Re: [squid-users] http://bugs.squid-cache.org/show_bug.cgi?id=4223
On 27/01/2016 1:03 p.m., Tory M Blue wrote:
> Can we get an update on the bug mentioned here "
> http://bugs.squid-cache.org/show_bug.cgi?id=4223";
>
> With this unfixed one can't use siblings with HTCP or anything actually. I
> should be able to have my origin and a sibling, I should be able to make a
> request to my sibling for a document and if that fails the request goes to
> the origin, and not pass back the failure from the sibling.
>
> Just wondered why this bug is allowed to persist?

Good question. Nobody with money has yet been bothered enough to pay for it to be fixed. Those of us doing Squid code as a hobby in our spare time are currently focussed on either other bugs or other components totally unrelated to it.

FYI: the quick workaround would be a config option added to cache_peer to disable sending the "Cache-Control:only-if-cached" header on requests to that peer.

The full long-term fix would be to also do an audit of the code handling the sibling response to see why 500 is not doing exactly as you described above.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] SSL error since I migrated from Squid3.5.10 to Squid3.5.13.
On 29/01/2016 2:08 p.m., Sebastien.Boulianne wrote:
> Hi,
>
> Since I migrated my Squid to the latest version, many many many users
> notified me they are SSL warning message.
> I haven't this issue with the Squid3.5.10.
> I used the Eliezer's yum package.
>
> The problem only happens with phones using active-sync.
> I haven't changed my active-sync configuration and it worked perfectly with
> Squid3.5.10.
> Why does it happens then ?!??
>

Unknown. There are a couple of possibilities.

Can you try an incremental upgrade? to 3.5.11 for a bit, then .12, then .13 to narrow down the set of possible changes we need to look at.

> On the browsers, I don't get any warning message.
>
> I used exactly the same config and the same wildcard certificate.
>
> When I run service squid status, I got this:
> Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
> Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on
> FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
>
> Anyone can explain me that please and tell me how to fix it ?
>

If you don't mind, what is the "..." bit exactly?

Amos
Re: [squid-users] squid 3.1 ldap authentication
Thanks! I ran tcpdump, didn't really notice anything. Any other suggestions?

Thanks,
Nando

> On Jan 25, 2016, at 10:07 AM, Anders Gustafsson wrote:
>
> Do a packet trace on the LDAP connection. I bet the delay happens there.
> Also: I suspect that it might do the same LDAP lookup for EVERY HTTP session
> of which there might be thousands for a complex page.
>
> nando mendonca 2016-01-25 17:52 >>>
> I'm running squid 3.5.12, i'm using ldap for authentication. When trying to
> browse the internet from clients it takes up to 10 minutes for the website
> to load. Can you please assist me in troubleshooting what the issue is?
> Below is my squid.conf file.
>
[squid-users] SSL error since I migrated from Squid3.5.10 to Squid3.5.13.
Hi,

Since I migrated my Squid to the latest version, many many many users notified me they are SSL warning message.
I haven't this issue with the Squid3.5.10.
I used the Eliezer's yum package.

The problem only happens with phones using active-sync.
I haven't changed my active-sync configuration and it worked perfectly with Squid3.5.10.
Why does it happen then ?!??

On the browsers, I don't get any warning message.

I used exactly the same config and the same wildcard certificate.

When I run service squid status, I got this:
Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:30 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)
Jan 28 18:17:31 squid.cpu.ca squid[5147]: Error negotiating SSL connection on FD 155: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3...wn (1/0)

Anyone can explain me that please and tell me how to fix it ?

Thank you very much for your answer.

Sébastien
Re: [squid-users] squid 3.1 ldap authentication
Hey Nando,

Can you test something?

On 25/01/2016 17:52, nando mendonca wrote:

external_acl_type ldap_group %LOGIN /usr/local/squid1/libexec/ext_ldap_group_acl -R -b "ou=groups,dc=gcsldap,dc=corp,dc=domain,dc=com" -D "cn=cost,ou=admin,dc=gcsldap,dc=corp,dc=domain,dc=com" -f "(&(memberuid=%u) (cn=%a))" -w password -h ldap.corp.domain.com

In the above replace the "%LOGIN" with "%un" and see what happens.
The differences are mentioned at: http://www.squid-cache.org/Doc/config/external_acl_type/

Also comparing your command to what I have tested with I see something different.
My test command can be seen in this ML thread:
- http://lists.squid-cache.org/pipermail/squid-users/2015-July/004874.html

I do not have the executable in my hands so I don't know the meaning of the "-R" flag and compared to the command I have used it's different.

Try the above and we will see the results,
Eliezer
Re: [squid-users] forwarded_for problems log client ip apache 2.4
Hey,

It is off-topic but I do have a setup that works with this and it depends on couple things.

The first thing is that it's not clear to me how you use the squid and the apache services together. Your squid.conf shows two ports that both are in forward mode rather than reverse mode which the setup would be pretty different by the proxy functionality.

The basic scenario that the proxy provides a Forwarded-For header is when it has someone to inform about it such as internal service or a reverse proxy. When it's a parent or sibling proxy then the forwarded_for option should be in "on" mode. Just notice that if you have some WAN connection in the middle then without an HTTPS secured connection it would probably be meaningless for a service unless it has a specific set of IP addresses that it trusts.(unless the service has a reverse or forward dns resolution mechanism that will "automatically" add\identify origin sources by the domain name A\\CNAME records)

Currently squid doesn't have the option to use some ACLs in order to decide to who\what he will send the forwarded-for headers which might be important in use cases like I think yours is.

Basically based on the assumption that this proxy doesn't have any child proxy services the right way to implement the forwarded-for is using the "truncate" and not the "on" option to avoid any sort of ip impersonations.(since any client can add "X-Forwarded-For: X.Y.Z.I" to the request).

As for the apache remote_ip module and squid it is very simple to test, a simple tcpdump on the proxy or the apache server with some filters will show you what is on the wire and what the apache server receives.

The main question is what you do see in your apache logs and what you expect to appear in them?

I can lend you my working remoteip modules settings:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.168.10.10

From the docs at:
- https://httpd.apache.org/docs/trunk/mod/mod_remoteip.html#remoteiptrustedproxy
- https://httpd.apache.org/docs/trunk/mod/mod_remoteip.html#remoteipinternalproxy

I assume that you are wrongly using the "RemoteIPTrustedProxy" directive to trust this proxy about internal 10/8 192.168/16 etc addresses spaces which it cannot(as documented).
So my suggestion is to try the "RemoteIPInternalProxy" instead of "RemoteIPTrustedProxy".

Notice that remote_ip is IP related module and will not result in reporting any sort of domain name in the access logs, resulting in such log format will be an apache log related subject which I have never used.

Currently the log format I am using in apache is:

LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combined_vhost

Which will show the remote_ip module resolved IP address and will report the target vhost in the end of the log line so it won't break some log parsing tools.

All The Bests,
Eliezer

* I wrote this long email partially as documentation of the subject for later use in searches.

On 28/01/2016 15:38, L.P.H. van Belle wrote:

Hai,

I having some troubles to get my client ip (and/or hostname) logged in my apache webserver.

I do think this is something in my squid setup, but i can find it..

So if anyone can help me out a bit, would be great.

I’ve tested with the forwarded_for options tried all options here.

http://www.squid-cache.org/Versions/v3/3.5/cfgman/forwarded_for.html

im using Debian Jessie, Apache 2.4 with mod_remoteip

http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader

My settings for remoteip ( and yes the modules is enabled )

a2query -m | grep remote
remoteip (enabled by site administrator)

# for remote proxy setup
RemoteIPHeader X-Forwarded-For
# for cluster setup
#RemoteIPHeader X-Real-IP

RemoteIPTrustedProxy 127.0.0.1/8
RemoteIPTrustedProxy 192.168.x.x/24
RemoteIPTrustedProxy 192.168.x.x/24
RemoteIPTrustedProxy prxy1.internal.domain.tld
RemoteIPTrustedProxy prxy2.internal.domain.tld

#original : LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

any tips on howto debug this, i did find lots of things with google, but none worked for me.

This is my (sanitized) squid config, default values are not shown.

Any improvement tips are welcome ;-) but my biggest problem now is getting the ip of the client in my webserver logs.

Greetz,
Louis

# squid 3.5.12 config
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=domain,dc=internal,dc=domain,dc=tld"
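
An added example, not taken from Eliezer's message or from Apache's code: a simplified model of how a mod_remoteip-style resolver walks X-Forwarded-For from right to left, showing why a proxy listed with RemoteIPTrustedProxy is not believed about private client addresses, and why listing a whole client subnet as proxies lets a client-supplied header value through. The `resolve_client` helper and every address except 192.168.10.10 are constructed for illustration.

```python
import ipaddress

# Blocks that a RemoteIPTrustedProxy-style proxy is not believed about, as the
# mod_remoteip documentation linked in the message describes.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


def _matches(ip, networks):
    return any(ip in net for net in networks)


def resolve_client(peer, xff, internal=(), trusted=()):
    """Return (logged_client_ip, leftover_header) for one request.

    peer     -- address of the TCP connection as seen by the web server
    xff      -- X-Forwarded-For header value
    internal -- networks listed the way RemoteIPInternalProxy would list them
    trusted  -- networks listed the way RemoteIPTrustedProxy would list them
    """
    internal = [ipaddress.ip_network(n) for n in internal]
    trusted = [ipaddress.ip_network(n) for n in trusted]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops:
        is_internal = _matches(current, internal)
        if not (is_internal or _matches(current, trusted)):
            break  # this hop is not a known proxy: stop believing the header
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # not an IP address: leave it in the header
        if not is_internal and _matches(candidate, PRIVATE_BLOCKS):
            break  # a "trusted" (external) proxy cannot vouch for private IPs
        current = candidate
        hops.pop()
    return str(current), ", ".join(hops)


if __name__ == "__main__":
    squid = "192.168.10.10"    # proxy address from the settings quoted above
    client = "192.168.10.57"   # constructed LAN client
    spoofed = "203.0.113.7"    # constructed value a client put in its own header

    # Listed as trusted proxy: the private client address is refused.
    print(resolve_client(squid, client, trusted=[squid + "/32"]))
    # Listed as internal proxy: the client address is logged.
    print(resolve_client(squid, client, internal=[squid + "/32"]))
    # forwarded_for on: Squid appends to the client's own header. Only the
    # proxy is listed, so the walk stops at the real client.
    print(resolve_client(squid, spoofed + ", " + client, internal=[squid + "/32"]))
    # Whole client subnet listed as proxies: the spoofed value is logged.
    print(resolve_client(squid, spoofed + ", " + client, internal=["192.168.10.0/24"]))
    # forwarded_for truncate: Squid sends only the client IP, nothing to spoof.
    print(resolve_client(squid, client, internal=["192.168.10.0/24"]))
```

The fourth case is the impersonation Eliezer warns about; it needs both an over-broad proxy list and "forwarded_for on", so narrowing the list to the proxy host or switching to "truncate" each closes it.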
Re: [squid-users] ICAP and Allow 204 Header
On 01/28/2016 09:46 AM, Gilles Bardouillet wrote:
> Sorry for the response form but I dont received the Alex email,

You may want to check your email server. It is rejecting my emails.

> Here is some details from debug mode :
>
> 2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(653) parseMore: have 182
> bytes to parse [FD 32;Rr/w job924]
> 2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(654) parseMore:
> ICAP/1.0 200 OK
> X-Apparent-Data-Types: JPG
> Service: CAS 1.3.1.1(170722)
> Service-ID: avscanner
> ISTag: "56680096"
> Encapsulated: req-body=0
> Date: Wed, 09 Dec 2015 10:32:19 GMT

> Adaptation::Icap::Xaction::noteCommRead threw exception: Invalid ICAP
> Response

The Encapsulated header is invalid because it indicates an adapted HTTP request without headers. Your ICAP service appears to be broken.

Alex.
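
An added example, not Squid's parser and not code from this thread: a small checker for the ICAP Encapsulated header that applies the condition Alex names (a req-body or res-body entry with no matching req-hdr or res-hdr entry) to the response head from the quoted debug output. The function names are hypothetical, and the two structural rules (ascending offsets, exactly one body entry listed last) are this example's reading of RFC 3507.

```python
import re

# One entry of an Encapsulated header value, e.g. "req-hdr=0".
_ENTRY = re.compile(
    r"^(req-hdr|res-hdr|req-body|res-body|opt-body|null-body)=(\d+)$")
# A body section carrying an HTTP message must come with that message's headers.
_NEEDS_HDR = {"req-body": "req-hdr", "res-body": "res-hdr"}

# ICAP response head as shown in the debug output quoted in this thread.
SAMPLE_HEAD = (
    "ICAP/1.0 200 OK\r\n"
    "X-Apparent-Data-Types: JPG\r\n"
    "Service: CAS 1.3.1.1(170722)\r\n"
    "Service-ID: avscanner\r\n"
    'ISTag: "56680096"\r\n'
    "Encapsulated: req-body=0\r\n"
    "Date: Wed, 09 Dec 2015 10:32:19 GMT\r\n"
    "\r\n"
)


def encapsulated_value(icap_head):
    """Return the Encapsulated header value from an ICAP message head, or None."""
    for line in icap_head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "encapsulated":
            return value.strip()
    return None


def check_encapsulated(value):
    """Return a list of problems in an Encapsulated value (empty list = OK)."""
    problems = []
    entries = []
    for token in value.split(","):
        match = _ENTRY.match(token.strip())
        if match:
            entries.append((match.group(1), int(match.group(2))))
        else:
            problems.append("unparsable entry %r" % token.strip())
    names = [name for name, _ in entries]
    offsets = [offset for _, offset in entries]
    if offsets != sorted(offsets):
        problems.append("offsets are not in ascending order")
    bodies = [name for name in names if name.endswith("-body")]
    if len(bodies) != 1 or names[-1] != bodies[0]:
        problems.append("expected exactly one *-body entry, listed last")
    for body, hdr in _NEEDS_HDR.items():
        if body in names and hdr not in names:
            problems.append("%s without %s" % (body, hdr))
    return problems


def check_icap_head(icap_head):
    """Validate the Encapsulated header of a complete ICAP message head."""
    value = encapsulated_value(icap_head)
    if value is None:
        return ["no Encapsulated header"]
    return check_encapsulated(value)


if __name__ == "__main__":
    print(check_icap_head(SAMPLE_HEAD))                    # the CAS response
    print(check_encapsulated("res-hdr=0, res-body=137"))   # constructed, well-formed
```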
Re: [squid-users] ICAP and Allow 204 Header
Sorry for the response form but I dont received the Alex email, so I tried below to recompose the thread discussion

On 01/25/2016 10:28 AM, Gilles Bardouillet wrote:
> I'm using SQUID with CAS ICAP Server but I have one issue :
>
> * for some images, squid receive icap error as ICAP_ERR_OTHER

It may be useful to know more details about that ICAP error. What ICAP response, if any, does Squid receive when it generates ICAP_ERR_OTHER?

Here is some details from debug mode :

2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(653) parseMore: have 182 bytes to parse [FD 32;Rr/w job924]
2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(654) parseMore:
ICAP/1.0 200 OK
X-Apparent-Data-Types: JPG
Service: CAS 1.3.1.1(170722)
Service-ID: avscanner
ISTag: "56680096"
Encapsulated: req-body=0
Date: Wed, 09 Dec 2015 10:32:19 GMT

2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(749) parseHeaders: parse ICAP headers
2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(1079) parseHead: have 182 head bytes to parse; state: 0
2015/12/09 11:32:11.786 kid3| 93,5| ModXact.cc(1094) parseHead: parse success, consume 182 bytes, return true
2015/12/09 11:32:11.786 kid3| 93,3| ../../../src/base/AsyncJobCalls.h(177) dial: Adaptation::Icap::Xaction::noteCommRead threw exception: Invalid ICAP Response
2015/12/09 11:32:11.786 kid3| 93,4| Xaction.cc(514) setOutcome: ICAP_ERR_OTHER

Do you need more ?

> * I noticed that for all these errors, Squid dont send the HTTP header
> Allows 204

Allow:204 is not an HTTP header field. It is an ICAP header field.

Right

> * I read the code and find the Allow 204 header _is only set when
> preview is enabled_.

Are you sure? Several factors affect ICAP Allow:204 request header presence. Preview availability should not be one of them because Allow:204 is about 204 responses _outside_ of Preview. See RFC 3507 Section 4.6.

Right, preview is only used for Allow 204 In and not Out
My case is about Allow 204 out.
here is the source code from 3.5.13 from ModXact.cc:

    const bool allow204in = preview.enabled(); // TODO: add shouldAllow204in()
    const bool allow204out = state.allowedPostview204 = shouldAllow204();

    else if (allow204out)
        allowHeader = "Allow: 204\r\n";

> My icap conf activated preview and preview size as follow :
> icap_preview_enable on
> icap_preview_size 1024

IIRC, Squid ignores icap_preview_size in squid.conf (a bug). The ICAP service OPTIONS response determines the Preview size (subject to an internal limit of 64KB).

My ICAP server (CAS) dont send any Preview size in OPTIONS response :-(

> I read that the preview size value can be overwritten by OPTIONS
> requests, so can give me some details, hints in order to find why some
> pictures dont offer preview and then fails ?

See RFC 3507 Section 4.5 for details on how Preview is negotiated. If you think Squid violates the ICAP protocol, please file a bug report with the corresponding capture of ICAP messages (from and to Squid).

As for ICAP 204 outside of Preview, I believe Squid can offer to support that ICAP response if all of the checks below are successful:

* the origin server OPTIONS response includes Allow:204;
* the message content length is known at the ICAP request time; and
* the message content length does not exceed 64KB.

Thanks, I will check theses things.

If you prefer to analyze the code, see Adaptation::Icap::ModXact::shouldAllow204() and Adaptation::Icap::ModXact::canBackupEverything().

HTH,

Alex.

Regards,
Gilles.
Re: [squid-users] forwarded_for problems log client ip apache 2.4
On 29/01/2016 2:38 a.m., L.P.H. van Belle wrote:
> Hai,
>
> I having some troubles to get my client ip (and/or hostname) logged in my
> apache webserver.
>
> I do think this is something in my squid setup, but i can find it..
>
> So if anyone can help me out a bit, would be great.
>
> I’ve tested with the forwarded_for options tried all options here.
>
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/forwarded_for.html
>

"forwarded_for on" is the correct one - and the default value BTW, so you don't need to configure anything for Squid to do its part of this.

I can see that being used in your squid.conf. So the problem is either that the requests you see really do have *no* client, or a different client to what you are thinking, or a problem in Apache.

> im using Debian Jessie, Apache 2.4 with mod_remoteip
>
> http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader
>
> My settings for remoteip ( and yes the modules is enabled )
>
> a2query -m | grep remote
>
> remoteip (enabled by site administrator)
>
> # for remote proxy setup
>
> RemoteIPHeader X-Forwarded-For
>
> # for cluster setup
>
> #RemoteIPHeader X-Real-IP
>
> RemoteIPTrustedProxy 127.0.0.1/8
>
> RemoteIPTrustedProxy 192.168.x.x/24
>
> RemoteIPTrustedProxy 192.168.x.x/24
>
> RemoteIPTrustedProxy prxy1.internal.domain.tld
>
> RemoteIPTrustedProxy prxy2.internal.domain.tld
>
> #original : LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
>
> LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
> combined
>
> any tips on howto debug this, i did find lots of things with google, but none
> worked for me.
>

That is an issue to take up with the Apache support groups. If you are lucky someone here might know, but it's really off-topic.

Amos
[squid-users] forwarded_for problems log client ip apache 2.4
Hai,

I having some troubles to get my client ip (and/or hostname) logged in my apache webserver.

I do think this is something in my squid setup, but i can find it..

So if anyone can help me out a bit, would be great.

I’ve tested with the forwarded_for options tried all options here.

http://www.squid-cache.org/Versions/v3/3.5/cfgman/forwarded_for.html

im using Debian Jessie, Apache 2.4 with mod_remoteip

http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader

My settings for remoteip ( and yes the modules is enabled )

a2query -m | grep remote
remoteip (enabled by site administrator)

# for remote proxy setup
RemoteIPHeader X-Forwarded-For
# for cluster setup
#RemoteIPHeader X-Real-IP

RemoteIPTrustedProxy 127.0.0.1/8
RemoteIPTrustedProxy 192.168.x.x/24
RemoteIPTrustedProxy 192.168.x.x/24
RemoteIPTrustedProxy prxy1.internal.domain.tld
RemoteIPTrustedProxy prxy2.internal.domain.tld

#original : LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

any tips on howto debug this, i did find lots of things with google, but none worked for me.

This is my (sanitized) squid config, default values are not shown.

Any improvement tips are welcome ;-) but my biggest problem now is getting the ip of the client in my webserver logs.

Greetz,
Louis

# squid 3.5.12 config
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld@REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "ou=domain,dc=internal,dc=domain,dc=tld" \
    -D changed_to_protect_mys...@internal.domain.tld -W /etc/squid/private/ldap-bind \
    -f (sAMAccountName=%s) \
    -h dc2.internal.domain.tld \
    -h dc1.internal.domain.tld
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 2 hours
authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour

# ACCESS CONTROLS
# -
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

## PC Networks
acl localnet src 192.168.XXX.0/24
acl localnet src 10.XXX.0.0/24
acl localnet src 10.XXX.1.0/24
acl localnet src 10.XXX.2.0/24
acl localnet src 10.XXX.3.0/24
acl localnet src 10.XXX.4.0/24

## Per location/function networks
acl localnet-funct1 src 192.168.XXX.0/24
acl localnet-funct2 src 10.XXX.0.0/24
acl localnet-funct3 src 10.XXX.1.0/24
acl localnet-funct4 src 10.XXX.2.0/24
acl localnet-funct5 src 10.XXX.3.0/24
acl localnet-funct6 src 10.XXX.4.0/24
acl localnet-funct7 src 10.XXX.210.0/24
acl localnet-funct8 src 172.20.XXX.0/24

acl localnet-funct1-server-range src 192.168.XXX.XXX-192.168.XXX.XXX
acl localnet-funct1-mailhopper src 192.168.XXX.XXX
acl localnet-funct1-antivirus src 192.168.XXX.XXX
acl localnet-funct1-xen1 src 192.168.XXX.XXX
acl localnet-funct1-gateway src 192.168.XXX.XXX
acl localnet-funct1-mail1 src 192.168.XXX.XXX
acl localnet-funct1-lin-228 src 192.168.XXX.XXX
acl localnet-funct1-lin-009 src 192.168.XXX.XXX
acl localnet-funct1-monitoring src 192.168.XXX.XXX
acl localnet-funct1-lin-003 src 192.168.XXX.XXX

## acl time frames.
acl work-ochtend time MTWHF 08:15-11:59
acl work-pauze time MTWHF 12:00-13:30
acl work-middag time MTWHF 13:31-17:00
acl after-work-hours time MTWHF 17:01-23:59
acl before-work-hours time MTWHF 00:00-08:14

##Block Video Streaming##
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type -i ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mp2t
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb|ts|)(\?.*)?$
acl whitelistsites url_regex -i "/etc/squid/acl/domain-customer-sites.txt"
acl whitelistsites url_regex -i "/etc/squid/acl/allowed-sites.txt"
ac