Re: [squid-users] organization squid.conf

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 20 Jun 2009 21:33:05 +1200

Riccardo Castellani wrote:
>> Neither. Look at what the requirements are for each and create logical
>> groupings that do not interfere with each other and in order configured
>> do what your policy requires.
>>
>> Also, be extremely careful about http_reply_access.
>> It's often over-blocked by using rules that duplicate http_access.
>> This can either prevent access denied pages getting out to bad
>> viewers, or cause extra useless load.
>> Only use it to filter requests that cannot be checked earlier in
>> http_access.
>>
>>
>> Amos
>
>
>
>
> OK, I can look for the requirements for all my ACLs, but what does creating
> logical groups mean?
> Does it mean that a group can contain both ACLs and directives?
>
> I thought an ACL should be next to the directive where it's used, so it is
> cleaner. What do you think?
>

I think I mean roughly the same thing with grouping the directives used
for a particular purpose together. But going a little further than just acl.

What I mean is more like the way I've written the wiki ConfigExamples/*
pages.

So that in later Squid people can place the whole directive group into a
file and use "include" directive on the file at the right place of
squid.conf.

for example...

/etc/squid/squid.conf.d/00-accel-website-X:
#
http_port 80 accel vhost
cache_peer X ...
#
acl Xdom ....
cache_peer_access X allow ...
http_access allow Xdom

/etc/squid/squid.conf.d/cache:
#
cache_mem ...
#
cache_dir ...
#
maximum_object_size ...
#
cache allow all

squid.conf:
#
# local configuration
include /etc/squid/squid.conf.d/*
...

Amos

>
>
>
> ----- Original Message ----- From: "Amos Jeffries" <squid3_at_treenet.co.nz>
> To: "Riccardo Castellani" <r.castellani_at_usl6.toscana.it>
> Cc: <squid-users_at_squid-cache.org>
> Sent: Wednesday, June 17, 2009 5:21 PM
> Subject: Re: [squid-users] organization squid.conf
>
>
>> Riccardo Castellani wrote:
>>> What do you suggest to prepare a clean squid.conf ?
>>> I have many many ACL which I use in these directive:
>>>
>>> no_cache deny
>>
>> change #1:
>> no_cache deny X
>> to:
>> cache deny X
>>
>> no_cache is an obsolete option name.
>>
>>> http_access deny
>>> http_access allow
>>>
>>>
>>> 1- To collect ACL all together or I can insert specific ACL groups
>>> next to
>>> directives where they are used, e.g.
>>>
>>>
>>> Acl A...
>>> Acl B...
>>> Acl C...
>>> no_cache deny A
>>> no_cache deny B
>>> no_cache deny C
>>>
>>> Acl E...
>>> Acl F..
>>> Acl G...
>>> http_access allow E
>>> http_access allow F
>>> http_access allow G
>>>
>>> Acl H...
>>> Acl I..
>>> Acl L...
>>> http_reply_access allow H
>>> http_reply_access allow I
>>> http_reply_access deny L
>>>
>>
>> Neither. Look at what the requirements are for each and create logical
>> groupings that do not interfere with each other and in order configured
>> do what your policy requires.
>>
>> Also, be extremely careful about http_reply_access.
>> It's often over-blocked by using rules that duplicate http_access.
>> This can either prevent access denied pages getting out to bad
>> viewers, or cause extra useless load.
>> Only use it to filter requests that cannot be checked earlier in
>> http_access.
>>
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>> Current Beta Squid 3.1.0.8
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.8
Received on Sat Jun 20 2009 - 09:33:15 MDT
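
A small lint for the two pitfalls raised in this thread (the obsolete no_cache name, and http_reply_access deny rules that repeat ACLs already tested in http_access), added here as an example; it is not part of the original messages or of Squid itself. The function names and the sample configuration are constructed, and the duplicate check is a name-based heuristic that flags only deny rules.

```python
# Constructed sample, not taken from the thread: ACL names and values are made up.
SAMPLE_CONF = """\
acl localnet src 192.0.2.0/24
acl badsites dstdomain .blocked.example
acl flash rep_mime_type application/x-shockwave-flash
no_cache deny badsites
http_access deny badsites
http_access allow localnet
http_access deny all
http_reply_access deny badsites
http_reply_access deny flash
http_reply_access allow all
"""

def parse(conf_text):
    """Yield (line_number, directive, args) for each non-comment line."""
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        yield num, directive, args

def lint(conf_text):
    """Return (line_number, message) findings for the two issues in the thread."""
    rules = list(parse(conf_text))
    # ACL names tested by any http_access rule; args[0] is allow/deny.
    request_acls = {a.lstrip("!") for _, d, args in rules
                    if d == "http_access" for a in args[1:]}
    findings = []
    for num, directive, args in rules:
        if directive == "no_cache":
            findings.append((num, "no_cache is obsolete; use 'cache'"))
        elif directive == "http_reply_access" and args[:1] == ["deny"]:
            # Ignore the catch-all 'all'; look only at the specific ACLs.
            acls = [a.lstrip("!") for a in args[1:] if a.lstrip("!") != "all"]
            if acls and all(a in request_acls for a in acls):
                findings.append((num, "http_reply_access repeats ACLs already "
                                      "checked in http_access: " + " ".join(acls)))
    return findings

if __name__ == "__main__":
    for num, msg in lint(SAMPLE_CONF):
        print(f"line {num}: {msg}")
```

The rep_mime_type rule is not flagged because that ACL depends on the reply and cannot be tested in http_access.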
