squid error log tcp_miss/000

Linux Proxy Servers

squid error log tcp_miss/000

Postby adamsemprul » Fri Mar 16, 2012 2:19 pm

Dear all,

I have a proxy server topology as follows (behind a firewall):
OS: CentOS 5.7; Squid: Squid 5.7-stable 9
(memory: 4G)
eth1 --10.103.3.70
eth1:0 --10.103.3.71
eth1:1 --10.103.3.72
eth1:2 --10.103.3.73
eth1:3 --10.103.3.74

Client networks (10.7.2.0/24, 10.7.7.0/24), where each network's outgoing traffic is directed to its own address, for example:
for the 10.7.2.0/24 segment --- tcp_outgoing_address to 10.103.3.74 (because the bandwidth is different)

The problem I am facing is as follows:
when I enable tcp_outgoing_address --- only my public IP can be accessed (there are hits)
when I comment out tcp_outgoing_address -- only the web servers on the private network can be opened

Please enlighten me.

Here is the squid.conf configuration:

http_port 3128 transparent
# always_direct allow all
# ssl_unclean_shutdown off
icp_port 3130
# htcp_port 4827
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
#udp_outgoing_address 10.103.3.70
# TAG: cache_peer_domain
# TAG: neighbor_type_domain
# dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ? .js .jar .asmx .net
acl QUERY urlpath_regex cgi-bin \? .js .jar .asmx .net .asp
no_cache deny QUERY
## additions
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 2048 MB
cache_swap_low 98
cache_swap_high 1670
maximum_object_size 2048 MB
minimum_object_size 128 KB
maximum_object_size_in_memory 512 KB
# max_filedesc 4096
ipcache_size 3072
ipcache_low 98
ipcache_high 99
fqdncache_size 3072
#cache_replacement_policy heap LFUDA
# memory_replacement_policy heap GDSF
cache_dir ufs /cache 25000 35 256
cache_dir ufs /cache1 25000 16 128
# cache_access_log /var/log/squid/access.log
cache_access_log /usr/local/squid/var/logs/access.log
logfile_rotate 40
# cache_log /var/log/squid/cache.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log none
##cache_store_log /usr/local/squid/var/logs/store.log
# TAG: cache_swap_log
# emulate_httpd_log off
log_ip_on_direct on
# mime_table /etc/squid/mime.conf
# log_mime_hdrs off
# TAG: useragent_log
# TAG: referer_log
# pid_filename /var/log/squid/squid.pid
pid_filename /usr/local/squid/var/logs/squid.pid
# debug_options ALL,1
# log_fqdn off
# client_netmask 255.255.255.255
ftp_user Squid@
ftp_list_width 48
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
# cache_dns_program /usr/lib/squid/dnsserver
#dns_children 5
#dns_retransmit_interval 5 seconds
#dns_timeout 2 minutes
# dns_defnames off
# TAG: dns_nameservers
hosts_file /etc/hosts
# diskd_program /usr/lib/squid/diskd-daemon
# unlinkd_program /usr/lib/squid/unlinkd
# pinger_program /usr/lib/squid/pinger
# TAG: redirect_program
# redirect_children 5
#Default:
redirect_rewrites_host_header on
# TAG: redirector_access
# TAG: auth_param
# authenticate_cache_garbage_interval 1 hour
# authenticate_ttl 1 hour
# authenticate_ip_ttl 0 seconds
# TAG: external_acl_type

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

# wais_relay_port 0
request_header_max_size 20 KB
# request_body_max_size 0 KB
##
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 1440 90% 10080
refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern . 9999 99% 99990 override-expire reload-into-ims override-lastmod
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern ^http://.*\.gif$ 1440 50% 20160 reload-into-ims
#refresh_pattern ^http://.*\.asis$ 1440 50% 20160
#refresh_pattern -i \.png$ 10080 150% 40320 reload-into-ims
#refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims
#refresh_pattern -i \.bmp$ 10080 150% 40320 reload-into-ims
#refresh_pattern -i \.gif$ 10080 300% 40320 reload-into-ims
#refresh_pattern -i \.ico$ 10080 300% 40320 reload-into-ims
#refresh_pattern -i \.swf$ 10080 300% 40320 reload-into-ims
#refresh_pattern -i \.flv$ 10080 300% 40320 reload-into-ims
#refresh_pattern -i \.rar$ 10080 150% 40320
#refresh_pattern -i \.ram$ 10080 150% 40320
#refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
#refresh_pattern -i \.css$ 1440 60% 20160
#refresh_pattern -i \.3gp$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
#refresh_pattern -i \.rm$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
#refresh_pattern -i \.wma$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
#refresh_pattern -i \.mpeg$ 10080 90% 10080 override-expire override-lastmod reload-into-ims
#refresh_pattern -i \.(gif|jp?g|xbm|png|swf|bmp)$ 21600 90% 43200 override-expire override-lastmod reload-into-ims
#refresh_pattern -i \.(mov|avi|qtm|mp?)$ 21600 90% 43200 override-expire override-lastmod ignore-reload reload-into-ims
#refresh_pattern -i \.(3gp|wmv|wma|mpg|mpeg|mpga|rm|rv|vgp)$ 21600 90% 43200 override-expire override-lastmod ignore-reload reload-into-ims
#refresh_pattern -i \.(zip|exe|gz|Z|lha||rar|arj)$ 21600 90% 43200 override-expire override-lastmod ignore-reload reload-into-ims
#refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 100000 500% 99000000 ignore-reload override-expire
# end of section
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
##quick_abort_min 0 KB
##quick_abort_max 0 KB
##quick_abort_pct 95
# negative_ttl 10 minutes
# positive_dns_ttl 6 hours
# negative_dns_ttl 1 minute
# range_offset_limit 0 KB


# TIMEOUTS
# -----------------------------------------------------------------------------

# forward_timeout 4 minutes
# connect_timeout 1 minute
# peer_connect_timeout 30 seconds
read_timeout 10 minutes
# request_timeout 5 minutes
# persistent_request_timeout 1 minute
# client_lifetime 10 hours
half_closed_clients off
# pconn_timeout 120 seconds
# ident_timeout 10 seconds
shutdown_lifetime 11 seconds

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl itexclude src 10.7.2.153 10.103.3.74
acl squidproj src 10.7.7.25 10.7.7.189
#acl dropinternet src 10.7.7.210
#acl banned_ip src 10.7.7.200
acl amglan src 10.7.7.0/24
acl itlan src 10.7.2.0/24
acl guestlan src 10.63.0.0/16
#---------------------------------
# acl for banning specific URLs
#acl banned_ip src 10.7.7.240 ---> kept above
acl social_network url_regex "/etc/squid/block_social_network.txt"
#acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
acl pagi time MTWHF 08:30-11:30
acl sore time MTWHF 13:30-16:30
acl porn url_regex -i "/etc/squid/block_porn.txt"
#acl datacenter dst 10.33.3.0/24

#acl extensiondeny url_regex -i "/etc/squid/extensiondeny"
#acl download method GET
#---------------------------------

#acl cache_prevent2 url_regex Servlet
#no_cache deny cache_prevent2
acl local_domain dstdomain .theenergy.co.id

#always_direct allow datacenter
#always_direct allow local_domain

# 2005-01-19
acl Gopher proto gopher
http_access deny Gopher

#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
# http_access allow manager localhost

http_access allow itexclude
http_access allow squidproj
http_access deny social_network pagi
http_access deny social_network sore

http_access allow manager localhost
http_access allow manager
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#http_access allow purge localhost
#http_access deny purge all
http_access deny porn
http_access allow amglan
http_access allow guestlan
http_access allow itlan
# And finally deny all other access to this proxy
http_access allow all

http_reply_access allow all

###icp_access allow all
#

miss_access allow itexclude
miss_access allow squidproj
miss_access allow amglan
miss_access allow itlan
miss_access allow guestlan
miss_access allow all

tcp_outgoing_address 10.103.3.74 itexclude
#tcp_outgoing_address 10.103.3.75 squidproj
#tcp_outgoing_address 10.103.3.70 amglan
#tcp_outgoing_address 10.103.3.72 guestlan
#tcp_outgoing_address 10.103.3.73 itlan
reply_header_max_size 20 KB
reply_body_max_size 0 allow all

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
cache_mgr admin@satukamu.com
cache_effective_user squid
cache_effective_group squid
visible_hostname th.satukamu.com
# TAG: unique_hostname
# TAG: hostname_aliases


# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
# announce_period 0
#announce_period 1 day
# announce_host tracker.ircache.net
# announce_port 3131


# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------

# TAG: httpd_accel_host
# TAG: httpd_accel_port
# httpd_accel_single_host off
# httpd_accel_with_proxy off
#### new additions
#httpd_accel_uses_host_header on


# MISCELLANEOUS
# -----------------------------------------------------------------------------

logfile_rotate 40
# tcp_recv_bufsize 0 bytes
# TAG: err_html_text
# TAG: deny_info
#deny_info ERR_BLOCKED_FILES blockfiles
memory_pools on
# TAG: memory_pools_limit (bytes)
# forwarded_for on
# log_icp_queries on
# icp_hit_stale off
# minimum_direct_hops 4
# minimum_direct_rtt 400
cachemgr_passwd tepass all
# store_avg_object_size 13 KB
store_objects_per_bucket 50
client_db off
# netdb_low 900
# netdb_high 1000
# netdb_ping_period 5 minutes
# query_icmp off
# test_reachability off
# buffered_logs off
# reload_into_ims off
# TAG: always_direct
# TAG: never_direct
### previously deny
header_access Server allow all
# TAG: header_replace
# icon_directory /usr/share/squid/icons
#error_directory /etc/squid/errors
maximum_single_addr_tries 3
# snmp_port 0
# snmp_access allow snmppublic localhost
# snmp_access deny all
# snmp_incoming_address 0.0.0.0
# snmp_outgoing_address 255.255.255.255
# as_whois_server whois.ra.net
# as_whois_server whois.ra.net
# wccp_router 0.0.0.0
# wccp_version 4
# wccp_incoming_address 0.0.0.0
# wccp_outgoing_address 255.255.255.255
# delay_pools 0
# delay_pools 2 # 2 delay pools
# delay_class 1 2 # pool 1 is a class 2 pool
# delay_class 2 3 # pool 2 is a class 3 pool
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
#delay_parameters 2 32000/32000 8000/8000 600/8000
# delay_initial_bucket_level 50
# incoming_icp_average 6
# incoming_http_average 4
#incoming_dns_average 4
# min_icp_poll_cnt 8
#min_dns_poll_cnt 8
# min_http_poll_cnt 8
# max_open_disk_fds 0
# offline_mode off
# uri_whitespace strip
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
# mcast_miss_addr 255.255.255.255
# mcast_miss_ttl 16
# mcast_miss_port 3135
# mcast_miss_encode_key XXXXXXXXXXXXXXXX
# nonhierarchical_direct on
prefer_direct on
# strip_query_terms on
# coredump_dir none
# coredump_dir /var/spool/squid
# redirector_bypass on
# ignore_unknown_nameservers on
# digest_generation on
# digest_bits_per_entry 5
# digest_rebuild_period 1 hour
# digest_rewrite_period 1 hour
# digest_swapout_chunk_size 4096 bytes
# digest_rebuild_chunk_percentage 10
# TAG: chroot
# client_persistent_connections on
# server_persistent_connections on
# detect_broken_pconn off
balance_on_multiple_ip off
pipeline_prefetch on
# TAG: extension_methods
# request_entities off
# high_response_time_warning 0
# high_page_fault_warning 0
# high_memory_warning 0
# store_dir_select_algorithm least-load
# TAG: forward_log
ie_refresh on
vary_ignore_expire on
# sleep_after_fork 0
# relaxed_header_parser on




Thanks,

adama
adamsemprul
New Member
Posts: 1
Joined: Fri Mar 16, 2012 2:04 pm

Re: squid error log tcp_miss/000

Postby mulyadi.santosa » Wed Mar 21, 2012 7:24 pm

Hello Pak Adam,

I have only just read about tcp_outgoing_address here:
http://www.squid-cache.org/Doc/config/t ... g_address/

My conclusion is that this parameter behaves like routing, but it is not clear what kind of routing, or whether it rewrites the data packets (the source address, in this case).

As a result of this packet-header rewriting, your firewall is probably doing exactly the two things you described:
1. If tcp_outgoing_address is used, some address, say X, is used. X is allowed to reach the Internet (public IPs) but not the DMZ. This assumes the intranet web servers are in the DMZ.

2. If tcp_outgoing_address is not used, address Y is used. Y is blocked from reaching the Internet but, conversely, can reach the DMZ.

So, the solutions worth trying are:
1. Find an IP address that the firewall allows to access both,
or
2. Adjust the firewall settings so that the IP resulting from Squid's redirection can reach both the DMZ and the Internet.

Hope this helps.
regards,

Mulyadi Santosa
freelance Linux trainer and consultant

Blog: the-hydra.blogspot.com
e-business: mulyaditraining.blogspot.com
Yahoo Messenger : paul_phoenix2779
Google Talk: mulyadi.santosa
mulyadi.santosa
Senior Member
Posts: 673
Joined: Sat Jun 27, 2009 11:15 pm
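To check the diagnosis above against the access.log (TCP_MISS/000 means the origin never answered), here is an added example, not from either post: it groups TCP_MISS/000 lines by the source address Squid would have used and by whether the destination is private or public. The log lines are constructed, the single outgoing rule is the active one from the posted squid.conf, and the fallback source address is assumed to be the primary eth1 address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Squid native access.log format (not from the post):
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1331882000.123    120 10.7.2.153 TCP_MISS/000 0 GET http://intranet.example.local/ - DIRECT/10.33.3.10 -
1331882001.456    350 10.7.2.153 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1331882002.789    100 10.7.7.25 TCP_MISS/000 0 GET http://www.example.com/ - DIRECT/93.184.216.34 -
1331882003.012     80 10.7.7.25 TCP_MISS/200 2048 GET http://intranet.example.local/ - DIRECT/10.33.3.10 text/html
"""

# Only active rule in the post: "tcp_outgoing_address 10.103.3.74 itexclude" (first match wins).
# With no match the kernel chooses the source; assumed here to be eth1's 10.103.3.70.
OUTGOING_RULES = [(ipaddress.ip_network("10.7.2.153/32"), "10.103.3.74")]
DEFAULT_SOURCE = "10.103.3.70"

LOG_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+(\S+)/(\d{3})\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+/(\S+)")


def outgoing_for(client):
    """Source address Squid would use for this client under the rules above."""
    ip = ipaddress.ip_address(client)
    for net, src in OUTGOING_RULES:
        if ip in net:
            return src
    return DEFAULT_SOURCE


def summarize_miss_000(log_text):
    """Count TCP_MISS/000 entries keyed by (outgoing source, destination scope)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, code, status, peer = m.groups()
        if code != "TCP_MISS" or status != "000":
            continue
        try:
            scope = "private" if ipaddress.ip_address(peer).is_private else "public"
        except ValueError:  # e.g. NONE/- when no peer address was recorded
            scope = "unresolved"
        counts[(outgoing_for(client), scope)] += 1
    return counts


if __name__ == "__main__":
    for (src, scope), n in sorted(summarize_miss_000(SAMPLE_LOG).items()):
        print(f"source {src} -> {scope} destinations: {n} x TCP_MISS/000")
```

On the sample, failures cluster as source 10.103.3.74 to private and source 10.103.3.70 to public, which is the firewall pattern the reply describes; on a real log, a cluster like this points at the firewall rule for that source address rather than at Squid.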