Hi,
Vadim Pushkin wrote:
Hello;
I've attached my condensed (without comments) squid.conf that is
giving me some trouble. My problems are as follows:
1. I am unable to connect to the cachemgr.cgi from machines in
"Bldg_One" or "Bldg_Two". I am trying to connect to cachemgr.cgi via
webmin.
2. My disk space allocated seems to get used up within about three
months and I am not sure how to properly set up my config to expire
my cache sooner, don't even know what it is expiring at now for that
matter. When my allocated disk space is met, squid dies. The last
time that this happened I ran a clear and rebuild cache, this was a
terrible mistake as it had taken an entire day to run.
3. I am able to connect using ports that I thought I had forbidden
using "CONNECT". Is my ordering wrong?
4. I have at my disposal another 64GB partition contained in this
machine and I would like to get some suggestions for the best way to
use it. I.e., shall I just newfs this other partition and initialize
it so as to pre-stage a new cache in case my hard drive dies? Or,
can I just use it alongside what I have now and have squid continue
to work even if one of the two partitions dies?
As you can see from my attached config file, I have come a long way,
but I am not completely aware of all that squid can do.
OK, remember that the order of rules is important (OK, very
important). The reason that you can connect to any port is that the
following rules come _after_ the rules that grant access from your SRCs
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
That is the way the config is written that comes with the distro, so I
just assumed that it was correct.
I will try swapping them. Is there a known good config that is close
to what I am trying to achieve that I may evaluate for this purpose?
OK, which distribution are you using because it looks as if someone's
screwed up. If you build from source a default squid.conf is built that
is fully commented and correct in structure.
They therefore are never evaluated. You need to put these first and
then test once again. Do you really need those http_reply_access
lines at all?
Without them, my users are denied access :-(
You should be able to get away with 'http_reply_access allow all' unless
you want to block specific mime types or do something else fancy.
Neil.
--
Neil Hillard hillardn@xxxxxxxxx
Westland Helicopters Ltd. http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
views of Westland Helicopters Ltd.
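
Added example, not part of the original thread: a small Python model of Squid's first-match http_access evaluation, showing why CONNECT to an arbitrary port gets through when the allow rules for Bldg_One and Bldg_Two come before the deny rules quoted above. The network ranges, port lists and the trailing "deny all" are constructed assumptions, since the poster's squid.conf is not shown on the page.

```python
import ipaddress

def in_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r["src"]) in net

# Constructed ACL definitions (assumptions; the real ones were in the attachment).
ACLS = {
    "all":        lambda r: True,
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  in_net("127.0.0.0/8"),
    "Bldg_One":   in_net("10.1.0.0/16"),
    "Bldg_Two":   in_net("10.2.0.0/16"),
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "SSL_ports":  lambda r: r["port"] in (443, 563),
    "Safe_ports": lambda r: r["port"] in (21, 80, 443) or 1025 <= r["port"] <= 65535,
}

PROTECT = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
SITES = "http_access allow Bldg_One\nhttp_access allow Bldg_Two\n"
MISORDERED = SITES + PROTECT + "http_access deny all\n"   # allows come first
CORRECTED = PROTECT + SITES + "http_access deny all\n"    # denies come first

def decide(conf, r):
    """Return the action of the first rule whose ACLs all match the request."""
    last = "allow"
    for line in conf.splitlines():
        _, action, *names = line.split()
        last = action
        # A leading "!" negates the ACL; every ACL on the line must hold.
        if all(ACLS[n.lstrip("!")](r) != n.startswith("!") for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "deny" if last == "allow" else "allow"

def req(src, method, port, proto="http"):
    return {"src": src, "method": method, "port": port, "proto": proto}

if __name__ == "__main__":
    for port in (25, 8443, 443):
        r = req("10.1.2.3", "CONNECT", port)
        print(port, "misordered:", decide(MISORDERED, r),
              "corrected:", decide(CORRECTED, r))
```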