On 30/05/12 01:30, Amos Jeffries wrote:
> On 30.05.2012 09:23, Linos wrote:
>> On 29/05/12 19:32, Eliezer Croitoru wrote:
>>> On 29/05/2012 17:23, Linos wrote:
>>>> On 29/05/12 15:43, Eliezer Croitoru wrote:
>>>>> well i have tried compiling squid 3.2.0.17 and it was built fine.
>>>>>
>>>>> i wrote a basic way to compile squid on ubuntu 10.04 and 12.04 with all the
>>>>> dev dependencies required to compile it at:
>>>>>
>>>>> http://ubuntuforums.org/showpost.php?p=11958889&postcount=2
>>>>>
>>>>> Eliezer
>>>>>
>>>>
>>>> I am using squid-3.2.0.17-20120527-r11561 (the last daily build) right now, it
>>>> compiles cleanly but have any bugs (well it is a beta version so it isn't
>>>> unexpected), i have reported one at
>>>> http://bugs.squid-cache.org/show_bug.cgi?id=3556
>>>>
>>>> So i can't compile stable versions and beta versions have bugs, given this is a
>>>> production machine i don't have still a working solution.
>>>>
>>>> Regards,
>>>> Miguel Angel.
>>> as i wrote.. i have compiled the stable versions without any problem.
>>> can you share your squid.conf?
>>>
>>> Eliezer
>>>
>>
>> you wrote that you compiled 3.2.0.17, like you can see here
>> http://www.squid-cache.org/Versions/ 3.2.0.17 it's a beta version,
>> like i wrote
>> i have compiled this too and found any bugs in it.
>
> What do you mean by "found any bugs"? I assumed it was a typo of "many bugs"
> earlier, but you have been using it consistently across multiple emails.

Sorry, i was trying to mean "some bugs", bad usage of "any" here :(

>
>>
>> I am not sure what it is the value of squid.conf in a compilation problem but
>> anyway these are the uncommented lines:
>>
>
>
> Small audit check, not related to your current problems ...
>
>
>> external_acl_type request_body children-max=20 %{Content-Length} /etc/squid3/request_body_max_size.sh
>> acl request_max_aulas external request_body 104857
>> acl srv_aulas src 192.168.2.200/32
>> acl oficinas src 192.168.0.0/24
>> acl aulas1 src 192.168.2.0/24
>> acl aulas2 src 192.168.3.0/24
>> acl wifi_alumnos src 192.168.4.71-192.168.4.254/32
>> acl wifi_profesores src 192.168.4.1-192.168.4.70/32
>> acl hostsprohibidos src "/etc/squid3/hostsprohibidos"
>> acl urlaprobadas url_regex -i "/etc/squid3/urlaprobadas"
>> acl urlprohibidasaulas url_regex -i "/etc/squid3/urlprohibidasaulas"
>> acl urlprohibidasoficinas url_regex -i "/etc/squid3/urlprohibidasoficinas"
>> acl extensionesprohibidas url_regex -i "/etc/squid3/extensionesprohibidas"
>> acl whitenet src "/etc/squid3/whitehosts"
>> acl maniana time SMTWHFA 06:00-16:00
>> acl tarde time SMTWHFA 16:00-23:59 00:00-06:00
>> acl extensionestarde url_regex -i "/etc/squid3/extensionestarde"
>> acl msnmsg url_regex ^http://gateway\.messenger\.hotmail\.com/gateway/gateway\.dll
>> acl msnmsg url_regex ^http://64\.4\.[^/]*/gateway/gateway\.dll
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access deny aulas1 request_max_aulas
>> http_access deny aulas2 request_max_aulas
>
>
> NOTE: CONNECT requests should never have a specific content-length size. They
> are tested by the http_access ACLs prior to ssl-bump unwrapping them.
> Look carefully at what your request_max_aulas helper does when it receives "-" or no
> content-length. If it rejects a CONNECT it will be blocking ssl-bump from
> operating on that tunnel request.

I am checking for "-" in the helper so this should be not a problem.

>> http_access allow whitenet
>> http_access allow all urlaprobadas
>> http_access allow oficinas !urlprohibidasoficinas
>> http_access allow wifi_alumnos !urlprohibidasoficinas
>> http_access allow wifi_profesores !urlprohibidasoficinas
>> http_access allow aulas1 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
>> http_access allow aulas2 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
>> http_access allow aulas1 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
>> http_access allow aulas2 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
>> http_access deny all
>
>
> hint 1) aulas1 and aulas2 are identical type of ACL, and are always listed in
> identical pairs of http_access or delay_access lines.
> You can improve the proxy service time by merging both IP ranges into one ACL
> name and dropping all the duplicated ACL testing.
>
> hint 2) "!msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas"
> are also the same type and only used together.
> You can merge all of them into one ACL same as above.
> HOWEVER, they are url_regex, which is one of the slowest ACL types. You should
> consider splitting the file entries out into a dstdomain or other faster ACL
> types where possible.

Thanks! i will try to merge all of them :), about the dstdomain and faster acl
types, many of the lines of this file are real regex but i started adding real
domains that could be in a dstdomain acl, i will split them. The performance of
the proxy it is not a problem right now because this machine it's too powerful
for the number of users but anyway a waste of resources should be avoided.

>> http_port 3128 transparent
>
> "intercept".
>
>> http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
>> always_direct allow all
>> ssl_bump allow all
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 16MB
>> sslcrtd_children 16
>> memory_replacement_policy heap LFUDA
>> cache_replacement_policy heap LFUDA
>> cache_dir aufs /var/spool/squid3 15000 16 256
>> maximum_object_size 40960 KB
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> refresh_pattern . 0 20% 4320
>> store_avg_object_size 50 KB
>> delay_pools 2
>> delay_class 1 2 # pool 1 is a class 2 pool
>> delay_class 2 2 # pool 2 is a class 2 pool
>> delay_access 1 allow oficinas
>> delay_access 1 allow wifi_profesores
>> delay_access 1 deny all
>> delay_access 2 allow wifi_alumnos
>> delay_access 2 allow aulas1
>> delay_access 2 allow aulas2
>> delay_access 2 deny all
>> delay_parameters 1 2500000/3125000 1024000/1296000
>> delay_parameters 2 2500000/3125000 512000/600000
>> delay_initial_bucket_level 90
>> dns_nameservers 80.58.61.250 8.8.8.8
>>
>>
>> Regards,
>> Miguel Angel.
>
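
Added example, not part of the original message and not Linos's actual script: a sketch of how an external ACL helper such as `request_body_max_size.sh` can handle the `-` or missing Content-Length case Amos raises, so that CONNECT requests are not denied before ssl-bump sees them. It assumes Squid sends one `<Content-Length> <limit>` line per lookup with no helper concurrency; the function names `check_body_size` and `serve` are hypothetical.

```shell
#!/bin/sh
# Added example, not the script from the thread: a sketch of an external ACL
# helper for "acl request_max_aulas external request_body 104857".
# Assumed input (no helper concurrency): one line per lookup,
#   "<Content-Length value or -> <limit in bytes>"
# Reply: OK  = ACL matches, so "http_access deny aulas1 request_max_aulas" fires
#        ERR = no match, the request continues down the http_access list

check_body_size() {
    length=$1
    limit=$2
    case "$limit" in
        ''|*[!0-9]*) echo ERR; return 0 ;;   # unusable limit: never match
    esac
    case "$length" in
        ''|-) echo ERR; return 0 ;;          # CONNECT, GET, ...: no body declared
        *[!0-9]*) echo OK; return 0 ;;       # malformed header: treated as oversize (a choice)
    esac
    # Strip leading zeros so the digit count below is meaningful.
    length=${length#"${length%%[!0]*}"}
    : "${length:=0}"
    # More than 18 digits would overflow shell arithmetic; it is oversize anyway.
    if [ "${#length}" -gt 18 ]; then echo OK; return 0; fi
    if [ "$length" -gt "$limit" ]; then echo OK; else echo ERR; fi
}

serve() {
    # Squid keeps the helper running and writes one request per line.
    while read -r length limit rest; do
        check_body_size "$length" "$limit"
    done
}

# Start the loop only when installed under the name used in squid.conf.
case "${0##*/}" in
    request_body_max_size.sh) serve ;;
esac
```

Feeding `serve` the lines `- 104857` and `200000 104857` by hand shows the two outcomes that matter here: the CONNECT-style lookup passes (`ERR`) and the oversized upload matches the deny rule (`OK`).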