On Mon, 5 Dec 2011 14:18:51 +0000, J. Webster wrote:
> I have squid 3.1.4 but using this conf, the rate limiting to 1Mbps
> does not seem to work.

Please consider an upgrade to 3.1.18. There are a lot of important bugs
resolved since 3.1.4.

> What can I change in the conf / delay parameters?

The default in delay pools is not to limit. You must have an explicit
"delay_access allow" line defining what gets collected into each pool.

ie:
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 125000/125000

Add:
  delay_access 1 allow all

> auth_param basic realm Myname proxy server
> auth_param basic credentialsttl 2 hours
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> authenticate_cache_garbage_interval 1 hour
> authenticate_ip_ttl 2 hours
> acl all src 0.0.0.0/0.0.0.0

Erase the "acl all" line in squid-3. It is defined by default to a
different value. This will silence several warnings.

<snip>
> http_access deny manager
> http_access allow ncsa_users

So all logged in users have unlimited access?

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny maxuser

These deny rules are placed below the allow rule letting ALL logged in
users through.

This means that for all machines on the Internet which can supply one
of your users' insecure plain-text logins:
 * the safe_ports rule preventing viral and P2P abuse relaying through
   Squid has no effect.
 * the CONNECT rule preventing blind binary tunneling of data to any
   protocol port through Squid has no effect.
 * your maxuser policy has no effect.

> http_access allow localhost
> http_access deny all
> icp_access allow all
> http_port 8080
> http_port xx.xx.xx.xx:80

And what are you expecting to arrive over port 80?
That port is reserved for reverse-proxy and origin server traffic.
It seems like you intended reverse-proxy or interception but have a
wrong config for it.

<snip>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

Drop this QUERY stuff.

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add:
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320

<snip>
> visible_hostname MyNameProxyServer

Funny domain name. I hope that is obfuscated for the post not in the
config.
This is the domain name used in URLs your clients get told to use for
Squid error and FTP page icons. If it does not resolve back to this or
another Squid your clients will be facing page load problems on those
generated responses.
HTH
Amos
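
Added example (not part of the original message, and not Squid code): a small Python model of first-match http_access evaluation, showing why the deny rules below "http_access allow ncsa_users" never apply to logged-in users. The REORDERED rule set and the hand-supplied ACL truth values are assumptions made for illustration; the model ignores how Squid actually evaluates each ACL type.

```python
# Model: rules are checked top to bottom; a rule matches when every ACL on it
# matches (a leading "!" negates); the first matching rule decides.
ORIGINAL = """
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
"""

# Assumed reordering (constructed): same lines, authenticated allow moved
# below the deny rules so they are evaluated first.
REORDERED = """
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow ncsa_users
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Extract (action, [acl, ...]) for each http_access line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def decide(conf, true_acls):
    """Return (action, rule_text) for a request on which `true_acls` match."""
    facts = set(true_acls) | {"all"}          # "all" matches every request
    rules = parse(conf)
    for action, acls in rules:
        if all((a[1:] not in facts) if a.startswith("!") else (a in facts) for a in acls):
            return action, " ".join(["http_access", action] + acls)
    if not rules:
        return "deny", "(no http_access rules)"
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(inverse of last rule)"
```

Calling decide(ORIGINAL, {"ncsa_users", "CONNECT", "Safe_ports"}) models a logged-in user sending CONNECT to a port outside SSL_ports; running the same request against REORDERED shows which rule now stops it.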