
scheidel21 10-15-2009 12:46 PM

Squid questions, proxy bypass, and configuration
Hello all,

I have a Squid Proxy setup on an older Dell dual Pentium III server. It is not a transparent proxy, though I would eventually like to turn it into one, which leads to an issue I am having now. I have done several searches, and perhaps I am not searching for the correct wording, but I would like to exempt certain sites from actually being proxied, though I would still like to have stats, i.e. know that clients are requesting the site. Specifically we have a vendor website that is accessed via SSL which has abysmal performance through the proxy; however, I still need to know how many requests are made for the site. As far as my searching goes I could not find a way to do this. I know with my proxy not being a transparent proxy I could exempt the site on the client browser; however, I would not know how many times it was accessed, and this also would not work in a transparent proxy situation. Can anyone assist me with that configuration, as far as what I need to set up in the configuration, or ACLs etc.?

Second configuration question:
I would like to get a set of stats on a subgroup of users; specifically I want to know what the top sites are that our inside sales is visiting. I get top sites company-wide, but I want just this subset if possible.

acid_kewpie 10-16-2009 05:57 AM

Well, it's impossible to NOT proxy something if you're trying to configure this behaviour *INSIDE* of Squid. Too late, you're already proxied. What do you actually mean about performance of SSL? If you're decrypting the SSL on the proxy, scanning, and then re-encrypting, then sure, that performance could really suck the big one, but if you are simply permitting CONNECT on 443 then you are still proxying the traffic, you just can't see it, and there should be no performance issues whatsoever.

I should admit here though, I'm unclear exactly what Squid 3.0 can do in terms of SSL manipulation. I'm sure there are ways to make it do MITM decryption of HTTPS traffic, but I can find so little information about it, if it is possible.

scheidel21 10-16-2009 01:07 PM

I sort of thought that I was up a creek. I can't figure out why the performance seems to suffer; I am not decrypting/re-encrypting traffic. But my co-worker in IT who also uses the system said that he used it with the proxy and it was slower than hell, and when he turned off the proxy settings it ran great. The only thing I could think of was that perhaps the system itself is just so old it is having a problem keeping up, but if I run top on it, it utilizes nearly no CPU cycles, so I don't know.

Thanks for the reply though.

acid_kewpie 10-16-2009 02:41 PM

Generally it so often comes down to DNS being a total arse when things are being oddly slow. If you're explicitly using the proxy, then Squid should be doing the DNS, not the browser, and that should really be the only significant difference I'd think of, assuming that all routing changes are inconsequential, e.g. only one net feed on a basic LAN etc. I'd check out DNS; maybe you have a duff entry in resolv.conf on the server? But then unencrypted data was OK?

scheidel21 10-16-2009 03:34 PM

Well, I have a caching DNS server on the proxy box, but I thought that the browser would still be doing the lookup, even with all traffic going through the proxy. I can say that our domain DNS server has previously slowed us down, as it would sometimes take a long time to resolve names.

On a side note, is there any way I can exempt local NetBIOS/DNS names from the proxy with Firefox on Linux? In other words, when I am not on the proxy I type vmalpha and it brings me to the web server on the machine vmalpha.hesco.local, but when I am on the proxy vmalpha and do not work; I can only access the local resource by IP. The caching DNS caches off of the 2003 domain controller with alternate DNS servers set to global, so IP resolution of local resources should be OK. But I get an access denied on local resources, and I can't seem to figure out how to exempt local sites.

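One way to do the browser-side exemption asked about in the last post, as an added example that is not from the thread: a proxy auto-config (PAC) file Firefox can load, which sends bare hostnames such as vmalpha, anything under .hesco.local, and private-range IP literals DIRECT and everything else to Squid. The proxy address squid.hesco.local:3128 is an assumption, and the PAC helper functions the browser normally provides are redefined inline with the same semantics so the logic also runs under Node.

```javascript
// Added example (not the poster's configuration): Firefox PAC file.
// Assumed proxy host:port; change to the real Squid box.
var SQUID = "PROXY squid.hesco.local:3128";

// Browsers supply these PAC helpers; redefining them (same semantics)
// lets the file be executed and tested outside a browser too.
function isPlainHostName(host) {
  // NetBIOS-style name with no dots, e.g. "vmalpha"
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // true when host ends with domain, e.g. ("vmalpha.hesco.local", ".hesco.local")
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isPrivateLiteral(host) {
  // Loopback and RFC 1918 address literals typed directly into the browser.
  return /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(host);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bare names never reach Squid; the client resolves them with its own
  // DNS search suffix, so "vmalpha" keeps working as it does off-proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // The internal AD domain goes direct as well.
  if (host === "hesco.local" || dnsDomainIs(host, ".hesco.local")) return "DIRECT";
  if (isPrivateLiteral(host)) return "DIRECT";
  // Everything else is proxied, so it still shows up in Squid's access.log.
  // Anything sent DIRECT above leaves no record there, which is the
  // stats trade-off discussed earlier in the thread.
  return SQUID;
}
```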