Squid
*******************************************************************************Instalar e Configurar o SquidCriado por: Alessandro C. M. KuramotoData: 19/09/2008Modificado em: 03/08/2009-08:44v.20090717-0844Palavras-chaves: squid*******************************************************************************
################################################################################ Temp:###############################################################################
authenticate_ip_ttl 0 secondsacl aclname max_user_ip [-s] number
## Nao faz cache das pagina do arquivo sitesSemCache.aclacl NOCACHE url_regex “/etc/squid/Rules/sitesSemCache.acl” \?### Aplicacao da ACL NOCACHE para nao fazer cache## das paginas do arquivo sitesSemCache.aclno_cache deny NOCACHE## Teste de acesso ao DOMINIO:#acl dominio-servers dstdomain dominio.com.bralways_direct allow NOCACHE
make[3]: *** [ldap_backend.o] Error 1(Fonte: http://www.squid-cache.org/mail-archive/squid-users/200806/0066.html)yum provides lber.hapt-get install libldap2-dev
|##########^ Temp ############################################################|
################################################################################ Servidor:###############################################################################
SO: Debian 4.0 EtchServidor: SquidServiço: Squid
Instalação básica (modo texto).
RAM
Swap /boot 100 MB/ /usr /var
===============================================================================Dados para referências/diferenciação: (Estudo de caso)===============================================================================
- Squid com 2350 conexões (pode ter tido sinais SIGABRT)
- Em quatro processos tem-se 5298 Conexões
SIGABRT(Fonte: http://pt.wikipedia.org/wiki/SIGABRT)
################################################################################ Conceitos: ###############################################################################
The meaning of reverse HTTPS proxy is to alow https connections to HTTPservers that do not support it, or to speed up http servers byu moving SSLfunctionalitty off them.
——————————————————————————-(Fonte: http://www.pollon.org/download2/squid.txt)O squid trabalha com 3 protocolos: http, ftp e https. Os dados do httpsnão ficam no cache porque o squid não consegue ler os dados (estão criptografados).
O tráfego do protocolo https dá-se pelo método CONNECT (conexão direta nas portas seguras).———————————————————————————-(Fonte: http://virtual01.lncc.br/~licht/linux/squid.html)É perigoso permitir ao Squid conectar-se a certas portas. Por exemplo, pode-seusar o Squid como relay de SMTP (email). Relays de SMTP são uma das formas possíveisde se “floodar” (lotar) nossos mailboxes. Para prevenir o relay de emails, o Squid nega requisições quando o número da porta da URL é 25 (porta SMTP). Outras portastambém são bloqueadas. —
——————————————————————————-
(Fonte: http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Appendix+A.+Config+File+Reference/auth_param/)
A nonce is a special string of data that changes from time to time.Its purpose is to prevent replay attacks with captured digestauthentication data.
—(Fonte: http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Chapter+12.+Authentication+Helpers/12.3+HTTP+Digest+Authentication/)A nonce is a special string of data, which changes occasionally. During the authentication process, the server (Squid in this case) provides a nonce value to the client. The client uses the nonce value when generating the digest. Without the nonce data, an attacker could simply intercept and replay the digest values to gain access to Squid.
—|
|—————————————————————————–|
################################################################################ Instalando: ###############################################################################
## Atualizando a lista de pacotesapt-get update
## Para instalar executeapt-get install squid
################################################################################ Arquivos de configuração: ################################################################################
################################################################################ Configurando: ###############################################################################===============================================================================Configuração Geral – Explicação:===============================================================================_______________________________________________________________________________Arquivo: /etc/squid/squid.conf (Permissões: -rwxr–r– 1 root root)——————————————————————–### Veja também: Configurando squid.conf – TAGS:
## Porta na qual o squid irá escutar por conexões:# Default: 3128http_port 3128
## Quantidade de memória RAM que o Squid irá utilizar para cache e não para## o processo do squid:# cache_mem <mem>cache_mem 32 MB
## Espaço em disco que será utilizado com Cache:# cache_dir diskd Directory-Name Mbytes L1 L2 # Default: cache_dir ufs /var/spool/squid 100 16 256cache_dir ufs /cache01 128 16 256cache_dir ufs /cache02 128 16 256
## Arquivo de Log que serão gravados os acessos aos sitesaccess_log /var/log/squid/access.log squid
## Descomente esta linha para informar ao squid o usuário que## inicializará daemon do Squid:cache_effective_user proxy
## Grupo dono daemon do Squid:cache_effective_group proxy
## Nome que aparecerá na página de aviso para o usuário:visible_hostname proxy.lablinux.net.br
## Exemplo de exceções## Para permitir o acesso direto a um domínio sem passa por caches pais e irmãos:## Nesta configuração o acesso, por exemplo, ao sítio www.dominio.com.br será## direto:acl DOMINIO dstdomain .dominio.com.bralways_direct allow DOMINIO
|———-^ Arquivo: /etc/squid/squid.conf ———————————-|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++vi /etc/sysctl.confnet.ipv4.ip_local_port_range = 1024 65000+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# vim /etc/default/squid
SQUID_MAXFD=4096——–
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# vim /etc/security/limits.conf
* – nofile 65535———+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cat /proc/sys/net/ipv4/ip_local_port_range32768 61000
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
# cat /proc/sys/net/ipv4/tcp_max_syn_backlog1024
# echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
vi /etc/init.d/bootmisc.sh if [ -e /dev/.udev.log ] then mv -f /dev/.udev.log /var/log/udev fi
# Remove bootclean’s flag files. # Don’t run bootclean again after this! rm -f /tmp/.clean /var/run/.clean /var/lock/.clean
# aumentar o numero de file descriptors ulimit -HSn 4096}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++===============================================================================Configurando squid.conf – TAGS:===============================================================================
Geral:_______________________________________________________________________________Arquivo: /etc/squid/squid.conf (Permissões: -rwxr–r– 1 root root)——————————————————————–
# Faz a rotação de Logs, o valor 365 diz para criar 365 logs:logfile_rotate 365## Configura os IPs dos servidores de DNS:dns_nameservers 10.10.10.1 10.10.10.2
## Mostrar um página personalizada para determinado tipo de bloqueiodeny_info http://www.google.com.br bloqueado
## Para permitir o acesso direto a um domínio sem passa por caches pais e irmãos:acl DOMINIO dstdomain .dominio.com.bralways_direct allow DOMINIO
+—————————————————————————–|
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++Exemplos de configuração – squid.conf:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++===============================================================================Configuração de ACL’s:===============================================================================
Exemplos de Configuração:_______________________________________________________________________________Arquivo: /etc/squid/squid.conf (Permissões: -rwxr–r– 1 root root)——————————————————————–……## Criar ACLs (Lista de Controle de Acesso):# TAG: acl
## Para liberar o acesso em conexão segura (HTTPS) para VMware:acl SSL_ports port 8333 # VMware https
### Exemplos de ACLs src:## Por endereço IP/rede de origem:acl REDE_INTERNA src 10.10.10.0/24
##acl ip_do_arquivo src “/etc/squid/rules/gerencia.acl”
## ACL para limitar o número máximo de conexões: acl MAXCONEXOES maxconn 10
## Criar a regra a Lista de Controle de Acesso:# TAG: http_access
http_access deny MAXCONEXOES REDE_INTERNA
http_access allow REDE_INTERNA
## Este http_access já é padrão no Squid:# Deny CONNECT to other than SSL portshttp_access deny CONNECT !SSL_ports
……
+—————————————————————————–|
VER:
Editando o squid.conf
Vamos ao squid.conf
Insira as linhas abaixo logo antes de acl all src 0.0.0.0/0.0.0.0:
acl blockedsites url_regex -i “/etc/squid/bloqueados/block.txt” acl unblockedsites url_regex -i “/etc/squid/bloqueados/unblock.txt”
ou
acl blockedsites url_regex -i “/usr/local/squid/etc/bloqueados/block.txt” acl unblockedsites url_regex -i “/usr/local/squid/etc/bloqueados/unblock.txt”
Agora procure no seu squid.conf a linha http_access deny all e coloqueantes dela:
http_access deny blockedsites !unblockedsites
DICA: O “!” Significa sempre negação de alguma coisa.
===============================================================================Configuração de Proxy Transparente:===============================================================================
Exemplos de Configuração:_______________________________________________________________________________DebianArquivo: /etc/squid/squid.conf (Permissões: -rwxr–r– 1 root root)——————————————————————–……## Inserir as seguintes linhas:httpd_accel_host virtualhttpd_accel_port 80httpd_accel_with_proxy onhttpd_accel_uses_host_header on……+—————————————————————————–|
## Criar a seguinte regra de Firewall (Exemplo do iptables)iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 3128
acl redirecionado url_regex teste
