#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): as written, localnet covers every RFC1918, unique-local and
# link-local range. Narrow it to the subnets that really sit behind this
# proxy, because "http_access allow localnet" below admits all of them.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Destination ports: SSL_ports limits CONNECT tunnels, Safe_ports limits
# every other request (see the two deny rules further down).
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# NOTE(review): this range makes every unprivileged port a permitted
# destination; trim it if clients only need the standard web ports.
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# http_access rules are evaluated top to bottom and the first match decides,
# so the deny rules must stay above the allow rules.
# The ACL names localhost, manager, to_localhost and all are not defined in
# this listing; presumably they are the built-in ACLs of the installed Squid
# version - confirm.
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): the rule is still commented out here, so a request from an
# allowed client whose destination is the proxy host's own loopback address
# is not rejected. Enable it unless something depends on that behaviour.
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# 3128 takes explicitly configured (forward-proxy) clients; 3129 takes
# connections that the firewall redirected (intercept mode).
# NOTE(review): the intercept port should only ever see redirected traffic;
# confirm the host firewall drops connections addressed to it directly.
# NOTE(review): for intercepted requests Squid (3.2 and later, as far as I
# know) compares the Host header with the IP the client connected to and does
# not cache the reply when they disagree - worth checking when every request
# is logged as a MISS.
http_port 3128
http_port 3129 intercept
# Disk cache directory (already enabled here): ufs store, size 350000 MB,
# 16 first-level and 256 second-level subdirectories.
cache_dir ufs /usr/local/squid/var/cache/squid 350000 16 256
#
# Add any of your own refresh_pattern entries above these.
#
# Fields are: regex, minimum age (minutes), percent of object age, maximum
# age (minutes). They only apply when the origin sends no explicit expiry.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# URLs under /cgi-bin/ or containing "?" get no heuristic freshness at all.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
# Turns a client's forced reload into a conditional (If-Modified-Since)
# request instead of a full refetch.
reload_into_ims on
memory_pools off
cache_mem 4096 MB
# NOTE(review): presumably this name shows up in error pages and Via headers
# sent to clients; use a neutral value if the internal hostname should not be
# disclosed - confirm.
visible_hostname isn-phc-cache
minimum_object_size 0 bytes
# NOTE(review): maximum_object_size is set twice. Presumably the later
# 512 KB value is the one in effect, which would keep larger objects out of
# the cache - confirm and delete the unintended line. In Squid 3.x the
# directive may also need to appear before cache_dir to apply to that store -
# TODO confirm for the installed version.
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
# Disk-cache replacement thresholds, in percent of the cache_dir size.
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
logfile_rotate 10
# NOTE(review): in intercept mode the proxy and its clients should resolve
# names through the same DNS servers; if clients use different resolvers than
# the two listed here, Host-header verification can fail for hosts with
# several addresses and those replies are not cached - verify.
dns_nameservers 8.8.8.8 41.78.211.30
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): as written, localnet covers every RFC1918, unique-local and
# link-local range. Narrow it to the subnets that really sit behind this
# proxy, because "http_access allow localnet" below admits all of them.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Destination ports: SSL_ports limits CONNECT tunnels, Safe_ports limits
# every other request (see the two deny rules further down).
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# NOTE(review): this range makes every unprivileged port a permitted
# destination; trim it if clients only need the standard web ports.
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# http_access rules are evaluated top to bottom and the first match decides,
# so the deny rules must stay above the allow rules.
# The ACL names localhost, manager, to_localhost and all are not defined in
# this listing; presumably they are the built-in ACLs of the installed Squid
# version - confirm.
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): the rule is still commented out here, so a request from an
# allowed client whose destination is the proxy host's own loopback address
# is not rejected. Enable it unless something depends on that behaviour.
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# 3128 takes explicitly configured (forward-proxy) clients; 3129 takes
