~ubuntu-branches/ubuntu/jaunty/squid3/jaunty-security

Committer: Bazaar Package Importer
Author(s): Luigi Gangitano
Date: 2008-07-21 09:20:31 UTC
mfrom: (1.1.7 upstream) (3.1.1 lenny)
Revision ID: james.westby@ubuntu.com-20080721092031-bj8vog645lw6487u

Tags: 3.0.STABLE8-1

* Urgency high to meet freeze deadline

* New upstream release

* debian/patches/10-mgr_active_requests
- Added upstream patch fixing delay_pool reporting in cachemgr.cgi

files added:
debian/patches/10-mgr_active_requests.dpatch

lib/dirent.c

lib/encrypt.c

lib/getopt.c

src/peer_sourcehash.cc

src/peer_userhash.cc

files removed:
debian/patches/03-fix_unused_results.dpatch

files modified:
CREDITS

ChangeLog

README

RELEASENOTES.html

configure

configure.in

debian/changelog

debian/control

debian/patches/00list

helpers/basic_auth/MSNT/confload.c

helpers/basic_auth/squid_radius_auth/squid_rad_auth.c

helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.c *

helpers/negotiate_auth/squid_kerb_auth/spnegohelp/spnegohelp.h *

helpers/ntlm_auth/fakeauth/fakeauth_auth.c *

include/autoconf.h.in

include/squid_mswin.h *

include/version.h

lib/Makefile.am *

lib/Makefile.in

lib/util.c

src/AccessLogEntry.h

src/ICAP/ICAPConfig.cc

src/IPInterception.cc

src/Makefile.am

src/Makefile.in

src/StoreIOBuffer.h

src/WinSvc.cc

src/access_log.cc

src/cache_cf.cc

src/cf.data.pre

src/client_side.cc

src/comm.cc

src/dns_internal.cc

src/dnsserver.cc

src/enums.h

src/errorpage.cc

src/icp_v2.cc

src/main.cc

src/neighbors.cc

src/peer_select.cc

src/pinger.cc *

src/protos.h

src/structs.h *

src/tools.cc

tools/cachemgr.cc

tools/squidclient.cc

Show diffs side-by-side

added added

removed removed

src/cf.data.pre

455

DOC_START

456

Defining an Access List

457

458

acl aclname acltype string1 ...

459

acl aclname acltype "file" ...

460

461

when using "file", the file should contain one item per line

462

463

acltype is one of the types described below

458

Every access list definition must begin with an aclname and acltype,

459

followed by either type-specific arguments or a quoted filename that

460

they are read from.

461

462

acl aclname acltype argument ...

463

acl aclname acltype "file" ...

464

465

When using "file", the file should contain one item per line.

464

466

465

467

By default, regular expressions are CASE-SENSITIVE. To make

466

468

them case-insensitive, use the -i option.

468

470

469

471

***** ACL TYPES AVAILABLE *****

470

472

471

acl aclname src ip-address/netmask ... (clients IP address)

472

acl aclname src addr1-addr2/netmask ... (range of addresses)

473

acl aclname dst ip-address/netmask ... (URL host's IP address)

474

acl aclname myip ip-address/netmask ... (local socket IP address)

473

acl aclname src ip-address/netmask ... # clients IP address

474

acl aclname src addr1-addr2/netmask ... # range of addresses

475

acl aclname dst ip-address/netmask ... # URL host's IP address

476

acl aclname myip ip-address/netmask ... # local socket IP address

475

477

476

478

acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)

477

479

# The arp ACL requires the special configure option --enable-arp-acl.

482

484

# the same subnet. If the client is on a different subnet, then Squid cannot

483

485

# find out its MAC address.

484

486

485

acl aclname srcdomain .foo.com ... # reverse lookup, from client IP

486

acl aclname dstdomain .foo.com ... # Destination server from URL

487

acl aclname srcdom_regex [-i] xxx ... # regex matching client name

488

acl aclname dstdom_regex [-i] xxx ... # regex matching server

487

acl aclname srcdomain .foo.com ... # reverse lookup, from client IP

488

acl aclname dstdomain .foo.com ... # Destination server from URL

489

acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name

490

acl aclname dstdom_regex [-i] \.foo\.com ... # regex matching server

489

491

# For dstdomain and dstdom_regex a reverse lookup is tried if a IP

490

492

# based URL is used and no match is found. The name "none" is used

491

493

# if the reverse lookup fails.

492

494

493

acl aclname src_as number ...

494

acl aclname dst_as number ...

495

acl aclname src_as number ...

496

acl aclname dst_as number ...

495

497

# Except for access control, AS numbers can be used for

496

498

# routing of requests to specific caches. Here's an

497

499

# example for routing all requests for AS#1241 and only

500

502

# cache_peer_access mycache.mydomain.net allow asexample

501

503

# cache_peer_access mycache_mydomain.net deny all

502

504

503

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

504

day-abbrevs:

505

S - Sunday

506

M - Monday

507

T - Tuesday

508

W - Wednesday

509

H - Thursday

510

F - Friday

511

A - Saturday

512

h1:m1 must be less than h2:m2

505

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

506

# day-abbrevs:

507

# S - Sunday

508

# M - Monday

509

# T - Tuesday

510

# W - Wednesday

511

# H - Thursday

512

# F - Friday

513

# A - Saturday

514

# h1:m1 must be less than h2:m2

513

515

514

acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL

516

acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL

515

517

acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path

516

518

517

acl aclname port 80 70 21 ...

