On Tue, 23 Nov 2010 17:46:39 +0100, Florian Bannasch <f.bannasch@xxxxxxxx> wrote:
> Hi,
>
> I have a small network with 3 computers (WinXP, Ubuntu, Win7).
> Is the configuration correct or do I have to improve something?
>
> Squid: 3.0.STABLE19
> Server: Ubuntu 10.04 LTS, PIV 3,4Ghz, 2GB
>
> TIA, Flo
>
> http_port 192.168.2.253:3128
>
> icp_port 0
> htcp_port 0
>
> # cache_access_log /var/log/squid3/access.log
>
> dns_nameservers 192.168.2.253

Um, DNS server running on the local machine? Use 127.0.0.1 to contact it.
Packet handling is faster over the localhost interface than trying to fit
into the external traffic stream then be turned back into the machine.

>
> cache_mem 1024 MB
>
> maximum_object_size 1 GB
> maximum_object_size_in_memory 64 KB

You can raise this. 1GB of memory cache gives your few PCs plenty of space.

>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
>
> cache_dir aufs /Squid 16384 64 512
>
> quick_abort_min -1 KB
> quick_abort_max -1 KB
> quick_abort_pct 100
>
> pipeline_prefetch on
> half_closed_clients off
>
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
>
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 1440 40% 43200
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 1440 40% 43200
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 1440 40% 43200
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 40% 40320
>
> coredump_dir /var/spool/squid3
>
> redirect_children 20

redirect_* is obsolete. Use:
  url_rewrite_children 20

> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>

Hmm, good time to ask I suppose. Why use squidguard? Because you actually
need the capacity to process hundreds of thousands of blocklist entries and
respond with a corporate denial page like some ISP? Or because everyone else
is doing it and the tutorials all say so?

> hierarchy_stoplist cgi-bin ?
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl localnet src 192.168.0.0/16

Um, you are missing the basic security lines which protect against
infections spreading via your Squid.

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_Ports

... with the matching default ACL definitions.
http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#Do_you_have_a_squid.conf_example.3F

>
> http_access allow localnet
> http_access allow localhost
>
> http_access allow manager localhost
> http_access allow manager localnet
> http_access deny manager

These "manager" ACL controls need to be above the network-wide allow
permission.

>
> http_access deny all

Amos
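As an added illustration (not part of Amos's reply or of Florian's posted squid.conf), the access-control section below shows the corrected ordering: the manager rules first, the Safe_ports / SSL_ports denials next, and only then the network-wide allow, so that a client cannot reach the cache manager or tunnel arbitrary TCP ports through the proxy. The Safe_ports and SSL_ports lists are assumed to be the stock defaults that ship with Squid; everything else reuses the ACL names from the original post. The `dns_nameservers` and `url_rewrite_children` lines reflect the two other fixes Amos suggested.

```conf
# --- added example: corrected squid.conf fragment (not the poster's file) ---
http_port 192.168.2.253:3128
icp_port 0
htcp_port 0

# DNS runs on the same box, so reach it over loopback.
dns_nameservers 127.0.0.1

# redirect_children is obsolete; url_rewrite_* is the current directive family.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 20

# ACL definitions (localhost/localnet/manager as in the original post;
# Safe_ports and SSL_ports assumed to be Squid's stock default lists).
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Access rules are evaluated top-down; the first match wins.

# 1. Cache manager: decide before any broad allow, otherwise
#    "allow localnet" would already have matched a LAN client.
http_access allow manager localhost
http_access allow manager localnet
http_access deny manager

# 2. Port hygiene: refuse requests to ports outside the Safe_ports list,
#    and refuse CONNECT tunnels to anything but the SSL ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 3. Only now grant the LAN and the box itself general proxy access.
http_access allow localnet
http_access allow localhost

# 4. Everything else is refused.
http_access deny all
```

After editing, run `squid -k parse` (the binary is `squid3` on Ubuntu's package) to catch typos such as a mismatched ACL name before reloading; a rule that references an undefined ACL is a fatal configuration error rather than a silent no-op.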