Hi all, I wanted to check with your accumulated wisdom the following squid configuration.
The config is working both for splice or bump (by commenting/uncommenting the respective line) using TPROXY. It is a config ported from an old installation of squid 3.1 to the new 3.5 and although I did some cleanup I am wondering if I am misusing any directive or missing any crucial one for better performance or just for the sake of cleanliness. At the moment for filtering I am using squidGuard and am considering going with ufdbGuard instead, as pointed out by Amos (thanks for that). To avoid issues with some sites I am considering using only splicing, although this has some caveats as bumping also does. I could go with a hybrid approach (splice some and bump all) but this sounds like it will cause periodically more administrative overhead to sort out the sites that need splicing. The config also has some ACLs as an attempt to block media streaming but those seem not to work. The hardware running the squid is somewhat small with 4 GB of RAM, 4 CPU cores and 100 GB SSD in case one wonders.

http_port 192.168.200.1:3128 tproxy
https_port 192.168.200.1:3129 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
shutdown_lifetime 5 seconds

# ACL
#acl ncsa_users proxy_auth REQUIRED
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 192.168.200.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 10080
acl Safe_ports port 10443
acl SSL method CONNECT
acl CONNECT method CONNECT

# multiling http
#acl block_url dstdomain "/etc/squid/block_url.squid"
#acl allow_url dstdomain "/etc/squid/allow_url.squid"
acl ELAN src 192.168.200.0/24
acl QUERY urlpath_regex cgi-bin \?

# SSL
always_direct allow all

# Video Streaming ACLs
acl media rep_mime_type ^.*mms.*
acl media rep_mime_type ^.*ms-hdr.*
acl media rep_mime_type ^.*x-fcs.*
acl media rep_mime_type ^.*x-ms-asf.*
acl media2 urlpath_regex dvrplayer mediastream mms://
acl media2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl flashvideo rep_mime_type -i video/flv
acl flashvideo rep_mime_type -i video/x-flv
acl shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$

# Block Media Streaming
http_reply_access deny flashvideo
http_reply_access deny shockwave
http_reply_access deny media
http_reply_access deny media2
http_reply_access deny x-type
http_reply_access deny x-type2

#
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny block_url
#http_access allow allow_url
# NOTE: no "acl LAN ..." line is defined anywhere in this config, so the
# "LAN" name used here and in deny_info below refers to an undefined ACL
http_access allow LAN
http_access allow ELAN
http_access allow localhost
#http_access allow ncsa_users
http_reply_access allow all
deny_info ERR_CUSTOM LAN ELAN media media2 flashvideo shockwave x-type x-type2
error_directory /usr/share/squid-langpack/en
#icp_access allow all

# Logging
logfile_daemon /usr/lib/squid/log_db_daemon
access_log daemon:/127.0.0.1/squid_log/access_log/squid/squid squid
icap_log stdio:/var/log/squid/icap.log squid
cache_store_log stdio:/var/log/squid/store.log

# DNS
dns_nameservers 127.0.0.1
positive_dns_ttl 8 hours
negative_dns_ttl 30 seconds
ipcache_size 2048
ipcache_low 95
ipcache_high 97
fqdncache_size 2048

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 10240 16 256
minimum_object_size 0 KB
maximum_object_size 30 MB
maximum_object_size_in_memory 1024 KB

# HTTPS filtering
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
#ssl_bump bump all

# SquidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5

Your input is highly appreciated.

Alex
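An added example (not from Alex's config) of the hybrid approach the post mentions, splicing an admin-maintained list of server names and bumping everything else; it assumes a file /etc/squid/splice_domains.txt exists and replaces the "# HTTPS filtering" block above:

```conf
# Added example, not part of the original post.

# Step 1 (SslBump1): only the intercepted TCP connection is known.
# Peeking here reads the TLS ClientHello so the SNI becomes visible to
# the ssl::server_name ACL without yet committing to bump or splice.
acl step1 at_step SslBump1

# Assumed file, one entry per line, matched like dstdomain, e.g.:
#   .bank.example          (the domain and all of its subdomains)
#   updates.example.net
acl splice_domains ssl::server_name "/etc/squid/splice_domains.txt"

# First matching ssl_bump line wins, so the order below matters.
# Look at the ClientHello but do not decide yet:
ssl_bump peek step1
# Pass the listed sites through untouched (end-to-end TLS, no local CA cert):
ssl_bump splice splice_domains
# Everything else is decrypted and sees the normal http_access / filtering rules:
ssl_bump bump all

# Caveat for the media-blocking ACLs: http_reply_access and rep_mime_type
# only ever see responses on bumped (or plain HTTP) connections. Spliced
# TLS is opaque to Squid, so those rules cannot apply to the spliced
# domains; only SNI- or IP-based ACLs can act on that traffic.
```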
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users