http_acces deny redirecionado
## Mostrar um página personalizada para determinado tipo de bloqueiodeny_info http://www.sitiopersonalizado.com.br redirecionado
|——————————————————————————
——————–#!/bin/bash
test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate——————–#!/bin/sh
#DATE=`date +”%d%m%y-%H%M”`DATE=`date +”%d%m%Y-%T”`/usr/sbin/squid -k rotatesleep 5mv /var/log/squid/access.log.0 /var/log/squid/access.log.$DATEmv /var/log/squid/cache.log.0 /var/log/squid/cache.log.$DATEmv /var/log/squid/store.log.0 /var/log/squid/store.log.$DATE/usr/bin/bzip2 /var/log/squid/access.log.$DATE/usr/bin/bzip2 /var/log/squid/cache.log.$DATE/usr/bin/bzip2 /var/log/squid/store.log.$DATE
—————–===============================================================================Configuração de Cache Hierárquico – Configurando um cache filho: (Proxy Parent)===============================================================================(Fonte: http://br.geocities.com/cesarakg/peering-squid-caches.html)(Fonte: http://www.linuxman.pro.br/squid/node/1/#toc121)
Exemplos de Configuração:_______________________________________________________________________________DebianArquivo: /etc/squid/squid.conf (Permissões: -rwxr–r– 1 root root)——————————————————————–……## As configurações abaixo devem ser feitas no Proxy Filho# servidor_de_proxy – nome ou IP do cache-pai # (Fonte: http://www.linuxman.pro.br/squid/node/1/#toc121)# no-query – para o proxy não enviar queries para o outro# Use a opção no-query, se tiver somente “um” cache-pai# Essa opção será utilizada quando fazer requisições a caches que# não aceitam ou não suportam ICP. Caso utilize essa opção, configure# o quarto campo como 0# no-digest – similar ao de cima só que com relação a digest# #cache_peer servidor_de_proxy parent 3128 3130 no-query no-digestcache_peer servidor_de_proxy parent 3128 0 no-query no-digest
## Faz com que o Squid nunca saia direto para Internetnever_direct allow all……|—————————————————————————–|
——————————————————————————-(Fonte: http://www.christianschenk.org/blog/using-a-parent-proxy-with-squid/)## Em caso de vários Proxy Parent:cache_peer proxy.isp1.com parent 8080 0 no-query no-digest defaultcache_peer proxy.isp2.com parent 8080 0 no-query no-digest
# Oucache_peer proxy.isp1.com parent 8080 0 no-query no-digest weight=1cache_peer proxy.isp2.com parent 8080 0 no-query no-digest weight=2
# Ou o exemplo com round-robincache_peer proxy.isp1.com parent 8080 round-robin no-querycache_peer proxy.isp2.com parent 8080 round-robin no-querycache_peer proxy.isp3.com parent 8080 round-robin no-query
|—————————————————————————–|
|==========^ Proxy Parent ====================================================|
——————————————————————————-Configuração de ACLs———————————-
## deny_info – irá mostrar o motivo que determinado site foi bloqueadodeny_info http://www.dominio.com.br/alertaproxy.html nome_da_acl
———————————-
ERRORThe requested URL could not be retrieved
While trying to retrieve the URL: http://bn.uol.com.br/event.ng/Type=click&FlightID=33148&AdID=93866&TargetID=341&Segments=19,23,45,47,129,138,190,247,266,386,500,1043,1044,2149,2377,2408,2724,2848,2862,2881,3172,3173,3282,3719,3897,4137,4144,4145,4194,4203,4209,4220,4236,4261,4309,4359,4375,4391,4396,4398,4413&Targets=1,341&Values=30,50,60,84,100,110,150,199,204,237,286,323,347,350,356,366,381,389,409,434,484,593,642,958,959,998,1039,10540&RawValues=&Redirect=http://www.itau.com.br
The following error was encountered:
* Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* The cache administrator does not allow this cache to make direct connections to origin servers, and * All configured parent caches are currently unreachable.
Your cache administrator is webmaster.Generated Thu, 24 Jul 2008 15:04:24 GMT by squid.dominio.com.br (squid/2.6.STABLE5)
Alguns:
- Ver com o usuário se está digitando corretamente proxy.dominio.com.br
Testar:
HTTPS: www.bb.com.br -> acesso à conta
filedescription
Códigos de Acessos do Squid: TCP_MEM_HIT/200
Hi ,
The logs informs that cached object in the Squid got expired. Sorequest will besent to Orgin server. The Orgin Server replies with 304 Not Modified, (content notmodified).So squid logs TCP_REFRESH_HIT or TCP_IMS_HIT.
Erro:
debian:/# ssquid restartRestarting Squid HTTP proxy: squid* Creating squid spool directory structureFATAL: Could not determine fully qualified hostname. Please set ‘visible_hostname’
Squid Cache (Version 2.6.STABLE5): Terminated abnormally.CPU Usage: 0.016 seconds = 0.004 user + 0.012 sysMaximum Resident Size: 0 KBPage faults with physical i/o: 0/scripts/ssquid: line 74: 15033 Aborted $DAEMON -zFATAL: Could not determine fully qualified hostname. Please set ‘visible_hostname’
Squid Cache (Version 2.6.STABLE5): Terminated abnormally.CPU Usage: 0.064 seconds = 0.008 user + 0.056 sysMaximum Resident Size: 0 KBPage faults with physical i/o: 0/scripts/ssquid: line 74: 15035 Aborted start-stop-daemon –quiet –start –pidfile $PIDFILE –chuid $CHUID –exec $DAEMON — $SQUID_ARGS </dev/null failed!
