squid 3.5 conf setup


James Adams
We have a few squid setups to handle a large number of /24 IP blocks.
I want to know if there is an easier configuration to do this, as we have to manually configure each conf file, which can take a long time, plus there is the possibility of human error. I am trying to reduce the number of lines needed and make it a little more efficient. Below is a snippet of a conf file. The bold text is what I am trying to reduce.
acl localnet src all

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
max_filedesc 65535

acl CONNECT method CONNECT

#http_access allow localnet
#http_access allow all
visible_hostname this.that.com

auth_param basic program basic_ncsa_auth squid/etc/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
###########################################################
# Section: xxx.yyy.zzz.0 / 24
###########################################################
http_port xxx.yyy.zzz.1:3128 name=1
acl 1 myportname 1 src all
http_access allow 1
tcp_outgoing_address xxx.yyy.zzz.1 1
http_port xxx.yyy.zzz.2:3128 name=2
acl 2 myportname 2 src all
http_access allow 2
tcp_outgoing_address xxx.yyy.zzz.2 2
http_port xxx.yyy.zzz.3:3128 name=3
acl 3 myportname 3 src all
http_access allow 3
tcp_outgoing_address xxx.yyy.zzz.3 3
http_port xxx.yyy.zzz.4:3128 name=4
acl 4 myportname 4 src all
http_access allow 4
tcp_outgoing_address xxx.yyy.zzz.4 4
http_port xxx.yyy.zzz.5:3128 name=5
acl 5 myportname 5 src all
http_access allow 5
tcp_outgoing_address xxx.yyy.zzz.5 5
......

......
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320 

  


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 3.5 conf setup

Amos Jeffries
Administrator
On 21/04/20 2:48 am, James Adams wrote:
> We have a few squid setups to handle a large number of /24 IP blocks.
> I want to know if there is an easier configuration to do this, as we have to
> manually configure each conf file, which can take a long time, plus there is
> the possibility of human error. I am trying to reduce the number of lines
> needed and make it a little more efficient. Below is a snippet of a conf
> file. The bold text is what I am trying to reduce.


From what I can see in this config file that is not going to be possible
for any Squid.

Best you will get is automating the config lines creation to avoid that
human error situation. Squid can use "include /path/to/file" to pull in
config lines from an auto-generated file.



> acl localnet src all
>

Your LAN is the entire Internet? I think not.


> ......
> request_header_access Allow allow all
> request_header_access Authorization allow all
> request_header_access WWW-Authenticate allow all

I suggest looking at all these headers. Many are not relevant to *requests*.


Amos


Re: squid 3.5 conf setup

Alex Rousskov
In reply to this post by James Adams
On 4/20/20 10:48 AM, James Adams wrote:
> acl 1 myportname 1 src all

I agree with Amos that you should consider automating these
configuration lines. Your access control and request routing
requirements are probably too special to warrant adding a new Squid feature.

While writing the config-generating script, please remove the "src all"
trailing garbage(?) from myportname ACL definitions. I would also
recommend avoiding using bare numbers as port and ACL _names_: It is
very confusing for many human readers, and might even cause parsing
failures in future Squid versions.


HTH,

Alex.
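
A generator of the kind Amos and Alex recommend could look like this; it is an added example, not part of the original thread or of Squid, and the function names, the `port_` naming scheme and the sample networks are assumptions. It applies Alex's two points (no trailing "src all", no bare numbers as names) and, as a further assumption, omits the per-port `http_access allow` lines so that access stays with the existing `http_access allow authenticated` rule.

```python
import ipaddress

# Constructed sample input: documentation ranges standing in for real /24 blocks.
SAMPLE_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]


def port_name(addr):
    """Descriptive port/ACL name (not a bare number), e.g. port_192_0_2_1."""
    return "port_" + str(addr).replace(".", "_")


def render_block(cidr, listen_port=3128):
    """Return the squid.conf lines for every host address in one IPv4 /24."""
    # strict=True rejects typos such as 192.0.2.5/24 (host bits set).
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError(f"expected an IPv4 /24, got {cidr}")
    lines = ["#" * 59, f"# Section: {net}", "#" * 59]
    for addr in net.hosts():  # .1 through .254
        name = port_name(addr)
        lines += [
            f"http_port {addr}:{listen_port} name={name}",
            f"acl {name} myportname {name}",  # no trailing "src all"
            f"tcp_outgoing_address {addr} {name}",
        ]
    return lines


def render_config(cidrs, listen_port=3128):
    """Render all blocks, refusing duplicate or overlapping networks."""
    seen = []
    out = ["# Generated file: edit the block list and regenerate."]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if any(net.overlaps(other) for other in seen):
            raise ValueError(f"{cidr} overlaps an earlier block")
        seen.append(net)
        out += render_block(cidr, listen_port)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_config(SAMPLE_BLOCKS), end="")
```

Write the output to a file and pull it in with the "include /path/to/file" directive Amos mentions; running `squid -k parse` before reloading catches syntax errors in the generated lines.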

Re: squid 3.5 conf setup

James Adams
So I am new to squid and trying to take over from what was already in place.
Do you have an example of what it should look like or a best practice guide to use?
We can have up to 32 /24 blocks in our configurations.
I want to try and make the systems as efficient as possible knowing the large amount of IPs we are using.

Thanks

On 4/20/2020 15:16, Alex Rousskov wrote:
> On 4/20/20 10:48 AM, James Adams wrote:
> > acl 1 myportname 1 src all
>
> I agree with Amos that you should consider automating these
> configuration lines. Your access control and request routing
> requirements are probably too special to warrant adding a new Squid feature.
>
> While writing the config-generating script, please remove the "src all"
> trailing garbage(?) from myportname ACL definitions. I would also
> recommend avoiding using bare numbers as port and ACL _names_: It is
> very confusing for many human readers, and might even cause parsing
> failures in future Squid versions.
>
>
> HTH,
>
> Alex.

-- 
James Adams
Sr. Systems Engineer
MOD Mission Critical


Re: squid 3.5 conf setup

Matus UHLAR - fantomas
On 20.04.20 15:29, James Adams wrote:
>So I am new to squid and trying to take over from what was already in
>place.
>Do you have an example of what it should look like or a best practice
>guide to use?
>We can have up to 32 /24 blocks in our configurations.
>I want to try and make the systems as efficient as possible knowing
>the large amount of IPs we are using.

Is there any need to use multiple IP addresses on squid for multiple client
subnets?
Can't one address manage all those clients?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)