Hi,
>> Vadim Pushkin wrote:
>>> Hello;
>>>
>>> I've attached my condensed (without comments) squid.conf that is
>>> giving me some trouble. My problems are as follows:
>>>
>>> 1. I am unable to connect to the cachemgr.cgi from machines in
>>> "Bldg_One" or "Bldg_Two". I am trying to connect to cachemgr.cgi via
>>> webmin.
>>>
>>> 2. My disk space allocated seems to get used up within about three
>>> months and I am not sure how to properly set up my config to expire
>>> my cache sooner, don't even know what it is expiring at now for that
>>> matter. When my allocated disk space is met, squid dies. The last
>>> time that this happened I ran a clear and rebuild cache, this was a
>>> terrible mistake as it had taken an entire day to run.
>>>
>>> 3. I am able to connect using ports that I thought I had forbidden
>>> using "CONNECT". Is my ordering wrong?
>>>
>>> 4. I have at my disposal another 64GB partition contained in this
>>> machine and I would like to get some suggestions for the best way to
>>> use it. I.e, shall I just newfs this other partition and initialize
>>> it so as to pre-stage a new cache in case my hard drive dies? Or,
>>> can I just use it alongside what I have now and have squid continue
>>> to work even if one of the two partitions dies?
>>>
>>> As you can see from my attached config file, I have come a long way,
>>> but I am not completely aware of all that squid can do.
>>
>> OK, remember that the order of rules is important (OK, very
>> important). The reason that you can connect to any port is that the
>> following rules come _after_ the rules that grant access from your SRCs
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
> That is the way the config is written that comes with the distro, so I
> just assumed that it was correct.
>
> I will try swapping them. Is their a known good config that is close
> to what I am trying to achive that I may evaluate for this purpose?
OK, which distribution are you using because it looks as if someone's
screwed up. If you build from source a default squid.conf is built that
is fully commented and correct in structure.
>> They therefore are never evaluated. You need to put these first and
>> then test once again. Do you really need those http_reply_access
>> lines at all?
>
> Without them, my users are denied access :-(
You should be able to get away with 'http_reply_access allow all' unless
you want to block specific mime types or do something else fancy.
Neil.
-- Neil Hillard hillardn@whl.co.uk Westland Helicopters Ltd. http://www.whl.co.uk/ Disclaimer: This message does not necessarily reflect the views of Westland Helicopters Ltd.Received on Tue Apr 04 2006 - 07:49:13 MDT
This archive was generated by hypermail pre-2.1.9 : Mon May 01 2006 - 12:00:02 MDT