Re: https hanging on large attachments in webmail {Scanned}

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Dean Durant wrote:
> Hello, I have a squid that was working great with virtually all traffic.
> Then a few days ago people began reporting issues with sites that used
> https.
>
> If it was a large amount of data to be transferred, like attaching a large
> document to a webmail, it would just hang.
>
> Other https sites that used java, or aspx, or things like that would
> frequently hang too.
>
> I'm at my wits end trying to figure out what went wrong.   I didn't change
> anything.    If anyone has any ideas how I can troubleshoot this I would be
> so grateful.

Your configuration shows you are configured as an open-proxy for quite a 
number of domains. Including all the ebay.com domains, and anybody 
wanting to use port 443 traffic.

I suspect someone evil has discovered this recently.

I suggest you start by creating an ACL containing all your customer IP 
ranges and begin the config of with "http_access deny !customers"

Amos


> here is my squid.conf
> ---------------------------------------------------------------------------------------------------------------------
> http_port 3128
> http_port 80
> https_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> cache_mem 168 MB
>
> cache_dir ufs /usr/local/squid/cache 400 16 256
>
> cache_access_log /usr/local/squid/logs/access.log
>
> cache_log /usr/local/squid/logs/cache.log
>
> pid_filename /usr/local/squid/logs/squid.pid
>
> debug_options 4,10 26,3
>
> ftp_sanitycheck off
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
>
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl fulda dst 130.0.0.0/255.0.0.0
> acl origNet src 192.9.70.0/255.255.255.0
> acl abyzNetU src 130.16.64.0/255.255.192.0
> acl abyzNetW src 130.16.128.0/255.255.192.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl scanner dst 192.9.70.243
> acl autoweb dst 67.109.76.29
> acl SSL_ports port 443 563
> acl Safe_ports port 1025-4000
> acl CONNECT method CONNECT
>
>
> acl awubi src 130.16.128.193
> http_access allow awubi
>
> acl hp dstdomain .hp.com
> always_direct allow hp
>
> acl gms dstdomain .gmsupplypower.com
> always_direct allow gms
>
> acl tpm dstdomain .tripmanager.com
> always_direct allow tpm
>
> acl avgate dstdomain .avgate.net
> always_direct allow avgate
>
> acl gm dstdomain .gm.com
> always_direct allow gm
>
> acl aweb dstdomain .autoweb.net
> always_direct allow aweb
>
> acl pgc dstdomain .puregreencars.com
> always_direct allow pgc
>
> acl vpn dstdomain .customer1.com
> always_direct allow vpn
>
> acl dcx dstdomain .customer1.com
> always_direct allow dcx
>
> acl ead dstdomain .abyzaerodef.com
> always_direct allow ead
>
> acl scott dstdomain .scottrade.com
> always_direct allow scott
>
> acl interstate  dstdomain .interstatetraveler.us
> always_direct allow interstate
>
> acl volker1 dstdomain .cvent.com
> always_direct allow volker1
>
> acl sapallow dst 130.10.198.10/32
> acl gmutils dst 130.170.126.202/32
> acl gmutils2 dstdomain a.b.c.com
> acl gmutils3 dstdomain .gm.com
> acl gmutils4 dst 130.170.0.0/16
> acl gmutils5 port 443
> acl aribert dstdomain .dayrunner.com
> acl mariusz src 130.16.128.127
> acl ebay dstdomain .ebay.com
> acl sols dst 198.63.61.35
> acl sols2 dstdomain www2.abyz-us.com
> acl sols3 dstdomain .abyz-us.com
> acl chry4 dstdomain vpnpasswd.tcc.customer1.com
> acl chry5 dstdomain roadmap.tcc.cser.com
> acl chry6 dstdomain .customer1.com
> acl chry7 dstdomain intra-wiw.e.customer1.com
> acl chry8 dstdomain web3270.appl.customer1.com
> acl chryextra dstdomain web3270.extra.customer1.com
> acl chry9 dstdomain anywhere.customer1.com
> acl hotel5 dst 15.173.128.247/32
> acl hotel6 dst 155.72.128.147/32
> acl brasil1 dst 200.245.73.181
>
> acl abyz_forbidden url_regex
> "/usr/local/squid/etc/abyzforbidden/abyz_blocked.txt"
>
> acl abyz_forbidden_always url_regex
> "/usr/local/squid/etc/abyzforbidden/abyz_deny.always"
> acl abyz_forbidden_lunch url_regex
> "/usr/local/squid/etc/abyzforbidden/abyz_deny.lunch"
> http_access allow volker1
> http_access allow scanner
> http_access allow autoweb
> http_access allow sapallow
> http_access allow gmutils
> http_access allow gmutils2
> http_access allow gmutils4
> http_access allow gmutils5
> http_access allow ebay
> http_access allow mariusz
> http_access deny abyz_forbidden
> http_access allow sols
> http_access allow sols2
> http_access allow sols3
> http_access allow chry4
> http_access allow chry5
> http_access allow chry6
> http_access allow chry7
> http_access allow chry8
> http_access allow chry9
> http_access allow hotel5
> http_access allow hotel6
> http_access allow brasil1
> http_access allow aribert
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow fulda
> http_access allow origNet
> http_access allow abyzNetW
> http_access allow abyzNetU
>
> http_access deny all
>
> http_reply_access allow all
>
> icp_access allow all
>
> cache_mgr help@xxxxxxxxxxx
>
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname srvproxy228
>
> dns_testnames google.com internic.net nlanr.net ibm.com
>
> --------------------------------------------------------------------------------------------------
>
> Thanks,
>
> Dean Durant


--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5