Re: [squid-users] Request header too large & ip_conntrack

From: Shawn Wright <swright_at_shawnigan.ca>
Date: Mon, 17 Dec 2012 16:40:32 -0800 (PST)

Hi,

I was wondering about rate-limiting, as we have used it for inbound connections to our mail server. We've avoided this so far on the proxy in an effort to keep it simple and maximize performance, but that isn't working so well anymore. We recently turned off disk caching as the hit rate was so low, and our bandwidth fee is flat-rate.

I will have a look at iptables on the proxy box tonight, thanks again. Students leave soon, so I may not know until next year if it works...

Shawn Wright
Manager of Information Technology
Shawnigan Lake School

Please direct requests for support to helpdesk_at_shawnigan.ca

Shawn Wright Manager of Information Technology Shawnigan Lake School Please direct requests for support to helpdesk_at_shawnigan.ca

Shawn Wright
Manager of Information Technology
Shawnigan Lake School

Please direct requests for support to helpdesk_at_shawnigan.ca

----- Original Message -----

From: "Eliezer Croitoru" <eliezer_at_ngtech.co.il>
To: squid-users_at_squid-cache.org
Sent: Monday, 17 December, 2012 10:52:10 AM
Subject: Re: [squid-users] Request header too large & ip_conntrack

Hey,

In this case you can use a more collective way to defend this kind of
abuse using IPTABLES rate limiting.
Just use some a small nginx server with a Warning page no logs etc to
redirect blocked computers into.

They will come to you I promise!

