Elektroda.pl
Elektroda.pl
X
Proszę, dodaj wyjątek www.elektroda.pl do Adblock.
Dzięki temu, że oglądasz reklamy, wspierasz portal i użytkowników.

Squid i uruchomienie? FATAL: Could not determine fully...

Dami24 28 Cze 2007 22:19 5834 12
  • #1 28 Cze 2007 22:19
    Dami24
    Poziom 11  

    witam przy odpaleniu sqida mam odp. od serwera :
    root@serwer:/etc/squid# /etc/init.d/squid start
    * Starting Squid HTTP proxy squid * Creating squid spool directory structure
    FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'

    Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
    CPU Usage: 0.028 seconds = 0.020 user + 0.008 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
    Aborted (core dumped)
    FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'

    Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
    CPU Usage: 0.028 seconds = 0.020 user + 0.008 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
    Aborted (core dumped)
    [fail]
    root@serwer:/etc/squid#

    a instalacja squida była robiona apt-get install squid

    plik config.


    # WELCOME TO SQUID 2.6.STABLE5
    # ----------------------------
    #
    # This is the default Squid configuration file. You may wish
    # to look at the Squid home page (http://www.squid-cache.org/)
    # for the FAQ and other documentation.
    #
    # The default Squid config file shows what the defaults for
    # various options happen to be. If you don't need to change the
    # default, you shouldn't uncomment the line. Doing so may cause
    # run-time problems. In some cases "none" refers to no default
    # setting at all, while in other cases it refers to a valid
    # option - the comments for that keyword indicate if this is the
    # case.
    #


    # NETWORK OPTIONS
    # -----------------------------------------------------------------------------

    # TAG: http_port
    # Usage: port [options]
    # hostname:port [options]
    # 1.2.3.4:port [options]
    #
    # The socket addresses where Squid will listen for HTTP client
    # requests. You may specify multiple socket addresses.
    # There are three forms: port alone, hostname with port, and
    # IP address with port. If you specify a hostname or IP
    # address, Squid binds the socket to that specific
    # address. This replaces the old 'tcp_incoming_address'
    # option. Most likely, you do not need to bind to a specific
    # address, so you can use the port number alone.
    #
    # The default port number is 3128.
    #
    # If you are running Squid in accelerator mode, you
    # probably want to listen on port 80 also, or instead.
    #
    # The -a command line option will override the *first* port
    # number listed here. That option will NOT override an IP
    # address, however.
    #
    # You may specify multiple socket addresses on multiple lines.
    #
    # options are:
    # transparent Support for transparent proxies




    # vhost Accelerator using Host directive
    # vport Accelerator with IP virtual host support
    # vport= As above, but uses specified port number
    # rather than the http_port number.
    # defaultsite= Main web site name for accelerators.
    # urlgroup= Default urlgroup to mark requests
    # with (see also acl urlgroup and
    # url_rewrite_program)
    # protocol= Protocol to reconstruct accelerated
    # requests with. Defaults to http.
    # no-connection-auth
    # Prevent forwarding of Microsoft
    # connection oriented authentication
    # (NTLM, Negotiate and Kerberos)
    # tproxy Support Linux TPROXY for spoofing
    # outgoing connections using the client
    # IP address.
    #
    # If you run Squid on a dual-homed machine with an internal
    # and an external interface we recommend you to specify the
    # internal address:port in http_port. This way Squid will only be
    # visible on the internal address.
    #
    # Squid normally listens to port 3128
    http_port 3128

    # TAG: https_port
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
    #
    # The socket address where Squid will listen for HTTPS client
    # requests.
    #
    # This is really only useful for situations where you are running
    # squid in accelerator mode and you want to do the SSL work at the
    # accelerator level.
    #
    # You may specify multiple socket addresses on multiple lines,
    # each with their own SSL certificate and/or options.
    #
    # Options:
    #
    # defaultsite= The name of the https site presented on
    # this port.
    #
    # urlgroup= Default urlgroup to mark requests with (see
    # also acl urlgroup and url_rewrite_program)
    #
    # protocol= Protocol to reconstruct accelerated requests
    # with. Defaults to https.
    #
    # cert= Path to SSL certificate (PEM format)
    #
    # key= Path to SSL private key file (PEM format)
    # if not specified, the certificate file is
    # assumed to be a combined certificate and
    # key file
    #
    # version= The version of SSL/TLS supported
    # 1 automatic (default)
    # 2 SSLv2 only
    # 3 SSLv3 only
    # 4 TLSv1 only
    #
    # cipher= Colon separated list of supported ciphers
    #
    # options= Various SSL engine options. The most important
    # being:
    # NO_SSLv2 Disallow the use of SSLv2
    # NO_SSLv3 Disallow the use of SSLv3
    # NO_TLSv1 Disallow the use of TLSv1
    # SINGLE_DH_USE Always create a new key when using
    # temporary/ephemeral DH key exchanges
    # See src/ssl_support.c or OpenSSL SSL_CTX_set_options
    # documentation for a complete list of options.
    #
    # clientca= File containing the list of CAs to use when
    # requesting a client certificate
    #
    # cafile= File containing additional CA certificates to
    # use when verifying client certificates. If unset
    # clientca will be used.
    #
    # capath= Directory containing additional CA certificates
    # and CRL lists to use when verifying client certificates
    #
    # crlfile= File of additional CRL lists to use when verifying
    # the client certificate, in addition to CRLs stored in
    # the capath. Implies VERIFY_CRL flag below.
    #
    # dhparams= File containing DH parameters for temporary/ephemeral
    # DH key exchanges
    #
    # sslflags= Various flags modifying the use of SSL:
    # DELAYED_AUTH
    # Don't request client certificates
    # immediately, but wait until acl processing
    # requires a certificate (not yet implemented)
    # NO_DEFAULT_CA
    # Don't use the default CA lists built in
    # to OpenSSL.
    # NO_SESSION_REUSE
    # Don't allow for session reuse. Each connection
    # will result in a new SSL session.
    # VERIFY_CRL
    # Verify CRL lists when accepting client
    # certificates
    # VERIFY_CRL_ALL
    # Verify CRL lists for all certificates in the
    # client certificate chain
    #
    # sslcontext= SSL session ID context identifier.
    #
    #
    #Default:
    # none

    # TAG: ssl_unclean_shutdown
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # Some browsers (especially MSIE) bugs out on SSL shutdown
    # messages.
    #
    #Default:
    # ssl_unclean_shutdown off

    # TAG: ssl_engine
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # The OpenSSL engine to use. You will need to set this if you
    # would like to use hardware SSL acceleration for example.
    #
    #Default:
    # none

    # TAG: sslproxy_client_certificate
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # Client SSL Certificate to use when proxying https:// URLs
    #
    #Default:
    # none

    # TAG: sslproxy_client_key
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # Client SSL Key to use when proxying https:// URLs
    #
    #Default:
    # none

    # TAG: sslproxy_version
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # SSL version level to use when proxying https:// URLs
    #
    #Default:
    # sslproxy_version 1

    # TAG: sslproxy_options
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # SSL engine options to use when proxying https:// URLs
    #
    #Default:
    # none

    # TAG: sslproxy_cipher
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # SSL cipher list to use when proxying https:// URLs
    #
    #Default:
    # none

    # TAG: sslproxy_cafile
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # TAG: sslproxy_capath
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # TAG: sslproxy_flags
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # TAG: sslpassword_program
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-ssl option
    #
    # Specify a program used for entering SSL key passphrases
    # when using encrypted SSL certificate keys. If not specified
    # keys must either be unencrypted, or Squid started with the -N
    # option to allow it to query interactively for the passphrase.
    #
    #Default:
    # none

    # TAG: icp_port
    # The port number where Squid sends and receives ICP queries to
    # and from neighbor caches. Default is 3130. To disable use
    # "0". May be overridden with -u on the command line.
    #
    #Default:
    # icp_port 3130

    # TAG: htcp_port
    # The port number where Squid sends and receives HTCP queries to
    # and from neighbor caches. To turn it on you want to set it 4827.
    # By default it is set to "0" (disabled).
    #
    #Default:
    # htcp_port 0

