Re: [squid-users] problems upgrading from squid 2.4stable6 to 2.5stabel2 from markus.rietzler@dont-contact.us on 2003-05-27 (squid-users)

From: <markus.rietzler@dont-contact.us>
Date: Tue, 27 May 2003 09:52:01 +0200

still having performance problems with squid 2.5. i'll send you the part
from squid.conf with our acls/http_access/cache_peer_access.

there are 3 parent proxies via cache_peer defined.

proxy-intra (intranet), proxy-lvn (another "intranet") and proxy-inter
(internet)

then we have 3 user-level: a) access to both intranets, but no
internet-access except some sites we have defined to be "open"
b) surfer - access to both intranets and internet but without download
rights.
c) downloader - access to both intranets, internet and downloads from
internet.

access to our proxy is only allowed to clients from local-net
(123.45.xxx.xxx), and one central proxy (proxy-intra). there are local
servers, which can be accessed direct, all other systems must use one of
the parents. but only local clients are allowed to access servers that
are "internal" (intern).

via acl-rules the proxies decides which parent to ask.

in our acls "ausn" stands for "exceptions", "tunnel" are the open
servers in the web, that can be accessed from all clients.

==== cut ====

acl srcip_manager src "/users/www/files/squid/etc/srcip_manager"
acl srcip_proxy src "/users/www/files/squid/etc/srcip_proxy"
acl srcip_local src "/users/www/files/squid/etc/srcip_local"
acl srcip_surfer src "/users/www/files/squid/etc/srcip_surfer"
acl srcip_downloader src "/users/www/files/squid/etc/srcip_downloader"
acl srcip_powersurfer src "/users/www/files/squid/etc/srcip_powersurfer"
acl dstregex_local dstdom_regex -i ^[acdiklvz]011[0-9-][0-9][0-9]
acl dstregex_intra dstdom_regex -i
^[acdiklvz][0-9][0-9][0-9][0-9-][0-9][0-9]
acl urlpath_download urlpath_regex -i
"/users/www/files/squid/etc/urlpath_download"
acl dstdomain_downloadausn dstdomain
"/users/www/files/squid/etc/dstdomain_downloadausn"
acl urlpath_downloadausn urlpath_regex -i
"/users/www/files/squid/etc/urlpath_downloadausn"
acl dstdomain_intern dstdomain
"/users/www/files/squid/etc/dstdomain_intern"
acl url_intern url_regex -i "/users/www/files/squid/etc/url_intern"
acl urlpath_intern urlpath_regex -i
"/users/www/files/squid/etc/urlpath_intern"
acl dstdomain_intramisc dstdomain
"/users/www/files/squid/etc/dstdomain_intramisc"
acl url_intramisc url_regex -i
"/users/www/files/squid/etc/url_intramisc"
acl dstdomain_local dstdomain
"/users/www/files/squid/etc/dstdomain_local"
acl dstdomain_lvn dstdomain "/users/www/files/squid/etc/dstdomain_lvn"
acl dstregex_lvn dstdom_regex -i
"/users/www/files/squid/etc/dstregex_lvn"
acl url_lvn url_regex -i "/users/www/files/squid/etc/url_lvn"
acl dstdomain_lvnausn dstdomain
"/users/www/files/squid/etc/dstdomain_lvnausn"
acl urlpath_nocache urlpath_regex -i
"/users/www/files/squid/etc/urlpath_nocache"
acl dstdomain_tunnel dstdomain
"/users/www/files/squid/etc/dstdomain_tunnel"
acl url_tunnel url_regex -i "/users/www/files/squid/etc/url_tunnel"
acl url_tunnelausn url_regex -i
"/users/www/files/squid/etc/url_tunnelausn"

acl www url_regex .*
acl manager proto cache_object
acl purge method purge
acl all src 0.0.0.0/0.0.0.0

http_access allow manager srcip_local
http_access allow purge srcip_local
http_access allow manager srcip_manager
http_access allow purge srcip_manager
http_access allow all srcip_manager

# access from other locations on local servers
http_access deny dstdomain_intern srcip_proxy
http_access deny url_intern srcip_proxy
http_access deny urlpath_intern srcip_proxy
http_access allow dstdomain_local srcip_proxy
http_access deny all srcip_proxy