setar a tag visible_hostname
===============================================================================Comandos de testes: Verifica a quantidade de Filedescriptors abertos:ls /proc/17927/fd/ |wc -l
ip_contrack
cat /proc/net/ip_conntrackcat /proc/sys/net/ipv4/ip_conntrack_max
——————————————————————————- Casos:
Acesso ao INFOSEG:
www.infoseg.gov.br
Erro: aparece tela com o triângulo amarelo e uma exclamação em preto
Solução de Contorno: Sair para Internet sem passar pelo Proxy;
CONNECT
TCP_IMS_HIT/304
TCP_MEM_HIT/200
TCP_NEGATIVE_HIT
TCP_REFRESH_MISS/200
===============================================================================Autenticação no Squid:===============================================================================>Autenticação no SquidTags: Auntenticação no Squid
——————————————————————————-Autenticação no Squid Usando Digest com o OpenLDAP:—————————————————-
(Fonte: http://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication#)
—### Para adicionar um usuário ao OpenLDAP:# 1) Criar um arquivo ldif:
vim newcard.ldif—– Arquivo: newcard.ldif ————————–dn: uid=alessandro.kuramoto,dc=dominio,dc=com,dc=brobjectClass: inetOrgPersonobjectClass: posixAccountuid: alessandro.kuramotouserpassword: passworduidNumber: 1000gidNumber: 1000cn: Alessandro C. M. KuramotogivenName: Alessandrosn: KuramotohomeDirectory: /home/alessandro.kuramoto|——^ Arquivo: newcard.ldif ———————-|
## Execute:ldapadd -x -D “cn=admin,dc=dominio,dc=com,dc=br” -w Senha_do_Admin -f ~/newcard.ldif
—|
### Para criar um Hash de teste:REALM=”Servidor de Proxy” HASH=`echo -n “alessandro.kuramoto:$REALM:senha” | md5sum | cut -f1 -d’ ‘` ldapmodify -x -D “cn=admin,dc=dominio,dc=com,dc=br” -w “Senha_do_Admin” << EOFdn: uid=alessandro.kuramoto,dc=dominio,dc=com,dc=brl: $REALM:$HASHEOF
|———-^ Autenticação no Squid Usando Digest com o OpenLDAP ————–|
|==========^ Autenticação no Squid ===========================================|
===============================================================================Configuração o Squid com Múltiplos Processos (Vários Processos do Squid):===============================================================================
/sbin/mkreiserfs -h r5 /dev/sdb1chown -Rv proxy.proxy /cache1chown -Rv proxy.proxy /cache2
(Fonte: http://www.devshed.com/c/a/Administration/High-Performance-Web-Caching-With-Squid/2/)Exemplos de Configuração:_______________________________________________________________________________DebianArquivo: /etc/squid/squid.conf (Permissões: -rwxr–r– 1 root root)——————————————————————–……## Coloque uma porta diferente das que estão sendo utilizadas:http_port 3122
## Especifique um locar dos arquivos de cache diferente:cache_dir aufs /cache2 10000 22 256
## Modifique os seguintes arquivos:access_log /var/log/squid/access-proc2.log squidcache_log /var/log/squid/cache-proc2.logpid_filename /var/run/squid-proc2.pid……|—————————————————————————–|
|=========================================================================| ^Configuração o Squid com Múltiplos Processos (Vários Processos do Squid)|=============================================================================|
===============================================================================Configuração do Squid com Acesso de Gerência:Palavra-chave: squidclient===============================================================================
_______________________________________________________________________________DebianArquivo: /etc/squid/squid.conf (Permissões: -rwxr–r– 1 root root)——————————————————————–……
acl ips_de_gerencia src “/etc/squid/Rules/gerencia.acl”http_access allow manager ips_de_gerencia
……|—————————————————————————–|
|=========================================================================| ^Configuração o Squid com Múltiplos Processos (Vários Processos do Squid)|=============================================================================|
################################################################################ Gerenciando o Squid: ###############################################################################
## Para saber a versão do Squid:squid -v
## Para instalar o squidclient no Debian:apt-get install squidclient
## (Fonte: http://www.nabble.com/squidaio_queue_request:-WARNING—Queue-congestion-td22308518.html)## How to find hit/secsquidclient mgr:utilization## Na saída do comando procurar por: client_http.requests = 102.190863/sec ## Neste caso em um forum também tinha o Warning: ## squidaio_queue_request: WARNING – Queue congestion ## Nossa situação: client_http.requests = 97.351837/sec ## Situação top: client_http.requests = 113.670925/sec ## Situação top (máx): client_http.requests = 1.670925/sec
squidclient -h 10.10.10.1 -p 3128 mgr:utilization
squidclient -h 10.2.130.21 -p 3128 mgr:info
## Para ver as informações dos descritores (Files Descriptors – FDs)squidclient mgr:info | grep “file desc”
|##########^ Gerenciando o Squid #############################################|
################################################################################ Troubleshooting ###############################################################################>Troubleshooting
FATAL: Could not determine fully qualified hostname. Please set ‘visible_hostname’
FD 2317 Closing HTTP connectionsquidaio_queue_request: WARNING – Queue congestion
Consider increasing the number of url_rewriter processes to at least 895 in your config file.
urlParse: Illegal character in hostname ‘[2a01:138:a001:201:'
WARNING: unparseable HTTP header field {HTTP/1.1 200 OK}
2009/08/05 08:48:57| WARNING: All url_rewriter processes are busy.2009/08/05 08:48:57| WARNING: up to 661 pending requests queued2009/08/05 08:48:57| Consider increasing the number of url_rewriter processes to at least 811 in your config file.