Regards,
Eliezer

On 12/17/2012 8:43 PM, Shawn Wright wrote:
>
> Hi,
>
> My mistake, the client IP is logged in the access.log. I have narrowed it down to a single client (a student) for the past several days, so I will bring the machine in to investigate what it is doing. It appears every time this machine connects, within 20 seconds of getting an IP address, it floods our proxy with these requests!
>
> Thanks
>
>
>
> Shawn Wright
> Manager of Information Technology
> Shawnigan Lake School
>
> Please direct requests for support to helpdesk_at_shawnigan.ca
>
>
>
> Shawn Wright Manager of Information Technology Shawnigan Lake School Please direct requests for support to helpdesk_at_shawnigan.ca
>
>
> Shawn Wright
> Manager of Information Technology
> Shawnigan Lake School
>
> Please direct requests for support to helpdesk_at_shawnigan.ca
>
>
>
> ----- Original Message -----
>
> From: "Eliezer Croitoru" <eliezer_at_ngtech.co.il>
> To: squid-users_at_squid-cache.org
> Sent: Monday, 17 December, 2012 9:01:49 AM
> Subject: Re: [squid-users] Request header too large & ip_conntrack
>
> Hey,
>
> The max header is 64KB by default.
> Change it to more then 64 to about 80KB just to make sure it's OK.
> There are debug_options that can help you with it:
> http://wiki.squid-cache.org/KnowledgeBase/DebugSections
>
> I do not know the exact section used with "Request header is too large"
> but a simple look-up in the source code will get you the section and by
> making the verbosity of this section to more then 1(2-3) you will might
> have the data you need.
> If I remember right section 33 will do what you need if not then 66 but
> i'm not sure which one of the sections should have the exact data you need.
>
> Try the HTTP sections as the best choice.
>
> If you are afraid of DDOS then this basic settings of 64KB protect you
> from it with the only exception of squid cache.log size explosion.
> Are you trying to protect the server from that?
>
> Regards,
> Eliezer
>
> On 12/17/2012 5:52 PM, Shawn Wright wrote:
>> Hi,
>>
>> Thanks - I did check the docs, and already increased the max header to 64K as per the RFC. If this client is causing a DOS (which it appears to be) surely there must be some way to determine the client IP? Debug log?
>>
>>
>> Shawn Wright
>> Manager of Information Technology
>> Shawnigan Lake School
>>
>> Please direct requests for support to helpdesk_at_shawnigan.ca
>>
>>
>>
>> ----- Original Message -----
>>
>> From: "Eliezer Croitoru" <eliezer_at_ngtech.co.il>
>> To: squid-users_at_squid-cache.org
>> Sent: Monday, 17 December, 2012 7:19:33 AM
>> Subject: Re: [squid-users] Request header too large & ip_conntrack
>>
>> Hey there,
>>
>> Take a look at:
>> http://www.squid-cache.org/Doc/config/request_header_max_size/
>> You dont see the logs since it's invalid Request.
>>
>> Try to make the size more then 64KB but I would consider trying to find
>> out what request is trying to use this kind of header for security reasons.
>>
>> Regards,
>> Eliezer
>>
>> On 12/17/2012 4:52 PM, Shawn Wright wrote:
>>> Hello,
>>>
>>>
>>> This problem continues. How can I locate where these request header too large are coming from? I don't see the client IP being logged. Or is it the line preceding?
>>>
>>>
>>> 2012/12/13 20:00:05| clientReadRequest: FD 165 (10.5.0.150:60948) Invalid Request
>>> 2012/12/13 20:00:20| Request header is too large (67792 bytes)
>>> 2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
>>> 2012/12/13 20:00:20| Request header is too large (67623 bytes)
>>>
>>>
>>> Shawn Wright
>>> Manager of Information Technology
>>> Shawnigan Lake School
>>>
>>> Please direct requests for support to helpdesk_at_shawnigan.ca
>>>
>>>
>>>
>>> ----- Original Message -----
>>>
>>> From: "Shawn Wright" <swright_at_shawnigan.ca>
>>> To: squid-users_at_squid-cache.org
>>> Sent: Friday, 14 December, 2012 11:53:35 AM
>>> Subject: [squid-users] Request header too large & ip_conntrack
>>>
>>> Hello,
>>>
>>> I have been trying to track down a congestion issue we have been seeing at 8pm each night for several weeks, where most of our clients see slow or no connectivity for 20-40 minutes.
>>>
>>> First issue was our firewall reaching ip_conntrack_max, so I increased it, and began logging the conn count every 5 minutes. The problem was gone for a week.
>>>
>>> Then it came back, just as before. The firewall was fine, no errors this time, and well below the ip_conntrack_max.
