Rakesh Jha wrote:
Hi,
I have the following scenario -
Client-->squid--->Proxy--->Stateful Inspection--> Squid Parent-------->ISP2 Firewall Firewall | (two NIC config) | |-->ISP1
From Squid I am contacting the parent squid at tcp port 3128 and it is allowed through both firewalls. This arrangement works perfectly for http traffic but I cannot log in to hotmail or go to a site with https.
The idea behind this is that I want to use the second ISP without complicating my configuration. The HTTP traffic goes perfectly through ISP2 but I have a problem with HTTPS. When I change never_direct to always_direct, https works but then it is not using ISP2. Any help?
I would have to guess this is related to how you are balancing the traffic between the two NICs on the parent Squid. Many HTTPS services don't like a connection to bounce between two client IPs. I'd suggest biasing your HTTPS traffic to one ISP (either by using tcp_outgoing_address in the parent Squid configuration file, or by the routing rules on the box) and see if that fixes things.
For using ISP1 I have another squid box which has a default route to the Proxy firewall. My squid.conf on the client side squid proxy is as follows -
acl bb-itsup src 10.10.56.0/255.255.255.0
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
never_direct allow bb-itsup
never_direct allow CONNECT
Or you could eliminate this never_direct line which would allow CONNECT requests to bypass the parent proxy, while pushing all other requests through it.
http_access allow localhost
http_access allow bb-itsup
#always_direct allow bb-itsup
http_access deny all
Thanks & regards,
Rakesh
Chris
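The tcp_outgoing_address suggestion from the reply above, sketched as an added squid.conf fragment for the parent Squid (an illustration, not taken from either poster's configuration). The address 192.0.2.10 is a placeholder for the parent's own address on the NIC that faces the chosen ISP.

```conf
# Parent Squid (the two-NIC box). Added example; the address is a placeholder.

# HTTPS reaches the parent from the child Squid as CONNECT requests.
acl CONNECT method CONNECT

# Source every CONNECT tunnel from one local address, so that a given
# HTTPS service always sees the same client IP.
# 192.0.2.10 = placeholder for this box's address on the chosen ISP's NIC.
tcp_outgoing_address 192.0.2.10 CONNECT

# No catch-all tcp_outgoing_address line follows, so all other requests
# keep whatever source address the operating system selects.
```

tcp_outgoing_address only sets the source address of the connection; the operating system's routing still decides which interface the packets leave on, so the routing rules on the box have to send traffic from that address out through the matching ISP.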