Search squid archive

Re: Allow MSN messenger

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/02/11 08:44, David Touzeau wrote:



Le mardi 08 fÃvrier 2011 Ã 13:35 -0500, Chad Naugle a Ãcrit :
Which all looks ok, but is there an "http_access" that allows anything
other than the "CONNECT" method, such as:

http_access allow MSN_hosts
http_access allow MSN_domains
http_access allow MSN_net

Not to mention any other sites / hosts / ports (Such as port 80) before
the "http_access deny all", because whenever stacking ACL's there is an
implied "AND" operator, so each line only works like this:

"Method is CONNECT" AND "Ports" AND "Destination is<list>"

Otherwise DENY ALL is the likely culprit.


David Touzeau<david@xxxxxxxxxx>  2/8/2011 1:22 PM>>>

Dear i Use squid 3.1.10 and i would like to allow MSN messenger pass
trough squid

According wikis i did this :

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains
dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com
.passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT


http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access allow MSN_methods MSN_ports MSN_net

But MSN still did want to connect with these errors:

192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST
http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
1662 TCP_MISS:DIRECT
192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST
http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
1662 TCP_MISS:DIRECT
192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST
http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
1662 TCP_MISS:DIRECT

Where i'm wrong ??

Best regards




This is the entire content of the squid.conf if you see something wrong,
let me know....


acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds

Setting credentials timeouts but not otherwise configuring or using auth at all. The above auth bits can all be dropped until needed.

#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off

Hmm, this is optimization only on 64-bit machines with broken default alloc implementations and some fairly rare people who suffer under strange memory leaks problems we fail to replicate.

What it does is cause Squid to call out to the OS for every individual piece of memory used, instead of allocating larger whole swap-page sized chunks.

May be worth experimenting and doing your own measurements.

quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- squidGard

#IS C-ICAP enabled = 1
redirect_program /usr/bin/squidGuard
redirect_children 20

Style fix:
That directive was renamed "url_rewrite_program" and "url_rewrite_children" some time ago.


#--------- SQUID PARENTS (feature not enabled)

#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^Windows-Media-Player.* -i
^.*player.*

The regex library Squid uses places an implicit ".*" at the beginning and end of the pattern unless you manually add ^ and $ anchors. So you can drop the trailing .*

Also, -i (case ignored) ^.*player contains ^Windows-Media-Player. You can drop the ^Windows-Media-Player one completely for a doubling of speed on that ACL test.



acl bigfiles_types urlpath_regex -i \.deb$
acl bigfiles_types urlpath_regex -i \.rpm$
acl bigfiles_types urlpath_regex -i \.iso$
acl bigfiles_types urlpath_regex -i \.tar\.gz$
acl bigfiles_types urlpath_regex -i \.gz$
acl bigfiles_types urlpath_regex -i \.bz$
acl bigfiles_types urlpath_regex -i \.tar$
acl bigfiles_types urlpath_regex -i \.cue$
acl bigfiles_types urlpath_regex -i \.nrg$
acl bigfiles_types urlpath_regex -i \.crf$
acl bigfiles_types urlpath_regex -i \.bwi$
acl bigfiles_types urlpath_regex -i \.bwt$
acl bigfiles_types urlpath_regex -i \.lcd$
acl bigfiles_types urlpath_regex -i \.ccd$
acl bigfiles_types urlpath_regex -i \.mdf$
acl bigfiles_types urlpath_regex -i \.mds$
acl bigfiles_types urlpath_regex -i \.vcd$
acl bigfiles_types urlpath_regex -i \.cif$
acl bigfiles_types urlpath_regex -i \.vdi$
acl bigfiles_types urlpath_regex -i \.img$

Optimization:
each test has to be run individually. compacting those down to one pattern will allow the library to do some small optimizations and test faster.
   acl bigfiles_types urlpath_regex -i \.(lcd|ccd|mdf|mds)$

Also, these days it is very popular to use query string parameters. Which will break the ACL which expect filename to be last in the URL.

