I would certainly be willing to give it a shot, yes! Thank you!
Jason

On Wed, Mar 13, 2024 at 4:38 AM <ngtech1...@gmail.com> wrote:
> Hey Jason,
>
> I can try to build Squid 6.8 for RHEL 9, would this help you to test it as
> a solution?
>
> Eliezer
>
> From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf
> Of Jason Marshall
> Sent: Wednesday, March 6, 2024 4:49 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Recommended squid settings when using IPS-based
> domain blocking
>
> Good morning,
>
> We have been using squid (version squid-5.5-6.el9_3.5) under RHEL9 as a
> simple pass-through proxy without issue for the past month or so. Recently
> our security team implemented an IPS product that intercepts domain names
> known to be associated with malware and ransomware command and control.
> Once this was in place, we started having issues with the behavior of squid.
>
> Through some troubleshooting, it appears that what is happening is that
> when a user's machine makes a request through squid for one of these
> bad domains, the request is dropped by the IPS, squid waits for the DNS
> timeout, and then all requests made to squid after that result in
> NONE_NONE/500 errors, and it never seems to recover until we do a restart
> or reload of the service.
>
> Initially the dns_timeout was set for 30 seconds. I reduced this, thinking
> that perhaps requests were building up or something along those lines. I
> set it to 5 seconds, but that just got us to a failure state faster.
>
> I also found the negative_dns_ttl setting and thought it might be having
> an effect, but setting this to 0 seconds resulted in no change to the
> behavior.
>
> Are there any configuration tips that anyone can provide that might work
> better with dropped/intercepted DNS requests? My current configuration is
> included here:
>
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
>
> acl localnet src fc00::/7               # RFC 4193 local private network range
> acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80     # http
> acl Safe_ports port 443    # https
> acl Safe_ports port 9191   # papercut
> http_access deny !Safe_ports
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 0.0.0.0:3128
> http_port 0.0.0.0:3129
> cache deny all
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> debug_options rotate=1 ALL,2
> negative_dns_ttl 0 seconds
> dns_timeout 5 seconds
>
> Thank you for any help that you can provide.
>
> Jason Marshall
>
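The failure state Jason describes (every request answered NONE_NONE/500 after a DNS timeout, until the service is reloaded) is visible in Squid's native access.log. The following is an added example, not code from the thread or from the Squid project: a small detector that parses the default "squid" logformat and reports the moment the proxy looks wedged, so a monitor can alert or trigger the reload instead of waiting for user complaints. The log lines, client addresses and domain names are constructed for the example.

```python
import re
from collections import deque

# Squid native access.log line (default "squid" logformat):
# time.ms elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)')

def parse_line(line):
    """Parse one access.log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec

def detect_wedged_proxy(lines, window_s=60.0, threshold=5):
    """Return the timestamp at which the proxy first looks wedged: at least
    `threshold` NONE_NONE/500 results within `window_s` seconds and no 2xx/3xx
    response logged in that same window. Returns None if that never happens."""
    recent = deque()  # (ts, status, result) of requests inside the window
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip blank or foreign lines
        recent.append((rec["ts"], rec["status"], rec["result"]))
        while recent and rec["ts"] - recent[0][0] > window_s:
            recent.popleft()  # slide the window forward
        failures = sum(1 for _, st, res in recent if res == "NONE_NONE" and st == 500)
        successes = sum(1 for _, st, _ in recent if 200 <= st < 400)
        if failures >= threshold and successes == 0:
            return rec["ts"]
    return None

# Constructed sample: one normal request, then (after a request to a blocked
# domain sits through the DNS timeout) every request fails with NONE_NONE/500.
WEDGED_LOG = """\
1710001000.000   120 10.1.2.3 TCP_MISS/200 5120 GET http://intranet.example/ - HIER_DIRECT/10.9.9.9 text/html
1710001100.000  5003 10.1.2.4 NONE_NONE/500 0 GET http://blocked.example/ - HIER_NONE/- -
1710001101.000     1 10.1.2.3 NONE_NONE/500 0 GET http://intranet.example/ - HIER_NONE/- -
1710001102.000     1 10.1.2.5 NONE_NONE/500 0 GET http://www.example.com/ - HIER_NONE/- -
1710001103.000     1 10.1.2.3 NONE_NONE/500 0 GET http://intranet.example/ - HIER_NONE/- -
"""

if __name__ == "__main__":
    print("wedged at:", detect_wedged_proxy(WEDGED_LOG.splitlines(), threshold=3))
```

Tune `threshold` and `window_s` to the proxy's normal request rate; a single NONE_NONE/500 for the blocked domain itself is expected, the signal is that nothing else succeeds afterwards.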
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users