Re: Re: defined localnet to mean your local clients ???

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Ah, you beat me to it. :-)

Response inline as usual ...

On 23/08/2013 8:47 p.m., HillTopsGM wrote:
> I don't know if this helps, but this is everything that is NOT commented out
> in my squid.conf file.
> mysquid.conf
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4661731/mysquid.conf>
>
> It looks like this:
>
>
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/32 ::1
> > acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> >
> > # Below is where I added my local network IP range. I am not sure if this
> > # correct . . . do I need to exclude my squid Static IP of 192.168.1.6
> > # and my routers IP of 192.168.1.1 ???
> > acl localnet src 192.168.1.0/24
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl CONNECT method CONNECT
> >
> > # Here is where I entered the Windows Update code from the FAQ:
> >
> > acl windowsupdate dstdomain windowsupdate.microsoft.com
> > acl windowsupdate dstdomain .update.microsoft.com
> > acl windowsupdate dstdomain download.windowsupdate.com
> > acl windowsupdate dstdomain redir.metaservices.microsoft.com
> > acl windowsupdate dstdomain images.metaservices.microsoft.com
> > acl windowsupdate dstdomain c.microsoft.com
> > acl windowsupdate dstdomain www.download.windowsupdate.com
> > acl windowsupdate dstdomain wustat.windows.com
> > acl windowsupdate dstdomain crl.microsoft.com
> > acl windowsupdate dstdomain sls.microsoft.com
> > acl windowsupdate dstdomain productactivation.one.microsoft.com
> > acl windowsupdate dstdomain ntservicepack.microsoft.com
> >
> > acl CONNECT method CONNECT
> > acl wuCONNECT dstdomain www.update.microsoft.com
> > acl wuCONNECT dstdomain sls.microsoft.com
> >
> > http_access allow CONNECT wuCONNECT localnet
> > http_access allow windowsupdate localnet
> >
> > # The 2 lines below I have still left commented out as Squid will not
> > restart with them enabled.
> > # http_access allow windowsupdate localnet
> > # http_access allow windowsupdate localhost

Okay.
FYI: All these windows stuff are about allow updates to happen easily on 
a network where authentication or other complex rules are blocking the 
updates from happening.

Ideally they shoudl be down ....
> > http_access allow manager localhost
> > http_access deny manager
> >
> > http_access deny !Safe_ports
> >
> > http_access deny CONNECT !SSL_ports

... here.
There is a comment i the default config file about local configuration 
going here.

There also should be a line "http_access allow localnet" about here 
somewhere.

> > http_access allow localhost
> >
> > http_access allow all

And a "deny all" line at the end of the http_access list to ensure 
nothing like an attack can sneak past your access controls.

> > http_port 8080
> >
> > # I tweaked this
> > cache_mem 512 MB
> >
> > # I tweaked this as well:
> > maximum_object_size_in_memory 2048 KB
> >
> > # I increased the cache size here, but would like to make it much bigger
> > if possible. I just wanted to start small and get it working first.
> > cache_dir ufs /var/spool/squid3 45000 16 256
> >
> > # This was a Squid Windows Update suggested tweak:
> > maximum_object_size 200 MB
> >
> > coredump_dir /var/spool/squid3
> >
> > # This was a Squid Windows Update suggested tweak (the FAQ said to place
> > it above the other refresh_pattern entries):
> > refresh_pattern -i
> > microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200
> > reload-into-ims
> > refresh_pattern -i
> > windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80%
> > 1051200 reload-into-ims
> > refresh_pattern -i
> > my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip)
> > 4320 80% 1051200 reload-into-ims
> >
> > # Add any of your own refresh_pattern entries above these.
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

The above cgi-bin pattern needs to be the second to last.

The Debian caching rules are being patched into the wrong place, and 
with squid-3.2 and later are not actually necessary anyway.

> > refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> > # example lin deb packages
> > #refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
> > refresh_pattern .               0       20%     4320
> >
> > # This was a Squid Windows Update suggested tweak:
> > quick_abort_min -1
> >
> > # This was a Squid Windows Update suggested tweak:
> > range_offset_limit -1 KB
> Pretty much everything is otherwise untouched.
>
> Hopefully someone can see what it is that I am missing.
>
> Again, thanks for the help.

Apart from the access control problems this looks okay for a proxy doing 
protocol compliant caching. Perhapse redbot.org will give you more clues 
about the problem.

Amos