This pattern will catch a file extension even if it is followed by "?garbage" or inserted in the query string itself:
 acl bigfiles_types urlpath_regex -i \.(lcd|ccd|mdf|mds)((\?|&).*)?$


acl office_network src 192.168.82.0/24


#--------- MAIN RULES...
always_direct allow FTP
# --------- SAFE ports
acl Safe_ports port 1443        #FortiPartner
acl Safe_ports port 80  #http
acl Safe_ports port 443 #https
acl Safe_ports port 21  #ftp
acl Safe_ports port 1863        #MSN
acl Safe_ports port 20  #ftp-data#
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443  #HTTPS
acl SSL_ports port 563  #https, snews
acl SSL_ports port 6667 #tchat
acl SSL_ports port 4343 #FortiGate

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains
dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT

acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video
\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|
application\/ogg)
$

Bit simpler: (just a manual compaction on my part)

-i ^(audio\/(x-)?mpeg(url)?|video\/(x-)?flv|application\/x-shockwave-flash|.*\/ogg)$

* three variations of MPEG audio
* two variations of flash video
* one variation of flash animation
* any type using ogg encapsulation.


# ---------  RULES DEFINITIONS
http_access deny blockedsites

"blockedsites" can be dropped below the string MSN rules unless you are blocking some of the MSN sites from the MSN "friend sites" browser.

http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access allow MSN_methods MSN_ports MSN_nets
http_access allow localhost
http_access allow manager localhost
ttp_access allow purge localhost
http_access deny purge
url_rewrite_access deny localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

The "allow localhost", manager and purge rules should probably drop down to here.


"blockedsites" rule could probably go right here for a much reduced CPU workload on garbage and DoS attacks. Of the types caught by CONNECT and Safe_ports security rules.


http_access allow office_network
http_access deny to_localhost
http_access deny all
# --------- ICAP Services.(1 service(s))
# --------- icap_service C-ICAP mode 3.1.x
icap_service  service_antivir respmod_precache routing=on bypass=on
icap://127.0.0.1:1345/srv_clamav



# --------- adaptation for C-ICAP service

adaptation_service_set  class_antivirus service_antivir
adaptation_access       class_antivirus deny MULTIMEDIA
adaptation_access       class_antivirus allow all


icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on




# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname proxyweb


# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes

in 3.1 DNS timeout of 2 minutes is default.

connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds


# --------- Objects limits
request_body_max_size 5 MB
request_header_max_size 64 KB
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB


#http/https ports
http_port 3128 ssl-bump cert=/etc/squid3/ssl/cacert.pem
key=/etc/squid3/ssl/privkey.pem


# --------- SSL Rules
ssl_bump allow all
always_direct allow all


# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 204 MB
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200


# --------- SPECIFIC DNS SERVERS
dns_nameservers 192.168.82.2

#--------- FTP specific parameters
ftp_list_width 50
ftp_passive on
ftp_sanitycheck off
ftp_epsv off

Did EPSV cause problems for you?
This directive is for things like sending two EPSV requests through a certain router model causes it to buffer overflow.

ftp_epsv_all off
ftp_telnet_protocol off

debug_options ALL,1
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440

Missing:
  refresh_pattern -i (/cg-bin/|\?) 0 0% 0

FYI:
This is carefully crafted pattern to match certain dynamic requests and responses according to a exception sub-clause of RFC 2616 which allows Squid to cache dynamic responses *unless* they are missing Cache-Control AND the Expires header.

At most the safe changes that may be made are additions to include other dynamic page signatures. Though only old CGI apps are confirmed to have the relevant legacy problems.


refresh_pattern .                  0    20%     4320
icp_port 3130

Logs-------------------------------------------------
#fqdn is disabled to provide IP addresses to filters
log_fqdn off
coredump_dir    /var/squid/cache
cache_store_log /var/log/squid/store.log
cache_log       /var/log/squid/cache.log
pid_filename    /var/run/squid.pid
access_log      none manager
access_log /var/log/squid/access.log common
access_log /var/log/squid/sarg.log squid
icap_log /var/log/squid/icap_access.log

cache_dir       ufs /var/cache/squid 20000 16 256
# --------- OTHER CACHES


20 GB on UFS (slowest available disk storage IO system) just seems wrong. If this is a BSD derived system used diskd, if its Linux use aufs.

I'm not aware of any remaining problems in 3.1.10 the aufs/diskd areas.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.4


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux