Tarak Ranjan wrote:
hi List,
can anyone provide me the URL for verifying the
squid.conf file? & I want suggestions from the list
on how my current squid.conf file looks, & how I can
improve the security as well as the performance level,
Sorry I have not maintained the tester very well.
I figured out a better way to keep it up to date and took it down to
recode, but have not finished yet. I've picked out the important things
it would warn you about in a manual check below.
For now the best way is to ask your squid if it can find any problem
squid -k check
I've put any comments from a manual check below the relevant config lines.
http_port 8080 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
We are now recommending that people drop the above two lines in favor of
a new refresh_pattern.
(If you don't have peering it works much better. If you have peering in
then it may cause problems marking some peer fetched items incorrectly
for cachability.)
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 256 MB
maximum_object_size 1024 KB
cache_dir ufs /cache 10000 24 256
access_log /var/log/squid/access.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Note new refresh pattern in position above.
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
acl blocksites dstdomain "/etc/squid/squid-block.acl"
acl extndeny url_regex -i "/etc/squid/extndeny"
acl download method GET
acl blockfiles urlpath_regex -i "/etc/squid/multimedia.files.acl"
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 25 # External Mail
acl Safe_ports port 110 # External Mail
acl Safe_ports port 1863 # MSN
acl Safe_ports port 4883 #Articulate TEMP
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access deny x-type all
http_reply_access deny x-type all
http_access deny x-type2 all
http_reply_access deny x-type2 all
http_access deny extndeny download
The line above is obsolete in relation to the line below.
You can drop the one above for slightly faster processing.
http_access deny extndeny
http_reply_access deny blockfiles
http_access deny blocksites
The above is the fastest of your deny ACLs; I'd move it up to just below
the manager controls for slightly faster processing on denials.
http_access deny malware_block_list
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
These two above have already been done, yes? So having them again is a
complete waste of CPU.
acl lk_network src 192.168.1.0/24
acl localweb1 dstdomain .lk.com
http_access allow lk_network
acl local-servers1 dstdomain example.com
always_direct deny local-servers1
always_direct allow localweb1
acl local-servers2 dstdomain lk.com
always_direct deny local-servers2
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
Try to stay away from setting effective group in squid. The OS controls
are much better at it than squid can be.
coredump_dir /var/spool/squid
Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
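The manual checks Amos walks through above (a rule that repeats one already evaluated, a rule made obsolete by a broader one just below it, and a cheap dstdomain deny sitting under regex denies) all follow from the fact that http_access is evaluated top to bottom and the first matching rule wins. The script below is an added example, not Squid's own `squid -k check` and not code from either poster: it parses the acl and http_access directives of a squid.conf and reports those three classes of finding, plus rules that sit below an unconditional `deny all`. The embedded config is a constructed excerpt that mirrors the one in the thread, and the per-ACL-type cost table is an assumption used only to rank rules for the ordering hint (regex ACL types treated as the expensive ones).

```python
"""Small http_access checker for squid.conf (added example, not Squid's tooling).

Reports, for the http_access list of a config:
  dead        - an earlier rule already fires on every request this one would match
  unreachable - the rule sits below an unconditional `deny all` / `allow all`
  redundant   - a later rule with the same action and fewer ACL terms catches
                everything this one does, so this one can be dropped
  order       - a cheap rule sits below a costlier one inside a run of rules with
                the same action; moving it up does not change the policy
"""
import sys

# Assumed cost ranking of ACL types, used only for ordering hints (regex types
# are the slow ones; unknown types are given a middling cost of 2).
ACL_COST = {
    "src": 1, "dst": 1, "port": 1, "method": 1, "proto": 1,
    "dstdomain": 2, "srcdomain": 2, "req_mime_type": 3, "rep_mime_type": 3,
    "url_regex": 5, "urlpath_regex": 5, "dstdom_regex": 5,
}

# Constructed excerpt modelled on the config posted in the thread.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl x-type req_mime_type -i ^application/x-mplayer2$
acl blocksites dstdomain "/etc/squid/squid-block.acl"
acl extndeny url_regex -i "/etc/squid/extndeny"
acl download method GET
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
acl lk_network src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access deny x-type all
http_access deny extndeny download
http_access deny extndeny
http_access deny blocksites
http_access deny malware_block_list
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lk_network
http_access allow localhost
http_access deny all
http_reply_access allow all
"""


def parse(conf):
    """Return ({acl name: acl type}, [(lineno, action, (acl terms...)), ...])."""
    acls, rules = {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()          # strip trailing comments
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], parts[2])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((n, parts[1], tuple(parts[2:])))
    return acls, rules


def check(conf):
    """Return {category: [(line, related line), ...]} for the http_access list."""
    acls, rules = parse(conf)
    findings = {"dead": [], "unreachable": [], "redundant": [], "order": []}

    def cost(rule):
        # a term like "!Safe_ports" refers to the ACL named "Safe_ports"
        return max(ACL_COST.get(acls.get(t.lstrip("!"), ""), 2) for t in rule[2])

    dead = set()
    for j, (ln_j, act_j, toks_j) in enumerate(rules):
        sj = set(toks_j)
        for i, (ln_i, act_i, toks_i) in enumerate(rules[:j]):
            if toks_i == ("all",):          # unconditional rule above: never reached
                findings["unreachable"].append((ln_j, ln_i)); dead.add(j); break
            if set(toks_i) <= sj:            # earlier rule needs only a subset of our terms
                findings["dead"].append((ln_j, ln_i)); dead.add(j); break
        if j in dead:
            continue
        for i, (ln_i, act_i, toks_i) in enumerate(rules[:j]):
            # same action, strictly broader rule below, no other action in between
            if act_i == act_j and sj < set(toks_i) and all(r[1] == act_j for r in rules[i + 1:j]):
                findings["redundant"].append((ln_i, ln_j))

    # Ordering hints: swapping rules inside a run of identical actions is safe.
    start = 0
    for k in range(1, len(rules) + 1):
        if k == len(rules) or rules[k][1] != rules[start][1]:
            live = [r for idx, r in enumerate(rules[start:k], start) if idx not in dead]
            for b in range(len(live)):
                for a in range(b):
                    if cost(live[a]) > cost(live[b]):
                        findings["order"].append((live[b][0], live[a][0]))
                        break
            start = k
    return findings


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for cat, pairs in check(conf).items():
        for ln, ref in pairs:
            print(f"{cat}: http_access at line {ln} (see line {ref})")
```

Run it with no argument to check the embedded excerpt, or pass a path to a real squid.conf. On the excerpt it flags the repeated `!Safe_ports` and `CONNECT !SSL_ports` denies as dead, `deny extndeny download` as redundant next to `deny extndeny`, and suggests moving the dstdomain `blocksites` deny above the mime-type deny, which is the same advice Amos gives by hand. It checks structure only, not policy: it will say nothing about what Safe_ports contains, so a review of which ports are actually permitted is still a human job.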