Hi all!

I use Squid2.6STABLE5 as a proxy to access DMZ-located webservers from the outside and also as an HTTP proxy for my internal clients. But there is a problem: I get forward loops on my external interface. I tried all kinds of different setups, but it doesn't make any difference.

Offending setup:

http_port internal:3128
http_port mail:80 defaultsite=www.foobar.com vhost
http_port orders:80 defaultsite=orders.foobar.com vhost
https_port webmail:443 \
    defaultsite=webmail.foobar.com vhost \
    cert=/usr/local/etc/squid/certs/webmail.foobar.com.pem \
    cafile=/etc/CA/ssl/public/vsign-class3.crt \
# clientca=/etc/CA/ssl/public/ca.pem \
# crlfile=/etc/CA/ssl/public/crl.pem \
# sslflags=DELAYED_AUTH \
    capath=/etc/CA/ssl/public
icp_port 0
# Mail program
#mail_program sendmail
# Redirector
redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
redirect_children 4
# Rotate logs 4 times
logfile_rotate 4
# Do not show our internal IP-address
forwarded_for off
# Error directory
error_directory /usr/local/etc/squid/errors/Dutch
# Access log
access_log /usr/local/squid/logs/access.log squid
# SSL options
ssl_unclean_shutdown on
#sslproxy_client_certificate /usr/local/etc/squid/certs/client.certs
#
# Public Internet to DMZ
cache_peer www2.foobar.com parent 80 0 no-query originserver \
    proxy-only no-digest
cache_peer_domain www2.foobar.com www.foobar.com
cache_peer www3.foobar.com parent 80 0 no-query originserver proxy-only \
    login=PASS connection-auth=off no-digest
cache_peer_domain www3.foobar.com orders.foobar.com
#cache_peer www4.foobar.com parent 80 0 no-query originserver proxy-only
#cache_peer_domain www4.foobar.com www.foobarusa.com
cache_peer blx-mx.foobar.com parent 80 0 no-query originserver \
    front-end-https proxy-only no-digest login=PASS connection-auth=off
cache_peer_domain blx-mx.foobar.com webmail.foobar.com
acl accel type accelerated
acl accel-domains dstdomain www.foobar.com orders.foobar.com webmail.foobar.com
http_access allow accel accel-domains
http_access deny accel
# =================== The rest of the config
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#
# Cache settings
cache_effective_user squid
cache_effective_group squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#
# Internal to Public Internet
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8090
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl our_networks src 10.0.0.0/16 10.11.0.0/16 10.30.0.0/16
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow only our networks
http_access allow our_networks
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
icp_access allow all
#
# Kaspersky Proxy for Squid ICAP Support
icap_enable on
icap_send_client_ip on
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_class ic_kav is_kav_req is_kav_resp
acl HTTP proto HTTP
acl GET method GET
icap_access ic_kav allow HTTP GET

TIA
Bert