Thanks Amos for your input, I will work through it.
Our security is done in the core (i.e. you can't get out of our network without going through the core). That is why we have the http_access allow all line, without it being locked down further.
Also you are correct about the slow links, the sites with caching appliances have generally a 512kbps link, shared with 50 computers. The local cache box is to get the most out of the link as possible.
Though how would it explain pointing their proxy to the upstream proxy and it working? (i.e. it's going over the same slow links).
The parent proxy has a 100MB link to an ISP.
________________________________________
From: Amos Jeffries [squid3_at_treenet.co.nz]
Sent: Friday, 12 June 2009 11:48 AM
To: web
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Web mail attachments page cannot display
web wrote:
> Hi, I have 500 squidnt 2.7 stable 5 appliances out at distributed
> offices. It is being reported to me that when connected to the local
> caching appliance, intermittently they are getting page cannot
> display messages when using webmail and adding attachments. If they
> point to the upstream (parent) cache, they are not experiencing the
> problem. What I have tried, is to put the URL for the webmail in the
> nocache.conf file, so it doesn't cache this information, therefore I
> would assume that it's going direct (much the same way as if they
> pointed their caching appliance to upstream server).
You assume wrong. "no_cache" directive is an obsolete spelling of
"cache" directive.
The only way to make requests go directly to an outside server without
involving Squid is to do it at the browser (explicit settings or
WPAD/PAC file) or the firewall (interception bypass rules).
Once the request reaches Squid it's too late not to handle it.
> The upstream
> (core) squid appliance is managed outside our company, so we don't
> have anything to do with it, but it shouldn't matter either as it
> works pointing directly to it. Does anyone have any suggestions to
> what I could try or what I am doing wrong? I have pasted the local
> caching appliance config to help with identifying the problem.
> Thanks in advance.
>
'always_direct' is the directive to make Squid use a direct link to the
outside server instead of one of the cache_peer links.
I'd try setting:
always_direct allow nocache
Which will cut the proxy hierarchy to one layer and improve the chances
of a successful request.
I've seen this type of thing with a slow link and large uploaded file
(order of MB such as MS office generated files).
Amos
> http_port 8080
> cache_peer proxy.xxxxxxxx parent 8080 3130 no-query default login=PASS
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
change that to "cache deny"
> cache_mem 32 MB
> maximum_object_size 30720 KB
> cache_dir aufs d:/squid/var/cache 60000 16 256
60GB of storage with a 30MB absolute cap on object size...
cap of 32MB worth of objects stored in RAM-cache at any point.
> auth_param digest children 5
> auth_param digest realm Squid proxy-caching web server
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl snmppublic snmp_community xxxxxxxxxx
> acl snmpprivate snmp_community xxxxxxxxxx
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl block url_regex -i "d:/squid/var/logs/block.conf"
> acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
> acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
> no_cache deny nocache
> http_access deny block !unblock
Two regex ACLs in a row. See how much of that you can alter into
dstdomain or such. It's much faster.
Best configuration for regex is where a fast ACL like dstdomain is
tested first to short-circuit the regex from being needed on as much
traffic as possible.
> http_access allow all
Eeek! Mostly-open proxy. Better define some security on that right quick.
Start with an ACL defining what the local client networks are.
If you intended this as an accelerator then please use the recommended
accelerator configs to secure your destinations.
http://wiki.squid-cache.org/ConfigExamples
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr webmaster
> visible_hostname SquidNT.proxy.local
> always_direct deny all
> never_direct allow all
> snmp_port 3401
> snmp_access allow snmppublic
> snmp_access allow snmpprivate
> snmp_access deny all
> snmp_incoming_address 0.0.0.0
> snmp_outgoing_address 255.255.255.255
> coredump_dir d:/squid/var/cache
> access_log d:/squid/var/logs/access.log squid
> cache_log d:/squid/var/logs/cache.log
> mime_table d:/squid/var/logs/mime.conf
> cache_store_log d:/squid/var/logs/store.log
Well, you can set that to "none"; the store log is mostly a deep debug
info log.
> redirect_program c:/Perl/bin/perl.exe d:/squid/var/logs/redirector.pl
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1

Received on Fri Jun 12 2009 - 06:03:49 MDT
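As an added example (not part of the thread, and not Amos's or web's own config), the squid.conf fragment below pulls together the changes Amos suggests for the local caching appliance, with each original line kept as a comment beside its replacement. It assumes the ACLs already defined in the posted config (manager, localhost, Safe_ports, SSL_ports, CONNECT, QUERY, block, unblock, nocache) are still present, and uses 10.0.0.0/8 and the block_domains.conf file name as constructed placeholders for the real branch-office ranges and domain list.

```conf
# Added example: hardened fragment for the branch caching appliance.
# Assumes the ACLs from the posted squid.conf are still defined above.

# 1. Define the local client networks. 10.0.0.0/8 is a constructed
#    placeholder; use the real branch LAN range(s).
acl localnet src 10.0.0.0/8

# 2. Put a fast dstdomain ACL in front of the slow url_regex ones.
#    ACLs on one http_access line are ANDed left to right, so the regex
#    is only evaluated for requests whose domain already matched.
#    block_domains.conf is a constructed file name (one domain per line).
acl block_domains dstdomain "d:/squid/var/logs/block_domains.conf"

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny block_domains block !unblock
# was:  http_access allow all    (mostly-open proxy: any source could relay)
http_access allow localnet
http_access deny all

# 3. "no_cache" is the obsolete spelling of the "cache" directive.
# was:  no_cache deny QUERY
# was:  no_cache deny nocache
cache deny QUERY
cache deny nocache

# 4. Send the webmail URLs direct instead of through the parent peer.
#    always_direct is first-match, so the allow line must come before
#    the existing "always_direct deny all".
always_direct allow nocache
always_direct deny all
never_direct allow all
```

After reloading, a quick sanity check is to confirm from a host outside the localnet range that the appliance now returns an access-denied page rather than relaying the request, and from inside it that an upload to the webmail URL in nocache.conf appears in access.log with a DIRECT hierarchy code rather than the parent's.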