OT: squid a nefunkcnost internetbankingu
Jozef Drahovsky
freebsdcz2 at jozef.drahovsky.sk
Tue Dec 18 12:00:02 CET 2007
Riesil som ten isty problem,
po dlhych perepatich a nevysvetlitelnych chybach som sa dozvedel,
ze bankovy software na servere v banke ma nastavene prisne timeouty.
Ak klient komunikoval na linke sam, tak vsetko bolo ok, ak
linka/proxyserver
bol zatazeny v case rovnomerne (napr. vela ftp prenosov) tak vsetko
bolo vsetko tiez ok, ale ak zataz bola dynamicka a vyrazne sa menila
doba odozvy,
tak to bankova strana zhodila.
V prvej faze sa zaviedlo pridelovenie pasma cez dummynet a poprosila banka
o spolupracu. V druhej faze sa navysila rychlost linky a bezi to bez
problemov doteraz.
S pozdravom
Jozef Drahovsky
Petr Macek wrote / napísal(a):
> Zdravim,
> omlouvam se za OT a rovnou priznavam, ze squid proste nemam rad a spatne
> konfiguruji :-) Zakaznik pozadoval proxy s autorizaci, to jede, ale mam
> problem s jednou bankou. Po restartu squidu se to prvnimu uzivateli pry
> obcas povede, potom uz ne. Porad to jen zobrazuje autorizacni dialog. V
> logu je tohle:
>
> 1195632938.606 62 10.10.110.59 TCP_DENIED/407 1851 GET
> http://www.volksbank.cz/vb/jnp/cz/home/index.html - NONE/- text/html
> 1195632938.751 145 10.10.110.59 TCP_MISS/200 17043 GET
> http://www.volksbank.cz/vb/jnp/cz/home/index.html test
> DIRECT/195.39.69.100 text/html
> 1195632938.752 1 10.10.110.59 TCP_DENIED/407 1896 GET
> http://www.volksbank.cz/vb/public/75/17/80/e/25_9356_general.css -
> NONE/- text/html
> 1195632938.767 0 10.10.110.59 TCP_DENIED/407 1890 GET
> http://www.volksbank.cz/vb/public/5c/21/1/ea/23_9389_print.css - NONE/-
> text/html
> 1195632938.782 29 10.10.110.59 TCP_MISS/304 224 GET
> http://www.volksbank.cz/vb/public/75/17/80/e/25_9356_general.css test
> DIRECT/195.39.69.100 -
>
> Temer defaultni konfigurace vypada takhle:
> auth_param digest program /usr/local/libexec/squid/digest_pw_auth
> /usr/local/etc/squid/squid_pass
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl password proxy_auth REQUIRED
> http_access allow password
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> cache_dir ufs /usr/local/squid/cache 5000 16 256
> access_log /usr/local/squid/logs/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> coredump_dir /usr/local/squid/cache
>
>
> Jsem vdecny za jakoukoli radu
>
> PM
>
>
>
More information about the Users-l
mailing list