Re: [squid-users] Upgrading from 2.5.9 to 2.6.5 - woes + squish woes

From: D & E Radel <radel@dont-contact.us>
Date: Wed, 30 May 2007 08:48:30 +1200

Hi there,

Many thanks for the reply. Here is my squid.conf. I have renamed ACLs to protect the company name, since
this is a public list. :-)

Thanks in advance,
D.Radel.

# -----------------------------------------------------------------------------
# MODIFIED SQUID CONFIGURATION FILE
# - much of the original has been pruned out. See: squid.conf.original
# -----------------------------------------------------------------------------

# Set cache directory and max cache size to 7GB.
cache_dir ufs /var/spool/squid 7000 16 256
cache_mem 16 MB
cache_store_log none
half_closed_clients off

# -----------------------------------------------------------------------------
# TAG: hierarchy_stoplist
# -----------------------------------------------------------------------------

hierarchy_stoplist cgi-bin ?

# -----------------------------------------------------------------------------
# Sites not cached
# -----------------------------------------------------------------------------

# Do not cache cgi-bin scripts
#------------------------------
acl cgi_scripts urlpath_regex cgi-bin \?
no_cache deny cgi_scripts

# Do not cache sites in our list
#--------------------------------
acl sites_not_cached url_regex -i "/squid/sites_not_cached.txt"
no_cache deny sites_not_cached

# Do not cache our local webservers
#-----------------------------------
acl local_webservers dst 192.168.1.0/24 192.168.100.0/24
no_cache deny local_webservers

# Any urls that do not include a full domain name, append our web domain
#-----------------------------------------------------------------------

# -----------------------------------------------------------------------------
# TAG: refresh_pattern
# -----------------------------------------------------------------------------
# usage: refresh_pattern [-i] regex min percent max [options]

#Suggested default:
#-------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# -----------------------------------------------------------------------------
# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#Recommended minimum configuration:
#-----------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl behemoth src 192.168.1.221
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 8443
acl SSL_ports port 3690

acl Safe_ports port 80 # http
acl Safe_ports port 81
acl Safe_ports port 82
acl Safe_ports port 83
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8443
acl Safe_ports port 3690
acl purge method PURGE
acl CONNECT method CONNECT

# -----------------------------------------------------------------------------
# TAG: http_access
# -----------------------------------------------------------------------------
# Allowing or Denying access based on defined access lists

# Only allow cachemgr access from localhost
#-------------------------------------------
http_access allow manager localhost behemoth
http_access deny manager

# Only allow purge requests from localhost
#------------------------------------------
http_access allow purge localhost
http_access deny purge

# Deny requests to unknown ports
#--------------------------------
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
#--------------------------------------
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# -----------------------------------------------------------------------------
# Company Related Access
# -----------------------------------------------------------------------------

# Allow these websites without requiring authentication
#--------------------------------------------------------------
acl NO_AUTH_NEEDED dstdomain -i "/squid/no_auth_needed.txt"
http_access allow NO_AUTH_NEEDED
http_reply_access allow NO_AUTH_NEEDED

# Authenticate against domain using LDAP, not SAMBA
#------------------------------------------------------------

# Use our homebrew script called multi_domains.sh which authenticates
# against more than one domain by making multiple calls to the standard
# /usr/lib/squid/ldap_auth program and evaluating the result. The script
# passes either an "OK" or an "ERR" back to Squid.

auth_param basic program /etc/squid/multi_domains.sh
auth_param basic children 5
auth_param basic realm Squidward Proxy
auth_param basic credentialsttl 5 hours

# Test whether user is a member of Security Groups on either domain.
# One security group has been set up on each Domain and will have
# differing rules of what sites they can visit.
# The tests are performed in various shell scripts.
#--------------------------------------------------------------------
external_acl_type co_ldap_group %LOGIN /etc/squid/co_www_access.sh
external_acl_type music_ldap_group %LOGIN /etc/squid/co_www_access.sh

# Block websites using url or keywords.
# Uses "\.file$" format to block file extensions
#-------------------------------------------------
acl blocked_content url_regex -i "/squid/blocked_sites.txt"
acl blocked_media url_regex -i "/squid/multimedia.txt"

acl streaming_media rep_mime_type ^audio/mpeg ^audio/x-mpeg ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1

acl download method GET

# All computers on LAN must be prompted for password
#-------------------------------------------------------
acl computers_on_lan proxy_auth REQUIRED src 192.168.1.0/24 192.168.100.0/24

# Define ACLs for the Security Groups
#-----------------------------------------------------
acl co_group external co_ldap_group co_www_access
acl music_group external music_ldap_group music_www_access

http_access deny blocked_content download all
http_access deny blocked_content all
http_reply_access deny blocked_content all

http_access deny streaming_media co_group
http_access deny blocked_media co_group
http_access deny blocked_media download co_group
http_reply_access deny streaming_media co_group
http_reply_access deny blocked_media co_group
http_reply_access deny blocked_media download co_group

# Allow access to various ACLs
#-----------------------------
http_access allow co_group
http_access allow music_group
http_access allow localhost

# And finally deny all other access to this proxy
#-------------------------------------------------
http_access deny all

# -----------------------------------------------------------------------------
# TAG: http_reply_access
# -----------------------------------------------------------------------------

http_reply_access allow all

# -----------------------------------------------------------------------------
# TAG: icp_access
# -----------------------------------------------------------------------------

icp_access allow all

# -----------------------------------------------------------------------------
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

# Email address displayed when error occurs or access is denied
#---------------------------------------------------------------
cache_mgr radel@inet.net.nz

Amos Jeffries wrote:
> D & E Radel wrote:
>> Hi there,
>>
>> I was running Debian old stable until today. I upgraded to current
>> stable, rebooted and all was fine. Squid seemed fine.
>>
>> I then installed Squish - which went badly, so I removed it as per
>> their FAQ file. Squid was a no go. I then reverted to my old
>> previously working squid.conf and now have the error:
>>
>> squidFATAL no ports defined!
>>
>> Dang! Adding the line: "HTTP_PORT 3128" stops the error, but now I get
>> no authentication prompt in my browser. Restarting squid is fine, but
>> it doesn't seem to talk to my client's browser anymore.
>>
>> I guess that I need to back-track, so armed with my old squid.conf,
>> what can I do now - besides reverting to an early image of my drive?
>> My squid.conf uses LDAP authentication with a Windows 2003 Server.
>>
>> Thanks in advance.
>> D.Radel.
>
> You will need to check all the settings in your old working conf against
> the Release Notes about changes between 2.5 and 2.6. There have been
> quite a few improvements at the boundary.
>
> For more detailed help we will need to see a copy of the original conf
> to point out the new ways of setting some parts up.
>
>
> Amos
>
Received on Tue May 29 2007 - 14:48:43 MDT
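The http_access section of the posted squid.conf relies on Squid's first-match rule evaluation: terms on one line are AND-ed, a leading `!` negates a term, the first line whose terms all match decides, and a request matching no line gets the opposite of the last line's verb. The script below is an added example (not code from the post, the list reply, or Squid itself) that re-implements that evaluation for the acl types src, dst, port, method and dstdomain and runs it over a constructed excerpt in the style of the posted file. proxy_auth and external ACLs, which need a live helper, are deliberately left out, so the excerpt stands in for the LAN-with-password rules with a plain src ACL named `lan`.

```python
"""First-match evaluator for Squid-style http_access rules.

Added example, not code from the mailing-list post or from Squid.
It models only the acl types src, dst, port, method and dstdomain;
proxy_auth and external ACLs need a live helper and are out of scope.
"""
import ipaddress

# Constructed excerpt (not the poster's file), written in the same style:
# the port-hardening rules, the to_localhost rule that Squid's own comment
# recommends, an unauthenticated allow-list, a LAN allow and a final deny.
CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 631 873 901
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl NO_AUTH_NEEDED dstdomain .intranet.example
acl lan src 192.168.1.0/24 192.168.100.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow NO_AUTH_NEEDED
http_access allow lan
http_access deny all
"""


def parse(config):
    """Return ({acl_name: [(type, values), ...]}, [(verb, terms), ...])."""
    acls, rules = {}, []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            # Repeating an acl name appends values: its lines are OR-ed.
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _in_port_list(values, port):
    """Match a port against entries such as '80' or '1025-65535'."""
    for value in values:
        low, _, high = value.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _in_networks(values, address):
    """Match an address against CIDR or address/netmask entries."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(v, strict=False) for v in values)


def acl_matches(acls, name, req):
    """True if any line of the named acl matches the request dict."""
    for kind, values in acls[name]:
        if kind == "src" and _in_networks(values, req["src"]):
            return True
        if kind == "dst" and _in_networks(values, req["dst"]):
            return True
        if kind == "port" and _in_port_list(values, req["port"]):
            return True
        if kind == "method" and req["method"] in values:
            return True
        if kind == "dstdomain" and any(
            req["host"] == v.lstrip(".")
            or (v.startswith(".") and req["host"].endswith(v))
            for v in values
        ):
            return True
    return False


def evaluate(acls, rules, req):
    """First matching http_access line decides; terms are AND-ed and a
    leading '!' negates. With no match, the default is the opposite of
    the last line's verb. Returns (verb, index) with index None for the
    default case."""
    for index, (verb, terms) in enumerate(rules):
        hit = True
        for term in terms:
            negate = term.startswith("!")
            matched = acl_matches(acls, term.lstrip("!"), req)
            if matched == negate:  # term fails when (matched XOR negate) is False
                hit = False
                break
        if hit:
            return verb, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def decide(config, src, dst, port, method="GET", host="example.com"):
    """Evaluate one request (constructed fields) against a config string."""
    acls, rules = parse(config)
    req = {"src": src, "dst": dst, "port": port, "method": method, "host": host}
    return evaluate(acls, rules, req)


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.0/24 is a documentation range.
    for args in [("192.168.1.50", "203.0.113.10", 80),
                 ("192.168.1.50", "203.0.113.10", 25, "CONNECT"),
                 ("192.168.1.50", "203.0.113.10", 8080, "CONNECT"),
                 ("192.168.1.50", "203.0.113.10", 443, "CONNECT"),
                 ("192.168.1.50", "127.0.0.1", 80),
                 ("10.0.0.5", "203.0.113.10", 80)]:
        print(args, "->", decide(CONFIG, *args))
```

Walking the sample requests through `decide` shows what the order of the posted rules buys: a CONNECT to port 25 is stopped by `deny !Safe_ports` before any allow line is reached, a CONNECT to 8080 survives that line (8080 sits inside the `1025-65535` entry) but is stopped by `deny CONNECT !SSL_ports`, and a LAN request to 127.0.0.1 is stopped by the `to_localhost` rule that the posted file still has commented out. A host not covered by any allow line falls through to `deny all`, which is also why ending the list with an explicit deny matters: without it the default would be the opposite of whatever line happened to be last.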