    # TAG: mcast_groups
    # This tag specifies a list of multicast groups which your server
    # should join to receive multicasted ICP queries.
    #
    # NOTE! Be very careful what you put here! Be sure you
    # understand the difference between an ICP _query_ and an ICP
    # _reply_. This option is to be set only if you want to RECEIVE
    # multicast queries. Do NOT set this option to SEND multicast
    # ICP (use cache_peer for that). ICP replies are always sent via
    # unicast, so this option does not affect whether or not you will
    # receive replies from multicast group members.
    #
    # You must be very careful to NOT use a multicast address which
    # is already in use by another group of caches.
    #
    # If you are unsure about multicast, please read the Multicast
    # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
    #
    # Usage: mcast_groups 239.128.16.128 224.0.1.20
    #
    # By default, Squid doesn't listen on any multicast groups.
    #
    #Default:
    # none

    # TAG: udp_incoming_address
    # TAG: udp_outgoing_address
    # udp_incoming_address is used for the ICP socket receiving packets
    # from other caches.
    # udp_outgoing_address is used for ICP packets sent out to other
    # caches.
    #
    # The default behavior is to not bind to any specific address.
    #
    # A udp_incoming_address value of 0.0.0.0 indicates Squid
    # should listen for UDP messages on all available interfaces.
    #
    # If udp_outgoing_address is set to 255.255.255.255 (the default)
    # it will use the same socket as udp_incoming_address. Only
    # change this if you want to have ICP queries sent using another
    # address than where this Squid listens for ICP queries from other
    # caches.
    #
    # NOTE, udp_incoming_address and udp_outgoing_address can not
    # have the same value since they both use port 3130.
    #
    #Default:
    # udp_incoming_address 0.0.0.0
    # udp_outgoing_address 255.255.255.255


    # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
    # -----------------------------------------------------------------------------

    # TAG: cache_peer
    # To specify other caches in a hierarchy, use the format:
    #
    # cache_peer hostname type http_port icp_port [options]
    #
    # For example,
    #
    # # proxy icp
    # # hostname type port port options
    # # -------------------- -------- ----- ----- -----------
    # cache_peer parent.foo.net parent 3128 3130 [proxy-only]
    # cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
    # cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
    #
    # type: either 'parent', 'sibling', or 'multicast'.
    #
    # proxy_port: The port number where the cache listens for proxy
    # requests.
    #
    # icp_port: Used for querying neighbor caches about
    # objects. To have a non-ICP neighbor
    # specify '7' for the ICP port and make sure the
    # neighbor machine has the UDP echo port
    # enabled in its /etc/inetd.conf file.
    #
    # options: proxy-only
    # weight=n
    # ttl=n
    # no-query
    # default
    # round-robin
    # multicast-responder
    # closest-only
    # no-digest
    # no-netdb-exchange
    # no-delay
    # login=user:password | PASS | *:password
    # connect-timeout=nn
    # digest-url=url
    # allow-miss
    # max-conn
    # htcp
    # htcp-oldsquid
    # carp-load-factor
    # originserver
    # userhash
    # sourcehash
    # name=xxx
    # monitorurl=url
    # monitorsize=sizespec
    # monitorinterval=seconds
    # monitortimeout=seconds
    # group=name
    # forceddomain=name
    # ssl
    # sslcert=/path/to/ssl/certificate
    # sslkey=/path/to/ssl/key
    # sslversion=1|2|3|4
    # sslcipher=...
    # ssloptions=...
    # front-end-https[=on|auto]
    # connection-auth[=on|off|auto]
    #
    # use 'proxy-only' to specify objects fetched
    # from this cache should not be saved locally.
    #
    # use 'weight=n' to specify a weighted parent.
    # The weight must be an integer. The default weight
    # is 1, larger weights are favored more.
    #
    # use 'ttl=n' to specify a IP multicast TTL to use
    # when sending an ICP queries to this address.
    # Only useful when sending to a multicast group.
    # Because we don't accept ICP replies from random
    # hosts, you must configure other group members as
    # peers with the 'multicast-responder' option below.
    #
    # use 'no-query' to NOT send ICP queries to this
    # neighbor.
    #
    # use 'default' if this is a parent cache which can
    # be used as a "last-resort." You should probably
    # only use 'default' in situations where you cannot
    # use ICP with your parent cache(s).
    #
    # use 'round-robin' to define a set of parents which
    # should be used in a round-robin fashion in the
    # absence of any ICP queries.
    #
    # 'multicast-responder' indicates the named peer
    # is a member of a multicast group. ICP queries will
    # not be sent directly to the peer, but ICP replies
    # will be accepted from it.
    #
    # 'closest-only' indicates that, for ICP_OP_MISS
    # replies, we'll only forward CLOSEST_PARENT_MISSes
    # and never FIRST_PARENT_MISSes.
    #
    # use 'no-digest' to NOT request cache digests from
    # this neighbor.
    #
    # 'no-netdb-exchange' disables requesting ICMP
    # RTT database (NetDB) from the neighbor.
    #
    # use 'no-delay' to prevent access to this neighbor
    # from influencing the delay pools.
    #
    # use 'login=user:password' if this is a personal/workgroup
    # proxy and your parent requires proxy authentication.
    # Note: The string can include URL escapes (i.e. %20 for
    # spaces). This also means % must be written as %%.
    #
    # use 'login=PASS' to forward authentication to the peer.
    # Needed if the peer requires login.
    # Note: To combine this with local authentication the Basic
    # authentication scheme must be used, and both servers must
    # share the same user database as HTTP only allows for
    # a single login (one for proxy, one for origin server).
    #
    # use 'login=*:password' to pass the username to the
    # upstream cache, but with a fixed password. This is meant
    # to be used when the peer is in another administrative
    # domain, but it is still needed to identify each user.
    # The star can optionally be followed by some extra
    # information which is added to the username. This can
    # be used to identify this proxy to the peer, similar to
    # the login=username:password option above.
    #
    # use 'connect-timeout=nn' to specify a peer
    # specific connect timeout (also see the
    # peer_connect_timeout directive)
    #
    # use 'digest-url=url' to tell Squid to fetch the cache
    # digest (if digests are enabled) for this host from
    # the specified URL rather than the Squid default
    # location.
    #
    # use 'allow-miss' to disable Squid's use of only-if-cached
    # when forwarding requests to siblings. This is primarily
    # useful when icp_hit_stale is used by the sibling. To
    # extensive use of this option may result in forwarding
    # loops, and you should avoid having two-way peerings
    # with this option. (for example to deny peer usage on
    # requests from peer by denying cache_peer_access if the
    # source is a peer)
    #
    # use 'max-conn' to limit the amount of connections Squid
    # may open to this peer.
    #
    # use 'htcp' to send HTCP, instead of ICP, queries
    # to the neighbor. You probably also want to
    # set the "icp port" to 4827 instead of 3130.
    #
    # use 'htcp-oldsquid' to send HTCP to old Squid versions
    #
    # use 'carp-load-factor=f' to define a parent
    # cache as one participating in a CARP array.
    # The 'f' values for all CARP parents must add
    # up to 1.0.
    #
    # 'originserver' causes this parent peer to be contacted as
    # a origin server. Meant to be used in accelerator setups.
    #
    # use 'userhash' to load-balance amongst a set of parents
    # based on the client proxy_auth or ident username.
    #
    # use 'sourcehash' to load-balanse amongs a set of parents
    # based on the client source ip.
    #
    # use 'name=xxx' if you have multiple peers on the same
    # host but different ports. This name can then be used to
    # differentiate the peers in cache_peer_access and similar
    # directives.
    #
    # use 'monitorurl=url' to have periodically request a given
    # URL from the peer, and only consider the peer as alive
    # if this monitoring is successful (default none)
    #
    # use 'monitorsize=min[-max]' to limit the size range of
    # 'monitorurl' replies considered valid. Defaults to 0 to
    # accept any size replies as valid.
    #
    # use 'monitorinterval=seconds' to change frequency of
    # how often the peer is monitored with 'monitorurl'
    # (default 300 for a 5 minute interval). If set to 0
    # then monitoring is disabled even if a URL is defined.
    #
    # use 'monitortimeout=seconds' to change the timeout of
    # 'monitorurl'. Defaults to 'monitorinterval'.
    #
    # use 'forceddomain=name' to forcibly set the Host header
    # of requests forwarded to this peer. Useful in accelerator
    # setups where the server (peer) expects a certain domain
    # name and using redirectors to feed this domain name
    # is not feasible.
    #
    # use 'ssl' to indicate that connections to this peer should
    # bs SSL/TLS encrypted.
    #
    # use 'sslcert=/path/to/ssl/certificate' to specify a client
    # SSL certificate to use when connecting to this peer.
    #
    # use 'sslkey=/path/to/ssl/key' to specify the private SSL
    # key corresponding to sslcert above. If 'sslkey' is not
    # specified then 'sslcert' is assumed to reference a
    # combined file containing both the certificate and the key.
    #
    # Notes:
    #
    # On Debian/Ubuntu system a default snakeoil certificate is
    # available in /etc/ssl and users can set:
    #
    # cert=/etc/ssl/certs/ssl-cert-snakeoil.pem
    #
    # and
    #
    # key=/etc/ssl/private/ssl-cert-snakeoil.key
    #
    # for testing.
    #
    # use sslversion=1|2|3|4 to specify the SSL version to use
    # when connecting to this peer
    # 1 = automatic (default)
    # 2 = SSL v2 only
    # 3 = SSL v3 only
    # 4 = TLS v1 only
    #
    # use sslcipher=... to specify the list of valid SSL ciphers
    # to use when connecting to this peer.
    #
    # use ssloptions=... to specify various SSL engine options:
    # NO_SSLv2 Disallow the use of SSLv2
    # NO_SSLv3 Disallow the use of SSLv3
    # NO_TLSv1 Disallow the use of TLSv1
    # See src/ssl_support.c or the OpenSSL documentation for
    # a more complete list.
    #
    # use sslcafile=... to specify a file containing
    # additional CA certificates to use when verifying the
    # peer certificate.
    #
    # use sslcapath=... to specify a directory containing
    # additional CA certificates to use when verifying the
    # peer certificate.
    #
    # use sslcrlfile=... to specify a certificate revocation
    # list file to use when verifying the peer certificate.
    #
    # use sslflags=... to specify various flags modifying the
    # SSL implementation:
    # DONT_VERIFY_PEER
    # Accept certificates even if they fail to
    # verify.
    # NO_DEFAULT_CA
    # Don't use the default CA list built in
    # to OpenSSL.
    #
    # use ssldomain= to specify the peer name as advertised
    # in it's certificate. Used for verifying the correctness
    # of the received peer certificate. If not specified the
    # peer hostname will be used.
    #
    # use front-end-https to enable the "Front-End-Https: On"
    # header needed when using Squid as a SSL frontend in front
    # of Microsoft OWA. See MS KB document Q307347 for details
    # on this header. If set to auto then the header will
    # only be added if the request is forwarded as a https://
    # URL.
    #
    # use connection-auth=off to tell Squid that this peer does
    # not support Microsoft connection oriented authentication,
    # and any such challenges received from there should be
    # ignored. Default is auto to automatically determine the
    # status of the peer.
    #
    # NOTE: non-ICP/HTCP neighbors must be specified as 'parent'.
    #
    #Default:
    # none

