Re: [squid-users] Squid proxy is very slow for web browsing in "near default" config

From: Dave T <dave_at_davestechshop.net>
Date: Mon, 11 Jan 2010 19:37:59 -0500

On Mon, Jan 11, 2010 at 6:50 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> Dave T wrote:
>>
>> Thank you. Comments inline.
>>
>> On Sun, Jan 10, 2010 at 5:49 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>
>>> Dave T wrote:
>>>>
>>>> I just set up squid for the first time. It is on a Ubuntu box hosted
>>>> on Linode.com. I have zero experience with proxy servers. I used this
>>>> guide:
>>>> http://news.softpedia.com/news/Seting-Up-a-HTTP-Proxy-Server-with-Authentication-and-Filtering-52467.shtml
>>>
>>> Eeek! That tutorial is advising people to create open proxies for global public access (allow all).
>>
>> I think that is just for initial testing. The tutorial actually
>> changes that in the second step.
>>
>>>
>>>> (I also looked at a few other guides such as this one:
>>>> http://ubuntuforums.org/showthread.php?t=320733. However, I wanted the
>>>> most barebones config to start with and the link I used was the
>>>> simplest I found.)
>>>
>>> The simplest and safest documentation is in:
>>>  /usr/share/doc/squid-common/QUICKSTART
>>> or
>>>  /usr/share/doc/squid3-common/QUICKSTART
>>>
>>> ... which outlines the minimal config changes to go from a clean install of your particular version to a working proxy.
>>
>> Thanks. Amazing that I looked everywhere else but on my local HDD. :)
>>>
>>>> So now that I have it set up, I'm testing it with FoxyProxy. It is not
>>>> working well. Many web pages do not load completely. Some load very
>>>> slowly. A few load fast (but even then, some images are often
>>>> missing). Many times I have to try an address several times before a
>>>> page will even start to load.
>>>>
>>>> I am using iptables. When I turn the firewall off, I have slightly
>>>> less problems, but nothing significantly changes. I don't want to
>>>> leave the firewall off, so I took a few ideas from here:
>>>> http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
>>>> But the changes I put in actually made the performance a little worse
>>>> than before. And like I said, even with the firewall off, the problems
>>>> I described remain.
>>>>
>>>> What should I look at next to begin to understand my problem? Thanks.
>>>
>>> Coming here was a good start.
>>>
>>> We are going to need to know the version of Squid you are using, there are a dozen or more available on Ubuntu.
>>>
>> I assume this will give more than enough info:
>>
>> $ dpkg -s squid
>
> <snip>
>>
>> Version: 2.6.18-1ubuntu3
>
> <snip>
>>
>> Linux Linode01 2.6.18.8-linode19 #1 SMP Mon Aug 17 22:19:18 UTC 2009
>> i686 GNU/Linux
>>
>
> Excellent.
>
> A little old, there are some recent config alterations we recommend. I'm adding the ones 2.6 can use inline with your config below.
>
>>
>>> Also, we are going to have to see what squid.conf you have ended up working with. Minus the documentation comments and empty lines please.
>>
>> Here is what I am using for TESTING only. I was getting TCP_DENIED/407
>> errors in the log, so I made an attempt to test it with no auth
>> required at all. (Not sure if I achieved that with this config or not,
>> but the problems didn't go away.)
>>
>> acl all src 0.0.0.0/0.0.0.0
>
> acl all src all
>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>
> acl localhost src 127.0.0.1
>
>> acl to_localhost dst 127.0.0.0/8
>
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>
> NP: For non-testing use you will need to re-add the Safe_ports and SSL_ports security controls here.
> They are the safety nets that prevent people, particularly infected clients, from opening tunnels via the proxy and sending spam or worse.
>
>> http_access allow all
>
> replace the above http_access line with:
>
>  # alter to match your LAN range(s) currently allowed to use the proxy.
>  acl localnet src 192.168.0.0/16
>  http_access allow localnet
>  http_access deny all
>
>> icp_access allow all
>
> NP: you probably want icp_access to be limited to local LAN same as http_access is above.
>

Thanks for the detailed feedback. I am about half way through reading
it and I'm not sure if your suggestions will apply because my Squid
proxy server is not on my LAN. It is hosted at Linode.com. I will be
accessing it from an Android phone. I do not know what IP address the
phone may have and I suspect it will be a NAT-style address (not a
publicly addressable IP).

Shall I follow the rest of your instructions, just leaving out the
part about LAN addresses, or does this create larger issues?
Received on Tue Jan 12 2010 - 00:38:09 MST
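
An added example (not from the thread or the Squid project): a small static check that walks the `http_access` and `icp_access` rules in order, first match wins, and flags the open-proxy conditions discussed above. The `Safe_ports`/`SSL_ports` guard lines are the ones in the stock squid.conf; the function names and both sample configs are constructed for illustration.

```python
ANY_SRC = {"all", "0.0.0.0/0", "0.0.0.0/0.0.0.0"}
PORT_GUARDS = ("!Safe_ports", "CONNECT !SSL_ports")  # stock squid.conf guards

def parse(conf):
    """Return (ACL names that match every client, ordered access rules)."""
    match_all, rules = {"all"}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok[:1] == ["acl"] and tok[2:3] == ["src"] and ANY_SRC & set(tok[3:]):
            match_all.add(tok[1])
        elif len(tok) >= 3 and tok[0] in ("http_access", "icp_access"):
            rules.append((tok[0], tok[1], tok[2:]))
    return match_all, rules

def audit(conf):
    """Walk each rule list in order (first match wins); return findings."""
    match_all, rules = parse(conf)
    findings = []
    for directive in ("http_access", "icp_access"):
        denied, seen_allow = set(), False
        for _, action, acls in (r for r in rules if r[0] == directive):
            everyone = all(a in match_all for a in acls)
            if action == "deny":
                denied.add(" ".join(acls))
            else:
                if directive == "http_access" and not seen_allow:
                    findings += [f"no 'deny {g}' before first http_access allow"
                                 for g in PORT_GUARDS if g not in denied]
                seen_allow = True
                if everyone:
                    findings.append(f"{directive} allow {' '.join(acls)}: open to any client")
            if everyone:
                break  # matches every request, so later rules are never reached
    return findings

# Constructed sample: the TESTING rules quoted in the thread.
TESTING = """acl all src 0.0.0.0/0.0.0.0
http_access allow all
icp_access allow all"""
# Constructed sample: the suggested localnet rules plus the stock port guards.
RESTRICTED = """acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all"""
```

Calling `audit(TESTING)` returns four findings (two missing port guards, plus open `http_access` and `icp_access`), while `audit(RESTRICTED)` returns an empty list.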
