IBT wrote:
I have added my config so that maybe someone with more experience can make
sure it is ok
# NETWORK OPTIONS
http_port 8085
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
This QUERY stuff is just preventing some old crap pages from caching.
We now recommend using the refresh_patterns instead:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# OPTIONS WHICH AFFECT THE CACHE SIZE
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
cache_dir ufs c:/squid/var/cache 1000 16 256
access_log c:/squid/var/logs/access.log squid
cache_log c:/squid/var/logs/cache.log
cache_store_log c:/squid/var/logs/store.log
store.log is not useful. Save some resources and kill it unless you have a
good reason to keep it.
debug_options ALL,3
We recommend ALL,1 as highest for normal running.
Levels 2+ are mixed and various debug information.
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
allow_underscore on
dns_nameservers 192.168.2.3 192.168.2.1
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G -c
# ACCESS CONTROL VALUES
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 87 # http required for Telstra Statistics website
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl our_networks src 192.168.0.0/16
acl java browser java/6
acl NoAuthDomains dstdomain "c:/squid/etc/domains/NoAuthDomains.txt"
http_access allow java
http_access allow NoAuthDomains our_networks Safe_ports
Optional speed hint: reorder so the faster tests come first:
http_access allow Safe_ports our_networks NoAuthDomains
acl proxyfullaccess external NT_global_group proxyfullaccess
acl password proxy_auth REQUIRED
acl DeniedDomains dstdomain "c:/squid/etc/domains/DeniedDomains.txt"
acl CONNECT method CONNECT
acl FTP proto FTP
always_direct allow FTP
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
The above block (5 lines) is the security safety nets. Unless you have
good reason for permitting the domains I'd stick them at the top and
shift the java and no-auth lines below them.
> http_access allow java
> http_access allow NoAuthDomains our_networks Safe_ports
http_access deny DeniedDomains
With this line here the DeniedDomains are blocked almost always. They are
accessible only to Java applications or if they are also listed in
NoAuthDomains.
I'm surprised that your indicated tests for Admin actually worked. They
should not have with this config. I suspect it has something to do with
the only cause for a login to be fetched being 'proxyfullaccess' needing to
use it.
http_access allow password our_networks proxyfullaccess
http_access allow password our_networks Safe_ports
http_access deny all
# MISCELLANEOUS
logfile_rotate 10
error_directory c:/squid/share/errors/English
In case I have confused you: from what I understand of your needs, your
access lines should look like this:
# Admin 'localhost' access for cache management reports
http_access allow manager localhost
http_access deny manager
# basic safety nets
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny !our_networks
# general access rules
http_access allow java
http_access allow Safe_ports NoAuthDomains
http_access allow password proxyfullaccess
http_access allow Safe_ports !DeniedDomains password
http_access deny all
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.7
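The point of the reordering above is Squid's http_access evaluation order: lines are tried top to bottom, every ACL named on a line must match (AND), and the first line that matches decides. The following Python simulator is an added example, not Squid's own code and not part of the thread; it encodes the ACL names from the posted config as constructed predicates (the NoAuthDomains and DeniedDomains file contents are stand-in sample domains, to_localhost is approximated by a hostname test, and proxy_auth is reduced to an "authenticated" flag rather than a real challenge) and runs the same requests through the original ordering and the recommended one so the difference is visible.

```python
# Simulate Squid's http_access evaluation: lines are tried top to bottom,
# every ACL term on a line must match (AND), and the first matching line
# decides. Everything below (ACL predicates, sample domains, requests) is
# constructed for this example and is not Squid's implementation.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    src: str                      # client IP address
    dst_domain: str               # requested host name
    port: int                     # destination port
    method: str = "GET"
    proto: str = "http"           # "cache_object" for manager requests
    browser: str = ""             # User-Agent string
    authenticated: bool = False   # stand-in for proxy_auth REQUIRED succeeding
    groups: set = field(default_factory=set)  # stand-in for the NT group lookup


OUR_NETWORKS = ipaddress.ip_network("192.168.0.0/16")
SAFE_PORTS = {80, 87, 21, 443}
SSL_PORTS = {443}
NOAUTH_DOMAINS = {"updates.example"}   # constructed stand-in for NoAuthDomains.txt
DENIED_DOMAINS = {"blocked.example"}   # constructed stand-in for DeniedDomains.txt

# One predicate per ACL name used in the posted config.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r.proto == "cache_object",
    "localhost": lambda r: r.src == "127.0.0.1",
    "to_localhost": lambda r: r.dst_domain == "localhost",  # approximates dst 127.0.0.0/8
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "our_networks": lambda r: ipaddress.ip_address(r.src) in OUR_NETWORKS,
    "java": lambda r: "java/6" in r.browser,
    "NoAuthDomains": lambda r: r.dst_domain in NOAUTH_DOMAINS,
    "DeniedDomains": lambda r: r.dst_domain in DENIED_DOMAINS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "password": lambda r: r.authenticated,
    "proxyfullaccess": lambda r: "proxyfullaccess" in r.groups,
}


def parse_rules(text):
    """Turn 'http_access allow a b' lines into (action, [term, ...]) tuples."""
    rules = []
    for line in text.strip().splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules


def term_matches(term, req):
    """A leading '!' negates the ACL, as in squid.conf."""
    negate = term.startswith("!")
    result = ACLS[term.lstrip("!")](req)
    return (not result) if negate else result


def http_access(rules, req):
    """First line whose terms all match decides; with no match, Squid applies
    the opposite of the last line's action."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Ordering as posted (java / NoAuthDomains allows ahead of the safety nets).
ORIGINAL = parse_rules("""
http_access allow java
http_access allow NoAuthDomains our_networks Safe_ports
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny DeniedDomains
http_access allow password our_networks proxyfullaccess
http_access allow password our_networks Safe_ports
http_access deny all
""")

# Ordering recommended in the reply (safety nets first).
RECOMMENDED = parse_rules("""
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny !our_networks
http_access allow java
http_access allow Safe_ports NoAuthDomains
http_access allow password proxyfullaccess
http_access allow Safe_ports !DeniedDomains password
http_access deny all
""")


def compare(req):
    """Return (original decision, recommended decision) for one request."""
    return http_access(ORIGINAL, req), http_access(RECOMMENDED, req)


if __name__ == "__main__":
    cases = {
        "java client, outside our_networks, port 8080":
            Request("10.0.0.5", "www.example", 8080, browser="java/6"),
        "authenticated user, denied domain":
            Request("192.168.1.10", "blocked.example", 80, authenticated=True),
        "proxyfullaccess member, denied domain":
            Request("192.168.1.10", "blocked.example", 80, authenticated=True,
                    groups={"proxyfullaccess"}),
        "unauthenticated user, no-auth domain":
            Request("192.168.1.10", "updates.example", 80),
    }
    for label, req in cases.items():
        orig, rec = compare(req)
        print(f"{label}: original={orig} recommended={rec}")
```

The first case is the one the reply warns about: with `allow java` ahead of the safety nets, a client sending a java/6 User-Agent from outside the local networks gets through to any port, while the recommended ordering stops it at `deny !Safe_ports` before the java line is ever consulted. The third case shows the other consequence of ordering: `deny DeniedDomains` placed before the proxyfullaccess line blocks that group too, whereas the recommended list consults `password proxyfullaccess` before the `!DeniedDomains` test.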