Re: [squid-users] Squid not caching, plz help

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 04 Jun 2011 21:08:18 +1200

On 04/06/11 09:16, MrNicholsB wrote:
> Ok Ive had squid3 running rock solid for months, I recently migrated
> from Ubuntu 9 to 10.04 and now Squid is clearly not caching, but traffic
> IS passing through it, my conf is the same as it was before but now im
> getting an error on cache.log every time squid gets a request, any help
> would be great, im sure its something simple Im just not seeing..THANK
> YOU!!
>
>
> ERRORs from cache.log
> ==============================
> 2011/06/03 13:57:32| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST)
> failed: (92) Protocol not available

You have a http_port configured with "transparent" or "intercept".
Telling Squid to look up NAT for the IP details.
  It is being sent traffic which apparently never went through NAT. Your
access.log will contain lies about what client IP was making the
request. *THIS IS BAD*. Your squid.conf is making you vulnerable to
security attack CVE-2009-0801.

Solution:
  * pick a random port number for the NAT-to-Squid packet arrival. Use a
second port for regular proxy requests.

  * follow the config details for iptables "mangle" table:
     http://wiki.squid-cache.org/ConfigExamples/LinuxDnat

>
> =======================
> #squid..conf
>
> visible_hostname central.server
> http_port 3128 transparent
> icp_port 0
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> dns_nameservers 127.0.0.1
> cache_swap_low 95
> cache_swap_high 98
> access_log /var/log/squid3/access.log
> cache_mem 2048 MB
> memory_pools on
> maximum_object_size_in_memory 50 MB
> log_icp_queries off
> cache_mgr Admin_at_meatspin.com
> cache_dir ufs /var/spool/squid3 20000 32 256
>
>
> acl localhost src 127.0.0.1/32
> acl manager proto cache_object
> acl our_networks src 10.10.1.0/24
>
> acl localnet src 127.0.0.1/255.255.255.255
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
> acl SSL_ports port 443
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
>
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
>
> http_access allow our_networks
> http_access allow localnet

"our_networks" and "localnet" both mean "LAN" in Squid terminology.
They are the same; one is the Squid-2 default ACL name, one is the
Squid-3 default naming.

Though you have configured "localnet" to mean IPv4-only localhost. You
could alter the localhost definition to mean that.

> http_access allow CONNECT wuCONNECT our_networks
> http_access allow windowsupdate our_networks

The windows update config is only necessary when you have enabled
features such as authentication which Windows update cannot handle.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow manager localhost
> http_access deny manager
> http_access allow all

"allow all" in a proxy which intercepts traffic is amazingly unsafe.

Since I'm tired of repeating myself day after day about what these
default ACLs actually mean and why breaking the defaults is BAD...
Please read http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls

In short:

  http_access allow manager localhost
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow our_networks
  http_access allow localhost
  http_access deny all

Notice how this is almost exactly the upstream default configuration.
The only change you have needed is to define the LAN IP range ACL.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
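Added example, not part of the thread: a small model of Squid's first-match http_access evaluation, run over the posted rule order and the recommended order from the reply above. The ACL definitions are taken from the quoted squid.conf (the Windows Update dstdomain lines are left out because they sit below "allow our_networks" and can never match); the sample requests are constructed.

```python
import ipaddress
# ACLs from the quoted squid.conf (Windows Update ACLs omitted: unreachable after "allow our_networks").
ACLS = {
    "our_networks": ("src", ["10.10.1.0/24"]),
    "localnet": ("src", ["127.0.0.1/32"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "all": ("src", ["0.0.0.0/0"]),
    "manager": ("proto", ["cache_object"]),
    "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(21, 21), (80, 80), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return req[kind] in values

def http_access(rules, req):
    # Squid semantics: lines are tried top to bottom, a line matches only if every
    # ACL on it matches ('!' negates one ACL), and the first matching line decides.
    for action, acls in rules:
        if all(not acl_matches(a[1:], req) if a[0] == "!" else acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # nothing matched: opposite of last line

POSTED = [("allow", ["our_networks"]), ("allow", ["localnet"]), ("deny", ["!Safe_ports"]),
          ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localhost"]),
          ("allow", ["manager", "localhost"]), ("deny", ["manager"]), ("allow", ["all"])]
RECOMMENDED = [("allow", ["manager", "localhost"]), ("deny", ["manager"]), ("deny", ["!Safe_ports"]),
               ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["our_networks"]),
               ("allow", ["localhost"]), ("deny", ["all"])]

def request(src, port=80, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}

# Constructed sample requests; 203.0.113.5 is a documentation address standing in for an outside host.
SAMPLES = {
    "outside host, GET port 80": request("203.0.113.5"),
    "LAN host, GET to port 25": request("10.10.1.20", port=25),
    "LAN host, cache_object (manager)": request("10.10.1.20", proto="cache_object"),
    "localhost, cache_object (manager)": request("127.0.0.1", proto="cache_object"),
}

def compare(samples=SAMPLES):
    """Return {label: (verdict under POSTED, verdict under RECOMMENDED)} for each sample."""
    return {label: (http_access(POSTED, r), http_access(RECOMMENDED, r)) for label, r in samples.items()}
```

The posted order lets an outside host, a LAN request to an unsafe port and a LAN cache-manager request all through, while the recommended order denies each of them and still serves localhost's manager request.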
Received on Sat Jun 04 2011 - 09:08:30 MDT