Re: [squid-users] Using MySQL for ips acl and urls

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 04 Dec 2009 22:55:31 +1300

José Illescas Pérez wrote:
> On Thu, 03-12-2009 at 12:50 +1300, Amos Jeffries wrote:
>> On Thu, 03 Dec 2009 00:00:29 +0100, José Illescas Pérez <jip_at_jccm.es>
>> wrote:
>>> Amos Jeffries wrote:
>>>> On Wed, 02 Dec 2009 20:36:38 +0100, José Illescas Pérez <jip_at_jccm.es>
>>>> wrote:
>>>>> Hello,
>>>>>
>>>>> I'm interested in installing squid for my organization.
>>>>>
>>>>> I want to configure large acl's of ip lists, 20,000 more or less.
>>>>>
>>>>> Can I use an external acl with MySQL to create this acl ip list? What's
>>>>> the performance in this case?
>>>>>
>>>>> I want to configure large acls of url lists in MySQL too, for example a
>>>>> blacklist with categories. What's the performance in this case?
>>>>>
>>>>> Perhaps it is more convenient to use squidguard for the url blacklist and
>>>>> create the group categories. Any ideas?
>>>>>
>>>>> Greetings.
>>>> Individual IPs with individual blocklists? This is extremely
>>>> inefficient.
>>>> If you must, you can easily use external_acl_type to pull details from
>>>> mysql during live traffic processing. Speed depends on the query
>>>> efficiency and network lag to mysql server.
>>>>
>>>> If you find that too slow look at ufdbGuard.
>>>>
>>>> Amos
>>>>
>>> We have five or six ip groups, with permissions in categories of
>>> blacklist for each group. Each group contains between 1,000 and 10,000
>>> ip addresses.
>> If by group you mean some network topology grouping, the network admin
>> should have some CIDR range that describes each group. That can be
>> implemented in Squid ACLs for a simpler and faster config.
>>
>> For example, something like this filtering grouped by network, then some
>> individual IPs with a blocklist applied:
>>
>> acl networkA src 10.2.0.0/16
>> acl networkB src 10.15.0.0/16
>> acl ipsA1 src "file_with_A1_group_IPs"
>> acl ipsA2 src "file_with_A2_group_IPs"
>> acl blockA1domains dstdomain "file_with_A_group_blocklist"
>>
>> http_access deny networkA ipsA1 blockA1domains
>> http_access deny networkA ipsA2
>> http_access allow networkB
>
> Hello,
>
> We have ip groups with individual ips. We can't group by networks. For
> example:
>
> Group Filter IT 10.30.1.2,10.30.1.8,10.30.1.28,10.40.2.56, 10.50.5.5,
> etc, etc. (5000 ip addresses more or less).
>
> Group Filter Press 10.30.1.29,10.40.2.22,10.60.1.200, etc (10000 ip
> addresses, approximately).
> .
> .
> .
>
> Keep in mind that these groups are constantly changing.
>
> Each group has permission to access one or more categories blacklists.
>
> In this scenario, what is the ideal solution for best performance?
>
> - A file with lists of ips in squid?

No. Files of IPs in Squid need to be static for reasonably long periods,
several hours to a day etc.

> - A file with lists of ips in squidguard?

> - A query to a mysql database for an external acl in squid or squidguard?

AFAIK squidguard does not do external ACL.

> - A query to ldap for an external acl in squid or squidguard? (We have ip
> addresses for users saved in an ldap server).

One of the last two with Squid. External ACL can even return the user=*
tag with its result to get the Squid logs linked to individual accounts.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.15
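The two points Amos makes, pulling the IP-to-group mapping from an external_acl_type helper instead of static IP files and returning a user= tag so access.log shows the account behind each client IP, can be demonstrated with a small helper. The script below is an added example and is not code from the thread or from the Squid project. It speaks the line protocol Squid uses for external ACL helpers (one request line per lookup on stdin, one "OK" or "ERR" reply per line on stdout), but the lookup tables, domain categories, logins, the helper path and the squid.conf lines in the docstring are all constructed for illustration; a real helper would replace the dictionary lookups with the MySQL or LDAP query described in the thread.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not from the list post).

Squid starts this script, writes one request line per lookup on stdin
and reads one reply line per request from stdout:

    request : "<%SRC> <%DST>"      e.g. "10.30.1.2 news.example.com"
    reply   : "OK [user=<login>]"  or  "ERR"

Hypothetical squid.conf lines this helper assumes (path is a placeholder;
ttl= and negative_ttl= bound how long a changed group membership can be
served from Squid's result cache):

    external_acl_type ipgroup ttl=60 negative_ttl=10 %SRC %DST /usr/local/bin/ipgroup_helper.py
    acl ipgroup_ok external ipgroup
    http_access allow ipgroup_ok
    http_access deny all
"""
import sys

# Constructed sample data standing in for the MySQL/LDAP query described
# in the thread: client IP -> (group, login), and group -> categories the
# group may reach.  Unknown IPs belong to no group.
IP_TABLE = {
    "10.30.1.2": ("it", "jperez"),
    "10.30.1.8": ("it", "amartin"),
    "10.30.1.29": ("press", "lgarcia"),
}
GROUP_CATEGORIES = {
    "it": {"news", "software"},
    "press": {"news"},
}
# Constructed blacklist: destination host -> category.  Hosts not listed
# are treated as uncategorized and allowed for every known group.
DOMAIN_CATEGORY = {
    "news.example.com": "news",
    "downloads.example.net": "software",
    "games.example.org": "games",
}


def lookup_group(src_ip):
    """Return (group, login) for src_ip, or None when the IP is unknown.

    This is the point where a real helper would issue its database query.
    """
    return IP_TABLE.get(src_ip)


def decide(src_ip, dst_host):
    """Produce the reply Squid expects for one (client IP, destination) pair."""
    entry = lookup_group(src_ip)
    if entry is None:
        return "ERR"  # unknown IP: the ACL does not match, http_access falls through
    group, login = entry
    category = DOMAIN_CATEGORY.get(dst_host.lower(), "uncategorized")
    if category != "uncategorized" and category not in GROUP_CATEGORIES.get(group, set()):
        return "ERR"  # blacklisted category this group is not permitted to reach
    # user= makes Squid record the login in access.log for this request,
    # which links the per-IP decision back to an individual account.
    return "OK user=%s" % login


def handle_line(line):
    """Parse one request line from Squid; malformed input is treated as no match."""
    parts = line.strip().split()
    if len(parts) != 2:
        return "ERR"
    return decide(parts[0], parts[1])


def main():
    # Squid blocks until each reply arrives, so flush after every line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because Squid caches helper results for ttl seconds per (%SRC %DST) key, a membership change in the database takes effect within that window without any Squid reconfigure, which is what makes this approach fit constantly changing groups better than the static IP files. Logins containing whitespace would need quoting in the reply; the constructed logins here do not.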
Received on Fri Dec 04 2009 - 09:55:45 MST
