On Mon, 12 Sep 2011 15:48:50 -0700, MargaretGillon wrote:
I am on a WAN with another division. We are trying to run a web program at that division but SQUID denies the address. I use a whitelist and added the IP address to the whitelist but the program still won't run. I also added the server by name ".services.chromalloy.local" to the whitelist. I also added the program's port to the Safe_ports list. The other division also uses SQUID and when they added the server's IP to their whitelist the program could run. I am guessing the problem is that we are on 2 different networks and the server isn't on our local network? My squid.conf is below. I am on the 192.168.100.0 network and the program is on the 193.168.3.0 network. I marked the lines I changed with "added 2011-09-12". I am running Squid3 on Ubuntu 10.04.1.
Thanks, Margaret.
*** This is from the access.log file
1315858391.599      0 192.168.100.19 TCP_DENIED/403 2614 GET http://services.chromalloy.local:8888/VFG/VirtualFG.svc - NONE/- text/html
1315858401.149     11 192.168.100.19 TCP_DENIED/403 2419 GET http://192.168.3.42/ - NONE/- text/html
*** this is my squid.conf
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl server src 192.168.3.1/255.255.255.255 #added 2011-09-12
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.100.0/24 192.168.101.0/24 192.168.3.0/24 #added 2011-09-12
These would have worked IF the source of the request was 192.168.3.*.
However that is the destination. I think you can drop both of these
changes again.
<snip>
hierarchy_stoplist cgi-bin ?
You can drop hierarchy_stoplist.
<snip>
acl whitelist dstdomain "/etc/squid3/whitelist.txt"
# Allow localnet machines to whitelisted sites
http_access allow localnet whitelist
Clients in localnet are only allowed to visit whitelisted websites...
Your logged client (192.168.100.19) is in localnet, so it appears that
the *domain name* "192.168.3.42" and "services.chromalloy.local" are not
whitelisted. squid does not exactly do mDNS yet, so the .local domain is
probably failing on DNS lookup for to_localhost.
The best way is probably to use a type of reverse-proxy config for it.
Place the following above your to_localhost http_access rule, after the
CONNECT rule:
# forward requests for the service to its origin server on the remote network
cache_peer 192.168.3.42 parent 8888 0 originserver no-query name=services
acl localServices dstdomain .services.chromalloy.local
# only requests for that domain may use the peer
cache_peer_access services allow localServices
cache_peer_access services deny all
http_access allow localnet localServices
Amos
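Added example (editor's, not part of either message above): the minimum-style squid.conf that results from applying Amos's advice to Margaret's posted config. The hostname services.chromalloy.local, the origin 192.168.3.42:8888, the client networks and the whitelist path are taken from the thread; the overall rule order and the never_direct line are the editor's additions and are marked as such in the comments.

```conf
# Added example: squid 3.x config applying the advice in this thread.
# Names, networks and paths come from the original post; the rule order
# and the never_direct line are the editor's own additions.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

# src ACLs match where the CLIENT comes from. The server's network
# (192.168.3.0/24) is the destination, so it does not belong here, and
# the "acl server src 192.168.3.1/32" line from the post is dropped.
acl localnet src 192.168.100.0/24 192.168.101.0/24

acl SSL_ports port 443
# Standard minimum Safe_ports list; 8888 already falls inside 1025-65535,
# so a separate entry for the service port is not needed.
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# The remote application, matched on the destination domain of the URL.
acl localServices dstdomain .services.chromalloy.local

# Ordinary domain whitelist for everything else (one domain per line).
acl whitelist dstdomain "/etc/squid3/whitelist.txt"

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Reverse-proxy block from Amos's reply: Squid forwards by IP, so it never
# has to resolve the .local name itself.
cache_peer 192.168.3.42 parent 8888 0 originserver no-query name=services
cache_peer_access services allow localServices
cache_peer_access services deny all
# Editor's addition (not in Amos's reply): forbid going direct for this
# domain so a failed DNS lookup of the .local name cannot bypass the peer.
never_direct allow localServices
http_access allow localnet localServices

http_access deny to_localhost
# Clients in localnet may otherwise only reach whitelisted sites.
http_access allow localnet whitelist
http_access deny all
```

After reloading, the first logged request (http://services.chromalloy.local:8888/...) matches localServices and is sent to the peer; the second (http://192.168.3.42/) is by IP, does not match that dstdomain ACL, and is still governed by the whitelist file.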