to be transparently + redirected to your cache. If you wish to redirect all client traffic + then do not add the ip wccp web-cache redirect-list command. + + WCCP is smart enough that it will automatically bypass your cache from + the redirection process, ensuring that your cache does not become + redirected back to itself. + +IOS 12.x problems + + Some people report problems with WCCP and IOS 12.x. + + If you find that the redirection does not work properly, try turning + off CEF and disabling the route-cache on the interface. WCCP has a + nasty habit of sometimes badly interacting with some other cisco + features. Note that both features result in quite significant + performance penalties, so only disable them if there is no other way. + + IOS firewall inspection can also cause problems with WCCP and is worth + disabling if you experience problems. + +Configuring you cisco PIX to run WCCP + + Cisco PIX is very easy to configure. The configuration format is almost + identical to a cisco router, which is hardly surprising given many of + the features are common to both. Like cisco router's, PIX supports the + GRE encapsulation method of traffic redirection. + + Merely put this in your global config: + +wccp web-cache +wccp interface inside web-cache redirect in + + There is no interface specific configuration required. + + Note that the only supported configuration of WCCP on the PIX is with + the WCCP cache engine on the inside of the network (most people want + this anyway). The PIX only supports WCCPv2 and not WCCPv1. There are + some other limitations of this WCCP support, but this feature has been + tested and proven to work with a simple PIX config using version 7.2(1) + and Squid-2.6. + + You can find more information about configuring this and how the PIX + handles WCCP at + [1076]http://www.cisco.com/en/US/customer/products/ps6120/products_conf + iguration_guide_chapter09186a0080636f31.html#wp1094445 + +Cache/Host configuration of WCCP + + There are two parts to this. Firstly you need to configure Squid to + talk WCCP, and additionally you need to configure your operating system + to decapsulate the WCCP traffic as it comes from the router. + +Configuring Squid to talk WCCP + + The configuration directives for this are well documented in + squid.conf. + + For Squid-2.5 which supports only WCCPv1, you need these directives: + +wccp_router a.b.c.d +wccp_version 4 +wccp_incoming_address e.f.g.h +wccp_outgoing_address e.f.g.h + + * a.b.c.d is the address of your WCCP router + * e.f.g.h is the address that you want your WCCP requests to come and + go from. If you are not sure or have only a single IP address on + your cache, do not specify these. + + For Squid-2.6 and Squid-3.0: + + Note: do NOT configure both the WCCPv1 directives (wccp_*) and + WCCPv2 (wccp2_*) options at the same time in your squid.conf. Squid 2.6 + and above only supports configuration of one version at a time, either + WCCPv1 or WCCPv2. With no configuration, the unconfigured version(s) + are not enabled. Unpredictable things might happen if you configure + both sets of options. + + If you are doing WCCPv1, then the configuration is the same as for + Squid-2.5. If you wish to run WCCPv2, then you will want something like + this: + +wccp2_router a.b.c.d +wccp2_version 4 +wccp2_forwarding_method 1 +wccp2_return_method 1 +wccp2_service standard 0 +wccp2_outgoing_address e.f.g.h + + * Use a wccp_forwarding_method and wccp2_return_method of 1 if you + are using a router and GRE/WCCP tunnel, or 2 if you are using a + Layer 3 switch to do the forwarding. + * Your wccp2_service should be set to standard 0 which is the + standard HTTP redirection. + * a.b.c.d is the address of your WCCP router + * e.f.g.h is the address that you want your WCCP requests to come and + go from. If you are not sure or have only a single IP address on + your cache, do not specify these parameters as they are usually not + needed. + + Now you need to read on for the details of configuring your operating + system to support WCCP. + +Configuring FreeBSD + + FreeBSD first needs to be configured to receive and strip the GRE + encapsulation from the packets from the router. To do this you will + need to patch and recompile your kernel. The steps depend on your + kernel version. + +FreeBSD-3.x + + * Apply the [1077]patch for FreeBSD-3.x kernels: + +# cd /usr/src +# patch -s < /tmp/gre.patch + + * Download [1078]gre.c for FreeBSD-3.x. Save this file as + /usr/src/sys/netinet/gre.c. + * Add "options GRE" to your kernel config file and rebuild your + kernel. Note, the opt_gre.h file is created when you run config. + Once your kernel is installed you will need to configure FreeBSD + for interception proxying (see below). + + ====== FreeBSD 4.0 through 4.7 ======= The procedure is nearly + identical to the above for 3.x, but the source files are a little + different. + * Apply the most appropriate patch file from the list of + [1079]patches for 4.x kernels. + * Download [1080]gre.c for FreeBSD-3.x. Save this file as + /usr/src/sys/netinet/gre.c. + * Add "options GRE" to your kernel config file and rebuild your + kernel. Note, the opt_gre.h file is created when you run config. + Once your kernel is installed you will need to [1081]configure + FreeBSD for interception proxying. + +FreeBSD 4.8 and later + + The operating system now comes standard with some GRE support. You need + to make a kernel with the GRE code enabled: + +pseudo-device gre + + And then configure the tunnel so that the router's GRE packets are + accepted: + +# ifconfig gre0 create +# ifconfig gre0 $squid_ip $router_ip netmask 255.255.255.255 up +# ifconfig gre0 tunnel $squid_ip $router_ip +# route delete $router_ip + + Alternatively, you can try it like this: + +ifconfig gre0 create +ifconfig gre0 $squid_ip 10.20.30.40 netmask 255.255.255.255 link1 tunnel $squid_ +ip $router_ip up + + Since the WCCP/GRE tunnel is one-way, Squid never sends any packets to + 10.20.30.40 and that particular address doesn't matter. + +FreeBSD 6.x and later + + FreeBSD 6.x has GRE support in kernel by default. It also supports both + WCCPv1 and WCCPv2. From gre(4) manpage: "Since there is no reliable way + to distinguish between WCCP versions, it should be configured manually + using the link2 flag. If the link2 flag is not set (default), then WCCP + version 1 is selected." The rest of configuration is just as it was in + 4.8+ + +Standard Linux GRE Tunnel + + Linux 2.2 kernels already support GRE, as long as the GRE module is + compiled into the kernel. However, WCCP uses a slightly non-standard + GRE encapsulation format and Linux versions earlier than 2.6.9 may need + to be patched to support WCCP. That is why we strongly recommend you + run a recent version of the Linux kernel, as if you are you simply need + to modprobe the module to gain it's functionality. + + Ensure that the GRE code is either built as static or as a module by + chosing the appropriate option in your kernel config. Then rebuild your + kernel. If it is a module you will need to: + +modprobe ip_gre + + The next step is to tell Linux to establish an IP tunnel between the + router and your host. + +ip tunnel add wccp0 mode gre remote local dev +ip addr add /32 dev wccp0 +ip link set wccp0 up + + or if using the older network tools + +iptunnel add wccp0 mode gre remote local dev +ifconfig wccp0 netmask 255.255.255.255 up + + is the extrnal IP address of your router that is + intercepting the HTTP packets. is the IP address of your + cache, and is the network interface that receives those + packets (probably eth0). + + Note that WCCP is incompatible with the rp_filter function in Linux and + you must disable this if enabled. If enabled any packets redirected by + WCCP and intercepted by Netfilter/iptables will be silendly discarded + by the TCP/IP stack due to their "unexpected" origin from the gre + interface. + +echo 0 >/proc/sys/net/ipv4/conf/wccp0/rp_filter + +WCCP Specific Module + + This module is not part of the standard Linux distributon. It needs to + be compiled as a module and loaded on your system to function. Do not + attempt to build this in as a static part of your kernel. + + This module is most suited to Linux kernels prior to 2.6.9. Kernels + more recent than that support WCCP with the ip_gre module that comes + with the kernel. + + Download the [1082]Linux WCCP module and compile it as you would any + Linux network module. In most cases this is just to run make install in + the module source directory. Note: Compiling kernel modules requires + the kernel development files to be installed. + + Finally you will need to load the module: + +modprobe ip_wccp + + If the WCCP redirected traffic is coming on on a different interface + than where return traffic to the clients are sent then you may also + need to disable the rp_filter function. If enabled any packets + redirected by WCCP will be silendly discarded by the TCP/IP stack due + to their "unexpected" origin from the other interface. + +echo 0 >/proc/sys/net/ipv4/conf/eth0/rp_filter + + And set up Netfilter/iptables to redirect the intercepted traffic to + your Squid port + +iptables -t nat -A PREROUTING -i eth0 -j REDIRECT --redirect-to 3128 + +TProxy Interception + + TProxy is a new feature in Squid-2.6 which enhances standard + Interception Caching so that it further hides the presence of your + cache. Normally with Interception Caching the remote server sees your + cache engine as the source of the HTTP request. TProxy takes this a + step further by hiding your cache engine so that the end client is seen + as the source of the request (even though really they aren't). + + Here are some notes by [1083]StevenWilton on how to get TProxy working + properly: + + I've got TProxy + WCCPv2 working with squid 2.6. There are a few things + that need to be done: + * The kernel and iptables need to be patched with the tproxy patches + (and the tproxy include file needs to be placed in + /usr/include/linux/netfilter_ipv4/ip_tproxy.h or + include/netfilter_ipv4/ip_tproxy.h in the squid src tree). + * The iptables rule needs to use the TPROXY target (instead of the + REDIRECT target) to redirect the port 80 traffic to the proxy. ie: + +iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on +-port 80 + + * The kernel must strip the GRE header from the incoming packets + (either using the ip_wccp module, or by having a GRE tunnel set up + in Linux pointing at the router (no GRE setup is required on the + router)). + * Two WCCP services must be used, one for outgoing traffic and an + inverse for return traffic from the Internet. We use the following + WCCP definitions in squid.conf: + +wccp2_service dynamic 80 +wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80 +wccp2_service dynamic 90 +wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 p +orts=80 + + It is highly recommended that the above definitions be used for the two + WCCP services, otherwise things will break if you have more than one + cache (specifically, you will have problems when the name of a web + server resolves to multiple ip addresses). + * The http port that you are redirecting to must have the transparent + and tproxy options enabled as follows (modify the port as + appropriate): http_port 80 transparent tproxy + * There must be a tcp_outgoing address defined. This will need to be + valid to satisfy any non-tproxied connections. + * On the router, you need to make sure that all traffic going to/from + the customer will be processed by both WCCP rules. The way we have + + implemented this is to apply WCCP service 80 to all traffic coming in + from a customer-facing interface, and WCCP service 90 applied to all + traffic going out a customer-facing interface. We have also applied the + WCCP exclude-in rule to all traffic coming in from the proxy-facing + interface although this will probably not normally be necessary if all + your caches have registered to the WCCP router. ie: + +interface GigabitEthernet0/3.100 + description ADSL customers + encapsulation dot1Q 502 + ip address x.x.x.x y.y.y.y + ip wccp 80 redirect in + ip wccp 90 redirect out +interface GigabitEthernet0/3.101 + description Dialup customers + encapsulation dot1Q 502 + ip address x.x.x.x y.y.y.y + ip wccp 80 redirect in + ip wccp 90 redirect out +interface GigabitEthernet0/3.102 + description proxy servers + encapsulation dot1Q 506 + ip address x.x.x.x y.y.y.y + ip wccp redirect exclude in + + * It's highly recommended to turn httpd_accel_no_pmtu_disc on in the + squid.conf. + + The homepage for the TProxy software is at [1084]balabit.com. + +Complete + + By now if you have followed the documentation you should have a working + Interception Caching system. Verify this by unconfiguring any proxy + settings in your browser and surfing out through your system. You + should see entries appearing in your access.log for the sites you are + visiting in your browser. If your system does not work as you would + expect, you will want to read on to our troubleshooting section below. + +Troubleshooting and Questions + +It doesn't work. How do I debug it? + + * Start by testing your cache. Check to make sure you have configured + Squid with the right configure options - squid -v will tell you + what options Squid was configured with. + * Can you manually configure your browser to talk to the proxy port? + If not, you most likely have a proxy configuration problem. + * Have you tried unloading ALL firewall rules on your cache and/or + the inside address of your network device to see if that helps? If + your router or cache are inadvertently blocking or dropping either + the WCCP control traffic or the GRE, things won't work. + * If you are using WCCP on a cisco router or switch, is the router + seeing your cache? Use the command show ip wccp web-cache detail + * Look in your logs both in Squid (cache.log), and on your + router/switch where a show log will likely tell you if it has + detected your cache engine registering. + * On your Squid cache, set debug_options ALL,1 80,3 or for even + more detail debug_options ALL,1 80,5 . The output of this will be + in your cache.log. + * On your cisco router, turn on WCCP debugging: + +router#term mon +router#debug ip wccp events +WCCP events debugging is on +router#debug ip wccp packets +WCCP packet info debugging is on +router# + + !Do not forget to turn this off after you have finished your debugging + session as this imposes a performance hit on your router. + * Run tcpdump or ethereal on your cache interface and look at the + traffic, try and figure out what is going on. You should be seeing + UDP packets to and from port 2048 and GRE encapsulated traffic with + TCP inside it. If you are seeing messages about "protocol not + supported" or "invalid protocol", then your GRE or WCCP module is + not loaded, and your cache is rejecting the traffic because it does + not know what to do with it. + * Have you configured both wccp_ and wccp2_ options? You should only + configure one or the other and NOT BOTH. + * The most common problem people have is that the router and cache + are talking to each other and traffic is being redirected from the + router but the traffic decapsulation process is either broken or + (as is almost always the case) misconfigured. This is often a case + of your traffic rewriting rules on your cache not being applied + correctly (see section 2 above - Getting your traffic to the right + port on your Squid Cache). + * Run the most recent General Deployment (GD) release of the software + train you have on your router or switch. Broken IOS's can also + result in broken redirection. A known good version of IOS for + routers with no apparent WCCP breakage is 12.3(7)T12. There was + extensive damage to WCCP in 12.3(8)T up to and including early + 12.4(x) releases. 12.4(8) is known to work fine as long as you are + not doing ip firewall inspection on the interface where your cache + is located. + + If none of these steps yield any useful clues, post the vital + information including the versions of your router, proxy, operating + system, your traffic redirection rules, debugging output and any other + things you have tried to the squid-users mailing list. + +Why can't I use authentication together with interception proxying? + + Interception Proxying works by having an active agent (the proxy) where + there should be none. The browser is not expecting it to be there, and + it's for all effects and purposes being cheated or, at best, confused. + As an user of that browser, I would require it not to give away any + credentials to an unexpected party, wouldn't you agree? Especially so + when the user-agent can do so without notifying the user, like + Microsoft browsers can do when the proxy offers any of the + Microsoft-designed authentication schemes such as NTLM (see + [1085]../ProxyAuthentication and [1086]NegotiateAuthentication). + + In other words, it's not a squid bug, but a browser security feature. + +Can I use ''proxy_auth'' with interception? + + No, you cannot. See the answer to the previous question. With + interception proxying, the client thinks it is talking to an origin + server and would never send the Proxy-authorization request header. + +"Connection reset by peer" and Cisco policy routing + + Fyodor has tracked down the cause of unusual "connection reset by peer" + messages when using Cisco policy routing to hijack HTTP requests. + + When the network link between router and the cache goes down for just a + moment, the packets that are supposed to be redirected are instead sent + out the default route. If this happens, a TCP ACK from the client host + may be sent to the origin server, instead of being diverted to the + cache. The origin server, upon receiving an unexpected ACK packet, + sends a TCP RESET back to the client, which aborts the client's + request. + + To work around this problem, you can install a static route to the + null0 interface for the cache address with a higher metric (lower + precedence), such as 250. + + Then, when the link goes down, packets from the client just get dropped + instead of sent out the default route. For example, if 1.2.3.4 is the + IP address of your Squid cache, you may add: + +ip route 1.2.3.4 255.255.255.255 Null0 250 + + This appears to cause the correct behaviour. + +Configuration Examples contributed by users who have working installations + +Linux 2.0.33 and Cisco policy-routing + + By [1087]Brian Feeny + + Here is how I have Interception proxying working for me, in an + environment where my router is a Cisco 2501 running IOS 11.1, and Squid + machine is running Linux 2.0.33. + + Many thanks to the following individuals and the squid-users list for + helping me get redirection and interception proxying working on my + Cisco/Linux box. + * Lincoln Dale + * Riccardo Vratogna + * Mark White + * [1088]HenrikNordstrm + + First, here is what I added to my Cisco, which is running IOS 11.1. In + IOS 11.1 the route-map command is "process switched" as opposed to the + faster "fast-switched" route-map which is found in IOS 11.2 and later. + Even more recent versions CEF switch for much better performance. + +! +interface Ethernet0 + description To Office Ethernet + ip address 208.206.76.1 255.255.255.0 + no ip directed-broadcast + no ip mroute-cache + ip policy route-map proxy-redir +! +access-list 110 deny tcp host 208.206.76.44 any eq www +access-list 110 permit tcp any any eq www +route-map proxy-redir permit 10 + match ip address 110 + set ip next-hop 208.206.76.44 + + So basically from above you can see I added the "route-map" + declaration, and an access-list, and then turned the route-map on under + int e0 "ip policy route-map proxy-redir" The host above: 208.206.76.44, + is the ip number of my squid host. + + My squid box runs Linux, so I had to configure my kernel (2.0.33) like + this: + +# +# Networking options +# +CONFIG_FIREWALL=y +# CONFIG_NET_ALIAS is not set +CONFIG_INET=y +CONFIG_IP_FORWARD=y +CONFIG_IP_MULTICAST=y +CONFIG_SYN_COOKIES=y +# CONFIG_RST_COOKIES is not set +CONFIG_IP_FIREWALL=y +# CONFIG_IP_FIREWALL_VERBOSE is not set +CONFIG_IP_MASQUERADE=y +# CONFIG_IP_MASQUERADE_IPAUTOFW is not set +CONFIG_IP_MASQUERADE_ICMP=y +CONFIG_IP_TRANSPARENT_PROXY=y +CONFIG_IP_ALWAYS_DEFRAG=y +# CONFIG_IP_ACCT is not set +CONFIG_IP_ROUTER=y + + You will need Firewalling and Transparent Proxy turned on at a minimum. + + Then some ipfwadm stuff: + +# Accept all on loopback +ipfwadm -I -a accept -W lo +# Accept my own IP, to prevent loops (repeat for each interface/alias) +ipfwadm -I -a accept -P tcp -D 208.206.76.44 80 +# Send all traffic destined to port 80 to Squid on port 3128 +ipfwadm -I -a accept -P tcp -D 0/0 80 -r 3128 + + it accepts packets on port 80 (redirected from the Cisco), and + redirects them to 3128 which is the port my squid process is sitting + on. I put all this in /etc/rc.d/rc.local + + I am using [/Versions/1.1/1.1.20/ v1.1.20 of Squid] with [1089]Henrik's + patch installed. + + You will want to install this patch if using a setup similar to mine. + +Interception on Linux with Squid and the Browser on the same box + + by Joshua N Pritikin + +#!/bin/sh +iptables -t nat -F # clear table +# normal transparent proxy +iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 80 +80 +# handle connections on the same box (192.168.0.2 is a loopback instance) +gid=`id -g proxy` +iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT +iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2 +:8080 + +Interception Caching with FreeBSD by by DuaneWessels + + I set out yesterday to make interception caching work with Squid-2 and + FreeBSD. It was, uh, fun. + + It was relatively easy to configure a cisco to divert port 80 packets + to my FreeBSD box. Configuration goes something like this: + +access-list 110 deny tcp host 10.0.3.22 any eq www +access-list 110 permit tcp any any eq www +route-map proxy-redirect permit 10 + match ip address 110 + set ip next-hop 10.0.3.22 +int eth2/0 + ip policy route-map proxy-redirect + + Here, 10.0.3.22 is the IP address of the FreeBSD cache machine. + + Once I have packets going to the FreeBSD box, I need to get the kernel + to deliver them to Squid. I started on FreeBSD-2.2.7, and then + downloaded + + [1090]IPFilter. This was a dead end for me. The IPFilter distribution + includes patches to the FreeBSD kernel sources, but many of these had + conflicts. Then I noticed that the IPFilter page says "It comes as a + part of [FreeBSD-2.2 and later]." Fair enough. Unfortunately, you can't + hijack connections with the FreeBSD-2.2.X IPFIREWALL code (ipfw), and + you can't (or at least I couldn't) do it with natd either. + + FreeBSD-3.0 has much better support for connection hijacking, so I + suggest you start with that. You need to build a kernel with the + following options: + +options IPFIREWALL +options IPFIREWALL_FORWARD + + Next, its time to configure the IP firewall rules with ipfw. By + default, there are no "allow" rules and all packets are denied. I added + these commands to /etc/rc.local just to be able to use the machine on + my network: + +ipfw add 60000 allow all from any to any + + But we're still not hijacking connections. To accomplish that, add + these rules: + +ipfw add 49 allow tcp from 10.0.3.22 to any +ipfw add 50 fwd 127.0.0.1 tcp from any to any 80 + + The second line (rule 50) is the one which hijacks the connection. The + first line makes sure we never hit rule 50 for traffic originated by + the local machine. + + This prevents forwarding loops. + + Note that I am not changing the port number here. That is, port 80 + packets are simply diverted to Squid on port 80. My Squid configuration + is: + +http_port 80 +httpd_accel_host virtual +httpd_accel_port 80 +httpd_accel_with_proxy on +httpd_accel_uses_host_header on + + If you don't want Squid to listen on port 80 (because that requires + root privileges) then you can use another port. In that case your ipfw + redirect rule looks like: + +ipfw add 50 fwd 127.0.0.1,3128 tcp from any to any 80 + + and the squid.conf lines are: + +http_port 3128 +httpd_accel_host virtual +httpd_accel_port 80 +httpd_accel_with_proxy on +httpd_accel_uses_host_header on + +Interception Caching with Linux 2.6.18, ip_gre, Squid-2.6 and cisco IOS +12.4(6)T2 by ReubenFarrelly + + Here's how I do it. My system is a Fedora Core 5 based system, and I am + presently running Squid-2.6 with WCCPv2. The cache is located on the + same subnet as my router and client PC's. + + My Squid proxy is configured like this: + * In /etc/sysconfig/iptables: + +-A PREROUTING -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -i gre +0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.5:3128 + * In /etc/sysctl.conf + +# Controls IP packet forwarding +net.ipv4.ip_forward = 1 +# Controls source route verification +net.ipv4.conf.default.rp_filter = 0 +# Do not accept source routing +net.ipv4.conf.default.accept_source_route = 0 + + * In /etc/sysconfig/network-scripts/ifcfg-gre0 I have this: + +DEVICE=gre0 +BOOTPROTO=static +IPADDR=172.16.1.6 +NETMASK=255.255.255.252 +ONBOOT=yes +IPV6INIT=no + + By configuring the interface like this, it automatically comes up at + boot, and the module is loaded automatically. I can additionally ifup + or ifdown the interface at will. This is the standard Fedora way of + configuring a GRE interface. + * I build customised kernels for my hardware, so I have this set in + my kernel .config: + +CONFIG_NET_IPGRE=m + + However you can optionally build the GRE tunnel into your kernel by + selecting 'y' instead. + * My router runs cisco IOS 12.4(6)T2 ADVSECURITY, and I have a + sub-interface on my FastEthernet port as the switch-router link is + a trunk: + +! +ip wccp web-cache +ip cef +! +interface FastEthernet0/0.2 + description Link to internal LAN + encapsulation dot1Q 2 + ip address 192.168.0.1 255.255.255.0 + ip access-group outboundfilters in + no ip proxy-arp + ip wccp web-cache redirect in + ip inspect fw-rules in + ip nat inside + ip virtual-reassembly + no snmp trap link-status +! + + Note: in this release of IOS software that I am running (12.4(6)T2 and + 12.4(9)T) you MUST NOT have ip inspect fw-rules in on the same + interface as your ip wccp web-cache redirect statement. I opened a TAC + case on this as it is clearly a bug and regression from past behaviour + where WCCP did work fine with IP inspection configured on the same + interface. This turned out to be confirmed as a bug in IOS, which is + documented as [1091]CSCse55959. The cause of this is TCP fragments of + traffic being dropped by the ip inspection process - fragments which + should not even be inspected in the first place. This bug does not + occur on the PIX which works fine with the same network design and + configuration. If you would like this bug fixed, please open a cisco + TAC case referencing this bug report and encourage cisco to fix it. + + If you are running WCCPv1 then you would additionally add: + +ip wccp version 1 + + to your router configuration. + + What does it all look like? + * iptables rules looks like this: + +[root@tornado squid]# iptables -t nat -L +Chain PREROUTING (policy ACCEPT) +target prot opt source destination +DNAT tcp -- network.reub.net/24 !network.reub.net/24 tcp dpt:http to:192 +.168.0.5:3128 + + * my squid.conf looks like this: + +http_port tornado.reub.net:3128 transparent +wccp2_router router.reub.net +wccp2_forwarding_method 1 +wccp2_return_method 1 +wccp2_service standard 0 + + * my operating system runs a GRE tunnel which looks like this: + +[root@tornado squid]# ifconfig gre0 +gre0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 +-00 + inet addr:172.16.1.6 Mask:255.255.255.252 + UP RUNNING NOARP MTU:1476 Metric:1 + RX packets:449 errors:0 dropped:0 overruns:0 frame:0 + TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 + collisions:0 txqueuelen:0 + RX bytes:20917 (20.4 KiB) TX bytes:0 (0.0 b) + + * my router sees the cache engine, and tells me how much traffic it + has switched through to the cache: + +router#show ip wccp web-cache +Global WCCP information: + Router information: + Router Identifier: 172.16.1.5 + Protocol Version: 2.0 + Service Identifier: web-cache + Number of Service Group Clients: 1 + Number of Service Group Routers: 1 + Total Packets s/w Redirected: 1809 + Process: 203 + Fast: 1606 + CEF: 0 + Redirect access-list: -none- + Total Packets Denied Redirect: 0 + Total Packets Unassigned: 0 + Group access-list: -none- + Total Messages Denied to Group: 0 + Total Authentication failures: 0 + Total Bypassed Packets Received: 0 +router# +router#show ip wccp web-cache detail +WCCP Client information: + WCCP Client ID: 192.168.0.5 + Protocol Version: 2.0 + State: Usable + Initial Hash Info: 00000000000000000000000000000000 + 00000000000000000000000000000000 + Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + Hash Allotment: 256 (100.00%) + Packets s/w Redirected: 449 + Connect Time: 13:51:42 + Bypassed Packets + Process: 0 + Fast: 0 + CEF: 0 +router# + +Joe Cooper's Patch + + Joe Cooper has a patch for Linux 2.2.18 kernel on his [1092]Squid page. + +Further information about configuring Interception Caching with Squid + + [1093]ReubenFarrelly has written a fairly comprehensive but somewhat + incomplete guide to configuring WCCP with cisco routers on his website. + You can find it at [1094]www.reub.net. + + [1095]DuaneWessels has written an O'Reilly book about Web Caching which + is an invaluable reference guide for Squid (and in fact non-Squid) + cache administrators. A sample chapter on "Interception Proxying and + Caching" from his book is up online, at + [1096]http://www.oreilly.com/catalog/webcaching/chapter/ch05.html. + +Configuring Other Operating Systems + + If you have managed to configure your operating system to support WCCP + with Squid please contact us or add the details to this wiki so that + others may benefit. + +Issues with HotMail + + Recent changes at Hotmail.com and has led to some users receiving a + blank page in response to a login request when browsing through a proxy + operating in interception, or transparent, mode. This is due to Hotmail + incorrectly responding with Transfer-Encoding encoded response when the + HTTP/1.0 request has an Accept-Encoding header. (Transfer-Encoding + absolutely REQUIRES HTTP/1.1 and is forbidden within HTTP/1.0) + + A workaround is simply to add the following three lines to + /etc/squid/squid.conf: + +acl hotmail_domains dstdomain .hotmail.msn.com +header_access Accept-Encoding deny hotmail_domains + + (para-quoted by [1097]HenrikNordstrm from + [1098]http://www.swelltech.com/news.html) + __________________________________________________________________ + + Contents + 