José Illescas Pérez wrote:
On Thu, 03-12-2009 at 12:50 +1300, Amos Jeffries wrote:
On Thu, 03 Dec 2009 00:00:29 +0100, José Illescas Pérez <jip@xxxxxxx>
wrote:
Amos Jeffries wrote:
On Wed, 02 Dec 2009 20:36:38 +0100, José Illescas Pérez <jip@xxxxxxx>
wrote:
Hello,
I'm interested in installing squid for my organization.
I want to configure large acl's of ip lists, 20.000 more or less.
Can I use external acl with MySQL to create this acl ip list? What's
the performance in this case?
I want to configure large acl of url lists in MySQL too, for example a
blacklist with categories. What's the performance in this case?
Perhaps it is more convenient to use squidguard for blacklist of urls and
create the group categories. Any ideas?
Greetings.
Individual IPs with individual blocklists? This is extremely
inefficient.
If you must, you can easily use external_acl_type to pull details from
mysql during live traffic processing. Speed depends on the query
efficiency
and network lag to mysql server.
If you find that too slow look at ufdbGuard.
Amos
We have five or six ip groups, with permissions in categories of
blacklist for each group. Each group contains between 1,000 and 10,000
ip addresses.
If by group you mean some network topology grouping. The network admin
should have some CIDR range that describes each group. That can be
implemented in Squid ACLs for a simpler and faster config.
For example something like this filtering grouped by network, then some
individual IPs with a blocklist applied;
acl networkA src 10.2.0.0/16
acl networkB src 10.15.0.0/16
acl ipsA1 src "file_with_A1_group_IPs"
acl ipsA2 src "file_with_A2_group_IPs"
acl blockA1domains dstdomain "file_with_A_group_blocklist"
http_access deny networkA ipsA1 blockA1domains
http_access deny networkA ipsA2
http_access allow networkB
Hello,
We have ip groups with individual ips. We can't group by networks. For
example:
Group Filter IT 10.30.1.2,10.30.1.8,10.30.1.28,10.40.2.56, 10.50.5.5,
etc, etc. (5000 ip addresses more or less).
Group Filter Press 10.30.1.29,10.40.2.22,10.60.1.200, etc (10000 ip
addresses, approximately).
.
.
.
Keep in mind that these groups are constantly changing.
Each group has permission to access one or more categories blacklists.
In this scenario, what is the ideal solution for best performance?
- A file with lists ips in squid?
No. Files of IPs in Squid need to be static for reasonably long periods,
several hours to a day etc.
- A file with lists ips in squidguard?
- A query to mysql database for external acl in squid or squidguard?
AFAIK squidguard does not do external ACL.
- A query to ldap for external acl in squid or squidguard? (We have ip
addresses for user saved in ldap server).
One of the last two with Squid. External ACL can even return the user=*
tag with its result to get the Squid logs linked to individual accounts.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15
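
The external ACL approach discussed in this thread, sketched as an added example (not code from any poster or from the Squid project): a helper that answers Squid's per-request lookup and returns the user= tag on a match. The helper path, ACL names, ttl value and the in-memory table standing in for the MySQL/LDAP query are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: is the client IP a member of the named group?

Assumed squid.conf wiring (helper path, ACL names and ttl are illustrative):
  external_acl_type ipgroup ttl=60 %SRC /usr/local/bin/ipgroup_helper.py
  acl groupIT external ipgroup IT
  http_access deny groupIT blockITdomains
Squid writes one line per lookup, "<client-ip> <group>", and expects one
reply line: "OK [key=value ...]" on a match, "ERR" otherwise.
"""
import ipaddress
import sys

# Constructed sample data standing in for the MySQL/LDAP lookup:
# client IP -> (group, account name). Account names are made up.
MEMBERS = {
    "10.30.1.2": ("IT", "alice"),
    "10.30.1.8": ("IT", "bob"),
    "10.30.1.29": ("Press", "carol"),
}


def lookup(ip, group):
    """Return the account name if ip belongs to group, else None."""
    entry = MEMBERS.get(ip)
    return entry[1] if entry and entry[0] == group else None


def answer(line):
    """Turn one request line from Squid into one reply line."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # malformed request: treat as no match
    try:
        ip = str(ipaddress.ip_address(fields[0]))  # validate and normalise
    except ValueError:
        return "ERR"
    user = lookup(ip, fields[1])
    return f"OK user={user}" if user else "ERR"


def main():
    for line in sys.stdin:
        # Squid blocks on the reply, so flush after every line.
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because Squid caches each answer for the ttl, a changed group membership takes up to that long to take effect; an ERR reply means the ACL does not match, so a deny rule built on it will not fire for unknown or malformed lookups.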