On Mon, Jan 11, 2010 at 6:50 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> Dave T wrote:
>>
>> Thank you. Comments inline.
>>
>> On Sun, Jan 10, 2010 at 5:49 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> Dave T wrote:
>>>>
>>>> I just set up squid for the first time. It is on a Ubuntu box hosted
>>>> on Linode.com. I have zero experience with proxy servers. I used this
>>>> guide:
>>>> http://news.softpedia.com/news/Seting-Up-a-HTTP-Proxy-Server-with-Authentication-and-Filtering-52467.shtml
>>>
>>> Eeek! That tutorial is advising people to create open proxies for global public access (allow all).
>>
>> I think that is just for initial testing. The tutorial actually
>> changes that in the second step.
>>
>>>
>>>> (I also looked at a few other guides such as this one:
>>>> http://ubuntuforums.org/showthread.php?t=320733. However, I wanted the
>>>> most barebones config to start with and the link I used was the
>>>> simplest I found.)
>>>
>>> The simplest and safest documentation is in:
>>> /usr/share/doc/squid-common/QUICKSTART
>>> or
>>> /usr/share/doc/squid3-common/QUICKSTART
>>>
>>> ... which outlines the minimal config changes to go from a clean install of your particular version to a working proxy.
>>
>> Thanks. Amazing that I looked everywhere else but on my local HDD. :)
>>>
>>>> So now that I have it set up, I'm testing it with FoxyProxy. It is not
>>>> working well. Many web pages do not load completely. Some load very
>>>> slowly. A few load fast (but even then, some images are often
>>>> missing). Many times I have to try an address several times before a
>>>> page will even start to load.
>>>>
>>>> I am using iptables. When I turn the firewall off, I have slightly
>>>> fewer problems, but nothing significantly changes. I don't want to
>>>> leave the firewall off, so I took a few ideas from here:
>>>> http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
>>>> But the changes I put in actually made the performance a little worse
>>>> than before. And like I said, even with the firewall off, the problems
>>>> I described remain.
>>>>
>>>> What should I look at next to begin to understand my problem? Thanks.
>>>
>>> Coming here was a good start.
>>>
>>> We are going to need to know the version of Squid you are using, there are a dozen or more available on Ubuntu.
>>>
>> I assume this will give more than enough info:
>>
>> $ dpkg -s squid
>
> <snip>
>>
>> Version: 2.6.18-1ubuntu3
>
> <snip>
>>
>> Linux Linode01 2.6.18.8-linode19 #1 SMP Mon Aug 17 22:19:18 UTC 2009
>> i686 GNU/Linux
>>
>
> Excellent.
>
> A little old, there are some recent config alterations we recommend. I'm adding the ones 2.6 can use inline with your config below.
>
>>
>>> Also, we are going to have to see what squid.conf you have ended up working with. Minus the documentation comments and empty lines please.
>>
>> Here is what I am using for TESTING only. I was getting TCP_DENIED/407
>> errors in the log, so I made an attempt to test it with no auth
>> required at all. (Not sure if I achieved that with this config or not,
>> but the problems didn't go away.)
>>
>> acl all src 0.0.0.0/0.0.0.0
>
> acl all src all
>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>
> acl localhost src 127.0.0.1
>
>> acl to_localhost dst 127.0.0.0/8
>
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>
> NP: For non-testing use you will need to re-add the Safe_ports and SSL_ports security controls here.
> They are the safety nets that prevent people, particularly infected clients, from opening tunnels via the proxy and sending spam or worse.
>
>> http_access allow all
>
> replace the above http_access line with:
>
> # alter to match your LAN range(s) currently allowed to use the proxy.
> acl localnet src 192.168.0.0/16
> http_access allow localnet
> http_access deny all
>
>> icp_access allow all
>
> NP: you probably want icp_access to be limited to local LAN same as http_access is above.
>

Thanks for the detailed feedback. I am about half way through reading it and I'm not sure if your suggestions will apply because my Squid proxy server is not on my LAN. It is hosted at Linode.com. I will be accessing it from an Android phone. I do not know what IP address the phone may have and I suspect it will be a NAT-style address (not a publicly addressable IP). Shall I follow the rest of your instructions, just leaving out the part about LAN addresses, or does this create larger issues?
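
The http_access points raised in the quoted reply, as an added example that is not part of the original thread: a small audit that walks a squid.conf in rule order and reports an allow rule that matches every client, or a first allow that is not preceded by the Safe_ports and SSL_ports deny rules. The function name `audit_http_access`, both sample configs and the port values in the second one are constructed for illustration.

```python
# Source values that match every client; the thread's "all" ACL uses the third.
ANY_SRC = {"all", "0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}
# Deny rules built on the Safe_ports and SSL_ports ACLs, keyed by their ACL list.
GUARDS = {("!Safe_ports",): "Safe_ports", ("CONNECT", "!SSL_ports"): "SSL_ports"}

def audit_http_access(conf_text):
    """Return findings for http_access rules that leave the proxy open."""
    acls, rules, findings = {}, [], []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], set(parts[3:])))
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], tuple(parts[2:])))
    def matches_anyone(name):
        # Assumption: an ACL named "all" matches everything even if undeclared.
        return name == "all" or any(
            kind == "src" and values & ANY_SRC for kind, values in acls.get(name, []))
    denied, guards_checked = set(), False
    for action, names in rules:  # evaluated top-down, first matching rule wins
        if action == "deny":
            denied.add(names)
        elif action == "allow" and not guards_checked:
            guards_checked = True
            for guard, label in GUARDS.items():
                if guard not in denied:
                    findings.append(f"no {label} deny rule before the first allow")
        if all(matches_anyone(n) for n in names):
            if action == "allow":
                findings.append(f"open proxy: http_access allow {' '.join(names)}")
            break  # rules after a match-everyone rule are never reached
    return findings

# Constructed sample: the relevant lines of the test config quoted in the thread.
TEST_CONF = """acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
http_access allow all
"""
# Constructed sample: the reply's corrections applied; port lists are assumed values.
FIXED_CONF = """acl all src all
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""
```

Calling `audit_http_access(TEST_CONF)` returns three findings, and `audit_http_access(FIXED_CONF)` returns an empty list.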