SQUISH FAQ -- http://www.ledge.co.za/software/squint/squish/


WHAT IS SQUISH FOR?

Q.  How does this software help against malware/viruses/etc.?
A.  If your computer runs a program which polls a web site for instructions,
    you will quickly exceed your daily allocation of time or bandwidth.  This
    does not solve the problem, but should make it easier to identify.

Q.  What's with the version number?
A.  You're going to tell me about the bugs, then I'll fix them, and we can have
    another version.

Q.  Why would I ever want to use the --notime option?
A.  To test squish with old data.  That's the only occasion.


INSTALLATION OF SQUISH

Q.  How do I install squish?
A.  make install
    These are the prerequisites (failing which things will just die
    inexplicably):
	- squid
	- apache (for CGI part)
	- perl
	- perl-GD
	- gd
	- cron

Q.  http://localhost/squish/squish.cgi says "Can't locate GD.pm in @INC"
A.  Install perl-GD
    On SuSE 9.2, you need these packages:
    	perl-GD-2.16-3
	gd-2.0.28-2

    If you don't have it with your distribution, try
    	perl -MCPAN -e 'install GD'

Q.  How do I uninstall?
A.  rm -r /usr/local/squish /var/lib/squish  # be careful ...
    vi /etc/crontab           # remove squish entries
    vi /etc/squid/squid.conf  # remove SQUISH parts
    vi /etc/apache/httpd.conf  # remove include.*squish part

Q.  Can squish display usernames instead of IP addresses?
A.  squish will use the user name if squid insists on authentication (or
    ident).  If there is no user name, then it will use the IP address.  There
    is (currently) no method for conversion, mapping or making things look
    prettier.  Continued with next question ...

Q.  How do I set up squid to require authentication?
A.  Add the following directives in /etc/squid/squid.conf ...

	# With the other auth_param stuff ...
	auth_param basic program /usr/lib/squid/pam_auth
	# Add this somewhere ... (defines "AUTHENTICATED" acl)
	acl AUTHENTICATED proxy_auth REQUIRED
	# Below the SQUISHED stuff ... (checks that you're AUTHENTICATED)
	http_access allow AUTHENTICATED

    If you're using ntlm auth, you may need to do this instead (haven't
    tried)...
	http_access allow AUTHENTICATED !SQUISHED1

Q.  How do I do squid acl's?
A.  A few simple rules:
    (a)	Every acl defined with "acl" is evaluated for every request (kinda)
    (b) For each request, http_access lines are evaluated in the order that
	they are listed, until one says "allow" or "deny". 
    (c) If you list a number of acl's for an http_access rule, then all the
    	listed acl's must match for the 'allow' or 'deny' to trigger.
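
    Added example (not part of squish or squid): a small Python model of
    rules (b) and (c), run against constructed http_access lines that use the
    ACL names from this FAQ.  It assumes an "all" ACL that matches every
    request, and applies squid's documented default when no line matches.

```python
# Toy model of http_access evaluation as described in rules (b) and (c).
# Added example; not squid or squish source code.

def term_matches(term, facts):
    # A leading "!" negates an ACL name, as in "!SQUISHED1".
    return term[1:] not in facts if term.startswith("!") else term in facts

def http_access(rules, facts):
    """Return "allow" or "deny" for a request.

    rules: http_access lines in squid.conf order.
    facts: names of the ACLs that are true for this request.
    """
    facts = set(facts) | {"all"}        # assumption: "all" matches everything
    last = None
    for line in rules:
        directive, action, *terms = line.split()
        if directive != "http_access" or action not in ("allow", "deny"):
            raise ValueError("not an http_access line: " + line)
        if not terms:                   # squid: "contains no ACL's, skipping"
            continue
        last = action
        if all(term_matches(t, facts) for t in terms):   # rule (c): AND
            return action               # rule (b): first match decides
    # No line matched: squid uses the opposite of the last line's action
    # (and denies if there were no usable lines at all).
    if last is None:
        return "deny"
    return "allow" if last == "deny" else "deny"

# Constructed rule sets using the ACL names from this FAQ.
SQUISH_FIRST = ["http_access deny SQUISHED1",
                "http_access allow AUTHENTICATED",
                "http_access deny all"]
AUTH_FIRST = ["http_access allow AUTHENTICATED",
              "http_access deny SQUISHED1",
              "http_access deny all"]
NTLM_STYLE = ["http_access allow AUTHENTICATED !SQUISHED1",
              "http_access deny all"]

if __name__ == "__main__":
    squished = {"AUTHENTICATED", "SQUISHED1"}
    for name, rules in [("SQUISH_FIRST", SQUISH_FIRST),
                        ("AUTH_FIRST", AUTH_FIRST),
                        ("NTLM_STYLE", NTLM_STYLE)]:
        print(name, http_access(rules, squished))
```

    With the allow line listed first (AUTH_FIRST), a squished user is let
    through, which is why the allow rule goes below the SQUISHED rules.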

Q.  How do I stop squish without breaking squid?
A.  (a)	You can reconfigure squid and comment out the SQUISH.* rules.
    (b)	You can comment out all the lines in /etc/squid/squish.conf so that
	there are no limits.  Run /usr/local/squish/squish.cron.sh to update.
    (c)	You can stop squish from running periodically by editing /etc/crontab
	and commenting out the squish entries.
    If you modify /etc/squid/squished directly, then remember to reload squid
    (/etc/init.d/squid reload)


CONFIGURATION

Q.  Where's the configuration file?
A.  /etc/squid/squish.conf

Q.  How can I set the download limit?
A.  Modify /etc/squid/squish.conf.  All lines apply to all users that they match.
    So here's a restriction for a specific user:

    andrew         4h/day  60Mb/day    100Mb/week


BUGS AND ARB' QUESTIONS

Q.  Help!  I've been squished!
A.  Sorry.

Q.  I'm sorry!  I didn't mean it!  Can I have an emergency reserve?
A.  No - sorry - ask your friendly sysadmin, or use another account / computer,
    etc.

Q.  How long must I wait?
A.  You must wait until your data falls off the end of the graph.  This is
    usually until tomorrow (especially on Fridays).

Q.  I keep getting my browser madly reloading http://my.proxy.svr/squish/? 
    Aaargh!
A.  In /etc/hosts, you have multiple conflicting definitions of your fully
    qualified host name.  Remove all of them except one.
    	# /etc/hosts sample:
	10.0.0.1	my.proxy.svr           # REMOVE or RENAME THIS
	192.168.54.32	my.proxy.svr my
    The effect of having two definitions for your host name is that the
    dstdomain acl in squid.conf does not work correctly.
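
    A quick check for this condition, as an added example that is not part of
    squish: it lists every name that a hosts file maps to more than one
    address of the same family.  The sample text is constructed from the
    excerpt above.

```python
# Added example: find host names that a hosts file maps to several addresses.
import ipaddress
import sys
from collections import defaultdict

def conflicting_names(hosts_text):
    """Return {name: [addresses]} for names listed under 2+ addresses.

    IPv4 and IPv6 are tracked separately, so the usual pair
    "127.0.0.1 localhost" / "::1 localhost" is not reported.
    """
    seen = defaultdict(list)
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        address, *names = line.split()
        try:
            version = ipaddress.ip_address(address.split("%")[0]).version
        except ValueError:
            continue                             # not an address line
        for name in names:
            key = (name.lower(), version)        # names are case-insensitive
            if address not in seen[key]:
                seen[key].append(address)
    conflicts = {}
    for (name, _version), addresses in seen.items():
        if len(addresses) > 1:
            conflicts.setdefault(name, []).extend(addresses)
    return conflicts

# Constructed sample, modelled on the /etc/hosts excerpt above.
SAMPLE = """\
127.0.0.1       localhost
::1             localhost
10.0.0.1        my.proxy.svr           # REMOVE or RENAME THIS
192.168.54.32   my.proxy.svr my
"""

if __name__ == "__main__":
    # Pass a path such as /etc/hosts, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, addresses in conflicting_names(text).items():
        print(name + ": " + ", ".join(addresses))
```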

Q.  Can I download a file bigger than my daily quota?
A.  Just do it.  You'll get squished when the download completes, but don't
    worry about that.  Being squished does not affect downloads currently in
    progress, unless the connection is interrupted.

Q.  What's with the weirdo indigo cyan colour of the headings?
A.  I spilled C0FFEE in the HTML.  I was tired.

Q.  I've been squished, but now I just stay squished...
A.  You probably go through the proxy to see whether you're squished.  Don't
    check too often - because that is counted as squishable browsing time.
    Remember -- you're supposed to be working.



TROUBLESHOOTING

Q.  I see this in /var/log/squid/cache.log (or on the terminal)
	Reloading WWW-proxy squid
	| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl SQUISHED1 proxy_auth "/etc/squid/squished"' because no authentication schemes are fully configured.
	| aclParseAclLine: IGNORING invalid ACL: acl SQUISHED1 proxy_auth "/etc/squid/squished"
	| aclParseIpData: Bad host/IP: 'aardvarkscantsquishants'
	| squid.conf line 1842: http_access deny SQUISHED1
	| aclParseAccessLine: ACL name 'SQUISHED1' not found.
	| squid.conf line 1842: http_access deny SQUISHED1
	| aclParseAccessLine: Access line contains no ACL's, skipping
	| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl SQUISHED1 proxy_auth "/etc/squid/squished"' because no authentication schemes are fully configured.
	| aclParseAclLine: IGNORING invalid ACL: acl SQUISHED1 proxy_auth "/etc/squid/squished"
	| aclParseIpData: Bad host/IP: 'aardvarkscantsquishants'
	| squid.conf line 1842: http_access deny SQUISHED1
	| aclParseAccessLine: ACL name 'SQUISHED1' not found.
	| squid.conf line 1842: http_access deny SQUISHED1
	| aclParseAccessLine: Access line contains no ACL's, skipping
    What's this about?
A.  This is not a fatal error, but a warning from squid.  To make my life
    simpler (not for you -- for me), squish makes one list, mixing up IP
    addresses and user names.  Squish's installer doesn't check if you are
    using ident, proxy_auth or no authentication -- it just installs
    for all three.  However, squid finds this a little annoying.  If it bothers
    you, you can remove the SQUISHED1 lines -- or whichever ones squid
    complains about.  I'll accept suggestions / shell snippets on automating
    this ...

Q.  Why do I keep getting redirected to this site that doesn't exist --
    http://foo.bar/squish/?squished& --?
A.  This URL is in the squid.conf file -- "foo.bar" should be your hostname --
    the output of "hostname -f".  You can set this by modifying /etc/hostname
    or /etc/HOSTNAME, depending on distribution.  You probably also need to set
    your host name in /etc/hosts ...
    	/etc/HOSTNAME:		foo.bar.info
    	/etc/hostname:		foo
	/etc/hosts:		192.168.44.4	foo.bar.info	foo
    This URL is served by an apache server, which is assumed to run on the same
    host ...


CAN'T YOU JUST ...

Q.  I want squish to do something it doesn't already do ...
A.  Tell me -- andrew at ledge.co.za is a good starting point.  Offer to pay a
    truly inspiring amount, and we may be able to do wonders for you.

