My New Book on Squid Proxy Server (A Beginner’s Guide)

I have not blogged since a long time mainly because I was a bit busy authoring a book Squid Proxy Server 3.1: Beginner’s Guide for Packt Publications. The book is an introductory guide to Squid (especially the new features in Squid-3 series) covering both the basic aspects as well as the in dept details for advanced users. The book focuses on learning by doing and provides example scenarios for the concepts discussed throughout the book. Access control configuration, reverse proxying, interception proxying, authentication and other features have been discussed in details with examples.

Checkout the links below:


Tip: Multiproxy Switch : Easily use multiple proxies in Firefox

A lot of people (especially working people with mobile devices like notebook/netbooks) need to use different proxy servers at home and office. There are several Firefox extensions available to achieve the required functionality but IMHO Multiproxy Switch(Mozilla Addon Page) is the best because

  1. Its simple and easy to use. It does what it should. No fancy/extra terrestrial stuff. Just switch proxies :)
  2. Easy and Firefox like interface to specify different proxies. Many extensions add their own fancy interfaces for specifying proxies which eventually suck big time.
  3. I am a fan of this one. The No-Proxy list. I could never understand those regular expression based no-proxy lists in FoxyProxy. Multiproxy Switch has Firefox like No-Proxy list which rocks and understandable :)

If you happen to come across a better proxy switcher for Firefox, do let us know :)


How To: Install/Configure GNUMP3d – Streaming Audio Server


GNUMP3d is the GNU Streaming MP3/Media Server written in perl. Our mission is to setup GNUMP3d and stream audio over LAN or over internet. Below are the essential steps to install and configure GNUMP3d.


Download latest version of GNUMP3d from GNUMP3d Website.


[kulbirsaini@fedora ~]$ tar -xjf gnump3d-x.x.tar.bz2


[root@fedora ~]$ cd gnump3d-3.0
[root@fedora ~]$ make install (as root)

Now gnump3d is installed on your system. Now you need to configure it according to your taste.


The configuration file is located at /etc/gnump3d/gnump3d.conf. For casual use, you just need to configure port, binding_host and root.

# Port to which gnump3d will be accessible via web interface or via a media player like xmms or winamp.
port = 1111
# The IP Address where gnump3d will bind itself.
binding_host =
# If you want the stream to be accessible via a fully qualified domain name, set hostname variable.
# You don't need to set this in most cases e.g. while setting up gnump3d on LAN.
hostname =
# The directory where are your music files resides.
root = /stuff/Music/

Though you can skip rest of the configuration, you may try to explore other options. My gnump3d.conf file can be download from here.

Thats all you need to do to configure gnump3d.


Now you need to index all you music collection (the audio files in gnump3d root). Run the following command to index

[root@fedora ~]$ gnump3d-index --verbose

Run gnump3d

Once the indexing is done, you are all set to run gnump3d. By default gnump3d tries to index all files whenever you start it, to avoid this we need to use –fast option.

[root@fedora ~]$ gnump3d --fast

By default gnump3d runs in foreground. If you want it to go in background and run quietly, run it as follows.

[root@fedora ~]$ gnump3d --fast --background

Accessing Media Server

To access your gnump3d streaming media server, please visit url http://ip_address:port/ .

Run at startup

If you want gnump3d to start when your computer starts add the following line to /etc/rc.local file.

gnump3d --fast --background

Feel free to comment in case you have a problem.


How To: Install and Configure GitWeb

UPDATE : I recommend using GitList instead of GitWeb. GitList is much easier to setup and has a better web interface. Continue reading this post if you looking for GitWeb setup instructions specifically.


Setting up gitweb (web interface for SCM software git) for your project’s git repository for public access and developer commits via ssh.


  1. You already have your project’s git repository.
  2. You have hosting space somewhere to host gitweb.
  3. You have root access.
  4. You are using Apache as webserver.

Example for this howto

Project : VideoCache
Domain for gitweb :
URL for git access for videocache :
Actual path on server : /home/saini/domains/
Git repository : /home/saini/projects/videocache/


Installation is pretty easy. Just one single command would do everything.

[root@localhost ~]# yum install gitweb (do as root)

This will create a directory /var/www/git which is default for gitweb.

Copy the directory /var/www/git/ to /home/saini/domains/

[root@localhost ~]# cp -r /var/www/git /home/saini/domains/


1. GitWeb

Open the file /etc/gitweb.conf (it may or may not be there) and add the following lines to it.

