Re: [squid-users] better squid.conf

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 17 Oct 2011 18:26:52 +1300

On 17/10/11 07:04, Marlon Bastida wrote:
> Hi,
>
> I would like some help with this squid.conf, below. I will
> try to keep it as small as possible.
>
> For example, when I try to enter the word `porn` in the Google box and
> do a search, it stays static in this field and doesn't give me an error
> page.

Check your exception list for which patterns match the rest of the google
URL.

You are making a lot of use of regex, which is both the slowest ACL
matching Squid has available and the most difficult to get right.

>
> Marlon
>
> squid.conf
> -----------------
> ## hostname port
> http_port 3128
>
> ##visible_hostname server
> error_directory /usr/share/squid/errors/Portuguese/
>
> ## memory cache and disk
> cache_mem 300 MB
>
> ## object size - before 128 KB
> maximum_object_size_in_memory 64 KB
> maximum_object_size 512 MB
> minimum_object_size 2 KB
>
> ## management of cache policy swap
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
>
> ## cache exclusion limits
> cache_swap_low 90
> cache_swap_high 95
>
> ## 8192 16 256
> cache_dir ufs /var/spool/squid 10240 16 256
> cache_access_log /var/log/squid/access.log
> cache_store_log none
>
> ## connections
> half_closed_clients off
> refresh_pattern ^ftp: 15 20% 2280
> refresh_pattern ^gopher: 15 0% 2280
> refresh_pattern . 15 20% 2280
>
> ## acls
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
>
> ## SSL(https)
> acl SSL_ports port 443 563
>
> ## safe ports
> acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl localnetwork src 10.0.0.0/23
>
> ##### test - release sites to work without authentication
> #acl websites_without_auth dstdom_regex "/etc/squid/websites_without_auth"
> #always_direct allow websites_without_auth
>
> ## NCSA_AUTH authentication
> auth_param basic realm ENTERPRISE
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> auth_param basic credentialsttl 1 hour
> acl authenticated proxy_auth REQUIRED
>
> ## releases IPs from workstations without asking for AUTH
> acl releases_ips src "/etc/squid/releases_ips"
> always_direct allow releases_ips
>
> ## block proibit words with exceptions
> acl exception_words url_regex -i "/etc/squid/exception_words"
> acl proibit_words url_regex -i "/etc/squid/proibit_words"
> deny_info ERR_PROIBIT_WORDS proibit_words
>
> ## celebrities
> acl name_celebrities url_regex -i "/etc/squid/name_celebrities"
> deny_info ERR_NAME_CELEBRITIES name_celebrities
>
> ## release bank sites without going through proxy auth
> acl websites_bank dstdom_regex "/etc/squid/websites_bank"
> always_direct allow websites_bank
>
> ## sales dept rules
> #acl users_sales proxy_auth "/etc/squid/users_sales"
> #acl users_sales dstdom_regex "/etc/squid/users_sales"
>
> ## lunch hour - released sites
> #acl lunch_hours time 12:00-13:00
> #acl lunch_hours dstdom_regex "/etc/squid/lunch_hours"
>
> ## pcp rules
> #acl users_pcp proxy_auth "/etc/squid/users_pcp"
>
> ## blocked IPs
> acl blocked_ips src "/etc/squid/blocked_ips"
> always_direct allow blocked_ips
> deny_info ERR_BLOCKED_IPS blocked_ips
>
> ## releases websites without going through AUTH

Wrong.
  Auth is performed by http_access, which always happens first.
"always_direct" only prevents cache_peer being used.

You seem to have the common misunderstanding that always_direct means
bypassing _this_ Squid in some form or another.

I see no cache_peer directives in your config. Which means all the
always_direct lines are useless and can be erased.

> acl released_websites dstdom_regex "/etc/squid/released_websites"
> always_direct allow released_websites
>
> ## blocked websites with fun pages, specific error page
> acl fun_sites url_regex -i "/etc/squid/fun_sites"
> deny_info ERR_FUN_SITES fun_sites
>
> ## blocked websites with specific page
> acl websites_blocked url_regex -i "/etc/squid/websites_blocked"
> deny_info ERR_BLOCKED_SITES websites_blocked
>
> ## blocked porn sites with specific error page
> acl websites_porn url_regex -i "/etc/squid/websites_porn"
> deny_info ERR_PORN_SITES websites_porn
>
> ## download banned extensions
> acl banned_extension url_regex -i "/etc/squid/banned_extension"
> deny_info ERR_BANNED_EXT banned_extension
>
> ## permissions rules
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge

Do you actually need purge? If not drop it entirely from the config.
Including the "acl purge" line. Simply creating the ACL turns on a lot
of background calculations which slow down Squid.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> ## permissions / restrictions
>
> http_access deny banned_extension
> http_access deny websites_porn
> http_access deny websites_blocked
> http_access deny fun_sites

IMPORTANT. Replace these:

> http_access allow exception_words
> http_access deny proibit_words

With this:
   http_access deny !exception_words proibit_words

Why:
   What yours did was allow _anybody_ access if they typed an exception
word into certain positions of any URL. Joining the two together like the
above makes exception_words only affect the test result of proibit_words.

  They can still use that trick to get past proibit_words. But not to
get past other security controls like auth and IP checks below.

> http_access deny name_celebrities
> http_access allow releases_ips
> http_access allow released_websites
> http_access deny blocked_ips
> #http_access allow lunch_hours users_pcp
> #http_access deny !users_sales users_sales
> http_access allow

Missing piece of a line above. What is allowed?

> http_access allow authenticated
> #http_access allow websites_without_auth
>

A few things to notice at this point.

  Firstly, in order for "authenticated" to be tested Squid must have or
fetch the authentication details. It will trigger an auth challenge.

Machines matching the localhost and localnet ACLs will be allowed after
they FAIL authentication. Since the auth line above has no conditions to
prevent challenging repeatedly, this makes very little sense. You could
either drop the localnet/localhost allow lines entirely, or move them up
if the intention was to permit those machines access without a valid login.

> http_access allow localhost
> http_access allow localnetwork
> http_access deny all
> -----------------

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.16
   Beta testers wanted for 3.2.0.13
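The following is an added illustration, not part of the thread and not Squid's own code: a small Python model of http_access evaluation (first matching line wins, ACL terms on one line are ANDed, `!` negates, and the default when nothing matches is the opposite of the last line) run over the relevant subset of the quoted rules, once in the original order and once with the combined `deny !exception_words proibit_words` line. The ACL patterns, address ranges and requests are constructed for the demonstration; the auth challenge is deliberately not modelled, so an unauthenticated request simply fails the `authenticated` ACL and falls through, which is exactly the localnet behaviour described above.

```python
import ipaddress
import re

# Constructed, simplified ACL table modelled on the quoted squid.conf.
# Regexes and address ranges are made up for this demonstration.
ACLS = {
    "exception_words": ("url_regex", r"essex|sussex|middlesex"),
    "proibit_words":   ("url_regex", r"sex"),
    "releases_ips":    ("src", ["10.0.1.5/32"]),
    "blocked_ips":     ("src", ["10.0.0.66/32"]),
    "localhost":       ("src", ["127.0.0.1/32"]),
    "localnetwork":    ("src", ["10.0.0.0/23"]),
    "authenticated":   ("proxy_auth", None),
    "all":             ("src", ["0.0.0.0/0"]),
}

# Relevant subset of the quoted http_access lines, in the original order.
ORIGINAL_RULES = [
    ("allow", ["exception_words"]),
    ("deny",  ["proibit_words"]),
    ("allow", ["releases_ips"]),
    ("deny",  ["blocked_ips"]),
    ("allow", ["authenticated"]),
    ("allow", ["localhost"]),
    ("allow", ["localnetwork"]),
    ("deny",  ["all"]),
]

# Same rules with the two word lines joined as suggested in the reply.
FIXED_RULES = [
    ("deny",  ["!exception_words", "proibit_words"]),
    ("allow", ["releases_ips"]),
    ("deny",  ["blocked_ips"]),
    ("allow", ["authenticated"]),
    ("allow", ["localhost"]),
    ("allow", ["localnetwork"]),
    ("deny",  ["all"]),
]


def acl_matches(name, request):
    """Evaluate one named ACL against a request dict (src, url, user)."""
    kind, arg = ACLS[name]
    if kind == "url_regex":
        return re.search(arg, request["url"], re.IGNORECASE) is not None
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(net) for net in arg)
    if kind == "proxy_auth":
        # Simplification: matches only when valid credentials are present;
        # the real 407 challenge is not modelled.
        return request.get("user") is not None
    raise ValueError(f"unknown ACL type {kind}")


def term_matches(term, request):
    """A '!name' term matches when the ACL does not."""
    negated = term.startswith("!")
    name = term[1:] if negated else term
    return acl_matches(name, request) != negated


def evaluate(rules, request):
    """First-match http_access evaluation; terms on a line are ANDed."""
    for action, terms in rules:
        if all(term_matches(t, request) for t in terms):
            return action
    # Squid's default when no line matches: the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def compare(request):
    """Return (decision under original order, decision under fixed order)."""
    return evaluate(ORIGINAL_RULES, request), evaluate(FIXED_RULES, request)


if __name__ == "__main__":
    # Constructed sample requests.
    samples = {
        "blocked IP, no login, exception word in URL":
            {"src": "10.0.0.66", "url": "http://www.example.com/?q=essex"},
        "localnet, logged in, banned word only":
            {"src": "10.0.0.20", "url": "http://www.example.com/?q=sex", "user": "alice"},
        "localnet, no login, harmless URL":
            {"src": "10.0.0.20", "url": "http://www.example.com/"},
    }
    for label, req in samples.items():
        print(f"{label}: original={compare(req)[0]}, fixed={compare(req)[1]}")
```

The first sample is the bypass the reply warns about: under the original order a request from a blocked, unauthenticated address is allowed purely because the URL contains an exception word, while the combined line lets it fall through to `deny blocked_ips`. The third sample shows the other point raised above: with no conditions on the auth line, an unauthenticated localnet machine is allowed either way.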
Received on Mon Oct 17 2011 - 05:26:59 MDT
