
Re: Upgrading from 2.5.9 to 2.6.5 - woes + squish woes


 



Hi there,

Many thanks for the reply. Here is my squid.conf. I have renamed ACLs to protect the company name, since this is a public list. :-)

Thanks in advance,
D.Radel.


# -----------------------------------------------------------------------------
# MODIFIED SQUID CONFIGURATION FILE
#   - much of the original has been pruned out. See: squid.conf.original
# -----------------------------------------------------------------------------

# Set cache directory and max cache size to 7GB.
cache_dir ufs /var/spool/squid 7000 16 256
cache_mem 16 MB
cache_store_log none
half_closed_clients off


# -----------------------------------------------------------------------------
#  TAG: hierarchy_stoplist
# -----------------------------------------------------------------------------

hierarchy_stoplist cgi-bin ?


# -----------------------------------------------------------------------------
# Sites not cached
# -----------------------------------------------------------------------------


# Do not cache cgi-bin scripts
#------------------------------
acl cgi_scripts urlpath_regex cgi-bin \?
no_cache deny cgi_scripts


# Do not cache sites in our list
#--------------------------------
acl sites_not_cached url_regex -i "/squid/sites_not_cached.txt"
no_cache deny sites_not_cached


# Do not cache our local webservers
#-----------------------------------
acl local_webservers dst 192.168.1.0/24 192.168.100.0/24
no_cache deny local_webservers




# Any urls that do not include a full domain name, append our web domain
#-----------------------------------------------------------------------




# -----------------------------------------------------------------------------
#  TAG: refresh_pattern
# -----------------------------------------------------------------------------
# usage: refresh_pattern [-i] regex min percent max [options]

#Suggested default:
#-------------------
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .  0 20% 4320




# -----------------------------------------------------------------------------
# ACCESS CONTROLS
# -----------------------------------------------------------------------------


#Recommended minimum configuration:
#-----------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl behemoth src 192.168.1.221
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873  # rsync
acl SSL_ports port 8443
acl SSL_ports port 3690

acl Safe_ports port 80  # http
acl Safe_ports port 81
acl Safe_ports port 82
acl Safe_ports port 83
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl Safe_ports port 631  # cups
acl Safe_ports port 873  # rsync
acl Safe_ports port 901  # SWAT
acl Safe_ports port 8443
acl Safe_ports port 3690
acl purge method PURGE
acl CONNECT method CONNECT




# -----------------------------------------------------------------------------
#  TAG: http_access
# -----------------------------------------------------------------------------
# Allowing or Denying access based on defined access lists


# Only allow cachemgr access from localhost
#-------------------------------------------
http_access allow manager localhost behemoth
http_access deny manager


# Only allow purge requests from localhost
#------------------------------------------
http_access allow purge localhost
http_access deny purge


# Deny requests to unknown ports
#--------------------------------
http_access deny !Safe_ports


# Deny CONNECT to other than SSL ports
#--------------------------------------
http_access deny CONNECT !SSL_ports



# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost




# -----------------------------------------------------------------------------
# Company Related Access
# -----------------------------------------------------------------------------


# Allow these websites without requiring authentication
#--------------------------------------------------------------
acl NO_AUTH_NEEDED dstdomain -i "/squid/no_auth_needed.txt"
http_access allow NO_AUTH_NEEDED
http_reply_access allow NO_AUTH_NEEDED




# Authenticate against domain using LDAP, not SAMBA
#------------------------------------------------------------


# Use our homebrew script called multi_domains.sh which authenticates
# against more than one domain by making multiple calls to the standard
# /usr/lib/squid/ldap_auth program and evaluating the result. The script
# passed either an "OK" or an "ERR" back to Squid.

auth_param basic program /etc/squid/multi_domains.sh
auth_param basic children 5
auth_param basic realm Squidward Proxy
auth_param basic credentialsttl 5 hours


# Test whether user is a member of Security Groups on either domain.
# One security group has been set up on each Domain and will have
# differing rules of what sites their can visit.
# The tests are performed in various shell scripts.
#--------------------------------------------------------------------
external_acl_type co_ldap_group %LOGIN /etc/squid/co_www_access.sh
external_acl_type music_ldap_group %LOGIN /etc/squid/co_www_access.sh


# Block websites using url or keywords.
# Uses "\.file$" format to block file extensions
#-------------------------------------------------
acl blocked_content url_regex -i "/squid/blocked_sites.txt"
acl blocked_media   url_regex -i "/squid/multimedia.txt"


acl streaming_media rep_mime_type ^audio/mpeg ^audio/x-mpeg ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1

acl download method GET


# All computers on LAN must be prompted for password
#-------------------------------------------------------
acl computers_on_lan proxy_auth REQUIRED src 192.168.1.0/24 192.168.100.0/24


# Define ACLs for the Security Groups
#-----------------------------------------------------
acl co_group external co_ldap_group co_www_access
acl music_group external music_ldap_group music_www_access


http_access deny blocked_content download        all
http_access deny blocked_content                 all
http_reply_access deny blocked_content           all

http_access deny streaming_media                 co_group
http_access deny blocked_media                   co_group
http_access deny blocked_media download          co_group
http_reply_access deny streaming_media           co_group
http_reply_access deny blocked_media             co_group
http_reply_access deny blocked_media download    co_group



# Allow access to various ACLs
#-----------------------------
http_access allow co_group
http_access allow music_group
http_access allow localhost


# And finally deny all other access to this proxy
#-------------------------------------------------
http_access deny all




# -----------------------------------------------------------------------------
#  TAG: http_reply_access
# -----------------------------------------------------------------------------

http_reply_access allow all




# -----------------------------------------------------------------------------
#  TAG: icp_access
# -----------------------------------------------------------------------------

icp_access allow all




# -----------------------------------------------------------------------------
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------


# Email address displayed when error occurs or access is denied
#---------------------------------------------------------------
cache_mgr radel@xxxxxxxxxxx








Amos Jeffries wrote:
> D & E Radel wrote:
>> Hi there,
>>
>> I was running Debian old stable until today. I upgraded to current stable, rebooted and all was fine. Squid seemed fine.
>>
>> I then installed Squish - which went badly, so I removed it as per their FAQ file. Squid was a no go. I then reverted to my old previously working squid.conf and now have the error:
>>
>>     squidFATAL no ports defined!
>>
>> Dang! Adding the line: "HTTP_PORT 3128" stops the error, but now I get no authentication prompt in my browser. Restarting squid is fine, but it doesn't seem to talk to my client's browser anymore.
>>
>> I guess that I need to back-track, so armed with my old squid.conf, what can I do now - besides reverting to an early image of my drive? My squid.conf uses LDAP authentication with a Windows 2003 Server.
>>
>> Thanks in advance.
>> D.Radel.
>
> You will need to check all the settings in your old working conf against the Release Notes about changes between 2.5 and 2.6. There have been quite a few improvements at the boundary.
>
> For more detailed help we will need to see a copy of the original conf to point out the new ways of setting some parts up.
>
>
> Amos
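
Added example, not part of the original post or of Squid itself: a small Python check for one property of the http_access rules in the configuration posted above. Squid requires every ACL named on a single http_access line to match the same request, so a line that names two src ACLs with no address in common can never match. The function names and the embedded sample (a constructed subset of the posted lines) are assumptions of this example.

```python
import ipaddress
from itertools import combinations

# Constructed sample: a subset of lines copied from the squid.conf posted above.
SAMPLE_CONF = """\
acl manager proto cache_object
acl behemoth src 192.168.1.221
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE
http_access allow manager localhost behemoth
http_access deny manager
http_access allow purge localhost
http_access deny purge
"""

def parse(conf):
    """Return ({name: [networks]} for src ACLs, [(lineno, action, [acl names])])."""
    src_acls, rules = {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()          # drop trailing comments
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # Handles addr and addr/mask values only, not addr1-addr2 ranges.
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            src_acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((lineno, tok[1], tok[2:]))
    return src_acls, rules

def unsatisfiable_rules(conf):
    """Find http_access lines that AND two src ACLs sharing no address.

    A request has a single client address, so such a line never matches
    and the next http_access line decides instead.
    """
    src_acls, rules = parse(conf)
    findings = []
    for lineno, action, names in rules:
        positive_src = [n for n in names if n in src_acls]  # "!name" is skipped
        for a, b in combinations(positive_src, 2):
            if not any(x.overlaps(y) for x in src_acls[a] for y in src_acls[b]):
                findings.append((lineno, action, a, b))
    return findings

if __name__ == "__main__":
    for lineno, action, a, b in unsatisfiable_rules(SAMPLE_CONF):
        print(f"line {lineno}: 'http_access {action}' requires src ACLs "
              f"{a} and {b} together, which share no address")
```

On the sample, the cachemgr allow line is reported, which means the following "http_access deny manager" applies to every client; writing one allow line per source address gives a rule set with no finding.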

