<brycec> Agreed all-around [01:28]
<kellytk> Once I went solid-state I knew I'd never go back, workstations and servers alike [01:57]
<m0unds> mnathani_: do you happen to have an exchange acct or similar w/policy enforcement enabled configured w/the win10 mail client? [07:45]
womp womp
*** dj_goku has joined #arpnetworks [11:27]
<mnathani_> m0unds: no exchange account - or anything I can think of that would have policy enforcement enabled [15:12]
<m0unds> mnathani_: strange [15:43]
<mercutio> it's kind of disconcerting with the windows shift that's happened in here :) [15:44]
<m0unds> ? [15:44]
<mercutio> oh just cos windows 10 came out etc :) [15:45]
<m0unds> oh, talking about it? [15:45]
* mercutio has no idea how to fix most windows problems
* m0unds was a windows and unix sysadmin for 10 yrs [15:45]
<mercutio> my windows computer randomly had a black screen today [15:45]
<m0unds> throw it down a flight of stairs [15:45]
<mercutio> it was still working, sound etc. [15:45]
<m0unds> weird [15:45]
<mercutio> turning the monitor on and off didn't fix it [15:45]
<m0unds> display driver crash? [15:45]
i rebooted and it's fine so far.
<m0unds> was it coming out of sleep? [15:46]
<mercutio> nope [15:46]
<m0unds> ah [15:46]
<mercutio> it doesn't sleep
maybe it should
<m0unds> there's a longstanding AMD driver issue w/sleep and black screens
dunno if they ever fixed it
<mercutio> well it is amd
maybe it started sleeping since upgrading.
<m0unds> i know, that's why i mentioned it :) [15:46]
<mercutio> but then why'd it wait until today to crash
my linux computer went through a period of crashing
<m0unds> no time like the present [15:46]
<mercutio> i changed the motherboard and it was fine
i changed psu and case too though
but when linux crashes every now and then suspect hardware
when windows crashes every now and then suspect drivers :)
it used to get brief ethernet lockups all the time from new
i never really noticed it except in dmesg
@weather iran
<m0unds> it's forecast to be 110 in phoenix, az tomorrow [15:52]
<mercutio> http://time.com/3981478/iran-heatwave-bandar-mahsahr/ [15:52]
<m0unds> maybe because it's on the water or something?
oh, with the heat index
because of humidity
<mercutio> In Iraq, air temperatures continued to exceed 120 degrees (49 Celsius) for the eighth day in a row on Sunday, according to the Weather Channel. The heat had become so scorching on Thursday that the Iraqi government mandated a four-day holiday. [15:53]
<m0unds> yeah, that'd be why then [15:53]
<mercutio> oh [15:53]
<m0unds> high humidity + hot as hell
yeah, that blows
* m0unds is happy to live in an arid climate
<mnathani_> does unbound default to allow all source IPs for dns resolution?
turns out it's only listening on localhost
it allows ::1 and some others i think
search for acl
oh it's not acl :")
<mnathani_> interface: [16:06]
<mercutio> it's access-control [16:06]
<mnathani_> I put that in there, but it's still listening on localhost only [16:06]
<mercutio> access-control: refuse
access-control: allow
did you restart it?
<mnathani_> yup [16:06]
<mercutio> could it bind that address?
i'm not listening on
i listen on the real addresses
but should work
oh, unless you have an authoritative dns server on the host too
<mnathani_> got it to listen on [16:08]
<mercutio> cool [16:08]
<mnathani_> but now I need the access control [16:08]
i pasted that up there
so first you refuse
then you accept
ie it's last match not first match
<mnathani_> ok, dns is good now [16:09]
<mercutio> sweet [16:09]
<mnathani_> time to try the transparent proxy using squid [16:10]
<mercutio> oh god
i mean cool :)
you got your firewall rules down? :)
<mnathani_> you mean iptables nat 80 to 3128 or something like that? [16:10]
<mercutio> also you may want to try trafficserver instead of squid these days
is that ipfw?
iptables word
yeh sending 80 to 3128
i just use explicit proxy except for wireless at home
proto tcp if enp4s0 saddr dport http REDIRECT to-ports 8080;
that's what i'm doing with ferm
<mnathani_> does trafficserver have a binary or do I need to build from source
running ubuntu
<mercutio> it's got old binaries in ubuntu last i knew
what version does it say?
trusty has 3.2 that's probably fine
i think 5 is what it's up to
i compile from source myself
but i did a couple of patches etc
so yeah it's ok if you're ok being two major versions behind
September 08, 2014: The old, legacy release of ATS, v3.2.x, is no longer supported. We have removed it from the download site, but it is available via the archives. We urge everyone to migrate to v4.2.x or 5.x as soon as possible.
July 4, 2015: The latest stable release, v5.3.1, is now available from the Downloads section. This is the LTS release for 5.x
yeah i'd go with source
trafficserver has http2 support :)
and a few other cool things
but squid maybe easier to get started with
<mnathani_> do you generally need to enable nat / ip forwarding for other non http traffic? [16:16]
<mercutio> the default trafficserver config is more towards reverse proxies than forward
saddr outerface ppp0 SNAT to;
i do it with that
but then i have normal ip's mixed too, that i don't want to nat
proxies don't give much improvement with few users generally btw
<mnathani_> my proxy is already behind nat [16:19]
<mercutio> the majority of "slow" web sites these days are https
<mnathani_> so perhaps I could simply enable routing [16:19]
<mercutio> then you can just let the normal nat work its magic
ip forwarding yes
erk that doesn't seem to be it
oh zsh just wasn't completing
<mnathani_> the nat gateway would need to know how to get back to my segment [16:20]
i don't do full transparent with proxies
<mnathani_> it's on [16:20]
<mercutio> so it's just like any other
yeh the nat router should also nat
and have routes to reach it
<mnathani_> right [16:21]
<mercutio> dsl modems can be a pita for that :/ [16:21]
<mnathani_> do you transparent proxy https as well? [16:21]
<mercutio> nope [16:21]
<mnathani_> good thing I have a mikrotik [16:21]
<mercutio> you can only tcp proxy it
which i want to do again
so who here is using a ssid ending in optout_nomap?
err _optout_nomap
<m0unds> not me, don't care enough [16:30]
<mnathani_> step 2 complete, NAT is working and my vm on has internet access using the ubuntu gateway that has ip forwarding enabled. Now all I need to do is get the transparent proxy working [17:53]
<brycec> FWIW I've had no such issue on my system, whether Windows 7, 8.1, or 10. And it sleeps a lot. 15:44:06 m0unds | there's a longstanding AMD driver issue w/sleep and black screens [18:06]
<mercutio> mnathani_: just go explicit ?
ie set your proxy in your browser
or in http_proxy on command line
<mnathani_> my goal is transparent proxy [18:07]
<mercutio> ok [18:07]
<mnathani_> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
that eth0
is that on the interface facing client?
<mercutio> is eth0 in? [18:07]
<mnathani_> or towards internet
in that iptables rule
<mercutio> that looks fine
have you got squid setup to listen in transparent mode
that's the interface that http connections come in on
<mnathani_> in my case it's eth1 [18:09]
<mercutio> oh :)
well there goes the issue
in my case it's enp4s0
don't you love the naming
<mnathani_> I am getting connection refused [18:11]
<mercutio> are you listening on port 3128 [18:11]
<mnathani_> for http requests from my client [18:11]
<mercutio> sudo netstat -tnlp | grep 3128 [18:11]
<mnathani_> I am not
so that would be a problem
<mercutio> well there goes the issue
i think it's http_port in squid
yeh http_port 3128 http11 transparent
although if you just installed squid you may have to run squid -z to create the cache directories
<mnathani_> http_port 3128
I have that in my config
<mercutio> so squid isn't running then
append transparent
i dunno if you still need http11 or snot
i only see that http11 was added in 2.7, not that it was deprecated, hmm.
it seems transparent is changing to the word intercept though
<m0unds> brycec: i'm happy you didn't experience it
because it's horribly annoying
<brycec> m0unds: thanks :p [18:16]
<m0unds> i've seen it on more machines than i haven't seen it on, so you're a lucky duck [18:16]
<mnathani_> ok, I get access denied now
so that looks better
<mercutio> sweet now ip acl [18:16]
<brycec> Wow. And yet both mine and my lady's windows desktops are just peachy.
