Re: [squid-users] Verify Squid.conf File

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 22 Oct 2008 00:03:31 +1300

Tarak Ranjan wrote:
> hi List,
> can anyone provide me the url for verifying the
> squid.conf file. & I want suggestion from the list ,
> that how my current squid.conf file looks, & how can I
> improve the security as well as performance level ,

Sorry I have not maintained the tester very well.
I figured out a better way to keep it up to date and took it down to
recode, but have not finished yet. I've picked out the important things
it would warn you about in a manual check below.

For now the best way is to ask your squid if it can find any problem
   squid -k check

I've put any comments from a manual check below the relevant config lines.

>
> http_port 8080 transparent
> hierarchy_stoplist cgi-bin ?

> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

We are now recommending that people drop the above two lines in favor of
a new refresh_pattern.

(If you don't have peering it works much better. If you have peering,
then it may cause problems marking some peer-fetched items incorrectly
for cachability.)

> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_mem 256 MB
> maximum_object_size 1024 KB
> cache_dir ufs /cache 10000 24 256
> access_log /var/log/squid/access.log
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320

Note new refresh pattern in position above.

> half_closed_clients off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl x-type req_mime_type -i ^application/x-mplayer2$
> acl x-type req_mime_type -i application/x-mplayer2
> acl x-type req_mime_type -i ^application/x-oleobject$
> acl x-type req_mime_type -i application/x-oleobject
> acl x-type req_mime_type -i application/x-pncmd
> acl x-type req_mime_type -i ^video/x-ms-asf$
> acl x-type2 rep_mime_type -i ^application/x-mplayer2$
> acl x-type2 rep_mime_type -i application/x-mplayer2
> acl x-type2 rep_mime_type -i ^application/x-oleobject$
> acl x-type2 rep_mime_type -i application/x-oleobject
> acl x-type2 rep_mime_type -i application/x-pncmd
> acl x-type2 rep_mime_type -i ^video/x-ms-asf$
> acl blocksites dstdomain "/etc/squid/squid-block.acl"
> acl extndeny url_regex -i "/etc/squid/extndeny"
> acl download method GET
> acl blockfiles urlpath_regex -i
> "/etc/squid/multimedia.files.acl"
> acl malware_block_list url_regex -i
> "/etc/squid/malware_block_list.txt"
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 25 # External Mail
> acl Safe_ports port 110 # External Mail
> acl Safe_ports port 1863 # MSN
> acl Safe_ports port 4883 #Articulate TEMP
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow manager localhost
> http_access deny manager
> http_access deny x-type all
> http_reply_access deny x-type all
> http_access deny x-type2 all
> http_reply_access deny x-type2 all
> http_access deny extndeny download

The line above is obsolete in relation to the line below.
You can drop the one above for slightly faster processing.

> http_access deny extndeny
> http_reply_access deny blockfiles
> http_access deny blocksites

The above is the fastest of your deny ACLs, I'd move it up to just below
the manager controls for slightly faster processing on denials.

> http_access deny malware_block_list

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

These two above have already been done, yes? So having them again is a
complete waste of CPU.

> acl lk_network src 192.168.1.0/24
> acl localweb1 dstdomain .lk.com
> http_access allow lk_network
> acl local-servers1 dstdomain example.com
> always_direct deny local-servers1
> always_direct allow localweb1
> acl local-servers2 dstdomain lk.com
> always_direct deny local-servers2
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid

Try to stay away from setting effective group in squid. The OS controls
are much better at it than squid can be.

> coredump_dir /var/spool/squid
>

Amos

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
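An added example (my own script, not Squid's tooling and not part of the thread) that scans a squid.conf for the points raised in the review above: verbatim duplicate access rules, a narrower deny rule made obsolete by a later broader one, the old `cache deny QUERY` idiom, and `cache_effective_group`. The sample config is constructed from the one quoted above.

```python
"""Lint a squid.conf for the review points above (added example, not Squid's own tooling)."""
from collections import Counter

# Constructed sample, trimmed from the config quoted in the thread.
SAMPLE_CONF = """\
acl QUERY urlpath_regex cgi-bin \\?
cache deny QUERY
acl extndeny url_regex -i "/etc/squid/extndeny"
acl download method GET
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny extndeny download
http_access deny extndeny
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
cache_effective_group squid
"""

def parse(conf):
    """Split squid.conf into token lists, dropping comments and blank lines."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line.split())
    return rules

def lint(conf):
    """Return (finding-kind, offending-line) pairs for the issues above."""
    findings = []
    rules = parse(conf)
    access = [r for r in rules if r[0] in ("http_access", "http_reply_access")]
    # 1. verbatim duplicate access rules: a second copy can never match anything new
    counts = Counter(" ".join(r) for r in access)
    findings += [("duplicate", text) for text, n in counts.items() if n > 1]
    # 2. same directive/action, but the earlier rule's ACL list is a strict superset of a
    #    later one ("deny extndeny download" before "deny extndeny"): the earlier rule is
    #    obsolete, provided no intervening rule changes the outcome (confirm by hand).
    for i, a in enumerate(access):
        for b in access[i + 1:]:
            if a[:2] == b[:2] and set(b[2:]) < set(a[2:]):
                findings.append(("subsumed", " ".join(a)))
    # 3. "cache deny" on a cgi-bin/? urlpath_regex ACL is the old query-caching idiom;
    #    the recommended replacement is: refresh_pattern (/cgi-bin/|\?) 0 0% 0
    query_acls = {r[1] for r in rules if r[0] == "acl" and len(r) > 3 and r[2] == "urlpath_regex"
                  and any("cgi-bin" in t or "?" in t for t in r[3:])}
    findings += [("old-query-idiom", " ".join(r)) for r in rules
                 if r[:2] == ["cache", "deny"] and r[2:3] and r[2] in query_acls]
    # 4. effective group is better left to the OS account setup
    findings += [("effective-group", " ".join(r)) for r in rules if r[0] == "cache_effective_group"]
    return findings

if __name__ == "__main__":
    for kind, line in lint(SAMPLE_CONF):
        print(f"{kind}: {line}")
```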
Received on Tue Oct 21 2008 - 11:03:38 MDT
