[squid-users] squid.conf blocking live video stream

Eliezer Croitoru eliezer at ngtech.co.il
Sun Dec 18 22:25:47 UTC 2016


Hey Robert,

Can you be more specific?
“Not working” can depend on a couple of things and on the nature of the
streaming system.
I know that many streaming sites do work under transparent squid so it’s
not really well understood what is not working from the spectrum of options.
Can you give examples for streaming sites that do work and others that do
not?
The first ones that pop into my mind to test it would be:
https://www.youtube.com/
https://www.crunchyroll.com/
https://rutube.ru/
And many others that are mentioned at:
http://www.unveiltech.com/indexsquidvideobooster.php (under Smart Cache)

And take Amos's suggestion about restricting the headers more selectively.
Depending on your system policy, you would be able to find that for most sites
you won’t have any issues letting any headers pass but for selective sites
you would want to take another policy that would be to block in general and
leaving aside the specific headers “allowed” approach.

Also, have you tried to disable the virus scan to verify if it’s the
culprit for the streaming issue?

Please give one example so I and maybe others would be able to grasp the
issue in some way.

Thanks,
Eliezer

----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> 
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
 

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
Behalf Of Robert Watson
Sent: Saturday, December 17, 2016 7:00 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] squid.conf blocking live video stream

Sorry if this shows up twice on the mailing list...
I've set up a transparent proxy squid v3.5.22 on an x86_64 Arch Linux server.
The transparent proxy is working fine for web page caching but live video
isn't getting through.  I thought it was a netfilter issue but bypassing the
proxy fixes this issue.

acl localnet src 10.20.0.0/16	# RFC1918 possible internal network
acl SSL_ports port 443		# https
acl Safe_ports port 80		# http
acl Safe_ports port 554	# rtsp
acl Safe_ports port 1935	# rtmp
acl Safe_ports port 21		# ftp
acl Safe_ports port 443	# https
acl Safe_ports port 1025-65535  # unregistered ports 
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
visible_hostname server.ourhome.net
http_port 10.20.30.1:3128 intercept disable-pmtu-discovery=transparent
http_port 127.0.0.0:8181
coredump_dir /var/cache/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
#
# Anonymous Proxy settings
include /etc/squid/extra/anonymous.conf
#
# Virus scanning via C-ICAP
#
include /etc/squid/extra/c-icap.conf
#

By the process of elimination I've narrowed it down to the anonymous proxy
settings...
anonymous.conf

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Could someone please tell me what request_header_access I need to allow, or
how to further troubleshoot this configuration?
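
An added example, not part of the original thread or of Squid itself: a small Python check that replays the anonymous.conf allow-list quoted above against a request and reports which headers the final "All deny all" rule would strip. The sample request (host, player name, header values) is constructed for illustration, and only rules whose single ACL is "all" are modelled.

```python
# Header names allowed by the anonymous.conf quoted in the thread.
ALLOWED = """Allow Authorization WWW-Authenticate Proxy-Authorization
Proxy-Authenticate Cache-Control Content-Encoding Content-Length Content-Type
Date Expires Host If-Modified-Since Last-Modified Location Pragma Accept
Accept-Charset Accept-Encoding Accept-Language Content-Language Mime-Version
Retry-After Title Connection Proxy-Connection User-Agent Cookie""".split()
CONF = "".join(f"request_header_access {h} allow all\n" for h in ALLOWED)
CONF += "request_header_access All deny all\n"

# Constructed sample request (hypothetical host and player), not captured traffic.
SAMPLE_REQUEST = """\
GET /live/segment_0042.ts HTTP/1.1
Host: video.example.com
User-Agent: ExamplePlayer/1.0
Accept: */*
Range: bytes=0-1048575
Referer: http://video.example.com/watch
Origin: http://video.example.com
If-None-Match: "abc123"
Connection: keep-alive
"""

def parse_rules(conf):
    """Map lower-cased header name -> action of its first unconditional rule."""
    rules = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        # Only rules whose sole ACL is "all" are modelled here.
        if len(parts) == 4 and parts[0] == "request_header_access" and parts[3] == "all":
            rules.setdefault(parts[1].lower(), parts[2])  # first match wins
    return rules

def stripped_headers(conf, raw_request):
    """Return the request header names this rule set would remove, in order."""
    rules = parse_rules(conf)
    fallback = rules.get("all", "allow")  # no rule at all means the header passes
    dropped = []
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header block
        name = line.split(":", 1)[0].strip()
        if rules.get(name.lower(), fallback) == "deny":
            dropped.append(name)
    return dropped

if __name__ == "__main__":
    for name in stripped_headers(CONF, SAMPLE_REQUEST):
        print("stripped:", name)
```

Feeding it the headers of a real request that fails through the proxy gives a short list of candidates to allow one at a time while retesting.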
