On Mon, 20 Sep 2010 14:31:45 -0700, Andrei <funactivities@xxxxxxxxx> wrote:

> Thank you so much! I'm not sure if I understood everything, but here
> is what I have so far.
>
> 1) 1GB of RAM in this machine (P4, 40GB IDE, 1GB RAM).
> 2) Running Squid 3.1.3 now :-)
> 3) Not sure what you meant with AUFS. Does this need to be changed?
> cache_dir ufs /var/spool/squid3 7000 16 256

Yes:
  cache_dir aufs /var/spool/squid3 7000 16 256

> 4) Random port for interception? Like this: http_port 3128 transparent

Never mind. Irrelevant due to (5).

> 5) No NATing is done on this machine.

Ah, the "transparent" flag does not mean what you think then. In Squid-3.2 and older it means "traffic arriving at this port has been redirected here via NAT in the firewall".

What did you actually want?

> 6) Added Safe_Ports and SSL_Ports
>
> Here is a complete config file. Please let me know if I missed anything
> and thank you again!
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 176.16.0.0/21 #176.16.0.0-176.16.3.254 range

/21 includes .255. If you want to exclude the final .255 you will need to write these as:
  acl localnet src 176.16.0.0-176.16.3.254

> acl localnet2 src 192.168.11.0/24 #192.168.11.0-254 range
> acl localnet3 src 192.168.200.0/24 #192.168.200.0-254 range
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow localnet
> http_access allow localnet2
> http_access allow localnet3
> http_access allow all #not restricted because it's behind the firewall
> and serving local LAN only. I'm just trying to get this working for
> now...

Testing with the right config is always better than changing things during the "make live" step.

You can collapse all the localnet ranges down to a single allow, and leave the "deny all" blocking unknown things. Such as multicast sourced requests from the internal devices and/or people piggy-backing on your LAN without your knowledge.

> icp_access allow all
> htcp_access allow all
> http_port 3128 transparent # ok, transparent proxy, no NATing. Not
> sure what WPAD/PAC is...

Enjoy: http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

<snip>

> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0

The -i and slashes around /cgi-bin/ are important:
  -i (/cgi-bin/|\?)

> refresh_pattern . 0 40% 40320
> icp_port 3130

ICP is used between cache_peer. If you don't use that, set this to '0'.

Amos
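Pulling the corrections from this reply together into one squid.conf fragment (an added example, not posted by either participant). It keeps the address ranges exactly as Andrei gave them; whether 176.16.0.0/21 is really the LAN is an assumption the administrator has to confirm, since that block is not RFC 1918 private space (172.16.0.0/12 is).

```conf
# Squid 3.1 example assembled from the advice above; not the thread's own file.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

# All three LAN ranges collapsed into one ACL so a single allow line covers them.
# The 176.16.0.0-176.16.3.254 form excludes the final .255 that /21 would include.
# Assumption: these are the real LAN ranges (176.16.0.0/21 is public address space,
# not RFC 1918 space; check it matches what the LAN actually uses).
acl localnet src 176.16.0.0-176.16.3.254
acl localnet src 192.168.11.0/24
acl localnet src 192.168.200.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
# Final deny instead of "allow all": anything not from the listed LAN ranges
# (multicast-sourced requests, unknown hosts on the LAN) is refused.
http_access deny all

# No NAT on this box, so no "transparent" flag; clients are pointed at the
# proxy explicitly or via WPAD/PAC instead.
http_port 3128

# aufs instead of ufs, as recommended above.
cache_dir aufs /var/spool/squid3 7000 16 256

refresh_pattern ^gopher:        1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .               0 40% 40320

# No cache_peer in use, so ICP is switched off.
icp_port 0
```

Run `squid -k parse -f /path/to/squid.conf` before reloading to catch syntax problems in the edited file.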