[H-GEN] Squid conf file

Rick Phillips rickp at suntech.net.au
Wed Aug 3 07:15:24 EDT 2005


I have been using Linux for some years and have set up a few servers with
mail, apache, mysql etc but have never before had to set up squid.  In
this particular case, the squid server must point to another proxy
server higher up (a parent).  A conf file written in 2003 by the
Education Dept forms the basis of the conf file I have used because this
machine is deployed within the education system.

In the system, the parent server has a certain number of sites blocked
as inappropriate for students and on a local basis, we would block quite
a few more.

The proxy server locally is working and authenticating users against the
parent but the problem is that the local blocks are not working and,
after reading extensively and poring over the conf file, I can't see why
it is not.  Perhaps the 2003 conf file is no longer appropriate now as I
am using squid 2.5 in Mandriva 10.1 server edition.  I know that the
block files are being read and parsed as I have had to correct a few
errors.

I have attached the conf file with a couple of minor changes to hide
sensitive information and you will notice that the log files are kept in
an unusual place in deference to another admin who knows nothing about
Linux.  The folder where the conf, blocks and logs are kept is a samba
share so they can be accessed by him on a Windows box.

I would be grateful for any clues to get this thing working as it
should.

Thanks in advance,

Rick Phillips
-------------- next part --------------
################################################################
# Squid configuration file
# For access with Education Queensland Managed Internet Service
################################################################
#
# Version 1.6 - 16 September 2003
# Removed reference to ip ranges other than 10.* due to problems with HP and QUT sites
#
# Version 1.5 - 28 August 2003
# Added in local content filtering structure after request from a school
#
# Version 1.4 - 25 August 2003
# Added pipeline_prefetch to help improve performance
# Added uri_whitespace encode option to work with urls with spaces
# Added strip_query_terms off to permit logging of full urls visited in logs
#
# Version 1.3 - 20 August 2003
# Added "login=PASS" to cache_peer line for v2.5 to work with upstream proxy
#
# Version 1.2 - 29 June 2003
# Standard
#
# specifies which local port squid will listen on
# this is the port the local browsers will need to be configured to use
http_port 3128
icp_port 3130

#location of upstream proxy
#add login=username:password to the end of cache_peer (where it is a valid EQ ID account) - this removes login prompt
#from the user and takes them directly to the internet - required for any local authentication programs
cache_peer upstream_proxy_server parent 80 3130 no-query default login=PASS

#size of memory allocated to squid for its cache - best to run at under half of system memory but not too large
cache_mem  256 MB

#specifies cache size (500MB in this case - make as large as required ) and location
cache_dir ufs /var/spool/squid 71250 16 256
cache_swap_low  93
cache_swap_high 95

# Sets what machines can use this proxy service
# can be limited to school's assigned ip address range eg .
#acl all src 10.137.240.0/255.255.254.0
acl all src 10.0.0.0/255.0.0.0

# Sets access to protocols
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 8443
acl Safe_ports port 80 21 443 563 800 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost all
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
icp_access allow all
miss_access allow all

# Stops caching of dynamic content
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


# Sample of setup of local filtering for requests processed by this server
# Filtering can be applied to squid by creating and entering content into the files listed below

# Allow these to override any blocks eg. ;
# /adirectorysomewhere
# acl allowedsites urlpath_regex "/etc/squid/blocks/allowed_sites"
# http_access allow allowedsites

# Block access to any web domain eg ;
# .playboy.com
acl blockeddomains dstdomain "/etc/squid/blocks/blocked_domains.txt"
http_access deny blockeddomains

# Block access to any particular file type eg. ;
# \.mp3$
acl blockedfiles urlpath_regex -i "/etc/squid/blocks/blocked_files.txt"
http_access deny blockedfiles

# Block access to these strings if they are in the url eg. ;
# porn
acl blockedsites urlpath_regex -i "/etc/squid/blocks/blocked_sites.txt"
http_access deny blockedsites


#these lines allow intranet sites to function - it sends any requests directly to that server
#uncomment or modify as it suits - if any problems are struck - comment these lines out
acl intranet1 dstdomain *education.qld.gov.au
acl intranet2 dstdomain *.govnet.qld.gov.au
acl intranet3 dstdomain *qed.qld.gov.au
acl intranet4 dstdomain *.eq.edu.au
acl ipadd1 dst 10.0.0.0/255.0.0.0
always_direct allow intranet1
always_direct allow intranet2
always_direct allow intranet3
always_direct allow intranet4
always_direct allow ipadd1

#set this email address to the proxy administrator
cache_mgr changed at school.someplace

#this is the name of the proxy server displayed in error messages
visible_hostname Proxy_Server

#this forces the proxy to pass all requests to the cache_peer server
never_direct allow all

# Extra performance options
# Setting this may help with urls that contain spaces and other illegal characters
# and encode to ascii to permit access - default option is to strip the url
uri_whitespace encode

# This option logs the entire http request string in the logs
strip_query_terms off

# This allows squid to fetch multiple objects through
# the one connection and may speed up performance and reduce latency
pipeline_prefetch on

# Logging & stuff
maximum_object_size 1000 MB
cache_access_log /etc/squid/log/access.log
cache_log /etc/squid/log/cache.log
cache_store_log /etc/squid/log/store.log
emulate_httpd_log on
log_fqdn on
# store_avg_object_size 30 MB (don't know what this does so have turned it off)
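
Squid checks http_access lines from top to bottom and stops at the first one that matches, so the position of each deny line decides whether it is ever consulted. The following is an added example, not part of the original post or of the Education Queensland file: a small Python lint that walks the http_access lines of the attached config in order and reports rules that an earlier rule always pre-empts. It assumes the ACL named `all` matches every client this proxy serves (here 10.0.0.0/8); the function names are hypothetical.

```python
# Added example: lint http_access ordering (Squid stops at the first match).
# CATCH_ALL is an assumption: ACL names treated as matching every client served.
CATCH_ALL = frozenset({"all"})

# Constructed sample: the http_access lines from the posted squid.conf, in order.
SAMPLE_CONF = """\
http_access allow manager localhost all
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access deny blockeddomains
http_access deny blockedfiles
http_access deny blockedsites
"""

def parse_http_access(conf_text):
    """Return [(line_no, action, frozenset_of_acl_terms)] in file order."""
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_access" and fields[1] in ("allow", "deny"):
            rules.append((line_no, fields[1], frozenset(fields[2:])))
    return rules

def find_shadowed(rules, catch_all=CATCH_ALL):
    """Report rules that can never fire: an earlier rule's terms (catch-all
    ACLs ignored) are a subset of theirs, so it matches first every time."""
    shadowed = []
    for j, (line_no, action, terms) in enumerate(rules):
        for prev_no, prev_action, prev_terms in rules[:j]:
            if (prev_terms - catch_all) <= (terms - catch_all):
                shadowed.append((line_no, action, prev_no, prev_action))
                break
    return shadowed

def term_holds(term, matching_acls):
    """A term is an ACL name, or !name for its negation."""
    return term[1:] not in matching_acls if term.startswith("!") else term in matching_acls

def decide(rules, matching_acls):
    """First-match evaluation for a request for which the named ACLs are true."""
    for line_no, action, terms in rules:
        if all(term_holds(t, matching_acls) for t in terms):
            return action, line_no
    return None, None  # no rule matched; Squid's fallback is not modelled here

if __name__ == "__main__":
    for line_no, action, prev_no, prev_action in find_shadowed(parse_http_access(SAMPLE_CONF)):
        print(f"line {line_no}: '{action}' never reached, line {prev_no} '{prev_action}' matches first")
```

Run against the sample, the three local deny rules are reported as pre-empted by the `allow all` line above them; with that line moved below them, nothing is reported.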


