
Re: Squid proxy

> Jan-Frode Myklebust-2 wrote:
>>
>> On 2009-03-06, Merdouille <jgerhards@xxxxxxxxxxxxxxxxx> wrote:
>>>
>>> I need to have a squid conf to allow people to access data from url
>>> like
>>> :
>>>
>>> http://mysquidproxy/img=http%3A%2F%2Ffiles.macbidouille.com%2Fnews%2F200903%2FAP999.jpg
>>> or
>>> http://mysquidproxy/img=http://files.macbidouille.com/Fnews/200903/AP999.jpg
>>>
>>> and i want mysquid to use cache for
>>> http://files.macbidouille.com/Fnews/200903/AP999.jpg
>>
>>
>> I recently had a similar problem, but I solved it using apache instead
>> of squid. Assuming your squid is running on port 3128/tcp, and you have
>> apache listening on 80/tcp. The following apache-config should do what
>> you ask (I think):
>>
>> 	ProxyRequests On
>> 	ProxyRemote * http://localhost:3128
>> 	ProxyTimeout 600
>> 	ProxyPreserveHost Off
>>
>> 	RewriteEngine on
>> 	RewriteRule ^/img=http://(.*) http://$1 [L,P]
>>
>>
>>
>>   -jf
>>
>>
>>
>
> I tried it for my httpd :
>
> # Enable the proxy
> ProxyRequests On
> ProxyVia On
> # Parent proxies
> ProxyRemote * http://192.168.100.194:81
> # The timeout
> ProxyTimeout 600
> ProxyPreserveHost Off
> RewriteEngine on
> RewriteRule ^/img=http://(.*) http://$1 [L,P]
> RewriteLog /var/log/httpd/rewrite.log
> RewriteLogLevel 3
>
>
> And my squid on the  same computer port 81 :
>
> visible_hostname moi
> acl	all			src			all
> acl 	white 		dstdomain 	"/etc/squid/white"
> acl 	TRACE 		method 		TRACE
> acl	PUT			method		PUT
> acl	POST		method		POST
> acl 	proxyed 		urlpath_regex -i	"/etc/squid/whitelist"
>

Are these the only http_access lines?

> http_access 		allow 		white !POST !PUT !TRACE proxyed

Will ONLY match domains in whitelist which *also* contain path segments in
'proxyed'.
 -> This means apache requests for http://someone.else.example.com/fubar 
will not match this control.

> http_access 		deny 		!white POST PUT TRACE !proxyed

 --> will always fail to match:
 Request method == "POST" == "PUT" == "TRACE" != true

*** implicit inversion ***
Your squid is handling that list as trailed by an:
  http_access allow all

Which makes your open-proxy behavior.


> http_port	moi:81
> icp_port 	0
>
> etc
>
> When I try http://moi/http://somesite/someURL it works but it works for
> every site!
> My dstdomain white list works no more!


To get this going safely with Squid+Apache you will also need to do all of
the following in addition to what you have already done:

1) Trail the list with an explicit "http_access deny all"  to be sure the
set controls only do what you want.

2) Add an access control to allow apache requests through.

3) Set up a second ACL mirroring the 'proxyed' listing, which limits apache
requests only to the requests that are actually allowed.

4) Set up a *third* set of access controls on apache, to mirror the
accepted content in the 'proxyed' file and block apache from being an
open-proxy in its own place.



Amos
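
Added example, not part of the original message and not Squid's own code: a simplified Python model of how the two posted http_access lines are evaluated, showing why an unlisted site is allowed and how the explicit "deny all" from step 1 closes that gap. The contents of WHITE and PROXYED are constructed stand-ins for the /etc/squid/white and /etc/squid/whitelist files, which the thread does not show.

```python
import re

# Simplified model of Squid http_access evaluation (illustration only).
WHITE = {"files.macbidouille.com"}   # constructed stand-in for /etc/squid/white
PROXYED = (r"/news/",)               # constructed stand-in for /etc/squid/whitelist

def acl_matches(name, req):
    """Evaluate one named ACL from the posted config against a request."""
    if name == "all":
        return True
    if name == "white":                       # dstdomain
        return req["host"] in WHITE
    if name == "proxyed":                     # urlpath_regex -i
        return any(re.search(p, req["path"], re.I) for p in PROXYED)
    if name in ("POST", "PUT", "TRACE"):      # method
        return req["method"] == name
    raise KeyError(name)

def line_matches(terms, req):
    """All ACLs on one http_access line are ANDed; '!' negates a term."""
    for term in terms:
        negated = term.startswith("!")
        if acl_matches(term.lstrip("!"), req) == negated:
            return False
    return True

def http_access(rules, req):
    """First matching line decides; if none match, the result is the
    opposite of the last line's action (the implicit inversion)."""
    for action, terms in rules:
        if line_matches(terms, req):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

POSTED_RULES = [
    ("allow", ["white", "!POST", "!PUT", "!TRACE", "proxyed"]),
    # A request has exactly one method, so POST and PUT and TRACE never all match.
    ("deny", ["!white", "POST", "PUT", "TRACE", "!proxyed"]),
]
# Step 1 of the reply: trail the list with an explicit deny.
FIXED_RULES = POSTED_RULES + [("deny", ["all"])]

def verdicts(rules):
    """Return (verdict for a whitelisted image, verdict for an unlisted site)."""
    wanted = {"method": "GET", "host": "files.macbidouille.com",
              "path": "/news/200903/AP999.jpg"}
    other = {"method": "GET", "host": "someone.else.example.com", "path": "/fubar"}
    return http_access(rules, wanted), http_access(rules, other)

if __name__ == "__main__":
    print("posted:", verdicts(POSTED_RULES))
    print("fixed: ", verdicts(FIXED_RULES))
```
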