# connections that the firewall redirected (intercept mode).
# NOTE(review): the intercept port should only ever see redirected traffic;
# confirm the host firewall drops connections addressed to it directly.
# NOTE(review): for intercepted requests Squid (3.2 and later, as far as I
# know) compares the Host header with the IP the client connected to and does
# not cache the reply when they disagree - worth checking when every request
# is logged as a MISS.
http_port 3128
http_port 3129 intercept
# Disk cache directory (already enabled here): ufs store, size 350000 MB,
# 16 first-level and 256 second-level subdirectories.
cache_dir ufs /usr/local/squid/var/cache/squid 350000 16 256
#
# Add any of your own refresh_pattern entries above these.
#
# Fields are: regex, minimum age (minutes), percent of object age, maximum
# age (minutes). They only apply when the origin sends no explicit expiry.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# URLs under /cgi-bin/ or containing "?" get no heuristic freshness at all.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
# Turns a client's forced reload into a conditional (If-Modified-Since)
# request instead of a full refetch.
reload_into_ims on
memory_pools off
cache_mem 4096 MB
# NOTE(review): presumably this name shows up in error pages and Via headers
# sent to clients; use a neutral value if the internal hostname should not be
# disclosed - confirm.
visible_hostname isn-phc-cache
minimum_object_size 0 bytes
# NOTE(review): maximum_object_size is set twice. Presumably the later
# 512 KB value is the one in effect, which would keep larger objects out of
# the cache - confirm and delete the unintended line. In Squid 3.x the
# directive may also need to appear before cache_dir to apply to that store -
# TODO confirm for the installed version.
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
# Disk-cache replacement thresholds, in percent of the cache_dir size.
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
logfile_rotate 10
# NOTE(review): in intercept mode the proxy and its clients should resolve
# names through the same DNS servers; if clients use different resolvers than
# the two listed here, Host-header verification can fail for hosts with
# several addresses and those replies are not cached - verify.
dns_nameservers 8.8.8.8 41.78.211.30
access.log:
1426267535.210 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.223 301 10.0.0.23 TCP_MISS/200 222 GET http://rma-api.gravity.com/v1/beacons/log? - ORIGINAL_DST/80.239.148.18 text/html
1426267535.244 195 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.333 423 10.0.0.23 TCP_MISS/200 1420 GET http://hpr.outbrain.com/utils/get? - ORIGINAL_DST/50.31.185.42 text/x-json
1426267535.345 412 10.0.0.23 TCP_MISS/200 11179 GET http://p.visualrevenue.com/? - ORIGINAL_DST/50.31.185.40 text/_javascript_
1426267535.346 411 10.0.0.23 TCP_MISS/200 423 GET http://t1.visualrevenue.com/? - ORIGINAL_DST/64.74.232.44 image/gif
1426267535.363 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/js/vendor/jquery.ba-bbq.js - ORIGINAL_DST/80.239.152.153 application/x-_javascript_
1426267535.381 193 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.406 189 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.408 190 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.408 191 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.418 200 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.437 188 10.0.0.23 TCP_MISS/200 431 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.464 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/player/CNNAPIVideoPlayer.js - ORIGINAL_DST/80.239.152.153 application/x-_javascript_
1426267535.494 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/legacy/CNNVideoPlayer.js - ORIGINAL_DST/80.239.152.153 application/x-_javascript_
1426267535.604 217 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.609 256 10.0.0.23 TCP_REFRESH_UNMODIFIED/200 41017 GET http://cdn.gigya.com/js/gigya.js? - ORIGINAL_DST/80.239.148.17 text/_javascript_
