Thanks for all the helpful tips - I finally got everything under control, and my main problems appeared to be using "req_mime_type" instead of "rep_mime_type" as well as no clear understanding of "http_reply_access". I finally figured it out, and for future reference here's the filtering proxy config that I've come up with (filters out everything but HEAD requests from text/html and GET for various XML types (mainly RSS-related)). If anybody has any comments - I'd be glad to hear those.

#squid.conf
#################
# DEBUGGING
#
# debug_options ALL,0 33,2 28,7

#################
# General options
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_single_host off
httpd_accel_uses_host_header on

### Cache tuning
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95

### Size restrictions
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 16 KB
reply_header_max_size 4 KB
request_body_max_size 2 KB
log_mime_hdrs on

### Paths
useragent_log /var/log/squid/useragent.log
referer_log /var/log/squid/referer.log
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern . 0 20% 4320
strip_query_terms off

#################
# ACL Definitions

### IP definitions
acl all src 0.0.0.0/0.0.0.0
acl from_clients src 192.168.1.0/255.255.255.0
acl to_clients dst 192.168.1.0/255.255.255.0
acl to_mynet dst 192.168.0.0/255.255.0.0
acl from_localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

### Ports definitions
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http

### protocols definitions
acl allowed_protocols proto HTTP
acl manager proto cache_object

### content type definitions
acl xml_content rep_mime_type -i text/xml
acl xml_content rep_mime_type -i application/xml
# rep_mime_type values are regular expressions, so the literal "+" is escaped
acl xml_content rep_mime_type -i application/rdf\+xml
acl html_content rep_mime_type -i text/html
acl html_content rep_mime_type -i text/xhtml

### methods definitions
acl CONNECT_method method CONNECT
acl HEAD_method method HEAD
acl GET_method method GET

#################
# ACL Rules

### REQUEST rules
http_access deny !Safe_ports
http_access deny to_mynet
http_access deny !allowed_protocols
http_access deny CONNECT_method !SSL_ports
http_access allow manager from_localhost
http_access deny manager
http_access allow GET_method from_clients
http_access allow HEAD_method from_clients
http_access deny all

### REPLY rules (those are actually inspecting what's returned)
http_reply_access allow GET_method xml_content from_clients
http_reply_access allow HEAD_method html_content from_clients
http_reply_access deny all

### Self-explanatory stuff
icp_access deny all
miss_access allow from_clients
reply_body_max_size 20480 allow from_clients

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
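
The request-stage and reply-stage decisions of the config above, as an added example that is not part of the original post: a Python model of first-match evaluation for the http_access rules on port, destination and method and for the http_reply_access rules. The transaction fields, the helper names and the sample addresses are assumptions of this sketch, and Python's `re` stands in for Squid's regex matching.

```python
import re
from ipaddress import ip_address, ip_network
# Model of the posted rules; transaction field names are assumptions of this sketch.
CLIENTS = ip_network("192.168.1.0/24")   # acl from_clients
MYNET = ip_network("192.168.0.0/16")     # acl to_mynet
XML = [r"text/xml", r"application/xml", r"application/rdf\+xml"]
HTML = [r"text/html", r"text/xhtml"]

def mime(patterns, value):
    # MIME ACLs with -i are case-insensitive, unanchored regex searches.
    return value is not None and any(re.search(p, value, re.I) for p in patterns)

def acls(t, mime_field):
    """mime_field picks the header the content ACLs read: rep_type or req_type."""
    return {
        "all": True,
        "from_clients": ip_address(t["src"]) in CLIENTS,
        "to_mynet": ip_address(t["dst"]) in MYNET,
        "Safe_ports": t["port"] == 80,
        "GET_method": t["method"] == "GET",
        "HEAD_method": t["method"] == "HEAD",
        "xml_content": mime(XML, t.get(mime_field)),
        "html_content": mime(HTML, t.get(mime_field)),
    }

HTTP_ACCESS = [("deny", ["!Safe_ports"]), ("deny", ["to_mynet"]),
               ("allow", ["GET_method", "from_clients"]),
               ("allow", ["HEAD_method", "from_clients"]), ("deny", ["all"])]
REPLY_ACCESS = [("allow", ["GET_method", "xml_content", "from_clients"]),
                ("allow", ["HEAD_method", "html_content", "from_clients"]),
                ("deny", ["all"])]

def first_match(rules, facts):
    # The first line whose ACLs all match decides; "!name" negates an ACL.
    for action, names in rules:
        if all(facts[n.lstrip("!")] != n.startswith("!") for n in names):
            return action
    return "deny"

def verdict(t, mime_field="rep_type"):
    facts = acls(t, mime_field)
    if first_match(HTTP_ACCESS, facts) == "deny":
        return "request denied"
    return "delivered" if first_match(REPLY_ACCESS, facts) == "allow" else "reply denied"

def tx(method, rep_type, dst="203.0.113.10"):
    # Constructed sample transaction from a client at 192.168.1.20.
    return {"src": "192.168.1.20", "dst": dst, "port": 80, "method": method,
            "req_type": None, "rep_type": rep_type}
```

Calling `verdict(tx("GET", "text/xml"), mime_field="req_type")` models the req_mime_type mix-up: a GET normally carries no request Content-Type, so no content ACL matches and every reply falls through to the final deny.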