Hi:

I've included relevant parts of the conf file at the end of this email, but first the human-readable version...

A quick description of the situation:
-------------------------------------

I have a working Squid-2.5.Stable5-4.fc2.2 installation under Linux, using transparent proxying in conjunction with Cisco's WCCP. The Squid box uses Surfingate's FinJAN (an active content filtering/scanning proxy) as its upstream proxy. In other words, http requests leave the user's PC, are intercepted through WCCP, passed to squid, and squid passes them to FinJAN. For various reasons, I can't alter this chain.

The corporate firewall blocks all outgoing traffic that does not pass through a proxy. Users cannot connect to FinJAN directly - all proxying is done through Squid. FinJAN only handles HTTP and FTP.

I have an ACL for a group of IP addresses (a few servers, some admin workstations) that bypass this chain, and do NOT use FinJAN. Squid handles all proxying for these specific IPs.

A quick description of the problem:
-----------------------------------

Windows Media Player and Yahoo's LaunchCast (the latter essentially uses the former) are 'broken' for the native radio streams that use MMS or RTSP (TCP/UDP 1755 and 554) - because the traffic is passed to Squid, which in turn passes it to FinJAN - and FinJAN does not know how to handle this traffic, since it wasn't designed to do this.

I'd like to point out here that 'true' HTTP based audio streams (like the ones that use port 80) are unaffected by this situation, and work fine with this chain of proxies.

What I would like to know/do:
-----------------------------

Is it possible to use the cache_peer directive to pass all port 80/443 traffic to FinJAN, and process all other 'Safe_Ports' traffic locally through Squid? Currently I have the ability to do this with ACLs that define a group of PCs (by IP address). I don't know how to do this using port numbers. Is this even possible?

An alternative solution would be for me to run two squid processes on the same box, one which handles port 80/443 traffic, and the other which handles all other safe ports. This will very likely solve my problem, but before I go that messy route, I want to make sure that a simple ACL isn't the real solution.

The relevant squid.conf:
------------------------

#
# Begin squid.conf
#
acl Safe_ports port 20 21 70 80 210 443 563 800 1025-65535
acl CONNECT method CONNECT GET POST PROPFIND HEAD
#
acl dns-Local dstdomain .xyz.com
acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
acl all src 0.0.0.0/0.0.0.0
#
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
#
cache_peer finjan.xyz.com parent 5150 0 no-query default
always_direct allow dns-Local
always_direct allow IT_PCS
never_direct allow all
#
# End squid.conf
#

If this is possible, I'd be grateful for an example.

Thanks-

--Maxx Lobo
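
Added example, not part of the original message: one way to express the port-based split asked about above in a single Squid instance, using a destination-port ACL together with always_direct and cache_peer_access. The ACL name Web_ports is an assumption introduced here; every other name comes from the posted squid.conf.

```conf
# Added example (not from the original post).
# Web_ports is a hypothetical ACL name; it matches the destination
# port of the requested URL, the same way Safe_ports does.
acl Web_ports port 80 443

# The peer definition is unchanged from the posted configuration.
cache_peer finjan.xyz.com parent 5150 0 no-query default

# Only requests to ports 80/443 may be forwarded to the FinJAN parent.
cache_peer_access finjan.xyz.com allow Web_ports
cache_peer_access finjan.xyz.com deny all

# always_direct is evaluated before never_direct, so order the
# exceptions first: the existing domain and IP exceptions, then
# every request whose destination port is not 80/443.
always_direct allow dns-Local
always_direct allow IT_PCS
always_direct allow !Web_ports

# Everything left (ports 80/443 from ordinary clients) must use the parent.
never_direct allow all

# Caveats:
# - Requests sent direct skip FinJAN content scanning entirely;
#   "http_access deny !Safe_ports" is then the only port restriction,
#   and Safe_ports as posted includes 1025-65535.
# - These lines only affect requests that reach Squid as HTTP.
#   Whether MMS/RTSP traffic is redirected to Squid at all depends on
#   the router's WCCP configuration, which these lines do not change.
```

Running `squid -k parse` checks the edited file for syntax errors before `squid -k reconfigure` applies it.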