518

acl aclname port 0-1024 ... # ranges allowed

519

acl aclname myport 3128 ... # (local socket TCP port)

519

acl aclname port 80 70 21 ...

520

acl aclname port 0-1024 ... # ranges allowed

521

acl aclname myport 3128 ... # (local socket TCP port)

520

522

acl aclname myportname 3128 ... # http(s)_port name

521

523

522

acl aclname proto HTTP FTP ...

524

acl aclname proto HTTP FTP ...

523

525

524

acl aclname method GET POST ...

526

acl aclname method GET POST ...

525

527

526

528

acl aclname http_status 200 301 500- 400-403 ... # status code in reply

527

529

528

acl aclname browser [-i] regexp ...

530

acl aclname browser [-i] regexp ...

529

531

# pattern match on User-Agent header (see also req_header below)

530

532

531

acl aclname referer_regex [-i] regexp ...

533

acl aclname referer_regex [-i] regexp ...

532

534

# pattern match on Referer header

533

535

# Referer is highly unreliable, so use with care

534

536

535

acl aclname ident username ...

537

acl aclname ident username ...

536

538

acl aclname ident_regex [-i] pattern ...

537

539

# string match on ident output.

538

540

# use REQUIRED to accept any non-null ident.

577

579

# clients may appear to come from multiple addresses if they are

578

580

# going through proxy farms, so a limit of 1 may cause user problems.

579

581

580

acl aclname req_mime_type [-i] mime-type1 ...

582

acl aclname req_mime_type [-i] mime-type ...

581

583

# regex match against the mime type of the request generated

582

584

# by the client. Can be used to detect file upload or some

583

585

# types HTTP tunneling requests.

589

591

# thought of as a superset of "browser", "referer" and "mime-type"

590

592

# ACLs.

591

593

592

acl aclname rep_mime_type [-i] mime-type1 ...

594

acl aclname rep_mime_type [-i] mime-type ...

593

595

# regex match against the mime type of the reply received by

594

596

# squid. Can be used to detect file download or some

595

597

# types HTTP tunneling requests.

602

604

# thought of as a superset of "browser", "referer" and "mime-type"

603

605

# ACLs.

604

606

605

acl acl_name external class_name [arguments...]

607

acl aclname external class_name [arguments...]

606

608

# external ACL lookup via a helper class defined by the

607

609

# external_acl_type directive.

608

610

1309

1311

round-robin

1310

1312

weighted-round-robin

1311

1313

carp

1314

userhash

1315

sourcehash

1312

1316

multicast-responder

1313

1317

closest-only

1314

1318

no-digest

1383

1387

distributed among the parents based on the CARP load

1384

1388

balancing hash function based on their weight.

1385

1389

1390

use 'userhash' to load-balance amongst a set of parents

1391

based on the client proxy_auth or ident username.

1392

1393

use 'sourcehash' to load-balance amongst a set of parents

1394

based on the client source ip.

1395

1386

1396

'multicast-responder' indicates the named peer

1387

1397

is a member of a multicast group. ICP queries will

1388

1398

not be sent directly to the peer, but ICP replies

2006

2016

et Tag returned by external acl

2007

2017

ea Log string returned by external acl

2008

2018

<st Reply size including HTTP headers

2019

>st Request size including HTTP headers

2020

st Request+Reply size including HTTP headers

2009

2021

<sH Reply high offset sent

2010

2022

<sS Upstream object size

2011

2023

% a literal % character

4579

4591

requests, except those in your local domain use something like:

4580

4592

4581

4593

acl local-servers dstdomain .foo.net

4582

acl all src 0.0.0.0/0.0.0.0

4583

4594

never_direct deny local-servers

4584

4595

never_direct allow all

4585

4596

5229

5240

offline_toggle *

5230

5241

pconn

5231

5242

peer_select

5243

reconfigure *

5232

5244

redirector

5233

5245

refresh

5234

5246

server_list

5473

5485

rounded to 1000.

5474

5486

DOC_END

5475

5487

5488

NAME: windows_ipaddrchangemonitor

5489

COMMENT: on|off

5490

TYPE: onoff

5491

DEFAULT: on

5492

LOC: Config.onoff.WIN32_IpAddrChangeMonitor

5493

DOC_START

5494

On Windows Squid by default will monitor IP address changes and will

5495

reconfigure itself after any detected event. This is very useful for

5496

proxies connected to internet with dial-up interfaces.

5497

In some cases (a Proxy server acting as VPN gateway is one) it could be

5498

desiderable to disable this behaviour setting this to 'off'.

5499

Note: after changing this, Squid service must be restarted.

5500

DOC_END

5501

5476

5502

EOF

Older »