Asim Ahmed @ Folio3 wrote:
One more thing to confirm. I am using IP ranges of my subnet to allow
access to internet like this:
#following lines are put in a file named "gerrys_groups.acl" and
referenced in an ACL statement.
192.168.4.25-192.168.4.50
192.168.4.101-192.168.4.150
Is this valid and supported by squid?
Yes.
Asim Ahmed @ Folio3 wrote:
Hi,
I am using smoothwall 3.0SP1-polar that comes with Squid2.7STABLE6
built in. I configure the squid with following parameters. Problem is
that squid works fine for 1 or 2 users but when I open it for whole
subnet or range of IPs, it crashes down. I mean it start behaving
wierdly like most of the time it does not respond to http requests and
users have to keep pressing F5 several times to get the request done.
Even access log does not show any requests coming in. In cache log i
find many entries like "Invalid request" etc. Some times I also find
That does not sound good. We will need some more details to track down
what it is though. Can you post a chunk of the log with those lines in
it and a few before and after please?
"Cache DIRTY" words during restart of squid. My ACLs are as follows:
SQUID-Settings
===========
visible_hostname smoothwall
acl localnetgreen src 192.168.4.0/255.255.255.0
AKA:
acl localnetgreen src 192.168.4.0/24
http_port 192.168.4.123:800 transparent
cache_mem 1024 MB
maximum_object_size_in_memory 32 KB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
half_closed_clients off
cache_swap_high 100%
cache_swap_low 95%
shutdown_lifetime 5 seconds
This may explain "Cache DIRTY".
1) Squid has only 5 seconds to clear out its memory, finish all active
connections and dump the index state for 10GB of cached data to disk.
2) If its not done in time it will abandon any unfinished tasks.
3) "Cache DIRTY" means that on startup Squid has detecetd the index
journal state to be incorrect and is moving to a background scan for the
entire disk cache object by object to recover the meta information.
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
Drop the above.
Hmm. The HTTP basic requirement refresh_patterns are all missing.
Please add:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
Not a particularly good idea to use cache_effective_group unless
absolutely necessary. Better to have the system 'squid' user a member of
the group 'squid' instead.
pid_filename /var/run/squid.pid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
error_directory /usr/share/errors/English
log_mime_hdrs off
forwarded_for off
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl all src all
acl localhost src 127.0.0.1
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # smoothwall http
acl Safe_ports port 21 # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#######################################
# ACLs #
#######################################
acl super_users src "/var/smoothwall/proxy/f3_acls/super_users.acl"
acl ISP1_users src "/var/smoothwall/proxy/f3_acls/gerrys_groups.acl"
acl ISP2_users src "/var/smoothwall/proxy/f3_acls/netsat_groups.acl"
acl managers src "/var/smoothwall/proxy/f3_acls/managers.acl"
acl blocked_extensions urlpath_regex -i
"/var/smoothwall/proxy/f3_acls/blocked_extensions.acl"
acl blocked_sites url_regex -i
"/var/smoothwall/proxy/f3_acls/blocked_sites.acl"
acl blocked_request_mt req_mime_type -i
"/var/smoothwall/proxy/f3_acls/blocked_mimetypes.acl"
acl blocked_reply_mt rep_mime_type -i
"/var/smoothwall/proxy/f3_acls/blocked_mimetypes.acl"
acl gaming_sites url_regex -i
"/var/smoothwall/proxy/f3_acls/gaming_sites.acl"
acl server_machines src
"/var/smoothwall/proxy/f3_acls/server_machines.acl"
acl working_hours time MTWHF 09:00-12:30
acl working_hours time MTWHF 14:00-18:30
acl gaming_hours time MTWHF 21:00-23:59
acl gaming_hours time MTWHF 01:00-07:00
########################################
# HTTP_ACCESS #
########################################
http_access allow super_users
http_access deny blocked_sites working_hours
http_access deny blocked_request_mt working_hours
http_access deny blocked_reply_mt working_hours
invalid: "http_access deny blocked_reply_mt "...
Maybe you meant:
http_reply_access deny !super_users working_hours blocked_reply_mt
http_reply_access allow all
http_access deny gaming_sites !gaming_hours
http_access allow managers
#http_access deny blocked_extensions working_hours
One thing I note from all the above http_access lines is that you are
placing the regex pattern matches first.
regex in Squid is _the_ slowest ACL type to be using. It's best to avoid
it like plague where possible and to restrict when its used where needed.
Without knowing details I'd guess that most of the blocked_sites and
gaming_sites lists can become a dstdomain ACL to avoid regex matching.
Also placing the fast "working_hours" first on each line will reduce the
regex to only being tested when working_hours is true.
For example:
http_access deny working_hours blocked_request_mt
http_access allow ISP1_users
#http_access allow ISP2_users
http_access allow server_machines
http_access deny localnetgreen
Missing basic security:
http_access deny all
umask 022
maximum_object_size 4096 KB
minimum_object_size 0 KB
# Smoothwall does not allow this parameter to be changed. I can only
change cache size
cache_dir diskd /var/spool/squid/cache 10240 16 256
request_body_max_size 0 KB
reply_body_max_size 0 allow all
defaults. Also the syntax is broken. Remove the two above.
logfile_rotate 0
strip_query_terms off
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15
