Re: TCP_DENIED/400 error:invalid-request


ffredrixson@xxxxxxxxxxx wrote:
I have squid 2.6stable18 on a debian sarge box in non-transparent mode. I also have apache web server setup on this box and it works fine - when the browser is pre-configured for the proxy.

I have some people come in and use their laptops from time to time so I need a way to automatically direct them to the proxy server. I've read about wpad.dat and proxy.pac and tried setting that up but I always get the TCP_DENIED/400 error:invalid-request in the access.log.

When I pre-configure the browser for the proxy, the wpad.dat page shows me the javascript which from what I've read is what it's supposed to do when I put the URL in the address bar: http://192.168.1.1/wpad.dat.

When I configure the browser to use an automatic configuration script with that URL, I get the TCP_DENIED/400 errors again.

I must be missing something, but I've read everything I could find. Is it an acl that I'm missing?

Probably a WPAD-DNS / WPAD-DHCP muckup or something in the .PAC itself.


Can someone please help me out?

Thank you in advance.

Here is my squid.conf:

memory_pools off
httpd_suppress_version_string on
cache_effective_user squid
cache_effective_group squid

Better leave the group voodoo to the kernel. Set up the user/group on the OS properly and it's not needed in squid.conf. effective_user is okay if it's not built properly by the package maintainer (But it should be!).

http_port 3128

cache_access_log /usr/local/squid/var/logs/access.log

That's now:  access_log ...

cache_log /usr/local/squid/var/logs/cache.log
mime_table /usr/local/squid/etc/mime.conf
log_mime_hdrs on
useragent_log /usr/local/squid/var/logs/useragent.log

url_rewrite_program /usr/local/squid/bin/ufdbgclient -l /usr/local/squid/var/logs
url_rewrite_children 16

#ACL's
acl all src 0/0

Make this:  acl all src all

no_cache deny all

Make this:  cache deny all
(or if you want things cached and bandwidth savings, remove it)

acl internal_net src 192.168.1.0/24

acl ok_downloads dstdomain "/var/domains.txt"

acl SSL_ports port 443
acl CONNECT method CONNECT

http_access allow internal_net

None of the other http_access will ever match after that line!

http_access allow ok_downloads internal_net !

http_reply_access allow internal_net ok_downloads

Why do this restrictive allow when the next line is a duplicate but more friendly one? Better to just allow all replies. Remember Error pages and Access Denied etc are replies!

http_reply_access allow internal_net

And ok. Good finish.

http_access deny all

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
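
The rule-ordering point raised in the reply above, as an added example that is not part of the original thread or of Squid itself: a small linter that flags http_access / http_reply_access lines made unreachable by an earlier line. The function names and the sample text are assumptions for illustration; the sample reuses the post's rules with the dangling "!" left out.

```python
"""Flag Squid access rules that can never decide a request (added example)."""

ACCESS_DIRECTIVES = ("http_access", "http_reply_access")

# Constructed sample: the access rules quoted in the post, in their original
# order, with the dangling "!" on the second http_access line left out.
SAMPLE_CONF = """\
http_access allow internal_net
http_access allow ok_downloads internal_net
http_reply_access allow internal_net ok_downloads
http_reply_access allow internal_net
http_access deny all
"""


def parse_rules(conf_text):
    """Return {directive: [(line_no, action, frozenset(acl_names)), ...]}."""
    rules = {}
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 3 and fields[0] in ACCESS_DIRECTIVES:
            rules.setdefault(fields[0], []).append(
                (line_no, fields[1], frozenset(fields[2:])))
    return rules


def find_shadowed(conf_text):
    """Return [(directive, unreachable_line, shadowing_line), ...].

    Squid ANDs the ACLs named on one line and stops at the first line that
    matches. If an earlier line's ACL set is a subset of a later line's, every
    request matching the later line already matched the earlier one.
    """
    findings = []
    for directive, rules in parse_rules(conf_text).items():
        for i, (line_no, _action, acls) in enumerate(rules):
            for prev_no, _prev_action, prev_acls in rules[:i]:
                # Assumption: "all" matches every client (acl all src 0/0 in
                # the post), so it adds no constraint to the earlier line.
                if prev_acls - {"all"} <= acls:
                    findings.append((directive, line_no, prev_no))
                    break
    return findings


if __name__ == "__main__":
    for directive, line_no, prev_no in find_shadowed(SAMPLE_CONF):
        print(f"{directive} on line {line_no} is unreachable: "
              f"line {prev_no} always matches first")
```

The check is purely syntactic: it compares ACL names, not the addresses or domains behind them, so it reports only lines that are provably unreachable.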
