LinuxQuestions.org
Forums > Enterprise Linux Forums > Linux - Enterprise

04-12-2008, 08:41 AM   #1
neothephoenix
Member
Registered: Oct 2006
Location: India
Distribution: Fedora Core 6, Archlinux Duke
Posts: 52

SQUID 2.6 Problems

Hi LQ,

Just have a few queries about SQUID 2.6.

First some background:

Squid 2.6 Stable on FC6 64-bit
DELL PE 2950 server, Intel Xeon 1.86 GHz, 4 GB RAM, 300 GB RAID-1

/ 10GB
/usr 20GB
/boot 100MB
swap 8GB (4 partitions of 2GB)
/opt 20GB
/var 97GB

First of all, the squid process itself is quite slow even though it shows free memory as more than 3 GB. Nevertheless, it's running.

Now I need to block URLs via pattern matching, e.g. to block all URLs having the word sex or crack or chat etc. in them. I tried with

acl badurl url_regex -i "/etc/squid/badurl.txt"
http_access deny badurl

but it didn't work.

Next, my clients are able to view FTP sites via squid, but I need them not to be cached, i.e. direct access to be given to clients.
Also, the FTP service will be blocked by default, enabled only for particular users.
Is there any way I can do it?

Lastly, I need to authenticate the users accessing squid via an LDAP server running on Lotus Domino.

I'm sending across my squid.conf file for further reference.
Anyone care to take a look at it and tell me if I have added more resources/configuration than needed?

http_port 8080
# cgi-bin / query-string URLs: fetch directly (never via a neighbour cache) and never store them
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# Work around Apache's broken Vary/ETag handling of compressed replies
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Memory and disk cache sizing
cache_mem 256 MB
maximum_object_size 32768 KB
maximum_object_size_in_memory 4096 KB
cache_dir ufs /var/spool/squid 10000 16 256
access_log /var/log/squid/access.log squid
dns_nameservers 202.144.96.4 202.138.96.2
hosts_file /etc/hosts
# Freshness rules: regex, minimum age (minutes), percent of object age, maximum age (minutes)
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# ACL definitions
acl all src 0.0.0.0/0.0.0.0
acl orkut dstdomain .orkut.com
acl badsites dstdomain "/etc/squid/bad_sites"
acl abplan src 10.2.0.0/255.255.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Access list: evaluated top to bottom, first match wins
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny badsites
http_access deny orkut
http_access allow abplan
http_access deny all
http_reply_access allow all
icp_access allow all
# Largest reply body a client may download (bytes)
reply_body_max_size 21000000 allow all
visible_hostname abpproxy2
coredump_dir /var/spool/squid

BTW, can anyone tell me where to find a list of URLs generally blocked in corporate environments?

Any response is welcome...

Last edited by neothephoenix; 04-14-2008 at 11:31 PM. Reason: A small typing mistake; the configuration remains and so does the query.

04-12-2008, 09:30 AM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

"acl http_access deny badurl" is incorrect, that line would be "http_access deny badurl" and inserted in a suitable position relative to other http_access statements.

04-13-2008, 12:10 PM   #3
neothephoenix
Original Poster

Sorry guys, a small typo error.

acl badurl url_regex -i "/etc/squid/badurl.txt"
http_access deny badurl

is the actual config I used.

04-13-2008, 01:56 PM   #4
acid_kewpie
Moderator

Well, try it again and then show us all the config actually in situ, so there's no chance of typos, confusion or anything.
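The position point made above is the usual reason a url_regex deny "didn't work": Squid 2.6 walks the http_access list top to bottom and stops at the first match, so a `http_access deny badurl` that lands below `http_access allow abplan` is never reached for anyone on 10.2.0.0/16. The fragment below is an added example, not configuration from the thread; it reorders the access list posted in #1 and also covers the two FTP requests from that post. The contents of /etc/squid/badurl.txt and the file /etc/squid/ftp_users are assumptions; everything not shown (http_port, cache_dir, refresh_pattern, the other acl lines) stays exactly as posted.

```squid
# Added example: access-list fragment for the squid.conf posted in this thread.

# --- URL pattern blocking ----------------------------------------------------
# /etc/squid/badurl.txt: one POSIX extended regex per line, matched
# case-insensitively (-i) against the WHOLE URL. Anchor the patterns: a bare
# "sex" also blocks www.essex.ac.uk and a bare "crack" blocks nutcracker.example.
# Assumed contents of the file:
#   ^[a-z]+://([^/]*[.-])?(sex|porn)
#   ^[a-z]+://([^/]*[.-])?chat
#   /crack(s|z)?(/|$)
acl badurl url_regex -i "/etc/squid/badurl.txt"

# --- FTP: never cache it, allow it only for listed clients ------------------
acl ftp proto FTP
# assumed file: one client address or network per line, e.g. 10.2.0.15
acl ftp_users src "/etc/squid/ftp_users"
cache deny ftp                  # FTP replies are fetched every time, never stored
always_direct allow ftp         # only has an effect once a cache_peer is configured

# --- http_access: first match wins, so order is the whole game --------------
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny badsites
http_access deny orkut
http_access deny badurl         # must precede "allow abplan" or it is never reached
http_access deny ftp !ftp_users # FTP from anyone not in the list is refused
http_access allow abplan
http_access deny all
```

Check the result with `squid -k parse` before `squid -k reconfigure`, then watch access.log for TCP_DENIED entries against a test URL. Two caveats a reviewer would raise: an HTTPS request reaches the proxy as `CONNECT host:port`, so path patterns such as `/crack/` can never match it and only the hostname is visible; and every request is run through the whole regex file, so host-only blocks belong in the dstdomain list (bad_sites), which is far cheaper. Once the LDAP authentication from post #5 is in place, ftp_users can be a list of logins rather than addresses, e.g. `acl ftp_users proxy_auth alice bob`.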

04-25-2008, 07:15 AM   #5
neothephoenix
Original Poster

Hi LQ,
My LDAP authentication problem is finally solved.
Following are the required lines from squid.conf:

# -h/-p: Domino LDAP server and port; -P: keep the LDAP connection open between lookups
# -b: search base; -f: filter used to find the user's DN, %s is the login name
auth_param basic program /usr/lib64/squid/squid_ldap_auth -h blackberry.abpmail.com -p 389 -P -b abp -f "uid=%s"
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
# how long a successfully verified username/password pair is cached before LDAP is asked again
auth_param basic credentialsttl 5 minute
# matches any request carrying valid credentials; a request without them gets a 407 challenge
acl ldapauth proxy_auth REQUIRED
http_access allow ldapauth

Now the users are getting authenticated via the Domino LDAP server called blackberry.abpmail.com.

05-02-2008, 08:21 AM   #6
neothephoenix
Original Poster

Block specific users in LDAP from accessing squid

Hi,
As I mentioned in my previous post, internet users are getting authenticated via LDAP and are able to access the net.
Now I need to block some of the users in LDAP from accessing the internet.
Any suggestions on how to achieve that?

Thanks in advance.

05-02-2008, 09:46 AM   #7
acid_kewpie
Moderator

Well, you haven't specified what the distinction would be within LDAP, but in general that would be groups. It's best to use groups to allow access to a resource, not prevent it, so generally you'd have an LDAP group called "InternetAccess" or something, and use the squid_ldap_group tool to use it to define the valid users in a matching ACL. Here's a suitable document defining this...

http://wiki.debian.org/DebianEdu/How...Authentication

Note that you have two isolated things going on here: 1) authentication, which you already have, and 2) authorization, which the groups would be for, and in fact they have very little in common other than the same LDAP backend.
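Group-based authorization wired next to the authentication from post #5, as an added example that is neither from this thread nor from the linked Debian document. The group name InternetAccess is the one suggested above and the helper path mirrors post #5; the LDAP search filter and the attribute names in it (cn, member) are assumptions and have to be adapted to the Domino directory schema. The access list also closes a hole a reviewer would flag in the posted configuration: as long as `http_access allow abplan` is present on its own, a request that carries no credentials is not challenged but simply matched by that src line and served unauthenticated, so the LAN rule is combined with the group rule instead.

```squid
# Added example: authentication plus group-based authorization for Squid 2.6.

# --- Authentication (post #5, unchanged): proves who the user is ------------
auth_param basic program /usr/lib64/squid/squid_ldap_auth -h blackberry.abpmail.com -p 389 -P -b abp -f "uid=%s"
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute
acl ldapauth proxy_auth REQUIRED

# --- Authorization: decides what an authenticated user may do ---------------
# Squid hands squid_ldap_group "<user> <group>" pairs (the %LOGIN format token
# supplies the authenticated login) and the helper answers OK or ERR.
# ttl=300 caches each answer for five minutes, so removing someone from the
# group takes effect within that window, not instantly.
# ASSUMPTION: the group is an entry with cn=InternetAccess whose members are
# listed in a "member" attribute as login names; adjust -b and -f to the
# Domino schema (the helper's -F/-B options resolve the login to a DN first
# when members are stored as full DNs).
external_acl_type ldap_group ttl=300 %LOGIN /usr/lib64/squid/squid_ldap_group -h blackberry.abpmail.com -p 389 -P -b abp -f "(&(cn=%g)(member=%u))"
acl inet_users external ldap_group InternetAccess

# --- Access list: challenge first, then allow by group, deny the rest -------
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny !ldapauth          # no credentials: 407 challenge, nothing below is consulted
http_access deny badsites
http_access deny orkut
http_access allow abplan inet_users # on the LAN AND a member of InternetAccess
http_access deny all                # everyone else, including valid LDAP users outside the group
```

Test the helper on its own before wiring it in: `echo "jdoe InternetAccess" | /usr/lib64/squid/squid_ldap_group -d -h blackberry.abpmail.com -p 389 -b abp -f "(&(cn=%g)(member=%u))"` prints OK or ERR, and -d shows the search it ran, which is the quickest way to get the filter right. Then `squid -k parse` and `squid -k reconfigure`. Two points worth stating plainly: Basic authentication sends the password base64-encoded on every request, and both helpers talk cleartext LDAP on 389 as configured, so the proxy and the directory should sit on a trusted segment; both squid_ldap_auth and squid_ldap_group accept -Z for StartTLS if the Domino server supports it.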