Squid and streaming apps

Good night, could someone explain to me why streaming apps work abnormally when I trigger squid explicitly? This only happens in TV and DVD video games and TV box apps.

Define abnormally?

Be aware that these days with https-everywhere, a proxy like squid can't actually cache anything.

If you don't open the videos, it doesn't load images; it indicates connected in the device test but it doesn't load anything.
If you put intercept on squid, everything goes back to normal.
Detail: devices with a proxy option also don't load anything.

What does this mean? Explicit (squid) proxy configured in browser?
Does squid run on the OpenWrt box?
Do the "streaming apps" use http(s) streaming, or another protocol?
It would be helpful to provide a bit more detailed description of the setup.

Using normal mode with redirect to host
In intercept mode everything is ok

"Normal mode" is explicit config of proxy in browser. Intercept I would call "Advanced normal mode". However, in case I understand your setup correctly, what you are doing, is neither, and should not work for https. You can not REDIR https because of problems with certs.

I don't cache https, and that's what I find strange; a Samsung TV and a Sony DVD player have the same problem.

I don't cache https, when I disable intercept the problem starts

Let's try something else, what are you trying to achieve, beyond the usage of squid proxy?

The increase in speed with the use of the proxy is notable.
That's why I like the use of squid; I can also visualize the direct accesses of my network.

Very interesting: Increase of speed when using intercepting squid. In openwrt-box, I assume, which is also the default gateway. Without caching ...
First of all, setting up squid this way is not trivial. And, in case properly done, to achieve a better speed is very surprising, as the pass-thru for https should degrade performance instead. Assuming, you are not using custom certs on your clients, to allow squid to REALLY intercept the data stream. Unfortunately, you are not providing details about your setup. Just guessing around using assumptions does not make much sense.
I.e. your squid.conf would be very interesting.
Any traffic limiting package in use? The firewall might also have an impact, regarding the number of allowed connections.

Tried an ad blocker instead of squid?
Might be just as, or even more effective...

```
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localhost src 192.168.1.0/24
acl localhost src 2804:14d:4c86:8d92::/64
acl localnet src 192.168.1.0/24
acl localnet src 2804:14d:4c86:8d92::/64

acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)

acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_port 3128 transparent
http_port 3129
icp_port 0
htcp_port 0

# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /tmp/squid 400 16 226 Q1=64 Q2=72
minimum_object_size 0 bytes
maximum_object_size 419430400 bytes
cache_swap_low 90
cache_swap_high 95
cache_replacement_policy heap LFUDA
max_open_disk_fds 32
cache_mem 16 MB
maximum_object_size_in_memory 524288 bytes
ipcache_size 2097152 Bytes
ipcache_low 90
ipcache_high 93
dns_packet_max 9000 bytes

# Add any of your own refresh_pattern entries above these.
refresh_pattern -i .(3gp|7z|ace|asx|avi|bin|cab|dat|deb|divx|dvr-ms) 10800 80% 10800
refresh_pattern -i .(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)) 10800 80% 10800
refresh_pattern -i .(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 10800 80% 10800
refresh_pattern -i .(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 10800 80% 10800
refresh_pattern -i .(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 10800 80% 10800
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Squid user
cache_effective_user squid

# Logs, best to use only for debugging as they can become very large
access_log none # daemon:/tmp/squid_access.log
cache_log /dev/null # /tmp/squid_cache.log
######### Speed Config ########
#quick_abort_min 0 KB
#quick_abort_max 0 KB
#quick_abort_pct 100
#negative_ttl 3 minutes
#positive_dns_ttl 5 minutes
#half_closed_clients off
memory_pools off
#forwarded_for on
#pipeline_prefetch 1
#detect_broken_pconn on
```
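
Added example, not part of the thread and not Squid's own code: a small model of how the posted `acl localhost src 192.168.1.0/24` line interacts with `http_access allow localhost manager`. It assumes Squid 4 predefines `localhost` and `all`, that same-name `acl` lines add values, and that the first matching `http_access` line decides; `manager` and `to_localhost` are modelled as request flags, and the `CONNECT` lines are left out of the excerpt.

```python
import ipaddress

# Excerpt of the acl/http_access lines from the squid.conf posted above.
POSTED = """
acl localhost src 192.168.1.0/24
acl localnet src 192.168.1.0/24
acl localnet src 10.0.0.0/8
acl Safe_ports port 80
acl Safe_ports port 443 563
acl Safe_ports port 1025-65535
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def load(conf):
    # Assumption: Squid 4 predefines localhost and all; repeated acl lines add values.
    acls = {"localhost": ("src", ["127.0.0.1/32", "::1/128"]),
            "all": ("src", ["0.0.0.0/0", "::/0"])}
    rules = []
    for f in (line.split("#")[0].split() for line in conf.splitlines()):
        if f[:1] == ["acl"]:
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif f[:1] == ["http_access"]:
            rules.append((f[1], f[2:]))
    return acls, rules

def matches(acls, name, req):
    if name not in acls:  # manager / to_localhost: modelled as request flags
        return bool(req.get(name))
    kind, vals = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in vals)
    if kind == "port":
        spans = [(v.split("-")[0], v.split("-")[-1]) for v in vals]
        return any(int(lo) <= req["port"] <= int(hi) for lo, hi in spans)
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, req):
    # The first http_access line whose ACLs all match decides; "!" negates an ACL.
    acls, rules = load(conf)
    for action, names in rules:
        if all(matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action + " " + " ".join(names)
    return "no rule matched"
```

For a cache manager request from 192.168.1.50, `decide(POSTED, ...)` returns `allow localhost manager`; with the `acl localhost src` line removed, the same request falls through to `deny manager`.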

No, on the internet in Brazil using a blocker is not very effective.

Select all your squid config text, and click on the </> button, on top of the message window.

Why wouldn't ad blockers be effective in Brazil?

So, first of all, you are using an ancient squid. Which version? Which OpenWrt are you using? Second, you are caching, for http at least.
Which is incorrectly configured, regarding max_obj_size.

Many times, to browse you always need to click on an ad or authorize ads to monetize.

OpenWrt 21.02.3 r16554, squid in OpenWrt 4.14-2

Sorry for the maximum size of the object, I'm testing; I'll change it to MB.