[squid-users] squid.conf blocking live video stream

Robert Watson robert at gillecaluim.com
Mon Dec 19 17:43:20 UTC 2016


The site I was having trouble with was video.foxnews.com.  The page loads
but the actual video hangs with "spinning wheel of death".  I took Amos's
suggestion and added deny via, request-x-forward and that fixed the issue,
but I was trying to create the anonymous proxy paranoid setup initially,
and Amos's suggestion won't achieve that.

On Mon, Dec 19, 2016 at 9:28 AM, Robert Watson <robert at gillecaluim.com>
wrote:

> The site I was having trouble with was video.foxnews.com.  I took Amos's
> suggestion and added deny via, request-x-forward and that fixed the issue,
> but I was trying to create the anonymous proxy paranoid setup initially,
> and Amos's suggestion won't achieve that.
>
> On Sun, Dec 18, 2016 at 2:25 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
> wrote:
>
>> Hey Robert,
>>
>> Can you be more specific?
>> “Not working” can depend on a couple of things and on the nature of the
>> streaming system.
>> I know that many streaming sites do work under transparent squid so it’s
>> not really well understood what is not working from the spectrum of
>> options.
>> Can you give examples for streaming sites that do work and others that do
>> not?
>> The first that pops in my mind to test it would be:
>> https://www.youtube.com/
>> https://www.crunchyroll.com/
>> https://rutube.ru/
>> And many others that are mentioned at:
>> http://www.unveiltech.com/indexsquidvideobooster.php (under Smart Cache)
>>
>> And take Amos suggestion about restricting the headers more selectively.
>> Depends on your system policy you would be able to find that for most
>> sites you won’t have any issues letting any headers pass but for
>> selective sites you would want to take another policy that would be to
>> block in general and leaving aside the specific headers “allowed” approach.
>>
>> Also, have you tried to disable the virus scan to verify if it’s the
>> culprit for the streaming issue?
>>
>> Please give one example so I and maybe others would be able to grasp the
>> issue in some way.
>>
>> Thanks,
>> Eliezer
>>
>> ----
>> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: eliezer at ngtech.co.il
>>
>>
>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
>> Behalf Of Robert Watson
>> Sent: Saturday, December 17, 2016 7:00 AM
>> To: squid-users at lists.squid-cache.org
>> Subject: [squid-users] squid.conf blocking live video stream
>>
>> Sorry if this shows up twice on the mailing list...
>> I've set up a transparent proxy squid v3.5.22 on an x86_64 Arch Linux
>> server.  The transparent proxy is working fine for web page caching but
>> live video isn't getting through.  I thought it was a netfilter issue but
>> bypassing the proxy fixes this issue.
>>
>> acl localnet src 10.20.0.0/16   # RFC1918 possible internal network
>> acl SSL_ports port 443          # https
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 554 # rtsp
>> acl Safe_ports port 1935        # rtmp
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny to_localhost
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> visible_hostname server.ourhome.net
>> http_port 10.20.30.1:3128 intercept disable-pmtu-discovery=transparent
>> http_port 127.0.0.0:8181
>> coredump_dir /var/cache/squid
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>> #
>> # Anonymous Proxy settings
>> include /etc/squid/extra/anonymous.conf
>> #
>> # Virus scanning via C-ICAP
>> #
>> include /etc/squid/extra/c-icap.conf
>> #
>>
>> By the process of elimination I've narrowed it down to the anonymous proxy
>> settings...
>> anonymous.conf
>>
>> forwarded_for off
>> request_header_access Allow allow all
>> request_header_access Authorization allow all
>> request_header_access WWW-Authenticate allow all
>> request_header_access Proxy-Authorization allow all
>> request_header_access Proxy-Authenticate allow all
>> request_header_access Cache-Control allow all
>> request_header_access Content-Encoding allow all
>> request_header_access Content-Length allow all
>> request_header_access Content-Type allow all
>> request_header_access Date allow all
>> request_header_access Expires allow all
>> request_header_access Host allow all
>> request_header_access If-Modified-Since allow all
>> request_header_access Last-Modified allow all
>> request_header_access Location allow all
>> request_header_access Pragma allow all
>> request_header_access Accept allow all
>> request_header_access Accept-Charset allow all
>> request_header_access Accept-Encoding allow all
>> request_header_access Accept-Language allow all
>> request_header_access Content-Language allow all
>> request_header_access Mime-Version allow all
>> request_header_access Retry-After allow all
>> request_header_access Title allow all
>> request_header_access Connection allow all
>> request_header_access Proxy-Connection allow all
>> request_header_access User-Agent allow all
>> request_header_access Cookie allow all
>> request_header_access All deny all
>>
>> Could someone please tell me what request_header_access I need to allow, or
>> how to further troubleshoot this configuration?
>>
>>
>
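
A troubleshooting aid for the allowlist quoted above, added here as an example and not part of the thread: it models how `request_header_access` rules decide a header's fate (its own rule first, then the `All` fallback) and lists which headers of a request the posted allowlist removes. The sample request is constructed, the reading of "deny via, request-x-forward" as `Via` and `X-Forwarded-For` is an assumption, and only the built-in `all` ACL is modelled; the output does not establish which header the site depended on.

```python
# Added example (not from the thread): model request_header_access evaluation.
ALLOWED = ("Allow Authorization WWW-Authenticate Proxy-Authorization "
           "Proxy-Authenticate Cache-Control Content-Encoding Content-Length "
           "Content-Type Date Expires Host If-Modified-Since Last-Modified "
           "Location Pragma Accept Accept-Charset Accept-Encoding "
           "Accept-Language Content-Language Mime-Version Retry-After Title "
           "Connection Proxy-Connection User-Agent Cookie").split()

# The posted anonymous.conf, rebuilt from the header names listed in the thread.
ALLOWLIST_CONF = ("forwarded_for off\n"
                  + "".join(f"request_header_access {h} allow all\n" for h in ALLOWED)
                  + "request_header_access All deny all\n")

# Assumed reading of "deny via, request-x-forward": strip only these two headers.
SELECTIVE_CONF = ("request_header_access Via deny all\n"
                  "request_header_access X-Forwarded-For deny all\n")

# Constructed sample: header names a browser video player might send.
SAMPLE_REQUEST = ["Host", "User-Agent", "Accept", "Accept-Encoding",
                  "Accept-Language", "Origin", "Referer", "Range",
                  "If-None-Match", "Connection", "Cookie"]

def parse_rules(conf_text):
    """Return {lowercased header name: [(action, [acl, ...]), ...]} in file order."""
    rules = {}
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if (len(tok) >= 4 and tok[0] == "request_header_access"
                and tok[2] in ("allow", "deny")):
            rules.setdefault(tok[1].lower(), []).append((tok[2], tok[3:]))
    return rules

def verdict(rules, header):
    """Header's own rules first, then the 'All' fallback; no match means allow."""
    for key in (header.lower(), "all"):
        for action, acls in rules.get(key, []):
            if acls == ["all"]:  # simplification: only the always-true ACL 'all'
                return action
    return "allow"

def stripped(rules, request_headers):
    """Headers from the request that the rule set would remove."""
    return [h for h in request_headers if verdict(rules, h) == "deny"]

if __name__ == "__main__":
    for name, conf in (("allowlist", ALLOWLIST_CONF), ("selective", SELECTIVE_CONF)):
        print(name, "removes:", stripped(parse_rules(conf), SAMPLE_REQUEST))
```

Feeding it the header names from a real capture of the failing request, in place of `SAMPLE_REQUEST`, gives the list of candidates to re-allow one at a time.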