<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hey Acid,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Haven’t seen you here for a very long time.<o:p></o:p></p><p class=MsoNormal>The first thing is to upgrade squid if possible…<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It’s better that you won’t use squid -kreconf for big blacklists.<o:p></o:p></p><p class=MsoNormal>Instead you should use some external software to match the blacklists.<o:p></o:p></p><p class=MsoNormal>The most recommended software these days is ufdbguard.<o:p></o:p></p><p class=MsoNormal>Depends on the size of your blacklist your might need to find the right solution.<o:p></o:p></p><p class=MsoNormal>The best solution would be to store the list in ram somehow.<o:p></o:p></p><p class=MsoNormal>Have you tried some kind of rbl server?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>At the time I wrote some code to and some of it was merged into:<o:p></o:p></p><p class=MsoNormal><a href="https://github.com/looterz/grimd">https://github.com/looterz/grimd</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>It has a reload url so you can update the files on disk and send a reload.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Another service I am using is:<o:p></o:p></p><p class=MsoNormal><a href="https://github.com/andybalholm/redwood">https://github.com/andybalholm/redwood</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Which has a “Classification Service” function.<o:p></o:p></p><p class=MsoNormal>It’s pretty easy to write a json http client that can run queries against this classification service.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Also you’d better use a file In the dstdomain ac ie:<o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>acl Blacklist dstdomain “/var/blacklists/xyx.list”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>http_access deny Blacklist<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>and inside the xyx.list file just add lines of domains like<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>.blacklisted-domain.com<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>.example.com<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Etc..<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>All The Bests,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Eliezer</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>----<o:p></o:p></p><p class=MsoNormal>Eliezer Croitoru<o:p></o:p></p><p class=MsoNormal>Tech Support<o:p></o:p></p><p class=MsoNormal>Mobile: +972-5-28704261<o:p></o:p></p><p class=MsoNormal>Email: <a href="mailto:ngtech1ltd@gmail.com"><span style='color:blue'>ngtech1ltd@gmail.com</span></a><o:p></o:p></p><p class=MsoNormal>Zoom: Coming soon<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> squid-users <squid-users-bounces@lists.squid-cache.org> <b>On Behalf Of </b>acidflash acidflash<br><b>Sent:</b> Saturday, March 27, 2021 10:55 AM<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> [SPAM] [squid-users] Squid stops serving requests after squid -k reconfigure<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>I have gone through the forums, and I haven't found an answer to the question, although it has been asked more than once.<o:p></o:p></span></p><p><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>I am running squid 3.5.X on Centos 7, the compile options are:<br>"configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'"</span><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'><o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>I have a service which adds domains to a blacklist file, and then calls squid -k reconfigure.<br>Instead of writing to the file, this service updates the file completely with new rules,<br>by deleting the old file, and creating a new one in its place, and then calling squid -k reconfigure.<br>After doing this, on odd occasions, squid will stop serving traffic completely,<br>until you do a squid stop, and squid start. After shutting down squid,<br>and starting squid up with the same rules, squid will continue to work normally.<br>Its probably worth mentioning that during the time that these events are taking place,<br>the server is under quite a bit of load, and clients don't stop sending requests via the server.<br>What these directives look like:<br><br>acl Porn dstdomain .xnxx.com .sex.com <br>acl Drugs dstdomain .drugs.com .silkroad.eu <br>http_access deny Porn<br>http_access deny Drugs<o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p><p><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>This also seems to be amplified when there are several squid workers (child processes) running.<br>In regards to order, these ACL's are above any other ACL's in the list. We have a very basic squid conf file that looks like this:<br>## START OF FILE<br>http_port 3128<br>cache deny all<br>#<br>access_log /var/log/squid/access.log <br>cache_store_log none<br>cache_log /dev/null<br>logfile_rotate 4<br>#<br>auth_param basic program /usr/lib64/squid/basic_db_auth --dsn "DBI:mysql:host=XX.XX.XX.XX;port=XXXX;database=XXXXX" --user XXXXXX --password XXXXXXXX --plaintext --persist<br># <br>acl db-auth proxy_auth REQUIRED<br>auth_param basic credentialsttl 2 hours<br>auth_param basic casesensitive on<br>#<br>connect_timeout 55 minutes<br>#<br>request_header_access Allow allow all<br>request_header_access Authorization allow all<br>request_header_access WWW-Authenticate allow all<br>request_header_access Proxy-Authorization allow all<br>request_header_access Proxy-Authenticate allow all<br>request_header_access Cache-Control allow all<br>request_header_access Content-Encoding allow all<br>request_header_access Content-Length allow all<br>request_header_access Content-Type allow all<br>request_header_access Date allow all<br>request_header_access Expires allow all<br>request_header_access Host allow all<br>request_header_access If-Modified-Since allow all<br>request_header_access Last-Modified allow all<br>request_header_access Location allow all<br>request_header_access Pragma allow all<br>request_header_access Accept allow all<br>request_header_access Accept-Charset allow all<br>request_header_access Accept-Encoding allow all<br>request_header_access Accept-Language allow all<br>request_header_access Content-Language allow all<br>request_header_access Mime-Version allow all<br>request_header_access Retry-After allow all<br>request_header_access Title allow all<br>request_header_access Connection allow all<br>request_header_access Proxy-Connection allow all<br>request_header_access User-Agent allow all<br>request_header_access Cookie allow all<br>request_header_access All deny all<br>dns_v4_first on<br>via off<br>forwarded_for off<br>follow_x_forwarded_for deny all<br>dns_nameservers 8.8.8.8 8.8.4.4<br>## END OF FILE</span><o:p></o:p></p><p><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p><p style='margin-bottom:3.75pt'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'>Your help is greatly appreciated, maybe there has been some insight into this issue after 10+ years since the last time it was asked.<o:p></o:p></span></p><p style='margin-bottom:9.75pt'><span style='font-size:9.0pt;font-family:"Verdana",sans-serif'> <o:p></o:p></span></p></div></div></body></html>