The site I was having trouble with was video.foxnews.com. The page loads but the actual video hangs with "spinning wheel of death". I took Amos suggestion and added deny via, request-x-forward and that fixed the issue but I was trying to create the anonymous proxy paranoid setup initially, and Amos suggestion won't achieve that.
On Mon, Dec 19, 2016 at 9:28 AM, Robert Watson <rob...@gillecaluim.com> wrote: > The site I was having trouble with was video.foxnews.com. I took Amos > suggestion and added deny via, request-x-forward and that fixed the issue > but I was trying to create the anonymous proxy paranoid setup initially, > and Amos suggestion won't achieve that. > > On Sun, Dec 18, 2016 at 2:25 PM, Eliezer Croitoru <elie...@ngtech.co.il> > wrote: > >> Hey Robert, >> >> Can you be more specific? >> “Not working” can depend on couple things and on the nature of the >> streaming system. >> I know that many streaming sites do work under transparent squid so it’s >> not really well understood what is not working from the spectrum of >> options. >> Can you give examples for streaming sites that do work and others that do >> not? >> The first that pops in my mind to test it would be: >> https://www.youtube.com/ >> https://www.crunchyroll.com/ >> https://rutube.ru/ >> And many others that are mentioned at: >> http://www.unveiltech.com/indexsquidvideobooster.php (under Smart Cache) >> >> And take Amos suggestion about restricting the headers more selectively. >> Depends on your system policy you would be able to find that for most >> sites >> you won’t have any issues letting any headers pass but for selective sites >> you would want to take another policy that would be to block in general >> and >> leaving aside the specific headers “allowed” approach. >> >> Also, have you tried to disable the virus scan to verify if it’s the >> culprit for the streaming issue? >> >> Please give one example so I and maybe others would be able to grasp the >> issue in some way. >> >> Thanks, >> Eliezer >> >> ---- >> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> >> Linux System Administrator >> Mobile: +972-5-28704261 >> Email: elie...@ngtech.co.il >> >> >> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On >> Behalf Of Robert Watson >> Sent: Saturday, December 17, 2016 7:00 AM >> To: squid-users@lists.squid-cache.org >> Subject: [squid-users] squid.conf blocking live video stream >> >> Sorry if this shows up twice on the mailing list... >> I've setup a transparent proxy squid v3.5.22 on a x86_64 Arch Linux >> server. >> The transparent proxy is working fine for web page caching but live video >> isn't getting through. I thought it was a netfilter issue but bypassing >> the >> proxy fixes this issue. >> >> acl localnet src 10.20.0.0/16 <http://10.20.0.0/16> # RFC1918 >> possible >> internal network >> acl SSL_ports port 443 # https >> acl Safe_ports port 80 # http >> acl Safe_ports port 554 # rtsp >> acl Safe_ports port 1935 # rtmp >> acl Safe_ports port 21 # ftp >> acl Safe_ports port 443 # https >> acl Safe_ports port 1025-65535 # unregistered ports >> acl CONNECT method CONNECT >> http_access deny !Safe_ports >> http_access deny CONNECT !SSL_ports >> http_access allow localhost manager >> http_access deny manager >> http_access deny to_localhost >> http_access allow localnet >> http_access allow localhost >> http_access deny all >> visible_hostname server.ourhome.net <http://server.ourhome.net> >> http_port 10.20.30.1:3128 <http://10.20.30.1:3128> intercept >> disable-pmtu-discovery=transparent >> http_port 127.0.0.0:8181 <http://127.0.0.0:8181> >> coredump_dir /var/cache/squid >> refresh_pattern ^ftp: 1440 20% 10080 >> refresh_pattern ^gopher: 1440 0% 1440 >> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 >> refresh_pattern . 0 20% 4320 >> # >> # Anonymous Proxy settings >> include /etc/squid/extra/anonymous.conf >> # >> # Virus scanning via C-ICAP >> # >> include /etc/squid/extra/c-icap.conf >> # >> >> By the process of elimination I've narrowed it down to the anonymous proxy >> settings... >> anonymous.conf >> >> forwarded_for off >> request_header_access Allow allow all >> request_header_access Authorization allow all >> request_header_access WWW-Authenticate allow all >> request_header_access Proxy-Authorization allow all >> request_header_access Proxy-Authenticate allow all >> request_header_access Cache-Control allow all >> request_header_access Content-Encoding allow all >> request_header_access Content-Length allow all >> request_header_access Content-Type allow all >> request_header_access Date allow all >> request_header_access Expires allow all >> request_header_access Host allow all >> request_header_access If-Modified-Since allow all >> request_header_access Last-Modified allow all >> request_header_access Location allow all >> request_header_access Pragma allow all >> request_header_access Accept allow all >> request_header_access Accept-Charset allow all >> request_header_access Accept-Encoding allow all >> request_header_access Accept-Language allow all >> request_header_access Content-Language allow all >> request_header_access Mime-Version allow all >> request_header_access Retry-After allow all >> request_header_access Title allow all >> request_header_access Connection allow all >> request_header_access Proxy-Connection allow all >> request_header_access User-Agent allow all >> request_header_access Cookie allow all >> request_header_access All deny all >> >> could someone please tell me what request_header_access I need to all, or >> how to further trouble shoot this configuration? >> >> >
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users