Dear Amos ,
Thanks so much for your help, I hope this changes makes more sense. I
have been following your comments and I feel squid is running better
than before.
The setting now feels more cleaner and squid out less errors, but
mainly now I'm suffering from one thing, sometimes , I get this error
:
clientNegotiateSSL: Error negotiating SSL connection on FD 355:
WSAENOTCONN, Socket is not connected. (10057)
clientNegotiateSSL: Error negotiating SSL connection on FD 356:
Resource temporarily unavailable (11)
Both servers are connected peer-to-peer (back-to-back) and a running
ping confirms connection is up all the time!
One thing to note about the above problem, that this mainly causing
errors in IE , saying that the certificate has expired (this is really
random and not sure what is wrong with it, waiting few minutes
certificate is OK again ! ).
Other than that, it's perfect !
Also I did those :
1- I have removed all http (port : 80 ) as this reverse proxy running
only on SSL. Also do I need all this Safe_Ports for a site that only
serves port 433 ?!
2- Removed cache & unwanted logs .
3- Still confused with defaultsite=www.eservices.mycompany.com , I
kinda got the point , but not sure what is the perfect alternative
(removing it caused a header error in browser ).
4- Also my rule "http_access allow all" I guess that is needed in
reverse proxy as I want to allow all to hit my site.
5- The redirector, mostly output blanks (99%) , and in rare event it
intercept and rewrite the url. for concurrent rewrite isn't why we can
load many helpers and that will help in concurrency? I'm good in
Threading in Java, but what I'm afraid of is to confuse squid , when
printing stuff out of order in multi-threaded application.
6-Not sure about this as it's a windows server , "refresh_pattern -i
(/cgi-bin/|\?) 0 0% 0"
7-finally , I wasn't able to get squid to work without
'sslflags=DONT_VERIFY_PEER"' , what is the impact ?
Once again, thanks for your help. You have no idea how much this is
helping me :)
Best Regards,
Alaa Murad
----------------------------------------------------------------------------------------
https_port 443 cert=C:/Interceptor/cert/baj.cert
key=C:/Interceptor/cert/baj.key
defaultsite=www.eservices.mycompany.com
cache_peer 192.168.1.2 parent 443 0 no-query no-digest originserver
ssl sslflags=DONT_VERIFY_PEER name=bajsite
redirect_children 25
redirect_rewrites_host_header on
redirect_program C:/java/bin/java.exe
-Djava.util.logging.config.file=C:/Interceptor/redirector/RedirectorLogging.properties
-jar C:/Interceptor/redirector/Redirector.jar
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log c:\squid\var\logs\access.log common
cache_log c:\squid\var\logs\cache.log
cache_store_log none
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/32
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8080
acl CONNECT method CONNECT
http_access allow to_localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_reply_access allow all
coredump_dir /var/spool/squid
forwarded_for on
redirect_rewrites_host_header on
buffered_logs on
never_direct allow all
cache deny all
On Wed, Feb 15, 2012 at 4:37 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 15/02/2012 2:26 a.m., ALAA MURAD wrote:
>>
>> Dear All,
>>
>> First thanks for this great great open source project, I would really
>> appropriated if someone could look at my configuration and ensure that
>> my configuration is correct and clean.
>
>
> Sure.
>
>
>>
>> We are doing a simple reverse proxy in our SSL :443 website. So far so
>> good, but sometimes I notice different kind of errors in the log file.
>>
>> I'm running M$ Windows Server and Squid 2.7, my proxy is 94.168.1.112
>> and connecting to the web server as back to back at 94.168.1.2
>>
>> I want :
>> * Reverse Proxy to keep working
>> * Redirector to keep working
>> * I don't want to server port 80 or any other ports only SSL
>> connection in this server.
>> * I don't want to cache anything
>>
>> Again my squid is working but I feel that the configuration need some
>> tweaking (and fat reduction!).
>>
>> Thanks in advance .
>>
>>
>> Here is my configurations :
>>
>> https_port 443 cert=C:/Interceptor/cert/mycompany.cert
>> key=C:/Interceptor/cert/mycompany.key defaultsite=www.mysite.com
>> cache_peer 192.168.1.2 parent 443 0 no-query originserver ssl
>> sslflags=DONT_VERIFY_PEER name=mycompanysite
>> acl mycompanyserver dstdomain www.mysite.com
>> redirector_access allow mycompanyserver
>
>
> http_port 443 and 80 using "defaultsite=www.mysite.com" forces (re-writes!)
> the URI domain value to be 'www.mysite.com'. This affects *all* traffic
> arriving at that port regardless of the actually requested domain from the
> client.
>
> This means that the ACL above will match *everything* arriving on those
> ports. You may as well remove the access control entirely (replace with
> "all" when used). Squid defaults to passing everrything to the redirector
> (if any) and the cache_peer_access below is also redundant . The recent
> releases are optimized for fast handling when a particular *_access is left
> at its default (unset) value.
