[squid-users] Proxy Parent

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 12 23:09:13 UTC 2015


On 13/06/2015 7:27 a.m., Jonathan Filogna wrote:
> Hi all, here's my new situation (still on squid 2.7)

Much easier to do these types of things during or after upgrading to the
current version.
1) The current Squid actually obeys HTTP behaviour requirements by
default a LOT better than 2.7 is even capable of.
2) The current Squid can audit your squid.conf with just "squid -k
parse" and suggest improvements where things have changed.
3) We can possibly suggest using features only in the current version that
might do what you want (if it's possible).



> 
> I want to send by DIRECT uservipstr, uservip
> I want to send by PARENT userti, userlimitado, user200mb, userinternet
> 
> I want to send by DIRECT all the NTLM users that don't belong to any of the
> lists above
> 
> (ikr, my English sucks)
> 
> I want to block streaming (blockstr, blockstr2, audyvid, vidyaud) for all
> but uservipstr
> 
> If I remove the line "always_direct allow ntlm" the DIRECT/PARENT rules work
> but the streaming rules don't
> 
> If I leave that line in, streaming works but DIRECT/PARENT doesn't
> 
> Here's my squid.conf. I'll put it all here because I can't find where my error is
> 
> 
> ########################
> 
> ##VISIBLE PROXY NAME
> 
> visible_hostname prana
> 
> ##NTLM
> #
> ##DECLARED
> 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm keep_alive off
> 
> ##EXTERNAL NTLM DECLARATION FOR BLOCKING FILE DOWNLOADS,
> ##LOAD BALANCING AND DOWNLOADED FILE SIZES
> #
> ##DECLARED
> 
> external_acl_type ntlm_group ttl=3600 children=100 %LOGIN /usr/lib/squid/wbinfo_group.pl
> 
> ##HERE I DECLARE THE ROEMMERS ACCESS LISTS
> #
> ##DECLARED
> 
> acl porno url_regex -i "/etc/squid/listas/porno.lst"
> acl permitidos dstdomain -i "/etc/squid/listas/permitidos.lst"
> acl directo url_regex -i "/etc/squid/listas/direct.lst"
> acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"
> acl useragent browser -i "/etc/squid/blockejec/browser.lst"
> acl blockstr req_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
> acl blockejec url_regex -i "/etc/squid/blockejec/blockejec.lst"
> acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"
> acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
> acl destinolimitado dstdomain -i "/etc/squid/listas/limitado.lst"
> 
> ###SKYPE ACL
> acl skype external ntlm_group "/etc/squid/listas/skype.lst"
> acl numeric_ips dstdom_regex ^(([0-9]+.[0-9]+.[0-9]+.[0-9]+)|([([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?])):443
> acl skype_ua browser ^skype
> acl validuseragent browser \S+
> #
> ##DECLARED
> acl all src all
> acl CONNECT method CONNECT
> ##DECLARE SQSTAT
> ##SQSTAT ACL
> acl manager proto cache_object
> acl webserver src 192.168.8.121/255.255.255.255
> http_access allow manager webserver
> http_reply_access allow manager webserver
> http_access deny manager
> 
> #BROWSING RULES
> http_access deny porno all
> http_reply_access deny porno all
> deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
> deny_info http://www.pranaglobal.com.ar/restringidos/roemmers porno
> acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"
> http_access deny blockejec uservipstr
> http_access allow uservipstr
> http_reply_access allow uservipstr
> http_access deny blockstr !uservipstr all
> http_reply_access deny blockstr !uservipstr all
> http_access deny blockstr2 !uservipstr all
> http_reply_access deny blockstr2 !uservipstr all
> http_access deny audyvid !uservipstr all
> http_access deny vidyaud !uservipstr all

vidyaud is checking a detail about the *reply*, which does not exist in
requests, so it does nothing in http_access. Remove all the useless access
control lines doing things like that. It will be much easier to read and
understand.


> http_reply_access deny audyvid !uservipstr all
> http_reply_access deny vidyaud !uservipstr all
> reply_body_max_size 9999999999999999999999999999999 deny uservipstr

Ah, 32-bit rounding. The above is a number between 0 and 2GB; it is
guaranteed to be smaller than you expect.

Hint: use "none" for no limit (or "0" if that's not accepted by 2.7).

Same for the other lines below.

> acl uservip external ntlm_group "/etc/squid/listas/uservip.lst"
> http_access deny blockejec uservip
> http_access allow uservip
> reply_body_max_size 9999999999999999999999999999999 deny uservip
> http_reply_access allow uservip
> always_direct allow uservip
> acl userti external ntlm_group "/etc/squid/listas/userti.lst"
> http_access deny blockejec !userti
> http_access allow userti
> http_reply_access allow userti
> 
> reply_body_max_size 9999999999999999999999999999999 deny userti
> acl user200mb external ntlm_group "/etc/squid/listas/user200mb.lst"
> http_access allow user200mb
> http_reply_access allow user200mb
> reply_body_max_size 500000000 deny user200mb
> acl userinternet external ntlm_group "/etc/squid/listas/userinternet.lst"
> http_access allow userinternet
> http_reply_access allow userinternet
> reply_body_max_size 45000000 deny userinternet
> acl userlimitado external ntlm_group "/etc/squid/listas/userlimitado.lst"
> http_access deny userlimitado !destinolimitado
> http_reply_access deny userlimitado !destinolimitado
> never_direct allow userlimitado
> #deny
> deny_info http://www.pranaglobal.com.ar/restringidos/roemmers destinolimitado
> reply_body_max_size 45000000 deny userlimitado
> ##DECLARE EXTRA ACCESS LISTS
> 
> 
> 
> ##DONE
> 
> ##COMMON ACLS
> acl localnet src 192.168.0.0/16
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 78 69 #Spotify
> 
> ##SRCs DECLARED
> #
> ##HERE I DECLARE HTTP ACCESS AND FILTERING BY AD GROUP
> 
> 

Um. The purpose of these ...

> 
> # Deny requests to unknown ports
> #http_access allow Safe_ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ##HTTP ACCESS DECLARED

... down to here, is to protect the proxy and the network, and to prevent
a lot of CPU cycles or expensive socket resources being consumed by attackers.

They can only be successful at that task if you put them above the
http_access controls that do a lot of that work, such as all the many,
many external ACL group lookups earlier in your config.


> #
> ##SSO STARTS HERE
> acl ntlm proxy_auth REQUIRED
> #http_access deny !ntlm
> ########################################## UNCOMMENT IF WE GO WITH BLACKLIST
> http_access deny numeric_ips !skype
> http_access deny skype_ua !skype
> http_access deny !validuseragent !skype
> ##########################################
> http_access allow permitidos ntlm
> http_reply_access allow permitidos ntlm
> http_access allow permitidos !userlimitado
> http_reply_access allow permitidos !userlimitado
> http_access deny all
> http_reply_access deny all
> reply_body_max_size 500000 deny all
> ##ENDS HERE
> #
> ##Allow ICP queries from local networks only
> icp_access allow localnet
> icp_access deny all
> ##
> #
> ## Squid normally listens to port 3128
> http_port 3128
> ##SQUID PORT DECLARED
> #
> ##LOG
> access_log /var/log/squid/access.log squid
> ##DONE
> #
> #LIMITING DOWNLOAD TO 40 MB
> #reply_body_max_size 0 allow userti
> #reply_body_max_size 0 allow uservip
> #reply_body_max_size 0 allow uservipstr
> #reply_body_max_size 4000000 allow user200mb
> #reply_body_max_size 4000  allow userinternet
> #reply_body_max_size 4000 allow userlimitado
> #reply_body_max_size 0 deny all
> ##DONE
> 
> ##PARENT PROXY!! IF THE PARENT PROXY GOES DOWN
> ## OR WHEN REPLACING THE FIREWALL WITH AN ACTIVE-ACTIVE ONE,
> ##COMMENT OUT THESE LINES
> cache_peer 192.168.26.15 parent 3128 0 no-digest proxy-only no-delay no-query
> 
> dead_peer_timeout 30 seconds
> #
> #DONE
> 
> ##IN WHICH CASES IS IT DIRECT?
> ##
> ##THE REST WILL BROWSE VIA THE PARENT
> always_direct allow uservipstr
> always_direct allow uservip
> always_direct allow directo
> always_direct allow blockejec
> always_direct deny blockstr
> always_direct allow permitidos all
> never_direct allow blockstr
> never_direct allow userti
> always_direct allow ntlm
> always_direct deny all
> never_direct allow all
> 
> 
> ##CALL TO SQUIDGUARD
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 50
> 
> ##############################
> 
> Thanks for your attention
> 
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
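As an added example, not part of this thread and not Squid project code, here is a small Python checker for the three problems the reply points out in the quoted squid.conf: reply-side ACLs (rep_mime_type, rep_header) tested in http_access where no reply exists yet, reply_body_max_size values above the 32-bit range that Squid 2.7 silently wraps, and the cheap `!Safe_ports` / `CONNECT !SSL_ports` denies placed after the first http_access line that triggers an authentication challenge or external-helper lookup. The embedded config is a constructed, shortened excerpt of the one quoted above (directive and ACL names are the poster's own); the check names are this example's own invention.

```python
"""Check a squid.conf for the three issues raised in the reply above:
reply-side ACLs tested in http_access, reply_body_max_size values that
overflow a 32-bit integer, and cheap port sanity checks placed after
expensive authentication / external-helper lookups."""

# Constructed, shortened excerpt of the config quoted in the thread.
SAMPLE_CONF = """\
acl vidyaud rep_mime_type -i "/etc/squid/listas/blockstr.lst"
acl audyvid req_mime_type -i "/etc/squid/listas/blockstr.lst"
acl blockstr2 rep_mime_type -i "/etc/squid/blockejec/blocstreaming.lst"
acl uservipstr external ntlm_group "/etc/squid/listas/uservipstr.lst"
acl ntlm proxy_auth REQUIRED
acl SSL_ports port 443      # https
acl Safe_ports port 80      # http
acl CONNECT method CONNECT
acl all src all
http_access allow uservipstr
http_access deny audyvid !uservipstr all
http_access deny vidyaud !uservipstr all
http_reply_access deny vidyaud !uservipstr all
reply_body_max_size 9999999999999999999999999999999 deny uservipstr
reply_body_max_size 500000000 deny user200mb
# Deny requests to unknown ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ntlm
http_access deny all
"""

# ACL types that only have data to match once a reply exists.
REPLY_ONLY_TYPES = {"rep_mime_type", "rep_header"}
# ACL types whose evaluation costs a helper round-trip or an auth challenge.
EXPENSIVE_TYPES = {"external", "proxy_auth", "proxy_auth_regex"}
INT32_MAX = 2 ** 31 - 1


def parse(text):
    """Yield (lineno, directive, args) with comments and blank lines removed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        yield lineno, directive, args


def lint(text):
    """Return a list of (check, lineno, detail) tuples for the three issues."""
    entries = list(parse(text))
    # ACL name -> ACL type, so http_access lines can be judged by what they test.
    acl_type = {args[0]: args[1] for _, d, args in entries
                if d == "acl" and len(args) >= 2}
    findings = []
    first_expensive = None   # lineno of first http_access needing auth/helper
    port_checks = {}         # "Safe_ports"/"SSL_ports" -> lineno of the deny

    for lineno, directive, args in entries:
        if directive == "http_access" and args:
            names = [a.lstrip("!") for a in args[1:]]
            for name in names:
                if acl_type.get(name) in REPLY_ONLY_TYPES:
                    findings.append(("reply_acl_in_http_access", lineno, name))
            if first_expensive is None and any(
                    acl_type.get(n) in EXPENSIVE_TYPES for n in names):
                first_expensive = lineno
            if args[0] == "deny" and "!Safe_ports" in args:
                port_checks["Safe_ports"] = lineno
            if args[0] == "deny" and "CONNECT" in args and "!SSL_ports" in args:
                port_checks["SSL_ports"] = lineno
        elif directive == "reply_body_max_size" and args and args[0].isdigit():
            # Squid 2.7 stores this in a 32-bit integer; larger values wrap.
            if int(args[0]) > INT32_MAX:
                findings.append(("size_overflows_int32", lineno, args[0]))

    # The port sanity denies only save work if they run before the first
    # http_access line that forces an auth challenge or helper lookup.
    for name, lineno in sorted(port_checks.items(), key=lambda kv: kv[1]):
        if first_expensive is not None and lineno > first_expensive:
            findings.append(("port_check_after_expensive_acl", lineno, name))
    return findings


if __name__ == "__main__":
    for check, lineno, detail in lint(SAMPLE_CONF):
        print(f"line {lineno}: {check}: {detail}")
```

To run it on the real file, replace SAMPLE_CONF with the contents of squid.conf. An empty result means only that none of the three patterns was found, not that the config is otherwise correct; the ordering check is purely positional and does not model which lines Squid would actually evaluate for a given request.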


