Re: [squid-users] 3.1.x compile errors using ssl_crtd

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 May 2012 11:30:59 +1200

On 30.05.2012 09:23, Linos wrote:
> On 29/05/12 19:32, Eliezer Croitoru wrote:
>> On 29/05/2012 17:23, Linos wrote:
>>> On 29/05/12 15:43, Eliezer Croitoru wrote:
>>>> Well, I have tried compiling squid 3.2.0.17 and it was built fine.
>>>>
>>>> I wrote a basic way to compile squid on ubuntu 10.04 and 12.04
>>>> with all the dev dependencies required to compile it at:
>>>>
>>>> http://ubuntuforums.org/showpost.php?p=11958889&postcount=2
>>>>
>>>> Eliezer
>>>>
>>>
>>> I am using squid-3.2.0.17-20120527-r11561 (the last daily build)
>>> right now; it compiles cleanly but has any bugs (well, it is a beta
>>> version so it isn't unexpected). I have reported one at
>>> http://bugs.squid-cache.org/show_bug.cgi?id=3556
>>>
>>> So I can't compile stable versions and beta versions have bugs;
>>> given this is a production machine I still don't have a working
>>> solution.
>>>
>>> Regards,
>>> Miguel Angel.
>> As I wrote, I have compiled the stable versions without any
>> problem.
>> Can you share your squid.conf?
>>
>> Eliezer
>>
>
> You wrote that you compiled 3.2.0.17; as you can see here
> http://www.squid-cache.org/Versions/ 3.2.0.17 is a beta version.
> Like I wrote, I have compiled this too and found any bugs in it.

What do you mean by "found any bugs"? I assumed it was a typo of "many
bugs" earlier, but you have been using it consistently across multiple
emails.

>
> I am not sure what the value of squid.conf is in a compilation
> problem, but anyway these are the uncommented lines:
>

Small audit check, not related to your current problems ...

> external_acl_type request_body children-max=20 %{Content-Length} /etc/squid3/request_body_max_size.sh
> acl request_max_aulas external request_body 104857
> acl srv_aulas src 192.168.2.200/32
> acl oficinas src 192.168.0.0/24
> acl aulas1 src 192.168.2.0/24
> acl aulas2 src 192.168.3.0/24
> acl wifi_alumnos src 192.168.4.71-192.168.4.254/32
> acl wifi_profesores src 192.168.4.1-192.168.4.70/32
> acl hostsprohibidos src "/etc/squid3/hostsprohibidos"
> acl urlaprobadas url_regex -i "/etc/squid3/urlaprobadas"
> acl urlprohibidasaulas url_regex -i "/etc/squid3/urlprohibidasaulas"
> acl urlprohibidasoficinas url_regex -i "/etc/squid3/urlprohibidasoficinas"
> acl extensionesprohibidas url_regex -i "/etc/squid3/extensionesprohibidas"
> acl whitenet src "/etc/squid3/whitehosts"
> acl maniana time SMTWHFA 06:00-16:00
> acl tarde time SMTWHFA 16:00-23:59 00:00-06:00
> acl extensionestarde url_regex -i "/etc/squid3/extensionestarde"
> acl msnmsg url_regex
> ^http://gateway\.messenger\.hotmail\.com/gateway/gateway\.dll
> acl msnmsg url_regex ^http://64\.4\.[^/]*/gateway/gateway\.dll
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny aulas1 request_max_aulas
> http_access deny aulas2 request_max_aulas

NOTE: CONNECT requests should never have a specific content-length
size. They are tested by the http_access ACLs prior to ssl-bump
unwrapping them. Look carefully at what your request_max_aulas helper
does when it receives "-" or no content-length. If it rejects a CONNECT
it will be blocking ssl-bump from operating on that tunnel request.

> http_access allow whitenet
> http_access allow all urlaprobadas
> http_access allow oficinas !urlprohibidasoficinas
> http_access allow wifi_alumnos !urlprohibidasoficinas
> http_access allow wifi_profesores !urlprohibidasoficinas
> http_access allow aulas1 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
> http_access allow aulas2 maniana !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionesprohibidas
> http_access allow aulas1 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
> http_access allow aulas2 tarde !msnmsg !hostsprohibidos !urlprohibidasaulas !extensionestarde
> http_access deny all

hint 1) aulas1 and aulas2 are the same type of ACL, and are always
listed in identical pairs of http_access or delay_access lines.
You can improve the proxy service time by merging both IP ranges into
one ACL name and dropping all the duplicated ACL testing.

hint 2) "!msnmsg !hostsprohibidos !urlprohibidasaulas
!extensionesprohibidas" are also the same type and are only used together.
You can merge all of them into one ACL, same as above.
HOWEVER, they are url_regex, which is one of the slowest ACL types. You
should consider splitting the file entries out into dstdomain or other
faster ACL types where possible.

> http_port 3128 transparent

"intercept".

> http_port 3150 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid3/ssl_cert/cert.pem
> always_direct allow all
> ssl_bump allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid_ssl_db -M 16MB
> sslcrtd_children 16
> memory_replacement_policy heap LFUDA
> cache_replacement_policy heap LFUDA
> cache_dir aufs /var/spool/squid3 15000 16 256
> maximum_object_size 40960 KB
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> store_avg_object_size 50 KB
> delay_pools 2
> delay_class 1 2 # pool 1 is a class 2 pool
> delay_class 2 2 # pool 2 is a class 2 pool
> delay_access 1 allow oficinas
> delay_access 1 allow wifi_profesores
> delay_access 1 deny all
> delay_access 2 allow wifi_alumnos
> delay_access 2 allow aulas1
> delay_access 2 allow aulas2
> delay_access 2 deny all
> delay_parameters 1 2500000/3125000 1024000/1296000
> delay_parameters 2 2500000/3125000 512000/600000
> delay_initial_bucket_level 90
> dns_nameservers 80.58.61.250 8.8.8.8
>
>
> Regards,
> Miguel Angel.
Received on Tue May 29 2012 - 23:31:04 MDT
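The helper behaviour Amos's NOTE is pointing at (what the external ACL script does when Squid hands it "-" for a request without a Content-Length, which is every CONNECT) can be made explicit in the helper itself. The script below is an added example, not part of this thread and not the /etc/squid3/request_body_max_size.sh that Miguel actually runs (his script is not on the page). It assumes the standard external_acl_type protocol: Squid writes one line per lookup consisting of the format fields (here the single %{Content-Length} value, or "-" if the header is absent) followed by the ACL arguments from the acl line (here 104857), and the helper answers OK (ACL matches, so the "http_access deny ... request_max_aulas" line fires) or ERR (no match). It also assumes no concurrency= option on the external_acl_type line, as in the posted config; with concurrency=N each line is prefixed by a channel ID that must be echoed back in front of the reply. The function and file names are my own.

```shell
#!/bin/sh
# request_body_max_size.sh (example name, matching the posted config):
# squid external_acl_type helper that matches when the request body
# announced by Content-Length exceeds the size given as ACL argument.
#
# Protocol (no concurrency= configured): one lookup per line on stdin,
#   "<Content-Length value or -> <max-bytes>"
# and exactly one reply line on stdout, "OK" or "ERR".

# Decide for a single lookup. Prints OK (match -> deny) or ERR (no match).
check_body_size() {
    len=$1
    max=$2

    # "-" (or an empty field) means the request carried no Content-Length.
    # Every CONNECT looks like this, and Squid tests http_access on the
    # CONNECT *before* ssl-bump unwraps it: answering OK here would make
    # the deny line block every HTTPS tunnel from the aulas networks.
    # So a missing header is "not too large": reply ERR.
    case "$len" in
        ''|-) echo ERR; return 0 ;;
    esac

    # A Content-Length that is not a plain decimal number is malformed.
    # Chosen here to fail closed (OK -> denied): it cannot be a CONNECT,
    # and a non-numeric length is a request-smuggling smell. Squid
    # normally rejects such headers before we see them anyway.
    case "$len" in
        *[!0-9]*) echo OK; return 0 ;;
    esac

    if [ "$len" -gt "$max" ]; then
        echo OK      # body larger than the limit -> ACL matches -> denied
    else
        echo ERR     # within the limit -> ACL does not match
    fi
}

# Main loop: read lookups until Squid closes the pipe. Extra fields
# (if someone adds more format tokens later) are ignored via _rest.
run_helper() {
    while read -r len max _rest; do
        check_body_size "$len" "$max"
    done
}

# Only start the read loop when installed under the expected name, so the
# functions can also be sourced or tested without blocking on stdin.
case "${0##*/}" in
    request_body_max_size.sh) run_helper ;;
esac
```

To check it without Squid, feed it a few constructed lookup lines (the second one is what the deny rule should catch, the first is what a CONNECT produces): `printf '%s\n' '- 104857' '200000 104857' | sh request_body_max_size.sh` should print ERR then OK. Squid spawns up to children-max=20 copies, each looping on its own stdin; the script never exits on its own, so a per-line failure must be answered with ERR or OK rather than by dying, or Squid will log a helper crash and the ACL will fail the request.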

This archive was generated by hypermail 2.2.0 : Wed May 30 2012 - 12:00:06 MDT