>>>
>>> I looked at proxy, and saw an excessive number of invalid requests during peak times, at one point over 100/sec from a single client. Adjusting some rules on our wireless controller to resolve this issue, and invalid requests dropped by a factor of 10, but the issue at 8pm continued. I also set:
>>>
>>> request_header_max_size 64 KB
>>> reply_header_max_size 64 KB
>>>
>>> as we were seeing many request header too large errors.
>>>
>>> I enabled conntrack logging every minute on the proxy, and saw it came very close to it's limit last night at 8pm, and stayed there for over an hour, but no errors were logged. However, at the instant that ip_conntrack climbed at 8pm (limit was 65536, now 262144):
>>>
>>> 2012-12-13 19:56:01 28754
>>> 2012-12-13 19:57:01 29398
>>> 2012-12-13 19:58:01 27449
>>> 2012-12-13 19:59:01 25355
>>> 2012-12-13 20:00:02 25551
>>> 2012-12-13 20:01:01 48476
>>> 2012-12-13 20:02:01 61525
>>> 2012-12-13 20:03:01 58012
>>> 2012-12-13 20:04:01 59262
>>> 2012-12-13 20:05:01 61038
>>> 2012-12-13 20:06:01 61023
>>>
>>> squid started logging this:
>>>
>>> 2012/12/13 19:59:55| clientReadRequest: FD 1027 (10.2.120.12:61069) Invalid Request
>>> 2012/12/13 20:00:00| parseHttpRequest: Requestheader contains NULL characters
>>> 2012/12/13 20:00:00| parseHttpRequest: Can't get request method
>>> 2012/12/13 20:00:00| clientReadRequest: FD 1901 (10.2.120.51:41435) Invalid Request
>>> 2012/12/13 20:00:05| clientReadRequest: FD 165 (10.5.0.150:60948) Invalid Request
>>> 2012/12/13 20:00:20| Request header is too large (67792 bytes)
>>> 2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
>>> 2012/12/13 20:00:20| Request header is too large (67623 bytes)
>>> 2012/12/13 20:00:20| Config 'request_header_max_size'= 65536 bytes.
>>> 2012/12/13 20:00:20| Request header is too large (67487 bytes)
>>> ...
>>>
>>> the above continues for >4000 lines, with 250 of them in the first second.
>>>
>>> squid is still servicing some requests during the outage, and things appear normal in the access.log, albeit lower volume. During the issue, there are very few other errors in cache.log - just the request header too large and a few invalid requests.
>>>
>>> MRTG shows squid hits/s drop from ~120 to ~10 for the 70 minute outage, slowly declining to near zero until 21:10 when the request header too large errors stop, and the hits/s climbs to ~100 immediately.
>>>
>>> The environment:
>>>
>>> Dual Xeon CPUs, 4Gb, Ubuntu 8.04 LTS 32bit
>>> Squid Cache: Version 2.6.STABLE20
>>> configure options: '--sysconfdir=/etc/squid' '--localstatedir=/var' '--enable-delay-pools' '--enable-snmp' '--enable-async-io=64' '--disable-ident-lookups' '--enable-auth=ntlm,basic' '--enable-removal-policies' '--enable-kill-parent-hack' '--with-filedescriptors=16384' '--with-large-files' '--enable-linux-netfilter'
>>>
>>> Approximately 700 active clients, most on wireless during this period. Aruba wireless controller DNATs all port 80 traffic to squid for transparent proxy.
>>>
>>> squid.conf:
>>> # Squid 2.6 stable 20, ubuntu 8.04 32bit
>>> # 26/Mar/2008 11:52
>>> # 5/Jan/2010 10:15 - recompile with large file support for logs >2Gb
>>> # 27/Aug/2010 11:32 - clone config & modify for transparent listening on 72.2.0.12:3128
>>> # 5/Nov/2010 10:27 remove WCCP2 & replace with DNATs on Aruba VLANs 5,6,80,90,100,110,120
>>> # 1/Oct/2012 - Disable Caching
>>>
>>> visible_hostname proxy.shawnigan.ca
>>> pid_filename /var/run/squid.pid
>>>
>>> append_domain .shawnigan.ca
>>> dns_nameservers 208.67.222.222 208.67.220.220
>>>
>>> # disable X-Forwarded-For: header -31/Mar/2006 8:43
>>> forwarded_for off
>>> via off
>>> client_db off
>>> #header_access Via deny all
>>>
>>> # increase request header to 64k as per RFC 2616
>>> request_header_max_size 64 KB
>>> reply_header_max_size 64 KB
>>>
>>>
>>> http_port 72.2.0.12:3128 transparent
>>>
>>> icp_port 0
>>>
>>> #wccp2_router 72.2.0.1
>>> #wccp2_forwarding_method 2
>>> #wccp2_return_method 1
>>> #wccp2_service standard 0
>>> #wccp2_assignment_method 1
>>>
>>> # test dynamic services later, nat for now.
>>> #wccp2_service dynamic 80
>>> #wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80,1935
>>> #http_port 72.2.0.12:1935 transparent
>>>
>>> strip_query_terms off
>>>
>>> cache_access_log /var/log/squid/access.log
>>> cache_log /var/log/squid/cache.log
