Hi there,
Many thanks for the reply. Here is my squid.conf. I have renamed ACLs to protect the company name, since
this is a public list. :-)
Thanks in advance,
D.Radel.
# -----------------------------------------------------------------------------
# MODIFIED SQUID CONFIGURATION FILE
# - much of the original has been pruned out. See: squid.conf.original
# -----------------------------------------------------------------------------
# Set cache directory and max cache size to 7GB.
cache_dir ufs /var/spool/squid 7000 16 256
cache_mem 16 MB
cache_store_log none
half_closed_clients off
# -----------------------------------------------------------------------------
# TAG: hierarchy_stoplist
# -----------------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
# -----------------------------------------------------------------------------
# Sites not cached
# -----------------------------------------------------------------------------
# Do not cache cgi-bin scripts
#------------------------------
acl cgi_scripts urlpath_regex cgi-bin \?
no_cache deny cgi_scripts
# Do not cache sites in our list
#--------------------------------
acl sites_not_cached url_regex -i "/squid/sites_not_cached.txt"
no_cache deny sites_not_cached
# Do not cache our local webservers
#-----------------------------------
acl local_webservers dst 192.168.1.0/24 192.168.100.0/24
no_cache deny local_webservers
# Any urls that do not include a full domain name, append our web domain
#-----------------------------------------------------------------------
# -----------------------------------------------------------------------------
# TAG: refresh_pattern
# -----------------------------------------------------------------------------
# usage: refresh_pattern [-i] regex min percent max [options]
#Suggested default:
#-------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# -----------------------------------------------------------------------------
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#Recommended minimum configuration:
#-----------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl behemoth src 192.168.1.221
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 8443
acl SSL_ports port 3690
acl Safe_ports port 80 # http
acl Safe_ports port 81
acl Safe_ports port 82
acl Safe_ports port 83
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8443
acl Safe_ports port 3690
acl purge method PURGE
acl CONNECT method CONNECT
# -----------------------------------------------------------------------------
# TAG: http_access
# -----------------------------------------------------------------------------
# Allowing or Denying access based on defined access lists
# Only allow cachemgr access from localhost and behemoth.
# ACLs named on one http_access line are ANDed, so a single line listing
# both hosts can never match; each permitted host gets its own line.
#-------------------------------------------
http_access allow manager localhost
http_access allow manager behemoth
http_access deny manager
# Only allow purge requests from localhost
#------------------------------------------
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
#--------------------------------
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
#--------------------------------------
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# -----------------------------------------------------------------------------
# Company Related Access
# -----------------------------------------------------------------------------
# Allow these websites without requiring authentication
#--------------------------------------------------------------
acl NO_AUTH_NEEDED dstdomain -i "/squid/no_auth_needed.txt"
http_access allow NO_AUTH_NEEDED
http_reply_access allow NO_AUTH_NEEDED
# Authenticate against domain using LDAP, not SAMBA
#------------------------------------------------------------
# Use our homebrew script called multi_domains.sh which authenticates
# against more than one domain by making multiple calls to the standard
# /usr/lib/squid/ldap_auth program and evaluating the result. The script
# passes either an "OK" or an "ERR" back to Squid.
auth_param basic program /etc/squid/multi_domains.sh
auth_param basic children 5
auth_param basic realm Squidward Proxy
auth_param basic credentialsttl 5 hours
# Test whether the user is a member of the Security Groups on either domain.
# One security group has been set up on each Domain and each will have
# differing rules about which sites its members can visit.
# The tests are performed in various shell scripts.
#--------------------------------------------------------------------
external_acl_type co_ldap_group %LOGIN /etc/squid/co_www_access.sh
external_acl_type music_ldap_group %LOGIN /etc/squid/co_www_access.sh
# Block websites using url or keywords.
# Uses "\.file$" format to block file extensions
#-------------------------------------------------
acl blocked_content url_regex -i "/squid/blocked_sites.txt"
acl blocked_media url_regex -i "/squid/multimedia.txt"
acl streaming_media rep_mime_type ^audio/mpeg ^audio/x-mpeg ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1
acl download method GET
# All computers on LAN must be prompted for password
# (an acl has exactly one type, so the source networks and the
#  authentication requirement are defined as separate acls)
#-------------------------------------------------------
acl computers_on_lan src 192.168.1.0/24 192.168.100.0/24
acl auth_required proxy_auth REQUIRED
# Define ACLs for the Security Groups
#-----------------------------------------------------
acl co_group external co_ldap_group co_www_access
acl music_group external music_ldap_group music_www_access
http_access deny blocked_content download all
http_access deny blocked_content all
http_reply_access deny blocked_content all
http_access deny streaming_media co_group
http_access deny blocked_media co_group
http_access deny blocked_media download co_group
http_reply_access deny streaming_media co_group
http_reply_access deny blocked_media co_group
http_reply_access deny blocked_media download co_group
# Allow access to various ACLs
#-----------------------------
http_access allow co_group
http_access allow music_group
http_access allow localhost
# And finally deny all other access to this proxy
#-------------------------------------------------
http_access deny all
# -----------------------------------------------------------------------------
# TAG: http_reply_access
# -----------------------------------------------------------------------------
http_reply_access allow all
# -----------------------------------------------------------------------------
# TAG: icp_access
# -----------------------------------------------------------------------------
icp_access allow all
# -----------------------------------------------------------------------------
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# Email address displayed when error occurs or access is denied
#---------------------------------------------------------------
cache_mgr radel@inet.net.nz
Amos Jeffries wrote:
> D & E Radel wrote:
>> Hi there,
>>
>> I was running Debian old stable until today. I upgraded to current
>> stable, rebooted and all was fine. Squid seemed fine.
>>
>> I then installed Squish - which went badly, so I removed it as per
>> their FAQ file. Squid was a no go. I then reverted to my old
>> previously working squid.conf and now have the error:
>>
>> squidFATAL no ports defined!
>>
>> Dang! Adding the line: "HTTP_PORT 3128" stops the error, but now I get
>> no authentication prompt in my browser. Restarting squid is fine, but
>> it doesn't seem to talk to my client's browser anymore.
>>
>> I guess that I need to back-track, so armed with my old squid.conf,
>> what can I do now - besides reverting to an early image of my drive?
>> My squid.conf uses LDAP authentication with a Windows 2003 Server.
>>
>> Thanks in advance.
>> D.Radel.
>
> You will need to check all the settings in your old working conf against
> the Release Notes about changes between 2.5 and 2.6. There have been
> quite a few improvements at the boundary.
>
> For more detailed help we will need to see a copy of the original conf
> to point out the new ways of setting some parts up.
>
>
> Amos
>
Received on Tue May 29 2007 - 14:48:43 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT
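The thread above turns on how Squid evaluates `http_access` lines: every ACL named on one line must match (they are ANDed, `!` negates a single ACL), the first matching line decides, and if nothing matches the result is the opposite of the last line. The posted `http_access allow manager localhost behemoth` is a good illustration, because a client cannot be 127.0.0.1 and 192.168.1.221 at once. The following is an added example written for this page, not Squid's code and not the poster's configuration: a small model of that evaluation run against ACLs taken from the posted squid.conf. The name `auth_required`, the `Request` class and the helper functions are constructed for the example; the external LDAP group checks are stood in for by a plain `proxy_auth REQUIRED` test.

```python
"""Model of how Squid evaluates http_access lines (constructed example).

Semantics modelled:
  * a line matches only if EVERY acl named on it matches ('!' negates one acl);
  * lines are tried in order and the first match decides;
  * if no line matches, the result is the opposite of the last line's action.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                      # client IP address
    port: int                     # destination port of the requested URL
    method: str = "GET"
    scheme: str = "http"          # 'cache_object' for cache manager requests
    user: Optional[str] = None    # None means no proxy credentials presented


# ACL definitions keyed by name: (acl type, arguments). Values follow the
# posted squid.conf; 'auth_required' is a name added for this example.
ACLS = {
    "all":              ("src", ["0.0.0.0/0"]),
    "localhost":        ("src", ["127.0.0.1/32"]),
    "behemoth":         ("src", ["192.168.1.221/32"]),
    "computers_on_lan": ("src", ["192.168.1.0/24", "192.168.100.0/24"]),
    "manager":          ("proto", ["cache_object"]),
    "SSL_ports":        ("port", ["443", "563", "873", "8443", "3690"]),
    "Safe_ports":       ("port", ["80", "81", "82", "83", "21", "443", "563",
                                  "70", "210", "1025-65535", "280", "488",
                                  "591", "777", "631", "873", "901", "8443",
                                  "3690"]),
    "CONNECT":          ("method", ["CONNECT"]),
    "auth_required":    ("proxy_auth", ["REQUIRED"]),
}


def _port_in(values, port):
    """True if port is listed, either as a single value or inside an a-b range."""
    for v in values:
        if "-" in v:
            lo, hi = (int(x) for x in v.split("-"))
            if lo <= port <= hi:
                return True
        elif int(v) == port:
            return True
    return False


def acl_matches(name, req):
    """True if the named acl matches the request; a leading '!' negates."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        addr = ipaddress.ip_address(req.src)
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "port":
        hit = _port_in(values, req.port)
    elif kind == "method":
        hit = req.method in values
    elif kind == "proto":
        hit = req.scheme in values
    elif kind == "proxy_auth":
        # REQUIRED: any authenticated user matches; no credentials, no match
        hit = req.user is not None
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return hit != negate


def http_access(rules, req):
    """Return 'allow' or 'deny' for req under an ordered list of (action, acls)."""
    for action, acl_names in rules:
        if all(acl_matches(n, req) for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The cache manager line as posted: the three acls are ANDed, so the client
# would have to be 127.0.0.1 AND 192.168.1.221 at the same time.
POSTED_MANAGER = [
    ("allow", ["manager", "localhost", "behemoth"]),
    ("deny",  ["manager"]),
]
# One allow line per permitted host gives the intended OR.
SPLIT_MANAGER = [
    ("allow", ["manager", "localhost"]),
    ("allow", ["manager", "behemoth"]),
    ("deny",  ["manager"]),
]
# Remaining rules, modelled on the posted order: port checks first, then
# "on the LAN AND authenticated", then localhost, then deny everything else.
COMMON_TAIL = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["computers_on_lan", "auth_required"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]


def decide(rules, src, port=80, method="GET", scheme="http", user=None):
    """Evaluate a request against the given manager rules plus COMMON_TAIL."""
    return http_access(rules + COMMON_TAIL, Request(src, port, method, scheme, user))


if __name__ == "__main__":
    mgr = dict(scheme="cache_object", port=3128)
    print("posted rule, manager from behemoth:", decide(POSTED_MANAGER, "192.168.1.221", **mgr))
    print("split rules, manager from behemoth:", decide(SPLIT_MANAGER, "192.168.1.221", **mgr))
    print("LAN client, no credentials:        ", decide(SPLIT_MANAGER, "192.168.1.50"))
    print("LAN client, authenticated:         ", decide(SPLIT_MANAGER, "192.168.1.50", user="alice"))
    print("CONNECT to 8080, authenticated:    ", decide(SPLIT_MANAGER, "192.168.1.50", 8080, "CONNECT", user="alice"))
```

Running the script shows the posted manager line denying behemoth (and localhost), the split lines allowing both, and the tail behaving as intended: an unauthenticated LAN client falls through to `deny all`, an authenticated one is allowed, and a CONNECT to a non-SSL port is refused before any allow line is reached. The same model is a quick way to check any reordering of an `http_access` list before loading it into a live proxy.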