Re: [squid-users] ACLs + Some Questions

From: Henrik Nordstrom <[email protected]>
Date: Wed, 14 Apr 2004 09:37:50 +0200 (CEST)

On Tue, 13 Apr 2004, Santiago Montalvan wrote:

> I am running Squid 2.5 STABLE3 on a RedHat 7.3 machine w/ a 400Mhz AMD K6-2,
> 128MB of RAM, and a 15.7GB HD. That said I believe I can move on and
> address some of the questions I have.
>
> 1) I would like to change the error messages to show the actual time and not
> the GMT time but I cannot find how to do this.

See http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.25 and
http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#custom-err-msgs referenced
from there..

> So now I have decided I want to use the rules above but I don't want to
> cache, do I need to add the following entries?
> No_cache deny urls
> No_cache deny ips
> If the above is correct where do I add those two entries?

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.20
or http://www.squid-cache.org/Doc/FAQ/FAQ-7.html#ss7.8 if you want
detailed control of what gets cached.

> And then I would do:
>
> Http_access allow pc1 urls
> Http_access allow pc1 ips
> Http_access allow pc2 urls
> Http_access allow pc2 ips

Looks reasonable, but you could join pc1 & pc2 into a single acl as they
have the same level of access, thereby reducing the number of http_access
rules you need.

> 4) So now that I have the rules for pc1 and pc2 for urls and ips I want to
> make sure I can use rules porn and porn1 for all computers. So now I am not
> sure what the order of all this is supposed to be and also if my little
> 400Mhz w/ 128MB of RAM can handle all requests from about 80 clients (again
> I don't wanna cache anything).

The basic rule is that you need to deny before you allow the same request.
Squid looks for the first matching http_access rule to determine if the
request is to be allowed or denied.

So to deremine if a specific request is to be allowed or denied, just look
at your http_access rules top-down starting with the first. As soon as you
find a rule which matches the request (all acl elements are true) you know
if it is allowed or denied.

>
> http_access allow pc1 pc2 urls
> http_access allow pc1 pc2 ips

These should go below the Safe_ports thing... and as said above you could
join pc1 & pc2 into a single acl.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Where is the Safe_ports thing? Should be here..

> http_access allow localhost
> no_cache deny urls
> no_cache deny ips

Try not to mix http_access and no_cache directives, this makes it harder
to read the rules of each class.

> http_access deny pc1
> http_access deny pc2

possible to join as above reference to pc1 & pc2..
> http_access allow al

You reall should have more detailed control than this on what you allow.
At a minimum

acl my_clients src your.internal.lan/mask
http_access allow my_clients
http_access deny all

Regards
Henrik
Received on Wed Apr 14 2004 - 01:37:56 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:02 MDT