Re: [squid-users] Can a guru verify my config?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 6 Apr 2009 13:44:14 +1200 (NZST)

Hello,
 I'm placing a few details you may need to be aware of inline to reply to
your latest post, followed by the help you asked for in your first post.

>
> What the heck kind of reply is this and why did you send it to my email
> address and not post it in the forums! Sending replies like this are what
> make people run back to Microsoft in frustration.

Ahem, this got sent as reply to the users *mailing list*. There is no web
'forum'.

You asked for a 'guru' to check your mail and that's what you got.

Note that most gurus and experts speak natively in mystical terms commonly
known as technical language and can be very confusing if they slip into it
when you want 'Help for dummies' language.

Please don't get angry about communications failures. On the Internet
there is always a chance for another better answer.

>
>> Rather than craft a config file from what you have picked from the list,
>> it's better for you to start with the default squid.conf that you get when
>> you install squid and improve on the functions by reading about what you
>> need from the FAQ and the Wiki. Only ask questions when you have read and
>> failed to understand or gotten stuck.
>
> Are you kidding me with this reply? I AM STUCK!

... and the responder (whose name you cut so we can't see) gave you clear
instructions on the best way not to get un-stuck and prevent yourself
getting stuck again in future.

They could perhaps have been a *little* bit clearer and pointed you at
the reference material itself:
 http://wiki.squid-cache.org/SquidFaq
 http://wiki.squid-cache.org/ConfigExamples
 http://www.squid-cache.org/Doc/config/

NP: we see a LOT of people mailing here for help with the simplest things
without reading those docs.

For good security you need to know what each part of squid.conf is doing.
So learning about any options you don't understand before cut-n-pasting is
a Really Good Idea.

The example you found seems to have a lot of crud and issues you don't
want. Please cut your config back to the squid.conf.default settings for
your version of squid and then on the clean copy follow the help I'm
listing below...

>
> What makes you think I didn't read, and read and read and try until I
> finally found someone's config which I could mod for my own start to get
> going on this? I spent DAYS trying to get this thing to work, reading
> hundreds of confused postings, not one ever working and certainly unable
> to quickly learn about this.

I get the same impression as this other poster that you have not yet found
the wiki, because you say you spent days searching 'forums' for a config
already present with simple explanations and security controls in the
official help wiki:

http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting

And now for your detailed help...

Step 1) clearing your config back to squid.conf.default settings.

Step 2) follow the
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
config. Making sure the options are added between the default 'acl' lines
and the default 'http_access' lines.

You should end up with something looking like this config layout (uses
your apparent obfuscation for "my-main-domain"):

  .. <default squid environment configs>
  ... <default ACLs>

  http_port 80 accel defaultsite=my-main-domain

  cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel

  acl our_sites dstdomain .my-main-domain
  http_access allow our_sites
  cache_peer_access myAccel allow our_sites
  cache_peer_access myAccel deny all

  http_access allow manager localhost
  http_access deny manager
  http_access allow purge localhost
  http_access deny purge
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access deny all

  ... <default squid misc etc settings>

For the logging section you only need:

  access_log /var/log/squid/access.log squid
  cache_log /var/log/squid/cache.log
  cache_store_log none

Your earlier config also had:
  redirect_rewrites_host_header off
  buffered_logs on

are you aware of what they do and do you actually need them?
 * I don't believe you need the redirect setting with no redirectors in use.
 * buffered_logs only you can really decide...
  http://squid-cache.org/Doc/config/buffered_logs/

Now you should have a simple, working and secure configuration. Any
further questions please speak up again with details about them.

When you are confident about this going, we can move on to the HTTPS and
failover questions.

Amos
Received on Mon Apr 06 2009 - 00:44:18 MDT
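
The layout described in the message above (accelerator options placed after the default 'acl' lines and before the default 'http_access' lines, with both access lists closed by 'deny all') can be checked mechanically. The following is an added example, not part of the original e-mail or of Squid itself; `lint_accel` is a hypothetical helper, the sample config is constructed, and it assumes every ACL, including `all`, is defined in the file being checked.

```python
# Constructed sample following the layout in the message above; the default
# ACL definitions are abbreviated stand-ins for squid.conf.default.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_port 80 accel defaultsite=my-main-domain
cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain .my-main-domain
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
http_access allow manager localhost
http_access deny manager
http_access deny all
"""

def lint_accel(conf):
    """Return a list of findings for a reverse-proxy squid.conf (hypothetical helper)."""
    findings, defined, http_rules, peer_rules, peers = [], set(), [], {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            defined.add(tok[1])
        elif tok[0] == "cache_peer":
            peers += [t[5:] for t in tok if t.startswith("name=")]
        elif tok[0] in ("http_access", "cache_peer_access"):
            rule = tok[1:] if tok[0] == "http_access" else tok[2:]
            for acl in rule[1:]:                # ACLs must be defined above their use
                if acl.lstrip("!") not in defined:
                    findings.append(f"line {n}: ACL '{acl}' used before it is defined")
            if tok[0] == "http_access":
                http_rules.append(rule)
            else:
                peer_rules.setdefault(tok[1], []).append(rule)
    # Access lists are evaluated top-down, first match wins, so the tail matters.
    if not http_rules or http_rules[-1] != ["deny", "all"]:
        findings.append("http_access list does not end with 'deny all'")
    if ["allow", "all"] in http_rules:
        findings.append("'http_access allow all' accepts requests for any destination")
    for p in peers:
        if peer_rules.get(p, [])[-1:] != [["deny", "all"]]:
            findings.append(f"cache_peer_access for '{p}' does not end with 'deny all'")
    return findings
```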
