On Wed, 30 Sep 2009 06:35:06 -0700 (PDT), ant2ne <tcygne_at_altonschools.org>
wrote:
> Thanks for the continued support!
>
> You say "The CONNECT rule does need to be "deny CONNECT !SSL_Ports". " -
> But
> I dont' see a !SSL_Ports
The ! means NOT in boolean and squid.conf access language.
The very next thing I said was "With SSL_Ports defining what HTTPS ports
are safe to use."
... meaning that you had to add back in the SSL_Ports acl definition which
appears to have been lost somewhere.
acl SSL_Ports port 443
>
> You say "I'd shift that one http pattern above up above the ftp pattern."
> But I dont see http as a refresh pattern. I do see html. Is this what you
> mean?
Yes that was the one. Best to keep all the file extension patterns together
if you can so you don't miss one when changing things later.
>
> My currrent squid.conf
>
> http_port 3128
> acl QUERY urlpath_regex cgi-bin \?
> #no_cache deny QUERY
> cache_mem 512 MB
> maximum_object_size_in_memory 2048 KB
> maximum_object_size 1 GB
> cache_dir aufs /cache 500000 256 256
> redirect_rewrites_host_header off
> cache_replacement_policy lru
> #acl QUERY urlpath_regex cgi-bin \?
> acl all src all
> acl localnet src 10.60.0.0/255.255.0.0
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
> acl Safe_ports port 80 443 210 119 70 21 1025-65535
> acl CONNECT method CONNECT
> http_access allow localnet
> http_access allow localhost
> http_access deny !Safe_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny CONNECT
> http_access deny CONNECT !Safe_Ports
> http_access deny all
> icp_port 0
> refresh_pattern \.jpg$ 3600 50% 60 ignore-reload
> refresh_pattern \.gif$ 3600 50% 60 ignore-reload
> refresh_pattern \.css$ 3600 50% 60 ignore-reload
> refresh_pattern \.js$ 3600 50% 60 ignore-reload
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern \.html$ 300 50% 10 ignore-reload
> refresh_pattern . 60 50% 10 ignore-reload
> refrsh_pattern . 0 20% 4320
Ah, well both of the above two dot patterns do the same thing. Catching all
requested objects not matched by something in the patterns above it. I
hadn't read the other email when I wrote that, pick the one you want to
use.
Note that the 'reload' being ignored is an explicit instruction sent by the
browser when the user goes to all the trouble of pressing shift+f5. They
usually do this when they have clue AND know that the page and stuff on it
is obsolete. There were some very old versions of IE that sent this with
each request, but those are fast being replaced with fixed versions
nowdays.
Amos
Received on Wed Sep 30 2009 - 23:15:39 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 01 2009 - 12:00:05 MDT