# Change This
$projectroot = '/home/saini/domains/';
# Change This
$site_name = "Kulbir Saini's git trees.";
# Don't Change the variables below
$my_uri = "/";
$home_link = '/';
@stylesheets = ("/gitweb.css");
$favicon = "/git-favicon.png";
$logo = "/git-logo.png";

2. Apache

Open the file /etc/httpd/conf.d/git.conf and clear all the lines that are already there and add the following lines to it

  DocumentRoot /home/saini/domains/
  ErrorLog "/home/saini/domains/"
  CustomLog "/home/saini/domains/" combined
  SetEnv  GITWEB_CONFIG  /etc/gitweb.conf
  DirectoryIndex gitweb.cgi
    Allow from all
    AllowOverride all
    Order allow,deny
    Options +ExecCGI
    AddHandler cgi-script .cgi
      SetHandler cgi-script
    RewriteEngine on
    RewriteRule ^[a-zA-Z0-9_\-]+\.git/?(\?.*)?$ /gitweb.cgi%{REQUEST_URI} [L,PT]

3. Git repository configuration

Go to your git repository (/home/saini/projects/videocache/) and make the following changes.

(a). Open file .git/description and add a short nice description for your project.

videocache is a squid url rewriter plugin written in Python to facilitate youtube, metacafe, dailymotion, google, vimeo, msn soapbox,,, videos and audio caching.

(b). Open file .git/config and append the following lines

  owner = "Kulbir Saini"

Copy project’s git repository for gitweb

Copy the /home/saini/projects/videocache/.git directory to /home/saini/domains/

[root@localhost ~]# cp -r /home/saini/projects/videocache/.git /home/saini/domains/

Finishing Step

Restart Apache webserver.

[root@localhost ~]# service httpd restart

Now you can browser a list of your projects’ git repositories at .

Adding another project repository

Just copy the project repository’s .git directory to /home/saini/domains/ And it’ll be shown on the list.

Committing (pushing) to the repository

For committing to the repository via ssh use the following command.

# Pushing everything (Please see the username)
[root@localhost videocache]# git push --all ssh://

To update tags on the remote repository use this command.

# Pushing all tags
[root@localhost videocache]# git push --tags ssh://

Well, if you consider just the web interface and committing part for your project, thats all. But things can be fine tuned further. Below are few hacks!

1. Enabling nice urls.

By default the urls for browsing repository via git web are pretty crappy and difficult to remember. The RewriteRule and RewriteEngine lines in your Apache configuration file (/etc/httpd/conf.d/git.conf) takes care of that and produce nice and clean urls.

So you can browser the repository via instead of;a=summary.

2. Enabling remote ls (git-ls-remote or git ls-remote)

This is the most trickiest part. If you try the command below, it won’t produce any output

[root@localhost ~]# git-ls-remote

You need to go to project’s repository in gitweb and then run the following command to update the server info for git.

[root@localhost ~]# cd /home/saini/domains/
[root@localhost ~]# git-update-server-info

Try the ls-remote command now and it should succeed by producing all the branches and tags in the remote repository.

But there is a problem, you have to run the above command after every commit to the remote repository. To solve this issue, you can enable post-update hook for the project’s repository in gitweb. Use the following command to enable it.

[root@localhost ~]# cd /home/saini/domains/
[root@localhost ~]# chmod +x post-update

The above command will update the server info automatically every time you commit.

Thats all you need to do for setting up gitweb. I hope this will be helpful.


How To: Boot Fedora Faster

Note: These tricks apply to any Linux based OS. But I have tested them only on Fedora, so can’t say whether they’ll work on other Linux(s).

My current Fedora installation is now almost one and a half years old. Yes. I am still using Fedora 7 😀 I have Fedora 10 on my other machine. Coming to the agenda, my Fedora installation has grown beyond control and I have services from named, squid, drbl, privoxy, vsftpd, vbox*, smb and what not on a personal desktop. These services really force my system startup to slow down to more than two minutes. While shutting down, its very easy to just cut the power supply but while booting up I can’t help and it frustrates me. And what frustrates me further that I have 4GB DDR2 RAM and AMD64 X2 5600+ (2.8GHz x 2) and booting time is still more than two minutes.


  • Boot Fedora faster using whatever techniques possible.

Remove the services from normal order and delay their execution to a later stage. So, services like network, squid, privoxy, named, vsftpd, smb etc. doesn’t make sense unless I am not logged in and using them. Let us start them after we have login screen.

