Re: [squid-users] Re: defined localnet to mean your local clients ???

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 23 Aug 2013 20:59:00 +1200

Ah, you beat me to it. :-)

Response inline as usual ...

On 23/08/2013 8:47 p.m., HillTopsGM wrote:
> I don't know if this helps, but this is everything that is NOT commented out
> in my squid.conf file.
> mysquid.conf
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4661731/mysquid.conf>
>
> It looks like this:
>
>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>
>> # Below is where I added my local network IP range. I am not sure if this
>> # correct . . . do I need to exclude my squid Static IP of 192.168.1.6
>> # and my routers IP of 192.168.1.1 ???
>> acl localnet src 192.168.1.0/24
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # Here is where I entered the Windows Update code from the FAQ:
>>
>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain download.windowsupdate.com
>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>> acl windowsupdate dstdomain c.microsoft.com
>> acl windowsupdate dstdomain www.download.windowsupdate.com
>> acl windowsupdate dstdomain wustat.windows.com
>> acl windowsupdate dstdomain crl.microsoft.com
>> acl windowsupdate dstdomain sls.microsoft.com
>> acl windowsupdate dstdomain productactivation.one.microsoft.com
>> acl windowsupdate dstdomain ntservicepack.microsoft.com
>>
>> acl CONNECT method CONNECT
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>>
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow windowsupdate localnet
>>
>> # The 2 lines below I have still left commented out as Squid will not restart with them enabled.
>> # http_access allow windowsupdate localnet
>> # http_access allow windowsupdate localhost

Okay.
FYI: all this Windows stuff is about allowing updates to happen easily on
a network where authentication or other complex rules are blocking the
updates from happening.

Ideally they should be down ....
>> http_access allow manager localhost
>> http_access deny manager
>>
>> http_access deny !Safe_ports
>>
>> http_access deny CONNECT !SSL_ports

... here.
There is a comment in the default config file about local configuration
going here.

There also should be a line "http_access allow localnet" about here
somewhere.

>> http_access allow localhost
>>
>> http_access allow all

And a "deny all" line at the end of the http_access list to ensure
nothing like an attack can sneak past your access controls.

>> http_port 8080
>>
>> # I tweaked this
>> cache_mem 512 MB
>>
>> # I tweaked this as well:
>> maximum_object_size_in_memory 2048 KB
>>
>> # I increased the cache size here, but would like to make it much bigger if possible. I just wanted to start small and get it working first.
>> cache_dir ufs /var/spool/squid3 45000 16 256
>>
>> # This was a Squid Windows Update suggested tweak:
>> maximum_object_size 200 MB
>>
>> coredump_dir /var/spool/squid3
>>
>> # This was a Squid Windows Update suggested tweak (the FAQ said to place it above the other refresh_pattern entries):
>> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
>> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
>> refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

The above cgi-bin pattern needs to be the second to last.

The Debian caching rules are being patched into the wrong place, and
with squid-3.2 and later are not actually necessary anyway.

>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> # example line: deb packages
>> #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
>> refresh_pattern . 0 20% 4320
>>
>> # This was a Squid Windows Update suggested tweak:
>> quick_abort_min -1
>>
>> # This was a Squid Windows Update suggested tweak:
>> range_offset_limit -1 KB
> Pretty much everything is otherwise untouched.
>
> Hopefully someone can see what it is that I am missing.
>
> Again, thanks for the help.

Apart from the access control problems this looks okay for a proxy doing
protocol compliant caching. Perhaps redbot.org will give you more clues
about the problem.

Amos
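Added example (not part of the original message and not code from the Squid project): a small Python model of how Squid walks the http_access list, used to compare the ordering posted above with the ordering Amos asks for. It applies the three rules that matter here: the first line whose ACL terms all match decides the request, a leading `!` negates a term, and when no line matches Squid uses the opposite of the last line's action. The ACL set copies the posted squid.conf (the manager lines are left out), and the request tuples, client addresses and host names are constructed for the demonstration.

```python
"""Model of Squid's http_access walk: first fully matching line wins, '!'
negates a term, and if nothing matches the default is the opposite of the
last line's action.

Added example, not Squid code. The ACLs mirror the squid.conf posted in
this thread (manager lines omitted); the requests below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # client address
    method: str   # GET, CONNECT, ...
    host: str     # destination host name
    port: int     # destination port


# name -> (acl type, values). Repeated "acl NAME ..." lines extend one ACL.
ACLS = {
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "localnet": ("src", ["192.168.1.0/24"]),
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70),
                            (210, 210), (1025, 65535), (280, 280),
                            (488, 488), (591, 591), (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
    "wuCONNECT": ("dstdomain", ["www.update.microsoft.com",
                                "sls.microsoft.com"]),
    "windowsupdate": ("dstdomain", ["windowsupdate.microsoft.com",
                                    ".update.microsoft.com",
                                    "download.windowsupdate.com"]),
}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req.src)
        # "in" is False when address and network families differ
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in values)
    if kind == "method":
        return req.method in values
    if kind == "dstdomain":
        host = req.host.lower()
        # a leading dot matches the domain itself and every subdomain
        return any((host == v[1:] or host.endswith(v)) if v.startswith(".")
                   else host == v for v in values)
    raise ValueError(kind)


def http_access(rules, req):
    """rules: [(action, [terms]), ...] in squid.conf order -> 'allow'/'deny'."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    # nothing matched: Squid falls back to the opposite of the last line
    return "deny" if rules[-1][0] == "allow" else "allow"


# Ordering as posted in the thread (manager lines omitted): the Windows
# Update allows run before the port checks, and the list ends in "allow all".
POSTED = [
    ("allow", ["CONNECT", "wuCONNECT", "localnet"]),
    ("allow", ["windowsupdate", "localnet"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["all"]),
]

# Ordering Amos asks for: port checks first, local rules after them,
# an explicit "allow localnet", and "deny all" as the last line.
CORRECTED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["CONNECT", "wuCONNECT", "localnet"]),
    ("allow", ["windowsupdate", "localnet"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Constructed requests: an outside client, a LAN client fetching a normal
# page, and a LAN client tunnelling to a Windows Update host on a non-SSL port.
OUTSIDER = Request("203.0.113.7", "GET", "example.com", 80)
LAN_WEB = Request("192.168.1.20", "GET", "example.com", 80)
LAN_WU_ODD_PORT = Request("192.168.1.20", "CONNECT", "sls.microsoft.com", 8443)

if __name__ == "__main__":
    for label, req in [("outsider", OUTSIDER), ("lan web", LAN_WEB),
                       ("lan CONNECT wu:8443", LAN_WU_ODD_PORT)]:
        print(f"{label:20} posted={http_access(POSTED, req):5} "
              f"corrected={http_access(CORRECTED, req)}")
```

Running it shows the two problems Amos points at: with the posted ordering any client on the Internet is allowed through (the "allow all" line), and a LAN client can CONNECT to sls.microsoft.com on port 8443 because the Windows Update line sits above "deny CONNECT !SSL_ports". The fallback rule is the reason "deny all" has to be written out: a list whose last line is a deny ends up allowing every request that matches nothing.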
Received on Fri Aug 23 2013 - 08:59:14 MDT

This archive was generated by hypermail 2.2.0 : Sat Aug 24 2013 - 12:00:07 MDT