Re: problem with java aplets squid stable 2.6

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Hubert Choma wrote:
> Hello
>
> I have squid 2.6 stable on Centos 5.3 from rpm.
>
> I have installed the apache server and proxy on one machine. I have a
> problem with java applets which are opened via a proxy very very
> slow.Without a proxy clients are connecting to this site very fast.

Many versions of Java have issues connecting through proxies. You need 
to be using the latest cutting edge java version on every client to have 
any confidence that it _might_ use the proxy correctly.


> Apache serves http://geodezja.wolomin.pl site and problem occurs with 
> caching
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/Wolomin.php.
>
> I see the java logo and a few minutes, and nothing happens...:(
>
> Please try to cache
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/Wolomin.php aplets
> to run fast on yours squd. It is possible?

Enter one of the URLs at http://www.redbot.org and find out.

> Please Check my squid.conf is error-free ?
> Another question is : how to configure Windows Update to pass through 
> the cache ?

http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

> Please Help!!!
>
> My
>
> squid.conf
>
> http_port 192.168.0.12:8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

Above two lines prevent dynamic pages (URL containing a ?) from being 
stored and sped up by the proxy.


> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_mem 650 MB
> maximum_object_size 4194240 KB

 maximum_object_size 4 MB

> cache_dir ufs /var/spool/squid 6500 16 256

cache_dir aufs /var/spool/squid 6500 16 256

> #logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A &mt
> access_log /var/log/squid/access.log squid
> mime_table /etc/squid/mime.conf
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern . 0 20% 4320

Above refresh_pattern matches every URL in existence.

NP: The default patterns provided with Squid are designed to be last and 
catch-all for websites with missing cache-control settings.

None of the refresh_patterns below will ever be used...

> refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200
> reload-into-ims

The regex pattern above collapses to pattern:  \.
which matches every URL with a dot in it.

> refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll)
> 43200 100% 43200 reload-into-ims
> refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200
> reload-into-ims
> refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> 43200 reload-into-ims
> refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> 43200 reload-into-ims
> refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200
> 100% 43200 reload-into-ims
> refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200
> reload-into-ims
> refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200
> reload-into-ims
> refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200
> reload-into-ims

Slightly better if you must use these:

  refresh_pattern 
((au\.download\.)?windowsupdate\.com|(download|update).microsoft.com)/.*\.(cab|exe|dll) 
43200 100% 43200 reload-into-ims

  refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200 
reload-into-ims

> refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> refresh_pattern . 0 20% 4320
> range_offset_limit -0 KB

range_offset_limit -1

> ## MOJE ACL #####
> acl mojasiec src 192.168.0.0/255.255.255.0

acl mojasiec src 192.168.0.0/24

> acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"

"-i" is not a valid domain name.

> acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17
> 192.168.0.12 192.168.0.15 192.168.0.16
> acl poczta dstdom_regex .*poczta.* .*mail.*

Using .* to start or stop a regex pattern is a huge waste of CPU time.

> #acl sm9 src 192.168.0.3
> #http_access allow sm9
> acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"

"-i" is not a valid domain name.


> acl CONNECT method CONNECT
> http_access allow dozwolone ograniczone_komputery !poczta

dozwolone is a specific set of master sites.
Best to make poczta another set of explicit sub-sites within that set 
which are omitted from the allow permission.

For example:
  acl poczta dstdomain mail.sun.com

> http_access allow CONNECT WindowsUpdate mojasiec
> http_access allow WindowsUpdate mojasiec
> acl javascript rep_mime_type -i ^application/x-javascript$

With HTTP/1.1 servers are starting to add strings ";q=N" as part of the 
mime types. Removing the $ from that pattern will catch them as well.

NP: the q-bits don't get logged since they are HTTP protocol syntax not 
mime type.

> http_access allow javascript

  rep_mime_type ACL can only have meaning on a http_reply_access line. 
This will never match.

> acl all src 0.0.0.0/0.0.0.0

acl all src all

> acl hubert proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255

 acl localhost src 127.0.0.1

> acl to_localhost dst 127.0.0.0/8

acl src to)localhost 127.0.0.0/8 0.0.0.0/8

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080
> acl CONNECT method CONNECT
> http_access allow hubert localhost
> http_access deny hubert
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> cache_mgr
> visible_hostname proliant
> log_icp_queries off
> cachemgr_passwd mojehasĹ&#65533;o all

You urgently need to change that password now...

