On Mon, 2009-08-24 at 17:05 +1200, Amos Jeffries wrote:
> On Mon, 24 Aug 2009 10:24:41 +0600, Muhammad Sharfuddin
> <m.sharfuddin@xxxxxxxxxx> wrote:
> Note: the netfilter guys recommend using the iptables-restore tool for
> firewall setup. It's much faster and much more secure than an incremental
> build of the rules like this.

Ok, I will try.

> NOTE: The following rules only apply to external people attempting to
> connect to your internal LAN machines.
>
> ... Or to people using your proxy as a free gateway to elsewhere on the
> Internet.
>
> They can do that to your proxy by simply sending an HTTP request to any one
> of your internal LAN IPs with a forged HTTP header and URL.
>

I think only the following rules are for anyone (internal/external):

acl allowed_for_all url_regex -i "/etc/squid/allowed_for_all.txt"
http_access allow allowed_for_all
acl ftp_site url_regex -i ftp://ftp.sight-board.de
http_access allow ftp_site

All the other rules are *only* for specific machines/IPs, e.g.:

acl hod_ip src "/etc/squid/ipes/hod_ip.txt"
http_access allow hod_ip
acl cad_ip src "/etc/squid/ipes/cad_ip.txt"
http_access deny cad_ip
acl hod_tl_ip src "/etc/squid/ipes/hod_and_tl_ip.txt"
http_access allow hod_tl_ip

So I really don't understand why you said/wrote 'The following rules *ONLY* apply to external people'.

>> cache_dir diskd /var/cache/squid 50000 16 256
>
> diskd is probably your problem.
> From the use of iptables as a firewall I would guess that this is a linux
> box. On linux you should try AUFS storage for fastest speed.
> If that label is the only change on the config line you can test it with a
> simple re-config.
>

Well, same results with aufs. You are recommending aufs over diskd, and the following URL suggests 'diskd' as the store type of choice for the Cache-offs:
http://www.linuxsa.org.au/pipermail/linuxsa/2004-June/070228.html

> Also with ~50GB of storage you are probably wanting to use something like
> 32 or 64 for the Level-1 value (currently 16). Changing that requires a
> cache delete and rebuild with 'squid -z' though.

What's the rule/formula for the Level-1 and Level-2 values? Is it related to storage size?

> These days I'm advising people terminate their file extension patterns with
> (\?.*)?$ instead of just $ to catch all the sites using dynamic parts in
> their URLs.
>

You mean the following?

(\?.swf)?$
(\?.mdi)?$

e.g.

refresh_pattern -i (\?.swf)?$ 43200 100% 43200 override-lastmod override-expire

Regards
--ms
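Added illustration of the refresh_pattern terminator question raised at the end of the message above; this is not code from the thread or from Squid. It compares three ways the .swf pattern can be written against a handful of constructed sample URLs (not taken from the original posts): the old `\.swf$`, the `\.swf(\?.*)?$` form Amos recommends (extension, then an optional `?` plus query string, then end of URL), and the bare `(\?.swf)?$` suffix. Because the group in the bare suffix is optional and nothing else is required, that last pattern matches every URL. Python's `re` module with `re.IGNORECASE` is used here as a stand-in for Squid's case-insensitive POSIX extended regex matching (`-i`), which is an assumption that holds for patterns this simple.

```python
import re

# Constructed sample URLs (not from the original thread) to exercise the
# refresh_pattern terminators discussed above.
SAMPLE_URLS = [
    "http://example.com/player.swf",                # plain extension
    "http://example.com/player.swf?v=3",            # extension followed by a query string
    "http://example.com/PLAYER.SWF?a=1&b=2",        # uppercase: relies on -i
    "http://example.com/player.swf.html",           # not an .swf object
    "http://example.com/download?file=movie.swf",   # extension appears only inside the query
    "http://example.com/doc.mdi",
]


def dynamic_pattern(ext: str) -> str:
    """Build the recommended terminator for an extension: the literal
    extension, optionally followed by '?' and anything, then end of URL.
    dynamic_pattern("swf") -> r'\.swf(\?.*)?$'"""
    return r"\." + re.escape(ext) + r"(\?.*)?$"


def pattern_matches(pattern: str, url: str) -> bool:
    """Emulate 'refresh_pattern -i <pattern>': a case-insensitive search over
    the whole URL. Squid compiles POSIX extended regexes; for patterns this
    simple Python's re module behaves the same (assumption)."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def matching_urls(pattern: str, urls=SAMPLE_URLS) -> list:
    """Return the sample URLs the pattern would select, in input order."""
    return [u for u in urls if pattern_matches(pattern, u)]


PLAIN = r"\.swf$"                  # old style: only URLs that end in .swf
DYNAMIC = dynamic_pattern("swf")   # \.swf(\?.*)?$  -- also catches .swf?query=...
SUFFIX_ONLY = r"(\?.swf)?$"        # optional group alone: nothing required, so every URL matches


if __name__ == "__main__":
    for name, pat in (("PLAIN", PLAIN), ("DYNAMIC", DYNAMIC), ("SUFFIX_ONLY", SUFFIX_ONLY)):
        print(f"{name:12} {pat}")
        for u in matching_urls(pat):
            print("    ", u)
```

Two things worth noticing in the output: `SUFFIX_ONLY` selects all six URLs, including `doc.mdi` and `player.swf.html`, so a refresh_pattern written that way would apply its override-expire/override-lastmod to everything that reaches it; and both `PLAIN` and `DYNAMIC` are matched against the whole URL, so a URL whose query value happens to end in `.swf` is selected too, which is the usual caveat with extension-based url_regex patterns.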