Re: [squid-users] https://weather.yahoo.com redirect loop

2014-08-19 Thread Amm


On 08/20/2014 10:52 AM, Jatin Bhasin wrote:

And when I browse to https://weather.yahoo.com then it goes in
redirect loop. I am using Chrome browser and I get a message at
the end saying 'This webpage has a redirect loop'.


Happens in 3.4 series too.

I added these in squid.conf as a solution:

via off
forwarded_for delete

Amm


[squid-users] https://weather.yahoo.com redirect loop

2014-08-19 Thread Jatin Bhasin
Hello All,

I am using SSL Bump in transparent mode in squid 3.3.12. And when I
browse to https://weather.yahoo.com then it goes in a redirect loop.
I am using Chrome browser and I get a message at the end saying 'This
webpage has a redirect loop'.

On checking the developer console I found that response code received
for the GET is 301 Moved Permanently.

But when I go to the same site direct (without squid in the middle)
then it works normally and I see 200 OK for the same GET.


Thanks,
Jatin


Re: [squid-users] Poor cache

2014-08-19 Thread Eliezer Croitoru

On 08/20/2014 12:21 AM, Délsio Cabá wrote:

3107 TCP_MISS/304

The above is good...
It means that the file was not downloaded from the internet/source and the
local (machine) copy of the file was used.


Eliezer


Re: [squid-users] unbound and squid not resolving SSL sites

2014-08-19 Thread Eliezer Croitoru

I wasn't sure but I am now.
You are doing something wrong and I cannot tell what exactly.
Try to share this script output:
http://www1.ngtech.co.il/squid/basic_data.sh

There are missing parts in the whole setup such as clients IP and server 
IP, what GW are you using etc..


Eliezer

On 08/19/2014 02:37 PM, sq...@proxyplayer.co.uk wrote:



Take a look at:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP

Your squid.conf seems to be too incomplete to allow SSL-Bump to work.

Eliezer


I recompiled to 3.4.6 and ran everything in your page there.
squid started correctly.
However, it is the same problem. Any https page that I had configured
does not resolve. It is being redirected by unbound but as soon as it
hits the proxy, it just gets dropped somehow:

# Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5454:2633080]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 213.171.217.173/32 -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
# Completed on Tue Aug 19 03:14:13 2014
# Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
*nat
:PREROUTING ACCEPT [23834173:1866373947]
:POSTROUTING ACCEPT [22194:1519446]
:OUTPUT ACCEPT [22194:1519446]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -s 0.0.0.0/32 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 19 03:14:13 2014




Re: [squid-users] what AV products have ICAP support?

2014-08-19 Thread Jason Haar
Thanks for that, shouldn't squid be listed there as an ICAP client?

On 19/08/14 17:56, Amos Jeffries wrote:
> http://www.icap-forum.org/icap?do=products&isServer=checked 


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[squid-users] Poor cache

2014-08-19 Thread Délsio Cabá
Hi guys,
Need some help on cache. Basically I do not see many caches.

root@c /]# cat /var/log/squid/access.log | awk '{print $4}' | sort | uniq -c | sort -rn
  17403 TCP_MISS/200
   3107 TCP_MISS/304
   1903 TCP_MISS/000
   1452 TCP_MISS/204
   1421 TCP_MISS/206
   1186 TCP_MISS/302
659 TCP_MISS/503
641 NONE/400
548 TCP_MISS/301
231 TCP_OFFLINE_HIT/200
189 TCP_MISS/404
126 TCP_IMS_HIT/304
112 TCP_MISS/504
 68 TCP_MISS/401
 56 TCP_MEM_HIT/200
 50 TCP_SWAPFAIL_MISS/304
 49 TCP_REFRESH_UNMODIFIED/200
 46 TCP_SWAPFAIL_MISS/200
 39 TCP_MISS/500
 36 TCP_MISS/502
 34 TCP_REFRESH_UNMODIFIED/304
 31 TCP_MISS/403
 25 TCP_MISS/400
 19 TCP_CLIENT_REFRESH_MISS/200
 17 TCP_REFRESH_MODIFIED/200
 11 NONE/417
  9 TCP_MISS/303
  6 TCP_HIT/000
  5 TCP_MISS/501
  5 TCP_HIT/200
  4 TCP_MISS/202
  3 TCP_MISS/412
  2 TCP_SWAPFAIL_MISS/000
  2 TCP_MISS/408
  1 TCP_MISS/522
  1 TCP_MISS/410
  1 TCP_MISS/405
  1 TCP_CLIENT_REFRESH_MISS/000


The cache dir is reiserfs
Config:
cache_dir ufs /cache 640 32 512 max-size=1048576
minimum_object_size 0 KB
maximum_object_size 10 MB
cache_swap_low 90
cache_swap_high 95
snmp_port 0
snmp_access deny all
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
pipeline_prefetch on
shutdown_lifetime 1 second
visible_hostname c.webmasters.co.mz
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#debug_options rotate=1 ALL,1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src x.x.x.0/24     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7      # RFC 4193 local private network range
#acl localnet src fe80::/10     # RFC 4291 link-local (directly plugged) machines
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports



# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow all

acl winupdate dstdomain .windowsupdate.com
acl peakperiod time 10:00-16:00
delay_pools 1
delay_class 1 1
# 64 Kbit/s
delay_parameters 1 8000/8000
delay_access 1 allow winupdate peakperiod
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3401
http_port 0.0.0.0:3401 intercept

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

maximum_object_size 1280096 KB

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /cache

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 144000 20% 1008000
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|mpg|wma|ogg|wmv|asx|asf)$ 26 90% 260009 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf|uxx)$ 26 90% 260009 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 1440 90% 40320
refresh_pattern -i \.(html|htm|css|js)$ 1440 90% 40320
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 5259487 100% 9259487 ignore-no-cache ignore-private override-lastmod override-expire ignore-no-store ignore-must-revalidate

# caching windows update various windows versions
refresh_pattern -i
microsoft.com/.*\.(cab|exe|ms[i|
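The awk pipeline above only tallies the code/status column; the added script below (not from the thread) parses constructed access.log lines in Squid's native format, tallies the same column, and also computes request and byte hit ratios, which is the number the "Poor cache" question is really about. Function and variable names are my own.

```python
# Added example (not from the thread): tally Squid access.log result codes
# and compute request/byte hit ratios. Assumes Squid's native log format:
#   time elapsed client code/status bytes method URL ident hierarchy type
from collections import Counter

# Constructed sample lines in native format (not real traffic from the thread).
SAMPLE_LOG = """\
1408406400.123 210 192.168.1.10 TCP_MISS/200 15320 GET http://example.com/a.js - HIER_DIRECT/93.184.216.34 application/javascript
1408406401.456 1 192.168.1.10 TCP_MEM_HIT/200 15320 GET http://example.com/a.js - HIER_NONE/- application/javascript
1408406402.789 98 192.168.1.11 TCP_MISS/304 312 GET http://example.com/logo.png - HIER_DIRECT/93.184.216.34 -
1408406403.001 0 192.168.1.11 TCP_IMS_HIT/304 288 GET http://example.com/logo.png - HIER_NONE/- -
1408406404.222 1500 192.168.1.12 NONE/400 3200 GET bad-request - HIER_NONE/- text/html
1408406405.333 45 192.168.1.13 TCP_SWAPFAIL_MISS/200 9000 GET http://example.com/b.css - HIER_DIRECT/93.184.216.34 text/css
"""

def parse_line(line):
    """Return (result_code, http_status, bytes) or None for a malformed line."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    try:
        return code, int(status), int(f[4])
    except ValueError:
        return None

def classify(code):
    """'hit' when a cached body was served (incl. revalidated), 'other' for NONE/* errors, else 'miss'."""
    if code == "NONE":
        return "other"
    if "HIT" in code or code == "TCP_REFRESH_UNMODIFIED":
        return "hit"
    return "miss"

def cache_stats(log_text):
    """Counts per code/status plus request and byte hit ratios."""
    counts, n, b = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip truncated or non-native lines
        code, status, nbytes = parsed
        counts[f"{code}/{status}"] += 1
        kind = classify(code)
        n[kind] += 1
        b[kind] += nbytes
    reqs, byt = n["hit"] + n["miss"], b["hit"] + b["miss"]
    return {"counts": counts,
            "request_hit_ratio": n["hit"] / reqs if reqs else 0.0,
            "byte_hit_ratio": b["hit"] / byt if byt else 0.0}
```

Run it against the real file by passing open('/var/log/squid/access.log').read() to cache_stats; a large TCP_SWAPFAIL_MISS count, as in the posted output, points at objects that were indexed but could not be read back from the cache_dir.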

[squid-users] Re: server failover/backup

2014-08-19 Thread nuhll
I got help by email:

removed intercept from http_port (because I don't use NAT)
and removed quick_abort_min (I was told it bugs sometimes).

Still battle.net is not working.

I can't believe I'm the only one with this problem...





Re: [squid-users] unbound and squid not resolving SSL sites

2014-08-19 Thread squid



Take a look at:
http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP

Your squid.conf seems to be too incomplete to allow SSL-Bump to work.

Eliezer


I recompiled to 3.4.6 and ran everything in your page there.
squid started correctly.
However, it is the same problem. Any https page that I had configured  
does not resolve. It is being redirected by unbound but as soon as it  
hits the proxy, it just gets dropped somehow:


# Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5454:2633080]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 213.171.217.173/32 -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT

-A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
# Completed on Tue Aug 19 03:14:13 2014
# Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
*nat
:PREROUTING ACCEPT [23834173:1866373947]
:POSTROUTING ACCEPT [22194:1519446]
:OUTPUT ACCEPT [22194:1519446]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -s 0.0.0.0/32 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 19 03:14:13 2014

#acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
acl interval_auth external time_squid_auth
http_access allow interval_auth
http_access deny all
http_port 80 accel vhost allow-direct
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB

sslcrtd_children 10
ssl_bump server-first all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

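The reply says the squid.conf is too incomplete for SSL-Bump but not which pieces to look at. As an added example (not from the thread, not a Squid tool), the script below cross-checks a transparent bumping setup: the https_port must carry intercept, ssl-bump and a cert, an sslcrtd_program and an ssl_bump rule must exist, and the iptables REDIRECT for port 443 must point at that https_port. The two inputs are constructed to resemble the poster's config; function names are my own.

```python
# Added example (not from the thread): cross-check a transparent SSL-Bump
# setup: required squid.conf directives plus the iptables REDIRECT port.
# Both inputs below are constructed to resemble the poster's configuration.
import re

# Constructed squid.conf fragment (mail-wrapped lines already rejoined).
SQUID_CONF = """\
http_port 80 accel vhost allow-direct
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump server-first all
"""

# Constructed iptables-save excerpt (nat table only).
IPTABLES_SAVE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
"""

def redirect_targets(iptables_text, dport="443"):
    """Local ports that nat PREROUTING REDIRECTs traffic for dport to."""
    pat = re.compile(r"^-A PREROUTING .*--dport %s .*-j REDIRECT --to-ports (\d+)" % dport)
    ports = set()
    for line in iptables_text.splitlines():
        m = pat.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def ssl_bump_findings(conf_text, iptables_text):
    """Human-readable problems; an empty list means the basics line up."""
    lines = [s for s in (l.strip() for l in conf_text.splitlines()) if s and not s.startswith("#")]
    findings = []
    https_ports = [l for l in lines if l.startswith("https_port ")]
    if not https_ports:
        findings.append("no https_port: intercepted 443 traffic has nowhere to go")
    for hp in https_ports:
        port = int(hp.split()[1].rsplit(":", 1)[-1])  # accepts host:port too
        for opt in ("intercept", "ssl-bump", "cert="):
            if opt not in hp:
                findings.append(f"https_port {port} lacks {opt}")
        if port not in redirect_targets(iptables_text):
            findings.append(f"iptables does not REDIRECT port 443 to https_port {port}")
    if not any(l.startswith("sslcrtd_program ") for l in lines):
        findings.append("sslcrtd_program missing: generate-host-certificates needs it")
    if not any(l.startswith("ssl_bump ") for l in lines):
        findings.append("no ssl_bump rule: nothing will be bumped")
    return findings
```

Feed it the real squid.conf and the output of iptables-save; it does not verify the CA file or the ssl_db directory, which still have to be checked by hand.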


[squid-users] Re: Very slow site via squid

2014-08-19 Thread babajaga
> The latest squid-3.x stable releases may be able to help with this.
Actually, I am trying to use the standard package of squid for openWRT,
which is squid2.7.
So I would need to build my own one.

> Also, in my experience the worst slow domains like this are usually
> advertising hosts. So blocking their transactions outright (and quickly)
> can boost page load time a huge amount.
Correct, it is an advert site. Using hosts I block it already; however, I
was wondering why this does not happen when running without squid. This
site is using varying names, like dcXX.s290.meetrics.net, with XX changing
on almost every browser session, which points to a DNS issue.
Could there be any "interference" between TRANSPARENT squid and fast
DNS resolution?






Re: [squid-users] CDN / JS 503 Service Unavailable

2014-08-19 Thread Paul Regan
Hello

Yes we tried disabling ufdbguard.  I first suspected it was doing
something with proxy tunnels but it made no difference.

The dev has moved the .js file to another site so there's no pressure.
I'll look at spinning up a basic squid and work through the config,
see if I can identify what or where the issue is.

Thanks for your help

On 19 August 2014 01:30, Eliezer Croitoru  wrote:
> On 08/18/2014 10:37 AM, Paul Regan wrote:
>>
>> @Eliezer - Sorry to say the acl lines made no difference.  Can I use
>> any of the debugging options to get deeper into this?
>
> Well it depends on the 503 content.
> it can be a network issue or an application level issue.
> Since you can download the file using wget from the proxy machine it seems
> like a proxy settings error but there is an option that you are using some
> wrong settings.
>
> For me and many others it does work with proper proxy settings.
> Have you tried to remove the ufdbguard from the settings?
> It might be the reason..
>
> Eliezer