On 19/11/14 05:29, Amos Jeffries wrote:
> What is your config? In particular anything using ACLs.

# --- Proxy authentication: HTTP Basic, validated through a PAM helper ---
# NOTE(review): Basic credentials are only base64-encoded. The forward-proxy
# listeners below (3128, 8080) are plain http_port, so the client-to-proxy hop
# carries them without transport encryption unless something outside this
# file protects it -- confirm.
auth_param basic program /usr/lib64/squid/basic_pam_auth -r
auth_param basic children 50
auth_param basic realm Iceni Web Proxy
# Squid treats a validated username/password pair as good for this long before
# asking the helper again, so a password change or lock-out in PAM can take up
# to two hours to be enforced at the proxy.
auth_param basic credentialsttl 2 hours

# --- Process-level settings ---
workers 4
shutdown_lifetime 3 seconds
forward_max_tries 40
# A negative value disables the failure limit, so an ICAP service is never
# suspended however often connections to it fail.
icap_service_failure_limit -1
# NOTE(review): "off" is the relaxed mode of Host-header verification. How
# mismatches between the Host header and the destination IP are handled on the
# tproxy ports depends on the Squid version -- TODO confirm against its docs.
host_verify_strict off
# Never present the client's own IP address on outgoing connections, even for
# traffic that arrived on the tproxy ports.
spoof_client_ip deny all

# --- Logging ---
# The custom format records client IP (%>a), request URL (%ru), user name
# (%[un) and the User-Agent header.
# NOTE(review): with ssl-bump enabled below, URLs of decrypted HTTPS requests
# are presumably logged too, query strings included; treat access.log as
# sensitive and restrict who can read it.
logformat iceni %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "%{User-Agent}>h" %lp
access_log stdio:/var/log/squid-nocache/access.log iceni
cache_log /var/log/squid-nocache/cache.log
cache_store_log none
pid_filename /var/run/squid-nocache.pid
coredump_dir /var/spool/squid-nocache
state_dir /var/run/squid-nocache

# --- Pre-authentication helper ---
# One helper process handling up to 100 concurrent lookups. Positive answers
# are cached for 60 s, negative answers are not cached. The helper is given the
# client IP, the User-Agent header, the URL and the method.
# NOTE(review): User-Agent is supplied by the client. The helper's logic is not
# shown; it should not rely on that header alone to identify a session --
# verify. The .psk path is presumably a pre-shared key file and should be
# readable only by the account the helpers run as.
external_acl_type preauth children-max=1 concurrency=100 ttl=60 negative_ttl=0 %SRC %>{User-Agent} %URI %METHOD /usr/sbin/squid-preauth /etc/iceni/authcached/authcached.psk
acl preauth external preauth
# Same helper, with the extra argument "transparent" appended to its input.
acl preauth_tproxy external preauth transparent
# These match the auth_tag annotation on the transaction (presumably set by
# the helpers above and below). need_cp_auth is defined here but not
# referenced by any rule shown in this post.
acl preauth_ok note auth_tag preauth_ok
acl preauth_done note auth_tag preauth_done
acl need_http_auth note auth_tag http_auth
acl need_cp_auth note auth_tag cp_auth
acl need_postauth_sync note auth_tag postauth_sync
acl need_postauth_async note auth_tag postauth_async

# --- Post-authentication helpers ---
# Both run the same program and both use %LOGIN, which makes Squid require
# proxy authentication before the helper is consulted. ttl=0 means answers are
# not reused between requests.
external_acl_type postauth_async children-max=1 concurrency=100 ttl=0 grace=100 %SRC %>{User-Agent} %LOGIN %EXT_USER /usr/sbin/squid-postauth /etc/iceni/authcached/authcached.psk
external_acl_type postauth_sync cache=0 children-max=1 concurrency=100 ttl=0 grace=0 %SRC %>{User-Agent} %LOGIN %EXT_USER /usr/sbin/squid-postauth /etc/iceni/authcached/authcached.psk
acl postauth_async external postauth_async
acl postauth_sync external postauth_sync
# show_login_page matches every client; it exists only so that a deny rule
# ending in it picks up the deny_info redirect below.
# NOTE(review): %o is filled from the external ACL helper's message and lands
# in the redirect's query string; make sure the helper emits a value that is
# safe to place in a URL -- confirm.
acl show_login_page src all
deny_info 302:https://%h/webproxy/captive_portal/captive_portal_login?c=%o show_login_page