2009/08/05 10:45:40| /cache1/swap.state: (13) Permission deniedFATAL: storeAufsDirOpenSwapLog: Failed to open swap log.Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
## O mesmo cache_peer foi especificado duas vezesFATAL: ERROR: cache_peer 10.10.10.23 specified twice|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------### Erros Conhecidos: (Known Errors)
## Questão/Problema: (Question/Issue)## Sintoma: (Symptom)
Caso receba uma mensagem de erro do tipo:
Squid Parent: child process XXXX exited due to signal 25
## Causa: (Cause)
This error is only seen if there is a log file which has grown beyond 2GB. (Fonte: http://osdir.com/ml/web.squid.general/2003-03/msg01172.html)
## Solução: (Solution)
Para corrigir o problema é necessário rotacionar os arquivos de Logs.
Sorry, but I did not have time to translate, then try to use "Google Translate"and use Portuguese <> English: http://www.google.com/dictionary|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------### Erros conhecidos:## Sintoma:
No browser aparece a seguinte mensagem de erro:
* Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* The cache administrator does not allow this cache to make direct connections to origin servers, and * All configured parent caches are currently unreachable.
## Causa:
Este erro aconteceu porque o Squid estava configurado para usar caches "parents" e a configuração foi retirada, porém restou a linha:
---- squid.conf ------------ never_direct allow all |--------------------------|
## Solução:
Comente a linha mencionada:
---- squid.conf ------------ # never_direct allow all |--------------------------|
|-----------------------------------------------------------------------------|
-------------------------------------------------------------------------------## Erros conhecidos:## Sintoma:
Ao tentar acessar a Internet usando o Proxy aparece a seguinte mensagem no navegador web:
Em português: * O administrador do cache não permite que este cache faça conexões diretas para servidores, e * Todos os caches configurados não estão disponíveis.
Ou em Inglês:
* The cache administrator does not allow this cache to make direct connections to origin servers, and * All configured parent caches are currently unreachable.
## Causa:
A diretiva "never_direct allow all" está habilitada e não há nenhum servidor Proxy Pai para enviar a solicitação.
## Solução:
Comente a linha "never_direct allow all"
|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------### Erros conhecidos:## Questão/ Problema: (Question/Issue)
Squid lento e travando.
## Sintoma: (Symptoms)
No arquivo cache.log aparece a seguinte mensagem de erro
WARNING! Your cache is running out of filedescriptors
## Causa: (Cause)
O Squid chegou no limite de filedescriptors.
## Solução: (Solution) http://www.vivaolinux.com.br/dica/Squid-caindo-devido-ao-erro-WARNING-Your-cache-is-running-out-of-filedescriptors
|-----------------------------------------------------------------------------|
debian1:/etc/squid# /etc/init.d/squid restartRestarting Squid HTTP proxy: squid* Creating squid spool directory structure2009/05/30 23:53:21| Creating Swap DirectoriesFATAL: Failed to make swap directory /cache01/00: (13) Permission denied
Verificar:Aug 3 15:25:52 proxynome squid[2779]: Detected REVIVED Parent: proxy.dominio.com.brAug 3 15:28:41 proxynome squid[2779]: Detected DEAD Parent: proxy.dominio.com.br
http://www.mail-archive.com/squid-users@squid-cache.org/msg19447.html
TCP connection to 10.2.130.23/3128 failed
===============================================================================squidaio_queue_request: WARNING – Queue congestion===============================================================================
Estranhamente este erro apareceu em um servidor com 16 GB de RAM e quando ocache_mem foi aumentado de 1024 MB para 3072 MB, verificar se há relação.|=============================================================================|
===============================================================================squidaio_queue_request: WARNING – Queue congestion===============================================================================
TCP connection to proxy.dominio.com.br/3128 failed
|##########^ Troubleshooting #################################################|
################################################################################ Sites Importantes: ###############################################################################
Versões do Squid:
Para baixar os fontes da versão 2.6:http://www.squid-cache.org/Versions/v2/2.6/
http://www.squid-cache.org/Versions/v2/2.7/
www.vivaolinux.com.br http://www.squid-cache.org/mail-archive/squid-users/200308/1261.html http://www.mail-archive.com/squid-br@yahoogrupos.com.br/msg00222.html
Rascunho 2——————
I think the best thing to do here is to inspect the traffic withssldump. You may need the certificate key of the web server to makesense of the exchanged data..
clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (1/-1)
################################################################################ Referências: ###############################################################################>Referências
Autenticação e o Squid:http://br.geocities.com/cesarakg/AuthenticationAndSquid.html
Chapter: auth_param: (Muito bom)http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Appendix+A.+Config+File+Reference/auth_param/
Como configurar um servidor proxy utilizando o squid?:http://virtual01.lncc.br/~licht/linux/squid.html
Configurando um Squid “Ninja”:http://www.linuxman.pro.br/squid/node/1/#toc27http://www.linuxman.pro.br/squid/node/1/node/1/#toc60
Configure squid for LDAP authentication using squid_ldap_auth helper:http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html
Proxy SQUID – Integração Perfeita com o GOsa:http://www.nisled.org/?tag=squid
SQUID – DICAS DE CONFIGURAÇÃO:http://www.pollon.org/download2/squid.txt
RFC 2817:http://www.ietf.org/rfc/rfc2817.txt
RFC 2817 Tradução Português:http://www.normes-internet.com/normes.php?rfc=rfc2817&lang=pt
Referência muito boa:Quais as dúvidas e problemas freqüentes do Aker Web Content Analyzer e Squid?http://www1.aker.com.br/108/10802002.asp?ttCD_CHAVE=295
Squid Autenticando em Base OPENLDAP:http://wiki.forumdebian.com.br/index.php/Squid_Autenticando_em_Base_OPENLDAP
Samba + LDAP + Squid no Debian:http://www.vivaolinux.com.br/artigo/Samba-+-LDAP-+-Squid-no-Debian/?pagina=4
Muito Show (assistir este vídeo)http://video.google.com/videoplay?docid=6401267248000251210#
Using RAID with Squid cache directories:http://wiki.squid-cache.org/SquidFaq/RAID
Using the digest LDAP authentication helper:http://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication#
|##########^ Referências #####################################################|
################################################################################ Dicas: ###############################################################################
- Cuidado com o logrotate com o loffile_rotate; - Lembre-se do SSL_port;
http://www.mail-archive.com/squid-br@yahoogrupos.com.br/msg00222.html6.13 Which log files can I delete safely?You should never delete access.log, store.log, cache.log, or swap.state while Squid is running. With Unix, you can delete a file when a process has the file opened. However, the filesystem space is not reclaimed until the process closes the file.If you accidentally delete swap.state while Squid is running, you can recover it by following the instructions in the previous questions. If you delete the others while Squid is running, you can not recover them.The correct way to maintain your log files is with Squid’s “rotate” feature. You should rotate your log files at least once per day. The current log files are closed and then renamed with numeric extensions (.0, .1, etc). If you want to, you can write your own scripts to archive or remove the old log files. If not, Squid will only keep up to logfile_rotate versions of each log file. The logfile rotation procedure also writes a clean swap.state file, but it does not leave numbered versions of the old files.If you set logfile_rotate to 0, Squid simply closes and then re-opens the logs. This allows third-party logfile management systems, such as newsyslog, to maintain the log files.To rotate Squid’s logs, simple use this command:
squid -k rotate
For example, use this cron entry to rotate the logs at midnight:
0 0 * * * /usr/local/squid/bin/squid -k rotate
6.14 How can I disable Squid’s log files?For Squid 2.4:To disable access.log:
cache_access_log /dev/null
To disable store.log:
cache_store_log none
To disable cache.log:
cache_log /dev/null
For Squid 2.5:To disable access.log:
cache_access_log none
To disable store.log:
cache_store_log none
To disable cache.log:
cache_log /dev/null
Note : It is a bad idea to disable the cache.log because this file contains many important status and debugging messages. However, if you really want to, you can.Warning : If /dev/null is specified to any of the above log files, logfile rotate must also be set to 0 or else risk Squid rotating away /dev/null making it a plain log file.Tip : Instead of disabling the log files, it is advisable to use a smaller value for logfile_rotate and properly rotating Squid’s log files in your cron. That way, your log files are more controllable and self-maintained by your system.6.15 My log files get very big!You need to rotate your log files with a cron job. For example:
0 0 * * * /usr/local/squid/bin/squid -k rotate
===========================================================
O ideal é você fazer o rotate todos os dias. Isso pode ser feito via seus próprios scripts ou simplesmente com esse comando acima. Aqui onde trabalho, gero relatórios de acesso todos os dias e de quebra aproveito pra zerar meus logs.
Dessa forma, meu squid tá sempre rodando redondinho e dificilmente apresenta algum problema.
O tamanho do arquivo de logs vai depender de quantos usuários você tem passando por ele, pois em uma rede de 500 máquinas os logs vão ser maiores que em uma rede de 50.
Portanto, prepare seus scripts e gerencie os logs diariamente que você não vai ter problemas.
——————————————————————————-Rascunho:
apt-get install apt-build
apt-get source squidapt-get build-dep squidapt-get install devscripts build-essential fakerootcd squid-2.6.1vim debian/rulesAdd –enable-ssl \ to ?# Configure the package? section./configuredebuild -us -uc -bcd ..dpkg -i squid??? squid-common???
