[squid-users] doubts about the squid3

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 5 05:36:23 UTC 2015


On 5/12/2015 11:20 a.m., Marcio Demetrio Bacci wrote:
> Hi Amos,
> 
> Thanks for helping me.
> 
> My whole squid.conf follows

<snip>
> acl manager proto cache_object


I see you still have the old Squid-2 definition for "manager" ACL. If
your Squid is not complaining about that, it means you are using a very
old version and need to upgrade.
The config should work, so I think you are hitting bugs in Squid. With
Squid older than 3.4 it could be bug 2305 and the related nest of
horrible auth code that used to exist in Squid.

Please ensure you are using a Squid-3.4 or later. If the problem
remains, you will have to try to isolate some situation that always
causes it. With that, an ALL,9 debug log from Squid could help.


Also, be aware that there is always the possibility of browser bugs
being involved. Firefox 25-40 did not do NTLM properly, and Chrome 47
just had a major regression where it broke all NTLM to a proxy - similar
but less high profile things have happened before with both of them, and
old IE 0-8 can randomly be problems as they do their own undocumented
things.


<snip>
> acl Safe_ports port 80 8080 21 443 563 70 210 280 488 591 777 3001
> 1025-65535

You don't have to add port 8080 or 3001 to that list. They are included
in the 1025-65535 set.

<snip>
> acl connect_abertas maxconn 8

connect_abertas is unused. You should remove it.

> acl grupo_admins external ad_group gg_admins
> acl grupo_users external ad_group gg_users
> acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
> acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
> acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
> acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
> acl autenticados proxy_auth REQUIRED
> http_access deny !autenticados
> http_access allow grupo_admins
> http_access deny extensoes_bloqueadas
> http_access allow sites_liberados
> http_access deny sites_bloqueados
> http_access deny palavras_bloqueadas
> http_access allow grupo_users
> http_access allow autenticados

Only autenticados can get past the "deny !autenticados" at the top. So
this "allow autenticados" will always match. The below lines do nothing
useful.

So you could replace the above "allow autenticados" with "allow all" and
save some extra auth checking.


> acl network_servers src 192.168.0.0/25
> acl Lan1 src 192.168.1.0/24
> acl lan2 src 192.168.2.0/23
> http_access allow  network_servers
> http_access allow lan1
> http_access allow lan2
> http_access deny all
> error_directory /usr/share/squid3/errors/pt-br

I hear Brazil is a multi-cultural country. You might want to seriously
consider removing that line which forces all users and clients to read
Portuguese (Brazil) language messages from the proxy.

Amos
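
Added example, not part of the original message and not Squid project code: a small lint that reproduces the three config findings in the reply above (ports already covered by a range, an ACL that is never used, and http_access lines that can never be reached). The function names are hypothetical, and the check treats a lone "deny !X" as proof that X matched, which is a simplification of Squid's ACL evaluation.

```python
# Constructed sample: lines from the quoted squid.conf, wrapped Safe_ports line
# joined. "deny !Safe_ports" is assumed, since that part of the config was snipped.
SAMPLE = """\
acl Safe_ports port 80 8080 21 443 563 70 210 280 488 591 777 3001 1025-65535
acl connect_abertas maxconn 8
acl grupo_admins external ad_group gg_admins
acl autenticados proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny !autenticados
http_access allow grupo_admins
http_access allow autenticados
acl network_servers src 192.168.0.0/25
http_access allow network_servers
http_access deny all
"""

def parse(conf):
    """Return ({acl: [values]}, [(action, [conditions])]) in file order."""
    acls, rules = {}, []
    for tok in (line.split() for line in conf.splitlines()):
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], []).extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def redundant_ports(values):
    """Single ports already covered by a range in the same port ACL."""
    ranges = [tuple(map(int, v.split("-"))) for v in values if "-" in v]
    return [int(v) for v in values
            if "-" not in v and any(lo <= int(v) <= hi for lo, hi in ranges)]

def unused_acls(acls, rules):
    """ACLs never named in http_access (other *_access directives not checked)."""
    used = {c.lstrip("!") for _, conds in rules for c in conds}
    return [name for name in acls if name not in used]

def unreachable_rules(rules):
    """Rules placed after one that every request still in the list must match.
    A lone "deny !X" means X is true for anything that gets past it."""
    known_true, terminal, dead = {"all"}, False, []
    for action, conds in rules:
        if terminal:
            dead.append(" ".join(["http_access", action, *conds]))
        elif all(c in known_true for c in conds):
            terminal = True
        elif action == "deny" and len(conds) == 1 and conds[0].startswith("!"):
            known_true.add(conds[0][1:])
    return dead
```

Call `parse(SAMPLE)` and pass the results to the three checks; on the sample they report ports 8080 and 3001, the ACL connect_abertas, and the two rules after "allow autenticados".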


