Just a follow-up: Since squid rules are evaluated in order of placement, shouldn't "Custom options" come up before "# Setup allowed acls" in the block below? Those shown are my own custom options.

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet

# Custom options
acl audiovideo rep_mime_type audio|video ^application/x-mms-framed
http_reply_access deny audiovideo

# Default block all to be sure
http_access deny all

On Mon, Jun 6, 2011 at 19:52, Odhiambo Washington <odhia...@gmail.com> wrote:

>
>
> On Mon, Jun 6, 2011 at 15:25, Jim Pingle <li...@pingle.org> wrote:
>
>> On 6/6/2011 5:43 AM, Odhiambo Washington wrote:
>> > On Sun, Jun 5, 2011 at 18:04, Jim Pingle <li...@pingle.org
>> [snip]
>> > http://forum.pfsense.org/index.php/topic,32923.msg191044.html
>> [snip]
>>
>> > So in essence, we need:
>> >
>> > (12:25:03 <~>) 0 $ diff squid.inc squid.inc.local
>> > 527c527
>> > < }
>> > ---
>> >> }
>> > 813,814c813,814
>> > < acl all src 0.0.0.0/0.0.0.0 <http://0.0.0.0/0.0.0.0>
>> > < acl localhost src 127.0.0.1/255.255.255.255
>> > <http://127.0.0.1/255.255.255.255>
>> > ---
>> >> acl all src all
>> >> acl localhost src 127.0.0.1/32 <http://127.0.0.1/32>
>>
>> We have that now. Have since the middle of May:
>>
>> 2866d3ae config/squid3/squid.inc (jim-p 2011-05-18 11:57:21 -0400 807) acl all src all
>>
>> > 903c903
>> > < $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " deny
>> > all\n";
>> > ---
>> >> $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . "
>> all\n";
>>
>> We do that now. Have since late May:
>> 54c49bf2 config/squid3/squid.inc (jim-p 2011-05-25 14:39:07 -0400 898) $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " all \n";
>>
>> > Another issue with regard to squid 3.1.x concerns this block in squid.inc:
>> >
>> > if ($settings['allow_interface'] == 'on') {
>> >     $src = '';
>> >     foreach ($real_ifaces as $iface) {
>> >         list($ip, $mask) = $iface;
>> >         $ip = long2ip(ip2long($ip) & ip2long($mask));
>> >         $src .= " $ip/$mask";
>> >     }
>> >     $conf .= "# Allow local network(s) on interface(s)\n";
>> >     $conf .= "acl localnet src $src\n";
>> >     $valid_acls[] = 'localnet';
>> > }
>> >
>> >
>> > For squid 3.x netmasks are deprecated. CIDR masks are used instead.
>>
>> Looks like that was also changed mid-May...
>> 2866d3ae config/squid3/squid.inc (jim-p 2011-05-18 11:57:21 -0400 677) $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
>>
>>
>> > So, someone needs to change something in this block:-)
>> >
>> > Plus - could the package maintainer keep up to date with the squid
>> > branch? It's lagging much behind.
>>
>> Well there is no active maintainer of Squid 3. I poke at it now and then
>> when people submit patches, but I don't have any sort of focus on it, as
>> 2.7.x does what I want and it's stable.
>>
>> The current package is at 3.1.9 which is a couple months behind, but not
>> ancient. The FreeBSD port is up to 3.1.12. The tags are on the package
>> to build it automatically, but it may not be happening since the squid
>> 2.7.x build is probably conflicting with it. If I get some time I may
>> compile a new copy in a VM and upload it, but it may not be any time soon.
>>
>> I did find a couple things off in the xml for which files it was
>> pulling. I'll commit a fix here in a few. Try to reinstall it later today.
>>
>> Jim
>>
>
> Thanks, Jim, for all the hard work you are doing. I will try to reinstall
> later today and see what comes up.
>
> I hope you did see my email after this one you have responded to, which
> contained detailed explanations
> about this reply_body_max_size.
> I must say I am still a little confused about the correct params for that
> directive, even after the explanation
> I got from squid-dev.
>
> At the moment, my squid.conf contains:
>
> reply_body_max_size 307200 KB all
>
> It still mesmerizes me how it works, but my understanding seems to suggest
> that what we need in squid.inc is:
>
> $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " KB" . " all\n";
>
> ... which is what I am working with now.
>
> Once again, thanks for taking this up.
>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> I can't hear you -- I'm using the scrambler.
> Please consider the environment before printing this email.
>
>

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
Please consider the environment before printing this email.
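
Review bot: In the 813,814c813,814 hunk the replacement `acl all src all` defines `all` in terms of itself, which can only parse where Squid already provides an `all` ACL, and there the line is redundant. I would drop it, or gate it on the Squid version with a comment naming the releases that still need an explicit definition. The `<http://...>` text after each address in this hunk is mail-client link residue and should be stripped before anyone applies it to squid.inc.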
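
Review bot: In the 903c903 hunk the new line still emits `($down_limit * 1024)` as a bare number, and nothing in the hunk says what unit `$down_limit` is entered in or what unit the directive reads. The later proposal in this thread appends " KB" to the same expression, which would scale the limit by a further factor of 1024 if the multiplication is already a KB-to-bytes conversion. Please state the unit in a comment and emit either the multiplied value or the unit suffix, not both.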
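
The netmask-to-CIDR change discussed in the thread, as an added example (not the package's squid.inc code and not written by anyone in the thread). It converts each interface netmask to a prefix length with integer logic and refuses malformed or non-contiguous masks, for which the log()-based expression would yield a non-integer prefix. The function names `netmask_to_prefix` and `localnet_acl` are hypothetical and the interface list is constructed.

```php
<?php
// Added example: hypothetical helpers, not code from the pfSense squid package.

// Convert a dotted-quad netmask to a CIDR prefix length.
// Returns null if the mask is malformed or its 1-bits are not contiguous.
function netmask_to_prefix(string $mask): ?int
{
    $long = ip2long($mask);
    if ($long === false) {
        return null;
    }
    // 32-character binary string, e.g. 255.255.255.0 -> 24 ones, 8 zeros.
    $bits = sprintf('%032b', $long);
    if (!preg_match('/^(1*)0*$/', $bits, $m)) {
        return null; // e.g. 255.255.0.255
    }
    return strlen($m[1]);
}

// Build the "acl localnet src ..." line from [ip, netmask] pairs.
// Throws instead of writing an ACL that covers the wrong range.
function localnet_acl(array $ifaces): string
{
    $nets = [];
    foreach ($ifaces as [$ip, $mask]) {
        $addr = ip2long($ip);
        $prefix = netmask_to_prefix($mask);
        if ($addr === false || $prefix === null) {
            throw new InvalidArgumentException("bad interface address $ip/$mask");
        }
        $network = long2ip($addr & ip2long($mask));
        $nets["$network/$prefix"] = true; // keyed to drop duplicates
    }
    if (!$nets) {
        throw new InvalidArgumentException('no interfaces given');
    }
    return 'acl localnet src ' . implode(' ', array_keys($nets)) . "\n";
}

// Constructed sample input in the shape of $real_ifaces from the thread.
$real_ifaces = [
    ['192.168.1.1', '255.255.255.0'],
    ['10.0.5.1', '255.255.0.0'],
];
echo "# Allow local network(s) on interface(s)\n";
echo localnet_acl($real_ifaces);
```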