<div dir="ltr"><div><div><div><div><div>Dear Amos,<br><br></div>I get this error:<br>-- init_password: Wiping the computer password structure<br>
-- generate_new_password: Generating a new, random password for the<br>
computer account<br>
-- generate_new_password: Characters read from /dev/udandom = 90<br>
-- create_fake_krb5_conf: Created a fake krb5.conf file:<br>
/tmp/.msktkrb5.conf-F6iL9e<br>
-- reload: Reloading Kerberos Context<br>
-- finalize_exec: SAM Account Name is: PROXYAGIT01-K$<br>
-- try_machine_keytab_princ: Trying to authenticate for PROXYAGIT01-K$<br>
from local keytab...<br>
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed<br>
(Client not found in Kerberos database)<br>
-- try_machine_keytab_princ: Authentication with keytab failed<br>
-- try_machine_keytab_princ: Trying to authenticate for host/<br>
<a href="http://proxyagit01.ag-it.com" target="_blank">proxyagit01.ag-it.com</a> from local keytab...<br>
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed<br>
(Client not found in Kerberos database)<br>
-- try_machine_keytab_princ: Authentication with keytab failed<br>
-- try_machine_password: Trying to authenticate for PROXYAGIT01-K$ with<br>
password.<br>
-- create_default_machine_password: Default machine password for<br>
PROXYAGIT01-K$ is proxyagit01-k<br>
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client<br>
not found in Kerberos database)<br>
-- try_machine_password: Authentication with password failed<br>
-- try_user_creds: Checking if default ticket cache has tickets...<br>
-- finalize_exec: Authenticated using method 4<br>
<br>
-- ldap_connect: Connecting to LDAP server: <a href="http://svr-resdmn22.ag-it.com" target="_blank">svr-resdmn22.ag-it.com</a><br>
try_tls=YES<br>
-- ldap_connect: Connecting to LDAP server: <a href="http://svr-resdmn22.ag-it.com" target="_blank">svr-resdmn22.ag-it.com</a><br>
try_tls=NO<br><br>
<b>SASL/GSSAPI authentication started<br>
Error: ldap_sasl_interactive_bind_s failed (Local error)<br>
Error: ldap_connect failed<br>
--> Is your kerberos ticket expired? You might try re-"kinit"ing.<br>
-- ~KRB5Context: Destroying Kerberos Context</b><br>
<br></div>In auth.log:<br>" msktutil: GSSAPI Error: Unspecified GSS failure. Minor<br>
code may provide more information (Server not found in Kerberos database)"<br><br></div>help me<br><br></div>thanks,<br></div>kukuhga<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 23, 2015 at 4:41 PM, <span dir="ltr"><<a href="mailto:squid-users-request@lists.squid-cache.org" target="_blank">squid-users-request@lists.squid-cache.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send squid-users mailing list submissions to<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:squid-users-request@lists.squid-cache.org">squid-users-request@lists.squid-cache.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:squid-users-owner@lists.squid-cache.org">squid-users-owner@lists.squid-cache.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of squid-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: ERR_ONLY_IF_CACHED_MISS and cache digests problem<br>
(Victor Sudakov)<br>
2. GSSAPI problem when try create keytab using msktutil<br>
(kukuh amukti)<br>
3. Re: [squid ] externalAclLookup: 'wbinfo_group_helper' queue<br>
overload. (Jagannath Naidu)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 23 Apr 2015 14:35:24 +0600<br>
From: Victor Sudakov <<a href="mailto:sudakov@sibptus.tomsk.ru">sudakov@sibptus.tomsk.ru</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>, Amos Jeffries<br>
<<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>><br>
Subject: Re: [squid-users] ERR_ONLY_IF_CACHED_MISS and cache digests<br>
problem<br>
Message-ID: <<a href="mailto:20150423083524.GA92752@admin.sibptus.tomsk.ru">20150423083524.GA92752@admin.sibptus.tomsk.ru</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Amos Jeffries wrote:<br>
<br>
[dd]<br>
<br>
><br>
> I don't think anything is wrong with either. It's more a collision in how<br>
> the features work vs the protocols.<br>
><br>
> Cache Digests (CD) are exchanged periodically and updated approx hourly.<br>
> Also they are based on just the URL. So there is always a gap where they<br>
> may not be accurate for any highly volatile objects, and variant objects<br>
> (using Vary headers) will have a high false-positive rate.<br>
><br>
> only-if-cached requires the *right now* state of the object to be fresh<br>
> and in cache. It takes account of both the URL and the entire HTTP<br>
> headers. So<br>
><br>
> The ICP protocol used as a backup to confirm objects existence also<br>
> suffers the same URL basis problem as CD. They work fine for HTTP/1.0<br>
> but HTTP/1.1 features don't fare quite so well.<br>
<br>
Thank you Amos, now I understand the mechanics behind this. However,<br>
I'd prefer that users do not receive this frustrating error in a setup<br>
that has nothing inherently wrong about it (especially frustrating is<br>
the fact that they receive the error from the wrong proxy server, not the<br>
one they have configured in the browser settings).<br>
<br>
Do I understand correctly that the only way to avoid this error<br>
message is to switch to HTCP (and ditch both ICP and CD)?<br>
<br>
--<br>
Victor Sudakov, VAS4-RIPE, VAS47-RIPN<br>
<a href="mailto:sip%3Asudakov@sibptus.tomsk.ru">sip:sudakov@sibptus.tomsk.ru</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 23 Apr 2015 16:40:44 +0700<br>
From: kukuh amukti <<a href="mailto:kukuh.amukti@gmail.com">kukuh.amukti@gmail.com</a>><br>
To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
Subject: [squid-users] GSSAPI problem when try create keytab using<br>
msktutil<br>
Message-ID:<br>
<<a href="mailto:CAKHWrNFg7vUzmDpDJSpQvMRgc4eTCFONYYUnijyNNZRO2U0zTw@mail.gmail.com">CAKHWrNFg7vUzmDpDJSpQvMRgc4eTCFONYYUnijyNNZRO2U0zTw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Dear All,<br>
I've built Squid in W2K12 and there is no problem, but when I try running<br>
it in W2K3,<br>
I get a problem when trying to create the keytab with the msktutil command against Windows Server<br>
2003.<br>
When I run msktutil:<br>
<br>
msktutil -c -b "OU=WSUS - Server,OU=Astragraphia-ITS" -s<br>
HTTP/<a href="http://proxyagit01.ag-it.com" target="_blank">proxyagit01.ag-it.com</a> -k /etc/squid3/PROXY.keytab --computer-name<br>
PROXYAGIT-01 --upn HTTP/<a href="http://proxyagit01.ag-it.com" target="_blank">proxyagit01.ag-it.com</a> --server<br>
<a href="http://svr-resdmn22.ag-it.com" target="_blank">svr-resdmn22.ag-it.com</a> --verbose<br>
<br>
and get these errors:<br>
<br>
-- init_password: Wiping the computer password structure<br>
-- generate_new_password: Generating a new, random password for the<br>
computer account<br>
-- generate_new_password: Characters read from /dev/udandom = 90<br>
-- create_fake_krb5_conf: Created a fake krb5.conf file:<br>
/tmp/.msktkrb5.conf-F6iL9e<br>
-- reload: Reloading Kerberos Context<br>
-- finalize_exec: SAM Account Name is: PROXYAGIT01-K$<br>
-- try_machine_keytab_princ: Trying to authenticate for PROXYAGIT01-K$<br>
from local keytab...<br>
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed<br>
(Client not found in Kerberos database)<br>
-- try_machine_keytab_princ: Authentication with keytab failed<br>
-- try_machine_keytab_princ: Trying to authenticate for host/<br>
<a href="http://proxyagit01.ag-it.com" target="_blank">proxyagit01.ag-it.com</a> from local keytab...<br>
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed<br>
(Client not found in Kerberos database)<br>
-- try_machine_keytab_princ: Authentication with keytab failed<br>
-- try_machine_password: Trying to authenticate for PROXYAGIT01-K$ with<br>
password.<br>
-- create_default_machine_password: Default machine password for<br>
PROXYAGIT01-K$ is proxyagit01-k<br>
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client<br>
not found in Kerberos database)<br>
-- try_machine_password: Authentication with password failed<br>
-- try_user_creds: Checking if default ticket cache has tickets...<br>
-- finalize_exec: Authenticated using method 4<br>
<br>
-- ldap_connect: Connecting to LDAP server: <a href="http://svr-resdmn22.ag-it.com" target="_blank">svr-resdmn22.ag-it.com</a><br>
try_tls=YES<br>
-- ldap_connect: Connecting to LDAP server: <a href="http://svr-resdmn22.ag-it.com" target="_blank">svr-resdmn22.ag-it.com</a><br>
try_tls=NO<br>
SASL/GSSAPI authentication started<br>
Error: ldap_sasl_interactive_bind_s failed (Local error)<br>
Error: ldap_connect failed<br>
--> Is your kerberos ticket expired? You might try re-"kinit"ing.<br>
-- ~KRB5Context: Destroying Kerberos Context<br>
<br>
<br>
auth.log says: " msktutil: GSSAPI Error: Unspecified GSS failure. Minor<br>
code may provide more information (Server not found in Kerberos database)"<br>
<br>
What should I do?<br>
<br>
thanks,<br>
kukuhga<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 23 Apr 2015 15:11:09 +0530<br>
From: Jagannath Naidu <<a href="mailto:jagannath.naidu@fosteringlinux.com">jagannath.naidu@fosteringlinux.com</a>><br>
To: Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>><br>
Cc: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
Subject: Re: [squid-users] [squid ] externalAclLookup:<br>
'wbinfo_group_helper' queue overload.<br>
Message-ID:<br>
<CA+8bHvzhgS=-<a href="mailto:u5zx1a82uWk0jC62qS1HmaUoawn7eW1W43ZHfA@mail.gmail.com">u5zx1a82uWk0jC62qS1HmaUoawn7eW1W43ZHfA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi Amos,<br>
<br>
regrets, I am late.<br>
<br>
On 21 April 2015 at 09:15, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br>
<br>
> On 20/04/2015 7:31 p.m., Jagannath Naidu wrote:<br>
> > Hi,<br>
> ><br>
> > I am having this issue very frequently. Please help on this.<br>
> ><br>
> > I get these errors randomly, mostly when usage is at very peak. (800<br>
> users)<br>
> ><br>
> ><br>
> > /var/log/squid/cache.log<br>
> ><br>
> > 2015/04/20 12:37:40| externalAclLookup: 'wbinfo_group_helper' queue<br>
> > overload (ch=0x7fc99e2ce518)<br>
><br>
> What do you think "overload" means?<br>
> The helper is unable to cope with the traffic load being passed to it.<br>
><br>
> Here is the biggest hint:<br>
> ><br>
> > in /var/log/messages, I get the following errors<br>
> ><br>
> > pr 20 12:59:15 GGNPROXY01 winbindd[1910]: winbindd: Exceeding 200<br>
> client<br>
> > connections, no idle connection found<br>
><br>
><br>
><br>
><br>
> > Then squid stops working. For squid to start work again, I have to delete<br>
> > the cache and restart the squid "squid -k reconfigure", and then squid<br>
> > restart.<br>
><br>
> What Squid version are you using?<br>
><br>
> My Squid version is squid-3.1.10-19.el6_4.x86_64<br>
<br>
<br>
<br>
> ><br>
> > squid.conf<br>
> ><br>
> > max_filedesc 17192<br>
> > acl manager proto cache_object<br>
> > acl localhost src <a href="http://172.16.50.61/24" target="_blank">172.16.50.61/24</a><br>
><br>
> changed to "acl localhost src 172.16.50.6*1*" already<br>
<br>
<br>
> You have an entire /24 (256 IPs) assigned to this machine?<br>
><br>
> I think you need to remove that "/24" part if the *.61 is the local<br>
> machines *public* IP.<br>
><br>
><br>
> > http_access allow manager localhost<br>
> > dns_nameservers 172.16.3.34 10.1.2.91<br>
> > acl allowips src 172.16.58.187 172.16.16.192 172.16.58.113 172.16.58.63<br>
> > 172.16.58.98 172.16.60.244 172.16.58.165 172.16.58.157<br>
> > http_access allow allowips<br>
><br>
> > auth_param basic realm Squid proxy-caching web server<br>
> > auth_param basic credentialsttl 2 hours external_acl_type nt_group ttl=0<br>
> > children=60 %LOGIN /usr/lib64/squid/<a href="http://wbinfo_group.pl" target="_blank">wbinfo_group.pl</a><br>
><br>
> The above two very mangled config lines are useless. Remove them.<br>
><br>
> > acl localnet src <a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a><br>
><br>
<br>
<br>
changed<br>
<br>
<br>
> It's a bit strange that none of the localhost machine IPs<br>
> (172.16.50.0-172.16.50.255) are part of the LAN it's plugged into<br>
> 172.16.0.0-172.16.0.255.<br>
><br>
><br>
> > acl localnet src fc00::/7 # RFC 4193 local private network range<br>
> > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)<br>
> machines<br>
> > auth_param ntlm program /usr/bin/ntlm_auth --diagnostics<br>
> > --helper-protocol=squid-2.5-ntlmssp --domain=<a href="http://HTMEDIA.NET" target="_blank">HTMEDIA.NET</a><br>
><br>
> Okay you have configured NTLM...<br>
><br>
> > auth_param ntlm program /usr/bin/ntlm_auth<br>
> > --helper-protocol=squid-2.5-ntlmssp --domain=<a href="http://HTMEDIA.NET" target="_blank">HTMEDIA.NET</a><br>
><br>
> ... but twice. With different settings. Only these last ones will have<br>
> any effect.<br>
><br>
><br>
> > auth_param ntlm children 600<br>
> > auth_param ntlm keep_alive off<br>
><br>
> > auth_param negotiate children 150<br>
> > auth_param negotiate keep_alive off<br>
> > visible_hostname <a href="http://GGNPROXY01.HTMEDIA.NET" target="_blank">GGNPROXY01.HTMEDIA.NET</a><br>
> > external_acl_type wbinfo_group_helper ttl=0 children=40 %LOGIN<br>
> > /usr/lib64/squid/<a href="http://wbinfo_group.pl" target="_blank">wbinfo_group.pl</a> -d<br>
> > auth_param negotiate keep_alive off<br>
><br>
> You have several useless configuration lines for Negotiate auth which is<br>
> not being used in any way. Remove those.<br>
><br>
><br>
> > acl Safe_ports port 8080 #https<br>
> > acl SSL_ports port 443<br>
> > acl Safe_ports port 80 # http<br>
> > acl Safe_ports port 21 # ftp<br>
> > acl Safe_ports port 443 # https<br>
> > acl Safe_ports port 70 # gopher<br>
> > acl Safe_ports port 210 # wais<br>
> > acl Safe_ports port 1025-65535 # unregistered ports<br>
> > acl Safe_ports port 280 # http-mgmt<br>
> > acl Safe_ports port 488 # gss-http<br>
> > acl Safe_ports port 591 # filemaker<br>
> > acl Safe_ports port 777 # multiling http<br>
> > acl CONNECT method CONNECT<br>
> > acl auth proxy_auth REQUIRED<br>
> > acl google dstdomain -i "/etc/squid/<a href="http://google_site.com" target="_blank">google_site.com</a>"<br>
> > http_access allow google<br>
> > acl sq1 external wbinfo_group_helper "/etc/squid/HT/sq1"<br>
> > acl sq2 external wbinfo_group_helper "/etc/squid/HT/sq2"<br>
> > acl sq3 external wbinfo_group_helper "/etc/squid/HT/sq3"<br>
> > acl sq4 external wbinfo_group_helper "/etc/squid/HT/sq4"<br>
> > acl sq5 external wbinfo_group_helper "/etc/squid/HT/sq5"<br>
> > acl pro1 external wbinfo_group_helper "/etc/squid/HT/pro1"<br>
> > acl pro2 external wbinfo_group_helper "/etc/squid/HT/pro2"<br>
> > acl pro3 external wbinfo_group_helper "/etc/squid/HT/pro3"<br>
> > acl pro4 external wbinfo_group_helper "/etc/squid/HT/pro4"<br>
> > acl pro5 external wbinfo_group_helper "/etc/squid/HT/pro5"<br>
> > acl pro6 external wbinfo_group_helper "/etc/squid/HT/pro6"<br>
> > acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"<br>
> > acl allgroup external wbinfo_group_helper "/etc/squid/HT/allgreop"<br>
> > acl restricted external wbinfo_group_helper "/etc/squid/HT/restricted"<br>
> > acl ad_auth proxy_auth REQUIRE<br>
><br>
> You already have an ACL named "auth" which performs authentication.<br>
> The above line is not useful. Remove it and replace all uses of<br>
> "ad_auth" ACL with "auth" ACL.<br>
><br>
> > acl allowwebsites dstdomain -i "/blacklists/allowedwebsite/domains"<br>
> > acl allowwebsites_url url_regex -i "/blacklists/allowedwebsite/url"<br>
> > http_access allow allowwebsites<br>
> > http_access allow allowwebsites_url<br>
> > acl shopping dstdomain -i "/etc/squid/shopping.txt"<br>
> > acl social_networking dstdomain -i "/blacklists/social/social.networking"<br>
> > acl youtube dstdomain -i .<a href="http://youtube.com" target="_blank">youtube.com</a><br>
> > http_access allow Safe_ports pro1 pro2 pro3 pro4 pro5 pro6 webvip<br>
><br>
> Incorrect use of "Safe_ports" security check. Correct usage is to deny<br>
> access to all *unsafe* ports. They are unsafe because HTTP can be<br>
> smuggled within the port's native protocol to attack your proxy.<br>
><br>
> Once the correct security protections for Safe_port and CONNECT tunnels<br>
> have been moved up the top remove the "Safe_ports" check from this line.<br>
><br>
> This line is also very odd in another way. ACL tests in a single line<br>
> are AND'ed together - so this means the request must be from a user who is:<br>
> authenticated AND a member of group pro1 AND pro2 AND pro3 AND pro4<br>
> AND pro5 AND pro6 AND webvip<br>
><br>
> This hints at what your main helper problem is. The above line requires<br>
> 7 group helper lookups *per request*. The winbind helper has a maximum<br>
> of 200 simultaneous connections. This line alone will limit your proxy to<br>
> just under 30 new visitors per second (that becomes 60 lookups/sec<br>
> before queue overload).<br>
> The helper result caching will help a lot, but you also have a LOT of<br>
> other group checks being made and 800 users.<br>
><br>
><br>
> > http_access allow youtube pro5<br>
> > http_access allow youtube pro6<br>
> > http_access allow youtube webvip<br>
> > http_access deny youtube<br>
> > http_access allow shopping pro5<br>
> > http_access allow shopping pro6<br>
> > http_access allow shopping webvip<br>
> > http_access deny shopping<br>
><br>
> Optimization hint:<br>
> "youtube" and "shopping" have the same allow/deny criteria. It would be<br>
> worth combining them into one ACL.<br>
><br>
> > http_access allow social_networking pro2<br>
> > http_access allow social_networking pro4<br>
> > http_access allow social_networking pro6<br>
> > http_access allow social_networking webvip<br>
> > http_access deny social_networking<br>
> > acl porn_site1 dstdomain "/etc/squid/blacklists/porn/domains.txt"<br>
> > acl porn_site2 dstdom_regex -i "/etc/squid/blacklists/porn/expressions"<br>
> > acl porn_site3 dstdom_regex -i "/etc/squid/blacklists/porn/urls.txt"<br>
> > acl audio_video1 dstdomain "/etc/squid/blacklists/audio-video/urls.txt"<br>
> > ###################### THERE ARE TOO MANY acls and http_access , so not<br>
> > bothering with vast linux<br>
><br>
> I will bet a lot of those ACLs are also calling the group helper too yes?<br>
><br>
> > http_access allow liquorinfo webvip<br>
> > http_access deny liquorinfo<br>
> > http_access allow ad_auth<br>
> > http_access allow auth<br>
><br>
> Once you have removed ad_auth ACL, this becomes:<br>
> http_access allow auth<br>
> http_access allow auth<br>
><br>
> I hope you can see how redundant that is.<br>
><br>
> Also, it's very likely that the "allow auth" is a useless operation after<br>
> a great many group checks have also performed authentication. That "TOO<br>
> MANY acls and http_access" list you omitted will be needed to determine<br>
> that.<br>
><br>
><br>
> > http_access allow sq1 sq2<br>
> > acl NTLMUsers proxy_auth REQUIRED<br>
><br>
> You already have an ACL named "auth" which performs authentication.<br>
> The above line is not being used in any way. Remove it.<br>
><br>
> > http_access deny !Safe_ports<br>
> > http_access deny CONNECT !SSL_ports<br>
><br>
> These are basic security protection against Denial of Service and other<br>
> types of protocol smuggling attacks. They only work when they are used<br>
> *above* your custom "allow" rules.<br>
><br>
> Move these two lines above your "http_access allow google" line.<br>
><br>
><br>
><br>
> > http_port 8080<br>
> > hierarchy_stoplist cgi-bin ?<br>
><br>
> The above line is not useful these days. Remove it.<br>
><br>
> > cache_effective_user squid<br>
> > cache_dir aufs /var/spool/squid 20384 32 512<br>
> > cache_mem 50 MB<br>
> > cache_replacement_policy heap LFUDA<br>
> > cache_swap_low 85<br>
> > cache_swap_high 95<br>
> > maximum_object_size 5 MB<br>
> > maximum_object_size_in_memory 50 KB<br>
> > ipcache_size 5240<br>
> > ipcache_low 90<br>
> > ipcache_high 95<br>
> > cache_mgr amit<br>
> > acl SSL_ports port 443<br>
><br>
> The above is a duplicate config line. Remove it.<br>
><br>
> > http_access allow CONNECT SSL_ports<br>
> > coredump_dir /var/spool/squid<br>
> > refresh_pattern ^ftp: 1440 20% 10080<br>
> > refresh_pattern ^gopher: 1440 0% 1440<br>
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
> > refresh_pattern . 0 20% 4320<br>
> > url_rewrite_program /usr/local/bin/squidGuard -c<br>
> > /usr/local/squidGuard/squidGuard.conf<br>
> ><br>
><br>
><br>
> Now, as to solving your problem:<br>
><br>
> 1) Clean up your config. Reduce the amount of redundant or unused<br>
> things. I've mentioned a few above.<br>
><br>
> 2) Run "squid -k parse" and fix any other problems it highlights.<br>
><br>
> 3) Optimize your ACLs and http_access rules. I've mentioned a few, such<br>
> as moving the main security checks to the top so DoS traffic does not<br>
> put load on the helpers and other ACLs.<br>
><br>
> I believe though that you will probably find Squid works much better<br>
> having the following access controls pattern:<br>
> "<br>
> http_access deny !Safe_ports<br>
> http_access deny CONNECT !SSL_ports<br>
><br>
> # if they are not authenticated, they will not be in a group<br>
> http_access deny !auth<br>
><br>
> # assuming that webvip are the group with full access?<br>
> http_access allow webvip<br>
><br>
> # your long list of per-site group check ACLs go here<br>
> ...<br>
><br>
> # this is where defining the LAN ranges correctly comes in.<br>
> # note that users have authenticated simply to get near here<br>
> http_access allow localnet<br>
> http_access deny all<br>
> "<br>
><br>
><br>
> 4) consider an upgrade to Squid 3.4+. The "notes" ACL type offers much<br>
> more efficient ACL testing with a custom group lookup helper. The all-of<br>
> and any-of ACL types can also much reduce your http_access lines.<br>
><br>
> HTH<br>
> Amos<br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
<br>
<br>
<br>
Thank you Amos, I will check and will update the list.<br>
<br>
<br>
--<br>
Thanks & Regards<br>
<br>
B Jagannath<br>
Keen & Able Computers Pvt. Ltd.<br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of squid-users Digest, Vol 8, Issue 52<br>
******************************************<br>
</blockquote></div><br></div>
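The points Amos raises in message 3 (Safe_ports and CONNECT guards belong above every allow rule, duplicate and aliased ACLs, several external-helper lookups AND'ed on one http_access line, and the resulting ceiling on concurrent requests against winbindd's 200-connection cap) can be checked mechanically before reloading a config. The script below is an added example for this thread; it is not Squid's own code and not a tool from the squid-cache project. It assumes only the subset of squid.conf syntax used in the quoted config (acl, external_acl_type, http_access) and ignores everything else; the sample configs embedded in it are constructed, modelled on the quoted one but shortened, and the helper connection cap of 200 is taken from the winbindd message in the thread.

```python
"""Lint the http_access / acl part of a squid.conf for the mistakes discussed above.

Added example, not Squid project code. Parses only `acl NAME TYPE ...`,
`external_acl_type NAME ...` and `http_access allow|deny ACL...`; other
directives are ignored. Squid evaluates http_access top-down, first match
wins, and ACLs on one line are AND'ed, which is what the checks rely on.
"""
import re
from collections import defaultdict

ACL_RE = re.compile(r"^acl\s+(\S+)\s+(\S+)\s*(.*)$")
ACCESS_RE = re.compile(r"^http_access\s+(allow|deny)\s+(.+)$")

# Constructed sample modelled on the quoted config: guards below the allows,
# a duplicated ACL, two identical proxy_auth ACLs and a 3-lookup AND line.
SAMPLE_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED
external_acl_type wbinfo_group_helper ttl=0 children=40 %LOGIN /usr/lib64/squid/wbinfo_group.pl
acl pro1 external wbinfo_group_helper "/etc/squid/HT/pro1"
acl pro2 external wbinfo_group_helper "/etc/squid/HT/pro2"
acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"
acl ad_auth proxy_auth REQUIRED
acl google dstdomain -i "/etc/squid/google_site.com"
http_access allow google
http_access allow Safe_ports pro1 pro2 webvip
http_access allow ad_auth
http_access allow auth
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl SSL_ports port 443
http_access allow CONNECT SSL_ports
"""

# Constructed sample following the access-control pattern Amos suggested.
FIXED_CONF = """\
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED
external_acl_type wbinfo_group_helper ttl=0 children=40 %LOGIN /usr/lib64/squid/wbinfo_group.pl
acl webvip external wbinfo_group_helper "/etc/squid/HT/webvip"
acl localnet src 172.16.0.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !auth
http_access allow webvip
http_access allow localnet
http_access deny all
"""


def parse_conf(conf):
    """Return (acls, rules): acls maps name -> {"type", "defs": [(line, rest)]},
    rules is [(line, action, [tokens])] in file order."""
    acls, rules = {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in squid.conf
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            name, typ, rest = m.groups()
            acls.setdefault(name, {"type": typ, "defs": []})["defs"].append((n, rest.strip()))
            continue
        m = ACCESS_RE.match(line)
        if m:
            action, rest = m.groups()
            rules.append((n, action, rest.split()))
    return acls, rules


def helper_capacity(lookups_per_request, max_connections=200):
    """Requests that can be in flight when each needs `lookups_per_request`
    helper connections out of `max_connections` (200 = winbindd cap in the thread)."""
    return max_connections // lookups_per_request


def _canon(acls, token):
    """Canonical form of an ACL reference so aliases compare equal."""
    neg, name = token.startswith("!"), token.lstrip("!")
    a = acls.get(name)
    if a is None:
        return (neg, "?", name)  # undefined or builtin (e.g. 'all'); keep by name
    return (neg, a["type"], tuple(sorted({r for _, r in a["defs"]})))


def lint(conf, helper_max_connections=200):
    """Return [(line, CODE, message)] findings; an empty list means clean."""
    acls, rules = parse_conf(conf)
    findings = []
    # Exact duplicate acl lines (e.g. 'acl SSL_ports port 443' given twice).
    for name, a in acls.items():
        seen = {}
        for n, rest in a["defs"]:
            if rest in seen:
                findings.append((n, "DUP_ACL", f"'{name}' already defined identically at line {seen[rest]}"))
            seen.setdefault(rest, n)
    # Different names with identical definitions (auth / ad_auth / NTLMUsers).
    by_def = defaultdict(list)
    for name, a in acls.items():
        by_def[(a["type"], tuple(sorted({r for _, r in a["defs"]})))].append(name)
    for (typ, _), names in by_def.items():
        if len(names) > 1:
            findings.append((acls[names[1]]["defs"][0][0], "ALIAS_ACL", f"{typ} ACLs {names} are identical; keep one"))
    # Port / CONNECT guards must precede the first allow rule to protect the helpers.
    first_allow = next((i for i, (_, act, _) in enumerate(rules) if act == "allow"), len(rules))
    for guard, code in (("!Safe_ports", "GUARD_SAFE_PORTS"), ("!SSL_ports", "GUARD_CONNECT")):
        pos = next((i for i, (_, act, toks) in enumerate(rules) if act == "deny" and guard in toks), None)
        if pos is None:
            findings.append((0, code, f"no 'http_access deny ... {guard}' rule at all"))
        elif pos > first_allow:
            findings.append((rules[pos][0], code, f"deny {guard} comes after the first allow (line {rules[first_allow][0]})"))
    # Per-line helper fan-out, Safe_ports misuse and rules repeating an earlier test.
    seen_rules = {}
    for n, act, toks in rules:
        key = (act, tuple(_canon(acls, t) for t in toks))
        if key in seen_rules:
            findings.append((n, "REDUNDANT_RULE", f"same test as line {seen_rules[key]}; never reached"))
        seen_rules.setdefault(key, n)
        ext = [t for t in toks if acls.get(t.lstrip("!"), {}).get("type") == "external"]
        if len(ext) > 1:
            cap = helper_capacity(len(ext), helper_max_connections)
            findings.append((n, "HELPER_FANOUT", f"{len(ext)} external lookups per request {ext}; "
                                                 f"{helper_max_connections} connections allow only {cap} in flight"))
        if act == "allow" and "Safe_ports" in toks:
            findings.append((n, "SAFE_PORTS_AS_ALLOW", "Safe_ports is a deny-list guard; drop it from allow rules"))
    return findings


if __name__ == "__main__":
    for n, code, msg in lint(SAMPLE_CONF):
        print(f"line {n:>3} {code:<20} {msg}")
    print("fixed config findings:", lint(FIXED_CONF))
```

Run it against a real file with `lint(open("/etc/squid/squid.conf").read())`; the codes map one-to-one onto Amos's remarks, and `helper_capacity(7)` reproduces his "just under 30" figure for the seven-lookup line. The checker is deliberately conservative: it treats ACL names it cannot resolve (such as the builtin `all`) as opaque and never rewrites the config itself.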