    # TAG: cache_peer_domain
    # Use to limit the domains for which a neighbor cache will be
    # queried. Usage:
    #
    # cache_peer_domain cache-host domain [domain ...]
    # cache_peer_domain cache-host !domain
    #
    # For example, specifying
    #
    # cache_peer_domain parent.foo.net .edu
    #
    # has the effect such that UDP query packets are sent to
    # 'bigserver' only when the requested object exists on a
    # server in the .edu domain. Prefixing the domain name
    # with '!' means the cache will be queried for objects
    # NOT in that domain.
    #
    # NOTE: * Any number of domains may be given for a cache-host,
    # either on the same or separate lines.
    # * When multiple domains are given for a particular
    # cache-host, the first matched domain is applied.
    # * Cache hosts with no domain restrictions are queried
    # for all requests.
    # * There are no defaults.
    # * There is also a 'cache_peer_access' tag in the ACL
    # section.
    #
    #Default:
    # none

    # TAG: neighbor_type_domain
    # usage: neighbor_type_domain neighbor parent|sibling domain domain ...
    #
    # Modifying the neighbor type for specific domains is now
    # possible. You can treat some domains differently than the the
    # default neighbor type specified on the 'cache_peer' line.
    # Normally it should only be necessary to list domains which
    # should be treated differently because the default neighbor type
    # applies for hostnames which do not match domains listed here.
    #
    #EXAMPLE:
    # cache_peer parent cache.foo.org 3128 3130
    # neighbor_type_domain cache.foo.org sibling .com .net
    # neighbor_type_domain cache.foo.org sibling .au .de
    #
    #Default:
    # none

    # TAG: icp_query_timeout (msec)
    # Normally Squid will automatically determine an optimal ICP
    # query timeout value based on the round-trip-time of recent ICP
    # queries. If you want to override the value determined by
    # Squid, set this 'icp_query_timeout' to a non-zero value. This
    # value is specified in MILLISECONDS, so, to use a 2-second
    # timeout (the old default), you would write:
    #
    # icp_query_timeout 2000
    #
    #Default:
    # icp_query_timeout 0

    # TAG: maximum_icp_query_timeout (msec)
    # Normally the ICP query timeout is determined dynamically. But
    # sometimes it can lead to very large values (say 5 seconds).
    # Use this option to put an upper limit on the dynamic timeout
    # value. Do NOT use this option to always use a fixed (instead
    # of a dynamic) timeout value. To set a fixed timeout see the
    # 'icp_query_timeout' directive.
    #
    #Default:
    # maximum_icp_query_timeout 2000

    # TAG: mcast_icp_query_timeout (msec)
    # For multicast peers, Squid regularly sends out ICP "probes" to
    # count how many other peers are listening on the given multicast
    # address. This value specifies how long Squid should wait to
    # count all the replies. The default is 2000 msec, or 2
    # seconds.
    #
    #Default:
    # mcast_icp_query_timeout 2000

    # TAG: dead_peer_timeout (seconds)
    # This controls how long Squid waits to declare a peer cache
    # as "dead." If there are no ICP replies received in this
    # amount of time, Squid will declare the peer dead and not
    # expect to receive any further ICP replies. However, it
    # continues to send ICP queries, and will mark the peer as
    # alive upon receipt of the first subsequent ICP reply.
    #
    # This timeout also affects when Squid expects to receive ICP
    # replies from peers. If more than 'dead_peer' seconds have
    # passed since the last ICP reply was received, Squid will not
    # expect to receive an ICP reply on the next query. Thus, if
    # your time between requests is greater than this timeout, you
    # will see a lot of requests sent DIRECT to origin servers
    # instead of to your parents.
    #
    #Default:
    # dead_peer_timeout 10 seconds

    # TAG: hierarchy_stoplist
    # A list of words which, if found in a URL, cause the object to
    # be handled directly by this cache. In other words, use this
    # to not query neighbor caches for certain objects. You may
    # list this option multiple times. Note: never_direct overrides
    # this option.
    #We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # TAG: cache
    # A list of ACL elements which, if matched, cause the request to
    # not be satisfied from the cache and the reply to not be cached.
    # In other words, use this to force certain objects to never be cached.
    #
    # You must use the word 'DENY' to indicate the ACL names which should
    # NOT be cached.
    #
    # Default is to allow all to be cached
    #We recommend you to use the following two lines.
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY

    # TAG: cache_vary
    # Set to off to disable caching of Vary:in objects.
    #
    #Default:
    # cache_vary on

    # TAG: broken_vary_encoding
    # Many servers have broken support for on-the-fly Content-Encoding,
    # returning the same ETag on both plain and gzip:ed variants.
    # Vary replies matching this access list will have the cache split
    # on the Accept-Encoding header of the request and not trusting the
    # ETag to be unique.
    #
    # Apache mod_gzip and mod_deflate known to be broken so don't trust
    # Apache to signal ETag correctly on such responses
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache


    # OPTIONS WHICH AFFECT THE CACHE SIZE
    # -----------------------------------------------------------------------------

    # TAG: cache_mem (bytes)
    # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
    # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
    # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
    # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
    #
    # 'cache_mem' specifies the ideal amount of memory to be used
    # for:
    # * In-Transit objects
    # * Hot Objects
    # * Negative-Cached objects
    #
    # Data for these objects are stored in 4 KB blocks. This
    # parameter specifies the ideal upper limit on the total size of
    # 4 KB blocks allocated. In-Transit objects take the highest
    # priority.
    #
    # In-transit objects have priority over the others. When
    # additional space is needed for incoming data, negative-cached
    # and hot objects will be released. In other words, the
    # negative-cached and hot objects will fill up any unused space
    # not needed for in-transit objects.
    #
    # If circumstances require, this limit will be exceeded.
    # Specifically, if your incoming request rate requires more than
    # 'cache_mem' of memory to hold in-transit objects, Squid will
    # exceed this limit to satisfy the new requests. When the load
    # decreases, blocks will be freed until the high-water mark is
    # reached. Thereafter, blocks will be used to store hot
    # objects.
    #
    #Default:
    # cache_mem 8 MB

