SQUISH FAQ -- http://www.ledge.co.za/software/squint/squish/


WHAT IS SQUISH FOR?

Q. How does this software help against malware/viruses/etc?
A. If your computer runs a program which polls a web site for
   instructions, you will quickly exceed your daily allocation of time or
   bandwidth. This does not solve the problem, but should make it easier
   to identify.

Q. What's with the version number?
A. You're going to tell me about the bugs, then I'll fix them, and we can
   have another version.

Q. Why would I ever want to use the --notime option?
A. To test squish with old data. That's the only occasion.


INSTALLATION OF SQUISH

Q. How do I install squish?
A.
    make install

   These are the prerequisites (failing which things will just die
   inexplicably):
    - squid
    - apache (for CGI part)
    - perl
    - perl-GD
    - gd
    - cron

Q. http://localhost/squish/squish.cgi says "Can't locate GD.pm in @INC"
A. Install perl-GD. On SuSE 9.2, you need these packages:

    perl-GD-2.16-3
    gd-2.0.28-2

   If you don't have it with your distribution, try

    perl -MCPAN -e 'install GD'

Q. How do I uninstall?
A.
    rm -r /usr/local/squish /var/lib/squish   # be careful ...
    vi /etc/crontab                           # remove squish entries
    vi /etc/squid/squid.conf                  # remove SQUISH parts
    vi /etc/apache/httpd.conf                 # remove include.*squish part

Q. Can squish display usernames instead of ip addresses?
A. squish will use the user name if squid insists on authentication (or
   ident). If there is no user name, then it will use the IP address.
   There is (currently) no method for conversion, mapping or making things
   look prettier. Continued with next question ...

Q. How do I set up squid to require authentication?
A. Add the following directives in /etc/squid/squid.conf ...

    # With the other auth_param stuff ...
    auth_param basic program /usr/lib/squid/pam_auth
    # Add this somewhere ... (defines "AUTHENTICATED" acl)
    acl AUTHENTICATED proxy_auth REQUIRED
    # Below the SQUISHED stuff ... (checks that you're AUTHENTICATED)
    http_access allow AUTHENTICATED

   If you're using ntlm auth, you may need to do this instead (haven't
   tried)...

    http_access allow AUTHENTICATED !SQUISHED1

Q. How do I do squid acl's?
A. A few simple rules:
   (a) Every acl defined with "acl" is evaluated for every request (kinda)
   (b) For each request, http_access lines are evaluated in the order that
       they are listed, until one says "allow" or "deny".
   (c) If you list a number of acl's for an http_access rule, then all the
       listed acl's must match for the 'allow' or 'deny' to trigger.

Q. How do I stop squish without breaking squid?
A. (a) You can reconfigure squid and comment out the SQUISH.* rules.
   (b) You can comment out all the lines in /etc/squish/squish.conf so that
       there are no limits. Run /usr/local/squish/squish.cron.sh to update.
   (c) You can stop squish from running periodically by editing
       /etc/crontab.
   If you modify /etc/squid/squished directly, then remember to reload
   squid (/etc/init.d/squid reload).


CONFIGURATION

Q. Where's the configuration file?
A. /etc/squid/squish.conf

Q. How can I set the download limit?
A. Modify /etc/squid/squish.conf. All lines apply to all users that they
   match. So here's a restriction for a specific user:

    andrew 4h/day 60Mb/day 100Mb/week


BUGS AND ARB' QUESTIONS

Q. Help! I've been squished!
A. Sorry.

Q. I'm sorry! I didn't mean it! Can I have an emergency reserve?
A. No - sorry - ask your friendly sysadmin, or use another account /
   computer, etc.

Q. How long must I wait?
A. You must wait until your data falls off the end of the graph. This is
   usually until tomorrow (especially on Fridays).

Q. I keep getting my browser madly reloading http://my.proxy.svr/squish/?
   Aaargh!
A. In /etc/hosts, you have multiple conflicting definitions of your fully
   qualified host name. Remove all of them except one.

    # /etc/hosts sample:
    10.0.0.1        my.proxy.svr      # REMOVE or RENAME THIS
    192.168.54.32   my.proxy.svr my

   The effect of having two definitions for your host name is that the
   dstdomain acl in squid.conf does not work correctly.

Q. Can I download a file bigger than my daily quota?
A. Just do it. You'll get squished when the download completes, but don't
   worry about that. Being squished does not affect downloads currently in
   progress, unless the connection is interrupted.

Q. What's with the weirdo indigo cyan colour of the headings?
A. I spilled C0FFEE in the HTML. I was tired.

Q. I've been squished, but now I just stay squished...
A. You probably go through the proxy to see whether you're squished. Don't
   check too often - because that is counted as squishable browsing time.
   Remember - you're supposed to be working.


TROUBLESHOOTING

Q. I see this in /var/log/squid/cache.log (or on the terminal)

    Reloading WWW-proxy squid
    | aclParseAclLine: IGNORING: Proxy Auth ACL 'acl SQUISHED1 proxy_auth "/etc/squid/squished"' because no authentication schemes are fully configured.
    | aclParseAclLine: IGNORING invalid ACL: acl SQUISHED1 proxy_auth "/etc/squid/squished"
    | aclParseIpData: Bad host/IP: 'aardvarkscantsquishants'
    | squid.conf line 1842: http_access deny SQUISHED1
    | aclParseAccessLine: ACL name 'SQUISHED1' not found.
    | squid.conf line 1842: http_access deny SQUISHED1
    | aclParseAccessLine: Access line contains no ACL's, skipping
    | aclParseAclLine: IGNORING: Proxy Auth ACL 'acl SQUISHED1 proxy_auth "/etc/squid/squished"' because no authentication schemes are fully configured.
    | aclParseAclLine: IGNORING invalid ACL: acl SQUISHED1 proxy_auth "/etc/squid/squished"
    | aclParseIpData: Bad host/IP: 'aardvarkscantsquishants'
    | squid.conf line 1842: http_access deny SQUISHED1
    | aclParseAccessLine: ACL name 'SQUISHED1' not found.
    | squid.conf line 1842: http_access deny SQUISHED1
    | aclParseAccessLine: Access line contains no ACL's, skipping

   What's this about?
A. This is not a fatal error, but a warning from squid. To make life
   simpler (not for you -- for me), squish makes one list, mixing up IP
   addresses and user names. Squish's installer doesn't check if you are
   using ident, proxy_auth or no authentication -- it just installs for
   all three. However, squid finds this a little annoying. If it bothers
   you, you can remove the SQUISHED1 lines -- or whichever ones squid
   complains about. I'll accept suggestions / shell snippets on automating
   this ...

Q. Why do I keep getting redirected to this site that doesn't exist --
   http://foo.bar/squish/?squished& --?
A. This URL is in the squid.conf file -- "foo.bar" should be your
   hostname -- the output of "hostname -f". You can set this by modifying
   /etc/hostname or /etc/HOSTNAME, depending on distribution. You probably
   also need to set your host name in /etc/hosts ...

    /etc/HOSTNAME:  foo.bar.info
    /etc/hostname:  foo
    /etc/hosts:     192.168.44.4 foo.bar.info foo

   This URL is served by an apache server, which is assumed to run on the
   same host ...

Q. My user names are all in capitals, and squid doesn't match them!
A. Try this:

      Just thought I would try

        acl SQUISHED1 proxy_auth -i "/etc/squid/squished"

      The -i switch works for "proxy_auth_regex" to force Squid to ignore
      case. Not a documented switch for "proxy_auth" - but it just goes to
      show that a bit of hacking can go a long way. You might want to add
      this as a tip in the documentation for your next version.

   (Thanks Patrick)


CAN'T YOU JUST ...

Q. I want squish to do something it doesn't already do ...
A. Tell me -- andrew at ledge.co.za is a good starting point. Offer to pay
   a truly inspiring amount, and we may be able to do wonders for you.
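
Added example (not part of squish, squid or the original FAQ): a toy model of rules (b) and (c) from "How do I do squid acl's?", showing why the allow AUTHENTICATED line has to sit below the SQUISHED deny line. The first_match function and the two rule files are hypothetical; only the http_access lines themselves come from this FAQ.

```shell
# Toy model of squid's http_access evaluation (added example, not squid code).
# first_match RULES_FILE [ACL...]: ACL... are the acl names the request matches.
# Prints the action of the first http_access line whose acls ALL match,
# or "none" if no line matches.
first_match() {
    rules=$1; shift
    matched=" $* "
    while read -r directive action acls; do
        [ "$directive" = http_access ] || continue
        hit=yes
        for acl in $acls; do
            case $acl in
                '!'*) want=no;  name=${acl#?} ;;   # !NAME: must NOT match
                *)    want=yes; name=$acl ;;
            esac
            case $matched in
                *" $name "*) have=yes ;;
                *)           have=no ;;
            esac
            [ "$want" = "$have" ] || { hit=no; break; }
        done
        if [ "$hit" = yes ]; then
            echo "$action"
            return 0
        fi
    done < "$rules"
    echo none
}

# Constructed rule files: the order from this FAQ, and the same lines swapped.
demo=$(mktemp -d)
printf '%s\n' 'http_access deny SQUISHED1' \
              'http_access allow AUTHENTICATED' > "$demo/faq_order"
printf '%s\n' 'http_access allow AUTHENTICATED' \
              'http_access deny SQUISHED1' > "$demo/swapped"

# A logged-in user who is over quota matches both acls.
echo "faq order: $(first_match "$demo/faq_order" AUTHENTICATED SQUISHED1)"
echo "swapped:   $(first_match "$demo/swapped" AUTHENTICATED SQUISHED1)"
rm -r "$demo"
```

With the lines swapped, the over-quota user is allowed before the deny line is ever reached, so the quota is never enforced.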
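
On the request for shell snippets under TROUBLESHOOTING, an added example (not part of squish): one possible way to split the mixed list into an IP-only file and a name-only file, so that user names such as 'aardvarkscantsquishants' never reach a list that squid parses as IP addresses. The function names and output file names are assumptions; the sample entries are constructed from values used in this FAQ.

```shell
# Added example, not part of squish. Output file names are hypothetical.
# is_ipv4 ENTRY: succeed if ENTRY is a dotted quad, optionally with /mask.
is_ipv4() {
    addr=${1%%/*}
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# split_squished MIXED IP_OUT USER_OUT: copy each entry to the matching file.
split_squished() {
    mixed=$1; ip_out=$2; user_out=$3
    : > "$ip_out"
    : > "$user_out"
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;          # skip blanks and comments
        esac
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry" >> "$ip_out"
        else
            printf '%s\n' "$entry" >> "$user_out"
        fi
    done < "$mixed"
}

# Constructed sample list, using values that appear in this FAQ.
demo=$(mktemp -d)
printf '%s\n' 192.168.54.32 andrew aardvarkscantsquishants 10.0.0.1 \
    > "$demo/squished"
split_squished "$demo/squished" "$demo/squished.ip" "$demo/squished.user"
echo "IP entries:";   cat "$demo/squished.ip"
echo "User entries:"; cat "$demo/squished.user"
rm -r "$demo"
```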