Hi List,
I'm trying to get access to me.com working on my test proxy, but I keep
getting a timeout in my browsers: (110) Connection timed out. Access log
shows TCP_MISS/503. I have tried disabling various things to see if I can
get it working: authentication, send direct – even allow all at the top but
no joy.
On 3stable20 I've had this working ok..
Any help/pointers gratefully received,
Thanks
===
Squid 3.1.8 conf:
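# Listening port for client (forward-proxy) requests.
http_port 8080

# --- Authentication helpers ---
# Schemes are offered to clients in the order configured here:
# Negotiate (Kerberos), then NTLM, then Basic.
# NOTE(review): the startup=/idle= arguments on the "children" lines look like
# the dynamic-helper options of later Squid releases - confirm that this 3.1.8
# build actually honours them rather than silently ignoring them.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 120 startup=70 idle=10
auth_param negotiate keep_alive on
# The helper command must be on ONE line in squid.conf; the mail client had
# wrapped the --helper-protocol argument onto its own line.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 60 startup=20 idle=5
auth_param ntlm keep_alive on
# Basic is the fallback scheme. Its credentials are only base64-encoded, so on
# a plain http_port they cross the client<->proxy link effectively in clear.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
# "idle =2" in the original post had a stray space before "=".
auth_param basic children 20 startup=10 idle=2
auth_param basic realm Squid proxy-caching web server
# A validated Basic username/password pair is reused for this long before the
# helper is asked again.
auth_param basic credentialsttl 2 hours
authenticate_ttl 1 hour

# --- Memory, DNS caches, file descriptors ---
cache_mem 1024 MB
fqdncache_size 2048
ipcache_size 2048
ipcache_low 90
ipcache_high 95
maximum_object_size_in_memory 100 KB
max_filedesc 8072

# --- Upstream proxy ---
# Single parent proxy on HTTP port 8080, ICP port 0: no ICP queries, no cache
# digests, objects fetched through it are not stored locally, and it is the
# default (last-resort) peer.
cache_peer [omitted] parent 8080 0 no-query proxy-only no-digest default

# --- Cache manager ---
cache_mgr [omitted]
# One password for every cache manager action. It is stored in clear text in
# this file, so squid.conf should not be world-readable.
cachemgr_passwd [omitted] all

# --- Connection persistence ---
client_persistent_connections on
#server_persistent_connections on
persistent_connection_after_error on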
## LOG LOCATIONS
# access.log is written in the native "squid" format, which records the result
# code (e.g. TCP_MISS/503) and the hierarchy code/next hop for each request.
# NOTE(review): only access_log takes a log-format name; the trailing "squid"
# on cache_store_log and cache_log is presumably ignored - confirm against the
# squid.conf documentation for this release.
access_log /var/log/squid/access.log squid
# Store log disabled.
cache_store_log none squid
# cache.log receives Squid's own diagnostics, including helper, ICAP and
# peer/connect errors.
cache_log /var/log/squid/cache.log squid
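## USER-AGENT (Browser-type) ACLs
# "browser" ACLs are regex matches on the request's User-Agent header. That
# header is supplied by the client, so these ACLs describe what a client claims
# to be, not what it is.
acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt"
acl MSNMessenger browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt"
## USER AUTHENTICATION ACLs
# Matches any request carrying valid credentials for one of the configured
# auth_param schemes; a request without credentials gets challenged.
acl AuthenticatedUsers proxy_auth REQUIRED
## URL DESTINATION ACLs
# The acl name, type and file path must be on ONE line in squid.conf; the mail
# client had wrapped the quoted path onto its own line here and in the
# SENDDIRECT ACLs further down.
acl URL_ALLOWDstDomains dstdom_regex "/etc/squid/ACL/URL/URL_ALLOWDstDomains.txt"
## URL Regex
acl URL_AllowRegex url_regex -i "/etc/squid/ACL/URL/URL_ALLOWRegex.txt"
## IP ACLS ##
acl CLIENTIP src "/etc/squid/ACL/IPADDRESSES/IP_CLIENTIP.txt"
## Windows Update ACLS
acl WSUS_IP src 172.16.10.127
# LAN IP ACLs
acl 172SUBNETS src 172.16.0.0/16
# SERVERSUBNETS is defined but not referenced by any rule shown in this config.
acl SERVERSUBNETS src 172.16.10.0/24
acl SERVERSUBNETS src 172.16.100.0/24
# Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
# The pattern is anchored at the start of the URL. A CONNECT request's URL is
# "host:port", so an IP literal matches; an "http://1.2.3.4/" URL starts with
# the scheme and presumably does not - verify if plain-HTTP requests to IP
# literals are meant to be covered too.
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# MSN Messenger Allow IP ACL
acl IP_MSNMessenger src "/etc/squid/ACL/IPADDRESSES/IP_MSNMESSENGER.txt"
# SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdom_regex "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
# Note: this one is a *client* (src) address list, not a destination list.
acl SENDDIRECT_IPAddresses src "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"
# CONNECT Method Direct IP ACLs
acl IP_CONNECTALLOW src "/etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt"
## LOCALHOST ACLs
# NOTE(review): IPv4 loopback only; if this build is IPv6-enabled, ::1 is not
# covered by either ACL - confirm whether that matters here.
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
## CACHEMGR ACL
acl manager proto cache_object
## PORTS ACLs
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
# (a duplicated "port 70" line from the original post was dropped)
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# Every unprivileged port counts as "safe"; together with the CONNECT rule in
# the http_access section this decides which ports clients can tunnel to.
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP
# CONNECTION METHOD ACL
acl CONNECT method CONNECT
acl POST method POST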
######### ICAP SERVER #########
## ICAP-specific ACLs - required to be placed before ICAP settings
acl ICAP_BYPASS dstdom_regex "/etc/squid/ACL/ICAP/ICAP_BYPASS_URL.txt"
## ICAP Settings
icap_enable on
icap_preview_enable on
icap_persistent_connections on
# The client IP and the authenticated username are forwarded to the ICAP
# service; the username travels in the X-Authenticated-User header and, with
# "encode on", is base64-encoded (an encoding, not a protection).
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
# Request-modification service on the local host. The third argument (0) is the
# bypass flag in this positional syntax: with 0 the service is not bypassable,
# so a request that should be adapted fails if the ICAP server is unreachable -
# worth ruling out via cache.log when chasing unexplained 5xx responses.
icap_service ss reqmod_precache 0 icap://localhost:1344/ssreqmod
icap_service_revival_delay 60
adaptation_service_set c1 ss
# adaptation_access is first-match, like http_access: "deny" here means the
# request is NOT sent to ICAP, i.e. it skips whatever filtering/scanning the
# ICAP service performs.
adaptation_access c1 deny ICAP_BYPASS
# We don't check for auth for these either, so no point sending them to ICAP
# NOTE(review): this exempts every POST request from ICAP inspection.
adaptation_access c1 deny POST
# With the next line commented out, CONNECT requests are sent to ICAP.
#adaptation_access c1 deny CONNECT
adaptation_access c1 deny URL_ALLOWDstDomains
adaptation_access c1 deny URL_AllowRegex
adaptation_access c1 deny CLIENTIP
adaptation_access c1 deny WSUS_IP
# NOTE(review): iTunes and Java_jvm are User-Agent matches, and the User-Agent
# header is client-supplied, so these two exemptions rest on an unverified
# claim by the client.
adaptation_access c1 deny iTunes
adaptation_access c1 deny Java_jvm
# Check everything else
adaptation_access c1 allow all
## CACHEMGR ALLOW
# http_access rules are evaluated top to bottom and the first matching line
# decides; all ACLs on one line are ANDed.
# This allow sits above every deny below, so cache manager requests from
# anywhere in 172.16.0.0/16 are accepted here; the only other control visible
# in this config is cachemgr_passwd.
http_access allow manager 172SUBNETS
## GLOBAL DENY RULES
http_access deny !Safe_ports
http_access deny to_localhost
# Because of the AND, CONNECT to a non-443 port is denied only for clients
# OUTSIDE 172.16.0.0/16. Clients inside that range may CONNECT to any
# Safe_ports port (including 1025-65535) unless a later rule stops them.
# The stock rule is the stricter "http_access deny CONNECT !SSL_ports".
# NOTE(review): the ACL is defined as SSL_ports but spelled SSL_Ports here and
# on the next line; this relies on ACL name lookup ignoring case - confirm.
http_access deny !SSL_Ports !172SUBNETS CONNECT
# Same AND logic: POST is denied only when the port is neither 443 nor 1935
# and the client is outside 172.16.0.0/16.
http_access deny !SSL_Ports !RTMP_ports !172SUBNETS POST
# MSN Messenger user agents are denied for LAN clients not in the MSN IP list.
http_access deny 172SUBNETS !IP_MSNMESSENGER MSNMessenger
# Requests whose URL starts with an IP literal are denied unless the client is
# in the IP_CONNECTALLOW list.
http_access deny !IP_CONNECTALLOW StopDirectIP
http_access deny !172SUBNETS iTunes
http_access deny !172SUBNETS Java_jvm
# USER AGENTS ALLOW #
# NOTE(review): these two rules grant access BEFORE the authentication rule,
# based only on source subnet plus the client-supplied User-Agent header. Any
# LAN request whose User-Agent matches is allowed unauthenticated.
http_access allow 172SUBNETS iTunes
http_access allow 172SUBNETS Java_jvm
# URL and IP DESTINATIONS NOT REQUIRING AUTHENTICATION
http_access allow URL_ALLOWDstDomains
http_access allow URL_ALLOWRegex
http_access allow CLIENTIP
http_access allow WSUS_IP
#Auth
# Everything that reaches this line must authenticate.
http_access allow AuthenticatedUsers
## SEND DIRECT ALLOW
# always_direct is a separate access list from http_access; its position among
# the http_access lines does not change how either list is evaluated.
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses
## LOCAL HOST ALLOW ##
# NOTE(review): this comes after the proxy_auth rule, so a request from
# 127.0.0.1 without credentials is presumably challenged above and never
# reaches this line - confirm whether localhost was meant to bypass auth.
http_access allow localhost
###### CATCH ALL DENY ######
# Every request not matched by always_direct above must go through the
# cache_peer parent. When a request ends in TCP_MISS/503 with a connect
# timeout, the hierarchy field of the access.log entry shows whether the
# attempt went to the parent or direct to the origin.
never_direct allow all
snmp_access deny all
#cache deny all
http_access deny all
-- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/me-com-TCP-MISS-503-tp3319397p3319397.html Sent from the Squid - Users mailing list archive at Nabble.com.Received on Tue Feb 22 2011 - 15:37:28 MST