[squid-users] Slow Squid

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 9 23:00:50 UTC 2015


On 10/12/2015 4:29 a.m., Patrick Flaherty wrote:
> Hi ,
> 
> I have changed my 3.5.11 squid.conf based on your excellent feedback Amos.
> Please have a look at my edits to see if it is improved.
> 
> Thank You,
> Patrick
> 
> # Squid Proxy Configuration
> 
> # listening port
> http_port     3128
> 
> # max_filedesc
> max_filedesc  2048
> 

FYI: the directive name is actually "max_filedescriptors". The
"filedesc" thing is a RHEL hack, Squid accepts it but only for backward
compatibility.


> # debug_options	ALL,2
> 
> 
> # acl directives for ports and protocols
> acl http      proto      http
> acl https     proto      https
> acl port_80   port       80
> acl sslports  port       443
> acl CONNECT   method     CONNECT
> 
> 
> # acl and http_access ("rmsc.txt")
> acl whitelist dstdomain  "c:/squid/etc/squid/rmsc.txt"
> http_access 	allow 	whitelist

This is no change from before. Everything matching whitelist is allowed.
No other rules about whitelist are reachable.


FYI:
Squid checks access controls from the top down, left to right.
The first non-matching ACL check on a line wins and no following ACLs
are checked.
The first fully matching line wins and no following lines are checked.


So:
* whenever "allow localnet" matches, the "deny localnet" line will not
be processed.
* whenever "allow localnet" does not match, the "deny localnet" line is
also a non-match.

Understand?


Also, if you are going to let "anyone" access the listed domains, at
least place the basic security protections in at the top. They protect
against abuses like people sending Spam or VPN tunnels through the proxy.

These ones that are set in the default squid.conf:
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_Ports

 ... then your whitelist rule:

  http_access allow whitelist


> http_access 	deny 	whitelist

> 
> # network source of proxy traffic (Specific Network Example 192.168.1.0/24)
> acl localnet  src        172.16.50.0/24
> http_access allow localnet

That's better.


> http_access deny localnet
> 

Same as with whitelist rules above. Denying something has no effect if
you already allowed it.


> # dns servers (Change dns_nameservers to client dns servers for consistency
> and better performance)
> dns_nameservers 172.16.50.9 172.16.9.13
> 

Or if your system registry settings are the same ones the clients are
using, remove the dns_nameservers entirely and Squid will use the
network's normal resolver(s).


> # cache web pages
> cache_mem 512 MB
> 
> # roll log file daily and keep 30 days
> logfile_rotate 30
> 
> # access log format         (Having one problem with the Default Squid log
> and that is the timestamp being Epoch and not human readable on Windows
> platform)
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

The problem I pointed out was the *name* of the logformat.

 logformat something %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
 access_log stdio:/var/log/squid/access.log something

(or whatever the local path equivalent needs to be).


Amos
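As an added example (not from the thread and not Squid's own code), here is a small Python model of the http_access evaluation Amos describes: top down, left to right, the first non-matching ACL fails the line, the first fully matching line wins, and an unmatched list falls back to the opposite of the last line's action. The ACL table is constructed: the whitelist domain, the /24 prefix check and the shortened Safe_ports list are stand-ins for the real entries.

```python
# Constructed ACL table standing in for the squid.conf discussed in the thread.
ACLS = {
    "whitelist":  ("dstdomain", {"example.com"}),   # stand-in for the rmsc.txt entries
    "localnet":   ("src", {"172.16.50."}),          # prefix check stands in for 172.16.50.0/24
    "CONNECT":    ("method", {"CONNECT"}),
    "Safe_ports": ("port", {80, 21, 443, 70, 210}),  # shortened default list (assumed)
    "SSL_ports":  ("port", {443}),
}

def acl_matches(name, request):
    kind, values = ACLS[name]
    if kind == "src":
        return any(request["src"].startswith(prefix) for prefix in values)
    return request[kind] in values

def evaluate(rules, request):
    """Top down, left to right; the first fully matching line decides."""
    for action, tokens in rules:
        for token in tokens:
            negated = token.startswith("!")
            if acl_matches(token.lstrip("!"), request) == negated:
                break            # first non-matching ACL: the rest of the line is skipped
        else:
            return action        # every ACL on the line matched: this line wins
    # No line matched: Squid's default is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def unreachable_lines(rules):
    """Indexes of lines whose ACL list exactly repeats an earlier line's: never reached."""
    return [i for i, (_, t) in enumerate(rules) if t in [r[1] for r in rules[:i]]]

# The posted ordering (both deny lines unreachable) beside the suggested ordering.
POSTED = [("allow", ["whitelist"]), ("deny", ["whitelist"]),
          ("allow", ["localnet"]), ("deny", ["localnet"])]
HARDENED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
            ("allow", ["whitelist"]), ("allow", ["localnet"])]

# Constructed requests: a CONNECT to a whitelisted domain on the SMTP port, and a plain GET.
TUNNEL = {"method": "CONNECT", "port": 25, "dstdomain": "example.com", "src": "203.0.113.7"}
NORMAL = {"method": "GET", "port": 80, "dstdomain": "example.com", "src": "203.0.113.7"}

if __name__ == "__main__":
    print("posted  :", evaluate(POSTED, TUNNEL), unreachable_lines(POSTED))     # allow [1, 3]
    print("hardened:", evaluate(HARDENED, TUNNEL), evaluate(HARDENED, NORMAL))  # deny allow
```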


