Category: LINUX
2005-12-27 16:19:02
Reference article: Using MSN through an HTTP proxy gives error code 80070193 and MSN cannot connect; only TCP connections through NAT get through.
squid.conf:
http_port 192.168.0.1:3128
icp_port 3130
udp_outgoing_address 255.255.255.255
hierarchy_stoplist cgi-bin ?
# the '?' must be escaped: unescaped it is a regex quantifier, not a literal
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir ufs /usr/local/squid/var/cache1 4000 16 256
cache_dir ufs /usr/local/squid/var/cache2 4000 16 256
emulate_httpd_log off
pid_filename /usr/local/squid/var/logs/squid.pid
client_netmask 255.255.255.255
dns_nameservers 202.96.134.133 202.96.128.166
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl inside src 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl deny_MAC arp 00:0C:6E:B6:80:21 2C:BA:2C:90:2B:F1 00:0D:56:31:D0:DE
acl work_time time MTWHFA 7:30-17:30
# escape the dots: an unescaped '.' matches any character (so 'xmp3' would match too)
acl mmxfile urlpath_regex -i \.mp3$ \.avi$ \.wma$ \.rm$ \.exe$ \.com$
acl reject_sex url_regex -i "/etc/squid/denysite"
acl msnmessenger req_mime_type ^application/x-msn-messenger$
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny deny_MAC
http_access deny mmxfile work_time
http_access deny reject_sex
http_access allow msnmessenger
http_access allow inside
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user nobody
cache_effective_group nobody
visible_hostname ADSLserver
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cachemgr_passwd secret shutdown
Finding 1:
I found a problem.
http_access allow inside
If this line is placed before the deny manager line (that is, before all the deny lines), MSN works, but my other settings stop taking effect (such as blocking downloads of MP3, .EXE and so on).
http_access allow msnmessenger
Where this line is placed makes little difference.
Finding 2:
I looked at the log. These are the failed MSN connections:
[root@ADSLserver logs]# tail -100 access.log|grep "192.168.0.60"
1135391402.492 2 192.168.0.60 TCP_DENIED/403 1519 POST - NONE/- text/html
1135391410.288 83 192.168.0.60 TCP_DENIED/403 1519 POST - NONE/- text/html
And these are successful ones:
1135389942.343 1 192.168.0.60 TCP_DENIED/403 1519 POST - NONE/- text/html
1135389999.963 738 192.168.0.60 TCP_MISS/200 409 POST - DIRECT/65.54.239.21 application/x-msn-messenger
1135390000.866 903 192.168.0.60 TCP_MISS/000 0 POST - NONE/- -
1135390015.699 2109 192.168.0.60 TCP_MISS/200 418 POST - DIRECT/65.54.239.21 application/x-msn-messenger
1135390020.001 4302 192.168.0.60 TCP_MISS/200 572 POST - DIRECT/207.46.1.2 application/x-msn-messenger
Solution 1.
Nobody replied to me, but I solved it anyway. Add one more ACL:
acl msn-a dstdomain gateway.messenger.hotmail.com
http_access allow msn-a inside
With the ACL above added, my MSN works. Great.
Thinking it over: using application/x-msn-messenger should not be wrong either; something in my setup must be restricting it. Also, req_mime_type seems to apply only after the client has already connected to a page of the restricted type, and I could not even open the MSN site, so......
Solution 2.
Experiment proved my idea was right.
Add
http_access deny msnmessenger work_time
before http_access allow inside.
Result: during working hours nobody can use MSN anymore.
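To make the first-match ordering behind Finding 1 and Solutions 1 and 2 concrete, here is a small Python model of Squid's http_access evaluation over this post's ACLs. It is an added example, not Squid's code or the post's; the request fields, the sample requests and the placement of the Solution 2 deny line ahead of both allow lines are assumptions.

```python
import ipaddress
import re

# Simplified model of Squid's http_access evaluation (added example, not Squid's
# code): lines are checked in squid.conf order, a line matches only when every
# ACL on it matches ('!' negates one ACL), and the first matching line decides.
# If no line matches, Squid applies the opposite of the last line's action.
INSIDE = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]
SAFE = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}
MMX_RE = re.compile(r"\.(mp3|avi|wma|rm|exe|com)$", re.I)

ACLS = {  # the post's ACLs as predicates over a request dict (fields assumed)
    "all": lambda r: True,
    "inside": lambda r: any(ipaddress.ip_address(r["src"]) in n for n in INSIDE),
    "Safe_ports": lambda r: r["port"] in SAFE or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in {443, 563},
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "work_time": lambda r: r["day"] in "MTWHFA" and "07:30" <= r["time"] <= "17:30",
    "mmxfile": lambda r: MMX_RE.search(r["path"]) is not None,
    "msnmessenger": lambda r: r.get("req_mime") == "application/x-msn-messenger",
    "msn-a": lambda r: r["host"] == "gateway.messenger.hotmail.com",
}

def http_access(rules, req):
    """Return 'allow' or 'deny' for req under http_access lines given in order."""
    action = "deny"
    for line in rules:
        action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if action == "allow" else "allow"

# Orderings from the post (manager lines omitted: they never match here).
ORIGINAL = ["deny !Safe_ports", "deny CONNECT !SSL_ports", "deny mmxfile work_time",
            "allow msnmessenger", "allow inside", "deny all"]
FINDING_1 = ["allow inside"] + ORIGINAL  # allow inside moved above every deny
FINAL = ORIGINAL[:3] + ["deny msnmessenger work_time",  # Solution 2, before allow inside
                        "allow msn-a inside",           # Solution 1
                        "allow inside", "deny all"]

def request(**kw):  # constructed sample request: Monday 10:00 from the LAN
    base = {"src": "192.168.1.20", "host": "example.com", "port": 80,
            "method": "GET", "path": "/", "day": "M", "time": "10:00"}
    return {**base, **kw}

MP3 = request(path="/song.mp3")
SMTP_TUNNEL = request(method="CONNECT", port=25)
MSN = request(host="gateway.messenger.hotmail.com", method="POST",
              req_mime="application/x-msn-messenger")
```

With allow inside moved to the top (FINDING_1), both the MP3 download and a CONNECT to a non-SSL port are allowed, which is exactly why the other restrictions stopped working; the FINAL ordering denies MSN during work_time and allows it through msn-a afterwards.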