CHECK SQUID with COMMAND LINE
Alternatively, you can use the squidclient program that comes with Squid:
% squidclient http://www.squid-cache.org/
CHECK CONFIGURATION FILE
Before trying to start Squid, you should verify that your squid.conf file makes sense. This is easy to do. Just run the following command:
% squid -k parse
Re-INIT CACHE with PROGRESS
Cache directory initialization may take a couple of minutes, depending on the size and number of cache directories, and the speed of your disk drives. If you want to watch the progress, use the -X option:
% squid -zX
EXAMPLE CONFIG SQUID for ACL
(1) To allow http_access for only one machine with MAC address 00:08:c7:9f:34:41
To use MAC addresses in ACL rules, Squid must be built with the --enable-arp-acl configure option.
acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all
(2) To restrict access to work hours (9am – 5pm, Monday to Friday) from IP range 192.168.2.0/24
acl ip_acl src 192.168.2.0/24
acl time_acl time M T W H F 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all
(3) Can I use multiple time access control lists for different users at different times?
ACL Definitions
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59
Access Controls
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch
This is wrong. The explanation follows:
Here the access line “http_access allow xyz morning lunch” will not work. ACLs are interpreted like this:
http_access RULE statement1 AND statement2 AND statement3 OR
http_access ACTION statement1 AND statement2 AND statement3 OR
……..
So the line “http_access allow xyz morning lunch” will never match, because morning and lunch are never true at the same time. The ACLs on one line are combined with a logical AND, so if one of them is false the whole line is false: 0/1 AND 0 is always 0 (false).
That is why this line is split in two. It now reads:
http_access allow xyz AND morning OR
http_access allow xyz lunch
If a request comes from xyz during one of the allowed times, one of the rules will match (TRUE) and the other will not (FALSE). TRUE OR FALSE is TRUE, so access is permitted.
Finally, the access controls look like this:
http_access allow abc morning
http_access allow xyz morning
http_access allow xyz lunch
http_access allow asd lunch
http_access deny all
(4) Rules are read from top to bottom. The first rule matched will be used. Other rules won’t be applied.
Example:
http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch
If xyz tries to access something in the morning, access will be granted. But if he tries to access something at lunchtime, access will be denied. It is denied by the deny xyz rule, which is matched before the ‘xyz lunch’ rule.
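Added example (not part of the original notes and not Squid's own code): a simplified Python model of how http_access lines are evaluated, covering the AND-within-a-line behaviour from (3) and the first-match behaviour from (4). It models only exact-IP src and HH:MM-HH:MM time ACLs and treats "all" as built in; the names hhmm, parse, acl_matches, decide and with_rules are hypothetical.

```python
# Added example: simplified model of Squid http_access evaluation (src/time ACLs only).
from datetime import time

def hhmm(s):
    return time(*map(int, s.split(":")))

def parse(conf):
    acls, rules = {}, []
    for line in conf.strip().splitlines():
        tok = line.split()
        if tok and tok[0] == "acl":
            acls[tok[1]] = (tok[2], tok[3])      # name -> (type, value)
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))      # (action, [acl names])
    return acls, rules

def acl_matches(acls, name, src, now):
    if name == "all":                            # assumption: built-in match-everything ACL
        return True
    kind, value = acls[name]
    if kind == "src":
        return src == value
    start, end = (hhmm(p) for p in value.split("-"))  # kind == "time"
    return start <= now <= end

def decide(conf, src, clock):
    """Return (action, rule_number) of the first rule whose ACLs ALL match."""
    acls, rules = parse(conf)
    now = hhmm(clock)
    for n, (action, names) in enumerate(rules, 1):
        if all(acl_matches(acls, a, src, now) for a in names):  # AND within a line
            return action, n                                    # first match wins
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed sample input, using the xyz ACLs from the notes above.
ACLS = """
acl xyz src 172.161.163.86
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
"""
XYZ = "172.161.163.86"
def with_rules(*rules):
    return ACLS + "\n".join("http_access " + r for r in rules)
BROKEN = with_rules("allow xyz morning lunch")
FIXED = with_rules("allow xyz morning", "allow xyz lunch", "deny all")
ORDERED = with_rules("allow xyz morning", "deny xyz", "allow xyz lunch")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED), ("ordered", ORDERED)):
        print(label, [decide(conf, XYZ, t) for t in ("07:00", "14:15", "12:00")])
```

A rule number of None in the result means no line matched and the implicit default was applied.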
LIMIT DOWNLOAD AND UPLOAD SIZE
Tag Name request_body_max_size
Usage request_body_max_size (KB)
Description
This specifies the maximum size for an HTTP request body. In other words, the maximum size of a PUT/POST request. A user who attempts to send a request with a body larger than this limit receives an “Invalid Request” error message. If you set this parameter to zero, there will be no limit imposed.
Default request_body_max_size 1 MB
Tag Name reply_body_max_size
Usage reply_body_max_size (KB)
Description
This option specifies the maximum size of a reply body. It can be used to prevent users from downloading very large files, such as MP3s and movies. The reply size is checked twice. First, when we get the reply headers, we check the content-length value. If the content-length value exists and is larger than this parameter, the request is denied and the user receives an error message that says “the request or reply is too large.” If there is no content-length, and the reply size exceeds this limit, the client’s connection is just closed and they will receive a partial reply.
Default reply_body_max_size 0
If this parameter is set to zero (the default), there will be no limit imposed.
Caution
Downstream caches probably cannot detect a partial reply if there is no content-length header, so they will cache partial responses and give them out as hits. You should NOT use this option, if you have downstream caches.