> Henrik:>> Again thanks for the help.>> I went through the apache mod_ssl directions to the letter, and still> having trouble.> here are the commands they refer to.>>> openssl genrsa -des3 -out www.virtualhost.com.key 1024
If you use encrypted RSA keys then you must start Squid with the -Noption.
> [root@owa openssl]# /usr/local/squid/sbin/squid -D -d 1> Enter PEM pass phrase:> 2003/08/27 16:17:24| Failed to acquire SSL private key> ‘/etc/openssl/owa.clinedavis.com.key’: error:0906406D:PEM> routines:DEF_CALLBACK:problems getting password
Or else you get the above error…
——————————————————————————-Erro: este é falta de permissão correta:
Restarting Squid HTTP proxy: squid* Creating squid spool directory structure2009/06/07 20:42:41| Creating Swap DirectoriesFATAL: Failed to make swap directory /cache01/00: (13) Permission deniedSquid Cache (Version 2.6.STABLE5): Terminated abnormally.CPU Usage: 0.004 seconds = 0.000 user + 0.004 sysMaximum Resident Size: 0 KBPage faults with physical i/o: 0
——————————————————————————-Ver UltraSurf
===============================================================================Dicas para melhorar o desempenho (performance) do Proxy:===============================================================================
Melhores aplicações:
Sistema de arquivos:
Com reiserfs:
Colocar:
noatime
noatime Do not update inode access times on this file system (e.g, for faster access on the news spool to speed up news servers)
notail By default, reiserfs stores small files and ‘file tails’ directly into its tree. This confuses some utilities such as LILO(8). This option is used to disable packing of files into the tree.
## Veja este link:http://wiki.squid-cache.org/BestOsForSquid
(Fonte: http://www.squid-cache.org/mail-archive/squid-users/200810/0083.html)noatime, nodiratime, data=writeback
(Fonte: http://www.squid-cache.org/mail-archive/squid-users/200810/0087.html)notail
(Fonte: http://www1.aker.com.br/108/10802002.asp?ttCD_CHAVE=295)
Uma forma de calcular a quantia de RAM necessária para qualquer cache é 10MB RAM para cada 1GB de espaço de cache em disco. Sugestão: distribuir um pouco mais quando usado um squid compilado para usar threads. Também é preciso incluir na conta o que seu sistema usa para outras coisas.
Seguem, abaixo, as tags do squid.conf que mais influenciam no desempenho da aplicação:
cache_mem Este parâmetro dimensiona o quanto de memória o squid irá utilizar para objetos “quentes”, que são os objetos mais consultados no cachê. O valor padrão de 8mb é um valor seguro para a maioria dos sistemas, sendo que normalmente são usados valores entre 32 e 50mb para máquinas com memória >= que 512 de ram. É importante ressaltar que esse parâmetro não limita o tamanho do(s) processo(s) do squid. Os ganhos de performance aumentando esse valor não são muito altos, mas perceptíveis em proxys com tráfego alto.
cache_dir
Este é o diretório onde ficarão os arquivos que o squid guarda em cache. Primeiro, é melhor usar aproximadamente 60% ou menos de cada diretório de cache. Se usar mais que isso você começará a perceber uma perda leve de desempenho. Lembre-se que tamanho de cache não é tão importante quanto velocidade de cache. Você também necessitará definir o número de diretórios e subdiretórios. A fórmula para decidir que é isto:
x=tamanho do diretório de cache em kb(ex.: 6GB=~6,000,000kb) y=tamanho aproximado dos objetos (p/ efeito de cálculo 13kb é um bom valor) z=número de diretório de primeiro nível.
(((x / y) / 256) / z) * 2 = Nº de diretórios
Como exemplo, foi usado 6GB de um hd para cache:
6,000,000 / 13 = 461538.5 / 256 = 1802.9 / 256 = 7 * 2 = 14
Assim, meu cache_dir ficaria dessa forma:
cache_dir 6000 14 256(Fonte:http://www.devshed.com/c/a/Administration/High-Performance-Web-Caching-With-Squid/2/)
Estes são os dois valores mais importantes, os outros valores são apenas ajustes menores e também para não desperdiçar espaço em disco com alguns logs que para a administração não interessam.
O cache_store_log é dos logs que o squid gera o que mais usa espaço em disco e que para o administrador não traz nenhuma informação útil, assim podemos desabilitá-lo com:
cache_store_log none
|===========================================================| ^Acima: Dicas para melhorar o desempenho (performance) do Proxy:|=============================================================================|
################################################################################ COMANDOS E PROGRAMAS ÚTEIS: ###############################################################################
iotop
tail
|=====================================| ^Acima: COMANDOS E PROGRAMAS ÚTEIS|#############################################################################|
################################################################################ MAIS CONCEITOS: ###############################################################################
Cache Digest:(Fonte: http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TYT-3VY4SS7-B&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&_docanchor=&view=c&_searchStrId=958102447&_rerunOrigin=google&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=6ee7d68f131ef82b53a1771eb1adece6)This paper presents cache digest, a novel protocol and optimization technique for cooperative Web caching. Cache digest allows proxies to make information about their cache contents available to peers in a compact form. A peer uses digests to identify neighbors that are likely to have a given document. Cache digest is a promising alternative to traditional per-request query/reply schemes such as ICP. We discuss the design ideas behind cache digest and its implementation in the Squid proxy cache. The performance of cache digest is compared to ICP using real-world Web caches operated by NLANR. Our analysis shows that cache digest outperforms ICP in several categories. Finally, we outline improvements to the techniques we are currently working on.
