Re: [squid-users] squid cache problem

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 15 Apr 2009 10:15:30 -0800

Luciano Sousa wrote:
> Hello.
>
> I'm having a problem with idiot.
> at least once every two days I have to clear the cache of my squid,
> because it begins to deny all access, probably because it is full ...
>

Your cache.log (/usr/local/squid/logs/cache.log) might give more
information on what's going on.

> my squid.conf
>
> http_port 3128
> icp_port 3128
> hierarchy_stoplist cgi-bin ?
> cache_mem 500 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 4096 KB
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> cache_dir ufs /usr/local/squid/cache 1500 32 256
> cache_access_log /usr/local/squid/logs/access.log
> pid_filename /usr/local/squid/logs/squid.pid
> acl manager proto cache_object
> cache_log /usr/local/squid/logs/cache.log
> cache_store_log /usr/local/squid/logs/store.log
>
> logformat logluciano IP do cliente: %>a - Username: %un - Horario:
> [%tl] - Metodo: %rm - URL: %ru - Status HTTP: %Hs - Status Squid: %Ss
> - Porta: %>p
> cache_access_log /usr/local/squid/logs/logteste.log logluciano
>
> auth_param ntlm program /usr/bin/ntlm_auth domain/pdc
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param basic children 5
> auth_param basic realm Digite o LOGIN/SENHA
> auth_param basic credentialsttl 1 minute
> auth_param basic casesensitive off
>
> external_acl_type nt_group %LOGIN /usr/local/squid/etc/wbinfo_group.pl
> acl AllowedWindowsGroups external nt_group testnet
> http_access allow AllowedWindowsGroups
>
> acl localhost src 127.0.0.1/255.255.255.255
> acl redelocal src 192.168.1.0/24
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 6959 #mirc
> acl Safe_ports port 900 #mirc
> acl Safe_ports port 23 #smtp
> acl Safe_ports port 143 #imap
>
> acl CONNECT method CONNECT
> acl acesso proxy_auth REQUIRED
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow acesso
> http_access allow redelocal
>

For what it's worth, you are allowing unauthenticated requests from your
local network. Authentication is requested, the client is allowed if
authentication is provided (but not denied if it's not). The next step
checks the client's source IP and allows based on that (with an implicit
deny following). Perhaps that's to plan, but I thought it might be
worth a mention.

> icp_access allow all
> debug_options ALL,1 33,2
>
>
> Thanks.
>

Chris
Received on Wed Apr 15 2009 - 18:15:37 MDT
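
The following check is an added example, not part of the original thread or of Squid itself. It scans squid.conf text for `http_access allow` rules that reference no login-based ACL (`proxy_auth`, or an `external` ACL whose helper receives `%LOGIN`), which is the pattern pointed out in the reply above. The `STRICT` variant is an assumed alternative for sites that want both the source network and a login to be required; the function name and variable names are hypothetical.

```python
import re

# Excerpt of the squid.conf quoted in the message above (ACL and access lines only).
POSTED = """\
external_acl_type nt_group %LOGIN /usr/local/squid/etc/wbinfo_group.pl
acl AllowedWindowsGroups external nt_group testnet
http_access allow AllowedWindowsGroups
acl redelocal src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl acesso proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow acesso
http_access allow redelocal
"""

# Assumed alternative (not from the thread): source network AND login on one line.
STRICT = POSTED.replace("http_access allow acesso\nhttp_access allow redelocal\n",
                        "http_access allow redelocal acesso\nhttp_access deny all\n")

AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}


def unauthenticated_allows(conf):
    """Return http_access allow rules that no user-identifying ACL guards."""
    login_helpers, auth_acls, findings = set(), set(), []
    for raw in conf.splitlines():
        tok = re.sub(r"\s#.*$", "", raw).split()   # drop trailing comments
        if len(tok) < 3:
            continue
        if tok[0] == "external_acl_type" and any(t.startswith("%LOGIN") for t in tok[2:]):
            login_helpers.add(tok[1])              # helper receives the username
        elif tok[0] == "acl":
            name, kind = tok[1], tok[2]
            if kind in AUTH_TYPES or (kind == "external" and len(tok) > 3 and tok[3] in login_helpers):
                auth_acls.add(name)
        elif tok[0] == "http_access" and tok[1] == "allow":
            # A negated auth ACL (!name) does not require a login, so ignore it.
            if not any(a in auth_acls for a in tok[2:] if not a.startswith("!")):
                findings.append(" ".join(tok))
    return findings


if __name__ == "__main__":
    print("posted:", unauthenticated_allows(POSTED))
    print("strict:", unauthenticated_allows(STRICT))
```

The check is purely textual: it reports which allow rules lack a login ACL and does not model how Squid evaluates or challenges a request at run time.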