1426267535.619 206 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.622 208 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.696 129 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 312 GET http://z.cdn.turner.com/cnn/.element/img/3.0/video/cnn_embedDefault.png - ORIGINAL_DST/80.239.152.153 image/png
1426267536.071 656 10.0.0.23 TCP_MISS/302 849 GET http://metrics.cnn.com/b/ss/cnn-adbp-domestic/1/H.26.1/s11300422861240? - ORIGINAL_DST/66.235.141.144 text/plain
1426267536.075 257 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 348 GET http://cdn.gigya.com/js/gigya.services.plugins.base.min.js? - ORIGINAL_DST/80.239.148.17 text/_javascript_
1426267536.203 128 10.0.0.23 TCP_MISS/200 381 GET http://b.scorecardresearch.com/r? - ORIGINAL_DST/80.239.148.16 image/gif
1426267536.570 393 10.0.0.23 TCP_MISS/304 338 GET http://cdn3.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js - ORIGINAL_DST/80.239.148.32 text/_javascript_
1426267536.746 125 10.0.0.23 TCP_MISS/304 340 GET http://static.chartbeat.com/js/chartbeat.js - ORIGINAL_DST/23.67.1.243 application/x-_javascript_
1426267536.819 199 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 233 GET http://data.cnn.com/jsonp/video/nowPlayingSchedule.json? - ORIGINAL_DST/157.166.238.237 -
1426267536.942 260 10.0.0.23 TCP_MISS/200 677 GET http://beacon.krxd.net/optout_check? - ORIGINAL_DST/176.34.190.30 text/_javascript_
1426267537.027 236 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif
1426267537.146 362 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif
1426267537.171 388 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif
1426267537.230 432 10.0.0.23 TCP_MISS/302 481 GET http://apiservices.krxd.net/um? - ORIGINAL_DST/54.243.83.18 text/html
1426267537.603 173 10.0.0.23 TCP_MISS/204 676 GET http://beacon.krxd.net/pixel.gif? - ORIGINAL_DST/176.34.190.30 image/gif
1426267537.618 247 10.0.0.23 TCP_MISS/200 322 GET http://ping.chartbeat.net/ping? - ORIGINAL_DST/54.235.85.218 image/gif
1426267537.892 388 10.0.0.23 TCP_MISS/200 68649 GET http://z.cdn.turner.com/xslo/cvp/core/base/0/CVPBase.swf? - ORIGINAL_DST/80.239.152.153 application/x-shockwave-flash
1426267538.024 130 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 329 GET http://js.moatads.com/turner763610601596/moatad.js - ORIGINAL_DST/80.239.148.9 application/x-_javascript_
1426267535.210 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.223 301 10.0.0.23 TCP_MISS/200 222 GET http://rma-api.gravity.com/v1/beacons/log? - ORIGINAL_DST/80.239.148.18 text/html
1426267535.244 195 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.333 423 10.0.0.23 TCP_MISS/200 1420 GET http://hpr.outbrain.com/utils/get? - ORIGINAL_DST/50.31.185.42 text/x-json
1426267535.345 412 10.0.0.23 TCP_MISS/200 11179 GET http://p.visualrevenue.com/? - ORIGINAL_DST/50.31.185.40 text/_javascript_
1426267535.346 411 10.0.0.23 TCP_MISS/200 423 GET http://t1.visualrevenue.com/? - ORIGINAL_DST/64.74.232.44 image/gif
1426267535.363 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/js/vendor/jquery.ba-bbq.js - ORIGINAL_DST/80.239.152.153 application/x-_javascript_
1426267535.381 193 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.406 189 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.408 190 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.408 191 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.418 200 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.437 188 10.0.0.23 TCP_MISS/200 431 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.464 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/player/CNNAPIVideoPlayer.js - ORIGINAL_DST/80.239.152.153 application/x-_javascript_
1426267535.494 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/legacy/CNNVideoPlayer.js - ORIGINAL_DST/80.239.152.153 application/x-_javascript_
1426267535.604 217 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.609 256 10.0.0.23 TCP_REFRESH_UNMODIFIED/200 41017 GET http://cdn.gigya.com/js/gigya.js? - ORIGINAL_DST/80.239.148.17 text/_javascript_
1426267535.619 206 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.622 208 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.696 129 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 312 GET http://z.cdn.turner.com/cnn/.element/img/3.0/video/cnn_embedDefault.png - ORIGINAL_DST/80.239.152.153 image/png
