Re: [squid-users] Re: SquidGuard not filtering

OK Vignesh,(am I right about the name?)

Couple things:
* squid 3.1.10 is pretty old compared to squid main development branch.
* We are not squidGuard but we can help try to help you.

If you can try to use the newer RPMs like for version 3.3.
You can find the latest RPM for CentOS at my repo and all the details
are at the bottom of this post in the mailing list:
http://www.squid-cache.org/mail-archive/squid-users/201311/0160.html

I do intend to release the 3.3.11 RPM in the next couple days and you
can wait a bit for that if you want.

There is a Debug Section inside squid that can be used to find the
source of the problem.
I am not sure what the issue with your squidGuard setup but since it's
version 1.4 I think it's a self compiled one..
In this case I would try to make sure that the permissions for all
squidGuard files are OK to allow all the needed users the right permissions.
If you would like to "simulate" squidGuard runtime the basic thing to do
is to get a command line using "su" command as the squid user.
Then you can navigate into the right location and then to run the
command using the same arguments you used at squid.conf.
You could then see if there is an issue that you can understand and see
that can cause your problems.
It can be permissions to the DB or another file\directory then the
executable one.

I would recommend you to use a 302 response instead of the
"http://www.google.com".
It can be used for example as
"302:http://domain.internal/blocked.php?you_got_blocked_by_squid" and
this will not lead the client\browser to cache the page in a way it was
not suppose to.
(I do not remember if the 302 syntax is like that)

Note that squid 3.3 has lots of resolved issues since 3.1.10 and also
couple advancements.

As you know squidGuard is a very nice product that can perform lots of
things which Squid cannot do bare naked.
But(a big one) squidGuard interface can cause a bottle neck for the
whole server traffic if not configured properly and wisely.
If you do have a small whitelist add them into squid to lower the need
for "consulting" squidGuard filters.
SquidGuard uses the url_rewrite interface which is slower then ICAP
which couple products do utilize.
Try to look at:
http://www.squid-cache.org/Misc/icap.html

I know that there are couple very advanced commercial products that do
offer an ICAP interface.
ICAP offers a far more advanced interface which by default enables
concurrency and also can take much more load then the other helpers.

Eliezer

On 04/12/13 09:02, vikkymoorthy wrote:
> Hey,
>
> Thanks for your revert. You are right, the issue is related to SquidGuard.
>
> Is there are way, we can use squid like content filtering? Please let me
> know.
>
> #squid -v
> Squid Cache: Version 3.1.10
> configure options: '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--enable-internal-dns' '--disable-strict-error-checking'
> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--with-logdir=$(localstatedir)/log/squid'
> '--with-pidfile=$(localstatedir)/run/squid.pid'
> '--disable-dependency-tracking' '--enable-arp-acl'
> '--enable-follow-x-forwarded-for'
> '--enable-auth=basic,digest,ntlm,negotiate'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
> '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'
> '--enable-digest-auth-helpers=password,ldap,eDirectory'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
> '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log'
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' '--enable-wccpv2'
> '--enable-esi' '--with-aio' '--with-default-user=squid'
> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
> 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
> -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.10
>
>
>
> Here is my squid.conf file
<SNIP>
>
> url_rewrite_program /usr/local/bin/squidGuard -c
> /usr/local/squidGuard/squidGuard.conf
> url_rewrite_children 5
> url_rewrite_access allow all
>
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
Received on Wed Dec 04 2013 - 08:25:26 MST