I have been using Squid 2.9 on OpenBSD 5.0 for a while as a transparent proxy. PF on the proxy box rdr-to redirects all web requests not destined for the box itself to squid running on port 3128. Squid then processes the request based on a series of ACLs, and either allows the request or redirects (deny_info ... all) the request to a page on the proxy box.

I am now working on upgrading the system to OpenBSD 5.5 and Squid 3.4.2. Presumably this will require some config changes, so I'm starting off with a basic config. This is based off of the example installed on OpenBSD, but with most of the rules stripped out.

acl authorized_hosts dstdomain .google.com
acl authorized_hosts dstdomain .wunderground.com
acl authorized_hosts dstdomain .noaa.gov

http_access allow authorized_hosts
http_access deny all

http_port 3128 transparent
http_port 3129 # to avoid errors on startup

coredump_dir /var/squid/cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

deny_info http://192.168.10.1/login.py all

What I would expect to happen is that attempts to access google, wunderground, or noaa.gov would work (load the requested page), while all other requests would get my custom block page. What is actually happening is that requests for pages in the authorized_hosts acl get the generic squid "Access Denied" page. Other requests do get my custom page, as expected.

So what did I miss? Why can't I even get basic pages to go through? And why, if squid is denying access, do I get the generic "Access Denied" page rather than the custom one I specified?

At least I know my requests are being forwarded to squid by PF properly. Or so I assume, since I am getting the squid "Access Denied" page.

-----------------------------------------------
Israel Brewster
Systems Analyst II
Ravn Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7293
-----------------------------------------------