> On 2/14/08, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> > Here in my simple server, the squid works fine, but after posting a
>> > message about radio, Amos said:
>> >
>> > " Squid is actually an
>> > interceptor, not fully transparent. When they go down clients can expect
>> > 'Unable to Connect' errors. "
>> >
>> > And this is true. When my squid goes down, my clients can't surf
>> > because squid is not working.
>> >
>> > I don't have another server, and I don't need to.
>> >
>> > I only need to control the navigation of my clients on the internet.
>> >
>> > So, if possible, I want to know if anyone can look at my squid.conf and tell me if
>> > it is good or needs improvement.
>> >
>> > Thanks for all.
>> >
>> > My squid.conf:
>> >
>> > http_port 10.0.0.250:3128 transparent
>> >
>> > icp_port 0
>> >
>> > cache_mem 128 MB
>> > cache_swap_low 90
>> > cache_swap_high 95
>> > cache_dir ufs /usr/local/squid/var/cache 1024 16 256
>> > cache_access_log /usr/local/squid/var/logs/access.log
>> > cache_log /usr/local/squid/var/logs/cache.log
>> > cache_store_log none
>> > maximum_object_size_in_memory 1 MB
>> > maximum_object_size 100 MB
>> > minimum_object_size 0 MB
>> >
>> > pid_filename /usr/local/squid/var/logs/squid.pid
>> >
>> > visible_hostname squid.provider.com.br
>> >
>> > cache_effective_user squidaemon
>> > cache_effective_group squid
>> >
>> > acl autologinDSA dst 10.0.0.250/32
>> >
>> > acl diretor src 10.0.0.55/32
>> > acl recepcao src 10.0.0.57/32
>> > acl financeiro src 10.0.0.56/32
>> > acl suporte src 10.0.0.248/32
>> > acl suporte2 src 10.0.0.13/32
>> >
>> > acl vip1 src 10.0.1.0/28
>> > acl vip2 src 10.0.2.0/28
>> > acl vip3 src 10.0.3.0/28
>> > acl vip4 src 10.0.4.0/28
>> >
>> > acl forbidden_words url_regex -i "/usr/local/squid/etc/forbidden_words"
>> > acl forbidden_down url_regex -i "/usr/local/squid/etc/forbidden_down"
>> >
>> > external_acl_type checkip children=40 % SRC /usr/local/mwsystem/squid/sbin/checkv2.sh
>>
>> No gap in " %SRC "
>>
>> > acl checkblock external checkip
>> >
>> > acl all src 0.0.0.0/0.0.0.0
>> > acl localnet src 10.0.0.0/16
>> > acl localhost src 127.0.0.0/32
>> > acl method_control proto cache_object
>> >
>> > http_access allow method_control localhost
>> > http_access deny method_control
>> >
>> > http_access allow autologinDSa
>> >
>> > http_access deny checkblock !autologinDSA
>> >
>> > http_access allow diretor
>> > http_access allow diretor forbidden_down
>>
>> If s/he is allowed all access, no need to bother with regex.
>>
>> > http_access allow recepcao autologinDSA
>>
>> If s/he is allowed all access, no need to bother with some destinations.
>>
>> > http_access allow recepcao
>> >
>> > http_access deny financeiro
>> >
>> > http_access allow suporte
>> > http_access allow suporte2
>> >
>> > http_access deny forbidden_words
>> > http_access deny forbidden_down
>> >
>> > http_access allow vip1
>> > http_access allow vip2
>> > http_access allow vip3
>> > http_access allow vip4
>> >
>> > http_access deny localnet !autologinDSA
>> > http_access deny all
>> > http_access deny localnet
>>
>> Only need the middle one there.
>> For some reason there is no allow for checkblock people.
>>
>> They get authenticated, then nothing matches for them until the final
>> "deny all"
>>
>> Amos
>>
>
> Checkblock is an external program. It verifies the machine's IP and blocks
> it if the IP is in a configuration file.

So it has the ability to block people visiting the machine at autologinDSA,
with a default-allow policy for diretor, recepcao, suporte, suporte2 and
vip(1,2,3,4) BUT a default-deny policy for everyone else?

Amos
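The ordering problem Amos points out (a client that passes checkblock but belongs to no named group falls through to the trailing deny lines, and the last "deny localnet" is never consulted) can be checked offline by replaying Squid's first-match http_access evaluation over the posted rules. The script below is an added example, not part of the thread or of Squid; it mirrors the src/dst ACLs from the posted squid.conf (suporte/suporte2 and vip1..vip4 are merged to save space), stands in for checkv2.sh with a constructed blocked-IP list, and uses a constructed external destination address.

```python
import ipaddress
# Constructed ACL table mirroring the posted squid.conf (src/dst subset only;
# suporte/suporte2 and vip1..vip4 are merged here purely to save space).
ACLS = {
    "autologinDSA": ("dst", ["10.0.0.250/32"]),
    "diretor":      ("src", ["10.0.0.55/32"]),
    "recepcao":     ("src", ["10.0.0.57/32"]),
    "financeiro":   ("src", ["10.0.0.56/32"]),
    "suporte":      ("src", ["10.0.0.248/32", "10.0.0.13/32"]),
    "vip":          ("src", ["10.0.1.0/28", "10.0.2.0/28", "10.0.3.0/28", "10.0.4.0/28"]),
    "checkblock":   ("external", ["10.0.0.99"]),  # constructed stand-in for checkv2.sh
    "localnet":     ("src", ["10.0.0.0/16"]),
    "all":          ("src", ["0.0.0.0/0"]),
}

# http_access lines in the posted order; a leading "!" negates a term.
HTTP_ACCESS = [
    ("allow", ["autologinDSA"]),
    ("deny",  ["checkblock", "!autologinDSA"]),
    ("allow", ["diretor"]),
    ("allow", ["recepcao"]),
    ("deny",  ["financeiro"]),
    ("allow", ["suporte"]),
    ("allow", ["vip"]),
    ("deny",  ["localnet", "!autologinDSA"]),
    ("deny",  ["all"]),
    ("deny",  ["localnet"]),
]

def acl_matches(name, src, dst):
    kind, values = ACLS[name]
    if kind == "external":          # the helper decides purely on the client IP
        return src in values
    ip = ipaddress.ip_address(dst if kind == "dst" else src)
    return any(ip in ipaddress.ip_network(v) for v in values)

def http_access(src, dst="198.51.100.10", rules=HTTP_ACCESS):
    """First-match evaluation: a line fires when every term on it matches.
    Returns (action, line index), or (default, None) with the default being
    the opposite of the last line's action when nothing fires."""
    for idx, (action, terms) in enumerate(rules):
        if all(acl_matches(t.lstrip("!"), src, dst) != t.startswith("!") for t in terms):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def unreachable_rules(rules=HTTP_ACCESS):
    """Line indices never consulted because an earlier line matches everyone."""
    for idx, (_, terms) in enumerate(rules):
        if terms == ["all"]:
            return list(range(idx + 1, len(rules)))
    return []
```

Running http_access("10.0.0.200") shows an ordinary localnet client that checkblock did not block still ends at a deny line, which is the missing "allow" Amos refers to.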