Tuesday, March 23, 2010

sample squid configuration

Example Configurations

To help you fully understand how Squid access control works, and to give you a head start developing your own rules, the following are some ACL lines you can try. Each line is preceded with one or more comment lines (starting with a #) explaining what it does:

# include the domains news.bbc.co.uk and slashdot.org
# and not newsimg.bbc.co.uk or www.slashdot.org.
acl newssites dstdomain news.bbc.co.uk slashdot.org
# include any subdomains of bbc.co.uk or slashdot.org
acl newssites dstdomain .bbc.co.uk .slashdot.org
# only include sites located in Canada
acl canadasites dstdomain .ca
# only include working hours
acl workhours time MTWHF 9:00-18:00
# only include lunchtimes
acl lunchtimes time MTWHF 13:00-14:00
# only include weekends
acl weekends time AS 00:00-23:59
# include URLs ending in “.zip”. Note: the \ is important,
# because “.” has a special meaning otherwise
acl zipfiles url_regex -i \.zip$
# include URLs starting with https
acl httpsurls url_regex -i ^https
# include all URLs that match “hotmail”
acl hotmail url_regex -i hotmail
# include three specific IP addresses
acl directors src 10.0.0.14 10.0.0.28 10.0.0.31
# include all IPs from 192.168.0.0 to 192.168.0.255
acl internal src 192.168.0.0/24
# include all IPs from 192.168.0.0 to 192.168.0.255
# and all IPs from 10.0.0.0 to 10.255.255.255
acl internal src 192.168.0.0/24 10.0.0.0/8

When you have your ACL lines in place, you can put together appropriate http_access lines. You might want to use a multilayered access system so that certain users (for example, company directors) have full access, whereas others are filtered. For example:

http_access allow directors
http_access deny hotmail
http_access deny zipfiles
http_access allow internal lunchtimes
http_access deny all

Because Squid evaluates these lines in order and stops at the first one that matches, directors will have full, unfiltered access to the Web. If the client IP address is not in the directors list, the two deny lines are processed so that the user cannot download .zip files or read online mail at Hotmail. After blocking those two types of requests, the allow on line four allows internal users to access the Web, as long as they do so only at lunchtime. The last line (which is highly recommended) blocks all other users from the proxy.
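
An added example (not part of the original post, and not Squid's own code): a simplified Python model of how the http_access list above is evaluated, with the first matching line winning and every ACL on a line having to match. The `decide` function, the sample addresses, URLs and times, and the inclusive time bounds are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime

# ACLs from the post; several values in one ACL are ORed together.
DIRECTORS = {"10.0.0.14", "10.0.0.28", "10.0.0.31"}
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.0.0.0/8")]

def lunchtime(when):
    # time MTWHF 13:00-14:00 (bounds treated as inclusive: an assumption of this model)
    return when.weekday() < 5 and 13 * 60 <= when.hour * 60 + when.minute <= 14 * 60

ACLS = {
    "directors": lambda r: r["src"] in DIRECTORS,
    "internal": lambda r: any(ipaddress.ip_address(r["src"]) in n for n in INTERNAL),
    "hotmail": lambda r: re.search(r"hotmail", r["url"], re.I) is not None,
    "zipfiles": lambda r: re.search(r"\.zip$", r["url"], re.I) is not None,
    "lunchtimes": lambda r: lunchtime(r["when"]),
    "all": lambda r: True,
}

# http_access lines in file order; ACL names on one line are ANDed.
RULES = [
    ("allow", ["directors"]),
    ("deny", ["hotmail"]),
    ("deny", ["zipfiles"]),
    ("allow", ["internal", "lunchtimes"]),
    ("deny", ["all"]),
]

def decide(src, url, when):
    """Return (action, line number) of the first http_access line that matches."""
    req = {"src": src, "url": url, "when": when}
    for lineno, (action, names) in enumerate(RULES, 1):
        if all(ACLS[name](req) for name in names):
            return action, lineno
    raise AssertionError("unreachable: 'deny all' matches every request")

# Constructed sample requests (addresses, URLs and times are made up).
TUE_MORNING = datetime(2010, 3, 23, 10, 0)
TUE_LUNCH = datetime(2010, 3, 23, 13, 30)
SAT_LUNCH = datetime(2010, 3, 27, 13, 30)

if __name__ == "__main__":
    for src, url, when in [("10.0.0.14", "http://www.hotmail.com/", TUE_MORNING),
                           ("192.168.0.50", "http://example.com/tools.ZIP", TUE_LUNCH),
                           ("10.0.0.50", "http://example.com/", TUE_MORNING)]:
        print(src, url, "->", decide(src, url, when))
```

Because the `hotmail` pattern is unanchored, it matches anywhere in the URL, so a request such as `http://example.com/search?q=hotmail` is also denied by line 2.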

Friday, March 5, 2010

LVM + RAID

mdadm -C /dev/md0 --level=5 --raid-devices=3 /dev/hda5 /dev/hda6 /dev/hda7

mkfs -t ext3 /dev/md0
pvcreate /dev/md0
vgcreate my-lvm-raid /dev/md0

lvcreate -L 500M -n my-lvm-raid-lv0 /dev/my-lvm-raid
mkfs -t ext3 /dev/my-lvm-raid/my-lvm-raid-lv0

mount /dev/my-lvm-raid/my-lvm-raid-lv0 /mnt


NB: tested on CentOS 5.3


See: http://wiki.tldp.org/LVM-ON-RAID

Thursday, March 4, 2010

chkconfig examples

chkconfig --list mysql
chkconfig service-name --level level-no on/off
ex: chkconfig firstboot --level 345 on
ex: chkconfig firstboot off ; disables firstboot in all runlevels


NB: tested on Ubuntu 9.04