On 14/05/2016 12:14 a.m., Dzaczek wrote:
> http://codepaste.net/pvx4j1
>

Doesn't seem to be anything obviously relating to your problem in there. Though I have a few recommendations for improvements:

* use of always_direct is deviously the opposite of what one might expect from reading the config file. I suggest replacing it with:

    http_access deny !whitelist

  which better describes what it actually does currently: cause denial of anything not on the whitelist. Note that since nobody can get *out* of the proxy to any other site there can't be any cached content for those requests to use. So no point at all in even letting them into Squid. Which brings up...

* Your Squid could be doing a lot of work internally for things that are not allowed to happen anyway. Get better performance out of your proxy by doing the security checks on traffic ingress (http_access) not on traffic egress (miss_access / always_direct, request_header_access).

* the workday_site ACL is very dangerous. It currently allows anyone to put the word "workday" into any URL to bypass the other proxy ingress security. I can't actually see any reason why this ACL and http_access exist. localnet and localhost are permitted to do what they like anyway within the whitelisted sites set. Ditto for the FTP / ftp ACL and http_access lines.

* You have lost the default security check "http_access deny CONNECT !SSL_ports". That one is particularly important seeing as CONNECT tunnels are not subject to always_direct which is your main access control currently. AND you have several http_access control allowing

* you have several things above the basic port security checks. I know we used to say that was okay, but the world has moved on. Please make sure "http_access deny !Safe_ports" is at the top of the http_access list, and reinstate the above mentioned CONNECT rule right after it.

  Instead of placing things above these rules, adjust the Safe_ports and SSL_ports lists as needed and only after careful consideration of whether you have to.

* ignore-no-cache is obsolete since Squid-3.2. It also does the opposite of what most people want to use it for. As in: it _prevents_ caching of things in HTTP/1.1, or at least it would if Squid did not ignore the obsolete config.

  Likewise ignore-no-store and ignore-private are highly dangerous, but for privacy breach reasons. Current releases of Squid the ignore-private will make CC:private response headers operate as if they were CC:must-revalidate.

* "header_replace Accept" does nothing unless you also "request_header_access Accept deny ..."

* request_header_access does nothing useful on response headers. Have a look through <http://www.iana.org/assignments/message-headers/message-headers.xhtml> referenced RFCs to see which ones are actually request headers. RFC 723x (x being 0, 1, 2, 3, 4, 5, 8) are the main HTTP documents. There are some like Transfer-Encoding, If-Match, If-None-Match, If-Unmodified-Since that you are causing to be removed but are needed by Squid.

* there are quite a few directives being set to their current default values. You could simplify the config file a bit by removing those lines. In Squid-3 you only need to configure things that you are changing from their default behaviour.

Phew, hope that's the lot.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
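As an added example (not from Amos or the Squid project), a small Python lint that checks a squid.conf fragment for the ordering and egress-control problems raised in the reply above: Safe_ports first, the CONNECT/SSL_ports rule present, always_direct or miss_access not used as access control, an unanchored url_regex ACL, and obsolete ignore-* refresh options. The two configuration fragments are constructed to show the before and after; the poster's real config is only linked, not on the page.

```python
# Constructed squid.conf fragments (assumed shape; the poster's real config is
# only linked from the thread). BAD_CONF reproduces the problems Amos lists,
# GOOD_CONF applies his recommendations.
BAD_CONF = """\
acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl workday_site url_regex workday
acl localnet src 10.0.0.0/8
http_access allow workday_site
http_access allow localnet
http_access deny !Safe_ports
always_direct deny !whitelist
refresh_pattern . 0 20% 4320 ignore-no-cache ignore-private
"""
GOOD_CONF = """\
acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl localnet src 10.0.0.0/8
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !whitelist
http_access allow localnet
http_access deny all
refresh_pattern . 0 20% 4320
"""
OBSOLETE = {"ignore-no-cache", "ignore-no-store", "ignore-private"}

def lint(conf):
    """Return findings for the ordering and egress-control issues in the thread."""
    rules = [l.split("#", 1)[0].split() for l in conf.splitlines()]
    rules = [r for r in rules if r]
    findings = []
    access = [r[1:] for r in rules if r[0] == "http_access"]
    # Port safety must be the very first ingress check.
    if not access or access[0] != ["deny", "!Safe_ports"]:
        findings.append("first http_access is not 'deny !Safe_ports'")
    # CONNECT tunnels bypass always_direct, so they need their own rule.
    if ["deny", "CONNECT", "!SSL_ports"] not in access:
        findings.append("missing 'http_access deny CONNECT !SSL_ports'")
    for r in rules:
        # Egress directives only run after the request was already admitted.
        if r[0] in ("always_direct", "miss_access") and r[1] == "deny":
            findings.append(f"{r[0]} used as access control; deny it in http_access instead")
        # A bare url_regex matches the word anywhere in any URL.
        if r[0] == "acl" and r[2] == "url_regex" and not r[3].startswith("^"):
            findings.append(f"acl {r[1]}: unanchored url_regex '{r[3]}'")
        if r[0] == "refresh_pattern" and OBSOLETE & set(r):
            findings.append("refresh_pattern uses obsolete ignore-* options")
    return findings
```

Running `lint(BAD_CONF)` yields five findings and `lint(GOOD_CONF)` none; the check is deliberately limited to the points made in the thread, not a general squid.conf validator.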