On 10/12/2015 4:29 a.m., Patrick Flaherty wrote:
> Hi ,
>
> I have changed my 3.5.11 squid.conf based on your excellent feedback Amos.
> Please have a look at my edits to see if it is improved.
>
> Thank You,
> Patrick
>
> # Squid Proxy Configuration
>
> # listening port
> http_port 3128
>
> # max_filedesc
> max_filedesc 2048
>
FYI: the directive name is actually "max_filedescriptors". The
"filedesc" thing is a RHEL hack, Squid accepts it but only for backward
compatibility.
> # debug_options ALL,2
>
>
> # acl directives for ports and protocols
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl sslports port 443
> acl CONNECT method CONNECT
>
>
> # acl and http_access ("rmsc.txt")
> acl whitelist dstdomain "c:/squid/etc/squid/rmsc.txt"
> http_access allow whitelist
This is no change from before. Everything matching whitelist is allowed.
No other rules about whitelist are reachable.
FYI:
Squid checks access controls from the top down, left to right.
The first non-matching ACL check on a line wins and no following ACLs
are checked.
The first fully matching line wins and no following lines are checked.
So;
* whenever "allow localnet" matches, the "deny localnet" line will not
be processed.
* whenever "allow localnet" does not match, the "deny localnet" line is
also a non-match.
Understand?
Also, if you are going to let "anyone" access the listed domains, at
least place the basic security protections in at the top. They protect
against abuses like people sending Spam or VPN tunnels through the proxy.
These ones that are set in the default squid.conf:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
... then your whitelist rule:
http_access allow whitelist
> http_access deny whitelist
>
> # network source of proxy traffic (Specific Network Example 192.168.1.0/24)
> acl localnet src 172.16.50.0/24
> http_access allow localnet
Thats better.
> http_access deny localnet
>
Same as with whitelist rules above. Denying something has no effect if
you already allowed it.
> # dns servers (Change dns_nameservers to client dns servers for consistency
> and better performance)
> dns_nameservers 172.16.50.9 172.16.9.13
>
Or if your system registry settings are the same ones the clients are
using, remove the dns_nameservers entirely and Squid will use the
networks normal resolver(s).
> # cache web pages
> cache_mem 512 MB
>
> # roll log file daily and keep 30 days
> logfile_rotate 30
>
> # access log format (Having one problem with the Default Squid log
> and that is the timestamp being Epoch and not human readable on Windows
> platform)
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
The problem I pointed out was the *name* of the logformat.
logformat something %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log stdio:/var/log/squid/access.log something
(or whatever the local path equivalent needs to be).
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
