[squid-users] Restrictons to CONNECT, Google-Talk and Space Usage/Expiration

Hello All Once More;

I am attaching my squid.conf in hopes of finding some solutions to what I
have been unsuccessful at accomplishing.

1. I would like to create a list of either domains, sites and/or IP
addresses that would be used to restrict the use of CONNECT to just
sites/URL's contained in this list.

I was thinking of using this:
acl allowed-CONNECTS url_regex -i "/home/squid/etc/allowed-CONNECTS"
http_access deny CONNECT !allowed-CONNECTS

2. I've had some issues recently whereby Squid died and was unable to
restart due to a disk-full condition, though at the time my 60GB partition
was at just 87% full. I was wondering if perhaps I did not specify the size
allocated properly in this config, and/or if I had misused the LFUDA
directive?

3. I am trying to block, if at all possible, google-talk, which can be used
with the mail.google.com URL, but I do *NOT* wish to prevent users from
using google-mail.

Many, many thanks in advance,

.vp

----SQUID.CONF BELOW-------

##################################
# PROXY1
# squid.conf
##################################

debug_options ALL,1

###################################
# General Options
###################################

http_port 8080

hierarchy_stoplist cgi-bin ?

#
# Revisit these two lines later - perhaps move them as well.
#
acl QUERY urlpath_regex cgi-bin \?
#
cache_dir aufs /data/squidcache 51200 64 256
# Increase maximum object size:
maximum_object_size 32 MB
# maximum_object_size 5000000 KB

cache_mem 4 MB
cache_swap_low 97
cache_swap_high 98

ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 4096
buffered_logs off

# Use heap LFUDA replacement policy:

cache_replacement_policy heap LFUDA

cache_access_log /data/squidlogs/access.log

# cache_access_log /data/squidcache
# cache_log /dev/null
# cache_log /tmp/cache.log
# cache_store_log none

#
# Keep this log here? Need if using debug.
#
# cache_store_log /home/squid/var/logs/store.log
cache_store_log none

ftp_user ftp@mydomain.EDU

# Keep? (Not with current AUFS use)
# diskd_program /home/squid/libexec/diskd

#reference_age 6 month
quick_abort_min 1 KB
quick_abort_max 1048576 KB
quick_abort_pct 90
connect_timeout 30 second
read_timeout 5 minute
request_timeout 30 second
client_lifetime 2 hour
half_closed_clients off
pconn_timeout 120 second
ident_timeout 10 second
shutdown_lifetime 15 second

# request_body_max_size 50 MB
request_header_max_size 100 KB
request_body_max_size 2000 KB

refresh_pattern ^ftp: 1440 50% 86400
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 50% 86400

############################
# ACL's
############################

#
# Below is an example of how to block some language/sites.
#

# acl porn url_regex "/home/squid/etc/porn-list"
# acl noporn url_regex "/home/squid/etc/noporn-list"
# http_access deny porn !noporn

# Below is an example of how to prevent certain types of
# files from being downloaded (I.e. .exe, .scr, etc)

# Currently in use to prevent WMF virus. (.wmf files)

acl bad-files url_regex -i "/home/squid/etc/bad-files"
acl good-files url_regex "/home/squid/etc/good-files"

# Reloate the next line to the http_access group?
http_access deny bad-files !good-files

#
# Begin to define networks
#
acl Remote_Access src 192.168.0.0/16
#
acl Building-1 src 8.90.0.0/16
acl Building-2 src 8.93.0.0/16
acl Building-3 src 8.94.0.0/16
acl Building-4 src 8.95.0.0/16
acl Building-5 src 8.96.0.0/16
#
acl DMZ_1 src 192.100.0.0/16
acl DMZ_2 src 192.17.0.0/16
acl DMZ_3 src 192.18.0.0/16
#
acl ICP-ONE src 192.100.2.9
acl ICP-TWO src 192.100.2.10
#
# App uses port 80 for CONNECT
# Only this app should be allowed to use "CONNECT".
#
acl GOOD-APP dst 10.12.161.211
#
#
acl manager proto cache_object
#
# acl localhost src 127.0.0.1/255.0.0.0
acl localhost src 127.0.0.1/32
#
# Define Safe Ports to use.
#
acl Safe_ports port 21
acl Safe_ports port 22
acl Safe_ports port 80
acl Safe_ports port 443 563 8087
#
# Can I just place all of these on one line? Does it matter?
#
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 19638
acl Safe_ports port 8087
#
# Define SSL Ports
#
acl SSL_ports port 443 563
#
acl CONNECT method CONNECT
#
#
# Everyone Else who has not been stated above as a valid Network.
#
acl all src 0.0.0.0/0

# What does this do?
no_cache deny QUERY
#

http_access allow CONNECT GOOD-APP Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

header_access Via deny all
header_access X-Forwarded-For deny all

############################
# http_access
############################
#
#
http_access allow Building-1
http_access allow Building-2
http_access allow Building-3
http_access allow Building-4
http_access allow Building-5
#
http_access allow DMZ_1
http_access allow DMZ_2
http_access allow DMZ_3
#
http_access allow ICP-ONE
http_access allow ICP-TWO
#
http_access allow manager localhost
#
http_access allow manager Building-1
#
#
http_access deny manager
http_access deny all

http_reply_access allow all

cache_mgr cashman@MyDomain.Edu

visible_hostname proxy1

logfile_rotate 8

coredump_dir /home/squid/var/cache

cache_effective_user nobody
cache_effective_group nobody

# TEMP
icp_port 3130

# Allow my peer (proxy2)
icp_access allow ICP-ONE

# Deny everyone else.
# Be sure to edit this in case you modify or add another cache.
#
icp_access deny all

# cache_peer 192.100.1.1 sibling 8080 3130 proxy-only
cache_peer 192.100.1.1 sibling 8080 3130
peer_connect_timeout 10 seconds

# Entry added in case internet is down, squid will still start.
# You may wish to remove it.
dns_testnames localhost

-----END OF SQUID.CONF-------
Received on Mon Apr 02 2007 - 11:45:43 MDT