[squid-users] reply_body_max_size question

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 15 02:49:04 UTC 2017


On 12/03/2017 8:11 p.m., Danny wrote:
> Hi,
> 
> Just want someone to confirm my current reply_body_max_size setup. I have a
> simple network at home i.e. Debian with a wireless card (wlan0) which is bridged
> (br0) to an ethernet card (eth0). All devices come through the wireless card
> (wlan0) and then off to the router.
> 
> I want "localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4" to have unlimited download capability but
> "localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp" must be limited to a
> 5MB download limit.
> 
> Here is my configuration:
> ######################################################################################################################################
> acl localnet src 10.0.0.0/24	# RFC1918 possible internal network
> acl localnet_sniper src 10.0.0.3        #(eth0)
> acl localnet_bridge src 10.0.0.4        #(br0)
> acl localnet_fever src 10.0.0.5         #(wlan0)
> acl localnet_44081 src 10.0.0.11        #(RaspberryPi3)
> acl localnet_dannyS4 src 10.0.0.54
> acl localnet_vS5mini src 10.0.0.55
> acl localnet_shotgun src 10.0.0.56
> acl localnet_anTab2 src 10.0.0.71
> acl localnet_vTab3 src 10.0.0.73
> acl localnet_samsungTV src 10.0.0.80
> acl localnet_samsungDVD src 10.0.0.81
> acl localnet_dhcp src 10.0.0.201
> acl localnet_dhcp src 10.0.0.202
> acl localnet_dhcp src 10.0.0.203
> acl localnet_dhcp src 10.0.0.204
> 
> http_access allow password
> http_access allow localhost
> http_access allow localnet

The localnet ACL above matches and allows all requests from any IP in
the 10.*/24 to use the proxy.

So none of the below individual IP checks will ever be reached. They are
pointless anyway since they do the same as the more generic "allow
localnet".


> http_access allow localnet_sniper
> http_access allow localnet_bridge
> http_access allow localnet_fever
> http_access allow localnet_44081
> http_access allow localnet_dannyS4
> http_access allow localnet_vS5mini
> http_access allow localnet_anTab2
> http_access allow localnet_vTab3
> http_access allow localnet_samsungTV
> http_access allow localnet_samsungDVD
> http_access allow localnet_dhcp


The default security protections for Safe_ports, SSL_ports, CONNECT,
manager access, and final "deny all" are missing.

I hope you have just omitted them from this mail, not removed them from
your config.

> 
> reply_body_max_size 9 999 999 999 MB localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4

Squid understands the magic word "none" to mean no limit. The above is
setting a large, but not impossible limit of ~9.3 PB.


> reply_body_max_size 5 MB localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp
> 

The ACLs on both these lines are defining an impossible situation.
See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for
what is going wrong there and ways to fix it.

Transactions which do not have a limit applied, are of course unlimited.
So drop the ACLs explicitly listing what not to limit. You only need an
ACL to match what does get limited, and only one is needed (you are only
matching on IP, nothing complex).

Like so:

 acl limit_5MB src 10.0.0.201-10.0.0.204 # dhcp
 acl limit_5MB src 10.0.0.80    # samsung TV
 acl limit_5MB src 10.0.0.81    # samsung DVD
 ...
 reply_body_max_size 5 MB limit_5MB

That is it.


> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf


redirect_program is a deprecated alias for url_rewrite_program. You can
only have one configured for use. So, only the latter of the two
directives will do anything.

Amos
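To make the two rules behind that advice concrete (every ACL name on one access line must match, and only the first matching line applies), here is a small Python model added to this archived thread; it is not Squid's code and not from either poster. It assumes a parser for just three directives (`acl ... src`, `http_access`, `reply_body_max_size`), treats `all` as a built-in ACL, joins the space-separated digit groups of the posted size into one number (an assumption made so that the ~9.3 PB figure can be reproduced), and runs against trimmed, constructed copies of the posted configuration and of the single-ACL fix.

```python
"""Toy model of Squid's ACL evaluation rules; an added illustration, not Squid code.
Models three directives (acl ... src, http_access, reply_body_max_size) and three
rules: ACL names on one line are ANDed, separate lines are ORed, first match wins."""
import ipaddress

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_src(token):
    """Expand one src argument: a single IP, a CIDR block, or an addr1-addr2 range."""
    if "-" in token:
        lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(token, strict=False)]


def parse_size(tokens):
    """Return (limit in bytes, or None for `none`) and the remaining ACL names.
    Joining digit-only tokens ("9 999 999 999 MB") is this model's assumption."""
    if tokens[0] == "none":
        return None, tokens[1:]
    digits, i = "", 0
    while i < len(tokens) and tokens[i].isdigit():
        digits += tokens[i]
        i += 1
    return int(digits) * UNITS[tokens[i]], tokens[i + 1:]


def parse_config(text):
    acls, http_access, body_limits = {}, [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()          # strip comments
        if not words:
            continue
        if words[0] == "acl" and words[2] == "src":
            for token in words[3:]:
                acls.setdefault(words[1], []).extend(parse_src(token))
        elif words[0] == "http_access":
            http_access.append((words[1], words[2:]))   # (action, acl names)
        elif words[0] == "reply_body_max_size":
            body_limits.append(parse_size(words[1:]))   # (limit, acl names)
    return acls, http_access, body_limits


def acl_matches(acls, name, client):
    if name == "all":                                   # built-in in Squid
        return True
    if name not in acls:
        raise ValueError(f"ACL {name} used before it is defined")
    return any(client in net for net in acls[name])


def first_match(acls, lines, client):
    """Index and value of the first line on which EVERY listed ACL matches."""
    for idx, (value, names) in enumerate(lines):
        if all(acl_matches(acls, n, client) for n in names):
            return idx, value
    return None, None


def evaluate(config_text, client_ip):
    acls, http_access, body_limits = parse_config(config_text)
    client = ipaddress.ip_address(client_ip)
    access_idx, action = first_match(acls, http_access, client)
    if access_idx is None:      # no match: opposite of the last line's action
        action = "deny" if http_access[-1][0] == "allow" else "allow"
    limit_idx, limit = first_match(acls, body_limits, client)
    return {"access": action, "access_line": access_idx,
            "limit": limit, "limit_line": limit_idx}   # limit None = unlimited


# Trimmed copy of the configuration as posted (constructed for this example).
POSTED = """\
acl localnet src 10.0.0.0/24
acl localnet_sniper src 10.0.0.3
acl localnet_fever src 10.0.0.5
acl localnet_samsungTV src 10.0.0.80
acl localnet_dhcp src 10.0.0.201
http_access allow localnet
http_access allow localnet_sniper
http_access deny all
reply_body_max_size 9 999 999 999 MB localnet_sniper localnet_fever
reply_body_max_size 5 MB localnet_samsungTV localnet_dhcp
"""

# The single-ACL form recommended in the reply (constructed for this example).
FIXED = """\
acl localnet src 10.0.0.0/24
acl limit_5MB src 10.0.0.201-10.0.0.204   # dhcp
acl limit_5MB src 10.0.0.80               # samsung TV
http_access allow localnet
http_access deny all
reply_body_max_size 5 MB limit_5MB
"""
```

With the posted configuration, `evaluate(POSTED, "10.0.0.80")` returns `{'access': 'allow', 'access_line': 0, 'limit': None, 'limit_line': None}`: the TV is admitted by the generic `allow localnet` line, and neither size line ever matches because no single client can be both `localnet_samsungTV` and `localnet_dhcp` at once, so it downloads without limit. With the fix, the same client gets `limit == 5 * 1024 ** 2`, while `10.0.0.3` stays unlimited and an off-subnet address is denied by the final `deny all`.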


