Re: [squid-users] Adding WAN IP address to SQUID.CONF so users can run .net program

From: <MargaretGillon_at_chromalloy.com>
Date: Tue, 13 Sep 2011 08:47:51 -0700

> The best way is probably to use a type of reverse-proxy config for it.
> Place the above your to_localhost http_access rule after the CONNECT
> rule:
>
> cache_peer 192.168.3.42 parent 8888 0 originserver no-query
> name=services
> acl localServices dstdomain .services.chromalloy.local
> cache_peer_access services allow localServices
> cache_peer_access services deny all
> http_access allow localnet localServices
> Amos

Hi Amos, et al,

I tried your suggestion and then restarted the squid but I still get this
response.

1315927576.218 7 192.168.100.19 TCP_DENIED/403 2419 GET
http://192.168.3.42/ - NONE/- text/html
1315927579.953 0 192.168.100.19 TCP_DENIED/403 2466 GET
http://192.168.3.42/ - NONE/- text/html

Here is my revised squid.conf

#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.100.0/24 192.168.101.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

#2011-09-13 from squid-cache maillist, Amos Jeffries
cache_peer 192.168.3.42 parent 8888 0 originserver no-query name=services
acl localServices dstdomain .services.chromalloy.local
cache_peer_access services allow localServices
cache_peer_access services deny all
http_access allow localnet localServices

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

http_access deny to_localhost
icp_access deny all
htcp_access deny all

http_port 3128
access_log /var/log/squid3/access.log squid

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

acl whitelist dstdomain "/etc/squid3/whitelist.txt"

# Allow localnet machines to whitelisted sites
http_access allow localnet whitelist

# block all other access
http_access deny all

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
*** ***
Margaret Gillon

"This e-mail message and any attachment(s) are for the sole use of the
intended recipient(s) and may contain company proprietary, privileged or
confidential information. If you are not the intended recipient(s), please
contact the sender by reply e-mail, advise them of the error and destroy
this message and its attachments as well as any copies. The review, use or
distribution of this message or its content by anyone other than the
intended recipient or senior management of the company is strictly
prohibited."
Received on Tue Sep 13 2011 - 15:48:06 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 14 2011 - 12:00:02 MDT