1. [1099]Does Squid support SNMP? + 2. [1100]Enabling SNMP in Squid + 3. [1101]Configuring Squid + 4. [1102]How can I query the Squid SNMP Agent + 5. [1103]What can I use SNMP and Squid for? + 6. [1104]How can I use SNMP with Squid? + 7. [1105]Where can I get more information/discussion about Squid and + SNMP? + 8. [1106]Monitoring Squid with MRTG + + Contributors: [1107]Glenn Chisholm. + +Does Squid support SNMP? + + Yes. You will need to configure Squid with SNMP support and edit your + squid.conf file with appropriate access conrols. + +Enabling SNMP in Squid + + To use SNMP, it must first be enabled with the configure script, and + squid rebuilt. To enable is first run the script: + +./configure --enable-snmp [ ... other configure options ] + + Next, recompile after cleaning the source tree : + +make clean +make all +make install + + Once the compile is completed and the new binary is installed the + squid.conf file needs to be configured to allow access; the default is + to deny all requests. + + You may also want to move the Squid mib.txt into your SNMP MIB + directory so that you can view the output as text rather than raw OID + numbers. + +Configuring Squid + + To configure SNMP first specify a list of communities that you would + like to allow access by using a standard acl of the form: + +acl aclname snmp_community string + + For example: + +acl snmppublic snmp_community public +acl snmpjoebloggs snmp_community joebloggs + + This creates two acl's, with two different communities, public and + joebloggs. You can name the acl's and the community strings anything + that you like. + + To specify the port that the agent will listen on modify the + "snmp_port" parameter, it is defaulted to 3401. The port that the agent + will forward requests that can not be furfilled by this agent to is set + by "forward_snmpd_port" it is defaulted to off. It must be configured + for this to work. Remember that as the requests will be originating + from this agent you will need to make sure that you configure your + access accordingly. + + To allow access to Squid's SNMP agent, define an snmp_access ACL with + the community strings that you previously defined. For example: + +snmp_access allow snmppublic localhost +snmp_access deny all + + The above will allow anyone on the localhost who uses the community + public to access the agent. It will deny all others access. + + If you do not define any snmp_access ACL's, then SNMP access is denied + by default. + + Finally squid allows to you to configure the address that the agent + will bind to for incoming and outgoing traffic. These are defaulted to + 0.0.0.0, changing these will cause the agent to bind to a specific + address on the host, rather than the default which is all. + +snmp_incoming_address 0.0.0.0 +snmp_outgoing_address 0.0.0.0 + +How can I query the Squid SNMP Agent + + You can test if your Squid supports SNMP with the snmpwalk program + (snmpwalk is a part of the [1108]NET-SNMP project). Note that you have + to specify the SNMP port, which in Squid defaults to 3401. + +snmpwalk -p 3401 hostname communitystring .1.3.6.1.4.1.3495.1.1 + + If it gives output like: + +enterprises.nlanr.squid.cacheSystem.cacheSysVMsize = 7970816 +enterprises.nlanr.squid.cacheSystem.cacheSysStorage = 2796142 +enterprises.nlanr.squid.cacheSystem.cacheUptime = Timeticks: (766299) 2:07:42.99 + + or + +SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 460 +SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 1566452 +SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (584627) 1:37:26.27 + + then it is working ok, and you should be able to make nice statistics + out of it. + + For an explanation of what every string (OID) does, you should refer to + the [/SNMP/ Squid SNMP web pages]. + +What can I use SNMP and Squid for? + + There are a lot of things you can do with SNMP and Squid. It can be + useful in some extent for a longer term overview of how your proxy is + doing. It can also be used as a problem solver. For example: how is it + going with your filedescriptor usage? or how much does your LRU vary + along a day. Things you can't monitor very well normally, aside from + clicking at the cachemgr frequently. Why not let MRTG do it for you? + +How can I use SNMP with Squid? + + There are a number of tools that you can use to monitor Squid via SNMP. + Many people use MRTG. Another good combination is [1109]NET-SNMP plus + [1110]RRDTool. You might be able to find more information at the + [/SNMP/ Squid SNMP web pages] or [1111]ircache rrdtool scripts + +Where can I get more information/discussion about Squid and SNMP? + + There is an archive of messages from the [1112]cache-snmp@ircache.net + mailing list [1113]mailing list. + + Subscriptions should be sent to: [1114]cache-snmp-request@ircache.net . + +Monitoring Squid with MRTG + + Some people use [1115]MRTG to query Squid through its SNMP interface. + + To get instruction on using MRTG with Squid please visit these pages: + * [1116]Cache Monitoring - How to set up your own monitoring by + DFN-Cache + * [1117]Using MRTG to monitor Squid by ACME Consulting + * [1118]Squid Configuration Manual - Monitoring Squid by Visolve + * [1119]Using MRTG for Squid monitoring Desire II caching workshop + session by Matija Grabnar + * [1120]How do I monitor my Squid 2 cache using MRT by The National + Janet Web Cache Service + + Further examples of Squid MRTG configurations can be found here: + * [1121]MRTG HOWTO Collection / Squid from MRTG + * [1122]using mrtg to monitor Squid from MRTG + * [1123]Chris' MRTG Resources + * [1124]MRTG & Squid by Glenn Chisholm + * [1125]Braindump by Joakim Recht + __________________________________________________________________ + + Contents + 1. [1126]What are the new features in squid 2.X? + 2. [1127]How do I configure 'ssl_proxy' now? + 3. [1128]Adding a new cache disk + 4. [1129]How do I configure proxy authentication? + 5. [1130]Why does proxy-auth reject all users after upgrading from + Squid-2.1 or earlier? + 6. [1131]Delay Pools + 1. [1132]How can I limit Squid's total bandwidth to, say, 512 + Kbps? + 2. [1133]How to limit a single connection to 128 Kbps? + 3. [1134]How do you personally use delay pools? + 4. [1135]Where else can I find out about delay pools? + 7. [1136]Customizable Error Messages + 8. [1137]My squid.conf from version 1.1 doesn't work! + +What are the new features in squid 2.X? + + * persistent connections. + * Lower VM usage; in-transit objects are not held fully in memory. + * Totally independent swap directories. + * Customizable error texts. + * FTP supported internally; no more ftpget. + * Asynchronous disk operations (optional, requires pthreads library). + * Internal icons for FTP and gopher directories. + * snprintf() used everywhere instead of sprintf(). + * SNMP + * URN support + * Routing requests based on AS numbers. + * [1138]../CacheDigests + * ...and many more! + +How do I configure 'ssl_proxy' now? + + By default, Squid connects directly to origin servers for SSL requests. + But if you must force SSL requests through a parent, first tell Squid + it can not go direct for SSL: +acl SSL method CONNECT +never_direct allow SSL + + With this in place, Squid should pick one of your parents to use for + SSL requests. If you want it to pick a particular parent, you must use + the cache_peer_access configuration: +cache_peer parent1 parent 3128 3130 +cache_peer parent2 parent 3128 3130 +cache_peer_access parent2 allow !SSL + + The above lines tell Squid to NOT use parent2 for SSL, so it should + always use parent1. + +Adding a new cache disk + + Simply add your new cache_dir line to squid.conf, then run squid -z + again. Squid will create swap directories on the new disk and leave the + existing ones in place. + +How do I configure proxy authentication? + + Authentication is handled via external processes. Arjan's [1139]proxy + auth page describes how to set it up. Some simple instructions are + given below as well. + * We assume you have configured an ACL entry with proxy_auth, for + example: + +acl foo proxy_auth REQUIRED +http_access allow foo + + * You will need to compile and install an external authenticator + program. Most people will want to use ncsa_auth. The source for + this program is included in the source distribution, in the + helpers/basic_auth/NCSA directory. + +% cd helpers/basic_auth/NCSA +% make +% make install + + You should now have an ncsa_auth program in the /libexec/ + directory where the helpers for squid lives (usually + /usr/local/squid/libexec unless overridden by configure flags). You can + also select with the --enable-basic-auth-helpers=... option which + helpers should be installed by default when you install Squid. + * You may need to create a password file. If you have been using + proxy authentication before, you probably already have such a file. + You can get Apache's htpasswd program. Pick a pathname for your + password file. We will assume you will want to put it in the same + directory as your squid.conf. + * Configure the external authenticator in squid.conf. For ncsa_auth + you need to give the pathname to the executable and the password + file as an argument. For example: + + auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/s +quid/etc/passwd + + After all that, you should be able to start up Squid. If we left + something out, or haven't been clear enough, please let us know + ([1140]squid-faq@squid-cache.org). + +Why does proxy-auth reject all users after upgrading from Squid-2.1 or +earlier? + + The ACL for proxy-authentication has changed from: +acl foo proxy_auth timeout + + to: +acl foo proxy_auth username + + Please update your ACL appropriately - a username of REQUIRED will + permit all valid usernames. The timeout is now specified with the + configuration option: +auth_param basic credentialsttl timeout + +Delay Pools + + by [1141]David Luyer. + + Delay pools provide a way to limit the bandwidth of certain requests + based on any list of criteria. The idea came from a Western Australian + university who wanted to restrict student traffic costs (without + affecting staff traffic, and still getting cache and local peering hits + at full speed). There was some early Squid 1.0 code by Central Network + Services at Murdoch University, which I then developed (at the + University of Western Australia) into a much more complex patch for + Squid 1.0 called "DELAY_HACK." I then tried to code it in a much + cleaner style and with slightly more generic options than I personally + needed, and called this "delay pools" in Squid 2. I almost completely + recoded this in Squid 2.2 to provide the greater flexibility requested + by people using the feature. + + To enable delay pools features in Squid 2.2, you must use the + --enable-delay-pools configure option before compilation. + + Terminology for this FAQ entry: + + pool + a collection of bucket groups as appropriate to a given class + + bucket group + a group of buckets within a pool, such as the per-host bucket + group, the per-network bucket group or the aggregate bucket + group (the aggregate bucket group is actually a single bucket) + + bucket + an individual delay bucket represents a traffic allocation which + is replenished at a given rate (up to a given limit) and causes + traffic to be delayed when empty + + class + the class of a delay pool determines how the delay is applied, + ie, whether the different client IPs are treated seperately or + as a group (or both) + + class 1 + a class 1 delay pool contains a single unified bucket which is + used for all requests from hosts subject to the pool + + class 2 + a class 2 delay pool contains one unified bucket and 255 + buckets, one for each host on an 8-bit network (IPv4 class C) + + class 3 + contains 255 buckets for the subnets in a 16-bit network, and + individual buckets for every host on these networks (IPv4 class + B ) + + Delay pools allows you to limit traffic for clients or client groups, + with various features: + * can specify peer hosts which aren't affected by delay pools, ie, + local peering or other 'free' traffic (with the no-delay peer + option). + * delay behavior is selected by ACLs (low and high priority traffic, + staff vs students or student vs authenticated student or so on). + * each group of users has a number of buckets, a bucket has an amount + coming into it in a second and a maximum amount it can grow to; + when it reaches zero, objects reads are deferred until one of the + object's clients has some traffic allowance. + * any number of pools can be configured with a given class and any + set of limits within the pools can be disabled, for example you + might only want to use the aggregate and per-host bucket groups of + class 3, not the per-network one. + + This allows options such as creating a number of class 1 delay pools + and allowing a certain amount of bandwidth to given object types (by + using URL regular expressions or similar), and many other uses I'm sure + I haven't even though of beyond the original fair balancing of a + relatively small traffic allocation across a large number of users. + + There are some limitations of delay pools: + * delay pools are incompatible with slow aborts; quick abort should + be set fairly low to prevent objects being retrived at full speed + once there are no clients requesting them (as the traffic + allocation is based on the current clients, and when there are no + clients attached to the object there is no way to determine the + traffic allocation). + * delay pools only limits the actual data transferred and is not + inclusive of overheads such as TCP overheads, ICP, DNS, icmp pings, + etc. + * it is possible for one connection or a small number of connections + to take all the bandwidth from a given bucket and the other + connections to be starved completely, which can be a major problem + if there are a number of large objects being transferred and the + parameters are set in a way that a few large objects will cause all + clients to be starved (potentially fixed by a currently + experimental patch). + +How can I limit Squid's total bandwidth to, say, 512 Kbps? + +acl all src 0.0.0.0/0.0.0.0 # might already be defined +delay_pools 1 +delay_class 1 1 +delay_access 1 allow all +delay_parameters 1 64000/64000 # 512 kbits == 64 kbytes per second + + For an explanation of these tags please see the configuration file. + + The 1 second buffer (max = restore = 64kbytes/sec) is because a limit + is requested, and no responsiveness to a busrt is requested. If you + want it to be able to respond to a burst, increase the aggregate_max to + a larger value, and traffic bursts will be handled. It is recommended + that the maximum is at least twice the restore value - if there is only + a single object being downloaded, sometimes the download rate will fall + below the requested throughput as the bucket is not empty when it comes + to be replenished. + +How to limit a single connection to 128 Kbps? + + You can not limit a single HTTP request's connection speed. You can + limit individual hosts to some bandwidth rate. To limit a specific + host, define an acl for that host and use the example above. To limit a + group of hosts, then you must use a delay pool of class 2 or 3. For + example: +acl only128kusers src 192.168.1.0/255.255.192.0 +acl all src 0.0.0.0/0.0.0.0 +delay_pools 1 +delay_class 1 3 +delay_access 1 allow only128kusers +delay_access 1 deny all +delay_parameters 1 64000/64000 -1/-1 16000/64000 + + For an explanation of these tags please see the configuration file. + + The above gives a solution where a cache is given a total of 512kbits + to operate in, and each IP address gets only 128kbits out of that pool. + +How do you personally use delay pools? + + We have six local cache peers, all with the options 'proxy-only + no-delay' since they are fast machines connected via a fast ethernet + and microwave (ATM) network. + + For our local access we use a dstdomain ACL, and for delay pool + exceptions we use a dst ACL as well since the delay pool ACL processing + is done using "fast lookups", which means (among other things) it won't + wait for a DNS lookup if it would need one. + + Our proxy has two virtual interfaces, one which requires student + authentication to connect from machines where a department is not + paying for traffic, and one which uses delay pools. Also, users of the + main Unix system are allowed to choose slow or fast traffic, but must + pay for any traffic they do using the fast cache. Ident lookups are + disabled for accesses through the slow cache since they aren't needed. + Slow accesses are delayed using a class 3 delay pool to give fairness + between departments as well as between users. We recognize users of + Lynx on the main host are grouped together in one delay bucket but they + are mostly viewing text pages anyway, so this isn't considered a + serious problem. If it was we could take those hosts into a class 1 + delay pool and give it a larger allocation. + + I prefer using a slow restore rate and a large maximum rate to give + preference to people who are looking at web pages as their individual + bucket fills while they are reading, and those downloading large + objects are disadvantaged. This depends on which clients you believe + are more important. Also, one individual 8 bit network (a residential + college) have paid extra to get more bandwidth. + + The relevant parts of my configuration file are (IP addresses, etc, all + changed): +# ACL definitions +# Local network definitions, domains a.net, b.net +acl LOCAL-NET dstdomain a.net b.net +# Local network; nets 64 - 127. Also nearby network class A, 10. +acl LOCAL-IP dst 192.168.64.0/255.255.192.0 10.0.0.0/255.0.0.0 +# Virtual i/f used for slow access +acl virtual_slowcache myip 192.168.100.13/255.255.255.255 +# All permitted slow access, nets 96 - 127 +acl slownets src 192.168.96.0/255.255.224.0 +# Special 'fast' slow access, net 123 +acl fast_slow src 192.168.123.0/255.255.255.0 +# User hosts +acl my_user_hosts src 192.168.100.2/255.255.255.254 +# "All" ACL +acl all src 0.0.0.0/0.0.0.0 + +# Don't need ident lookups for billing on (free) slow cache +ident_lookup_access allow my_user_hosts !virtual_slowcache +ident_lookup_access deny all + +# Security access checks +http_access [...] + +# These people get in for slow cache access +http_access allow virtual_slowcache slownets +http_access deny virtual_slowcache + +# Access checks for main cache +http_access [...] + +# Delay definitions (read config file for clarification) +delay_pools 2 +delay_initial_bucket_level 50 + +delay_class 1 3 +delay_access 1 allow virtual_slowcache !LOCAL-NET !LOCAL-IP !fast_slow +delay_access 1 deny all +delay_parameters 1 8192/131072 1024/65536 256/32768 + +delay_class 2 2 +delay_access 2 allow virtual_slowcache !LOCAL-NET !LOCAL-IP fast_slow +delay_access 2 deny all +delay_parameters 2 2048/65536 512/32768 + + The same code is also used by a some of departments using class 2 delay + pools to give them more flexibility in giving different performance to + different labs or students. + +Where else can I find out about delay pools? + + This is also pretty well documented in the configuration file, with + examples. Since people seem to lose their config files, here's a copy + of the relevant section. + +# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) +# ----------------------------------------------------------------------------- + +# TAG: delay_pools +# This represents the number of delay pools to be used. For example, +# if you have one class 2 delay pool and one class 3 delays pool, you +# have a total of 2 delay pools. +# +# To enable this option, you must use --enable-delay-pools with the +# configure script. +#delay_pools 0 + +# TAG: delay_class +# This defines the class of each delay pool. There must be exactly one +# delay_class line for each delay pool. For example, to define two +# delay pools, one of class 2 and one of class 3, the settings above +# and here would be: +# +#delay_pools 2 # 2 delay pools +#delay_class 1 2 # pool 1 is a class 2 pool +#delay_class 2 3 # pool 2 is a class 3 pool +# +# The delay pool classes are: +# +# class 1 Everything is limited by a single aggregate +# bucket. +# +# class 2 Everything is limited by a single aggregate +# bucket as well as an "individual" bucket chosen +# from bits 25 through 32 of the IP address. +# +# class 3 Everything is limited by a single aggregate +# bucket as well as a "network" bucket chosen +# from bits 17 through 24 of the IP address and a +# "individual" bucket chosen from bits 17 through +# 32 of the IP address. +# +# NOTE: If an IP address is a.b.c.d +# -> bits 25 through 32 are "d" +# -> bits 17 through 24 are "c" +# -> bits 17 through 32 are "c * 256 + d" + +# TAG: delay_access +# This is used to determine which delay pool a request falls into. +# The first matched delay pool is always used, ie, if a request falls +# into delay pool number one, no more delay are checked, otherwise the +# rest are checked in order of their delay pool number until they have +# all been checked. For example, if you want some_big_clients in delay +# pool 1 and lotsa_little_clients in delay pool 2: +# +#delay_access 1 allow some_big_clients +#delay_access 1 deny all +#delay_access 2 allow lotsa_little_clients +#delay_access 2 deny all + +# TAG: delay_parameters +# This defines the parameters for a delay pool. Each delay pool has +# a number of "buckets" associated with it, as explained in the +# description of delay_class. For a class 1 delay pool, the syntax is: +# +#delay_parameters pool aggregate +# +# For a class 2 delay pool: +# +#delay_parameters pool aggregate individual +# +# For a class 3 delay pool: +# +#delay_parameters pool aggregate network individual +# +# The variables here are: +# +# pool a pool number - ie, a number between 1 and the +# number specified in delay_pools as used in +# delay_class lines. +# +# aggregate the "delay parameters" for the aggregate bucket +# (class 1, 2, 3). +# +# individual the "delay parameters" for the individual +# buckets (class 2, 3). +# +# network the "delay parameters" for the network buckets +# (class 3). +# +# A pair of delay parameters is written restore/maximum, where restore is +# the number of bytes (not bits - modem and network speeds are usually +# quoted in bits) per second placed into the bucket, and maximum is the +# maximum number of bytes which can be in the bucket at any time. +# +# For example, if delay pool number 1 is a class 2 delay pool as in the +# above example, and is being used to strictly limit each host to 64kbps +# (plus overheads), with no overall limit, the line is: +# +#delay_parameters 1 -1/-1 8000/8000 +# +# Note that the figure -1 is used to represent "unlimited". +# +# And, if delay pool number 2 is a class 3 delay pool as in the above +# example, and you want to limit it to a total of 256kbps (strict limit) +# with each 8-bit network permitted 64kbps (strict limit) and each +# individual host permitted 4800bps with a bucket maximum size of 64kb +# to permit a decent web page to be downloaded at a decent speed +# (if the network is not being limited due to overuse) but slow down +# large downloads more significantly: +# +#delay_parameters 2 32000/32000 8000/8000 600/8000 +# +# There must be one delay_parameters line for each delay pool. + +# TAG: delay_initial_bucket_level (percent, 0-100) +# The initial bucket percentage is used to determine how much is put +# in each bucket when squid starts, is reconfigured, or first notices +# a host accessing it (in class 2 and class 3, individual hosts and +# networks only have buckets associated with them once they have been +# "seen" by squid). +# +#delay_initial_bucket_level 50 + +Customizable Error Messages + + Squid-2 lets you customize your error messages. The source distribution + includes error messages in different languages. You can select the + language with the configure option: +--enable-err-language=lang + + Furthermore, you can rewrite the error message template files if you + like. This list describes the tags which Squid will insert into the + messages: %B:: URL with FTP %2f hack + + %c:: Squid error code + + %d:: seconds elapsed since request received (not yet implemented) + + %e:: errno + + %E:: strerror() + + %f:: FTP request line + + %F:: FTP reply line + + %g:: FTP server message + + %h:: cache hostname + + %H:: server host name + + %i:: client IP address + + %I:: server IP address + + %L:: contents of err_html_text config option + + %M:: Request Method + + %m:: Error message returned by external auth helper + + %p:: URL port \# + + %P:: Protocol + + %R:: Full HTTP Request + + %S:: squid default signature + + %s:: caching proxy software with version + + %t:: local time + + %T:: UTC + + %U:: URL without password + + %u:: URL with password (Squid-2.5 and later only) + + %w:: cachemgr email address + + %z:: dns server error message + + The Squid default signature is added automatically unless %s is used in + the error page. To change the signature you must manually append the + signature to each error page. + + The default signature reads like: +
+
+
+Generated %T by %h (%s) +
+ + +My squid.conf from version 1.1 doesn't work! + + Yes, a number of configuration directives have been renamed. Here are + some of them: + + cache_host:: This is now called cache_peer. The old term does not + really describe what you are configuring, but the new name tells you + that you are configuring a peer for your cache. + + cache_host_domain:: Renamed to cache_peer_domain + + local_ip, local_domain:: The functaionality provided by these + directives is now implemented as access control lists. You will use the + always_direct and never_direct options. The new squid.conf file has + some examples. + + cache_stoplist:: This directive also has been reimplemented with access + control lists. You will use the no_cache option. For example: + acl Uncachable url_regex cgi ? + no_cache deny Uncachable + + + cache_swap:: This option used to specify the cache disk size. Now you + specify the disk size on each cache_dir line. + + cache_host_acl:: This option has been renamed to cache_peer_access and + the syntax has changed. Now this option is a true access control list, + and you must include an allow or deny keyword. For example: +acl that-AS dst_as 1241 +cache_peer_access thatcache.thatdomain.net allow that-AS +cache_peer_access thatcache.thatdomain.net deny all + + + This example sends requests to your peer thatcache.thatdomain.net only + for origin servers in Autonomous System Number 1241. + + units:: In Squid-1.1 many of the configuration options had implied + units associated with them. For example, the connect_timeout value may + have been in seconds, but the read_timeout value had to be given in + minutes. With Squid-2, these directives take units after the numbers, + and you will get a warning if you leave off the units. For example, you + should now write: +connect_timeout 120 seconds +read_timeout 15 minutes + + __________________________________________________________________ + + Include: Nothing found for "^Back to the"! + + Contents + 1. [1142]What is the httpd-accelerator mode? + 2. [1143]How do I set it up? + 3. [1144]Domain based virtual host support + 4. [1145]Sending different requests to different backend web servers + 5. [1146]Running the web server on the same server + 6. [1147]Load balancing of backend servers + 7. [1148]When using an httpd-accelerator, the port number or host name + for redirects or CGI-generated content is wrong + 8. [1149]Access to password protected content fails via the reverse + proxy + 9. [1150]Mapping different URLs to different backend servers + +What is the httpd-accelerator mode? + + Occasionally people have trouble understanding accelerators and proxy + caches, usually resulting from mixed up interpretations of "incoming" + and "outgoing" data. I think in terms of requests (i.e., an outgoing + request is from the local site out to the big bad Internet). The data + received in reply is incoming, of course. Others think in the opposite + sense of "a request for incoming data". + + An accelerator caches incoming requests for outgoing data (i.e., that + which you publish to the world). It takes load away from your HTTP + server and internal network. You move the server away from port 80 (or + whatever your published port is), and substitute the accelerator, which + then pulls the HTTP data from the "real" HTTP server (only the + accelerator needs to know where the real server is). The outside world + sees no difference (apart from an increase in speed, with luck). + + Quite apart from taking the load of a site's normal web server, + accelerators can also sit outside firewalls or other network + bottlenecks and talk to HTTP servers inside, reducing traffic across + the bottleneck and simplifying the configuration. Two or more + accelerators communicating via ICP can increase the speed and + resilience of a web service to any single failure. + + The Squid redirector can make one accelerator act as a single front-end + for multiple servers. If you need to move parts of your filesystem from + one server to another, or if separately administered HTTP servers + should logically appear under a single URL hierarchy, the accelerator + makes the right thing happen. + + If you wish only to cache the "rest of the world" to improve local + users browsing performance, then accelerator mode is irrelevant. Sites + which own and publish a URL hierarchy use an accelerator to improve + access to it from the Internet. Sites wishing to improve their local + users' access to other sites' URLs use proxy caches. Many sites, like + us, do both and hence run both. + + Measurement of the Squid cache and its Harvest counterpart suggest an + order of magnitude performance improvement over CERN or other widely + available caching software. This order of magnitude performance + improvement on hits suggests that the cache can serve as an httpd + accelerator, a cache configured to act as a site's primary httpd server + (on port 80), forwarding references that miss to the site's real httpd + (on port 81). + + In such a configuration, the web administrator renames all non-cachable + URLs to the httpd's port (81). The cache serves references to cachable + objects, such as HTML pages and GIFs, and the true httpd (on port 81) + serves references to non-cachable objects, such as queries and cgi-bin + programs. If a site's usage characteristics tend toward cachable + objects, this configuration can dramatically reduce the site's web + workload. + +How do I set it up? + + First, you have to tell Squid to listen on port 80 (usually), so set + the 'http_port' option with the defaultsite option telling Squid it's + an accelerator for this site: + +http_port 80 accel defaultsite=your.main.website + + Next, you need to tell Squid where to find the real web server: + +cache_peer ip.of.webserver parent 80 0 no-query originserver + + You should now be able to start Squid and it will serve requests as a + HTTP server. + + Note: The accel option to http_port is optional and should only be + specified for 2.6.STABLE8 and later. In all versions Squid-2.6 and + later specifying one of defaultsite or vhost is sufficient. + +Domain based virtual host support + + If you are using Squid has an accelerator for a domain based virtual + host system then you need to additionally specify the vhost option to + http_port + +http_port 80 accel defaultsite=your.main.website vhost + + When both defaultsite and vhost is specified defaultsite specifies the + domain name old HTTP/1.0 clients not sending a Host header should be + sent to. Squid will run fine if you only use vhost, but there is still + some software out there not sending Host headers so it's recommended to + specify defaultsite as well. If defaultsite is not specified those + clients will get an "Invalid request" error. + +Sending different requests to different backend web servers + + To control which web servers (cache_peer) gets which requests the + cache_peer_access or cache_peer_domain directives is used. These + directives limit which requests may be sent to a given peer. + +cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1 +acl sites_server_1 dstdomain www.example.com example.com +cache_peer_access server_1 allow sites_server_1 +cache_peer ip.of.server2 parent 80 0 no-query originserver name=server_2 +acl sites_server_2 dstdomain www.example.net .example.net +cache_peer_access server_2 allow sites_server_2 + + It's also possible to route requests based on other criterias than the + host name by using other acl types, such as urlpath_regex. But be + warned that the cache is on the requested URL so don't use user + dependent acls if the content is cached. + +Running the web server on the same server + + While not generally recommended it is possible to run both the + accelerator and the backend web server on the same host. To do this you + need to make them listen on different IP addresses. Usually the + loopback address (127.0.0.1) is used for the web server. + + In Squid this is done by specifying the IP address in http_port, and + using 127.0.0.1 as address to the web server + +http_port the.public.ip.address:80 accel defaultsite=your.main.website +cache_peer 127.0.0.1 parent 80 0 no-query originserver + + And[1151]Apache may be configured like in httpd.conf to listen on the + loopback address: + +Port 80 +BindAddress 127.0.0.1 + + Other web servers uses similar directives specifying the address where + it should listen for requests. See the manual to your web server for + details. + +Load balancing of backend servers + + To load balance requests among a set of backend servers allow requests + to be forwarded to more than one cache_peer, and use one of the load + balancing options in the cache_peer lines. I.e. the round-robin option. + +cache_peer ip.of.server1 parent 80 0 no-query originserver round-robin +cache_peer ip.of.server2 parent 80 0 no-query originserver round-robin + + Other load balancing methods is also available. See squid.conf.default + for the full the description of the cache_peer directive options. + +When using an httpd-accelerator, the port number or host name for redirects +or CGI-generated content is wrong + + This happens if the port or domain name of the accelerated content is + different from what the client requested. When your httpd issues a + redirect message (e.g. 302 Moved Temporarily) or generates absolute + URLs, it only knows the port it's configured on and uses this to build + the URL. Then, when the client requests the redirected URL, it bypasses + the accelerator. + + To fix this make sure that defaultsite is the site name requested by + clients, and that the port number of http_port and the backent web + server is the same. You may also need to configure the official site + name on the web server. + + Alternatively you can also use the location_rewrite helper interface to + Squid to fixup redirects on the way out to the client, but this only + works for the Location header, not URLs dynamically embedded in the + returned content. + +Access to password protected content fails via the reverse proxy + + If the content on the web servers is password protected then you need + to tell the proxy to trust your web server with authetication + credentials. This is done via the login= option to cache_peer. Normally + you would use login=PASS to have the login information forwarded. The + other alternatives is meant to be used when it's the reverse proxy + which processes the authentication as such but you like to have + information about the authenticated account forwarded to the backend + web server. + +cache_peer ip.of.server parent 80 0 no-query originserver login=PASS + +Mapping different URLs to different backend servers + + If you need to map different URLs to different backend servers then + define one cache_peer per server, then use cache_peer_access (or + _domain) to define which URLs should be sent to each server. Remember + that a cache_peer is by default a candidate for all requests unless + limited by cache_peer_access (or _domain) so you need to define this + for all peers. + + Example: + +/foo -> server2 +the rest -> server1 + + squid.conf: + +cache_peer ip.of.server1 parent 80 0 no-query originserver name=server1 +cache_peer ip.of.server2 parent 80 0 no-query originserver name=server2 +acl foo urlpath_regex ^/foo +cache_peer_access server2 allow foo +cache_peer_access server1 deny foo + __________________________________________________________________ + + * Back to the [1152]SquidFaq + + Contents + 1. [1153]Clients + 1. [1154]Wget + 2. [1155]echoping + 3. [1156]curl-loader + 2. [1157]Load Balancers + 1. [1158]Pen + 2. [1159]L7SW + 3. [1160]Linux Virtual Server + 3. [1161]HA Clusters + 1. [1162]Keepalived + 2. [1163]VRRPd + 4. [1164]Logfile Analysis + 1. [1165]SGI's Performance Co-Pilot + 5. [1166]Configuration Tools + 1. [1167]3Dhierarchy.pl + 6. [1168]Squid add-ons + 1. [1169]transproxy + 2. [1170]Iain's redirector package + 3. [1171]Junkbusters + 4. [1172]Squirm + 5. [1173]chpasswd.cgi + 6. [1174]jesred + 7. [1175]squidGuard + 8. [1176]Central Squid Server + 9. [1177]Cerberian content filter (subscription service) + 10. [1178]Filter-Modules patch for Squid + 7. [1179]Ident Servers + +Clients + +Wget + + [1180]Wget is a command-line Web client. It supports HTTP and FTP URLs, + recursive retrievals, and HTTP proxies. + +echoping + + If you want to test your Squid cache in batch (from a cron command, for + instance), you can use the [1181]echoping program, which will tell you + (in plain text or via an exit code) if the cache is up or not, and will + indicate the response times. + +curl-loader + + A stress-testing tool for performance analysis, available at + [1182]http://sourceforge.net/projects/curl-loader + +Load Balancers + +Pen + + [1183]Pen is a simple load-balancer with session affinity for TCP-based + protocols. + +L7SW + + [1184]Layer-7 switching is a Layer-7 load-balancing engine for Linux. + It's a young project, stemming off the more mature Keepalived. + +Linux Virtual Server + + [1185]Linux Virtual Server is a kernel-based layer 3-7 load balancer + for Linux + +HA Clusters + +Keepalived + + [1186]Keepalived is a software suite that implements HA (via VRRP) and + status monitoring with failover capabilities. It's focused on Linux, + support for other OSes is unclear. + +VRRPd + + [1187]VRRPd is aimple implementation of VRRPv2 + +Logfile Analysis + + Rather than maintain the same list in two places, please see the + [1188]Logfile Analysis Scripts page on the Web server. + * [1189]Squeezer is a logfile analysis software aimed at measuring + Squid's performance + +SGI's Performance Co-Pilot + + Jan-Frode Myklebust writes: + + I use Performance CoPilot from [1190]http://oss.sgi.com/projects/pcp/ + for keeping track of squid and server performance. It comes by default + with a huge number of system performance metrics, and also has a nice + plugin (PMDA, Performance Metrics Domain Agent) for collecting metrics + from the squid access.log. + + i.e. it can collect historic, or show live how many requests/s or + byte/s squid is answering of type: + * total + * get + * head + * post + * other + * size.zero le3k le10k le30k le100k le300k le1m le3m gt3m unknown + * client.total + * cached.total + * cached.size.zero le3k le10k le30k le100k le300k le1m le3m gt3m + unknown + * uncached.total + * uncached.size.zero le3k le10k le30k le100k le300k le1m le3m gt3m + unknown + + and also combine this with system level metrics like load, system cpu + time, cpu i/o wait, per partition byte/s, network interface byte/s, and + much more.. + + Because of it's historic logs of all this, it's great for collecting + the performance numbers during high activity, and then replaying it to + analyse what goes wrong later on. + +Configuration Tools + +3Dhierarchy.pl + + Kenichi Matsui has a simple perl script which generates a 3D hierarchy + map (in VRML) from squid.conf. [1191]3Dhierarchy.pl. + +Squid add-ons + +transproxy + + [1192]transproxy is a program used in conjunction with the Linux + Transparent Proxy networking feature, and ipfwadm, to intercept HTTP + and other requests. Transproxy is written by [1193]John Saunders. + +Iain's redirector package + + A [1194]redirector package from [1195]Iain Lea to allow Intranet + (restricted) or Internet (full) access with URL deny and redirection + for sites that are not deemed acceptable for a userbase all via a + single proxy port. + +Junkbusters + + [1196]Junkbusters Corp has a copyleft privacy-enhancing, ad-blocking + proxy server which you can use in conjunction with Squid. + +Squirm + + [1197]Squirm is a configurable, efficient redirector for Squid by + [1198]Chris Foote. Features: + * Very fast + * Virtually no memory usage + * It can re-read it's config files while running by sending it a HUP + signal + * Interactive test mode for checking new configs + * Full regular expression matching and replacement + * Config files for patterns and IP addresses. + * If you mess up the config file, Squirm runs in Dodo Mode so your + squid keeps working :-) + +chpasswd.cgi + + [1199]Pedro L Orso has adapated the Apache's [../../htpasswd/ htpasswd] + into a CGI program called [1200]chpasswd.cgi. + +jesred + + [1201]jesred by [1202]Jens Elkner. + +squidGuard + + [1203]squidGuard is a free (GPL), flexible and efficient filter and + redirector program for squid. It lets you define multiple access rules + with different restrictions for different user groups on a squid cache. + squidGuard uses squid standard redirector interface. + +Central Squid Server + + The Smart Neighbour [URL disappeared] (or 'Central Squid Server' - CSS) + is a cut-down version of Squid without HTTP or object caching + functionality. The CSS deals only with ICP messages. Instead of caching + objects, the CSS records the availability of objects in each of its + neighbour caches. Caches that have smart neighbours update each smart + neighbour with the status of their cache by sending + ICP_STORE_NOTIFY/ICP_RELEASE_NOTIFY messages upon storing/releasing an + object from their cache. The CSS maintains an up to date 'object map' + recording the availability of objects in its neighbouring caches. + +Cerberian content filter (subscription service) + + The [1204]Cerberian content filter is a very flexible URL rating system + with full Squid integration provided by [1205]MARA Systems AB. The + service requires a license (priced by the number of seats) but + evaluation licenses are available. + +Filter-Modules patch for Squid + + It's a patch for squid-2.4 and squid-2.5 to enable inline alteration of + data passing through the proxy; available at + [1206]http://sites.inka.de/~bigred/devel/squid-filter.html + +Ident Servers + + For [1207]Windows NT, [1208]Windows 95/98, and [1209]Unix. + __________________________________________________________________ + + Include: Nothing found for "^Back to the"! + + The external resources on this page are only provided as pointers so + that users may find useful information. + * [1210]HOWTO set up a transparent proxy + * [1211]Squeezer2 is an access.log analyzer aimed at understanding + squid perfrmance + * [1212]Squid Blog is a squid blog about some interesting suggestions + extracting from the squid mail list + * [1213]Gadgetry is available at CafePress + + Contents + 1. [1214]What is DISKD? + 2. [1215]Does it perform better? + 3. [1216]How do I use it? + 4. [1217]FATAL: Unknown cache_dir type 'diskd' + 5. [1218]If I use DISKD, do I have to wipe out my current cache? + 6. [1219]How do I configure message queues? + 1. [1220]FreeBSD + 2. [1221]OpenBSD + 3. [1222]Digital Unix + 4. [1223]Linux + 5. [1224]Solaris + 7. [1225]How do I configure shared memory? + 1. [1226]FreeBSD + 2. [1227]OpenBSD + 3. [1228]Digital Unix + 4. [1229]Linux + 5. [1230]Solaris + 8. [1231]Sometimes shared memory and message queues aren't released + when Squid exits. + 9. [1232]What are the Q1 and Q2 parameters? + +What is DISKD? + + DISKD refers to some features in Squid-2.4 and later to improve Disk + I/O performance. The basic idea is that each cache_dir has its own + diskd child process. The diskd process performs all disk I/O operations + (open, close, read, write, unlink) for the cache_dir. Message queues + are used to send requests and responses between the Squid and diskd + processes. Shared memory is used for chunks of data to be read and + written. + +Does it perform better? + + Yes. We benchmarked Squid-2.4 with DISKD at the [1233]Second IRCache + Bake-Off. The results are also described [1234]here. At the bakeoff, we + got 160 req/sec with diskd. Without diskd, we'd have gotten about 40 + req/sec. + +How do I use it? + + You need to run Squid version [1235]2.4 or later. Your operating system + must support message queues, and shared memory. + + To configure Squid for DISKD, use the --enable-storeio option: +% ./configure --enable-storeio=diskd,ufs + +FATAL: Unknown cache_dir type 'diskd' + + You didn't put diskd in the list of storeio modules as described above. + You need to run configure and and recompile Squid. + +If I use DISKD, do I have to wipe out my current cache? + + No. Diskd uses the same storage scheme as the standard "UFS" type. It + only changes how I/O is performed. + +How do I configure message queues? + + Most Unix operating systems have message queue support by default. One + way to check is to see if you have an ipcs command. + + However, you will likely need to increase the message queue parameters + for Squid. Message queue implementations normally have the following + parameters: + + MSGMNB + Maximum number of bytes per message queue. + + MSGMNI + Maximum number of message queue identifiers (system wide). + + MSGSEG + Maximum number of message segments per queue. + + MSGSSZ + Size of a message segment. + + MSGTQL + Maximum number of messages (system wide). + + MSGMAX + Maximum size of a whole message. On some systems you may need to + + increase this limit. On other systems, you may not be able to change + it. + + The messages between Squid and diskd are 32 bytes for 32-bit CPUs and + 40 bytes for 64-bit CPUs. Thus, MSGSSZ should be 32 or greater. You may + want to set it to a larger value, just to be safe. + + We'll have two queues for each cache_dir -- one in each direction. So, + MSGMNI needs to be at least two times the number of cache_dirs. + + I've found that 75 messages per queue is about the limit of decent + performance. If each diskd message consists of just one segment + (depending on your value of MSGSSZ), then MSGSEG should be greater than + 75. + + MSGMNB and MSGTQL affect how many messages can be in the queues at one + time. Diskd messages shouldn't be more than 40 bytes, but let's use 64 + bytes to be safe. MSGMNB should be at least 64*75. I recommend rounding + up to the nearest power of two, or 8192. + + MSGTQL should be at least 75 times the number of + cache_dirs that you'll have. + +FreeBSD + + Your kernel must have +options SYSVMSG + + You can set the parameters in the kernel as follows. This is just an + example. Make sure the values are appropriate for your system: +options MSGMNB=8192 # max # of bytes in a queue +options MSGMNI=40 # number of message queue identifiers +options MSGSEG=512 # number of message segments per queue +options MSGSSZ=64 # size of a message segment +options MSGTQL=2048 # max messages in system + +OpenBSD + + You can set the parameters in the kernel as follows. This is just an + example. Make sure the values are appropriate for your system: +option MSGMNB=16384 # max characters per message queue +option MSGMNI=40 # max number of message queue identifiers +option MSGSEG=2048 # max number of message segments in the system +option MSGSSZ=64 # size of a message segment (Must be 2^N) +option MSGTQL=1024 # max amount of messages in the system + +Digital Unix + + Message queue support seems to be in the kernel by default. Setting the + options is as follows: +options MSGMNB="8192" # max # bytes on queue +options MSGMNI="40" # # of message queue identifiers +options MSGMAX="2048" # max message size +options MSGTQL="2048" # # of system message headers + + by (B.C.Phillips at massey dot ac dot nz) Brenden Phillips + + If you have a newer version (DU64), then you can probably use sysconfig + instead. To see what the current IPC settings are run +# sysconfig -q ipc + + To change them make a file like this called ipc.stanza: +ipc: + msg-max = 2048 + msg-mni = 40 + msg-tql = 2048 + msg-mnb = 8192 + + then run +# sysconfigdb -a -f ipc.stanza + + You have to reboot for the change to take effect. + +Linux + + Stefan Kpsell reports that if you compile sysctl support into your + kernel, then you can change the following values: + * kernel.msgmnb + * kernel.msgmni + * kernel.msgmax + + Winfried Truemper reports: The default values should be large enough + for most common cases. You can modify the message queue configuration + by writing to these files: + * /proc/sys/kernel/msgmax + * /proc/sys/kernel/msgmnb + * /proc/sys/kernel/msgmni + +Solaris + + Refer to [1236]Demangling Message Queues in Sunworld Magazine. + + I don't think the above article really tells you how to set the + parameters. You do it in /etc/system with lines like this: +set msgsys:msginfo_msgmax=2048 +set msgsys:msginfo_msgmnb=8192 +set msgsys:msginfo_msgmni=40 +set msgsys:msginfo_msgssz=64 +set msgsys:msginfo_msgtql=2048 + + Of course, you must reboot whenever you modify /etc/system before + changes take effect. + +How do I configure shared memory? + + Shared memory uses a set of parameters similar to the ones for message + queues. The Squid DISKD implementation uses one shared memory area for + each cache_dir. Each shared memory area is about 800 kilobytes in size. + You may need to modify your system's shared memory parameters: + + SHMSEG + Maximum number of shared memory segments per process. + + SHMMNI + Maximum number of shared memory segments for the whole system. + + SHMMAX + Largest shared memory segment size allowed. + + SHMALL + Total amount of shared memory that can be used. + + For Squid and DISKD, SHMSEG and SHMMNI must be greater than or equal to + the number of cache_dir's that you have. SHMMAX must be at least 800 + kilobytes. SHMALL must be at least 800 kilobytes multiplied by the + number of cache_dir's. + + Note that some operating systems express SHMALL in pages, rather than + bytes, so be sure to divide the number of bytes by the page size if + necessary. Use the pagesize command to determine your system's page + size, or use 4096 as a reasonable guess. + +FreeBSD + + Your kernel must have +options SYSVSHM + + You can set the parameters in the kernel as follows. This is just an + example. Make sure the values are appropriate for your system: +options SHMSEG=16 # max shared mem id's per process +options SHMMNI=32 # max shared mem id's per system +options SHMMAX=2097152 # max shared memory segment size (bytes) +options SHMALL=4096 # max amount of shared memory (pages) + +OpenBSD + + OpenBSD is similar to FreeBSD, except you must use option instead of + options, and SHMMAX is in pages instead of bytes: +option SHMSEG=16 # max shared mem id's per process +option SHMMNI=32 # max shared mem id's per system +option SHMMAX=2048 # max shared memory segment size (pages) +option SHMALL=4096 # max amount of shared memory (pages) + +Digital Unix + + Message queue support seems to be in the kernel by default. Setting the + options is as follows: +options SHMSEG="16" # max shared mem id's per process +options SHMMNI="32" # max shared mem id's per system +options SHMMAX="2097152" # max shared memory segment size (bytes) +options SHMALL=4096 # max amount of shared memory (pages) + + by (B.C.Phillips at massey dot ac dot nz) Brenden Phillips + + If you have a newer version (DU64), then you can probably use sysconfig + instead. To see what the current IPC settings are run +# sysconfig -q ipc + + To change them make a file like this called ipc.stanza: +ipc: + shm-seg = 16 + shm-mni = 32 + shm-max = 2097152 + shm-all = 4096 + + then run +# sysconfigdb -a -f ipc.stanza + + You have to reboot for the change to take effect. + +Linux + + Winfried Truemper reports: The default values should be large enough + for most common cases. You can modify the shared memory configuration + by writing to these files: + * /proc/sys/kernel/shmall + * /proc/sys/kernel/shmmax + * /proc/sys/kernel/shmmni + * /proc/sys/kernel/shm-use-bigpages + + Stefan Kpsell reports that if you compile sysctl support into your + kernel, then you can change the following values: + * kernel.shmall + * kernel.shmmni + * kernel.shmmax + +Solaris + + Refer to [1237]Shared memory uncovered in Sunworld Magazine. + + To set the values, you can put these lines in /etc/system: +set shmsys:shminfo_shmmax=2097152 +set shmsys:shminfo_shmmni=32 +set shmsys:shminfo_shmseg=16 + +Sometimes shared memory and message queues aren't released when Squid exits. + + Yes, this is a little problem sometimes. Seems like the operating + system gets confused and doesn't always release shared memory and + message queue resources when processes exit, especially if they exit + abnormally. To fix it you can "manually" clear the resources with the + ipcs command. Add this command into your RunCache or squid_start + script: +ipcs | awk '/squid/ {printf "ipcrm -%s %s\n", $1, $2}' | /bin/sh + +What are the Q1 and Q2 parameters? + + In the source code, these are called magic1 and magic2. These numbers + refer to the number of oustanding requests on a message queue. They are + specified on the cache_dir option line, after the L1 and L2 + directories: +cache_dir diskd /cache1 1024 16 256 Q1=72 Q2=64 + + If there are more than Q1 messages outstanding, then Squid will + intentionally fail to open disk files for reading and writing. This is + a load-shedding mechanism. If your cache gets really really busy and + the disks can not keep up, Squid bypasses the disks until the load goes + down again. + + If there are more than Q2 messages outstanding, then the main Squid + process "blocks" for a little bit until the diskd process services some + of the messages and sends back some replies. + + Reasonable Q1 and Q2 values are 64 and 72. If you would rather have + good hit ratio and bad response time, set Q1 > Q2. Otherwise, if you + would rather have good response time and bad hit ratio, set Q1 < Q2. + __________________________________________________________________ + + Include: Nothing found for "^Back to the"! + + Contents + 1. [1238]What is COSS? + 2. [1239]Does it perform better? + 3. [1240]How do I use it? + 4. [1241]If I use COSS, do I have to wipe out my current cache? + 5. [1242]What options are required for COSS? + 6. [1243]Are there any other configuration options for COSS? + 7. [1244]Examples + +What is COSS? + + COSS is a Cyclic Object storage system originally designed by Eric + Stern. COSS works with a single file, and each stripe is a fixed size + an in a fixed position in the file. The stripe size is a compile-time + option. + + As objects are written to a COSS stripe, their place is pre-reserved + and data is copied into a memory copy of the stripe. Because of this, + the object size must be known before it can be stored in a COSS + filesystem. (Hence the max-size requirement with a coss cache_dir.) + + When a stripe is filled, the stripe is written to disk, and a new + memory stripe is created. + +Does it perform better? + + Yes. At the time of writing COSS is the fastest performing cache_dir + available in squid. Because COSS cache_dirs can only store small cache + objects, they need to be combineds with another cache_dir type (aufs, + diskd or ufs) in order to allow caching of larger objects. Because COSS + takes care of the small objects more efficiently, the non-COSS + cache_dirs also perform more efficiently because they have a small + number of larger objects to deal with. + +How do I use it? + + You need to run Squid version [1245]2.6 or later to be able to run a + stable version of COSS. + + To configure Squid for COSS, use the --enable-storeio option (and the + --enable-coss-aio-ops to enable async I/O): +% ./configure --enable-storeio=coss,ufs + +If I use COSS, do I have to wipe out my current cache? + + Yes. COSS uses a single file or direct partition access to store + objects. To prepare a file or disk for COSS you need to run the + following command: +dd if=/dev/zero bs=1048576 count= of= + + where: + + is the size of the COSS partition in MB + + is the partition or filename that you want to use as the COSS + store + +What options are required for COSS? + + The minimum configuration for a COSS partition is as follows: +cache_dir coss max-size= +cache_swap_log /var/spool/squid/%s + + where: + + is the partition or filename that you want to use as the COSS + store (you will need to pre-create the file if it doesn't exist) + + is the size of the COSS cache_dir in MB + + is the size of the largest object that this cache_dir can + store. This value can not be bigger then 1MB in the default + configuration. + + The cache_swap_log option should be set to a directory that squid has + write access to. This is used to store all the swap.state files for all + cache_dirs, and needs to be set when using COSS because COSS does not + have a normal filesystem that it can store this information on. + +Are there any other configuration options for COSS? + + COSS partitions have a number of different configuration options + available. These options are: + +block-size= + + This will limit the maximum size for a COSS cache_dir (where the size + is calculated as the size of the disk space + the size of any membufs) + as follows: + + n=512 - 8192 MB + + n=1024 - 16384 MB + + n=2048 - 32768 MB + + n=4096 - 65536 MB + + n=8192 - 131072 MB + + The default value for block-size is 512 bytes. + +overwrite-percent= + + This will allow a trade-off between the size a COSS cache_dir will grow + to, the accuracy of the LRU algorithm and the amount of disk I/O + bandwidth used. must be between 0 and 100. + + If it is set to 0, the COSS cache_dir will always copy any cache hits + to the current disk stripe. This reduces the amount of unique data that + the cache will store, increases the amount of disk bandwidth used but + makes the LRU algorithm work perfectly. + + If it is set to 100, the COSS cache_dir will never copy any cache hits + to the current stripe. This will mean that all objects will be stored + exactly once, reducing the total disk bandwidth used, but it + effectively makes the disk a FIFO (ie popular objects ony stay in the + cache_dir for as long as it takes for COSS to loop back tot he original + stripe). + + The default value for overwrite-percent of 50 is a good balance between + the two extremes. + +max-stripe-waste= + + This option sets the maximum amount of space that a COSS cache_dir will + waste when writing a stripe to disk. Every time a COSS stripe is + written, it will waste up to max-size worth of space. This becomes a + problem if max-size is set to a larger value (eg is max-size is 512K + when a COSS stripe is 1MB, up to 50 of the space in that stripe could + be written to disk with no data). max-stripe-waste overcomes this + problem by dynamically reducing the max-size value to ensure that only + bytes of space will be wasted on each stripe write. + + The max-stripe-waste option is not set by default. + +membufs= + + This option determines the maximum number of stripes that COSS will use + to send cache hits to clients. It is designed to limit the amount of + memory that a given COSS cache_dir can cause squid to use. Once squid + runs out of membufs, it starts to move all objects to the current disk + stripe, effectively ignoring the overwrite-percent setting. + + The default value for membufs is 10. + +maxfullbufs= + + This option sets the maximum number of stripes that are full, but + waiting to be freed that this cache_dir will hold in memory. Once + again, this is a setting to limit the amount of memory that a given + COSS cache_dir can grow to use. + + Each cache_dir will reserve the last 2 maxfullbufs for cache hits (ie + they will only be used when squid runs out of membufs). This is + designed to allow a higher hit rate at the expense of storing new + objects in the cache. + + The default is to leave the maxfullbufs option as unlimited (ie we can + always accept new objects). + +Examples + +cache_dir coss /var/spool/squid/coss 100 block-size=512 max-size=131072 + + * This will use a file with the filename /var/spool/squid/coss + * The cache_dir will store up to 100MB worth of data + * The block size is 512 byte + * Objects that are up to 131072 bytes long will be stored. + +cache_dir coss /dev/sdf1 34500 max-size=524288 max-stripe-waste=32768 block-size +=4096 maxfullbufs=10 + + * This will use the /dev/sdf1 partition + * The cache_dir will store up to 34500MB worth of data + * The block size is 4096 bytes + * Objects that are up to 524288 bytes long will be stored. + * If a given stripe has less than 524288 bytes available, this + cache_dir will only accept smaller objects until there is less than + 32768 bytes available in the stripe. + * If the default stripe size of 1MB is not changed, up to 10MB will + be used for stripes that are waiting to be written to