    # TAG: cache_swap_low (percent, 0-100)
    # TAG: cache_swap_high (percent, 0-100)
    #
    # The low- and high-water marks for cache object replacement.
    # Replacement begins when the swap (disk) usage is above the
    # low-water mark and attempts to maintain utilization near the
    # low-water mark. As swap utilization gets close to high-water
    # mark object eviction becomes more aggressive. If utilization is
    # close to the low-water mark less replacement is done each time.
    #
    # Defaults are 90% and 95%. If you have a large cache, 5% could be
    # hundreds of MB. If this is the case you may wish to set these
    # numbers closer together.
    #
    #Default:
    # cache_swap_low 90
    # cache_swap_high 95

    # TAG: maximum_object_size (bytes)
    # Objects larger than this size will NOT be saved on disk. The
    # value is specified in kilobytes, and the default is 4MB. If
    # you wish to get a high BYTES hit ratio, you should probably
    # increase this (one 32 MB object hit counts for 3200 10KB
    # hits). If you wish to increase speed more than your want to
    # save bandwidth you should leave this low.
    #
    # NOTE: if using the LFUDA replacement policy you should increase
    # this value to maximize the byte hit rate improvement of LFUDA!
    # See replacement_policy below for a discussion of this policy.
    #
    #Default:
    # maximum_object_size 4096 KB

    # TAG: minimum_object_size (bytes)
    # Objects smaller than this size will NOT be saved on disk. The
    # value is specified in kilobytes, and the default is 0 KB, which
    # means there is no minimum.
    #
    #Default:
    # minimum_object_size 0 KB

    # TAG: maximum_object_size_in_memory (bytes)
    # Objects greater than this size will not be attempted to kept in
    # the memory cache. This should be set high enough to keep objects
    # accessed frequently in memory to improve performance whilst low
    # enough to keep larger objects from hoarding cache_mem.
    #
    #Default:
    # maximum_object_size_in_memory 8 KB

    # TAG: ipcache_size (number of entries)
    # TAG: ipcache_low (percent)
    # TAG: ipcache_high (percent)
    # The size, low-, and high-water marks for the IP cache.
    #
    #Default:
    # ipcache_size 1024
    # ipcache_low 90
    # ipcache_high 95

    # TAG: fqdncache_size (number of entries)
    # Maximum number of FQDN cache entries.
    #
    #Default:
    # fqdncache_size 1024

    # TAG: cache_replacement_policy
    # The cache replacement policy parameter determines which
    # objects are evicted (replaced) when disk space is needed.
    #
    # lru : Squid's original list based LRU policy
    # heap GDSF : Greedy-Dual Size Frequency
    # heap LFUDA: Least Frequently Used with Dynamic Aging
    # heap LRU : LRU policy implemented using a heap
    #
    # Applies to any cache_dir lines listed below this.
    #
    # The LRU policies keeps recently referenced objects.
    #
    # The heap GDSF policy optimizes object hit rate by keeping smaller
    # popular objects in cache so it has a better chance of getting a
    # hit. It achieves a lower byte hit rate than LFUDA though since
    # it evicts larger (possibly popular) objects.
    #
    # The heap LFUDA policy keeps popular objects in cache regardless of
    # their size and thus optimizes byte hit rate at the expense of
    # hit rate since one large, popular object will prevent many
    # smaller, slightly less popular objects from being cached.
    #
    # Both policies utilize a dynamic aging mechanism that prevents
    # cache pollution that can otherwise occur with frequency-based
    # replacement policies.
    #
    # NOTE: if using the LFUDA replacement policy you should increase
    # the value of maximum_object_size above its default of 4096 KB to
    # to maximize the potential byte hit rate improvement of LFUDA.
    #
    # For more information about the GDSF and LFUDA cache replacement
    # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
    # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html..
    #
    #Default:
    # cache_replacement_policy lru

    # TAG: memory_replacement_policy
    # The memory replacement policy parameter determines which
    # objects are purged from memory when memory space is needed.
    #
    # See cache_replacement_policy for details.
    #
    #Default:
    # memory_replacement_policy lru


    # LOGFILE PATHNAMES AND CACHE DIRECTORIES
    # -----------------------------------------------------------------------------

    # TAG: cache_dir
    # Usage:
    #
    # cache_dir Type Directory-Name Fs-specific-data [options]
    #
    # You can specify multiple cache_dir lines to spread the
    # cache among different disk partitions.
    #
    # Type specifies the kind of storage system to use. Only "ufs"
    # is built by default. To enable any of the other storage systems
    # see the --enable-storeio configure option.
    #
    # 'Directory' is a top-level directory where cache swap
    # files will be stored. If you want to use an entire disk
    # for caching, this can be the mount-point directory.
    # The directory must exist and be writable by the Squid
    # process. Squid will NOT create this directory for you.
    # Only using COSS, a raw disk device or a stripe file can
    # be specified, but the configuration of the "cache_wap_log"
    # tag is mandatory.
    #
    # The ufs store type:
    #
    # "ufs" is the old well-known Squid storage format that has always
    # been there.
    #
    # cache_dir ufs Directory-Name Mbytes L1 L2 [options]
    #
    # 'Mbytes' is the amount of disk space (MB) to use under this
    # directory. The default is 100 MB. Change this to suit your
    # configuration. Do NOT put the size of your disk drive here.
    # Instead, if you want Squid to use the entire disk drive,
    # subtract 20% and use that value.
    #
    # 'Level-1' is the number of first-level subdirectories which
    # will be created under the 'Directory'. The default is 16.
    #
    # 'Level-2' is the number of second-level subdirectories which
    # will be created under each first-level directory. The default
    # is 256.
    #
    # The aufs store type:
    #
    # "aufs" uses the same storage format as "ufs", utilizing
    # POSIX-threads to avoid blocking the main Squid process on
    # disk-I/O. This was formerly known in Squid as async-io.
    #
    # cache_dir aufs Directory-Name Mbytes L1 L2 [options]
    #
    # see argument descriptions under ufs above
    #
    # The diskd store type:
    #
    # "diskd" uses the same storage format as "ufs", utilizing a
    # separate process to avoid blocking the main Squid process on
    # disk-I/O.
    #
    # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
    #
    # see argument descriptions under ufs above
    #
    # Q1 specifies the number of unacknowledged I/O requests when Squid
    # stops opening new files. If this many messages are in the queues,
    # Squid won't open new files. Default is 64
    #
    # Q2 specifies the number of unacknowledged messages when Squid
    # starts blocking. If this many messages are in the queues,
    # Squid blocks until it receives some replies. Default is 72
    #
    # When Q1 < Q2 (the default), the cache directory is optimized
    # for lower response time at the expense of a decrease in hit
    # ratio. If Q1 > Q2, the cache directory is optimized for
    # higher hit ratio at the expense of an increase in response
    # time.
    #
    # The COSS store type:
    #
    # block-size=n defines the "block size" for COSS cache_dir's.
    # Squid uses file numbers as block numbers. Since file numbers
    # are limited to 24 bits, the block size determines the maximum
    # size of the COSS partition. The default is 512 bytes, which
    # leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
    # you should not change the COSS block size after Squid
    # has written some objects to the cache_dir.
    #
    # overwrite-percent=n defines the percentage of disk that COSS
    # must write to before a given object will be moved to the
    # current stripe. A value of "n" closer to 100 will cause COSS
    # to waste less disk space by having multiple copies of an object
    # on disk, but will increase the chances of overwriting a popular
    # object as COSS overwrites stripes. A value of "n" close to 0
    # will cause COSS to keep all current objects in the current COSS
    # stripe at the expense of the hit rate. The default value of 50
    # will allow any given object to be stored on disk a maximum of
    # 2 times.
    #
    # max-stripe-waste=n defines the maximum amount of space that COSS
    # will waste in a given stripe (in bytes). When COSS writes data
    # to disk, it will potentially waste up to "max-size" worth of disk
    # space for each 1MB of data written. If "max-size" is set to a
    # large value (ie >256k), this could potentially result in large
    # amounts of wasted disk space. Setting this value to a lower value
    # (ie 64k or 32k) will result in a COSS disk refusing to cache
    # larger objects until the COSS stripe has been filled to within
    # "max-stripe-waste" of the maximum size (1MB).
    #
    # membufs=n defines the number of "memory-only" stripes that COSS
    # will use. When an cache hit is performed on a COSS stripe before
    # COSS has reached the overwrite-percent value for that object,
    # COSS will use a series of memory buffers to hold the object in
    # while the data is sent to the client. This will define the maximum
    # number of memory-only buffers that COSS will use. The default value
    # is 10, which will use a maximum of 10MB of memory for buffers.
    #
    # maxfullbufs=n defines the maximum number of stripes a COSS partition
    # will have in memory waiting to be freed (either because the disk is
    # under load and the stripe is unwritten, or because clients are still
    # transferring data from objects using the memory). In order to try
    # and maintain a good hit rate under load, COSS will reserve the last
    # 2 full stripes for object hits. (ie a COSS cache_dir will reject
    # new objects when the number of full stripes is 2 less than maxfullbufs)
    #
    # Common options:
    #
    # read-only, this cache_dir is read only.
    #
    # max-size=n, refers to the max object size this storedir supports.
    # It is used to initially choose the storedir to dump the object.
    # Note: To make optimal use of the max-size limits you should order
    # the cache_dir lines with the smallest max-size value first and the
    # ones with no max-size specification last.
    #
    # Note that for coss, max-size must be less than COSS_MEMBUF_SZ
    # (hard coded at 1 MB).
    #
    #Default:
    # cache_dir ufs /var/spool/squid 100 16 256

