[squid-users] Re: defined localnet to mean your local clients ???

From: HillTopsGM <emailgregagain_at_gmail.com>
Date: Fri, 23 Aug 2013 11:58:51 -0700 (PDT)

I appreciate you helping me Amos! Thanks Again in Advance
I am using Squid v3.1.2 because that is what apt-get pulled from the
repository.

Hopefully I'll be able to sum up my response to your last 2 posts in a way
that makes sense.

*The First Thing I'd like to inquire about*: you mentioned that:

>>> http_access deny all
> Which is what it should be.

Among the other places that I have been researching on how to set up squid -
I found this video here:
https://www.youtube.com/watch?v=qRx_RkdvpS4

At the 27:34 mark he mentions that from an absolutely clean install
the only thing you have to do to get squid to start working is change that
line from "http_access deny all" to "http_access allow all".

Now he admits this is not a best security practice - this just gets it
running and the caching started.
This is why I did it, and frankly, I am not worried about my internal
network from a security point of view at this point in time - I'd simply
like to see the caching to start working.

So, even though I obviously have a
> . . .very strong sign that your configuration is broken."

. . . should the system not have started to cache something anyway?

===========================

As suggested, I took this link:
http://www.nvidia.com/object/notebook-win8-win7-64bit-320.49-whql-driver.html
. . . and this link:
http://www.mozilla.org/en-US/firefox/all/
. . .and did as you suggested:

> Step #1: take the URL and paste it into redbot.org.

If I am reading this right, the downloads on those pages should be
cacheable.
Am I reading that info right?

============================

Thanks for looking into my squid.conf file.
This is still like drinking from a fire hose, but I have made the tweaks you
suggested. If I have understood what you have said it should look like this
now:

my_tweaked_squid.conf
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4661751/my_tweaked_squid.conf>

> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Below is where I added my local network IP range. I am not sure if this
> # is correct . . . do I need to exclude my squid static IP of 192.168.1.6
> # and my router's IP of 192.168.1.1 ???
> acl localnet src 192.168.1.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
>
> # Here is where I entered the Windows Update code from the FAQ:
> # Amos, I have moved it to the position that "I think" you were referring to
>
> acl windowsupdate dstdomain windowsupdate.microsoft.com
> acl windowsupdate dstdomain .update.microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain redir.metaservices.microsoft.com
> acl windowsupdate dstdomain images.metaservices.microsoft.com
> acl windowsupdate dstdomain c.microsoft.com
> acl windowsupdate dstdomain www.download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate dstdomain crl.microsoft.com
> acl windowsupdate dstdomain sls.microsoft.com
> acl windowsupdate dstdomain productactivation.one.microsoft.com
> acl windowsupdate dstdomain ntservicepack.microsoft.com
>
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
>
> # The 2 lines below I have still left commented out as Squid will not restart with them enabled.
> # http_access allow windowsupdate localnet
> # http_access allow windowsupdate localhost
>
>
> # Amos - I have added this next line as you have suggested
> http_access allow localnet
>
>
> http_access allow localhost
> http_access deny all
>
> http_port 8080
>
> # I tweaked this
> cache_mem 512 MB
>
> # I tweaked this as well:
> maximum_object_size_in_memory 2048 KB
>
> # I increased the cache size here, but would like to make it much bigger if possible.
> # I just wanted to start small and get it working first.
> cache_dir ufs /var/spool/squid3 45000 16 256
>
> # This was a Squid Windows Update suggested tweak:
> maximum_object_size 200 MB
>
> coredump_dir /var/spool/squid3
>
> # This was a Squid Windows Update suggested tweak:
> quick_abort_min -1
>
> # This was a Squid Windows Update suggested tweak:
> range_offset_limit -1 KB
>
>
> # This was a Squid Windows Update suggested tweak (the FAQ said to place it above the other refresh_pattern entries):
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
> refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 1051200 reload-into-ims
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> # example lin deb packages
> #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
> refresh_pattern . 0 20% 4320
>
> ## Amos - is this what you meant by placing the ". . . above cgi-bin pattern needs to be the second to last."?

Did I write my acl rule correctly?

> acl localnet src 192.168.1.0/24

Do I need to exclude my squid static IP of 192.168.1.6 and my router's IP of
192.168.1.1?

If I understand this correctly, the reason I was not able to access the
internet was BECAUSE I didn't have an http_access rule written for it:

> http_access allow localnet

That is why I couldn't get to the internet with the "http_access deny all"
rule in place.

I simply have to make sure that the

> http_access allow localnet

. . . is above the "http_access deny all" rule - correct?

Sorry for the long post.
Would making these changes using "Webmin" place all the rules, etc., in the
correct position?

Received on Fri Aug 23 2013 - 18:59:34 MDT
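The ordering question in the post above (does "http_access allow localnet" have to sit above "http_access deny all", and does the 192.168.1.0/24 range already cover the proxy's own address) can be checked without restarting Squid. The following is an added example, not code from the thread or from the Squid project: a small simulator of Squid's first-match http_access evaluation, run over a constructed excerpt of the posted access rules. It models only the ACL types the config uses (src, dst, dstdomain, port, method, proto), treats `all` as Squid's built-in catch-all, and does no DNS lookups, so `dst` matches only IP-literal hosts. The request values (client addresses, hosts, ports) are made up for the demonstration; `deny_all_first` produces the misordered variant for comparison.

```python
"""Simulate Squid's first-match http_access evaluation on a squid.conf excerpt.

Constructed for illustration: it models only src, dst, dstdomain, port, method and
proto ACLs, treats 'all' as Squid's built-in catch-all, and performs no DNS
resolution (a 'dst' ACL therefore matches only when the host is an IP literal).
"""
import ipaddress
from dataclasses import dataclass

# Constructed excerpt of the access-control part of the config posted in the thread
# (comments and non-access directives omitted; multi-value ACL lines folded together).
CONFIG = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl windowsupdate dstdomain windowsupdate.microsoft.com .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com www.download.windowsupdate.com
acl wuCONNECT dstdomain www.update.microsoft.com sls.microsoft.com
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access allow localnet
http_access allow localhost
http_access deny all
"""


@dataclass(frozen=True)
class Request:
    src: str              # client IP address
    host: str             # destination host name or IP literal
    port: int             # destination port
    method: str = "GET"
    proto: str = "http"   # "cache_object" for cache-manager requests


def parse_config(text):
    """Return ({acl_name: (acl_type, [values])}, [(action, [(negated, acl_name)], line)])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":                         # same name on several lines: values accumulate
            acl_type, values = acls.setdefault(parts[1], (parts[2], []))
            if acl_type != parts[2]:
                raise ValueError(f"acl {parts[1]} redefined with a different type")
            values.extend(parts[3:])
        elif parts[0] == "http_access":               # "!name" negates a single ACL term
            terms = [(v.startswith("!"), v.lstrip("!")) for v in parts[2:]]
            rules.append((parts[1], terms, line))
    return acls, rules


def acl_matches(acls, name, req):
    """Does the named ACL match this request? (subset of Squid's matching rules)"""
    if name == "all":                                 # built-in catch-all ACL
        return True
    acl_type, values = acls[name]
    if acl_type in ("src", "dst"):
        try:
            ip = ipaddress.ip_address(req.src if acl_type == "src" else req.host)
        except ValueError:                            # dst with a host name: no DNS here
            return False
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":                       # leading dot = domain plus all subdomains
        host = req.host.lower()
        return any(host == v.lstrip(".").lower()
                   or (v.startswith(".") and host.endswith(v.lower())) for v in values)
    if acl_type == "port":                            # single ports or lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acl_type == "proto":
        return req.proto.lower() in {v.lower() for v in values}
    raise ValueError(f"unsupported acl type {acl_type}")


def http_access(config_text, req):
    """First http_access line whose ACL terms all match decides; if none matches,
    Squid applies the opposite of the last line's action. Returns (action, line)."""
    acls, rules = parse_config(config_text)
    for action, terms, line in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action, line
    return ("deny" if rules[-1][0] == "allow" else "allow"), "<implicit default>"


def deny_all_first(config_text):
    """The same config with 'deny all' moved above 'allow localnet': the misordering
    the thread is about. Every line after 'deny all' becomes unreachable."""
    lines = config_text.splitlines()
    lines.remove("http_access deny all")
    lines.insert(lines.index("http_access allow localnet"), "http_access deny all")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("deny all first", deny_all_first(CONFIG))):
        for req in (Request("192.168.1.50", "www.mozilla.org", 80),      # LAN client
                    Request("192.168.1.6", "www.mozilla.org", 80),       # the proxy's own address
                    Request("192.168.1.50", "example.com", 8443, "CONNECT"),
                    Request("10.0.0.5", "www.mozilla.org", 80)):         # outside localnet
            action, line = http_access(cfg, req)
            print(f"[{label}] {req.src} {req.method} {req.host}:{req.port} -> {action} ({line})")
```

Because localnet is a plain `src 192.168.1.0/24` test, both the proxy's own 192.168.1.6 and the router's 192.168.1.1 fall inside it, so the simulator reports them as allowed by "allow localnet"; and moving "deny all" above "allow localnet" turns every LAN request into a denial, which is the symptom the post describes.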
