Re: [squid-users] Squid2.7STABLE6 with smoothwall ...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 02 Dec 2009 19:21:41 +1300

Asim Ahmed @ Folio3 wrote:
> One more thing to confirm. I am using IP ranges of my subnet to allow
> access to internet like this:
>
> #following lines are put in a file named "gerrys_groups.acl" and
> referenced in an ACL statement.
>
> 192.168.4.25-192.168.4.50
> 192.168.4.101-192.168.4.150
>
> Is this valid and supported by squid?

Yes.

>
> Asim Ahmed @ Folio3 wrote:
>> Hi,
>>
>> I am using smoothwall 3.0SP1-polar that comes with Squid2.7STABLE6
>> built in. I configure the squid with following parameters. Problem is
>> that squid works fine for 1 or 2 users but when I open it for whole
>> subnet or range of IPs, it crashes down. I mean it start behaving
>> weirdly like most of the time it does not respond to http requests and
>> users have to keep pressing F5 several times to get the request done.
>> Even access log does not show any requests coming in. In cache log I
>> find many entries like "Invalid request" etc. Sometimes I also find

That does not sound good. We will need some more details to track down
what it is though. Can you post a chunk of the log with those lines in
it and a few before and after please?

>> "Cache DIRTY" words during restart of squid. My ACLs are as follows:
>>
>> SQUID-Settings
>> ===========
>>
>> visible_hostname smoothwall
>> acl localnetgreen src 192.168.4.0/255.255.255.0

AKA:
  acl localnetgreen src 192.168.4.0/24

>> http_port 192.168.4.123:800 transparent
>> cache_mem 1024 MB
>> maximum_object_size_in_memory 32 KB
>>
>> cache_replacement_policy heap GDSF
>> memory_replacement_policy heap GDSF
>>
>> half_closed_clients off
>>
>> cache_swap_high 100%
>> cache_swap_low 95%
>>
>> shutdown_lifetime 5 seconds

This may explain "Cache DIRTY".

1) Squid has only 5 seconds to clear out its memory, finish all active
connections and dump the index state for 10GB of cached data to disk.

2) If it's not done in time it will abandon any unfinished tasks.

3) "Cache DIRTY" means that on startup Squid has detected the index
journal state to be incorrect and is moving to a background scan for the
entire disk cache object by object to recover the meta information.

>> icp_port 0
>>
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY

Drop the above.

Hmm. The HTTP basic requirement refresh_patterns are all missing.
Please add:

   refresh_pattern ^ftp: 1440 20% 10080
   refresh_pattern ^gopher: 1440 0% 1440
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
   refresh_pattern . 0 20% 4320

>>
>> cache_effective_user squid
>> cache_effective_group squid
>>

Not a particularly good idea to use cache_effective_group unless
absolutely necessary. Better to have the system 'squid' user a member of
the group 'squid' instead.

>> pid_filename /var/run/squid.pid
>>
>> cache_access_log /var/log/squid/access.log
>> cache_log /var/log/squid/cache.log
>> cache_store_log none
>> error_directory /usr/share/errors/English
>> log_mime_hdrs off
>>
>> forwarded_for off
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl localhost src 127.0.0.1/255.255.255.255

acl all src all
acl localhost src 127.0.0.1

>>
>> acl SSL_ports port 445 443 441 563
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 81 # smoothwall http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 445 443 441 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> #######################################
>> # ACLs #
>> #######################################
>> acl super_users src "/var/smoothwall/proxy/f3_acls/super_users.acl"
>> acl ISP1_users src "/var/smoothwall/proxy/f3_acls/gerrys_groups.acl"
>> acl ISP2_users src "/var/smoothwall/proxy/f3_acls/netsat_groups.acl"
>> acl managers src "/var/smoothwall/proxy/f3_acls/managers.acl"
>> acl blocked_extensions urlpath_regex -i "/var/smoothwall/proxy/f3_acls/blocked_extensions.acl"
>> acl blocked_sites url_regex -i "/var/smoothwall/proxy/f3_acls/blocked_sites.acl"
>> acl blocked_request_mt req_mime_type -i "/var/smoothwall/proxy/f3_acls/blocked_mimetypes.acl"
>> acl blocked_reply_mt rep_mime_type -i "/var/smoothwall/proxy/f3_acls/blocked_mimetypes.acl"
>> acl gaming_sites url_regex -i "/var/smoothwall/proxy/f3_acls/gaming_sites.acl"
>> acl server_machines src "/var/smoothwall/proxy/f3_acls/server_machines.acl"
>> acl working_hours time MTWHF 09:00-12:30
>> acl working_hours time MTWHF 14:00-18:30
>> acl gaming_hours time MTWHF 21:00-23:59
>> acl gaming_hours time MTWHF 01:00-07:00
>> ########################################
>> # HTTP_ACCESS #
>> ########################################
>> http_access allow super_users
>> http_access deny blocked_sites working_hours
>> http_access deny blocked_request_mt working_hours
>> http_access deny blocked_reply_mt working_hours

invalid: "http_access deny blocked_reply_mt "...

Maybe you meant:
   http_reply_access deny !super_users working_hours blocked_reply_mt
   http_reply_access allow all

>> http_access deny gaming_sites !gaming_hours
>> http_access allow managers
>> #http_access deny blocked_extensions working_hours

One thing I note from all the above http_access lines is that you are
placing the regex pattern matches first.
Regex in Squid is _the_ slowest ACL type to be using. It's best to avoid
it like the plague where possible and to restrict when it's used where needed.

Without knowing details I'd guess that most of the blocked_sites and
gaming_sites lists can become a dstdomain ACL to avoid regex matching.

Also placing the fast "working_hours" first on each line will reduce the
regex to only being tested when working_hours is true.

For example:
  http_access deny working_hours blocked_request_mt

>> http_access allow ISP1_users
>> #http_access allow ISP2_users
>> http_access allow server_machines
>> http_access deny localnetgreen

Missing basic security:

   http_access deny all

>> umask 022
>>
>> maximum_object_size 4096 KB
>> minimum_object_size 0 KB
>>
>> # Smoothwall does not allow this parameter to be changed. I can only
>> change cache size
>> cache_dir diskd /var/spool/squid/cache 10240 16 256
>>
>> request_body_max_size 0 KB
>> reply_body_max_size 0 allow all

Defaults. Also the syntax is broken. Remove the two above.

>>
>> logfile_rotate 0
>>
>> strip_query_terms off
>>
>> acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
>> upgrade_http0.9 deny shoutcast
>>
>>
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.15
Received on Wed Dec 02 2009 - 06:21:59 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 02 2009 - 12:00:01 MST
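The two ACL points Amos makes above (put the cheap time ACL ahead of the regex on a line, and finish the list with an explicit "deny all") both follow from how Squid walks its http_access list. The script below is an added example, not code from the thread or from Squid: a toy evaluator that reproduces the documented semantics (ACLs on one line are ANDed and tested left to right, stopping at the first non-match; the first line whose ACLs all match decides; if nothing matches, the result is the opposite of the last line's action). The ACL names mirror the poster's config, but every host, pattern, hour and rule text is constructed, and the `Request`, `evaluate` and `regex_runs` helpers are this example's own.

```python
"""Toy model of Squid's http_access evaluation order (added example, not
part of the thread or of Squid). It follows the documented semantics the
reply relies on: ACLs on one line are ANDed and tested left to right,
stopping at the first non-match; the first line whose ACLs all match wins;
if no line matches, the result is the opposite of the last line's action.
Hosts, patterns, hours and rule texts are constructed for illustration."""
import re
from dataclasses import dataclass

@dataclass
class Request:
    src: str   # client IP as a string
    url: str
    hour: int  # hour of day 0-23, stands in for Squid's time ACL clock

# Counts how often the url_regex ACL really runs, to show what ordering buys.
REGEX_RUNS = {"count": 0}

def src_acl(hosts):
    allowed = set(hosts)
    return lambda req: req.src in allowed

def url_regex_acl(patterns):
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    def match(req):
        REGEX_RUNS["count"] += 1
        return any(c.search(req.url) for c in compiled)
    return match

def time_acl(ranges):
    return lambda req: any(lo <= req.hour < hi for lo, hi in ranges)

# Constructed ACL table: names mirror the thread's config, values do not.
ACLS = {
    "super_users": src_acl(["192.168.4.10"]),
    "ISP1_users": src_acl(["192.168.4.30"]),
    "localnetgreen": src_acl(["192.168.4.10", "192.168.4.30", "192.168.4.77"]),
    "working_hours": time_acl([(9, 13), (14, 19)]),
    "blocked_sites": url_regex_acl([r"facebook\.com", r"youtube\.com"]),
    "all": lambda req: True,
}

# Original shape: regex first on the deny line, no explicit "deny all".
ORIGINAL = """
http_access allow super_users
http_access deny blocked_sites working_hours
http_access allow ISP1_users
http_access deny localnetgreen
"""

# Shape the reply recommends: cheap time ACL first, "deny all" last.
HARDENED = """
http_access allow super_users
http_access deny working_hours blocked_sites
http_access allow ISP1_users
http_access deny all
"""

def parse_rules(text):
    """Return [(action, [acl names, ...])] for each http_access line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("http_access"):
            _, action, *acls = line.split()
            rules.append((action, acls))
    return rules

def line_matches(acls, req):
    for name in acls:
        negated = name.startswith("!")
        result = ACLS[name.lstrip("!")](req)
        if result == negated:  # non-match (or negated match) ends the line
            return False
    return True

def evaluate(rules_text, req):
    """First matching line wins; otherwise the inverse of the last action."""
    rules = parse_rules(rules_text)
    for action, acls in rules:
        if line_matches(acls, req):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

def regex_runs(rules_text, req):
    """Number of times the url_regex ACL executed for this one request."""
    REGEX_RUNS["count"] = 0
    evaluate(rules_text, req)
    return REGEX_RUNS["count"]

if __name__ == "__main__":
    stranger = Request("10.0.0.5", "http://example.com/", 10)
    evening = Request("192.168.4.30", "http://example.com/", 20)
    for label, text in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label, "unlisted host:", evaluate(text, stranger),
              "| regex runs after hours:", regex_runs(text, evening))
```

Running it shows the two effects side by side: under the original list a client that is in none of the src lists is allowed, because the last line is a deny and the fall-through default inverts it, whereas the hardened list ends in "deny all" and refuses it; and for a listed user browsing outside working hours the original order still runs the regex once per request, while the hardened order never reaches it.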