>
>
>> redirect_children 20
>> redirect_rewrites_host_header on
>> redirect_program C:/java/bin/java.exe
>>
>> -Djava.util.logging.config.file=C:/Interceptor/redirector/RedirectorLogging.properties
>> -jar C:/Interceptor/redirector/Redirector.jar
>
>
> * What does this redirector do?
> * What does it output when there is no change to be made to the URI?
> (affects performance if non-empty result is sent back)
> * Can it handle concurrency or by updated to do so? (concurrency raises
> both speed and traffic handling capacity for these helpers)
>
> In general Redirectors/rewriters usually add problems. This is something to
> consider carefully whether it is needed. Depending on what this does it
> coulc be quite beneficial taking time to work out ACL tests for
> redirect_access that bypass it (deny) whenever possible.
>
>
>> cache_peer_access mycompanysite allow mycompanyserver
>> http_access allow mycompanyserver
>> http_port 80 accel defaultsite=www.mysite.com
>> cache_peer 192.168.1.2 parent 80 0 no-query originserver login=PASS
>
>
> What traffic is this peer supposed to be getting? just a backup server?
>
> The way your cache_peer are ordered means the port 443 one is preferred, and
> cache_peer_access permits all reverse-proxy traffic to use it. So the only
> reason this would be used is if the first one was overloaded or failed.
> This *is* a good setup to have the secure peer being preferred and insecure
> peer being a second-rate backup peer. Just pointing it out for anyone
> unaware of the behaviour.
>
>
>> #acl apache rep_header Server ^Apache
>> #broken_vary_encoding allow apache
>> cache_dir ufs c:/squid/var/spool 10000 16 256
>> cache_mem 256 MB
>> maximum_object_size_in_memory 32 KB
>> logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
>> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
>> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
>> access_log c:/squid/var/logs/access.log squid
>> cache_log c:/squid/var/logs/cache.log
>> cache_store_log c:/squid/var/logs/store.log
>
>
> This cache_store_log is usually not useful (it is a debug storage log). You
> can configure it as "none" to save a lot of CPU and disk cycles.
>
>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>
>
> Add:
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
>
>> refresh_pattern . 0 20% 4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl mydomain dstdomain mysite.com
>> acl myweb src 127.0.0.1
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>
>
> "myweb" and "localhost" are defined as the same thing. Consider using
> "localhost" ACL and dropping "myweb".
>
> NP: "/255.255.255.255" and "/32" can be dropped off IPv4 addresses for
> simplicity. It makes no diffference to Squid, and can help you and
> co-workers understanding of the ACL.
>
>> acl to_localhost dst 127.0.0.0/8
>
>
> Add "0.0.0.0/32" to the to_localhost definition.
>
>
>> acl SSL_ports port 443 # https
>> acl SSL_ports port 563 # snews
>> acl SSL_ports port 873 # rsync
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 81 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 873 # rsync
>> acl Safe_ports port 901 # SWAT
>> acl Safe_ports port 8080
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access allow purge myweb
>
> "localhost" and "myweb" beig the same test, you can drop the second of those
> purge lines.
>
> Also on the topic of purge. Consider carefully whether you actually need it
> (good use of cache-control/Expires header can avoid needing it).
> Removing all use of the "purge" (including the ACL definition earlier) will
> allow Squid to optimize a bit by skipping a lot of background cache
> management required by purge.
>
> pPS: below you use "cache deny all"
>
>
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access allow all
>> http_access allow mydomain
>
>
> "allow all" makes following "allow mydomain" and "deny all" useless. Having
> it present is a strong sign that something is wrong with the rest of the
> http_access controls or network design. In this case if it is required for
> reverse-proxy requests that means your "mycompanyserver" ACL definition is
> incomplete or incorrect.
>
> Also note the reverse-proxy config "http_access allow mycompanyserver" and
> the behavioud defaultsite= does to requests means none of these set of
> http_access lines has any effect on working reverse-proxy traffic. It is
> worth keeping them though and adding a http_port 3128 or similar for your
> Squid management requests to use. These http_access lines will have effect
> then on the requests coming in the management port, but will need some
> adaptations to match your policy of what such requests are allowed to do.
> "allow all" is not a good idea regardless.
>
>
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> cache_effective_group proxy
>> coredump_dir c:/squid/var/spool/squid
>> forwarded_for on
>> emulate_httpd_log on
>
>
> Drop emulate_httpd_log.
>
> Instead, change the access_log directive format option from "squid" to be
> "common".
>
>
>> redirect_rewrites_host_header on
>> buffered_logs on
>> never_direct allow all
>> cache deny all
>
>
> Ah. Not caching? (cache deny all)
> * this makes "purge" ACL and controls useless. Either drop the purge stuff
> above completely or start caching.
> * this also makes the ~10GB cache_dir you allocated useless. Nothing is
> allowed to be stored there. Either drop the cache_dir line or start caching.
>
>
> Hope this helps.
> Amos
Received on Fri Feb 17 2012 - 19:21:35 MST
This archive was generated by hypermail 2.2.0 : Sat Feb 18 2012 - 12:00:03 MST