Silamael wrote:
Silamael wrote:
Amos Jeffries wrote:
This is usually a configuration problem.
Please provide your squid.conf file contents (minus empty and comment
lines)
Amos
Does no one have any idea what's wrong with our configuration?
Amos Jeffries wrote:
> This is usually a configuration problem.
>
> Please provide your squid.conf file contents (minus empty and comment
> lines)
>
> Amos
Hello Amos,
Here is our configuration.
Thank you for your help.
-- Matthias
Sorry, got a bit busy.
Here is a quick audit of your config...
> #
> # WARNING: Do not edit this file, it has been automatically generated.
> #
> # Prepends
> append_domain .domain.de
> unlinkd_program /usr/local/libexec/unlinkd
> ipcache_high 95
> icp_port 0
> ipcache_size 1024
> http_port 127.0.0.1:8000
> cache_dir ufs /var/squid/cache/cache-8000 100MB 8 16
> debug_options ALL,1
> server_persistent_connections on
> cache_swap_high 95
> log_ip_on_direct off
> maximum_object_size 20000 KB
> minimum_direct_hops 4
> udp_incoming_address 127.0.0.1
> pid_filename /var/squid/logs/squid-8000.pid
> ftp_user squid@xxxxxxxxx
> forwarded_for off
> cache_access_log /var/squid/logs/access-8000.log

The above is obsolete since 2.6.
Use access_log directive instead.

> visible_hostname domaind193.domain.de
> client_persistent_connections on
> cache_swap_low 90
> logfile_rotate 0
> ipcache_low 90
> cache_effective_user _squid
> cache_log /var/squid/logs/cache-8000.log
> cache_effective_group _squid
> hosts_file none
> refresh_pattern . 0 20% 14400
> cache_mem 8 MB
> cache_store_log none
> hierarchy_stoplist cgi-bin ?
> error_directory /usr/local/share/squid/errors/de

Sure about that? 3.1 handles error languages nicely so the _visitors_
can read the message. The above specifies that 100% of your visitors
must read German.

> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localdomain srcdomain domain.de
> acl localdst dstdomain .domain.de
> acl localhost-dst dst 127.0.0.1/32

'dst' ACL requires DNS lookups. This will be the cause of your problems.
You require it to be checked before permitting anyone access.

> # user defined ACLs
> always_direct deny all
> refresh_pattern .domain.de 0 1% 0
> refresh_pattern www.domain.de 0 1% 0
> cache_peer 10.254.0.17 parent 8888 0 default no-query
> always_direct allow localdst

This will never happen. You already specified 'always_direct deny all'.

> never_direct allow all

This is redundant with 'always_direct deny all'

> # Authentication
> # User options
> # Append
> acl Dangerous_ports port 7 9 19
> acl CONNECT method CONNECT
> http_access deny Dangerous_ports
> http_access deny manager !localhost
> acl SSL_ports port 443 563 881
> http_access deny CONNECT !SSL_ports
> http_access deny localhost-dst

Above test requires DNS lookups.
AND seems to have no purpose....

always_direct/never_direct settings force all requests to be passed
to the parent proxy.
anything resolving to 127.0.0.1 on this host is not necessarily
resolving to 127.0.0.1 on any other host (ie the parent proxy)

NP: having a DNS server resolve 127.0.0.1 for anything public is very nasty.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.13
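
The four findings from the audit above, written as a small configuration check. This is an added example, not code from the thread or from the Squid project: the function name `audit` is hypothetical, the sample input is constructed from lines of the quoted configuration, and the redundancy rule simply encodes the audit's own statement.

```python
# Constructed sample: lines copied from the configuration quoted in the thread.
SAMPLE = """\
cache_access_log /var/squid/logs/access-8000.log
acl localdst dstdomain .domain.de
acl localhost-dst dst 127.0.0.1/32
always_direct deny all
always_direct allow localdst
never_direct allow all
http_access deny localhost-dst
"""

ACCESS_LISTS = {"always_direct", "never_direct", "http_access"}

def audit(conf):
    """Return [(line_no, message)] for the four issues raised in the audit."""
    findings, acl_type, catch_all = [], {}, {}
    for no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        name = tok[0]
        if name == "cache_access_log":
            findings.append((no, "cache_access_log is obsolete since 2.6; use access_log"))
        elif name == "acl" and len(tok) >= 3:
            acl_type[tok[1]] = tok[2]          # remember each ACL's type
        elif name in ACCESS_LISTS and len(tok) >= 3:
            action, acls = tok[1], tok[2:]
            if name in catch_all:
                # Rules are checked in order, so nothing after "<action> all" can match.
                prev_no, prev_action = catch_all[name]
                findings.append((no, f"never reached: '{name} {prev_action} all' on line {prev_no} matches first"))
                continue
            if acls == ["all"]:
                catch_all[name] = (no, action)
                if (name, action) == ("never_direct", "allow") and \
                        catch_all.get("always_direct", (0, ""))[1] == "deny":
                    findings.append((no, "redundant with 'always_direct deny all' (per the audit)"))
            if name == "http_access":
                for acl in acls:
                    if acl_type.get(acl.lstrip("!")) == "dst":
                        findings.append((no, f"ACL '{acl}' is type dst: needs a DNS lookup before access is decided"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```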