Re: [squid-users] Balasan: [squid-users] Problem on ACL config and performance [SquidNT 2.5 Stable 9]

From: Andreas Woll <woll.andreas@dont-contact.us>
Date: Fri, 9 Sep 2005 06:45:34 +0200

To Problem 2:
It doesn't work. It seems to be a general issue.
Redirecting from http to ftp results in a timeout of about 30 sec.

----- Original Message -----
From: "pujo mulyono" <pudjo26@yahoo.com>
To: "Andreas Woll" <woll.andreas@web.de>; <squid-users@squid-cache.org>
Sent: Tuesday, September 06, 2005 9:13 AM
Subject: [squid-users] Balasan: [squid-users] Problem on ACL config and
performance [SquidNT 2.5 Stable 9]

> answer to question 1:
>
> you have to place allowed_url or allowed_dstdomain
> above blocked_url on the http_access rule:
>
> http_access allow allowed_url
> http_access allow allowed_dstdomain
> http_access deny blocked_url
>
> answer to question 2:
>
> try using ftp_user anonymous
>
> Actually, I don't like using squid for proxying ftp
> connections; I have some problems logging in to some ftp servers
> also.
>
> regards,
> Pudjo@indonesia
>
> --- Andreas Woll <woll.andreas@web.de> wrote:
>
>> I've got a SQUID running on Windows 2000 Server
>> [SQUIDNT 2.5 Stable 9] with
>> DSL-Line.
>> Normally the system is very performant and working
>> fine, but I've
>> encountered two problems:
>>
>> 1. I've implemented a blocking acl (blocked_url) and
>> it worked fine, but
>> some special addresses (allowed_url) to be
>> accessible
>> are still blocked. Is it possible to build a
>> junction between these two
>> acls to get access to special addresses and all
>> non-blocked?
>> For example:
>> sex is blocked and msexchangefaq.de is allowed.
>>
>> 2. I've got performance problems with ftp downloads
>> especially from hp.com
>> There are normal ftp links but it takes quite a long
>> time for squid to start
>> serving the request.
>>
>> here is the squid.conf.
>>
>> http_port 3128
>> hierarchy_stoplist cgi-bin ?
>> cache_dir ufs E:/Squid/cache 20000 16 256
>> mime_table E:/Squid/etc/mime.conf
>> pid_filename E:/Squid/log/squid.pid
>> dns_nameservers IP1 IP2
>> ftp_user user@SquidNT
>> diskd_program E:/Squid/libexec/diskd.exe
>> unlinkd_program E:/Squid/libexec/unlinkd.exe
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> refresh_pattern ftp: 1440 20% 10080
>> refresh_pattern gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> visible_hostname SquidNT
>> icon_directory E:/Squid/share/icons
>> error_directory E:/Squid/share/errors/english
>> coredump_dir E:/Squid/cache
>> cache_access_log E:/Squid/log/access.log
>> cache_log E:/Squid/log/cache.log
>> cache_store_log none
>> emulate_httpd_log off
>> client_netmask 0.0.0.0 # anonymize the clients
>> log_fqdn off
>> log_mime_hdrs off
>> acl QUERY urlpath_regex cgi-bin \?
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl CORP-NET src "Range 1"
>> acl CORP-NET src "Range 2"
>> acl CORP-NET src "Range 3"
>> acl CORP-NET src "Range 4"
>> acl CORP-NET src "Range 5"
>> acl CORP-NET src "Range 6"
>> acl VPN-ACCESS src "Range 7"
>> acl streaming rep_mime_type ^video/x-ms-asf ^video/x-ms-sf ^audio/mpeg ^audio/x-mpeg ^audio/x-pn-realaudio ^audio/x-pn-realaudio-plugin ^application/x-mms-framed ^application/vnd.ms.wms-hdr.asfv1
>> acl block_stream urlpath_regex \.(ra?m|ra|rpm|mpe?g?|mov|m3u|pls|ivf|asf|asx|avi|wax|wma|wmv|wvx|wmp|wmx|m1v|mp2|mp3|mpa|mpe|mpv2)($|\?)
>> acl blocked_url url_regex "E:/Squid/etc/squid-block.acl"
>> acl allowed_url url_regex "E:/Squid/etc/squid-allow.acl"
>> no_cache deny QUERY
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow CORP-NET
>> http_access allow VPN-ACCESS
>> http_access deny blocked_url
>> http_access deny all
>> http_reply_access deny block_stream
>> http_reply_access deny streaming
>> http_reply_access allow CORP-NET
>> http_reply_access allow VPN-ACCESS
>> http_reply_access deny blocked_url
>> http_reply_access deny all
>> icp_access deny all
>> snmp_access deny all
>>
>>
>> I would appreciate your help.
>> Thank you.
>>
>> Andreas
Received on Thu Sep 08 2005 - 22:45:42 MDT
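
An added illustration of the rule-ordering advice in this thread (not code from either poster or from Squid itself): a small Python model of how http_access takes the first matching line and ANDs the ACLs named on one line. The regex patterns, the client addresses and the third, scoped rule set are constructed assumptions.

```python
import re

# Constructed stand-ins for the patterns in squid-block.acl and squid-allow.acl.
URL_ACLS = {
    "blocked_url": [r"sex"],
    "allowed_url": [r"msexchangefaq\.de"],
}
CORP_NET = {"10.0.0.5"}  # hypothetical client standing in for "Range 1".."Range 6"


def acl_matches(name, src, url):
    """Evaluate one ACL name (optionally negated with '!') against a request."""
    if name.startswith("!"):
        return not acl_matches(name[1:], src, url)
    if name == "all":
        return True
    if name == "CORP-NET":
        return src in CORP_NET
    return any(re.search(p, url) for p in URL_ACLS[name])


def http_access(rules, src, url):
    """First matching line wins; ACLs on one line are ANDed together."""
    for line in rules:
        action, *acls = line.split()
        if all(acl_matches(a, src, url) for a in acls):
            return action
    return "deny"  # not reached here: every rule set below ends in "deny all"


BLOCK_FIRST = ["deny blocked_url", "allow CORP-NET", "deny all"]
ALLOW_FIRST = ["allow allowed_url", "deny blocked_url", "allow CORP-NET", "deny all"]
ALLOW_FIRST_SCOPED = ["allow CORP-NET allowed_url", "deny blocked_url",
                      "allow CORP-NET", "deny all"]

REQUESTS = [  # constructed sample requests
    ("10.0.0.5", "http://www.msexchangefaq.de/"),
    ("10.0.0.5", "http://sex.example/"),
    ("10.0.0.5", "http://www.example.org/"),
    ("192.0.2.9", "http://www.msexchangefaq.de/"),  # client outside CORP-NET
]


def decisions(rules):
    """Return the allow/deny verdict for each sample request, in order."""
    return [http_access(rules, src, url) for src, url in REQUESTS]


if __name__ == "__main__":
    for name in ("BLOCK_FIRST", "ALLOW_FIRST", "ALLOW_FIRST_SCOPED"):
        print(name, decisions(globals()[name]))
```

In this model a bare `allow allowed_url` line also admits the client outside CORP-NET, because it matches before any source check; naming CORP-NET on the same line keeps the exception limited to internal clients.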

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:03 MDT