Re: Squid 3.1.12 - Parent Proxy and DNS queries

Silamael wrote:

Silamael wrote:
Amos Jeffries wrote:
This is usually a configuration problem.

Please provide your squid.conf file contents (minus empty and comment
lines)

Amos


No one has some idea what's wrong with our configuration?

Amos Jeffries wrote:
> This is usually a configuration problem.
>
> Please provide your squid.conf file contents (minus empty and comment
> lines)
>
> Amos

Hello Amos,

Here is our configuration.
Thank you for your help.

-- Matthias


Sorry, got a bit busy.

Here is a quick audit of your config...



#
# WARNING: Do not edit this file, it has been automatically generated.
#
# Prepends
append_domain .domain.de
unlinkd_program /usr/local/libexec/unlinkd
ipcache_high 95
icp_port 0
ipcache_size 1024
http_port 127.0.0.1:8000
cache_dir ufs /var/squid/cache/cache-8000 100MB 8 16
debug_options ALL,1
server_persistent_connections on
cache_swap_high 95
log_ip_on_direct off
maximum_object_size 20000 KB
minimum_direct_hops 4
udp_incoming_address 127.0.0.1
pid_filename /var/squid/logs/squid-8000.pid
ftp_user squid@xxxxxxxxx
forwarded_for off
cache_access_log /var/squid/logs/access-8000.log

The above is obsolete since 2.6.
Use the access_log directive instead.

visible_hostname domaind193.domain.de
client_persistent_connections on
cache_swap_low 90
logfile_rotate 0
ipcache_low 90
cache_effective_user _squid
cache_log /var/squid/logs/cache-8000.log
cache_effective_group _squid
hosts_file none
refresh_pattern . 0 20% 14400
cache_mem 8 MB
cache_store_log none
hierarchy_stoplist cgi-bin ?
error_directory /usr/local/share/squid/errors/de

Sure about that? 3.1 handles error languages nicely so the _visitors_ can read the message. The above specifies that 100% of your visitors must read German.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localdomain srcdomain domain.de
acl localdst dstdomain .domain.de
acl localhost-dst dst 127.0.0.1/32


'dst' ACL requires DNS lookups. This will be the cause of your problems. You require it to be checked before permitting anyone access.


# user defined ACLs
always_direct deny all
refresh_pattern .domain.de 0 1% 0
refresh_pattern www.domain.de 0 1% 0
cache_peer 10.254.0.17 parent 8888 0 default no-query

always_direct allow localdst

This will never happen. You already specified 'always_direct deny all'.

never_direct allow all


This is redundant with 'always_direct deny all'

# Authentication

# User options

# Append
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
http_access deny Dangerous_ports
http_access deny manager !localhost
acl SSL_ports port 443 563 881
http_access deny CONNECT !SSL_ports

http_access deny localhost-dst

The above test requires DNS lookups.

AND it seems to have no purpose:

always_direct/never_direct settings force all requests to be passed to the parent proxy.

anything resolving to 127.0.0.1 on this host is not necessarily resolving to 127.0.0.1 on any other host (i.e. the parent proxy)

NP: having a DNS server resolve 127.0.0.1 for anything public is very nasty.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
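The audit above is a manual read of the config. The script below, added here as an example and not part of the thread or of Squid itself, does the same read mechanically: it parses a squid.conf (comments and blank lines dropped, as the reply asked for), and flags the three mechanical findings Amos raised: an obsolete directive (cache_access_log), an http_access rule that depends on a DNS-resolving ACL type ('dst') before any request has been allowed, and an always_direct/never_direct rule that can never be reached because an earlier "deny all"/"allow all" already closed the list. The OBSOLETE and DNS_ACL_TYPES tables, the function names and the constructed excerpt of the posted config are this script's own assumptions; the redundancy of never_direct with always_direct is a judgement call and is not checked.

```python
"""Lint a squid.conf for the problems flagged in the audit above.

Added example; not from the original thread and not a Squid feature.
Tables below are hand-maintained assumptions covering only what the
audit mentions.
"""

# Directives Squid no longer accepts, mapped to their replacement
# (assumption: only the one named in the audit).
OBSOLETE = {"cache_access_log": "access_log"}

# ACL types whose evaluation needs a DNS lookup of the request host.
# 'dst' matches on the resolved address, so it cannot be checked without
# resolving the URL's hostname first (assumption: table limited to 'dst').
DNS_ACL_TYPES = {"dst"}

# Constructed excerpt of the squid.conf posted in the thread.
SAMPLE_CONF = """\
# constructed excerpt of the posted squid.conf
http_port 127.0.0.1:8000
cache_access_log /var/squid/logs/access-8000.log
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localdst dstdomain .domain.de
acl localhost-dst dst 127.0.0.1/32
always_direct deny all
cache_peer 10.254.0.17 parent 8888 0 default no-query
always_direct allow localdst
never_direct allow all
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
http_access deny Dangerous_ports
http_access deny manager !localhost
acl SSL_ports port 443 563 881
http_access deny CONNECT !SSL_ports
http_access deny localhost-dst
"""


def parse(text):
    """Return the config as (directive, [args]) pairs, minus blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1:]))
    return rules


def check_obsolete(rules):
    """Directives that the running Squid will reject outright."""
    return [f"{d} is obsolete; use {OBSOLETE[d]}" for d, _ in rules if d in OBSOLETE]


def check_dns_before_first_allow(rules):
    """http_access rules using a DNS-dependent ACL that run before the first
    'http_access allow': every client request pays for the lookup before
    any of it can be permitted."""
    dns_acls = {a[0] for d, a in rules
                if d == "acl" and len(a) > 1 and a[1] in DNS_ACL_TYPES}
    findings = []
    for d, args in rules:
        if d != "http_access" or not args:
            continue
        action, acls = args[0], args[1:]
        if action == "allow":
            break  # rules after the first allow are not checked on every request
        used = [a for a in acls if a.lstrip("!") in dns_acls]
        if used:
            findings.append(f"http_access {action} {' '.join(acls)} needs DNS "
                            f"({', '.join(used)}) before any request is allowed")
    return findings


def check_shadowed(rules, directive):
    """Rules of `directive` placed after a '<deny|allow> all' line of the same
    directive; Squid stops at the first match, so they are never reached.
    ('all' is the built-in src-all ACL in Squid 3.x; a user-defined ACL named
    differently is not recognised by this simplified check.)"""
    findings, closed_by = [], None
    for d, args in rules:
        if d != directive or not args:
            continue
        if closed_by:
            findings.append(f"{d} {' '.join(args)} is unreachable after '{closed_by}'")
        elif len(args) == 2 and args[1] == "all":
            closed_by = f"{d} {' '.join(args)}"
    return findings


def audit(text):
    """All findings for one squid.conf text, in file order per check."""
    rules = parse(text)
    return (check_obsolete(rules)
            + check_dns_before_first_allow(rules)
            + check_shadowed(rules, "always_direct")
            + check_shadowed(rules, "never_direct"))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the excerpt it reports the three findings from the reply (obsolete cache_access_log, the DNS-dependent 'http_access deny localhost-dst', and the unreachable 'always_direct allow localdst'); with those three lines fixed or removed it reports nothing. Squid's own 'squid -k parse' catches the obsolete directive but not the ordering problems, which is why a read of the http_access and always_direct order is still worth doing by hand or with a check like this.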
