Re: [squid-users] best practice for transparent

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 08 Dec 2010 03:35:09 +0000

On Tue, 7 Dec 2010 19:35:08 -0500, BASDarchive
<basdarchive_at_beth.k12.pa.us>
wrote:
> On Dec 7, 2010, at 5:13 PM, Amos Jeffries wrote:
>
>> On 08/12/10 05:32, donovan jeffrey j wrote:
>>> greetings
>>>
>>> i recently updated my transparent proxy to sq 3.1.9, which also uses
>>> squidguard for url filters.
>>
>> First "best practice" is to use the right terminology.
> sorry i forgot we changed that ;)
>>
>> Your log traces says "Accepting intercepted HTTP connections at
>> 10.0.2.3:3128" So they are NAT interception connections.
>
> yes I am using NAT after Squid.
>
> client --- > [ squid ] ----> [ NAT ] --->
>

??
An interception proxy is done with NAT before Squid. Doing NAT on the
outside looping back into Squid could be causing the long waits you saw.

clients <--> NAT snips --> World
             \NAT <--> Squid <--> World

>>
>>>
>>> this have been bogging down. browser always says ,.." waiting for
>>> google,... or waiting for www.abc.com
>>> I could have a dns issue or I could have a cache swap issue or a
>>> squidguard issue. I first wanted to make sure that running 3.1.9
>>> transparent is the best version for the job. I had read a while back in
>>> a thread that v2.7 might be better than 3.1.x. Can anyone confirm ?
>>
>> 2.7 should not be.
>>
>> I've not had anyone explicitly mention whether the NAT logic upgrades to
>> 3.x worked or not in Mac. The BSD ones needed some extra fixes which were
>> done back around 3.1.6
>
> So basically 3.1.9 should be fine for my purposes then.
>
> here is my config. does anything stand out as wrong or should be adjusted ?
>
>
> # squid.conf
> #
>
> #
> #
> # set logging to the lowest level
> debug_options ALL,1
>
> #access to squid and the cache manager
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255

In 3.1 that is: acl localhost src 127.0.0.1 ::1

>
> acl all src 0.0.0.0/0.0.0.0

Remove the above line for 3.x. "all" is now built in.

> acl noc src 10.3.1.0/24 10.135.0.0/16 10.235.0.0/16 10.35.1.0/24
> acl admin src 10.139.0.0/16 10.136.0.0/16 10.103.0.0/16
> acl hs src 10.150.0.0/16 10.149.0.0/16 10.151.0.0/16 10.152.0.0/16
> 10.153.0.0/16
> acl ms src 10.142.0.0/16 10.140.0.0/16
> acl ele src 10.104.0.0/16

NP: In 3.1 you may want to add the IPv6 ranges fe80::/16 and fc00::/7 for
local administration access.

>
> #no cache settings
> no_cache deny noc
> no_cache deny admin
> no_cache deny hs
> no_cache deny ms
> no_cache deny ele
> no_cache deny all

"no_cache" has been renamed to "cache".

NP: Following a list of denials with "deny all" is a waste of CPU cycles.
The rules all collapse down to a single "deny all" action.

>
> http_access allow manager localhost
> #http_access allow manager apache
> http_access allow noc
> http_access allow admin
> http_access allow hs
> http_access allow ms
> http_access allow ele
> http_access deny all
>
> #Squid's user and group
> cache_effective_user squid squid

Only one entry on this line. Second one is dropped. Configure the OS user
"squid" to only be a member of the OS group "squid".

>
> #visible hostname
> visible_hostname T1-2

This is ideally a full domain name with working DNS.
If gethostname() returns a properly DNS resolvable domain name this
setting is not needed either.

>
> # set log directories
> cache_access_log /var/log/squid/access.log

Directive name changed to "access_log" now.

> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log

You can drop the cache_store_log line. Default is not to log it now.

>
> # set cache directories of 16GB each
> cache_dir ufs /usr/local/squid/var/cache 100 16 256
>
>
> request_header_max_size 1000 KB
>
>
> # set the cache memory target for the Squid process
> cache_mem 100 MB
>
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

None of the httpd_accel_* settings are valid any more.

... the above config lines mean this:
   http_port 80 accel vhost
   http_port 3128

For NAT interception proxy in 3.1 it should now be this:

  http_port 3128
  http_port 3129 intercept

(3129 being some unusual port only known between NAT and Squid)

> #
> redirect_program /usr/local/bin/squidGuard
> redirect_children 100
> client_persistent_connections off
> server_persistent_connections off

You may want to reconsider that disabling now. Squid 3.1 is mostly
HTTP/1.1 compliant and pconn support is expected by servers.

Amos
Received on Wed Dec 08 2010 - 03:35:14 MST
