Chris: Thanks for the suggestion - I added the port based ACL to the always_direct list, and my new squid.conf is included below.

I've tested the veracity of the port based ACL using an FTP client - where previously the FTP connection would be shunted to FinJAN, now squid passes it through itself - which is exactly what I was hoping for.

And unfortunately that isn't the end of the problem. Windows Media Player streams (non-port 80) are still having the same issue as before - the stream is able to connect, and it says 'playing', but no audio actually plays. (I've obviously eliminated the basic issues like the sound card not working and so on ;-)) When the IP based ACL is used, this problem disappears, and the PC is able to play the stream without a problem.

Is there something else I'm missing?

## Begin squid.conf
#
acl Web_ports port 80
acl SSL_ports port 443 563
acl Media_ports port 554 1755
acl Safe_ports port 20 21 70 210 1025-65535
acl CONNECT method CONNECT GET POST PROPFIND HEAD
#
acl dns-Local dstdomain .xyz.com
acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
acl all src 0.0.0.0/0.0.0.0
#
http_access allow localhost
http_access allow Web_ports
http_access allow SSL_ports
http_access allow Media_ports
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
#
cache_peer finjan.xyz.com parent 5150 0 no-query default
always_direct allow dns-Local
always_direct allow IT_PCS
always_direct allow SSL_ports
always_direct allow Media_ports
always_direct allow Safe_ports
never_direct allow all
#
## End squid.conf

---Maxx

On Wed, 2005-02-09 at 10:36, Chris Robertson wrote:
> > Hi:
> >
> > I've included relevant parts of the conf file at the end of this email,
> > but first the human-readable version...
> >
> > A quick description of the situation:
> > -------------------------------------
> > I have a working Squid-2.5.Stable5-4.fc2.2 installation under Linux,
> > using transparent proxying in conjunction with Cisco's WCCP. The Squid
> > box uses Surfingate's FinJAN (an active content filtering/scanning
> > proxy) as its upstream proxy.
> > In other words, http requests leave the user's PC, are intercepted
> > through WCCP, passed to squid, and squid passes them to FinJAN. For
> > various reasons, I can't alter this chain.
> > The corporate firewall blocks all outgoing traffic that does not pass
> > through a proxy. Users cannot connect to FinJAN directly - all proxying
> > is done through Squid. FinJAN only handles HTTP and FTP.
> > I have an ACL for a group of IP addresses (a few servers, some admin
> > workstations) that bypass this chain, and do NOT use FinJAN. Squid
> > handles all proxying for these specific IPs.
> >
> > A quick description of the problem:
> > -----------------------------------
> > Windows Media Player and Yahoo's LaunchCast (the latter
> > essentially uses the former) are 'broken' for the native radio streams
> > that use MMS or RTSP (TCP/UDP 1755 and 554) - because the traffic is
> > passed to Squid, which in turn passes it to FinJAN - and FinJAN does not
> > know how to handle this traffic, since it wasn't designed to do this.
> >
> > I'd like to point out here that 'true' HTTP based audio streams (like
> > the ones that use port 80) are unaffected by this situation, and work
> > fine with this chain of proxies.
> >
> > What I would like to know/do:
> > -----------------------------
> > Is it possible to use the cache_peer directive to pass all port 80/443
> > traffic to FinJAN, and process all other 'Safe_Ports' traffic locally
> > through Squid?
>
> Simple enough. See below.
>
> > Currently I have the ability to do this with ACLs that define a group of
> > PCs (by IP address). I don't know how to do this using port numbers. Is
> > this even possible?
> >
> > An alternative solution would be for me to run two squid processes on
> > the same box, one which handles port 80/443 traffic, and the other which
> > handles all other safe ports. This will very likely solve my problem,
> > but before I go that messy route, I want to make sure that a simple ACL
> > isn't the real solution.
> >
> > The relevant squid.conf:
> > ------------------------
> > #
> > # Begin squid.conf
> > #
> > acl Safe_ports port 20 21 70 80 210 443 563 800 1025-65535
> > acl CONNECT method CONNECT GET POST PROPFIND HEAD
> > #
> > acl dns-Local dstdomain .xyz.com
> > acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
> > acl all src 0.0.0.0/0.0.0.0
>
> acl streaming port 554 1755
>
> > #
> > http_access allow localhost
> > http_access deny !Safe_ports
> > http_access deny CONNECT
> > http_access deny all
> > #
> > cache_peer finjan.xyz.com parent 5150 0 no-query default
>
> always_direct allow streaming
>
> > always_direct allow dns-Local
> > always_direct allow IT_PCS
> > never_direct allow all
> > #
> > # End squid.conf
> > #
>
> Tada! At least in theory... :o)
>
> If you want to limit responses on these ports to only allow streaming music,
> look into the http_reply_access/rep_mime_type acl combination.
>
> Chris
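As an added illustration (not code from either poster), here is a small Python evaluator for the routing section of the reply's squid.conf: it applies Squid's first-match ordering for always_direct and never_direct and reports which destination ports a request still reaches the scanning parent on. The conf text and request values are constructed from what the thread shows.

```python
import ipaddress

# Constructed: the acl and routing lines transcribed from the reply's squid.conf
SQUID_CONF = """
acl Web_ports port 80
acl SSL_ports port 443 563
acl Media_ports port 554 1755
acl Safe_ports port 20 21 70 210 1025-65535
acl dns-Local dstdomain .xyz.com
acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
acl all src 0.0.0.0/0.0.0.0
always_direct allow dns-Local
always_direct allow IT_PCS
always_direct allow SSL_ports
always_direct allow Media_ports
always_direct allow Safe_ports
never_direct allow all
"""

def parse(conf):
    """Collect acl definitions and the always_direct/never_direct lists in file order."""
    acls, rules = {}, {"always_direct": [], "never_direct": []}
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])      # name -> (type, values)
        elif parts and parts[0] in rules:
            rules[parts[0]].append((parts[1], parts[2:]))  # (allow|deny, acl names)
    return acls, rules

def match(acl, req):
    """Evaluate one port, src or dstdomain acl against a request dict."""
    kind, values = acl
    if kind == "port":  # single ports or lo-hi ranges
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "src":   # plain addresses or addr/mask, as squid accepts
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and its subdomains
        return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v))
                   for v in values)
    raise ValueError("unsupported acl type " + kind)

def route(acls, rules, req):
    """Squid order: a matching always_direct allow forces DIRECT; otherwise a matching
    never_direct allow forces the parent peer. A leading '!' negates an acl."""
    def hits(names):
        return all(match(acls[n.lstrip("!")], req) != n.startswith("!") for n in names)
    for verb, names in rules["always_direct"]:
        if hits(names):
            if verb == "allow":
                return "DIRECT"
            break  # an explicit deny ends the list without forcing direct
    for verb, names in rules["never_direct"]:
        if hits(names):
            return "PARENT" if verb == "allow" else "EITHER"
    return "EITHER"

def scanned_ports(conf, src, host):
    """Ports on which a request from src to host is still sent to the scanning parent."""
    acls, rules = parse(conf)
    return [p for p in range(1, 65536)
            if route(acls, rules, {"src": src, "host": host, "port": p}) == "PARENT"]
```

For any client outside IT_PCS, the Safe_ports line sends the whole 1025-65535 range direct, so only the low ports that are not listed elsewhere still pass through FinJAN.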