Re: organization squid.conf

["Riccardo Castellani" <ric.castellani@xxxxxxxx>]

> Neither. Look at what the requirements are for each and create logical 
> groupigs that do not interfere with each other and in order configured do 
> what your policy requires.
>
> Also, be extremely careful about http_reply_access.
>  It's often over-blocked by using rules that duplicate http_access. This 
> can either prevent access denied pages getting out to bad viewers, or 
> cause extra useless load.
> Only use it to filter requests that cannot be checked earlier in 
> http_access.
>
>
> Amos




Ok I can looking for requirements for all my acl, but what means creating
logical groups ?
It means that group can contain both acl and directives ?

I thought acl should be next to directive where it's used so there is more
cleaning. What do you think ?




----- Original Message ----- 
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Riccardo Castellani" <r.castellani@xxxxxxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, June 17, 2009 5:21 PM
Subject: Re:  organization squid.conf


> Riccardo Castellani wrote:
> > What do you suggest to prepare a clean squid.conf ?
> > I have many many ACL which I use in these directive:
> >
> > no_cache deny
>
> change #1:
>   no_cache deny X
> to:
>   cache deny X
>
> no_cache is an obsolete option name.
>
> > http_access deny
> > http_access allow
> >
> >
> > 1- To collect ACL all together or I can insert specific ACL groups next 
> > to
> > directives where they are used, e.g.
> >
> >
> > Acl A...
> > Acl B...
> > Acl C...
> > no_cache deny A
> > no_cache deny B
> > no_cache deny C
> >
> > Acl E...
> > Acl F..
> > Acl G...
> > http_access allow E
> > http_access allow F
> > http_access allow G
> >
> > Acl H...
> > Acl I..
> > Acl L...
> > http_reply_access allow H
> > http_reply_access allow I
> > http_reply_access deny L
>
> Neither. Look at what the requirements are for each and create logical 
> groupigs that do not interfere with each other and in order configured do 
> what your policy requires.
>
> Also, be extremely careful about http_reply_access.
>  It's often over-blocked by using rules that duplicate http_access. This 
> can either prevent access denied pages getting out to bad viewers, or 
> cause extra useless load.
> Only use it to filter requests that cannot be checked earlier in 
> http_access.
>
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>   Current Beta Squid 3.1.0.8