On 27/09/11 15:45, Dale Mahalko wrote:
> Environment:
> pfSense 1.2.3-Release
> Squid 2.7.9_4.1
> I am using squid as a local access-logging front-end, to another
> remote proxy which acts as a content filter on which I don't have
> reporting/logging access.
> If I specify the remote proxy and port in the web browser, I just get
> a blank "can't connect" error for HTTPS addresses. It is blocking the
> site, as expected.
Well, HTTPS in proxy-formatted HTTP requests is called "CONNECT". The
thing to be aware of is that this will *only* show up if the browser is
configured to use a proxy (i.e. your Squid).
Second thing is that CONNECT requests are normally not sent to peer
proxies. You have to set "nonhierarchical_direct off" to make CONNECT
and POST go to peers.
> But when squid is used, the access.log contains a long string of all
> "TCP_DENIED" or "TCP_MISS" messages, but the blocked page loads
> anyway.
> Checking the cache.log there is a message "Temporarily disabling (Not
> Found) digest from proxy.foo.com:8888"
This is unrelated. Simply means the peer is not willing or able to share
a cache digest with your Squid. Add "no-digest" to its cache_peer line
to silence these.
> It appears squid is quietly saying "fine, I will go direct and
> retrieve the data anyway".
Exactly.
> The directive never_direct doesn't do anything for this:
> never_direct deny all
You misunderstand never_direct. (It's a bit of a twisted double-negative
directive.)
"allow" is the only value with active meaning on never_direct.
"deny" is simply a way to avoid/bypass some following "allow" lines
from having effect. It equates to "maybe go direct" in never_direct.
> I need squid to just simply give up and stop trying to access the
> blocked site, if the upstream parent won't provide the content.
I think you need:
# send CONNECT (https://) and POST through the peer.
nonhierarchical_direct off
# prevent Squid going direct if the peer denies.
never_direct allow all
.. and make sure the cache_peer line has type "parent" for the peer.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.12
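As an added illustration (not part of Amos's reply and not code from the Squid project), the script below emulates the never_direct double negative exactly as described above, audits a squid.conf fragment for the three points raised in the thread (a "parent" cache_peer, "never_direct allow all", "nonhierarchical_direct off", plus "no-digest" on the peer), and scans a few access.log lines for requests that went DIRECT instead of through the parent. Both config fragments and the log lines are constructed for the example; the parser only matches ACL names literally and does not evaluate real Squid ACLs.

```python
"""Audit a Squid 2.7-style squid.conf for 'goes direct anyway' behaviour.

Constructed example; it is not Squid code and only approximates how Squid
walks never_direct lines (first match wins, 'allow' = force peer).
"""

# Constructed squid.conf fragments: the first mirrors the setup described
# in the thread, the second applies the suggested changes.
CONF_BEFORE = """\
cache_peer proxy.foo.com parent 8888 0 no-query default
never_direct deny all
"""

CONF_AFTER = """\
cache_peer proxy.foo.com parent 8888 0 no-query no-digest default
# send CONNECT (https://) and POST through the peer.
nonhierarchical_direct off
# prevent Squid going direct if the peer denies.
never_direct allow all
"""

# Constructed access.log lines in Squid's native format. Field 9 is the
# hierarchy code: DIRECT/<ip> means no peer was used for that request.
ACCESS_LOG = """\
1317130000.123    412 192.168.1.10 TCP_MISS/200 9310 CONNECT blocked.example:443 - DIRECT/203.0.113.7 -
1317130001.456    233 192.168.1.10 TCP_MISS/200 8812 GET http://ok.example/ - FIRSTUP_PARENT/proxy.foo.com text/html
1317130002.789     12 192.168.1.10 TCP_DENIED/403 1455 GET http://blocked.example/ - NONE/- text/html
"""


def parse(conf):
    """Return non-comment directives as (name, [args]) in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            rules.append((name, args))
    return rules


def never_direct_forces_peer(rules, acl_name="all"):
    """True only if a request matching acl_name hits a never_direct 'allow'.

    A 'deny' match (or no match at all) does not force anything; it only
    means 'maybe go direct', which is the double negative explained above.
    """
    for name, args in rules:
        if name != "never_direct" or len(args) < 2:
            continue
        action, acls = args[0], args[1:]
        if acl_name in acls:
            return action == "allow"
    return False


def audit(conf):
    """Return a list of findings; an empty list means the config is as advised."""
    rules = parse(conf)
    findings = []
    peers = [a for n, a in rules if n == "cache_peer"]
    parents = [p for p in peers if len(p) > 1 and p[1] == "parent"]
    if not parents:
        findings.append("no cache_peer of type parent")
    if not never_direct_forces_peer(rules):
        findings.append("never_direct does not force peer use; use 'never_direct allow all'")
    nhd = [a for n, a in rules if n == "nonhierarchical_direct"]
    if not nhd or nhd[-1][0] != "off":
        findings.append("nonhierarchical_direct is on; CONNECT and POST bypass the peer")
    for p in parents:
        if "no-digest" not in p[3:]:
            findings.append(f"peer {p[0]}: add no-digest to silence digest fetch messages")
    return findings


def direct_requests(log):
    """Return (method, url) for entries whose hierarchy field is DIRECT/..."""
    hits = []
    for line in log.splitlines():
        f = line.split()
        if len(f) >= 9 and f[8].startswith("DIRECT/"):
            hits.append((f[5], f[6]))
    return hits


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, audit(conf) or "OK")
    print("went direct:", direct_requests(ACCESS_LOG))
```

Running it reports three findings for the "before" fragment and none for the "after" fragment, and flags the CONNECT to blocked.example:443 as the one request that bypassed the parent; grepping a live access.log for "DIRECT/" is the quick way to confirm whether the fix took effect.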