Re: [squid-users] Optimizing Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 23 Nov 2010 22:16:50 +0000

On Tue, 23 Nov 2010 17:46:39 +0100, Florian Bannasch <f.bannasch_at_arcor.de>
wrote:
> Hi,
>
> I have a small network with 3 computers (WinXP, Ubuntu, Win7).
> Is the configuration correct or do I have to improve something?
>
> Squid: 3.0.STABLE19
> Server: Ubuntu 10.04 LTS, PIV 3,4Ghz, 2GB
>
> TIA, Flo
>
> http_port 192.168.2.253:3128
>
> icp_port 0
> htcp_port 0
>
> # cache_access_log /var/log/squid3/access.log
>
> dns_nameservers 192.168.2.253

Um, DNS server running on the local machine? Use 127.0.0.1 to contact it.
Packet handling is faster over the localhost interface than trying to fit
into the external traffic stream then be turned back into the machine.

>
> cache_mem 1024 MB
>
> maximum_object_size 1 GB
> maximum_object_size_in_memory 64 KB

You can raise this. 1GB of memory cache gives your few PCs plenty of
space.

>
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
>
> cache_dir aufs /Squid 16384 64 512
>
> quick_abort_min -1 KB
> quick_abort_max -1 KB
> quick_abort_pct 100
>
> pipeline_prefetch on
> half_closed_clients off
>
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
>
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 1440 40% 43200
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 1440 40% 43200
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 1440 40% 43200
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 40% 40320
>
> coredump_dir /var/spool/squid3
>
> redirect_children 20

redirect_* is obsolete.
Use: url_rewrite_children 20

> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>

Hmm, good time to ask I suppose. Why use squidguard?
 because you actually need the capacity to process hundreds of thousands
of blocklist entries and respond with a corporate denial page like some ISP?
 or because everyone else is doing it and the tutorials all say so?

> hierarchy_stoplist cgi-bin ?
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl localnet src 192.168.0.0/16

Um, you are missing the basic security lines which protect against
infections spreading via your Squid.

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports

... with the matching default ACL definitions.
http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#Do_you_have_a_squid.conf_example.3F

>
> http_access allow localnet
> http_access allow localhost
>
> http_access allow manager localhost
> http_access allow manager localnet
> http_access deny manager

These "manager" ACL controls need to be above the network-wide allow
permission.

>
> http_access deny all

Amos
Received on Tue Nov 23 2010 - 22:16:53 MST
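The access-control layout Amos describes, as an added example that is not the poster's file or any text from the thread; the Safe_ports and SSL_ports port lists are assumed to be the defaults shipped in the Squid 3.0 squid.conf:

```conf
# Rewritten access-control and housekeeping section for Squid 3.0
# (added example, not the poster's configuration; port lists assumed
# to be the squid.conf defaults).
http_port 192.168.2.253:3128

# The resolver runs on this box, so talk to it over loopback.
dns_nameservers 127.0.0.1

# redirect_* is obsolete in 3.0; url_rewrite_* replaces it.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 20

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.0.0/16

# Default port ACLs that the posted config left out.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# http_access is first-match. The manager rules and the port
# restrictions must sit above the network-wide allow; otherwise
# "allow localnet" matches every LAN request and the later deny
# lines are never reached.
http_access allow manager localhost
http_access allow manager localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
```

After editing, `squid3 -k parse` reports syntax problems and `squid3 -k reconfigure` applies the new rule order without a restart.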