as you can see in the acl documentation at:
http://www.squid-cache.org/Doc/config/acl/
it seems like what you need is the myport ACL that you mentioned.
there is no need whatsoever for this to use two squid instances.
you should restrict http_access to be more explicit, such as:
http_port 192.168.0.254:3128
http_port 192.168.0.254:3129 intercept
acl localnet src 192.168.0.0/24
acl NormalAccess myport 3128
acl AntiVirusUpd myport 3129
acl AVirUpdSiteIP dst 95.34.11.64/26
# add a dstdomain ACL to match in case the AV company's IPs change
acl AVUPDOMS dstdomain norton.domain.com kaspersky.domain.com
# strictly define your client scope so no open options are left for clients to use your proxy
# I would also restrict access to the proxy with a firewall, but it depends on your environment
http_access allow NormalAccess localnet
http_access allow localnet AntiVirusUpd AVUPDOMS
http_access allow localnet AntiVirusUpd AVirUpdSiteIP
http_access deny all
Regards,
Eliezer
On 13/05/2012 20:51, Frantisek Hanzlik wrote:
Hello Squid gurus,
I want to use Squid with WPAD (DHCP/DNS) proxy autoconfiguration for
win clients. Unfortunately there are some services (antivirus) which
do not recognize / are not able to automatically configure the proxy
and still access HTTP sites directly at port 80. I imagine a
configuration something like this (slightly simplified):
squid.conf:
http_port 192.168.0.254:3128
http_port 192.168.0.254:3129 intercept
acl NormalAccess myport 3128
acl AntiVirusUpd myport 3129
acl AVirUpdSiteIP dst 95.34.11.64/26
http_access allow NormalAccess
http_access allow AntiVirusUpd AVirUpdSiteIP
http_access deny all
iptables at firewall/Squid machine:
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129
Thus my questions:
- is it possible, please, to run Squid (at the firewall Linux machine) on two
different ports, one as a "normal" proxy accessed as a proxy by
client processes which are able to do proxy autoconfiguration,
and the other configured in intercept mode for client processes
which do not know proxy autoconfiguration and access the internet directly?
- is it possible to distinguish between these two accesses with ACL rules
(i.e. from one client machine one sort of processes (browsers, system
updates/...) regularly autoconfigure the proxy and will access Squid on the
"normal mode" port and will have e.g. unrestricted access, and a second
sort of processes with "direct" internet access will be redirected to the
intercept mode port and will access the internet transparently - but
they will have only e.g. one site allowed)?
Is "myport" the right ACL for this distinction?
Thanks in advance, Franta Hanzlik
PS: It would maybe be better to solve this with two Squid instances running
on different http_ports, but there will not be big traffic and I'd rather
run only one instance for both ports.
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
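To show how the myport distinction in the proposed config plays out, here is an added example that is not from this thread or from Squid itself: a small Python evaluator that walks the proposed http_access list with Squid's first-match, all-ACLs-on-a-line semantics over constructed requests. The request fields, sample addresses and host names are assumptions.

```python
import ipaddress

# Constructed model of the squid.conf proposed in the reply (a simplified evaluator,
# not Squid's parser). ACL name -> (type, values); http_access line -> (action, acls).
ACLS = {
    "localnet":      ("src",       ["192.168.0.0/24"]),
    "NormalAccess":  ("myport",    ["3128"]),
    "AntiVirusUpd":  ("myport",    ["3129"]),
    "AVirUpdSiteIP": ("dst",       ["95.34.11.64/26"]),
    "AVUPDOMS":      ("dstdomain", ["norton.domain.com", "kaspersky.domain.com"]),
}
HTTP_ACCESS = [
    ("allow", ["NormalAccess", "localnet"]),
    ("allow", ["localnet", "AntiVirusUpd", "AVUPDOMS"]),
    ("allow", ["localnet", "AntiVirusUpd", "AVirUpdSiteIP"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    """req: client src IP, resolved dst IP, myport (port Squid accepted on), Host name."""
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "myport":
        return str(req["myport"]) in values
    if kind == "dstdomain":
        host = req["dstdomain"].lower().rstrip(".")
        # dstdomain matches the exact name or any subdomain of it
        return any(host == v or host.endswith("." + v) for v in values)
    raise ValueError("unsupported acl type %s" % kind)

def decide(req):
    """Return 'allow' or 'deny' the way Squid walks http_access top to bottom."""
    for action, names in HTTP_ACCESS:
        if all(acl_matches(n, req) for n in names):  # every ACL on the line must match
            return action
    # No line matched: Squid applies the opposite of the last line's action
    # (cannot happen here, because "deny all" always matches).
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"

# Constructed sample requests: a WPAD-configured browser on the explicit port,
# and an AV updater caught by the iptables REDIRECT on the intercept port.
browser = {"src": "192.168.0.10", "dst": "203.0.113.5", "myport": 3128, "dstdomain": "www.example.com"}
av_by_ip = {"src": "192.168.0.10", "dst": "95.34.11.70", "myport": 3129, "dstdomain": "dl.example.net"}
av_by_name = {"src": "192.168.0.10", "dst": "203.0.113.9", "myport": 3129, "dstdomain": "liveupdate.kaspersky.domain.com"}
stray = {"src": "192.168.0.10", "dst": "203.0.113.5", "myport": 3129, "dstdomain": "www.example.com"}
```

The `stray` request shows the point of the intercept port: a process that bypassed WPAD only reaches the AV update addresses or domains, everything else on port 3129 falls through to `deny all`.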