On Thu, 03 Dec 2009 00:00:29 +0100, José Illescas Pérez <jip_at_jccm.es>
wrote:
> Amos Jeffries escribió:
>> On Wed, 02 Dec 2009 20:36:38 +0100, José Illescas Pérez <jip_at_jccm.es>
>> wrote:
>>> Hello,
>>>
>>> I'm interesed in install squid for my organization.
>>>
>>> I want to configure large acl's of ip lists, 20.000 more o less.
>>>
>>> Can I use external acl with MySQL for create this acl ip list?. What's
>>> the performance in this case?.
>>>
>>> I want to configure large acl of url lists in MySQL too, for example a
>>> blacklist with categories. What's the performance in this case?.
>>>
>>> Perhaps, is more convenient use squidguard for blacklist of urls and
>>> create the group categories. Any ideas?.
>>>
>>> Greetings.
>>
>> Individual IPs with individual blocklists? this is extremely
inefficient.
>>
>> If you must, you can easily use external_acl_type to pull details from
>> mysql during live traffic processing. Speed depends on the query
>> efficiency
>> and network lag to mysql server.
>>
>> If you find that too slow look at ufdbGuard.
>>
>> Amos
>>
>
> We have five or six ip groups, with permissions in categories of
> blacklist for each group. Each group contains between 1,000 and 10,000
> ip addresses.
If by group you mean some network topology grouping. The network admin
should have some CIDR range that describes each group. That can be
implemented in Squid ACLs for a simpler and faster config.
For example something like this filtering grouped by network, then some
individual IPs with a blocklist applied;
acl networkA src 10.2.0.0/16
acl networkB src 10.15.0.0/16
acl ipsA1 src "file_with_A1_group_IPs"
acl ipsA2 src "file_with_A2_group_IPs"
acl blockA1domains dstdomain "file_with_A_group_blocklist"
http_access deny networkA ipsA1 blockA1domains
http_access deny networkA ipsA2
http_access allow networkB
...
>
> The blacklist categories can be urlblacklist, for example.
>
> Where can I configure this, in squid or squidguard?.
The above type config. either.
If you go with external_acl_type thats in Squid.
Though I would suggest looking at ufdbguard. It's geared around database
backend fetches, where squidGuard would require some additional system
creating the squidGuard config on changes.
Amos
Received on Wed Dec 02 2009 - 23:50:14 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 04 2009 - 12:00:01 MST