Re: [squid-users] Help configuriing Squid with delay pools

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 17 Jun 2010 00:09:18 +1200

Jorge Perez wrote:
> Hello, we are implementing a squid proxy server in my office.
>
> The principal idea is to limit bandwith using delay pools and also block some websites.
>
> We have made our config and its working, but we dont know if everyting is correct specially in the delay pools part.
>
> **Introduction:
>
> We have dedicated broadband with :
> 4MB FOR INTERNATIONAL TRAFIC
> 100MB FOR NATIONAL
> PROXY: 192.168.169.3
> GATEWAY: 192.168.169.2
> Users: like 150 daily
>
> **We want to divide our internal lan in 5 groups with the following rules PER USER.
>
> GROUP 1: normales from 192.168.169.30 to 192.168.169.129
>
> -If a user exceeds 10mb when downloading a file limit to 10kb of download speed.
>
> GROUP 2: tecnicos from 192.168.169.130 to 192.168.169.149
>
> -File bigger than 50mb, limit to 30kb
>
> GROUP 3: administrador 192.168.169.150 to 192.168.169.189
>
> -File bigger than 100mb limit to 30kb
>
> GROUP 4: estudio 192.168.169.190 to 192.168.169.219
>
> -No downloads for files or very slow, but freely web surfing including youtube.
>
> GROUP 5: gerencia 192.168.169.220 to 192.168.169.252
>
> -Everyting unlimited
>
> **We want to block the following sites from 192.168.169.1 to 192.168.169.129 :
>
> BLOCK:
> [CODE].facebook.com .twitter.com .doubleclick.com .fotolog.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com .rapidshare.de .mediafire.com .hotfile.com .myspace.com .fotolog.terra.cl .fotologs.com .portalnet.cl .taringa.net .antro.cl .chilewarez.cl .chilebt.com .shared.cl .comparte.cl .mininova.org .torrentz.com .flickr.com .flicker.net .keepvid.com .kotteshiro.com .no-ip.org .no-ip.com .redtube.com .xnxx.com .muyzorras.com .bananacorp.cl .orgasmatrix.com .depositfiles.com[/CODE]
>
> **From: 192.168.169.130 to 192.168.169.149
> BLOCK: Same as above unless facebook.com
>
> **Deny from 192.168.169.1 to 192.168.169.29 DOWNLOADING THE FOLLOWING EXTENSIONS:
> [CODE].exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov[/CODE]
>
> [B]We dont know if the rules per group are possible with the bandwidth we have, also everyone surfs a lot youtube, we need that to not eat so much bandwith[/B].
>
> Here is our current squid.conf
>
> [QUOTE]
> http_port 192.168.169.3:3128 transparent

Problem #1: CVE_2009-0801 "transparent" mode can be easily abused to
infect entire networks if the proxy port can be reached by non-NATed
traffic. Port 3128 is not safe to use for this.

> cache_dir ufs /usr/local/squid/var/cache 250 16 256
> cache_effective_user squid
> cache_effective_group squid
> access_log /usr/local/squid/var/logs/access.log squid
> ################################
> acl localnet src 192.168.169.0/255.255.255.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #### SITIOS BLOKEADOS #####
> acl restobb src 192.168.169.1-192.168.169.129
> acl sucky_urls dstdomain .facebook.com .twitter.com .doubleclick.com .fotolog.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com .rapidshare.de .medi$
> deny_info [url]http://www.xxxxxxx.xx/error.html[/url] sucky_urls
> http_access deny restobb sucky_urls
> ######################## NO DESCARGAS #####
> acl resto src 192.168.169.1-192.168.169.29/32
> acl descargas_negadas url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
> deny_info [url]http://www.xxxxxxxxxx.xx/error.html[/url] descargas_negadas
> http_access deny resto descargas_negadas
> ######################## SITIOS CASI BLOKEADOS ###############
> acl restobb2 src 192.168.169.130-192.168.169.149
> acl sucky_urls2 dstdomain .twitter.com .doubleclick.com .fotolog.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com .rapidshare.de .mediafire.com .de$
> deny_info [url]http://www.xxxxxxxx.xx/error.html[/url] sucky_urls2
> http_access deny restobb2 sucky_urls2
> ########################
> http_access allow CONNECT SSL_ports

The above line is a wide open security hole. It lets ANYONE who can
reach your proxy send traffic to HTTPS ports.

I assume the intended affect was to permit your local networks HTTPS?
That is already configured by the current combination of "deny CONNECT
!SSL_ports" and "allow localnet" rules below.

NP: the lines that follows this contain the basic security safety nets
for DoS and other abuse protection. It really should be above all the
local custom http_access rules.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> ########################
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> ##############################
> http_reply_access allow localnet

Good. This is the only thing in Squid config protecting you from that
CONNECT security hole opened above.

> http_reply_access deny all
> #############################
> #REGLAS DESCARGAS
> acl normales src 192.168.169.30-192.168.169.129/32
> acl tecnicos src 192.168.169.130-192.168.169.149/32
> acl administrador src 192.168.169.150-192.168.169.189/32
> acl estudio src 192.168.169.190-192.168.169.219/32
> acl gerencia src 192.168.169.220-192.168.169.252/32

> acl descargas url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

Not doing what you expect.

Use this instead for the file types (its one line):

   acl descrgas_files urlpath_regex -i
\.(exe|vqf|gz|zip|r[ap][rwm]|avi|mpe?g?3?|qt|ra?m|iso|wav|mov)(\?.*)?$

NP: was the "ftp" pattern meant to match FTP protocol or actually any
domain or file with "ftp" in the name?

For FTP protocol:
   acl FTP proto FTP

>
> delay_pools 5
>
> delay_class 1 1
> delay_parameters 1 10240/10485760 10240/10485760
> delay_access 1 allow normales descargas
> delay_access 1 deny all
>
> delay_class 2 1
> delay_parameters 2 30720/104857600 30720/104857600
> delay_access 2 allow tecnicos descargas
> delay_access 2 deny all
>
> delay_class 3 1
> delay_parameters 3 30720/104857600 30720/104857600
> delay_access 3 allow administrador descargas
> delay_access 3 deny all
>
> delay_class 4 1
> delay_parameters 4 -1/-1 -1/-1
> delay_access 4 allow gerencia descargas
> delay_access 4 deny all

The above pool means no limit. It's much better simply to not pool these
people.

>
> delay_class 5 1
> delay_parameters 5 10240/10240 10240/10240
> delay_access 5 allow estudio descargas
> delay_access 5 deny all
>
> [/QUOTE]
>
> [B]I hope that u guys can help us out to achieve what we are looking for.[/B]
>
> You can see this more clearly at http://www.linuxquestions.org/questions/showthread.php?p=4004534#post4004534
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.4
Received on Wed Jun 16 2010 - 12:09:33 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 16 2010 - 12:00:03 MDT