Hello,
I need some help using squid browsing through a ipsec-isakmp tunnel.
We have been using squid internally now for quite a while and recently
implemented a ipsec-isakmp tunnel to manage one of our customers
services remotely (via http), the way its setup is as follows;
192.168.2.0/24 Network (local lan)
_[ Squid ]____________________________________
|
|
Dial-On-Demand
|___________ _ _ _ _ _ _ [
ipsec-isakmp tunnel ] _ _ _ _ _ _________
|
|
_[ Workstations ]______|_______________________
____________________|_________________
192.168.1.0/24 Network (local lan)
192.168.102.160/32 Network (customer lan)
Our workstations are on the internal 192.168.1.0 network and the way the
tunnel is setup it the remote router will only accept connections from
our 192.168.2.0 network (due to another company using their 1.0
network). We have moved our proxy server to the 2.0 network
(192.168.2.220) and the traffic through squid on this network seems fine
outbound to the internet but through the tunnel it is quite slow, if we
remove the proxy server from IE settings and go direct to the
192.168.102.0 network the speed is increased dramatically, we are unsure
if this has something to-do with the configuration of squid or the fact
that the web service on the remote site we are trying to view contains
POST data and java data, could you please help and if I can provide any
debugs I will be more than willing.
Many Thanks
Darren
Squid Configuration;
cat squid.conf
# Squid Configuration File 02/11/06
http_port 3128
ssl_unclean_shutdown off
icp_port 0
mcast_groups none
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
icp_query_timeout 0
maximum_icp_query_timeout 2000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 10 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
cache_dir ufs /var/cache/squid 15000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
log_ip_on_direct on
mime_table /etc/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
debug_options ALL,1
log_fqdn off
client_netmask 255.255.255.255
hosts_file /etc/hosts
diskd_program /usr/lib/squid/diskd-daemon
unlinkd_program /usr/lib/squid/unlinkd
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Direct Visual
auth_param basic credentialsttl 5 hours
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 0 seconds
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
read_ahead_gap 16 KB
acl all src 192.168.0.0/255.255.0.0
acl tms src 192.168.1.215/255.255.255.255
acl tms src 192.168.1.216/255.255.255.255
acl tms src 192.168.1.217/255.255.255.255
acl tms src 192.168.1.218/255.255.255.255
acl tms src 192.168.1.219/255.255.255.255
acl tms src 192.168.1.1/255.255.255.255
acl tms src 192.168.1.2/255.255.255.255
acl tms src 192.168.1.3/255.255.255.255
acl tms src 192.168.1.4/255.255.255.255
acl tms src 192.168.1.5/255.255.255.255
acl tms src 192.168.1.6/255.255.255.255
acl tms src 192.168.1.7/255.255.255.255
acl tms src 192.168.1.8/255.255.255.255
acl tms src 192.168.1.9/255.255.255.255
acl tms src 192.168.1.10/255.255.255.255
acl tms src 192.168.1.11/255.255.255.255
acl tms src 192.168.1.12/255.255.255.255
acl tms src 192.168.1.13/255.255.255.255
acl tms src 192.168.1.14/255.255.255.255
acl tms src 192.168.1.15/255.255.255.255
acl tms src 192.168.1.16/255.255.255.255
acl tms src 192.168.1.17/255.255.255.255
acl tms src 192.168.1.18/255.255.255.255
acl tms src 192.168.1.19/255.255.255.255
acl xxxtms dst 192.168.102.160/255.255.255.255
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl purge method PURGE
acl CONNECT method CONNECT
acl NTLMUsers proxy_auth REQUIRED
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl bad_sites url_regex -i myspace .premiumtv .youtube .connextra
.spikedhumor .doubleclick.net .flashtalking.com .photobucket.com
files.ea.com .allofmp3.com adserver.adtech.de the-cloak
http_access allow xxxtms NTLMUsers
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tms
http_access deny bad_sites
http_access allow all NTLMUsers
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/cache/squid
max_open_disk_fds 0
offline_mode off
uri_whitespace strip
nonhierarchical_direct on
prefer_direct off
strip_query_terms off
redirector_bypass off
ignore_unknown_nameservers on
digest_generation on
digest_bits_per_entry 5
digest_rebuild_period 1 hour
digest_rewrite_period 1 hour
digest_swapout_chunk_size 4096 bytes
digest_rebuild_chunk_percentage 10
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error off
detect_broken_pconn off
balance_on_multiple_ip on
pipeline_prefetch off
request_entities off
high_response_time_warning 0
high_page_fault_warning 0
high_memory_warning 0
store_dir_select_algorithm least-load
ie_refresh off
vary_ignore_expire off
sleep_after_fork 0
minimum_expiry_time 60 seconds
relaxed_header_parser on
deny_info ERR_ACCESS_DENIED bad_sites
-----------------------------------------------------------------------------------------------------------------------
Direct Visual Ltd is registered in the UK, reg. no: 03018453
Direct Visual Ltd, The Gateway, Lowfields Close, Lowfields Business Park, Elland, West Yorkshire, HX5 9DX
STRICTLY CONFIDENTIAL. The contents of this email and any attachments are strictly confidential and may contain privileged information. If you are not the named addressee(s), any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is strictly prohibited. If this message has been sent to you in error, please inform the sender immediately and delete this email and any copies (including attachments), from your system.
Any views or opinions expressed in this message are those of the author and do not necessarily represent those of Direct Visual or any of its subsidiaries or affiliates. No reliance may be placed on this message without written confirmation from an authorised representative of its contents. Internet communications are not secure and therefore Direct Visual does not accept legal responsibility for the contents of this message.
All emails sent and received by Direct Visual are virus checked with the latest available anti-virus systems, you should take whatever measures you deem to be appropriate to ensure that this email is virus free. Direct Visual reserves the right to monitor the content of all emails sent and received via its network for the purposes of ensuring compliance with its policies and procedures.
