10-15-2009, 12:46 PM
|
#1
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Rep:
|
Squid questions, proxy bypass, and configuration
Hello all,
I have a Squid proxy set up on an older Dell dual Pentium III server. It is not a transparent proxy, though I would eventually like to turn it into one, which leads to an issue I am having now. I have done several searches, and perhaps I am not searching for the correct wording, but I would like to exempt certain sites from actually being proxied, though I would still like to have stats, i.e. know that clients are requesting the site. Specifically, we have a vendor website that is accessed via SSL which has abysmal performance through the proxy; however, I still need to know how many requests are made for the site. As far as my searching goes, I could not find a way to do this. I know that with my proxy not being a transparent proxy I could exempt the site in the client browser; however, I would not know how many times it was accessed, and this also would not work in a transparent proxy situation. Can anyone assist me with that configuration, as far as what I need to set up in the configuration, or ACLs, etc.?
Second configuration question:
I would like to get a set of stats on a subgroup of users. Specifically, I want to know what the top sites are that our inside sales is visiting. I get top sites company-wide, but I want just this subset if possible.
|
|
|
10-16-2009, 05:57 AM
|
#2
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Well, it's impossible to NOT proxy something if you're trying to configure this behaviour *INSIDE* of squid. Too late, you're already proxied. What do you actually mean about performance of SSL? If you're decrypting the SSL on the proxy, scanning, and then re-encrypting, then sure, that performance could really suck the big one, but if you are simply permitting CONNECT on 443 then you are still proxying the traffic, you just can't see it, and there should be no performance issues whatsoever.
I should admit here, though, I'm unclear exactly what Squid 3.0 can do in terms of SSL manipulation. I'm sure there are ways to make it do MITM decryption of HTTPS traffic, but I can find so little information about it, if it is possible.
Last edited by acid_kewpie; 10-16-2009 at 06:01 AM.
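Added example, not part of any post in this thread: because CONNECT requests on 443 still pass through Squid, they still appear in `access.log`, so both statistics asked about in post #1 can be derived from the log. The sketch below assumes Squid's default native log format, constructed sample lines with placeholder hostnames, and that the inside-sales clients sit on their own subnet (`192.168.10.0/24` is a made-up value).

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1255711560.123    842 192.168.10.21 TCP_MISS/200 5120 CONNECT vendor.example.com:443 - DIRECT/203.0.113.10 -
1255711561.456     95 192.168.10.22 TCP_MISS/200 1843 GET http://news.example.org/index.html - DIRECT/198.51.100.7 text/html
1255711562.789   1310 192.168.20.5 TCP_MISS/200 7340 CONNECT vendor.example.com:443 - DIRECT/203.0.113.10 -
1255711563.012     40 192.168.10.21 TCP_HIT/200 912 GET http://news.example.org/style.css - NONE/- text/css
1255711564.345    300 192.168.10.22 TCP_DENIED/403 1500 GET http://blocked.example.net/ - NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Return (client_ip, method, host) or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]  # CONNECT is logged as host:port, no scheme
    else:
        host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(client), method, host.lower()
    except ValueError:
        return None

def site_counts(log_text, subnet=None, method=None):
    """Count requests per host, optionally limited to a client subnet or method.

    Denied requests are counted too: they still show that a client asked."""
    net = ipaddress.ip_network(subnet) if subnet else None
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, meth, host = rec
        if net is not None and client not in net:
            continue
        if method and meth != method:
            continue
        counts[host] += 1
    return counts

if __name__ == "__main__":
    print(site_counts(SAMPLE_LOG, method="CONNECT")["vendor.example.com"])
    print(site_counts(SAMPLE_LOG, subnet="192.168.10.0/24").most_common(3))
```

For HTTPS the log records only the CONNECT target host and port, so per-site counts are available but individual URLs inside the tunnel are not.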
|
|
|
10-16-2009, 01:07 PM
|
#3
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Original Poster
Rep:
|
I sort of thought that I was up a creek. I can't figure out why the performance seems to suffer; I am not decrypting/re-encrypting traffic. But my co-worker in IT, who also uses the system, said that he used it with the proxy and it was slower than hell, and when he turned off the proxy settings it ran great. The only thing I could think of was that perhaps the system itself is just so old it is having a problem keeping up, but if I run top on it, it utilizes nearly no CPU cycles, so I don't know.
Thanks for the reply, though.
|
|
|
10-16-2009, 02:41 PM
|
#4
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Generally it so often comes down to DNS being a total arse when things are being oddly slow. If you're explicitly using the proxy, then squid should be doing the DNS, not the browser, and that should really be the only significant difference I'd think of, assuming that all routing changes are inconsequential, e.g. only one net feed on a basic LAN etc. I'd check out DNS; maybe you have a duff entry in resolv.conf on the server? But then unencrypted data was OK?
|
|
|
10-16-2009, 03:34 PM
|
#5
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Original Poster
Rep:
|
Well, I have a caching DNS server on the proxy box, but I thought that the browser would still be doing the lookup, even with all traffic going through the proxy. I can say that our domain DNS server has previously slowed us down, as it would sometimes take a long time to resolve names.
On a side note, is there any way I can exempt local NetBIOS/DNS names from the proxy with Firefox on Linux? In other words, when I am not on the proxy I type vmalpha and it brings me to the web server on the machine vmalpha.hesco.local, but when I am on the proxy, vmalpha and vmalpha.hesconet.com do not work; I can only access the local resource by IP. The caching DNS caches off of the 2003 domain controller with alternate DNS servers set to global, so IP resolution of local resources should be OK. But I get an access denied on local resources, and I can't seem to figure out how to exempt local sites.
|
|
|