>>> # cache_store_log /var/log/squid/store.log
>>> cache_store_log none
>>>
>>> #hierarchy_stoplist cgi-bin ?
>>> #acl QUERY urlpath_regex cgi-bin \?
>>> #no_cache deny QUERY
>>> # 26/May/2008 - replace above with squid 2.7/3.0 version to allow youtube caching etc.
>>> refresh_pattern (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>>
>>> error_directory /etc/squid/errors
>>> icon_directory /usr/local/squid/share/icons
>>> cache_effective_user squid
>>> cache_effective_group root
>>> # reduce RAM from 768 to 512 Apr 16 08
>>> #increase RAM from 512 to 1024 Apr 28 08
>>> # increase RAM from 128 to 1024 01Oct2012
>>> cache_mem 1024 MB
>>> cache_replacement_policy heap LFUDA
>>> memory_replacement_policy heap GDSF
>>> # Disable Caching Start
>>> #maximum_object_size 160000 KB
>>> maximum_object_size 0 KB
>>> minimum_object_size 0 KB
>>> # Disable Caching End
>>> maximum_object_size_in_memory 24 KB
>>> # 20% less than drive size used here
>>> # Disable Caching Start - Didn't work as need to recompile using --enable-storeio=null,...
>>> # cache_dir null /tmp
>>> cache_dir aufs /tmp/cache 5000 64 512
>>> #cache_dir aufs /cache2 55000 64 512
>>> #cache_dir aufs /cache3 55000 64 512
>>> #cache_dir aufs /cache4 55000 64 512
>>> # Disable Caching End
>>> #cache_dir aufs /var/cache 5000 16 256
>>>
>>>
>>> #auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>> # increase from 5 to 10 auth helpers Feb 4,2010
>>> #auth_param basic children 10
>>> #auth_param basic realm SLS Proxy Cache
>>> #auth_param basic credentialsttl 2 hours
>>>
>>> #Recommended minimum configuration:
>>> #####
>>> # SLS Updates follow Oct 25, 2004
>>> #####
>>> acl all src all
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> # SSL_ports entries must be duplicated in Safe_ports
>>> # Any port changes must be replected in the main firewall config and on this proxy's firewall
>>> acl SSL_ports port 21 443 444 563 1935 2048 2095 3389 4200 4343 4430 4443 4445 4446 8081 8100 8181 8443 20000 7230 58202 #added 8443 for dairyland.ca,4430&4436 for webct.uvic.ca,20000 for ubc changepass, 7230 for princeton, 58202 for King's college
>>> acl Safe_ports port 20 21 # ftp
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 83 # rugby port !
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 444 # non-standard http for U of Western Ontario
>>> acl Safe_ports port 843 # 6connex tabs admissions port
>>> acl Safe_ports port 1935 # rtsp streaming
>>> acl Safe_ports port 2048 # non-standard http for Vancouver Island University
>>> acl Safe_ports port 2082 # for georg's web admin
>>> acl Safe_ports port 2095 # webmail for returntoplay.ca
>>> acl Safe_ports port 3389 # MS RDP for Auction tracker
>>> acl Safe_ports port 4200 # non-standard http for berkeley
>>> acl Safe_ports port 4343 # Aruba guest account creation
>>> acl Safe_ports port 4430 # for webct.uvic.ca
>>> acl Safe_ports port 4443 # for bartleby.acadiau.ca password change
>>> acl Safe_ports port 4445 # for st francis xavier online application
>>> acl Safe_ports port 4446 # for bartleby.acadiau.ca login
>>> acl Safe_ports port 5222 # 6connex tabs admissions port
>>> acl Safe_ports port 7230 # non-standard http for Princeton
>>> acl Safe_ports port 7778 # non-standard http for bartleby.acadiau.ca
>>> acl Safe_ports port 8000 8008 8040 8080 8081 8100 8181 8095 8383 8443 # non-standard http
>>> acl Safe_ports port 8800 # non-standard http for webct
>>> acl Safe_ports port 20000 # non-standard http for ubc
>>> acl Safe_ports port 32000 # non-standard http for SD79
>>> acl Safe_ports port 58202 # non-standard http for King's College London
>>> acl Safe_ports port 9191 # non-standard http for PaperCut NG Trial - not needed on firewall
>>>
>>> #acl CONNECT method CONNECT
>>>
>>> #####################################
>>> # START OF SLS ACLs
>>>
>>> #acl domain_auth proxy_auth REQUIRED #replace with VLAN ACL
>>>
>>> acl none src 0.0.0.0/32
>>>
>>> acl to_helpdesk dstdomain "/etc/squid/fallback.txt"
>>>
>>> acl from_fallback src 10.9.0.0/255.255.0.0
>>> deny_info http://helpdesk.shawnigan.ca/DefaultVLAN/NoExternalAccess.html from_fallback
>>>
>>> acl sls_local dstdomain "/etc/squid/localservers.txt"
>>> no_cache deny sls_local
>>>
>>> acl no_delay dstdomain "/etc/squid/nodelay.txt"
>>>
>>> acl sls_anonymous dstdomain "/etc/squid/anonymous.txt"
>>>
>>> acl imagesearch dstdomain "/etc/squid/deny/imagesearch.txt"
