[squid-users] Squid proxy not working when upgrade from 27 to 3.5
Amos Jeffries
squid3 at treenet.co.nz
Tue Oct 23 07:05:49 UTC 2018
On 23/10/18 4:28 PM, Angus J. wrote:
> Squid proxy not working when upgrade from 27 to 3.5
>
Please run "squid -k parse" with the new Squid version. It is especially
important when jumping many versions like a 2.x to 3.5 does.
All issues it highlights as FATAL and ERROR must be fixed before you can
expect Squid to run properly. Anything labeled WARNING should also be
looked into and fixed where possible to avoid odd or annoying behaviours.
Have you checked the release notes for all the skipped Squid-3.x versions?
While Squid operates mostly the same there have been some significant
changes to both HTTP and TLS/SSL in the last decade that result in some
very different visible behaviours at times.
If the problem(s) remain after doing the above please explain "not working".
What do you see _exactly_ which makes you think something is going
wrong? We need details of the problem to provide any useful help.
> Squid proxy not working when upgrade to 3.5 and it will not caching anything
>
The lack of caching is easily explained by reading the comments in your
config file(s):
> # Disable caching
> cache deny all
and
> # the proxy-only indicates that caching will not be performed.
> cache_peer ... proxy-only ...
You display two config files below. How does this relate to your Squid?
Are you running two proxies and how are they related?
> ----------------------------------------------------------------------------
>
> #Default:
> # windows_ipaddrchangemonitor on
>
> visible_hostname oul163.hkbb.edu.hk
> http_port 3128 accel vhost defaultsite=oul163.hkbb.edu.hk
> https_port 80 accel cert=/etc/squid/certs/ouhk.crt
> key=/etc/squid/certs/ouhk.key defaultsite=oul163.hkbb.edu.hk vhost
> protocol=https options=NO_SSLv3:NO_SSLv2
Port 80 is a reserved port for HTTP traffic. Not for HTTPS traffic.
> https_port 8000 accel cert=/etc/squid/certs/ouhk.crt
> key=/etc/squid/certs/ouhk.key defaultsite=oul163.hkbb.edu.hk vhost
> protocol=https options=NO_SSLv3:NO_SSLv2
> #https_port 8004 accel cert=/etc/squid/certs/ouhk.crt
> key=/etc/squid/certs/ouhk.key defaultsite=oul163.hkbb.edu.hk vhost
> protocol=https options=NO_SSLv3:NO_SSLv2
> https_port 8004 accel cert=/etc/squid/certs/ouhk2.crt
> key=/etc/squid/certs/ouhk2.key defaultsite=oul163.hkbb.edu.hk vhost
> protocol=https options=NO_SSLv3:NO_SSLv2
> #https_port 8005 accel cert=/etc/squid/certs/ouhk.crt
> key=/etc/squid/certs/ouhk.key defaultsite=oul163.hkbb.edu.hk vhost
> protocol=https options=NO_SSLv3:NO_SSLv2
> https_port 8005 accel cert=/etc/squid/certs/ouhk3.crt
> key=/etc/squid/certs/ouhk3.key defaultsite=oul163.hkbb.edu.hk vhost
> protocol=https options=NO_SSLv3:NO_SSLv2
FYI: Squid does understand line wrapping in the config. For very long
lines you can end a line with slash '\' and start the next with
whitespace to make it easier to read.
> #ssl_bump allow all
> # Disable the following one
> #ssl_bump options=NO_SSLv3
> #always_direct allow all
> # Disable the following one
> #sslproxy_cert_error allow all
> sslproxy_options NO_SSLv3:NO_SSLv2
> access_log /var/log/squid/access.log squid
> cache_effective_user squid
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
>
> # the proxy-only indicates that caching will not be performed.
> cache_peer 192.168.31.113 parent 8001 0 proxy-only name=prdhrms
> cache_peer_domain prdhrms prdhrms.hkbb.edu.hk
> cache_peer 192.168.31.134 parent 8005 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=uathrms ssloptions=NO_SSLv3:NO_SSLv2
> #cache_peer 192.168.31.134 parent 8005 0 ssl sslflags=DONT_VERIFY_DOMAIN
> proxy-only name=uathrms ssloptions=NO_SSLv3:NO_SSLv2
> cache_peer_domain uathrms uathrms.hkbb.edu.hk
> cache_peer 192.168.31.134 parent 8004 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=sithrms ssloptions=NO_SSLv3:NO_SSLv2
> cache_peer_domain sithrms sithrms.hkbb.edu.hk
> cache_peer 192.168.31.134 parent 8000 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=devhrms ssloptions=NO_SSLv3:NO_SSLv2
> #cache_peer 192.168.31.134 parent 8000 0 proxy-only originserver
> name=devhrms ssll sslcafile=/certs/star_ouhk_edu_hk.crt
> cache_peer_domain devhrms devhrms.hkbb.edu.hk
NP: cache_peer_domain is deprecated and has been removed from Squid-4
and later. You should replace these with cache_peer_access lines in
Squid-3 to avoid further problems on later upgrades.
Also, you are using reverse-proxy ports (accel vhost) but do not have
originserver set for any of the enabled cache_peer.
This is one of the major changes between HTTP/1.0 (Squid-2.x) and
HTTP/1.1 (Squid-3.x) that the origin servers have different syntax to
proxy traffic. Squid should be told accurately what type of peer it is
communicating with to properly optimize traffic performance and protocol
behaviours for the channel.
>
> # Create an additional ACL for local network access
> acl localip src 192.168.31.0/24
>
Squid-3 and later configs define the above as an ACL called "localnet".
> # access control list
> acl hrmsacl dstdomain .hkbb.edu.hk
> http_access allow hrmsacl
> #acl hrmsacl2 dstdomain devhrms.hkbb.edu.hk
> #cache_peer_access devhrms allow hrmsacl2
> cache_peer_access prdhrms allow hrmsacl
> cache_peer_access uathrms allow hrmsacl
> cache_peer_access sithrms allow hrmsacl
> cache_peer_access devhrms allow hrmsacl
> #cache_peer_access secure allow SSL_ports
>
> # Additional ACL definitions
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl purge method PURGE
> acl CONNECT method CONNECT
All of the above common ACL definitions are now built-in to Squid and
can be removed from the config file. They were incrementally changed
though, so see the output of squid -k parse for which ones in your
particular release.
>
> # Restrictions
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny all
These can be simplified to:
http_access deny !localhost
http_access allow manager
http_access allow purge
http_access deny all
>
> # Disable caching
> cache deny all
>
> logfile_rotate 10
>
The logfile_rotate default value is 10 unless your Squid has explicitly
been patched to use a different value (e.g. as done by Debian/Ubuntu).
In Squid-3 and later there is no need to define anything to its default
value. So the above line can probably be removed.
The below appears to be a different config file, but contains all the
same issues with cache_peer.
> oul163:/etc/squid # vi squid.conf
> cache_peer 192.168.31.113 parent 8001 0 proxy-only name=prdhrms
> cache_peer_domain prdhrms prdhrms.hkbb.edu.hk
> cache_peer 192.168.31.134 parent 8005 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=uathrms ssloptions=NO_SSLv3:NO_SSLv2
> #cache_peer 192.168.31.134 parent 8005 0 ssl sslflags=DONT_VERIFY_DOMAIN
> proxy-only name=uathrms ssloptions=NO_SSLv3:NO_SSLv2
> cache_peer_domain uathrms uathrms.hkbb.edu.hk
> cache_peer 192.168.31.134 parent 8004 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=sithrms ssloptions=NO_SSLv3:NO_SSLv2
> cache_peer_domain sithrms sithrms.hkbb.edu.hk
> cache_peer 192.168.31.134 parent 8000 0 ssl sslflags=DONT_VERIFY_PEER
> proxy-only name=devhrms ssloptions=NO_SSLv3:NO_SSLv2
> #cache_peer 192.168.31.134 parent 8000 0 proxy-only originserver
> name=devhrms ssll sslcafile=/certs/star_ouhk_edu_hk.crt
> cache_peer_domain devhrms devhrms.hkbb.edu.hk
>
> # Create an additional ACL for local network access
> acl localip src 192.168.31.0/24
>
> # access control list
> acl hrmsacl dstdomain .hkbb.edu.hk
> http_access allow hrmsacl
> #acl hrmsacl2 dstdomain devhrms.hkbb.edu.hk
> #cache_peer_access devhrms allow hrmsacl2
> cache_peer_access prdhrms allow hrmsacl
> cache_peer_access uathrms allow hrmsacl
> cache_peer_access sithrms allow hrmsacl
> cache_peer_access devhrms allow hrmsacl
> #cache_peer_access secure allow SSL_ports
>
> # Additional ACL definitions
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> # Restrictions
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny all
>
> # Disable caching
> cache deny all
>
> logfile_rotate 10
>
>
Amos
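As an added illustration (not part of Amos's reply nor of the original poster's files), here is how the quoted reverse-proxy fragment looks after applying the points above for Squid-3.5: originserver on each cache_peer, dstdomain ACLs with cache_peer_access in place of cache_peer_domain, the simplified http_access block, backslash line wrapping, and the built-in ACLs dropped. Hostnames, addresses and certificate paths are taken from the quoted config; moving the HTTPS listener from port 80 to 443 and using the CA file from the quoted commented-out line for peer verification are assumptions.

```squid
visible_hostname oul163.hkbb.edu.hk

# Listeners. Assumption: the HTTPS listener moves off port 80 to 443, the
# standard HTTPS port. Long lines end in '\' and continue with whitespace.
http_port 3128 accel vhost defaultsite=oul163.hkbb.edu.hk
https_port 443 accel vhost defaultsite=oul163.hkbb.edu.hk protocol=https \
    cert=/etc/squid/certs/ouhk.crt key=/etc/squid/certs/ouhk.key \
    options=NO_SSLv3:NO_SSLv2

# Each peer is an origin server behind this reverse proxy, so say so with
# originserver. proxy-only (and cache deny all) are dropped so that the
# proxy is actually allowed to cache responses.
cache_peer 192.168.31.113 parent 8001 0 originserver name=prdhrms
# TLS peers: verify the certificate against the CA file the quoted
# (commented-out) line used instead of sslflags=DONT_VERIFY_PEER.
# Assumption: that file is the right CA for these servers.
cache_peer 192.168.31.134 parent 8005 0 originserver name=uathrms \
    ssl sslcafile=/certs/star_ouhk_edu_hk.crt ssloptions=NO_SSLv3:NO_SSLv2
cache_peer 192.168.31.134 parent 8004 0 originserver name=sithrms \
    ssl sslcafile=/certs/star_ouhk_edu_hk.crt ssloptions=NO_SSLv3:NO_SSLv2
cache_peer 192.168.31.134 parent 8000 0 originserver name=devhrms \
    ssl sslcafile=/certs/star_ouhk_edu_hk.crt ssloptions=NO_SSLv3:NO_SSLv2

# cache_peer_domain is removed in Squid-4; one dstdomain ACL per peer plus
# cache_peer_access gives the same routing and a deny so nothing else leaks.
acl prdhrms_site dstdomain prdhrms.hkbb.edu.hk
acl uathrms_site dstdomain uathrms.hkbb.edu.hk
acl sithrms_site dstdomain sithrms.hkbb.edu.hk
acl devhrms_site dstdomain devhrms.hkbb.edu.hk
cache_peer_access prdhrms allow prdhrms_site
cache_peer_access prdhrms deny all
cache_peer_access uathrms allow uathrms_site
cache_peer_access uathrms deny all
cache_peer_access sithrms allow sithrms_site
cache_peer_access sithrms deny all
cache_peer_access devhrms allow devhrms_site
cache_peer_access devhrms deny all

# all, manager, localhost and to_localhost are built in to Squid-3.5 and are
# not redefined; purge is not, so it stays (confirm with "squid -k parse").
acl purge method PURGE
acl hrmsacl dstdomain .hkbb.edu.hk

# Published sites first, then the simplified manager/purge restrictions.
http_access allow hrmsacl
http_access deny !localhost
http_access allow manager
http_access allow purge
http_access deny all
```

Run "squid -k parse" against the result before reloading; logfile_rotate is left out because 10 is already the default.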