Jorge Perez wrote:
Hello, we are implementing a squid proxy server in my office.
The principal idea is to limit bandwith using delay pools and also block some
websites.
We have made our config and its working, but we dont know if everyting is
correct specially in the delay pools part.
**Introduction:
We have dedicated broadband with :
4MB FOR INTERNATIONAL TRAFIC
100MB FOR NATIONAL
PROXY: 192.168.169.3
GATEWAY: 192.168.169.2
Users: like 150 daily
**We want to divide our internal lan in 5 groups with the following rules PER
USER.
GROUP 1: normales from 192.168.169.30 to 192.168.169.129
-If a user exceeds 10mb when downloading a file limit to 10kb of download speed.
GROUP 2: tecnicos from 192.168.169.130 to 192.168.169.149
-File bigger than 50mb, limit to 30kb
GROUP 3: administrador 192.168.169.150 to 192.168.169.189
-File bigger than 100mb limit to 30kb
GROUP 4: estudio 192.168.169.190 to 192.168.169.219
-No downloads for files or very slow, but freely web surfing including youtube.
GROUP 5: gerencia 192.168.169.220 to 192.168.169.252
-Everyting unlimited
**We want to block the following sites from 192.168.169.1 to 192.168.169.129 :
BLOCK:
[CODE].facebook.com .twitter.com .doubleclick.com .fotolog.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com .rapidshare.de .mediafire.com .hotfile.com .myspace.com .fotolog.terra.cl .fotologs.com .portalnet.cl .taringa.net .antro.cl .chilewarez.cl .chilebt.com .shared.cl .comparte.cl .mininova.org .torrentz.com .flickr.com .flicker.net .keepvid.com .kotteshiro.com .no-ip.org .no-ip.com .redtube.com .xnxx.com .muyzorras.com .bananacorp.cl .orgasmatrix.com .depositfiles.com[/CODE]
**From: 192.168.169.130 to 192.168.169.149
BLOCK: Same as above unless facebook.com
**Deny from 192.168.169.1 to 192.168.169.29 DOWNLOADING THE FOLLOWING
EXTENSIONS:
[CODE].exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram
.rm .iso .raw .wav .mov[/CODE]
[B]We dont know if the rules per group are possible with the bandwidth we have,
also everyone surfs a lot youtube, we need that to not eat so much bandwith[/B].
Here is our current squid.conf
[QUOTE]
http_port 192.168.169.3:3128 transparent
Problem #1: CVE_2009-0801 "transparent" mode can be easily abused to
infect entire networks if the proxy port can be reached by non-NATed
traffic. Port 3128 is not safe to use for this.
cache_dir ufs /usr/local/squid/var/cache 250 16 256
cache_effective_user squid
cache_effective_group squid
access_log /usr/local/squid/var/logs/access.log squid
################################
acl localnet src 192.168.169.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#### SITIOS BLOKEADOS #####
acl restobb src 192.168.169.1-192.168.169.129
acl sucky_urls dstdomain .facebook.com .twitter.com .doubleclick.com
.fotolog.com .warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com
.megaupload.com .rapidshare.de .medi$
deny_info [url]http://www.xxxxxxx.xx/error.html[/url] sucky_urls
http_access deny restobb sucky_urls
######################## NO DESCARGAS #####
acl resto src 192.168.169.1-192.168.169.29/32
acl descargas_negadas url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip
.rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
deny_info [url]http://www.xxxxxxxxxx.xx/error.html[/url] descargas_negadas
http_access deny resto descargas_negadas
######################## SITIOS CASI BLOKEADOS ###############
acl restobb2 src 192.168.169.130-192.168.169.149
acl sucky_urls2 dstdomain .twitter.com .doubleclick.com .fotolog.com
.warez-bb.org .fotolog.cl .chilewarez.org .rapidshare.com .megaupload.com
.rapidshare.de .mediafire.com .de$
deny_info [url]http://www.xxxxxxxx.xx/error.html[/url] sucky_urls2
http_access deny restobb2 sucky_urls2
########################
http_access allow CONNECT SSL_ports
The above line is a wide open security hole. It lets ANYONE who can
reach your proxy send traffic to HTTPS ports.
I assume the intended affect was to permit your local networks HTTPS?
That is already configured by the current combination of "deny CONNECT
!SSL_ports" and "allow localnet" rules below.
NP: the lines that follows this contain the basic security safety nets
for DoS and other abuse protection. It really should be above all the
local custom http_access rules.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
########################
http_access allow localnet
http_access allow localhost
http_access deny all
##############################
http_reply_access allow localnet
Good. This is the only thing in Squid config protecting you from that
CONNECT security hole opened above.
http_reply_access deny all
#############################
#REGLAS DESCARGAS
acl normales src 192.168.169.30-192.168.169.129/32
acl tecnicos src 192.168.169.130-192.168.169.149/32
acl administrador src 192.168.169.150-192.168.169.189/32
acl estudio src 192.168.169.190-192.168.169.219/32
acl gerencia src 192.168.169.220-192.168.169.252/32
acl descargas url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi
.mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
Not doing what you expect.
Use this instead for the file types (its one line):
acl descrgas_files urlpath_regex -i
\.(exe|vqf|gz|zip|r[ap][rwm]|avi|mpe?g?3?|qt|ra?m|iso|wav|mov)(\?.*)?$
NP: was the "ftp" pattern meant to match FTP protocol or actually any
domain or file with "ftp" in the name?
For FTP protocol:
acl FTP proto FTP
delay_pools 5
delay_class 1 1
delay_parameters 1 10240/10485760 10240/10485760
delay_access 1 allow normales descargas
delay_access 1 deny all
delay_class 2 1
delay_parameters 2 30720/104857600 30720/104857600
delay_access 2 allow tecnicos descargas
delay_access 2 deny all
delay_class 3 1
delay_parameters 3 30720/104857600 30720/104857600
delay_access 3 allow administrador descargas
delay_access 3 deny all
delay_class 4 1
delay_parameters 4 -1/-1 -1/-1
delay_access 4 allow gerencia descargas
delay_access 4 deny all
The above pool means no limit. It's much better simply to not pool these
people.
delay_class 5 1
delay_parameters 5 10240/10240 10240/10240
delay_access 5 allow estudio descargas
delay_access 5 deny all
[/QUOTE]
[B]I hope that u guys can help us out to achieve what we are looking for.[/B]
You can see this more clearly at
http://www.linuxquestions.org/questions/showthread.php?p=4004534#post4004534
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.4
