On 2/14/08, Amos Jeffries <squid3@treenet.co.nz> wrote:
> > Here in my simple server, the squid works fine, but after post a
> > message about radio, Amos sad:
> >
> > " Squid is actually an
> > interceptor, not fully transparent. When they go down clients can expect
> > 'Unable to Connect' errors. "
> >
> > And, this is true. When my squid go down, my clients can't be surf
> > because squid is not working.
> >
> > I don't have anotherr server, and I don't need too.
> >
> > I need only control the navegation of my clients on the internet.
> >
> > So, if possible, I want if anyone can see my squid.conf and tell me if
> > it is good or need improvement.
> >
> > Thanks for all.
> >
> > My squid.conf:
> >
> > http_port 10.0.0.250:3128 transparent
> >
> > icp_port 0
> >
> > cache_mem 128 MB
> > cache_swap_low 90
> > cache_swap_high 95
> > cache_dir ufs /usr/local/squid/var/cache 1024 16 256
> > cache_access_log /usr/local/squid/var/logs/access.log
> > cache_log /usr/local/squid/var/logs/cache.log
> > cache_store_log none
> > maximum_object_size_in_memory 1 MB
> > maximum_object_size 100 MB
> > minimum_object_size 0 MB
> >
> > pid_filename /usr/local/squid/var/logs/squid.pid
> >
> > visible_hostname squid.provider.com.br
> >
> > cache_effective_user squidaemon
> > cache_effective_group squid
> >
> > acl autologinDSA dst 10.0.0.250/32
> >
> > acl diretor src 10.0.0.55/32
> > acl recepcao src 10.0.0.57/32
> > acl financeiro src 10.0.0.56/32
> > acl suporte src 10.0.0.248/32
> > acl suporte2 src 10.0.0.13/32
> >
> > acl vip1 src 10.0.1.0/28
> > acl vip2 src 10.0.2.0/28
> > acl vip3 src 10.0.3.0/28
> > acl vip4 src 10.0.4.0/28
> >
> > acl forbidden_words url_regex -i "/usr/local/squid/etc/forbidden_words"
> > acl forbidden_down url_regex -i "/usr/local/squid/etc/forbidden_down"
> >
> > external_acl_type checkip children=40 % SRC
> > /usr/local/mwsystem/squid/sbin/checkv2.sh
>
> no gap in " %SRC "
>
> >
> > acl checkblock external checkip
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl localnet src 10.0.0.0/16
> > acl localhost src 127.0.0.0/32
> > acl method_control proto cache_object
> >
> > http_access allow method_control localhost
> > http_access deny method_control
> >
> > http_access allow autologinDSa
> >
> > http_access deny checkblock !autologinDSA
> >
> > http_access allow diretor
> > http_access allow diretor forbidden_down
>
> If s/he is allowed all access, no need to bother with regex.
>
> >
> > http_access allow recepcao autologinDSA
>
> If s/he is allowed all access, no need to bother with some destinations.
>
> > http_access allow recepcao
> >
> > http_access deny financeiro
> >
> > http_access allow suporte
> > http_access allow suporte2
> >
> > http_access deny forbidden_words
> > http_access deny forbidden_down
> >
> > http_access allow vip1
> > http_access allow vip2
> > http_access allow vip3
> > http_access allow vip4
> >
> > http_access deny localnet !autologinDSA
> > http_access deny all
> > http_access deny localnet
>
> Only need the middle one there.
> For some reason there is no allow for checkbolck people.
>
> They get authenticated, then nothing matches for them until the final
> "deny all"
>
> Amos
>
>
>
Checkblock is a external program. It verify the ip machine and block
if the ip is in a file configuration.
Received on Thu Feb 14 2008 - 03:42:32 MST
This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST