On 2-02-2010 at 10:10 Hubert Choma wrote:
> On 28-01-2010 at 15:20 Amos Jeffries wrote:
> > Hubert Choma wrote:
> > > Hello
> > >
> > > My squid ver. 2.6 stable Centos 2.6.18-164.el5 .
> > >
> > > I'm using the configuration of the WU from the example
> > > http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> > >
> > > I would like to force squid to cache all windows update (version V6)
> > > files e.g .cab .exe and 700MB ISO files
> > >
> > > I have noticed that windows media player does not update via squid. WU
> > > generates error 0x8024402F.
> > >
> > > I would like to set up squid to cache maximum web content, antivirus updates
> > > and WU.
> > >
> > > Where can I find an example of how to cache dynamic pages?
> > >
> > > hierarchy_stoplist cgi-bin ?
> > > acl QUERY urlpath_regex cgi-bin \?
> >
> > By deleting the above. And the lines which make use of QUERY they begin
> > to cache.
> I understand that I must hash these lines. Is that what you meant?
>
> # hierarchy_stoplist cgi-bin ?
> # acl QUERY urlpath_regex cgi-bin \?
> # cache deny QUERY
>
> That's correct?
>
> > Also see my notes in your refresh_pattern config below....
> >
> > >
> > >
> > > Please correct my config
> > >
> > > windowsupdate.txt
> > > .go.microsoft.com
> > > .windowsupdate.microsoft.com
> > > .update.microsoft.com
> > > .update.microsoft.com/windowsupdate/v7/default.aspx
> > > download.windowsupdate.com
> > > .download.microsoft.com
> > > ntservicepack.microsoft.com
> > > activex.microsoft.com
> > > redir.metaservices.microsoft.com
> > > images.metaservices.microsoft.com
> > > c.microsoft.com
> > > crl.microsoft.com
> > > codecs.microsoft.com
> > > urs.microsoft.com
> > > wustat.windows.com
> > >
> > >
> > > squid.conf
> > >
> > >
> > > http_port 192.168.0.12:8080
> > > hierarchy_stoplist cgi-bin ?
> > > acl QUERY urlpath_regex cgi-bin \?
> > > cache deny QUERY
> > > acl apache rep_header Server ^Apache
> > > broken_vary_encoding allow apache
> > > cache_mem 650 MB
> > > maximum_object_size 4194240 KB
> > > cache_dir ufs /var/spool/squid 6500 16 256
> > > #logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A &mt
> > > access_log /var/log/squid/access.log squid
> > > mime_table /etc/squid/mime.conf
> > > refresh_pattern ^ftp: 1440 20% 10080
> >
> > Right here between the FTP default handling and the general traffic
> > default handling (.) you need to add this:
> >
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> >
> > to properly prevent evil dynamic content from sticking around longer
> > than it should (ie if it's not giving cache-control and/or expiry, drop
> > it. if it is okay then).
> >
> > > refresh_pattern . 0 20% 4320
>
> You mean like this??
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> "ie if it's not giving cache-control and/or expiry, drop it." What to drop?
> >
> > Hmm. "." matches every URL. Squid stops processing refresh_pattern at
> > the first matching pattern.
> >
> > --> point: no refresh_pattern below here will ever be used.
> "point: no refresh_pattern below here will ever be used."
>
> So what to do with this? What makes "."?? Remove first line and leave
> yours? I didn't understand.
> refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200
> what with reload-into-ims?
>
> > > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200 reload-into-ims
> >
> > Ahm...
> > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200
> >
> > > refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > > refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > > refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > > refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > > refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
> > > refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims
> > > refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
> > > refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
> > > refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> > > refresh_pattern . 0 20% 4320
> >
> > Aha!. The dot pattern did get copied down. (or cut-n-pasted from the
> > wiki?)
> On the Wiki I can't find these patterns, where are they?
> >
> > > range_offset_limit -1 KB
> > > ## MY ACL #####
> > > acl mojasiec src 192.168.0.0/255.255.255.0
> >
> > that's 192.168.0.0/24.
> >
> > > acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> > > acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17 192.168.0.12 192.168.0.15 192.168.0.16
> > > acl poczta dstdom_regex .*poczta.* .*mail.*
> >
> > Hmm. you can drop the .* at beginning and end of squid patterns. They
> > are added automatically.
> No !!
> without * eg. poczta.* .mail.* users can go on webmail and I would like
> to deny webmail! So * are necessary .*mail.* !!
>
> > > #acl sm9 src 192.168.0.3
> > > #http_access allow sm9
> > > acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"
> > > acl CONNECT method CONNECT
> > > http_access allow dozwolone ograniczone_komputery !poczta
> > > http_access allow CONNECT WindowsUpdate mojasiec
> > > http_access allow WindowsUpdate mojasiec
> >
> > A bunch of download sites which are allowed regardless of any other
> > http_access security. Open WU proxy! yay.
>
> Yes I would like to deny for some IP's access to www sites, only allowed
> sites which are included in file "dozwolone.txt" = "allowedsites.txt"
> are allowed.
> Rest of IP's must have full access to WWW.
> Is it a wrong idea?
>
> > Your Internet connection does not get NAT'd to something inside
> > 192.168.0.0/24 ... right?
>
> Squid (192.168.0.12) is behind NAT router redirect traffic to 80.
> Now I change my net topology and would like to set squid as a
> transparent proxy ( 2 NIC's with iptables redirect 80->8080
> 1) 192.168.0.12/24 (NIC from router)
> 2) 192.168.0.13/24 (NIC to LAN)
>
> So I use squid for LAN users to accelerate HTTP traffic.
> >
> > > acl javascript rep_mime_type -i ^application/x-javascript$
> > > http_access allow javascript
> >
> What is it?? I don't understand?
> > http_access _request_ test allowed if _reply_ contains... WTF?
> >
> > > acl all src 0.0.0.0/0.0.0.0
> > > acl hubert proto cache_object
> > > acl localhost src 127.0.0.1/255.255.255.255
> > > acl to_localhost dst 127.0.0.0/8
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80 # http
> > > acl Safe_ports port 21 # ftp
> > > acl Safe_ports port 443 # https
> > > acl Safe_ports port 210 # wais
> > > acl Safe_ports port 1025-65535 # unregistered ports
> > > acl Safe_ports port 280 # http-mgmt
> > > acl Safe_ports port 488 # gss-http
> > > acl Safe_ports port 591 # filemaker
> > > acl Safe_ports port 777 # multiling http
> > > acl Safe_ports port 8080
> > > acl CONNECT method CONNECT
> > > http_access allow hubert localhost
> > > http_access deny hubert
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > > http_access deny to_localhost
> > > http_access allow localhost
> > > http_access deny all
> > > http_reply_access allow all
> > > icp_access allow all
> > > cache_mgr hubert.ch@xxxxx
> > > visible_hostname proliant
> > > log_icp_queries off
> > > cachemgr_passwd mojehasło all
> >
> > Um. Bugger. You may want to change that password now.
> > I know you have it locked down so only localhost can request the mgr:
> > protocol, but still...
> Password is old :)
>
> Thanks for reply :)
> >
> >
> > Amos
> > --
> > Please be using
> > Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
> > Current Beta Squid 3.1.0.15
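
Added example, not part of the original thread and not Squid's own code: a small check of the first-match behaviour discussed above, showing which refresh_pattern lines can never be selected when a catch-all "." appears early. The rule excerpt, the FIXED ordering and the sample URLs are constructed, and Python's re module is assumed to behave like Squid's regex engine for these simple patterns.

```python
import re

# Constructed excerpt: refresh_pattern lines in the order posted in the thread.
POSTED = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
refresh_pattern . 0 20% 4320
"""
# Assumed fix: drop the early catch-all so "." is only the last rule.
FIXED = POSTED.replace("refresh_pattern . 0 20% 4320\n", "", 1)

def parse_rules(conf):
    """Return refresh_pattern rules in file order as dicts."""
    rules = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0] != "refresh_pattern":
            continue
        nocase = tok[1] == "-i"
        rest = tok[2:] if nocase else tok[1:]
        pattern, mn, pct, mx = rest[:4]
        rules.append({"line": lineno, "pattern": pattern,
                      "regex": re.compile(pattern, re.I if nocase else 0),
                      "min": int(mn), "percent": int(pct.rstrip("%")),
                      "max": int(mx), "options": rest[4:]})
    return rules

def first_match(rules, url):
    """Only the first rule whose regex matches the URL is applied."""
    for rule in rules:
        if rule["regex"].search(url):
            return rule
    return None

def unreachable(rules):
    """Rules listed after a catch-all pattern can never be selected."""
    for i, rule in enumerate(rules):
        if rule["pattern"] in (".", ".*"):
            return rules[i + 1:]
    return []

if __name__ == "__main__":
    url = "http://download.windowsupdate.com/sample/update.cab"  # constructed
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        rules = parse_rules(conf)
        hit = first_match(rules, url)
        dead = [r["pattern"] for r in unreachable(rules)]
        print(name, "uses:", hit["pattern"], "min", hit["min"], "unreachable:", dead)
```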