On Mon, 2009-08-24 at 17:05 +1200, Amos Jeffries wrote:
> On Mon, 24 Aug 2009 10:24:41 +0600, Muhammad Sharfuddin
> <m.sharfuddin_at_nds.com.pk> wrote:
> Note: the netfilter guys recommend using the iptables-restore tool for
> firewall setup. It's much faster and much more secure than an incremental
> build of the rules like this.
Ok, I will try.
> NOTE: The following rules only apply to external people attempting to
> connect to your internal LAN machines.
>
> ... Or to people using your proxy as a free gateway to elsewhere on the
> Internet.
>
> They can do that to your proxy by simply sending an HTTP request to any one
> of your internal LAN IPs with a forged HTTP header and URL.
>
I think only the following rules are for anyone (internal/external):
acl allowed_for_all url_regex -i "/etc/squid/allowed_for_all.txt"
http_access allow allowed_for_all
acl ftp_site url_regex -i ftp://ftp.sight-board.de
http_access allow ftp_site
All the other rules are *only* for specific machines/IPs, e.g.
acl hod_ip src "/etc/squid/ipes/hod_ip.txt"
http_access allow hod_ip
acl cad_ip src "/etc/squid/ipes/cad_ip.txt"
http_access deny cad_ip
acl hod_tl_ip src "/etc/squid/ipes/hod_and_tl_ip.txt"
http_access allow hod_tl_ip
So I really don't understand why you said/wrote 'The following rules
*ONLY* apply to external people'.
>> cache_dir diskd /var/cache/squid 50000 16 256
>
> diskd is probably your problem.
> From the use of iptables as a firewall I would guess that this is a linux
> box. On linux you should try AUFS storage for fastest speed.
> If that label is the only change on the config line you can test it with a
> simple re-config.
>
Well, same results with aufs.
You are recommending aufs over diskd, and the following URL suggests 'diskd'
as the store type of choice for the Cache-offs:
http://www.linuxsa.org.au/pipermail/linuxsa/2004-June/070228.html
> Also with ~50GB of storage you are probably wanting to use something like
> 32 or 64 for the Level-1 value (currently 16). Changing that requires a
> cache delete and rebuild with 'squid -z' though.
What's the rule/formula for the Level-1 and Level-2 values? Is it related
to storage size?
>
>
> These days I'm advising people terminate their file extension patterns with
> (\?.*)?$ instead of just $ to catch all the sites using dynamic parts in
> their URLs.
>
>
You mean the following?
(\?.swf)?$
(\?.mdi)?$
e.g.
refresh_pattern -i (\?.swf)?$ 43200 100% 43200 override-lastmod override-expire
Regards
--ms
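The two Squid matching behaviours argued over in this message can be checked offline. The following Python is an added example, not code from the thread or from Squid: it models first-match http_access evaluation over the src/url_regex ACLs quoted above (so you can see which clients the url_regex lines admit regardless of source IP, and what the deny cad_ip line does to an address that is also in hod_and_tl_ip), and it compares three refresh_pattern tails on sample URLs: the plain `\.swf$` ending, the `\.swf(\?.*)?$` ending Amos describes, and the `(\?.swf)?$` form written in the reply. The IP lists, the contents of allowed_for_all.txt and the URLs are constructed stand-ins, and Python's re module stands in for Squid's POSIX regex engine.

```python
"""Model of two Squid matching behaviours discussed in the thread:
first-match http_access evaluation over src/url_regex ACLs, and refresh_pattern
suffix regexes with and without the (\\?.*)?$ tail. Added example, not Squid code."""
import ipaddress
import re


def src_acl(addresses):
    """Model of 'acl NAME src ...': match if the client IP falls in any entry.
    Entries may be single IPs or CIDR blocks (constructed sample data)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]

    def match(client_ip, url):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in nets)
    return match


def url_regex_acl(patterns, ignore_case=True):
    """Model of 'acl NAME url_regex [-i] ...': match if any regex hits the URL.
    Python's re stands in for Squid's POSIX extended regex here."""
    flags = re.IGNORECASE if ignore_case else 0
    regexes = [re.compile(p, flags) for p in patterns]

    def match(client_ip, url):
        return any(r.search(url) for r in regexes)
    return match


def http_access(rules, client_ip, url):
    """Evaluate http_access lines in order; the first line whose ACLs all match
    decides. If no line matches, Squid applies the opposite of the last line's
    action, so a config ending in an 'allow' line denies everyone else."""
    for action, acls in rules:
        if all(acl(client_ip, url) for acl in acls):
            return action
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


# Constructed stand-ins for the files named in the thread's config.
ALLOWED_FOR_ALL = [r"^http://www\.example\.com/"]      # /etc/squid/allowed_for_all.txt
HOD_IP = ["192.0.2.20"]                                 # /etc/squid/ipes/hod_ip.txt
CAD_IP = ["192.0.2.0/28"]                               # /etc/squid/ipes/cad_ip.txt (.0-.15)
HOD_AND_TL_IP = ["192.0.2.10", "192.0.2.20"]            # /etc/squid/ipes/hod_and_tl_ip.txt

# Same order as the http_access lines quoted in the thread.
RULES = [
    ("allow", [url_regex_acl(ALLOWED_FOR_ALL)]),
    ("allow", [url_regex_acl([r"ftp://ftp.sight-board.de"])]),  # dots unescaped, as in the config
    ("allow", [src_acl(HOD_IP)]),
    ("deny",  [src_acl(CAD_IP)]),
    ("allow", [src_acl(HOD_AND_TL_IP)]),
]

# refresh_pattern tails: the classic '$' ending, the '(\?.*)?$' ending, and the
# '(\?.swf)?$' form from the reply above, for side-by-side comparison.
REFRESH_PATTERNS = {
    "suffix_only": r"\.swf$",
    "suffix_with_query": r"\.swf(\?.*)?$",
    "optional_group": r"(\?.swf)?$",
}


def refresh_pattern_matches(pattern, url):
    """refresh_pattern -i PATTERN: unanchored, case-insensitive search."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def which_patterns_match(url):
    """Names of the REFRESH_PATTERNS entries that would select this URL."""
    return sorted(name for name, pat in REFRESH_PATTERNS.items()
                  if refresh_pattern_matches(pat, url))


if __name__ == "__main__":
    for ip, url in [("203.0.113.5", "http://www.example.com/index.html"),
                    ("203.0.113.5", "http://other.example.net/"),
                    ("192.0.2.10", "http://other.example.net/"),
                    ("192.0.2.20", "http://other.example.net/")]:
        print(f"{ip:>12} {url:<40} -> {http_access(RULES, ip, url)}")
    for url in ["http://cdn.example.com/player.SWF",
                "http://cdn.example.com/player.swf?v=3",
                "http://www.example.com/index.html"]:
        print(f"{url:<40} matched by {which_patterns_match(url)}")
```

Run it as a script to see the table. The external client 203.0.113.5 is admitted for any URL matching allowed_for_all because that line carries no src ACL; 192.0.2.10 is denied even though it is listed in hod_and_tl_ip, because the deny cad_ip line is evaluated first; and a pattern whose only mandatory part is `$` selects every URL, not just the .swf ones.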
Received on Mon Aug 24 2009 - 05:54:51 MDT