Re: [squid-users] About my squid.conf

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 15 Feb 2008 10:35:27 +1300 (NZDT)

> On 2/14/08, Amos Jeffries <squid3@treenet.co.nz> wrote:
>> > Here in my simple server, the squid works fine, but after posting a
>> > message about radio, Amos said:
>> >
>> > " Squid is actually an
>> > interceptor, not fully transparent. When they go down clients can expect
>> > 'Unable to Connect' errors. "
>> >
>> > And, this is true. When my squid goes down, my clients can't surf
>> > because squid is not working.
>> >
>> > I don't have another server, and I don't need to.
>> >
>> > I only need to control the navigation of my clients on the internet.
>> >
>> > So, if possible, I would like someone to look at my squid.conf and tell
>> > me if it is good or needs improvement.
>> >
>> > Thanks for all.
>> >
>> > My squid.conf:
>> >
>> > http_port 10.0.0.250:3128 transparent
>> >
>> > icp_port 0
>> >
>> > cache_mem 128 MB
>> > cache_swap_low 90
>> > cache_swap_high 95
>> > cache_dir ufs /usr/local/squid/var/cache 1024 16 256
>> > cache_access_log /usr/local/squid/var/logs/access.log
>> > cache_log /usr/local/squid/var/logs/cache.log
>> > cache_store_log none
>> > maximum_object_size_in_memory 1 MB
>> > maximum_object_size 100 MB
>> > minimum_object_size 0 MB
>> >
>> > pid_filename /usr/local/squid/var/logs/squid.pid
>> >
>> > visible_hostname squid.provider.com.br
>> >
>> > cache_effective_user squidaemon
>> > cache_effective_group squid
>> >
>> > acl autologinDSA dst 10.0.0.250/32
>> >
>> > acl diretor src 10.0.0.55/32
>> > acl recepcao src 10.0.0.57/32
>> > acl financeiro src 10.0.0.56/32
>> > acl suporte src 10.0.0.248/32
>> > acl suporte2 src 10.0.0.13/32
>> >
>> > acl vip1 src 10.0.1.0/28
>> > acl vip2 src 10.0.2.0/28
>> > acl vip3 src 10.0.3.0/28
>> > acl vip4 src 10.0.4.0/28
>> >
>> > acl forbidden_words url_regex -i "/usr/local/squid/etc/forbidden_words"
>> > acl forbidden_down url_regex -i "/usr/local/squid/etc/forbidden_down"
>> >
>> > external_acl_type checkip children=40 % SRC /usr/local/mwsystem/squid/sbin/checkv2.sh
>>
>> no gap in " %SRC "
>>
>> >
>> > acl checkblock external checkip
>> >
>> > acl all src 0.0.0.0/0.0.0.0
>> > acl localnet src 10.0.0.0/16
>> > acl localhost src 127.0.0.0/32
>> > acl method_control proto cache_object
>> >
>> > http_access allow method_control localhost
>> > http_access deny method_control
>> >
>> > http_access allow autologinDSa
>> >
>> > http_access deny checkblock !autologinDSA
>> >
>> > http_access allow diretor
>> > http_access allow diretor forbidden_down
>>
>> If s/he is allowed all access, no need to bother with regex.
>>
>> >
>> > http_access allow recepcao autologinDSA
>>
>> If s/he is allowed all access, no need to bother with some destinations.
>>
>> > http_access allow recepcao
>> >
>> > http_access deny financeiro
>> >
>> > http_access allow suporte
>> > http_access allow suporte2
>> >
>> > http_access deny forbidden_words
>> > http_access deny forbidden_down
>> >
>> > http_access allow vip1
>> > http_access allow vip2
>> > http_access allow vip3
>> > http_access allow vip4
>> >
>> > http_access deny localnet !autologinDSA
>> > http_access deny all
>> > http_access deny localnet
>>
>> Only need the middle one there.
>> For some reason there is no allow for checkblock people.
>>
>> They get authenticated, then nothing matches for them until the final
>> "deny all"
>>
>> Amos
>>
>>
>>
>
> Checkblock is an external program. It verifies the machine's IP and blocks
> it if the IP is in a configuration file.

So it has the ability to block people visiting the machine at
autologinDSA, with a default-allow policy for
diretor,recepcao,suporte,suporte2 and vip(1,2,3,4) BUT default-deny policy
for everyone else?

Amos
Received on Thu Feb 14 2008 - 14:35:31 MST
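To make the first-match behaviour discussed in this thread concrete, below is an added Python simulation of how Squid walks an http_access list. It is example code written for this archive page, not code from the thread, from the poster's checkv2.sh, or from Squid itself. The ACL names, addresses and the order of the posted http_access lines are copied from the squid.conf above; the blocklist contents, the two url_regex word lists and the client requests are constructed stand-ins. The TIDIED list is one reading of Amos's remarks (redundant lines dropped) plus an added `allow localnet`, which is an assumption about the intended policy for hosts that checkblock does not match, not something the thread settles.

```python
"""Simulate Squid's first-match http_access evaluation over the posted rules.
ACL names, addresses and rule order come from the posted squid.conf; the
blocklist, the regex word files and the client requests are constructed
stand-ins so this runs offline (added example, not code from the thread)."""
import ipaddress
import re

BLOCKED_IPS = {"10.0.0.13"}              # constructed: what checkv2.sh consults
FORBIDDEN_WORDS = ["casino", "torrent"]  # constructed: forbidden_words file
FORBIDDEN_DOWN = [r"\.exe$", r"\.mp3$"]  # constructed: forbidden_down file


def ip_acl(field, cidr):  # 'acl NAME src|dst CIDR'
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r[field]) in net


def url_regex(patterns):  # 'acl NAME url_regex -i FILE'
    rx = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda r: any(x.search(r["url"]) for x in rx)


ACLS = {
    "autologinDSA": ip_acl("dst", "10.0.0.250/32"),
    "diretor": ip_acl("src", "10.0.0.55/32"), "recepcao": ip_acl("src", "10.0.0.57/32"),
    "financeiro": ip_acl("src", "10.0.0.56/32"), "suporte": ip_acl("src", "10.0.0.248/32"),
    "suporte2": ip_acl("src", "10.0.0.13/32"),
    "vip1": ip_acl("src", "10.0.1.0/28"), "vip2": ip_acl("src", "10.0.2.0/28"),
    "vip3": ip_acl("src", "10.0.3.0/28"), "vip4": ip_acl("src", "10.0.4.0/28"),
    "forbidden_words": url_regex(FORBIDDEN_WORDS),
    "forbidden_down": url_regex(FORBIDDEN_DOWN),
    # external_acl_type checkip %SRC: the helper answers OK (ACL matches) for
    # addresses listed in its file, so a match means "block".
    "checkblock": lambda r: r["src"] in BLOCKED_IPS,
    "all": ip_acl("src", "0.0.0.0/0"),
    "localnet": ip_acl("src", "10.0.0.0/16"),
    "localhost": ip_acl("src", "127.0.0.0/32"),  # as posted: covers 127.0.0.0 only
    "method_control": lambda r: r["proto"] == "cache_object",
}
ACLS_FIXED = dict(ACLS, localhost=ip_acl("src", "127.0.0.1/32"))  # real loopback

# Each entry is one 'http_access ...' line, in the posted order.
POSTED = [
    "allow method_control localhost", "deny method_control",
    "allow autologinDSA", "deny checkblock !autologinDSA",
    "allow diretor", "allow diretor forbidden_down",
    "allow recepcao autologinDSA", "allow recepcao", "deny financeiro",
    "allow suporte", "allow suporte2", "deny forbidden_words", "deny forbidden_down",
    "allow vip1", "allow vip2", "allow vip3", "allow vip4",
    "deny localnet !autologinDSA", "deny all", "deny localnet"]

# One reading of the review remarks: redundant lines dropped and, as an
# assumption, the rest of localnet allowed once checkblock has not matched.
TIDIED = [
    "allow method_control localhost", "deny method_control",
    "allow autologinDSA", "deny checkblock",
    "allow diretor", "allow recepcao", "deny financeiro", "allow suporte", "allow suporte2",
    "deny forbidden_words", "deny forbidden_down",
    "allow vip1", "allow vip2", "allow vip3", "allow vip4",
    "allow localnet", "deny all"]


def decide(rules, request, acls=ACLS):
    """Return (action, index of the deciding line, or None for the default).
    Squid ANDs the ACLs on one line ('!' negates one), tries lines top to
    bottom and stops at the first full match; if nothing matches, the default
    is the opposite of the last line's action."""
    for i, rule in enumerate(rules):
        action, *terms = rule.split()
        if all(acls[t.lstrip("!")](request) != t.startswith("!") for t in terms):
            return action, i
    return ("deny" if rules[-1].split()[0] == "allow" else "allow"), None


def req(src_ip, url="http://192.0.2.10/news", dst_ip="192.0.2.10", proto="http"):
    return {"src": src_ip, "url": url, "dst": dst_ip, "proto": proto}


# Constructed requests; 192.0.2.0/24 is documentation address space.
R_DIRETOR = req("10.0.0.55", url="http://192.0.2.10/casino")
R_PLAIN = req("10.0.0.99")    # not blocked, but in no named ACL
R_BLOCKED = req("10.0.0.13")  # suporte2 host that checkv2.sh blocks
R_VIP_BAD = req("10.0.1.5", url="http://192.0.2.10/files/song.mp3")
R_AUTOLOGIN = req("10.0.0.99", url="http://10.0.0.250/login", dst_ip="10.0.0.250")
R_CACHEMGR = req("127.0.0.1", url="cache_object://localhost/info",
                 dst_ip="127.0.0.1", proto="cache_object")

if __name__ == "__main__":
    for name, r in [("diretor", R_DIRETOR), ("plain", R_PLAIN), ("blocked", R_BLOCKED),
                    ("vip_bad", R_VIP_BAD), ("autologin", R_AUTOLOGIN), ("cachemgr", R_CACHEMGR)]:
        print(f"{name:9} posted={decide(POSTED, r)}  tidied={decide(TIDIED, r)}")
    print("cachemgr, localhost=127.0.0.1/32:", decide(TIDIED, R_CACHEMGR, ACLS_FIXED))
```

Running it shows the point Amos makes: a 10.0.0.0/16 host that checkblock does not match and that is in none of the named ACLs (R_PLAIN) walks past every allow and is denied at `deny localnet !autologinDSA` under the posted list, which is effectively the final `deny all`; under TIDIED the added `allow localnet` catches it. Order matters in the other direction too: the suporte2 host on the blocklist (R_BLOCKED) is denied at the checkblock line in both lists because that deny sits above `allow suporte2`, and a vip1 client fetching a .mp3 is denied at `deny forbidden_down` because the regex denies precede the vip allows. One caveat the thread does not mention: the posted `acl localhost src 127.0.0.0/32` covers the single address 127.0.0.0, so a cache manager request arriving from 127.0.0.1 fails the first line and is stopped by `deny method_control`; ACLS_FIXED swaps in 127.0.0.1/32 to show the intended result.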

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST