LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 10-15-2009, 11:46 AM   #1
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
Squid questions, proxy bypass, and configuration


Hello all,

I have a Squid Proxy setup on and older Dell dual Pentium III server, it is not a transparent proxy, though I would eventually like to turn it into one, which leads to an issue I am having now. I have done several searches, and perhaps I am not searching for the correct wording, but I would like to exempt certain sites from actually being proxied, though I would still like to have stats, i.e. know that clients are requesting the site. Specifically we have a a vendor website that is accessed via SSL which has abysmal performance through the proxy, however, I still need to know how many requests are made for the site. As far as my searching goes I could not find a way to do this. I know with my proxy not being a transparent proxy I could exempt the site on the client browser, however, I would not know how many times it was accessed and this also would not work in a transparent proxy situation. Can anyone assist me with that configuration, as far as what I need to setup in the configuration, or ACLs etc...?

Second configuration question:
I would like to get a set of stats on a subgroup of users, specifically I want to know what the topsites are that our inside sales in visiting. I get top sites company wide, but I want just this subset if possible.
 
Old 10-16-2009, 04:57 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
Well it's impossible to NOT proxy something if you're trying to configure this behaviour *INSIDE* of squid. Too late, you're already proxied. What do you actually mean about performance of SSL? If you're decrypting the SSL on the proxy, scanning, and then reencrypting, then sure that performance could really suck the big one, but if you are simply permitting CONNECT on 443 then you are still proxying the traffic, you just can't see it, and there should be no performance issues whatsoever.

I should admit here though, I'm unclear exactly what Squid3.0 can do in terms of SSL maniuplation, I'm sure there are ways to make it do MITM decrpytion of HTTPS traffic, but can find so little information about it if it is possible.

Last edited by acid_kewpie; 10-16-2009 at 05:01 AM.
 
Old 10-16-2009, 12:07 PM   #3
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Original Poster
Rep: Reputation: 97
I sort of though that I was up a creek, I can't figure out why the performance seems to suffer I am not decrypting/re-encrypting traffic. But my co-worker in IT who also uses the system he said that he used it with the proxy and it was slower than hell, and when he turned off the proxy settings it ran great. THe only thing I could think of was that perhaps the system itself is just so old it is having a problem keeping up, but if I run top on it It utilizes nearly no CPU cycle so I don't know.

Thanks for the reply though
 
Old 10-16-2009, 01:41 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,398

Rep: Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965Reputation: 1965
Generally it so often comes down to DNS being a total arse when things are being oddly slow. If you're explicitly using the proxy, then squid should be doing the DNS, not the browser, and that should really be the only significant difference I'd think of, assuming that all routing changes are inconsequential, e.g. only one net feed on a basic lan etc. I'd check out DNS, maybe you have a duff entry in resolv.conf on the server? But then unencrypted data was ok?
 
Old 10-16-2009, 02:34 PM   #5
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Original Poster
Rep: Reputation: 97
Well I have a caching DNS server on the proxy box, But I thought that the browser would still be doing the lookup, even with all traffic going through the proxy. I can say that our Domain DNS server has previously slowed us down as it would sometimes take long times to resolve names.

On a side note, any way I can exempt local NetBios/DNS names from the proxy with Firefox on Linux. In other words when I am not on the proxy I type vmalpha and it brngs me to the web server on the machine vmalpha.hesco.local but when I am on the proxy vmalpha and vmalpha.hesconet.com do not work I can only access the local resource by IP. The Caching DNS caches off of the 2003 Domain controller with alternate DNS servers set to globa, so IP resolution of local resources should be ok. But I get an access denied on local resources, and I can't seem to figure out how to exempt local sites.
 
  


Reply

Tags
acl, bypass, configuration, debian, lenny, proxy, squid


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
squid proxy server configuration & distribution of internet without proxy gaurav_gupta082 Linux From Scratch 2 07-31-2010 11:25 AM
Squid and Dansguardian in use, but users to bypass proxy on certain times of the day codenjanod Linux - Server 1 09-25-2009 11:47 AM
restrict users to bypass the squid proxy server rashid_47010 Linux - Server 2 08-05-2009 10:35 AM
How to bypass proxy auth using squid sixth_sense Linux - Networking 7 09-20-2007 06:43 PM
Using iptables to bypass squid proxy for a specific domain jcopley Linux - Security 3 07-18-2007 12:50 PM


All times are GMT -5. The time now is 03:36 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration