On Thu, 03 Dec 2009 00:00:29 +0100, José Illescas Pérez <jip@xxxxxxx>
wrote:
> Amos Jeffries wrote:
>> On Wed, 02 Dec 2009 20:36:38 +0100, José Illescas Pérez <jip@xxxxxxx>
>> wrote:
>>> Hello,
>>>
>>> I'm interested in installing squid for my organization.
>>>
>>> I want to configure large acl's of ip lists, 20.000 more or less.
>>>
>>> Can I use external acl with MySQL to create this acl ip list? What's
>>> the performance in this case?
>>>
>>> I want to configure large acl of url lists in MySQL too, for example a
>>> blacklist with categories. What's the performance in this case?
>>>
>>> Perhaps it is more convenient to use squidguard for blacklist of urls and
>>> create the group categories. Any ideas?
>>>
>>> Greetings.
>>
>> Individual IPs with individual blocklists? This is extremely inefficient.
>>
>> If you must, you can easily use external_acl_type to pull details from
>> mysql during live traffic processing. Speed depends on the query
>> efficiency
>> and network lag to mysql server.
>>
>> If you find that too slow look at ufdbGuard.
>>
>> Amos
>>
>
> We have five or six ip groups, with permissions in categories of
> blacklist for each group. Each group contains between 1,000 and 10,000
> ip addresses.

If by group you mean some network topology grouping. The network admin
should have some CIDR range that describes each group. That can be
implemented in Squid ACLs for a simpler and faster config.

For example something like this filtering grouped by network, then some
individual IPs with a blocklist applied;

  acl networkA src 10.2.0.0/16
  acl networkB src 10.15.0.0/16

  acl ipsA1 src "file_with_A1_group_IPs"
  acl ipsA2 src "file_with_A2_group_IPs"

  acl blockA1domains dstdomain "file_with_A_group_blocklist"

  http_access deny networkA ipsA1 blockA1domains
  http_access deny networkA ipsA2
  http_access allow networkB
  ...

>
> The blacklist categories can be urlblacklist, for example.
>
> Where can I configure this, in squid or squidguard?

The above type config. either.
If you go with external_acl_type that's in Squid.

Though I would suggest looking at ufdbguard. It's geared around database
backend fetches, where squidGuard would require some additional system
creating the squidGuard config on changes.

Amos
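
Added example, not part of the original message and not code from the Squid project: a minimal external_acl_type helper of the kind suggested above, answering one "%SRC %DST" lookup per line with OK (ACL matches) or ERR (no match). sqlite3 with constructed rows stands in for the MySQL backend so it runs offline; the table names, helper path and ACL names are assumptions.

```python
# Hypothetical squid.conf wiring (helper path and ACL names are assumptions):
#   external_acl_type group_block ttl=60 %SRC %DST /usr/local/bin/group_block.py
#   acl blocked_for_group external group_block
#   http_access deny blocked_for_group
import ipaddress
import sqlite3
import sys

# Constructed sample data: one CIDR per group, blocked domains per group.
SCHEMA = """
CREATE TABLE group_net (grp TEXT, cidr TEXT);
CREATE TABLE group_block (grp TEXT, domain TEXT);
INSERT INTO group_net VALUES ('A', '10.2.0.0/16'), ('B', '10.15.0.0/16');
INSERT INTO group_block VALUES ('A', 'blocked.example'), ('A', 'ads.example');
"""
DB = sqlite3.connect(":memory:")  # stand-in for the MySQL connection
DB.executescript(SCHEMA)

def group_of(src):
    """Return the group whose CIDR contains src, or None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    nets = DB.execute("SELECT grp, cidr FROM group_net").fetchall()
    return next((g for g, c in nets if addr in ipaddress.ip_network(c)), None)

def is_blocked(src, dst):
    grp = group_of(src)
    if grp is None:
        return False  # unknown client: no match, later http_access rules decide
    labels = dst.lower().rstrip(".").split(".")
    cands = [".".join(labels[i:]) for i in range(len(labels))]  # host + parents
    # Only "?" placeholders are interpolated; values are bound as parameters.
    sql = ("SELECT 1 FROM group_block WHERE grp = ? AND domain IN (%s)"
           % ",".join("?" * len(cands)))
    return DB.execute(sql, [grp, *cands]).fetchone() is not None

def answer(line):
    fields = line.split()
    # Malformed input is answered ERR (no match) rather than crashing the helper.
    return "OK" if len(fields) == 2 and is_blocked(*fields) else "ERR"

if __name__ == "__main__":
    for line in sys.stdin:  # Squid writes one lookup per line
        print(answer(line), flush=True)
```

Because ERR means "no match" for a deny ACL, malformed lookups and unknown clients fall through to whatever http_access rules follow, so the rule set should end with an explicit default. The ttl= option on external_acl_type caches each answer in Squid, which is what keeps the per-request database cost down.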