<div dir="ltr"><div>Hi Amos,<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 08/05/18 00:24, Alex K wrote:<br>
> Hi all,<br>
> <br>
> I wanted to check with your accumulated wisdom the following squid<br>
> configuration.<br>
> <br>
> The config is working both for splice or bump (by<br>
> commenting/uncommenting the respective line) using TPROXY. It is a<br>
> config ported from an old installation of squid 3.1 for the new 3.5 and<br>
> although I did some cleanup I am wondering if I am misusing any<br>
> directive or missing any crucial one for better performance or just for<br>
> sake of cleanliness.<br>
> <br>
> At the moment for filtering I am using squidGuard and considering to go<br>
> with ufdbGuard instead as pointed out by Amos (thanks for that).<br>
> <br>
> To avoid issues with some sites I am considering to use only splicing,<br>
> although this has some caveats as bumping also does. I could go with a<br>
> hybrid approach (splice some and bump all) but it sounds like this<br>
> will periodically cause more administrative overhead to sort out the<br>
> sites that need splicing.<br>
> <br>
> The config also has some ACLs as an attempt to block media streaming but<br>
> those seem not to work.<br>
<br>
</span>The ACL checking for mms:// URLs will not work because the MMS protocol is<br>
not HTTP. Any client using that protocol will not be going through<br>
Squid. So quite likely none of the other checks will work for its<br>
non-proxied traffic either.<br>
<br>
"working" can also depend on what you are looking at. Your rules are<br>
only blocking *reply* access, which means only that the client does not<br>
get the response delivered. It still gets fetched from the server -<br>
maybe in full. So checking your logs etc can still show things arriving<br>
and lots of bandwidth usage.<br>
<br>
The urlpath and req_mime_type can be checked in http_access instead to<br>
block those requests from ever happening. That MAY work better, but no<br>
guarantees.<br>
<span class=""><br>
<br>
<br>
> <br>
> The hardware running the squid is somehow small with 4 GB of RAM, 4 CPU<br>
> cores and 100 GB SSD in case one wonders.<br>
> <br>
> <br>
> http_port 192.168.200.1:3128 tproxy<br>
> https_port 192.168.200.1:3129 tproxy \<br>
> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \<br>
> cert=/etc/squid/ssl_cert/myCA.pem<br>
> <br>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB<br>
> sslcrtd_children 5<br>
> <br>
> shutdown_lifetime 5 seconds<br>
> <br>
> # ACL<br>
> #acl ncsa_users proxy_auth REQUIRED<br>
> #acl all src 0.0.0.0/0.0.0.0<br>
> acl manager proto cache_object<br>
<br>
</span>'manager' ACL is now built-in, and has a different type signature. The<br>
above needs to be removed. Same with 'all'. It is not a good idea to<br>
leave them even commented out because the old definitions are no longer<br>
true.<br>
<br>
</blockquote><div>OK, removed these entries (ncsa_users, all, manager).<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> acl localhost src 192.168.200.1/32<br>
<br>
192.168.200.1 is assigned to your lo interface?<br></blockquote><div>Yes, this is the IP of one of the interfaces of the device on the network where the users use squid to reach the Internet.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> <br>
> acl SSL_ports port 443<br>
> acl Safe_ports port 80<br>
> acl Safe_ports port 21<br>
> acl Safe_ports port 443<br>
> acl Safe_ports port 10080<br>
> acl Safe_ports port 10443<br>
> acl SSL method CONNECT<br>
<br>
</span>The above can be quite deceptive,<br></blockquote><div>I removed port 21 as I don't think I am using FTP. <br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> acl CONNECT method CONNECT # multiling http<br>
> #acl block_url dstdomain "/etc/squid/block_url.squid"<br>
> #acl allow_url dstdomain "/etc/squid/allow_url.squid"<br>
> acl ELAN src 192.168.200.0/24<br>
> <br>
> acl QUERY urlpath_regex cgi-bin \?<br>
<br>
</span>The QUERY is not being used. It is also no longer necessary so can be<br>
removed.<br></blockquote><div>Removed. <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
> <br>
> # SSL<br>
> always_direct allow all<br>
<br>
</span>That should not be. You do not have any cache_peer configured.<br>
<span class=""><br></span></blockquote><div>Removed.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> <br>
> # Video Streaming ACLs<br>
> acl media rep_mime_type ^.*mms.*<br>
> acl media rep_mime_type ^.*ms-hdr.*<br>
> acl media rep_mime_type ^.*x-fcs.*<br>
> acl media rep_mime_type ^.*x-ms-asf.*<br>
> acl media2 urlpath_regex dvrplayer mediastream mms://<br>
> acl media2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$<br>
> acl flashvideo rep_mime_type -i video/flv<br>
> acl flashvideo rep_mime_type -i video/x-flv<br>
> acl shockwave rep_mime_type -i ^application/x-shockwave-flash$<br>
<br>
> acl x-type req_mime_type -i ^application/octet-stream$<br>
> acl x-type req_mime_type -i application/octet-stream<br>
<br>
</span>All the lines like the two above are duplicates.<br>
The "^foo$" pattern is a sub-set of "foo" pattern.<br>
<div><div class="h5"><br></div></div></blockquote><div>Removed duplicates.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<br>
> acl x-type req_mime_type -i ^application/x-mplayer2$<br>
> acl x-type req_mime_type -i application/x-mplayer2<br>
> acl x-type req_mime_type -i ^application/x-oleobject$<br>
> acl x-type req_mime_type -i application/x-oleobject<br>
> acl x-type req_mime_type -i application/x-pncmd<br>
> acl x-type req_mime_type -i ^video/x-ms-asf$<br>
> acl x-type2 rep_mime_type -i ^application/octet-stream$<br>
> acl x-type2 rep_mime_type -i application/octet-stream<br>
> acl x-type2 rep_mime_type -i ^application/x-mplayer2$<br>
> acl x-type2 rep_mime_type -i application/x-mplayer2<br>
> acl x-type2 rep_mime_type -i ^application/x-oleobject$<br>
> acl x-type2 rep_mime_type -i application/x-oleobject<br>
> acl x-type2 rep_mime_type -i application/x-pncmd<br>
> acl x-type2 rep_mime_type -i ^video/x-ms-asf$<br>
> <br>
> # Block Media Streaming<br>
> http_reply_access deny flashvideo<br>
> http_reply_access deny shockwave<br>
> http_reply_access deny media<br>
> http_reply_access deny media2<br>
> http_reply_access deny x-type<br>
> http_reply_access deny x-type2<br>
> <br>
> #<br>
> http_access deny manager<br>
> http_access deny !Safe_ports<br>
> http_access deny CONNECT !SSL_ports<br>
<br>
</div></div>FYI: current best-practice recommendation is to place the manager access<br>
line down here after the faster port checks.<br>
<span class=""><br></span></blockquote><div>Placed the manager line after the "http_access deny CONNECT !SSL_ports". <br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> #http_access deny block_url<br>
> #http_access allow allow_url<br>
> http_access allow LAN<br>
> http_access allow ELAN<br>
> <br>
> http_access allow localhost<br>
> #http_access allow ncsa_users<br>
> http_reply_access allow all<br>
<br>
</span>This http_reply_access line should be up with the others so it does not<br>
fool anyone into thinking that its placement here with the http_access lines<br>
has any meaning.<br></blockquote><div>Moved it to the http_reply block.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div><br>
> <br>
> deny_info ERR_CUSTOM LAN ELAN media media2 flashvideo shockwave x-type x-type2<br>
> error_directory /usr/share/squid-langpack/en<br>
> <br>
> #icp_access allow all<br>
> <br>
> # Logging<br>
> logfile_daemon /usr/lib/squid/log_db_daemon<br>
> access_log daemon:/127.0.0.1/squid_log/access_log/squid/squid squid<br>
> icap_log stdio:/var/log/squid/icap.log squid<br>
> cache_store_log stdio:/var/log/squid/store.log<br>
> <br>
> # DNS<br>
> dns_nameservers 127.0.0.1<br>
> positive_dns_ttl 8 hours<br>
> negative_dns_ttl 30 seconds<br>
> ipcache_size 2048<br>
> ipcache_low 95<br>
> ipcache_high 97<br>
> fqdncache_size 2048<br>
> <br>
> # Leave coredumps in the first cache dir<br>
> coredump_dir /var/spool/squid<br>
> cache_dir ufs /var/spool/squid 10240 16 256<br>
> minimum_object_size 0 KB<br>
> maximum_object_size 30 MB<br>
> maximum_object_size_in_memory 1024 KB<br>
> <br></div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
> # HTTPS filtering<br>
> acl step1 at_step SslBump1<br>
> <br>
> ssl_bump peek step1<br>
> ssl_bump splice all<br>
> #ssl_bump bump all<br>
> <br>
> # SquidGuard<br>
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf<br>
> url_rewrite_children 5<br>
> <br>
> <br>
> Your input is highly appreciated.<br>
> <br>
> Alex<br>
> <br>
> <br>
</div></div>> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <br>
</blockquote></div><br></div></div>
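Two of the review points above can be checked mechanically: an anchored regex value such as <code>^application/octet-stream$</code> matching a subset of the bare <code>application/octet-stream</code> value in the same ACL, and an ACL that tests request properties (urlpath_regex, req_mime_type) but is enforced only in http_reply_access, so the object is still fetched before the client is denied. The linter below is an added example, not code from this thread or from the Squid project; the config fragment it runs on is constructed to mirror the lines quoted above, and the set of request-side ACL types it recognises is an assumption of the example.

```python
"""Lint a squid.conf fragment for two problems raised in the thread (added example)."""
from collections import defaultdict

# ACL types that test the *request*, so they can be enforced in http_access
# before anything is fetched. rep_mime_type is reply-only and is deliberately absent.
REQUEST_SIDE_TYPES = {"urlpath_regex", "url_regex", "req_mime_type", "dstdomain"}

# Constructed sample mirroring the quoted config (not the poster's full file).
SAMPLE_CONF = """\
acl Safe_ports port 80 443
acl media2 urlpath_regex \\.asf$ \\.flv$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl flashvideo rep_mime_type -i video/x-flv
http_reply_access deny flashvideo
http_reply_access deny media2
http_reply_access deny x-type   # denied only after the reply has arrived
http_access deny !Safe_ports
"""

def parse(conf):
    """Return (acls, used_in): acl name -> [(type, values)], acl name -> {directives}."""
    acls, used_in = defaultdict(list), defaultdict(set)
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if len(parts) >= 3 and parts[0] == "acl":
            # "-i" only toggles case-insensitivity; it is not a value
            acls[parts[1]].append((parts[2], [v for v in parts[3:] if v != "-i"]))
        elif len(parts) >= 3 and parts[0] in ("http_access", "http_reply_access"):
            for acl_name in parts[2:]:
                used_in[acl_name.lstrip("!")].add(parts[0])
    return acls, used_in

def subsumed_duplicates(acls):
    """(name, '^foo$', 'foo') triples: the anchored value matches a subset of the bare one."""
    found = []
    for name, entries in acls.items():
        values = {v for typ, vals in entries if typ.endswith(("_regex", "mime_type")) for v in vals}
        found += [(name, v, v[1:-1]) for v in values
                  if v.startswith("^") and v.endswith("$") and v[1:-1] in values]
    return sorted(found)

def reply_only_request_acls(acls, used_in):
    """ACLs that test request properties but are enforced only in http_reply_access."""
    return sorted(name for name, entries in acls.items()
                  if all(typ in REQUEST_SIDE_TYPES for typ, _ in entries)
                  and used_in.get(name) == {"http_reply_access"})

if __name__ == "__main__":
    acls, used_in = parse(SAMPLE_CONF)
    print("anchored duplicates:", subsumed_duplicates(acls))
    print("candidates for http_access:", reply_only_request_acls(acls, used_in))
```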