Turn off all the services by using the command

[root@bordeaux ~]# chkconfig service_name off

where service_name is the service you want to turn off.

Now create a file /etc/ Enter a line like this

[root@bordeaux ~]# service service_name start

for every service that you have turned off in the Step 1.1 and you want it to be running after your machine starts up. Now, your file should look like this

service network start &
service sshd start &
modprobe it87 &
modprobe k8temp &
/usr/bin/iptraf -s eth0 -B &
/usr/bin/iptraf -s lo -B &
service squid start &
service privoxy start &
service httpd start &
service mysqld start &
service named start &
service smb start &
service vboxdrv start &
service vboxnet start &
service vsftpd start &

Add the following line to /etc/rc.local file

/bin/bash /etc/ &

Done!!! Notice the &s in both files. They are for execution in background so that a process can block boot process. You’ll observe a drop of 10-20 seconds in system startup time.

Problem with Hack #1 : The execution is not really parallel. It executes like a process in the background. So we can’t get the real advantage of parallel execution.

Hack #2 solves this problem. Now we don’t put processes in background. We use daemon forking to fork a separate daemon process which will start all the services for us in parallel. Here we’ll get the real advantage and startup time will decrease further.

This step is totally similar to Step 1.1. So skipping it.

This step is also similar to Step 1.2. The /etc/ file should look like this.

service network start
service xinetd start
service crond start
service anacron start
service atd start
service sshd start
service rpcbind start
service rpcgssd start
service rpcimapd start
modprobe it87
modprobe k8temp
/usr/bin/iptraf -s eth0 -B
/usr/bin/iptraf -s lo -B
service nasd start
service squid start
service privoxy start
service httpd start
service iptables start
service lm_sensors start
service mysqld start
service named start
service nfs start
service nfslock start
service smb start
service vboxdrv start
service vboxnet start
service vsftpd start
service autofs start
service smartd start

Notice the absence of &s in the file.

Download the attached file attached at the end of this post or copy paste the following code to /etc/ file.

#!/usr/bin/env python
# (C) Copyright 2008 Kulbir Saini
# License : GPL
import os
import sys
def fork_daemon(f):
    """This function forks a daemon."""
    # Perform double fork
    r = ''
    if os.fork(): # Parent
        # Wait for the child so that it doesn't defunct
        # Return a function
        return  lambda *x, **kw: r
    # Otherwise, we are the child
    # Perform second fork
    if os.fork():
    def wrapper(*args, **kwargs):
        """Wrapper function to be returned from generator.
        Executes the function bound to the generator and then
        exits the process"""
        f(*args, **kwargs)
    return wrapper
def start_services(startup_file):
    command = '/bin/bash ' + startup_file + ' > /dev/null 2> /dev/null '
if __name__ == '__main__':
    forkd = fork_daemon(start_services)
    print 'Executing ', sys.argv[1], '[  OK  ]'

Add the following line to your /etc/rc.local file.

/usr/bin/python /etc/ /etc/

Thats it. Done!!! Now you’ll experience a boost of about 25-30 seconds of decrease in boot time.

Stats of my machine

With all services started in normal order : 2minutes.
With Hack #1 : 1minute 42 seconds.
With Hack #2 : 1minute.

Warning : These hacks may break your system and can make it unusable. Use at your own risk.


Crack: Google Authentication Services are Vulnerable

There is a vulnerability in the way Google authentication service works. Whenever you login to any of the Google’s online services like GMail, Orkut, Groups, Docs, Youtube, Calendar etc., you are redirected to an authentication server which authenticates against the entered username and password and redirect back to the required service (GMail, Youtube etc.) setting the session variables.

Now, if you are able to grab the url used to set the session variables, you can login as the user to whom that url belongs from any machine on the Internet (need not be the machine belonging to the same subnet) without entering the username and password of the user.

The proxy servers in the organizations can be used to exploit this vulnerability. Squid is the most popular proxy server used. In the default configuration, squid strips the query terms of a url before logging. So, this vulnerability can’t be exploited. But if you turn off the stripping mechanism by adding the line shown below, then squid will log the complete url.

strip_query_terms off

So, after turning stripping mechanism off, the log will contain urls which will look like this

Replace with your tld specific to your country. If you paste this url in any browser, it’ll directly log you in and you can do whatever you want to that account. Remember that all such urls remains valid only for two minutes. So, if you use that url after two minutes, it’ll lead nowhere.

At the time of writing this post Orkut, Google Docs, Google Calendar, Google Books and Youtube are vulnerable.

