
Re: Re: defined localnet to mean your local clients ???


 



Ah, you beat me to it. :-)

Response inline as usual ...

On 23/08/2013 8:47 p.m., HillTopsGM wrote:
I don't know if this helps, but this is everything that is NOT commented out
in my squid.conf file.
mysquid.conf
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4661731/mysquid.conf>

It looks like this:


acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Below is where I added my local network IP range. I am not sure if this
# correct . . . do I need to exclude my squid Static IP of 192.168.1.6
# and my routers IP of 192.168.1.1 ???
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Here is where I entered the Windows Update code from the FAQ:

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

# The 2 lines below I have still left commented out as Squid will not restart with them enabled.
# http_access allow windowsupdate localnet
# http_access allow windowsupdate localhost

Okay.
FYI: All this Windows stuff is about allowing updates to happen easily on a network where authentication or other complex rules are blocking the updates from happening.

Ideally they should be down ....
http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

... here.
There is a comment in the default config file about local configuration going here.

There also should be a line "http_access allow localnet" about here somewhere.

http_access allow localhost

http_access allow all

And a "deny all" line at the end of the http_access list to ensure nothing like an attack can sneak past your access controls.

http_port 8080

# I tweaked this
cache_mem 512 MB

# I tweaked this as well:
maximum_object_size_in_memory 2048 KB

# I increased the cache size here, but would like to make it much bigger if possible. I just wanted to start small and get it working first.
cache_dir ufs /var/spool/squid3 45000 16 256

# This was a Squid Windows Update suggested tweak:
maximum_object_size 200 MB

coredump_dir /var/spool/squid3

# This was a Squid Windows Update suggested tweak (the FAQ said to place it above the other refresh_pattern entries):
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

The above cgi-bin pattern needs to be the second to last.

The Debian caching rules are being patched into the wrong place, and with squid-3.2 and later are not actually necessary anyway.

refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320

# This was a Squid Windows Update suggested tweak:
quick_abort_min -1

# This was a Squid Windows Update suggested tweak:
range_offset_limit -1 KB

Pretty much everything is otherwise untouched.

Hopefully someone can see what it is that I am missing.

Again, thanks for the help.

Apart from the access control problems this looks okay for a proxy doing protocol compliant caching. Perhaps redbot.org will give you more clues about the problem.

Amos
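
An added example, not part of the original message or of Squid itself: a small Python model of how `http_access` lines are evaluated (first matching line wins, ACLs on one line are ANDed), run over the posted rule order and over the order suggested in the reply. It covers only a subset of the ACLs (the `manager` and `windowsupdate` lines are left out), the request values are constructed, and the reordered list assumes `allow all` is dropped in favour of the final `deny all`, since a line placed after `allow all` is never reached.

```python
import ipaddress

# Constructed model of a subset of the ACLs in the posted squid.conf.
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}
WU_CONNECT = {"www.update.microsoft.com", "sls.microsoft.com"}
ACLS = {
    "all": lambda r: True,
    "localnet": lambda r: ipaddress.ip_address(r["src"]) in LOCALNET,
    "localhost": lambda r: r["src"] in ("127.0.0.1", "::1"),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] == 443,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "wuCONNECT": lambda r: r["host"] in WU_CONNECT,
}
# http_access order as posted (manager and windowsupdate lines omitted).
POSTED = ["allow CONNECT wuCONNECT localnet", "deny !Safe_ports",
          "deny CONNECT !SSL_ports", "allow localhost", "allow all"]
# Order suggested in the reply; assumption: "allow all" is replaced by "deny all".
REORDERED = ["deny !Safe_ports", "deny CONNECT !SSL_ports",
             "allow CONNECT wuCONNECT localnet", "allow localnet",
             "allow localhost", "deny all"]

def decide(rules, req):
    """Return (action, matching line); the first line whose ACLs all match wins."""
    for line in rules:
        action, *names = line.split()
        # A leading "!" negates the ACL; all ACLs on one line are ANDed.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1].startswith("allow") else "allow"), None

# Constructed requests: an outside client, a LAN client, and a LAN CONNECT to port 8443.
OUTSIDE = {"src": "203.0.113.9", "method": "GET", "host": "example.com", "port": 80}
LAN_GET = {"src": "192.168.1.20", "method": "GET", "host": "example.com", "port": 80}
LAN_8443 = {"src": "192.168.1.20", "method": "CONNECT",
            "host": "www.update.microsoft.com", "port": 8443}

if __name__ == "__main__":
    for name, req in (("outside", OUTSIDE), ("lan-get", LAN_GET), ("lan-8443", LAN_8443)):
        print(name, "posted:", decide(POSTED, req), "reordered:", decide(REORDERED, req))
```

In the posted order the outside client is admitted by `allow all` and the port 8443 CONNECT is admitted before the port checks run; in the reordered list both are denied while the ordinary LAN request is still allowed.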



