You also need
never_direct allow all
I tried this and effectively stopped all connectivity to any sites.
as per the Squid FAQ on how to use Squid within a firewall.
This is quite likely the source of your problems as the (unencoded) ? characters make the URL fall into the "non-hierarchical" category where Squid will by default go direct unless prohibited.
Regards Henrik
--
+------------------------------------------
| José J. Cintrón - <jcintron@xxxxxxxxx>
+------------------------------------------
#
# Which port are we going to listen on
#
http_port 80
#
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches to disable use 0, default 3120.
#
icp_port 3120
#
# Where are we going to forward requests to...
#
cache_peer SQUID-PARENT parent 80 3120 proxy-only no-query
#
# This are settings from the default squid file. Don't ask me
# what they do, if you need to know RTFM
#
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#
# Define ACLs
#
acl all src 10.10.12.2/255.255.255.255
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl SSL_ports port 443 563
#
# Define ports
#
acl Safe_ports port 80
acl Safe_ports port 20 21
acl Safe_ports port 443
#
# Define which domains we are going to allow
#
acl ALLOWED_domains dstdomain .microsoft.com .symantec.com .sun.com .msn.com .landesk.com .symantec.speedera.net
#
# Only allow cachemgr access from localhost
#
http_access allow manager localhost
http_access deny manager
#
# Deny requests to unknown ports
#
http_access deny !Safe_ports
#
# Deny CONNECT to other than SSL ports
#
http_access deny CONNECT !SSL_ports
#
# Allow connections to ALLOWED domains only
#
http_access allow ALLOWED_domains
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#
http_access deny to_localhost
#
# And finally deny all other access to this proxy
#
http_access deny all
#
# Allow replies to client requests. This is complementary to http_access.
#
http_reply_access allow all
#
#Allow ICP queries from everyone
#
icp_access allow all
#
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "webmaster."
#
cache_mgr jcintron@xxxxxxxxx
cache_effective_user nobody
never_direct allow ALLOWED_domains
#
# Leave coredumps in the first cache dir
#
coredump_dir /var/lib/squid/cache
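
Added example, not part of the original thread: one way to confirm the behaviour Henrik describes is to scan Squid's native-format access.log for requests whose hierarchy code is DIRECT and see whether the URL contains a hierarchy_stoplist word. The log lines, addresses and the function name are constructed for illustration; the stoplist words and peer name are taken from the posted squid.conf.

```python
# hierarchy_stoplist words from the posted squid.conf
STOPLIST = ("cgi-bin", "?")

# Hierarchy codes that mean Squid contacted the origin server itself
DIRECT_CODES = ("DIRECT", "TIMEOUT_DIRECT")

# Constructed sample in Squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1100000000.101    120 10.10.12.2 TCP_MISS/200 5120 GET http://www.microsoft.com/ - FIRST_UP_PARENT/SQUID-PARENT text/html
1100000001.202   3050 10.10.12.2 TCP_MISS/504 1400 GET http://www.symantec.com/cgi-bin/update.cgi?id=7 - DIRECT/192.0.2.10 text/html
1100000002.303     95 10.10.12.2 TCP_MISS/200 2048 GET http://www.sun.com/download/index.html - FIRST_UP_PARENT/SQUID-PARENT text/html
1100000003.404   3010 10.10.12.2 TCP_MISS/504 1400 GET http://www.msn.com/search?q=squid - DIRECT/192.0.2.20 text/html
1100000004.505      2 10.10.12.2 TCP_DENIED/403 1300 GET http://www.example.org/ - NONE/- text/html
"""


def direct_requests(log_text, stoplist=STOPLIST):
    """Return (url, stoplist_word_or_None) for every request sent direct.

    A non-None second element means the URL matched hierarchy_stoplist,
    i.e. Squid treated it as non-hierarchical and bypassed the parent.
    """
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated line
        url, hierarchy = fields[6], fields[8]
        code = hierarchy.split("/", 1)[0]
        if code in DIRECT_CODES:
            word = next((w for w in stoplist if w in url), None)
            findings.append((url, word))
    return findings


if __name__ == "__main__":
    for url, word in direct_requests(SAMPLE_LOG):
        reason = f"matches hierarchy_stoplist word {word!r}" if word else "no stoplist match"
        print(f"DIRECT: {url} ({reason})")
```

If every DIRECT entry carries a stoplist match, the bypass is coming from the non-hierarchical rule rather than from a missing or unreachable parent.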