>>> deny_info SLS_IMAGESEARCH imagesearch
>>>
>>> #acl sls_admin proxy_auth "/etc/squid/admin.txt"
>>> #acl sls_staff proxy_auth "/etc/squid/staff.txt"
>>>
>>> #acl nomsn proxy_auth "/etc/squid/nomsn.txt"
>>> #deny_info SLS_MSN nomsn
>>>
>>> acl fanfiction dstdomain "/etc/squid/deny/fanfiction.txt"
>>> deny_info SLS_DITHER fanfiction
>>>
>>> #acl nofanfiction proxy_auth "/etc/squid/nofanfiction.txt"
>>> #deny_info SLS_DITHER nofanfiction
>>>
>>> acl bigfiles url_regex -i .flv .avi .wmv .mpg .mpeg .divx .iso .exe .mp3
>>>
>>> acl mime_IM_q req_mime_type ^application/x-msn-messenger$
>>> acl mime_IM_q req_mime_type ^app/x-hotbar-xip20$
>>> acl mime_IM_q req_mime_type ^application/x-hotbar-xip20$
>>> acl mime_IM_q req_mime_type ^application/x-icq$
>>> acl mime_IM_q req_mime_type ^application/x-comet-log$
>>> acl mime_IM_q req_mime_type ^.*AIM.*
>>> acl mime_IM_q req_mime_type ^AIM/HTTP$
>>> acl mime_IM_q req_mime_type ^application/x-pncmd$
>>>
>>> acl mime_IM_p rep_mime_type ^application/x-msn-messenger$
>>> acl mime_IM_p rep_mime_type ^app/x-hotbar-xip20$
>>> acl mime_IM_p rep_mime_type ^application/x-hotbar-xip20$
>>> acl mime_IM_p rep_mime_type ^application/x-icq$
>>> acl mime_IM_p rep_mime_type ^application/x-comet-log$
>>> acl mime_IM_p rep_mime_type ^.*AIM.*
>>> acl mime_IM_p rep_mime_type ^AIM/HTTP$
>>> acl mime_IM_p rep_mime_type ^application/x-pncmd$
>>>
>>> acl mime_mpstream1 req_mime_type ^application/x-mms-framed$
>>> acl mime_mpstream2 req_mime_type ^application/vnd.ms.wms-hdr.asfv1$
>>>
>>> acl wmf_req req_mime_type -i ^application/x-msmetafile$
>>> acl wmf_req req_mime_type -i application/x-msmetafile
>>> acl wmf_rep rep_mime_type -i ^application/x-msmetafile$
>>> acl wmf_rep rep_mime_type -i application/x-msmetafile
>>> acl wmf_ext url_regex -i \.wmf$
>>>
>>> acl mime_video_q req_mime_type ^video/*
>>> acl youtube_video url_regex get_video
>>>
>>> # acl deny_porn dstdomain "/etc/squid/deny/porn.txt"
>>> # deny_info SLS_PORN deny_porn
>>> # acl deny_hate dstdomain "/etc/squid/deny/hate.txt"
>>> # deny_info SLS_HATE deny_hate
>>> # acl deny_violence dstdomain "/etc/squid/deny/violence.txt"
>>> # deny_info SLS_VIOLENCE deny_violence
>>> # acl deny_proxy dstdomain "/etc/squid/deny/proxy.txt"
>>> # deny_info SLS_PROXY deny_proxy
>>> # acl deny_gambling dstdomain "/etc/squid/deny/gambling.txt"
>>> # deny_info SLS_GAMBLING deny_gambling
>>> # acl fraud dst 211.78.189.50/255.255.255.255
>>>
>>>
>>> acl deny_drugs dstdomain "/etc/squid/deny/drugs.txt"
>>> deny_info SLS_DRUGS deny_drugs
>>>
>>> acl deny_essays dstdomain "/etc/squid/deny/essays.txt"
>>> deny_info SLS_ESSAYS deny_essays
>>>
>>> acl deny_warez dstdomain "/etc/squid/deny/warez.txt"
>>> deny_info SLS_WAREZ deny_warez
>>>
>>> acl deny_hacking dstdomain "/etc/squid/deny/hacking.txt"
>>> deny_info SLS_HACKING deny_hacking
>>>
>>> acl deny_ads dstdomain "/etc/squid/deny/ads.txt"
>>> deny_info SLS_ADS deny_ads
>>>
>>> acl deny_multimedia dstdomain "/etc/squid/deny/deny_multimedia.txt"
>>> deny_info SLS_MULTIMEDIA deny_multimedia
>>>
>>> acl delay_multimedia dstdomain "/etc/squid/deny/delay_multimedia.txt"
>>>
>>> acl deny_mail dstdomain "/etc/squid/deny/mail.txt"
>>> deny_info SLS_MAIL deny_mail
>>>
>>> acl deny_chat dstdomain "/etc/squid/deny/chat.txt"
>>> deny_info SLS_CHAT deny_chat
>>>
>>> acl deny_gchat dstdomain .talk.google.com
>>> deny_info SLS_CHAT deny_chat
>>>
>>> acl deny_dither dstdomain "/etc/squid/deny/dither.txt"
>>> deny_info SLS_DITHER deny_dither
>>>
>>> acl deny_social dstdomain "/etc/squid/deny/social.txt"
>>> deny_info SLS_DITHER deny_social
>>>
>>> acl wikipedia dstdomain .wikipedia.org
>>> acl wikiedit urlpath_regex action=edit
>>> deny_info SLS_WIKIEDIT wikiedit
>>>
>>> acl googleporn urlpath_regex safe=off
>>> deny_info SLS_SAFESEARCH googleporn
>>>
>>> acl sls_prep time MTWHF 19:00-21:00
>>> acl sls_prep time S 18:30-19:30
>>> acl sls_prep time A 10:00-11:00
>>> deny_info SLS_TIME sls_prep
>>>
>>> acl sls_exams time MTWHF 9:00-11:30
>>> acl sls_exams time SMTWHFA 13:00-15:30
>>> deny_info SLS_TIME sls_exams
>>>
>>> acl sls_schoolday time MTHF 8:15-15:15
>>> acl sls_schoolday time W 9:00-14:45
>>> deny_info SLS_TIME sls_schoolday
>>>
>>> acl sls_workday time MTHF 8:15-17:30
>>> acl sls_workday time W 9:00-17:30
>>> deny_info SLS_TIME sls_workday
>>>
>>> acl late_night time SMTWHFA 23:00-23:59
