[squid-users] Squid Conf - Checking

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Tue, 27 Apr 2010 15:34:00 +0100

Hi,

I wondered whether I could have an eyeball on my squid.conf. It's very basic regarding access rules as there is a proxy filter further up the chain - also I'm not caching. The main purpose is to ensure that, where not explicitly allowed via ACL, all traffic passes through the squid proxy and heads upstream. I also block direct HTTP/S access from a client; only the proxy has access out. How does it look? I welcome any suggestions, inclusions or (importantly) glaring errors or omissions! Obviously, I appreciate there is a lot that one might allow, like blocking Yahoo Messenger, but I guess I'm after glaring errors!

Thanks in advance,

Nick

======

http_port proxy1:8080

auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

cache_peer [upstreamproxy] parent 8080 0 no-query proxy-only no-digest default

cache_mgr helpdesk_at_mydomain.com
visible_hostname proxy1.{fqdn}

######### ICAP SERVER #########
icap_enable on
icap_preview_enable on
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_service ss reqmod_precache 0 icap://localhost/ssreqmod
icap_class c1 ss
icap_access c1 allow all
###### LOGGING OPTIONS ########
## LOGGING SWITCHES
log_fqdn on
## LOG LOCATIONS
access_log /var/log/squid/access.log squid
# cache_log and useragent_log take a path only; the trailing "squid" log format
# name is an access_log option and is rejected here.
cache_log /var/log/squid/cache.log
useragent_log /var/log/squid/useragent.log

###### Delay Pool Definitions #######
# Total number of delay pools
delay_pools 1

#### ACCESS CONTROL LISTS #####

## USER-AGENT (Browser-type) ACLs
acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt"
acl MSNMessenger browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt"

## USER AUTHENTICATION ACLs
acl AuthenticatedUsers proxy_auth REQUIRED

## LAN IP ACLs
acl 172SUBNETS src 172.16.0.0/255.255.0.0
acl SERVERSUBNETS src 172.16.10.0/255.255.255.0

# Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
# Note: only CONNECT URLs start with the host (host:port); a plain
# http://1.2.3.4/ request starts with the scheme and is not matched by this regex.
acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

## SEND DIRECT ACLs
acl SENDDIRECT_DstDomains dstdomain "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
acl SENDDIRECT_IPAddresses src "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"

# CONNECT Method Direct IP ACLs
acl IP_CONNECTALLOW src "/etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt"

## LOCALHOST ACLs
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

## QUERY ACLs
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache

## PORTS ACLs
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl RTMP_ports port 1935 # RTMP

# CONNECTION METHOD ACL
acl CONNECT method CONNECT
acl POST method POST

###### ACCESS RULES #####
## GLOBAL DENY RULES - Do NOT include User Authentication ACLs here
# Safe_ports and SSL_ports are defined in the PORTS ACLs above but were never
# used; without these two lines the POST/CONNECT allows below reach any port.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny StopDirectIP !IP_CONNECTALLOW
http_access deny MSNMessenger 172SUBNETS

# NOTE: these match before the proxy_auth rule, so POST and CONNECT from the
# LAN are never authenticated and are logged without a username.
http_access allow POST 172SUBNETS
http_access allow CONNECT 172SUBNETS

# USER AGENTS ALLOW # (unauthenticated as well; User-Agent is client-chosen)
http_access allow iTunes 172SUBNETS
http_access allow Java_jvm 172SUBNETS

## USERS AUTHENTICATION##
http_access allow AuthenticatedUsers
# http_reply_access defaults to "allow all"; with this single rule the
# implicit default is the opposite of the last line, i.e. deny, so replies to
# the requests allowed above without credentials (POST, CONNECT, iTunes,
# Java, localhost) would not match and would be denied. Drop this line unless
# a reply-side check is really intended.
http_reply_access allow AuthenticatedUsers

## SEND DIRECT ALLOW
always_direct allow SENDDIRECT_DstDomains
always_direct allow SENDDIRECT_IPAddresses

## LOCAL HOST ALLOW ##
# NOTE: this comes after "allow AuthenticatedUsers", so a request from
# localhost is challenged for credentials before this line is reached; move it
# above the authentication rule if localhost should bypass authentication.
http_access allow localhost

###### DELAY ACCESS RULES ######
# First delay class pool is User allocated
delay_class 1 4

# Class 4 parameters are aggregate, network, individual, user; the first three
# are unlimited and each user is capped at 4,000,000 bytes/s (about 4 MB/s),
# i.e. all users not in exceptions: SERVERSUBNETS
delay_parameters 1 -1/-1 -1/-1 -1/-1 4000000/4000000

#First delay pool applied to Authenticated users except those in Server Subnet
delay_access 1 allow AuthenticatedUsers !SERVERSUBNETS
delay_access 1 deny all

###### DENY ######
always_direct deny all
never_direct allow all
snmp_access deny all
cache deny all
http_access deny all

Received on Tue Apr 27 2010 - 14:35:20 MDT
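The rule order in the posted file can be checked offline. What follows is an added example, not part of Nick's post and not Squid code: a small Python re-implementation of Squid's first-match http_access evaluation over the posted ACLs, run against constructed requests. The contents of IP_CONNECTALLOW.txt and the three User-Agent list files are not in the post, so the values used for them here are assumptions. It shows what the config as posted does with an unauthenticated CONNECT from the LAN to an arbitrary port, with a bare-IP destination in GET versus CONNECT form, and what changes once the Safe_ports and SSL_ports ACLs the file defines are actually used in deny rules.

```python
"""Offline model of Squid's first-match http_access evaluation using the ACLs
and rule order from the posted squid.conf. Added example for this thread, not
Squid code: only the ACL types the post uses are modelled (src, method, port,
url_regex, browser, proxy_auth). IP_CONNECTALLOW contents and the User-Agent
patterns are assumptions; every request below is constructed."""
import ipaddress
import re

ACLS = {
    "172SUBNETS": ("src", [ipaddress.ip_network("172.16.0.0/16")]),
    "IP_CONNECTALLOW": ("src", [ipaddress.ip_network("172.16.10.5/32")]),  # assumed
    "localhost": ("src", [ipaddress.ip_network("127.0.0.1/32")]),
    # url_regex runs over the URL as Squid sees it: "host:port" for CONNECT,
    # "http://host[:port]/path" for everything else.
    "StopDirectIP": ("url_regex", re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")),
    "MSNMessenger": ("browser", re.compile(r"MSN Messenger")),  # assumed pattern
    "iTunes": ("browser", re.compile(r"^iTunes")),              # assumed pattern
    "Java_jvm": ("browser", re.compile(r"^Java/")),             # assumed pattern
    "AuthenticatedUsers": ("proxy_auth", None),
    "CONNECT": ("method", "CONNECT"),
    "POST": ("method", "POST"),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (8080, 8080), (21, 21), (443, 443),
                            (70, 70), (210, 210), (1025, 65535), (280, 280),
                            (488, 488), (591, 591), (777, 777)]),
    "all": ("all", None),
}

# http_access lines in the order they appear in the post.
POSTED_RULES = [
    ("deny",  ["StopDirectIP", "!IP_CONNECTALLOW"]),
    ("deny",  ["MSNMessenger", "172SUBNETS"]),
    ("allow", ["POST", "172SUBNETS"]),
    ("allow", ["CONNECT", "172SUBNETS"]),
    ("allow", ["iTunes", "172SUBNETS"]),
    ("allow", ["Java_jvm", "172SUBNETS"]),
    ("allow", ["AuthenticatedUsers"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

# Same rules with the two port checks the post defines ACLs for but never uses,
# placed ahead of the unauthenticated allows.
HARDENED_RULES = [("deny", ["!Safe_ports"]),
                  ("deny", ["CONNECT", "!SSL_ports"])] + POSTED_RULES


def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in net for net in arg)
    if kind == "url_regex":
        return bool(arg.search(req["url"]))
    if kind == "browser":
        return bool(arg.search(req["ua"]))
    if kind == "method":
        return req["method"] == arg
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in arg)
    if kind == "proxy_auth":
        return req["auth"]  # True only when valid credentials were presented
    return True             # "all"


def http_access(rules, req):
    """First line whose ANDed terms all match decides ('!' negates a term).
    Returns 'allow', 'deny' or 'challenge': Squid answers 407 when an
    un-negated proxy_auth ACL is the last term on a line and the request
    carries no credentials. Unmatched: opposite of the last line's action."""
    for action, terms in rules:
        line_matches = True
        for i, term in enumerate(terms):
            negated = term.startswith("!")
            name = term.lstrip("!")
            hit = acl_matches(name, req)
            if (ACLS[name][0] == "proxy_auth" and not negated and not hit
                    and i == len(terms) - 1):
                return "challenge"
            if hit == negated:  # this term failed, line does not match
                line_matches = False
                break
        if line_matches:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def connect_req(host, port, src, auth=False, ua=""):
    return {"method": "CONNECT", "url": f"{host}:{port}", "port": port,
            "src": src, "auth": auth, "ua": ua}


def get_req(host, port=80, src="172.16.20.7", auth=False, ua="Mozilla/5.0"):
    hostport = host if port == 80 else f"{host}:{port}"
    return {"method": "GET", "url": f"http://{hostport}/", "port": port,
            "src": src, "auth": auth, "ua": ua}


if __name__ == "__main__":
    cases = [
        ("LAN CONNECT to VNC port, no credentials", connect_req("desk.example.com", 5900, "172.16.20.7")),
        ("LAN CONNECT to bare IP:443", connect_req("198.51.100.9", 443, "172.16.20.7")),
        ("LAN GET http://198.51.100.9/, no credentials", get_req("198.51.100.9")),
        ("LAN GET http://198.51.100.9/, authenticated", get_req("198.51.100.9", auth=True)),
        ("authenticated GET to port 25", get_req("example.com", port=25, auth=True)),
    ]
    for label, req in cases:
        print(f"{label:48} posted={http_access(POSTED_RULES, req):9} "
              f"hardened={http_access(HARDENED_RULES, req)}")
```

Note that `squid -k parse` only checks the file's syntax; it does not tell you that a CONNECT to port 5900 from the LAN is allowed without credentials, which is what the first case above shows for the rules as posted. The GET cases show that StopDirectIP catches only the CONNECT form of a bare-IP destination, because a GET URL starts with "http://".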