Re: [squid-users] CDN / JS 503 Service Unavailable

2014-08-17 Thread Amos Jeffries
On 15/08/2014 11:22 p.m., Paul Regan wrote:
 Urg, that's like standing in front of the class for everyone to stare!
 

If you are not able to take constructive criticisms, sysadmin is
probably not the best line of work for you :-)

I see you seem to have found the problem. So consider these a free audit.

 
 here you go :
 
 cache_effective_user squid
 
 url_rewrite_program /usr/sbin/ufdbgclient -l /var/ufdbguard/logs
 url_rewrite_children 64
 
 acl localnet src subnet
 acl eu-edge-IP src subnet
 acl eu-buscon-edge-IP src subnet
 acl eu-inet-dmz src subnet
 acl na-subnet src subnet
 acl na-inet-dmz src subnet
 acl na-buscon-edge-IP src subnet
 acl st-buscon-vpc src subnet
 acl eu-mfmgt src subnet
 
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 
 acl CONNECT method CONNECT
 
 hosts_file /etc/hosts
 
 dns_nameservers server server server
 
 http_access deny !Safe_ports
 
 http_access deny CONNECT !SSL_ports
 
 acl infrastructure src
 
 http_access allow localhost manager
 http_access allow infrastructure manager
 http_access deny manager
 
 acl mo-whitelist dstdomain /etc/squid/mo-whitelist
 http_access allow mo-whitelist
 
 acl mo-blockedsites dstdomain /etc/squid/mo-blockedsites
 deny_info http://urlrestricted_content_blockedsites.html mo-blockedsites
 http_access deny mo-blockedsites
 
 acl mo-blockedkeywords urlpath_regex /etc/squid/mo-blockedkeywords
 deny_info http://urlrestricted_content_keywords.html mo-blockedkeywords
 http_access deny mo-blockedkeywords
 
 acl mo-nocache dstdomain /etc/squid/mo-nocache
 no_cache deny mo-nocache

The correct name for that directive is cache; it has been since Squid-2.4.
As in, what you should have there is:
 cache deny mo-nocache


 
 acl mo-blockedIP src /etc/squid/mo-blockedIP
 acl mo-allowURLs dstdomain src /etc/squid/mo-allowURLs
 
 http_access allow mo-blockedIP mo-allowURLs
 http_access deny mo-blockedIP
 deny_info http://urlrestricted_content_blockedip.html mo-blockedIP
 
 acl mo-allowNYIP src /etc/squid/mo-allowNYIP
 http_access allow mo-allowNYIP
 
 http_access allow na-subnet mo-allowURLs
 http_access deny na-subnet
 deny_info http://urlrestricted_content_subnet.html na-subnet
 
 http_access allow localnet
 http_access deny st-buscon-vpc
 http_access allow eu-edge-IP
 http_access allow eu-inet-dmz
 http_access allow eu-buscon-edge-IP
 http_access allow na-inet-dmz
 http_access allow na-buscon-edge-IP
 http_access allow eu-mfmgt
 
 acl ftp proto FTP
 always_direct allow ftp
 
 acl purge method PURGE
 http_access allow purge localhost
 http_access deny purge

Hmm.. What you have here is a pure forward-proxy configuration.
If you need to purge things from the cache of a forward-proxy then it is
caching badly/wrong.

I know that Squid does cache some things badly, but we have taken great
pains to ensure that those cases are conservative. The wrong cases
should all take the form of dropping things which should have been kept,
rather than storing things which should have been dropped.

Are you perhaps finding that you need to manually erase content
permitted into cache by the refresh rules with override-expire
ignore-no-store ignore-private? Ignoring private and no-store in
particular are very dangerous... think Captcha images, username in image
form for embedded session display, company private information, etc.

 
 http_access allow localhost
 http_access deny all
 
 http_port 8080
 
 cache_dir aufs /squid-cache 39322 16 256
 cache_replacement_policy heap LFUDA
 
 cache_swap_low 96
 cache_swap_high 98
 
 cache_mem 256 MB
 
 maximum_object_size 64 KB

It's a little unclear why you are limiting cached objects to 64KB while
refresh patterns also force archive and binary executable types to be
cached. You have 40.25 GB of cache space available.

 maximum_object_size_in_memory 20 KB
 
 quick_abort_min 0 KB
 quick_abort_max 0 KB
 
 memory_pools off
 

Have you tested performance with these on recently?


HTH
Amos
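To make the two points in the audit above checkable on a real file, here is an added Python script that scans a squid.conf for the obsolete no_cache directive and for refresh_pattern lines carrying override-expire, ignore-no-store or ignore-private. It is not code from the thread or from the Squid project; the sample configuration it scans is constructed, modelled on the config quoted above, and the refresh_pattern line with the override options is invented for the demonstration.

```python
"""Audit a squid.conf for two of the issues raised in the review above:
the obsolete ``no_cache`` directive (renamed ``cache`` in Squid-2.4) and
refresh_pattern options that override the origin server's caching rules.
Added example, not part of the thread or of Squid itself."""

# The refresh_pattern options named as dangerous in the review; the short
# explanations are this example's own wording.
UNSAFE_REFRESH_OPTIONS = {
    "ignore-private": "stores Cache-Control: private responses (captchas, per-user images)",
    "ignore-no-store": "stores responses the origin marked Cache-Control: no-store",
    "override-expire": "keeps serving objects past the origin's Expires time",
}


def parse_squid_conf(text):
    """Yield (line_number, directive, args) for each non-comment line.
    Squid keeps one directive per line and treats '#' as a comment start."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def audit_cache_directives(text):
    """Return (line_number, problem, suggested_fix) tuples, in file order."""
    findings = []
    for lineno, directive, args in parse_squid_conf(text):
        if directive == "no_cache":
            # Squid-2.4+ spells this directive 'cache'; the arguments are unchanged.
            findings.append((lineno, "obsolete directive 'no_cache'",
                             "cache " + " ".join(args)))
        elif directive == "refresh_pattern":
            for opt in args:
                if opt in UNSAFE_REFRESH_OPTIONS:
                    findings.append((lineno,
                                     f"refresh_pattern {opt}: {UNSAFE_REFRESH_OPTIONS[opt]}",
                                     f"drop {opt}; fix the origin's caching headers instead"))
    return findings


# Constructed sample modelled on the configuration quoted above; the
# refresh_pattern line with override options is invented for the demo.
SAMPLE_CONF = r"""acl mo-nocache dstdomain /etc/squid/mo-nocache
no_cache deny mo-nocache
refresh_pattern -i \.(zip|exe)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern . 0 20% 4320
"""

if __name__ == "__main__":
    for lineno, problem, fix in audit_cache_directives(SAMPLE_CONF):
        print(f"line {lineno}: {problem} -> {fix}")
```

Run it against a real file with `audit_cache_directives(open("/etc/squid/squid.conf").read())`; an empty list means neither issue is present. The script deliberately reports each unsafe option as a separate finding so that a refresh_pattern with all three overrides shows up three times.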



Re: [squid-users] Re: ONLY Cache certain Websites.

2014-08-17 Thread Amos Jeffries
On 16/08/2014 8:02 a.m., nuhll wrote:
 I got nearly all working. Except Battle.net. This problem seems to be known, but
 I don't know how to fix it.
 
 http://stackoverflow.com/questions/24933962/squid-proxy-blocks-battle-net

That post displays a perfectly working proxy transaction. No sign of an
error anywhere.


 https://forum.pfsense.org/index.php?topic=72271.0
 

Contains three solutions. All of which are essentially turn on PNP at
the router.

Amos


Re: [squid-users] unbound and squid not resolving SSL sites

2014-08-17 Thread squid

You are at least missing https_port and all the sslproxy_* directives
for outgoing HTTPS. Then also you are probably missing the TLS/SSL
certificate security keys, including any DNS entries for IPSEC, DNSSEC,
DANE, HSTS etc.



Ok, so I generated some keys and added the directives.
On restarting squid it asks for the certificate password and starts
ok but it still won't resolve the SSL websites.

I also added an iptables forward directive:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130


CONF:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
acl interval_auth external time_squid_auth
http_access allow interval_auth
http_access deny all
http_port 80 accel vhost allow-direct
https_port 3130 transparent cert=/etc/squid/server.crt key=/etc/squid/server.key

hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320






Re: [squid-users] unbound and squid not resolving SSL sites

2014-08-17 Thread Eliezer Croitoru

Take a look at:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP

Your squid.conf seems to be too incomplete to allow SSL-Bump to work.

Eliezer

On 08/18/2014 02:16 AM, sq...@proxyplayer.co.uk wrote:

Ok, so I generated some keys and added the directives.
On restarting squid it asks for the certificate password and starts ok
but it still won't resolve the SSL websites.
I also added an iptables forward directive:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

CONF:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
acl interval_auth external time_squid_auth
http_access allow interval_auth
http_access deny all
http_port 80 accel vhost allow-direct
https_port 3130 transparent cert=/etc/squid/server.crt key=/etc/squid/server.key
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
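Both replies in this thread say the same thing from different angles: the posted squid.conf has an intercepting https_port but none of the SSL-Bump directives that make it useful. Here is an added Python check (not from the thread, not from Squid) that tests a config for exactly that consistency, plus a small helper for the passphrase prompt reported above. It assumes Squid 3.3/3.4-era syntax (intercept, ssl-bump, ssl_bump, sslcrtd_program); the ssl_crtd path and cache size in the corrected sample are assumptions that vary by distribution.

```python
"""Check that an intercepting https_port in squid.conf is paired with the
SSL-Bump directives it needs. Added example, not from the thread or from
Squid; it assumes Squid 3.3/3.4 syntax (intercept, ssl-bump, ssl_bump,
sslcrtd_program) as covered by the SSLBUMP draft linked above."""


def parse_squid_conf(text):
    """Yield (line_number, directive, args); '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield lineno, parts[0], parts[1:]


def audit_ssl_bump(text):
    """Return a list of problem strings; an empty list means the https_port,
    ssl_bump and certificate-generator directives are consistent."""
    problems = []
    https_ports = []
    has_bump_rules = False
    has_certgen = False
    for lineno, directive, args in parse_squid_conf(text):
        if directive == "https_port":
            https_ports.append((lineno, args))
        elif directive == "ssl_bump":
            has_bump_rules = True
        elif directive == "sslcrtd_program":
            has_certgen = True

    if not https_ports:
        problems.append("no https_port: Squid has nowhere to accept TLS connections")

    for lineno, args in https_ports:
        opts = set(args[1:])            # args[0] is the [address:]port
        if "transparent" in opts:
            problems.append(f"line {lineno}: 'transparent' is the deprecated spelling of 'intercept'")
        intercepting = "intercept" in opts or "transparent" in opts
        if intercepting and "ssl-bump" not in opts:
            problems.append(f"line {lineno}: intercepting https_port without ssl-bump; "
                            "every client is answered with the static cert= certificate, "
                            "which fails hostname validation for every site")
        if "ssl-bump" in opts and not has_bump_rules:
            problems.append(f"line {lineno}: ssl-bump set but no ssl_bump rules decide what to bump")
        if "generate-host-certificates=on" in opts and not has_certgen:
            problems.append(f"line {lineno}: generate-host-certificates=on needs sslcrtd_program")
        if not any(o.startswith("cert=") for o in opts):
            problems.append(f"line {lineno}: https_port has no cert= option")
    return problems


def key_is_passphrase_protected(pem_text):
    """True when the PEM key is encrypted; Squid then prompts for the
    passphrase at every (re)start, which is the symptom reported above."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text)


# The listener lines posted above, with the wrapped https_port rejoined.
POSTED_CONF = """http_port 80 accel vhost allow-direct
https_port 3130 transparent cert=/etc/squid/server.crt key=/etc/squid/server.key
"""

# A consistent replacement (constructed). The trailing backslash is Python
# string continuation: the https_port directive is a single line in the file.
# ssl_crtd path and the 4MB cache size are assumptions.
FIXED_CONF = """https_port 3130 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/server.crt key=/etc/squid/server.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
ssl_bump server-first all
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_ssl_bump(conf) or "ok")
```

On the posted config the check reports two problems on the https_port line (the deprecated transparent keyword and the missing ssl-bump flag) and nothing else, which matches the "too incomplete for SSL-Bump" diagnosis; on the corrected sample it reports none. Run `key_is_passphrase_protected(open("/etc/squid/server.key").read())` to confirm whether the password prompt at startup comes from an encrypted key.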