# Intranet for local clients
http_access allow dstdomain_intern srcip_local
http_access allow url_intern srcip_local
http_access allow urlpath_intern srcip_local
http_access deny dstdomain_intern all
http_access deny url_intern all
http_access deny urlpath_intern all
http_access allow dstdomain_local srcip_local
http_access deny dstdomain_local all
http_access allow dstregex_intra srcip_local
http_access deny dstregex_intra all
http_access allow dstdomain_intramisc srcip_local
http_access allow url_intramisc srcip_local
http_access deny dstdomain_intramisc all
http_access deny url_intramisc all

# Powersurfer access to all and everything
http_access allow www srcip_powersurfer

# tunnel to some internet sites for all
http_access deny url_tunnelausn !srcip_surfer !srcip_downloader
http_access deny url_tunnelausn urlpath_download srcip_surfer
http_access allow dstdomain_tunnel srcip_local
http_access allow url_tunnel srcip_local

# extranet
http_access allow dstdomain_lvn srcip_local
http_access allow dstregex_lvn srcip_local
http_access allow url_lvn srcip_local

# downloader: access to internet with downloads
http_access allow urlpath_download srcip_downloader
http_access allow www srcip_downloader

# surfer: access to internet without downloads
http_access allow dstdomain_downloadausn srcip_surfer
http_access allow urlpath_downloadausn srcip_surfer
http_access deny urlpath_download srcip_surfer
http_access allow www srcip_surfer

# default
http_access deny all
http_access deny purge
http_access deny manager

# proxy-intra: everything that "looks" like intranet and is not local
cache_peer_access proxy-intra allow dstregex_intra
cache_peer_access proxy-intra allow dstdomain_intramisc
cache_peer_access proxy-intra allow url_intramisc
cache_peer_access proxy-intra deny all

# proxy-lvn: (extranet) no systems from "intranet"
cache_peer_access proxy-lvn deny dstregex_intra
cache_peer_access proxy-lvn deny dstdomain_intramisc
cache_peer_access proxy-lvn deny url_intramisc
cache_peer_access proxy-lvn deny dstdomain_lvnausn
cache_peer_access proxy-lvn allow dstdomain_lvn
cache_peer_access proxy-lvn allow dstregex_lvn
cache_peer_access proxy-lvn allow url_lvn
cache_peer_access proxy-lvn deny all

# proxy-inter: everything that is not intranet or extranet
cache_peer_access proxy-inter deny dstregex_intra
cache_peer_access proxy-inter deny dstdomain_intramisc
cache_peer_access proxy-inter deny url_intramisc
cache_peer_access proxy-inter allow dstdomain_lvnausn
cache_peer_access proxy-inter deny dstdomain_lvn
cache_peer_access proxy-inter deny dstregex_lvn
cache_peer_access proxy-inter deny url_lvn
cache_peer_access proxy-inter allow all

# RZF Ende Proxy Auswahl

always_direct allow dstdomain_local
always_direct allow dstregex_local
always_direct allow dstdomain_intern
always_direct allow url_intern
always_direct allow urlpath_intern
never_direct allow all

==== cut ====

just to give a "number" of the size of our acl-files:

17 url_intern
22 url_intramisc
2 url_local
17 url_lvn
57 url_tunnel
15 url_tunnelausn
36 urlpath_download
4 urlpath_downloadausn
3 urlpath_intern
3 urlpath_nocache
1 dstdomain_auth
1 dstdomain_authausn
1 dstdomain_dmz
2 dstdomain_downloadausn
6 dstdomain_intern
188 dstdomain_intramisc
63 dstdomain_local
24 dstdomain_lvn
2 dstdomain_lvnausn
1 dstdomain_power
1 dstdomain_powerausn
511 dstdomain_tunnel
2 dstregex_lvn

-- 
mfg
Markus Rietzler
* <rietzler_software/> | http://www.rietzler-software.de
* eMail: markus@rietzler-software.de
Neue Nordstrasse 43
42105 Wuppertal
Fon: 0700.RIETZLER (0700.7438 9537)

Received on Tue May 27 2003 - 01:52:08 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:02 MST