Re: [squid-users] Squid config file administration, maintenance and partition

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 04 Feb 2009 17:19:27 +1300

Elli Albek wrote:
> Thanks.
>
> We are using 2.6 in the production server, apparently include is not
> possible. Is there any alternative in 2.6 for splitting the config file?
>
> E

Not in 2.6.

Amos

>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Sunday, February 01, 2009 7:27 PM
> To: Elli Albek
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid config file administration, maintenance and
> partition
>
>> Hi,
>> I want to keep my ACLs separate from the main squid config file, so we can
>> upgrade squid easily without touching this file too much (hopefully).
>>
>> The problem is that the user ACLs are supposed to be somewhere in the
>> middle of the conf file.
>>
>> There are a couple of options that I was thinking about. I tried both and
>> got both to work as reverse proxy, however I am not really sure about the
>> rest of the services that may be disabled.
>>
>> Option 1
>> In the main squid file just call my ACL. I still need to change this file,
>> but not much:
>>
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> include my_acl.conf
>>
>> Option 2
>> Call my ACLs in the beginning, and then call the default squid conf file:
>>
>> So my squid.conf file looks like this:
>> include my_acl.conf
>> include squid.conf.default
>>
>> Option 2 seems better since I can leave the squid conf files intact.
>> It is also a way to run multiple instances of squid on the same box
>> without duplicating configuration. Each instance conf file does some
>> instance configuration, and then calls my ACL and the default squid ACL.
>> Example:
>>
>> access_log /var/logs/squid/instance_1/access.log squid
>> include my_acl.conf
>> include squid.conf.default
>> pid_filename /var/logs/squid/instance_1/squid.pid
>>
>> I am not sure that option 2 is OK. It may be blocking other services that
>> squid uses in the default configuration (for administration and
>> monitoring).
>> Generally this is reverse proxy, so it should allow only HTTP to the
>> origin server and nothing more.
>>
>> Is option 2 a workable solution or will it have problems working with the
>> default configuration?
>>
>> E
>
> Both are usable with some care.
>
> (1) is the easier one. Several of the access controls (Safe_ports,
> SSL_ports, and manager access) are provided by the default config and
> usually NEED to be listed before any custom http_access lines.
>
> (2) needs you to be extra careful and duplicate the proper order of those
> controls in your own config.
>
> Issues you will encounter with the many options 'required' settings in
> squid.conf with older squid are being resolved from 3.1. So the
> possibility of breakage errors is greatly reduced.
>
> Amos
>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE12
   Current Beta Squid 3.1.0.4
Received on Wed Feb 04 2009 - 04:19:23 MST
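
Added example, not part of the original thread and not Squid project code: a Python check of the ordering point in the reply above, that the default manager, Safe_ports and SSL_ports rules need to come before custom http_access lines. The file contents, the names option1.conf and option2.conf, and the function names are constructed for illustration; include globbing and quoted paths are not handled.

```python
# Guards from the default squid.conf that custom rules should follow.
GUARDS = [("deny", "manager"), ("deny", "!Safe_ports"),
          ("deny", "CONNECT", "!SSL_ports")]

# Constructed, abbreviated sample files (not taken from the thread).
DEFAULT_HEAD = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
FILES = {
    "my_acl.conf": "acl our_site dstdomain www.example.com\n"
                   "http_access allow our_site\n",
    "squid.conf.default": DEFAULT_HEAD + "http_access deny all\n",
    # Option 1: include at the "insert your own rules" position.
    "option1.conf": DEFAULT_HEAD + "include my_acl.conf\nhttp_access deny all\n",
    # Option 2: custom rules first, then the untouched default file.
    "option2.conf": "include my_acl.conf\ninclude squid.conf.default\n",
}

def flatten(name, files, seen=()):
    """Expand include lines depth-first into (file, lineno, tokens) tuples."""
    if name in seen:
        raise ValueError("include loop at " + name)
    out = []
    for n, raw in enumerate(files[name].splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens[:1] == ["include"]:
            for inc in tokens[1:]:
                out += flatten(inc, files, seen + (name,))
        elif tokens:
            out.append((name, n, tokens))
    return out

def early_allows(main, files, custom="my_acl.conf"):
    """List custom allow rules that are evaluated before each guard."""
    rules = [d for d in flatten(main, files) if d[2][0] == "http_access"]
    found = []
    for guard in GUARDS:
        idx = [i for i, r in enumerate(rules) if tuple(r[2][1:]) == guard]
        for f, n, t in rules[:idx[0] if idx else len(rules)]:
            if f == custom and t[1:2] == ["allow"]:
                found.append((" ".join(guard), f, n))
    return found
```

An empty result for option1.conf and three findings for option2.conf reflect first-match evaluation: in the option 2 layout the custom allow is reached before any of the default deny rules.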
