RE: [squid-users] How to make Allow/Deny Rules process faster ...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 16 Aug 2012 15:37:15 +1200

On 16.08.2012 12:41, Christopher Kurtis Koeber wrote:
> Here is the squid.conf. If there are any optimizations I can do let
> me know.
>
> The application that uses the "acl Citrix_Ports port 2598" rule is
> what I am concerned about.
>
> I probably commented out some safety/admin stuff due to
> troubleshooting.
>
> Just as a note, the actual proxy process works fast; everything comes
> up fine on the network. Just slow for certain apps.
>
> ------------------------------------------
>
> http_port 3128
>
> visible_hostname [Our Proxy FQDN]
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
> #acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
>
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
> acl blacklist-sites dstdom_regex -i "/etc/squid/blacklist-sites"
> acl whitelist-sites dstdom_regex -i "/etc/squid/whitelist-sites"
>
> acl SSL_ports port 443
>
> ###########################################
> ####### Ports for Particular User ####################
> ###########################################
> acl Citrix_Ports port 2598
> acl Citrix_Ports port 2589
> acl Citrix_Ports port 1494
> acl Citrix_Ports port 1452
> # acl Citrix_Ports port 8080
> # acl Citrix_Ports port 443
> # acl Citrix_Ports port 80
> # acl Citrix_Ports port 433
> ###########################################
> ###########################################
> ###########################################
>
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> http_access deny manager
> # http_access deny !Safe_ports
> # http_access deny CONNECT !SSL_ports
> http_access deny adobe-sites

Um, adobe-sites is not defined anywhere above.

> http_access allow Citrix_Ports
> http_access allow CONNECT Citrix_Ports

This CONNECT line is useless; the ports are already all allowed
globally by the "allow Citrix_Ports" line directly above it.

> http_access allow whitelist-sites
> http_access allow manager localhost
> http_access allow manager localnet

All "manager" access is blocked by the "deny manager" above. These lines
are useless.

> http_access allow localhost
> http_access allow localnet

A series of allows are all equivalent; sort by the fastest test or the
most-inclusive test. In this case the "localnet" numeric comparison is
faster than the "whitelist-sites" regex string comparisons.

  http_access allow localhost
  http_access allow localnet
  http_access allow whitelist-sites

Amos
Received on Thu Aug 16 2012 - 03:37:47 MDT
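The following is an added example, not part of the thread and not Squid's own code: a small Python model of Squid's first-match http_access evaluation, used to show why the ordering Amos suggests does less work and why the "allow manager localhost" and "allow CONNECT Citrix_Ports" lines never fire. It assumes the ACL definitions from the quoted squid.conf (the undefined adobe-sites rule is omitted), a constructed stand-in for the contents of /etc/squid/whitelist-sites, and constructed sample requests; it counts one "regex comparison" per pattern tried, which is a simplification of what Squid actually does internally.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client IP address
    url: str      # full request URL (what url_regex is matched against)
    host: str     # destination hostname (what dstdom_regex is matched against)
    port: int     # destination port
    method: str   # HTTP method


def _networks(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# ACL definitions taken from the squid.conf quoted in the thread
LOCALHOST = _networks("127.0.0.1/32", "::1/128")
LOCALNET = _networks("10.0.0.0/8", "192.168.0.0/16", "fc00::/7", "fe80::/10")
CITRIX_PORTS = {2598, 2589, 1494, 1452}
MANAGER_RE = [re.compile(r"^cache_object://", re.I),
              re.compile(r"^https?://[^/]+/squid-internal-mgr/", re.I)]
# Constructed stand-in for /etc/squid/whitelist-sites; the real file is not on the page
WHITELIST_RE = [re.compile(r"(^|\.)example\.org$", re.I),
                re.compile(r"(^|\.)intranet\.example$", re.I)]


class Counter:
    """Counts how many regex comparisons one evaluation needed."""
    def __init__(self):
        self.regex = 0


def _regex_match(patterns, text, counter):
    for pattern in patterns:
        counter.regex += 1
        if pattern.search(text):
            return True
    return False


# Each ACL is a predicate over (request, counter); numeric tests cost nothing here
ACLS = {
    "manager": lambda r, c: _regex_match(MANAGER_RE, r.url, c),
    "localhost": lambda r, c: any(ipaddress.ip_address(r.src) in n for n in LOCALHOST),
    "localnet": lambda r, c: any(ipaddress.ip_address(r.src) in n for n in LOCALNET),
    "Citrix_Ports": lambda r, c: r.port in CITRIX_PORTS,
    "CONNECT": lambda r, c: r.method == "CONNECT",
    "whitelist-sites": lambda r, c: _regex_match(WHITELIST_RE, r.host, c),
}

# http_access lines as posted (minus the undefined adobe-sites rule)
ORIGINAL = [
    ("deny", ["manager"]),
    ("allow", ["Citrix_Ports"]),
    ("allow", ["CONNECT", "Citrix_Ports"]),
    ("allow", ["whitelist-sites"]),
    ("allow", ["manager", "localhost"]),
    ("allow", ["manager", "localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet"]),
]

# The ordering suggested in the reply: cheap numeric tests before the regex test
REORDERED = [
    ("deny", ["manager"]),
    ("allow", ["Citrix_Ports"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet"]),
    ("allow", ["whitelist-sites"]),
]


def evaluate(rules, req):
    """First-match evaluation of an http_access list.

    Returns (action, index of the matching rule or None, regex comparisons made).
    ACLs on one line are tested left to right and the line is abandoned at the
    first non-matching ACL; if no line matches, the result is the opposite of
    the last line's action (Squid's documented default).
    """
    counter = Counter()
    for idx, (action, acl_names) in enumerate(rules):
        matched = True
        for name in acl_names:
            negate = name.startswith("!")
            if ACLS[name.lstrip("!")](req, counter) == negate:
                matched = False
                break
        if matched:
            return action, idx, counter.regex
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, None, counter.regex


# Constructed sample requests (RFC 1918 / RFC 5737 addresses, example.* hostnames)
LAN_GET = Request("192.168.1.20", "http://www.example.net/", "www.example.net", 80, "GET")
LOCAL_MGR = Request("127.0.0.1", "cache_object://localhost/info", "localhost", 3128, "GET")
EXT_CITRIX = Request("203.0.113.5", "citrix.example.net:2598", "citrix.example.net", 2598, "CONNECT")
EXT_OTHER = Request("203.0.113.5", "http://www.example.net/", "www.example.net", 80, "GET")

if __name__ == "__main__":
    for label, req in [("LAN GET", LAN_GET), ("local manager", LOCAL_MGR),
                       ("external CONNECT 2598", EXT_CITRIX), ("external GET", EXT_OTHER)]:
        print(f"{label:22s} original={evaluate(ORIGINAL, req)}  reordered={evaluate(REORDERED, req)}")
```

For the LAN client the original list makes eight regex comparisons before "allow localnet" fires (manager twice, whitelist once, then manager twice more on each of the two shadowed "allow manager ..." lines); the reordered list makes two. The manager request from localhost is denied at rule 0 in both lists, and the external CONNECT to port 2598 is allowed at rule 1 in both, before the "allow CONNECT Citrix_Ports" line is ever reached.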
