Re: [squid-users] Squid config file administration, maintenance and partition

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 2 Feb 2009 16:26:55 +1300 (NZDT)

> Hi,
> I want to keep my ACLs separate from the main squid config file, so we can
> upgrade squid easily without touching this file too much (hopefully).
>
> The problem is that the user ACLs are supposed to be somewhere in the
> middle of the conf file.
>
> There are a couple of options that I was thinking about. I tried both and
> got both to work as reverse proxy, however I am not really sure about the
> rest of the services that may be disabled.
>
> Option 1
> In the main squid file just call my ACL. I still need to change this file,
> but not much:
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> include my_acl.conf
>
> Option 2
> Call my ACLs in the beginning, and then call the default squid conf file:
>
> So my squid.conf file looks like this:
> include my_acl.conf
> include squid.conf.default
>
> Option 2 seems better since I can leave the squid conf files intact.
> It is also a way to run multiple instances of squid on the same box
> without duplicating configuration. Each instance conf file does some
> instance configuration, and then calls my ACL and the default squid ACL.
> Example:
>
> access_log /var/logs/squid/instance_1/access.log squid
> include my_acl.conf
> include squid.conf.default
> pid_filename /var/logs/squid/instance_1/squid.pid
>
> I am not sure that option 2 is OK. It may be blocking other services that
> squid uses in the default configuration (for administration and
> monitoring).
> Generally this is reverse proxy, so it should allow only HTTP to the
> origin server and nothing more.
>
> Is option 2 a workable solution or will it have problems working with the
> default configuration?
>
> E

Both are usable with some care.

(1) is the easier one. Several of the access controls (Safe_ports,
SSL_ports, and manager access) are provided by the default config and
usually NEED to be listed before any custom http_access lines.

(2) needs you to be extra careful and duplicate the proper order of those
controls in your own config.

Issues you will encounter with the many options 'required' settings in
squid.conf with older squid are being resolved from 3.1. So the
possibility of breakage errors is greatly reduced.

Amos
Received on Mon Feb 02 2009 - 03:26:59 MST
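
A way to check the ordering point from the reply before deploying either layout, as an added example that is not part of the original thread: it expands `include` lines in place and reports any `http_access` rule from the custom file that Squid would evaluate before the guard rules. The file contents, the `option1.conf`/`option2.conf` names, the `our_site` ACL and the exact guard rule set are assumptions constructed for illustration.

```python
# Added example, not from the thread. All file contents below are constructed.
GUARDS = {  # assumed guard rules; the reply names Safe_ports, SSL_ports and manager access
    ("deny", "manager"), ("deny", "!Safe_ports"), ("deny", "CONNECT", "!SSL_ports")}

STOCK_HEAD = """acl manager proto cache_object
acl Safe_ports port 80
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
"""
MY_ACL = "acl our_site dstdomain www.example.com\nhttp_access allow our_site\n"
FILES = {
    "my_acl.conf": MY_ACL,
    "squid.conf.default": STOCK_HEAD + "http_access deny all\n",
    "option1.conf": STOCK_HEAD + "include my_acl.conf\nhttp_access deny all\n",
    "option2.conf": "include my_acl.conf\ninclude squid.conf.default\n",
}

def flatten(name, files, seen=()):
    """Yield (file, line_no, tokens) per directive, expanding 'include' in place."""
    if name in seen:
        raise ValueError("include loop at " + name)
    for no, raw in enumerate(files[name].splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "include":  # plain file names only, no glob handling
            for inc in tokens[1:]:
                yield from flatten(inc, files, seen + (name,))
        else:
            yield name, no, tokens

def early_rules(top, files, custom):
    """Rules from `custom` files that Squid evaluates before every guard rule."""
    pending, early = set(GUARDS), []
    for src, no, tokens in flatten(top, files):
        if tokens[0] != "http_access":
            continue
        pending.discard(tuple(tokens[1:]))
        if pending and src in custom:
            early.append((src, no, " ".join(tokens), sorted(pending)))
    return early

if __name__ == "__main__":
    for top in ("option1.conf", "option2.conf"):
        print(top, early_rules(top, FILES, {"my_acl.conf"}))
```

With the option 2 layout the custom allow is reported because `http_access` is first-match and it would be consulted before any of the guard denies.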