Joshua Chamas wrote:
> I would like to use squid as a raw httpd accelerator.
> Nothing else. As security is a concern to me, I would
> like to not compile in other functionality. Is there
> some --enable-raw-httpd-accl compile tag I can use
> to achieve this affect? I am not interested in ICP,
> nor other protocols like ftp, snmp, dns, etc.
No. Most of these are non-optional parts of Squid (http, ftp, gopher,
ICP and dns loookups). SNMP is an optional feature which has to be
explicitly enabled at build time. You can however configure Squid to not
use or listen for ICP, and reject all but the kind of requests you are
interested in.
Squid is mainly a HTTP proxy server. The accelerator mode is a bonus,
but I would not say that Squid is a very good or even fast HTTP server
accelerator.
Simplest and secure squid.conf accelerating a single server with a
single domain:
icp_port 0
htcp_port 0 # if enabled
httpd_accel_host backendserver.example.com
httpd_accel_uses_host_header off
httpd_accel_with_proxy off
"httpd_accel_with_proxy off" takes care of denying all but HTTP server
requests. Similar thing can be acheived using access control lists but
then a substatial larger amount of code is being used to deny the
requests.
> I know I can strip it, and when I do, I get a squid 500K,
> but I would rather avoid the strip in case of a core dump.
> My 11M squid only gzip's down to 3.5 M.
As long as you keep the unstripped binary somewhere close to your
debugger and sources there is no problem running off a stripped binary.
Debug information does not affect core dumps in any way, so you will be
able to analyze the coredump using the unstripped binary even if it was
generated running a stripped binary. You need howevere to be track your
build versions carefully. A coredump is useless unless analysed with
exactly the same binary build.
-- Henrik Nordstrom Spare time Squid hackerReceived on Wed Apr 07 1999 - 20:07:37 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:45:45 MST