    # TAG: logformat
    # Usage:
    #
    # logformat <name> <format specification>
    #
    # Defines an access log format.
    #
    # The <format specification> is a string with embedded % format codes
    #
    # % format codes all follow the same basic structure where all but
    # the formatcode is optional. Output strings are automatically escaped
    # as required according to their context and the output format
    # modifiers are usually not needed, but can be specified if an explicit
    # output format is desired.
    #
    # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
    #
    # " output in quoted string format
    # [ output in squid text log format as used by log_mime_hdrs
    # # output in URL quoted format
    # ' output as-is
    #
    # - left aligned
    # width field width. If starting with 0 then the
    # output is zero padded
    # {arg} argument such as header name etc
    #
    # Format codes:
    #
    # >a Client source IP address
    # >A Client FQDN
    # <A Server IP address or peer name
    # la Local IP address (http_port)
    # lp Local port number (http_port)
    # ts Seconds since epoch
    # tu subsecond time (milliseconds)
    # tl Local time. Optional strftime format argument
    # default %d/%b/%Y:%H:%M:%S %z
    # tg GMT time. Optional strftime format argument
    # default %d/%b/%Y:%H:%M:%S %z
    # tr Response time (milliseconds)
    # >h Request header. Optional header name argument
    # on the format header[:[separator]element]
    # <h Reply header. Optional header name argument
    # as for >h
    # un User name
    # ul User login
    # ui User ident
    # us User SSL
    # ue User external acl
    # Hs HTTP status code
    # Ss Squid request status (TCP_MISS etc)
    # Sh Squid hierarchy status (DEFAULT_PARENT etc)
    # mt MIME content type
    # rm Request method (GET/POST etc)
    # ru Request URL
    # rv Request protocol version
    # ea Log string returned by external acl
    # <st Reply size including HTTP headers
    # % a literal % character
    #
    #logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
    #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
    #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
    #logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
    #
    #Default:
    # none

    # TAG: access_log
    # These files log client request activities. Has a line every HTTP or
    # ICP request. The format is:
    # access_log <filepath> [<logformat name> [acl acl ...]]
    #
    # Will log to the specified file using the specified format (which
    # must be defined in a logformat directive) those entries which match
    # ALL the acl's specified (which must be defined in acl clauses).
    # If no acl is specified, all requests will be logged to this file.
    #
    # To disable logging of a request use the filepath "none", in which case
    # a logformat name should not be specified.
    #
    # To log the request via syslog specify a filepath of "syslog"
    access_log /var/log/squid/access.log squid

    # TAG: cache_log
    # Cache logging file. This is where general information about
    # your cache's behavior goes. You can increase the amount of data
    # logged to this file with the "debug_options" tag below.
    #
    #Default:
    # cache_log /var/log/squid/cache.log

    # TAG: cache_store_log
    # Logs the activities of the storage manager. Shows which
    # objects are ejected from the cache, and which objects are
    # saved and for how long. To disable, enter "none". There are
    # not really utilities to analyze this data, so you can safely
    # disable it.
    #
    #Default:
    # cache_store_log /var/log/squid/store.log

    # TAG: cache_swap_log
    # Location for the cache "swap.state" file. This log file holds
    # the metadata of objects saved on disk. It is used to rebuild
    # the cache during startup. Normally this file resides in each
    # 'cache_dir' directory, but you may specify an alternate
    # pathname here. Note you must give a full filename, not just
    # a directory. Since this is the index for the whole object
    # list you CANNOT periodically rotate it!
    #
    # If %s can be used in the file name it will be replaced with a
    # a representation of the cache_dir name where each / is replaced
    # with '.'. This is needed to allow adding/removing cache_dir
    # lines when cache_swap_log is being used.
    #
    # If have more than one 'cache_dir', and %s is not used in the name
    # these swap logs will have names such as:
    #
    # cache_swap_log.00
    # cache_swap_log.01
    # cache_swap_log.02
    #
    # The numbered extension (which is added automatically)
    # corresponds to the order of the 'cache_dir' lines in this
    # configuration file. If you change the order of the 'cache_dir'
    # lines in this file, these log files will NOT correspond to
    # the correct 'cache_dir' entry (unless you manually rename
    # them). We recommend you do NOT use this option. It is
    # better to keep these log files in each 'cache_dir' directory.
    #
    #Default:
    # none

    # TAG: emulate_httpd_log on|off
    # The Cache can emulate the log file format which many 'httpd'
    # programs use. To disable/enable this emulation, set
    # emulate_httpd_log to 'off' or 'on'. The default
    # is to use the native log format since it includes useful
    # information Squid-specific log analyzers use.
    #
    #Default:
    # emulate_httpd_log off

    # TAG: log_ip_on_direct on|off
    # Log the destination IP address in the hierarchy log tag when going
    # direct. Earlier Squid versions logged the hostname here. If you
    # prefer the old way set this to off.
    #
    #Default:
    # log_ip_on_direct on

    # TAG: mime_table
    # Pathname to Squid's MIME table. You shouldn't need to change
    # this, but the default file contains examples and formatting
    # information if you do.
    #
    #Default:
    # mime_table /usr/share/squid/mime.conf

    # TAG: log_mime_hdrs on|off
    # The Cache can record both the request and the response MIME
    # headers for each HTTP transaction. The headers are encoded
    # safely and will appear as two bracketed fields at the end of
    # the access log (for either the native or httpd-emulated log
    # formats). To enable this logging set log_mime_hdrs to 'on'.
    #
    #Default:
    # log_mime_hdrs off

    # TAG: useragent_log
    # Squid will write the User-Agent field from HTTP requests
    # to the filename specified here. By default useragent_log
    # is disabled.
    #
    #Default:
    # none

    # TAG: referer_log
    # Squid will write the Referer field from HTTP requests to the
    # filename specified here. By default referer_log is disabled.
    # Note that "referer" is actually a misspelling of "referrer"
    # however the misspelt version has been accepted into the HTTP RFCs
    # and we accept both.
    #
    #Default:
    # none

    # TAG: pid_filename
    # A filename to write the process-id to. To disable, enter "none".
    #
    #Default:
    # pid_filename /var/run/squid.pid

    # TAG: debug_options
    # Logging options are set as section,level where each source file
    # is assigned a unique section. Lower levels result in less
    # output, Full debugging (level 9) can result in a very large
    # log file, so be careful. The magic word "ALL" sets debugging
    # levels for all sections. We recommend normally running with
    # "ALL,1".
    #
    #Default:
    # debug_options ALL,1

    # TAG: log_fqdn on|off
    # Turn this on if you wish to log fully qualified domain names
    # in the access.log. To do this Squid does a DNS lookup of all
    # IP's connecting to it. This can (in some situations) increase
    # latency, which makes your cache seem slower for interactive
    # browsing.
    #
    #Default:
    # log_fqdn off

    # TAG: client_netmask
    # A netmask for client addresses in logfiles and cachemgr output.
    # Change this to protect the privacy of your cache clients.
    # A netmask of 255.255.255.0 will log all IP's in that range with
    # the last digit set to '0'.
    #
    #Default:
    # client_netmask 255.255.255.255


    # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
    # -----------------------------------------------------------------------------

    # TAG: ftp_user
    # If you want the anonymous login password to be more informative
    # (and enable the use of picky ftp servers), set this to something
    # reasonable for your domain, like wwwuser@somewhere.net
    #
    # The reason why this is domainless by default is the
    # request can be made on the behalf of a user in any domain,
    # depending on how the cache is used.
    # Some ftp server also validate the email address is valid
    # (for example perl.com).
    #
    #Default:
    # ftp_user Squid@

    # TAG: ftp_list_width
    # Sets the width of ftp listings. This should be set to fit in
    # the width of a standard browser. Setting this too small
    # can cut off long filenames when browsing ftp sites.
    #
    #Default:
    # ftp_list_width 32

    # TAG: ftp_passive
    # If your firewall does not allow Squid to use passive
    # connections, turn off this option.
    #
    #Default:
    # ftp_passive on

    # TAG: ftp_sanitycheck
    # For security and data integrity reasons Squid by default performs
    # sanity checks of the addresses of FTP data connections ensure the
    # data connection is to the requested server. If you need to allow
    # FTP connections to servers using another IP address for the data
    # connection turn this off.
    #
    #Default:
    # ftp_sanitycheck on

    # TAG: ftp_telnet_protocol
    # The FTP protocol is officially defined to use the telnet protocol
    # as transport channel for the control connection. However, many
    # implementations are broken and does not respect this aspect of
    # the FTP protocol.
    #
    # If you have trouble accessing files with ASCII code 255 in the
    # path or similar problems involving this ASCII code you can
    # try setting this directive to off. If that helps, report to the
    # operator of the FTP server in question that their FTP server
    # is broken and does not follow the FTP standard.
    #
    #Default:
    # ftp_telnet_protocol on

    # TAG: check_hostnames
    # For security and stability reasons Squid by default checks
    # hostnames for Internet standard RFC compliance. If you do not want
    # Squid to perform these checks then turn this directive off.
    #
    #Default:
    # check_hostnames on

    # TAG: allow_underscore
    # Underscore characters is not strictly allowed in Internet hostnames
    # but nevertheless used by many sites. Set this to off if you want
    # Squid to be strict about the standard.
    #
    #Default:
    # allow_underscore on

    # TAG: cache_dns_program
    # Note: This option is only available if Squid is rebuilt with the
    # --disable-internal-dns option
    #
    # Specify the location of the executable for dnslookup process.
    #
    #Default:
    # cache_dns_program /usr/lib/squid/dnsserver

    # TAG: dns_children
    # Note: This option is only available if Squid is rebuilt with the
    # --disable-internal-dns option
    #
    # The number of processes spawn to service DNS name lookups.
    # For heavily loaded caches on large servers, you should
    # probably increase this value to at least 10. The maximum
    # is 32. The default is 5.
    #
    # You must have at least one dnsserver process.
    #
    #Default:
    # dns_children 5

    # TAG: dns_retransmit_interval
    # Initial retransmit interval for DNS queries. The interval is
    # doubled each time all configured DNS servers have been tried.
    #
    #
    #Default:
    # dns_retransmit_interval 5 seconds

    # TAG: dns_timeout
    # DNS Query timeout. If no response is received to a DNS query
    # within this time all DNS servers for the queried domain
    # are assumed to be unavailable.
    #
    #Default:
    # dns_timeout 2 minutes

    # TAG: dns_defnames on|off
    # Normally the RES_DEFNAMES resolver option is disabled
    # (see res_init(3)). This prevents caches in a hierarchy
    # from interpreting single-component hostnames locally. To allow
    # Squid to handle single-component names, enable this option.
    #
    #Default:
    # dns_defnames off

    # TAG: dns_nameservers
    # Use this if you want to specify a list of DNS name servers
    # (IP addresses) to use instead of those given in your
    # /etc/resolv.conf file.
    # On Windows platforms, if no value is specified here or in
    # the /etc/resolv.conf file, the list of DNS name servers are
    # taken from the Windows registry, both static and dynamic DHCP
    # configurations are supported.
    #
    # Example: dns_nameservers 10.0.0.1 192.172.0.4
    #
    #Default:
    # none

    # TAG: hosts_file
    # Location of the host-local IP name-address associations
    # database. Most Operating Systems have such a file on different
    # default locations:
    # - Un*X & Linux: /etc/hosts
    # - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
    # (%SystemRoot% value install default is c:\winnt)
    # - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
    # (%SystemRoot% value install default is c:\windows)
    # - Windows 9x/Me: %windir%\hosts
    # (%windir% value is usually c:\windows)
    # - Cygwin: /etc/hosts
    #
    # The file contains newline-separated definitions, in the
    # form ip_address_in_dotted_form name [name ...] names are
    # whitespace-separated. Lines beginning with an hash (#)
    # character are comments.
    #
    # The file is checked at startup and upon configuration.
    # If set to 'none', it won't be checked.
    # If append_domain is used, that domain will be added to
    # domain-local (i.e. not containing any dot character) host
    # definitions.
    #
    #Default:
    # hosts_file /etc/hosts
    #
    hosts_file /etc/hosts

    # TAG: diskd_program
    # Specify the location of the diskd executable.
    # Note that this is only useful if you have compiled in
    # diskd as one of the store io modules.
    #
    #Default:
    # diskd_program /usr/lib/squid/diskd-daemon

    # TAG: unlinkd_program
    # Specify the location of the executable for file deletion process.
    #
    #Default:
    # unlinkd_program /usr/lib/squid/unlinkd

    # TAG: pinger_program
    # Note: This option is only available if Squid is rebuilt with the
    # --enable-icmp option
    #
    # Specify the location of the executable for the pinger process.
    #
    #Default:
    # pinger_program /usr/lib/squid/pinger

    # TAG: url_rewrite_program
    # Specify the location of the executable for the URL rewriter.
    # Since they can perform almost any function there isn't one included.
    #
    # For each requested URL rewriter will receive on line with the format
    #
    # URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup <NL>
    #
    # And the rewriter may return a rewritten URL. The other components of
    # the request line does not need to be returned (ignored if they are).
    #
    # The rewriter can also indicate that a client-side redirect should
    # be performed to the new URL. This is done by prefixing the returned
    # URL with "301:" (moved permanently) or 302: (moved temporarily).
    #
    # It can also return a "urlgroup" that can subsequently be matched
    # in cache_peer_access and similar ACL driven rules. An urlgroup is
    # returned by prefixing the returned url with "!urlgroup!"
    #
    # By default, a URL rewriter is not used.
    #
    #Default:
    # none

    # TAG: url_rewrite_children
    # The number of redirector processes to spawn. If you start
    # too few Squid will have to wait for them to process a backlog of
    # URLs, slowing it down. If you start too many they will use RAM
    # and other system resources.
    #
    #Default:
    # url_rewrite_children 5

    # TAG: url_rewrite_concurrency
    # The number of requests each redirector helper can handle in
    # parallel. Defaults to 0 which indicates that the redirector
    # is a old-style singlethreaded redirector.
    #
    #Default:
    # url_rewrite_concurrency 0

    # TAG: url_rewrite_host_header
    # By default Squid rewrites any Host: header in redirected
    # requests. If you are running an accelerator this may
    # not be a wanted effect of a redirector.
    #
    # WARNING: Entries are cached on the result of the URL rewriting
    # process, so be careful if you have domain-virtual hosts.
    #
    #Default:
    # url_rewrite_host_header on

    # TAG: url_rewrite_access
    # If defined, this access list specifies which requests are
    # sent to the redirector processes. By default all requests
    # are sent.
    #
    #Default:
    # none

    # TAG: location_rewrite_program
    # Specify the location of the executable for the Location rewriter,
    # used to rewrite server generated redirects. Usually used in
    # conjunction with a url_rewrite_program
    #
    # For each Location header received the location rewriter will receive
    # one line with the format:
    #
    # location URL <SP> requested URL <SP> urlgroup <NL>
    #
    # And the rewriter may return a rewritten Location URL or a blank line.
    # The other components of the request line does not need to be returned
    # (ignored if they are).
    #
    # By default, a Location rewriter is not used.
    #
    #Default:
    # none

    # TAG: location_rewrite_children
    # The number of location rewriting processes to spawn. If you start
    # too few Squid will have to wait for them to process a backlog of
    # URLs, slowing it down. If you start too many they will use RAM
    # and other system resources.
    #
    #Default:
    # location_rewrite_children 5

    # TAG: location_rewrite_concurrency
    # The number of requests each Location rewriter helper can handle in
    # parallel. Defaults to 0 which indicates that the helper
    # is a old-style singlethreaded helper.
    #
    #Default:
    # location_rewrite_concurrency 0

