[squid-users] Internet Browsing very slow after implementing Squid peek & splice + Access log not tracing full URL

Amos Jeffries squid3 at treenet.co.nz
Thu May 19 12:03:07 UTC 2016 

On 19/05/2016 11:08 p.m., Sagar Malve wrote:
> Hi Team,
> 
> I have done some modification as per thread and temporary removed Refresh
> pattern and have kept the Default refresh pattern ...
> 
> This is how my Configuration looks like .....
> 
> 

> # SSL bump acl
> acl net_bump src "/etc/squid/net.bump"
> 
> # TLD acl
> acl block_tld url_regex "/etc/squid/dstdom.tld"
> 

You called the file "dstdom", but it is not a dstdomain ACL type.

To match when the domain is listed in the path or query string sections
of URL this is right as-is. Though it would be worth making a note of
that in the config so it doesn't get undone.


To match only the URL domain section with regex use dstdom_regex as the
ACL type. Or, since the unknown part of the listed domains is all the
sub-domain section. Use dstdomain which is faster.


> 
> # Block top level domains
> http_access deny block_tld
> deny_info TCP_RESET block_tld
> 
> # Rule allowing access from local networks
> http_access allow localnet
> http_access allow localhost
> 

Notice how localnet and localhost are allowed through the proxy above
without any further ACL conditions.

That means the below "Windows Update rules" have nothing to do and never
match any request which reaches them. You can remove.

> # Windows updates rules
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost


> 
> # SSL bump rules
> acl DiscoverSNIHost at_step SslBump1

DiscoverSNIHost is never being used. You can remove it.

> # ICQ/MRA must splice first
> acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
> ssl_bump splice NoSSLIntercept
> ssl_bump bump net_bump
> acl tls_s1_connect      at_step SslBump1
> acl tls_s3_server_hello at_step SslBump3
> 

tls_s3_server_hello is never being used. You can remove it.

> # TLS/SSL bumping steps
> ssl_bump peek   tls_s1_connect        # peek at the incoming TLS/SSL
> connect data
> ssl_bump splice all                          # splice the stream:
> pass-through mode
> 
> # And finally deny all other access to this proxy
> http_access deny all
>

<snip>

> -------------Config End ---------------
> 
> ------------net.bump File -------------------
> 
> google.com
> youtube.com
> reddit.com

This file is being loaded into a 'src' ACL.

Firstly, why are the Google, YouTube, and Reddit servers making requests
through your proxy? they are your customers?

I think you meant 'dst' ACL for this. Your cutomers going *to* Google,
YouTube, or Reddit.


Secondly, the IP addresses of the listed hosts will be resolved on Squid
startup *only* (applies to both src and dst ACL types).

Any other IPs which the site rotates into its DNS RR set after the
single resolve that Squid does for config loading will not match.



> -------------------------------
> 
> ------------dstdom.tld file --------------
> 
> yahoo.com
> facebook.com
> 
> ---------------------------------------
> 
> 
> --------------- Url.nobump--------
> 
> axisbank.com
> hdfcbank.com
> 

This file is being used by an ACL which has nothing to do with URLs.
That name is really confusing.


> ------------------------------------------
> 
> 
> Now issue is that I need to block yahoo and facebook but I am able to
> access the facebook website and yahoo is getting blocked ....
> 

Hint: The facebook website does not always use the domain "facebook.com"
except in the URL part visible to people. Most people dont type URLs in
to their address bar anyway, so most access to FB will be through Google
etc. straight to the other domain name used for content display.


> And also all Google website like google, gmail, youtube are working very
> slow it takes lots of time to load this websites but other Https websites
> like axisbank / hdfc etc are working properly ....

Think about that. The domains that your net_bump ACL has told Squid to
bump (decrypt) are going slow, the ones you have told it to splice
(bypass decryption) are going "properly" (whatever that means).

> 
> Also somtime website does not work with Chrome browser like Gmail but same
> is working in Mozilla Firefox but take time to load ......
> 

1) Same as above.

2) Chrome is a Google app. It has the TLS certs for Gmail and other
Google services pinned (hard-coded) into it. If your Squid happens to
try decrypting its traffic without having the Squid CA custom installed
in a way that overrides that pinning, it refuses to work.

3) Sometimes (usually?) Chrome does not use HTTP or HTTPS to contact
Gmail and other Google properties. Even if the URL in the address bar
makes you think thats what its doing. There are 5 different protocols
that can be used to contact servers and fetch https:// URLs.


Amos

More information about the squid-users mailing list