Re: [squid-users] 3.1.x compile errors using ssl_crtd

From: Linos <info_at_linos.es>
Date: Wed, 30 May 2012 09:15:36 +0200

On 30/05/12 01:30, Amos Jeffries wrote:
> On 30.05.2012 09:23, Linos wrote:
>> On 29/05/12 19:32, Eliezer Croitoru wrote:
>>> On 29/05/2012 17:23, Linos wrote:
>>>> On 29/05/12 15:43, Eliezer Croitoru wrote:
>>>>> Well, I have tried compiling squid 3.2.0.17 and it built fine.
>>>>>
>>>>> I wrote up a basic way to compile squid on ubuntu 10.04 and 12.04 with all the
>>>>> dev dependencies required to compile it at:
>>>>>
>>>>> http://ubuntuforums.org/showpost.php?p=11958889&postcount=2
>>>>>
>>>>> Eliezer
>>>>>
>>>>
>>>> I am using squid-3.2.0.17-20120527-r11561 (the last daily build) right now; it
>>>> compiles cleanly but has any bugs (well, it is a beta version so that isn't
>>>> unexpected). I have reported one at
>>>> http://bugs.squid-cache.org/show_bug.cgi?id=3556
>>>>
>>>> So I can't compile stable versions and beta versions have bugs; given this is a
>>>> production machine I still don't have a working solution.
>>>>
>>>> Regards,
>>>> Miguel Angel.
>>> As I wrote, I have compiled the stable versions without any problem.
>>> Can you share your squid.conf?
>>>
>>> Eliezer
>>>
>>
>> You wrote that you compiled 3.2.0.17; as you can see here
>> http://www.squid-cache.org/Versions/ 3.2.0.17 is a beta version.
>> As I wrote, I have compiled this too and found any bugs in it.
>
> What do you mean by "found any bugs"? I assumed it was a typo of "many bugs"
> earlier, but you have been using it consistently across multiple emails.

Sorry, I meant "some bugs"; bad usage of "any" here :(

>
>>
>> I am not sure what value squid.conf has for a compilation problem, but
>> anyway these are the uncommented lines:
>>
>
>
> Small audit check, not related to your current problems ...
>
>
>> external_acl_type request_body children-max=20 %{Content-Length} /etc/squid3/request_body_max_size.sh
>> acl request_max_aulas external request_body 104857
>> acl srv_aulas src 192.168.2.200/32
>> acl oficinas src 192.168.0.0/24
>> acl aulas1 src 192.168.2.0/24
>> acl aulas2 src 192.168.3.0/24
>> acl wifi_alumnos src 192.168.4.71-192.168.4.254/32
>> acl wifi_profesores src 192.168.4.1-192.168.4.70/32
>> acl hostsprohibidos src "/etc/squid3/hostsprohibidos"
>> acl urlaprobadas url_regex -i "/etc/squid3/urlaprobadas"
>> acl urlprohibidasaulas url_regex -i "/etc/squid3/urlprohibidasaulas"
>> acl urlprohibidasoficinas url_regex -i "/etc/squid3/urlprohibidasoficinas"
>> acl extensionesprohibidas url_regex -i "/etc/squid3/extensionesprohibidas"
>> acl whitenet src "/etc/squid3/whitehosts"
>> acl maniana time SMTWHFA 06:00-16:00
>> acl tarde time SMTWHFA 16:00-23:59 00:00-06:00
>> acl extensionestarde url_regex -i "/etc/squid3/extensionestarde"
>> acl msnmsg url_regex ^http://gateway\.messenger\.hotmail\.com/gateway/gateway\.dll
>> acl msnmsg url_regex ^http://64\.4\.[^/]*/gateway/gateway\.dll
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access deny aulas1 request_max_aulas
>> http_access deny aulas2 request_max_aulas
>
>
> NOTE: CONNECT requests should never have a specific content-length size. They
> are tested by the http_access ACLs prior to ssl-bump unwrapping them. Look
> carefully at what your request_max_aulas helper does when it receives "-" or no
> content-length. If it rejects a CONNECT it will be blocking ssl-bump from
> operating on that tunnel request.

I am checking for "-" in the helper, so this should not be a problem.

>> http_access allow whitenet
>> http_access allow all urlaprobadas
>> http_access allow oficinas !urlprohibidasoficinas
>> http_access allow wifi_alumnos !urlprohibidasoficinas
>> http_access allow wifi_profesores !urlprohibidasoficinas
>> http_access allow aulas1 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
>> http_access allow aulas2 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
>> http_access allow aulas1 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
>> http_access allow aulas2 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
>> http_access deny all
>
>
> hint 1) aulas1 and aulas2 are the same type of ACL, and are always listed in
> identical pairs of http_access or delay_access lines.
> You can improve the proxy service time by merging both IP ranges into one ACL
> name and dropping all the duplicated ACL testing.
> hint 2) "!msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas"
> are also the same type and only used together.
> You can merge all of them into one ACL, the same as above.
> HOWEVER, they are url_regex, which is one of the slowest ACL types. You should
> consider splitting the file entries out into a dstdomain or other faster ACL
> types where possible.

Thanks! I will try to merge all of them :). About the dstdomain and faster ACL
types: many of the lines in this file are real regexes, but I started adding real
domains that could go in a dstdomain ACL; I will split them out.

The performance of the proxy is not a problem right now because this machine
is too powerful for the number of users, but a waste of resources should be
avoided anyway.

>> http_port 3128 transparent
>
> "intercept".
>
>> http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
>> always_direct allow all
>> ssl_bump allow all
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 16MB
>> sslcrtd_children 16
>> memory_replacement_policy heap LFUDA
>> cache_replacement_policy heap LFUDA
>> cache_dir aufs /var/spool/squid3 15000 16 256
>> maximum_object_size 40960 KB
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> refresh_pattern . 0 20% 4320
>> store_avg_object_size 50 KB
>> delay_pools 2
>> delay_class 1 2 # pool 1 is a class 2 pool
>> delay_class 2 2 # pool 2 is a class 2 pool
>> delay_access 1 allow oficinas
>> delay_access 1 allow wifi_profesores
>> delay_access 1 deny all
>> delay_access 2 allow wifi_alumnos
>> delay_access 2 allow aulas1
>> delay_access 2 allow aulas2
>> delay_access 2 deny all
>> delay_parameters 1 2500000/3125000 1024000/1296000
>> delay_parameters 2 2500000/3125000 512000/600000
>> delay_initial_bucket_level 90
>> dns_nameservers 80.58.61.250 8.8.8.8
>>
>>
>> Regards,
>> Miguel Angel.
>
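As an added illustration of Amos's point about CONNECT requests and the "-" value (this is example code written for this page, not Miguel Angel's actual request_body_max_size.sh): a POSIX sh external ACL helper that matches only requests whose Content-Length exceeds the limit given on the acl line, and never matches when the header is absent, so CONNECT tunnels are not denied before ssl-bump can handle them. It assumes the external_acl_type line from the config above without a concurrency= option, and that Squid appends the acl argument (104857) after the %{Content-Length} token on each lookup line.

```shell
#!/bin/sh
# Added example (not the poster's script): a Squid external_acl_type helper
# shaped like the request_body_max_size.sh referenced in the thread.
# With "acl request_max_aulas external request_body 104857", Squid sends one
# line per lookup: "<Content-Length> 104857". The first field is "-" when the
# request carries no Content-Length header (CONNECT tunnels, plain GETs).
# Assumes no concurrency= option, so lines carry no channel id.
# Reply "OK" means the ACL matches (body too large, the deny rule fires);
# "ERR" means no match (the request passes this check).

# decide LEN MAX: print the verdict for one lookup
decide() {
    len=$1
    max=$2
    # No Content-Length at all: nothing to limit. Never match here, or every
    # CONNECT from aulas1/aulas2 would be denied before ssl-bump sees it.
    if [ "$len" = "-" ]; then
        echo ERR
        return 0
    fi
    # Non-numeric input (malformed header or acl argument): treat as no match
    # rather than letting the shell error out and kill the helper.
    case "$len" in ''|*[!0-9]*) echo ERR; return 0 ;; esac
    case "$max" in ''|*[!0-9]*) echo ERR; return 0 ;; esac
    if [ "$len" -gt "$max" ]; then
        echo OK
    else
        echo ERR
    fi
}

# run_helper: answer lookups from stdin until Squid closes the pipe
run_helper() {
    while read -r len max _rest; do
        decide "$len" "$max"
    done
}

# Only enter the serving loop when installed under the expected file name, so
# the functions can also be sourced or tested without blocking on stdin.
case "$0" in
    */request_body_max_size.sh|request_body_max_size.sh) run_helper ;;
esac
```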
Received on Wed May 30 2012 - 07:15:47 MDT
