ryl0 wrote:
>> A peek at your broken config would be appreciated so we can point out the
>> correct config settings to you.
>>
>> /etc/hosts should not be needed for peering relationships.
>>
>> Also your squid release version.
>>
>> Amos
>
Okay, lots of trouble in that config.
>
> # WELCOME TO SQUID 2.6.STABLE18
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> #acl SSL_ports port 563 # snews
> #acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> #acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> #acl Safe_ports port 70 # gopher
> #acl Safe_ports port 210 # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> #acl Safe_ports port 280 # http-mgmt
> #acl Safe_ports port 488 # gss-http
> #acl Safe_ports port 591 # filemaker
> #acl Safe_ports port 777 # multiling http
> #acl Safe_ports port 631 # cups
> #acl Safe_ports port 873 # rsync
> #acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl 82.0_network src A.B.82.0/24
> acl 81.0_network src A.B.81.0/24
> acl C.D.15_network src C.D.15.0/24
> acl C.D.16_network src C.D.16.0/24
> acl C.D.17_network src C.D.17.0/26
> acl blocksites url_regex "/etc/squid/blacklist"
regex is the slowest of the possible blocks you could be doing. try
converting that to a dstdomain ACL.
>
> http_access deny blocksites
> http_access allow 82.0_network
> http_access allow 81.0_network
> http_access allow C.D.15_network
> http_access allow C.D.16_network
> http_access allow C.D.17_network
All the above networks then have unlimited access? beyond a handful of
blocked URL?
> http_access allow manager localhost
> http_access deny manager
>
>
> http_access allow purge localhost
The following deny lines have no effect, all the allow permissions above
let people out without limit.
> http_access deny purge
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost
>
> http_access deny all
>
> icp_access allow all
>
> http_port 8888
>
> hierarchy_stoplist cgi-bin ?
>
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>
> visible_hostname squidproxy01
> hosts_file /etc/hosts
> coredump_dir /var/spool/squid
>
What you are missing there is:
acl internal_domain dstdomain .example.org
cache_peer <ip-of-internal-web-server> parent 80 0 no-query no-digest
name=internalA
cache_peer_access internalA allow internal_domain
cache_peer_access internalA deny all
also, see
Amos
-- Please use Squid 2.7.STABLE4 or 3.0.STABLE8Received on Sun Aug 31 2008 - 04:54:53 MDT
This archive was generated by hypermail 2.2.0 : Sun Aug 31 2008 - 12:00:04 MDT