Re: [squid-users] Squid not caching, plz help

From: Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
Date: Sat, 04 Jun 2011 16:33:45 +0300

Seems like Amos gave you many things to see the result in...

Eliezer

On 04/06/2011 12:08, Amos Jeffries wrote:

> On 04/06/11 09:16, MrNicholsB wrote:
>> Ok, I've had squid3 running rock solid for months. I recently migrated
>> from Ubuntu 9 to 10.04 and now Squid is clearly not caching, but traffic
>> IS passing through it. My conf is the same as it was before but now I'm
>> getting an error in cache.log every time squid gets a request. Any help
>> would be great, I'm sure it's something simple I'm just not seeing... THANK
>> YOU!!
>>
>>
>> ERRORs from cache.log
>> ==============================
>> 2011/06/03 13:57:32| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST)
>> failed: (92) Protocol not available
>
> You have a http_port configured with "transparent" or "intercept".
> Telling Squid to lookup NAT for the IP details.
> It is being sent traffic which apparently never went through NAT.
> Your access.log will contain lies about what client IP was making the
> request. *THIS IS BAD*. Your squid.conf is making you vulnerable to
> security attack CVE-2009-0801
>
> Solution:
> * pick a random port number for the NAT-to-Squid packet arrival. Use
> a second port for regular proxy requests.
>
> * follow the config details for iptables "mangle" table:
> http://wiki.squid-cache.org/ConfigExamples/LinuxDnat
>
>
>
>>
>> =======================
>> #squid.conf
>>
>> visible_hostname central.server
>> http_port 3128 transparent
>> icp_port 0
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>>
>> dns_nameservers 127.0.0.1
>> cache_swap_low 95
>> cache_swap_high 98
>> access_log /var/log/squid3/access.log
>> cache_mem 2048 MB
>> memory_pools on
>> maximum_object_size_in_memory 50 MB
>> log_icp_queries off
>> cache_mgr Admin_at_meatspin.com
>> cache_dir ufs /var/spool/squid3 20000 32 256
>>
>>
>> acl localhost src 127.0.0.1/32
>> acl manager proto cache_object
>> acl our_networks src 10.10.1.0/24
>>
>> acl localnet src 127.0.0.1/255.255.255.255
>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain download.windowsupdate.com
>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>> acl windowsupdate dstdomain c.microsoft.com
>> acl windowsupdate dstdomain www.download.windowsupdate.com
>> acl windowsupdate dstdomain wustat.windows.com
>> acl windowsupdate dstdomain crl.microsoft.com
>> acl windowsupdate dstdomain sls.microsoft.com
>> acl windowsupdate dstdomain productactivation.one.microsoft.com
>> acl windowsupdate dstdomain ntservicepack.microsoft.com
>> acl SSL_ports port 443
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>>
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl wuCONNECT dstdomain www.update.microsoft.com
>>
>> http_access allow our_networks
>> http_access allow localnet
>
> "our_networks" and "localnet" both mean "LAN" in Squid terminology.
> They are the same, one is the Squid-2 default ACL name, one is the
> Squid-3 default naming.
>
> Though you have configured "localnet" to mean IPv4-only localhost.
> You could alter the localhost definition to mean that.
>
>
>> http_access allow CONNECT wuCONNECT our_networks
>> http_access allow windowsupdate our_networks
>
> The windows update config is only necessary when you have enabled
> features such as authentication which Windows update cannot handle.
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow all
>
> "allow all" in a proxy which intercepts traffic is amazingly unsafe.
>
>
>
> Since I'm tired of repeating myself day after day about what these
> default ACLs actually mean and why breaking the defaults is BAD...
> Please read http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls
>
> In short:
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow our_networks
> http_access allow localhost
> http_access deny all
>
>
> Notice how this is almost exactly the upstream default configuration.
> The only change you have needed is to define the LAN IP range ACL.
>
> Amos
Received on Sat Jun 04 2011 - 13:33:53 MDT
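Amos's point about http_access ordering can be checked offline. The following is an added example, not code from the thread or from the Squid project: a minimal first-match evaluator run over the two http_access orderings quoted above, using a constructed subset of the posted ACL definitions (the windowsupdate/wuCONNECT dstdomain lines are left out because they sit below "allow our_networks" in the posted order and cannot change the outcomes shown).

```python
import ipaddress

# Constructed subset of the thread's ACL definitions (src, port, method, proto
# only). The windowsupdate/wuCONNECT dstdomain lines are omitted: they sit below
# "allow our_networks" in the posted order and cannot change the outcomes below.
ACLS = {
    "localhost": ("src", ["127.0.0.1/32"]), "localnet": ("src", ["127.0.0.1/32"]),
    "our_networks": ("src", ["10.10.1.0/24"]), "all": ("src", ["0.0.0.0/0"]),
    "manager": ("proto", ["cache_object"]), "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", ["443"]),
    "Safe_ports": ("port", ["21", "80", "443", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
}

# http_access lines in the order posted in the thread, and in Amos's order.
POSTED = ["allow our_networks", "allow localnet", "deny !Safe_ports",
          "deny CONNECT !SSL_ports", "allow localhost", "allow manager localhost",
          "deny manager", "allow all"]
RECOMMENDED = ["allow manager localhost", "deny manager", "deny !Safe_ports",
               "deny CONNECT !SSL_ports", "allow our_networks", "allow localhost",
               "deny all"]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":  # single ports or lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    return req[kind] in values  # method / proto: exact match

def http_access(rules, req):
    """First matching line wins; every term on the line must match and a
    leading '!' negates. With no match, the opposite of the last action applies."""
    for rule in rules:
        action, *terms = rule.split()
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1].startswith("allow") else "allow"

def req(src, port=80, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}
```

Compare `http_access(POSTED, r)` with `http_access(RECOMMENDED, r)` for a LAN client hitting a non-Safe port, a client outside 10.10.1.0/24, or a LAN client requesting cache_object: the posted order allows all three, the recommended order denies them.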
