> > We are using squid in conjunction with trend micro's IWSS. > > The documentation outlines how to do this, clients contact IWSS and > IWSS uses squid as an upstream proxy server. For reporting reasons, > We want to do it the other way around, IWSS are to general for us, > Authentication is done vie NTLM. > > IWSS is running on 8080 and squid on 3128, same box. > IWSS is not an ICP proxy and thus the squid doco led me to > the following > Cach_peer statement: > cache_peer 127.0.0.1 parent 8080 7 no-query default > > Without the no-query and default statements I end up with > TIMEOUT_DIRECT > warnings. > > Now all this works ok, except when IWSS detects a virus, in > which case, > squid > Ignore the 403 returned and goes direct instead of displaying > the error > message > > 1108522791.283 59 172.16.8.59 TCP_MISS/200 886 GET > http://www.trendmicro.com/global/en/images/topnav/tn-partners-over.gif > aclark DEFAULT_PARENT/127.0.0.1 image/gif > 1108522791.287 57 172.16.8.59 TCP_MISS/200 754 GET > http://www.trendmicro.com/global/en/images/topnav/tn-about-over.gif > aclark DEFAULT_PARENT/127.0.0.1 image/gif > 1108522825.301 141 172.16.8.59 TCP_MISS/200 391 GET > http://www.trendmicro.com/ftp/products/eicar-file/eicar.com aclark > DIRECT/61.9.129.152 application/octet-stream > > I know it is getting a 403 from the IWSS as a packet trace has this in > its data segment: > > HTTP/1.1 403 OK > Connection: close > Content-Type: text/html; charset=UTF-8 > Cache-Control: no-cache > Date: Wed, 16 Feb 2005 01:49:15 GMT > <html><head><title>IWSS Security Event</title></head> > <body><script> if( typeof( window.innerWidth ) == 'number' ) {if > (window.innerWidth < 10 || window.innerHeight < 10) > {self.resizeTo(700,600);}}else if (document.body && > (document.body.clientWidth < 10 || document.body.clientHeight < 10)) > {self.resizeTo(700, 600);}</script><h1><h1>IWSS Security Event > (pthalo.ngv.vic.gov.au)</h1></h1> > Access to this URL is currently restricted due to a blocking > rule.<BR><BR>URL: > <B>http://www.trendmicro.com/ftp/products/eicar-file/eicar.com > </B><BR>Ru > le: Block URLs of type <B>Virus infected temporary block</B><P>If you > feel you have reached this message in error, please contact > your network > administrator. > </body></html> > > Is this the appropriate method for what we need out of our > caching/virus > system? > You may try : never_direct allow all in squid.conf. To prevent squid from 'direct going attempts'. M.
