Search squid archive

Re: Config Analysis for VPN Access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 17/10/2013 10:41 p.m., Edmonds Namasenda wrote:
Hi Squid Users / Admins,

Below is my squid.conf of 3.1.23 running on openSuSe 11.4 32-bit using
transparent mode and Shoreline Firewall.
The server controls five networks, four of them through VPNs.

Problems...
- Failure to access Internet on VPNs unless proxy settings are added

Can only be a client software or routing problem for traffic reaching the proxy. If it were a proxy problem then manually configuring would have no effect either.

- Failure to reach DNS and HQ public IP Address

By who/what ?

- Some "admin" IP addresses are randomly (time) blocked from accessing
the Internet

You mean the ACL named "admin" ? see below.

Before we start note that "all" on the end of lines has _no meaning_ unless an authentication related ACL is immediately to its left.

You dont have authentication ACLs. So every single "all" on the end of lines is wasted CPU time.


Where could we be going wrong? How can the set-up be improved?

## Start squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

alnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

cut-n-past error?

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl usul src 10.40.1.0/24 10.40.2.0/24 10.40.3.0/24 10.40.4.0/24 10.40.5.0/24

Try:
  acl usul src 10.40.1.0-10.40.5.0/24


acl noaccess src "/etc/squid/noaccess.txt"
acl admin src "/etc/squid/admin.txt"
acl a37 src "/etc/squid/one37.txt"
acl srvips src "/etc/squid/srvips.txt"
acl mgrs src "/etc/squid/mgrs.txt"
acl clerix src "/etc/squid/clerix.txt"

acl NoGenNet time MTWHFA 08:00-12:59
acl NoGenNet time MTWHFA 13:59-16:59
acl NoGenNet time S 07:00-12:59
acl NoGenNet time SMTWHFA 19:00-23:59
acl NoGenNet time SMTWHFA 00:00-06:59

acl YouTube time SMTWHFA 19:00-23:59
acl YouTube time SMTWHFA 00:00-07:59

acl nommq req_mime_type -i "/etc/squid/nommq.txt"

acl donot urlpath_regex -i "/etc/squid/donot.txt"
acl srvurls dstdomain -i "/etc/squid/srvurls.txt"
acl fewurls dstdomain -i "/etc/squid/fewww.txt"
acl one37 dstdomain -i "/etc/squid/url37.txt"
acl malice dstdomain -i "/etc/squid/malware.acl"
acl porn dstdomain -i "/etc/squid/xxx.acl"
acl ads dstdomain -i "/etc/squid/ads.acl"
acl tubeyou dstdomain -i "/etc/squid/utube.txt"

http_access allow manager localhost

http_access allow srvurls all
http_access allow fewurls all
http_access allow admin mgrs all

Possible problem. Only admin who are both "admin" AND "mgrs" simultaneously are permitted here. Any "admin" IPs which are not "mgrs" as well will continue on down the access controls ...



http_access allow one37 a37

Note: admin who are not in "mgrs" but are in "a37" will be permitted to these sites.

http_access deny tubeyou !YouTube

Note: admin who are not in "mgrs" or "a37" will be time-blocked from tubeyou destinations.

http_access deny malice all
http_access deny porn all
http_access deny ads all

http_access deny noaccess
http_access deny srvips !srvurls all

Note: admin who are not in "mgrs" or "a37" MAY be blocked by any of the above denials.

http_access deny NoGenNet clerix all

Note: admin who are not in "mgrs" or "a37" but are in "clerix" WILL be time-blocked.


http_access deny donot !admin
http_access deny nommq !admin !mgrs
http_access allow usul all

Note: admin who are not in "mgrs" or "a37" but are n "usul" will be permitted by the above line.

Note also: general users matched by any of the above lines, including "usul" will have unlimited access through the proxy with CONNECT method and to any unsafe port (heard of many HTTP proxies relaying email to port 25 from infected clients? yours *is* one of those).

http_access deny manager noaccess

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localhost


http_access deny all

error_directory /usr/share/squid/errors/en

icp_access allow usul
icp_access deny all

htcp_access allow usul
htcp_access deny all


http_port 3128 intercept

It is best not to use port 3128 for interception. Pick a random port number for receiving intercepted traffic and firewall it away from direct access by any contact from outside the machine running Squid. The NAT operation should be done by the Squid machine firewall itself diverting port 80 to your port-X. Only that firewall and Squid should know the port number.

The current releases of Squid require a separate forward-proxy port separate from the interception port. You may as well use port 3128 for its intended purpose, although the exact port number for that is optional.

#http_port 80 intercept        ## ?!
#http_port 8080 intercept    ## ?!

#http_port all intercept    ## Best each port above or this?

hierarchy_stoplist cgi-bin ?

cache_mem 400 MB

cache_dir ufs /var/cache/squid 20000 16 256

coredump_dir /var/cache/squid

access_log /var/log/squid/access.log squid

minimum_object_size 512 KB
maximum_object_size 4 MB
maximum_object_size_in_memory 6 MB

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

dns_nameservers 41.##.##.# 41.##.##.#

visible_hostname ######
icp_port 3130
cache deny YouTube tubeyou

Why is caching of youtube contents only permitted during certain times?
This directive has the annoying side effect of starting to purge cache contents which it blocks, since they are non-cacheable they should not have been stored.

Amos




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux