Hello Amos, I changed my squid.conf according to your recommendations. I'm facing a problem: all IPs in the unlimited_bandwidth file bypass authentication.

If I remove my IP from the unlimited_bandwidth file and check the access.log, it works well:

[04/Oct/2012:08:20:25 -0300] leonardo.abrantes xxx.xxx.xxx.xxx CONNECT TCP_MISS 200 www.google.com:443

(It's what I need.) However, if I put my IP in that file, the authentication is ignored:

[04/Oct/2012:08:22:39 -0300] - xxx.xxx.xxx.xxx CONNECT TCP_MISS 200 www.google.com:443

####
http_port 3128
append_domain .contoso.local
cache_effective_user squid
cache_mem 2 GB
cache_effective_group squid
forwarded_for off
httpd_suppress_version_string on
visible_hostname proxy.contoso.local
retry_on_error on
pipeline_prefetch on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=contoso
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=contoso
auth_param basic children 20
auth_param basic realm Para prosseguir e necessario digitar seu login de rede.
auth_param basic credentialsttl 1 hours

acl localnetwork src 192.168.10.0/25
acl AuthorizedUsers proxy_auth -i "/etc/squid/default_access.acl"
acl unlimitedBandwidth src "/etc/squid/unlimited_bandwidth"
acl localhost src 127.0.0.1
acl java browser Java/1.4 Java/1.5 Java/1.6

cache_dir ufs /var/spool/squid 6144 16 256
coredump_dir /var/spool/squid
maximum_object_size_in_memory 1 MB
maximum_object_size 64 MB
minimum_object_size 0 KB

acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT

delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 65536/65536
delay_access 1 deny unlimitedBandwidth localhost
delay_access 1 allow localnetwork
delay_access 1 deny all

logformat combined [%tl] %un %>a %rm %Ss %Hs %ru
access_log /var/log/squid/access.log squid
access_log /var/log/squid/gerencia.log combined
cache_store_log /var/log/squid/store.log

redirect_program /etc/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 30

http_access deny CONNECT !SSL_ports
http_access allow unlimitedBandwidth
http_access allow java
http_access allow AuthorizedUsers
http_access deny all

cache_swap_low 90
cache_swap_high 95

dns_nameservers 192.168.10.2 192.168.10.3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (zip|rar|tar\.gz|exe)$ 0 50% 259200
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_header_access All allow all
####

Can you help me, please? Many thanks!!
On Wed, Oct 3, 2012 at 10:35 AM, Leonardo Bacha Abrantes <leonardo@xxxxxxxxxxxxxxxx> wrote:
> Hey Amos!!
>
> Thank you so much for your explanation my friend!!!!!!!
>
> Do you have a guide to recommend about increasing squid's performance?
>
>
> On Tue, Oct 2, 2012 at 7:17 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 03.10.2012 01:42, Leonardo Bacha Abrantes wrote:
>>>
>>> Hi Guys,
>>>
>>> I'm facing problems with one specific site which runs Java. The site continuously opens a Java window asking to enter the proxy credentials.
>>> How can I ignore the authentication for a specific site?
>>>
>>
>> Like Kinkie already said, you will find an example in the wiki.
>>
>> There are a few strange things in your config which need fixing. Comments inline below...
>>
>>
>>> Squid Cache: Version 3.1.10
>>>
>>>
>>> my squid.conf:
>>>
>>> http_port xxx.xxx.xxx.xxx:3128
>>> append_domain .contoso.local
>>> cache_effective_user squid
>>> cache_mem 4 GB
>>> cache_effective_group squid
>>> forwarded_for off
>>> httpd_suppress_version_string on
>>> visible_hostname myserver.contoso.local
>>> hierarchy_stoplist cgi-bin ?
>>
>>
>> You can remove hierarchy_stoplist from squid-3.1+. It has no purpose without cache_peer entries and in those cases the default regex patterns are not useful nowadays anyway.
>>
>>
>>> retry_on_error on
>>> pipeline_prefetch on
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=contoso
>>> auth_param ntlm children 25
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=contoso
>>> auth_param basic children 15
>>> auth_param basic realm Para prosseguir e necessario digitar seu login de rede.
>>> auth_param basic credentialsttl 1 hours
>>>
>>> acl localnetwork src 192.168.10.0/25
>>> acl AuthorizedUsers proxy_auth -i "/etc/squid/default_access.acl"
>>> acl unlimitedBandwidth src "/etc/squid/unlimited_bandwidth"
>>> acl localhost src 127.0.0.1
>>>
>>> acl java browser Java/1.4 Java/1.5 Java/1.6
>>> http_access allow java
>>>
>>> cache_dir ufs /var/spool/squid 6144 16 256
>>> coredump_dir /var/spool/squid
>>> maximum_object_size_in_memory 1 MB
>>> maximum_object_size 64 MB
>>> minimum_object_size 0 KB
>>>
>>> acl manager proto cache_object
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 8080 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl purge method PURGE
>>> acl CONNECT method CONNECT
>>>
>>>
>>> delay_pools 2
>>>
>>> delay_class 1 2
>>> delay_parameters 1 -1/-1 -1/-1
>>> delay_access 1 allow unlimitedBandwidth localhost
>>> delay_access 1 deny all
>>
>>
>> You can remove this pool entirely. It does nothing but waste CPU calculating bandwidth usage by the matched transactions.
>>
>>
>>>
>>> delay_class 2 2
>>> delay_parameters 2 -1/-1 65536/65536
>>> delay_access 2 allow localnetwork !unlimitedBandwidth !localhost
>>> delay_access 2 deny all
>>
>>
>> Um, so limit people from the localnetwork who are not in unlimitedBandwidth AND not going to localhost?
>> Meaning anyone outside the unlimitedBandwidth contacting the localhost has unlimited speed.
>>
>>
>> The earlier pool seems to be acting as a complicated replacement for "delay_access 2 deny unlimitedBandwidth localhost". So, I suspect you actually want:
>>
>>
>> delay_pools 1
>> delay_class 1 2
>> delay_parameters 1 -1/-1 65536/65536
>>
>> delay_access 1 deny unlimitedBandwidth localhost
>> delay_access 1 allow localnetwork
>>
>> delay_access 1 deny all
>>
>>
>>>
>>> http_reply_access allow AuthorizedUsers
>>
>>
>> Remove the above http_reply_access line.
>>
>> It is FAR too late to bother with starting authentication. The remote server has already been passed the request and is sending or has sent the reply back before the http_reply_access ever gets checked.
>>
>> You also have "http_access allow java" above, and several lines below which bypass authentication on requests. Doing auth on reply for those requests will cause the client requests to happen, then present an auth page as the response instead of whatever the server actually produced.
>>
>>
>>
>>> logformat combined [%tl] %un %>a %rm %Ss %Hs %ru
>>> access_log /var/log/squid/access.log squid
>>> access_log /var/log/squid/gerencia.log combined
>>> cache_store_log /var/log/squid/store.log
>>>
>>> redirect_program /etc/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
>>> redirect_children 30
>>>
>>> http_access allow localhost unlimitedBandwidth SSL_ports
>>> http_access allow unlimitedBandwidth
>>
>>
>> NP: unlimitedBandwidth also has the sub-meaning of "unlimited access permissions". So allowing them access to localhost SSL ports especially as well as "anywhere" is not useful and wastes CPU.
>>
>>
>>
>>> http_access allow AuthorizedUsers
>>> http_access deny CONNECT !SSL_ports
>>> http_access deny all
>>>
>>
>> A series of deny lines ending with "deny all" is almost meaningless. The only way they could be useful is if it were testing some external ACL lookup which had side effects on the transaction (user credentials assignment, transaction tagging, deny_info redirect, etc).
>>
>> The "deny CONNECT !SSL_ports" is also a basic security measure to prevent clients performing blind TCP tunnels (CONNECT requests) over the proxy to any port they choose. Your "allow java" and "allow unlimitedBandwidth" being above this are opening massive security holes through your proxy.
>>
>>
>> In summary, I recommend changing your http_access lines to:
>>
>> http_access deny CONNECT !SSL_ports
>> http_access allow unlimitedBandwidth
>> http_access allow java
>> http_access allow AuthorizedUsers
>>
>> http_access deny all
>>
>>
>>>
>>> cache_swap_low 90
>>> cache_swap_high 95
>>>
>>> dns_nameservers 192.168.10.2 192.168.10.3
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i exe$ 0 50% 259200
>>> refresh_pattern -i zip$ 0 50% 259200
>>> refresh_pattern -i rar$ 0 50% 259200
>>> refresh_pattern -i tar\.gz$ 0 50% 259200
>>
>>
>> The above can compact down to:
>> refresh_pattern -i (zip|rar|tar\.gz|exe)$ 0 50% 259200
>>
>>
>> Although I rather think you mean it to be:
>> refresh_pattern -i \.(zip|rar|tar\.gz|exe)$ 0 50% 259200
>>
>>
>>
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> request_header_access All allow all
>>
>>
>> NP: permitting transaction request headers through the proxy is default. You can remove the above request_header_access line.
>>
>>
>>
>> HTH
>> Amos
>>
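The "-" in the %un column that Leonardo sees for an IP listed in unlimited_bandwidth is what Squid's first-match http_access evaluation produces once "allow unlimitedBandwidth" sits above "allow AuthorizedUsers": the src line matches first, the proxy_auth ACL is never consulted, and no 407 challenge is ever sent, so nothing is logged as the user. The model below is an added example, not Squid source code and not configuration from this thread; it shows that ordering effect and Amos's point about where "deny CONNECT !SSL_ports" has to sit relative to the allow lines. The ACL table, IP addresses, usernames and User-Agent strings are constructed stand-ins for the files the config references, and only the ACL types the thread uses are modelled.

```python
"""Simplified model of Squid's first-match http_access evaluation.

Added example; not Squid source code and not part of the mailing-list thread.
Modelled ACL types: src, port, method, browser, proxy_auth. A request either
already carries a username accepted by the auth helper or carries none; helper
failures, "slow" external ACLs and other real Squid details are left out.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                      # client IP as Squid sees it
    method: str                   # e.g. "CONNECT" or "GET"
    port: int                     # destination port
    user_agent: str = "Mozilla/5.0"
    user: Optional[str] = None    # username if the client sent valid Proxy-Authorization


# Constructed ACL table using the names from the thread; IPs and usernames are sample values.
ACLS = {
    "SSL_ports": ("port", {443}),
    "CONNECT": ("method", {"CONNECT"}),
    "unlimitedBandwidth": ("src", {"192.168.10.10", "127.0.0.1"}),     # stands in for unlimited_bandwidth
    "java": ("browser", ("Java/1.4", "Java/1.5", "Java/1.6")),
    "AuthorizedUsers": ("proxy_auth", {"leonardo.abrantes", "amos"}),  # stands in for default_access.acl
    "all": ("src", None),         # None: matches any source
}


class Challenge(Exception):
    """A proxy_auth ACL was reached by a request without credentials: Squid answers 407."""


def acl_matches(name: str, req: Request) -> bool:
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        hit = values is None or req.src in values
    elif kind == "port":
        hit = req.port in values
    elif kind == "method":
        hit = req.method in values
    elif kind == "browser":
        hit = any(pattern in req.user_agent for pattern in values)
    elif kind == "proxy_auth":
        if req.user is None:
            raise Challenge()
        hit = req.user.lower() in values   # the thread declares this list with -i (case-insensitive)
    else:
        raise ValueError(f"unsupported ACL type {kind}")
    return hit != negate


def parse_rules(conf: str):
    """Extract (action, [acl names]) tuples from http_access lines, in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def http_access(rules, req: Request):
    """First line whose ACLs all match wins. Returns (decision, rule index, what %un would log)."""
    for index, (action, acls) in enumerate(rules):
        try:
            if all(acl_matches(acl, req) for acl in acls):
                return action, index, req.user or "-"
        except Challenge:
            return "challenge", index, "-"
    # No line matched: Squid applies the opposite of the last line's action.
    default = "allow" if rules and rules[-1][0] == "deny" else "deny"
    return default, None, req.user or "-"


# Ordering Amos recommended in the thread.
RECOMMENDED = parse_rules("""
http_access deny CONNECT !SSL_ports
http_access allow unlimitedBandwidth
http_access allow java
http_access allow AuthorizedUsers
http_access deny all
""")

# Ordering from the originally posted config (the redundant localhost line omitted).
ORIGINAL = parse_rules("""
http_access allow java
http_access allow unlimitedBandwidth
http_access allow AuthorizedUsers
http_access deny CONNECT !SSL_ports
http_access deny all
""")

# Constructed sample requests: 192.168.10.10 is in unlimitedBandwidth, 192.168.10.50 is not.
LISTED_HTTPS = Request("192.168.10.10", "CONNECT", 443)
OTHER_HTTPS_NO_CREDS = Request("192.168.10.50", "CONNECT", 443)
OTHER_HTTPS_AUTHED = Request("192.168.10.50", "CONNECT", 443, user="leonardo.abrantes")
JAVA_GET = Request("192.168.10.50", "GET", 80, user_agent="Mozilla/4.0 (Java/1.6.0_31)")
LISTED_SMTP_TUNNEL = Request("192.168.10.10", "CONNECT", 25)

if __name__ == "__main__":
    for label, req in [("listed IP, CONNECT 443", LISTED_HTTPS),
                       ("other IP, no creds, CONNECT 443", OTHER_HTTPS_NO_CREDS),
                       ("other IP, authenticated", OTHER_HTTPS_AUTHED),
                       ("other IP, Java client, GET 80", JAVA_GET),
                       ("listed IP, CONNECT 25", LISTED_SMTP_TUNNEL)]:
        print(f"{label:34} recommended={http_access(RECOMMENDED, req)}  original={http_access(ORIGINAL, req)}")
```

The listed IP is allowed at rule 1 with no username under the recommended ordering, which is the "-" in Leonardo's second log line and is by design: a src match before the proxy_auth line is an authentication bypass for that address, so the unlimited_bandwidth file should contain only hosts that are meant to have it. The last two requests show why the deny CONNECT line has to come first: with the original ordering a listed IP tunnelling to port 25 is allowed at rule 1 before the port check is ever reached, while the recommended ordering denies it at rule 0 and only then considers the allow lines.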