Thanks, I learned something new from you all. However, I'll update the
results in a few days, as I am monitoring how things are
going.
Thanks,
On Wed, Apr 25, 2012 at 7:38 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 25/04/2012 3:34 a.m., Eliezer Croitoru wrote:
>>
>> On 24/04/2012 18:14, Muhammad Yousuf Khan wrote:
>>>
>>> OK, I trimmed down the config file to this as you suggested, blocking the
>>> whitelist to the local net. Let's see how things work tomorrow; I'll update.
>>> But the block list is about 10MB big. Do you think it could be the
>>> problem, as every query has to be matched against a 10 MB database?
>>>
>>> ?
>>
>> In any case, a dstdomain of 10MB is a very bad idea from what I know.
>> One thing about dstdomain is that Squid must validate the request's DNS
>> records, and it will take more bandwidth on DNS queries.
>
>
> Only if comparing a raw-IP to a domain name. If the raw-IP is on the tested
> URL it is faster, as the DNS result gets re-used for all tests. The common
> case though is straight domain-vs-domain comparisons.
>
> Amos
>
>
>> If you still don't have a local DNS server for caching only, this is the time
>> to add it.
>>
>> I think that 10MB of domains can be optimized into some basic DST DOMAINS
>> REGEX and some blacklist DSTDOMS REGEX.
>>
>> I think that some DB application for this kind of amount of dstdoms can be
>> much more effective.
>> You can also use squidGuard for that.
>>
>> If you can share some (1MB) of the dstdoms of the whole list, I might be
>> able to try to optimize it in a way.
>>
>>
>> Regards,
>> Eliezer
>>
>>>
>>>
>>>
>>> #-------------Allow All ACL-------------
>>> acl aci_lan src 10.51.100.0/24
>>> acl aci_general src 10.51.100.0/24
>>>
>>> #---------------------Assurety Whitelist---------------
>>> acl aci_whitelist dstdomain "/blocklist/aci_list/whitelist"
>>> http_access allow aci_whitelist aci_general
>>>
>>> #----------TimeDomainBlock
>>> acl aci_dest dstdomain "/blocklist/aci_list/time_block_domains"
>>>
>>> #--General Timing------------ Normal Days Working hours--------------
>>> acl aci_working_hours time MTWH 10:04-13:04
>>> acl aci_working_hours time MTWH 14:04-18:04
>>> #--General Timing-------------Friday------------------------
>>> acl aci_working_hours time F 10:04-13:04
>>> acl aci_working_hours time F 15:04-18:04
>>>
>>> http_access deny aci_dest aci_working_hours aci_general
>>>
>>>
>>> On Tue, Apr 24, 2012 at 1:11 PM, Eliezer Croitoru<eliezer_at_ngtech.co.il>
>>> wrote:
>>>>
>>>> Are you talking about the delay pools rules?
>>>> Also, if it's a proxy that is open to the internet, I would limit the
>>>> access
>>>> to port 3128 to only the LAN.
>>>> Your http_access rules are allowing anyone to use the proxy for the
>>>> whitelist.
>>>>
>>>> Regards,
>>>> Eliezer
>>>>
>>>>
>>>>
>>>> On 24/04/2012 09:06, Muhammad Yousuf Khan wrote:
>>>>>
>>>>>
>>>>> OK, I just disabled all the rules and it works for me now. I'll test
>>>>> which rule is making a problem and let you know also.
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Mon, Apr 23, 2012 at 11:20 PM, Muhammad Yousuf
>>>>> Khan<sirtcp_at_gmail.com>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> Here is the log for bbc.co.uk, the first and last messages of the log,
>>>>>>
>>>>>> so you can see the time delay.
>>>>>>
>>>>>> 335205033.183 841 10.51.100.240 TCP_MISS/200 24506 GET http://www.bbc.co.uk/ - DIRECT/212.58.244.66 text/html
>>>>>> 1335205057.936 328 10.51.100.240 TCP_REFRESH_HIT/304 435 GET http://static.bbci.co.uk/wwhomepage-3.5/1.0.41/img/broadcast-sprite.png - DIRECT/80.239.148.70 image/png
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 23, 2012 at 11:12 PM, Muhammad Yousuf
>>>>>> Khan<sirtcp_at_gmail.com>
>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Here you go with my squid.conf
>>>>>>>
>>>>>>> acl all src all
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/32
>>>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>>>> acl SSL_ports port 443 # https
>>>>>>> acl SSL_ports port 563 # snews
>>>>>>> acl SSL_ports port 873 # rsync
>>>>>>> acl Safe_ports port 80 # http
>>>>>>> acl Safe_ports port 21 # ftp
>>>>>>> acl Safe_ports port 443 # https
>>>>>>> acl Safe_ports port 70 # gopher
>>>>>>> acl Safe_ports port 210 # wais
>>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>>> acl Safe_ports port 488 # gss-http
>>>>>>> acl Safe_ports port 591 # filemaker
>>>>>>> acl Safe_ports port 777 # multiling http
>>>>>>> acl Safe_ports port 631 # cups
>>>>>>> acl Safe_ports port 873 # rsync
>>>>>>> acl Safe_ports port 901 # SWAT
>>>>>>> acl purge method PURGE
>>>>>>> acl CONNECT method CONNECT
>>>>>>>
>>>>>>> # sqstat
>>>>>>> acl manager proto cache_object
>>>>>>> acl webserver src 10.51.100.206/255.255.255.255
>>>>>>> http_access allow manager webserver
>>>>>>> http_access deny manager
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> # Skype
>>>>>>> acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
>>>>>>> acl Skype_UA browser ^skype
>>>>>>> acl validUserAgent browser \S+
>>>>>>>
>>>>>>> # for cheetah only
>>>>>>>
>>>>>>> #acl usman src 10.51.100.107
>>>>>>> #delay_pools 1
>>>>>>> #delay_class 1 1
>>>>>>> #delay_parameters 1 22000/22000
>>>>>>> #delay_access 1 allow usman
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> #-------------Allow All ACL-------------
>>>>>>> acl aci_lan src 10.51.100.0/24
>>>>>>> acl aci_general src 10.51.100.0/24
>>>>>>>
>>>>>>>
>>>>>>> #----My ip
>>>>>>> acl my_ip src 10.51.100.240
>>>>>>> http_access allow my_ip
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> # Testing delay pool
>>>>>>> delay_pools 1
>>>>>>> delay_class 1 1
>>>>>>> delay_parameters 1 22000/10240000
>>>>>>> delay_access 1 allow aci_general
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> #---------------------Assurety Whitelist---------------
>>>>>>> acl aci_whitelist dstdomain "/blocklist/aci_list/whitelist"
>>>>>>> http_access allow aci_whitelist
>>>>>>>
>>>>>>> #--Senior Allow Domainlist------------------------------
>>>>>>> acl aci_seniors dstdomain "/blocklist/aci_list/whitelist_seniors"
>>>>>>> #---------------------------------------------------------# See implementation in the ACI implementation section
>>>>>>>
>>>>>>> #--------------------Assurety Hard_Block--------------
>>>>>>> acl aci_hard_block dstdomain "/blocklist/aci_list/hard_block_domains"
>>>>>>> http_access deny aci_hard_block
>>>>>>>
>>>>>>> #--------------------Hard_Block EXE and E.T.C---------------------
>>>>>>> #acl mime_block_hard rep_mime_type -i "/blocklist/aci_list/hard_mime_block"
>>>>>>> #http_reply_access deny mime_block_hard
>>>>>>>
>>>>>>>
>>>>>>> #--General------Streaming Block------------------------------
>>>>>>> acl mime_block rep_mime_type -i "/blocklist/aci_list/time_mime_block"
>>>>>>>
>>>>>>> #--General Domainlist------------------------------
>>>>>>> acl aci_dest dstdomain "/blocklist/aci_list/time_block_domains"
>>>>>>>
>>>>>>> #--Seniors MAC list mounting------------------------------
>>>>>>> acl aci_mac_seniors arp "/blocklist/aci_list/mac_list_seniors"
>>>>>>>
>>>>>>> #--General Timing------------ Normal Days Working hours--------------
>>>>>>> acl aci_working_hours time MTWH 10:04-13:04
>>>>>>> acl aci_working_hours time MTWH 14:04-18:04
>>>>>>> #--General Timing-------------Friday------------------------
>>>>>>> acl aci_working_hours time F 10:04-13:04
>>>>>>> acl aci_working_hours time F 15:04-18:04
>>>>>>>
>>>>>>> #--General/Seniors-------------Implementation------------------
>>>>>>> http_access allow aci_seniors aci_mac_seniors
>>>>>>> http_access deny aci_dest aci_working_hours aci_general
>>>>>>> http_reply_access deny mime_block aci_working_hours aci_general !my_ip
>>>>>>>
>>>>>>> #skype deny
>>>>>>> http_access deny numeric_IPS aci_working_hours
>>>>>>> http_access deny Skype_UA aci_working_hours
>>>>>>> http_access deny !validUserAgent aci_working_hours
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> #Error Directory by Ykhan
>>>>>>> error_directory /usr/share/squid/errors/en-us/
>>>>>>> #------------------------TheEnd----------------------
>>>>>>> http_access allow aci_lan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access allow purge localhost
>>>>>>> http_access deny purge
>>>>>>> http_access deny !Safe_ports
>>>>>>> http_access deny CONNECT !SSL_ports
>>>>>>> http_access allow localhost
>>>>>>> http_access deny all
>>>>>>> icp_access allow localnet
>>>>>>> icp_access deny all
>>>>>>> http_port 3128
>>>>>>> hierarchy_stoplist cgi-bin ?
>>>>>>> access_log /var/log/squid/access.log squid
>>>>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>>>>> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
>>>>>>> refresh_pattern . 0 20% 4320
>>>>>>> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
>>>>>>> upgrade_http0.9 deny shoutcast
>>>>>>> acl apache rep_header Server ^Apache
>>>>>>> broken_vary_encoding allow apache
>>>>>>> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>>>>>>> hosts_file /etc/hosts
>>>>>>> coredump_dir /var/spool/squid
>>>>>>>
>>>>>>> ##ykhan squid redirection to squidguard
>>>>>>>
>>>>>>> #redirect_program /usr/bin/squidGuard
>>>>>>> #url_rewrite_program /usr/bin/squidGuard
>>>>>>> #url_rewrite_children 5
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Apr 23, 2012 at 8:42 PM, Eliezer
>>>>>>> Croitoru<eliezer_at_ngtech.co.il>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 23/04/2012 18:38, Muhammad Yousuf Khan wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Well, I have been experiencing slow Internet browsing. Not very slow,
>>>>>>>>> but comparatively slower than the IPCOP firewall. I cannot understand
>>>>>>>>> how
>>>>>>>>> to diagnose the issue.
>>>>>>>>> I mean, I increased the RAM, I checked the DNS, everything is fine,
>>>>>>>>> but
>>>>>>>>> my browser gets stuck at "connecting"; once it starts downloading it does it
>>>>>>>>> fast,
>>>>>>>>> but then stops for something, then starts. I am not getting the clear
>>>>>>>>> picture. Can anyone help?
>>>>>>>>>
>>>>>>>>> I am using Debian 6.0.4 with 2.7 stable Squid.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> MYK
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> What is your exact problem? Slow downloads?
>>>>>>>> What is your Squid setup? Transparent? Regular forward proxy?
>>>>>>>> What browser are you using?
>>>>>>>> Do you have some Squid logs, or squid.conf?
>>>>>>>> What DNS server are you using?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Eliezer
>>>>>>>>
>>>>>>>> --
>>>>>>>> Eliezer Croitoru
>>>>>>>> https://www1.ngtech.co.il
>>>>>>>> IT consulting for Nonprofit organizations
>>>>>>>> eliezer<at> ngtech.co.il
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Eliezer Croitoru
>>>> https://www1.ngtech.co.il
>>>> IT consulting for Nonprofit organizations
>>>> eliezer<at> ngtech.co.il
>>
>>
>>
>
Received on Wed Apr 25 2012 - 16:13:39 MDT
This archive was generated by hypermail 2.2.0 : Fri Apr 27 2012 - 12:00:03 MDT
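As an added example (not code from this thread, from its participants, or from the Squid project), the following is a minimal Squid external_acl_type helper in Python of the "DB application" kind Eliezer suggests for a very large domain list. It loads a dstdomain-style list once into two sets and answers each lookup with a handful of set probes, one per label of the destination host, so the per-request cost depends on the host's depth, not on the size of the 10MB file. The squid.conf lines in the docstring, the helper path, the ACL name and the ttl value are assumptions; the sample list is constructed. Unlike Squid's built-in dstdomain ACL, it does no reverse DNS on raw-IP destinations (the lookup Amos describes above), it simply compares the string it is given.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: answers OK/ERR for a destination host
against a large dstdomain-style list, loaded once into memory.

Added example, not from the thread. Assumed squid.conf wiring (helper name,
path and ttl are hypothetical):

  external_acl_type bigblock ttl=3600 %DST /usr/local/bin/domain_helper.py /blocklist/aci_list/time_block_domains
  acl aci_dest external bigblock
  http_access deny aci_dest aci_working_hours aci_general

Keep the src ACL (aci_general) on the http_access line, as advised in the
thread, so the rule never applies to clients outside the LAN.
"""
import sys
from pathlib import Path


def normalize(host):
    # Host names are case-insensitive and may carry a trailing dot.
    return host.strip().lower().rstrip(".")


def load_list(lines):
    """Build (exact, suffix) sets from dstdomain-style lines.

    A leading '.' means 'this domain and every subdomain', as in Squid's
    dstdomain ACL; a bare name matches only that exact host.
    Comments after '#' and blank lines are ignored.
    """
    exact, suffix = set(), set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("."):
            suffix.add(normalize(entry.lstrip(".")))
        else:
            exact.add(normalize(entry))
    return exact, suffix


def is_listed(host, exact, suffix):
    """Walk up the label chain once: cost is O(labels), not O(list size)."""
    host = normalize(host)
    if not host:
        return False
    if host in exact:
        return True
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffix:
            return True
    return False


def handle_line(line, exact, suffix):
    """Map one request line (format '%DST') to Squid's reply token."""
    stripped = line.strip()
    host = stripped.split(" ", 1)[0] if stripped else ""
    return "OK" if is_listed(host, exact, suffix) else "ERR"


# Constructed sample list, standing in for the 10MB file in the thread.
SAMPLE_LIST = """
# streaming sites blocked during working hours (constructed sample)
.youtube.com
.dailymotion.com
www.example.net
"""


def main():
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = Path(path).read_text().splitlines() if path else SAMPLE_LIST.splitlines()
    exact, suffix = load_list(lines)
    for line in sys.stdin:
        # Squid expects exactly one reply line per request line, flushed at once.
        sys.stdout.write(handle_line(line, exact, suffix) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Running it by hand with `printf 'www.youtube.com\nwww.bbc.co.uk\n' | ./domain_helper.py` prints `OK` then `ERR`; with a real list path as the first argument it reads that file instead of the constructed sample. Squid caches each answer for the configured ttl, so the helper is consulted once per distinct host within that window.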