
Re: Squid wont work when removing DG


 



On 2014-01-22 09:52, Scott Mayo wrote:
On Tue, Jan 21, 2014 at 2:45 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 2014-01-22 03:14, Scott Mayo wrote:

I have run a DG/Squid setup for quite some time. I am having problems
with slowness.  It seems DG has too many processes open.  I wanted to
test this to remove DG from the mix.

DG listens on 8080 and Squid on 3128.  I have it set to authenticate
users.

Since I wanted to test I did the following:
1.  Edited squid.conf to listen on 8080
2.  Stopped DG
3.  Restarted squid 'squid -k reconfigure'

After that did not work I even set squid.conf back to listening to
port 3128 and had my test client proxy settings changed to 3128
instead of 8080.  I even cleared my squid cache out.


It sounds like you have access control problems. When removing DG you also need to make Squid do whatever controls DG was doing (or ensure omitted rules were not actually needed for connectivity), and remove anything in squid.conf which was specifically for DG (such as only allowing traffic from the IP address used by DG).

Perhaps if you would share your squid.conf we could be a bit more helpful.


Thanks.  I was actually going to do that.  Just got it out a bit ago.
 Here it is if you see anything that should not be there.  I really
thought I had done exactly what I did before and it worked.  Maybe I
have changed something along the way.


What version of Squid are you running? I see a lot of lines here for things which have been obsoleted or deprecated since 2.6 and one which is only relevant to squid-2.5 down there at the end. If you have anything older than 3.2 please seriously consider an upgrade ASAP, and if you have something newer please at least run squid -k parse and follow up on the messages it emits.


http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl username proxy_auth REQUIRED
acl update-micro-dom dstdomain .microsoft.com
acl update-micro-dom dstdomain .windowsupdate.com
acl all src 0.0.0.0/0.0.0.0
acl banned_ips src 10.1.1.1
acl limituserconStudent maxconn 3
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 2443
acl Safe_ports port 80-81
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 210
acl Safe_ports port 8080 3123
acl CONNECT method CONNECT

These ...

follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on

... are all Squid config lines to integrate with DG. Try removing them, or at least commenting out the first one.

no_cache deny no_cache_sites
http_access deny limituserconStudent
http_access allow manager localhost
http_access deny manager
http_access deny banned_ips
http_access allow update-micro-dom
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow username
http_access allow localhost

Um, only localhost services or authenticated traffic is permitted. Is that correct for your policy?

cache_effective_user squid
cache_effective_group squid
visible_hostname localhost

Proxy hostname of "localhost" leads to many problems. This should be the public (at least in the LAN) accessible FQDN for your proxy service.

http_access deny all
http_reply_access allow all
icp_access allow all
httpd_accel_with_proxy off

Er, httpd_accel_with_proxy is so old we do not even document it anymore.

Amos
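
An added example, not part of the original thread or of Squid itself: a small Python lint that flags the squid.conf lines singled out in the reply above (the DG integration lines, `visible_hostname localhost`, `httpd_accel_with_proxy`) and lists the `http_access allow` rules in order so the effective policy can be reviewed. It goes slightly beyond the reply by also reporting access rules that name an ACL not defined earlier in the text it is given; ACL names built into newer Squid releases are not modeled, and the sample input is an excerpt of the configuration posted in the thread.

```python
# Added example (not from the thread): flag the squid.conf items raised above.
DG_LINES = {"follow_x_forwarded_for", "acl_uses_indirect_client",
            "delay_pool_uses_indirect_client", "log_uses_indirect_client"}
ACCESS = {"http_access", "http_reply_access", "icp_access", "no_cache"}

# Excerpt of the configuration posted in the thread, used as sample input.
SAMPLE = """\
acl username proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
no_cache deny no_cache_sites
http_access allow username
http_access allow localhost
visible_hostname localhost
http_access deny all
httpd_accel_with_proxy off
"""

def lint(conf_text):
    """Return (findings, allow_rules); findings are (line, directive, reason)."""
    findings, allow_rules, defined = [], [], set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "acl" and args:
            defined.add(args[0])
        elif directive in DG_LINES:
            findings.append((lineno, directive, "DG integration line"))
        elif directive == "httpd_accel_with_proxy":
            findings.append((lineno, directive, "obsolete directive"))
        elif directive == "visible_hostname" and args[:1] == ["localhost"]:
            findings.append((lineno, directive, "use the proxy's FQDN"))
        elif directive in ACCESS:
            # ACL names follow allow/deny; a leading "!" negates a name.
            for name in (a.lstrip("!") for a in args[1:]):
                if name not in defined:
                    findings.append((lineno, directive, f"undefined ACL {name}"))
            if directive == "http_access" and args[:1] == ["allow"]:
                allow_rules.append(args[1:])
    return findings, allow_rules

if __name__ == "__main__":
    findings, allow_rules = lint(SAMPLE)
    for lineno, directive, why in findings:
        print(f"line {lineno}: {directive}: {why}")
    print("http_access allow rules, in order:", allow_rules)
```

This is a review aid only; `squid -k parse`, as recommended in the reply, remains the authoritative check for a given Squid version.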



