[squid-users] Squid - Can't visit (government site and Banking Site) - Please help

Amos Jeffries squid3 at treenet.co.nz
Sun Apr 26 08:18:02 UTC 2020


On 25/04/20 9:09 am, russel0901 wrote:
> I am having a problem on my squid proxy
> 

Which version of Squid are you using?
Output of squid -v would be best if you can provide it.


> this settings is allow all but i can't visit sites like bancnetonline, rcbc,
> philhealth (govt and bank site)
> 
> sometimes it can be visited, sometimes not... (weird???)
> 
> Please Help thank you.
> 

Following is a free review of your config settings.

To actually determine your problem we will need log records of a failing
transaction. At least access.log entries you see for it, and maybe also
something from cache.log if that is not enough.

... which brings me to the first problem in your config.

"cache_log /dev/null" is a very bad idea. This completely hides all
information about problems from *you* - the problems still exist, still
seen by everyone else involved.
All this does is erase most of your ability to troubleshoot.

If your objective is reduced log verbosity use this setting instead:
  debug_options ALL,0

That reduces cache.log contents to mentions about critical failures of
Squid.


> 
> here is my squid conf...
> 
> max_filedesc 4096

Why so low? And why the deprecated RedHat experimental directive?

Current squid.conf directive is max_filedescriptors. It is a backup to
the --with-max-filedescriptors build option and system ulimit setup.



> request_header_access X-Forwarded-For allow all

This is pointless. All it does is waste CPU cycles on every request
through Squid.

> via off
> httpd_suppress_version_string on
> 
> http_port 3333
> icp_port 3535
> 
> hierarchy_stoplist cgi-bin ?

This is pointless. It is the default setting for all Squid-3 and later
versions.

> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

QUERY is obsolete and actually somewhat harmful in current Squid.

For much improved caching you can add the missing refresh_pattern
mentioned below, then erase these and all other rules using QUERY ACL name.


> cache_mem 32 MB
> maximum_object_size 5480 KB
> cache_dir ufs /home/squidcache 6000 16 256
> #cache_dir ufs /home/squidcache2 6000 16 256
> cache_access_log /home/squidcache/access.log

This directive has been deprecated since early Squid-2.
Current Squid uses:
  access_log /home/squidcache/access.log


> cache_log /dev/null

Already mentioned the problems with this. Please revert it to the
default for your Squid version. You will need this log to investigate
the current problem.


> cache_store_log none

This is pointless. It is the default for all current Squid.

> ftp_user Squid at mds.com.sg
> dns_defnames on
> request_body_max_size 10000 MB
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440

Missing pattern:

  refresh_pattern -i (/cgi-bin/|\?) 0     0%      0


> refresh_pattern .               0       20%     4320
> negative_ttl 1 minute
> negative_dns_ttl 5 minute
> connect_timeout 60 minute
> read_timeout 5 minute
> request_timeout 60 second
> client_lifetime 4 hour
> half_closed_clients off
> pconn_timeout 240 second
> shutdown_lifetime 5 second
> #acl localhost src 127.0.0.1/32 ::1
> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
> acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method purge

Do you or clients actually use PURGE method requests?

It would be worth looking into why. That old Squid custom extension to
HTTP is deprecated.

Current Squid obeys HTTP/1.1 caching far better than old Squid-2 and
earlier versions. You can use the Cache-Control:no-cache *request* header to
update cache contents better than PURGE ever could.

Also, HTCP protocol is better for cache management with HTTP/1.1 than
either PURGE or ICP protocol. If you can find or adapt tools to use that
protocol they will be much better off.




> acl manager proto cache_object

This is also a deprecated manager ACL definition. This implies that your
Squid is quite old. Please upgrade to a more current version.


> acl apache src 10.20.0.245
> 
> acl QUERY urlpath_regex -i owa
> acl QUERY2 urlpath_regex cgi-bin \?
> acl QUERY3 urlpath_regex -i php
> acl dontcache dstdomain "/etc/squid/dontcache"
> no_cache deny QUERY
> no_cache deny QUERY2
> no_cache deny QUERY3

"no_cache" is deprecated. Above rules are actually doing "cache deny".


It would be worth investigating why any URL containing the letters "owa"
or "php" is apparently being forced to cache.

Please notice these ACL regex match if those letters occur *anywhere* in
the URL path portion. That includes 'folder' , 'filename', query-string,
and fragment strings. Also in non-HTTP URLs which have 'path' portions
and such.


> always_direct allow dontcache

This is a routing control directive. An ACL called 'dontcache' is confusing
as a reason to prevent routing to a cache_peer - which does not exist in this
config anyway.

As a result of this any domain not listed in "dontcache" ACL will be
prevented from service by this proxy.

If that is actually what you want to happen, it would be better
configuring this:

 http_access deny !dontcache

... but you have explicitly put the exact opposite in your http_access
rules below. Which implies these rules are completely broken.


> 
> #allowed sites
> acl blockedsites dstdomain "/etc/squid/blockedsites"
> acl allowedsites dstdomain "/etc/squid/authorizedsites"
> acl tahiti src 172.16.20.254/32
> acl elmo src 10.20.0.254/32
> acl mnlnet2 src "/etc/squid/authorized"
> 
> 
> http_access allow dontcache
> http_access allow manager apache
> http_access allow all

All following http_access rules are pointless.

Since all previous http_access rules are 'allow' they are also a pointless
waste of CPU cycles.

This is an open proxy, with no logging. As such the only security
protection you have is the miss_access which *breaks* a huge amount of
traffic. If it were not for that your network would be completely open
to any type of attack.



> http_access allow elmo
> #http_access allow localhost
> #http_access allow purge localhost
> #http_access allow manager localhost
> http_access allow mnlnet2
> http_access allow tahiti
> http_access deny !Safe_ports
> #http_access deny manager
> http_access deny CONNECT !SSL_ports
> http_access deny purge
> http_access deny blockedsites
> 
> 
> #icp_access  allow  localhost
> icp_access allow all

None of the following icp_access rules have any effect.

This proxy does not have any cache_peer to send ICP traffic to.


> icp_access allow elmo
> icp_access allow tahiti
> icp_access allow mnlnet2
> miss_access allow all

This miss_access is pointless. It is the default behaviour of Squid.


Amos
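Worked example, added here and not part of Amos's reply or the original poster's config: a replacement squid.conf fragment that applies the review points above. It assumes Squid 3.5 or later (where the `localhost` and `manager` ACLs are built in) and reuses the hosts, ports and ACL files from the posted config; the cache.log path is an assumed default, and each comment names the posted setting the line replaces.

```conf
# Added example fragment (assumes Squid 3.5+). Hosts, ports and ACL
# files are those from the posted config; cache.log path is assumed.

# Keep both logs. cache.log is what you read when a site fails.
access_log /home/squidcache/access.log       # replaces cache_access_log
cache_log  /var/log/squid/cache.log          # replaces cache_log /dev/null
debug_options ALL,0                          # quiet, critical failures still logged

# Current directive name (replaces the RedHat max_filedesc directive).
max_filedescriptors 65536

http_port 3333
# icp_port and all icp_access/miss_access lines dropped: no cache_peer exists.

# Port ACLs as posted.
acl SSL_ports  port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
acl Safe_ports port 280 488 591 777
acl CONNECT    method CONNECT

# Clients and site lists from the posted config.
acl apache       src 10.20.0.245
acl elmo         src 10.20.0.254/32
acl tahiti       src 172.16.20.254/32
acl mnlnet2      src "/etc/squid/authorized"
acl blockedsites dstdomain "/etc/squid/blockedsites"

# http_access stops at the first matching rule, so the order is:
# protocol-level denies, manager access, site blocks, client allows,
# and a final deny. "http_access allow all" is gone, so this is no
# longer an open proxy.
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow localhost manager
http_access allow manager apache
http_access deny  manager
http_access deny  blockedsites
http_access allow elmo
http_access allow tahiti
http_access allow mnlnet2
http_access deny  all                        # replaces http_access allow all

# Caching: the missing cgi-bin/query pattern goes before the catch-all.
# This replaces the QUERY/QUERY2/QUERY3 ACLs and their no_cache rules.
refresh_pattern ^ftp:             1440  20%   10080
refresh_pattern ^gopher:          1440  0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%    0
refresh_pattern .                 0     20%   4320
```

Check the file with `squid -k parse` before reloading, then reproduce a failing visit to one of the bank sites and pull the matching access.log line (look for TCP_DENIED or a non-2xx status) together with any cache.log entry at the same time; that is the evidence the reply asks for.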

