Well between sending this message and now I have found a solution although I
dont really like it.
I have the following
acl local_domain dstdomain .kids .health.nsw.gov.au
always_direct allow local_domain
acl transparent dstdomain chw.edu.au
never_direct allow transparent
acl Problem_sites_nonstd dstdomain .harvard.edu
never_direct allow problem_sites_nonstd
acl chw proxy_auth REQUIRED
http_access allow local-domain
http_access allow transparent
http_access allow chw
http_access allow problem_sites_nonstd
The problem_sites_nonstd is what I needed to do for these sites that require
some form of authentication after you reach them, if they are not using port
80. I cant explain this because if you go to the site on port 8080 it gets
there fine and you can go wherever you like using <>80 until you go
somewhere that requires authentication (non SSL). I put it after the chw
access control so that you still need to authenticate prior to using that
site.
I am still confused about the authentication though, I would like to define
chw as say network 10.x and use authentication for that network but deny any
other network. It seems to me that you cant define a network to use
authentication. to get chw to authenticate I used acl chw proxy_auth
REQUIRED but then users on my external networks (non 10.x) can authenticate
if they have a username and password. The Acl's are a little confusing on
ways to do this. I can stop them if I use network ACL such as acl chw src
10.x.x.x/255.0.0.0 but I cant do this with authentication.
Barry
-----Original Message-----
From: Colin Campbell [mailto:sgcccdc@citec.qld.gov.au]
Sent: Tuesday, 18 September 2001 14:47
To: Barry Darnton
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Squid + Firewall + non std ports
Hi,
What do you have in the "never_direct" department. I have a squid running
behind a firewall and can't say I've ever experienced your problem.
Here's a sanitised version of my config in this area:
acl internals dstdomain .my.domain
acl localservers dst vvv.www.xxx.0/24
always_direct allow internals
always_direct allow localservers
never_direct allow all
This makes my squid hit hosts in my.domain and those on LAN
vvv.www.xxx.0/24 without going to the firewall. Everything else must never
go direct.
Colin
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you are not the intended recipient, please
delete it and notify the sender.
Views expressed in this message and any attachments are those
of the individual sender, and are not necessarily the views of the
Childrens Hospital at Westmead
This footnote also confirms that this email message has been
virus scanned and although no computer viruses were detected,
the Childrens Hospital at Westmead accepts no liability for any
consequential damage resulting from email containing computer
viruses.
**********************************************************************
Received on Mon Sep 17 2001 - 23:48:43 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:14 MST