Re: [squid-users] Changes to config file issues

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 11 Sep 2013 14:18:12 +1200

On 11/09/2013 4:59 a.m., Gomes, Rich wrote:
> Hi Eliezer,
>
> Yes, it is firewalled off.
>
> I tried matching the lines in the old to the corresponding new config with no luck.
> I copied back the original squid.conf from the EL6 install and added just the lines you mentioned below with the same results
> 503 and 404 errors

Are you able to try the 3.3 package and see if the issues persist?
http://wiki.squid-cache.org/KnowledgeBase/RedHat. It has a lot more
upgrade support for 2.x versions built in than the 3.1 series does.

Dont forget to run "squid -k parse" to check the config is accepted by
Squid before other testing.

The 503 issues would seem to be something outside of Squid blocking
Squid from contacting the requested server. Perhapse DNS issues or bad
firewall or router configurations.
Squid does not produce 404 IIRC.

Squid only produces 404 responses on DNS failure, invalid URLs, or
requests for Squid-generated objects which do not exist.

Amos

>
>
>
>
> Rich
>
> Rich Gomes | Senior Systems Administrator, AUCA System Services | ARAMARK Uniform & Career Apparel
> Tel: 781.763.4508 | Fax: 781.763.2508
> Rich.Gomes_at_uniform.aramark.com | www.aramark-uniform.com
>
>
> -----Original Message-----
> From: Eliezer Croitoru [mailto:eliezer_at_ngtech.co.il]
> Sent: Tuesday, September 10, 2013 12:49 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Changes to config file issues
>
> Hey there,
>
> From the squid.conf it seems like a basic squid server config which allows all and any user in the world to use the proxy hence it is recommended to firewall it and even if it's under nat restrict the access to the server.
>
> I do not know exactly how the squid.conf that comes from with EL6 looks like now but I would recommend you to use it and add\change the needed lines.
> I would recommend to use a newer version of squid like 3.2.X or 3.3.X but it's up to you..(and since you are testing..).
>
> add the following settings to the squid.conf.default that comes with 3.1.10
>
> http_access allow all
> http_port 8021
>
> The above lines are the only needed additions commpared to the old squid.conf file.
>
> If you will need some more help just ask and dont forget to respond to the mail with the results.
>
> Eliezer
>
> On 09/10/2013 07:24 PM, Gomes, Rich wrote:
>> We had Squid 2.6.Stable21 running on an EL 5 server. Due to some new
>> requirements we needed to build a new server with EL6. This came with
>> Squid 3.1.10
>>
>> Copying the old config file to the new server hasn't worked. We have had to comment out some lines which the new version no longer supports.
>> Squid is now able to start but every time we try to connect to an external host we receive TCP_MISS/503 and TCP_MISS/404 errors in the access log.
>>
>> Here is the config from the EL5 server.
>> What need to be corrected to get this to work as before?
>>
>> NOTE: We can switch to the EL5 server and connect without issue so it
>> is clearly an issue with the upgrade from 2.6.x to 3.1.x
>>
>>
>>
>> #Recommended minimum configuration:
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst
>> 127.0.0.0/8 acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access allow all
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access deny all
>>
>> icp_access allow all
>>
>> http_port 8021
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> access_log /var/log/squid/access.log squid
>>
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>>
>> coredump_dir /var/spool/squid
>>
>>
>>
>> Thanks in advance
>>
>>
>>
>>
>>
>>
>> Rich Gomes | Senior Systems Administrator, AUCA System Services |
>> ARAMARK Uniform & Career Apparel
>> Tel: 781.763.4508 | Fax: 781.763.2508 Rich.Gomes_at_uniform.aramark.com
>> | www.aramark-uniform.com
>>
Received on Wed Sep 11 2013 - 02:18:20 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 11 2013 - 12:00:04 MDT