Re: Adding WAN IP address to SQUID.CONF so users can run .net program


On Mon, 12 Sep 2011 15:48:50 -0700, MargaretGillon wrote:
I am on a WAN with another division. We are trying to run a web program at that division but SQUID denies the address. I use a whitelist and added the IP address to the whitelist but the program still won't run. I also added the server by name ".services.chromalloy.local" to the whitelist. I also added the program's port to the Safe_ports list. The other division also uses SQUID and when they added the server's IP to their whitelist the program could run. I am guessing the problem is that we are on 2 different networks and the server isn't on our local network? My squid.conf is below. I am on the 192.168.100.0 network and the program is on the 193.168.3.0 network. I marked the lines I changed with added 2011-09-12. I am running Squid3 on Ubuntu 10.04.1.
Thanks, Margaret.

*** This is from the access.log file
1315858391.599      0 192.168.100.19 TCP_DENIED/403 2614 GET http://services.chromalloy.local:8888/VFG/VirtualFG.svc - NONE/- text/html
1315858401.149     11 192.168.100.19 TCP_DENIED/403 2419 GET http://192.168.3.42/ - NONE/- text/html

*** this is my squid.conf

#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl server    src 192.168.3.1/255.255.255.255   #added 2011-09-12
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.100.0/24 192.168.101.0/24 192.168.3.0/24 #added 3.0 2011-09-12

These would have worked IF the source of the request was 192.168.3.*. However that is the destination. I think you can drop both of these changes again.

<snip>
hierarchy_stoplist cgi-bin ?

You can drop hierarchy_stoplist.

<snip>

acl whitelist dstdomain "/etc/squid3/whitelist.txt"

# Allow localnet machines to whitelisted sites
http_access allow localnet whitelist

Clients in localnet are only allowed to visit whitelisted websites...

Your logged client (192.168.100.19) is in localnet, so it appears that the *domain name* "192.168.3.42" and "services.chromalloy.local" are not whitelisted. squid does not exactly do mDNS yet, so the .local domain is probably failing on DNS lookup for to_localhost.


The best way is probably to use a type of reverse-proxy config for it. Place this above your to_localhost http_access rule, after the CONNECT rule:

cache_peer 192.168.3.42 parent 8888 0 originserver no-query name=services
acl localServices dstdomain .services.chromalloy.local
cache_peer_access services allow localServices
cache_peer_access services deny all
http_access allow localnet localServices


Amos
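
Added example (not part of the original thread, and not Squid's own code): a Python triage of the two denied requests quoted above. It shows that the src entries marked "added 2011-09-12" can never match the logged client, and that a name-based whitelist entry does not cover the request made by raw IP. The dstdomain matcher is a simplified string model with no DNS lookups, and the whitelist contents passed in are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# The two denied requests from the access.log excerpt in the thread.
LOG = """\
1315858391.599      0 192.168.100.19 TCP_DENIED/403 2614 GET http://services.chromalloy.local:8888/VFG/VirtualFG.svc - NONE/- text/html
1315858401.149     11 192.168.100.19 TCP_DENIED/403 2419 GET http://192.168.3.42/ - NONE/- text/html
"""

# The src entries marked "added 2011-09-12" in the posted squid.conf.
ADDED_SRC = [ipaddress.ip_network(n) for n in ("192.168.3.1/32", "192.168.3.0/24")]

def dstdomain_match(host, entries):
    """Simplified dstdomain model: '.x' matches x and subdomains, 'x' only x."""
    host = host.lower()
    for e in (e.lower() for e in entries):
        if host == e.lstrip(".") or (e.startswith(".") and host.endswith(e)):
            return True
    return False

def in_any(addr, nets):
    """True if addr is an IP literal inside one of nets; hostnames give False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in nets)

def triage(log, whitelist):
    """One dict per TCP_DENIED line: which side of the request each ACL sees."""
    rows = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 7 or not f[3].startswith("TCP_DENIED"):
            continue
        # CONNECT lines log "host:port" with no scheme, so fall back to a split.
        host = urlsplit(f[6]).hostname or f[6].rsplit(":", 1)[0]
        rows.append({
            "client": f[2],
            "dest": host,
            "added_src_matches_client": in_any(f[2], ADDED_SRC),  # what src tests
            "added_nets_cover_dest": in_any(host, ADDED_SRC),     # what dst would test
            "dest_whitelisted": dstdomain_match(host, whitelist),
        })
    return rows

if __name__ == "__main__":
    for row in triage(LOG, [".example.com"]):  # constructed whitelist contents
        print(row)
```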

