Re: [squid-users] Using MySQL for ips acl and urls

From: José Illescas Pérez <jip_at_jccm.es>
Date: Fri, 04 Dec 2009 00:29:45 +0100

On Thu, 03-12-2009 at 12:50 +1300, Amos Jeffries wrote:
> On Thu, 03 Dec 2009 00:00:29 +0100, José Illescas Pérez <jip_at_jccm.es>
> wrote:
> > Amos Jeffries wrote:
> >> On Wed, 02 Dec 2009 20:36:38 +0100, José Illescas Pérez <jip_at_jccm.es>
> >> wrote:
> >>> Hello,
> >>>
> >>> I'm interested in installing squid for my organization.
> >>>
> >>> I want to configure large acl's of ip lists, 20,000 more or less.
> >>>
> >>> Can I use external acl with MySQL to create this acl ip list? What's
> >>> the performance in this case?
> >>>
> >>> I want to configure large acl of url lists in MySQL too, for example a
> >>> blacklist with categories. What's the performance in this case?
> >>>
> >>> Perhaps it is more convenient to use squidguard for the blacklist of urls and
> >>> create the group categories. Any ideas?
> >>>
> >>> Greetings.
> >>
> >> Individual IPs with individual blocklists? This is extremely
> >> inefficient.
> >>
> >> If you must, you can easily use external_acl_type to pull details from
> >> mysql during live traffic processing. Speed depends on the query efficiency
> >> and network lag to mysql server.
> >>
> >> If you find that too slow look at ufdbGuard.
> >>
> >> Amos
> >>
> >
> > We have five or six ip groups, with permissions in categories of
> > blacklist for each group. Each group contains between 1,000 and 10,000
> > ip addresses.
>
> If by group you mean some network topology grouping, the network admin
> should have some CIDR range that describes each group. That can be
> implemented in Squid ACLs for a simpler and faster config.
>
> For example something like this filtering grouped by network, then some
> individual IPs with a blocklist applied;
>
> acl networkA src 10.2.0.0/16
> acl networkB src 10.15.0.0/16
> acl ipsA1 src "file_with_A1_group_IPs"
> acl ipsA2 src "file_with_A2_group_IPs"
> acl blockA1domains dstdomain "file_with_A_group_blocklist"
>
> http_access deny networkA ipsA1 blockA1domains
> http_access deny networkA ipsA2
> http_access allow networkB

Hello,

We have ip groups with individual ips. We can't group by networks. For
example:

Group Filter IT 10.30.1.2,10.30.1.8,10.30.1.28,10.40.2.56, 10.50.5.5,
etc, etc. (5000 ip addresses more or less).

Group Filter Press 10.30.1.29,10.40.2.22,10.60.1.200, etc (10000 ip
addresses, approximately).
.
.
.

Keep in mind that these groups are constantly changing.

Each group has permission to access one or more categories blacklists.

In this scenario, what is the ideal solution for best performance?

- A file with lists of ips in squid?
- A file with lists of ips in squidguard?
- A query to a mysql database for an external acl in squid or squidguard?
- A query to ldap for an external acl in squid or squidguard? (We have ip
addresses for users saved in the ldap server).

Greetings.

-- 
      _  ____ ____ __  __
     | |/ ___/ ___|  \/  | Jose Illescas Perez. Linux User #73559
  _  | | |  | |   | |\/| | TFNO: +34 925 266 219 FAX: +34 925 266 300
| |_| | |__| |___| |  | | El Webteam de http://www.jccm.es
  \___/ \____\____|_|  |_| Junta de Comunidades de Castilla-La Mancha
Received on Thu Dec 03 2009 - 23:29:51 MST
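As an added example (not part of the original thread or of Squid itself), a minimal external_acl_type helper in Python that answers Squid's helper protocol for the scenario above: the client IP is mapped to its group and the group is checked against the blacklist category passed as the ACL argument. The in-memory GROUPS table stands in for the MySQL/LDAP query, and the squid.conf lines in the docstring, the IPs, group names and categories are all assumed.

```python
#!/usr/bin/env python3
"""Constructed Squid external_acl_type helper: client IP -> group -> allowed categories."""
import sys

# Constructed sample data standing in for the MySQL/LDAP table discussed in the
# thread: group name -> (member IPs, blacklist categories the group may access).
GROUPS = {
    "IT":    ({"10.30.1.2", "10.30.1.8", "10.30.1.28"}, {"news", "social"}),
    "Press": ({"10.30.1.29", "10.40.2.22"}, {"news"}),
}


def build_index(groups):
    """Flatten the groups to an ip -> group map for O(1) lookups; rebuild when the
    backing store changes instead of querying it on every request."""
    index = {}
    for name, (ips, _allowed) in groups.items():
        for ip in ips:
            index[ip] = name
    return index


def handle_request(line, index, groups):
    """Answer one request line of the external ACL helper protocol.

    Assumed squid.conf (hypothetical):
      external_acl_type ipgroup ttl=300 concurrency=10 %SRC /usr/local/bin/ipgroup_helper.py
      acl news_blacklist dstdomain "/etc/squid/bl/news"
      acl news_ok external ipgroup news
      http_access deny news_blacklist !news_ok
    With concurrency=N Squid sends "<channel-ID> <client-ip> <acl-argument>" and
    expects "<channel-ID> OK ..." or "<channel-ID> ERR" back; ttl= caches each
    answer so the lookup runs once per (ip, category) per 300 s, not per request.
    """
    parts = line.strip().split()
    if len(parts) != 3:
        return "ERR"  # malformed line: fail closed rather than guess
    channel, src, category = parts
    group = index.get(src)
    if group is None or category not in groups[group][1]:
        return f"{channel} ERR"
    # tag= lets later http_access rules or logging see which group matched.
    return f"{channel} OK tag={group}"


def main():
    index = build_index(GROUPS)
    # Squid keeps the helper running and writes one request per line; the reply
    # must be flushed immediately or Squid waits on a buffered answer.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line, index, GROUPS) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The ttl= value is the knob for the "constantly changing groups" concern: a shorter ttl means fresher membership but more lookups against the helper, which is where MySQL/LDAP latency would show up.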
