Re: squid slows when more user connect to it

On 21.05.2012 15:19, Ali Esf wrote:
> Hello dear Amos,
> According to your reply to my last email I changed the configuration
> of the squid to the following:
> We need authentication only by user name and password over WAN and do not
> need any proxy access from LAN.
> Is it a good configuration?

That is okay. I was just checking you were aware of and wanted it.
The new config you show seems to have dropped that policy and moved to authenticating everyone.

The problem was with the "allow all" at the end of the http_access config. You fixed that now.



>> NOTE: You dropped the CONNECT safety rule.
> What do you mean by this statement?
> Is it possible to explain it?

The default config supplies a line, which you are still missing from your config:

  # Deny CONNECT to other than secure SSL ports
  http_access deny CONNECT !SSL_Ports

What that does is prevent clients pushing anonymous binary tunnels through your Squid to any port they want.

Allowing CONNECT tunnels is a major problem, since it does not have to be done with your clients' knowledge. It is very much the same as configuring your network's border firewall with "Allow all". It can be abused by malware installed on the client machines or even just a malicious JavaScript running in a web advert.


> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
>
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow user_pass_auth
> http_access deny all
>
> access_log none
>
> cache_store_log none
>
> cache_log /dev/null

This is not good. Squid requires a cache_log file for critical error messages.

If you can, run squid as "debug_options ALL,1" and fix the warnings so there are no messages. Warnings at level 1 are problems which affect the client experience in a bad way, but do not cause fatal problems to Squid.

Or set "debug_options ALL,0" to limit Squid to only producing critical errors. The messages appearing at level 0 once Squid is operating are often the only sign you have about why squid is crashing. They *need* to be fixed, ASAP.


Amos
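
An added check for the three problems Amos raises above (the dropped CONNECT rule, an "allow all" at the end of http_access, and cache_log pointed at /dev/null), written as example code that is not from this thread or from the Squid project; the configuration it lints is constructed from the rules quoted above, and the corrected log path is an assumption.

```python
def parse(conf):
    """Return (directive, args) for each non-comment, non-blank line."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            rules.append((parts[0], parts[1:]))
    return rules

def lint(conf):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    rules = parse(conf)
    access = [args for d, args in rules if d == "http_access"]
    # 1. The CONNECT safety rule must exist and sit above any client allow;
    #    'allow manager localhost' is the only allow above it by default.
    connect_at = first_allow_at = None
    for i, args in enumerate(access):
        if connect_at is None and args[:3] == ["deny", "CONNECT", "!SSL_Ports"]:
            connect_at = i
        if first_allow_at is None and args and args[0] == "allow" and "manager" not in args:
            first_allow_at = i
    if connect_at is None:
        findings.append("missing: http_access deny CONNECT !SSL_Ports")
    elif first_allow_at is not None and first_allow_at < connect_at:
        findings.append("CONNECT deny rule is below an allow rule, so it never applies to those clients")
    # 2. A trailing 'allow all' lets every unauthenticated client through.
    if access and access[-1] == ["allow", "all"]:
        findings.append("last http_access rule is 'allow all'")
    # 3. cache_log must be a real file or critical errors are lost.
    if any(d == "cache_log" and args[:1] == ["/dev/null"] for d, args in rules):
        findings.append("cache_log is /dev/null; critical errors are discarded")
    return findings

# Constructed sample: the poster's rules as quoted above (CONNECT rule
# dropped, cache_log to /dev/null) and a corrected variant of the same;
# the log path in the corrected variant is an assumed location.
POSTED_CONF = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow user_pass_auth
http_access deny all
cache_log /dev/null
"""
FIXED_CONF = POSTED_CONF.replace(
    "deny !Safe_ports\n", "deny !Safe_ports\nhttp_access deny CONNECT !SSL_Ports\n"
).replace("cache_log /dev/null", "cache_log /var/log/squid/cache.log")
```

Running lint(POSTED_CONF) reports the missing CONNECT rule and the /dev/null cache_log; lint(FIXED_CONF) returns an empty list.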