Author Keywords: Proxy cache; Peer selection; Cache digest; ICP
################################################################################ VER: ###############################################################################
IMPORTANTE:http://clubedohacker.com.br/tutoriaisartigos-mainmenu-31/36-sistemas-linux/251-curso-de-proxy-com-linux-aula-4-examinando-o-squid.html
http://clubedohacker.com.br/tutoriaisartigos-mainmenu-31/36-sistemas-linux/238-instale-e-configure-o-ntop.html
http://www.linofee.org/~jel/proxy/Squid/accesslog.shtml
http://www.vivaolinux.com.br/artigo/Squid-atuando-como-proxy-reverso?pagina=3
http://www.koruja.org/wikiti/index.php?title=Squid_-_caso_1&printable=yes&printable=yes
https://antigosite.matik.com.br/infomatik/squid/manual.php
Secure Connection Failed
An error occurred during a connection to www2.bancobrasil.com.br.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem
################################################################################ Tópicos dos Sites: ###############################################################################
http://linuxdevcenter.com/pub/a/linux/2001/07/26/squid.html?page=last&x-maxdepth=0Disk space and memory
A cache can always use more disk space, but as the size of your disk-cache grows, you will need more memory to index it. There’s a straightforward rule for memory.
Divide the size of your disk cache by 13 Kbytes, and multiply that by 130 bytes. Add the size of cache_mem, and add about 2.5 Mbytes more for executable files, libraries, and other sundry overhead. For example: We have a 10-Gbyte drive, and a cache_mem of 8 Mbytes.
10 Gbytes/13 Kbytes = 769,230769,230 x 130 bytes = 99,999,900 bytes (or 97,656 Kbytes)97,656 Kbytes + 2.5 Mbytes + 8 Mbytes = 10,849,656 Kbytes or about 108 Mbytes
The example server needs 108 Mbytes available to Squid to support 10 Gbytes of cache_dir.
Provide as much disk space as you can provide RAM to support it. Squid performs very badly when it starts to swap. Remember to set aside memory for anything else on the machine (DNS, cron, operating system, etc.).
################################################################################ MAIS – PESQUISAR: ###############################################################################
===============================================================================http://www.squid-cache.org/mail-archive/squid-users/199908/0506.htmlUnable to allocate 4096 blocks of 1 bytes!|=============================================================================|===============================================================================http://www.mail-archive.com/freebsd@fug.com.br/msg41161.htmlexatamente…
80 gb * 15mb = 1.2gb
o squid consome por volta de 15mb de ram para cada GB de cache… ai aconta acima da 1.2gb .. voce adicionou 300gb.. entao:
300 * 15 = 4.5gb …
o squid tenta alocar mais do que o permitido pelo sistema e naoconsegue, entao ele da este erro ai !! as opções para resolver:
- ter no minimo 6gb de ram neste servidor- permitir o usuario do squid “escrachar” no consumo de ram, no bsdnao sei onde, mas no linux redhat like fica no/etc/security/limits.conf
qual o cache_mem que voce esta utilizando ? talvez abaixar o calorpara 128mb ou 64mb .. libere mais memoria e o squid consiga alocarmais memoria para o uso… (lembrando que cache_mem limita apenas oconsumo para os objetos em transito (fetch)) ..
outro detalhe importante.. esta margem de 15mb por giga de cachepeguei uma “media” .. acredito q em 64bits.. PODE ser maior.. ou igualisso.. em 32bits me parece que sao 10 a 12 mb por gb de cache.. mascaimos na limitação do 32bits de 4gb de ram com PAE ativo…
entao as recomendações:- sistema em 64bits- 6gb ou + de ram- alterar as limitações do sistema para o usuário do squid (ou rodar osquid como root, mas .. isso ´so para loucos ) hehehhe
2008/9/23 Anderson Eduardo <[EMAIL PROTECTED]>:>> Olá Galera!>> O problema é que antes tinha um HD de 80 GB pra cache,agora coloquei um de > 300GB depois disso começou a aconteçer esses erros!>> _________________________________________________________________> Confira vídeos com notícias do NY Times, gols direto do Lance, > videocassetadas e muito mais no MSN Video!> http://video.msn.com/?mkt=pt-br> ————————-> Histórico: http://www.fug.com.br/historico/html/freebsd/> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd>|=============================================================================|
——————————————————————————-Proxy na Internet—————————
http://www.allprivate.infohttp://phproxyfirefox.cn
|———-^ Proxy na Internet ———————————————–|