    # TAG: location_rewrite_access
    # If defined, this access list specifies which requests are
    # sent to the location rewriting processes. By default all Location
    # headers are sent.
    #
    #Default:
    # none

    # TAG: auth_param
    # This is used to define parameters for the various authentication
    # schemes supported by Squid.
    #
    # format: auth_param scheme parameter [setting]
    #
    # The order in which authentication schemes are presented to the client is
    # dependent on the order the scheme first appears in config file. IE
    # has a bug (it's not RFC 2617 compliant) in that it will use the basic
    # scheme if basic is the first entry presented, even if more secure
    # schemes are presented. For now use the order in the recommended
    # settings section below. If other browsers have difficulties (don't
    # recognize the schemes offered even if you are using basic) either
    # put basic first, or disable the other schemes (by commenting out their
    # program entry).
    #
    # Once an authentication scheme is fully configured, it can only be
    # shutdown by shutting squid down and restarting. Changes can be made on
    # the fly and activated with a reconfigure. I.E. You can change to a
    # different helper, but not unconfigure the helper completely.
    #
    # Please note that while this directive defines how Squid processes
    # authentication it does not automatically activate authentication.
    # To use authentication you must in addition make use of ACLs based
    # on login name in http_access (proxy_auth, proxy_auth_regex or
    # external with %LOGIN used in the format tag). The browser will be
    # challenged for authentication on the first such acl encountered
    # in http_access processing and will also be re-challenged for new
    # login credentials if the request is being denied by a proxy_auth
    # type acl.
    #
    # WARNING: authentication can't be used in a transparently intercepting
    # proxy as the client then thinks it is talking to an origin server and
    # not the proxy. This is a limitation of bending the TCP/IP protocol to
    # transparently intercepting port 80, not a limitation in Squid.
    #
    # === Parameters for the basic scheme follow. ===
    #
    # "program" cmdline
    # Specify the command for the external authenticator. Such a program
    # reads a line containing "username password" and replies "OK" or
    # "ERR" in an endless loop. "ERR" responses may optionally be followed
    # by a error description available as %m in the returned error page.
    #
    # By default, the basic authentication scheme is not used unless a
    # program is specified.
    #
    # If you want to use the traditional proxy authentication, jump over to
    # the helpers/basic_auth/NCSA directory and type:
    # % make
    # % make install
    #
    # Then, set this line to something like
    #
    # auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
    #
    # "children" numberofchildren
    # The number of authenticator processes to spawn. If you start too few
    # squid will have to wait for them to process a backlog of credential
    # verifications, slowing it down. When credential verifications are
    # done via a (slow) network you are likely to need lots of
    # authenticator processes.
    # auth_param basic children 5
    #
    # "concurrency" numberofconcurrentrequests
    # The number of concurrent requests/channels the helper supports.
    # Changes the protocol used to include a channel number first on
    # the request/response line, allowing multiple requests to be sent
    # to the same helper in parallell without wating for the response.
    # Must not be set unless it's known the helper supports this.
    #
    # "realm" realmstring
    # Specifies the realm name which is to be reported to the client for
    # the basic proxy authentication scheme (part of the text the user
    # will see when prompted their username and password).
    # auth_param basic realm Squid proxy-caching web server
    #
    # "credentialsttl" timetolive
    # Specifies how long squid assumes an externally validated
    # username:password pair is valid for - in other words how often the
    # helper program is called for that user. Set this low to force
    # revalidation with short lived passwords. Note that setting this high
    # does not impact your susceptibility to replay attacks unless you are
    # using an one-time password system (such as SecureID). If you are using
    # such a system, you will be vulnerable to replay attacks unless you
    # also use the max_user_ip ACL in an http_access rule.
    # auth_param basic credentialsttl 2 hours
    #
    # "casesensitive" on|off
    # Specifies if usernames are case sensitive. Most user databases are
    # case insensitive allowing the same username to be spelled using both
    # lower and upper case letters, but some are case sensitive. This
    # makes a big difference for user_max_ip ACL processing and similar.
    # auth_param basic casesensitive off
    #
    # "blankpassword" on|off
    # Specifies if blank passwords should be supported. Defaults to off
    # as there is multiple authentication backends which handles blank
    # passwords as "guest" access.
    #
    # === Parameters for the digest scheme follow ===
    #
    # "program" cmdline
    # Specify the command for the external authenticator. Such a program
    # reads a line containing "username":"realm" and replies with the
    # appropriate H(A1) value base64 encoded or ERR if the user (or his H(A1)
    # hash) does not exists. See RFC 2616 for the definition of H(A1).
    # "ERR" responses may optionally be followed by a error description
    # available as %m in the returned error page.
    #
    # By default, the digest authentication scheme is not used unless a
    # program is specified.
    #
    # If you want to use a digest authenticator, jump over to the
    # helpers/digest_auth/ directory and choose the authenticator to use.
    # It it's directory type
    # % make
    # % make install
    #
    # Then, set this line to something like
    #
    # auth_param digest program /usr/lib/squid/digest_auth_pw /usr/etc/digpass
    #
    #
    # "children" numberofchildren
    # The number of authenticator processes to spawn. If you start too few
    # squid will have to wait for them to process a backlog of credential
    # verifications, slowing it down. When credential verifications are
    # done via a (slow) network you are likely to need lots of
    # authenticator processes.
    # auth_param digest children 5
    #
    # "concurrency" numberofconcurrentrequests
    # The number of concurrent requests/channels the helper supports.
    # Changes the protocol used to include a channel number first on
    # the request/response line, allowing multiple requests to be sent
    # to the same helper in parallell without wating for the response.
    # Must not be set unless it's known the helper supports this.
    #
    # "realm" realmstring
    # Specifies the realm name which is to be reported to the client for the
    # digest proxy authentication scheme (part of the text the user will see
    # when prompted their username and password).
    # auth_param digest realm Squid proxy-caching web server
    #
    # "nonce_garbage_interval" timeinterval
    # Specifies the interval that nonces that have been issued to clients are
    # checked for validity.
    # auth_param digest nonce_garbage_interval 5 minutes
    #
    # "nonce_max_duration" timeinterval
    # Specifies the maximum length of time a given nonce will be valid for.
    # auth_param digest nonce_max_duration 30 minutes
    #
    # "nonce_max_count" number
    # Specifies the maximum number of times a given nonce can be used.
    # auth_param digest nonce_max_count 50
    #
    # "nonce_strictness" on|off
    # Determines if squid requires strict increment-by-1 behavior for nonce
    # counts, or just incrementing (off - for use when useragents generate
    # nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
    # auth_param digest nonce_strictness off
    #
    # "check_nonce_count" on|off
    # This directive if set to off can disable the nonce count check
    # completely to work around buggy digest qop implementations in certain
    # mainstream browser versions. Default on to check the nonce count to
    # protect from authentication replay attacks.
    # auth_param digest check_nonce_count on
    #
    # "post_workaround" on|off
    # This is a workaround to certain buggy browsers who sends an incorrect
    # request digest in POST requests when reusing the same nonce as acquired
    # earlier in response to a GET request.
    # auth_param digest post_workaround off
    #
    # === NTLM scheme options follow ===
    #
    # "program" cmdline
    # Specify the command for the external NTLM authenticator. Such a
    # program participates in the NTLMSSP exchanges between Squid and the
    # client and reads commands according to the Squid NTLMSSP helper
    # protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
    # authenticator is ntlm_auth from Samba-3.X, but a number of other
    # ntlm authenticators is available.
    #
    # By default, the ntlm authentication scheme is not used unless a
    # program is specified.
    #
    # Note:

    0 12
  • #2 28 Cze 2007 23:27
    mbo
    VIP Zasłużony dla elektroda

    Na samym początku masz rozwiązanie.

    Ustaw zmienną visible_hostname w pliku konfiguracyjnym, lub nazwę serwera w pliku hosts.