So, make sure your squid has stripping mechanism turned on and your squid server is properly firewalled.

You can watch the Video proof for Orkut on, Youtube.


Humour: Funny Apache Logs

The other day I was debugging my drupal installation and had a look at the Apache error logs. And this is what I found 😀

[root@gofedora html]# tail -f /var/log/httpd/error_log
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23229)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23230)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23231)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23232)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23233)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23234)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23235)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23236)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23237)
[Fri Nov 28 21:00:16 2008] [warn] long lost child came home! (pid 23238)

Reminded me of famous Indian saying, “Kumbh ke mele mein khoya wapis aa gaya“.

And Apache logs it as a warning. You long lost child has come home. You gotta run 😛


IntelligentMirror: RPM and DEB Caching Improved (0.5)

After spending a lot of time with youtube cache, now I am trying to devote some time to update intelligentmirror with required features and enhancements that youtube cache already enjoys. In the same direction here is version 0.5 of intelligentmirror.


  • Added max_parallel_downloads options to controll the maximum threading fetching from upstream to cache the packages.
  • Fine grained control on logging via max_logfile_size and max_logfile_backups option.
  • Added setup script to help you install intelligentmirror. No need to execute commands one by one for installation. Just run
 [root@localhost]# python install [ENTER]
  • Added update script (update-im). So in case you decide to change the locations for caching rpm/deb packages, just run
 [root@localhost]# update-im [ENTER]


 [root@localhost]# /usr/sbin/update-im [ENTER]
  • Download scheduler similar to youtube cache is added to facilitate the download queing in case of large number of requests.
  • More informative logging.
  • cache.log is not flooding anymore with XMLRPC logs and python tracebacks.
  • Added extensive exception handling thoughout the program.


  1. RPMs for Fedora/Red Hat/Cent OS
  2. Source RPMs for Fedora/Red Hat/Cent OS
  3. Source Tar balls

Installation and Configuration

INSTALL and README files should help you throughout the installation and configuration process.

In case you have questions, ask them here in comments. Suggestions for improvement are welcome :)


How To: Configure Caching Nameserver (named)


To configure a caching nameserver on a local machine which will cascade to another previously configured and functional nameserver (may or may not be caching. It’ll generally be your ISP nameserver or the one provided by your organization).


  • Reduces the delay in domain name resolution drastically as the requests for frequently accessed websites are served from cache.


  • named gets a request for domain resolution.
  • It checks whether the request can be satisfied from cache. If the answer is in cache and not stale, the request is satisfied from cache itself saving a lot of time :)
  • If request can’t be satisfied from cache, named queries the first parent. If it replies with the answer, then named will cache the response and subsequent requests for the same domain name will be satisfied from the cache.
  • In case first parent fails to reply, named will query the second parent and so on.

(The working is my understanding of caching-nameserver using wireshark as traffic analysis tool and caching-nameserver may not behave exactly as explained above.)

How to install

named is by default on most of the systems by the package name ‘caching-nameserver‘. If its not present on your system, install using

[root@localhost ~]# yum install caching-nameserver [ENTER]
# If that doesn't work try this
[root@localhost ~]# yum install bind [ENTER]

How to configure

The main configuration file for named resides in /var/named/chroot/etc/named.caching-nameserver.conf which is also soft linked from /etc/named.caching-nameserver.conf . named configuration file supports C/C++ style comments.

For a caching nameserver which will cascade to another nameserver, there is nothing much to be configured. You need to configure “options” block. Below is a configuration file for a machine with IP address cascading to two nameserver and The comments inline explain what each option does.

options {
  // Set the port to 53 which is standard port for DNS.
  // Add the IP address on which named will listen separated by semi-colons.
  // It'll be your own IP address.
  listen-on port 53 {;;};
  // These are default. Leave them as it is.
  directory   "/var/named";
  dump-file   "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  // The machines which are allowed to query this nameserver.
  // Normally you'll allow only your machine. But you can allow other machines also.
  // The address should be separated by semi-colons. To allow a network,
  // the line would be
  // allow-query {localhost;; };
  // Don't forget the semi-colons.
  allow-query     { localhost;; };
  recursion yes;
  // The parent nameservers. List all the nameserver which you can query.
  forwarders {;; };
  forward first;
logging {
        channel default_debug {
                file "data/";
                severity dynamic;
zone "." IN {
  type hint;
  file "";
include "/etc/named.rfc1912.zones";

