Squid: Difference between revisions
| Line 45: | Line 45: | ||
*TAG: acl | *TAG: acl | ||
<pre> | <pre> | ||
#Recommended minimum configuration: | |||
acl manager proto cache_object | |||
acl localhost src 127.0.0.1/32 | |||
acl to_localhost dst 127.0.0.0/8 | |||
# acl <aclname> <acltype> <definition> | # acl <aclname> <acltype> <definition> | ||
# members of the ADS group WWW | # members of the ADS group WWW | ||
| Line 61: | Line 65: | ||
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | ||
# | |||
acl SSL_ports port 443 | |||
acl Safe_ports port 80 # http | |||
acl Safe_ports port 21 # ftp | |||
acl Safe_ports port 443 # https | |||
acl Safe_ports port 70 # gopher | |||
acl Safe_ports port 210 # wais | |||
acl Safe_ports port 1025-65535 # unregistered ports | |||
acl Safe_ports port 280 # http-mgmt | |||
acl Safe_ports port 488 # gss-http | |||
acl Safe_ports port 591 # filemaker | |||
acl Safe_ports port 777 # multiling http | |||
acl Safe_ports port 901 # SWAT | |||
acl purge method PURGE | |||
acl CONNECT method CONNECT | |||
</pre> | </pre> | ||
*TAG: http_access | *TAG: http_access | ||
<pre> | <pre> | ||
#Recommended minimum configuration: | |||
# | |||
# Only allow cachemgr access from localhost | |||
http_access allow manager localhost | |||
http_access deny manager | |||
# Only allow purge requests from localhost | |||
http_access allow purge localhost | |||
http_access deny purge | |||
# Deny requests to unknown ports | |||
http_access deny !Safe_ports | |||
# Deny CONNECT to other than SSL ports | |||
http_access deny CONNECT !SSL_ports | |||
# comment out, we don't want access for the whole localnet | # comment out, we don't want access for the whole localnet | ||
#http_access allow localnet | #http_access allow localnet | ||
# Allow the localhost to have access by default | |||
http_access allow localhost | |||
# allow intranet access for unauthorized/all users | # allow intranet access for unauthorized/all users | ||
http_access allow local-servers | http_access allow local-servers | ||
| Line 72: | Line 106: | ||
# allow access for authorized users | # allow access for authorized users | ||
http_access allow AuthorizedUsers ProxyUsers | http_access allow AuthorizedUsers ProxyUsers | ||
# And finally deny all other access to this proxy | |||
http_access deny all | |||
</pre> | </pre> | ||
*TAG: icp_access | *TAG: icp_access | ||
| Line 77: | Line 114: | ||
# comment out since we don't have a localnet acl anymore | # comment out since we don't have a localnet acl anymore | ||
#icp_access allow localnet | #icp_access allow localnet | ||
icp_access deny all | |||
</pre> | </pre> | ||
*TAG: htcp_access | *TAG: htcp_access | ||
| Line 82: | Line 120: | ||
# comment out since we don't have a localnet acl anymore | # comment out since we don't have a localnet acl anymore | ||
#htcp_access allow localnet | #htcp_access allow localnet | ||
htcp_access deny all | |||
</pre> | |||
*TAG: http_port | |||
<pre> | |||
# Squid normally listens to port 3128 | |||
http_port 3128 | |||
</pre> | </pre> | ||
*TAG: cache_peer | *TAG: cache_peer | ||
| Line 88: | Line 132: | ||
# comment this out if you don't have another proxy infront of Squid | # comment this out if you don't have another proxy infront of Squid | ||
cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default | cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default | ||
</pre> | |||
*TAG: hierarchy_stoplist | |||
<pre> | |||
hierarchy_stoplist cgi-bin ? | |||
</pre> | |||
*TAG: access_log | |||
<pre> | |||
access_log /var/log/squid/access.log squid | |||
</pre> | |||
*TAG: refresh_pattern | |||
<pre> | |||
#Suggested default: | |||
refresh_pattern ^ftp: 1440 20% 10080 | |||
refresh_pattern ^gopher: 1440 0% 1440 | |||
refresh_pattern (cgi-bin|\?) 0 0% 0 | |||
refresh_pattern . 0 20% 4320 | |||
</pre> | </pre> | ||
*TAG: cache_mgr | *TAG: cache_mgr | ||
| Line 103: | Line 163: | ||
snmp_access allow snmppublic localhost | snmp_access allow snmppublic localhost | ||
snmp_access deny all | snmp_access deny all | ||
</pre> | |||
*TAG: icp_port | |||
<pre> | |||
icp_port 3130 | |||
</pre> | </pre> | ||
*TAG: error_directory | *TAG: error_directory | ||
| Line 119: | Line 183: | ||
# tell Squid to use our cache_peer for everything else | # tell Squid to use our cache_peer for everything else | ||
never_direct allow all | never_direct allow all | ||
</pre> | |||
*TAG: forwarded_for | |||
<pre> | |||
forwarded_for off | |||
</pre> | |||
*TAG: coredump_dir | |||
<pre> | |||
# Leave coredumps in the first cache dir | |||
coredump_dir /var/cache/squid | |||
</pre> | </pre> | ||
}} | }} | ||
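Review bot: The ACL block added in the Line 45 hunk defines `acl to_localhost dst 127.0.0.0/8`, but the http_access rules added in the Line 65 hunk never reference it, so as far as the visible rules show a client that matches `localhost`, `local-servers` or `AuthorizedUsers` can still use the proxy to reach services bound to the loopback range. Squid's recommended configuration pairs that ACL with `http_access deny to_localhost`, placed directly after `http_access deny CONNECT !SSL_ports` and before the first allow rule, so that the deny is evaluated before any broad allow. Separately, `http_port 3128` in the Line 120 hunk listens on every interface; if the host also has an interface outside the intranet, `http_port <internal-address>:3128` (address is a placeholder) limits the listener to the intended network. The full template body extends beyond the visible hunks, so the Line 72 gap between `allow local-servers` and `allow AuthorizedUsers ProxyUsers` may hold rules not seen here.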
Revision as of 14:30, 22 April 2008
Description
Now that our Samba is connected to our Windows ADS, we can start to authenticate our Squid users against Windows ADS accounts and/or groups.
Dependencies
USE-Flags
Packages
Installation
# emerge squid
# chown root:squid /var/cache/samba/winbindd_privileged
# chmod 750 /var/cache/samba/winbindd_privileged
Configuration
Finalize
# /etc/init.d/squid start
# rc-update add squid default