    0
  • #3 29 Cze 2007 15:25
    Dami24
    Poziom 11  

    # TAG: unique_hostname
    #Default:
    # none

    zmieniam na :

    # TAG: unique_hostname
    #Default:
    serwer


    plik hosts ma wpis :

    127.0.0.1 localhost
    192.168.0.0 serwer

    0
  • #4 29 Cze 2007 17:10
    gothye
    Poziom 33  

    masz mój squid.conf :

    Code:
    #ilosc ramu
    
    cache_mem 1500 MB
    # Maksymalny rozmiar pliku
    maximum_object_size 65536 KB
    maximum_object_size_in_memory 20 KB
    ipcache_size 10240
    ipcache_low 90
    ipcache_high 95
    cache_access_log /var/log/squid/access.log
    ###########################################################
    #tutaj podajesz siec
     acl all src 10.10.1.0/255.255.255.0
    # udostepnianie proxy dla wszystkich
    http_access allow all

    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 21 70 80 210 443 563 1025-65535
    acl purge method PURGE
    acl CONNECT method CONNECT

    ######################################################
    icp_access allow all
    miss_access allow all
    cache_mgr administrator(malpa)transfer.pl

    http_port 3128 transparent
    error_directory /usr/share/squid/errors/Polish
    visible_hostname transfer
    log_fqdn on
    log_mime_hdrs on
    ident_lookup_access allow all localhost SSL_ports Safe_ports CONNECT

    #1000 oznacza 1000mb dysku dla squida
    cache_dir ufs /var/spool/squid 3000 16 256
    #na jakim poziomie zapełnienia ma pracować cache dyskowe
    cache_swap_low  90
    cache_swap_high 95
    #dla archaicznych internet exploderów
    ie_refresh on

    vary_ignore_expire on
    relaxed_header_parser on

    0
  • #5 30 Cze 2007 00:20
    Dami24
    Poziom 11  

    Ok zmieniłem tylko linię
    acl localhost src 127.0.0.1/255.255.255.255

    na

    acl localhost src 127.0.0.1/255.255.255.0

    oraz w lini adres sieci na 192.168.0.0 i squid ruszył.Teraz jak mam uruchomić sarg jest zaistalowany a plik sarg.conf znajduje się w katalogu squida chyba tam ma być skoro sam tam sie zainstalował :) żeby zobaczyć sarg w przeglądarce należy wpisać http://192.168.0.1/sarg? bo tak daję to nic nie mam.I jeszcze jedno pytanko jak przepuścić wszystko przez tego squida plik firewall wygląda u mnie następująco :

    echo 1 > /proc/sys/net/ipv4/ip_forward

    ###Wyczysc tablice
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat
    iptables -F -t filter
    iptables -X -t filter

    ###Ustaw domyslna polityke dzialan
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    ###Zezwol na polaczenia ssh
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    ###Zezwol na polaczenia http,https,telnet eggdropa(5555),ftp,ping
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5555 -j ACCEPT
    iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -p tcp --dport 17335 -j ACCEPT
    iptables -A INPUT -p tcp --dport 17533 -j ACCEPT
    iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1205 -j ACCEPT
    iptables -A INPUT -p tcp --dport 113 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5000 -j ACCEPT
    iptables -A INPUT -p tcp --dport 37127 -j ACCEPT


    ###Programy p2p
    iptables -t nat -I PREROUTING -p tcp --dport 58026 -j DNAT --to 192.168.0.2:58026
    iptables -t nat -I PREROUTING -p udp --dport 42131 -j DNAT --to 192.168.0.2:42131



    ###Zezwalaj na polaczenia nawiazane przez serwer
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

    ###Zezwalaj na wlasna petle
    iptables -A INPUT -i lo -j ACCEPT

    ###Udostepnianie polaczenia internetowego
    iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
    iptables -A FORWARD -s 0/0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
    iptables -A input -s 192.168.0.0/24 -d 0.0.0.0/0 80 -p TCP -j REDIRECT 8080
    #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    0
  • #6 30 Cze 2007 11:35
    franyo_z
    Poziom 19  

    Witam.
    Co to za regułka iptables (przedostatnia):
    iptables -A input -s 192.168.0.0/24 -d 0.0.0.0/0 80 -p TCP -j REDIRECT 8080 ? Chyba ma kilka błędów w składni.
    Przekierowanie na squida ma postać ogólną:
    iptables -t nat -A PREROUTING -i (interfejs) -s (ip) -p tcp --dport 80 -j REDIRECT --to-port (port_squida)
    gdzie:
    (interfejs) - interfejs sieciowy, z którego ruch chcesz puścić przez squida, np. eth0
    (ip) - pula adresów maszyn z sieci, których ruch pójdzie przez squida, sieć podpięta do (interfejs), format, np. 192.168.1.0/24
    (port_squida) - port, na którym nasłuchuje squid
    pzdr.
    PS. Musisz dopuścić też do serwera ruch na port squida:
    iptables -A INPUT -i (interfejs) -s (ip) -p tcp --dport (port_squida) -j ACCEPT

    I zazwól jeszcze na ruch wychodzący na lo:
    iptables -A OUTPUT -o lo -j ACCEPT

    0
  • #7 30 Cze 2007 20:30
    Dami24
    Poziom 11  

    Ok już poprawiłem dane możesz jeszcze zerknąć na firwalla i poprawić go ew. nie potrzebne rzeczy wywalić a potrzebne zostawić.Chcę to jeszcze podpiąć pod LMS-a może wiesz jak to zrobić?

    0
  • #8 01 Lip 2007 10:35
    franyo_z
    Poziom 19  

    Witam.
    Nie uruchamiałem LMS-a, działam na statystykach własnej 'produkcji'. Squid już keszuje wywołania www z sieci?
    Co do regułek - masz dopuszczoną komunikacje na wielu różnych portach serwera - używasz ich wszystkich? Chodzi mi o zestaw regułek z INPUT. Masz dynamiczny IP zewnętrzny czy stały?

    0
  • #9 01 Lip 2007 11:21
    Dami24
    Poziom 11  

    Witam,nie wszystkie już poprawiłem na tak :
    echo 1 > /proc/sys/net/ipv4/ip_forward



    ###Wyczysc tablice
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat
    #iptables -F -t filter
    #iptables -X -t filter

    ###Udostepnianie polaczenia internetowego
    iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT
    iptables -A FORWARD -s 0/0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE


    ###Zezwalaj na polaczenia nawiazane przez serwer
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED



    #Squid

    iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 3128 -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    ###Zezwol na polaczenia http,https,telnet eggdropa(5555),ftp,ping

    iptables -A INPUT -p tcp --dport 17335 -j ACCEPT
    iptables -A INPUT -p tcp --dport 17533 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1205 -j ACCEPT
    teraz próbuję ustawić blokowanie klientów czyli dany ip w sieci czytam i próbuję ale coś się miesza

    0
  • Pomocny post
    #10 01 Lip 2007 11:29
    franyo_z
    Poziom 19  

    Witam.
    Po wyczyszczeniu tablic, ustaw jeszcze domyślne polityki:

    ###Ustaw domyslna polityke dzialan
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    Próbujesz blokować klientów po IP? To będzie tak:
    iptables -t nat -A PREROUTING -i (interfejs) -s (IP_klienta) -j DROP

    Regułkę tą wstawiasz przed (!) regułkami squida.

    pzdr.

    PS.
    Trochę pewniejsze jest blokowanie klientów po adresach MAC:
    iptables -t nat -A PREROUTING -i (interfejs) -m mac --mac-source (MAC_klienta) -j DROP

    0
  • #11 01 Lip 2007 12:18
    Dami24
    Poziom 11  

    czyli mam rozumieć że mogę utworzyć osobną regółkę skrypt wykonywalny do blokowania np.
    iptables -t nat -A PREROUTING -i eth1 -m mac --mac-source 00:16:cf:5c:64:06 -j DROP

    Dodano po 29 [minuty]:

    Jak wchodzę do webmina i daję statystyki sarg mam odpowiedz taka:
    Now generating Sarg report from Squid log file /var/log/squid/access.log and all rotated versions ..

    sarg -l /var/log/squid/access.log.1
    SARG: (html11) Nie można otworzyć pliku: /var/www/squid-reports/30Jun2007-01Jul2007/users

    .. Sarg failed! See the output above for details.

    0
  • #12 01 Lip 2007 15:13
    franyo_z
    Poziom 19  

    Witam.
    Sprawdź, czy masz katalog : /var/www/squid-reports i jego prawa dostępu dla usera,na którym chodzi serwer www.
    Możesz utworzyć osobny skrypt do blokowania po mac-ach, tylko daj w nim -I PREROUTING zamiast -A PREROUTING, spowoduje to dopisanie reguł na początku (-I) a nie na końcu (-A) łańcuchów iptables.
    pzdr.

    0
  • #13 01 Lip 2007 18:57
    Dami24
    Poziom 11  

    Sprawdziłem i katalog squid-reports występuje w /var/www/ i ma prawa 777 wiec powinno być ok ale dalej coś nie tak :(

    0