1426267536.071 656 10.0.0.23 TCP_MISS/302 849 GET http://metrics.cnn.com/b/ss/cnn-adbp-domestic/1/H.26.1/s11300422861240? - ORIGINAL_DST/66.235.141.144 text/plain
1426267536.075 257 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 348 GET http://cdn.gigya.com/js/gigya.services.plugins.base.min.js? - ORIGINAL_DST/80.239.148.17 text/_javascript_
1426267536.203 128 10.0.0.23 TCP_MISS/200 381 GET http://b.scorecardresearch.com/r? - ORIGINAL_DST/80.239.148.16 image/gif
1426267536.570 393 10.0.0.23 TCP_MISS/304 338 GET http://cdn3.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js - ORIGINAL_DST/80.239.148.32 text/_javascript_
1426267536.746 125 10.0.0.23 TCP_MISS/304 340 GET http://static.chartbeat.com/js/chartbeat.js - ORIGINAL_DST/23.67.1.243 application/x-_javascript_
1426267536.819 199 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 233 GET http://data.cnn.com/jsonp/video/nowPlayingSchedule.json? - ORIGINAL_DST/157.166.238.237 -
1426267536.942 260 10.0.0.23 TCP_MISS/200 677 GET http://beacon.krxd.net/optout_check? - ORIGINAL_DST/176.34.190.30 text/_javascript_
1426267537.027 236 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif
1426267537.146 362 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif
1426267537.171 388 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif
1426267537.230 432 10.0.0.23 TCP_MISS/302 481 GET http://apiservices.krxd.net/um? - ORIGINAL_DST/54.243.83.18 text/html
1426267537.603 173 10.0.0.23 TCP_MISS/204 676 GET http://beacon.krxd.net/pixel.gif? - ORIGINAL_DST/176.34.190.30 image/gif
1426267537.618 247 10.0.0.23 TCP_MISS/200 322 GET http://ping.chartbeat.net/ping? - ORIGINAL_DST/54.235.85.218 image/gif
1426267537.892 388 10.0.0.23 TCP_MISS/200 68649 GET http://z.cdn.turner.com/xslo/cvp/core/base/0/CVPBase.swf? - ORIGINAL_DST/80.239.152.153 application/x-shockwave-flash
1426267538.024 130 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 329 GET http://js.moatads.com/turner763610601596/moatad.js - ORIGINAL_DST/80.239.148.9 application/x-_javascript_
On Fri, Mar 13, 2015 at 12:18 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
13.03.15 21:58, Monah Baki пишет:
> Hi All,
>
> Installed squid on CentOS 6.6 and it's working, but my access.log
> shows all TCP_MISS and no TCP_HIT. The following config:
>
> squid.conf # Squid normally listens to port 3128 http_port 3128
> http_port 3129 intercept
And that's all????
>
>
>
> iptables
>
> # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> *nat :PREROUTING ACCEPT [10:2031] :POSTROUTING ACCEPT [0:0] :OUTPUT
> ACCEPT [0:0] -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp
> --dport 80 -j ACCEPT -A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp
> --dport 80 -j ACCEPT -A PREROUTING -s 147.245.252.13/32 -p tcp -m
> tcp --dport 80 -j ACCEPT -A PREROUTING -p tcp -m tcp --dport 80 -j
> REDIRECT --to-ports 3129 -A POSTROUTING -j MASQUERADE COMMIT #
> Completed on Fri Mar 13 16:04:02 2015 # Generated by iptables-save
> v1.4.7 on Fri Mar 13 16:04:02 2015 *filter :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1818:649971] -A INPUT -m
> state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j
> REJECT --reject-with icmp-port-unreachable -A INPUT -i lo -j
> ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
> ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state
> --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp
> --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -j
> REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT
> --reject-with icmp-host-prohibited COMMIT # Completed on Fri Mar 13
> 16:04:02 2015 # Generated by iptables-save v1.4.7 on Fri Mar 13
> 16:04:02 2015 *mangle :PREROUTING ACCEPT [68:6199] :INPUT ACCEPT
> [68:6199] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [26:3064]
> :POSTROUTING ACCEPT [26:3064] -A PREROUTING -p tcp -m tcp --dport
> 3129 -j DROP COMMIT # Completed on Fri Mar 13 16:04:02 2015
>
>
> Accessing sites, shows the IP address of the proxy 147.245.252.13.
>
> Am I missing something in IPTables that it is not caching?
>
>
> Thanks Monah
>