Thank you Amos for the detailed reply. Never too old to learn, are we?

Have a nice day

Danny

On Mar 15 17, Amos Jeffries :
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Date: Wed, 15 Mar 2017 15:49:04 +1300
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> Subject: Re: reply_body_max_size question
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
> X-BeenThere: squid-users@xxxxxxxxxxxxxxxxxxxxx
>
> On 12/03/2017 8:11 p.m., Danny wrote:
> > Hi,
> >
> > Just want someone to confirm my current reply_body_max_size setup. I have a
> > simple network at home i.e: Debian with a wireless card (wlan0) which is bridged
> > (br0) to an ethernet card (eth0). All devices come through the wireless card
> > (wlan0) and then off to the router.
> >
> > I want "localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4" to have unlimited download capability but
> > "localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp" must be limited to a
> > 5MB download limit.
> >
> > Here is my configuration:
> > ######################################################################################################################################
> > acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
> > acl localnet_sniper src 10.0.0.3 #(eth0)
> > acl localnet_bridge src 10.0.0.4 #(br0)
> > acl localnet_fever src 10.0.0.5 #(wlan0)
> > acl localnet_44081 src 10.0.0.11 #(RaspberryPi3)
> > acl localnet_dannyS4 src 10.0.0.54
> > acl localnet_vS5mini src 10.0.0.55
> > acl localnet_shotgun src 10.0.0.56
> > acl localnet_anTab2 src 10.0.0.71
> > acl localnet_vTab3 src 10.0.0.73
> > acl localnet_samsungTV src 10.0.0.80
> > acl localnet_samsungDVD src 10.0.0.81
> > acl localnet_dhcp src 10.0.0.201
> > acl localnet_dhcp src 10.0.0.202
> > acl localnet_dhcp src 10.0.0.203
> > acl localnet_dhcp src 10.0.0.204
> >
> > http_access allow password
> > http_access allow localhost
> > http_access allow localnet
>
> The localnet ACL above matches and allows all requests from any IP in
> the 10.*/24 to use the proxy.
>
> So none of the below individual IP checks will ever be reached. They are
> pointless anyway since they do the same as the more generic "allow
> localnet".
>
> > http_access allow localnet_sniper
> > http_access allow localnet_bridge
> > http_access allow localnet_fever
> > http_access allow localnet_44081
> > http_access allow localnet_dannyS4
> > http_access allow localnet_vS5mini
> > http_access allow localnet_anTab2
> > http_access allow localnet_vTab3
> > http_access allow localnet_samsungTV
> > http_access allow localnet_samsungDVD
> > http_access allow localnet_dhcp
> >
>
> The default security protections for Safe_ports, SSL_ports, CONNECT,
> manager access, and final "deny all" are missing.
>
> I hope you have just omitted them from this mail, not removed them from
> your config.
>
> >
> > reply_body_max_size 9 999 999 999 MB localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4
>
> Squid understands the magic word "none" to mean no limit. The above is
> setting a large, but not impossible limit of ~9.3 PB.
>
> > reply_body_max_size 5 MB localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp
> >
>
> The ACLs on both these lines are defining an impossible situation.
> See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for
> what is going wrong there and ways to fix it.
>
> Transactions which do not have a limit applied, are of course unlimited.
> So drop the ACLs explicitly listing what not to limit. You only need
> ACL to match what does get limited, and only one is needed (you are only
> matching on IP, nothing complex).
>
> Like so:
>
>  acl limit_5MB src 10.0.0.201-10.0.0.204 # dhcp
>  acl limit_5MB src 10.0.0.80 # samsung TV
>  acl limit_5MB src 10.0.0.81 # samsung DVD
>  ...
>  reply_body_max_size 5 MB limit_5MB
>
> That is it.
>
> > url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> > redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> >
>
> redirect_program is a deprecated alias for url_rewrite_program. You can
> only have one configured for use. So, only the latter of the two
> directives will do anything.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
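
Added example, not part of the original thread: a small Python model of the ACL semantics the reply describes. Values under one ACL name are OR'ed, ACL names on one directive line are AND'ed, and the model assumes the first matching reply_body_max_size line wins. The function names, the minimal parser (src ACLs with a single address or a range only) and the trimmed config strings are constructed for illustration.

```python
import ipaddress

def parse_acls(conf):
    """'acl NAME src VALUE' lines; values under a repeated NAME are OR'ed."""
    acls = {}
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) == 4 and tok[0] == "acl" and tok[2] == "src":
            lo, _, hi = tok[3].partition("-")  # single address or lo-hi range
            acls.setdefault(tok[1], []).append(
                (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
    return acls

def parse_limits(conf):
    """'reply_body_max_size N MB acl...' lines, kept in file order."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] == "reply_body_max_size":
            rules.append((int(tok[1]), tok[3:]))
    return rules

def limit_for(client, conf):
    """Limit in MB for a client IP, or None when no line applies."""
    acls, ip = parse_acls(conf), ipaddress.ip_address(client)
    for size_mb, names in parse_limits(conf):
        # Every ACL named on the line must match (AND) for the line to apply.
        if all(any(lo <= ip <= hi for lo, hi in acls[n]) for n in names):
            return size_mb  # first matching line wins (model assumption)
    return None

# Constructed: trimmed from the configuration quoted in the thread.
ORIGINAL = """
acl localnet_vS5mini src 10.0.0.55
acl localnet_samsungTV src 10.0.0.80
acl localnet_dhcp src 10.0.0.201
acl localnet_dhcp src 10.0.0.202
reply_body_max_size 5 MB localnet_vS5mini localnet_samsungTV localnet_dhcp
"""
# Constructed: follows the single-ACL fix suggested in the reply.
FIXED = """
acl limit_5MB src 10.0.0.201-10.0.0.204 # dhcp
acl limit_5MB src 10.0.0.55             # vS5mini
acl limit_5MB src 10.0.0.80             # samsung TV
reply_body_max_size 5 MB limit_5MB
"""

if __name__ == "__main__":
    for ip in ("10.0.0.80", "10.0.0.202", "10.0.0.3"):
        print(ip, "original:", limit_for(ip, ORIGINAL), "fixed:", limit_for(ip, FIXED))
```

With ORIGINAL no client is ever limited, because no single source address can be in all three ACLs at once; with FIXED the listed devices get 5 MB and everything else stays unlimited.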