Ubuntu
Squid (proxy) is consuming its own resources (and other problems)
I have several Squid problems, but one at a time;
WARNING! Your cache is running out of filedescriptors
This can happen when the proxy gets a lot of calls and can be solved by raising the limit, but mine isn't even "open" yet..
I found out it is Squid, which somehow keeps connecting to itself?
(from my access.log)
1628674032.019  59108 192.168.0.129 NONE/200 0 CONNECT 192.168.0.129:3129 - ORIGINAL_DST/192.168.0.129 -
1628674032.019  59098 192.168.0.129 NONE/200 0 CONNECT 192.168.0.129:3129 - ORIGINAL_DST/192.168.0.129 -
1628674032.019  59087 192.168.0.129 NONE/200 0 CONNECT 192.168.0.129:3129 - ORIGINAL_DST/192.168.0.129 -
My config was originally generated by pfSense, but is used for a standalone squid running on Ubuntu 20.04
# This file is automatically generated by pfSense
# Do not edit manually !
acl all src all
http_access allow all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem cafile=/usr/local/squid/etc/ssl_cert/myCA.crt capath=/usr/local/squid/etc/rootca/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem cafile=/usr/local/squid/etc/rootca/ca-root-nss.crt capath=/usr/local/squid/etc/rootca/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/usr/local/squid/etc/dhparam.pem options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
#tcp_outgoing_address 10.10.66.1
icp_port 0
#digest_generation off
dns_v4_first on
#pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
#icon_directory /usr/local/etc/squid/icons
visible_hostname Satan
cache_mgr admin@localhost
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
netdb_filename /var/log/squid/netdb.state
pinger_enable on
pinger_program /usr/lib/squid/pinger
sslcrtd_program /usr/lib/squid/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB -b 4096
tls_outgoing_options cafile=/usr/local/squid/etc/rootca/ca-root-nss.crt
tls_outgoing_options capath=/usr/local/squid/etc/rootca/
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_children 5
logfile_rotate 10
debug_options rotate=0
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/24
forwarded_for delete
via off
httpd_suppress_version_string on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 2048 MB
maximum_object_size_in_memory 8192 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 16 MB
cache_dir aufs /cache 10000 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
# SslBump Peek and Splice
# http://wiki.squid-cache.org/Features/SslPeekAndSplice
# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
# Match against the current step during ssl_bump evaluation [fast]
# Never matches and should not be used outside the ssl_bump context.
#
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting TLS Client Hello info.
# SslBump3: After getting TLS Server Hello info.
# These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
# they can be used there for custom configuration.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options before auth
ssl_bump peek step1
ssl_bump bump all
# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
The other bonus questions are:
2. Do I need the http config (port 3128) at all when I only use https/ssl?
- Yes, apparently this is necessary
- `acl all src all` (the first command in the config) produces the following in syslog; it is only a warning, but how do I fix it?
Aug 11 12:28:46 socks squid[2718]: WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
Aug 11 12:28:46 socks squid[2718]: WARNING: You should probably remove '::/0' from the ACL named 'all'
- If you spot anything else, please say so, and if possible explain why (so we can learn)
The bad guy in this case is actually a disabled option..
#tcp_outgoing_address 10.10.66.1
For some reason the squid server apparently does not know where to send outbound data and sends it to itself, resulting in an endless loop.
Enabling this command and pointing it at my external IP avoids the loopback.
To me this would be an unnecessary command, and I cannot understand why it is needed; squid should know where the internet is..
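As an added example (not part of the question or answer above, and not Squid's own tooling), the following Python script reads lines in Squid's native access.log format and flags the self-connection pattern shown in the question: the client address, the CONNECT target and the ORIGINAL_DST peer are all the proxy itself, and the target port is one of Squid's own listening ports. It also scans squid.conf for `acl` lines that redefine the ACLs Squid predefines (`all`, `manager`, `localhost`, `to_localhost`), which is what produces the `'::/0' is ignored` warning from the question. The sample log and config are constructed here from the question's excerpts; the function names (`find_loops`, `listening_ports`, `redefined_predefined_acls`) are chosen for this example.

```python
"""Spot Squid forwarding loops in access.log and lint squid.conf for
redefined built-in ACLs.  Added example; not part of the original post.
The sample input below is constructed to match the shape of the
question's excerpts."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed from the question's access.log excerpt (native log format),
# plus one ordinary intercepted TLS connection from another LAN host.
SAMPLE_LOG = """\
1628674032.019  59108 192.168.0.129 NONE/200 0 CONNECT 192.168.0.129:3129 - ORIGINAL_DST/192.168.0.129 -
1628674032.019  59098 192.168.0.129 NONE/200 0 CONNECT 192.168.0.129:3129 - ORIGINAL_DST/192.168.0.129 -
1628674032.021    120 192.168.0.50 TCP_TUNNEL/200 4211 CONNECT example.com:443 - ORIGINAL_DST/93.184.216.34 -
"""

# Constructed excerpt of the pfSense-generated squid.conf from the question.
SAMPLE_CONF = """\
# This file is automatically generated by pfSense
acl all src all
http_access allow all
http_port 3128 ssl-bump generate-host-certificates=on
https_port 3129 intercept ssl-bump generate-host-certificates=on
#tcp_outgoing_address 10.10.66.1
acl localnet src 192.168.0.0/24
"""

# Squid defines these ACLs itself; redefining them (as "acl all src all"
# does) is what triggers the "'::/0' is ignored" warning in the question.
PREDEFINED_ACLS = {"all", "manager", "localhost", "to_localhost"}


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    status: str
    size: int
    method: str
    url: str
    hier: str
    peer: str


def parse_native(line):
    """Parse one native-format line: time elapsed client code/status bytes
    method URL ident hierarchy/peer type.  Returns None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    hier, _, peer = f[8].partition("/")
    return Entry(float(f[0]), int(f[1]), f[2], f[3], int(f[4]),
                 f[5], f[6], hier, peer)


def request_target(e):
    """(host, port) the request was for; CONNECT carries a bare host:port."""
    if e.method == "CONNECT":
        host, _, port = e.url.rpartition(":")
        return host.strip("[]"), (int(port) if port else 443)
    u = urlsplit(e.url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def strip_comment(line):
    """Tokens of a squid.conf line with any trailing '#' comment removed."""
    return line.split("#", 1)[0].split()


def listening_ports(conf_text):
    """Ports from http_port/https_port lines ("3128", "10.0.0.1:3128", "[::]:3128")."""
    ports = set()
    for line in conf_text.splitlines():
        f = strip_comment(line)
        if len(f) >= 2 and f[0] in ("http_port", "https_port"):
            ports.add(int(f[1].rsplit(":", 1)[-1]))
    return ports


def redefined_predefined_acls(conf_text):
    """(line number, acl name) for every acl line that redefines a built-in ACL."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        f = strip_comment(line)
        if len(f) >= 3 and f[0] == "acl" and f[1] in PREDEFINED_ACLS:
            hits.append((n, f[1]))
    return hits


def find_loops(log_text, squid_ports):
    """Entries where Squid is both the client and the ORIGINAL_DST peer of a
    request aimed at one of its own listening ports: the loop signature."""
    loops = []
    for line in log_text.splitlines():
        e = parse_native(line)
        if e is None:
            continue
        host, port = request_target(e)
        if (e.hier == "ORIGINAL_DST" and e.peer == e.client
                and host == e.client and port in squid_ports):
            loops.append(e)
    return loops


if __name__ == "__main__":
    ports = listening_ports(SAMPLE_CONF)
    for n, name in redefined_predefined_acls(SAMPLE_CONF):
        print(f"squid.conf line {n}: 'acl {name}' redefines a predefined ACL; remove it")
    for e in find_loops(SAMPLE_LOG, ports):
        print(f"loop: {e.client} -> {e.url} via {e.hier}/{e.peer} ({e.elapsed_ms} ms)")
```

With the sample input it reports the two self-CONNECT lines and the `acl all` redefinition at line 2 of the config excerpt. On a real host, feed it `/var/log/squid/access.log` and the running squid.conf. The loop match is deliberately strict (same address as client, target and ORIGINAL_DST peer, and a target port Squid itself listens on) so that ordinary intercepted traffic from LAN hosts, like the third sample line, is not reported.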