Re: [squid-users] Squid wont work when removing DG
On Tue, Jan 21, 2014 at 11:56 AM, Rafael Akchurin rafael.akchu...@diladele.com wrote:

Hello,

Maybe it is time to look into ICAP web filtering server for Squid? As an example see a short howto - http://www.howtoforge.com/filtering-https-traffic-with-squid.

The only problem I see with that is that from what I can tell, I would have to pay for that now. I don't see any educational pricing. It says a proxy admin cost is $1.82 per user per month (that is converted to US dollars). That would cost me approximately $15,000 per year. :( Unless I am missing a non-profit pricing on the Diladele Web Safety somewhere.

Thanks.

--
Scott Mayo
Mayo's Pioneer Seeds
PH: 573-568-3235
CE: 573-614-2138
RE: [squid-users] Squid wont work when removing DG
The site was updated, now the educational licensing and licensing for business for more than 100 users are available at much reduced rates.

Best regards,
Rafael

From: Scott Mayo scotgm...@gmail.com
Sent: Friday, January 24, 2014 3:26 PM
To: Rafael Akchurin
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid wont work when removing DG

On Tue, Jan 21, 2014 at 11:56 AM, Rafael Akchurin rafael.akchu...@diladele.com wrote:

Hello,

Maybe it is time to look into ICAP web filtering server for Squid? As an example see a short howto - http://www.howtoforge.com/filtering-https-traffic-with-squid.

The only problem I see with that is that from what I can tell, I would have to pay for that now. I don't see any educational pricing. It says a proxy admin cost is $1.82 per user per month (that is converted to US dollars). That would cost me approximately $15,000 per year. :( Unless I am missing a non-profit pricing on the Diladele Web Safety somewhere.

Thanks.

--
Scott Mayo
Mayo's Pioneer Seeds
PH: 573-568-3235
CE: 573-614-2138
Re: [squid-users] Squid wont work when removing DG
Hey,

The main issue is that using DG with squid might lead to an issue. The basic issue is two proxies per connection which is almost the same as ICAP service else then the ICAP service doesn't care for real in most cases what are the TCP levels of the connection.

Handling SSL encrypted sessions by default is not the best thing to do. It is indeed being done and being used but it's one of the things that can be identified with even almost the naked human eye. In the cases that there are IP addresses which are using a combination of client and server side certificates the option to intercept it drops to a trizillion percent of success (if even possible).

If there is a way to analyze the network usage it will be quite simple to implement the right solution. On the cases which there is no way to first know the load and the traffic I would not use DG but squid as the main classification tool.

Eliezer

On 21/01/14 19:56, Rafael Akchurin wrote:

Hello,

Maybe it is time to look into ICAP web filtering server for Squid? As an example see a short howto - http://www.howtoforge.com/filtering-https-traffic-with-squid.

Best regards, Sich
[squid-users] Squid wont work when removing DG
I have run a DG/Squid setup for quite some time. I am having problems with slowness. It seems DG has too many processes open. I wanted to test this to remove DG from the mix.

DG listens on 8080 and Squid on 3128. I have it set to authenticate users. Since I wanted to test I did the following:

1. Edited squid.conf to listen on 8080
2. Stopped DG
3. Restarted squid 'squid -k reconfigure'

After that did not work I even set squid.conf back to listening to port 3128 and had my test client proxy settings changed to 3128 instead of 8080. I even cleared my squid cache out.

In both scenarios it seems that the client would intermittently hit the Internet. Most of the times it just gave me the error that I could retrieve the cache (can't recall what it exactly says), but once in a bit it would pop up with my authentication and pull a webpage (not very often). I even disabled my IPTABLES for a bit to make sure it was nothing there.

I can put my DG back into place and everything works fine, well except for the slowness when all the users get on.

Any idea why Squid would not work like that? I did check with netstat and Squid was listening on the port that it should be in both instances.

Thanks.

--
Scott Mayo
Mayo's Pioneer Seeds
PH: 573-568-3235
CE: 573-614-2138
RE: [squid-users] Squid wont work when removing DG
Hello,

Maybe it is time to look into ICAP web filtering server for Squid? As an example see a short howto - http://www.howtoforge.com/filtering-https-traffic-with-squid.

Best regards, Sich

-Original Message-

I have run a DG/Squid setup for quite some time. I am having problems with slowness. It seems DG has too many processes open. I wanted to test this to remove DG from the mix.

Any idea why Squid would not work like that? I did check with netstat and Squid was listening on the port that it should be in both instances.
Re: [squid-users] Squid wont work when removing DG
On 2014-01-22 03:14, Scott Mayo wrote:

I have run a DG/Squid setup for quite some time. I am having problems with slowness. It seems DG has too many processes open. I wanted to test this to remove DG from the mix.

DG listens on 8080 and Squid on 3128. I have it set to authenticate users. Since I wanted to test I did the following:

1. Edited squid.conf to listen on 8080
2. Stopped DG
3. Restarted squid 'squid -k reconfigure'

After that did not work I even set squid.conf back to listening to port 3128 and had my test client proxy settings changed to 3128 instead of 8080. I even cleared my squid cache out.

It sounds like you have access control problems. When removing DG you also need to make Squid do whatever controls DG was doing (or ensure omitted rules were not actually needed for connectivity), and remove anything in squid.conf which was specifically for DG (such as only allowing traffic from the IP address used by DG).

Perhaps if you would share your squid.conf we could be a bit more helpful.

Amos
Re: [squid-users] Squid wont work when removing DG
On 2014-01-22 09:52, Scott Mayo wrote:

On Tue, Jan 21, 2014 at 2:45 PM, Amos Jeffries squ...@treenet.co.nz wrote:

On 2014-01-22 03:14, Scott Mayo wrote:

I have run a DG/Squid setup for quite some time. I am having problems with slowness. It seems DG has too many processes open. I wanted to test this to remove DG from the mix.

DG listens on 8080 and Squid on 3128. I have it set to authenticate users. Since I wanted to test I did the following:

1. Edited squid.conf to listen on 8080
2. Stopped DG
3. Restarted squid 'squid -k reconfigure'

After that did not work I even set squid.conf back to listening to port 3128 and had my test client proxy settings changed to 3128 instead of 8080. I even cleared my squid cache out.

It sounds like you have access control problems. When removing DG you also need to make Squid do whatever controls DG was doing (or ensure omitted rules were not actually needed for connectivity), and remove anything in squid.conf which was specifically for DG (such as only allowing traffic from the IP address used by DG).

Perhaps if you would share your squid.conf we could be a bit more helpful.

Thanks. I was actually going to do that. Just got it out a bit ago. Here it is if you see anything that should not be there. I really thought I had done exactly what I did before and it worked. Maybe I have changed something along the way.

What version of Squid are you running? I see a lot of lines here for things which have been obsoleted or deprecated since 2.6 and one which is only relevant to squid-2.5 down there at the end. If you have anything older than 3.2 please seriously consider an upgrade ASAP, and if you have something newer please at least run squid -k parse and follow up on the messages it emits.

    http_port 3128
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl username proxy_auth REQUIRED
    acl update-micro-dom dstdomain .microsoft.com
    acl update-micro-dom dstdomain .windowsupdate.com
    acl all src 0.0.0.0/0.0.0.0
    acl banned_ips src 10.1.1.1
    acl limituserconStudent maxconn 3
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563 2443
    acl Safe_ports port 80-81
    acl Safe_ports port 21
    acl Safe_ports port 443 563
    acl Safe_ports port 210
    acl Safe_ports port 8080 3123
    acl CONNECT method CONNECT

These ...

    follow_x_forwarded_for allow localhost
    acl_uses_indirect_client on
    delay_pool_uses_indirect_client on
    log_uses_indirect_client on

... are all Squid config lines to integrate with DG. Try removing them, or at least commenting out the first one.

    no_cache deny no_cache_sites
    http_access deny limituserconStudent
    http_access allow manager localhost
    http_access deny manager
    http_access deny banned_ips
    http_access allow update-micro-dom
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow username
    http_access allow localhost

Um, only localhost services or authenticated traffic is permitted. Is that correct for your policy?

    cache_effective_user squid
    cache_effective_group squid
    visible_hostname localhost

Proxy hostname of localhost leads to many problems. This should be the public (at least in the LAN) accessible FQDN for your proxy service.

    http_access deny all
    http_reply_access allow all
    icp_access allow all
    httpd_accel_with_proxy off

Er, httpd_accel_with_proxy is so old we do not even document it anymore.

Amos
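
The points raised in the reply above, gathered into a small script as an added example (not part of the thread and not a Squid tool): it flags the DG integration directives, visible_hostname localhost, the obsolete httpd_accel_with_proxy, and an http_access policy that admits only authenticated or localhost clients. The function name audit, the finding tags, the DEST_TYPES list and the sample config are constructed for illustration; the policy check assumes the loopback ACL is named localhost, as in the posted config.

```python
# Added example: checks a squid.conf for the items raised in this thread.
DG_DIRECTIVES = {"follow_x_forwarded_for", "acl_uses_indirect_client",
                 "delay_pool_uses_indirect_client", "log_uses_indirect_client"}
OBSOLETE = {"httpd_accel_with_proxy"}
DEST_TYPES = {"dstdomain", "dst", "dstdom_regex", "url_regex"}  # limit where, not who

def audit(conf_text):
    """Return (line_no, tag, text) findings for a squid.conf given as a string."""
    findings, acl_type, allows = [], {}, []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name in DG_DIRECTIVES:
            findings.append((n, "dg-integration", line))
        elif name in OBSOLETE:
            findings.append((n, "obsolete", line))
        elif name == "visible_hostname" and args[:1] == ["localhost"]:
            findings.append((n, "hostname-localhost", line))
        elif name == "acl" and len(args) >= 2:
            acl_type.setdefault(args[0], args[1])   # remember each ACL's type
        elif name == "http_access" and args[:1] == ["allow"]:
            allows.append((n, args[1:]))
    # Allow rules not tied to a destination decide which clients may browse.
    general = [(n, a) for n, a in allows
               if not any(acl_type.get(x) in DEST_TYPES for x in a)]
    def narrow(acls):
        return any(x == "localhost" or acl_type.get(x) == "proxy_auth" for x in acls)
    if general and all(narrow(a) for _, a in general):
        findings.append((general[0][0], "auth-or-localhost-only",
                         "every general allow rule needs login or localhost"))
    return findings

# Constructed sample: a subset of the directives quoted in the thread.
SAMPLE = """\
acl username proxy_auth REQUIRED
acl update-micro-dom dstdomain .microsoft.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
http_access allow manager localhost
http_access allow update-micro-dom
http_access allow username
http_access allow localhost
visible_hostname localhost
http_access deny all
httpd_accel_with_proxy off
"""

if __name__ == "__main__":
    for line_no, tag, text in audit(SAMPLE):
        print(f"line {line_no}: [{tag}] {text}")
```

The findings are prompts for review against the site's policy; squid -k parse, as suggested in the reply, remains the check for what the installed Squid version actually accepts.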