Re: Fwd: Webapp problems with squid 2.7.STABLE3


On Fri, Jan 9, 2009 at 9:22 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> BTW, we started back up for the spring semester yesterday. I did my
>> upgrade over the break. Now I am having multiple sites (many are ssl)
>> unaccessible which were accessible under 2.6.STABLE12. Did I miss some
>> major changes between 2.6 and 2.7? I'm considering rolling back to 2.6
>> to quell the rebellion... :-(
>
> We can't really tell what or if you missed anything without config details
> :).
> What's the current config and the diff between the old and new squid.conf?

Attached is the current config. The config on the upgrade was a simple
cp of the previous config file. The only thing different now is the
addition of "ignore_expect_100 on" at the end per the suggestion
earlier in this thread. (Which did allow the webapp to work
correctly.)

Regarding ssl sites
(https://pob-w.fidelitybanknc.com/servlet/cefs/online/login-tfb.html
is one example that hangs and times out via squid): Several tcpdumps
seem to indicate that the client sends a connect frame to squid, squid
acknowledges but never passes any traffic on to the internet site.
Generally clients are authenticated via ntlm helper, but I have some
clients that are authenticated based on ip. These clients (ipauthex)
do not have this problem: they connect to these sites fine. This would
seem to indicate a config issue, but what?

I have also attached a pcap file for traffic between an ntlm auth
client and squid. There is no pcap for the same squid to fidelity
connection as there is never any traffic there.

Thanks for the help on this one. If anyone sees any other
optimizations I should have in my squid.conf, feel free to point them
out.

Note: fidelity.txt is really a pcap file.

Kind Regards,
Chris

--
Christopher Nighswonger
Faculty Member
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org

[fidelity.txt: binary pcap attachment; the only readable payload is the client's request]

CONNECT pob-w.fidelitybanknc.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: pob-w.fidelitybanknc.com
Pragma: no-cache

http_port 192.168.0.247:3128
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 12 MB
maximum_object_size 32768 KB
maximum_object_size_in_memory 200 KB
cache_dir aufs /var/spool/squid 477184 65 256
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cachemgr_passwd VerySecret all
debug_options ALL,1
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 17
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Campus Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.0.0.0
acl masada src 192.168.0.23/255.255.255.255
acl cnighswonger-lt src 192.168.0.105/255.255.255.255
acl campusnet src 192.168.0.0/24
acl farswap src 192.168.254.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 334
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 10000
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl AuthorizedUsers proxy_auth REQUIRED
acl WindowsUpdate dstdomain download.microsoft.com ntservicepack.microsoft.com .update.microsoft.com .windowsupdate.com windowsupdate.microsoft.com wustat.windows.com c.microsoft.com crl.microsoft.com watson.microsoft.com
acl Webmin src 192.168.0.247-192.168.0.247/255.255.255.255
acl Zipcode dstdomain dail-a-zip.com
acl USPSShipping dstdomain webtoolsdevprod.usps.com production.shippingapis.com secure.shippingapis.com
acl UnauthAccess dstdomain update.services.openoffice.org .ibackup.com ding.southwest.com www.ncsecu.org .snapfish.com .viastreaming.net .harcourtassessment.com .linux.ncsu.edu yui.yahooapis.com .toshibapc.com .verisign.com
acl AntiVirusAccess dstdomain .symantechliveupdate.com .avast.com .avg.com .grisoft.com .grisoft.cz .trendmicro.com .ca.com
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl JavaUpdate urlpath_regex -i ^http://java.sun.com/update
acl JavaRelated dstdomain sjremetrics.java.com
acl ipauthex src 192.168.0.111/255.255.255.255 192.168.0.119/255.255.255.255 192.168.0.37/255.255.255.255 192.168.0.45/255.255.255.255
follow_x_forwarded_for allow all
log_uses_indirect_client on
http_access allow localhost
http_access allow manager localhost
http_access allow manager masada
http_access allow manager cnighswonger-lt
http_access deny manager
http_access allow localhost PURGE
http_access allow masada PURGE
http_access allow cnighswonger-lt PURGE
http_access allow cnighswonger-lt
http_access deny PURGE
http_access allow CONNECT Zipcode campusnet
http_access deny CONNECT !SSL_ports
http_access allow campusnet AntiVirusAccess
http_access allow campusnet UnauthAccess
http_access allow campusnet USPSShipping
http_access allow campusnet WindowsUpdate
http_access allow campusnet JavaRelated
http_access allow campusnet JavaUpdate
http_access allow campusnet Java
http_access allow ipauthex
http_access allow farswap 
http_access allow campusnet AuthorizedUsers
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr support@xxxxxxxxxxxxxxx
append_domain .campus.foundations.edu
store_avg_object_size 20 KB
coredump_dir /var/spool/squid
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
visible_hostname masada.campus.foundations.edu
#redirect_program /usr/local/bin/squid_redirect/wrapzap
#redirect_children 10
negative_ttl 5 minutes
negative_dns_ttl 1 minutes
ignore_expect_100 on
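
The following is an added example, not part of the original post or of Squid: a small model of Squid's first-match http_access evaluation, showing which of the attached rules decides the CONNECT from the capture for an ipauthex client and for an NTLM client. It embeds only a subset of the attached rules (the omitted localhost, manager, PURGE, dstdomain whitelist, Java and farswap rules do not match these samples), models only the src, port, method and proxy_auth ACL types, and the address 192.168.0.50 is a hypothetical campusnet host. It identifies the deciding rule, not the cause of the hang.

```python
import ipaddress

# Subset of the squid.conf posted above, copied verbatim (other rules omitted).
CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl campusnet src 192.168.0.0/24
acl SSL_ports port 443 334
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl ipauthex src 192.168.0.111/255.255.255.255 192.168.0.119/255.255.255.255 192.168.0.37/255.255.255.255 192.168.0.45/255.255.255.255
http_access deny CONNECT !SSL_ports
http_access allow ipauthex
http_access allow campusnet AuthorizedUsers
http_access deny all
"""

def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"] in values
    raise ValueError("ACL type not modelled: " + kind)

# Returns (verdict, rule) for the first http_access line whose ACLs all match.
def decide(req, conf=CONF):
    lines = [l.split() for l in conf.splitlines()]
    acls = {f[1]: (f[2], f[3:]) for f in lines if f[0] == "acl"}
    for f in (f for f in lines if f[0] == "http_access"):
        for name in f[2:]:
            kind, values = acls[name.lstrip("!")]
            if kind == "proxy_auth":
                # Simplification: no credentials -> 407; any user satisfies REQUIRED.
                if req.get("user") is None:
                    return "407 challenge", " ".join(f)
                hit = True
            else:
                hit = acl_matches(kind, values, req)
            if hit == name.startswith("!"):
                break            # this ACL failed, so the rule does not match
        else:
            return f[1], " ".join(f)
    return "deny", None

CONNECT = {"method": "CONNECT", "port": 443}    # constructed: the CONNECT from the capture
ip_client = dict(CONNECT, src="192.168.0.111")  # address listed in ipauthex
ntlm_first = dict(CONNECT, src="192.168.0.50")  # hypothetical host, no credentials yet
```

Calling `decide(ip_client)` stops at `http_access allow ipauthex` with no authentication, while `decide(ntlm_first)` runs on to `http_access allow campusnet AuthorizedUsers` and is answered with a 407 challenge, so only the NTLM client's tunnel depends on the proxy-auth exchange completing.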
