[squid-users] Two connections per client
Amos Jeffries
squid3 at treenet.co.nz
Wed Mar 16 12:57:37 UTC 2016
On 17/03/2016 1:25 a.m., Chris Nighswonger wrote:
> On Wed, Mar 16, 2016 at 1:03 AM, Amos Jeffries wrote:
>
>> On 16/03/2016 12:38 p.m., Chris Nighswonger wrote:
>>> Why does netstat show two connections per client connection to Squid:
>>>
>>> tcp 0 0 127.0.0.1:3128 127.0.0.1:34167 ESTABLISHED
>>> tcp 0 0 127.0.0.1:34167 127.0.0.1:3128 ESTABLISHED
>>>
>>> In this case, there is a content filter running in front of Squid on the
>>> same box. The same netstat command filtered on the content filter port
>>> shows only one connection per client:
>>>
>>> tcp 0 0 192.168.x.x:8080 192.168.x.y:1310 ESTABLISHED
>>>
>>
>> Details of your Squid configuration are needed to answer that.
>>
>
>
> Here it is. I've stripped out all of the acl lines to reduce the length:
>
> tcp_outgoing_address 184.x.x.x
> http_port 127.0.0.1:3128
It would seem that it is not Squid making those connections outbound
from 127.0.0.1:3128. Squid uses that 184.x.x.x address with random
source ports for *all* its outbound connections.
You don't seem to have NAT involved anywhere, which was my main
suspicion. Forwarding loops via NAT rules can show up as this type of thing.
> hierarchy_stoplist cgi-bin ?
stoplist is obsolete. You can remove it.
> cache_mem 4 GB
> maximum_object_size 32768 KB
> maximum_object_size_in_memory 200 KB
> cache_dir aufs /var/cache/squid3 375000 65 256
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> cache_store_log none
> cachemgr_passwd SuperSecretPW all
> debug_options ALL,1
> auth_param basic program /usr/lib/squid3/basic_ldap_auth <connection parameters go here>
> auth_param basic children 60
> auth_param basic realm Campus Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> forwarded_for truncate
> follow_x_forwarded_for allow all
This is bad. It allows any of your clients to forge XFF headers and get
data of their choice added to your logs.
follow_x_forwarded_for should *only* allow your frontend software's IPs
to be 'followed'.
> log_uses_indirect_client on
> http_reply_access allow all
> icp_access allow all
> cache_mgr support at organization.tld
> store_avg_object_size 20 KB
> coredump_dir /var/spool/squid3
> client_persistent_connections on
> server_persistent_connections on
> persistent_connection_after_error on
> visible_hostname gateway.intranet.organization.tld
> negative_ttl 5 minutes
> negative_dns_ttl 1 minutes
> cache_effective_user proxy
> cache_effective_group proxy
>
Quite a few of the above settings are defaults and defaults do not need
to be configured for Squid-3. If you have some time you might want to go
through and remove the unnecessary ones.
Amos
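An added example of the restricted follow_x_forwarded_for form Amos describes, not part of the original thread; it assumes the content filter in front of Squid connects from 127.0.0.1, which is an assumption about this setup rather than something the thread states.

```conf
# Added example, not from the thread. Assumes the content filter that
# fronts Squid connects to 127.0.0.1:3128 from 127.0.0.1 (an assumption).

# Weak setting from the posted config: every client may send its own
# X-Forwarded-For header and have that value logged as the client address.
#follow_x_forwarded_for allow all

# Restricted form: follow X-Forwarded-For only on connections that come
# from the frontend filter; the header is ignored on all other connections.
acl frontend_filter src 127.0.0.1/32
follow_x_forwarded_for allow frontend_filter
follow_x_forwarded_for deny all

# Still log the real (indirect) client address when a trusted frontend
# supplied it.
log_uses_indirect_client on
```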