Re: [squid-users] newbie question - URGENT

From: System Administrator <admin@dont-contact.us>
Date: Sun, 06 May 2001 11:49:16 +1000

Hi,

> (you are not using apache as your proxy server, right?)
I believe this is correct.

> You have your local clients in your LAN. and you have your dialup
> clients (your customer) who are accessing your LAN also.
Yup - I have a single class C network, 203.36.180.0. There are half a
dozen computers on the LAN that are used by staff. Then there are 200
dialup customers. The dialup customers do not need to access any
computer on the LAN, only the web, mail and news servers.

> Suppose your dialup client can only access the webpages you
> host, but they are accessing non-local web sites and the
> bandwidth has been taken up. As a result, your local clients get
> very poor response from your squid server.
Essentially correct.

There are three scenarios I want to allow.

1. All LAN users can surf anywhere.
2. Dialup customers can surf anywhere (but cannot access computers on
the LAN except the Internet servers).
3. Since I host some websites I want the public at large to be able to
access my website, and those that I host.

> Basically Cooper got the excellent idea for you to control your
> client http access.
Yes, I agree with both your approaches; unfortunately, due to a lack of
communication skills on my part, the problem hasn't been clearly
explained.

Apart from the three scenarios above, all other traffic into and out of
my network (i.e. the router) should be banned.

The following appears to be happening:

1. People outside my network appear to be using my ISDN line to send and
receive data (receive at 700mb per day at present, and send at 1 gig
per day). They are requests that (according to squid's access_log)
appear to be originating from IPs all over the world and going to web
sites all over the world.

2. My squid cache is slowly but surely emptying. I have a 14gig cache
and it's now down to 8 gigs (it was full two weeks ago, and happily
working with its LRU algorithm).

This is my current squid config (I haven't applied Joe's or your
suggestions to it yet, so you can see how it has always been).

# ACL definitions: every client anywhere, the cache manager protocol,
# the proxy host itself and the admin's address
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl admin src 203.36.180.5/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

# http_access lines are tried in order; the first line whose ACLs all
# match decides
http_access allow manager localhost
http_access allow manager admin
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# No source restriction at all: any client that reaches this port may
# proxy through it
http_access allow all

> But I would like to add in a few things based on my limited knowledge
> (1) define an acl list for your local web sites
> create a file containing all your local web sites (URL), let's say,
> localweb.acl
> and allow all your local clients and dialup clients access to this
> (2) you need to define 2 sets of acl lists for your local and dialup
> make sure you got the ip address range correct if you are using
> dhcp
I'm not using DHCP. I'm using MGETTY for the dialups and LAN users have
static addresses.

But I like your solution. I will apply it.

Do you think this will address the problems as explained above?

Thanks for your help people.

Phillip

--
Are you in business?
Are you able to be found worldwide?
Get into the premier online directory for only $52AU per year
Quickpages Business Directories
http://www.quickpages.com.au/netbiz
Received on Sat May 05 2001 - 19:48:21 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:59:50 MST
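The behaviour Phillip describes (requests from IPs all over the world in access_log, the cache being churned) follows directly from how Squid evaluates http_access: a line matches only when every ACL on it matches, lines are tried top to bottom, the first match decides, and nothing in the posted config ever looks at the client's source address before `http_access allow all`. The following is an added example, not Squid's code and not part of the thread: a small Python model of that evaluation, run over the config as posted and over a restricted version built along the lines the reply suggests. The 203.36.180.0/24 range is the class C named in the message; the `.example.net` hosted-site domain and the client addresses are constructed placeholders.

```python
"""Model of Squid http_access evaluation (added example, not Squid's own code).

Rules modelled:
  * an http_access line matches only when every ACL on it matches;
    a leading '!' negates that one ACL;
  * lines are tried top to bottom and the first match decides;
  * when no line matches, the result is the opposite of the last line's action.
Only the ACL types used in this thread are supported (src, proto, port, method)
plus dstdomain for the "local web sites" list the reply suggests.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str            # client IP address
    dstdomain: str      # host part of the requested URL
    port: int           # destination port
    method: str = "GET"
    proto: str = "http"


def parse_config(text):
    """Collect acl definitions and http_access lines from squid.conf-style text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acltype, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acltype, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Does the named ACL match this request?"""
    acltype, values = acls[name]
    if acltype == "src":
        # Squid accepts a.b.c.d/netmask or a.b.c.d/prefix; ipaddress does too.
        addr = ipaddress.ip_address(req.src)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "port":
        for v in values:
            lo, _, hi = v.partition("-")        # "80" or "1025-65535"
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acltype == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acltype == "proto":
        return req.proto.lower() in {v.lower() for v in values}
    if acltype == "dstdomain":
        host = req.dstdomain.lower()
        # ".example.net" matches the domain and its subdomains; no dot means exact.
        return any(host == v.lower().lstrip(".")
                   or (v.startswith(".") and host.endswith(v.lower()))
                   for v in values)
    raise ValueError("acl type not modelled: " + acltype)


def http_access(config_text, req):
    """True if Squid would allow the request, False if it would deny it."""
    acls, rules = parse_config(config_text)
    for allow, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return not rules[-1][0]  # no line matched: opposite of the last action


# Copied from the message: nothing here restricts the client's source address.
POSTED = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl admin src 203.36.180.5/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager admin
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

# Constructed along the lines of the reply: 203.36.180.0/24 is the class C named
# in the message; ".example.net" is a placeholder for the sites Phillip hosts.
HARDENED = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl mynet src 203.36.180.0/255.255.255.0
acl localweb dstdomain .example.net
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localweb
http_access allow mynet
http_access deny all
"""

if __name__ == "__main__":
    # Constructed sample clients; 198.51.100.7 is a documentation-range outsider.
    samples = [
        ("LAN user, any site", Request("203.36.180.20", "www.example.com", 80)),
        ("outsider, any site", Request("198.51.100.7", "www.example.com", 80)),
        ("outsider, hosted site", Request("198.51.100.7", "www.example.net", 80)),
        ("outsider, CONNECT 443", Request("198.51.100.7", "www.example.com", 443, "CONNECT")),
    ]
    for label, req in samples:
        print(f"{label:24} posted={http_access(POSTED, req)!s:5} "
              f"hardened={http_access(HARDENED, req)}")
```

Run stand-alone, the table shows the outsider allowed under the posted config for both plain GET and CONNECT, and denied under the restricted one except for the hosted domain, which is exactly scenario 3. Splitting `mynet` into separate staff and dialup ACLs, as the reply proposes, is the same shape with narrower source ranges; the post does not give those ranges, so they are not guessed here.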