Re: [squid-users] Minor Errors In Squid.Conf (attached) That I Would Like Review

From: Vadim Pushkin <wiskbroom@dont-contact.us>
Date: Tue, 04 Apr 2006 13:41:26 +0000

   Vadim Anatoly Pushkin
-- The Ukranian Stallion --

>From: "Neil A. Hillard" <hillardn@whl.co.uk>
>To: Vadim Pushkin <wiskbroom@hotmail.com>
>Hi,
>
>Vadim Pushkin wrote:
>>Hello;
>>
>>I've attached my condensed (without comments) squid.conf that is giving me
>>some trouble. My problems are as follows:
>>
>>1. I am unable to connect to the cachemgr.cgi from machines in "Bldg_One"
>>or "Bldg_Two". I am trying to connect to cachemgr.cgi via webmin.
>>
>>2. My disk space allocated seems to get used up within about three months
>>and I am not sure how to properly set up my config to expire my cache
>>sooner, don't even know what it is expiring at now for that matter. When
>>my allocated disk space is met, squid dies. The last time that this
>>happened I ran a clear and rebuild cache, this was a terrible mistake as
>>it had taken an entire day to run.
>>
>>3. I am able to connect using ports that I thought I had forbidden using
>>"CONNECT". Is my ordering wrong?
>>
>>4. I have at my disposal another 64GB partition contained in this machine
>>and I would like to get some suggestions for the best way to use it. I.e,
>>shall I just newfs this other partition and initialize it so as to
>>pre-stage a new cache in case my hard drive dies? Or, can I just use it
>>alongside what I have now and have squid continue to work even if one of
>>the two partitions dies?
>>
>>As you can see from my attached config file, I have come a long way, but I
>>am not completely aware of all that squid can do.
>
>OK, remember that the order of rules is important (OK, very important).
>The reason that you can connect to any port is that the following rules
>come _after_ the rules that grant access from your SRCs
>
>http_access allow manager localhost
>http_access deny manager
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports

That is the way the config is written that comes with the distro, so I just
assumed that it was correct.

I will try swapping them. Is there a known good config that is close to
what I am trying to achieve that I may evaluate for this purpose?

>They therefore are never evaluated. You need to put these first and then
>test once again. Do you really need those http_reply_access lines at all?

Without them, my users are denied access :-(

.vp
Received on Tue Apr 04 2006 - 07:41:34 MDT
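
Added example, not part of the original thread and not the poster's attached squid.conf (which is not shown): a small Python model of the first-match http_access evaluation described in the quoted reply, run against an allow-first rule order and the reordered one. The Bldg_One address range, the port sets, the trailing "deny all" line and the evaluate() helper are constructed assumptions.

```python
# Model of Squid's http_access handling: rules are checked top to bottom,
# all ACLs on one line are ANDed, "!" negates, and the first matching line wins.

# Constructed ACL definitions (the real ones were in the unseen attachment).
ACLS = {
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "Bldg_One":   lambda r: r["src"].startswith("10.1."),
    "Safe_ports": lambda r: r["port"] in {21, 80, 443, 563, 8080},
    "SSL_ports":  lambda r: r["port"] in {443, 563},
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "all":        lambda r: True,
}

# Allow rule for the source network placed before the port restrictions.
AS_POSTED = """
http_access allow Bldg_One
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Port restrictions first, source allow afterwards.
CORRECTED = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Bldg_One
http_access deny all
"""

def evaluate(rules, req):
    """Return (action, matching_line) for the first rule whose ACLs all match."""
    for line in rules.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, names = parts[1], parts[2:]
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line.strip()
    return "deny", None  # not reached here: both rule sets end in "deny all"

# Constructed request: CONNECT to a non-SSL port from a Bldg_One client.
REQ = {"src": "10.1.0.5", "method": "CONNECT", "port": 8080, "proto": "http"}

if __name__ == "__main__":
    print("as posted:", evaluate(AS_POSTED, REQ))
    print("corrected:", evaluate(CORRECTED, REQ))
```

In the first ordering the request never reaches the CONNECT rule; in the second it is denied there, while CONNECT to port 443 from the same client still falls through to the Bldg_One allow.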
