Henrik/all;
You could be right on the order; I am also having some problems using the
cachemgr.cgi, which I believe is due to the order. Also, I am able to ssh
out using my proxy, and I wish not to.
Since looking over a few other configs, I've modified my own and have
attached it.
I sincerely appreciate any input and/or suggestions from the community.
Regards.
.vp
Vadim
From: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>
To: Vadim Pushkin <wiskbroom@xxxxxxxxxxx>
On Wed 2006-04-05 at 14:33 +0000, Vadim Pushkin wrote:
> I have just entered the following into my squid.conf:
>
> header_access Via deny all
> header_access X-Forwarded-For deny all
>
> Restarted squid and visited http://www.dnsstuff.com/tools/aboutyou.ch
>
> which revealed:
>
> Proxy Server: 1.0 squidproxy1:1080 (squid/2.5.STABLE12)
> Real IP appears to be: 10.13.1.146 [[Private IP]]
Check your config again. The directives as such work fine (verified).
"/path/to/sbin/squid -k parse"
and also check for other conflicting header_access directives.
> Am I missing something in order to hide this information?
What you have done looks entirely correct to me.
My primary guess on why it doesn't work for you is that you maybe added
the directives too early, before where the "all" acl is defined.
Regards
Henrik

debug_options ALL,1
http_port 8080
hierarchy_stoplist cgi-bin ?
#
# Revisit these two lines - perhaps move them elsewhere?
#
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir aufs /data/squidcache 51200 64 256
maximum_object_size 32 MB
cache_mem 4 MB
cache_swap_low 97
cache_swap_high 98
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 4096
buffered_logs off
cache_replacement_policy heap LFUDA
cache_access_log /data/squidlogs/access.log
cache_store_log none
ftp_user ftp@
#reference_age 6 month
quick_abort_min 1 KB
quick_abort_max 1048576 KB
quick_abort_pct 90
connect_timeout 30 seconds
read_timeout 5 minutes
request_timeout 30 seconds
client_lifetime 2 hour
half_closed_clients off
pconn_timeout 120 seconds
ident_timeout 10 second
shutdown_lifetime 15 seconds
request_header_max_size 100 KB
request_body_max_size 1000 KB
refresh_pattern ^ftp: 1440 50% 86400
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 50% 86400
############################
# ACL's
############################
acl bad-files url_regex -i "/u1/squid/etc/bad-files"
acl good-files url_regex "/u1/squid/etc/good-files"
# Relocate the next line to the http_access group area?
http_access deny bad-files !good-files
#
# Define networks
#
acl RAS src 192.168.0.0/16
acl Old_Bldg_One src 10.10.0.0/16
acl Future_Bldg src 10.11.0.0/16
acl Partner_Net src 10.12.0.0/16
acl Bldg_One src 10.13.0.0/16
acl Bldg_Two src 10.14.0.0/16
acl Bldg_Three src 10.15.0.0/16
acl Bldg_Four src 10.16.0.0/16
#
acl EXT_sixteen src 172.16.0.0/16
acl EXT_seventeen src 172.17.0.0/16
acl EXT_eighteen src 172.18.0.0/16
acl EXT_nineteen src 172.19.0.0/16
#
# Define the Cache Peers (these are on a private Conn)
#
acl ICP_ONE src 172.16.20.9
acl ICP_TWO src 172.16.20.10
#
acl manager proto cache_object
#
acl localhost src 127.0.0.1/255.255.255.255
#
# Define Safe Ports to use.
#
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#
# Define SSL Ports
#
acl SSL_ports port 443 563
#
acl CONNECT method CONNECT
#
#
# Everyone Else
#
acl all src 0.0.0.0/255.255.255.255
#
# Attempt to prevent us from being seen with tools
# like those at:
#
# http://www.dnsstuff.com/tools/aboutyou.ch
#
# This link shows a lot more than what we wish
# to divulge here
header_access Via deny all
header_access X-Forwarded-For deny all
############################
# http_access
############################
# I've tried using http_access allow all, but it did
# not work, I assume because of the way I've defined networks?
#
http_access allow RAS
http_access allow Old_Bldg_One
http_access deny Future_Bldg
http_access allow Partner_Net
http_access allow Bldg_One
http_access allow Bldg_Two
http_access allow Bldg_Three
http_access allow Bldg_Four
#
http_access allow EXT_sixteen
http_access allow EXT_seventeen
http_access allow EXT_eighteen
http_access allow EXT_nineteen
#
http_access allow ICP_ONE
http_access allow ICP_TWO
#
#
http_access allow manager localhost
http_access allow manager Bldg_One
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
http_access deny all
############################
# http_reply_access
############################
#
# One per each network above
#
http_reply_access allow RAS
http_reply_access allow Old_Bldg_One
http_reply_access allow Future_Bldg
http_reply_access allow Partner_Net
http_reply_access allow Bldg_One
http_reply_access allow Bldg_Two
http_reply_access allow Bldg_Three
http_reply_access allow Bldg_Four
#
http_reply_access allow EXT_sixteen
http_reply_access allow EXT_seventeen
http_reply_access allow EXT_eighteen
http_reply_access allow EXT_nineteen
#
http_reply_access allow ICP_ONE
http_reply_access allow ICP_TWO
#
http_reply_access allow all
cache_mgr squidmgr@xxxxxxxxxx
visible_hostname squidproxy1
logfile_rotate 8
coredump_dir /u1/squid/var/cache
cache_effective_user nobody
cache_effective_group nobody
# TEMP
icp_port 3130
# Allow my peer
icp_access allow ICP_ONE
# Deny everyone else.
# Be sure to edit this in case you modify or add another cache.
#
icp_access deny all
# cache_peer 172.16.20.9 sibling 8080 3130 proxy-only
cache_peer 172.16.20.9 sibling 8080 3130
peer_connect_timeout 10 seconds
dns_testnames localhost
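As an added example (my own code, not from the thread and not a Squid tool): a small Python lint, run on constructed squid.conf samples, that flags the two ordering mistakes discussed above, an acl such as `all` referenced by header_access before its acl line, and `http_access allow <network>` rules placed ahead of the `deny !Safe_ports` / `deny CONNECT !SSL_ports` checks, which in the posted config means those port restrictions never apply to the allowed networks (Squid's http_access is first-match). The directive and acl names come from the posted config; the PORT_GUARDS set and the exception for manager rules are my assumptions.

```python
"""Added example, not from the thread: an ordering lint for squid.conf.
Squid reads "acl" lines in file order and http_access is first-match, so an
acl used before its definition, or "allow <net>" ahead of the port denies,
silently changes what the config does.  Samples below are constructed."""

ACL_USERS = {"http_access", "http_reply_access", "icp_access",
             "header_access", "no_cache"}
PORT_GUARDS = {"!Safe_ports", "CONNECT !SSL_ports"}  # assumed guard rules

def lint_squid_conf(text):
    """Return findings (strings); an empty list means the ordering is sane."""
    defined, findings, guard_seen = set(), [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # strip comments, tokenise
        if not words or len(words) < (4 if words[0] == "header_access" else 2):
            continue
        directive = words[0]
        if directive == "acl":
            defined.add(words[1])
            continue
        if directive not in ACL_USERS:
            continue
        # header_access <Header> allow|deny <acl..>; the rest: allow|deny <acl..>
        action, acls = ((words[2], words[3:]) if directive == "header_access"
                        else (words[1], words[2:]))
        for name in acls:
            if name.lstrip("!") not in defined:
                findings.append(f"line {lineno}: {directive} references acl "
                                f"'{name.lstrip('!')}' before it is defined")
        if directive == "http_access":
            rule = " ".join(acls)
            if action == "deny" and rule in PORT_GUARDS:
                guard_seen = True
            elif action == "allow" and not guard_seen and "manager" not in acls:
                findings.append(f"line {lineno}: 'http_access allow {rule}' "
                                "precedes the Safe_ports/SSL_ports deny rules")
    return findings

# Constructed samples: BROKEN mirrors the thread's two ordering problems.
BROKEN = """acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl Bldg_One src 10.13.0.0/16
header_access Via deny all
http_access allow Bldg_One
acl all src 0.0.0.0/0.0.0.0
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all"""
# FIXED: same lines, "acl all" first and the port denies before the allow.
FIXED = "\n".join(BROKEN.splitlines()[i] for i in (6, 0, 1, 2, 3, 7, 8, 5, 9, 4))
```

Running `lint_squid_conf(BROKEN)` reports the header_access line and the early allow; `lint_squid_conf(FIXED)` returns an empty list.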