GIGO . wrote:
In our setup ISA is being used as parent peer. The problem is that clients cannot browse https sites. (All http/ftp sites work fine.)
OS =Ubuntu 8.04
Squid3 is installed
I am extremely surprised your clients have access to HTTP and FTP at all.
Your configuration is seriously screwed and permits HTTPS but blocks
HTTP and FTP.
I think you need to read over the FAQ about access controls and how they
work. http://wiki.squid-cache.org/SquidFaq/SquidAcl
Take note in particular to the sections about ordering along with the
AND/OR logics and common mistakes.
My squid.conf file:
visible_hostname 10.1.82.53
That is supposed to be a host domain name. It's publicly visible and IPs
in the 10.0.0.0/8 network are not unique.
cache_peer ISASERVER parent 8080 0 default no-digest no-query
http_port 10.1.82.53:3128
never_direct allow all
#Recommended minimum configuration:
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.1.82.0/255.255.255.0, 10.1.245.0/255.255.255.0
"," is not valid.
That line should be:
acl localnet src 10.1.82.0/24 10.1.245.0/24
acl SSL_ports port 443 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost localnet to_localhost SSL_ports Safe_ports
http_access allow CONNECT Safe_ports SSL_ports
http_access deny !Safe_ports !SSL_ports
http_access deny all
Please erase all those http_access lines and use the ones below.
I am stuck with it and your assistance would be really valuable.
Thanks in advance
Regards,
Bilal Aslam
The default rules we provide for Squid allow the localnet and the local
machine Squid is running on full access to HTTPS, HTTP, FTP, Gopher, and
WAIS protocols and also to connect to any web server hosted on port
>1024 if it needs to (websites strangely hosted on 8080 etc).
Those defaults are:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
The single line "never_direct allow all" is forcing every single request
to be relayed through your ISA server.
Your ISA may not be configured to accept the CONNECT requests.
You have two choices:
1) make ISA handle the CONNECT requests Squid passes on from your clients.
2) add "never_direct deny CONNECT" above the "never_direct allow all"
to permit Squid to make HTTPS connections outward itself.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
Current Beta Squid 3.1.0.17
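An added example, not from the thread: a small Python model of Squid's http_access evaluation (first matching line wins, every ACL named on a line must match, "!" negates one ACL) run over the posted rules and the quoted defaults. The networks and ports come from the posted squid.conf; the client and destination addresses are constructed.

```python
# Added model (not Squid's own code): http_access semantics -- first matching
# line wins, every ACL on a line must match (AND), "!" negates one ACL.
import ipaddress
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))  # from posted squid.conf
LOCALNET = [ipaddress.ip_network("10.1.82.0/24"), ipaddress.ip_network("10.1.245.0/24")]

def acl_matches(name, req):
    """Evaluate one named ACL against a request dict (src, dst, port, method)."""
    src, dst = ipaddress.ip_address(req["src"]), ipaddress.ip_address(req["dst"])
    return {
        "localhost":    src == ipaddress.ip_address("127.0.0.1"),
        "to_localhost": dst in ipaddress.ip_network("127.0.0.0/8"),
        "localnet":     any(src in net for net in LOCALNET),
        "SSL_ports":    req["port"] == 443,
        "Safe_ports":   req["port"] in SAFE_PORTS,
        "CONNECT":      req["method"] == "CONNECT",
        "all":          True,
    }[name]

def http_access(rules, req):
    """Return the verb of the first rule whose ACLs all match; if no rule
    matches, Squid uses the opposite of the last rule's verb."""
    for verb, *acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return verb
    return "deny" if rules[-1][0] == "allow" else "allow"

# The poster's http_access lines, as (verb, acl, acl, ...).
POSTED = [
    ("allow", "localhost", "localnet", "to_localhost", "SSL_ports", "Safe_ports"),
    ("allow", "CONNECT", "Safe_ports", "SSL_ports"),
    ("deny", "!Safe_ports", "!SSL_ports"),
    ("deny", "all"),
]
# The defaults quoted in the reply.
DEFAULTS = [
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("allow", "localnet"),
    ("allow", "localhost"),
    ("deny", "all"),
]
# Constructed requests from a LAN client; the destination address is made up.
HTTPS = {"src": "10.1.82.100", "dst": "203.0.113.10", "port": 443, "method": "CONNECT"}
HTTP = {"src": "10.1.82.100", "dst": "203.0.113.10", "port": 80, "method": "GET"}
SMTP = {"src": "10.1.82.100", "dst": "203.0.113.10", "port": 25, "method": "CONNECT"}

if __name__ == "__main__":
    for label, req in (("https", HTTPS), ("http", HTTP), ("connect:25", SMTP)):
        print(label, "posted:", http_access(POSTED, req), "defaults:", http_access(DEFAULTS, req))
```

The first posted line can never match a LAN client (it requires src to be both localhost and localnet at once), so plain HTTP falls through to "deny all" while CONNECT to 443 is allowed, which is the reversed behaviour the reply describes.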