Re: [squid-users] Squid - some Websites are not correct build

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 14 Jun 2013 23:18:30 +1200

On 14/06/2013 8:11 p.m., guzzzi wrote:
> Hello,
>
> there are some websites that don't build up correctly when I use Squid. If I
> open the website without Squid, I see the website correctly.

Given that your refresh_pattern lines are screwed up, this is not surprising.
Try commenting those out and see what starts working.

What version of Squid? If it is older than 3.3.5, try an upgrade and see
whether this is an old, already fixed bug of some kind.

>
> My squid.conf
>
> # Auth
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive on
>
> #auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> #auth_param basic children 10
> #auth_param basic realm Squid Proxy Server
> #auth_param basic credentialsttl 2 hours
> #auth_param basic casesensitive off
>
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 minutes
>
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>
> acl SSL_ports port 443 3000
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 21
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl FTP_ports port 21
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl AuthorizedUsers proxy_auth REQUIRED
>
> #acl block-fnes urlpath_regex -i .*/fnes/echo
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet

You here allow *all* machines matching the ACL "localnet"....

> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet

... so the above two lines, which restrict to machines matching the ACL
"localnet", will never do anything.

> http_access allow AuthorizedUsers
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128 transparent

Split this into two ports: one to receive the intercepted origin / port
80 "transparent" traffic, and leave 3128 to receive the explicitly
configured proxy traffic.

> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?

That above line can go.

>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/cache/squid 51200 36 256
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern -i \.(html|htm|html\?|htm\?)$ 9440 90% 100000

I will use the above as an example to document what is wrong with those
refresh_patterns.

* The explicit duplication of the patterns "htm", "html", "htm\?" and
"html\?" can be compacted to "html?\??".

* The "?" character in an HTTP URL signifies the start of a query string
and very rarely exists without a query string portion.

The above pattern should be replaced with:
    -i \.html?(\?.*)?$

> override-expire reload-into-ims
> refresh_pattern -i
> \.(gif|png|jpg|jpeg|ico|bmp|tiff|webp|bif|gif\?|png\?|jpg\?|jpeg\?|ico\?|bmp\?|tiff\?|webp\?|bif\?)$

   -i \.(gif|bif|tiff|png|jpe?g|ico|bmp|webp)(\?.*)?$

> 36000 90% 100000 overr$
> refresh_pattern \.(swf|swf\?|js|js\?|wav|css|css\?|class|dat|zsci)$ 36000
> 90% 100000 override-expire reload-into-ims
> refresh_pattern -i
> \.(bin|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|docx|tiff|pdf|uxx|gz|xls|xlsx|psd|crl|msi|dll|dll\?|crx|enc|skl|arc)$
> 36$

Several of these patterns appear to be missing the ends of their lines;
cut-n-paste errors? Can you show the whole lines, please.

> refresh_pattern -i \.(xml)$ 0 90% 100000
> refresh_pattern -i \.(json|json\?)$ 1440 90% 5760 override-expire
> reload-into-ims

Overriding the expiry timestamp on JSON datasets. Uhm, one of the worst
ideas I've seen in a long while. JSON is used *only* for relaying
dynamic data to running scripts; caching it for longer than it is
supposed to exist is bound to cause problems.

> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern ^ftp: 5440 90% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i . 0 90% 5760
> ignore_expect_100 on

Bad thing to do. Upgrade to 3.2 or a later release and you can stop
causing Expect: 100-continue problems :-)

> minimum_object_size 0 KB
> #pipeline_prefetch on
> maximum_object_size 250 MB
> maximum_object_size_in_memory 1 MB
> #visible_hostname shadow
> #ique_hostname shadow-DHS
> client_db off
> cache_store_log none
> #positive_dns_ttl 16 day
> #shutdown_lifetime 0 second
> cache_mem 768 MB
> memory_pools on
> #read_ahead_gap 1 MB
> #half_closed_clients off
>
> access_log /var/log/squid3/access.log
>
> and the website "www.kia.de" looks like this, which is not correct
>
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4660603/kia.jpg>

CSS missing, or an old .css file downloaded out of the cache. Missing is
likely not a Squid problem; overly old objects coming out of the cache
could be due to your refresh_pattern lines overriding the website
authors' description of the objects' validity states.

Amos
Received on Fri Jun 14 2013 - 11:18:43 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 14 2013 - 12:00:29 MDT
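Two points from the reply above can be checked mechanically: http_access is evaluated top-down with first match winning and the ACLs on one line ANDed, which is why the `allow localnet` line makes the two Windows Update lines after it unreachable; and the verbose refresh_pattern regexes can be compacted to the forms Amos gives. The following is an added Python example written for this page, not Squid code and not from either poster. It assumes the ACL names exactly as quoted, uses constructed sample URLs (www.kia.de is only the hostname named in the thread), and relies on Python's `re` being close enough to the POSIX extended regexes Squid applies to the whole URL for these particular patterns.

```python
"""Checks on the squid.conf quoted in the thread (added example, not Squid code).

1. http_access: first match wins, ACL tokens on one line are ANDed; find
   rules that an earlier, more general rule makes unreachable.
2. refresh_pattern: compare the quoted verbose regexes with the compacted
   forms from the reply over constructed sample URLs (case-insensitive, as
   refresh_pattern -i is).
"""
import re

# Constructed from the http_access lines quoted in the thread, in order.
# A leading "!" negates an ACL; every token on a line must be true.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["CONNECT", "wuCONNECT", "localnet"]),
    ("allow", ["windowsupdate", "localnet"]),
    ("allow", ["AuthorizedUsers"]),
    ("deny",  ["all"]),
]


def first_match(rules, true_acls):
    """Return (1-based rule number, action) of the first rule whose ACLs all
    hold.  `true_acls` is the set of ACL names that are true for the request.
    If no rule matches, Squid applies the opposite of the last rule's action."""
    for number, (action, tokens) in enumerate(rules, start=1):
        for tok in tokens:
            if tok == "all":
                continue                      # 'all' is always true
            negated = tok.startswith("!")
            if (tok.lstrip("!") in true_acls) == negated:
                break                         # this ACL failed; try next rule
        else:
            return number, action
    return None, ("deny" if rules[-1][0] == "allow" else "allow")


def shadowed_rules(rules):
    """Rule numbers that can never fire because an earlier rule's ACL tokens
    are a subset of theirs (any request they match already matched earlier).
    Sufficient test only: it ignores ACL semantics such as 'all'."""
    dead = []
    for i, (_, tokens) in enumerate(rules):
        if any(set(earlier) <= set(tokens) for _, earlier in rules[:i]):
            dead.append(i + 1)
    return dead


# Verbose patterns from the quoted config beside the compact forms from the reply.
PATTERN_PAIRS = {
    "html": (r"\.(html|htm|html\?|htm\?)$",
             r"\.html?(\?.*)?$"),
    "images": (r"\.(gif|png|jpg|jpeg|ico|bmp|tiff|webp|bif|gif\?|png\?|jpg\?"
               r"|jpeg\?|ico\?|bmp\?|tiff\?|webp\?|bif\?)$",
               r"\.(gif|bif|tiff|png|jpe?g|ico|bmp|webp)(\?.*)?$"),
}


def compare_patterns(name, urls):
    """Return {url: (verbose_matches, compact_matches)} for one pattern pair."""
    verbose, compact = (re.compile(p, re.IGNORECASE) for p in PATTERN_PAIRS[name])
    return {u: (bool(verbose.search(u)), bool(compact.search(u))) for u in urls}


# Constructed sample URLs; only the hostname comes from the thread.
SAMPLE_URLS = [
    "http://www.kia.de/index.html",
    "http://www.kia.de/Index.HTM",
    "http://www.kia.de/index.html?",
    "http://www.kia.de/index.html?lang=de",   # query string: verbose form misses it
    "http://www.kia.de/img/logo.JPEG?v=3",
    "http://www.kia.de/css/site.css",
]

if __name__ == "__main__":
    print("dead http_access rules:", shadowed_rules(HTTP_ACCESS))
    lan = {"localnet", "CONNECT", "wuCONNECT", "SSL_ports", "Safe_ports"}
    print("LAN CONNECT to www.update.microsoft.com ->", first_match(HTTP_ACCESS, lan))
    for name in PATTERN_PAIRS:
        for url, (v, c) in compare_patterns(name, SAMPLE_URLS).items():
            print(f"{name:6} {url:45} verbose={v!s:5} compact={c}")
```

Running it reports rules 6 and 7 as dead, and shows a LAN client's CONNECT being decided by rule 5 before either Windows Update line is reached. The pattern comparison also makes one side effect of the compacted forms visible: a URL such as `index.html?lang=de` now matches the html line, so the `override-expire` on that line applies to it, whereas the verbose form never matched it and the later `(/cgi-bin/|\?) 0 0% 0` line would have caught it instead. Since refresh_pattern is also first-match, decide deliberately whether query-string URLs should inherit that override.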