[squid-users] MS update woes

Alex Samad alex at samad.com.au
Mon Jan 25 10:56:45 UTC 2016


Hi

Sorry, I had redacted some.

"
auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
auth_param negotiate children 20 startup=0 idle=3
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
auth_param ntlm children 20 startup=0 idle=3
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
acl localnet src 10.32.80.0/24
acl localnet_auth src 10.32.0.0/14
acl localnet_auth src 10.172.0.0/16
acl localnet_auth src 10.43.200.51/32
acl localnet_guest src 10.172.202.0/24
acl localnet_appproxy src 10.172.203.30/32
acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
acl FTP proto FTP
acl DMZSRV src 10.32.20.110
acl DMZSRV src 10.32.20.111
acl DirectExceptions url_regex -i ^http://(www.|)smh.com.au/business/markets-live/.*
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
acl SQUIDSPECIAL urlpath_regex ^/squid-internal-static/
acl AuthorizedUsers proxy_auth REQUIRED
acl icp_allowed src 10.32.20.110/32
acl icp_allowed src 10.32.20.111/32
acl icp_allowed src 10.172.203.30/32
acl icp_allowed src 10.172.203.34/32
acl windowsupdate_url url_regex -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
acl windowsupdate_url url_regex -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
acl windowsupdate_url url_regex -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
acl notwindowsupdate_url dstdomain ctldl.windowsupdate.com
http_access allow manager localhost
http_access allow manager icp_allowed
http_access deny manager
http_access allow icp_allowed
http_access allow SQUIDSPECIAL
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localnet_appproxy
http_access deny !localnet_auth
http_access allow localnet_guest sblYBOveride
http_access deny localnet_guest sblMal
http_access deny localnet_guest sblPorn
http_access allow localnet_guest
http_access allow nonAuthSrc
http_access allow nonAuthDom
http_access allow sblYBOveride FTP
http_access allow sblYBOveride AuthorizedUsers
http_access deny sblMal
http_access deny sblPorn
http_access allow FTP
http_access allow AuthorizedUsers
http_access deny all
http_port 3128
http_port 8080
cache_mem 40960 MB
cache_mgr operations.manager at abc.com
cachemgr_passwd abc all
cache_dir aufs /var/spool/squid 550000 16 256
always_direct allow FTP
always_direct allow DMZSRV
always_direct allow DirectExceptions
never_direct deny notwindowsupdate_url
never_direct allow !DMZSRV windowsupdate_url
ftp_passive off
ftp_epsv_all off
miss_access allow notwindowsupdate_url
miss_access deny !DMZSRV windowsupdate_url
coredump_dir /var/spool/squid
range_offset_limit 800 MB
maximum_object_size 800 MB
quick_abort_min -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_peer gsdmz1.abc.com sibling 3128 4827 proxy-only htcp no-query no-delay
icp_port 0
icp_access allow icp_allowed
icp_access deny all
htcp_port 4827
htcp_access allow icp_allowed
htcp_access deny all
acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
cache deny nonCacheDom
acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
cache deny nonCacheURL
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_resp allow all
ipcache_size 10240
forwarded_for delete
cache_swap_low 90
cache_swap_high 95
log_icp_queries off
icap_preview_enable on
icap_preview_size 1024
httpd_suppress_version_string on
max_filedesc 8192
delay_pools 1
delay_class 1 1
delay_parameters 1 1310720/2621440
acl Delay_Domain dstdomain -i "/etc/squid/lists/delayDom.lst"
delay_access 1 deny DMZSRV
delay_access 1 allow Delay_Domain

"

On 25 January 2016 at 12:09, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 25/01/2016 11:20 a.m., Alex Samad wrote:
>> Hi
>>
>> Seems like I'm getting a bit confused in my conf now, with
>> never_direct, always_direct and miss_access.
>>
>
> never_direct and always_direct determine whether cache_peer are required
> or allowed to be used on that connection respectively. You don't have
> cache_peer so only never_direct will have an effect via preventing any
> server connections from Squid.
>
> miss_access determines whether Squid is allowed to service a MISS
> transaction.
>
> In your setup never_direct and miss_access are roughly the same end
> result. But Squid does a lot more work in the never_direct case.
>
>
>>
>> # ##
>> # acl
>> # ##
>> acl sblMal dstdomain -i "/etc/squid/lists/squid-malicious.acl"
>> acl sblPorn dstdomain -i "/etc/squid/lists/squid-porn.acl"
>> acl localnet src 10.32.80.0/24
>> acl localnet_auth src 10.32.0.0/14
>> acl localnet_auth src 10.172.0.0/16
>> acl localnet_auth src 10.43.200.51/32
>> acl localnet_guest src 10.172.202.0/24
>> acl localnet_appproxy src 10.172.203.30/32
>> acl sblYBOveride dstdomain -i "/etc/squid/lists/yb-nonsquidblacklist.acl"
>> acl nonAuthDom dstdomain -i "/etc/squid/lists/nonAuthDom.lst"
>> acl nonAuthSrc src "/etc/squid/lists/nonAuthServer.lst"
>> acl FTP proto FTP
>> acl DMZSRV src 10.32.20.110
>> acl DMZSRV src 10.32.20.111
>> acl DirectExceptions url_regex -i ^http://(www.|)smh.com.au/business/markets-live/.*
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl CONNECT method CONNECT
>> acl SQUIDSPECIAL urlpath_regex ^/squid-internal-static/
>> acl AuthorizedUsers proxy_auth REQUIRED
>> acl icp_allowed src 10.32.20.110/32
>> acl icp_allowed src 10.32.20.111/32
>> acl icp_allowed src 10.172.203.30/32
>> acl icp_allowed src 10.172.203.34/32
>> acl windowsupdate_url url_regex -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
>> acl windowsupdate_url url_regex -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
>> acl windowsupdate_url url_regex -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]
>> acl notwindowsupdate_url dstdomain ctldl.windowsupdate.com
>> acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
>> acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
>> acl Delay_Domain dstdomain -i "/etc/squid/lists/delayDom.lst"
>>
>>
>>
>> ##http_access
>> ## presume this is processed first
>>
>> # manager access
>> http_access allow manager localhost
>> http_access allow manager icp_allowed
>> http_access deny manager
>>
>> # icp access
>> http_access allow icp_allowed
>>
>> # the squid special url
>> http_access allow SQUIDSPECIAL
>> # block non safe ports
>> http_access deny !Safe_ports
>> # block ssl on non ssl ports
>> http_access deny CONNECT !SSL_ports
>>
>> #http_access deny to_localhost
>>
>> # Who can access
>> # network with no auth
>> http_access allow localnet
>> # local machine
>> http_access allow localhost
>> # other downstreams
>> http_access allow localnet_appproxy
>>
>> # this is my just-in-case ACL: if MS update goes wild again, turn this on
>> #http_access deny !DMZSRV windowsupdate_url
>>
>
> That should be above the "allow localnet" line
> ... and maybe also above "allow icp_allowed" line.
>
>
>> # the catch all for ip address range
>> http_access deny !localnet_auth
>>
>> # special guest network rules (basically non auth)
>> http_access allow localnet_guest sblYBOveride
>> http_access deny localnet_guest sblMal
>> http_access deny localnet_guest sblPorn
>> http_access allow localnet_guest
>>
>> # non guest sources that can access via non auth
>> http_access allow nonAuthSrc
>> # non auth dest domains
>> http_access allow nonAuthDom
>>
>> # over ride some black list sites
>> http_access allow sblYBOveride FTP
>> http_access allow sblYBOveride AuthorizedUsers
>>
>> # squid blacklists
>> http_access deny sblMal
>> http_access deny sblPorn
>>
>> # allow FTP
>> http_access allow FTP
>> # allow Authorised
>> http_access allow AuthorizedUsers
>> # deny every one else
>> http_access deny all
>>
>>
>>
>>
>> # Always direct
>> # if its FTP then go direct
>> always_direct allow FTP
>> # stop the looping, so peer cache requests are always direct
>> always_direct allow DMZSRV
>> # Some URLs still have issues with looping and caching back responses;
>> # this makes them always go direct and never loop
>> always_direct allow DirectExceptions
>>
>> # never Direct
>> # there are some MS urls that should be direct (they are usually not cached)
>> never_direct deny notwindowsupdate_url
>> # block all MS update's except from certain sources from going direct
>> # does this allow a cache peer to start a windows update ???
>> never_direct allow !DMZSRV windowsupdate_url
>>
>>
>> # ### This is my newly added
>> # miss_access
>> # http://www.squid-cache.org/Doc/config/miss_access/
>> # Some MS URLs are needed and can't be cached!
>> miss_access allow notwindowsupdate_url
>> # Deny Access to MS Update only from DMZ boxes
>> miss_access deny !DMZSRV windowsupdate_url
>>
>>
>> # http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>> # 800M for MS SQL patch file
>> # made bigger to handle bigger Patch files !
>> range_offset_limit 800 MB
>> maximum_object_size 800 MB
>> quick_abort_min -1
>>
>>
>> # special refresh patterns that force files to be cached. I have changed it up to 90 days of caching
>> # also added in the [^?] to stop it trying to cache those
>> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
>> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
>> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?] 4320 80% 129600 reload-into-ims
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>>
>> # NON Cache Domain
>> acl nonCacheDom dstdomain -i "/etc/squid/lists/nonCacheDom.lst"
>> cache deny nonCacheDom
>>
>> # NON Cache URL
>> acl nonCacheURL urlpath_regex /x86_64/repodata/repomd.xml$
>> cache deny nonCacheURL
>>
>>
>>
>> So what I have hoped to have done here is
>> 1) stop all except DMZSRV hosts from accessing the Microsoft Update URLs,
>> unless it's cached ...
>> 2) allow DMZSRV hosts to request those files and place them in the cache.
>>
>>
>> I had thought I had done that before, but I noticed this morning a
>> spike as machines were turned on and they started to make requests
>
>
> I do not see any cache_dir lines in your config file. Which means the
> Squid is operating with only its default 256MB memory cache.
>
> Objects bigger than the cache itself (e.g. the 600 MB ones) will not be
> stored. Objects in there will be removed whenever Squid restarts even if
> they can be stored. Raising the limits to 800MB wont help when there is
> only 256MB total space.
>
> Amos
>

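The ordering point Amos raises (that a `deny !DMZSRV windowsupdate_url` placed after `http_access allow localnet` never fires for localnet clients) is easy to check without a running Squid. The script below is an added example, not code from this thread or from Squid: it models only the ACL types the question needs (`src`, `url_regex`, `all`) and Squid's first-match evaluation of `http_access` (terms in a rule AND-ed, `!` negating), then runs constructed client addresses and URLs through the posted order and the suggested order. It also exercises the posted `windowsupdate_url` pattern as a plain regex: the trailing `[^?]` must consume one character after the extension, so a URL that ends in `.cab` does not match it at all. The `EXT_ALTERNATIVE` pattern is an assumed replacement of mine, not something from the thread; Python's `re` is used in place of Squid's POSIX ERE, which gives the same match/no-match answers for these patterns.

```python
"""First-match evaluation of a subset of the posted Squid http_access rules.

Added example, not code from the squid-users thread or from Squid itself.
Only src / url_regex / all ACLs are modelled; the manager, Safe_ports,
CONNECT, guest and auth rules are left out because the constructed
test requests below are plain port-80 GETs decided before that tail.
"""
import ipaddress
import re

# src ACLs transcribed from the posted squid.conf.
SRC_ACLS = {
    "localhost": ["127.0.0.1/32"],
    "localnet": ["10.32.80.0/24"],
    "localnet_appproxy": ["10.172.203.30/32"],
    "DMZSRV": ["10.32.20.110/32", "10.32.20.111/32"],
    "icp_allowed": ["10.32.20.110/32", "10.32.20.111/32",
                    "10.172.203.30/32", "10.172.203.34/32"],
}

# Extension tail exactly as posted: '[^?]' must consume one more character,
# so a URL that ends in '.cab' (no trailing character) never matches.
EXT_AS_POSTED = r"\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)[^?]"
# Assumed alternative (mine, not from the thread): extension at end of URL,
# or followed by anything except '?', so query-string URLs stay excluded.
EXT_ALTERNATIVE = r"\.(cab|exe|msi|msu|msf|[ap]sf|wmv|wma|dat|zip)($|[^?])"

WINUPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com", "windows.com")


def windowsupdate_url(url, ext=EXT_AS_POSTED):
    """The posted url_regex ACL: one pattern per domain, case-insensitive,
    dots left unescaped exactly as in the config."""
    return any(re.search(d + "/.*" + ext, url, re.IGNORECASE)
               for d in WINUPDATE_DOMAINS)


def acl_matches(name, client_ip, url, ext):
    if name == "all":
        return True
    if name == "windowsupdate_url":
        return windowsupdate_url(url, ext)
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in SRC_ACLS[name])


def http_access(rules, client_ip, url, ext=EXT_ALTERNATIVE):
    """Squid semantics: all terms of a rule must match ('!' negates);
    the first matching rule decides."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), client_ip, url, ext) != t.startswith("!")
               for t in terms):
            return action
    return "deny"  # unreachable here: both rule sets end with 'deny all'


# The posted order, with the commented-out deny switched on where it sits.
AS_POSTED = [
    ("allow", ["icp_allowed"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet_appproxy"]),
    ("deny", ["!DMZSRV", "windowsupdate_url"]),
    ("deny", ["all"]),
]
# Amos's suggestion: the deny above 'allow localnet' and 'allow icp_allowed'.
AS_SUGGESTED = [
    ("deny", ["!DMZSRV", "windowsupdate_url"]),
    ("allow", ["icp_allowed"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet_appproxy"]),
    ("deny", ["all"]),
]

# Constructed test data (addresses from the posted ACLs; URL made up).
CAB = "http://download.windowsupdate.com/msdownload/update/x/kb12345-x64.cab"
CAB_QUERY = CAB + "?ver=1"
WORKSTATION, DMZ_HOST, OTHER_PEER = "10.32.80.5", "10.32.20.110", "10.172.203.34"


def demo():
    return {
        # ordering: an unauthenticated localnet client is allowed before the deny
        "posted/workstation": http_access(AS_POSTED, WORKSTATION, CAB),
        "suggested/workstation": http_access(AS_SUGGESTED, WORKSTATION, CAB),
        "suggested/dmz": http_access(AS_SUGGESTED, DMZ_HOST, CAB),
        "suggested/other_peer": http_access(AS_SUGGESTED, OTHER_PEER, CAB),
        # regex: '[^?]' as posted rejects the query URL and the plain one alike
        "posted_re/cab": windowsupdate_url(CAB, EXT_AS_POSTED),
        "posted_re/cab_query": windowsupdate_url(CAB_QUERY, EXT_AS_POSTED),
        "alt_re/cab": windowsupdate_url(CAB, EXT_ALTERNATIVE),
        "alt_re/cab_query": windowsupdate_url(CAB_QUERY, EXT_ALTERNATIVE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Two things fall out of running it. With the deny where the commented line sits, a 10.32.80.0/24 workstation gets `allow` for an update download because `allow localnet` matches first; with the deny moved to the top it gets `deny`, the DMZ hosts still get `allow`, and the sibling peer 10.172.203.34 is also denied, which is the reason Amos hedges about putting it above `allow icp_allowed` as well. Separately, the `[^?]` tail as posted matches neither the plain `.cab` URL nor the `?ver=1` variant, so the `http_access`, `never_direct`, `miss_access` and `refresh_pattern` lines that rely on it would not catch a download that ends in the extension.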
