On Wed, 21 Oct 2009 08:44:43 -0700 (PDT), ant2ne <tcygne@xxxxxxxxxxxxxxxx> wrote:

> I'm not sure what I'm trying to describe.
>
> This webcache proxy is not used for any security whatsoever. We have
> other filtering devices. This proxy is only designed to cache websites.
> For the most part it is working well.

_everything_ plugged into the network has a security impact. This proxy is
just not front-line is all.

For example, an open internal proxy might still be used as a multi-stage
relay by infected internal machines, or as an easy access pathway to
otherwise protected (source authorized?) internal resources.

>
> But, we have some users that try to access intranet sites via a web console
> and they get "access denied" from squid. I'm thinking that it is probably
> that these intranet sites open up a port that is restricted by squid in
> some way.

Your proxy logs will say. Check access.log for 4xx and 5xx status codes on
internal URLs. Then analyse the particular URLs found.

> I'm wanting to pass through all traffic on all ports for all client
> computers who are accessing an ip address of 10.0.0.0. I want these sites
> to just get passed through the proxy without caching the data.

Must it be by IP address? Is there no internal domain name for access?

With dstdomain you can do:
  acl internalSite dstdomain foo.example.com

otherwise you are stuck with Squid doing DNS lookups to locate:
  acl internalServer dst 10.0.0.0

>
> Here is my current squid.conf
>
> http_port 3128
> # acl QUERY urlpath_regex cgi-bin \?   #Removed by Amos, suggested to speed up web sites using media
> cache_mem 512 MB   # May need to set lower if I run low on RAM
> maximum_object_size_in_memory 4096 KB   #Increased by Amos, suggested to speed up web sites using media
> maximum_object_size 1 GB
> cache_dir aufs /cache 500000 256 256
> redirect_rewrites_host_header off
> cache_replacement_policy lru
> acl all src all
> acl localnet src 10.60.0.0/255.255.0.0
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
> acl Safe_ports port 80 443 210 119 70 21 1025-65535
> acl SSL_Ports port 443
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_Ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> icp_port 0
> refresh_pattern \.jpg$ 3600 50% 60
> refresh_pattern \.gif$ 3600 50% 60
> refresh_pattern \.css$ 3600 50% 60
> refresh_pattern \.js$ 3600 50% 60
> refresh_pattern \.html$ 300 50% 10
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> access_log /var/log/squid/access.log squid
> visible_hostname AHSPX01
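The access.log check suggested above, as an added example that is not part of the thread: it reads Squid's native log format (field 4 is action/status, field 7 is the URL), and prints the 4xx/5xx entries whose destination host is in 10.0.0.0/8, the intranet range the poster is asking about. The log lines below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of Squid native access.log lines:
# timestamp elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG='1256137483.123     45 10.60.1.5 TCP_DENIED/403 1430 GET http://10.0.0.12:8080/console/ - NONE/- text/html
1256137484.201    120 10.60.1.9 TCP_MISS/200 5820 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1256137485.377     30 10.60.2.4 TCP_DENIED/403 1430 CONNECT 10.0.0.30:9443 - NONE/- text/html
1256137486.902    980 10.60.1.5 TCP_MISS/502 1200 GET http://10.0.0.12:8080/console/login - DIRECT/10.0.0.12 text/html
1256137487.010     12 10.60.3.7 TCP_HIT/200 2300 GET http://10.0.0.12:8080/static/logo.gif - NONE/- image/gif'

# Print client, action/status, method and URL for every 4xx/5xx entry whose
# URL host is a 10.x.x.x address. CONNECT requests log "host:port" with no
# scheme, so the scheme strip is optional and the host/port split handles both.
# Usage: internal_errors < /var/log/squid/access.log
internal_errors() {
    awk '
        {
            split($4, ac, "/"); status = ac[2]
            url = $7
            sub("^[a-z]+://", "", url)    # drop "http://" if present
            sub("[/:].*$", "", url)       # keep only the host part
            if (status ~ /^[45][0-9][0-9]$/ && url ~ /^10\.[0-9]+\.[0-9]+\.[0-9]+$/)
                print $3, $4, $6, $7
        }'
}

# Number of matching entries in the constructed sample (expected: 3).
count_internal_errors() {
    printf '%s\n' "$SAMPLE_LOG" | internal_errors | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | internal_errors
```

The denied CONNECT to 10.0.0.30:9443 in the sample is exactly the kind of line the "deny CONNECT !SSL_Ports" rule in the posted squid.conf produces for a console on a non-443 port.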