disk. + + Contents + 1. [1246]How does Proxy Authentication work in Squid? + 2. [1247]How do I use authentication in access controls? + 3. [1248]How do I ask for authentication of an already authenticated + user? + 4. [1249]Does Squid cache authentication lookups? + 5. [1250]Are passwords stored in clear text or encrypted? + 6. [1251]How do I use the Winbind authenticators? + 1. [1252]Supported Samba Releases + 2. [1253]Configure Samba + 3. [1254]Test Samba's winbindd + 4. [1255]SMBD and Machine Trust Accounts + 5. [1256]winbind privileged pipe permissions + 6. [1257]Configure Squid + 7. [1258]Test Squid without auth + 8. [1259]Test the helpers + 9. [1260]Relevant squid.conf parameters + 10. [1261]Test Squid with auth + 7. [1262]Can I use different authentication mechanisms together? + 8. [1263]Can I use more than one user-database? + 9. [1264]References + 10. [1265]Other Resources + +How does Proxy Authentication work in Squid? + + Users will be authenticated if squid is configured to use proxy_auth + ACLs (see next question). + + Browsers send the user's authentication credentials in the + Authorization request header. + + If Squid gets a request and the http_access rule list gets to a + proxy_auth ACL, Squid looks for the Authorization header. If the header + is present, Squid decodes it and extracts a username and password. + + If the header is missing, Squid returns an HTTP reply with status 407 + (Proxy Authentication Required). The user agent (browser) receives the + 407 reply and then prompts the user to enter a name and password. The + name and password are encoded, and sent in the Authorization header for + subsequent requests to the proxy. + + NOTE: The name and password are encoded using "base64" (See section + 11.1 of [1266]RFC 2616). However, base64 is a binary-to-text encoding + only, it does NOT encrypt the information it encodes. This means that + the username and password are essentially "cleartext" between the + browser and the proxy. Therefore, you probably should not use the same + username and password that you would use for your account login. + + Authentication is actually performed outside of main Squid process. + When Squid starts, it spawns a number of authentication subprocesses. + These processes read usernames and passwords on stdin, and reply with + "OK" or "ERR" on stdout. This technique allows you to use a number of + different authentication protocols (named "schemes" in this context). + When multiple authentication schemes are offered by the server (Squid + in this case), it is up to the User-Agent to choose one and + authenticate using it. By RFC it should choose the safest one it can + handle; in practice usually Microsoft Internet Explorer chooses the + first one it's been offered that it can handle, and Mozilla browsers + are bug-compatible with the Microsoft system in this field. + + The Squid source code comes with a few authentcation backends + ("helpers") for Basic authentication. These include: + * LDAP: Uses the Lightweight Directory Access Protocol + * NCSA: Uses an NCSA-style username and password file. + * MSNT: Uses a Windows NT authentication domain. + * PAM: Uses the Linux Pluggable Authentication Modules scheme. + * SMB: Uses a SMB server like Windows NT or Samba. + * getpwam: Uses the old-fashioned Unix password file. + * SASL: Uses SALS libraries. + * mswin_sspi: Windows native authenticator + * YP: Uses the NIS database + + In addition Squid also supports the NTLM, Negotiate and Digest + authentication schemes which provide more secure authentication + methods, in that where the password is not exchanged in plain text over + the wire. Each scheme have their own set of helpers and auth_param + settings. Notice that helpers for different authentication schemes use + different protocols to talk with squid, so they can't be mixed. + + For information on how to set up NTLM authentication see winbind below. + + In order to authenticate users, you need to compile and install one of + the supplied authentication modules found in the helpers/basic_auth/ + directory, one of [1267]the others, or supply your own. + + You tell Squid which authentication program to use with the auth_param + option in squid.conf. You specify the name of the program, plus any + command line options if necessary. For example: +auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/pas +swd + +How do I use authentication in access controls? + + Make sure that your authentication program is installed and working + correctly. You can test it by hand. + + Add some proxy_auth ACL entries to your squid configuration. For + example: +acl foo proxy_auth REQUIRED +acl all src 0/0 +http_access allow foo +http_access deny all + + The REQURIED term means that any authenticated user will match the ACL + named foo. + + Squid allows you to provide fine-grained controls by specifying + individual user names. For example: +acl foo proxy_auth REQUIRED +acl bar proxy_auth lisa sarah frank joe +acl daytime time 08:00-17:00 +acl all src 0/0 +http_access allow bar +http_access allow foo daytime +http_access deny all + + In this example, users named lisa, sarah, joe, and frank are allowed to + use the proxy at all times. Other users are allowed only during daytime + hours. + +How do I ask for authentication of an already authenticated user? + + If a user is authenticated at the proxy you cannot "log out" and + re-authenticate. The user usually has to close and re-open the browser + windows to be able to re-login at the proxy. A simple configuration + will probably look like this: + +acl my_auth proxy_auth REQUIRED +http_access allow my_auth +http_access deny all + + But there is a trick which can force the user to authenticate with a + different account in certain situations. This happens if you deny + access with an authentication related ACL last in the http_access deny + statement. Example configuration: + +acl my_auth proxy_auth REQUIRED +acl google_users proxyauth user1 user2 user3 +acl google dstdomain .google.com +http_access deny google !google_users +http_access allow my_auth +http_access deny all + + In this case if the user requests www.google.com then first second + http_access line matches and triggers re-authentication unless the user + is one of the listed users. Remember: it's always the last ACL on a + http_access line that "matches". If the matching ACL deals with + authentication a re-authentication is triggered. If you didn't want + that you would need to switch the order of ACLs so that you get + http_access deny !google_users google. + + You might also run into an authentication loop if you are not careful. + Assume that you use LDAP group lookups and want to deny access based on + an LDAP group (e.g. only members of a certain LDAP group are allowed to + reach certain web sites). In this case you may trigger + re-authentication although you don't intend to. This config is likely + wrong for you: + +acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED + +http_access deny !ldapgroup-allowed +http_access allow all + + The second http_access line would force the user to re-authenticate + time and again if he/she is not member of the PROXY_ALLOWED group. This + is perhaps not what you want. You rather wanted to deny access to + non-members. So you need to rewrite this http_access line so that an + ACL matches that has nothing to do with authentication. This is the + correct example: + +acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED +acl dummy src 0.0.0.0/0.0.0.0 + +http_access deny !ldapgroup-allowed dummy +http_access allow all + + This way the http_access line still matches. But it's the dummy ACL + which is now last in the line. Since dummy is a static ACL (that always + matches) and has nothing to do with authentication you will find that + the access is just denied. + + See also: + [1268]http://www.squid-cache.org/mail-archive/squid-users/200511/0339.h + tml + +Does Squid cache authentication lookups? + + It depends on the authentication scheme; Squid does some caching when + it can. Successful Basic authentication lookups are cached for one hour + by default. That means (in the worst case) its possible for someone to + keep using your cache up to an hour after he has been removed from the + authentication database. + + You can control the expiration time with the auth_param basic + credentialsttl configuration option. + + Note: This has nothing to do with how often the user needs to + re-authenticate himself. It is the browser who maintains the session, + and re-authentication is a business between the user and his browser, + not the browser and Squid. The browser authenticates on behalf of the + user on every request sent to Squid. What this parameter controls is + only how often Squid will ask the defined helper if the password is + still valid. + +Are passwords stored in clear text or encrypted? + + In the basic scheme passwords is exchanged in plain text. In the other + schemes only cryptographic hashes of the password is exchanges. + + Squid stores cleartext passwords in its basic authentication memory + cache. + + Squid writes cleartext usernames and passwords when talking to the + external basic authentication processes. Note, however, that this + interprocess communication occors over TCP connections bound to the + loopback interface or private UNIX pipes. Thus, its not possile for + processes on other comuters or local users without root privileges to + "snoop" on the authentication traffic. + + Each authentication program must select its own scheme for persistent + storage of passwords and usernames. + + For the digest scheme Squid never sees the actual password, but the + backend helper needs either plaintext passwords or Digest specific + hashes of the same. + + In the ntlm or Negotiate schemes Squid also never sees the actual + password. Usually this is connected to a Windows realm or Kerberos + realm and how these authentication services stores the password is + outside of this document but usually it's not in plain text. + +How do I use the Winbind authenticators? + + by Jerry Murdock + + Winbind is a recent addition to Samba providing some impressive + capabilities for NT based user accounts. From Squid's perspective + winbind provides a robust and efficient engine for both basic and NTLM + challenge/response authentication against an NT domain controller. + + The winbind authenticators have been used successfully under Linux, + FreeBSD, Solaris and Tru64. + +Supported Samba Releases + + Samba-3.X is supported natively using the ntlm_auth helper shipped as + part of Samba. No Squid specific winbind helpers need to be compiled + (and even if compiled they won't work with Samba-3.X). + + NOTE: Samba 2.2.X reached its End-Of-Life on October 1, 2004. It was + supported using the winbind helpers shipped with Squid-2.5 but is no + longer supported with later versions, even if using the helper from 2.5 + may still work. + + For Samba-3.X the winbind helpers which was shipped with Squid should + not be used (and won't work if you attempt to do so), instead the + ntlm_auth helper shipped as part of the Samba-3 distribution should be + used. This helper supports all versions of Squid and both the ntlm and + basic authentication schemes. For details on how to use this Samba + helper see the Samba documentation. For group membership lookups the + wbinfo_group helper shipped with Squid can be used (this is just a + wrapper around the samba wbinfo program and works with all versions of + Samba) + +Configure Samba + + For full details on how to configure Samba and joining a domain please + see the Samba documentation. The Samba team has quite extensive + documentation both on how to join a NT domain and how to join a Active + Directory tree. + + Samba must be built with these configure options: + --with-winbind + + and is normally enabled by default if you installed Samba from a + prepackaged distribution. + + Then follow the Samba installation instructions. But please note that + neither nsswitch or the pam modules needs to be installed for Squid to + function, these are only needed if you want your OS to integrate with + the domain for UNIX accounts. + +Test Samba's winbindd + + Edit smb.conf for winbindd functionality. The following entries in the + [global] section of smb.conf may be used as a template. + +workgroup = mydomain +password server = myPDC +security = domain +winbind uid = 10000-20000 +winbind gid = 10000-20000 +winbind use default domain = yes + + Join the NT domain as outlined in the winbindd man page for your + version of samba. + + Start nmbd (required to insure proper operation). + + Start winbindd. + + Test basic winbindd functionality "wbinfo -t": + +# wbinfo -t +Secret is good + + Test winbindd user authentication: + +# wbinfo -a mydomain\\myuser%mypasswd +plaintext password authentication succeeded +error code was NT_STATUS_OK (0x0) +challenge/response password authentication succeeded +error code was NT_STATUS_OK (0x0) + + NOTE: both plaintext and challenge/response should return "succeeded." + If there is no "challenge/response" status returned then Samba was not + built with "--with-winbind-auth-challenge" and cannot support ntlm + authentication. + +SMBD and Machine Trust Accounts + + The Samba team has incorporated functionality to change the machine + trust account password in the new "net" command. A simple daily cron + job scheduling "net rpc changetrustpw" is all that is needed, if + anything at all. + +winbind privileged pipe permissions + + ntlm_auth requires access to the privileged winbind pipe in order to + function properly. You enable this access by changing group of the + winbind_privileged directory to the group you run Squid as + (cache_effective_group setting in squid.conf). + +chgrp squid /path/to/winbind_privileged + +Configure Squid + + As Samba-3.x has it's own authentication helper there is no need to + build any of the Squid authentication helpers for use with Samba-3.x + (and the helpers provided by Squid won't work if you do). You do + however need to enable support for the ntlm scheme if you plan on using + this. Also you may want to use the wbinfo_group helper for group + lookups + + --enable-auth="ntlm,basic" + --enable-external-acl-helpers="wbinfo_group" + +Test Squid without auth + + Before going further, test basic Squid functionality. Make sure squid + is functioning without requiring authorization. + +Test the helpers + + Testing the winbind ntlm helper is not really possible from the command + line, but the winbind basic authenticator can be tested like any other + basic helper. Make sure to run the test as your cache_effective_user + +# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic +mydomain+myuser mypasswd +OK + + The helper should return "OK" if given a valid username/password. + is + the domain separator set in your smb.conf + +Relevant squid.conf parameters + + Add the following to enable both the winbind basic and ntlm + authenticators. IE will use ntlm and everything else basic: +auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntl +mssp +auth_param ntlm children 30 +auth_param ntlm max_challenge_reuses 0 +auth_param ntlm max_challenge_lifetime 2 minutes +# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet +auth_param ntlm use_ntlm_negotiate on + +auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ba +sic +auth_param basic children 5 +auth_param basic realm Squid proxy-caching web server +auth_param basic credentialsttl 2 hours + + And the following acl entries to require authentication: +acl AuthorizedUsers proxy_auth REQUIRED +.. +http_access allow all AuthorizedUsers + +Test Squid with auth + + * Internet Explorer, Mozilla, Firefox: + + Test browsing through squid with a NTLM capable browser. If + logged into the domain, a password prompt should NOT pop up. + Confirm the traffic really is being authorized by tailing + access.log. The domain\username should be present. + * Netscape, Mozilla ( < 1.4), Opera...: + + Test with a NTLM non-capable browser. A standard password + dialog should appear. Entering the domain should not be + required if the user is in the default domain and "winbind use + default domain = yes" is set in smb.conf. Otherwise, the + username must be entered in "domain+username" format. (where + + is the domain separator set in smb.conf) + + If no usernames appear in access.log and/or no password dialogs appear + in either browser, then the acl/http_access portions of squid.conf are + not correct. + + Note that when using NTLM authentication, you will see two + "TCP_DENIED/407" entries in access.log for every request. This is due + to the challenge-response process of NTLM. + +Can I use different authentication mechanisms together? + + Yes, with limitations. + + Commonly deployed user-agents support at least one and up to four + different authentication protocols (also called schemes): + 1. Basic + 2. Digest + 3. NTLM + 4. Negotiate + + Those schemes are explained in detail elsewhere (see + [1269]../ProxyAuthentication, [1270]NegotiateAuthentication and + [1271]../TroubleShooting). You can enable more than one at any given + moment, just configure the relevant auth_param sections for each + different scheme you want to offer to the browsers. + + /!\ + + Due to a bug in common User-Agents (most notably Microsoft Internet + Explorer) the order the auth-schemes are configured is relevant. + [1272]RFC 2617, chapter 4.6, states: A user agent MUST choose to use + the strongest auth-scheme it understands. Microsoft Internet Explorer + instead chooses the first authe-scheme (in the order they are offered) + it understands + + In other words, you SHOULD use this order for the auth_params + directives: + 1. negotiate + 2. ntlm + 3. digest + 4. basic + + omitting those you do not plan to offer. + + Once the admin decides to offer multiple auth-schemes to the clients, + Squid can not force the clients to choose one over the other. + +Can I use more than one user-database? + + Generally speaking, no. The only exception is the Basic authentication + scheme, where you can cook a proxy script which relays the requests to + different authenticators and applies an 'OR' type of logic. For all + other auth-schemes this cannot be done; this is not a limitation in + squid, but it's a feature of the authentication protocols themselves: + allowing multiple user-databases would open the door for replay attacks + to the protocols. + +References + + * [1273]Winbind: Use of Domain Accounts + * [1274]Domain Membership + * [1275]winbindd man page + * [1276]wbinfo man page + * [1277]nmbd man page + * [1278]smbd man page + * [1279]smb.conf man page + * [1280]smbclient man page + * [1281]ntlm_auth man page + +Other Resources + + * [1282]Configuring Squid Proxy To Authenticate With Active Directory + __________________________________________________________________ + + Contents + 1. [1283]Neighbor + 2. [1284]Regular Expression + +Neighbor + + In Squid, neighbor usually means the same thing as peer. A neighbor + cache is one that you have defined with the cache_peer configuration + option. Neighbor refers to either a parent or a sibling. + + In Harvest 1.4, neighbor referred to what Squid calls a sibling. That + is, Harvest had parents and neighbors. For backward compatability, the + term neighbor is still accepted in some Squid configuration options. + +Regular Expression + + Regular expressions are patterns that used for matching sequences of + characters in text. For more information, see [1285]A Tao of Regular + Expressions and [1286]Newbie's page. + __________________________________________________________________ + + Contents + 1. [1287]Open-access proxies + 2. [1288]Mail relaying + +Open-access proxies + + Squid's default configuration file denies all client requests. It is + the administrator's responsibility to configure Squid to allow access + only to trusted hosts and/or users. + + If your proxy allows access from untrusted hosts or users, you can be + sure that people will find and abuse your service. Some people will use + your proxy to make their browsing anonymous. Others will intentionally + use your proxy for transactions that may be illegal (such as credit + card fraud). A number of web sites exist simply to provide the world + with a list of open-access HTTP proxies. You don't want to end up on + this list. + + Be sure to carefully design your access control scheme. You should also + check it from time to time to make sure that it works as you expect. + +Mail relaying + + SMTP and HTTP are rather similar in design. This, unfortunately, may + allow someone to relay an email message through your HTTP proxy. To + prevent this, you must make sure that your proxy denies HTTP requests + to port 25, the SMTP port. + + Squid is configured this way by default. The default squid.conf file + lists a small number of trusted ports. See the Safe_ports ACL in + squid.conf. Your configuration file should always deny unsafe ports + early in the http_access lists: +http_access deny !Safe_ports +(additional http_access lines ...) + + Do NOT add port 25 to Safe_ports (unless your goal is to end up in the + [1289]RBL). You may want to make a cron job that regularly verifies + that your proxy blocks access to port 25. + __________________________________________________________________ + + Include: Nothing found for "^Back to the"! + +Way Too Many Cache Misses + + In normal operation Squid gives very few (typically well less than 1%) + code TCP_SWAPFAIL_MISS indicating an object was thought to be in the + cache but couldn't be found. Once in a while though this occurs very + very frequently. When lots of errors occur, the problem is the Squid + cache index (probably in a file named something like swap.state at the + top level of the Squid cache directory structure) is out of sync with + the actual cache contents. + + Here's a script I use to make sure this doesn't happen. It's way too + paranoid, doing a lot of unnecessary things including throwing away + what's in the cache every time. But it always works. + +sample script + +#!/bin/bash + +# restart Squid +# (probably after making arbitrary config changes) + +echo temporarily stopping Dans Guardian [Squid user] +dansguardian -q +while [[ `ps aux | grep dansguardian | wc -l` -gt 1 ]]; do + sleep 1 +done +sleep 2 +echo stopping Squid so can make arbitrary changes +squid -k shutdown +while [[ `ps aux | grep squid | wc -l` -gt 1 ]]; do + sleep 1 +done +sleep 2 +echo flushing-by-deleting old Squid cache including index +rm -rf /var/spool/squid/* +sleep 2 +echo creating new Squid disk cache directories and index +squid -z +sleep 2 +echo starting Squid again with new configuration +squid +sleep 2 +echo starting Dans Guardian [Squid user] again +dansguardian + __________________________________________________________________ + + Back to the [1290]SquidFaq + + SquidFaq/CompleteFaq (last edited 2007-04-19 16:24:05 by [1291]kinkie) + + * Immutable Page + + [1292]DeleteCache (cached 2007-05-07 01:10:44) + + Or try one of these actions: [1293]Attach File, [1294]Despam, + [1295]Like Pages, [1296]Local Site Map, [1297]My Pages, [1298]Package + Pages, [1299]Render As Docbook, [1300]Spell Check, [1301]Subscribe + User, [1302]Visual Site Map + + * [1303]MoinMoin Powered + * [1304]Python Powered + * [1305]Valid HTML 4.01 + +Riferimenti + + 1. http://wiki.squid-cache.org/FrontPage + 2. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=raw + 3. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=print + 4. http://wiki.squid-cache.org/SquidFaq + 5. http://wiki.squid-cache.org/FindPage + 6. http://wiki.squid-cache.org/TitleIndex + 7. http://wiki.squid-cache.org/WordIndex + 8. http://wiki.squid-cache.org/HelpOnFormatting + 9. http://wiki.squid-cache.org/FrontPage + 10. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=login + 11. http://wiki.squid-cache.org/SquidFaq + 12. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=fullsearch&value=linkto%3A%22SquidFaq/CompleteFaq%22&context=180 + 13. http://wiki.squid-cache.org/SquidFaq + 14. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=edit + 15. http://wiki.squid-cache.org/SquidFaq/CompleteFaq + 16. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=diff + 17. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=info + 18. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=subscribe + 19. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=raw + 20. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=print + 21. http://wiki.squid-cache.org/FrontPage + 22. http://wiki.squid-cache.org/RecentChanges + 23. http://wiki.squid-cache.org/FindPage + 24. http://wiki.squid-cache.org/HelpContents + 25. http://wiki.squid-cache.org/SquidFaq/CompleteFaq + 26. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-59539a8dc35c06926bc2a21e63969752bea3d14c + 27. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f0ceba073f10c3357882fcc84d9990251a259fff + 28. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-66e0b4e71baa910a5e26e02f9629aa842ff187a4 + 29. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-796c4e6ab89cb381d1c65b2ba9fbc2f9c03eab74 + 30. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bfe6c0489e15226ce0ead6f841b9fd77d47fb671 + 31. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6c4a1fdba249190b63e8c2e6566263f851cd9455 + 32. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f801105f74cf332e739236ba2b4a8be9e60095ba + 33. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-500ddc367517c94cdf5cc49cb26868ab64becf63 + 34. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7d84cfdfbdf2f6874f34fe39e2ee4ae4ca8f83a9 + 35. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-18bd0fbf664c87d5531c9048aac1309b7bfc12f1 + 36. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e3e3e053b1151dc670333fbb8f620125934723d1 + 37. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-593dae4b6b740816917a6cc2ce5854d3d43624ee + 38. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a685a2960fe82a4e7a19e59daf7996f74a4a051b + 39. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c28267355740d39c82e17cecb836dee3334c9f57 + 40. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f7ce702862a08d19798a0a887741a719df2e31a0 + 41. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-41d3922b7f3dfc07430e05be3db2b61a7dce510a + 42. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2f76ade024ee313001ac1bb01316cae3e34dabb8 + 43. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5f991f297b815f27ac6ee3e0243eefd81408527a + 44. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c798f12d803598888f45f734637416a59df87d01 + 45. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4b5b239d6ddf17538a691360a13491bb18ce3e84 + 46. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-28094a614e0f6de7c0864bf8c8a33f2ec8890d8b + 47. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9006d24ba6191334e8bee1e2151d318f15fa42bb + 48. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d6db04f81ea51f3a7990e111ef60e04526dbd0c + 49. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c5ec1ea55b016aca02887eb3d98a8947873c3005 + 50. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6c49b726f191af18835c8da8f8e863fe8835d68e + 51. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5caa3975df5606a6cec81a9a794e43830d922b95 + 52. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0104a2e7591dc97d57bb21bc43a3a0c0f5b71058 + 53. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fb5967fd09a7e3906305bf081337bc4ead1df0e6 + 54. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-56d537d249810cec0c07412f99f78e82563e25c2 + 55. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f12aa27535ffb2ed3b823da564c6eb6a4c12e555 + 56. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-98bbe5f38d8831a038d52dda1cb901e10eb08373 + 57. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4767d458ebf24afe2d251644d982cd0b01a6bce4 + 58. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da6aaf6d39fcaa9d0add1317f0b3e8fa331e13d1 + 59. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ace04b18aa4598683afdce8360108bcdd93a7943 + 60. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c193a0b21657934517ec38ec96b68276ec4fafa0 + 61. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-747b68fce27e20b388854b45b7cbc779510ce8c5 + 62. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7a39053b3dbcf5263c6600db076b47b9ab0805d4 + 63. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d70615e7da8487b529863507da876876b87ff404 + 64. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7de9c28131e5bb3f8690ba59f6bcad671394cb37 + 65. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f7739f50cab3991a0ac6cbea66763dc4f4578887 + 66. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-651ae9d5b55f38762a6636f9d1b026929c1ad214 + 67. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-56167774a7ab4b9ec2fb1b0bd20a74b4d984776c + 68. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-28550b35ec926a1e09fb702760bb668816fb1ad8 + 69. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-659c6dd2285a2c21346bf4dd8085589b9b66831f + 70. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a41265006666913a427b5b2ea0c1d055a06b56dd + 71. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c8f9e2188c26b980b3c9553ab8f3bc818b4fa417 + 72. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2459a45be5c94aa01d41fb5e6fc9c8d855dc597b + 73. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e1c48e66a796b412819fa8f2fb0b99407a10f67d + 74. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-db176299da58c0337043225dcb12547d912879c3 + 75. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-745460d4b876b81004c095b9144076261a8cdece + 76. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a0adf81b87a3ceee2195b10e919c9b19eee65ae4 + 77. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f7c4c667d4154ec5a9619044ef7d8ab94dfda39b + 78. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027 + 79. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0c8166e1a6ff2619c5a8e4b45a0b37ae08e2e770 + 80. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-84c8dd573982d6865b127c6a01e8a286b22e4810 + 81. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-22182b0bc89042030d822ea49a492506bda30777 + 82. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a2d396c0ef66603362ae3790cf89752c8dcf463b + 83. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f3dcce36d33e0ff906ed4a92bbc36b90172dea4f + 84. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9470dfbc900bbc59d82d2ad79d27f9c09b60807f + 85. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9fbf5d6584104a6aa7e8477190fee98ee4c31597 + 86. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3518b69c63e221cc3cd7885415e365ffaf3dd27f + 87. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f9e0be1913de4721c55b207bb39b2e0e7fdf78a6 + 88. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d82a8d4c42f3600c857cef92d77d76914af54592 + 89. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c1da1b7113875d4bb84170e3de291298cb1be7f3 + 90. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8cbd306242ac3a1704cd5eb623d51b035c00b904 + 91. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-762bbaea1ac8783d239962dd63826c26b7d3f71e + 92. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ff9baa2cb7a38bf8d3959db144c47927ad45c225 + 93. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5e1228acffd85105070309134c036139314338e8 + 94. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f542453a97368d79efedc751f2bebdff4b30f93a + 95. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a2271ddc5a73a7f142e962601f865c817780d4ed + 96. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cf123cad3ce4fd82f975130087deda5419595b81 + 97. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c820ef5e12bd4681ed69bee9f165f34ceb524e99 + 98. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c73c3ddb323f477d4f40dedc51d659071ae27f42 + 99. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0549f149dce15e67419271b02e5a1811460b6b30 + 100. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8c788b04bb8f67c1e81e0f296b9801e4a0b49e09 + 101. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6265be07f59f6e8c3ce44bc946c8b42eb59c8f13 + 102. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5aa28de5e8308087a925cb7ef54ca070a16564d4 + 103. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8623ffc5e6a381ccfe77f17bbe29fa87c3cf9734 + 104. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4b8195f9511b2f3b32bd2bbb55b136a4834c9830 + 105. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c1adf7d7b10cef814f2d6c7adb23e1cff04c21ab + 106. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8e09b2dea3c0dc4a8d2fb605f4ddd56a090518f0 + 107. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b78358248bb5b926746438bfcfa2760171590ebd + 108. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ae79c183518a63b89413dbd47812a78c207a7baa + 109. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c7790b22c22089953fcf0f1c576b8c1c83ff2c76 + 110. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d4ce65324e6aacc7fa87cc152edb17fc3342ecfb + 111. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-85c1d53dcdcc9ca102a7244fb45e7b4d4631f62a + 112. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-11bf94a12c61667aa90c1e7cf30cdf643663288d + 113. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-513c454f63441d21b525e5888cb7ba917fdacbde + 114. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6138e5966fa3ab127c1ae573d81369d318cc46e + 115. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9726ca355b50b0f794212297fc345fe217a4108b + 116. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de34519356ecd6791303987f0ee79b043199374b + 117. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2914f3a846d41673d4ae34018142e672b8f258ce + 118. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e0d4421694c8f3dbfbabeb029330bd478ae849b3 + 119. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b68908c93520751aedc2311c245694476978681a + 120. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-195a678e23ba5ce5d8c38a07edc0d7143fb026ce + 121. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-89527f6cfcbc7b97accc5a9944fef96b230e19ef + 122. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-98d39ef0e016b2c6c4f178ce91a1c4dcfabdb7f0 + 123. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-df8a4e31ffc62c98268eb3e7774f7c4f0735fac9 + 124. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-46cd2e7778996fd4b9108536305188f745fc09dc + 125. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9af6fc4e471c09b60a1ab5019807c4af13aea9d8 + 126. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-846a10b99bf2b75db1b7344c388d1a0957f6afd6 + 127. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5f3d54d268734f58005e09bf16f125468ce90813 + 128. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0706d81b2b24b1105016c37cff2047cdff79bcb6 + 129. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d75b80be97d15312faaf6c854a39b326e8cbc466 + 130. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d84a3e0f9a54d4c7b67de550a180fbec35d9347d + 131. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f2cf2b26556b6ca0a963b749898b0a38f4254e0b + 132. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ceefaf272ce42c78534fd63b2e6dd1c7335b51ce + 133. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-594c53a118469e9a7e921b751e0b733602632e66 + 134. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6cd62a35ca400fcc71ffea97a8122abb72b5ec1 + 135. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d39ef6015944bcdb0c5eef1deaf5dea585c9607 + 136. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-23466fef7b7d2e1e43f4a3b83564029116e1faef + 137. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ede055b778fd55413910c75febb3c19f05428732 + 138. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f418956943bd72ee8b94390ec9df241c3d1dfd20 + 139. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-997ff43f2b62743af566fb32f62e8ed512f49be2 + 140. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3837aecab5c2e169d6b76c56ad1af42685b593c0 + 141. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-186f61cd041ca5d858a71511d166af9c8b51c1d7 + 142. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c74fb57f0db11c0984a3307d2411c4a1dfb41b9f + 143. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c977b203232561023bbf9e4c8b206c81dbf2a868 + 144. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9b2938134356a3ab04092bd1f17e71c496d861c4 + 145. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-64aff7c0bc127c50351ea7d062ca079d458eb9c3 + 146. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4105ced82a1883c29fc75e1fe4ae8c0150e767da + 147. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b843309e72ea4472600020aac0fd4a1fdf7c49e8 + 148. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3da538dc64ac0575720762e73a506ccaca6d65f0 + 149. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a4b2eaa755759aebff8fa138d421aeaab0136f3a + 150. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-69e5f15b0a46f05fb5c7fb90c143ddc191e7a26a + 151. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7562e2dac4a1330c5d386e6a9f99440b4a84f664 + 152. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3e8d0885f13f45203f9f0a2a6112a46b22ce6118 + 153. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0b5e485f61e7ea4e580c60f45177f0bbcf7d7b80 + 154. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-39e12a96f79151b3749822fa25b5d935979a3dfb + 155. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bf4b008f8ddce753c70b7c29d20735830f5fd803 + 156. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-19e0cdaa6ea3ec4d6943291a3d18c3f003acdc45 + 157. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ad606a6438c4599e26e8c731226881f2be4978aa + 158. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-09818ad4cb8a1dfea1f51688c41bdf4b79a69991 + 159. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-45526678eacf95bd32eea32669fe7e9d2e1e2498 + 160. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f700454ebeee78bda0718f926688eddef94fd48c + 161. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bae94b0712337689e6c9f7284c9185a1efd3b849 + 162. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-92109d5c85e37389ebec721d1a899a5ceda3f0e0 + 163. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-30674c05dd94e629023bfc3210b602e15375f04f + 164. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bc460e2fc85afc5ae3cf35c74dc95443bdcd5386 + 165. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-39f4392eb43ea504fa208d0d9e9bd185f8ef7e0b + 166. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ae637024a0e00110c9e60a24033dad8d0b23a142 + 167. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0aefe11b29b2c72acedf8fb8f6a1d81547e8f0e8 + 168. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d2d0fbe69e2f4810b3b3e59a683984ee73bb72d8 + 169. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e351d47fc9628b8814df4d371f48a8055ad13166 + 170. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2506cb315464c32e51e8f9b0e01a5856ee9da06f + 171. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-eebd224417ff90f12a055ae920bfe2b487ad556f + 172. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-831a93ac82d6bee343656c82dc21957d987aeb25 + 173. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8a490ee94fff2784383dfb65c68d6af64784f994 + 174. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-55c9e778a2d121688ad4bd350c1435c1ec2ce670 + 175. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-88ae7aa8c482244be645c23c869e3aba7451d8b5 + 176. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-995fbbef9f19018d3aebf7230feaf80e47190136 + 177. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d981b575a1c9537fc0b3a42978a498ff2cd2a71f + 178. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-40e6497904e3183f254d5ad51f92c19b066ab25a + 179. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1f2e6fa77a5e9bc74f8c8d90a2b256dd1167e21e + 180. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-59aac85d5b0d8723015d9644fbbba1237b2a7c58 + 181. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a1230367d8abee79ad0b86472e7c4815a393b211 + 182. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7b0ff43d939ef738626511f8239679059d259222 + 183. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4ace20e9327160a554de0994a6635cca5a0cfb60 + 184. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d85f3fd26715d359c7267ce0baebf6bd0f2c479e + 185. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81292737ab5673946ec43127fd62069923936829 + 186. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-021f45033c4ee1b1fc5bdd4f5c49ddcd08f45bd1 + 187. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-926288cb0cbbdea92bc4a807f06dd75ddbc446ff + 188. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c87419712cac704d01cecc7da11cd02f489b6986 + 189. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-33b8907a9b30ed5ff43025da794697809908f84f + 190. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e3dd033b305d86288bf884cb23e0ae658e9d567e + 191. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4fed8ebc79e53e3e453aa15c15b71a4887c412c2 + 192. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-166b82aa65e6da44aeb41e792b10efe979fc9b49 + 193. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fa58b438d5d46902e230c8c2471757f8103b8276 + 194. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-57610c67cac987182f6055118dd6d29e1ccd4445 + 195. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-57ab8844e9060937c4a654e1aa7568f87cb25aef + 196. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7bba1e27593d13640e9693e39979b7d61a9b0244 + 197. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a9bfc224f3d301f4046e5bc1d96e837b01c7f9b7 + 198. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-46e7f29ffd321ae28670bfab4e7dc345f0fa0432 + 199. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-37f00e4c3e6b2b02d72f3c47af4a10a4d6c7def2 + 200. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7bb7bbe3355a5093f8aae1c5470e5b6f043c139d + 201. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-83d27196ad84b9142d034ce8fe95278b77f08106 + 202. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-94e21dcd0f93a7e8528ceb4ef67ea005a4aa653c + 203. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ef469ed90b785ebb496c66523bb69030e0b7c906 + 204. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0f722810cee0817bdefe0a1f5b573542e4761123 + 205. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2b627d7cdd461eee9c23b7d167d1b5d53e0bced2 + 206. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f5a9a7efc69525f1e3d928b725cced0f7822e451 + 207. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1860f23748bd13d5c26b127a78559d1b068835f9 + 208. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a6886122c63cab9a4154365c0f55eddb0f3be59e + 209. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2931f707c7137629bad3cecc83d8a014c4818e0a + 210. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de11286b4accdede48d411359ab365725673c88a + 211. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-44573752106a6a834704da181eec6bc054a44ee8 + 212. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e0f8ba664357ea0d5ff447fce7aaecf0b8ee8df9 + 213. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d909b5a9835e335bc5d5009915403b14f40c0be2 + 214. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-916574549beb3a0d8161875d8694ecaeb6aaf01d + 215. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-66a70fb373bfc9667b41360ddf2ad6f858490b99 + 216. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-35440d12e5f9a9181a6ae9c057728e9e20245143 + 217. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-eb3240fe8e61368056af86138a2b5dcbc9781a54 + 218. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2c0c0d6a5294c2b9d0c43b010fe2afcb545039db + 219. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-653b0b3ead22a007f8cef30201738b73550fc9c8 + 220. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ba15ba24819c12b1e1983ae5a34a13bb22196134 + 221. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-96a60b2ba87332720b90f37a265d022ddde8ec83 + 222. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2c01c04a051852b78309cffc46c91c5b252f15bc + 223. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-853f16610e999cb552d1afec94954263f508fedf + 224. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-97c3ff164d9706d3782ea3b242b6e409ce8395f6 + 225. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ffc04f166c31c23dc916a9efba8ee6a39f457924 + 226. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9cf741503b395077505206cf0a59459bb36bcb0d + 227. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-663844d925e559109734bd02d6dd049a861197e0 + 228. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-36aedae8f2cc4943850c22bdbff2e781c76ce2f6 + 229. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6f120993bd475fff02da05f9fb732661a0f326c3 + 230. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6f2395a90dee90ebb2a99503f82c5078f58012a2 + 231. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-26df43152f36191efc06ace8f0d2caced04c6393 + 232. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7067fc0034ce967e67911becaabb8c95a34d576d + 233. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c768646e45c7cacddf84aaff29f18a3a4d53f7b6 + 234. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c51279b144d8f9e1c9ecbf7291c5589d15f96335 + 235. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-065ce069210200a8c2127dcec828c21ab7cba183 + 236. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c63455a50c270b9c06f674f014eec7bd6a1ebedc + 237. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-815c5ad52cfdfdbbda5322cf4af9f999d8ae7d0d + 238. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-39c5fd3d7a74f95a13453fa6772a1f6d55ea57b8 + 239. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e17462450d6ac1fe681a71154020881ad8e88423 + 240. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-61c29145b2b9a768959b2acc87753f2eba9946f1 + 241. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-58e537df0dc615c84668c354ad136e9d168066e3 + 242. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a8225e8a8885679828c76711b60d1422ebbbdac3 + 243. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3d8e95cfc667af07c3377cac0d37b3244bfabe5a + 244. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-16ad27f86ac8fcbd395bcf440c202ee23308a7cc + 245. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ff75e13a2f1a05ae1c4d54f7456f640b10458dfd + 246. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d52a57b1259c25954ac4deb22d6e7f4ad5067ff5 + 247. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-03d5d82b9c2b2e558084f4ba72b226a711639d62 + 248. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-67078f9d8729e401f819b154ce0f5a0cb2edafc2 + 249. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2a6c320e0ebfff63dd791191497947330e7ec3c9 + 250. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-19aa8aba19772e32d6e3f783a20b0d2be0edc6a2 + 251. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d6a59da6f02bf84c17c9eb2c08299309765162e9 + 252. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4c3b947a45b239c82331db1dca1129b3ac6ab67c + 253. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6ca2bf4d71b1d23ef226f08217bde36dfa219a12 + 254. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cfb249e7c752e8ba79ff4946ad19a66b42aff454 + 255. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9a7c153b45eef4487f7a56b7d4d899fe2e2e7ad5 + 256. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fa2a8d93db2ab1c414c4d0e71106ce871d2087e1 + 257. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-892c9481264e0931e73cfb42789944828edbdec0 + 258. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-73138b37f4e7c00cc6759dbdc3fc6d4076ffdcb6 + 259. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7234482b81492f6abcb90276677acc40c1bfae3d + 260. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-20c9647868c014d7694cd327a3c1f7df76ab6deb + 261. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c149b09cb3879f1fee0fc4195c1b53cf497d8e80 + 262. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9e8a57b836495651a516d3f0617a682fc96eb539 + 263. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-358d6ca81c2d621541f1fd90dfc8fdd86c606aa8 + 264. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f4a45377a57a797587e0c67314da8c603f1581cc + 265. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b3486c600a12bdfd1ebea296da263b44cca8eed0 + 266. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0985314c3d073a1f1ad2c7fb6bc63e680f0475fd + 267. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a7e73c7541f323d5d8f07baf48681be280061204 + 268. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8aceb1fc6528b3107037e6f30dd800fd333b4cd1 + 269. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-708f0a43aa721f06d66ad6652a6c7e7ccf36958e + 270. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9843e555882aaa72d6fb89491f935f6961075ba8 + 271. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5ab4d6f509584304daf02931019aaa6f4516179b + 272. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-00d1a79a0fb911a2b5ab3bc79982f0bf21fdfad9 + 273. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d80836a3c2f5f69b37de9ee7fbb1c1368bc88d45 + 274. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fc0538118ab0c640c2e45fe9ed234ad47f10a494 + 275. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-dc0bcde00ec48ac3dd08d16a2ad00b535ad77ea7 + 276. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0ccbb6e09b66e0f30d2ebf257181e4b212d42315 + 277. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-663164c42cab57480d3ea8775884cdb8ecf64eee + 278. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a20eced79955a01c9e4a8c70e73f644a98cb0aec + 279. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5b134ffbbb858537468b862c645ecf8a9281c87f + 280. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-696ad003492f3d05a5a66a9db6b1691746bb3dcf + 281. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-416ed42147005281452c0c68a82eba9d29694df0 + 282. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cc52368a9a961fcf8f7f5a4df2e8ff0da8becb16 + 283. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2d2e5aa1b71ecbce1a96da41ddee6d42c6e99884 + 284. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de01afb001b1e96229214e5e3d5c536616b49fff + 285. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-42f0582290981fb15dd7d7edd3d42ae8c52fa317 + 286. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3edd56de3f1aa11f94310d3b002289d6fe46242d + 287. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7637989ca3ff978c7b37a9c123b08557147fce91 + 288. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-aed2acb07aed79ef1f7a590447b6a45a8dd8e7d1 + 289. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-49fb0ef157bf6158a4564722cfae529f747a2208 + 290. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3ccaef79f36bf2d74c7cdde76eeb163b8c8e691e + 291. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cd9411b0d43438efd50e30856e2cf1f3b49d1ddc + 292. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-283fb4c12d3b19bd74fa36f5f964e60fa214b0c8 + 293. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7cd5ddaf221f668cf8085a87e16aa4934c9636c8 + 294. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f0a1b55f0c13ee71df0cf1634ea7578d497b2f08 + 295. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-add7db8ac84a5fee1ea667e4fc08fe6f167934ca + 296. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-401a0ade283b4a6bf820fb85c149bbc7e7a24ea7 + 297. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e57a765f3f0b2719622a7ba6c13ce4d43c8b2b3b + 298. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c94e6944852c8d4f42e6e1f96d106a3fc54441d7 + 299. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d42626f8b81b6ad5f4367902ec9e7d71ee050b33 + 300. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-74b09784362f23f4bae8024d653fa2b0170fb14b + 301. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ee8c42d6eaabfce0262092de289210487d7bed42 + 302. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-48eb75026e1e1df9203853887a021a3a61a72f0e + 303. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e0a51249088fdb7377ccf09e4e8d9a33f19d632f + 304. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2fc65748b38219b70169b98d0ac4433e319cd532 + 305. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b9853e4d5dfd4bac301d308ab175fd48ba2921fa + 306. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da0ac8317d448f0c4db88ee7fa553d03a833eddc + 307. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-32c418dcaaddee7f737291d925c3c0880fdcd484 + 308. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-03816a0db7fe5f810e1d523fec057f696611289e + 309. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-17a058b4b75a83dbc5a9946e551c6152e269dc7b + 310. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b5d29a9bef601cc103b4f7fc07ed7759362133e6 + 311. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-98288e4cb98a041aa1f0502fdb51c6cb1068a91c + 312. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8ba49e142dbc101a49f05a2617628ab2000b0c3f + 313. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4c2f26c7a6580097cef720cf5604dcc1e34908ad + 314. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-41e22620016f1f78bd7b24b7b03e11da0999f261 + 315. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-29b448e799c42ebb5f5621ca147f58dd8f3459fc + 316. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6d7a43d1a1ec9f12d51ec3c5109ef384a2cdaaf + 317. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5cceab6ab1d29ee46f8c94095952039e50b61270 + 318. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-12f96ac7932458c7e6baefb04c98dbb9b457a470 + 319. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a3f7979b38d8dc384bd1942d742b57d29efac4f4 + 320. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0acdd049dcd92e4cb6c76b5babbebd66c1266f33 + 321. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6a5262e8c005ba6dd0bf06705b0a9c804592406b + 322. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d5bcfeff50f1122dd56823a2c771c33c5679390 + 323. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-98c42454a7af28e7c53f6591fcabe1ee3e167c0a + 324. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7b9a2c73fc204e8696373df9a3df28f6322325f3 + 325. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-273f739f842cdd4a6294522893a3ccde23fa98a1 + 326. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-38c1f3907a71fbe2944b757b993af9f68b6918ff + 327. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f3056294199fcd322b7d9b2498040fcc26d6b544 + 328. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c15d65bab4c0ec0479760e2dbb75d046dbf25bb9 + 329. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c8bece76abc4d8aae80a3cc28600db50536eed8a + 330. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e97986a7cdf421068cde691163e5ed6001a769d0 + 331. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9a301d118756752a4346d1900314cb8357c37ec4 + 332. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3cb764bbc81c9ff68342e5e2b2fa41c38e5ee8e0 + 333. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ce75b1c73fc91dbd778dc1b27de44948a97a058c + 334. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6e2fe2d22d290f385af3ade7b067ab8c94e53b32 + 335. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-61078654f79e7c9c7a4be2fd3e08cb7a386bee58 + 336. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-912b9ed09449af26230d6edc3b7eb7f353baf677 + 337. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da56b290ab9465885c566f650eab2c164dfc9688 + 338. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d65e88e672032032635c3ae9f10ece43f2d2cf9b + 339. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a606912df02681bc6cf6252cd07c19ae55f644f4 + 340. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1680ad56d8dcecaa52c83d06eade8be1eb8e88b8 + 341. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da6226045aa6ed179770573c2d35e227c83a4abf + 342. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0722a8c058fa20bb84a9b59c4bed6924dc77c461 + 343. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ed2979cea4219a6112a348736bbd6652315a9a35 + 344. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d690b12c8a0ce11e04dfac6f247d5c6c308bf4c1 + 345. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3326f4d47dc1c02970655bd127c324acd343b514 + 346. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-182f30adede2d8daf8569aef5027629ed799b0d4 + 347. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-23852505c1d7fc62fc3bc3beb8eeb262d929101c + 348. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d670c7ff34fb27d5c36f4235acc5a3faadb76f9 + 349. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-464a11f17139f4e019e041e07033d4600bb0c825 + 350. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c78fbd6d364a74fb2393431e0d0ae3586a0c123a + 351. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-03e030fd9418dbedf89a48ec0bc55a792e4a53e7 + 352. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2322bb89ee8a67696ab031da31fd093d4fdc503e + 353. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ffffd3128329c39147756f28ee4b33128e98aca5 + 354. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-edb6affeb8aa4364a710048e20f0ce125e5b8244 + 355. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-38a0f8863d60448e9ece0afcaca222254c39aa48 + 356. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5d36cf8a2aec310c4841849976cc7bf093042bb2 + 357. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4ee2785e8e504f215a4d551fc98b7bb3c6af284f + 358. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b5da591672d836e62b119ea2840571a0db9ad353 + 359. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8bb1e7380165c2559bd46ec8884f35435d3bdec6 + 360. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7628c4a349cdeeafdb6d4743e3d5f4fc5e3ffa8b + 361. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-31b25bb649fcffb7ff0b626d9b84011a536e700e + 362. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ac92ca0bab2c30e29013d619be68db337ae16dbd + 363. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81781cb17cb47d2f26d9edabc75be035107d2644 + 364. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fd9b4b7ba1854a3c21796173af9d0b9aee33e376 + 365. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fd8f5559ec842b21e1acb06823eaa9b83897fcc3 + 366. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d3266cdb6117dfee988cca9ba2e267f82faa69ac + 367. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-49b545e8b5b3e57679b5cab14fb757ee096f62cd + 368. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7fa129a6528d9a5c914f8dd5671668173e39e341 + 369. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c422ff29b44235d1804abfdc92e1f3d838d21ce8 + 370. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7bd155a1a9919bda8ff10ca7d3831458866b72eb + 371. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c7da685b97cb3783adaf61e8a807063c8f34e4f2 + 372. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81d06e5a0d3a3ed4bdf7a7cb9077370a7b02bfaf + 373. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fdee3a2261a8093ce1a47ff1ba24dc912e630747 + 374. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd + 375. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c073a2271a01dac8f222cff894d358707fd497ec + 376. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-06a4e52a380ee592c4917d3a1848e678613d44a1 + 377. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-31b624041161e0893b05c2d498852a9fd89613f5 + 378. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b9c0aa19aa2882c4853c98543ded628a7843307a + 379. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-240bc08017c2dd270f719fbd23313b0f9792772a + 380. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1a656b6b0fb82223800e144852b95606119b84cb + 381. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b89e95c341d868f46c55148ce99530e819367f21 + 382. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f5c2dd6871e0a87f18b7e6403fc8f67947ad565f + 383. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0326ff77448388449b62fc6fb25262e9368cb01a + 384. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2a55a16a2ccd1e9513507e3adcff73215e7a3728 + 385. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3baf5f4307e79e9eb566f4829d7797d16d6a9263 + 386. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3533104f335829e6ab6c76cddf09507a5601cc36 + 387. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d43e0703bdce8b44c558b07c08155ee1f9edf39b + 388. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-67c820f9dcbd409ba84ff97e6ab053c9172e7271 + 389. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7fdf7183bde8298a126b069c2dd573678feec9fc + 390. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c46a1560841d6119fc8db1a73a350a359e9b2850 + 391. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e19bfa7f2c0ecf180a4a8e035e8547587e27d3b3 + 392. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-54d286d3bce5ff023feacda17e137f3fb3fe84b8 + 393. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-01275889ce1cdf256418fa5eb3158d51aa84b1f6 + 394. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de6ea721d5c0f5a9f51275c9d4b3829be6af1364 + 395. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-50fd1875d22fc5011d685de32e1de3a9c9c52c17 + 396. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9ea9413f6192100b42c8453f0590142e2251a91c + 397. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8fdb27e2d0da5cb41d73622c9b4891af9c22ba4e + 398. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-709b4cfabea7728116852af20796512fb54afce2 + 399. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-60015968110d4e4fba31c1c9e3f917e0f196624a + 400. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-092eeba6ce2d24f83356d6e20e2375eebb4036f9 + 401. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ca6c847dd2974a610ef8f6a0e44319cb325f92b4 + 402. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2d25b99d1bbc404eb33a4a454f70857116bad9dc + 403. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-63c70345154ed43eb99587bf4e32a8e594edd883 + 404. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d6e24e071a1a5e65f112d9a96cdf1320684a8f2 + 405. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4fa68e1a751de826ec620c625c3a256e5fb16744 + 406. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4ab375f4b1c3159136f7ccefcc9a8b70fba192d2 + 407. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e581a5cd05ec7c36162d277188d63337622df082 + 408. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-24d51e40a989e2a508844201fb59a38e8e29c0f7 + 409. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-25612f68d5b80d31e889f7f68144f3d2b869ae12 + 410. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f840b741e536311cad341d05f8386468e592a8c0 + 411. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-77b3abc555cc572d0a6edbd257a251640e6e39ce + 412. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b8f454bfce31e8bc3648d42b64b40ad72e7b92c8 + 413. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9ed4110b5a20a9b05206da0647b000d686530ef8 + 414. http://webharvest.sourceforge.net/ng/ + 415. http://www.squid-cache.org/ + 416. http://wiki.squid-cache.org/WhoWeAre + 417. http://www.squid-cache.org/CONTRIBUTORS + 418. http://www.squid-cache.org/mirrors.html + 419. ftp://ftp.squid-cache.org/pub/ + 420. http://www.squid-cache.org/platforms.html + 421. http://www.squid-cache.org/bugs/ + 422. http://wiki.squid-cache.org/BestOsForSquid + 423. http://www.cygwin.com/ + 424. http://www.mingw.org/ + 425. http://wiki.squid-cache.org/GuidoSerassio + 426. http://www.acmeconsulting.it/SquidNT/ + 427. http://www.squid-cache.org/mail-archive/squid-users/ + 428. http://marc.theaimsgroup.com/?l=squid-users&r=1&w=2 + 429. http://www.squid-cache.org/ + 430. http://squidbook.org/ + 431. http://www.oreilly.com/catalog/squid/ + 432. http://www.ircache.net/ + 433. http://www.squid-cache.org/Doc/FAQ/ + 434. http://www.deckle.co.za/squid-users-guide/Main_Page + 435. http://squid.visolve.com/squid/configuration_manual_24.htm + 436. http://www.squid-handbuch.de/ + 437. http://istanbul.linux.org.tr/~ilkerg/squid/elkitabi.html + 438. http://merlino.merlinobbs.net/Squid-Book/ + 439. http://www.linuxman.pro.br/squid/ + 440. http://www.geocities.com/glasswalk3r/linux/squidnomicon.html + 441. http://www.squid-cache.org/Doc/Prog-Guide/prog-guide.html + 442. http://www.web-cache.com/ + 443. http://www.squid-cache.org/Doc/Hierarchy-Tutorial/ + 444. ftp://ftp.isi.edu/in-notes/rfc2186.txt + 445. ftp://ftp.isi.edu/in-notes/rfc2187.txt + 446. ftp://ftp.isi.edu/in-notes/rfc1016.txt + 447. ftp://ftp.isi.edu/in-notes/rfc2817.txt + 448. http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt + 449. http://www.squid-cache.org/Doc/FAQ/squid-credits.txt + 450. http://www.gnu.org/philosophy/free-sw.html + 451. http://www.gnu.org/copyleft/gpl.html + 452. http://www.squid-cache.org/Support/services.html + 453. http://www.squid-cache.org/donate.html + 454. http://wiki.squid-cache.org/FrancescoChemolli + 455. http://wiki.squid-cache.org/ReubenFarrelly + 456. http://www.squid-cache.org/Mirrors/http-mirrors.html + 457. http://www.squid-cache.org/ + 458. ftp://www.squid-cache.org/pub/ + 459. ftp://ftp.gnu.org/gnu/patch + 460. ftp://ftp.gnu.org/gnu/gcc + 461. http://www.perl.com/ + 462. http://www.squid-cache.org/platforms.html + 463. http://freeware.sgi.com/ + 464. http://www.freebsd.org/cgi/ports.cgi?query=squid-2&stype=all + 465. ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/www/squid/README.html + 466. http://www.linuks.mine.nu/solaris/ + 467. http://www.acmeconsulting.it/SquidNT/download.html + 468. ftp://ftp.gnu.ai.mit.edu/pub/gnu/ + 469. ftp://ftp.gnu.org/gnu/binutils + 470. http://www.squid-cache.org/platforms.html + 471. http://www.slproweb.com/products/Win32OpenSSL.html + 472. http://sourceforge.net/projects/mingwrep/ + 473. http://tinycobol.org/download.html + 474. http://unxutils.sourceforge.net/ + 475. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da6aaf6d39fcaa9d0add1317f0b3e8fa331e13d1 + 476. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ace04b18aa4598683afdce8360108bcdd93a7943 + 477. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c193a0b21657934517ec38ec96b68276ec4fafa0 + 478. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-747b68fce27e20b388854b45b7cbc779510ce8c5 + 479. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7a39053b3dbcf5263c6600db076b47b9ab0805d4 + 480. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d70615e7da8487b529863507da876876b87ff404 + 481. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-243001ba9e72327236b1eb83a881c042b191d7cd + 482. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e649acb1d381d7e62776ba05ac07465b7a8b6a2d + 483. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9330d0fc23ac4d56d5bd0ebc41d7f785f5a63b94 + 484. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-218a44757e7c99e9967fe92413400da607150b96 + 485. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f86def091b88678fa78b2a6bfc7192341a8ca455 + 486. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7de9c28131e5bb3f8690ba59f6bcad671394cb37 + 487. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f7739f50cab3991a0ac6cbea66763dc4f4578887 + 488. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-651ae9d5b55f38762a6636f9d1b026929c1ad214 + 489. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-56167774a7ab4b9ec2fb1b0bd20a74b4d984776c + 490. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-28550b35ec926a1e09fb702760bb668816fb1ad8 + 491. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-659c6dd2285a2c21346bf4dd8085589b9b66831f + 492. http://wiki.squid-cache.org/SquidFaq/CompilingSquid + 493. http://wiki.squid-cache.org/SquidFaq/OperatingSquid + 494. ftp://gnjilux.cc.fer.hr/pub/unix/util/wget/ + 495. ftp://ftp.internatif.org/pub/unix/echoping/ + 496. http://wiki.squid-cache.org/SquidFaq/CacheManager + 497. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a41265006666913a427b5b2ea0c1d055a06b56dd + 498. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c8f9e2188c26b980b3c9553ab8f3bc818b4fa417 + 499. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2459a45be5c94aa01d41fb5e6fc9c8d855dc597b + 500. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e1c48e66a796b412819fa8f2fb0b99407a10f67d + 501. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-db176299da58c0337043225dcb12547d912879c3 + 502. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-745460d4b876b81004c095b9144076261a8cdece + 503. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a0adf81b87a3ceee2195b10e919c9b19eee65ae4 + 504. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f7c4c667d4154ec5a9619044ef7d8ab94dfda39b + 505. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c050a0a0382c01fbfb9da7e9c18d58bafd4eb027 + 506. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0c8166e1a6ff2619c5a8e4b45a0b37ae08e2e770 + 507. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-84c8dd573982d6865b127c6a01e8a286b22e4810 + 508. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-22182b0bc89042030d822ea49a492506bda30777 + 509. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a2d396c0ef66603362ae3790cf89752c8dcf463b + 510. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f3dcce36d33e0ff906ed4a92bbc36b90172dea4f + 511. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9470dfbc900bbc59d82d2ad79d27f9c09b60807f + 512. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9fbf5d6584104a6aa7e8477190fee98ee4c31597 + 513. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-686db1e194b474369659a51ea05037c9c5ce862f + 514. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4423d8e732c0b2677057f4f475a3886e9b97e28f + 515. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3518b69c63e221cc3cd7885415e365ffaf3dd27f + 516. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f9e0be1913de4721c55b207bb39b2e0e7fdf78a6 + 517. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c134859d49062a83f117b0ecce7b85c3f74c33a7 + 518. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d82a8d4c42f3600c857cef92d77d76914af54592 + 519. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c1da1b7113875d4bb84170e3de291298cb1be7f3 + 520. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8cbd306242ac3a1704cd5eb623d51b035c00b904 + 521. http://www.ircache.net/Cache/joining.html + 522. http://www.ircache.net/Cache/Tracker/ + 523. http://wiki.squid-cache.org/SquidFaq/ReverseProxy + 524. http://wiki.squid-cache.org/SquidFaq/CacheManager + 525. http://www.tis.com/ + 526. mailto:RvdOever@baan.nl + 527. http://devel.squid-cache.org/follow_xff/index.html + 528. http://www.iks-jena.de/mitarb/lutz/anon/web.en.html + 529. http://wiki.squid-cache.org/SquidFaq + 530. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-762bbaea1ac8783d239962dd63826c26b7d3f71e + 531. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ff9baa2cb7a38bf8d3959db144c47927ad45c225 + 532. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5e1228acffd85105070309134c036139314338e8 + 533. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f542453a97368d79efedc751f2bebdff4b30f93a + 534. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a2271ddc5a73a7f142e962601f865c817780d4ed + 535. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cf123cad3ce4fd82f975130087deda5419595b81 + 536. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c820ef5e12bd4681ed69bee9f165f34ceb524e99 + 537. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c73c3ddb323f477d4f40dedc51d659071ae27f42 + 538. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0549f149dce15e67419271b02e5a1811460b6b30 + 539. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8c788b04bb8f67c1e81e0f296b9801e4a0b49e09 + 540. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6265be07f59f6e8c3ce44bc946c8b42eb59c8f13 + 541. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5aa28de5e8308087a925cb7ef54ca070a16564d4 + 542. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8623ffc5e6a381ccfe77f17bbe29fa87c3cf9734 + 543. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4b8195f9511b2f3b32bd2bbb55b136a4834c9830 + 544. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c1adf7d7b10cef814f2d6c7adb23e1cff04c21ab + 545. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8e09b2dea3c0dc4a8d2fb605f4ddd56a090518f0 + 546. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b78358248bb5b926746438bfcfa2760171590ebd + 547. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ae79c183518a63b89413dbd47812a78c207a7baa + 548. http://spam.abuse.net/spam/ + 549. http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html + 550. http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers?action=AttachFile&do=get&target=sample1.pac.txt + 551. http://www.web-cache.com/Writings/Internet-Drafts/draft-ietf-wrec-wpad-01.txt + 552. http://www.your.domain.name/wpad.dat + 553. http://www.your.domain.name/wpad.dat + 554. http://wpad.your.domain.name/wpad.dat + 555. http://proxy/proxy.pac + 556. http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers?action=AttachFile&do=get&target=sample2.pac.txt + 557. http://naragw.sharp.co.jp/sps/ + 558. http://wiki.squid-cache.org/ReubenFarrelly + 559. http://support.microsoft.com/default.aspx?id=kb;en-us;331906 + 560. http://support.microsoft.com/default.aspx?scid=kb;EN-US;312176 + 561. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c7790b22c22089953fcf0f1c576b8c1c83ff2c76 + 562. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d4ce65324e6aacc7fa87cc152edb17fc3342ecfb + 563. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-85c1d53dcdcc9ca102a7244fb45e7b4d4631f62a + 564. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-11bf94a12c61667aa90c1e7cf30cdf643663288d + 565. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-513c454f63441d21b525e5888cb7ba917fdacbde + 566. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6138e5966fa3ab127c1ae573d81369d318cc46e + 567. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9726ca355b50b0f794212297fc345fe217a4108b + 568. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d8a3f53a199ba080400c2fa30581fec8db374141 + 569. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-903e00896639a4de9acf7a11b20b721eb3b64527 + 570. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de34519356ecd6791303987f0ee79b043199374b + 571. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2914f3a846d41673d4ae34018142e672b8f258ce + 572. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e0d4421694c8f3dbfbabeb029330bd478ae849b3 + 573. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b68908c93520751aedc2311c245694476978681a + 574. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-195a678e23ba5ce5d8c38a07edc0d7143fb026ce + 575. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-89527f6cfcbc7b97accc5a9944fef96b230e19ef + 576. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-98d39ef0e016b2c6c4f178ce91a1c4dcfabdb7f0 + 577. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-df8a4e31ffc62c98268eb3e7774f7c4f0735fac9 + 578. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-46cd2e7778996fd4b9108536305188f745fc09dc + 579. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9af6fc4e471c09b60a1ab5019807c4af13aea9d8 + 580. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-846a10b99bf2b75db1b7344c388d1a0957f6afd6 + 581. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5f3d54d268734f58005e09bf16f125468ce90813 + 582. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0706d81b2b24b1105016c37cff2047cdff79bcb6 + 583. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d75b80be97d15312faaf6c854a39b326e8cbc466 + 584. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d84a3e0f9a54d4c7b67de550a180fbec35d9347d + 585. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f2cf2b26556b6ca0a963b749898b0a38f4254e0b + 586. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ceefaf272ce42c78534fd63b2e6dd1c7335b51ce + 587. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-594c53a118469e9a7e921b751e0b733602632e66 + 588. http://www.w3.org/Daemon/User/Config/Logging.html#common-logfile-format + 589. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#squid_result_codes + 590. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#squid_result_codes + 591. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#http_status_codes + 592. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#request-methods + 593. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#hierarchy_codes + 594. ftp://ftp.isi.edu/in-notes/rfc2616.txt + 595. ftp://ftp.isi.edu/in-notes/rfc2518.txt + 596. ftp://ftp.isi.edu/in-notes/rfc2616.txt + 597. ftp://ftp.isi.edu/in-notes/rfc2518.txt + 598. http://www.weird.com/~woods/projects/newsyslog.html + 599. http://www.desire.org/ + 600. http://www.uninett.no/prosjekt/desire/arneberg/statistics.html + 601. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6cd62a35ca400fcc71ffea97a8122abb72b5ec1 + 602. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d39ef6015944bcdb0c5eef1deaf5dea585c9607 + 603. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-23466fef7b7d2e1e43f4a3b83564029116e1faef + 604. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ede055b778fd55413910c75febb3c19f05428732 + 605. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f418956943bd72ee8b94390ec9df241c3d1dfd20 + 606. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-997ff43f2b62743af566fb32f62e8ed512f49be2 + 607. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3837aecab5c2e169d6b76c56ad1af42685b593c0 + 608. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b15b90f8220b019791906dfd8e0703a77225d361 + 609. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-797ca105cc57184585e3dbc2395b7ea3dcdb167d + 610. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-74a04f624f1863f683773712a2d01192d7b2916d + 611. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-186f61cd041ca5d858a71511d166af9c8b51c1d7 + 612. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c74fb57f0db11c0984a3307d2411c4a1dfb41b9f + 613. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c977b203232561023bbf9e4c8b206c81dbf2a868 + 614. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9b2938134356a3ab04092bd1f17e71c496d861c4 + 615. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-64aff7c0bc127c50351ea7d062ca079d458eb9c3 + 616. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4105ced82a1883c29fc75e1fe4ae8c0150e767da + 617. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b843309e72ea4472600020aac0fd4a1fdf7c49e8 + 618. http://wiki.squid-cache.org/SquidFaq/CacheManager + 619. http://www.balabit.hu/en/downloads/tproxy/ + 620. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3da538dc64ac0575720762e73a506ccaca6d65f0 + 621. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a4b2eaa755759aebff8fa138d421aeaab0136f3a + 622. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-69e5f15b0a46f05fb5c7fb90c143ddc191e7a26a + 623. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7562e2dac4a1330c5d386e6a9f99440b4a84f664 + 624. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3e8d0885f13f45203f9f0a2a6112a46b22ce6118 + 625. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0b5e485f61e7ea4e580c60f45177f0bbcf7d7b80 + 626. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-39e12a96f79151b3749822fa25b5d935979a3dfb + 627. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bf4b008f8ddce753c70b7c29d20735830f5fd803 + 628. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-19e0cdaa6ea3ec4d6943291a3d18c3f003acdc45 + 629. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ad606a6438c4599e26e8c731226881f2be4978aa + 630. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7a1aff63b595a5c82db99619929ed06bf6ec1b1f + 631. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4ae9b4b59164c7e7d71279147914cd58bf394edc + 632. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-09818ad4cb8a1dfea1f51688c41bdf4b79a69991 + 633. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-45526678eacf95bd32eea32669fe7e9d2e1e2498 + 634. http://wiki.squid-cache.org/SquidFaq/CacheManager + 635. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#alternate-malloc + 636. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#how-much-ram + 637. http://wiki.squid-cache.org/HenrikNordstr%C3%B6m + 638. http://www.gnu.org/order/ftp.html|The + 639. http://g.oswego.edu/dl/html/malloc.html + 640. http://wiki.squid-cache.org/AdrianChadd + 641. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f700454ebeee78bda0718f926688eddef94fd48c + 642. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bae94b0712337689e6c9f7284c9185a1efd3b849 + 643. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-92109d5c85e37389ebec721d1a899a5ceda3f0e0 + 644. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-30674c05dd94e629023bfc3210b602e15375f04f + 645. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bc460e2fc85afc5ae3cf35c74dc95443bdcd5386 + 646. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-39f4392eb43ea504fa208d0d9e9bd185f8ef7e0b + 647. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ae637024a0e00110c9e60a24033dad8d0b23a142 + 648. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0aefe11b29b2c72acedf8fb8f6a1d81547e8f0e8 + 649. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d2d0fbe69e2f4810b3b3e59a683984ee73bb72d8 + 650. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e351d47fc9628b8814df4d371f48a8055ad13166 + 651. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2506cb315464c32e51e8f9b0e01a5856ee9da06f + 652. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-eebd224417ff90f12a055ae920bfe2b487ad556f + 653. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-831a93ac82d6bee343656c82dc21957d987aeb25 + 654. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8a490ee94fff2784383dfb65c68d6af64784f994 + 655. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-55c9e778a2d121688ad4bd350c1435c1ec2ce670 + 656. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-88ae7aa8c482244be645c23c869e3aba7451d8b5 + 657. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-995fbbef9f19018d3aebf7230feaf80e47190136 + 658. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d981b575a1c9537fc0b3a42978a498ff2cd2a71f + 659. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-40e6497904e3183f254d5ad51f92c19b066ab25a + 660. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1f2e6fa77a5e9bc74f8c8d90a2b256dd1167e21e + 661. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-59aac85d5b0d8723015d9644fbbba1237b2a7c58 + 662. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a1230367d8abee79ad0b86472e7c4815a393b211 + 663. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7b0ff43d939ef738626511f8239679059d259222 + 664. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4ace20e9327160a554de0994a6635cca5a0cfb60 + 665. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d85f3fd26715d359c7267ce0baebf6bd0f2c479e + 666. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81292737ab5673946ec43127fd62069923936829 + 667. http://www.example.com/Squid/cgi-bin/cachemgr.cgi + 668. http://wiki.squid-cache.org/FrancescoChemolli + 669. http://www.example.com/ + 670. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-021f45033c4ee1b1fc5bdd4f5c49ddcd08f45bd1 + 671. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-926288cb0cbbdea92bc4a807f06dd75ddbc446ff + 672. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c87419712cac704d01cecc7da11cd02f489b6986 + 673. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-33b8907a9b30ed5ff43025da794697809908f84f + 674. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e3dd033b305d86288bf884cb23e0ae658e9d567e + 675. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4fed8ebc79e53e3e453aa15c15b71a4887c412c2 + 676. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5c9f26bbde72f076de876c8e30f2a0fb80ef91f4 + 677. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-21e4cb6d72ff4911ea340d00bb95d0cfd1e9bd76 + 678. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-166b82aa65e6da44aeb41e792b10efe979fc9b49 + 679. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fa58b438d5d46902e230c8c2471757f8103b8276 + 680. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-57610c67cac987182f6055118dd6d29e1ccd4445 + 681. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-af2c190759b099a7986221cd12a4066eb146a1c4 + 682. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-26f2a77472cb1e86e2f01d74f011a7c5bd89f459 + 683. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-01ebc8c30aa41aca3fa2bf473a5bcfc95823a8a1 + 684. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-57ab8844e9060937c4a654e1aa7568f87cb25aef + 685. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7bba1e27593d13640e9693e39979b7d61a9b0244 + 686. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a9bfc224f3d301f4046e5bc1d96e837b01c7f9b7 + 687. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-46e7f29ffd321ae28670bfab4e7dc345f0fa0432 + 688. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-37f00e4c3e6b2b02d72f3c47af4a10a4d6c7def2 + 689. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7bb7bbe3355a5093f8aae1c5470e5b6f043c139d + 690. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-83d27196ad84b9142d034ce8fe95278b77f08106 + 691. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-94e21dcd0f93a7e8528ceb4ef67ea005a4aa653c + 692. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ef469ed90b785ebb496c66523bb69030e0b7c906 + 693. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0f722810cee0817bdefe0a1f5b573542e4761123 + 694. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2b627d7cdd461eee9c23b7d167d1b5d53e0bced2 + 695. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f5a9a7efc69525f1e3d928b725cced0f7822e451 + 696. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1860f23748bd13d5c26b127a78559d1b068835f9 + 697. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a6886122c63cab9a4154365c0f55eddb0f3be59e + 698. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2931f707c7137629bad3cecc83d8a014c4818e0a + 699. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de11286b4accdede48d411359ab365725673c88a + 700. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-44573752106a6a834704da181eec6bc054a44ee8 + 701. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e0f8ba664357ea0d5ff447fce7aaecf0b8ee8df9 + 702. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d909b5a9835e335bc5d5009915403b14f40c0be2 + 703. ftp://ftp.isi.edu/in-notes/rfc931.txt + 704. ftp://ftp.lysator.liu.se/pub/ident/servers + 705. http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication + 706. mailto:orso@brturbo.com + 707. ftp://ftp.isi.edu/in-notes/rfc931.txt + 708. http://wiki.squid-cache.org/SquidFaq/TroubleShooting + 709. http://wiki.squid-cache.org/SquidFaq/SquidAcl?action=AttachFile&do=get&target=parent_auth.pl + 710. http://www.snerpa.is/notendur/infilter/infilter-en.phtml + 711. http://www.squidguard.org/blacklist/ + 712. http://www.stearns.org/sa-blacklist/ + 713. http://www.rambris.com/fredrik/sleezeball/ + 714. http://wiki.squid-cache.org/SquidFaq/MiscFeatures + 715. http://wiki.squid-cache.org/SquidFaq/MiscFeatures + 716. http://workaround.org/moin/SquidLdap + 717. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-916574549beb3a0d8161875d8694ecaeb6aaf01d + 718. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-66a70fb373bfc9667b41360ddf2ad6f858490b99 + 719. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-35440d12e5f9a9181a6ae9c057728e9e20245143 + 720. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-eb3240fe8e61368056af86138a2b5dcbc9781a54 + 721. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ca645370e3a54bcb94c0a9a8ed9c235e59f50bc5 + 722. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-41565059248056bd60f519bd1bab4a974c9b5ef5 + 723. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d4f24fdac6a6722202f431df572090390287e245 + 724. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0a267839d989339a8e34e2323048b30185d4f8f6 + 725. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8ab77e8b65c3cc3c7d50f8627c42ee22e37d220c + 726. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7a8b524d3f710e7368fadd1701f1db8d385c8cdc + 727. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-33c487597421c1b24cf63a7d8f301b524240a8c0 + 728. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-49eff190283c1578c0ab9017c1b8126cdc85dce2 + 729. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2c0c0d6a5294c2b9d0c43b010fe2afcb545039db + 730. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-653b0b3ead22a007f8cef30201738b73550fc9c8 + 731. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ba15ba24819c12b1e1983ae5a34a13bb22196134 + 732. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-96a60b2ba87332720b90f37a265d022ddde8ec83 + 733. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2c01c04a051852b78309cffc46c91c5b252f15bc + 734. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-853f16610e999cb552d1afec94954263f508fedf + 735. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-97c3ff164d9706d3782ea3b242b6e409ce8395f6 + 736. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ffc04f166c31c23dc916a9efba8ee6a39f457924 + 737. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9cf741503b395077505206cf0a59459bb36bcb0d + 738. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-663844d925e559109734bd02d6dd049a861197e0 + 739. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-36aedae8f2cc4943850c22bdbff2e781c76ce2f6 + 740. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6f120993bd475fff02da05f9fb732661a0f326c3 + 741. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6f2395a90dee90ebb2a99503f82c5078f58012a2 + 742. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-26df43152f36191efc06ace8f0d2caced04c6393 + 743. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7067fc0034ce967e67911becaabb8c95a34d576d + 744. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ec6b316c2f73a72782198dab56d9e9a3a7127eeb + 745. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-645325ef517a09ee94283b214f3884a4289929fc + 746. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b09c6d3a618b5b8aca46a10bd1c5d88c38375ed2 + 747. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1fd2b038f11cae4bc9a6b04caf90ee950a79485c + 748. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c768646e45c7cacddf84aaff29f18a3a4d53f7b6 + 749. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c51279b144d8f9e1c9ecbf7291c5589d15f96335 + 750. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-065ce069210200a8c2127dcec828c21ab7cba183 + 751. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c63455a50c270b9c06f674f014eec7bd6a1ebedc + 752. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-815c5ad52cfdfdbbda5322cf4af9f999d8ae7d0d + 753. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-39c5fd3d7a74f95a13453fa6772a1f6d55ea57b8 + 754. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e17462450d6ac1fe681a71154020881ad8e88423 + 755. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-61c29145b2b9a768959b2acc87753f2eba9946f1 + 756. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-58e537df0dc615c84668c354ad136e9d168066e3 + 757. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a8225e8a8885679828c76711b60d1422ebbbdac3 + 758. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3d8e95cfc667af07c3377cac0d37b3244bfabe5a + 759. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-16ad27f86ac8fcbd395bcf440c202ee23308a7cc + 760. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ff75e13a2f1a05ae1c4d54f7456f640b10458dfd + 761. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d52a57b1259c25954ac4deb22d6e7f4ad5067ff5 + 762. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-03d5d82b9c2b2e558084f4ba72b226a711639d62 + 763. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-67078f9d8729e401f819b154ce0f5a0cb2edafc2 + 764. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2a6c320e0ebfff63dd791191497947330e7ec3c9 + 765. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-19aa8aba19772e32d6e3f783a20b0d2be0edc6a2 + 766. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d6a59da6f02bf84c17c9eb2c08299309765162e9 + 767. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4c3b947a45b239c82331db1dca1129b3ac6ab67c + 768. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6ca2bf4d71b1d23ef226f08217bde36dfa219a12 + 769. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cfb249e7c752e8ba79ff4946ad19a66b42aff454 + 770. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9a7c153b45eef4487f7a56b7d4d899fe2e2e7ad5 + 771. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fa2a8d93db2ab1c414c4d0e71106ce871d2087e1 + 772. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-892c9481264e0931e73cfb42789944828edbdec0 + 773. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-73138b37f4e7c00cc6759dbdc3fc6d4076ffdcb6 + 774. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7234482b81492f6abcb90276677acc40c1bfae3d + 775. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-20c9647868c014d7694cd327a3c1f7df76ab6deb + 776. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c149b09cb3879f1fee0fc4195c1b53cf497d8e80 + 777. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9e8a57b836495651a516d3f0617a682fc96eb539 + 778. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-358d6ca81c2d621541f1fd90dfc8fdd86c606aa8 + 779. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f4a45377a57a797587e0c67314da8c603f1581cc + 780. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b3486c600a12bdfd1ebea296da263b44cca8eed0 + 781. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0985314c3d073a1f1ad2c7fb6bc63e680f0475fd + 782. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a7e73c7541f323d5d8f07baf48681be280061204 + 783. http://wiki.squid-cache.org/SquidFaq/SquidAcl + 784. http://squid.sourceforge.net/hno/linux-lfd.html + 785. mailto:torsten.sturm@axis.de + 786. ftp://ftp.isi.edu/in-notes/rfc952.txt + 787. ftp://ftp.isi.edu/in-notes/rfc1101.txt + 788. http://www.intac.com/~cdp/cptd-faq/section4.html#underscore + 789. ftp://ftp.isi.edu/in-notes/rfc1033.txt + 790. http://www.life-gone-hazy.com/writings/icp-squid.ps.gz + 791. ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ + 792. http://www.squid-cache.org/Versions/v2/2.5/ + 793. http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication + 794. http://support.microsoft.com/support/kb/articles/Q198/1/16.ASP + 795. ftp://ftp.isi.edu/in-notes/rfc2617.txt + 796. http://wiki.squid-cache.org/SquidFaq/SquidMemory + 797. http://www.squid-cache.org/bugs/ + 798. mailto:miquels@cistron.nl + 799. ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ + 800. http://wiki.squid-cache.org/SquidFaq/SquidRedirectors + 801. http://www.oreilly.com/catalog/lunix4/ + 802. mailto:mtk@ny.ubs.com + 803. http://www.ietf.org/rfc/rfc1738.txt + 804. http://www.ietf.org/rfc/rfc1738.txt + 805. ftp://ftp.isi.edu/in-notes/rfc2817.txt + 806. http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt + 807. http://www.cydoor.com/ + 808. http://wiki.squid-cache.org/HenrikNordstr%C3%B6m + 809. http://www.i-d-n.net/ + 810. http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses + 811. http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses + 812. http://wiki.squid-cache.org/SquidFaq/TroubleShooting?action=AttachFile&do=get&target=zerosized_reply.c + 813. http://wiki.squid-cache.org/SquidFaq/OperatingSquid + 814. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8aceb1fc6528b3107037e6f30dd800fd333b4cd1 + 815. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-708f0a43aa721f06d66ad6652a6c7e7ccf36958e + 816. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9843e555882aaa72d6fb89491f935f6961075ba8 + 817. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5ab4d6f509584304daf02931019aaa6f4516179b + 818. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-00d1a79a0fb911a2b5ab3bc79982f0bf21fdfad9 + 819. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d80836a3c2f5f69b37de9ee7fbb1c1368bc88d45 + 820. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fc0538118ab0c640c2e45fe9ed234ad47f10a494 + 821. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-dc0bcde00ec48ac3dd08d16a2ad00b535ad77ea7 + 822. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0ccbb6e09b66e0f30d2ebf257181e4b212d42315 + 823. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-663164c42cab57480d3ea8775884cdb8ecf64eee + 824. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a20eced79955a01c9e4a8c70e73f644a98cb0aec + 825. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5b134ffbbb858537468b862c645ecf8a9281c87f + 826. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-696ad003492f3d05a5a66a9db6b1691746bb3dcf + 827. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-416ed42147005281452c0c68a82eba9d29694df0 + 828. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cc52368a9a961fcf8f7f5a4df2e8ff0da8becb16 + 829. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2d2e5aa1b71ecbce1a96da41ddee6d42c6e99884 + 830. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de01afb001b1e96229214e5e3d5c536616b49fff + 831. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-42f0582290981fb15dd7d7edd3d42ae8c52fa317 + 832. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3edd56de3f1aa11f94310d3b002289d6fe46242d + 833. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7637989ca3ff978c7b37a9c123b08557147fce91 + 834. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-aed2acb07aed79ef1f7a590447b6a45a8dd8e7d1 + 835. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-49fb0ef157bf6158a4564722cfae529f747a2208 + 836. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3ccaef79f36bf2d74c7cdde76eeb163b8c8e691e + 837. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cd9411b0d43438efd50e30856e2cf1f3b49d1ddc + 838. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-283fb4c12d3b19bd74fa36f5f964e60fa214b0c8 + 839. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7cd5ddaf221f668cf8085a87e16aa4934c9636c8 + 840. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f0a1b55f0c13ee71df0cf1634ea7578d497b2f08 + 841. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-add7db8ac84a5fee1ea667e4fc08fe6f167934ca + 842. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-401a0ade283b4a6bf820fb85c149bbc7e7a24ea7 + 843. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e57a765f3f0b2719622a7ba6c13ce4d43c8b2b3b + 844. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c94e6944852c8d4f42e6e1f96d106a3fc54441d7 + 845. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d42626f8b81b6ad5f4367902ec9e7d71ee050b33 + 846. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-74b09784362f23f4bae8024d653fa2b0170fb14b + 847. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ee8c42d6eaabfce0262092de289210487d7bed42 + 848. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-48eb75026e1e1df9203853887a021a3a61a72f0e + 849. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e0a51249088fdb7377ccf09e4e8d9a33f19d632f + 850. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2fc65748b38219b70169b98d0ac4433e319cd532 + 851. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b9853e4d5dfd4bac301d308ab175fd48ba2921fa + 852. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da0ac8317d448f0c4db88ee7fa553d03a833eddc + 853. http://www.ircache.net/Cache/ICP/rfc2186.txt + 854. http://www.ircache.net/Cache/ICP/rfc2187.txt + 855. http://www.squid-cache.org/Devel/ + 856. http://www.nlanr.net/NA/ + 857. http://www.faqs.org/faqs/firewalls-faq/ + 858. ftp://ftp.isi.edu/in-notes/rfc1738.txt + 859. ftp://gnjilux.cc.fer.hr/pub/unix/util/wget/ + 860. ftp://ftp.isi.edu/in-notes/rfc2109.txt + 861. mailto:david@avarice.nepean.uws.edu.au + 862. http://www.ircache.net/Cache/Plankton/ + 863. http://www.cert.org/advisories/CA-96.01.UDP_service_denial.html + 864. http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html + 865. http://workshop.ircache.net/Papers/dilley-abstract.html + 866. http://wiki.squid-cache.org/SquidFaq/CompilingSquid + 867. ftp://ftp.isi.edu/in-notes/rfc931.txt + 868. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-32c418dcaaddee7f737291d925c3c0880fdcd484 + 869. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-03816a0db7fe5f810e1d523fec057f696611289e + 870. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-17a058b4b75a83dbc5a9946e551c6152e269dc7b + 871. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b5d29a9bef601cc103b4f7fc07ed7759362133e6 + 872. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-98288e4cb98a041aa1f0502fdb51c6cb1068a91c + 873. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8ba49e142dbc101a49f05a2617628ab2000b0c3f + 874. ftp://parcftp.xerox.com/pub/net-research/ipmulti/ + 875. mailto:nlanr-cache@nlanr.net + 876. ftp://ftp.isi.edu/in-notes/rfc2365.txt + 877. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4c2f26c7a6580097cef720cf5604dcc1e34908ad + 878. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-41e22620016f1f78bd7b24b7b03e11da0999f261 + 879. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2b92588eec4649f39da5aa68c8de5a04640afb1e + 880. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-320c101d973dabcefd09de89a360292605cd1ecb + 881. http://wiki.squid-cache.org/SquidFaq/CacheManager + 882. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-29b448e799c42ebb5f5621ca147f58dd8f3459fc + 883. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-742ae66a1347811b7a3ee278657c1a462548ad4e + 884. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-32c02416a50ff8f57557eb7f7a5568a29f081f36 + 885. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-68576263d142ce95032a5cd86d48bf314347a47b + 886. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2b4bb17c52a96e834f45150838a4c6db0c4d4de1 + 887. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81930fec2a2bc75333845deef2422587f25e808b + 888. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3e4d4a982fb89472bddda8b339dbde797b683f92 + 889. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9a3543e9e19710a47f3116a58bb2a50394bf65bf + 890. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3000379916f42842968143b3209732b1e14eeb33 + 891. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-67e8f4928dba2b38adf23405dcc8a6cd3b36ee62 + 892. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e2b538387fd65c456d75f655baf53ea71d1734c5 + 893. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c12430697ea5e6e70cfec85a00c58e8309f93981 + 894. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8c50d688b472aaeac242338375c9149df1b595b9 + 895. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6d7a43d1a1ec9f12d51ec3c5109ef384a2cdaaf + 896. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b372e64edbbf442749e7d6602bf53af1293c41d6 + 897. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-57b543604a947c76e9e9d1d9b6a5837df9165b9f + 898. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5a3092d1c4d984ca25aff88d1e8642368561b963 + 899. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c65a7d02a1456bf603f36d757d0fc0f62cf493e9 + 900. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-233929f8bb9073226dc7f92ea8f66125fd1678be + 901. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-49674e28d21cafa24a11556c50056b17d610d579 + 902. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-69c86c56c716d46d55faa98751964f442e0bb92d + 903. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5cceab6ab1d29ee46f8c94095952039e50b61270 + 904. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-12f96ac7932458c7e6baefb04c98dbb9b457a470 + 905. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9413226016ca3d81afa7d77056b81a9f4838453e + 906. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2fca17961021998f2d16d5b480a824a119788cac + 907. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a3f7979b38d8dc384bd1942d742b57d29efac4f4 + 908. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8981ef78d61b7a6ba661f664980781d641caeca1 + 909. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-91b0cf15c4781cd7b3248e3663ac85baef66e70f + 910. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-89a03260144041a79f2cfca2fc1a8b6ba966cbf6 + 911. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-092c805cd40432256e88f8f6b53f3b869a2ff6a3 + 912. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8e4bdac877fd3dcbe737d00b79a7c4d68d5bc571 + 913. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-699d810035c099c8b4bff21e12bb365438a21027 + 914. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4920199b311ce7d20b9a0d85723fd5d0dfc9bc84 + 915. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0acdd049dcd92e4cb6c76b5babbebd66c1266f33 + 916. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ee876cc4543b4c9b3ba2ccf6e4ec7bf3d5a9a5f2 + 917. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6a5262e8c005ba6dd0bf06705b0a9c804592406b + 918. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d5bcfeff50f1122dd56823a2c771c33c5679390 + 919. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-154f58e2cb31f002a8c7e28c4a13d31f39842e99 + 920. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-337d7f774cc1b157eefacbdf58bd5d654509f342 + 921. http://moneycentral.msn.com/ + 922. http://www.mbnanetaccess.com/ + 923. mailto:david@avarice.nepean.uws.edu.au + 924. mailto:andre + 925. mailto:ARMISTEJ@oeca.otis.com + 926. mailto:cudch@csv.warwick.ac.uk + 927. http://www.sean.de/Solaris/soltune.html + 928. mailto:cudch@csv.warwick.ac.uk + 929. mailto:jeff@sisna.com + 930. mailto:mbatchelor@citysearch.com + 931. mailto:mbatchelor@citysearch.com + 932. mailto:mremy@gmx.ch + 933. http://www.freebsd.org/releases/3.3R/errata.html + 934. mailto:robl + 935. mailto:andre.albsmeier@mchp.siemens.de + 936. mailto:david@landgren.net + 937. mailto:bogstad@pobox.com + 938. mailto:Arjan.deVet@adv.iae.nl + 939. mailto:bert_driehuis + 940. mailto:galifrey@crown.net + 941. mailto:radu + 942. http://developer.redhat.com/bugzilla/show_bug.cgi?id=3919 + 943. mailto:jraymond@gnu.org + 944. http://en.wikipedia.org/wiki/Explicit_Congestion_Notification + 945. http://wiki.squid-cache.org/HenrikNordstrom + 946. http://answerpointe.cctec.com/maillists/nanog/historical/0104/msg00714.html + 947. ftp://ftp.isi.edu/in-notes/rfc3168.txt + 948. http://www.aciri.org/floyd/ecn.html + 949. http://urchin.earth.li/ecn/ + 950. http://lwn.net/Articles/92727/ + 951. mailto:f.j.bosscha@nhl.nl + 952. http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/genprogc/lrg_prg_support.htm + 953. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-98c42454a7af28e7c53f6591fcabe1ee3e167c0a + 954. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7b9a2c73fc204e8696373df9a3df28f6322325f3 + 955. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-273f739f842cdd4a6294522893a3ccde23fa98a1 + 956. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-38c1f3907a71fbe2944b757b993af9f68b6918ff + 957. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f3056294199fcd322b7d9b2498040fcc26d6b544 + 958. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c15d65bab4c0ec0479760e2dbb75d046dbf25bb9 + 959. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c8bece76abc4d8aae80a3cc28600db50536eed8a + 960. http://squirm.foote.com.au/ + 961. http://ivs.cs.uni-magdeburg.de/~elkner/webtools/jesred/ + 962. ftp://ftp.isi.edu/in-notes/rfc2068.txt + 963. http://wiki.squid-cache.org/SquidFaq/TroubleShooting + 964. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e97986a7cdf421068cde691163e5ed6001a769d0 + 965. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9a301d118756752a4346d1900314cb8357c37ec4 + 966. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3cb764bbc81c9ff68342e5e2b2fa41c38e5ee8e0 + 967. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ad73500d38b30589e36a1ee35113c8e8f2508fdc + 968. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f0b7a9bbff32d4966a19bfd716f72caeed05e3e0 + 969. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3ff343d0f367ecf5399dd2d2970fed38409ea77b + 970. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ce75b1c73fc91dbd778dc1b27de44948a97a058c + 971. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6e2fe2d22d290f385af3ade7b067ab8c94e53b32 + 972. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-61078654f79e7c9c7a4be2fd3e08cb7a386bee58 + 973. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-912b9ed09449af26230d6edc3b7eb7f353baf677 + 974. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da56b290ab9465885c566f650eab2c164dfc9688 + 975. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d65e88e672032032635c3ae9f10ece43f2d2cf9b + 976. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a606912df02681bc6cf6252cd07c19ae55f644f4 + 977. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8a4278abe058276b651e76b5297bbc3a4902f52c + 978. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4a21d0bab23279cdade9144fc2cfa0a618aef887 + 979. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1680ad56d8dcecaa52c83d06eade8be1eb8e88b8 + 980. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-da6226045aa6ed179770573c2d35e227c83a4abf + 981. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0722a8c058fa20bb84a9b59c4bed6924dc77c461 + 982. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6a740dec1f1412ea745ef9c90e6083f37f19f21f + 983. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-27792fea9311c8b65d8cc4c242753ea398ef4beb + 984. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6ec5bd31809e0d7e10efefd6e4cb01b8187d7eb9 + 985. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-df3f082115cb84ed1f6de54b7c2f87847e57ff23 + 986. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-986e5ea1f34b9f9c5fd40bd68707fde887a0a8f0 + 987. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ed2979cea4219a6112a348736bbd6652315a9a35 + 988. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d690b12c8a0ce11e04dfac6f247d5c6c308bf4c1 + 989. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3326f4d47dc1c02970655bd127c324acd343b514 + 990. http://www.squid-cache.org/CacheDigest/cache-digest-v5.txt + 991. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-182f30adede2d8daf8569aef5027629ed799b0d4 + 992. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-23852505c1d7fc62fc3bc3beb8eeb262d929101c + 993. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d670c7ff34fb27d5c36f4235acc5a3faadb76f9 + 994. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e826e98e3db89dd81cf2b48da8c2f59688e6be4a + 995. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9c95bcb0da689aa1fe3c759e29e74d4752c3ab41 + 996. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1baf52754892d9355e3aa292dd70d96d74608b9b + 997. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e7bc177b18f8d349f3ba9cf440aeef49610c3d9b + 998. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1111fe35071d3ef569928e344df97517b43267a0 + 999. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1752d4230a9d1db8a956d68a8be81f262da14058 +1000. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0525bec35885e37f42702e104897ee8e30ebd485 +1001. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9cd7bde0330d67b86c844ad725b2da71d0ee2be7 +1002. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81ee38e48e667b6509952be269f0f469306cf3a2 +1003. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c0a77ff82b6fe6a1e3041c05991e494db872c294 +1004. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a3016c485d02a3b42f0ff51088ef4ad008e87be6 +1005. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-935dbe4ef8ea8e21c1e04cc7753a09095c0d8285 +1006. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-dc04d83c7405935b9d5a056bb9385615bfe26238 +1007. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6616eef3ce759dfa57f86bec19c112278d3a5d4 +1008. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a84383ab9c5e0fe11c290e787cb37e752b49ff03 +1009. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-facdacb36c4db1a48949fdcdca0f5ade45768d8a +1010. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1ca9755a51b3fc1f0c6b4a857f04f366b9043c16 +1011. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3027475a2212faea234bfba53e3536ed43f33f68 +1012. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c3a767076899594cb5767f6a64cae8600d4abadf +1013. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3a8820922b612e5efaf516ef043ea4c05e2e4799 +1014. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-022d0ae33341af5c2277b147ee341091e9885888 +1015. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f92fd34dea365ba61f1bd08f254dfc1be6231402 +1016. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fde31e15630ba3848f9bfd76f589d57e3eb0617b +1017. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9d2c7425899678934f201b25de3828f8393fec67 +1018. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-558e175c7f7179b7c5a662be7f94ecc241813212 +1019. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0554fc775e5864bf062d8ed64155edb0ef93ec41 +1020. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c9d76dc217996842055d4ea3604abcc7ff37f61d +1021. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-36cc41e25fa948cf6a12833ed622a2d1bd66e720 +1022. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-00c956602422fed8545ae419bc40a991cc144ca3 +1023. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3930e8d851d9fc418cbabab3b5db367a24fa7ef8 +1024. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-93c813de14c5d3c6146e65dd0abd38b3959d0243 +1025. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-cea965e9410986f1ecb37a29245c9b2094410a90 +1026. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-efed4677ba6b335deb3a61d639e0354c35fe8468 +1027. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-80c70feffdac51169ae17379761ad9e32e5025ed +1028. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-71cbf0f304d7e2b5e2d1de24b7299d28e943eb84 +1029. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f3f1855603b64952983a83f1b4f5adcfe059c5d6 +1030. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f6788c5272fb3883e259c760fdd65415be1bcca8 +1031. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6ac9cf52b804e4e3911ca981fa27e3981b415d6b +1032. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b36e7b7d01c8577efd3ddf0419ceda4f97b79dae +1033. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a6b322ea1aee564dc117ad6ccd46c2df52d1ba7f +1034. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a7fed84c39e23407b93737da0815d1e6ed926a4f +1035. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c0e70336480c489c316fc0d4d6ca9ab3a41d0760 +1036. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b +1037. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fd189efb7c0b438e0b9eb1987118851a85a69cb8 +1038. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-00589825260ac21903920950c788544ed2151811 +1039. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ade063abe6f27246a0934de9c9cb6f468ad10c81 +1040. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e56904dd4dfe0e21e5c2903473c473d401533ac7 +1041. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7cfff26a112769fccff8f4d507961cd27ebe5eac +1042. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-607433e79435c6306b47f5e1f2e5df1e6cb177d9 +1043. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a7fa812ca86804e1f9c77a9bb71da22a596f0a41 +1044. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9046f6b1479748be48c1e4e11ccdc6159e9c26ac +1045. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-779feb6af81cda62fc6dce049030d3434c13ee05 +1046. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-94b19e59c1f793d41aaa3567e12d1c582bc3534e +1047. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c71f7c796136376f0a2afd4e0f5102984482cbbc +1048. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f613ab8bbb6bfe13f27c3063377e136038288f87 +1049. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-03cbd4f73d885ee17bfb57177720d25c6021d12a +1050. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-464a11f17139f4e019e041e07033d4600bb0c825 +1051. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c78fbd6d364a74fb2393431e0d0ae3586a0c123a +1052. http://coombs.anu.edu.au/ipfilter/ +1053. mailto:q@fan.net.au +1054. http://www.benzedrine.cx/transquid.html +1055. mailto:Rodney.van.den.Oever@tip.nl +1056. http://www.xos.nl/linux/ipfwadm/ +1057. mailto:RichardA@noho.co.uk +1058. http://www.ibiblio.org/pub/linux/docs/HOWTO/TransparentProxy +1059. mailto:Support@dnet.co.uk +1060. mailto:andrew@careless.net +1061. http://www.ibiblio.org/pub/linux/docs/HOWTO/TransparentProxy +1062. mailto:John.Saunders@scitec.com.au +1063. mailto:morgan@curtin.net +1064. mailto:John.Saunders@scitec.com.au +1065. mailto:signal +1066. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#trans-caching +1067. mailto:John.Saunders@scitec.com.au +1068. mailto:glenn@ircache.net +1069. mailto:ltd@cisco.com +1070. http://wiki.squid-cache.org/ReubenFarrelly +1071. http://www.web-cache.com/Writings/Internet-Drafts/draft-forster-wrec-wccp-v1-00.txt +1072. http://www.web-cache.com/Writings/Internet-Drafts/draft-wilson-wrec-wccp-v2-00.txt +1073. http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008030c778.html +1074. http://www.colasoft.com/resources/protocol.php?id=WCCP +1075. http://www.cisco.com/go/fn +1076. http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f31.html#wp1094445 +1077. http://www.squid-cache.org/WCCP-support/FreeBSD-3.x/ +1078. http://www.squid-cache.org/WCCP-support/FreeBSD-3.x/gre.c +1079. http://www.squid-cache.org/WCCP-support/FreeBSD-4.x/ +1080. http://www.squid-cache.org/WCCP-support/FreeBSD-3.x/gre.c +1081. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#trans-freebsd +1082. http://www.squid-cache.org/WCCP-support/Linux/ +1083. http://wiki.squid-cache.org/StevenWilton +1084. http://www.balabit.com/products/oss/tproxy/ +1085. http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication +1086. http://wiki.squid-cache.org/NegotiateAuthentication +1087. mailto:signal@shreve.net +1088. http://wiki.squid-cache.org/HenrikNordstr%C3%B6m +1089. http://devel.squid-cache.org/hno/patches/squid-1.1.20.host_and_virtual.patch +1090. ftp://coombs.anu.edu.au/pub/net/ip-filter/ +1091. http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCse55959 +1092. http://www.swelltech.com/pengies/joe/patches/ +1093. http://wiki.squid-cache.org/ReubenFarrelly +1094. http://www.reub.net/node/3 +1095. http://wiki.squid-cache.org/DuaneWessels +1096. http://www.oreilly.com/catalog/webcaching/chapter/ch05.html +1097. http://wiki.squid-cache.org/HenrikNordstr%C3%B6m +1098. http://www.swelltech.com/news.html +1099. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-03e030fd9418dbedf89a48ec0bc55a792e4a53e7 +1100. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2322bb89ee8a67696ab031da31fd093d4fdc503e +1101. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ffffd3128329c39147756f28ee4b33128e98aca5 +1102. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-edb6affeb8aa4364a710048e20f0ce125e5b8244 +1103. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-38a0f8863d60448e9ece0afcaca222254c39aa48 +1104. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5d36cf8a2aec310c4841849976cc7bf093042bb2 +1105. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4ee2785e8e504f215a4d551fc98b7bb3c6af284f +1106. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b5da591672d836e62b119ea2840571a0db9ad353 +1107. mailto:glenn@ircache.net +1108. http://net-snmp.sourceforge.net/ +1109. http://net-snmp.sourceforge.net/ +1110. http://oss.oetiker.ch/rrdtool/ +1111. http://wessels.squid-cache.org/squid-rrd/ +1112. mailto:cache-snmp@ircache.net +1113. http://www.squid-cache.org/mail-archive/cache-snmp/ +1114. mailto:cache-snmp-request@ircache.net +1115. http://www.mrtg.org/ +1116. http://www.cache.dfn.de/DFN-Cache/Development/Monitoring/ +1117. http://www.acmeconsulting.it/SquidNT.html +1118. http://squid.visolve.com/related/snmp/monitoringsquid.htm +1119. http://www.arnes.si/~matija/utrecht/lecture.html +1120. http://hermes.wwwcache.ja.net/FAQ/FAQ-2.html#mrtg +1121. http://howto.aphroland.de/HOWTO/MRTG/SquidMonitoringWithMRTG +1122. http://people.ee.ethz.ch/~oetiker/webtools/mrtg/squid.html +1123. http://www.psychofx.com/chris/unix/mrtg/ +1124. http://thproxy.jinr.ru/file-archive/doc/squid/cache-snmp/mrtg-demo/ +1125. http://www.braindump.dk/en/wiki/?catid=7&wikipage=ConfigFiles +1126. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8bb1e7380165c2559bd46ec8884f35435d3bdec6 +1127. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7628c4a349cdeeafdb6d4743e3d5f4fc5e3ffa8b +1128. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-31b25bb649fcffb7ff0b626d9b84011a536e700e +1129. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ac92ca0bab2c30e29013d619be68db337ae16dbd +1130. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81781cb17cb47d2f26d9edabc75be035107d2644 +1131. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fd9b4b7ba1854a3c21796173af9d0b9aee33e376 +1132. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-84c6f23dc11531c502597c064d0981f1e16d4ef4 +1133. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a2c8a250b2e00d2104793bcb8f74e16b61790321 +1134. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-75a75a2d52fe4fb1447a5e2e428cfd504af56b01 +1135. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6a60a203f25ce922610b02a9080277ffe1092708 +1136. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fd8f5559ec842b21e1acb06823eaa9b83897fcc3 +1137. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d3266cdb6117dfee988cca9ba2e267f82faa69ac +1138. http://wiki.squid-cache.org/SquidFaq/CacheDigests +1139. http://www.devet.org/squid/proxy_auth/ +1140. mailto:squid-faq@squid-cache.org +1141. mailto:david@luyer.net +1142. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-49b545e8b5b3e57679b5cab14fb757ee096f62cd +1143. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7fa129a6528d9a5c914f8dd5671668173e39e341 +1144. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c422ff29b44235d1804abfdc92e1f3d838d21ce8 +1145. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7bd155a1a9919bda8ff10ca7d3831458866b72eb +1146. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c7da685b97cb3783adaf61e8a807063c8f34e4f2 +1147. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-81d06e5a0d3a3ed4bdf7a7cb9077370a7b02bfaf +1148. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fdee3a2261a8093ce1a47ff1ba24dc912e630747 +1149. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd +1150. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c073a2271a01dac8f222cff894d358707fd497ec +1151. http://www.apache.org/ +1152. http://wiki.squid-cache.org/SquidFaq +1153. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-06a4e52a380ee592c4917d3a1848e678613d44a1 +1154. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b753f9e7f3e22951e95db1eb1c964d83bf4c2fb5 +1155. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-6c934b40790f5fde7495c55589958f3ae5921411 +1156. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1c47d19f38c4f840520c39009b5513896c285072 +1157. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-31b624041161e0893b05c2d498852a9fd89613f5 +1158. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5ee1beb9a5b2cd2a518fef3f60e977710e36aae8 +1159. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-afecc2f5adbbe64a9440e2f84d22e744befe7bfb +1160. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-45a82f297d67ba214677e67180b1947b79a41aae +1161. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b9c0aa19aa2882c4853c98543ded628a7843307a +1162. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ee248eb8ef2d68baca799dba4ce1f80680b96b4c +1163. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5000f03cc91e6953dd03fc9eb6418632032f47a4 +1164. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-240bc08017c2dd270f719fbd23313b0f9792772a +1165. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9028c0a33efe35a4340c12ffb737a5c62579e3f4 +1166. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1a656b6b0fb82223800e144852b95606119b84cb +1167. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-44a6ab3c607977ece4d680d9557ee692aad41c1b +1168. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b89e95c341d868f46c55148ce99530e819367f21 +1169. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-af85714e3b20e1c58c3722b420234ccd91ac2cc7 +1170. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-138cdbc2bd44565c26b9d78f915fcfb4669a4aa9 +1171. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ec80d03cdbcf3a3e3c45896a9c717df215f95886 +1172. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9a665601732fe128244f7eed62919b105dd90475 +1173. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d1dc4b7974ef5c946855203f2025ce10dbd26ddb +1174. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-348dd6218153eac4bf6ad509bb25e576a26a193b +1175. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fd6508f3c5b92c35ad45693c2a6a0812a49c8612 +1176. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4a34701acc4fba457f249c8d5647ac0d721f717e +1177. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-89230902eedb064a7d256e1084325417474c8f28 +1178. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4786d63c5e1475413f56628b4e0101b976724cec +1179. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f5c2dd6871e0a87f18b7e6403fc8f67947ad565f +1180. ftp://gnjilux.cc.fer.hr/pub/unix/util/wget/ +1181. ftp://ftp.internatif.org/pub/unix/echoping/ +1182. http://sourceforge.net/projects/curl-loader +1183. http://siag.nu/pen/ +1184. http://www.linux-l7sw.org/ +1185. http://www.linuxvirtualserver.org/ +1186. http://www.keepalived.org/ +1187. http://off.net/~jme/vrrpd/ +1188. http://www.squid-cache.org/Scripts/ +1189. http://sourceforge.net/projects/squidoptimizer/ +1190. http://oss.sgi.com/projects/pcp/ +1191. ftp://ftp.nemoto.ecei.tohoku.ac.jp/pub/Net/WWW/VRML/converter/3Dhierarchy.pl +1192. http://www.transproxy.nlc.net.au/ +1193. mailto:john@nlc.net.au +1194. ftp://ftp.sbs.de/pub/www/cache/redirector/redirector.tar.gz +1195. mailto:iain@ecrc.de +1196. http://internet.junkbuster.com/ +1197. http://squirm.foote.com.au/ +1198. mailto:chris@senet.com.au +1199. mailto:orso@ineparnet.com.br +1200. http://web.onda.com.br/orso/chpasswd.html +1201. http://ivs.cs.uni-magdeburg.de/~elkner/webtools/jesred/ +1202. mailto:elkner@wotan.cs.Uni-Magdeburg.DE +1203. http://www.squidguard.org/ +1204. http://www.marasystems.com/?section=cerberian +1205. http://marasystems.com/download/cerberian +1206. http://sites.inka.de/~bigred/devel/squid-filter.html +1207. http://ftp.tdcnorge.no/pub/windows/Identd/ +1208. http://identd.sourceforge.net/ +1209. http://www2.lysator.liu.se/~pen/pidentd/ +1210. http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html +1211. http://www.rraz.net/squeezer2/ +1212. http://squid-cache.blogspot.com/ +1213. http://www.cafepress.com/squidproxy +1214. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0326ff77448388449b62fc6fb25262e9368cb01a +1215. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2a55a16a2ccd1e9513507e3adcff73215e7a3728 +1216. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3baf5f4307e79e9eb566f4829d7797d16d6a9263 +1217. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-3533104f335829e6ab6c76cddf09507a5601cc36 +1218. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d43e0703bdce8b44c558b07c08155ee1f9edf39b +1219. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-67c820f9dcbd409ba84ff97e6ab053c9172e7271 +1220. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5f03c4d6420b267f3ddd11fb9e67ca7deaebeb86 +1221. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bf207d46505bcf5f2a4a59d9b1b3c726959fb80e +1222. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f1ffc4b193830e2c339207a936819d25ed8ab299 +1223. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2bc666ab64c1a8573d47a35e2ba1e79969a5ec30 +1224. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7a1bde4f2d56c8c0fadf1dae1f32aa532ec081bc +1225. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7fdf7183bde8298a126b069c2dd573678feec9fc +1226. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-5f03c4d6420b267f3ddd11fb9e67ca7deaebeb86-2 +1227. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-bf207d46505bcf5f2a4a59d9b1b3c726959fb80e-2 +1228. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f1ffc4b193830e2c339207a936819d25ed8ab299-2 +1229. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2bc666ab64c1a8573d47a35e2ba1e79969a5ec30-2 +1230. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-7a1bde4f2d56c8c0fadf1dae1f32aa532ec081bc-2 +1231. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-c46a1560841d6119fc8db1a73a350a359e9b2850 +1232. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e19bfa7f2c0ecf180a4a8e035e8547587e27d3b3 +1233. http://polygraph.ircache.net/Results/bakeoff-2/ +1234. http://www.squid-cache.org/Benchmarking/bakeoff-02/ +1235. http://www.squid-cache.org/Versions/v2/2.4 +1236. http://www.sunworld.com/sunworldonline/swol-11-1997/swol-11-insidesolaris.html +1237. http://www.sunworld.com/swol-09-1997/swol-09-insidesolaris.html +1238. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-54d286d3bce5ff023feacda17e137f3fb3fe84b8 +1239. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-01275889ce1cdf256418fa5eb3158d51aa84b1f6 +1240. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-de6ea721d5c0f5a9f51275c9d4b3829be6af1364 +1241. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-50fd1875d22fc5011d685de32e1de3a9c9c52c17 +1242. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-9ea9413f6192100b42c8453f0590142e2251a91c +1243. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-8fdb27e2d0da5cb41d73622c9b4891af9c22ba4e +1244. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-709b4cfabea7728116852af20796512fb54afce2 +1245. http://www.squid-cache.org/Versions/v2/2.6 +1246. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-60015968110d4e4fba31c1c9e3f917e0f196624a +1247. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-092eeba6ce2d24f83356d6e20e2375eebb4036f9 +1248. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-ca6c847dd2974a610ef8f6a0e44319cb325f92b4 +1249. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-2d25b99d1bbc404eb33a4a454f70857116bad9dc +1250. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-63c70345154ed43eb99587bf4e32a8e594edd883 +1251. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-1d6e24e071a1a5e65f112d9a96cdf1320684a8f2 +1252. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-d857d069ac73a5cdbefca60a8d0e0d6e1df02452 +1253. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f53b3d45b4a53f1e225465c4197e4c61083df0eb +1254. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a06a9e7b1ff9d431ce41fb0c1e90f0788ac00e55 +1255. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-0e6726d3024c249e993f5927efb62f0702dc836d +1256. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-fc6ce1ba7fd667059c8678732c2b5e67e20d1f58 +1257. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f92e92ea0e4d01f073162195320b58883c8b962a +1258. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-a7ea3a5058d17342c75956e439aec9acd2e4c1f0 +1259. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-56ad2f07574c143695aa6dffa68aa0a89f3cec15 +1260. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-73aba4d0e50b80849952dcae8ce63d36a276e35c +1261. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e4803074fbb62b906724838137cc39c8481c1f16 +1262. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4fa68e1a751de826ec620c625c3a256e5fb16744 +1263. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-4ab375f4b1c3159136f7ccefcc9a8b70fba192d2 +1264. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-e581a5cd05ec7c36162d277188d63337622df082 +1265. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-24d51e40a989e2a508844201fb59a38e8e29c0f7 +1266. ftp://ftp.isi.edu/in-notes/rfc2616.txt +1267. http://www.squid-cache.org/related-software.html#auth +1268. http://www.squid-cache.org/mail-archive/squid-users/200511/0339.html +1269. http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication +1270. http://wiki.squid-cache.org/NegotiateAuthentication +1271. http://wiki.squid-cache.org/SquidFaq/TroubleShooting +1272. http://www.ietf.org/rfc/rfc2617.txt +1273. http://samba.org/samba/docs/man/Samba3-HOWTO/winbind.html +1274. http://samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html +1275. http://samba.org/samba/docs/man/manpages-3/winbindd.8.html +1276. http://samba.org/samba/docs/man/manpages-3/wbinfo.1.html +1277. http://samba.org/samba/docs/man/manpages-3/nmbd.8.html +1278. http://samba.org/samba/docs/man/manpages-3/smbd.8.html +1279. http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html +1280. http://samba.org/samba/docs/man/manpages-3/smbclient.1.html +1281. http://samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html +1282. http://www.papercut.biz/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory +1283. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-25612f68d5b80d31e889f7f68144f3d2b869ae12 +1284. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-f840b741e536311cad341d05f8386468e592a8c0 +1285. http://jmason.org/software/sitescooper/tao_regexps.html +1286. http://www.newbie.org/gazette/xxaxx/xprmnt02.html +1287. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-77b3abc555cc572d0a6edbd257a251640e6e39ce +1288. http://wiki.squid-cache.org/SquidFaq/CompleteFaq#head-b8f454bfce31e8bc3648d42b64b40ad72e7b92c8 +1289. http://mail-abuse.org/rbl/ +1290. http://wiki.squid-cache.org/SquidFaq +1291. http://wiki.squid-cache.org/kinkie +1292. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=refresh +1293. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=AttachFile +1294. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=Despam +1295. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=LikePages +1296. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=LocalSiteMap +1297. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=MyPages +1298. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=PackagePages +1299. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=RenderAsDocbook +1300. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=SpellCheck +1301. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=SubscribeUser +1302. http://wiki.squid-cache.org/SquidFaq/CompleteFaq?action=VisualSiteMap +1303. http://moinmoin.wikiwikiweb.de/ +1304. http://www.python.org/ +1305. http://validator.w3.org/check?uri=referer --- squid-2.7.STABLE3.orig/debian/doc/cachemgr.README +++ squid-2.7.STABLE3/debian/doc/cachemgr.README @@ -0,0 +1,40 @@ + + + README for the squid-cgi cachemanager package. + + +0. INTRODUCTION + + This package was seperated from the main squid proxy cache package so + that you can install it on another server than the one squid is + running on, usually your webserver host. + +1. DOCUMENTATION + + There's a chapter on the cache manager in the squid FAQ. The relevant + section of the FAQ is installed as /usr/doc/squid-cgi/CacheManager. + +2. POINTING IT TO YOUR CACHE HOST + + The FAQ tells you that if you want to use the cachemgr.cgi program to + connect by default to another host instead of localhost and/or another port + that you should recompile cachemgr.cgi. This is not strictly true; you + can save the output of the initial screen to cachemgr.html, change + the defaults, save it somewhere into your HTML documents tree and call + up that screen instead of cachemgr.cgi. + + A sample cachemgr.html is provided in /usr/doc/squid-cgi/examples/ + +3. WARNING + + Because it is easy to point the cache manager to any host and port, + the cache manager can be used to connect to any service on any host + inside or outside your network. Thus hosts that can be accessed by + cachemgr.cgi are limited by settings in /etc/squid/cachemgr.conf. + + By default only localhost can be accessed by cachemgr.cgi, more hosts + can be added, one per line. Ports can also be limited with the usual + syntax: 'hostname:port'. + + + cachemgr.README 1.4 12-May-2007 luigi@debian.org --- squid-2.7.STABLE3.orig/debian/config +++ squid-2.7.STABLE3/debian/config @@ -0,0 +1,73 @@ +#!/bin/sh -e + +# +# check for old config-style in squid.conf +# (include "ufs" (Unix File System) after "cache_dir".) +# + +# Source debconf library. +. /usr/share/debconf/confmodule +db_version 2.0 + +grepconf () { + w=" " # space tab + sq=/etc/squid/squid.conf + # sed is cool. + res=`sed -ne ' + s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p; + t end; + d; + :end q' < $sq` + [ -n "$res" ] || res=$2 + echo "$res" +} + +grepconf2 () { + w=" " # space tab + sq=/etc/squid/squid.conf + # sed is cool. + res=`sed -ne ' + s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p; + t end; + d; + :end q' < $sq` + [ -n "$res" ] || res=$2 + echo "$res" +} + +conf_fix_check_cache_dir () { + + if [ -f "/etc/squid/squid.conf" ]; then + + sq=/etc/squid/squid.conf + w=" " # space tab + grep -q "^cache_dir[$w]*[^/$w]" /etc/squid/squid.conf && return + umask 022 + + if grep -q '^dns_children\|^dns_defnames\|^cache_dns_program' $sq || ( grep -q '^cache_dir' $sq && ! grep -q '^cache_dir.*ufs' $sq ); then + + # ask debconf-question here + db_input high squid/fix_lines || true + db_go + + fi + + fi +} + +conf_fix_cachedir_perms () { + + if [ -f "/etc/squid/squid.conf" ]; then + dir=`grepconf2 cache_dir /var/spool/squid` + usr=`grepconf cache_effective_user proxy` + grp=`grepconf cache_effective_group proxy` + + if [ "$(/usr/bin/stat -L -c %U $dir)" != "$usr" ] || [ "$(/usr/bin/stat -L -c %G $dir)" != "$grp" ] ; then + db_input high "squid/fix_cachedir_perms" || true + db_go + fi + fi +} + +conf_fix_check_cache_dir +conf_fix_cachedir_perms --- squid-2.7.STABLE3.orig/debian/NEWS.Debian +++ squid-2.7.STABLE3/debian/NEWS.Debian @@ -0,0 +1,349 @@ +squid (2.7.STABLE2-2) unstable; urgency=low + + Squid 2.7 introduced a long listing of new features including partial + HTTP/1.1 support, modular logging, background object revalidation and + configuration file includes. + + Release notes with details of changes can be found in + + /usr/share/doc/squid/RELEASENOTES.html + + Changes to the configuration file: + + *Added directives* + + acl myportname + + new acl matching the incoming port name + + authenticate_ip_shortcircuit_ttl + authenticate_ip_shortcircuit_access + + controls the new IP based authentication cache. + + zph_mode + zph_local + zph_sibling + zph_parent + zph_option + + controls the Zero Penalty Hit support + + update_headers + + optimization to skip updating on-disk headers + + logfile_daemon + + new log file daemon support + + netdb_filename + + sas hardcoded to the first cache_dir + + storeurl_rewrite_program + storeurl_rewrite_children + storeurl_rewrite_concurrency + storeurl_access + + controls the new store URL rewrite functionality + + rewrite_access + rewrite + + controls the new builtin URL rewrite functionality + + max_stale + server_http11 + ignore_expect_100 + + Experimental HTTP/1.1 support knobs + + external_refresh_check + + new helper to allow custom cache validations in accelerator setups + + delay_body_max_size + + new way of using delay pools based on response size + + ignore_ims_on_miss + + optimization mainly targeted for accelerator setups + + max_filedescriptors + + can now be set runtime. Was previously hardcoded at build time and further limited by ulimit + + accept_filter + + optimization to avoid waking Squid up until a request has been received + + incoming_rate + + new tuning knob for high traffic conditions + + zero_buffers + + tuning knob to disable a new optimization + + *Changed directives* + + cache + + Suggested defaults modified + + cache_dir + + the "read-only" option has been renamed to "no-store" to better reflect the functionality + + cache_peer + + new multicast-siblings option, enabling multicast ICP sibling relations + + new idle=n option to keep a minimum pool of idle connections + + new http11 option to enable experimental HTTP/1.1 support + + external_acl_type + + New %URI format tag + + acl + + Suggested defaults cleaned up, defines a new "localnet" acl with RFC1918 addresses + + new "myportname" acl type matching the http_port name + + icp_access + + Suggested defaults cleaned up, now requires configuration to use ICP + + htcp_access + + Suggested defaults cleaned up, now requires configuration to use HTCP + + http_access + + Suggested defaults cleaned up, using a new "localnet" acl. + + http_port + + Accelerator mode options cleaned up (accel, defaultsite, vport, vhost and combinations thereof) + + new "allow-direct" option + + new "act-as-origin" option + + new "http11" option (experimental) + + new "name=" option + + nee "keepalive=" option + + https_port + + See http_port. + + logformat + + New format codes: oa (Our outgoing IP address), rp (Request URL-Path), sn (Unique sequence number) + + refresh_pattern + + Several new options: stale-while-revalidate, ignore-stale-while-revalidate, max-stale, negative-ttl + + Suggested defaults adjusted to match the changes in the cache directive. + + url_rewrite_program + + Future protocol change adding key=value pairs after the requests + + forwarded_for + + Has several new modes, allowing one to finetune how/if the requesting client IP should be forwarded in X-Forwarded-For + + *Removed directives* + + incoming_icp_average + incoming_http_average + incoming_dns_average + min_icp_poll_cnt + min_dns_poll_cnt + min_http_poll_cnt + + the above tuning knobs no longer have any effect and has been removed. + + -- Luigi Gangitano Sun, 1 Jun 2008 04:11:08 +0200 + +squid (2.6.1-3) unstable; urgency=low + + Squid 2.6 introduced a long listing of new features including ICAP support, + TPROXY support on Linux, epoll() support, WCCPv2 support and new + authentication helpers. + + Release notes with details of changes can be found in + + /usr/share/doc/squid/RELEASENOTES.html + + Changes to the configuration file: + + http_port + Now takes a list of options in addition to the port address, specifying the + purpose of this http_port. Default is plain Internet proxy as usual. + + httpd_accel_* for transparent proxy + Now implemented by the "transparent" http_port option + + httpd_accel_host + Replaced by defaultsite http_port option and cache_peer originserver option. + + httpd_accel_port + No longer needed. Server port defined by the cache_peer port. + + httpd_accel_uses_host_header + Replaced by vhost http_port option + + https_port + Many new options. Reconstructs URLs as https:// by default. + + cache_peer + Many new options to support origin servers and SSL encryption + + ssl_engine + New directive for hardware assisted SSL encryption + + sslproxy_* + New directives defining how to gateway http->https + + sslpassword_program + New helper directive to query an external program for SSL key encryption + password (if any) + + no_cache + Renamed to cache to better reflect the functionaliy. no_cache still + accepted. + + cache + New name for the old no_cache directive. + + cache_vary + New directive to disable caching of Vary:ing responses + + broken_vary_encoding + New directive to work around known broken compression modules which hasn't + understood the meaning of the ETag HTTP header in relation to + Accept-Encoding. + + logformat + New directive for defining custom log formats + + cache_access_log + Renamed to access_log + + access_log + Select what requests to log where any by what format. Support for multiple + log files and multiple log formats. + + check_hostnames + New option to disable the hostname validity/sanity checks usually performed + by Squid, replacing the similar build time configure option in 2.5. + + allow_underscore + New option to allow _ in hostnames, replacing the similar build time + configure option in 2.5 and earlier. + + dns_defnames + Allow for domain searches. Now possible even when using the internal DNS + client + + redirect_* + Renamed to url_rewrite_* to better reflect the functionality of this helper + (rewriting requested URLs) + + url_rewrite_concurrency + Activates a new and more efficient helper protocol. Requires changes in the + helper. + + location_rewrite_* + New helper hook for rewriting Location headers + + auth_param basic blankpassword + New option to allow the use of blank passwords. + + auth_param ntlm max_challenge_reuse / max_challenge_lifetime + No longer supported + + auth_param ntlm use_ntlm_negotiate + Directive no longer supported. Use of NTLM negotiate packet is always on. + + auth_param ntlm keep_alive + New option to fine-tune the use of HTTP keep-alive in combination with NTLM + + auth_param negotiate + New Negotiate authentication scheme, the "next generation" scheme in the + family of Microsoft authentication. + + external_acl_type + Many new format options %SRCPORT, %MYADDR, %MYPORT, %PATH, %USER_CERT, %ACL, + %DATA and a few variants. Helper protocol defaults to the simpler "3.0" + protocol, and there is support for a highly efficient protocol via the + concurrency= option if supported by the helper. + + refresh_pattern + Several new HTTP override/ignore options + + read_ahead_gap + New directive to set the response buffer size. + + collapsed_forwarding + New directive to enable an alternative optimized forwarding path when there + is very many concurrent requests for the same URL. + + refresh_stale_hit + New directive similar to collapsed_forwarding and activates an alternative + optimized request processing when there is very many concurrent requests for + the same recently expired URL. + + acl urlgroup + New acl class + + acl user_cert + New acl class matching the user SSL certificate (https_port) + + acl ca_cert + New acl class matching the CA of the user SSL certificate (https_port) + + acl ext_user / ext_user_regex + New acl matching usernames returned by external acl + + follow_x_forwarded_for + New option to enable parsing of X-Forwarded-For headers allowing access + controls to be based on the real client IP even if behind secondary proxies + + http_access2 + New http_access type directive but evaluated after url rewrites + + htcp_access, htcp_clr_access + Access control on HTCP requests + + log_access + New directive to limit what gets logged. + + httpd_suppress_version_string + Enable hiding of the Squid version + + umask + New directive to specify the minimum umask Squid should run under + + error_map + New directive to allow dynamic rewrites of error pages + + via + New directive to disable the use of the Via directive + + wccp2_* + WCCP2 protocol support + + -- Luigi Gangitano Wed, 12 Jul 2006 15:11:08 +0200 + --- squid-2.7.STABLE3.orig/debian/conffiles.squid-cgi +++ squid-2.7.STABLE3/debian/conffiles.squid-cgi @@ -0,0 +1 @@ +/etc/squid/cachemgr.conf --- squid-2.7.STABLE3.orig/debian/squid.rc +++ squid-2.7.STABLE3/debian/squid.rc @@ -0,0 +1,177 @@ +#! /bin/sh +# +# squid Startup script for the SQUID HTTP proxy-cache. +# +# Version: @(#)squid.rc 2.20 01-Oct-2001 miquels@cistron.nl +# +### BEGIN INIT INFO +# Provides: squid +# Required-Start: $local_fs $network +# Required-Stop: $local_fs $network +# Should-Start: $named +# Should-Stop: $named +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Squid HTTP Proxy +### END INIT INFO + +NAME=squid +DAEMON=/usr/sbin/squid +LIB=/usr/lib/squid +PIDFILE=/var/run/$NAME.pid +SQUID_ARGS="-D -YC" + +[ ! -f /etc/default/squid ] || . /etc/default/squid + +. /lib/lsb/init-functions + +PATH=/bin:/usr/bin:/sbin:/usr/sbin + +[ -x $DAEMON ] || exit 0 + +grepconf () { + w=" " # space tab + sq=/etc/squid/squid.conf + # sed is cool. + res=`sed -ne ' + s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p; + t end; + d; + :end q' < $sq` + [ -n "$res" ] || res=$2 + echo "$res" +} + +grepconf2 () { + w=" " # space tab + sq=/etc/squid/$NAME.conf + # sed is cool. + res=`sed -ne ' + s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p; + t end; + d; + :end q' < $sq` + [ -n "$res" ] || res=$2 + echo "$res" +} + +# +# Try to increase the # of filedescriptors we can open. +# +maxfds () { + [ -n "$SQUID_MAXFD" ] || return + [ -f /proc/sys/fs/file-max ] || return 0 + global_file_max=`cat /proc/sys/fs/file-max` + minimal_file_max=$(($SQUID_MAXFD + 4096)) + if [ "$global_file_max" -lt $minimal_file_max ] + then + echo $minimal_file_max > /proc/sys/fs/file-max + fi + ulimit -n $SQUID_MAXFD +} + +start () { + cdr=`grepconf2 cache_dir /var/spool/$NAME` + ctp=`grepconf cache_dir ufs` + + case "$cdr" in + [0-9]*) + log_failure_msg "squid: squid.conf contains 2.2.5 syntax - not starting!" + log_end_msg 1 + exit 1 + ;; + esac + + # + # Create spool dirs if they don't exist. + # + if [ -d "$cdr" -a ! -d "$cdr/00" ] || [ "$ctp" = "coss" -a ! -f "$cdr" ] + then + log_warning_msg "Creating squid cache structure" + $DAEMON $SQUID_ARGS -z + fi + + if [ "$CHUID" = "" ]; then + CHUID=root + fi + + maxfds + umask 027 + start-stop-daemon --quiet --start \ + --pidfile $PIDFILE \ + --chuid $CHUID \ + --exec $DAEMON -- $SQUID_ARGS < /dev/null + return $? +} + +stop () { + PID=`cat $PIDFILE 2>/dev/null` + start-stop-daemon --stop --quiet --pidfile $PIDFILE --name squid + # + # Now we have to wait until squid has _really_ stopped. + # + sleep 2 + if test -n "$PID" && kill -0 $PID 2>/dev/null + then + log_action_begin_msg " Waiting" + cnt=0 + while kill -0 $PID 2>/dev/null + do + cnt=`expr $cnt + 1` + if [ $cnt -gt 24 ] + then + log_action_end_msg 1 + return 1 + fi + sleep 5 + log_action_cont_msg "" + done + log_action_end_msg 0 + return 0 + else + return 0 + fi +} + +case "$1" in + start) + log_daemon_msg "Starting Squid HTTP proxy" "squid" + if start ; then + log_end_msg $? + else + log_end_msg $? + fi + ;; + stop) + log_daemon_msg "Stopping Squid HTTP proxy" "squid" + if stop ; then + log_end_msg $? + else + log_end_msg $? + fi + ;; + reload|force-reload) + log_action_msg "Reloading Squid configuration files" + $DAEMON -k reconfigure + log_action_end_msg 0 + ;; + restart) + log_daemon_msg "Restarting Squid HTTP proxy" "squid" + stop + if start ; then + log_end_msg $? + else + log_end_msg $? + fi + ;; + status) + status_of_proc -p "$PIDFILE" "$DAEMON" squid && exit 0 || exit $? + ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}" + exit 3 + ;; +esac + +exit 0 + --- squid-2.7.STABLE3.orig/debian/README.ldap_auth +++ squid-2.7.STABLE3/debian/README.ldap_auth @@ -0,0 +1,34 @@ + +This LDAP Authentication code is written by Glen Newton +. + +Please see his Web page at: +http://orca.cisti.nrc.ca/~gnewton/opensource/squid_ldap_auth/ + +Description: + +squid_ladp_auth is a drop in replacement for the ncsa_auth.c +distributed with the squid proxy server (http://squid.nlanr.net) which +allows you to authenticate against an LDAP server. To use, include +something like the following in your squid.conf file: + +# authenticate_program +/usr/lib/squid/ldap_auth -b searchbase my.ldap.server.com +# + +This indicates that you want squid_ldap_auth to take the userid +and password submited by the proxy user, and see if you can bind to +the LDAP server running on 'my.ldap.server.com'. The searchbase +should be something like "ou=people,o=nrc.ca" or +"ou=users,dc=debian,dc=org". + +In order to use squid_ldap_auth, you will also need to install +the OpenLDAP libraries (libopenldap2_*.deb) + +You can test it by running it manually like + +/usr/lib/squid/ldap_auth -b ou=users,dc=debian,dc=org db.debian.org + +Input "usernamepassword" pairs. The authentication module +will answer back with OK or ERR. End the session with Control-D. + --- squid-2.7.STABLE3.orig/debian/postrm.squid-cgi +++ squid-2.7.STABLE3/debian/postrm.squid-cgi @@ -0,0 +1,10 @@ +#! /bin/sh + +set -e + +if [ "$1" = "purge" -a -e /usr/share/debconf/confmodule ]; then + # Source debconf library. + . /usr/share/debconf/confmodule + # Remove my changes to the db. + db_purge +fi --- squid-2.7.STABLE3.orig/debian/default.squid +++ squid-2.7.STABLE3/debian/default.squid @@ -0,0 +1,8 @@ +# +# /etc/default/squid Configuration settings for the Squid proxy server. +# + +# Max. number of filedescriptors to use. You can increase this on a busy +# cache to a maximum of (currently) 65536 filedescriptors. Default is 1024. +SQUID_MAXFD=1024 + --- squid-2.7.STABLE3.orig/debian/copyright +++ squid-2.7.STABLE3/debian/copyright @@ -0,0 +1,32 @@ + +SQUID Internet Object Cache http://squid.nlanr.net/Squid/ +-------------------------------------------------------- + + This software product, SQUID, is developed by a team of individuals, + and copyrighted (C) 2001 by the Regents of the University of + California, with all rights reserved. UCSD administered the NLANR + Cache grants, NCR 9616602 and NCR 9521745 under which most of this + code was developed. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, + MA 02110-1301, USA. + + On Debian GNU/Linux systems, a copy of the GNU General Public License + can be found in /usr/share/common-licenses/GPL. + +Squid is derived from the ``cached'' software from the ARPA-funded +Harvest research project. The Harvest home page is +http://harvest.cs.colorado.edu/. +