[squid-users] Request header too large & ip_conntrack

From: Shawn Wright <swright_at_shawnigan.ca>
Date: Fri, 14 Dec 2012 11:53:35 -0800 (PST)

Hello,

I have been trying to track down a congestion issue we have been seeing at 8pm each night for several weeks, where most of our clients see slow or no connectivity for 20-40 minutes.

First issue was our firewall reaching ip_conntrack_max, so I increased it, and began logging the conn count every 5 minutes. The problem was gone for a week.

Then it came back, just as before. The firewall was fine, no errors this time, and well below the ip_conntrack_max.

I looked at the proxy, and saw an excessive number of invalid requests during peak times, at one point over 100/sec from a single client. I adjusted some rules on our wireless controller to resolve this, and invalid requests dropped by a factor of 10, but the issue at 8pm continued. I also set:

request_header_max_size 64 KB
reply_header_max_size 64 KB

as we were seeing many request header too large errors.

I enabled conntrack logging every minute on the proxy, and saw it come very close to its limit last night at 8pm, and stay there for over an hour, but no errors were logged. However, at the instant that ip_conntrack climbed at 8pm (limit was 65536, now 262144):

2012-12-13 19:56:01 28754
2012-12-13 19:57:01 29398
2012-12-13 19:58:01 27449
2012-12-13 19:59:01 25355
2012-12-13 20:00:02 25551
2012-12-13 20:01:01 48476
2012-12-13 20:02:01 61525
2012-12-13 20:03:01 58012
2012-12-13 20:04:01 59262
2012-12-13 20:05:01 61038
2012-12-13 20:06:01 61023

squid started logging this:

2012/12/13 19:59:55| clientReadRequest: FD 1027 (10.2.120.12:61069) Invalid Request
2012/12/13 20:00:00| parseHttpRequest: Requestheader contains NULL characters
2012/12/13 20:00:00| parseHttpRequest: Can't get request method
2012/12/13 20:00:00| clientReadRequest: FD 1901 (10.2.120.51:41435) Invalid Request
2012/12/13 20:00:05| clientReadRequest: FD 165 (10.5.0.150:60948) Invalid Request
2012/12/13 20:00:20| Request header is too large (67792 bytes)
2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
2012/12/13 20:00:20| Request header is too large (67623 bytes)
2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
2012/12/13 20:00:20| Request header is too large (67487 bytes)
...

the above continues for >4000 lines, with 250 of them in the first second.

squid is still servicing some requests during the outage, and things appear normal in the access.log, albeit lower volume. During the issue, there are very few other errors in cache.log - just the request header too large and a few invalid requests.

MRTG shows squid hits/s drop from ~120 to ~10 for the 70 minute outage, slowly declining to near zero until 21:10 when the request header too large errors stop, and the hits/s climbs to ~100 immediately.

The environment:

Dual Xeon CPUs, 4Gb, Ubuntu 8.04 LTS 32bit
Squid Cache: Version 2.6.STABLE20
configure options: '--sysconfdir=/etc/squid' '--localstatedir=/var' '--enable-delay-pools' '--enable-snmp' '--enable-async-io=64' '--disable-ident-lookups' '--enable-auth=ntlm,basic' '--enable-removal-policies' '--enable-kill-parent-hack' '--with-filedescriptors=16384' '--with-large-files' '--enable-linux-netfilter'

Approximately 700 active clients, most on wireless during this period. Aruba wireless controller DNATs all port 80 traffic to squid for transparent proxy.

squid.conf:
# Squid 2.6 stable 20, ubuntu 8.04 32bit
# 26/Mar/2008 11:52
# 5/Jan/2010 10:15 - recompile with large file support for logs >2Gb
# 27/Aug/2010 11:32 - clone config & modify for transparent listening on 72.2.0.12:3128
# 5/Nov/2010 10:27 remove WCCP2 & replace with DNATs on Aruba VLANs 5,6,80,90,100,110,120
# 1/Oct/2012 - Disable Caching

visible_hostname proxy.shawnigan.ca
pid_filename /var/run/squid.pid

append_domain .shawnigan.ca
dns_nameservers 208.67.222.222 208.67.220.220

# disable X-Forwarded-For: header -31/Mar/2006 8:43
forwarded_for off
via off
client_db off
#header_access Via deny all

# increase request header to 64k as per RFC 2616
request_header_max_size 64 KB
reply_header_max_size 64 KB

http_port 72.2.0.12:3128 transparent

icp_port 0

#wccp2_router 72.2.0.1
#wccp2_forwarding_method 2
#wccp2_return_method 1
#wccp2_service standard 0
#wccp2_assignment_method 1

# test dynamic services later, nat for now.
#wccp2_service dynamic 80
#wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80,1935
#http_port 72.2.0.12:1935 transparent

strip_query_terms off

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# cache_store_log /var/log/squid/store.log
cache_store_log none

#hierarchy_stoplist cgi-bin ?
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
# 26/May/2008 - replace above with squid 2.7/3.0 version to allow youtube caching etc.
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

error_directory /etc/squid/errors
icon_directory /usr/local/squid/share/icons
cache_effective_user squid
cache_effective_group root
# reduce RAM from 768 to 512 Apr 16 08
#increase RAM from 512 to 1024 Apr 28 08
# increase RAM from 128 to 1024 01Oct2012
cache_mem 1024 MB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
# Disable Caching Start
#maximum_object_size 160000 KB
maximum_object_size 0 KB
minimum_object_size 0 KB
# Disable Caching End
maximum_object_size_in_memory 24 KB
# 20% less than drive size used here
# Disable Caching Start - Didn't work as need to recompile using --enable-storeio=null,...
# cache_dir null /tmp
cache_dir aufs /tmp/cache 5000 64 512
#cache_dir aufs /cache2 55000 64 512
#cache_dir aufs /cache3 55000 64 512
#cache_dir aufs /cache4 55000 64 512
# Disable Caching End
#cache_dir aufs /var/cache 5000 16 256

#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
# increase from 5 to 10 auth helpers Feb 4,2010
#auth_param basic children 10
#auth_param basic realm SLS Proxy Cache
#auth_param basic credentialsttl 2 hours

#Recommended minimum configuration:
#####
# SLS Updates follow Oct 25, 2004
#####
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# SSL_ports entries must be duplicated in Safe_ports
# Any port changes must be reflected in the main firewall config and on this proxy's firewall
acl SSL_ports port 21 443 444 563 1935 2048 2095 3389 4200 4343 4430 4443 4445 4446 8081 8100 8181 8443 20000 7230 58202 #added 8443 for dairyland.ca,4430&4436 for webct.uvic.ca,20000 for ubc changepass, 7230 for princeton, 58202 for King's college
acl Safe_ports port 20 21 # ftp
acl Safe_ports port 80 # http
acl Safe_ports port 83 # rugby port !
acl Safe_ports port 443 # https
acl Safe_ports port 444 # non-standard http for U of Western Ontario
acl Safe_ports port 843 # 6connex tabs admissions port
acl Safe_ports port 1935 # rtsp streaming
acl Safe_ports port 2048 # non-standard http for Vancouver Island University
acl Safe_ports port 2082 # for georg's web admin
acl Safe_ports port 2095 # webmail for returntoplay.ca
acl Safe_ports port 3389 # MS RDP for Auction tracker
acl Safe_ports port 4200 # non-standard http for berkeley
acl Safe_ports port 4343 # Aruba guest account creation
acl Safe_ports port 4430 # for webct.uvic.ca
acl Safe_ports port 4443 # for bartleby.acadiau.ca password change
acl Safe_ports port 4445 # for st francis xavier online application
acl Safe_ports port 4446 # for bartleby.acadiau.ca login
acl Safe_ports port 5222 # 6connex tabs admissions port
acl Safe_ports port 7230 # non-standard http for Princeton
acl Safe_ports port 7778 # non-standard http for bartleby.acadiau.ca
acl Safe_ports port 8000 8008 8040 8080 8081 8100 8181 8095 8383 8443 # non-standard http
acl Safe_ports port 8800 # non-standard http for webct
acl Safe_ports port 20000 # non-standard http for ubc
acl Safe_ports port 32000 # non-standard http for SD79
acl Safe_ports port 58202 # non-standard http for King's College London
acl Safe_ports port 9191 # non-standard http for PaperCut NG Trial - not needed on firewall

#acl CONNECT method CONNECT

#####################################
# START OF SLS ACLs

#acl domain_auth proxy_auth REQUIRED #replace with VLAN ACL

acl none src 0.0.0.0/32

acl to_helpdesk dstdomain "/etc/squid/fallback.txt"

acl from_fallback src 10.9.0.0/255.255.0.0
deny_info http://helpdesk.shawnigan.ca/DefaultVLAN/NoExternalAccess.html from_fallback

acl sls_local dstdomain "/etc/squid/localservers.txt"
no_cache deny sls_local

acl no_delay dstdomain "/etc/squid/nodelay.txt"

acl sls_anonymous dstdomain "/etc/squid/anonymous.txt"

acl imagesearch dstdomain "/etc/squid/deny/imagesearch.txt"
deny_info SLS_IMAGESEARCH imagesearch

#acl sls_admin proxy_auth "/etc/squid/admin.txt"
#acl sls_staff proxy_auth "/etc/squid/staff.txt"

#acl nomsn proxy_auth "/etc/squid/nomsn.txt"
#deny_info SLS_MSN nomsn

acl fanfiction dstdomain "/etc/squid/deny/fanfiction.txt"
deny_info SLS_DITHER fanfiction

#acl nofanfiction proxy_auth "/etc/squid/nofanfiction.txt"
#deny_info SLS_DITHER nofanfiction

acl bigfiles url_regex -i .flv .avi .wmv .mpg .mpeg .divx .iso .exe .mp3

acl mime_IM_q req_mime_type ^application/x-msn-messenger$
acl mime_IM_q req_mime_type ^app/x-hotbar-xip20$
acl mime_IM_q req_mime_type ^application/x-hotbar-xip20$
acl mime_IM_q req_mime_type ^application/x-icq$
acl mime_IM_q req_mime_type ^application/x-comet-log$
acl mime_IM_q req_mime_type ^.*AIM.*
acl mime_IM_q req_mime_type ^AIM/HTTP$
acl mime_IM_q req_mime_type ^application/x-pncmd$

acl mime_IM_p rep_mime_type ^application/x-msn-messenger$
acl mime_IM_p rep_mime_type ^app/x-hotbar-xip20$
acl mime_IM_p rep_mime_type ^application/x-hotbar-xip20$
acl mime_IM_p rep_mime_type ^application/x-icq$
acl mime_IM_p rep_mime_type ^application/x-comet-log$
acl mime_IM_p rep_mime_type ^.*AIM.*
acl mime_IM_p rep_mime_type ^AIM/HTTP$
acl mime_IM_p rep_mime_type ^application/x-pncmd$

acl mime_mpstream1 req_mime_type ^application/x-mms-framed$
acl mime_mpstream2 req_mime_type ^application/vnd.ms.wms-hdr.asfv1$

acl wmf_req req_mime_type -i ^application/x-msmetafile$
acl wmf_req req_mime_type -i application/x-msmetafile
acl wmf_rep rep_mime_type -i ^application/x-msmetafile$
acl wmf_rep rep_mime_type -i application/x-msmetafile
acl wmf_ext url_regex -i \.wmf$

acl mime_video_q req_mime_type ^video/*
acl youtube_video url_regex get_video

# acl deny_porn dstdomain "/etc/squid/deny/porn.txt"
# deny_info SLS_PORN deny_porn
# acl deny_hate dstdomain "/etc/squid/deny/hate.txt"
# deny_info SLS_HATE deny_hate
# acl deny_violence dstdomain "/etc/squid/deny/violence.txt"
# deny_info SLS_VIOLENCE deny_violence
# acl deny_proxy dstdomain "/etc/squid/deny/proxy.txt"
# deny_info SLS_PROXY deny_proxy
# acl deny_gambling dstdomain "/etc/squid/deny/gambling.txt"
# deny_info SLS_GAMBLING deny_gambling
# acl fraud dst 211.78.189.50/255.255.255.255

acl deny_drugs dstdomain "/etc/squid/deny/drugs.txt"
deny_info SLS_DRUGS deny_drugs

acl deny_essays dstdomain "/etc/squid/deny/essays.txt"
deny_info SLS_ESSAYS deny_essays

acl deny_warez dstdomain "/etc/squid/deny/warez.txt"
deny_info SLS_WAREZ deny_warez

acl deny_hacking dstdomain "/etc/squid/deny/hacking.txt"
deny_info SLS_HACKING deny_hacking

acl deny_ads dstdomain "/etc/squid/deny/ads.txt"
deny_info SLS_ADS deny_ads

acl deny_multimedia dstdomain "/etc/squid/deny/deny_multimedia.txt"
deny_info SLS_MULTIMEDIA deny_multimedia

acl delay_multimedia dstdomain "/etc/squid/deny/delay_multimedia.txt"

acl deny_mail dstdomain "/etc/squid/deny/mail.txt"
deny_info SLS_MAIL deny_mail

acl deny_chat dstdomain "/etc/squid/deny/chat.txt"
deny_info SLS_CHAT deny_chat

acl deny_gchat dstdomain .talk.google.com
deny_info SLS_CHAT deny_gchat

acl deny_dither dstdomain "/etc/squid/deny/dither.txt"
deny_info SLS_DITHER deny_dither

acl deny_social dstdomain "/etc/squid/deny/social.txt"
deny_info SLS_DITHER deny_social

acl wikipedia dstdomain .wikipedia.org
acl wikiedit urlpath_regex action=edit
deny_info SLS_WIKIEDIT wikiedit

acl googleporn urlpath_regex safe=off
deny_info SLS_SAFESEARCH googleporn

acl sls_prep time MTWHF 19:00-21:00
acl sls_prep time S 18:30-19:30
acl sls_prep time A 10:00-11:00
deny_info SLS_TIME sls_prep

acl sls_exams time MTWHF 9:00-11:30
acl sls_exams time SMTWHFA 13:00-15:30
deny_info SLS_TIME sls_exams

acl sls_schoolday time MTHF 8:15-15:15
acl sls_schoolday time W 9:00-14:45
deny_info SLS_TIME sls_schoolday

acl sls_workday time MTHF 8:15-17:30
acl sls_workday time W 9:00-17:30
deny_info SLS_TIME sls_workday

acl late_night time SMTWHFA 23:00-23:59
deny_info SLS_TIME late_night

acl early_morning time SMTWHFA 00:00-5:59
deny_info SLS_TIME early_morning

acl montothurs_0900 time MTWHF 21:00-23:59
deny_info SLS_TIME montothurs_0900

acl montothurs_0930 time MTWHF 21:30-23:59
deny_info SLS_TIME montothurs_0930

acl montothurs_1000 time MTWHF 22:00-23:59
deny_info SLS_TIME montothurs_1000

acl montothurs_1030 time MTWHF 22:30-23:59
deny_info SLS_TIME montothurs_1030

acl montothurs_1100 time MTWHF 23:00-23:59
deny_info SLS_TIME montothurs_1100

acl montothurs_1130 time MTWHF 23:30-23:59
deny_info SLS_TIME montothurs_1130

acl montothurs_1200 time MTWHF 23:58-23:59
deny_info SLS_TIME montothurs_1200

acl friday_0900 time F 21:00-23:59
deny_info SLS_TIME friday_0900

acl friday_0930 time F 21:30-23:59
deny_info SLS_TIME friday_0930

acl friday_1000 time F 22:00-23:59
deny_info SLS_TIME friday_1000

acl friday_1030 time F 22:30-23:59
deny_info SLS_TIME friday_1030

acl friday_1100 time F 23:00-23:59
deny_info SLS_TIME friday_1100

acl friday_1130 time F 23:30-23:59
deny_info SLS_TIME friday_1130

acl friday_1200 time F 23:58-23:59
deny_info SLS_TIME friday_1200

acl saturday_0900 time A 21:00-23:59
deny_info SLS_TIME saturday_0900

acl saturday_0930 time A 21:30-23:59
deny_info SLS_TIME saturday_0930

acl saturday_1000 time A 22:00-23:59
deny_info SLS_TIME saturday_1000

acl saturday_1030 time A 22:30-23:59
deny_info SLS_TIME saturday_1030

acl saturday_1100 time A 23:00-23:59
deny_info SLS_TIME saturday_1100

acl saturday_1130 time A 23:30-23:59
deny_info SLS_TIME saturday_1130

acl saturday_1200 time A 23:58-23:59
deny_info SLS_TIME saturday_1200

acl sunday_0900 time S 21:00-23:59
deny_info SLS_TIME sunday_0900

acl sunday_0930 time S 21:30-23:59
deny_info SLS_TIME sunday_0930

acl sunday_1000 time S 22:00-23:59
deny_info SLS_TIME sunday_1000

acl sunday_1030 time S 22:30-23:59
deny_info SLS_TIME sunday_1030

acl sunday_1100 time S 23:00-23:59
deny_info SLS_TIME sunday_1100

acl sunday_1130 time S 23:30-23:59
deny_info SLS_TIME sunday_1130

acl sunday_1200 time S 23:58-23:59
deny_info SLS_TIME sunday_1200

acl Vlan1 src 10.0.0.0/255.0.0.0
acl Vlan72 src 72.2.0.0/255.255.255.128
acl VlanVPN src 72.2.0.96/255.255.255.224
acl Vlan3 src 10.3.0.0/255.255.0.0
acl Vlan4 src 10.4.0.0/255.255.0.0
acl Vlan5 src 10.5.0.0/255.255.252.0
acl Vlan9 src 10.9.0.0/255.255.0.0

acl VlanAdmin src 10.1.0.0/255.255.0.0
acl Vlan10 src 10.1.10.0/255.255.255.0
acl Vlan11 src 10.1.11.0/255.255.255.0
acl Vlan12 src 10.1.12.0/255.255.255.0
acl Vlan13 src 10.1.13.0/255.255.255.0
acl Vlan14 src 10.1.14.0/255.255.255.0

acl Vlan3-all src 10.3.0.0/255.255.0.0
acl Vlan31 src 10.3.1.0/255.255.255.0
acl Vlan32 src 10.3.2.0/255.255.255.0
acl Vlan33 src 10.3.3.0/255.255.255.0
acl Vlan34 src 10.3.4.0/255.255.255.0
acl Vlan35 src 10.3.5.0/255.255.255.0
acl VlanSouthLab src 10.3.1.0/255.255.255.0
acl VlanNorthLab src 10.3.2.0/255.255.255.0
acl VlanLibrary src 10.3.3.0/255.255.255.0
acl VlanLanguageLab src 10.3.4.0/255.255.255.0
acl VlanShawLab src 10.3.5.0/255.255.255.0
acl VlanWorkLabs src 10.3.1.0/255.255.255.0
acl VlanWorkLabs src 10.3.2.0/255.255.255.0
# acl VlanWorkLabs src 10.3.4.0/255.255.255.0
acl VlanWorkLabs src 10.3.5.0/255.255.255.0

acl Vlan40 src 10.4.0.0/255.255.255.0
acl Vlan41 src 10.4.1.0/255.255.255.0

acl VlanStudent src 10.2.80.1-10.2.120.255

acl Vlan80 src 10.2.80.0/255.255.254.0
acl Vlan90 src 10.2.90.0/255.255.254.0
acl Vlan100 src 10.2.100.0/255.255.254.0
acl Vlan110 src 10.2.110.0/255.255.254.0
acl Vlan120 src 10.2.120.0/255.255.254.0

acl VlanJuniors src 10.2.80.0/255.255.254.0
acl VlanJuniors src 10.2.90.0/255.255.254.0
acl VlanJuniors src 10.2.100.0/255.255.254.0

acl VlanSeniors src 10.2.110.0/255.255.254.0
acl VlanSeniors src 10.2.120.0/255.255.254.0

acl Vlan200 src 10.2.200.0/255.255.255.0
acl Vlan201 src 10.2.201.0/255.255.255.0
acl Vlan210 src 10.2.210.0/255.255.255.0
acl Vlan220 src 10.2.220.0/255.255.255.0
acl Vlan250 src 10.2.250.0/255.255.255.0

acl VlanStaff src 10.2.220.0/255.255.255.0
acl VlanStaff src 10.5.0.0/255.255.252.0
acl VlanStaff src 10.6.0.0/255.255.252.0

acl IEBrowser browser \MSIE
deny_info SLS_IE IEBrowser

# END OF SLS ACLs
#####################################

# START SLS DELAY POOLS
# Dec 3, 4:45pm, new GE live, NO delay pools.
# plan to leave no delay pools until Monday morning, Dec 7 , then enable by removing comments from lines below with #### (including ACL lines)
# On Wed Dec 9 comment out the "Test 2" lines and replace with "Test 1"
# squid -k reconfigure after each change, confirm in cachemgr delay pool levels
# http://academic.shawnigan.ca/scripts/cachemgr.exe?host=proxy&port=80&user_name=admin&operation=delay&auth=

delay_pools 2
delay_class 1 3

# 27/Apr/2009 - new settings: increase bucket sizes
# Class 3 pool for all 10.x subnets, 1000KBs/8Mb agg, 300KBs/8Mb net, 96KBs/8Mb bucket individual.
#delay_parameters 1 1000000/8000000 300000/8000000 96000/8000000

# Dec 2009 GigE Testing -comment above & replace with below lines & note dates
# Test 1 - increase to 100Mb effective total, 50/50 split, 15Mb per net, 4Mb per user
# delay_parameters 1 6250000/6250000 1875000/5625000 500000/5000000
# Test 2 - increase to 1000Mb effective total, 50/50 split, 100Mb per net, 10Mb per user
# active from 11am Dec 3 to
# delay_parameters 1 62500000/62500000 12500000/62500000 1250000/12500000
# active from 10am Dec 11 to
delay_parameters 1 62500000/62500000 12500000/62500000 1250000/12500000

# 2nd delay pool for multimedia, youtube, etc.
delay_class 2 3

# 23/May/2008 - Limit high bandwidth video etc.
# Class 2 pool for all 10.x subnets
#delay_parameters 2 200000/2000000 100000/1000000 96000/300000
#delay_parameters 2 1000000/8000000 300000/8000000 96000/8000000

# Dec 2009 GigE Testing -comment above & replace with below lines & note dates
# Test 1 - increase to 100Mb effective total, 50/50 split, 15Mb per net, 2.5Mb per user
# delay_parameters 2 6250000/6250000 1875000/5625000 312500/3125000
# Test 2 - increase to 1000Mb effective total, 50/50 split, 100Mb per net, 3Mb per user
# active from 11am Dec 3 to
# delay_parameters 2 62500000/62500000 12500000/62500000 375000/3750000
# active from 10am Dec 11 to
delay_parameters 2 62500000/62500000 12500000/62500000 575000/5750000

# add VLAN41 for IT testing 26/May/2008
#delay_access 1 allow vlan41 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan5 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan80 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan90 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan100 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan110 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan120 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan200 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan210 !sls_local !no_delay !delay_multimedia
delay_access 1 allow vlan220 !sls_local !no_delay !delay_multimedia
delay_access 1 deny all

delay_access 2 allow delay_multimedia
delay_access 2 deny all

# END SLS DELAY POOLS

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost

cachemgr_passwd xxxxx 5min 60min authenticator dns histograms info io ipcache netdb non_peers pconn peer_select redirector refresh server_list store_digest storedir utilization via_headers vm_objects

http_access allow manager vlan72
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
#http_access deny CONNECT !SSL_ports

#### REMOVE THIS AFTER UPDATING ACLS!!!
#http_access allow all
#### REMOVE THIS AFTER UPDATING ACLS!!!

http_access allow to_helpdesk
http_access allow sls_anonymous

http_access deny from_fallback
http_access allow sls_local

# http_access deny wmf_rep
# http_access deny wmf_req
# http_access deny wmf_ext

# http_access deny Vlan80 sls_exams
# http_access deny Vlan90 sls_exams
# http_access deny Vlan100 sls_exams

#http_access allow sls_admin

# following is denied by opendns
# http_access deny fraud

#http_access deny domain_auth none

# following are denied by opendns
# http_access deny deny_porn
# http_access deny deny_proxy

http_access deny deny_chat Vlan72
http_access deny mime_IM_q Vlan72
http_reply_access deny mime_IM_p Vlan72

http_access deny VlanVPN

# http_access deny deny_chat Vlan3
http_access deny mime_IM_q Vlan3
http_reply_access deny mime_IM_p Vlan3
http_access deny deny_gchat Vlan3

# http_access deny deny_chat VlanAdmin
http_access deny mime_IM_q VlanAdmin
http_reply_access deny mime_IM_p VlanAdmin
http_access deny deny_gchat VlanAdmin

# http_access deny mime_mpstream1
# http_access deny mime_mpstream2

http_access deny IEBrowser Vlan210
# http_access deny IEBrowser Vlan72
# http_access deny IEBrowser Vlan3
http_access deny IEBrowser VlanAdmin !Vlan12 !Vlan11 !Vlan10 !Vlan13

# http_access deny deny_dither Vlan3
# http_access deny deny_dither Vlan12

# denied by opendns
# http_access deny deny_gambling

http_access deny deny_warez

#http_access deny deny_chat nomsn
#http_access deny mime_IM_q nomsn
#http_reply_access deny mime_IM_p nomsn

http_access deny imagesearch googleporn

#http_access allow sls_staff ##replaced with below, sort of...
http_access allow VlanStaff
http_access allow VlanAdmin
http_access allow Vlan3-all
http_access allow Vlan40
http_access allow Vlan41

http_access deny wikipedia wikiedit

http_access deny deny_essays
http_access deny deny_hacking

# following is denied by OpenDNS
# http_access deny deny_hate
# http_access deny deny_violence

#http_access deny fanfiction nofanfiction

#http_access deny deny_multimedia

# Deny these during prep to 8,9,10 but allow 11 & 12
http_access deny mime_IM_q sls_prep !VlanStaff !VlanSeniors
http_reply_access deny mime_IM_p sls_prep !VlanStaff !VlanSeniors
http_access deny deny_chat sls_prep !VlanStaff !VlanSeniors
http_access deny deny_mail sls_prep !VlanStaff !VlanSeniors
http_access deny deny_dither sls_prep !VlanStaff !VlanSeniors
http_access deny deny_social sls_prep !VlanStaff !VlanSeniors

# Deny these until 2:45 if in student residence and is junior
http_access deny mime_IM_q sls_schoolday VlanStudent !VlanSeniors
http_reply_access deny mime_IM_p sls_schoolday VlanStudent !VlanSeniors
http_access deny deny_chat sls_schoolday VlanStudent !VlanSeniors
http_access deny deny_mail sls_schoolday VlanStudent !VlanSeniors
http_access deny deny_dither sls_schoolday VlanStudent !VlanSeniors
http_access deny deny_social sls_schoolday VlanStudent !VlanSeniors

# Deny these during until after fine art (5:30) if in North, South, Language, Shaw
#http_access deny mime_IM_q sls_workday VlanWorkLabs
#http_reply_access deny mime_IM_p sls_workday VlanWorkLabs
#http_access deny deny_chat sls_workday VlanWorkLabs
#http_access deny deny_mail sls_workday VlanWorkLabs
#http_access deny deny_dither sls_workday VlanWorkLabs
#http_access deny deny_social sls_workday VlanWorkLabs

# Deny 12am - 6am for all students
http_access deny early_morning

# below is commented out; allow cat6000 to deny prior to midnight
#http_access deny late_night

#http_access allow domain_auth
#http_access allow VlanStudent
http_access allow all

http_reply_access allow all
icp_access allow all

# SNMP setup for MRTG
snmp_port 3401

acl snmppublic snmp_community public
snmp_access allow snmppublic localhost
snmp_access allow snmppublic vlan72
snmp_access allow snmppublic vlan40
snmp_access deny all

Thanks for any help you can offer!

Shawn Wright
Manager of Information Technology
Shawnigan Lake School
Received on Fri Dec 14 2012 - 19:53:42 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 18 2012 - 12:00:07 MST
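The pattern the post describes (a flood of "Request header is too large" rejections beginning at 20:00:20 while the proxy's conntrack count nearly doubles between two one-minute samples) is easy to miss by eye in a cache.log that grows by thousands of lines in a minute. The Python below is an added example, not code from the original post or from the Squid project. It parses Squid 2.6 cache.log lines and a timestamped conntrack-count log, both constructed here from the lines quoted in the post, and reports the first second the rejection rate crosses a threshold, the per-client count of "Invalid Request" lines (the too-large lines themselves carry no client address, so only the invalid-request lines can be attributed), any NUL-in-header events, and any sample-to-sample conntrack jump. The thresholds (3 rejections per second, 1.5x growth, 90% of the table) are assumptions chosen for the sample, not Squid or kernel defaults.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Squid 2.6 cache.log lines, modelled on the post.
CACHE_LOG = """\
2012/12/13 19:59:55| clientReadRequest: FD 1027 (10.2.120.12:61069) Invalid Request
2012/12/13 20:00:00| parseHttpRequest: Requestheader contains NULL characters
2012/12/13 20:00:00| parseHttpRequest: Can't get request method
2012/12/13 20:00:00| clientReadRequest: FD 1901 (10.2.120.51:41435) Invalid Request
2012/12/13 20:00:05| clientReadRequest: FD 165 (10.5.0.150:60948) Invalid Request
2012/12/13 20:00:20| Request header is too large (67792 bytes)
2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
2012/12/13 20:00:20| Request header is too large (67623 bytes)
2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
2012/12/13 20:00:20| Request header is too large (67487 bytes)
2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
2012/12/13 20:00:21| Request header is too large (67501 bytes)
2012/12/13 20:00:21| Config 'request_header_max_size'= 65536 bytes.
2012/12/13 20:00:21| clientReadRequest: FD 233 (10.2.120.12:61100) Invalid Request
"""

# Constructed conntrack samples (timestamp and nf_conntrack_count), taken from the post's table.
CONNTRACK_LOG = """\
2012-12-13 19:58:01 27449
2012-12-13 19:59:01 25355
2012-12-13 20:00:02 25551
2012-12-13 20:01:01 48476
2012-12-13 20:02:01 61525
2012-12-13 20:03:01 58012
"""

# Squid 2.6 cache.log lines start with "YYYY/MM/DD HH:MM:SS| ".
TOO_LARGE = re.compile(r"^(\S+ \S+)\| Request header is too large \((\d+) bytes\)")
INVALID = re.compile(r"^(\S+ \S+)\| clientReadRequest: FD \d+ \((\d+\.\d+\.\d+\.\d+):\d+\) Invalid Request")
NULS = re.compile(r"^(\S+ \S+)\| parseHttpRequest: Requestheader contains NULL characters")


def parse_cache_log(text):
    """Return (per-second too-large counts, rejected header sizes,
    invalid requests per client IP, timestamps of NUL-in-header events)."""
    too_large = Counter()
    sizes = []
    invalid_by_ip = Counter()
    nul_events = []
    for line in text.splitlines():
        m = TOO_LARGE.match(line)
        if m:
            too_large[m.group(1)] += 1  # key is the one-second timestamp
            sizes.append(int(m.group(2)))
            continue
        m = INVALID.match(line)
        if m:
            invalid_by_ip[m.group(2)] += 1
            continue
        m = NULS.match(line)
        if m:
            nul_events.append(m.group(1))
    return too_large, sizes, invalid_by_ip, nul_events


def burst_start(per_second, threshold):
    """First second whose too-large count reaches threshold, or None.
    Timestamps are fixed-width, so lexical order is chronological within a day."""
    for ts in sorted(per_second):
        if per_second[ts] >= threshold:
            return ts
    return None


def parse_conntrack(text):
    """Parse 'YYYY-MM-DD HH:MM:SS count' lines into (datetime, count) tuples."""
    rows = []
    for line in text.splitlines():
        day, clock, count = line.split()
        rows.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), int(count)))
    return rows


def conntrack_jumps(rows, ratio):
    """(timestamp, before, after) for every sample that grew by at least ratio
    over the previous sample; a sudden jump, not a slow climb, is what to look for."""
    return [(t1, n0, n1) for (t0, n0), (t1, n1) in zip(rows, rows[1:]) if n0 and n1 / n0 >= ratio]


def table_usage(count, limit):
    """Fraction of the conntrack table in use; above ~0.9 new flows are at risk of being dropped."""
    return count / limit


if __name__ == "__main__":
    per_sec, sizes, by_ip, nuls = parse_cache_log(CACHE_LOG)
    print("burst starts at", burst_start(per_sec, 3), "max header", max(sizes), "bytes")
    print("invalid requests by client", dict(by_ip), "NUL-in-header at", nuls)
    for t, before, after in conntrack_jumps(parse_conntrack(CONNTRACK_LOG), 1.5):
        print("conntrack jump at", t, before, "->", after, "usage", round(table_usage(after, 65536), 2))
```

Run against a real cache.log, the interesting output is the burst timestamp lined up with the conntrack jump: on the post's figures the rejections begin at 20:00:20 and the next conntrack sample (20:01:01) has already grown by nearly 1.9x. The per-client counter only covers the "Invalid Request" lines; to attribute the too-large headers themselves you would need the client addresses from access.log or a packet capture on the transparent port.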