OT: squid and non-functional internet banking

Jozef Drahovsky freebsdcz2 at jozef.drahovsky.sk
Tue Dec 18 12:00:02 CET 2007


I was dealing with the same problem;
after long travails and inexplicable errors I learned
that the banking software on the server at the bank has strict timeouts set.
If the client was alone on the link, everything was OK; if the link/proxy server
was loaded evenly over time (e.g. many FTP transfers), everything was also OK,
but if the load was dynamic and the response time varied significantly,
the bank side dropped it.

In the first phase, bandwidth allocation via dummynet was put in place and the bank
was asked to cooperate. In the second phase the link speed was increased, and it has
been running without problems ever since.

Regards,

Jozef Drahovsky


Petr Macek wrote:
> Hello,
> apologies for the OT, and I'll admit up front that I simply don't like squid and
> configure it badly :-) A customer asked for a proxy with authentication; that works,
> but I have a problem with one bank. After a squid restart it supposedly sometimes
> works for the first user, then it doesn't any more. It just keeps showing the
> authentication dialog. The log shows this:
>
> 1195632938.606     62 10.10.110.59 TCP_DENIED/407 1851 GET http://www.volksbank.cz/vb/jnp/cz/home/index.html - NONE/- text/html
> 1195632938.751    145 10.10.110.59 TCP_MISS/200 17043 GET http://www.volksbank.cz/vb/jnp/cz/home/index.html test DIRECT/195.39.69.100 text/html
> 1195632938.752      1 10.10.110.59 TCP_DENIED/407 1896 GET http://www.volksbank.cz/vb/public/75/17/80/e/25_9356_general.css - NONE/- text/html
> 1195632938.767      0 10.10.110.59 TCP_DENIED/407 1890 GET http://www.volksbank.cz/vb/public/5c/21/1/ea/23_9389_print.css - NONE/- text/html
> 1195632938.782     29 10.10.110.59 TCP_MISS/304 224 GET http://www.volksbank.cz/vb/public/75/17/80/e/25_9356_general.css test DIRECT/195.39.69.100 -
>
> The almost-default configuration looks like this:
> auth_param digest program /usr/local/libexec/squid/digest_pw_auth /usr/local/etc/squid/squid_pass
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl password proxy_auth REQUIRED
> http_access allow password
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> cache_dir ufs /usr/local/squid/cache 5000 16 256
> access_log /usr/local/squid/logs/access.log squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> coredump_dir /usr/local/squid/cache
>
>
> I'd be grateful for any advice
>
> PM
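As an added example (not code from either poster), here is a small Python analyser for Squid's native access.log format that measures the two symptoms this thread describes: a client being challenged with 407 again after it has already authenticated through the proxy (the authentication-dialog loop in the original question), and widely varying response times to one destination host (the jitter the reply says tripped the bank's server-side timeouts). The first five log lines are the ones quoted above; the two 10.10.110.60 entries, the user name bob, the host www.example.net and the address 192.0.2.10 are constructed for the example, and the thresholds in flag_problems are assumptions.

```python
"""Summarise Squid native access.log lines for two symptoms: repeated 407
challenges to an already-authenticated client, and response-time spread per
destination host. Added example, not code from the mailing-list thread."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample. Lines 1-5 are the entries quoted in the thread; the two
# 10.10.110.60 / bob / www.example.net lines are invented for illustration.
SAMPLE_LOG = """\
1195632938.606     62 10.10.110.59 TCP_DENIED/407 1851 GET http://www.volksbank.cz/vb/jnp/cz/home/index.html - NONE/- text/html
1195632938.751    145 10.10.110.59 TCP_MISS/200 17043 GET http://www.volksbank.cz/vb/jnp/cz/home/index.html test DIRECT/195.39.69.100 text/html
1195632938.752      1 10.10.110.59 TCP_DENIED/407 1896 GET http://www.volksbank.cz/vb/public/75/17/80/e/25_9356_general.css - NONE/- text/html
1195632938.767      0 10.10.110.59 TCP_DENIED/407 1890 GET http://www.volksbank.cz/vb/public/5c/21/1/ea/23_9389_print.css - NONE/- text/html
1195632938.782     29 10.10.110.59 TCP_MISS/304 224 GET http://www.volksbank.cz/vb/public/75/17/80/e/25_9356_general.css test DIRECT/195.39.69.100 -
1195632940.100    310 10.10.110.60 TCP_MISS/200 5120 GET http://www.example.net/ bob DIRECT/192.0.2.10 text/html
1195632941.200   4800 10.10.110.60 TCP_MISS/200 5120 GET http://www.example.net/ bob DIRECT/192.0.2.10 text/html
"""

# Squid native format: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_line(line):
    """Return one record as a dict, or None if the line is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])   # milliseconds spent on the request
    rec["status"] = int(rec["status"])
    rec["host"] = urlsplit(rec["url"]).hostname or rec["url"]
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def auth_challenge_stats(records):
    """Per client: 407 challenges, requests that carried a proxy user name, and
    challenges issued after that client had already authenticated once (the
    'keeps showing the authentication dialog' pattern)."""
    stats = defaultdict(lambda: {"challenged": 0, "authenticated": 0, "rechallenged": 0})
    seen_auth = set()
    for r in records:                      # log is assumed to be in time order
        s = stats[r["client"]]
        if r["status"] == 407:
            s["challenged"] += 1
            if r["client"] in seen_auth:
                s["rechallenged"] += 1
        elif r["user"] != "-":
            s["authenticated"] += 1
            seen_auth.add(r["client"])
    return dict(stats)


def host_latency(records):
    """Per destination host: request count, slowest request and the spread
    between fastest and slowest (ms). 407 replies are answered by Squid itself
    and never reach the origin, so they are left out."""
    by_host = defaultdict(list)
    for r in records:
        if r["status"] != 407:
            by_host[r["host"]].append(r["elapsed"])
    return {
        host: {"requests": len(t), "max_ms": max(t), "range_ms": max(t) - min(t)}
        for host, t in by_host.items()
    }


def flag_problems(records, rechallenge_limit=1, jitter_ms=1000):
    """Assumed thresholds: more than one re-challenge per client, or more than
    one second of spread towards a single host, is worth looking at."""
    problems = []
    for client, s in auth_challenge_stats(records).items():
        if s["rechallenged"] > rechallenge_limit:
            problems.append(f"{client}: re-challenged {s['rechallenged']}x after authenticating")
    for host, l in host_latency(records).items():
        if l["range_ms"] > jitter_ms:
            problems.append(f"{host}: response time spread {l['range_ms']} ms (max {l['max_ms']} ms)")
    return problems


if __name__ == "__main__":
    for line in flag_problems(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against a real access.log by replacing SAMPLE_LOG with the file contents; the rechallenged counter is the one to watch for the digest-auth loop, while range_ms per host is the jitter figure to compare against whatever timeout the remote side enforces.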




More information about the Users-l mailing list