Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 20 Sep 2009 23:26:08 +1200

Silamael wrote:
>
> Silamael wrote:
>> Amos Jeffries wrote:
>>> This is usually a configuration problem.
>>>
>>> Please provide your squid.conf file contents (minus empty and comment
>>> lines)
>>>
>>> Amos
>
>
> No one has some idea what's wrong with our configuration?
>
> Amos Jeffries wrote:
>> > This is usually a configuration problem.
>> >
>> > Please provide your squid.conf file contents (minus empty and comment
>> > lines)
>> >
>> > Amos
>
> Hello Amos,
>
> Here is our configuration.
> Thank you for your help.
>
> -- Matthias
>

Sorry, got a bit busy.

Here is a quick audit of your config...

>
> #
> # WARNING: Do not edit this file, it has been automatically generated.
> #
> # Prepends
> append_domain .domain.de
> unlinkd_program /usr/local/libexec/unlinkd
> ipcache_high 95
> icp_port 0
> ipcache_size 1024
> http_port 127.0.0.1:8000
> cache_dir ufs /var/squid/cache/cache-8000 100MB 8 16
> debug_options ALL,1
> server_persistent_connections on
> cache_swap_high 95
> log_ip_on_direct off
> maximum_object_size 20000 KB
> minimum_direct_hops 4
> udp_incoming_address 127.0.0.1
> pid_filename /var/squid/logs/squid-8000.pid
> ftp_user squid_at_domain.de
> forwarded_for off
> cache_access_log /var/squid/logs/access-8000.log

The above is obsolete since 2.6.
Use access_log directive instead.

> visible_hostname domaind193.domain.de
> client_persistent_connections on
> cache_swap_low 90
> logfile_rotate 0
> ipcache_low 90
> cache_effective_user _squid
> cache_log /var/squid/logs/cache-8000.log
> cache_effective_group _squid
> hosts_file none
> refresh_pattern . 0 20% 14400
> cache_mem 8 MB
> cache_store_log none
> hierarchy_stoplist cgi-bin ?
> error_directory /usr/local/share/squid/errors/de

Sure about that? 3.1 handles error languages nicely so the _visitors_
can read the message. The above specifies that 100% of your visitors
must read German.

> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localdomain srcdomain domain.de
> acl localdst dstdomain .domain.de
> acl localhost-dst dst 127.0.0.1/32

'dst' ACL requires DNS lookups. This will be the cause of your problems.
You require it to be checked before permitting anyone access.

> # user defined ACLs
> always_direct deny all
> refresh_pattern .domain.de 0 1% 0
> refresh_pattern www.domain.de 0 1% 0
> cache_peer 10.254.0.17 parent 8888 0 default no-query

> always_direct allow localdst

This will never happen. You already specified 'always_direct deny all'.

> never_direct allow all
>

This is redundant with 'always_direct deny all'

> # Authentication
>
> # User options
>
> # Append
> acl Dangerous_ports port 7 9 19
> acl CONNECT method CONNECT
> http_access deny Dangerous_ports
> http_access deny manager !localhost
> acl SSL_ports port 443 563 881
> http_access deny CONNECT !SSL_ports

> http_access deny localhost-dst

Above test requires DNS lookups.

AND seems to have no purpose....

    always_direct/never_direct settings force all requests to be passed
to the parent proxy.

    anything resolving to 127.0.0.1 on this host is not necessarily
resolving to 127.0.0.1 on any other host (i.e. the parent proxy)

NP: having a DNS server resolve 127.0.0.1 for anything public is very nasty.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
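As an added check, not code from the list thread or from the Squid project, the following Python script lints a squid.conf fragment for the three problems Amos points out above: the obsolete cache_access_log directive, a 'dst' ACL (which forces a DNS lookup) used in http_access, and always_direct/never_direct lines that can never match after 'always_direct deny all'. The sample config is constructed from the relevant lines of the quoted squid.conf; directive names and the first-match semantics are Squid's, the checker logic is an assumption of this example.

```python
# Constructed sample: only the relevant lines from the quoted squid.conf
SAMPLE_CONF = """\
cache_access_log /var/squid/logs/access-8000.log
acl localhost src 127.0.0.1/32
acl localdst dstdomain .domain.de
acl localhost-dst dst 127.0.0.1/32
always_direct deny all
always_direct allow localdst
never_direct allow all
http_access deny localhost-dst
"""

OBSOLETE = {"cache_access_log": "access_log"}   # obsolete since 2.6
DNS_ACL_TYPES = {"dst"}   # ACL types that resolve the request host before matching

def parse(conf):
    """Yield (directive, args) for each non-empty, non-comment line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def audit(conf):
    """Return a list of human-readable findings for the given squid.conf text."""
    findings = []
    dns_acls = set()            # names of ACLs whose evaluation needs DNS
    deny_all_seen = False       # 'always_direct deny all' already encountered
    for directive, args in parse(conf):
        if directive in OBSOLETE:
            findings.append(f"{directive}: obsolete, use {OBSOLETE[directive]}")
        elif directive == "acl" and len(args) >= 2 and args[1] in DNS_ACL_TYPES:
            dns_acls.add(args[0])
        elif directive == "always_direct":
            if args == ["deny", "all"]:
                deny_all_seen = True
            elif deny_all_seen:   # first match wins, so this line is dead
                findings.append(f"always_direct {' '.join(args)}: "
                                "unreachable after 'always_direct deny all'")
        elif directive == "never_direct" and args == ["allow", "all"] and deny_all_seen:
            findings.append("never_direct allow all: redundant with 'always_direct deny all'")
        elif directive == "http_access":
            used = {a.lstrip("!") for a in args[1:]} & dns_acls
            for name in sorted(used):
                findings.append(f"http_access uses ACL '{name}' (type dst): "
                                "forces a DNS lookup on every request")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```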
Received on Sun Sep 20 2009 - 11:26:22 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 21 2009 - 12:00:02 MDT