>>> deny_info SLS_TIME late_night
>>>
>>> acl early_morning time SMTWHFA 00:00-5:59
>>> deny_info SLS_TIME early_morning
>>>
>>> acl montothurs_0900 time MTWHF 21:00-23:59
>>> deny_info SLS_TIME montothurs_0900
>>>
>>> acl montothurs_0930 time MTWHF 21:30-23:59
>>> deny_info SLS_TIME montothurs_0930
>>>
>>> acl montothurs_1000 time MTWHF 22:00-23:59
>>> deny_info SLS_TIME montothurs_1000
>>>
>>> acl montothurs_1030 time MTWHF 22:30-23:59
>>> deny_info SLS_TIME montothurs_1030
>>>
>>> acl montothurs_1100 time MTWHF 23:00-23:59
>>> deny_info SLS_TIME montothurs_1100
>>>
>>> acl montothurs_1130 time MTWHF 23:30-23:59
>>> deny_info SLS_TIME montothurs_1130
>>>
>>> acl montothurs_1200 time MTWHF 23:58-23:59
>>> deny_info SLS_TIME montothurs_1200
>>>
>>> acl friday_0900 time F 21:00-23:59
>>> deny_info SLS_TIME friday_0900
>>>
>>> acl friday_0930 time F 21:30-23:59
>>> deny_info SLS_TIME friday_0930
>>>
>>> acl friday_1000 time F 22:00-23:59
>>> deny_info SLS_TIME friday_1000
>>>
>>> acl friday_1030 time F 22:30-23:59
>>> deny_info SLS_TIME friday_1030
>>>
>>> acl friday_1100 time F 23:00-23:59
>>> deny_info SLS_TIME friday_1100
>>>
>>> acl friday_1130 time F 23:30-23:59
>>> deny_info SLS_TIME friday_1130
>>>
>>> acl friday_1200 time F 23:58-23:59
>>> deny_info SLS_TIME friday_1200
>>>
>>> acl saturday_0900 time A 21:00-23:59
>>> deny_info SLS_TIME saturday_0900
>>>
>>> acl saturday_0930 time A 21:30-23:59
>>> deny_info SLS_TIME saturday_0930
>>>
>>> acl saturday_1000 time A 22:00-23:59
>>> deny_info SLS_TIME saturday_1000
>>>
>>> acl saturday_1030 time A 22:30-23:59
>>> deny_info SLS_TIME saturday_1030
>>>
>>> acl saturday_1100 time A 23:00-23:59
>>> deny_info SLS_TIME saturday_1100
>>>
>>> acl saturday_1130 time A 23:30-23:59
>>> deny_info SLS_TIME saturday_1130
>>>
>>> acl saturday_1200 time A 23:58-23:59
>>> deny_info SLS_TIME saturday_1200
>>>
>>> acl sunday_0900 time S 21:00-23:59
>>> deny_info SLS_TIME sunday_0900
>>>
>>> acl sunday_0930 time S 21:30-23:59
>>> deny_info SLS_TIME sunday_0930
>>>
>>> acl sunday_1000 time S 22:00-23:59
>>> deny_info SLS_TIME sunday_1000
>>>
>>> acl sunday_1030 time S 22:30-23:59
>>> deny_info SLS_TIME sunday_1030
>>>
>>> acl sunday_1100 time S 23:00-23:59
>>> deny_info SLS_TIME sunday_1100
>>>
>>> acl sunday_1130 time S 23:30-23:59
>>> deny_info SLS_TIME sunday_1130
>>>
>>> acl sunday_1200 time S 23:58-23:59
>>> deny_info SLS_TIME sunday_1200
>>>
>>>
>>> acl Vlan1 src 10.0.0.0/255.0.0.0
>>> acl Vlan72 src 72.2.0.0/255.255.255.128
>>> acl VlanVPN src 72.2.0.96/255.255.255.224
>>> acl Vlan3 src 10.3.0.0/255.255.0.0
>>> acl Vlan4 src 10.4.0.0/255.255.0.0
>>> acl Vlan5 src 10.5.0.0/255.255.252.0
>>> acl Vlan9 src 10.9.0.0/255.255.0.0
>>>
>>> acl VlanAdmin src 10.1.0.0/255.255.0.0
>>> acl Vlan10 src 10.1.10.0/255.255.255.0
>>> acl Vlan11 src 10.1.11.0/255.255.255.0
>>> acl Vlan12 src 10.1.12.0/255.255.255.0
>>> acl Vlan13 src 10.1.13.0/255.255.255.0
>>> acl Vlan14 src 10.1.14.0/255.255.255.0
>>>
>>> acl Vlan3-all src 10.3.0.0/255.255.0.0
>>> acl Vlan31 src 10.3.1.0/255.255.255.0
>>> acl Vlan32 src 10.3.2.0/255.255.255.0
>>> acl Vlan33 src 10.3.3.0/255.255.255.0
>>> acl Vlan34 src 10.3.4.0/255.255.255.0
>>> acl Vlan35 src 10.3.5.0/255.255.255.0
>>> acl VlanSouthLab src 10.3.1.0/255.255.255.0
>>> acl VlanNorthLab src 10.3.2.0/255.255.255.0
>>> acl VlanLibrary src 10.3.3.0/255.255.255.0
>>> acl VlanLanguageLab src 10.3.4.0/255.255.255.0
>>> acl VlanShawLab src 10.3.5.0/255.255.255.0
>>> acl VlanWorkLabs src 10.3.1.0/255.255.255.0
>>> acl VlanWorkLabs src 10.3.2.0/255.255.255.0
>>> # acl VlanWorkLabs src 10.3.4.0/255.255.255.0
>>> acl VlanWorkLabs src 10.3.5.0/255.255.255.0
>>>
>>> acl Vlan40 src 10.4.0.0/255.255.255.0
>>> acl Vlan41 src 10.4.1.0/255.255.255.0
>>>
>>> acl VlanStudent src 10.2.80.1-10.2.120.255
>>>
>>> acl Vlan80 src 10.2.80.0/255.255.254.0
>>> acl Vlan90 src 10.2.90.0/255.255.254.0
>>> acl Vlan100 src 10.2.100.0/255.255.254.0
>>> acl Vlan110 src 10.2.110.0/255.255.254.0
>>> acl Vlan120 src 10.2.120.0/255.255.254.0
>>>
>>> acl VlanJuniors src 10.2.80.0/255.255.254.0
>>> acl VlanJuniors src 10.2.90.0/255.255.254.0
>>> acl VlanJuniors src 10.2.100.0/255.255.254.0
>>>
>>> acl VlanSeniors src 10.2.110.0/255.255.254.0
>>> acl VlanSeniors src 10.2.120.0/255.255.254.0
>>>
>>> acl Vlan200 src 10.2.200.0/255.255.255.0
>>> acl Vlan201 src 10.2.201.0/255.255.255.0
