[squid-users] acl Question

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 13 07:15:03 UTC 2015


On 13/10/2015 12:19 p.m., joe wrote:
> OK, again I filter out most of the squid conf. With this minimum config, should
> I get any static img or anything as a hit or not?
> Because I don't get any.
> I test on squid 3.5.8 and up, same thing.

Please continue to use that later version. In the absence of any other
useful information about your Squid or what it is supposed to be doing, the
response below assumes you are using 3.5.8.

Please do supply a description of how your Squid is _supposed_ to be
used. And any access policies you are expecting to be enforced by the proxy.


> 
> via off
> forwarded_for off
> 
> # should be allowed
> acl localnet src 10.2.3.0/24
> acl localnet src 10.2.2.0/24
> acl localnet src 10.3.2.0/24
> acl localnet src 10.4.4.0/24
> 
> #http_access deny all
> acl SSL_ports port 443
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 70		# gopher
> acl Safe_ports port 210		# wais
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> acl CONNECT method CONNECT
> 
> # STOREID ACCESS LIST 
> acl domaincache dstdomain .dailymotion.com
> 
> cache allow domaincache

This rule allows URLs within the *.dailymotion.com domains to be cached.
The implicit followup prevents any others from being stored.

To let everything be cached properly, just remove the above "cache
allow" rule.


> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow localnet
> http_access allow manager

Allowing anyone who can access the proxy to view the proxy management
reports and controls.


> # And finally deny all other access to this proxy
> http_access allow all

"allow all" does not deny anything. You have an "open proxy".
<https://en.wikipedia.org/wiki/Open_proxy>

> 
> http_port 8079 
> http_port 8080 accel vhost allow-direct

What do you think this is doing?


> 
> store_dir_select_algorithm least-load
> cache_dir aufs /mnt/sdb 500000 26 256
> cache_dir aufs /mnt/sdc 500000 26 256
> 
> memory_pools off
> memory_pools_limit 4 GB

You disabled memory pools. No need to set a limit for it.

> cache_mem 5 GB
> #maximum_object_size_in_memory 64 KB
> maximum_object_size_in_memory 2048 KB

Meaning you can store 2 of the big objects in memory. The rest has to be
on disk.

This can cause major latency problems when Squid has to export up to 1
million small (1KB+) objects out of memory for one of these big objects.

Then when the big object expires it happens all over again, as up to 1
million small objects get loaded back from disk or network.


> minimum_object_size 1 KB 
> maximum_object_size 3 GB
> cache_swap_low 98
> cache_swap_high 99
> logfile_rotate 0
> cache_store_log none

This is a default. You can remove the cache_store_log line entirely.

> access_log daemon:/var/log/squid3/access.log !CONNECT

You have an open proxy. CONNECT is usually the method used to send abuse
through open proxies. Ignoring it all is a bad idea.

> cache_log /var/log/squid3/cache.log

This should be a default. You can remove the cache_log line entirely.

> 
> # FILES TYPE
> refresh_pattern -i \.(exe|crx|esd)(\?|\/\?) 10080 100% 799000
> override-expire override-lastmod ignore-reload ignore-no-store
> ignore-private ignore-auth ignore-must-revalidate store-stale
> reload-into-ims
> 
> refresh_pattern -i
> \.(3gp|m1v|ace|web(m|p|a)|m2(v|p)|swf|dat|cup|dvr-ms|ram|avi|mk(a|v)|vob|wm(a|v)|flv|x-flv|JPG)
> 10080 100% 129600 override-expire override-lastmod ignore-reload
> ignore-no-store ignore-private ignore-auth ignore-must-revalidate
> store-stale reload-into-ims
> refresh_pattern -i
> \.(m3u8|jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|mp(e?g|a|e|1|2|3|4)|deb|ad|f4(f|v)|abst|dll)
> 10080 100% 129600 override-expire override-lastmod ignore-reload
> ignore-no-store ignore-private ignore-auth ignore-must-revalidate
> store-stale reload-into-ims
> refresh_pattern -i
> \.(rar|jar|gz|tgz|bz2|iso|7z|asx|mo(d|v)|arj|lha|lzh|zip|tar|pak|cup|ipa|apk)
> 10080 100% 43800 override-expire override-lastmod ignore-reload
> ignore-no-store ignore-private ignore-auth ignore-must-revalidate
> store-stale
> refresh_pattern -i
> \.(rpm|ac4|bin|ms(i|u|p)|og(x|v|a|g)|rm|r(a|p)m|snd|inc|cod|jad|txt) 10080
> 100% 43800 override-expire override-lastmod ignore-reload ignore-no-store
> ignore-private ignore-auth ignore-must-revalidate store-stale
> refresh_pattern -i
> \.(pp(t?x)|s|t)|pdf|rtf|wax|cab|wmx|wpl|cb(r|z|t)|xl(s?x)|do(c?x)|qt|vpx)
> 10080 100% 43800 override-expire override-lastmod ignore-reload
> ignore-no-store ignore-private ignore-auth ignore-must-revalidate
> store-stale

These options do nothing useful, and are quite harmful:
 ignore-private ignore-auth ignore-must-revalidate


Since you are running a reverse proxy, claiming to be the CDN operator
for the domain dailymotion.com and others, you should also stop screwing
your clients over with "override-expire override-lastmod ignore-reload
ignore-no-store" and get their origin servers fixed instead.


> refresh_pattern -i .(html|htm|css|js|xml)$ 1440 75% 40320
> refresh_pattern -i .index.(html|htm)$ 0 75% 43800
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i (/cgi-bin/\?) 0	0%	0
> refresh_pattern .		0	20%	4320
> 
> cache_effective_user proxy
> cache_effective_group proxy
> visible_hostname xcache
> unique_hostname xcache

"xcache" is not a publicly resolvable domain name. The visible_hostname
should be the CDN hostname used to access your proxy. It *will* be
displayed to visitors.

Please also read the unique_hostname documentation. It is rarely
necessary to use that directive. If you don't need it, remove it.


> dns_nameservers 8.8.8.8 8.8.4.4 4.2.2.4

So, you are running a CDN to mirror Google hosted websites?


> shutdown_lifetime 10 second

Many of the lines below are default settings for Squid-3.5. You should
check them and remove the ones that are only setting a default value.

> icp_port 0
> htcp_port 0
> check_hostnames off
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> forward_timeout 240 seconds
> connect_timeout 60 seconds
> #read_timeout 15 minute
> peer_connect_timeout 30 seconds
> read_timeout 600 second
> request_timeout 60 second
> ipcache_size 16384
> ipcache_low 98
> ipcache_high 99
> ipcache_size 2048
> ipcache_low 98
> ipcache_high 99
> quick_abort_min 0
> quick_abort_max 0
> quick_abort_pct 100
> fqdncache_size 16384
> icp_hit_stale on
> query_icmp off
> strip_query_terms off
> retry_on_error on
> check_hostnames off
> minimum_expiry_time 0 seconds
> positive_dns_ttl 6 hour
> negative_dns_ttl 60 second
> half_closed_clients off
> memory_pools off
> reload_into_ims on
> store_avg_object_size 82 KB
> client_db on
> max_filedescriptors 32768
> # QoS MARKING
> qos_flows local-hit=0x30
> tcp_outgoing_tos 0x30 all
> 

Amos
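As an added illustration (not part of the thread), the following small Python linter encodes the weaknesses Amos calls out in the quoted squid.conf: a trailing "http_access allow all" (open proxy), an unrestricted "allow manager", CONNECT excluded from access_log, and the harmful refresh_pattern options. The two configs are constructed samples: SAMPLE_CONF reproduces the relevant quoted lines, HARDENED_CONF is a variant that follows the advice in the reply.

```python
SAMPLE_CONF = """
http_access allow localhost
http_access allow localnet
http_access allow manager
# And finally deny all other access to this proxy
http_access allow all
access_log daemon:/var/log/squid3/access.log !CONNECT
refresh_pattern -i \\.(exe|crx|esd) 10080 100% 799000 ignore-private ignore-auth
"""

# Constructed hardened variant: manager only from localhost, deny all last, CONNECT logged.
HARDENED_CONF = """
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
access_log daemon:/var/log/squid3/access.log
refresh_pattern -i \\.(exe|crx|esd) 10080 100% 799000
"""

HARMFUL_REFRESH_OPTS = {"ignore-private", "ignore-auth", "ignore-must-revalidate"}


def check_squid_conf(text):
    """Return (directive, finding) pairs for the issues raised in the reply."""
    findings = []
    http_access = []  # http_access rules in file order; Squid uses first match
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive == "http_access":
            http_access.append(args)
        elif directive == "access_log" and "!CONNECT" in args:
            findings.append(("access_log", "CONNECT requests are not logged"))
        elif directive == "refresh_pattern":
            bad = sorted(HARMFUL_REFRESH_OPTS.intersection(args))
            if bad:
                findings.append(("refresh_pattern", "harmful options: " + " ".join(bad)))
    # A final "allow all" means every request not denied earlier is served: open proxy.
    if http_access and http_access[-1] == ["allow", "all"]:
        findings.append(("http_access", "final rule is 'allow all': open proxy"))
    # "allow manager" with no other ACL on the line exposes cachemgr to every client.
    for rule in http_access:
        if rule == ["allow", "manager"]:
            findings.append(("http_access", "'allow manager' is not restricted to localhost"))
    return findings
```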