So 100% okay in my experience, m0unds
<mercutio> brycec: large sample set there [18:16]
<brycec> :D [18:17]
<mercutio> i seem to remember some computer screwing up if it suspended and it wouldn't come back at one point
but memory is sketchy
i just remember thinking it wasn't good to plug in the sleep button
<m0unds> http://forums.anandtech.com/showthread.php?t=2322060 [18:17]
<mercutio> because it can cause issues when used :) [18:17]
<m0unds> ^ that mess [18:17]
<brycec> Heh, then again those posts are from 2 years ago. Plenty of time for change. [18:18]
<mercutio> heh i like how windows includes ethernet drivers nowadays [18:19]
<m0unds> right, but i was managing a site with 30 7xxx era firegl and radeon cards and most of them would die if the machine was left unattended and went to sleep overnight or whatever [18:19]
<mercutio> that used to be my biggest gripe [18:19]
<m0unds> to the point that i had to set a policy to prevent sleep so i didn't have to deal with it every morning [18:19]
<brycec> That really sucks [18:19]
<mercutio> m0unds: were you using microsoft or ati drivers? [18:19]
<m0unds> AMD, had to
needed opencl
i used to find that the ati drivers were worse than the microsoft ones
unless you needed to play games
<m0unds> and as luck had it, they started replacing those boxes when my contract was ending
the bastard
<mercutio> intel hd seems nice and stable. [18:20]
<m0unds> s [18:20]
<mnathani_> Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect. [18:21]
<mercutio> mnathani_: fix your acl :)
acl's are two step in squid
you need like acl localnet src
http_access allow localnet
and they're first match
so you have to allow before you deny
<mnathani_> my allows were under another deny way up in the config
it's a 7000 line config
probably easier to wipe it clean and start fresh
use grep
cat /etc/squid/squid.conf | grep ^http_access
<brycec> why not just "grep ^http_access /etc/squid/squid.conf" ? [18:26]
<mercutio> brycec: that'd work too, but i find it easier to think that way around :) [18:26]
<brycec> :) [18:26]
<mercutio> i'm not a big fan of condensing [18:27]
* brycec is a huge fan of optimising [18:27]
<mercutio> on grep'ing a 7000 line file?
does it save more than a msec?
i don't even use egrep usually :)
<brycec> In this case, probably not. But I'm not saying that optimisation is for speed
It just makes it, whatever it is, optimal :) Could be readable, simpler, fewer system calls, etc
<mercutio> ahh, i find it more readable, simpler with it spread out [18:30]
<brycec> If you were grepping multiple files, you would almost certainly prefer the "condensed" form as then grep can report *which* file matched. [18:30]
<mercutio> but yeah there may be fewer system calls with your method. but that's not even a certainty [18:30]
<brycec> I find mine to be more readable. But to each their own. [18:31]
<mercutio> yeah different thinking styles and all that
i like to think of the "object i'm doing something with" then what i do with it
rather than what i'm doing with it, then what object i'm doing on it
<mnathani_> coredump_dir /var/spool/squid3 [18:32]
<mercutio> also if you need to change it to something else it's much easier
like that word doesn't work..
