ACL-by time- not working. Help!

Luis Mario Niedas Hernández
Hello. I need to restrict some sites by time, but I am not doing well.
This is my squid.conf. Please help me fix the problem. I don't know
why it is not working.


### user authentication (basic http) ############################################
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/usuarios_inet
auth_param basic realm Introduzca su usuario para navegar por la WEB.

### where squid listens ###
####################################################

http_port 192.168.1.3:3128
http_port 127.0.0.1:3128

########## ACL ###########################################################################
#
# Recommended minimum configuration:

acl all src all
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
acl manager_proto_cache proto cache_object
acl peticion_identificacion proxy_auth REQUIRED
acl intranet dstdomain intra.xzy

acl ocio dstdomain  .facebook.com .youtube.com

acl ocio_medio_dia time MTWHF 12:00-13:10
acl ocio_tarde time MTWHF 14:00-14:30
acl ocio_mannana time MTWHF 6:00-8:30

http_access allow localnet manager_proto_cache
http_access allow localhost manager_proto_cache
http_access deny manager_proto_cache
http_access allow ocio ocio_tarde
http_access allow ocio ocio_medio_dia
http_access allow ocio ocio_mannana

http_access allow intranet
http_access allow localnet peticion_identificacion

always_direct allow intranet
http_access deny all
never_direct allow all



####### parent cache #################################################

cache_peer proxy_padre parent 3128 0  proxy-only
#cache_peer_domain  proxy_padre !intra.xzy

##### cache manager email ####

cache_mgr lmniedas
cachemgr_passwd tu_password all
#### cache size ####################################

cache_dir aufs /var/spool/squid 20280 16 256

#### thresholds to start cleaning the cache #####################

cache_swap_low 90
cache_swap_high 95

#### maximum size of objects in the cache ####################

maximum_object_size  15 MB

### cache memory ###########################

cache_mem 500 MB

### language of squid's error pages ##########################

error_directory /usr/share/squid/errors/Spanish

##### debug_options amount of information in cache_log #################

debug_options ALL,0 ALL,1 rotate=8760

######### LOGS #######################################

cache_log /var/log/squid/cache.log
access_log stdio:/var/log/squid/access.log  rotate=8760
cache_store_log stdio:/var/log/squid/store.log

##################

# AFFECTS THE AMOUNT SPECIFICALLY FOR STORE.LOG

logfile_rotate 8760

#### 365 days * 24 hours is the number of log rotations in the crontab


--
"The future has many names. For the weak it is the unattainable.
For the fearful, the unknown. For the brave it is
opportunity"
Victor Hugo
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: ACL-by time- not working. Help!

Amos Jeffries
On 28/08/20 3:40 am, Luis Mario Niedas Hernández wrote:
> Hello. I need to restrict some sites by time, but I am not doing well.
> This is my squid.conf. Please help me fix the problem. I don't know
> why it is not working.
>

It is not clear what your problem actually is.

An educated guess tells me that you have missed two important details:

 1) your http_access lines are just a long list of allow, allow, allow.
Squid has no reason to deny.

To resolve this you need to write out your policies in the form of
denials, allowing only the good traffic that remains.

For best performance sort the lines by ACL checking speed and how much
traffic they can drop. The faster it can identify and deny bad traffic
the more speed can go towards the good traffic.


 2) those FB and YT websites use HTTPS and http_access controls only
apply when an HTTPS connection is established. The TLS connection itself
may remain open and continue to be used indefinitely.

You can use the client_lifetime directive to shorten the time CONNECT
tunnels are allowed to remain in use. For your specific case I would set
it to something like 5 minutes. Browsers can auto-recover so this length
should not be visible to clients, but you will want to test that to
confirm what is good for your needs.


There are several other things about your config file that indicate
extremely outdated practices or Squid version. Below is a free audit
report of things that need fixing.


If you are running a Squid older than 3.5 please update ASAP. Then apply
the changes below.

If you are running a Squid v3.5 or newer then you can fix these issues
now with just a check to confirm the change is okay.


>
> ### user authentication (basic http) ############################################
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/usuarios_inet
> auth_param basic realm Introduzca su usuario para navegar por la WEB.
>
> ### where squid listens ###
> ####################################################
>
> http_port 192.168.1.3:3128
> http_port 127.0.0.1:3128

Are there other IPs assigned to the machine Squid is running on which
you definitely don't want offering proxy service?

If no, then you can replace both those with this line:
  http_port 3128

If yes, then you should replace just the second one with:
  http_port localhost:3128


>
> ########## ACL ###########################################################################
> #
> # Recommended minimum configuration:
>

You are missing the very critical port safety checks. These are to
prevent your proxy being DoS'ed or used as an attack vector against
other software in your LAN.

At worst, you may need to "open" some specific ports by adding them to
the Safe_ports and/or SSL_ports ACL definitions. But generally this is
not necessary, and should only be done after investigating carefully
what that port is used for, including things *other* than the reason you
are asked to open it.


> acl all src all

Since Squid-3.1 the "all" ACL has been built into Squid. You can remove
this line, it does nothing.


> acl localhost src 127.0.0.1/32

On all modern machines localhost includes the ::1/128 address, even when
the machine has IPv4-only connectivity to the network. Localhost is about
connections within the machine itself, and IPv4-only OSes no longer exist.


> acl localnet src 192.168.1.0/24

No LAN IPv6 ranges? That is something everyone should have been planning
for a decade ago.


> acl manager_proto_cache proto cache_object

Since Squid-3.2 the "manager" ACL has been built into Squid. There are
feature changes to the management URLs that need to be controlled by it
and the built-in definition handles those.

Please remove the above ACL line and convert anything that used it to
use the ACL named "manager" instead.


> acl peticion_identificacion proxy_auth REQUIRED
> acl intranet dstdomain intra.xzy
>
> acl ocio dstdomain  .facebook.com .youtube.com
>
> acl ocio_medio_dia time MTWHF 12:00-13:10
> acl ocio_tarde time MTWHF 14:00-14:30
> acl ocio_mannana time MTWHF 6:00-8:30
>
> http_access allow localnet manager_proto_cache
> http_access allow localhost manager_proto_cache
> http_access deny manager_proto_cache

> http_access allow ocio ocio_tarde
> http_access allow ocio ocio_medio_dia
> http_access allow ocio ocio_mannana

Do you really want your proxy to be allowing anyone anywhere in the
world to access those websites through your proxy?

I think these "ocio" lines should look like:

  http_access deny ocio !ocio_tarde !ocio_medio_dia !ocio_mannana

Or, you can combine the time periods into one ACL check for better speed
and understanding:

  acl ocio_tempo time MTWHF 12:00-13:10
  acl ocio_tempo time MTWHF 14:00-14:30
  acl ocio_tempo time MTWHF 6:00-8:30

  http_access deny ocio !ocio_tempo


>
> http_access allow intranet

I am guessing here. But I think this means you do not want to require
login to access the intranet website.


> http_access allow localnet peticion_identificacion

For more reliable authentication this should be:

  http_access deny !peticion_identificacion
  http_access allow localnet

Or, assuming the above about intranet:

  http_access deny !intranet !peticion_identificacion
  http_access allow localnet

>
> always_direct allow intranet
> http_access deny all
> never_direct allow all
>

In summary, I think this access control section should look like the
below lines:

  acl SSL_ports port 443

  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http

  acl localhost src 127.0.0.1/32 ::1/128
  acl localnet src 192.168.1.0/24

  acl peticion_identificacion proxy_auth REQUIRED
  acl intranet dstdomain intra.xzy

  acl ocio dstdomain  .facebook.com .youtube.com

  acl ocio_tempo time MTWHF 12:00-13:10
  acl ocio_tempo time MTWHF 14:00-14:30
  acl ocio_tempo time MTWHF 6:00-8:30

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access deny manager !localnet !localhost

  # Prevent ocio domains outside permitted times
  http_access deny ocio !ocio_tempo

  # Login required unless visiting intranet site(s)
  http_access deny !intranet !peticion_identificacion

  http_access allow localnet

  http_access deny all

  always_direct allow intranet
  never_direct allow all


>
>
> ####### parent cache #################################################
>
> cache_peer proxy_padre parent 3128 0  proxy-only
> #cache_peer_domain  proxy_padre !intra.xzy


NP: if you want to restore that !intra.xzy behaviour with modern Squid
use this:

 cache_peer_access proxy_padre allow !intranet


>
> ##### cache manager email ####
>
> cache_mgr lmniedas

This should be an admin contact email. The documentation is not very
clear, sorry about that. It will receive reports about proxy crashes (if
the feature is built) and is displayed on error pages as the address to
contact about problems using the proxy.

For example:

 cache_mgr [hidden email]

or the prettier version:

 cache_mgr Luis Mario Niedas Hernández <[hidden email]>


> cachemgr_passwd ***

I hope that was not your actual password. If it was you now need to
change it.


> #### cache size ####################################
>
> cache_dir aufs /var/spool/squid 20280 16 256
>
> #### thresholds to start cleaning the cache #####################
>
> cache_swap_low 90
> cache_swap_high 95
>
> #### maximum size of objects in the cache ####################
>
> maximum_object_size  15 MB
>
> ### cache memory ###########################
>
> cache_mem 500 MB
>
> ### language of squid's error pages ##########################
>
> error_directory /usr/share/squid/errors/Spanish

Since Squid-3.2 error pages can automatically be delivered in a language
the person receiving it can read.

To allow that to happen, but with Spanish as the default, use this
directive instead of error_directory:

 error_default_language es


FYI, you can also apply branding to the pages displayed by editing
/etc/squid/errorpages.css


>
> ##### debug_options amount of information in cache_log #################
>
> debug_options ALL,0 ALL,1 rotate=8760

This directive applies the options configured left-to-right.

The "ALL" setting resets *ALL* debug sections to the level given.

That means you should only use debug section "ALL" once in the whole of
squid.conf and it should be done before any other N,N pairs.

Your config actually means this:

  debug_options ALL,1 rotate=8760


>
> ######### LOGS #######################################
>
> cache_log /var/log/squid/cache.log
> access_log stdio:/var/log/squid/access.log  rotate=8760
> cache_store_log stdio:/var/log/squid/store.log

Is there any reason you need this log?
It typically is only useful for debugging and this line could be removed
to speed up your proxy and save disk space.


>
> ##################
>
> # AFFECTS THE AMOUNT SPECIFICALLY FOR STORE.LOG
>
> logfile_rotate 8760
>
> #### 365 days * 24 hours is the number of log rotations in the crontab

Does that mean you are running logrotate every hour of every day?

Perhaps there is some better way to do log handling?

Begin with deciding whether you need store.log at all. If that is not
enough and you want assistance with ideas about further improvements,
please tell us why this proxy is rotating so often.


HTH
Amos
Re: ACL-by time- not working. Help!

Luis Mario Niedas Hernández
On Fri, 28 Aug 2020 at 00:03, Amos Jeffries
([hidden email]) wrote:
>
> On 28/08/20 3:40 am, Luis Mario Niedas Hernández wrote:
> > Hello. I need to restrict some sites by time, but I am not doing well.
> > This is my squid.conf. Please help me fix the problem. I don't know
> > why it is not working.
> >
>
> It is not clear what your problem actually is.

Well, my problem is that I had to block Facebook and YouTube but I
did not know how to do it. Your correction works fine. Thanks for
explaining some stuff to me. I appreciate that.

>
> An educated guess tells me that you have missed two important details:
>
>  1) your http_access lines are just a long list of allow, allow, allow.
> Squid has no reason to deny.

jajajaja Honestly, I don't understand how Squid works. I mean, I don't
know what logic to follow with the acl directives and
http_access allow | deny. I am learning about it. If you can recommend
me a book or a place to look for learning how to build
my rules in Squid adequately, I need it. I don't want to copy and paste
ACLs from some place and put them in my config; I really want to know how
I have to think. LEARN

>
> To resolve this you need to write out your policies in the form of
> denials, allowing only the good traffic that remains.
>
I guess that when we put this:

http_access deny all

we are telling Squid that everything that does not have an http_access allow
is blocked. So, why do I have to put http_access deny
!peticion_identificacion instead of http_access allow
peticion_identificacion?


> For best performance sort the lines by ACL checking speed and how much
> traffic they can drop. The faster it can identify and deny bad traffic
> the more speed can go towards the good traffic.
>
>  2) those FB and YT websites use HTTPS and http_access controls only
> apply when an HTTPS connection is established. The TLS connection itself
> may remain open and continue to be used indefinitely.
>
> You can use the client_lifetime directive to shorten the time CONNECT
> tunnels are allowed to remain in use. For your specific case I would set
> it to something like 5 minutes. Browsers can auto-recover so this length
> should not be visible to clients, but you will want to test that to
> confirm what is good for your needs.
>
>
> There are several other things about your config file that indicate
> extremely outdated practices or Squid version. Below is a free audit
> report of things that need fixing.
>
>
> If you are running a Squid older than 3.5 please update ASAP. Then apply
> the changes below.

I am running squid 4.6.

>
> If you are running a Squid v3.5 or newer then you can fix these issues
> now with just a check to confirm the change is okay.
>
>
> >
> > ### user authentication (basic http) ############################################
> > auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/usuarios_inet
> > auth_param basic realm Introduzca su usuario para navegar por la WEB.
> >
> > ### where squid listens ###
> > ####################################################
> >
> > http_port 192.168.1.3:3128
> > http_port 127.0.0.1:3128
>
> Are there other IPs assigned to the machine Squid is running on which
> you definitely don't want offering proxy service?

Yes, my machine has two different interfaces with different ranges
and I want to offer the Squid service only on one. ;-)

>
> If no, then you can replace both those with this line:
>   http_port 3128
>
> If yes, then you should replace just the second one with:
>   http_port localhost:3128
>
>
> >
> > ########## ACL ###########################################################################
> > #
> > # Recommended minimum configuration:
> >
>
> You are missing the very critical port safety checks. These are to
> prevent your proxy being DoS'ed or used as an attack vector against
> other software in your LAN.
>
> At worst, you may need to "open" some specific ports by adding them to
> the Safe_ports and/or SSL_ports ACL definitions. But generally this is
> not necessary, and should only be done after investigating carefully
> what that port is used for, including things *other* than the reason you
> are asked to open it.
>
>
> > acl all src all
>
> Since Squid-3.1 the "all" ACL has been built into Squid. You can remove
> this line, it does nothing.
>
>
> > acl localhost src 127.0.0.1/32
>
> On all modern machines localhost includes the ::1/128 address, even when
> the machine has IPv4-only connectivity to the network. Localhost is about
> connections within the machine itself, and IPv4-only OSes no longer exist.
>
>
> > acl localnet src 192.168.1.0/24
>
> No LAN IPv6 ranges? That is something everyone should have been planning
> for a decade ago.

I don't need IPv6. It is a small office.

>
>
> > acl manager_proto_cache proto cache_object
>
> Since Squid-3.2 the "manager" ACL has been built into Squid. There are
> feature changes to the management URLs that need to be controlled by it
> and the built-in definition handles those.
>
> Please remove the above ACL line and convert anything that used it to
> use the ACL named "manager" instead.
>
>
> > acl peticion_identificacion proxy_auth REQUIRED
> > acl intranet dstdomain intra.xzy
> >
> > acl ocio dstdomain  .facebook.com .youtube.com
> >
> > acl ocio_medio_dia time MTWHF 12:00-13:10
> > acl ocio_tarde time MTWHF 14:00-14:30
> > acl ocio_mannana time MTWHF 6:00-8:30
> >
> > http_access allow localnet manager_proto_cache
> > http_access allow localhost manager_proto_cache
> > http_access deny manager_proto_cache
>
> > http_access allow ocio ocio_tarde
> > http_access allow ocio ocio_medio_dia
> > http_access allow ocio ocio_mannana
>
> Do you really want your proxy to be allowing anyone anywhere in the
> world to access those websites through your proxy?
>
> I think these "ocio" lines should look like:
>
>   http_access deny ocio !ocio_tarde !ocio_medio_dia !ocio_mannana
>
> Or, you can combine the time periods into one ACL check for better speed
> and understanding:
>
>   acl ocio_tempo time MTWHF 12:00-13:10
>   acl ocio_tempo time MTWHF 14:00-14:30
>   acl ocio_tempo time MTWHF 6:00-8:30
>
>   http_access deny ocio !ocio_tempo

Thanks for this recommendation. I did not know how to do it properly.

>
> >
> > http_access allow intranet
>
> I am guessing here. But I think this means you do not want to require
> login to access the intranet website.

jajaja No, here I wanted to say: Squid, you should allow the connection
to the intranet, but with authentication. I thought that we only had to
request authentication one time and Squid would know that every
HTTP request made by the same user will be checked against the rest
of the ACLs. :-( I am configuring my Squid blind, I mean, I read and test
what happens, but it is a little hard. That is the reason I wrote
to the squid-users list.

>
>
> > http_access allow localnet peticion_identificacion
>
> For more reliable authentication this should be:
>
>   http_access deny !peticion_identificacion
>   http_access allow localnet
>
> Or, assuming the above about intranet:
>
>   http_access deny !intranet !peticion_identificacion
>   http_access allow localnet
>
> >
> > always_direct allow intranet
> > http_access deny all
> > never_direct allow all
> >
>
> In summary, I think this access control section should look like the
> below lines:
>
>   acl SSL_ports port 443
>
>   acl Safe_ports port 80                # http
>   acl Safe_ports port 21                # ftp
>   acl Safe_ports port 443               # https
>   acl Safe_ports port 70                # gopher
>   acl Safe_ports port 210               # wais
>   acl Safe_ports port 1025-65535        # unregistered ports
>   acl Safe_ports port 280               # http-mgmt
>   acl Safe_ports port 488               # gss-http
>   acl Safe_ports port 591               # filemaker
>   acl Safe_ports port 777               # multiling http
>
>   acl localhost src 127.0.0.1/32 ::1/128
>   acl localnet src 192.168.1.0/24
>
>   acl peticion_identificacion proxy_auth REQUIRED
>   acl intranet dstdomain intra.xzy
>
>   acl ocio dstdomain  .facebook.com .youtube.com
>
>   acl ocio_tempo time MTWHF 12:00-13:10
>   acl ocio_tempo time MTWHF 14:00-14:30
>   acl ocio_tempo time MTWHF 6:00-8:30
>
>   http_access deny !Safe_ports
>   http_access deny CONNECT !SSL_ports
>   http_access deny manager !localnet !localhost
>
>   # Prevent ocio domains outside permitted times
>   http_access deny ocio !ocio_tempo
>
>   # Login required unless visiting intranet site(s)
>   http_access deny !intranet !peticion_identificacion
>
>   http_access allow localnet
>
>   http_access deny all
>
>   always_direct allow intranet
>   never_direct allow all
>
>
> >
> >
> > ####### parent cache #################################################
> >
> > cache_peer proxy_padre parent 3128 0  proxy-only
> > #cache_peer_domain  proxy_padre !intra.xzy
>
>
> NP: if you want to restore that !intra.xyz behaviour with modern Squid
> use this:
>
>  cache_peer_access proxy_padre allow !intranet
>
>
> >
> > ##### cache manager email ####
> >
> > cache_mgr lmniedas
>
> This should be an admin contact email. The documentation is not very
> clear, sorry about that. It will receive reports about proxy crashes (if
> the feature is built) and is displayed on error pages as the address to
> contact about problems using the proxy.
>
> For example:
>
>  cache_mgr [hidden email]
>
> or the prettier version:
>
>  cache_mgr Luis Mario Niedas Hernández <[hidden email]>
>
>
> > cachemgr_passwd ***
>
> I hope that was not your actual password. If it was you now need to
> change it.
>

jajajaja I changed the information, just so as not to compromise my security,
or at least not to show all the real information about my
network. ;-)

>
> > #### cache size ####################################
> >
> > cache_dir aufs /var/spool/squid 20280 16 256
> >
> > #### thresholds to start cleaning the cache #####################
> >
> > cache_swap_low 90
> > cache_swap_high 95
> >
> > #### maximum size of objects in the cache ####################
> >
> > maximum_object_size  15 MB
> >
> > ### cache memory ###########################
> >
> > cache_mem 500 MB
> >
> > ### language of squid's error pages ##########################
> >
> > error_directory /usr/share/squid/errors/Spanish
>
> Since Squid-3.2 error pages can automatically be delivered in a language
> the person receiving it can read.
>
> To allow that to happen, but with Spanish as the default use this
> directive instead of error_directory:
>
>  error_default_language es
>

I didn't know this. Thanks again.

> FYI, you can also apply branding to the pages displayed by editing
> /etc/squid/errorpages.css
>
>
> >
> > ##### debug_options amount of information in cache_log #################
> >
> > debug_options ALL,0 ALL,1 rotate=8760
>
> This directive applies the options configured left-to-right.
>
> The "ALL" setting resets *ALL* debug sections to the level given.
>
> That means you should only use debug section "ALL" once in the whole of
> squid.conf and it should be done before any other N,N pairs.
>
> Your config actually means this:
>
>   debug_options ALL,1 rotate=8760
>
>
> >
> > ######### LOGS #######################################
> >
> > cache_log /var/log/squid/cache.log
> > access_log stdio:/var/log/squid/access.log  rotate=8760
> > cache_store_log stdio:/var/log/squid/store.log
>
> Is there any reason you need this log?
> It typically is only useful for debugging and this line could be removed
> to speed up your proxy and save disk space.

My boss told me that I must save all my logs, just to check later
what the people are doing and where they are surfing on the internet.

>
> >
> > ##################
> >
> > # AFFECTS THE AMOUNT SPECIFICALLY FOR STORE.LOG
> >
> > logfile_rotate 8760
> >
> > #### 365 days * 24 hours is the number of log rotations in the crontab
>
> Does that mean you are running logrotate every hour of every day?
>
Yes, I am rotating all of Squid's logs every hour. Honestly, because
I thought that it is the easiest way to make analytics work. What
can you recommend me?

> Perhaps there is some better way to do log handling?
>
> Begin with deciding whether you need store.log at all. If that is not
> enough and you want assistance with ideas about further improvements,
> please tell us why this proxy is rotating so often.
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users



Re: ACL-by time- not working. Help!

Amos Jeffries
On 29/08/20 3:50 am, Luis Mario Niedas Hernández wrote:

> On Fri, 28 Aug 2020 at 00:03, Amos Jeffries
> ([hidden email]) wrote:
>>
>> On 28/08/20 3:40 am, Luis Mario Niedas Hernández wrote:
>>> Hello. I need to restrict some sites by time, but I am not doing well.
>>> This is my squid.conf. Please help me fix the problem. I don't know
>>> why it is not working.
>>>
>>
>> It is not clear what your problem actually is.
>
> Well, my problem is that I had to block Facebook and YouTube but I
> did not know how to do it. Your correction works fine. Thanks for
> explaining some stuff to me. I appreciate that.
>
>>
>> An educated guess tells me that you have missed two important details:
>>
>>  1) your http_access lines are just a long list of allow, allow, allow.
>> Squid has no reason to deny.
>
> jajajaja Honestly, I don't understand how Squid works. I mean, I don't
> know what logic to follow with the acl directives and
> http_access allow | deny. I am learning about it. If you can recommend
> me a book or a place to look for learning how to build
> my rules in Squid adequately, I need it. I don't want to copy and paste
> ACLs from some place and put them in my config; I really want to know how
> I have to think. LEARN
>

Certainly. The details of access controls are all documented at
<http://wiki.squid-cache.org/SquidFaq/SquidAcl>

or if you prefer a physical book the "Squid 3.1: Beginners Guide" is
still a good learning resource to begin with. What it lacks is mostly
detail on new features.


>>
>> To resolve this you need to write out your policies in the form of
>> denials, allowing only the good traffic that remains.
>>
> I guess that when we put this:
>
> http_access deny all
>
> we are telling Squid that everything that does not have an http_access allow
> is blocked. So, why do I have to put http_access deny
> !peticion_identificacion instead of http_access allow
> peticion_identificacion?


ACLs actually have three states: YES, NO, UNKNOWN. Authentication is one
ACL type where the third state is important.

"allow peticion_identificacion" lets all the traffic which is YES through.
Meaning it will try to get credentials, but if they do not validate as
correct, Squid skips on to checking the next access control line.


"deny !peticion_identificacion" blocks all the traffic which is not-YES.

Meaning Squid will block clients who cannot login with valid credentials.


>
>
>> For best performance sort the lines by ACL checking speed and how much
>> traffic they can drop. The faster it can identify and deny bad traffic
>> the more speed can go towards the good traffic.
>>
>>  2) those FB and YT websites use HTTPS and http_access controls only
>> apply when an HTTPS connection is established. The TLS connection itself
>> may remain open and continue to be used indefinitely.
>>
>> You can use the client_lifetime directive to shorten the time CONNECT
>> tunnels are allowed to remain in use. For your specific case I would set
>> it to something like 5 minutes. Browsers can auto-recover so this length
>> should not be visible to clients, but you will want to test that to
>> confirm what is good for your needs.
>>
>>
>> There are several other things about your config file that indicate
>> extremely outdated practices or Squid version. Below is a free audit
>> report of things that need fixing.
>>
>>
>> If you are running a Squid older than 3.5 please update ASAP. Then apply
>> the changes below.
>
> I am running squid 4.6.
>

Okay. The changes should all work, but please plan to upgrade ASAP.
There have been quite a few critical security vulnerabilities fixed this
past year.


>>>
>>> ######### LOGS #######################################
>>>
>>> cache_log /var/log/squid/cache.log
>>> access_log stdio:/var/log/squid/access.log  rotate=8760
>>> cache_store_log stdio:/var/log/squid/store.log
>>
>> Is there any reason you need this log?
>> It typically is only useful for debugging and this line could be removed
>> to speed up your proxy and save disk space.
>
> My boss told me that I must save  all my logs, just to check later
> what the people are doing and where they are surfing on the internet.
>

Okay. For that you need the access.log. Not the store.log or cache.log.


>>
>>>
>>> ##################
>>>
>>> # AFFECTS THE AMOUNT SPECIFICALLY FOR STORE.LOG
>>>
>>> logfile_rotate 8760
>>>
>>> #### 365 days * 24 hours is the number of log rotations in the crontab
>>
>> Does that mean you are running logrotate every hour of every day?
>>
> Yes, I am rotating all of Squid's logs every hour. Honestly, because
> I thought that it is the easiest way to make analytics work. What
> can you recommend me?

Okay. I would double check that assumption.

Modern Squid has logging modules for different outputs. Depending
on what analytics system you are using, it may not need the rotation at
all, or it may take input directly by some means other than the disk file.

Some analytics use "tail" or similar to watch the end of the access.log
and update the reports shortly after a transaction is logged. Less
rotating works better for them.

Some tools can take input from syslog. Squid has a log module to write
access.log records to syslog for those.

Then there is the daemon module. A fairly simple helper can deliver the
log lines to anywhere, for example to any unusual API the analytics system has.

My CDN analytics dashboard and billing work off an SQL database. So I
co-wrote the helper to drop logs into a database and customers can see
their usage real-time.

Just something to think about when you have time.


HTH
Amos
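The deny-first "ocio" rewrite from the first reply and the three-state auth behaviour explained above can both be checked by simulating how http_access lines are evaluated. The model below is an added illustration, not Squid's code and not from the thread; the Request type, the constructed sample requests and the trimmed copies of Luis's original rules and Amos's rewrite are assumptions, and only the src, dstdomain, time and proxy_auth ACL types are modelled.

```python
"""Toy model of Squid http_access evaluation (added illustration, not Squid's own code).
Same-name acl lines are OR-ed; an http_access line needs ALL its terms; first match decides."""
from collections import namedtuple
from datetime import datetime
import ipaddress

YES, NO, UNKNOWN = "YES", "NO", "UNKNOWN"            # the three ACL states Amos describes
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # Squid day letter -> weekday()
Request = namedtuple("Request", "src host when auth", defaults=[UNKNOWN])  # auth: proxy_auth state

def match_time(spec, when):
    """True if `when` is inside a Squid time spec such as "MTWHF 12:00-13:10"."""
    days, _, span = spec.partition(" ")
    if when.weekday() not in {DAY_CODES[d] for d in days}:
        return False
    start, end = (tuple(map(int, t.split(":"))) for t in span.split("-"))
    return start <= (when.hour, when.minute) <= end

def acl_state(acls, name, req):
    """Evaluate one ACL against a request; returns YES, NO or UNKNOWN."""
    if name == "all":                                  # built-in ACL since Squid-3.1
        return YES
    kind, values = acls[name]
    if kind == "proxy_auth":                           # the only three-state ACL modelled
        return req.auth
    if kind == "src":
        hit = any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v) for v in values)
    elif kind == "dstdomain":                          # a leading dot also matches subdomains
        hit = any(req.host == v.lstrip(".") or v[0] == "." and req.host.endswith(v) for v in values)
    elif kind == "time":
        hit = any(match_time(v, req.when) for v in values)
    else:
        hit = False                                    # other ACL types are not modelled here
    return YES if hit else NO

def term_matches(acls, term, req):
    """A plain term needs YES; a negated "!acl" term matches anything that is not YES."""
    state = acl_state(acls, term.lstrip("!"), req)
    return state != YES if term.startswith("!") else state == YES

def http_access(conf, req):
    """First http_access line whose terms all match decides; else the opposite of the last."""
    acls, lines = parse(conf)
    for action, terms in lines:
        if all(term_matches(acls, t, req) for t in terms):
            return action
    return "deny" if lines[-1][0] == "allow" else "allow"

def parse(conf):
    """Collect acl definitions (values merged by name) and http_access lines, in order."""
    acls, lines = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#")[0].split()
        if parts and parts[0] == "acl":
            name, kind, *values = parts[1:]
            values = [" ".join(values)] if kind == "time" else values  # keep "MTWHF 12:00-13:10" whole
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts and parts[0] == "http_access":
            lines.append((parts[1], parts[2:]))
    return acls, lines

# Luis's original rules, trimmed to the lines that matter, versus Amos's deny-first rewrite.
ORIGINAL = """acl localnet src 192.168.1.0/24
acl peticion_identificacion proxy_auth REQUIRED
acl intranet dstdomain intra.xzy
acl ocio dstdomain .facebook.com .youtube.com
acl ocio_medio_dia time MTWHF 12:00-13:10
acl ocio_tarde time MTWHF 14:00-14:30
http_access allow ocio ocio_tarde
http_access allow ocio ocio_medio_dia
http_access allow intranet
http_access allow localnet peticion_identificacion
http_access deny all
"""
FIXED = """acl localnet src 192.168.1.0/24
acl peticion_identificacion proxy_auth REQUIRED
acl intranet dstdomain intra.xzy
acl ocio dstdomain .facebook.com .youtube.com
acl ocio_tempo time MTWHF 12:00-13:10
acl ocio_tempo time MTWHF 14:00-14:30
http_access deny ocio !ocio_tempo
http_access deny !intranet !peticion_identificacion
http_access allow localnet
http_access deny all
"""
FRI = lambda h, m: datetime(2020, 8, 28, h, m)      # the thread's date, a Friday (constructed cases)
CASES = {
    "outsider, no login, facebook 14:10": Request("203.0.113.5", "www.facebook.com", FRI(14, 10)),
    "LAN, logged in, youtube 10:00": Request("192.168.1.20", "www.youtube.com", FRI(10, 0), YES),
    "LAN, logged in, youtube 12:30": Request("192.168.1.20", "www.youtube.com", FRI(12, 30), YES),
    "LAN, no login, intranet": Request("192.168.1.20", "intra.xzy", FRI(9, 0)),
}

def compare():
    """Decision of both configs for every sample case: {label: (original, fixed)}."""
    return {k: (http_access(ORIGINAL, r), http_access(FIXED, r)) for k, r in CASES.items()}
```

Running compare() shows the two defects the replies point at: the original rule set lets an unauthenticated outsider reach Facebook during the break window and lets a logged-in LAN user reach YouTube at 10:00, while the deny-first rewrite blocks both and still allows the break-time and intranet requests.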