Start caching-nameserver

Now start the caching-nameserver using the following command

[root@localhost ~]# server named start [ENTER]


[root@localhost ~]# /etc/init.d/named start [ENTER]

To make named start every time your reboot your machine use following command

[root@localhost ~]# chkconfig named on [ENTER]

Using caching-nameserver

To use your caching-nameserver, open /etc/resolv.conf file and add the following line


Comment all other lines in the file, so that finally the file looks like

; generated by /sbin/dhclient-script

Now your system will use your own nameserver (in caching mode) for resolving all domain names. To test if your nameserver use the following command

[root@localhost ~]# dig [ENTER]

Now if you use that command for the second time, the resolution time will be around 2-3 milli seconds while first time it would be around 400-700 milli seconds.


Below is two subsequent runs of dig for . Notice the Query time.

[root@bordeaux SPECS]# dig
; <<>> DiG 9.4.2rc1 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7839
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;                  IN      A
;; ANSWER SECTION:           83629   IN      A
;; AUTHORITY SECTION:           79709   IN      NS
;; ADDITIONAL SECTION:        79709   IN      A
;; Query time: 531 msec
;; WHEN: Wed Nov 19 18:04:47 2008
;; MSG SIZE  rcvd: 79
[root@bordeaux SPECS]# dig
; <<>> DiG 9.4.2rc1 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64233
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;                  IN      A
;; ANSWER SECTION:           83625   IN      A
;; AUTHORITY SECTION:           79705   IN      NS
;; ADDITIONAL SECTION:        79705   IN      A
;; Query time: 1 msec
;; WHEN: Wed Nov 19 18:04:51 2008
;; MSG SIZE  rcvd: 79
[root@bordeaux SPECS]#

IntelligentMirror Gets Even More Intelligent (1.0.1)

Warning : This version of IntelligentMirror is compatible with only squid-2.7 as of now. It is NOT compatible even with squid-3.0.

IntelligentMirror Version 1.0.1

I have been following squid development regularly (at least the part in which I am interested) and they have introduced a new directive in squid-2.7 known as StoreUrlRewrite (storeurl_rewrite_program). Using this directive you can instruct squid to cache url A ( as url B ( In simple words you can direct squid to cache any url as any other url without any extra efforts.

So keeping the above directive in mind, I have worked out a different version of intelligentmirror especially for squid-2.7.

IntelligentMirror : Old method of operation

  1. IntelligentMirror gets a client request for a URL.
  2. Check: if URL is not in (RPM, metadata file)
    • Then its none of our business.
    • Let proxy handle it the normal way.
    • Done and exit.
  3. Check: if RPM/metadata is available in cache
    • Stream the RPM/metadata from cache.
    • Done and exit.
  4. Check: if RPM/metadata is not available in cache
    • Download in parallel for caching in some dir and stream.
    • Done and exit.

IntelligentMirror : New method of operation

  1. IntelligentMirror gets a client request for a URL.
  2. Check: if request for rpm
    1. Direct squid to cache the request as http://<same_host_all_the_time>/intelligentmirror/<rpmname>.rpm
  3. Check: if request for deb
    1. Direct squid to cache the request as http://<same_host_all_the_time>/intelligentmirror/<debname>.deb
  4. Done and exit.

So your squid will see every request for an rpm package as a request http://<same_host_all_the_time>/intelligentmirror/<rpmname>.rpm. So, if you happen to request the same rpm from a different mirror, it’ll still be served from cache :)


  1. No need to check if the url supplied by squid is for rpm or not because storeurl_rewrite_program has an acl controller attached which will invoke intelligentmirror for urls ending in .rpm .
  2. No need to check if the url is already cached or not. No need to worry about the directory where you are going to store the packages. No human intervention is needed in maintaining the cache. Almighty squid is doing everything for us.
  3. No need to worry if the target package has changed because of the resigning or whatever because squid will do that for you.
  4. No need to actually download the package in parallel for caching because squid is already doing that.
  5. No need to worry about the hashing algorithms and storage optimizations for the cached content.


  1. RPM for Fedora/Red Hat
  2. Source RPM for Fedora/Red Hat
  3. Source Tarball

Install and Configure

The install and configure files should be enough to guide you through the installation if you choose the tar ball way. Otherwise you can always install from rpm from the above link.

Note1: You have to configure your squid to use intelligentmirror as a plugin even if you install via rpm. Check the configure file at the above link.

Note2: StoreUrlRewrite will probably be available in squid-3.1.