[squid-users] reply_body_max_size question

Danny mynixmail at gmail.com
Sat Mar 18 13:53:22 UTC 2017


Thank you Amos for the detailed reply. Never too old to learn are we?

Have a nice day

Danny

On Mar 15 17, Amos Jeffries :
> To: squid-users at lists.squid-cache.org
> Date: Wed, 15 Mar 2017 15:49:04 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> Subject: Re: [squid-users] reply_body_max_size question
> 
> On 12/03/2017 8:11 p.m., Danny wrote:
> > Hi,
> > 
> > Just want someone to confirm my current reply_body_max_size setup. I have a
> > simple network at home i.e: Debian with a wireless card (wlan0) which is bridged
> > (br0) to an ethernet card (eth0). All devices come through the wireless card
> > (wlan0) and then off to the router.
> > 
> > I want "localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4" to have unlimited download capability but
> > "localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp" must be limited to a
> > 5MB download limit.
> > 
> > Here is my configuration:
> > ######################################################################################################################################
> > acl localnet src 10.0.0.0/24	# RFC1918 possible internal network
> > acl localnet_sniper src 10.0.0.3        #(eth0)
> > acl localnet_bridge src 10.0.0.4        #(br0)
> > acl localnet_fever src 10.0.0.5         #(wlan0)
> > acl localnet_44081 src 10.0.0.11        #(RaspberryPi3)
> > acl localnet_dannyS4 src 10.0.0.54
> > acl localnet_vS5mini src 10.0.0.55
> > acl localnet_shotgun src 10.0.0.56
> > acl localnet_anTab2 src 10.0.0.71
> > acl localnet_vTab3 src 10.0.0.73
> > acl localnet_samsungTV src 10.0.0.80
> > acl localnet_samsungDVD src 10.0.0.81
> > acl localnet_dhcp src 10.0.0.201
> > acl localnet_dhcp src 10.0.0.202
> > acl localnet_dhcp src 10.0.0.203
> > acl localnet_dhcp src 10.0.0.204
> > 
> > http_access allow password
> > http_access allow localhost
> > http_access allow localnet
> 
> The localnet ACL above matches and allows all requests from any IP in
> the 10.*/24 to use the proxy.
> 
> So none of the below individual IP checks will ever be reached. They are
> pointless anyway since they do the same as the more generic "allow
> localnet".
> 
> 
> > http_access allow localnet_sniper
> > http_access allow localnet_bridge
> > http_access allow localnet_fever
> > http_access allow localnet_44081
> > http_access allow localnet_dannyS4
> > http_access allow localnet_vS5mini
> > http_access allow localnet_anTab2
> > http_access allow localnet_vTab3
> > http_access allow localnet_samsungTV
> > http_access allow localnet_samsungDVD
> > http_access allow localnet_dhcp
> 
> 
> The default security protections for Safe_ports, SSL_ports, CONNECT,
> manager access, and final "deny all" are missing.
> 
> I hope you have just omitted them from this mail, not removed them from
> your config.
> 
> > 
> > reply_body_max_size 9 999 999 999 MB localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4
> 
> Squid understands the magic word "none" to mean no limit. The above is
> setting a large, but not impossible limit of ~9.3 PB.
> 
> 
> > reply_body_max_size 5 MB localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp
> > 
> 
> The ACLs on both these lines are defining an impossible situation.
> See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for
> what is going wrong there and ways to fix it.
> 
> Transactions which do not have a limit applied, are of course unlimited.
> So drop the ACL's explicitly listing what not to limit. You only need
> ACL to match what does get limited, and only one is needed (you are only
> matching on IP, nothing complex).
> 
> Like so:
> 
>  acl limit_5MB src 10.0.0.201-10.0.0.204 # dhcp
>  acl limit_5MB src 10.0.0.80    # samsung TV
>  acl limit_5MB src 10.0.0.81    # samsung DVD
>  ...
>  reply_body_max_size 5 MB limit_5MB
> 
> That is it.
> 
> 
> > url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> > redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> 
> 
> redirect_program is a deprecated alias for url_rewrite_program. You can
> only have one configured for use. So, only the latter of the two
> directives will do anything.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
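
The ACL matching rule discussed in the thread, as an added example that is not part of the original mails and is not Squid code: a small Python model of how a reply_body_max_size line is matched (values under one ACL name are ORed, ACL names on one line are ANDed, first matching line wins, no match means no limit). The parser, the function names and the trimmed BEFORE/AFTER configs are constructed for illustration from the lines quoted above.

```python
import ipaddress

# Constructed sample: three of the ACLs from the original 5 MB line.
BEFORE = """
acl localnet_samsungTV src 10.0.0.80
acl localnet_samsungDVD src 10.0.0.81
acl localnet_dhcp src 10.0.0.201
acl localnet_dhcp src 10.0.0.202
reply_body_max_size 5 MB localnet_samsungTV localnet_samsungDVD localnet_dhcp
"""
# Constructed sample: the single-ACL form suggested in the reply.
AFTER = """
acl limit_5MB src 10.0.0.201-10.0.0.204 # dhcp
acl limit_5MB src 10.0.0.80    # samsung TV
acl limit_5MB src 10.0.0.81    # samsung DVD
reply_body_max_size 5 MB limit_5MB
"""

def parse(conf):
    """Collect 'acl NAME src ...' and 'reply_body_max_size ...' lines (a model only)."""
    acls, limits = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            for value in tok[3:]:
                lo, _, hi = value.partition("-")
                if hi:  # addr1-addr2 range
                    rng = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                else:   # single address or CIDR network
                    net = ipaddress.ip_network(lo, strict=False)
                    rng = (net[0], net[-1])
                # A repeated ACL name adds another alternative (OR).
                acls.setdefault(tok[1], []).append(rng)
        elif len(tok) >= 2 and tok[0] == "reply_body_max_size":
            if tok[1] == "none":
                limits.append((None, tok[2:]))
            else:
                limits.append((tok[1] + " " + tok[2], tok[3:]))
    return acls, limits

def limit_for(conf, client):
    """Return the size limit applied to a client IP, or None for unlimited."""
    acls, limits = parse(conf)
    ip = ipaddress.ip_address(client)
    for size, names in limits:  # lines are checked in order, first match wins
        # Every ACL named on the line must match the same request (AND).
        if all(any(lo <= ip <= hi for lo, hi in acls[n]) for n in names):
            return size
    return None  # no line matched, so no limit applies
```

Running limit_for(BEFORE, "10.0.0.80") returns None because one source address cannot be the TV, the DVD player and a DHCP client at once, so the 5 MB line never matches; with AFTER the same client gets "5 MB".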

