On 29/02/2016 9:46 a.m., Karl-Philipp Richter wrote:
>
> squid.conf
> <snip>
>
> acl SSL_ports port 443
<snip>
> acl git_ports port 9418 # git protocol

Combine these two by adding port 9418 into the SSL_ports ACL.

> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access allow CONNECT git_ports
> http_access deny CONNECT !SSL_ports
> http_access allow CONNECT git_ports

... then you can remove these duplicated "allow CONNECT git_ports" lines.

> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
>
> ## Service configuration
> http_port 192.168.178.20:3128 intercept
>
> https_port 192.168.178.20:3130 intercept ssl-bump cert=/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> ssl_bump bump all
>
> # sslproxy_capath /etc/ssl/certs # obsolete in 4.0.1
>
> #sslproxy_cafile /usr/local/openssl/cabundle.file # unclear where it is in package manager installation
>
> # insecure -> use for debugging only
> sslproxy_cert_error allow all
> # sslproxy_flags DONT_VERIFY_PEER # obsolete in 4.0.1
>
>
> cache_dir ufs /var/squid/cache 100 16 256
>
> coredump_dir /var/squid/cache
>
> #refresh_pattern ^ftp: 1440 20% 10080
> #refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 432000 99% 4320000
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|tar\.gz|txz|tar\.xz|ram|rar|bin|ppt|doc|tiff|gz|git)$ 100800 99% 432000 store-stale

You are missing the .bz2 and .xz extensions. Then you can remove the tar.gz and tar.xz entries. And if RAR are really that popular you will want to add r[0-9][0-9] extensions as well.

And stuffing a query string on the URL is also common, so for all of the file extension lines you will want to replace the "$" at the end with this: (\?.*)?$

Remove this line:

> refresh_pattern -i .* 100800 99% 432000 store-stale

... it is unsafe and clobbers the finely tuned protocol behaviour initiated by the below defaults. Instead adjust the pct and max values of the '.' pattern rule below (leaving the min as 0), and add store-stale to it as well.

> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ftp_port 192.168.178.20:3129
>
> cache_effective_user squid
> cache_effective_group squid
>
> access_log /usr/local/squid/var/log/access.log
> cache_store_log /usr/local/squid/var/log/cache_store.log
> cache_log /usr/local/squid/var/log/cache.log

You should not need store.log. Unless you have some tool specially needing it, you can remove the above line completely and gain a bit of performance.

The other logs look like the default paths for Squid. If that is right you can remove them from your config file; Squid will still log there.

>
> pid_filename /usr/local/squid/var/run/squid.pid
>

Likewise, the .pid file location should not need to be explicit. Try removing.

>
> ## Cache access
> acl domain_all dstdom_regex -i .*
> cache allow domain_all
>
> # avoid caching of results from IP lookup services (unclear why they're cached
> # anyway, i.e. whether squid configuration of HTTP reply is badly configured)
> acl ip_services dstdomain "/etc/squid3/no-cache.acl"
> cache deny ip_services

To answer the implied question. This is probably a side effect of the unusual ".*" refresh pattern and/or the domain_all ACL used.

Try removing all of the above "cache" lines. If you still need to deny these after fixing the refresh_patterns, then add back only the ip_services rule with ACL entries relevant to the new situation.

>
> always_direct allow ip_services
>

Okay, remove the always_direct line. You are not using cache_peer's.

>
> ## Cache storage
> maximum_object_size 20 GB
> maximum_object_size_in_memory 20 MB
> minimum_object_size 0 KB
>
>
> ## Others
> range_offset_limit -1
>
> dns_v4_first on

See if you can remove the above. A properly working network does not need it. If issues appear when it's not used, then they *need* to be fixed. Regular attempts should be tried anyway even if you find you have to add it back in for a while.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
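The refresh_pattern advice above (add .bz2/.xz, drop the redundant tar.gz/tar.xz entries, add r[0-9][0-9] for multi-part RAR, and replace the trailing "$" with "(\?.*)?$") is easy to get wrong by hand. The script below is an added example, not part of Amos's reply or of the original squid.conf: it holds the quoted extension rules beside the corrected versions and runs both over a handful of constructed URLs so the difference is visible. It assumes Python's re module is a close enough stand-in for Squid's POSIX ERE matcher (true for these patterns) and that, like Squid, the first matching rule wins; the URLs are invented for the test.

```python
import re

# The three extension rules as quoted from the original squid.conf,
# anchored with a bare "$".
ORIGINAL_PATTERNS = {
    "images": r"\.(gif|png|jpg|jpeg|ico)$",
    "media": r"\.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$",
    "archives": r"\.(deb|rpm|exe|zip|tar|tgz|tar\.gz|txz|tar\.xz|ram|rar|bin|ppt|doc|tiff|gz|git)$",
}

# The same rules with the review applied: bz2 and xz added (so tar.gz and
# tar.xz become redundant and are dropped), r[0-9][0-9] added for split RAR
# volumes, and "(\?.*)?$" in place of "$" so a query string cannot defeat
# the match.
CORRECTED_PATTERNS = {
    "images": r"\.(gif|png|jpg|jpeg|ico)(\?.*)?$",
    "media": r"\.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)(\?.*)?$",
    "archives": r"\.(deb|rpm|exe|zip|tar|tgz|txz|ram|rar|r[0-9][0-9]|bin|ppt|doc|tiff|gz|bz2|xz|git)(\?.*)?$",
}


def classify(url, patterns):
    """Return the name of the first pattern matching url, or None.

    Squid walks refresh_pattern lines top to bottom and stops at the first
    match; the quoted rules all carry -i, hence IGNORECASE here.
    """
    for name, pattern in patterns.items():
        if re.search(pattern, url, re.IGNORECASE):
            return name
    return None


# Constructed sample URLs (hypothetical hosts, not taken from the thread).
SAMPLE_URLS = [
    "http://mirror.example/pool/main/squid_3.5.deb",
    "http://mirror.example/pool/main/squid_3.5.deb?mirror=3",
    "http://cdn.example/assets/logo.PNG?v=20160229",
    "http://files.example/big.tar.xz",
    "http://files.example/archive.part.r01",
    "http://files.example/source.tar.bz2",
    "http://api.example/lookup?ip=198.51.100.7",
]


def compare(urls=SAMPLE_URLS):
    """Map each URL to (rule matched by original set, rule matched by corrected set)."""
    return {
        url: (classify(url, ORIGINAL_PATTERNS), classify(url, CORRECTED_PATTERNS))
        for url in urls
    }


if __name__ == "__main__":
    for url, (before, after) in compare().items():
        print(f"{url}\n    original:  {before}\n    corrected: {after}")
```

The URLs with a query string, the .r01 volume and the .bz2 tarball fall through every original rule and land on the generic "." default; after the fix they hit the intended rule, while the IP-lookup URL (which has no file extension) still matches nothing, so it keeps whatever the "." and "(/cgi-bin/|\?)" rules decide.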