IBT wrote:
> I have added my config so that maybe someone with more experience can make
> sure it ok
>
> # NETWORK OPTIONS
> http_port 8085
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
This QUERY stuff is just preventing some old crap pages from caching.
We now recommend using the refresh_patterns instead:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
>
> # OPTIONS WHICH AFFECT THE CACHE SIZE
> cache_mem 32 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 4096 KB
>
> # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> cache_dir ufs c:/squid/var/cache 1000 16 256
> access_log c:/squid/var/logs/access.log squid
> cache_log c:/squid/var/logs/cache.log
> cache_store_log c:/squid/var/logs/store.log
store.log not useful. Save some resources and kill it unless you have a
good reason to keep it.
> debug_options ALL,3
We recommend ALL,1 as highest for normal running.
Levels 2+ are mixed and various debug information.
>
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> allow_underscore on
> dns_nameservers 192.168.2.3 192.168.2.1
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 5
> external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G -c
>
> # ACCESS CONTROL VALUES
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 87 # http required for Telstra Statistics website
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl our_networks src 192.168.0.0/16
> acl java browser java/6
> acl NoAuthDomains dstdomain "c:/squid/etc/domains/NoAuthDomains.txt"
> http_access allow java
> http_access allow NoAuthDomains our_networks Safe_ports
Optional speed hint: reorder to faster tests first:
http_access allow Safe_ports our_networks NoAuthDomains
> acl proxyfullaccess external NT_global_group proxyfullaccess
> acl password proxy_auth REQUIRED
> acl DeniedDomains dstdomain "c:/squid/etc/domains/DeniedDomains.txt"
> acl CONNECT method CONNECT
> acl FTP proto FTP
> always_direct allow FTP
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
The above block (5 lines) is the security safety net. Unless you have
good reason for permitting the domains I'd stick them at the top and
shift the java and no-auth lines below them.
> http_access allow java
> http_access allow NoAuthDomains our_networks Safe_ports
> http_access deny DeniedDomains
With this line here the DeniedDomains are blocked almost always. They are
accessible only to Java applications or if they are also listed in
NoAuthDomains.
I'm surprised that your indicated tests for Admin actually worked. They
should not have with this config. I suspect it has something to do with
the only cause for login to be fetched is 'proxyfullaccess' needing to
use it.
> http_access allow password our_networks proxyfullaccess
> http_access allow password our_networks Safe_ports
> http_access deny all
>
> # MISCELLANEOUS
> logfile_rotate 10
> error_directory c:/squid/share/errors/English
In case I have confused you: from what I understand of your needs, your
access lines should look like this:
# Admin 'localhost' access for cache management reports
http_access allow manager localhost
http_access deny manager
# basic safety nets
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny !our_networks
# general access rules
http_access allow java
http_access allow Safe_ports NoAuthDomains
http_access allow password proxyfullaccess
http_access allow Safe_ports !DeniedDomains password
http_access deny all
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7

Received on Sun May 17 2009 - 06:59:28 MDT
This archive was generated by hypermail 2.2.0 : Sun May 17 2009 - 12:00:01 MDT
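As an added example that is not part of the thread: a small Python model of how Squid walks an http_access list (top to bottom, every ACL on a line must match, "!" negates, first match wins), applied to the rule order Amos suggests above. The ACL predicates and the two domain lists are assumptions standing in for the poster's acl lines and files.

```python
# Added example (not the thread's code): a tiny model of how Squid walks its
# http_access list: top to bottom, every ACL on a line must match, "!" negates,
# the first match wins, and no match yields the opposite of the last line.
# ACLS stands in for the config's acl definitions; the two domain lists are
# constructed placeholders, not the poster's real files.
ACLS = {
    "Safe_ports":      lambda r: r["port"] in {80, 87, 21, 443},
    "SSL_ports":       lambda r: r["port"] == 443,
    "CONNECT":         lambda r: r["method"] == "CONNECT",
    "our_networks":    lambda r: r["src"].startswith("192.168."),
    "to_localhost":    lambda r: r["dst_ip"].startswith("127."),
    "java":            lambda r: r["ua"].startswith("java/6"),
    "NoAuthDomains":   lambda r: r["domain"] in {"noauth.example"},
    "DeniedDomains":   lambda r: r["domain"] in {"denied.example"},
    "password":        lambda r: r["user"] is not None,   # proxy_auth REQUIRED
    "proxyfullaccess": lambda r: r["user"] == "admin",    # NT group membership
    "all":             lambda r: True,
}

# Safety nets first, then the general rules, as in the order suggested above.
RECOMMENDED = """http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny !our_networks
http_access allow java
http_access allow Safe_ports NoAuthDomains
http_access allow password proxyfullaccess
http_access allow Safe_ports !DeniedDomains password
http_access deny all
"""

def parse_rules(text):
    """Return (action, [acl, ...]) for each http_access line; ignore the rest."""
    rows = [l.split("#", 1)[0].split() for l in text.splitlines()]
    return [(p[1], p[2:]) for p in rows if p[:1] == ["http_access"]]

def acl_matches(name, req):
    return not ACLS[name[1:]](req) if name.startswith("!") else ACLS[name](req)

def evaluate(text, req):
    rules = parse_rules(text)
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    # No line matched: opposite of the last line (no lines at all: deny).
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

def request(**overrides):
    """Constructed request: plain GET on port 80 from the LAN, unauthenticated."""
    req = dict(method="GET", port=80, src="192.168.1.20", dst_ip="203.0.113.10",
               ua="Mozilla/5.0", domain="www.example", user=None)
    return {**req, **overrides}
```

Swapping the order of the deny DeniedDomains and NoAuthDomains-style lines in RECOMMENDED reproduces the bypass Amos describes, which is why the safety nets sit at the top.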