Hello Amos,
I changed my squid.conf according your recommendations.
I'm facing a trouble that all IPs on unlimited_bandwidth file bypass
authentication.
If I remove my ip from unlimited_bandwidth file and check the
access.log working well:
[04/Oct/2012:08:20:25 -0300] leonardo.abrantes xxx.xxx.xxx.xxx CONNECT
TCP_MISS 200 www.google.com:443 (It's what I need)
however, if I put my ip that file, the authenticaiton is being ignored:
[04/Oct/2012:08:22:39 -0300] - xxx.xxx.xxx.xxx CONNECT TCP_MISS 200
www.google.com:443
####
http_port 3128
append_domain .contoso.local
cache_effective_user squid
cache_mem 2 GB
cache_effective_group squid
forwarded_for off
httpd_suppress_version_string on
visible_hostname proxy.contoso.local
retry_on_error on
pipeline_prefetch on
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --domain=contoso
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic --domain=contoso
auth_param basic children 20
auth_param basic realm Para prosseguir e necessario digitar seu login de rede.
auth_param basic credentialsttl 1 hours
acl localnetwork src 192.168.10.0/25
acl AuthorizedUsers proxy_auth -i "/etc/squid/default_access.acl"
acl unlimitedBandwidth src "/etc/squid/unlimited_bandwidth"
acl localhost src 127.0.0.1
acl java browser Java/1.4 Java/1.5 Java/1.6
cache_dir ufs /var/spool/squid 6144 16 256
coredump_dir /var/spool/squid
maximum_object_size_in_memory 1 MB
maximum_object_size 64 MB
minimum_object_size 0 KB
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 65536/65536
delay_access 1 deny unlimitedBandwidth localhost
delay_access 1 allow localnetwork
delay_access 1 deny all
logformat combined [%tl] %un %>a %rm %Ss %Hs %ru
access_log /var/log/squid/access.log squid
access_log /var/log/squid/gerencia.log combined
cache_store_log /var/log/squid/store.log
redirect_program /etc/squidGuard/bin/squidGuard -c
/usr/local/squidGuard/squidGuard.conf
redirect_children 30
http_access deny CONNECT !SSL_ports
http_access allow unlimitedBandwidth
http_access allow java
http_access allow AuthorizedUsers
http_access deny all
cache_swap_low 90
cache_swap_high 95
dns_nameservers 192.168.10.2 192.168.10.3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (zip|rar|tar\.gz|exe)$ 0 50% 259200
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_header_access All allow all
####
can you help me please ?
many thanks!!
On Wed, Oct 3, 2012 at 10:35 AM, Leonardo Bacha Abrantes
<leonardo_at_lbasolutions.com> wrote:
> Hey Amos!!
>
> Thank you so much for your explanation my friend!!!!!!!
>
> have you a guide to recommend about increase squid's performance ?
>
>
>
> On Tue, Oct 2, 2012 at 7:17 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 03.10.2012 01:42, Leonardo Bacha Abrantes wrote:
>>>
>>> Hi Guys,
>>>
>>> I'm facing problems with one specific site which run java. The site
>>> open a window of java requesting to enter the credentials of proxy
>>> continuously.
>>> How can I ignore the authentication for an specific site ?
>>>
>>
>> Like Kinkie already said, you will find an example in the wiki.
>>
>> there are a few strange things in your config which need fixing. Comments
>> inline below...
>>
>>
>>> Squid Cache: Version 3.1.10
>>>
>>>
>>> my squid.conf:
>>>
>>> http_port xxx.xxx.xxx.xxx:3128
>>> append_domain .contoso.local
>>> cache_effective_user squid
>>> cache_mem 4 GB
>>> cache_effective_group squid
>>> forwarded_for off
>>> httpd_suppress_version_string on
>>> visible_hostname myserver.contoso.local
>>> hierarchy_stoplist cgi-bin ?
>>
>>
>> You can remove hierarchy_stoplist from squid-3.1+. It has no purpose without
>> cache_peer entries and in those cases the default regex patterns are not
>> useful nowdays anyway.
>>
>>
>>> retry_on_error on
>>> pipeline_prefetch on
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp --domain=contoso
>>> auth_param ntlm children 25
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic --domain=contoso
>>> auth_param basic children 15
>>> auth_param basic realm Para prosseguir e necessario digitar seu login
>>> de rede.
>>> auth_param basic credentialsttl 1 hours
>>>
>>> acl localnetwork src 192.168.10.0/25
>>> acl AuthorizedUsers proxy_auth -i "/etc/squid/default_access.acl"
>>> acl unlimitedBandwidth src "/etc/squid/unlimited_bandwidth"
>>> acl localhost src 127.0.0.1
>>>
>>> acl java browser Java/1.4 Java/1.5 Java/1.6
>>> http_access allow java
>>>
>>> cache_dir ufs /var/spool/squid 6144 16 256
>>> coredump_dir /var/spool/squid
>>> maximum_object_size_in_memory 1 MB
>>> maximum_object_size 64 MB
>>> minimum_object_size 0 KB
>>>
>>> acl manager proto cache_object
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 8080 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl purge method PURGE
>>> acl CONNECT method CONNECT
>>>
>>>
>>> delay_pools 2
>>>
>>> delay_class 1 2
>>> delay_parameters 1 -1/-1 -1/-1
>>> delay_access 1 allow unlimitedBandwidth localhost
>>> delay_access 1 deny all
>>
>>
>> You can remove this pool entirely. It does nothing but waste CPU calculating
>> bandwidth usage by the matched transactions.
>>
>>
>>
>>>
>>> delay_class 2 2
>>> delay_parameters 2 -1/-1 65536/65536
>>> delay_access 2 allow localnetwork !unlimitedBandwidth !localhost
>>> delay_access 2 deny all
>>
>>
>> Um, so limit people from the localnetwork who are not in unlimited
>> Bandawidth AND not going to localhost?
>> Meaning anyone outside the unlimitedBandwidth contacting the localhost has
>> unlimited speed.
>>
>>
>> The earlier pool seems to be acting as a complicated replacement for
>> "delay_access 2 deny unlimitedBandwidth localhost". So, I suspect you
>> actually want:
>>
>>
>> delay_pools 1
>> delay_class 1 2
>> delay_parameters 1 -1/-1 65536/65536
>>
>> delay_access 1 deny unlimitedBandwidth localhost
>> delay_access 1 allow localnetwork
>>
>> delay_access 1 deny all
>>
>>
>>>
>>> http_reply_access allow AuthorizedUsers
>>
>>
>> Remove the above http_reply_access line.
>>
>> It is FAR too late to bother with starting authentication. The remote server
>> has already been passed the request and is sending or sent the reply back
>> before the http_reply_access ever gets checked.
>>
>> You also have "http_access allow java" above, and several lines below which
>> bypasses authentication on requests. Doing auth on reply for those requests
>> will cause the client requests to happen, then present an auth page as the
>> response instead of whatever the server actually produced.
>>
>>
>>
>>> logformat combined [%tl] %un %>a %rm %Ss %Hs %ru
>>> access_log /var/log/squid/access.log squid
>>> access_log /var/log/squid/gerencia.log combined
>>> cache_store_log /var/log/squid/store.log
>>>
>>> redirect_program /etc/squidGuard/bin/squidGuard -c
>>> /usr/local/squidGuard/squidGuard.conf
>>> redirect_children 30
>>>
>>> http_access allow localhost unlimitedBandwidth SSL_ports
>>> http_access allow unlimitedBandwidth
>>
>>
>> NP: unlimitedBandwidth also has sub-meaning of "unlimited access
>> permissions". So allowing them access to localhost SSL ports specially as
>> well as "anywhere" is not useful and wastes CPU.
>>
>>
>>
>>> http_access allow AuthorizedUsers
>>> http_access deny CONNECT !SSL_ports
>>> http_access deny all
>>>
>>
>> A series of deny lines ending with "deny all" is almost meaningless. The
>> only way they could be useful is if it were testing some external ACL lookup
>> which had side effects on the transaction (user credentials assignment,
>> transaction tagging, deny_info redirect, etc).
>>
>> The "deny CONNECT !SSL_ports" is also a basic security measure to prevent
>> clients performing blind TCP tunnels (CONNECT requests) over the proxy to
>> any port they choose. Your "allow java" and "allow unlimitedBandwidth" being
>> above this are opening massive security holes through your proxy.
>>
>>
>> In summary, I recommend changing your http_access lines to:
>>
>> http_access deny CONNECT !SSL_ports
>> http_access allow unlimitedBandwidth
>> http_access allow java
>> http_access allow AuthorizedUsers
>>
>> http_access deny all
>>
>>
>>>
>>> cache_swap_low 90
>>> cache_swap_high 95
>>>
>>> dns_nameservers 192.168.10.2 192.168.10.3
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i exe$ 0 50% 259200
>>> refresh_pattern -i zip$ 0 50% 259200
>>> refresh_pattern -i rar$ 0 50% 259200
>>> refresh_pattern -i tar\.gz$ 0 50% 259200
>>
>>
>> The above can compact down to:
>> refresh_pattern -i (zip|rar|tar\.gz|exe)$ 0 50% 259200
>>
>>
>> Although I rather think you mean it to be:
>> refresh_pattern -i \.(zip|rar|tar\.gz|exe)$ 0 50% 259200
>>
>>
>>
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> request_header_access All allow all
>>
>>
>> NP: permitting transaction request headers through the proxy is default. You
>> can remove the above request_header_access line.
>>
>>
>>
>> HTH
>> Amos
>>
Received on Thu Oct 04 2012 - 11:44:54 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 04 2012 - 12:00:03 MDT