> -----Original Message-----
> From: Maxx Christopher Lobo [mailto:maxx@xxxxxxxxxxxxx]
> Sent: Tuesday, February 08, 2005 5:21 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: [squid-users] Port based ACLs for Squid setup with upstream
> proxying to Surfingate's Finjan-
>
>
> Hi:
>
> I've included relevant parts of the conf file at the end of this email,
> but first the human-readable version...
>
> A quick description of the situation:
> -------------------------------------
> I have a working Squid-2.5.Stable5-4.fc2.2 installation under Linux,
> using transparent proxying in conjunction with Cisco's WCCP. The Squid
> box uses Surfingate's FinJAN (an active content filtering/scanning
> proxy) as its upstream proxy.
> In other words, http requests leave the user's PC, are intercepted
> through WCCP, passed to squid, and squid passes them to FinJAN. For
> various reasons, I can't alter this chain.
> The corporate firewall blocks all outgoing traffic that does not pass
> through a proxy. Users cannot connect to FinJAN directly - all proxying
> is done through Squid. FinJAN only handles HTTP and FTP.
> I have an ACL for a group of IP addresses (a few servers, some admin
> workstations) that bypass this chain, and do NOT use FinJAN. Squid
> handles all proxying for these specific IPs.
>
> A quick description of the problem:
> -----------------------------------
> Windows Media Player and Yahoo's LaunchCast (the latter essentially
> uses the former) are 'broken' for the native radio streams that use
> MMS or RTSP (TCP/UDP 1755 and 554) - because the traffic is passed to
> Squid, which in turn passes it to FinJAN - and FinJAN does not know how
> to handle this traffic, since it wasn't designed to do this.
>
> I'd like to point out here that 'true' HTTP based audio streams (like
> the ones that use port 80) are unaffected by this situation, and work
> fine with this chain of proxies.
>
> What I would like to know/do:
> -----------------------------
> Is it possible to use the cache_peer directive to pass all port 80/443
> traffic to FinJAN, and process all other 'Safe_Ports' traffic locally
> through Squid?

Simple enough. See below.

> Currently I have the ability to do this with ACLs that define a group of
> PCs (by IP address). I don't know how to do this using port numbers. Is
> this even possible?
>
> An alternative solution would be for me to run two squid processes on
> the same box, one which handles port 80/443 traffic, and the other which
> handles all other safe ports. This will very likely solve my problem,
> but before I go that messy route, I want to make sure that a simple ACL
> isn't the real solution.
>
> The relevant squid.conf:
> ------------------------
> #
> # Begin squid.conf
> #
> acl Safe_ports port 20 21 70 80 210 443 563 800 1025-65535
> acl CONNECT method CONNECT GET POST PROPFIND HEAD
> #
> acl dns-Local dstdomain .xyz.com
> acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
> acl all src 0.0.0.0/0.0.0.0

acl streaming port 554 1755

> #
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT
> http_access deny all
> #
> cache_peer finjan.xyz.com parent 5150 0 no-query default

always_direct allow streaming

> always_direct allow dns-Local
> always_direct allow IT_PCS
> never_direct allow all
> #
> # End squid.conf
> #
>
> If this is possible, I'd be grateful for an example. Thanks-
>
> --Maxx Lobo

Tada! At least in theory... :o)

If you want to limit responses on these ports to only allow streaming
music, look into the http_reply_access/rep_mime_type acl combination.

Chris
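The fragment below pulls Chris's two added lines together with the reply-side check he points at, as an added example for readers of the thread rather than anything Chris or Maxx posted. Two things in it are not from the thread and should be treated as assumptions: the rep_mime_type patterns (streaming servers vary in what Content-Type they return, so check the actual replies in access.log before trusting them), and the addition of 554 to Safe_ports. The latter is worth a look in any case: Maxx's Safe_ports list (20 21 70 80 210 443 563 800 1025-65535) does cover 1755 via the 1025-65535 range but not 554, so `http_access deny !Safe_ports` would reject RTSP requests before always_direct is ever consulted.

```conf
#
# Added example: port-based bypass of the FinJAN parent for streaming.
# Not the thread's own config; assumptions are marked below.
#

# 554 added so RTSP requests survive the Safe_ports check (assumption: you
# actually want RTSP through Squid; otherwise leave the list as it was).
acl Safe_ports port 20 21 70 80 210 443 554 563 800 1025-65535

# Ports Squid should handle itself instead of handing to the parent.
acl streaming port 554 1755

# Reply types we expect on those ports (assumed patterns; verify against
# real replies). -i makes the match case-insensitive.
acl streaming_reply rep_mime_type -i ^audio/ ^video/

# Parent content filter, used for everything that is not sent direct.
cache_peer finjan.xyz.com parent 5150 0 no-query default

# always_direct is evaluated before never_direct, so a match here wins
# over the catch-all "never_direct allow all" further down.
always_direct allow streaming
always_direct allow dns-Local
always_direct allow IT_PCS
never_direct allow all

# Chris's suggestion: on the streaming ports, accept only replies whose
# MIME type looks like a stream; everything else on those ports is dropped.
http_reply_access deny streaming !streaming_reply
http_reply_access allow all
```

The `port` ACL type matches the destination port of the request URL, so this only affects requests that the client actually sends to Squid with an explicit 554 or 1755 in the URL; it says nothing about raw MMS/RTSP connections that never reach the proxy, which is the "at least in theory" caveat. The http_reply_access pair is a sanity check rather than a filter substitute: it keeps the bypass from turning into a general-purpose hole for any HTTP traffic that happens to be sent on those two ports.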