# A bodge to ensure accesses to this machine aren't authenticated
# /etc/squid/local_ips is automatically updated by the init script when
# Squid starts or reloads, so Squid should be reloaded whenever the
# machine's IPs change (yuck!).
# NOTE(review): every destination listed in this file is reachable without
# authentication (see "http_access allow local_ips") and skips ICAP
# adaptation. A stale file keeps granting that to addresses the machine no
# longer owns, so the file's contents and write permissions matter.
acl local_ips dst "/etc/squid/local_ips"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl https proto https
acl proxy_auth proxy_auth REQUIRED
# Identify which listening port (by its name= label) a request arrived on.
acl tproxy myportname tproxy
acl tproxy_ssl myportname tproxy_ssl
acl dstdomain_localhost dstdomain localhost

######
# Start of http_access access control.
######
# Rules are evaluated top to bottom and the first matching line decides, so
# the order below is part of the policy.
# Cache manager is reachable from localhost only.
http_access allow manager localhost
http_access deny manager
# Refuse ports outside Safe_ports, and CONNECT to anything other than 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# Unauthenticated access to the local server
http_access allow local_ips
# Requests that did not arrive on a tproxy port and are not https: consult the
# preauth helper and allow when it approves.
http_access allow !tproxy !tproxy_ssl !https preauth
# No preauth_done tag yet: consult the helper in its "transparent" mode.
http_access allow !preauth_done preauth_tproxy
# Tagged http_auth: require proxy credentials, then consult the sync or async
# post-auth helper according to the tag; the third line covers the case where
# neither post-auth tag is present.
http_access allow need_http_auth need_postauth_sync proxy_auth postauth_sync
http_access allow need_http_auth need_postauth_async proxy_auth postauth_async
http_access allow need_http_auth proxy_auth postauth_async
# Tagged preauth_ok: deny, with show_login_page last so the client receives the
# 302 to the captive-portal login URL from deny_info.
http_access deny preauth_ok show_login_page
# Default deny for everything that matched nothing above.
http_access deny all
icp_access deny all
htcp_access deny all

# --- TLS interception ---
# Bump when the request carries "X-SSL-Bump: Yes" (case-insensitive), or when
# it arrived on the tproxy_ssl port.
# NOTE(review): the ACL name suggests the ICAP service adds this header, but
# req_header only tests for its presence in the request; whether a copy sent
# by the client could also match is not visible here -- verify.
acl icap_says_bump req_header X-SSL-Bump -i Yes
ssl_bump server-first icap_says_bump
ssl_bump server-first tproxy_ssl
# NOTE(review): "allow all" makes Squid continue past every upstream
# certificate validation error on bumped connections instead of terminating
# the transaction. Clients then depend entirely on what Squid's generated
# certificate conveys (certificate mimicking / signing policy, not configured
# in this post). Prefer limiting this to an ACL of specific destinations.
sslproxy_cert_error allow all
# Strip Via and X-Forwarded-For from https requests so the proxy and client
# address are not disclosed to the origin server.
request_header_access Via deny https
request_header_access X-Forwarded-For deny https

