Hi List,
I'm having an issue with squid responding rather slowly when it is to
display an "Access Denied" message. Accessing sites on the whitelist
works fast and fine, however. There is no DNS server in the network,
all DNS lookups are supposed to take place with the parent proxy.
I'm guessing that upon displaying the error page, squid wants to do a
reverse DNS lookup, and times out. This assumption is based on the
fact that when I specify a fake DNS server in /etc/resolv.conf it
returns the error page immediately ("Fake" meaning the DNS server is
configured to listen on the port, but reject all requests not
originating from its own IP.)
How can I solve this issue? I would prefer not having to run a DNS
server, to keep the setup as simple as possible.
The following info might be of help in analyzing the issue:
Current OS is Debian stable, with a few unstable/testing packages mixed
in, but the same effect also appears on SuSE 8.2.
squid runs with the following parameters: -D -sYC
squid -version
Squid Cache: Version 2.5.STABLE7
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log
--enable-auth=basic,digest,ntlm --enable-carp --enable-large-files
i386-debian-linux
squid.conf:
http_port 8080
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /var/log/squid/access.log
ftp_user info@xxxxxxxxxxxxxxx
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 631
acl Safe_ports port 777
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl unsernetz src my.network.here.0/255.255.0.0
acl whitelist dstdomain .some.domains.he.re
acl whitelistip dst some.ip.addresses.here
acl termserv_vollzugang src single.ip.he.re
acl downloads urlpath_regex -i \.exe$ \.zip$
acl unsereproxies src parent.proxy.he.re
never_direct allow all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny !unsernetz
http_access allow unsereproxies
http_access deny downloads
http_access allow whitelist
http_access allow whitelistip
http_access allow termserv_vollzugang
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname PROXYNAME
error_directory /usr/share/squid/errors/German
cache_peer parent.proxy..ip.here parent 8080 0 no-query
no-netdb-exchange
cache_mgr proxy-admin@xxxxxxxxxxxxxxx
unique_hostname PROXYNAME
Thanks in Advance & Kind Regards,
Stefan Baur