>>> acl Vlan210 src 10.2.210.0/255.255.255.0
>>> acl Vlan220 src 10.2.220.0/255.255.255.0
>>> acl Vlan250 src 10.2.250.0/255.255.255.0
>>>
>>> acl VlanStaff src 10.2.220.0/255.255.255.0
>>> acl VlanStaff src 10.5.0.0/255.255.252.0
>>> acl VlanStaff src 10.6.0.0/255.255.252.0
>>>
>>> acl IEBrowser browser \MSIE
>>> deny_info SLS_IE IEBrowser
>>>
>>> # END OF SLS ACLs
>>> #####################################
>>>
>>> # START SLS DELAY POOLS
>>> # Dec 3, 4:45pm, new GE live, NO delay pools.
>>> # plan to leave no delay pools until Monday morning, Dec 7 , then enable by removing comments from lines below with #### (including ACL lines)
>>> # On Wed Dec 9 comment out the "Test 2" lines and replace with "Test 1"
>>> # squid -k reconfigure after each change, confirm in cachemgr delay pool levels
>>> # http://academic.shawnigan.ca/scripts/cachemgr.exe?host=proxy&port=80&user_name=admin&operation=delay&auth=
>>>
>>> delay_pools 2
>>> delay_class 1 3
>>>
>>> # 27/Apr/2009 - new settings: increase bucket sizes
>>> # Class 3 pool for all 10.x subnets, 1000KBs/8Mb agg, 300KBs/8Mb net, 96KBs/8Mb bucket individual.
>>> #delay_parameters 1 1000000/8000000 300000/8000000 96000/8000000
>>>
>>> # Dec 2009 GigE Testing -comment above & replace with below lines & note dates
>>> # Test 1 - increase to 100Mb effective total, 50/50 split, 15Mb per net, 4Mb per user
>>> # delay_parameters 1 6250000/6250000 1875000/5625000 500000/5000000
>>> # Test 2 - increase to 1000Mb effective total, 50/50 split, 100Mb per net, 10Mb per user
>>> # active from 11am Dec 3 to
>>> # delay_parameters 1 62500000/62500000 12500000/62500000 1250000/12500000
>>> # active from 10am Dec 11 to
>>> delay_parameters 1 62500000/62500000 12500000/62500000 1250000/12500000
>>>
>>>
>>>
>>> # 2nd delay pool for multimedia, youtube, etc.
>>> delay_class 2 3
>>>
>>> # 23/May/2008 - Limit high bandwidth video etc.
>>> # Class 2 pool for all 10.x subnets
>>> #delay_parameters 2 200000/2000000 100000/1000000 96000/300000
>>> #delay_parameters 2 1000000/8000000 300000/8000000 96000/8000000
>>>
>>> # Dec 2009 GigE Testing -comment above & replace with below lines & note dates
>>> # Test 1 - increase to 100Mb effective total, 50/50 split, 15Mb per net, 2.5Mb per user
>>> # delay_parameters 2 6250000/6250000 1875000/5625000 312500/3125000
>>> # Test 2 - increase to 1000Mb effective total, 50/50 split, 100Mb per net, 3Mb per user
>>> # active from 11am Dec 3 to
>>> # delay_parameters 2 62500000/62500000 12500000/62500000 375000/3750000
>>> # active from 10am Dec 11 to
>>> delay_parameters 2 62500000/62500000 12500000/62500000 575000/5750000
>>>
>>>
>>> # add VLAN41 for IT testing 26/May/2008
>>> #delay_access 1 allow vlan41 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan5 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan80 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan90 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan100 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan110 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan120 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan200 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan210 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 allow vlan220 !sls_local !no_delay !delay_multimedia
>>> delay_access 1 deny all
>>>
>>> delay_access 2 allow delay_multimedia
>>> delay_access 2 deny all
>>>
>>> # END SLS DELAY POOLS
>>>
>>> #Recommended minimum configuration:
>>> #
>>> # Only allow cachemgr access from localhost
>>>
>>> cachemgr_passwd xxxxx 5min 60min authenticator dns histograms info io ipcache netdb non_peers pconn peer_select redirector refresh server_list store_digest storedir utilization via_headers vm_objects
>>>
>>> http_access allow manager vlan72
>>> http_access deny manager
>>>
>>> # Deny requests to unknown ports
>>> http_access deny !Safe_ports
>>> # Deny CONNECT to other than SSL ports
>>> #http_access deny CONNECT !SSL_ports
>>>
>>> #### REMOVE THIS AFTER UPDATING ACLS!!!
>>> #http_access allow all
>>> #### REMOVE THIS AFTER UPDATING ACLS!!!
>>>
>>>
>>> http_access allow to_helpdesk
>>> http_access allow sls_anonymous
>>>
>>> http_access deny from_fallback
>>> http_access allow sls_local
>>>
>>> # http_access deny wmf_rep
>>> # http_access deny wmf_req
>>> # http_access deny wmf_ext
>>>
>>>
>>> # http_access deny Vlan80 sls_exams
>>> # http_access deny Vlan90 sls_exams
