Re: a better squid.conf? foodconcepts.net? {Scanned}

Dean Durant wrote:
Hello, I posted my squid.conf before, and someone made the observation that
I was allowing a lot of different things and that "someone evil" had
figured this out. I have tried to tighten it up. And when I do a
netstat -vat, I keep seeing food?.foodconcepts.net, which is not a
legitimate hostname at all. Is this as bad as I fear it could be?
Access through this squid box continues to be slow for uploads. Thanks,
Dean
___________________________________________________

http_port 3128
http_port 80
https_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 64 MB
cache_dir ufs /usr/local/squid/cache 400 16 256
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
pid_filename /usr/local/squid/logs/squid.pid
debug_options 4,10 26,2 83,10
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl fulda dst 130.0.0.0/255.0.0.0
acl origNet src 192.9.70.0/255.255.255.0
acl abyzNetU src 130.16.64.0/255.255.192.0
acl abyzNetW src 130.16.128.0/255.255.192.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl scanner dst 192.9.70.243
acl autoweb dst 67.109.76.29
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl abyz_forbidden url_regex "/usr/local/squid/etc/abyzforbidden/abyz_blocked.txt"
acl abyz_forbidden_always url_regex "/usr/local/squid/etc/abyzforbidden/abyz_deny.always"
acl abyz_forbidden_lunch url_regex "/usr/local/squid/etc/abyzforbidden/abyz_deny.lunch"
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow fulda
http_access allow origNet
http_access allow abyzNetW
http_access allow abyzNetU
http_access deny all
http_reply_access allow all
cache_mgr help@xxxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
visible_hostname srvproxy228
dns_testnames google.com internic.net nlanr.net ibm.com

_________________________________________________________________________________________________________________

Dean Durant



food?.* may be one of the new International domains. In which case it's probably bad. Check that with netstat -ant, and an rDNS of the IP.

The squid.conf here looks pretty good from an access point of view.
Just two things:
- why are you allowing blanket access to the 'fulda' 130.0.0.0/8 network? If you are trying to run an accelerator-mode proxy, you would do better with configured cache_peers. For an internal->internal accepting rule the blanket internal->anywhere rules should suffice.

- You are either not showing the entire squid.conf, or it's not the one you are running. Safe_Ports is used but undefined. That would crash squid on startup.

Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
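Both of Amos's points (an ACL name referenced in http_access but never defined, and an allow rule keyed on a very wide network such as 130.0.0.0/8) can be caught by a static read of the config before Squid is restarted. The script below is an added example written for this thread, not part of the original mails and not Squid's own tooling. It embeds the access-related lines of Dean's posted squid.conf as a constructed sample, compares ACL names by exact string match (an assumption; treat any mismatch it reports as something to verify against your Squid version), and flags http_access allow rules whose only ACL is a src/dst network broader than /16.

```python
"""Static checks for a squid.conf access policy (added example for this thread,
not Squid's own tooling).  It reports ACL names used in access rules but never
defined, and http_access allow rules keyed on a very wide src/dst network."""
import ipaddress

# Constructed sample: the access-related lines of the squid.conf posted above.
SAMPLE_CONF = """\
acl QUERY urlpath_regex cgi-bin \\?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl fulda dst 130.0.0.0/255.0.0.0
acl origNet src 192.9.70.0/255.255.255.0
acl abyzNetU src 130.16.64.0/255.255.192.0
acl abyzNetW src 130.16.128.0/255.255.192.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow fulda
http_access allow origNet
http_access allow abyzNetW
http_access allow abyzNetU
http_access deny all
http_reply_access allow all
"""

# Directives whose arguments are "allow|deny ACL [ACL...]" (subset, enough for this thread).
ACCESS_DIRECTIVES = {"http_access", "http_reply_access", "no_cache", "icp_access"}


def parse(text):
    """Return (acls, rules): acl name -> (type, args) and a list of
    (lineno, directive, action, [acl tokens]).  Comments and blanks are skipped."""
    acls, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            # acl NAME TYPE ARG...; repeated lines with the same name extend the ACL
            name, acltype, args = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acltype, []))[1].extend(args)
        elif parts[0] in ACCESS_DIRECTIVES and len(parts) >= 3:
            rules.append((lineno, parts[0], parts[1], parts[2:]))
    return acls, rules


def undefined_acls(text):
    """ACL names referenced by access rules but never defined.
    Exact-name comparison is an assumption made here for a conservative check."""
    acls, rules = parse(text)
    missing = []
    for lineno, directive, _, tokens in rules:
        for tok in tokens:
            name = tok.lstrip("!")  # '!NAME' negates the ACL; the name is still required
            if name not in acls:
                missing.append((lineno, directive, name))
    return missing


def prefix_len(spec):
    """Prefix length of 'addr/mask', where mask is a dotted netmask or a CIDR length;
    a bare address counts as a single host (/32)."""
    _, _, mask = spec.partition("/")
    if not mask:
        return 32
    if "." in mask:
        return bin(int(ipaddress.IPv4Address(mask))).count("1")
    return int(mask)


def wide_allow_rules(text, max_prefix=16):
    """http_access allow rules whose only ACL is a src/dst network wider than /max_prefix,
    i.e. the blanket-allow pattern the reply warns about."""
    acls, rules = parse(text)
    wide = []
    for lineno, directive, action, tokens in rules:
        if directive != "http_access" or action != "allow" or len(tokens) != 1:
            continue
        name = tokens[0]
        if name.startswith("!") or name not in acls:
            continue
        acltype, args = acls[name]
        if acltype in ("src", "dst"):
            widest = min(prefix_len(a) for a in args)
            if widest < max_prefix:
                wide.append((lineno, name, acltype, widest))
    return wide


if __name__ == "__main__":
    for ln, d, n in undefined_acls(SAMPLE_CONF):
        print(f"line {ln}: {d} references undefined acl '{n}'")
    for ln, n, t, p in wide_allow_rules(SAMPLE_CONF):
        print(f"line {ln}: allow keyed only on {t} acl '{n}', a /{p} network")
```

Run against the sample, it reports the `Safe_ports` reference on the `http_access deny !Safe_ports` line and the `allow fulda` rule as a /8 allow; the same functions can be pointed at a full squid.conf read from disk.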
