Hello All,

We use one openSUSE 11.4 server to manage access for five networks, four of which are connected through VPN. The initial configuration used the built-in Squid (3.0 Stable 18) in transparent mode. We recently ran an upgrade and got Squid 3.2 on the same OS 11.4. We realized some admin IP addresses are blocked from access and branch users require adding proxy settings in the browsers / apps to connect to the internet. I experienced the former after the upgrade while not sure about the latter. I am a timely consultant (practical) to the team, not in-house. How can the above be rectified? Attached is the current conf with a few alterations and a question on http_port --

Thank you and kind regards,
Edmonds
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
#acl localnet src fc00::/7        # RFC 4193 local private network range
#acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
#acl Safe_ports port 443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# USUL Connection ACLs
acl usul src 10.40.1.0/24 10.40.2.0/24 10.40.3.0/24 10.40.4.0/24 10.40.5.0/24
acl noaccess src "/etc/squid/noaccess.txt"
acl admin src "/etc/squid/admin.txt"
acl a37 src "/etc/squid/one37.txt"
acl srvips src "/etc/squid/srvips.txt"
acl mgrs src "/etc/squid/mgrs.txt"
acl clerix src "/etc/squid/clerix.txt"

# USUL Connectivity Time-Frames
acl NoGenNet time MTWHFA 08:00-12:59
acl NoGenNet time MTWHFA 13:59-16:59
acl NoGenNet time S 07:00-12:59
acl NoGenNet time SMTWHFA 19:00-23:59
acl NoGenNet time SMTWHFA 00:00-06:59

## You Tube
acl YouTube time SMTWHFA 19:00-23:59
acl YouTube time SMTWHFA 00:00-07:59

# USUL Streaming Restrictions
acl nommq req_mime_type -i "/etc/squid/nommq.txt"

# USUL File & URL Restrictions
acl donot urlpath_regex -i "/etc/squid/donot.txt"
#acl nowords url_regex -i "/etc/squid/nowords.txt"
acl srvurls dstdomain -i "/etc/squid/srvurls.txt"
acl fewurls dstdomain -i "/etc/squid/fewww.txt"
acl one37 dstdomain -i "/etc/squid/url37.txt"
acl malice dstdomain -i "/etc/squid/malware.acl"
acl porn dstdomain -i "/etc/squid/xxx.acl"
acl ads dstdomain -i "/etc/squid/ads.acl"
acl tubeyou dstdomain -i "/etc/squid/utube.txt"
#acl blackout dstdomain -i "/etc/squid/blackout.txt"

#
# Recommended minimum Access Permission configuration:
#
#http_access deny usul all

# Only allow cachemgr access from localhost
http_access allow manager localhost

# USUL HTTP Access Rules
http_access allow srvurls all
http_access allow fewurls all
http_access allow admin mgrs all
http_access allow one37 a37
http_access deny tubeyou !YouTube
http_access deny malice all
http_access deny porn all
http_access deny ads all
#http_access deny nowords all
http_access deny noaccess
http_access deny srvips !srvurls all
#http_access allow fewurls
http_access deny NoGenNet clerix all
#http_access deny pmhr clerix
#http_access deny sday clerix
#http_access deny night_s clerix
#http_access deny night_e clerix
http_access deny donot !admin
http_access deny nommq !admin !mgrs
http_access allow usul all
http_access deny manager noaccess

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

# allow localhost always proxy functionality
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

error_directory /usr/share/squid/errors/en
#deny_info PORN_DENIED blackout

icp_access allow usul
icp_access deny all
htcp_access allow usul
htcp_access deny all

# Squid normally listens to port 3128
#http_port 3128
http_port 3128 intercept
#http_port 80 intercept
#http_port 8080 intercept
#http_port all intercept
# Best each port above or this?

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

cache_mem 400 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 20000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

access_log /var/log/squid/access.log squid
minimum_object_size 512 KB
maximum_object_size 4 MB
maximum_object_size_in_memory 6 MB

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

dns_nameservers 41.##.##.# 41.##.##.#
visible_hostname ######
icp_port 3130
cache deny YouTube tubeyou
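When admin addresses are unexpectedly blocked, the first thing to check is the http_access ordering itself: Squid ANDs every ACL on one line and stops at the first line that matches, so a line like `http_access allow admin mgrs all` only fires for clients that are in both admin.txt and mgrs.txt. The following added example (not Squid's code and not from the post) models that evaluation over the address-based lines of the posted config; the contents of admin.txt, mgrs.txt, srvips.txt and noaccess.txt are constructed stand-ins, since the real lists are not on the page.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid's code):
ACLs on one line are ANDed, lines are tried top to bottom, first match decides."""
import ipaddress

# Constructed stand-ins for the posted /etc/squid/*.txt address lists.
SRC_ACLS = {
    "usul": ["10.40.1.0/24", "10.40.2.0/24", "10.40.3.0/24", "10.40.4.0/24", "10.40.5.0/24"],
    "admin": ["10.40.1.10/32", "10.40.2.20/32"],  # hypothetical admin.txt
    "mgrs": ["10.40.2.20/32"],                     # hypothetical mgrs.txt
    "srvips": ["10.40.1.10/32"],                   # hypothetical srvips.txt
    "noaccess": ["10.40.3.99/32"],                 # hypothetical noaccess.txt
}
# The address-based http_access lines from the post, in their posted order.
RULES = """
http_access allow admin mgrs all
http_access deny noaccess
http_access deny srvips !srvurls all
http_access allow usul all
http_access deny all
"""

def parse_rules(text):
    """Return [(action, [(acl_name, negated), ...]), ...] from http_access lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], [(p.lstrip("!"), p.startswith("!")) for p in parts[2:]]))
    return rules

def acl_matches(name, src_ip, extra):
    """'all' always matches; src ACLs match on the client address; any other
    ACL type (dstdomain, time, ...) counts as matched only if named in `extra`."""
    if name == "all":
        return True
    if name in SRC_ACLS:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) for net in SRC_ACLS[name])
    return name in extra

def decide(rules, src_ip, extra=()):
    """First-match evaluation. Returns (action, 1-based index of the deciding
    line); when nothing matches, Squid applies the opposite of the last line."""
    for idx, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(name, src_ip, extra) != negated for name, negated in acls):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0

if __name__ == "__main__":
    # 10.40.1.10 is in admin.txt but not mgrs.txt, so the "allow admin mgrs all"
    # line never matches it; the srvips deny line decides unless srvurls matched.
    for ip, extra in [("10.40.2.20", ()), ("10.40.1.10", ()), ("10.40.1.10", {"srvurls"})]:
        print(ip, sorted(extra), "->", decide(parse_rules(RULES), ip, extra))
```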