>>> # http_access deny Vlan100 sls_exams
>>>
>>> #http_access allow sls_admin
>>>
>>> # following is denied by opendns
>>> # http_access deny fraud
>>>
>>> #http_access deny domain_auth none
>>>
>>> # following are denied by opendns
>>> # http_access deny deny_porn
>>> # http_access deny deny_proxy
>>>
>>> http_access deny deny_chat Vlan72
>>> http_access deny mime_IM_q Vlan72
>>> http_reply_access deny mime_IM_p Vlan72
>>>
>>> http_access deny VlanVPN
>>>
>>> # http_access deny deny_chat Vlan3
>>> http_access deny mime_IM_q Vlan3
>>> http_reply_access deny mime_IM_p Vlan3
>>> http_access deny deny_gchat Vlan3
>>>
>>> # http_access deny deny_chat VlanAdmin
>>> http_access deny mime_IM_q VlanAdmin
>>> http_reply_access deny mime_IM_p VlanAdmin
>>> http_access deny deny_gchat VlanAdmin
>>>
>>> # http_access deny mime_mpstream1
>>> # http_access deny mime_mpstream2
>>>
>>> http_access deny IEBrowser Vlan210
>>> # http_access deny IEBrowser Vlan72
>>> # http_access deny IEBrowser Vlan3
>>> http_access deny IEBrowser VlanAdmin !Vlan12 !Vlan11 !Vlan10 !Vlan13
>>>
>>> # http_access deny deny_dither Vlan3
>>> # http_access deny deny_dither Vlan12
>>>
>>> # denied by opendns
>>> # http_access deny deny_gambling
>>>
>>> http_access deny deny_warez
>>>
>>> #http_access deny deny_chat nomsn
>>> #http_access deny mime_IM_q nomsn
>>> #http_reply_access deny mime_IM_p nomsn
>>>
>>> http_access deny imagesearch googleporn
>>>
>>> #http_access allow sls_staff ##replaced with below, sort of...
>>> http_access allow VlanStaff
>>> http_access allow VlanAdmin
>>> http_access allow Vlan3-all
>>> http_access allow Vlan40
>>> http_access allow Vlan41
>>>
>>> http_access deny wikipedia wikiedit
>>>
>>> http_access deny deny_essays
>>> http_access deny deny_hacking
>>>
>>> # following is denied by OpenDNS
>>> # http_access deny deny_hate
>>> # http_access deny deny_violence
>>>
>>> #http_access deny fanfiction nofanfiction
>>>
>>> #http_access deny deny_multimedia
>>>
>>> # Deny these during prep to 8,9,10 but allow 11 & 12
>>> http_access deny mime_IM_q sls_prep !VlanStaff !VlanSeniors
>>> http_reply_access deny mime_IM_p sls_prep !VlanStaff !VlanSeniors
>>> http_access deny deny_chat sls_prep !VlanStaff !VlanSeniors
>>> http_access deny deny_mail sls_prep !VlanStaff !VlanSeniors
>>> http_access deny deny_dither sls_prep !VlanStaff !VlanSeniors
>>> http_access deny deny_social sls_prep !VlanStaff !VlanSeniors
>>>
>>> # Deny these until 2:45 if in student residence and is junior
>>> http_access deny mime_IM_q sls_schoolday VlanStudent !VlanSeniors
>>> http_reply_access deny mime_IM_p sls_schoolday VlanStudent !VlanSeniors
>>> http_access deny deny_chat sls_schoolday VlanStudent !VlanSeniors
>>> http_access deny deny_mail sls_schoolday VlanStudent !VlanSeniors
>>> http_access deny deny_dither sls_schoolday VlanStudent !VlanSeniors
>>> http_access deny deny_social sls_schoolday VlanStudent !VlanSeniors
>>>
>>> # Deny these during until after fine art (5:30) if in North, South, Language, Shaw
>>> #http_access deny mime_IM_q sls_workday VlanWorkLabs
>>> #http_reply_access deny mime_IM_p sls_workday VlanWorkLabs
>>> #http_access deny deny_chat sls_workday VlanWorkLabs
>>> #http_access deny deny_mail sls_workday VlanWorkLabs
>>> #http_access deny deny_dither sls_workday VlanWorkLabs
>>> #http_access deny deny_social sls_workday VlanWorkLabs
>>>
>>>
>>> # Deny 12am - 6am for all students
>>> http_access deny early_morning
>>>
>>>
>>> # below is commented out; allow cat6000 to deny prior to midnight
>>> #http_access deny late_night
>>>
>>> #http_access allow domain_auth
>>> #http_access allow VlanStudent
>>> http_access allow all
>>>
>>> http_reply_access allow all
>>> icp_access allow all
>>>
>>> # SNMP setup for MRTG
>>> snmp_port 3401
>>>
>>> acl snmppublic snmp_community public
>>> snmp_access allow snmppublic localhost
>>> snmp_access allow snmppublic vlan72
>>> snmp_access allow snmppublic vlan40
>>> snmp_access deny all
>>>
>>>
>>>
>>> Thanks for any help you can offer!
>>>
>>>
>>>
>>>
>>> Shawn Wright
>>> Manager of Information Technology
>>> Shawnigan Lake School
>>>
>>
>

-- 
Eliezer Croitoru 
https://www1.ngtech.co.il 
sip:ngtech_at_sip2sip.info 
IT consulting for Nonprofit organizations 
eliezer <at> ngtech.co.il 
Received on Tue Dec 18 2012 - 00:40:39 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 18 2012 - 12:00:08 MST