--- /etc/squid.conf.rpmnew Sat Nov 20 17:13:55 1999 +++ /etc/squid.conf Sat Mar 3 20:38:47 2001 @@ -294,8 +294,8 @@ # There is no default. We recommend you uncomment the following # two lines. # -#acl QUERY urlpath_regex cgi-bin \? -#no_cache deny QUERY +acl QUERY urlpath_regex cgi-bin \? +no_cache deny QUERY # OPTIONS WHICH AFFECT THE CACHE SIZEModifications recommended by comments: do not cache pages whose URL contains a question mark (likely to be a dynamically generated page, which is pointless to cache)
@@ -434,6 +434,7 @@ # disable it. # #cache_store_log /var/squid/logs/store.log +cache_store_log none # TAG: cache_swap_log # Location for the cache "swap.log." This log file holds theModifications recommended by comments: do not maintain this logfile, as there are no tools for exploiting it anyways
@@ -638,7 +639,7 @@ # # authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd # -#authenticate_program none +authenticate_program /usr/bin/smb_auth -W keller # TAG: authenticate_children # The number of authenticator processes to spawn (default 5). If youAuthentication program used to connect to Samba server of the keller domain to verify user's passwords
@@ -889,7 +890,7 @@ # # This option may be disabled by using --disable-ident with # the configure script. -#ident_timeout 10 seconds +ident_timeout 10 seconds # TAG: shutdown_lifetime time-units # When SIGTERM or SIGHUP is received, the cache is put intoModifications recommended by comments: provide timeout for the case where ident is too slow to answer
@@ -996,6 +997,40 @@ acl SSL_ports port 443 563 acl Safe_ports port 80 21 443 563 70 210 1025-65535 acl CONNECT method CONNECT +deny_info ERR_PASSWORD_FAILED password +deny_info ERR_LOCKED_USER lockedUsers +deny_info ERR_LOCKED_USER identLockedUsers +deny_info ERR_IDENT_FAILED ident +deny_info ERR_MSIE_SUCKS msie +deny_info ERR_TRANSP_FAILED explicit +deny_info ERR_CENSORED_SITE censoredDomains +deny_info ERR_CENSORED_SITE censoredIps +deny_info ERR_LTNB_FAILED localNetsError messages to be displayed when the corresponding access control list fails. deny_info file acl
The following changes are maintained by Webmin.
First come the acl lines. They define an access control list, which may later be used in a rule. An access control list by itself just defines a set of queries, without saying yet at this point whether these queries should fail or succeed. Acl have the following syntax:
acl name kind item1 item2 ... itemn
|name||name used to refer to this acl in a deny_info or http_access clause|
|kind||which kind of condition this acl describes:
|data||values that the given parameter can take. The acl is matched if (at least) one value of the list corresponds (logical or)|
+acl explicit myip 22.214.171.124Matches any request which is addressed to the proxy host (all requests should). Used to detect implicit proxy requests, which appear to be addressed to the Web server, rather than the proxy host.
+acl msie browser MSIEBlock request from inferior browsers.
+acl password proxy_auth REQUIREDRequires user to identity himself by password
+acl ident ident REQUIREDRequires user to be identifies by Unix ident
+ +# WEBMIN: Users that are not allowed to surf +acl lockedUsers proxy_auth root root2 testel51 xxxxxxxx xxxxxxxx xxxxxxxx xxxxxx +acl identLockedUsers ident root root2 testel51 xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxUsers who are not allowed to surf, either for technical reason (root, ...) or for disciplinary reasons (testel51)
+ +# WEBMIN: Censored domains +acl censoredDomains dstdom_regex ^none$ rotten\.com freudin\.com whitehouse\.com area\.com rwx\.com he\.net is-europe\.net freevideochat\.com via\.net go\.to luxusbuerg\.lu www\.luxusbuerg\.luCensored domains
+ +# WEBMIN: Censored IP addresses +acl censoredIps dst 126.96.36.199/24 188.8.131.52 184.108.40.206 220.127.116.11Domains blocked by IP address
+ +# WEBMIN: Clients which may connect without a password, and without +# WEBMIN: any other destination restriction +acl unfilteredClients src 10.0.0.1 18.104.22.168 22.214.171.124/255.255.255.224 127.0.0.1 126.96.36.199/255.255.255.240 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124Clients which are not filtered (no need to enter username/password, no restriction on places to surf to)
+ +# WEBMIN: Linux "compute servers" which run netscape, and which may connect +# WEBMIN: without a password but can only go to allowed destinations +acl surfServers src 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124Unix hosts, on which users are identified by identd, rather than username/password.
Now come the actual access control lists, which say which actions are allowed or denied depending on the acls which the query is in.
Denies/Allows access to all requests matching all ACL's in the list (logical AND). The http_access commands are "executed" in order. The action (deny or allow) corresponding to the first http_access which matches a given request is taken.
http_access deny/allow lists
# TAG: http_access # Allowing or Denying access based on defined access lists @@ -1023,9 +1058,31 @@ http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports +http_access deny msieDeny access from inferior browsers.
# # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # +http_access deny !localNetsDeny any access not coming from a local net. Indeed, we do not want our proxy to be used by people connecting from other sites, which might use it for "connection laundering".
+ +# WEBMIN: Hosts allowed to connect without restriction +http_access allow unfilteredClientsAllow access from unfiltered clients without any further checks.
+ +# WEBMIN: Deny access for transparent proxy +http_access deny !explicitDeny any access which uses this as an implicit proxy. This is because any clients coming to this point are filtered clients, for which the user needs to be authenticated, and authentication does not work when operating as an implicit proxy.
+ +# WEBMIN: Deny access without password +http_access deny !surfServers !passwordSurf servers are Unix hosts such as those in the conference and in physics. If the connection does not come from one of those, and if no password is supplied, refuse. Basically, this rule says that for non-Unix hosts, we must check the password.
+http_access deny !surfServers lockedUsersIf the request came from a non-Unix host, and corresponds to a locked user, refuse access.
+http_access deny surfServers !identIf the access came from a Unix host, and the user could not be identified, using identd refuse. Basically, this rule says that for Unix hosts, we must check identd.
+http_access deny surfServers identLockedUsersIf the request came from a Unix host, and corresponds to a locked user, refuse access.
This is similar to the rule above; the reason why there are two different rules rather than one for both cases is because the ACL contains the method how the user has been identified, which is different for both cases.
+ +# WEBMIN: More restrictions +http_access deny censoredDomains +http_access deny censoredIpsRefuse request to domains or IP addresses which are censored.
+ +# WEBMIN: Allow everything which is not forbidden +http_access allow !surfServers passwordIf the request came from a non surf server, and a password has been supplied, allow it.
+http_access allow surfServers http_access deny all # TAG: icp_accessIf the request came from a surf server, allow it