Hi,

I recently migrated my office's server from Slackware64 14.1 to CentOS 7. Right now I'm in the process of configuring the Squid web proxy. I edited the default /etc/squid/squid.conf, and here's what I have so far:

--8<--------------------------------------------------
# /etc/squid/squid.conf

# Hostname of the Squid server
visible_hostname amandine.microlinux.lan

# Definitions
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet

# Proxy port
http_port 3128

# Cache size in RAM
cache_mem 256 MB

# System core dumps
coredump_dir /var/spool/squid

# Lifetime of files without an expiry date
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0
--8<--------------------------------------------------

The proxy is working as expected. I have a few questions for fine-tuning though.

1. Squid's main logs are stored in /var/log/squid/access.log. I'd like to set up logfile rotation for that, since it can become quite big. How do you handle this? With Squid's internal 'logfile_rotate' directive or with logrotate? What I'd like to do is rotate this logfile about once a week.

2. Which user is Squid supposed to run as under CentOS? On my Slackware server I had the following:

cache_effective_user nobody
cache_effective_group nobody

What's an orthodox setting for CentOS?

3. The access rules are a bit minimal. Do they seem OK to you for a LAN? Any suggestions?

Cheers,

Niki

--
Microlinux - IT solutions, 100% Linux and free software
7, place de l'Église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32
2015-03-06 12:29 GMT-06:00 Niki Kovacs <info at microlinux.fr>:
>
> I recently migrated my office's server from Slackware64 14.1 to CentOS 7.
> Right now I'm in the process of configuring the Squid web proxy. I edited
> the default /etc/squid/squid.conf, and here's what I have so far:
>
> --8<--------------------------------------------------
> # /etc/squid/squid.conf
>
> # Hostname of the Squid server
> visible_hostname amandine.microlinux.lan
>
> # Definitions
> acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Access rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
>
> # Proxy port
> http_port 3128
>
> # Cache size in RAM
> cache_mem 256 MB
>
> # System core dumps
> coredump_dir /var/spool/squid
>
> # Lifetime of files without an expiry date
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0
> --8<--------------------------------------------------
>
> The proxy is working as expected. I have a few questions for fine-tuning
> though.
>
> 1. Squid's main logs are stored in /var/log/squid/access.log. I'd like to
> set up logfile rotation for that, since it can become quite big. How do you
> handle this? With Squid's internal 'logfile_rotate' directive or with
> logrotate? What I'd like to do is rotate this logfile about once a week.

The rpm should have configured logrotate:
rpm -q --list squid |grep logrotate
will show where the config file lands.

> 2. Which user is Squid supposed to run as under CentOS? On my Slackware
> server I had the following:
>
> cache_effective_user nobody
> cache_effective_group nobody
>
> What's an orthodox setting for CentOS?

The rpm should have created the squid user and group:
rpm -q --scripts squid
will show what it ran to do that.

> 3. The access rules are a bit minimal. Do they seem OK to you for a LAN? Any
> suggestions?

Unless you want to restrict outbound access, the main thing is the acl to permit access from your local network source addresses (and no others). I'd recommend an external firewall or at least iptables blocking inbound internet access to port 3128 also.

--
Les Mikesell
lesmikesell at gmail.com
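A worked check on the access rules discussed under question 3, written for this thread as an added example (it is not code from either poster or from the Squid project). It parses the acl/http_access lines of the posted squid.conf, embedded below as constructed input, and flags what a reviewer would look for: an explicit final `deny all` (Squid's implicit default is the inverse of the last rule's action), the two `deny` guards placed before any `allow`, and `allow` rules whose source ACL is not an RFC1918 network; `parse` and `audit` are names of my own.

```python
import ipaddress

# Constructed copy of the acl/http_access lines from the posted squid.conf.
SQUID_CONF = """
acl localnet src 192.168.2.0/24  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(conf):
    """Return (acls, rules): acls maps name -> (type, values); rules is the
    ordered list of (action, terms) taken from the http_access lines."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def audit(conf):
    """Return a list of findings; an empty list means the rule set looks sound."""
    acls, rules = parse(conf)
    findings = []
    # Squid's implicit default is the inverse of the last rule's action, so the
    # catch-all should be explicit rather than a side effect of rule ordering.
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("last rule is not an explicit 'http_access deny all'")
    first_allow = next((i for i, r in enumerate(rules) if r[0] == "allow"), len(rules))
    for guard in (["!Safe_ports"], ["CONNECT", "!SSL_ports"]):
        pos = next((i for i, r in enumerate(rules) if r == ("deny", guard)), None)
        if pos is None or pos > first_allow:
            findings.append("deny %s is missing or placed after an allow" % " ".join(guard))
    for action, terms in rules:
        for term in terms if action == "allow" else ():
            kind, values = acls.get(term.lstrip("!"), (None, []))
            for value in values if kind == "src" else ():
                net = ipaddress.ip_network(value, strict=False)
                if not any(net.subnet_of(private) for private in RFC1918):
                    findings.append("allow from non-RFC1918 source %s" % value)
    return findings
```

Run against the posted rules it reports only the missing explicit `deny all`; appending `http_access deny all` clears it.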
On 06/03/2015 21:08, Les Mikesell wrote:
>
> The rpm should have configured logrotate:
> rpm -q --list squid |grep logrotate
> will show where the config file lands.
>

OK

>
> The rpm should have created the squid user and group:
> rpm -q --scripts squid
> will show what it ran to do that.

OK

>
> Unless you want to restrict outbound access, the main thing is the acl
> to permit access from your local network source addresses (and no
> others). I'd recommend an external firewall or at least iptables
> blocking inbound internet access to port 3128 also.
>

The LAN server here already has iptables configured to redirect HTTP traffic to 3128 transparently.

Thanks for your detailed answer. That was very helpful!

Cheers,

Niki

--
Microlinux - IT solutions, 100% Linux and free software
7, place de l'Église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32