On 28-01-2010 at 15:20, Amos Jeffries wrote:
> Hubert Choma wrote:
> > Hello
> >
> > My squid ver. 2.6 stable, CentOS 2.6.18-164.el5.
> >
> > I'm using the WU configuration from the example at
> > http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> >
> > I would like to force squid to cache all Windows Update (version V6)
> > files, e.g. .cab, .exe and 700MB ISO files.
> >
> > I noticed that Windows Media Player does not update via squid. WU
> > generates error 0x8024402F.
> >
> > I would like to set up squid to cache the maximum web content, antivirus updates
> > and WU.
> >
> > Where can I find an example of how to cache dynamic pages?
> >
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
>
> By deleting the above. And the lines which make use of QUERY they begin
> to cache.

I understand that I must hash these lines. Is that what you meant?

# hierarchy_stoplist cgi-bin ?
# acl QUERY urlpath_regex cgi-bin \?
# cache deny QUERY

Is that correct?

> Also see my notes in your refresh_pattern config below....
>
> >
> > Please correct my config
> >
> > windowsupdate.txt
> > .go.microsoft.com
> > .windowsupdate.microsoft.com
> > .update.microsoft.com
> > .update.microsoft.com/windowsupdate/v7/default.aspx
> > download.windowsupdate.com
> > .download.microsoft.com
> > ntservicepack.microsoft.com
> > activex.microsoft.com
> > redir.metaservices.microsoft.com
> > images.metaservices.microsoft.com
> > c.microsoft.com
> > crl.microsoft.com
> > codecs.microsoft.com
> > urs.microsoft.com
> > wustat.windows.com
> >
> >
> > squid.conf
> >
> >
> > http_port 192.168.0.12:8080
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> > cache_mem 650 MB
> > maximum_object_size 4194240 KB
> > cache_dir ufs /var/spool/squid 6500 16 256
> > #logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A &mt
> > access_log /var/log/squid/access.log squid
> > mime_table /etc/squid/mime.conf
> > refresh_pattern ^ftp: 1440 20% 10080
>
> Right here between the FTP default handling and the general traffic
> default handing (.) you need to add this:
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> to properly prevent evil dynamic content from sticking around longer
> than it should (ie if its not giving cache-control and/or expiry, drop
> it. if it is okay then).
>
> > refresh_pattern . 0 20% 4320

You mean like this?

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

"ie if its not giving cache-control and/or expiry, drop it." What to drop?

> Hmm. "." matches every URL. Squid stops processing refresh_pattern at
> the first matching pattern.
>
> --> point: no refresh_pattern below here will ever be used.

"point: no refresh_pattern below here will ever be used." So what to do with this? What does "." do? Remove the first line and leave yours? I didn't understand.

refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200

What about reload-into-ims?

> > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200 reload-into-ims
>
> Ahm...
> refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200
>
> > refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims
> > refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
> > refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
> > refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> > refresh_pattern . 0 20% 4320
>
> Aha!. The dot pattern did get copied down. (or cut-n-pasted from the
> wiki?)

On the Wiki I can't find these patterns. Where are they?

> > range_offset_limit -1 KB
> > ## MY ACLs #####
> > acl mojasiec src 192.168.0.0/255.255.255.0
>
> that's 192.168.0.0/24.
>
> > acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> > acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17 192.168.0.12 192.168.0.15 192.168.0.16
> > acl poczta dstdom_regex .*poczta.* .*mail.*
>
> Hmm. you can drop the .* at beginning and end of squid patterns. They
> are added automatically.

No!! Without *, e.g. poczta.* .mail.*, users can go on webmail, and I would like to deny webmail! So the * are necessary: .*mail.* !!
> > #acl sm9 src 192.168.0.3
> > #http_access allow sm9
> > acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"
> > acl CONNECT method CONNECT
> > http_access allow dozwolone ograniczone_komputery !poczta
> > http_access allow CONNECT WindowsUpdate mojasiec
> > http_access allow WindowsUpdate mojasiec
>
> A bunch of download site which are allowed regardless of any other
> http_access security. Open WU proxy! yay.

Yes, I would like to deny some IPs access to WWW sites; only the allowed sites, which are included in the file "dozwolone.txt" (= "allowedsites.txt"), are allowed. The rest of the IPs must have full access to the WWW. Is it a wrong idea?

> Your Internet connection does not get NAT'd to something inside
> 192.168.0.0/24 ... right?

Squid (192.168.0.12) is behind a NAT router redirecting traffic to 80. Now I have changed my net topology and would like to set squid up as a transparent proxy (2 NICs with iptables redirect 80->8080):
1) 192.168.0.12/24 (NIC from router)
2) 192.168.0.13/24 (NIC to LAN)
So I use squid for LAN users to accelerate HTTP traffic.

> > acl javascript rep_mime_type -i ^application/x-javascript$
> > http_access allow javascript
>

What is it?? I don't understand?

> http_access _request_ test allowed if _reply_ contains... WTF?
> > > acl all src 0.0.0.0/0.0.0.0
> > acl hubert proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl Safe_ports port 8080
> > acl CONNECT method CONNECT
> > http_access allow hubert localhost
> > http_access deny hubert
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny to_localhost
> > http_access allow localhost
> > http_access deny all
> > http_reply_access allow all
> > icp_access allow all
> > cache_mgr hubert.ch@xxxxx
> > visible_hostname proliant
> > log_icp_queries off
> > cachemgr_passwd mojehasło all
>
> Um. Bugger. You may want to change that password now.
> I know you have it locked down so only localhost can request the mgr:
> protocol, but still...

The password is old :)
Thanks for the reply :)

> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
> Current Beta Squid 3.1.0.15
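An added example, not part of the original thread and not Squid's own code: a small Python simulation of how Squid evaluates refresh_pattern lines (top to bottom, against the full URL, first matching regex wins). It is run twice over the rules quoted above, once with the "." line sitting before the Windows Update rules and once with "." moved to the bottom, and reports which rules no sample URL can ever reach. It also checks the trailing empty alternative in the image pattern `\.(gif|...|bmp|)`, which lets that group match nothing. The sample URLs are constructed; Squid uses POSIX extended regexes, and it is assumed here that Python's `re` module behaves the same for these simple patterns.

```python
"""Simulate Squid's first-match refresh_pattern evaluation.

Added example, not code from the thread or from Squid. Only the matching
step is modelled: the min/percent/max fields and options are parsed and
carried along for display, not used to compute freshness.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RefreshRule:
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    options: List[str]
    pattern: re.Pattern

    def matches(self, url: str) -> bool:
        # Squid matches the regex anywhere in the full URL (unanchored search).
        return self.pattern.search(url) is not None


def parse_refresh_pattern(line: str) -> RefreshRule:
    """Parse one 'refresh_pattern [-i] regex min percent max [options...]' line."""
    fields = line.split()
    if not fields or fields[0] != "refresh_pattern":
        raise ValueError(f"not a refresh_pattern line: {line!r}")
    fields = fields[1:]
    flags = 0
    if fields and fields[0] == "-i":  # -i makes the regex case-insensitive
        flags |= re.IGNORECASE
        fields = fields[1:]
    regex, min_m, pct, max_m, *options = fields
    return RefreshRule(regex, int(min_m), int(pct.rstrip("%")), int(max_m),
                       options, re.compile(regex, flags))


def load_rules(lines: List[str]) -> List[RefreshRule]:
    return [parse_refresh_pattern(line) for line in lines]


def first_match(rules: List[RefreshRule], url: str) -> Optional[int]:
    """Index of the first rule whose regex matches the URL; Squid stops there."""
    for i, rule in enumerate(rules):
        if rule.matches(url):
            return i
    return None


def matched_regex(lines: List[str], url: str) -> Optional[str]:
    """Regex text of the rule Squid would apply to this URL, or None."""
    rules = load_rules(lines)
    idx = first_match(rules, url)
    return None if idx is None else rules[idx].regex


def unreachable_rules(lines: List[str], urls: List[str]) -> List[int]:
    """Indexes of rules that none of the sample URLs ever reaches."""
    rules = load_rules(lines)
    hit = {first_match(rules, u) for u in urls}
    return [i for i in range(len(rules)) if i not in hit]


# Constructed config excerpt in the ordering from the thread: "." above the
# site-specific rules.  DOT_LAST is the same list with "." moved to the end.
DOT_FIRST = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
""".strip().splitlines()
DOT_LAST = DOT_FIRST[:2] + DOT_FIRST[3:] + [DOT_FIRST[2]]

# The image pattern as quoted in the thread, trailing "|" included.
IMAGE_RULE = parse_refresh_pattern(
    r"refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200")

SAMPLE_URLS = [  # constructed, not captured traffic
    "ftp://ftp.example.net/pub/file.tar.gz",
    "http://www.example.com/cgi-bin/search?q=squid",
    "http://download.windowsupdate.com/msdownload/update/v6/foo.cab",
    "http://update.microsoft.com/windowsupdate/v6/bar.exe",
    "http://files.avast.com/iavs4x/x.vpu",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for name, lines in (("dot first", DOT_FIRST), ("dot last", DOT_LAST)):
        print(f"== {name} ==")
        for url in SAMPLE_URLS:
            print(f"  {url}\n    -> {matched_regex(lines, url)}")
        print("  never reached:", [lines[i] for i in unreachable_rules(lines, SAMPLE_URLS)])
    # Empty alternative: a URL ending in a bare "." also matches the image rule.
    print("bare-dot URL matches image rule:", IMAGE_RULE.matches("http://www.example.com/report."))
```

Running it shows every non-FTP, non-query URL landing on "." in the first ordering, so the three Windows Update and antivirus rules are dead configuration until "." is moved below them.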