On 12/03/2017 8:11 p.m., Danny wrote:
> Hi,
>
> Just want someone to confirm my current reply_body_max_size setup. I have a
> simple network at home i.e: Debian with a wireless card (wlan0) which is bridged
> (br0) to an ethernet card (eth0). All devices come through the wireless card
> (wlan0) and then off to the router.
>
> I want "localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4" to have unlimited download capability but
> "localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp" must be limited to a
> 5MB download limit.
>
> Here is my configuration:
> ######################################################################################################################################
> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
> acl localnet_sniper src 10.0.0.3 #(eth0)
> acl localnet_bridge src 10.0.0.4 #(br0)
> acl localnet_fever src 10.0.0.5 #(wlan0)
> acl localnet_44081 src 10.0.0.11 #(RaspberryPi3)
> acl localnet_dannyS4 src 10.0.0.54
> acl localnet_vS5mini src 10.0.0.55
> acl localnet_shotgun src 10.0.0.56
> acl localnet_anTab2 src 10.0.0.71
> acl localnet_vTab3 src 10.0.0.73
> acl localnet_samsungTV src 10.0.0.80
> acl localnet_samsungDVD src 10.0.0.81
> acl localnet_dhcp src 10.0.0.201
> acl localnet_dhcp src 10.0.0.202
> acl localnet_dhcp src 10.0.0.203
> acl localnet_dhcp src 10.0.0.204
>
> http_access allow password
> http_access allow localhost
> http_access allow localnet

The localnet ACL above matches and allows all requests from any IP in the
10.*/24 to use the proxy. So none of the below individual IP checks will
ever be reached. They are pointless anyway since they do the same as the
more generic "allow localnet".

> http_access allow localnet_sniper
> http_access allow localnet_bridge
> http_access allow localnet_fever
> http_access allow localnet_44081
> http_access allow localnet_dannyS4
> http_access allow localnet_vS5mini
> http_access allow localnet_anTab2
> http_access allow localnet_vTab3
> http_access allow localnet_samsungTV
> http_access allow localnet_samsungDVD
> http_access allow localnet_dhcp

The default security protections for Safe_ports, SSL_ports, CONNECT,
manager access, and final "deny all" are missing. I hope you have just
omitted them from this mail, not removed them from your config.

>
> reply_body_max_size 9 999 999 999 MB localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4

Squid understands the magic word "none" to mean no limit. The above is
setting a large, but not impossible limit of ~9.3 PB.

> reply_body_max_size 5 MB localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp
>

The ACLs on both these lines are defining an impossible situation. See
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for what
is going wrong there and ways to fix it.

Transactions which do not have a limit applied, are of course unlimited.
So drop the ACLs explicitly listing what not to limit.

You only need ACL to match what does get limited, and only one is needed
(you are only matching on IP, nothing complex). Like so:

 acl limit_5MB src 10.0.0.201-10.0.0.204 # dhcp
 acl limit_5MB src 10.0.0.80 # samsung TV
 acl limit_5MB src 10.0.0.81 # samsung DVD
 ...
 reply_body_max_size 5 MB limit_5MB

That is it.

> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

redirect_program is a deprecated alias for url_rewrite_program. You can
only have one configured for use. So, only the latter of the two
directives will do anything.

Amos
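
An added illustration, not part of the original thread and not Squid's own code: a small Python model of how the reply_body_max_size lines discussed above are evaluated, assuming the rule from the linked Squid ACL FAQ that ACL names on one line are ANDed, values inside one ACL are ORed, and the first matching line wins. The ACL values are copied from the message; the function names are hypothetical.

```python
"""Toy model of Squid reply_body_max_size matching (added example, not Squid code)."""
import ipaddress

def parse_src(value):
    """Return (first, last) addresses for an IP, CIDR or a-b range src value."""
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p) for p in value.split("-"))
        return lo, hi
    net = ipaddress.ip_network(value, strict=False)
    return net[0], net[-1]

def acl_matches(acls, name, client):
    """A src ACL matches if the client is in ANY of its values (values are ORed)."""
    ip = ipaddress.ip_address(client)
    return any(lo <= ip <= hi for lo, hi in map(parse_src, acls[name]))

def reply_limit(rules, acls, client):
    """First line whose ACLs ALL match wins; no matching line means no limit."""
    for size, names in rules:
        if all(acl_matches(acls, n, client) for n in names):
            return size
    return None

# ACL values copied from the message (subset of hosts).
ACLS = {
    "localnet_sniper": ["10.0.0.3"], "localnet_dannyS4": ["10.0.0.54"],
    "localnet_samsungTV": ["10.0.0.80"], "localnet_samsungDVD": ["10.0.0.81"],
    "localnet_dhcp": ["10.0.0.201", "10.0.0.202", "10.0.0.203", "10.0.0.204"],
    "limit_5MB": ["10.0.0.201-10.0.0.204", "10.0.0.80", "10.0.0.81"],
}
# Original style: several single-host ACLs on one line (ANDed, so never all true).
ORIGINAL = [("9 999 999 999 MB", ["localnet_sniper", "localnet_dannyS4"]),
            ("5 MB", ["localnet_samsungTV", "localnet_samsungDVD", "localnet_dhcp"])]
# Suggested style: one ACL holding every limited address.
SUGGESTED = [("5 MB", ["limit_5MB"])]

if __name__ == "__main__":
    for client in ("10.0.0.3", "10.0.0.80", "10.0.0.202"):
        print(client, "original:", reply_limit(ORIGINAL, ACLS, client),
              "suggested:", reply_limit(SUGGESTED, ACLS, client))
```

With the original lines every client comes back with no limit, because one source address cannot satisfy several different single-host ACLs at once; with the single limit_5MB ACL only the listed devices are capped.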