On 7/12/2012 1:21 AM, Crawford, Ben wrote:
> As requested, a more detailed squid.conf:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl localnet src 10.161.128.0/20
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> cache_peer 10.55.240.250 parent 3128 3130 no-query default login=PASS
> http_access allow manager localhost
> http_access allow localnet
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> http_port 10.161.128.11:3128 intercept
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
>
> Ben
well the answer is you other mail + the squid.conf
"Without the cache_peer I can not get to any sties at all. All
internet (well, http and https) traffic on our network must go through
the parent proxy, either directly or through a local child proxy."
the proxy tries to connect the direct upstream server to get access
because you dont have an explicit "never_direct allow all" acl defined.
so post and other requests that requires direct access will then tried
to be served by accessing the origin server.
you must be explicit with cache_peer acl.
replace:
##
cache_peer 10.55.240.250 parent 3128 3130 no-query default login=PASS
##
with
##
cache_peer 10.55.240.250 parent 3128 3130 no-query default login=PASS
name=upstream
cache_peer_access upstream allow all
never_direct allow all
##
this will allow and will force all traffic through the upstream proxy
server.
Good luck,
Eliezer
<SNIP>
-- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations eliezer <at> ngtech.co.ilReceived on Wed Jul 11 2012 - 23:57:17 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 12 2012 - 12:00:02 MDT