<mnathani_> do I need that in my config? [18:32]
<mercutio> mnathani_: that's normal
squid spool directory is given less space to allow some space for coredump
and for file system overheads
did you figure out your acl? :)
<mnathani_> I think so
trying it now
1438565621.558 115 TCP_MISS/200 114420 GET http://turnerhd-f.akamaihd.net/z/tvecnn_1@135347/tiny_6963ff495dca454b-p_Seg1-Frag239760933? - HIER_DIRECT/ video/f4f
1438565623.468 18 TCP_REFRESH_MODIFIED/200 668 GET http://turnerhd-f.akamaihd.net/z/tvecnn_1@135347/tiny_6963ff495dca454b-p.bootstrap? - HIER_DIRECT/ video/abst
1438565625.831 76 TCP_MISS/200 982 GET http://ar.voicefive.com/bmx3/iframe.htm? - HIER_DIRECT/ text/html
appears to be working now
thanks mercutio :-)
did you set cache_dir to a big enough size?
i think it defaults to 100mb
<mnathani_> cache_dir rock Directory-Name Mbytes [options]
do I need to specify a directory?
<mercutio> oh god
i abandoned squid before that rock stuff
is rock stable?
anyway normally it's something like:
cache_dir ufs /var/spool/squid3 32000 16 256
for 32gb with ufs
you can do aufs too, but for light loads it's generally not necessary
i assume with rock it's something like cache_dir rock /var/spool/squid3 32000
<mnathani_> do you recall slow restarts with squid
that can be speeded up with some config
not sure if that was it
also it has to rebuild the cache sometimes
like if you press the reset button and have a huge cache it'll have to go through rebuilding the cache indexes
the cache rebuild is more of an issue than the shutdown lifetime
the shutdown lifetime is for connections that are still going
<mnathani_> on ubuntu how do I make that iptables rule persistent? [18:57]
<brycec> Step 1) Erase Ubuntu. :P
</generic Ubuntu and non-BSD hate>
<m0unds> sounds reasonable to me [19:00]
<brycec> I've always had trouble working with Ubuntu-isms, eg upstart (or whatever it was called) [19:00]
<mnathani_> is Debian really that much better? [19:01]
<brycec> Nowadays, yes. Because I know systemd. [19:02]
<mercutio> i use ferm mnathani_
ubuntu has systemd too if you use a recent version
<mnathani_> is there a good tutorial out there to get oneself up to speed with systemd? [19:55]
<brycec> I learned from https://wiki.archlinux.org/index.php/Systemd [19:56]
<mnathani_> I suppose this would be useful in managing RedHat Enterprise Linux 7 / CentOS 7 as well since they moved to systemd too? I wonder if there are differences in implementation [19:59]
<mike-burns> If you run into issues, here's a good systemd troubleshooting guide: http://www.openbsd.org/faq/faq4.html [19:59]
mnathani_: The fundamentals are the same. The only differences I'd expect could be the names of the unit files
<mnathani_> lol mike-burns [20:01]
<mercutio> mnathani_: ubuntu hasn't fully moved over to systemd yet last i knew
although it seems to be more so when doing new installs than updating
<mnathani_> so many sites using ssl - didn't realize it earlier
perhaps I am doing it wrong - too many misses not enough hits with regards to Squid
even when I load the exact same url into a different browser
<mercutio> 10% hit rate is common for bytes
it's only really useful for things like updating packages over multiple hosts
<mnathani_> perhaps I am missing something in the config: http://paste.ubuntu.com/11990871/
what happens if the different hosts choose different mirrors
<mercutio> then you're out of luck
centos is nice like that :/
you can do complicated rewrite stuff but i wouldn't recommend
<mnathani_> anything more I can do with my config to get more hits? [21:12]
<kellytk> I'm cautiously optimistic about what the FreeBSD project comes up with for a modern service manager [22:05]
<JC_Denton> anyone here using Duo Security? [22:15]
<mercutio> i only just found out about iotop [22:21]
<m0unds> JC_Denton: i've used it before
it was kind of flaky
<JC_Denton> i'm giving it a go over Google Authenticator
seems a little slow, but it's nice to be able to approve 2fa from a wearable
<mnathani_> here is something really strange - I had unbound installed, but wanted to switch to bind, so I stopped the unbound service and started bind, but unbound got restarted instead [22:23]
<mercutio> that is strange
but i have no idea sorry :)
<mnathani_> got it taken care of
I like the query log style of bind compared to unbound
<mercutio> you use query log?
i just tcpdump if i want to see queries