On 25/04/20 9:09 am, russel0901 wrote:
> I am having a problem on my squid proxy

Which version of Squid are you using? Output of squid -v would be best if you can provide.

> this setting is allow all but i can't visit sites like bancnetonline, rcbc,
> philhealth (govt and bank site)
>
> sometimes it can be visited, sometimes not... (weird???)
>
> Please Help thank you.
>

Following is a free review of your config settings. To actually determine your problem we will need log records of a failing transaction. At least the access.log entries you see for it, and maybe also something from cache.log if that is not enough.

... which brings me to the first problem in your config. "cache_log /dev/null" is a very bad idea. This completely hides all information about problems from *you* - the problems still exist, still seen by everyone else involved. All this does is erase most of your ability to troubleshoot.

If your objective is reduced log verbosity use this setting instead:

  debug_options ALL,0

That reduces cache.log contents to mentions about critical failures of Squid.

>
> here is my squid conf...
>
> max_filedesc 4096

Why so low? And why the deprecated RedHat experimental directive?

The current squid.conf directive is max_filedescriptors. It is a backup to the --with-max-filedescriptors build option and system ulimit setup.

> request_header_access X-Forwarded-For allow all

This is pointless. All it does is waste CPU cycles on every request through Squid.

> via off
> httpd_suppress_version_string on
>
> http_port 3333
> icp_port 3535
>
> hierarchy_stoplist cgi-bin ?

This is pointless. It is the default setting for all Squid-3 and later versions.

> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

QUERY is obsolete and actually somewhat harmful in current Squid. For much improved caching you can add the missing refresh_pattern mentioned below, then erase these and all other rules using the QUERY ACL name.
> cache_mem 32 MB
> maximum_object_size 5480 KB
> cache_dir ufs /home/squidcache 6000 16 256
> #cache_dir ufs /home/squidcache2 6000 16 256
> cache_access_log /home/squidcache/access.log

This directive has been deprecated since early Squid-2. Current Squid uses:

  access_log /home/squidcache/access.log

> cache_log /dev/null

Already mentioned the problems with this. Please revert it to the default for your Squid version. You will need this log to investigate the current problem.

> cache_store_log none

This is pointless. It is the default for all current Squid.

> ftp_user Squid@xxxxxxxxxx
> dns_defnames on
> request_body_max_size 10000 MB
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Missing pattern:

  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> negative_ttl 1 minute
> negative_dns_ttl 5 minute
> connect_timeout 60 minute
> read_timeout 5 minute
> request_timeout 60 second
> client_lifetime 4 hour
> half_closed_clients off
> pconn_timeout 240 second
> shutdown_lifetime 5 second
> #acl localhost src 127.0.0.1/32 ::1
> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
> acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method purge

Do you or your clients actually use PURGE method requests? It would be worth looking into why.

That old Squid custom extension to HTTP is deprecated. Current Squid obeys HTTP/1.1 caching far better than old Squid-2 and earlier versions. You can use the Cache-Control:no-cache *request* header to update cache contents better than PURGE ever could. Also, the HTCP protocol is better for cache management with HTTP/1.1 than either the PURGE or ICP protocol.
If you can find or adapt tools to use that protocol they will be much better off.

> acl manager proto cache_object

This is also a deprecated manager ACL definition. This implies that your Squid is quite old. Please upgrade to a more current version.

> acl apache src 10.20.0.245
>
> acl QUERY urlpath_regex -i owa
> acl QUERY2 urlpath_regex cgi-bin \?
> acl QUERY3 urlpath_regex -i php
> acl dontcache dstdomain "/etc/squid/dontcache"
> no_cache deny QUERY
> no_cache deny QUERY2
> no_cache deny QUERY3

"no_cache" is deprecated. The above rules are actually doing "cache deny".

It would be worth investigating why any URL containing the letters "owa" or "php" is apparently being forced to cache. Please notice these ACL regexes match if those letters occur *anywhere* in the URL path portion. That includes 'folder', 'filename', query-string, and fragment strings. Also in non-HTTP URLs which have 'path' portions and such.

> always_direct allow dontcache

This is a routing control directive. An ACL called 'dontcache' is confusing as a reason to prevent routing to a cache_peer - which does not exist in this config anyway.

As a result of this any domain not listed in the "dontcache" ACL will be prevented from service by this proxy. If that is actually what you want to happen, it would be better configuring this:

  http_access deny !dontcache

... but you have explicitly put the exact opposite in your http_access rules below. Which implies these rules are completely broken.

>
> #allowed sites
> acl blockedsites dstdomain "/etc/squid/blockedsites"
> acl allowedsites dstdomain "/etc/squid/authorizedsites"
> acl tahiti src 172.16.20.254/32
> acl elmo src 10.20.0.254/32
> acl mnlnet2 src "/etc/squid/authorized"
>
>
> http_access allow dontcache
> http_access allow manager apache
> http_access allow all

All following http_access rules are pointless. Since all previous http_access rules are 'allow' they are also a pointless waste of CPU cycles.

This is an open proxy, with no logging.
As such the only security protection you have is the miss_access which *breaks* a huge amount of traffic. If it were not for that your network would be completely open to any type of attack.

> http_access allow elmo
> #http_access allow localhost
> #http_access allow purge localhost
> #http_access allow manager localhost
> http_access allow mnlnet2
> http_access allow tahiti
> http_access deny !Safe_ports
> #http_access deny manager
> http_access deny CONNECT !SSL_ports
> http_access deny purge
> http_access deny blockedsites
>
>
> #icp_access allow localhost
> icp_access allow all

None of the following icp_access rules have any effect. This proxy does not have any cache_peer to send ICP traffic to.

> icp_access allow elmo
> icp_access allow tahiti
> icp_access allow mnlnet2
> miss_access allow all

This miss_access is pointless. It is the default behaviour of Squid.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
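As an added illustration (not part of Amos's reply or any Squid tooling), a small Python checker that flags the deprecated directives, the "cache_log /dev/null" setting and the http_access rules left unreachable behind "allow all" that the review above calls out. The excerpt it scans is constructed, modelled on the quoted config:

```python
# Constructed squid.conf excerpt modelled on the configuration quoted above;
# the directive names and the recommendations come from the review in the thread.
SAMPLE_CONF = """\
max_filedesc 4096
cache_log /dev/null
cache_access_log /home/squidcache/access.log
hierarchy_stoplist cgi-bin ?
no_cache deny QUERY
acl manager proto cache_object
http_access allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

# Deprecated or redundant directives and the replacement recommended in the reply.
DEPRECATED = {
    "max_filedesc": "use max_filedescriptors",
    "cache_access_log": "use access_log",
    "no_cache": "use 'cache deny'",
    "hierarchy_stoplist": "default since Squid-3, remove",
}


def lint_squid_conf(text):
    """Return (line_no, message) findings for the squid.conf text, in file order."""
    findings = []
    allow_all_seen = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive in DEPRECATED:
            findings.append((n, f"{directive}: deprecated, {DEPRECATED[directive]}"))
        if directive == "cache_log" and args == ["/dev/null"]:
            findings.append((n, "cache_log /dev/null hides failures; use debug_options ALL,0"))
        if directive == "acl" and args[1:] == ["proto", "cache_object"]:
            findings.append((n, "acl manager proto cache_object: deprecated, old Squid"))
        if directive == "http_access":
            if allow_all_seen:  # every rule after 'allow all' is never evaluated
                findings.append((n, "http_access rule unreachable after 'allow all'"))
            elif args == ["allow", "all"]:
                allow_all_seen = True
                findings.append((n, "http_access allow all: open proxy"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
```

Run it against a real squid.conf by passing the file contents to lint_squid_conf; anything it reports maps to a point in the review above.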