######
# Listening ports
######
# 3128 and 8080: forward-proxy ports with bumping enabled. 3130 / 3131: TPROXY
# interception for HTTP and HTTPS, named so the ACLs above can refer to them.
# NOTE(review): squid-sslbump.key signs the certificates generated for bumped
# sites. Anyone who can read it can impersonate any site to clients that trust
# this certificate; keep it readable by the Squid account only.
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/squid-sslbump.crt key=/etc/pki/tls/private/squid-sslbump.key dynamic_cert_mem_cache_size=128KB
http_port 8080 ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/squid-sslbump.crt key=/etc/pki/tls/private/squid-sslbump.key dynamic_cert_mem_cache_size=128KB
http_port 3130 tproxy name=tproxy
https_port 3131 ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/squid-sslbump.crt key=/etc/pki/tls/private/squid-sslbump.key tproxy name=tproxy_ssl dynamic_cert_mem_cache_size=128KB
# Mark outgoing connections for requests that arrived on the tproxy ports.
tcp_outgoing_mark 0x2 tproxy
tcp_outgoing_mark 0x2 tproxy_ssl

# --- Upstream caching peer on loopback ---
# This instance does no caching itself (cache_mem 0, cache deny all). It
# forwards to a parent on [::1]:3129, except for CONNECT, https, tproxy_ssl
# and localhost-bound requests, which are kept away from the peer.
cache_peer [::1] parent 3129 0 proxy-only no-query no-digest no-tproxy name=caching
cache_peer_access caching deny CONNECT
cache_peer_access caching deny https
cache_peer_access caching deny tproxy_ssl
cache_peer_access caching deny to_localhost
cache_peer_access caching deny dstdomain_localhost
cache_peer_access caching allow all
cache_mem 0
cache deny all
# Mirror of the peer rules: the classes excluded from the peer may go direct,
# everything else must go through the peer.
never_direct deny CONNECT
never_direct deny https
never_direct deny tproxy_ssl
never_direct deny to_localhost
never_direct deny dstdomain_localhost
never_direct allow all

# --- ICAP adaptation ---
icap_enable on
icap_service_revival_delay 30
icap_preview_enable on
icap_preview_size 50000
# The client IP and authenticated user name are passed to the ICAP service.
# The service URL is on localhost6, so this stays on the local host.
icap_send_client_ip on
icap_send_client_username on
# NOTE(review): the positional "0" looks like the legacy bypass flag (0 = not
# bypassable). If so, together with icap_service_failure_limit -1 the proxy
# fails closed when the ICAP service is down -- TODO confirm for this Squid
# version. The second service is named "postcache" but is attached to the
# respmod_precache vectoring point.
icap_service iceni_reqmod_precache reqmod_precache 0 icap://localhost6:1344/reqmod_precache
icap_service iceni_respmod_postcache respmod_precache 0 icap://localhost6:1344/respmod_postcache
adaptation_service_set iceni_reqmod_precache iceni_reqmod_precache
adaptation_service_set iceni_respmod_postcache iceni_respmod_postcache
# Traffic to this machine's own addresses and to localhost is not sent to
# ICAP; everything else is.
adaptation_access iceni_reqmod_precache deny local_ips
adaptation_access iceni_reqmod_precache deny to_localhost
adaptation_access iceni_reqmod_precache deny dstdomain_localhost
adaptation_access iceni_reqmod_precache allow all
adaptation_access iceni_respmod_postcache deny local_ips
adaptation_access iceni_respmod_postcache deny to_localhost
adaptation_access iceni_respmod_postcache deny dstdomain_localhost
adaptation_access iceni_respmod_postcache allow all

--
 - Steve

--
 - Steve Hill
 Technical Director
 Opendium Limited http://www.opendium.com

Direct contacts:
 Instant messager: xmpp:steve@xxxxxxxxxxxx
 Email: steve@xxxxxxxxxxxx
 Phone: sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
 Email: sales@xxxxxxxxxxxx
Phone: +44-1792-825748 / sip:sales@xxxxxxxxxxxx Support contacts: Email: support@xxxxxxxxxxxx Phone: +44-1792-824568 / sip:support@xxxxxxxxxxxx _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users