Re: [squid-users] Squid won't work when removing DG

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 22 Jan 2014 10:59:23 +1300

On 2014-01-22 09:52, Scott Mayo wrote:
> On Tue, Jan 21, 2014 at 2:45 PM, Amos Jeffries <squid3_at_treenet.co.nz>
> wrote:
>> On 2014-01-22 03:14, Scott Mayo wrote:
>>>
>>> I have run a DG/Squid setup for quite some time. I am having
>>> problems
>>> with slowness. It seems DG has too many processes open. I wanted to
>>> test this to remove DG from the mix.
>>>
>>> DG listens on 8080 and Squid on 3128. I have it set to authenticate
>>> users.
>>>
>>> Since I wanted to test I did the following:
>>> 1. Edited squid.conf to listen on 8080
>>> 2. Stopped DG
>>> 3. Restarted squid 'squid -k reconfigure'
>>>
>>> After that did not work I even set squid.conf back to listening to
>>> port 3128 and had my test client proxy settings changed to 3128
>>> instead of 8080. I even cleared my squid cache out.
>>
>>
>> It sounds like you have access control problems. When removing DG you
>> also
>> need to make Squid do whatever controls DG was doing (or ensure
>> omitted
>> rules were not actually needed for connectivity), and remove anything
>> in
>> squid.conf which was specifically for DG (such as only allowing
>> traffic from
>> the IP address used by DG).
>>
>> Perhaps if you would share your squid.conf we could be a bit more
>> helpful.
>
>
> Thanks. I was actually going to do that. Just got it out a bit ago.
> Here it is if you see anything that should not be there. I really
> thought I had done exactly what I did before and it worked. Maybe I
> have changed something along the way.

What version of Squid are you running? I see a lot of lines here for
things which have been obsoleted or deprecated since 2.6 and one which
is only relevant to squid-2.5 down there at the end. If you have
anything older than 3.2 please seriously consider an upgrade ASAP, and
if you have something newer please at least run squid -k parse and
follow up on the messages it emits.

>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl username proxy_auth REQUIRED
> acl update-micro-dom dstdomain .microsoft.com
> acl update-micro-dom dstdomain .windowsupdate.com
> acl all src 0.0.0.0/0.0.0.0
> acl banned_ips src 10.1.1.1
> acl limituserconStudent maxconn 3
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563 2443
> acl Safe_ports port 80-81
> acl Safe_ports port 21
> acl Safe_ports port 443 563
> acl Safe_ports port 210
> acl Safe_ports port 8080 3123
> acl CONNECT method CONNECT

These ...

> follow_x_forwarded_for allow localhost
> acl_uses_indirect_client on
> delay_pool_uses_indirect_client on
> log_uses_indirect_client on

... are all Squid config lines to integrate with DG. Try removing them,
or at least commenting out the first one.

> no_cache deny no_cache_sites
> http_access deny limituserconStudent
> http_access allow manager localhost
> http_access deny manager
> http_access deny banned_ips
> http_access allow update-micro-dom
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow username
> http_access allow localhost

Um, only localhost services or authenticated traffic is permitted. Is
that correct for your policy?

> cache_effective_user squid
> cache_effective_group squid
> visible_hostname localhost

Proxy hostname of "localhost" leads to many problems. This should be the
public (at least in the LAN) accessible FQDN for your proxy service.

> http_access deny all
> http_reply_access allow all
> icp_access allow all
> httpd_accel_with_proxy off

Er, httpd_accel_with_proxy is so old we do not even document it anymore.

Amos
Received on Tue Jan 21 2014 - 21:59:30 MST
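The point Amos makes about the http_access list (only localhost or authenticated clients get through, with the Microsoft update domains as the one unauthenticated exception) follows from Squid's first-match evaluation: every ACL named on a line must match, a leading "!" negates, the first matching line decides, and a request matching no line gets the opposite of the last line. The following is an added example, not code from the thread or from Squid itself: a small Python evaluator that applies those rules to the ACL and http_access lines as posted. It models only the ACL types that appear in the posted config (src, dst, dstdomain, port, method, proto, proxy_auth, maxconn) and makes two labelled simplifications: proxy_auth is reduced to an "authenticated" flag on the request (the 407 challenge round-trip is not modelled), and maxconn is assumed never to trip. The sample requests are constructed for illustration.

```python
"""Toy first-match evaluator for the http_access list posted in the thread.

Added example, not part of the original message or of Squid. Assumptions:
proxy_auth is a boolean flag on the request; maxconn is treated as never
matching (client assumed under its limit).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the ACL and http_access lines from the posted squid.conf,
# in their original order (the no_cache/manager/cache lines are not needed here).
POSTED_CONF = """
acl username proxy_auth REQUIRED
acl update-micro-dom dstdomain .microsoft.com
acl update-micro-dom dstdomain .windowsupdate.com
acl all src 0.0.0.0/0.0.0.0
acl banned_ips src 10.1.1.1
acl limituserconStudent maxconn 3
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 2443
acl Safe_ports port 80-81
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 210
acl Safe_ports port 8080 3123
acl CONNECT method CONNECT
http_access deny limituserconStudent
http_access allow manager localhost
http_access deny manager
http_access deny banned_ips
http_access allow update-micro-dom
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow username
http_access allow localhost
http_access deny all
"""


@dataclass
class Request:
    client_ip: str
    method: str = "GET"
    host: str = "example.com"
    port: int = 80
    proto: str = "http"
    dst_ip: Optional[str] = None
    authenticated: bool = False  # stands in for a valid proxy_auth credential


def parse(conf):
    """Return ({acl_name: (type, [values])}, [(action, [terms])]) from squid.conf text."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _port_in(spec, port):
    lo, _, hi = spec.partition("-")  # "80-81" is a range, "21" a single port
    return int(lo) <= port <= int(hi or lo)


def _domain_in(spec, host):
    host, spec = host.lower(), spec.lower()
    if spec.startswith("."):  # ".microsoft.com" matches the domain and all subdomains
        return host == spec[1:] or host.endswith(spec)
    return host == spec


def _ip_in(spec, ip):
    if ip is None:
        return False
    # ipaddress accepts both "10.1.1.1" and dotted-netmask forms like "0.0.0.0/0.0.0.0"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def acl_matches(acls, term, req):
    """True when the (possibly negated) ACL named by term matches the request."""
    negated = term.startswith("!")
    acl_type, values = acls[term.lstrip("!")]
    if acl_type == "src":
        hit = any(_ip_in(v, req.client_ip) for v in values)
    elif acl_type == "dst":
        hit = any(_ip_in(v, req.dst_ip) for v in values)
    elif acl_type == "dstdomain":
        hit = any(_domain_in(v, req.host) for v in values)
    elif acl_type == "port":
        hit = any(_port_in(v, req.port) for v in values)
    elif acl_type == "method":
        hit = req.method.upper() in {v.upper() for v in values}
    elif acl_type == "proto":
        hit = req.proto.lower() in {v.lower() for v in values}
    elif acl_type == "proxy_auth":
        hit = req.authenticated  # simplification: no 407 challenge modelled
    elif acl_type == "maxconn":
        hit = False  # assumption: client is under its connection limit
    else:
        raise ValueError(f"unsupported acl type: {acl_type}")
    return hit != negated


def evaluate(conf, req):
    """First-match http_access evaluation; returns (action, the line that decided)."""
    acls, rules = parse(conf)
    last_action = "allow"
    for action, terms in rules:
        last_action = action
        if all(acl_matches(acls, t, req) for t in terms):
            return action, " ".join(["http_access", action] + terms)
    # Squid's rule when nothing matched: the opposite of the last line's action
    return ("deny" if last_action == "allow" else "allow"), "(implicit default)"


if __name__ == "__main__":
    samples = [
        ("LAN client, no credentials", Request("10.1.1.50")),
        ("LAN client, authenticated", Request("10.1.1.50", authenticated=True)),
        ("Windows Update, no credentials", Request("10.1.1.50", host="download.windowsupdate.com")),
        ("authenticated CONNECT to 8080", Request("10.1.1.50", method="CONNECT", port=8080, authenticated=True)),
        ("banned IP, authenticated", Request("10.1.1.1", authenticated=True)),
        ("localhost, no credentials", Request("127.0.0.1")),
    ]
    for label, req in samples:
        print(f"{label:32} -> {evaluate(POSTED_CONF, req)}")
```

Running it shows the unauthenticated LAN client falling all the way through to "http_access deny all", which is the symptom a client would see after DG (which previously supplied the traffic from an allowed address) is taken out of the path; the same client with credentials stops at "allow username", and the update-domain line is the only route through without credentials.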