On 17/10/11 07:04, Marlon Bastida wrote:
> Hi,
> I would like some help with this squid.conf, below, because I will
> try to keep it as small as possible.
> For example, when I try to enter the word `porn` in the Google box and
> do a search, it leaves me stuck in this field and doesn't give me an
> error page.
Check your exception list for which patterns match the rest of the google
URL.
You are making a lot of use of regex, which is both the slowest ACL
matching Squid has available and the most difficult to get right.
> Marlon
> squid.conf
> -----------------
> ## hostname port
> http_port 3128
> ##visible_hostname server
> error_directory /usr/share/squid/errors/Portuguese/
> ## memory cache and disk
> cache_mem 300 MB
> ## object size - before 128 KB
> maximum_object_size_in_memory 64 KB
> maximum_object_size 512 MB
> minimum_object_size 2 KB
> ## management of cache policy swap
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> ## cache exclusion limits
> cache_swap_low 90
> cache_swap_high 95
> ## 8192 16 256
> cache_dir ufs /var/spool/squid 10240 16 256
> cache_access_log /var/log/squid/access.log
> cache_store_log none
> ## connections
> half_closed_clients off
> refresh_pattern ^ftp: 15 20% 2280
> refresh_pattern ^gopher: 15 0% 2280
> refresh_pattern . 15 20% 2280
> ## acls
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> ## SSL(https)
> acl SSL_ports port 443 563
> ## safe ports
> acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl localnetwork src 10.0.0.0/23
> ##### test - release sites to work without authentication
> #acl websites_without_auth dstdom_regex "/etc/squid/websites_without_auth"
> #always_direct allow websites_without_auth
> ## NCSA_AUTH authentication
> auth_param basic realm ENTERPRISE
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> auth_param basic credentialsttl 1 hour
> acl authenticated proxy_auth REQUIRED
> ## releases IPs from workstations without asking for AUTH
> acl releases_ips src "/etc/squid/releases_ips"
> always_direct allow releases_ips
> ## block proibit words with exceptions
> acl exception_words url_regex -i "/etc/squid/exception_words"
> acl proibit_words url_regex -i "/etc/squid/proibit_words"
> deny_info ERR_PROIBIT_WORDS proibit_words
> ## celebrities
> acl name_celebrities url_regex -i "/etc/squid/name_celebrities"
> deny_info ERR_NAME_CELEBRITIES name_celebrities
> ## release bank sites without going through proxy auth
> acl websites_bank dstdom_regex "/etc/squid/websites_bank"
> always_direct allow websites_bank
> ## sales dept rules
> #acl users_sales proxy_auth "/etc/squid/users_sales"
> #acl users_sales dstdom_regex "/etc/squid/users_sales"
> ## lunch hour - released sites
> #acl lunch_hours time 12:00-13:00
> #acl lunch_hours dstdom_regex "/etc/squid/lunch_hours"
> ## pcp rules
> #acl users_pcp proxy_auth "/etc/squid/users_pcp"
> ## blocked IPs
> acl blocked_ips src "/etc/squid/blocked_ips"
> always_direct allow blocked_ips
> deny_info ERR_BLOCKED_IPS blocked_ips
> ## releases websites without going through AUTH
Wrong.
auth is performed by http_access. Which always happens first.
"always_direct" only prevents cache_peer being used.
You seem to have the common misunderstanding that always_direct means
bypassing _this_ Squid in some form or another.
I see no cache_peer directives in your config. Which means all the
always_direct lines are useless and can be erased.
> acl released_websites dstdom_regex "/etc/squid/released_websites"
> always_direct allow released_websites
> ## blocked websites with fun pages, specific error page
> acl fun_sites url_regex -i "/etc/squid/fun_sites"
> deny_info ERR_FUN_SITES fun_sites
> ## blocked websites with specific page
> acl websites_blocked url_regex -i "/etc/squid/websites_blocked"
> deny_info ERR_BLOCKED_SITES websites_blocked
> ## blocked porn sites with specific error page
> acl websites_porn url_regex -i "/etc/squid/websites_porn"
> deny_info ERR_PORN_SITES websites_porn
> ## download banned extensions
> acl banned_extension url_regex -i "/etc/squid/banned_extension"
> deny_info ERR_BANNED_EXT banned_extension
> ## permissions rules
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
Do you actually need purge? If not drop it entirely from the config.
Including the "acl purge" line. Simply creating the ACL turns on a lot
of background calculations which slow down Squid.
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> ## permissions / restrictions
> http_access deny banned_extension
> http_access deny websites_porn
> http_access deny websites_blocked
> http_access deny fun_sites
IMPORTANT. Replace these:
http_access allow exception_words
http_access deny proibit_words
With this:
http_access deny !exception_words proibit_words
Why:
What yours did was allow _anybody_ access if they typed an exception
word into certain positions of any URL. Joining two together like above
makes exception_words only affect the test result of proibit_words.
They can still use that trick to get past proibit_words. But not to
get past other security controls like auth and IP checks below.
> http_access deny name_celebrities
> http_access allow releases_ips
> http_access allow released_websites
> http_access deny blocked_ips
> #http_access allow lunch_hours users_pcp
> #http_access deny !users_sales users_sales
> http_access allow
Missing piece of a line above. What is allowed?
> http_access allow authenticated
> #http_access allow websites_without_auth
A few things to notice at this point.
Firstly, in order for "authenticated" to be tested Squid must have or
fetch the authentication details. It will trigger an auth challenge.
Machines matching the localhost and localnet ACLs will be allowed after
they FAIL authentication. Since the auth line above has no conditions to
prevent challenging repeatedly, this makes very little sense. You could
either drop the localnet/localhost allow lines entirely, or move them up
if the intention was to permit those machines access without a valid
login.
> http_access allow localhost
> http_access allow localnetwork
> http_access deny all
> -----------------
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.16
Beta testers wanted for 3.2.0.13
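The http_access ordering problem Amos describes above, as an added example that is not part of the original thread or of Squid itself: a small Python model of Squid's first-match http_access evaluation, run over the posted `allow exception_words` / `deny proibit_words` pair and over the combined `deny !exception_words proibit_words` line. The word lists and request URLs are constructed for the illustration, not the poster's real files.

```python
import re

# Constructed word lists standing in for /etc/squid/exception_words and
# /etc/squid/proibit_words (assumed contents, not the poster's files).
EXCEPTION_WORDS = ["essex", "safe"]
PROIBIT_WORDS = ["sex", "porn"]

def url_regex(patterns):
    """Model of 'acl NAME url_regex -i FILE': any pattern anywhere in the URL."""
    return lambda req: any(re.search(p, req["url"], re.I) for p in patterns)

# ACL name -> predicate over a request {"url": ..., "auth": bool}.
# "auth" models whether 'proxy_auth REQUIRED' would succeed for the client;
# real Squid would send a 407 challenge instead of a plain deny there.
ACLS = {
    "exception_words": url_regex(EXCEPTION_WORDS),
    "proibit_words": url_regex(PROIBIT_WORDS),
    "authenticated": lambda req: req["auth"],
    "all": lambda req: True,
}

def http_access(rules, req):
    """First http_access line whose ACLs all match decides; a leading '!'
    negates an ACL; if no line matches, the result is the opposite of the
    last line's action (Squid's documented default)."""
    for action, acls in rules:
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The relevant slice of the posted config, before and after the suggested fix.
ORIGINAL = [("allow", ["exception_words"]),
            ("deny", ["proibit_words"]),
            ("allow", ["authenticated"]),
            ("deny", ["all"])]
FIXED = [("deny", ["!exception_words", "proibit_words"]),
         ("allow", ["authenticated"]),
         ("deny", ["all"])]

# Constructed sample requests; "safe" in the Google query string hits the
# exception list, which is the kind of stray match Amos tells Marlon to look for.
GOOGLE_PORN = "http://www.google.com/search?q=porn&safe=off"
PLAIN_PORN = "http://example.com/porn/"
NEWS = "http://example.com/news/"

def compare(url, auth):
    """Return (original_result, fixed_result) for one request."""
    req = {"url": url, "auth": auth}
    return http_access(ORIGINAL, req), http_access(FIXED, req)

if __name__ == "__main__":
    for url, auth in [(GOOGLE_PORN, False), (GOOGLE_PORN, True), (PLAIN_PORN, True), (NEWS, False)]:
        print(f"{url:45} auth={auth!s:5} original/fixed={compare(url, auth)}")
```

The first case is the one that matters: an unauthenticated client fetching the Google URL is allowed outright by the original pair, while the combined line only suspends the proibit_words check and still falls through to the auth requirement.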