[squid-users] Squid with proxy

Amos Jeffries squid3 at treenet.co.nz
Sat May 23 04:20:16 UTC 2015


On 23/05/2015 2:05 a.m., Silvio Siefke wrote:
> On Fri, 22 May 2015 23:26:13 +1200 Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
> 
>> Without NextProxy is correct if ziproxy is on the "outside" of Squid.
>> Like so:
>>
>>  client -> Squid -> ziproxy -> Internet
> 
> In my browser I speak only with Squid; the rest Squid does, I hope. I use
> ziproxy to compress the traffic, but when I looked, the rate is not really
> much.
> 
> http://silviosiefke.de/squid/zip.html
> 

Small, but reasonable.

Note that Squid is an HTTP/1.1 proxy designed to optimize traffic.
HTTP/1.1 contains features like revalidation and conditional requests
which are more efficient with bandwidth than even 100% compression would
be. So there is not much uncompressed but compressible content for
ziproxy to be working with.


>> If you set ziproxy to pass *requests* to Squid, the traffic will
>> enter a loop:
>>   client -> Squid -> ziproxy -> Squid -> ziproxy -> ...
> 
> client > squid > ziproxy > squid > client so is my plan

Squid is fetching content from the client?

I think you are misunderstanding the "->" diagram syntax and how
connectivity works.

Request messages go:
 client -> Squid -> ziproxy -> Internet

Response messages go:
 Internet -> ziproxy -> Squid -> client

You only need to configure the request hop order - the cache_peer in
Squid, maybe proxy settings in client. The response chain is handled
automatically by TCP based on where the request went.

Squid needs the cache_peer so that it goes to ziproxy instead of
straight to Internet.
 ziproxy needs *nothing* - so that it does go to Internet. If you set it
with Squid you get the infinite loop, and the client gets nothing or
errors back when the loop causes enough trouble to be noticed.

>  
>> In your squid.conf all traffic requires authenticating. Nothing is
>> allowed through without it. Although anything from localhost is
>> allowed to send wrong credentials and get through :-( .
> 
> localhost should work without authenticating. I think this is the problem
> why NextProxy in ziproxy.conf does not work correctly.
>  

You had two problems. The auth was one. The forwarding loop (NextProxy
being used) was another.

>> - "deny ads" is not useful like this, anything getting to that check
>> will also be blocked by the "deny all" which follows it and is a
>> faster check.
>>
>> - also missing the basic HTTP abuse and DoS security protections.
>>
>> To let localhost I would write them like this:
>>
>>  # basic security protections.
>>  # To let special ports through; check carefully it's not abuse
>>  # then adjust Safe_ports and SSL_ports appropriately
>>  http_access deny !Safe_ports
>>  http_access deny CONNECT !SSL_ports
>>
>>  # To use the deny ads ACL it would go here in the ordering,
>>  # before the allow rules.
>>  http_access deny ads
>>
>>  # localhost does not require authentication
>>  http_access allow localhost
>>
>>  # manager access only permitted from localhost
>>  http_access deny !localhost manager
>>
>>  # anyone with a valid auth credentials is allowed
>>  http_access allow checkpw
>>
>>  http_access deny all
>>
>>
>> You will need to re-add the CONNECT, Safe_ports and SSL_ports ACL
>> definitions from the default config.
> 
> Okay thank you, I'm ashamed but I really did not understand what
> SSL ports mean, and so now I understand more.

No shame. That's what we do here in this mailing list, help people with
mistakes and problems. :-)

> 
>> You dont really need to exempt localhost from authentication. But that
>> is your choice.
> 
> Only connections over port 15000 need authentication because it is external,
> and ideally only my login goes through. Localhost should work without any limitation.

Then you may be interested in using a myportname ACL to enforce that.
Like this:
 http_port 15000 ... name=blah
 ...
 acl port15000 myportname blah
 http_access allow port15000 checkpw


Amos
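Putting the pieces of this thread together, here is an added example squid.conf fragment; it is not from the thread or from the Squid project. It assumes ziproxy listens on 127.0.0.1:8080, a local-only http_port 3128, a Basic auth helper path, and an ads domain list file, none of which the thread shows; port 15000, the checkpw ACL name and the http_access ordering are the thread's.

```conf
# --- ACL definitions (Safe_ports/SSL_ports/CONNECT as in the default squid.conf;
#     localhost and manager are predefined in Squid 3.2+) ---
acl SSL_ports  port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT    method CONNECT
acl ads dstdomain "/etc/squid/ads.txt"   # ASSUMPTION: the thread only shows "deny ads"

# --- Authentication: checkpw is the ACL name used in the thread ---
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd  # ASSUMPTION: helper path
auth_param basic realm Squid proxy
acl checkpw proxy_auth REQUIRED

# --- Listening ports ---
http_port 127.0.0.1:3128          # ASSUMPTION: local clients only, no auth required
http_port 15000 name=external     # the externally reachable port from the thread
acl port15000 myportname external

# --- Request hop order: client -> Squid -> ziproxy -> Internet ---
# ziproxy.conf must NOT set NextProxy back to Squid, or requests loop.
cache_peer 127.0.0.1 parent 8080 0 no-query default   # ASSUMPTION: ziproxy on 8080
never_direct allow all                                # never bypass ziproxy

# Keep Via headers on (the default) so that, if a loop does get configured,
# Squid logs "WARNING: Forwarding loop detected" in cache.log instead of
# silently spinning.
via on

# --- http_access: first match wins, so the order is the policy ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny ads                     # before the allow rules, or it never fires
http_access allow localhost              # localhost needs no credentials
http_access deny !localhost manager      # cache manager only from localhost
http_access allow port15000 checkpw      # only the external port requires a valid login
http_access deny all
```

Anything reaching port 15000 without valid credentials falls through to the final deny all, and the 3128 port is bound to loopback so only local processes can use the unauthenticated path.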

