
mail2ganesh.cse 05-07-2012 06:31 AM

Squid Query Error
 
Starting squid: [FAILED]
[root@test ~]# service squid start
Starting squid: [FAILED]
[root@test ~]# grep | squid
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
2012/05/07 16:38:31| ACL name 'QUERY' not defined!
FATAL: Bungled squid.conf line 609: cache deny QUERY
Squid Cache (Version 2.6.STABLE21): Terminated abnormally.
[root@test ~]# vim /squid.conf

# WELCOME TO SQUID 2.6.STABLE21
# ----------------------------
#
# # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
# acl acl_name external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
# acl urlgroup group1 ...
# # match against the urlgroup as indicated by redirectors
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ca_cert attribute values...
# # match against attributes a users issuing CA SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# # string match on username returned by external acl helper
# # use REQUIRED to accept any non-null user name.
#
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
# NOTE(review): acl lines only name match conditions; nothing is allowed or
# denied until an http_access (or similar) line refers to the name.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 172.20.0.0/255.255.240.0
acl localuser src "/etc/squid/localuser"
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# A quoted path makes Squid read the ACL values from that file. The files are
# not shown in this post, so what the policy really permits depends on them.
acl Blockdomain dstdomain "/etc/squid/blockdomain"
acl BlockSites dstdom_regex "/etc/squid/wordbasis"
acl fullinternet src "/etc/squid/fullinternet"
acl blockinternet src "/etc/squid/blockinternet"
acl allowsiteip src "/etc/squid/allowsiteip"
acl allowskype src "/etc/squid/allowskype"
acl allowsite url_regex -i "/etc/squid/allowsite"
acl CONNECT method CONNECT
# NOTE(review): rep_mime_type tests the reply's Content-Type, which does not
# exist yet when http_access is evaluated. The Squid documentation says this
# ACL type has no effect in http_access; it belongs in http_reply_access.
acl deny_tor rep_mime_type -i ^application/x-bittorrent
acl ipacl url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*
# NOTE(review): the dots are unescaped (any character) and the pattern is
# anchored with ^, while an ordinary proxied URL starts with its scheme.
# Presumably this only matches CONNECT-style host:port requests - confirm.
acl numeric_IPs url_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+
acl datacenter url_regex "/etc/squid/datacenter"
# NOTE(review): url_regex is unanchored, so this matches any URL that contains
# "5983" anywhere (host, path or query string), not only port 5983. The rule
# "http_access allow team" uses it without any source ACL.
acl team url_regex 5983
# NOTE(review): the leading "." is unescaped and matches any character; with -i
# the upper-case duplicates are redundant.
acl DenyFile urlpath_regex -i .mp3$ .exe$ .mp4$ .mpeg$ .wav$ .AVI$
.MKV$ .MOV$ .MP4$ .DivX$ .FLV$ .ogg$ .ogv$
acl skype dstdom_regex
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
# NOTE(review): the trailing "^" is a second start-of-line anchor, so this
# pattern probably never matches a User-Agent string - verify.
acl skype_UA browser ^skype^
acl full_without_social src "/etc/squid/full_without_social"
acl social url_regex -i "/etc/squid/social"
# No acl line above defines QUERY, which is what the FATAL
# "ACL name 'QUERY' not defined!" message refers to. The stock 2.6 file pairs
# this directive with:  acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

visible_hostname proxy.gtsl.gcl.in
deny_info http://a11ybugs.org/images/fix-the-web.jpg accessdenied
cache_mgr tsgitsupport@gcl.in


# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
# http_access lines are checked top to bottom and the first line whose ACLs all
# match decides the request, so the order below is the policy.
http_access allow manager localhost
http_access allow localhost
# NOTE(review): with "deny manager" commented out, cache-manager requests from
# hosts other than localhost are not rejected here and fall through to the
# rules that follow.
#http_access deny manager
# NOTE(review): datacenter and team are URL patterns with no source ACL beside
# them, and they are checked before the Safe_ports and CONNECT denies. Any
# client that can reach the proxy port is allowed for a matching URL, on any
# port. Pairing them with a src ACL would limit who can use them.
http_access allow datacenter
http_access allow team
# fullinternet clients are allowed before every deny rule that follows.
http_access allow fullinternet
# NOTE(review): deny_tor is a rep_mime_type ACL; the Squid documentation says
# that type has no effect in http_access, so this line likely blocks nothing.
http_access deny deny_tor
http_access deny full_without_social social
http_access allow full_without_social
# Deny requests to unknown ports
http_access deny !Safe_ports
#http_access deny manager
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# NOTE(review): never reached - every request that is not on a Safe_ports port
# was already denied a few lines above. If the lines were ever reordered this
# rule would allow exactly the ports the earlier rule is meant to block.
http_access allow !Safe_ports
http_access deny ipacl
http_access deny numeric_IPs
#http_access deny myacl
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
# These rules continue the same first-match list as the http_access lines
# earlier in the file; a request reaches them only if nothing above matched.
http_access allow allowskype skype_UA
http_access allow allowskype skype
http_access allow allowsiteip allowsite
http_access allow localhost
#http_access deny all
#http_access allow all
http_access deny CONNECT !SSL_ports
# NOTE(review): the three blocklist denies apply only to clients that were not
# already allowed by an earlier line (fullinternet, full_without_social, ...).
http_access deny Blockdomain
http_access deny BlockSites
http_access deny blockinternet
# NOTE(review): allowsiteip is allowed here without the allowsite URL
# restriction, so the earlier "allow allowsiteip allowsite" line no longer
# limits those clients to the listed sites. The same applies to allowskype.
http_access allow allowsiteip
http_access allow allowskype
http_access allow localuser
# NOTE(review): a request cannot both match DenyFile and not match it, so this
# line never denies anything. It also sits after the allow rules, so even as
# "deny DenyFile" it would not apply to clients allowed above.
http_access deny DenyFile !DenyFile
http_access deny all
# Never reached: "all" matches every source, so the line above ends the list.
http_access deny localnet

# TAG: http_access2
# Allowing or Denying access based on defined access lists
#
# Identical to http_access, but runs after redirectors. If not set
# then only http_access is used.
#
#Default:
# none

# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
# all replies
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
#Default:
http_reply_access allow all

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
# NOTE(review): this replaces the documented default (icp_access deny all) and
# answers ICP queries from any host that can reach the ICP port. If ICP is used
# at all, restricting it to the known peer addresses is the safer setting.
icp_access allow all

# TAG: htcp_access
# Note: This option is only available if Squid is rebuilt with the
# --enable-htcp option
#
# Allowing or Denying access to the HTCP port based on defined
# access lists
#
# htcp_access allow|deny [!]aclname ...
#
# See http_access for details
#
# NOTE: The default if no htcp_access lines are present is to
# deny all traffic. This default may cause problems with peers
# using the htcp or htcp-oldsquid options.
#
##Allow HTCP queries from everyone
#htcp_access allow all
#
#Default:
# htcp_access deny all

# TAG: htcp_clr_access
# Note: This option is only available if Squid is rebuilt with the
# --enable-htcp option
#
# Allowing or Denying access to purge content using HTCP based
# on defined access lists
#
# htcp_clr_access allow|deny [!]aclname ...
#
# See http_access for details
#
##Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
#
#Default:
# htcp_clr_access deny all

# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#Default setting:
# miss_access allow all

# TAG: ident_lookup_access
# A list of ACL elements which, if matched, cause an ident
# (RFC931) lookup to be performed for this request. For
# example, you might choose to always perform ident lookups
# for your main multi-user Unix boxes, but not for your Macs
# and PCs. By default, ident lookups are not performed for
# any requests.
#
# To enable ident lookups for specific client addresses, you
# can follow this example:
#
# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
# ident_lookup_access allow ident_aware_hosts
# ident_lookup_access deny all
#
# Only src type ACL checks are fully supported. A src_domain
# ACL might work at times, but it will not always provide
# the correct result.
#
#Default:
# ident_lookup_access deny all

# TAG: reply_body_max_size bytes allow|deny acl acl...
# This option specifies the maximum size of a reply body in bytes.
# It can be used to prevent users from downloading very large files,
# such as MP3's and movies. When the reply headers are received,
# the reply_body_max_size lines are processed, and the first line with
# a result of "allow" is used as the maximum body size for this reply.
# This size is checked twice. First when we get the reply headers,
# we check the content-length value. If the content length value exists
# and is larger than the allowed size, the request is denied and the
# user receives an error message that says "the request or reply
# is too large." If there is no content-length, and the reply
# size exceeds this limit, the client's connection is just closed
# and they will receive a partial reply.
#
# WARNING: downstream caches probably can not detect a partial reply
# if there is no content-length header, so they will cache
# partial responses and give them out as hits. You should NOT
# use this option if you have downstream caches.
#
# If you set this parameter to zero (the default), there will be
# no limit imposed.
#
#Default:
# reply_body_max_size 0 allow all
#Default:
# none
LOG_FACILITY|LOG_PRIORITY
access_log /var/log/squid/access.log squid

#Default:
# coredump_dir none
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
#Default:
# max_filedesc 1024

bathory 05-07-2012 08:08 AM

Hi,

You are using:
Quote:

cache deny QUERY
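without the definition of an acl named QUERY. In the stock Squid 2.6 squid.conf that ACL is defined on the line just before the directive:
acl QUERY urlpath_regex cgi-bin \?
See the example here for details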

Regards

linuxgurusa 05-08-2012 03:23 AM

Quote:

Originally Posted by bathory (Post 4672386)
Hi,

You are using:
without the definition of an acl named QUERY.
See the example here for details

Regards

Yip +1

mail2ganesh.cse 05-31-2012 01:43 AM

[root@linux ~]# /etc/init.d/squid reload
2012/05/31 12:13:12| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
2012/05/31 12:13:12| SECURITY NOTICE: Overriding config setting. Using 'all' instead.
2012/05/31 12:13:12| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2012/05/31 12:13:12| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2012/05/31 12:13:12| WARNING: You should probably remove '::/0' from the ACL named 'all'
2012/05/31 12:13:12| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/05/31 12:13:12| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/05/31 12:13:12| WARNING: For now we will assume you meant to write /32
2012/05/31 12:13:12| aclParseAclList: ACL name 'QUERY' not found.
FATAL: Bungled squid.conf line 40: cache deny QUERY
Squid Cache (Version 3.1.19): Terminated abnormally.
CPU Usage: 0.015 seconds = 0.012 user + 0.003 sys
Maximum Resident Size: 21520 KB
Page faults with physical i/o: 0
[root@linux ~]#

mail2ganesh.cse 05-31-2012 01:46 AM

My squid configuration file

#
# Recommended minimum configuration:
#
# Squid 3.1 has "all" built in; this line is what triggers the
# "'0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'" error on reload.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
# NOTE(review): a 255.255.255.255 mask makes this a single address (Squid warns
# that it will assume /32), whereas the 2.6 file earlier in the thread used
# 255.255.240.0. Confirm the intended range and write it as a CIDR prefix.
acl localnet src 172.20.0.0/255.255.255.255
acl localuser src "/etc/squid/localuser"
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 5983
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# A quoted path makes Squid read the ACL values from that file. The files are
# not shown in this post, so what the policy really permits depends on them.
acl Blockdomain dstdomain "/etc/squid/blockdomain"
acl BlockSites dstdom_regex "/etc/squid/wordbasis"
acl fullinternet src "/etc/squid/fullinternet"
acl blockinternet src "/etc/squid/blockinternet"
acl allowsiteip src "/etc/squid/allowsiteip"
acl allowskype src "/etc/squid/allowskype"
acl allowsite url_regex -i "/etc/squid/allowsite"
acl CONNECT method CONNECT
# NOTE(review): the leading "." is unescaped and matches any character; with -i
# the upper-case duplicates are redundant.
acl DenyFile urlpath_regex -i .mp3$ .exe$ .mp4$ .mpeg$ .wav$ .AVI$ .MKV$ .MOV$ .MP4$ .DivX$ .FLV$ .ogg$ .ogv$
# NOTE(review): rep_mime_type tests the reply's Content-Type, which does not
# exist yet when http_access is evaluated. The Squid documentation says this
# ACL type has no effect in http_access; it belongs in http_reply_access.
acl deny_tor rep_mime_type -i ^application/x-bittorrent
acl ipacl url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*
# NOTE(review): the dots are unescaped (any character) and the pattern is
# anchored with ^, while an ordinary proxied URL starts with its scheme.
# Presumably this only matches CONNECT-style host:port requests - confirm.
acl numeric_IPs url_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+
acl datacenter url_regex "/etc/squid/datacenter"
# NOTE(review): url_regex is unanchored, so this matches any URL that contains
# "5983" anywhere (host, path or query string), not only port 5983. The rule
# "http_access allow team" uses it without any source ACL.
acl team url_regex 5983
acl skype dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
# NOTE(review): the trailing "^" is a second start-of-line anchor, so this
# pattern probably never matches a User-Agent string - verify.
acl skype_UA browser ^skype^
acl full_without_social src "/etc/squid/full_without_social"
acl social url_regex -i "/etc/squid/social"
# No acl line in this file defines QUERY, hence the FATAL
# "ACL name 'QUERY' not found" on reload. The refresh_pattern line for
# (/cgi-bin/|\?) further down already covers dynamic content in this file.
cache deny QUERY

visible_hostname linux.gtsl.in
cache_mgr tsgtsupport@gcl.in
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): acl lines that reuse a name add to it. localnet was already
# defined earlier in this file, so it now also covers every private range
# below, and "http_access allow localnet" applies to all of them.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# NOTE(review): SSL_ports, Safe_ports and CONNECT repeat definitions made
# earlier in this file with the same values; one copy is enough.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
# http_access lines are checked top to bottom and the first line whose ACLs all
# match decides the request, so the order below is the policy.
http_access allow manager localhost
http_access allow localhost
# NOTE(review): with "deny manager" commented out, cache-manager requests from
# hosts other than localhost are not rejected here and fall through to the
# rules that follow.
#http_access deny manager
# NOTE(review): datacenter and team are URL patterns with no source ACL beside
# them, and they are checked before the Safe_ports and CONNECT denies. Any
# client that can reach the proxy port is allowed for a matching URL, on any
# port. Pairing them with a src ACL would limit who can use them.
http_access allow datacenter
http_access allow team
# fullinternet clients are allowed before every deny rule that follows.
http_access allow fullinternet
# NOTE(review): deny_tor is a rep_mime_type ACL; the Squid documentation says
# that type has no effect in http_access, so this line likely blocks nothing.
http_access deny deny_tor
http_access deny full_without_social social
http_access allow full_without_social
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access deny ipacl
http_access deny numeric_IPs
#http_access deny myacl
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# NOTE(review): localnet is allowed here, ahead of the Blockdomain, BlockSites,
# blockinternet and DenyFile rules further down, so clients in localnet are
# never checked against those lists.
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
# NOTE(review): "all" matches every request, so evaluation stops at the next
# line. Every http_access line after it in this file is unreachable; rules that
# are meant to apply have to be moved above it.
http_access deny all
http_access allow allowskype skype_UA
http_access allow allowskype skype
http_access allow allowsiteip allowsite
http_access allow localhost
#http_access deny all
#http_access allow all
http_access deny CONNECT !SSL_ports
http_access deny Blockdomain
http_access deny BlockSites
http_access deny blockinternet
http_access allow allowsiteip
http_access allow allowskype
http_access allow localuser
# NOTE(review): a request cannot both match DenyFile and not match it, so this
# line could never deny anything even if it were reachable.
http_access deny DenyFile !DenyFile
http_access deny all
http_access deny localnet

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

bathory 05-31-2012 03:34 AM

Quote:

2012/05/31 12:13:12| aclParseAclList: ACL name 'QUERY' not found.
You are still missing the ACL named QUERY. If you don't know what this ACL is supposed to do, then comment out the line
Quote:

cache deny QUERY
Have a look also at the warnings and edit squid.conf accordingly
Quote:

2012/05/31 12:13:12| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'.
This form is deprecated in squid-3.x. You can comment out your own "acl all" line, as the all ACL is now built into Squid.

