Re: [squid-users] About my squid.conf

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 14 Feb 2008 16:19:43 +1300 (NZDT)

> Here in my simple server, the squid works fine, but after posting a
> message about radio, Amos said:
>
> " Squid is actually an
> interceptor, not fully transparent. When they go down clients can expect
> 'Unable to Connect' errors. "
>
> And, this is true. When my squid goes down, my clients can't surf
> because squid is not working.
>
> I don't have another server, and I don't need to.
>
> I only need to control the navigation of my clients on the internet.
>
> So, if possible, I would like someone to look at my squid.conf and tell me if
> it is good or needs improvement.
>
> Thanks for all.
>
> My squid.conf:
>
> http_port 10.0.0.250:3128 transparent
>
> icp_port 0
>
> cache_mem 128 MB
> cache_swap_low 90
> cache_swap_high 95
> cache_dir ufs /usr/local/squid/var/cache 1024 16 256
> cache_access_log /usr/local/squid/var/logs/access.log
> cache_log /usr/local/squid/var/logs/cache.log
> cache_store_log none
> maximum_object_size_in_memory 1 MB
> maximum_object_size 100 MB
> minimum_object_size 0 MB
>
> pid_filename /usr/local/squid/var/logs/squid.pid
>
> visible_hostname squid.provider.com.br
>
> cache_effective_user squidaemon
> cache_effective_group squid
>
> acl autologinDSA dst 10.0.0.250/32
>
> acl diretor src 10.0.0.55/32
> acl recepcao src 10.0.0.57/32
> acl financeiro src 10.0.0.56/32
> acl suporte src 10.0.0.248/32
> acl suporte2 src 10.0.0.13/32
>
> acl vip1 src 10.0.1.0/28
> acl vip2 src 10.0.2.0/28
> acl vip3 src 10.0.3.0/28
> acl vip4 src 10.0.4.0/28
>
> acl forbidden_words url_regex -i "/usr/local/squid/etc/forbidden_words"
> acl forbidden_down url_regex -i "/usr/local/squid/etc/forbidden_down"
>
> external_acl_type checkip children=40 % SRC
> /usr/local/mwsystem/squid/sbin/checkv2.sh

 no gap in " %SRC "

>
> acl checkblock external checkip
>
> acl all src 0.0.0.0/0.0.0.0
> acl localnet src 10.0.0.0/16
> acl localhost src 127.0.0.0/32
> acl method_control proto cache_object
>
> http_access allow method_control localhost
> http_access deny method_control
>
> http_access allow autologinDSa
>
> http_access deny checkblock !autologinDSA
>
> http_access allow diretor
> http_access allow diretor forbidden_down

If s/he is allowed all access, no need to bother with regex.

>
> http_access allow recepcao autologinDSA

If s/he is allowed all access, no need to bother with some destinations.

> http_access allow recepcao
>
> http_access deny financeiro
>
> http_access allow suporte
> http_access allow suporte2
>
> http_access deny forbidden_words
> http_access deny forbidden_down
>
> http_access allow vip1
> http_access allow vip2
> http_access allow vip3
> http_access allow vip4
>
> http_access deny localnet !autologinDSA
> http_access deny all
> http_access deny localnet

Only need the middle one there.
For some reason there is no allow for checkblock people.

They get authenticated, then nothing matches for them until the final
"deny all"

Amos
Received on Wed Feb 13 2008 - 20:19:47 MST
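
Squid checks http_access lines top to bottom and stops at the first one whose ACLs all match, which is why several of the lines commented on above never change the outcome. The script below is an added example, not part of the original thread or of Squid: it runs a simple name-subset test over the http_access lines copied from the posted config, and assumes ACL names compare case-insensitively and that `all` matches every request (it does not compare IP ranges).

```python
RULES = """\
http_access allow method_control localhost
http_access deny method_control
http_access allow autologinDSa
http_access deny checkblock !autologinDSA
http_access allow diretor
http_access allow diretor forbidden_down
http_access allow recepcao autologinDSA
http_access allow recepcao
http_access deny financeiro
http_access allow suporte
http_access allow suporte2
http_access deny forbidden_words
http_access deny forbidden_down
http_access allow vip1
http_access allow vip2
http_access allow vip3
http_access allow vip4
http_access deny localnet !autologinDSA
http_access deny all
http_access deny localnet
"""

def parse(text):
    """Return [(action, frozenset_of_acl_literals)] for each http_access line."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "http_access":
            # Assumed: names are case-insensitive; "all" matches every request.
            conds = frozenset(p.lower() for p in parts[2:]) - {"all"}
            rules.append((parts[1], conds))
    return rules

def audit(rules):
    """Return [(index, kind, index_of_rule_responsible)], 0-based, literal subset tests only."""
    findings = []
    for j, (action, conds) in enumerate(rules):
        # Unreachable: an earlier rule matches every request this one matches.
        earlier = next((i for i in range(j) if rules[i][1] <= conds), None)
        if earlier is not None:
            findings.append((j, "unreachable", earlier))
        # Redundant: the very next rule gives the same verdict to a superset.
        elif j + 1 < len(rules) and rules[j + 1][0] == action and rules[j + 1][1] <= conds:
            findings.append((j, "redundant", j + 1))
    return findings

if __name__ == "__main__":
    for idx, kind, cause in audit(parse(RULES)):
        print(f"rule {idx + 1} is {kind} because of rule {cause + 1}")
```

Of the last three deny lines, the first is reported as redundant and the third as unreachable, leaving only `deny all`.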
