[squid-users] Internet Browsing very slow after implementing Squid peek & splice + Access log not tracing full URL

Yuri yvoinov at gmail.com
Thu May 19 13:56:39 UTC 2016



19.05.2016 18:03, Amos Jeffries wrote:
> On 19/05/2016 11:08 p.m., Sagar Malve wrote:
>> Hi Team,
>>
>> I have done some modification as per thread and temporary removed Refresh
>> pattern and have kept the Default refresh pattern ...
>>
>> This is how my Configuration looks like .....
>>
>>
>> # SSL bump acl
>> acl net_bump src "/etc/squid/net.bump"
>>
>> # TLD acl
>> acl block_tld url_regex "/etc/squid/dstdom.tld"
>>
> You called the file "dstdom", but it is not a dstdomain ACL type.
>
> To match when the domain is listed in the path or query string sections
> of URL this is right as-is. Though it would be worth making a note of
> that in the config so it doesn't get undone.
>
>
> To match only the URL domain section with regex use dstdom_regex as the
> ACL type. Or, since the unknown part of the listed domains is all the
> sub-domain section. Use dstdomain which is faster.
NB: Original ACL was:

# TLD acl
acl block_tld dstdomain "/usr/local/squid/etc/dstdom.tld"

NB2: This is a brainless copy-and-paste from my config that I accidentally
shared here in the past.

NB3: facebook.com (etc.) is NOT a TLD (Top Level Domain). It is a
SECOND-level domain. Originally this part of my config was used to block
REAL TLDs, like .tv, .xxx.
>
>
>> # Block top level domains
>> http_access deny block_tld
>> deny_info TCP_RESET block_tld
>>
>> # Rule allowing access from local networks
>> http_access allow localnet
>> http_access allow localhost
>>
> Notice how localnet and localhost are allowed through the proxy above
> without any further ACL conditions.
>
> That means the below "Windows Update rules" have nothing to do and never
> match any request which reaches them. You can remove.
>
>> # Windows updates rules
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow windowsupdate localnet
>> http_access allow windowsupdate localhost
>
>> # SSL bump rules
>> acl DiscoverSNIHost at_step SslBump1
> DiscoverSNIHost is never being used. You can remove it.
>
>> # ICQ/MRA must splice first
>> acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump net_bump
>> acl tls_s1_connect      at_step SslBump1
>> acl tls_s3_server_hello at_step SslBump3
>>
> tls_s3_server_hello is never being used. You can remove it.
>
>> # TLS/SSL bumping steps
>> ssl_bump peek   tls_s1_connect        # peek at the incoming TLS/SSL connect data
>> ssl_bump splice all                   # splice the stream: pass-through mode
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
> <snip>
>
>> -------------Config End ---------------
>>
>> ------------net.bump File -------------------
>>
>> google.com
>> youtube.com
>> reddit.com
> This file is being loaded into a 'src' ACL.
>
> Firstly, why are the Google, YouTube, and Reddit servers making requests
> through your proxy? they are your customers?
>
> I think you meant 'dst' ACL for this. Your customers going *to* Google,
> YouTube, or Reddit.
>
>
> Secondly, the IP addresses of the listed hosts will be resolved on Squid
> startup *only* (applies to both src and dst ACL types).
>
> Any other IPs which the site rotates into its DNS RR set after the
> single resolve that Squid does for config loading will not match.
>
>
>
>> -------------------------------
>>
>> ------------dstdom.tld file --------------
>>
>> yahoo.com
>> facebook.com
>>
>> ---------------------------------------
>>
>>
>> --------------- Url.nobump--------
>>
>> axisbank.com
>> hdfcbank.com
>>
> This file is being used by an ACL which has nothing to do with URLs.
> That name is really confusing.
>
>
>> ------------------------------------------
>>
>>
>> Now issue is that I need to block yahoo and facebook but I am able to
>> access the facebook website and yahoo is getting blocked ....
>>
> Hint: The facebook website does not always use the domain "facebook.com"
> except in the URL part visible to people. Most people don't type URLs in
> to their address bar anyway, so most access to FB will be through Google
> etc. straight to the other domain name used for content display.
>
>
>> And also all Google website like google, gmail, youtube are working very
>> slow it takes lots of time to load this websites but other Https websites
>> like axisbank / hdfc etc are working properly ....
> Think about that. The domains that your net_bump ACL has told Squid to
> bump (decrypt) are going slow, the ones you have told it to splice
> (bypass decryption) are going "properly" (whatever that means).
>
>> Also sometimes a website does not work with Chrome browser, like Gmail, but the same
>> is working in Mozilla Firefox but takes time to load ......
>>
> 1) Same as above.
>
> 2) Chrome is a Google app. It has the TLS certs for Gmail and other
> Google services pinned (hard-coded) into it. If your Squid happens to
> try decrypting its traffic without having the Squid CA custom installed
> in a way that overrides that pinning, it refuses to work.
>
> 3) Sometimes (usually?) Chrome does not use HTTP or HTTPS to contact
> Gmail and other Google properties. Even if the URL in the address bar
> makes you think that's what it's doing. There are 5 different protocols
> that can be used to contact servers and fetch https:// URLs.
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

I cursed everything the moment I once posted my config. They mindlessly
copy it, mangling the parameters and hoping that it will work. I have told
those Linux fanboys a thousand times that this cannot be done.
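A corrected version of the ACL and ssl_bump section, as an added example (not Yuri's or Amos's config and not from the thread): it applies Amos's points (dstdomain for the domain list, the unused ACLs and redundant Windows Update rules dropped, peek before any decision) and, as an assumption of my own beyond the thread, selects bump targets by TLS SNI with ssl::server_name instead of a dst ACL, since dst names are resolved to IPs only once at startup. File paths are placeholders.

```squid
# Corrected ACL / SslBump section (added example, not the poster's config).
# File paths below are assumed placeholders; adjust to your install.

# Domain block list: dstdomain matches only the URL/CONNECT host, not the
# path or query. A leading dot in the file (".yahoo.com") also matches
# sub-domains; "yahoo.com" alone matches only that exact host.
acl block_tld dstdomain "/etc/squid/dstdom.tld"
http_access deny block_tld
deny_info TCP_RESET block_tld

# Local clients are allowed here without further conditions, so the
# separate Windows Update allow rules from the thread are not needed.
http_access allow localnet
http_access allow localhost

# Which TLS connections to decrypt. Assumption not in the thread:
# match by SNI (ssl::server_name, dstdomain-style matching) rather than
# by 'dst', because 'dst' resolves the listed names to IPs once at startup.
acl net_bump ssl::server_name .google.com .youtube.com .reddit.com

# Sites that must never be decrypted (banking, pinned apps).
# File renamed from url.nobump: it holds server names, not URLs.
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/sni.nobump"

acl tls_s1_connect at_step SslBump1

# Step 1: always peek first so the SNI is known before deciding anything.
ssl_bump peek   tls_s1_connect
# Step 2 (SNI now known): splice the exempt sites, bump the selected ones,
# and pass everything else through untouched.
ssl_bump splice NoSSLIntercept
ssl_bump bump   net_bump
ssl_bump splice all

# And finally deny all other access to this proxy
http_access deny all
```

Run `squid -k parse` after editing to confirm the ACL types and file paths load, and check access.log shows the expected TCP_TUNNEL (spliced) versus decrypted entries.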

