reply_body_max_size question

Danny-2
Hi,

Just want someone to confirm my current reply_body_max_size setup. I have a
simple network at home, i.e. Debian with a wireless card (wlan0) which is bridged
(br0) to an ethernet card (eth0). All devices come through the wireless card
(wlan0) and then off to the router.

I want "localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4" to have unlimited download capability but
"localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp" must be limited to a
5MB download limit.

Here is my configuration:
######################################################################################################################################
acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
acl localnet_sniper src 10.0.0.3        #(eth0)
acl localnet_bridge src 10.0.0.4        #(br0)
acl localnet_fever src 10.0.0.5         #(wlan0)
acl localnet_44081 src 10.0.0.11        #(RaspberryPi3)
acl localnet_dannyS4 src 10.0.0.54
acl localnet_vS5mini src 10.0.0.55
acl localnet_shotgun src 10.0.0.56
acl localnet_anTab2 src 10.0.0.71
acl localnet_vTab3 src 10.0.0.73
acl localnet_samsungTV src 10.0.0.80
acl localnet_samsungDVD src 10.0.0.81
acl localnet_dhcp src 10.0.0.201
acl localnet_dhcp src 10.0.0.202
acl localnet_dhcp src 10.0.0.203
acl localnet_dhcp src 10.0.0.204

http_access allow password
http_access allow localhost
http_access allow localnet
http_access allow localnet_sniper
http_access allow localnet_bridge
http_access allow localnet_fever
http_access allow localnet_44081
http_access allow localnet_dannyS4
http_access allow localnet_vS5mini
http_access allow localnet_anTab2
http_access allow localnet_vTab3
http_access allow localnet_samsungTV
http_access allow localnet_samsungDVD
http_access allow localnet_dhcp

reply_body_max_size 9999999999 MB localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4
reply_body_max_size 5 MB localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp

url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#######################################################################################################################################

Any help will be greatly appreciated.

Thank you

Danny
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: reply_body_max_size question

Amos Jeffries
Administrator
On 12/03/2017 8:11 p.m., Danny wrote:

> Hi,
>
> Just want someone to confirm my current reply_body_max_size setup. I have a
> simple network at home, i.e. Debian with a wireless card (wlan0) which is bridged
> (br0) to an ethernet card (eth0). All devices come through the wireless card
> (wlan0) and then off to the router.
>
> I want "localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4" to have unlimited download capability but
> "localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp" must be limited to a
> 5MB download limit.
>
> Here is my configuration:
> ######################################################################################################################################
> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
> acl localnet_sniper src 10.0.0.3        #(eth0)
> acl localnet_bridge src 10.0.0.4        #(br0)
> acl localnet_fever src 10.0.0.5         #(wlan0)
> acl localnet_44081 src 10.0.0.11        #(RaspberryPi3)
> acl localnet_dannyS4 src 10.0.0.54
> acl localnet_vS5mini src 10.0.0.55
> acl localnet_shotgun src 10.0.0.56
> acl localnet_anTab2 src 10.0.0.71
> acl localnet_vTab3 src 10.0.0.73
> acl localnet_samsungTV src 10.0.0.80
> acl localnet_samsungDVD src 10.0.0.81
> acl localnet_dhcp src 10.0.0.201
> acl localnet_dhcp src 10.0.0.202
> acl localnet_dhcp src 10.0.0.203
> acl localnet_dhcp src 10.0.0.204
>
> http_access allow password
> http_access allow localhost
> http_access allow localnet

The localnet ACL above matches and allows all requests from any IP in
the 10.*/24 to use the proxy.

So none of the below individual IP checks will ever be reached. They are
pointless anyway since they do the same as the more generic "allow
localnet".


> http_access allow localnet_sniper
> http_access allow localnet_bridge
> http_access allow localnet_fever
> http_access allow localnet_44081
> http_access allow localnet_dannyS4
> http_access allow localnet_vS5mini
> http_access allow localnet_anTab2
> http_access allow localnet_vTab3
> http_access allow localnet_samsungTV
> http_access allow localnet_samsungDVD
> http_access allow localnet_dhcp


The default security protections for Safe_ports, SSL_ports, CONNECT,
manager access, and final "deny all" are missing.

I hope you have just omitted them from this mail, not removed them from
your config.

>
> reply_body_max_size 9 999 999 999 MB localnet_sniper localnet_bridge localnet_fever localnet_44081 localnet_dannyS4

Squid understands the magic word "none" to mean no limit. The above is
setting a large, but not impossible limit of ~9.3 PB.


> reply_body_max_size 5 MB localnet_vS5mini localnet_anTab2 localnet_vTab3 localnet_samsungTV localnet_samsungDVD localnet_dhcp
>

The ACLs on both these lines are defining an impossible situation.
See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for
what is going wrong there and ways to fix it.

Transactions which do not have a limit applied are of course unlimited.
So drop the ACLs explicitly listing what not to limit. You only need an
ACL to match what does get limited, and only one is needed (you are only
matching on IP, nothing complex).

Like so:

 acl limit_5MB src 10.0.0.201-10.0.0.204 # dhcp
 acl limit_5MB src 10.0.0.80    # samsung TV
 acl limit_5MB src 10.0.0.81    # samsung DVD
 ...
 reply_body_max_size 5 MB limit_5MB

That is it.


> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf


redirect_program is a deprecated alias for url_rewrite_program. You can
only have one configured for use. So, only the latter of the two
directives will do anything.

Amos
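To make the two points in this reply concrete (Squid uses the first reply_body_max_size line whose ACLs match, and several ACL names on one line are ANDed, so a single client address can never satisfy two different src ACLs), here is an added Python model of that evaluation. It is example code written for this page, not Squid's own; the config fragments are constructed from the thread, trimmed to a few hosts, and the ~9.3 PB figure is derived from the 9999999999 MB line.

```python
import ipaddress
# Constructed config fragments (not Squid's own code): the thread's original
# reply_body_max_size lines, trimmed to four hosts, beside Amos's one-ACL fix.
ORIGINAL = """
acl localnet_sniper src 10.0.0.3
acl localnet_dannyS4 src 10.0.0.54
acl localnet_vS5mini src 10.0.0.55
acl localnet_samsungTV src 10.0.0.80
reply_body_max_size 9999999999 MB localnet_sniper localnet_dannyS4
reply_body_max_size 5 MB localnet_vS5mini localnet_samsungTV
"""
FIXED = """
acl limit_5MB src 10.0.0.201-10.0.0.204   # dhcp
acl limit_5MB src 10.0.0.80               # samsung TV
acl limit_5MB src 10.0.0.55
reply_body_max_size 5 MB limit_5MB
"""
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

def parse_size(words):
    """Words after the directive: 'none' means no limit, else size in bytes."""
    if words[0] == "none":
        return None, words[1:]
    return int(words[0]) * UNITS[words[1]], words[2:]

def src_ranges(spec):
    """One 'acl NAME src' value: a CIDR, a single address or an a-b range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return (int(lo), int(hi))
    net = ipaddress.ip_network(spec, strict=False)
    return (int(net[0]), int(net[-1]))

def parse_config(text):
    acls, limits = {}, []
    for line in text.splitlines():
        words = line.split("#")[0].split()          # drop comments and blanks
        if words[:1] == ["acl"] and words[2] == "src":
            acls.setdefault(words[1], []).append(src_ranges(words[3]))
        elif words[:1] == ["reply_body_max_size"]:
            limits.append(parse_size(words[1:]))
    return acls, limits

def effective_limit(text, client_ip):
    """Bytes for client_ip, or None (unlimited); first line whose ACLs ALL match wins."""
    acls, limits = parse_config(text)
    ip = int(ipaddress.ip_address(client_ip))
    for size, names in limits:
        if all(any(lo <= ip <= hi for lo, hi in acls[n]) for n in names):
            return size
    return None
```

With ORIGINAL every client comes back unlimited, because no single address is in two src ACLs at once; with FIXED only the listed hosts get the 5 MB cap.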

Re: reply_body_max_size question

Danny-2
Thank you Amos for the detailed reply. Never too old to learn are we?

Have a nice day

Danny

On Mar 15 17, Amos Jeffries :

> To: [hidden email]
> Date: Wed, 15 Mar 2017 15:49:04 +1300
> From: Amos Jeffries <[hidden email]>
> Subject: Re: [squid-users] reply_body_max_size question
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
>  Thunderbird/45.8.0
> X-BeenThere: [hidden email]