> error_directory /usr/share/squid/errors/Polish
> coredump_dir /var/spool/squid
> #negative_ttl 1
>
>
> dozwolone.txt (allowed sites)
>
> .powiat-wolominski.pl
> .geodezja.wolomin.pl
> .epodgik.pl
> .igeomap.pl
> .geo-system.com.pl
> .gugik.gov.pl
> .geoportal.gov.pl
> .stat.4u.pl
> .adstat.4u.pl
> .home.pl
> .google-analytics.com
> .maps.google.pl
> maps.gstatic.com
> mt0.google.com
> mt1.google.com
> mt2.google.com
> mt3.google.com
>
> .java.com
> .macromedia.com
> .adobe.com
> .tvn24.pl
> .onetwl.pl
> .allegro.pl
> .allegroimg.pl
> .allegrostatic.pl
> .otomoto.pl
> .nasza-klasa.pl
> .update.microsoft.com/microsoftupdate/v6/

 " /microsoftupdate/v6/ " is not a domain name.


> .butikstyle.pl
> .butik.net.pl
> .onet.pl
> .wp.pl
> .zumi.pl
> .rosanegra.pl
> .rosanegra.iai-shop.com.
> .bonprix.pl
> .neckermann.com.pl
>
>
>
> windowsupdate.txt
>
> .go.microsoft.com
> .windowsupdate.microsoft.com
> .update.microsoft.com
> .update.microsoft.com/windowsupdate/v7/default.aspx

" /windowsupdate/v7/default.aspx " is not a domain name.

> download.windowsupdate.com
> .download.microsoft.com
> ntservicepack.microsoft.com
> activex.microsoft.com
> redir.metaservices.microsoft.com
> images.metaservices.microsoft.com
> c.microsoft.com
> crl.microsoft.com
> codecs.microsoft.com
> urs.microsoft.com
>
>
>
> access.log
>
> 14 192.168.0.3 TCP_MISS/200 2757 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/Zielonka.php - 
> DIRECT/83.18.17.30 text/html
> 1256109528.609     10 192.168.0.3 TCP_IMS_HIT/304 341 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/resize.js - NONE/- 
> application/x-javascript
> 1256109528.797    133 192.168.0.3 TCP_MISS/200 494 GET 
> http://www.google-analytics.com/__utm.gif? - DIRECT/74.125.43.100 
> image/gif
> 1256109529.075     10 192.168.0.3 TCP_CLIENT_REFRESH_MISS/304 262 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/webmap.jar - 
> DIRECT/83.18.17.30 -
> 1256109529.506     87 192.168.0.3 TCP_CLIENT_REFRESH_MISS/304 262 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/pg74.215.jdbc3.jar - 
> DIRECT/83.18.17.30 -
> 1256109529.514      8 192.168.0.3 TCP_CLIENT_REFRESH_MISS/304 261 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/postgis.jar - 
> DIRECT/83.18.17.30 -
> 1256109529.522      6 192.168.0.3 TCP_CLIENT_REFRESH_MISS/304 262 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/JimiProClassesS.jar - 
> DIRECT/83.18.17.30 -
> 1256109529.531      9 192.168.0.3 TCP_CLIENT_REFRESH_MISS/304 262 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/firebirdsql-full.jar - 
> DIRECT/83.18.17.30 -
> 1256109529.540      8 192.168.0.3 TCP_NEGATIVE_HIT/404 527 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/MessagesBundle.class - 
> NONE/- text/html
> 1256109529.545      0 192.168.0.3 TCP_NEGATIVE_HIT/404 532 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/MessagesBundle.properties 
> - NONE/- text/html
> 1256109529.549      1 192.168.0.3 TCP_NEGATIVE_HIT/404 530 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/MessagesBundle_pl.class - 
> NONE/- text/html
> 1256109529.553      1 192.168.0.3 TCP_NEGATIVE_HIT/404 535 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/MessagesBundle_pl.properties 
> - NONE/- text/html
> 1256109529.558      0 192.168.0.3 TCP_NEGATIVE_HIT/404 533 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/MessagesBundle_pl_PL.class 
> - NONE/- text/html
> 1256109529.605     32 192.168.0.3 TCP_CLIENT_REFRESH_MISS/200 901 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/Zielonka.cfg - 
> DIRECT/83.18.17.30 text/plain
> 1256109529.614      8 192.168.0.3 TCP_CLIENT_REFRESH_MISS/200 8238 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/iGeoMap.cfg - 
> DIRECT/83.18.17.30 text/plain
> 1256109529.627     12 192.168.0.3 TCP_MISS/404 509 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/iGeoMap.cfg - 
> DIRECT/83.18.17.30 text/html
> 1256109529.633      1 192.168.0.3 TCP_MISS/404 517 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/iGeoMap.cfg.gz - 
> DIRECT/83.18.17.30 text/html
> 1256109529.638      1 192.168.0.3 TCP_MISS/404 509 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/iGeoMap.cfg - 
> DIRECT/83.18.17.30 text/html
> 1256109531.142   1319 192.168.0.3 TCP_MISS/200 275 POST 
> http://www.igeomap.pl/stat.php - DIRECT/62.129.234.189 text/html
> 1256109531.311      4 192.168.0.3 TCP_CLIENT_REFRESH_MISS/304 260 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/Pictures/Markery/celownik0.gif 
> - DIRECT/83.18.17.30 -
> 1256109532.795   1473 192.168.0.3 TCP_CLIENT_REFRESH_MISS/304 329 GET 
> http://igeomap.home.pl/users/images/wolomin_mini.png - 
> DIRECT/62.129.234.189 text/html
> 1256109532.828     33 192.168.0.3 TCP_CLIENT_REFRESH_MISS/200 639 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/iGeoMap.adr - 
> DIRECT/83.18.17.30 text/plain
> 1256109532.835      3 192.168.0.3 TCP_CLIENT_REFRESH_MISS/200 639 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/iGeoMap.adr2 - 
> DIRECT/83.18.17.30 text/plain
> 1256109532.839      4 192.168.0.3 TCP_CLIENT_REFRESH_MISS/200 639 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/iGeoMap.usr - 
> DIRECT/83.18.17.30 text/plain
> 1256109532.862     22 192.168.0.3 TCP_MISS/404 521 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/asortyment.php.gz - 
> DIRECT/83.18.17.30 text/html
> 1256109532.873   3641 192.168.0.3 TCP_MISS/200 6764 CONNECT 
> urs.microsoft.com:443 - DIRECT/213.199.167.252 -
> 1256109532.885   3653 192.168.0.3 TCP_MISS/200 6763 CONNECT 
> urs.microsoft.com:443 - DIRECT/213.199.167.252 -
> 1256109532.979    113 192.168.0.3 TCP_MISS/200 920 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/asortyment.php - 
> DIRECT/83.18.17.30 text/html
> 1256109533.173      2 192.168.0.3 TCP_MISS/200 1113 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5921.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.178      4 192.168.0.3 TCP_MISS/200 841 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5171.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.182      4 192.168.0.3 TCP_MISS/200 841 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5172.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.186      4 192.168.0.3 TCP_MISS/200 908 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5216.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.192      2 192.168.0.3 TCP_MISS/200 728 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5151.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.197      4 192.168.0.3 TCP_MISS/200 694 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5152.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.201      4 192.168.0.3 TCP_MISS/200 694 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5153.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.205      3 192.168.0.3 TCP_MISS/200 962 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Data/Wolomin/InfoDef/5219.html - 
> DIRECT/83.18.17.30 text/html
> 1256109533.507    273 192.168.0.3 TCP_MISS/200 5114 POST 
> http://www.epodgik.pl/odgik/sprawdz.php - DIRECT/62.129.234.189 text/html
> 1256109533.601     85 192.168.0.3 TCP_MISS/200 460 POST 
> http://www.epodgik.pl/odgik/dostep.php - DIRECT/62.129.234.189 text/html
> 1256109533.679      9 192.168.0.3 TCP_MISS/200 3524 GET 
> http://www.geodezja.wolomin.pl/iGeoMap/Program/standard.fon.gz - 
> DIRECT/83.18.17.30 application/x-gzi
>
> ----------------------------------------------------
> Od dzisiaj kupujemy ZA TANIEJ na tanio.pl!
> http://klik.wp.pl/?adr=http%3A%2F%2Ftanio.pl%2F%3Fsrc01%3Dc6ac3&sid=888

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14