On 14/06/2013 8:11 p.m., guzzzi wrote:
> Hello,
> there are some websites; when I use Squid they don't build up correctly. If I
> open the website without Squid I see the website correctly.
Given your refresh_pattern lines are screwed up this is not surprising.
Try commenting those out and see what starts working.
What version of Squid? If it is older than 3.3.5 try an upgrade and see
if this is an old fixed bug of any kind.
> My squid.conf
> # Auth
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive on
> #auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> #auth_param basic children 10
> #auth_param basic realm Squid Proxy Server
> #auth_param basic credentialsttl 2 hours
> #auth_param basic casesensitive off
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 minutes
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443 3000
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 21
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl FTP_ports port 21
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl AuthorizedUsers proxy_auth REQUIRED
> #acl block-fnes urlpath_regex -i .*/fnes/echo
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
You here allow *all* machines matching the ACL "localnet"....
> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
... the above two lines restricting machines matching ACL "localnet"
will never do anything.
> http_access allow AuthorizedUsers
> http_access deny all
> # Squid normally listens to port 3128
> http_port 3128 transparent
Split this into two ports. One to receive the intercepted origin / port
80 traffic "transparent" stuff. And leave 3128 to receive the
explicitly configured proxy traffic.
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
That above line can go.
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/cache/squid 51200 36 256
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern -i \.(html|htm|html\?|htm\?)$ 9440 90% 100000
I will use the above as an example to document what is wrong with those
refresh_patterns.
* the explicit duplication of patterns "htm" "html" and "htm\?" and
"html\?" can be compacted to "html?\??"
* The "?" character in an HTTP URL signifies the start of a query string
and is very rarely ever existing without a query string portion.
The above pattern should be replaced with:
-i \.html?(\?.*)?$
> override-expire reload-into-ims
> refresh_pattern -i
> \.(gif|png|jpg|jpeg|ico|bmp|tiff|webp|bif|gif\?|png\?|jpg\?|jpeg\?|ico\?|bmp\?|tiff\?|webp\?|bif\?)$
-i \.(gif|bif|tiff|png|jpe?g|ico|bmp|webp)(\?.*)?$
> 36000 90% 100000 overr$
> refresh_pattern \.(swf|swf\?|js|js\?|wav|css|css\?|class|dat|zsci)$ 36000
> 90% 100000 override-expire reload-into-ims
> refresh_pattern -i
> \.(bin|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|docx|tiff|pdf|uxx|gz|xls|xlsx|psd|crl|msi|dll|dll\?|crx|enc|skl|arc)$
> 36$
Several of these patterns appear to be missing the ends of their lines,
cut-n-paste errors? Can you show the whole lines please.
> refresh_pattern -i \.(xml)$ 0 90% 100000
> refresh_pattern -i \.(json|json\?)$ 1440 90% 5760 override-expire
> reload-into-ims
Overriding the expiry timestamp on JSON datasets. Uhm, one of the worst
ideas I've seen in a long while. JSON is used *only* for relaying
dynamic data to running scripts - caching it for longer than it is
supposed to exist for is bound to cause problems.
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern ^ftp: 5440 90% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i . 0 90% 5760
> ignore_expect_100 on
Bad thing to do. Upgrade to 3.2 or later release and you can stop
causing Expect:100-continue problems :-)
> minimum_object_size 0 KB
> #pipeline_prefetch on
> maximum_object_size 250 MB
> maximum_object_size_in_memory 1 MB
> #visible_hostname shadow
> #ique_hostname shadow-DHS
> client_db off
> cache_store_log none
> #positive_dns_ttl 16 day
> #shutdown_lifetime 0 second
> cache_mem 768 MB
> memory_pools on
> #read_ahead_gap 1 MB
> #half_closed_clients off
> access_log /var/log/squid3/access.log
> and the Website of "www.kia.de" look like this, and this is not correct
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4660603/kia.jpg>
CSS missing or an old .css file downloaded out of the cache. Missing is
likely not a Squid problem, overly old objects coming out of the cache
could be due to your refresh_pattern overriding the website author's
description of the object's validity states.
Amos
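
The http_access ordering point in the reply above, as an added example that is not part of the original message: a small checker that reports rules an earlier rule makes unreachable, since Squid stops at the first http_access line whose ACLs all match. The function names are hypothetical, and the check compares ACL names only.

```python
"""Find http_access rules that an earlier rule makes unreachable (first match wins)."""

# http_access lines copied from the squid.conf quoted in the message above.
HTTP_ACCESS = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access allow AuthorizedUsers
http_access deny all
"""


def parse_rules(text):
    """Return (line_no, action, frozenset of ACL terms) for each http_access line."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_access":
            rules.append((line_no, fields[1], frozenset(fields[2:])))
    return rules


def shadowed_rules(rules):
    """Return (later_line, earlier_line) pairs where the later rule can never fire.

    ACLs on one line are ANDed, so if every term of an earlier rule also appears
    in a later rule, the earlier rule matches first whenever the later one would.
    Only ACL names are compared; overlapping ACL contents are not analysed.
    """
    found = []
    for i, (later_no, _, later_terms) in enumerate(rules):
        for earlier_no, _, earlier_terms in rules[:i]:
            if earlier_terms <= later_terms or earlier_terms == {"all"}:
                found.append((later_no, earlier_no))
                break
    return found


if __name__ == "__main__":
    for later, earlier in shadowed_rules(parse_rules(HTTP_ACCESS)):
        print(f"rule on line {later} is unreachable: line {earlier} matches first")
```

Moving the more specific `localnet` rules above the bare `http_access allow localnet` line makes the report come back empty.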
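
The refresh_pattern point in the reply above, as an added example that is not part of the original message: Squid applies the first refresh_pattern whose regex matches the URL, so this sketch reports which rule governs a URL under the original html pattern and under the suggested replacement. It uses a subset of the complete rules from the quoted config, Python's `re` in place of Squid's regex engine, and constructed `example.test` URLs; the function name is hypothetical.

```python
"""Show which refresh_pattern rule governs a URL (the first matching rule applies)."""
import re

AGGRESSIVE = "override-expire reload-into-ims"

# Complete rules taken from the quoted squid.conf, in their original order
# (truncated lines left out). Each entry: (has -i flag, regex, remaining options).
ORIGINAL = [
    (True, r"\.(html|htm|html\?|htm\?)$", "9440 90% 100000 " + AGGRESSIVE),
    (False, r"\.(swf|swf\?|js|js\?|wav|css|css\?|class|dat|zsci)$",
     "36000 90% 100000 " + AGGRESSIVE),
    (True, r"(/cgi-bin/|\?)", "0 0% 0"),
    (True, r".", "0 90% 5760"),
]

# Same list with the first regex swapped for the replacement given in the reply.
SUGGESTED = [(True, r"\.html?(\?.*)?$", ORIGINAL[0][2])] + ORIGINAL[1:]


def governing_rule(url, rules):
    """Return the index of the first rule whose regex matches url, or None."""
    for index, (ignore_case, pattern, _options) in enumerate(rules):
        flags = re.IGNORECASE if ignore_case else 0
        if re.search(pattern, url, flags):
            return index
    return None


# Constructed sample URLs.
SAMPLES = [
    "http://www.example.test/index.html",
    "http://www.example.test/index.html?lang=de",
    "http://www.example.test/css/site.css?v=3",
    "http://www.example.test/css/site.CSS",
]

if __name__ == "__main__":
    for url in SAMPLES:
        before = governing_rule(url, ORIGINAL)
        after = governing_rule(url, SUGGESTED)
        print(f"{url}\n  original  -> rule {before}: {ORIGINAL[before][2]}"
              f"\n  suggested -> rule {after}: {SUGGESTED[after][2]}")
```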