
Re: Domain & URL blacklists


 



Thomas Raef wrote:
Squid can handle these by itself. With a regular "squid -k reconfigure" after updating the files.

For the list of pure hostnames a "dstdomain" acl is the best.
For the list of URI snippets a "urlpath_regex" acl probably with "-i" is needed.

If the domain/ip file is a pruned version of the domains with URI entries, then the URI may not be useful as it's all caught by the domain.
If they are different then yes both have a use.

Amos


[Tom replied with:]
Amos, would you then recommend that the domain acl be listed before the
url acl?

Yes, it's a small performance boost, but large lists sometimes need it.


That would block by domain if a url included an entry in the domain list
- if that's the desired result, thus avoiding the expensive (resource
wise) urlpath_regex lookup.

That's the idea.

The catch-22 here is that sequencing acls only boosts the matching requests. For denies, non-matching requests usually form the majority of web usage. Then both lists will be fully checked (returning false) and pruning the regex down as far as possible would still be a great idea.

There is a trick I sometimes use: mixing acl types within a single name.
Since each object in a name matches on OR, it should stop at the first absolute match in there. But I have not done any rigorous testing of that. Nor am I certain of the order squid does the type tests, so it could be making things worse if regex is mixed.


I guess it would all depend on the desired results but something that
should be considered when implementing acls.

Aha.

Amos
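
The setup discussed in this thread, written out as a squid.conf fragment (an added example, not part of the original messages; the ACL names and file paths are assumptions):

```conf
# Hypothetical file: one hostname per line. A leading dot
# (".example.com") also matches subdomains of that host.
acl blocked_domains dstdomain "/etc/squid/blacklist_domains.txt"

# Hypothetical file: one regex per line, tested against the URL path only.
# -i makes the match case-insensitive.
acl blocked_urls urlpath_regex -i "/etc/squid/blacklist_urls.txt"

# http_access rules are evaluated top to bottom and the first match wins,
# so a request denied by the cheap domain lookup never reaches the regex list.
http_access deny blocked_domains
http_access deny blocked_urls

# Requests that match neither list are still tested against both, so keep
# the regex file free of entries already covered by the domain file.

# ... the site's existing allow rules follow here ...
```

Running "squid -k parse" checks the edited configuration for errors before "squid -k reconfigure" loads it.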
