List:       pfsense-discussion
Subject:    Re: [pfSense-discussion] squid.inc gotchas
From:       Odhiambo Washington <odhiambo () gmail ! com>
Date:       2011-06-06 19:08:53
Message-ID: BANLkTikEaA156Op03fSr3q8-66Qi1MPDwQ () mail ! gmail ! com

Just a followup:

Since squid rules are evaluated in order of placement, shouldn't "Custom
options" come up before "# Setup allowed acls" in the block below?
Those shown are my own custom options.


# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Custom options
acl audiovideo rep_mime_type audio|video ^application/x-mms-framed
http_reply_access deny audiovideo
# Default block all to be sure
http_access deny all


On Mon, Jun 6, 2011 at 19:52, Odhiambo Washington <odhiambo@gmail.com> wrote:

>
>
> On Mon, Jun 6, 2011 at 15:25, Jim Pingle <lists@pingle.org> wrote:
>
>> On 6/6/2011 5:43 AM, Odhiambo Washington wrote:
>> > On Sun, Jun 5, 2011 at 18:04, Jim Pingle <lists@pingle.org
>> [snip]
>> >     http://forum.pfsense.org/index.php/topic,32923.msg191044.html
>> [snip]
>>
>> > So in essence, we need:
>> >
>> > (12:25:03 <~>) 0 $ diff squid.inc squid.inc.local
>> > 527c527
>> > < }
>> > ---
>> >>       }
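Review bot: the 527c527 hunk is a whitespace-only change (a closing `}` re-indented) with no functional effect; keep it out of a patch that also changes ACL syntax, or flag it as cosmetic so it can be skipped on review.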
>> > 813,814c813,814
>> > < acl all src 0.0.0.0/0.0.0.0 <http://0.0.0.0/0.0.0.0>
>> > < acl localhost src 127.0.0.1/255.255.255.255
>> > <http://127.0.0.1/255.255.255.255>
>> > ---
>> >> acl all src all
>> >> acl localhost src 127.0.0.1/32 <http://127.0.0.1/32>
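Review bot: the `<http://0.0.0.0/0.0.0.0>`, `<http://127.0.0.1/255.255.255.255>` and `<http://127.0.0.1/32>` fragments on these lines are mail-client autolink residue rather than diff content, so this hunk cannot be fed to `patch` as pasted; resend it as an attachment or in a plain-text part. On substance, `acl all src all` and `127.0.0.1/32` are the Squid 3 spellings, and the same CIDR convention should be applied to the `localnet` ACL that later in this message still interpolates the dotted `$mask` via `" $ip/$mask"`.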
>>
>> We have that now. Have since the middle of May:
>>
>> 2866d3ae config/squid3/squid.inc   (jim-p         2011-05-18 11:57:21
>> -0400  807) acl all src all
>>
>> > 903c903
>> > <       $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " deny
>> > all\n";
>> > ---
>> >>       $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . "
>> all\n";
>>
>> We do that now. Have since late May:
>> 54c49bf2 config/squid3/squid.inc   (jim-p         2011-05-25 14:39:07
>> -0400  898)               $conf .= 'reply_body_max_size ' . ($down_limit
>> * 1024) . " all \n";
>>
>> > Another issue with regard to squid 3.1.x concerns this block in
>> squid.inc:
>> >
>> >         if ($settings['allow_interface'] == 'on') {
>> >                 $src = '';
>> >                 foreach ($real_ifaces as $iface) {
>> >                         list($ip, $mask) = $iface;
>> >                         $ip = long2ip(ip2long($ip) & ip2long($mask));
>> >                         $src .= " $ip/$mask";
>> >                 }
>> >                 $conf .= "# Allow local network(s) on interface(s)\n";
>> >                 $conf .= "acl localnet src $src\n";
>> >                 $valid_acls[] = 'localnet';
>> >         }
>> >
>> >
>> > For squid 3.x netmasks are deprecated. CIDR masks are used instead.
>>
>> Looks like that was also changed mid-May...
>> 2866d3ae config/squid3/squid.inc   (jim-p         2011-05-18 11:57:21
>> -0400  677)                       $mask = 32-log((ip2long($mask) ^
>> ip2long('255.255.255.255'))+1,2);
>>
>>
>> > So, someone needs to change something in this block:-)
>> >
>> > Plus - could the package maintainer keep up to date with the squid
>> > branch? It's lagging much behind.
>>
>> Well there is no active maintainer of Squid 3. I poke at it now and then
>> when people submit patches, but I don't have any sort of focus on it, as
>> 2.7.x does what I want and it's stable.
>>
>> The current package is at 3.1.9 which is a couple months behind, but not
>> ancient. The FreeBSD port is up to 3.1.12. The tags are on the package
>> to build it automatically, but it may not be happening since the squid
>> 2.7.x build is probably conflicting with it. If I get some time I may
>> compile a new copy in a VM and upload it, but it may not be any time soon.
>>
>> I did find a couple things off in the xml for which files it was
>> pulling. I'll commit a fix here in a few. Try to reinstall it later today.
>>
>> Jim
>>
>
> Thanks, Jim, for all the hard work you are doing. I will try to reinstall
> later today and see what comes up.
>
> I hope you did see my email after this one you have responded to, which
> contained detailed explanations
> about this reply_body_max_size.
> I must say I am still a little confused about the correct params for that
> directive, even after the explanation
> I got from squid-dev.
>
> At the moment, my squid.conf contains:
>
> reply_body_max_size 307200 KB all
>
> It still mesmerizes me how it works, but my understanding seems to suggest
> that what we need in squid.inc is:
>
>  $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " KB" . " all\n";
>
> ... which is what I am working with now.
>
> Once again, thanks for taking this up.
>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> I can't hear you -- I'm using the scrambler.
> Please consider the environment before printing this email.
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
Please consider the environment before printing this email.
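As an added illustration (not code from the pfSense package, from squid.inc, or from anyone in this thread), the Python below re-implements two things the thread discusses: the dotted-netmask-to-CIDR conversion behind the `localnet` ACL, including a contiguity check that the `32-log(...)` expression in the quoted commit does not perform, and a first-match walk over the `http_access` and `http_reply_access` lists from the squid.conf fragment at the top of this message. The interface list is constructed sample data; the real squid.inc is PHP, so this is a model of its logic, not a drop-in replacement.

```python
import ipaddress

# Constructed sample input, shaped like the ($ip, $mask) pairs squid.inc pulls
# out of $real_ifaces; the addresses are made up for this example.
SAMPLE_IFACES = [
    ("192.168.1.1", "255.255.255.0"),
    ("10.20.30.40", "255.255.0.0"),
]


def mask_to_prefix(mask):
    """Dotted netmask -> CIDR prefix length.

    Mirrors the 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1, 2)
    expression from the squid.inc commit quoted in this thread, and additionally
    refuses non-contiguous masks, for which that expression yields a non-integer.
    """
    m = int(ipaddress.IPv4Address(mask))
    host_range = (m ^ 0xFFFFFFFF) + 1          # 2**(32 - prefix) for a proper mask
    if host_range & (host_range - 1):          # not a power of two: mask has holes
        raise ValueError(f"non-contiguous netmask {mask}")
    return 32 - (host_range.bit_length() - 1)  # bit_length()-1 == log2(host_range)


def localnet_acl(ifaces):
    """Build the Squid 3 'acl localnet src ...' line.

    Network address = ip & mask, exactly as the PHP block does; the mask is
    emitted as a CIDR prefix because Squid 3.x deprecates dotted netmasks.
    """
    nets = []
    for ip, mask in ifaces:
        prefix = mask_to_prefix(mask)          # validate the mask before use
        net = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
        nets.append(f"{ipaddress.IPv4Address(net)}/{prefix}")
    return "acl localnet src " + " ".join(nets)


def first_match(rules, matched_acls):
    """Evaluate one Squid access list (http_access or http_reply_access).

    Squid walks the list top-down and stops at the first rule whose ACL
    matches; if nothing matches, the result is the opposite of the last
    rule's action. Returns True for allow, False for deny.
    """
    for action, acl in rules:
        if acl in matched_acls:
            return action == "allow"
    return rules[-1][0] != "allow"


# The two lists from the squid.conf fragment above. http_access is checked
# against the request and http_reply_access separately against the reply,
# so where the reply list sits relative to http_access does not change the
# outcome; only the order of rules within one list matters.
HTTP_ACCESS = [("allow", "localnet"), ("deny", "all")]
HTTP_REPLY_ACCESS = [("deny", "audiovideo")]


def request_allowed(src_is_localnet):
    # 'all' matches every request; 'localnet' only those from the LAN ACL.
    matched = {"all"} | ({"localnet"} if src_is_localnet else set())
    return first_match(HTTP_ACCESS, matched)


def reply_allowed(reply_is_audiovideo):
    # 'audiovideo' is the rep_mime_type ACL from the custom options.
    matched = {"audiovideo"} if reply_is_audiovideo else set()
    return first_match(HTTP_REPLY_ACCESS, matched)


if __name__ == "__main__":
    print(localnet_acl(SAMPLE_IFACES))
    print("request from LAN allowed:", request_allowed(True))
    print("request from elsewhere allowed:", request_allowed(False))
    print("audio/video reply allowed:", reply_allowed(True))
    print("other reply allowed:", reply_allowed(False))
```

Running the file prints the generated `acl localnet src 192.168.1.0/24 10.20.0.0/16` line and the four access decisions; feeding `mask_to_prefix` a mask such as `255.255.0.255` raises instead of silently emitting a fractional prefix, which is the failure mode a bare `log()` conversion would hide.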
