Free config audit inline ...
On 6/06/24 05:24, Kevin wrote:
Understood. Here it is:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl windows_net src 172.18.114.0/24
acl sample_host src 172.18.115.1/32
acl rsync port 873
You can remove the above line. This "rsync" ACL is unused and the port
is added directly to the SSL_Ports and Safe_ports.
acl SSL_ports port 443
acl SSL_ports port 873 #873 is rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873
acl CONNECT method CONNECT
You can remove the above line. "CONNECT" is a built-in ACL.
acl PURGE method PURGE
Your proxy is configured with "cache deny all" preventing anything being
stored.
As such you can improve performance somewhat by removing the "acl PURGE"
and all config below that uses it.
acl localhost src 127.0.0.1
You can remove the above line. "localhost" is a built-in ACL.
http_access allow PURGE localhost
http_access deny PURGE
acl URN proto URN
http_access deny URN
http_access deny manager
acl API_FIREFOX dstdomain api.profiler.firefox.com
http_access deny API_FIREFOX
acl ff_browser browser ^Mozilla/5\.0
acl rma_ua browser ^RMA/1\.0.*compatible;.RealMedia
uri_whitespace encode
Hmm. Accepting whitespace in URLs is a risky choice. One can never be
completely sure how third-party agents in the network are handling it
before the request arrived.
If (big IF) you are able to use "uri_whitespace deny" this proxy would
be a bit more secure. This is just a suggestion, you know best here.
acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
http_access deny trellix_phone_cloud
external_acl_type host_based_filter children-max=15 ttl=0 %ACL %DATA %SRC %>rd %>rP /PATH/TO/FILTER/SCRIPT.py
acl HostBasedRules external host_based_filter
http_access allow HostBasedRules
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
auth_param digest realm squid
auth_param digest children 2
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
auth_param basic children 2
auth_param basic realm squidb
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
external_acl_type custom_acl_db children-max=15 ttl=0 %ACL %DATA %ul %SRC %>rd %>rP %credentials /PATH/TO/FILTER/SCRIPT.py
acl CustomAclDB external custom_acl_db
http_access allow CustomAclDB
Hmm, this use of combined authentication+authorization is a bit tricky
with two layers of asynchronous helper lookups going on. That alone
might be what is going on with the weird 403's.
A better sequence would be:
# ensure login is performed
http_access deny !auth_users
# check the access permissions for whichever user logged in
http_access allow CustomAclDB
acl CRLs url_regex "/etc/squid/conf.d/CRL_urls.txt"
http_access allow CRLs
deny_info 303:https://abc.def.com/
FYI; deny_info is a way to customize what happens when the "deny" action
is performed an a specific ACL match.
The above deny_info line does nothing unless you name which ACL(s) it is
to become the action for and also those ACLs are used in a "deny" rule.
For example:
acl redirect_HTTPS url_regex ^http://example\.com
deny_info 303:https://example.com%rp redirect_HTTPS
http_access deny redirect_HTTPS
http_access deny all
So ... none of the http_access lines below here are doing anything.
acl apache rep_header Server ^Apache
icp_access allow localnet
icp_access deny all
These lines...
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
.. to here are supposed to protect your proxy against some nasty DDoS
type attacks.
They need to be first out of all your http_access lines in order to do
that efficiently.
The http_access below are optional from our default squid.conf setup.
Since your install does not appear to need them they can just be removed.
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_port 3128
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
logformat squid %ts.%03tu %6tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt
logformat squidmime %ul %ts.%03tu %6tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
Please do not re-define the "squid", "common" and "combined" names for
custom logformat names. Use custom format names for your customized outputs.
logformat ip_port %ts %tu %>a %>p %<lp %<a %<p %dt %tr %un %>ru %Ss
access_log daemon:/var/log/squid/access.log combined
access_log daemon:/var/log/squid/network.log ip_port
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
You have defined "cache deny all" to prevent anything being stored.
You should be able to remove the above line entirely.
access_log daemon:/var/log/squid/useragent.log useragent
visible_hostname proxy.abc.com
cache deny all
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
