Re: [squid-users] Lack of understanding ?

From: Dmitry S. Makovey <dmitry@dont-contact.us>
Date: Tue, 04 Apr 2006 08:47:36 -0600

Thanks for all the helpful tips - I finally got everything under control
and my main problems appeared to be using "req_mime_type" instead of
"rep_mime_type" as well as no clear understanding of
"http_reply_access". I finally figured it out and for future
reference here's the filtering proxy config that I've come up with
(filters out everything but HEAD requests from text/html and GET for
various XML types (mainly RSS-related)).

If anybody has any comments - I'd be glad to hear those.

#squid.conf
#################
# DEBUGGING
#
# debug_options ALL,0 33,2 28,7

#################
# General options
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_single_host off
httpd_accel_uses_host_header on

### Cache tuning
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95

### Size restrictions
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 16 KB
reply_header_max_size 4 KB
request_body_max_size 2 KB

log_mime_hdrs on

### Paths
useragent_log /var/log/squid/useragent.log
referer_log /var/log/squid/referer.log
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

refresh_pattern . 0 20% 4320
strip_query_terms off

#################
# ACL Definitions

### IP definitions
acl all src 0.0.0.0/0.0.0.0

acl from_clients src 192.168.1.0/255.255.255.0
acl to_clients dst 192.168.1.0/255.255.255.0
acl to_mynet dst 192.168.0.0/255.255.0.0
acl from_localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

### Ports definitions
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http

### protocols definitions
acl allowed_protocols proto HTTP
acl manager proto cache_object

### content type definitions
acl xml_content rep_mime_type -i text/xml
acl xml_content rep_mime_type -i application/xml
# rep_mime_type values are regular expressions, so the literal "+" is escaped
acl xml_content rep_mime_type -i application/rdf\+xml
acl html_content rep_mime_type -i text/html
acl html_content rep_mime_type -i text/xhtml

### methods definitions
acl CONNECT_method method CONNECT
acl HEAD_method method HEAD
acl GET_method method GET

#################
# ACL Rules

### REQUEST rules
http_access deny !Safe_ports
http_access deny to_mynet
http_access deny !allowed_protocols
http_access deny CONNECT_method !SSL_ports

http_access allow manager from_localhost
http_access deny manager
http_access allow GET_method from_clients
http_access allow HEAD_method from_clients
http_access deny all

### REPLY rules (those are actually inspecting what's returned)
http_reply_access allow GET_method xml_content from_clients
http_reply_access allow HEAD_method html_content from_clients
http_reply_access deny all

### Self-explanatory stuff
icp_access deny all

miss_access allow from_clients

reply_body_max_size 20480 allow from_clients

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245

Received on Tue Apr 04 2006 - 08:47:50 MDT
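
Added example, not part of the original post and not Squid code: a small Python model of how the http_reply_access rules above are evaluated, and why the same patterns typed as req_mime_type never let a feed through. It assumes first-match rule order, AND across the ACLs on one rule line, OR across the values of one ACL name, and a prefix match standing in for the 192.168.1.0/24 source check; the sample transactions are constructed.

```python
import re

# Constructed model of Squid ACL evaluation: ACL name -> (type, values).
# MIME patterns are regexes, so the literal "+" in rdf+xml is escaped.
ACLS = {
    "xml_content": ("rep_mime_type", [r"text/xml", r"application/xml", r"application/rdf\+xml"]),
    "html_content": ("rep_mime_type", [r"text/html", r"text/xhtml"]),
    "GET_method": ("method", ["GET"]),
    "HEAD_method": ("method", ["HEAD"]),
    "from_clients": ("src_prefix", ["192.168.1."]),  # stands in for 192.168.1.0/24
    "all": ("any", []),
}
REPLY_RULES = [  # the post's http_reply_access lines, in order
    ("allow", ["GET_method", "xml_content", "from_clients"]),
    ("allow", ["HEAD_method", "html_content", "from_clients"]),
    ("deny", ["all"]),
]
# Constructed sample transactions: a GET normally carries no Content-Type header.
FEED = {"method": "GET", "src": "192.168.1.20", "req_type": None, "rep_type": "text/xml; charset=utf-8"}
PAGE = {"method": "GET", "src": "192.168.1.20", "req_type": None, "rep_type": "text/html"}

def acl_matches(name, txn, acls):
    """True if any value of the named ACL matches this transaction."""
    kind, values = acls[name]
    if kind == "any":
        return True
    if kind == "method":
        return txn["method"] in values
    if kind == "src_prefix":
        return any(txn["src"].startswith(v) for v in values)
    # req_mime_type reads the request's Content-Type, rep_mime_type the reply's.
    header = txn.get("req_type" if kind == "req_mime_type" else "rep_type") or ""
    return any(re.search(v, header, re.I) for v in values)

def reply_access(txn, acls=ACLS, rules=REPLY_RULES):
    """Return the action of the first rule whose ACLs all match."""
    for action, names in rules:
        if all(acl_matches(n, txn, acls) for n in names):
            return action
    return "deny"  # not reached here: the last rule is "deny all"

def with_req_mime_type(acls):
    """The mix-up described in the post: same patterns, typed as req_mime_type."""
    return {n: ("req_mime_type" if k == "rep_mime_type" else k, v) for n, (k, v) in acls.items()}

if __name__ == "__main__":
    for label, txn in (("GET feed", FEED), ("GET page", PAGE), ("HEAD page", dict(PAGE, method="HEAD"))):
        print(label, reply_access(txn), "| with req_mime_type:", reply_access(txn, with_req_mime_type(ACLS)))
```

With the request-side ACL type every reply falls through to "deny all", because the content type being tested is the one the client sent, not the one the origin server returned.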