On 12/02/2016 3:31 a.m., Stefan Hölzle wrote:
> Maybe my squid.conf will help to solve this.

Even more helpful would be your "squid -v" output.

> I checked this configuration with "squid -k check".
>
> squid.conf (external_ip, /opt/some_program and /etc/squid/file.list must
> be corrected):
>
> #### AUTHENTICATION ####
> external_acl_type ext_name_a %LOGIN /opt/some_program ext_name_a_arg
> external_acl_type ext_name_c %LOGIN %SRC /opt/some_program ext_name_c_arg
> auth_param digest program /opt/some_program digestauth
> auth_param digest realm Hello
> auth_param digest children 1 startup=1 idle=1 concurrency=500
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 5000
> auth_param digest check_nonce_count off
>
>
> #### ACL ####
> acl localnet src 192.168.0.0/24
> acl to_localnet dst 192.168.0.0/24

Performs DNS A/AAAA resolve of the URL domain to find the set of possible dst-IP.

>
> acl CONNECT_allowexceptions dstdom_regex -i some_domain$

Performs PTR lookup of any raw-IP URL hostnames that fail to match the regex pattern as-is.

> acl CONNECT_Safe_ports port 443
> acl CONNECT method CONNECT
>
> acl snmppublic snmp_community public
>
> acl auth_passed proxy_auth REQUIRED
> acl ext_name_c_passed external ext_name_c
> acl ext_name_a_passed external ext_name_a
>
> # special exceptions
> acl special_url url_regex some_regex
> http_access deny special_url
> deny_info 200:ERR_PAGE_NAME special_url
>
> # special rules
> acl some_rule dstdom_regex -i some_regex
> acl ext_list dstdom_regex -i "/etc/squid/file.list"

Both perform PTR lookup of any raw-IP URL hostnames that fail to match the regex pattern as-is.

>
> #### ACCESS ####
> http_access allow manager localnet
> http_access deny manager
>
> http_access allow CONNECT CONNECT_allowexceptions

--> Potential PTR lookup.

> http_access deny CONNECT !CONNECT_Safe_ports
> http_access deny to_localhost
> http_access deny to_localnet

--> definite A/AAAA lookup.

> http_access deny special_url
> http_access deny ext_list

--> Potential PTR lookup.

>
> http_access allow localnet
> http_access allow localhost
>
> http_access allow some_rule

--> Potential PTR lookup.

>
> # activate additional external acls
> http_access allow ext_name_a_passed !all
>
> http_access deny !ext_name_c_passed
>
> http_access allow auth_passed
>
> http_access deny all
>
> deny_info 403:ERR_ACCESS_DENIED ext_name_c_passed
> <snip>
> dns_v4_first on
> client_db off
>
> #### IP PORT CONFIG ####
> http_port 192.168.0.1:3456
>
> acl port80 localport 80
> acl port443 localport 443

Squid is not listening on port 443, nor do you have any "https_port ...intercept" that might receive that port's traffic.

>
> http_port external_ip:80
>
> acl ext_ip localip external_ip
>
> tcp_outgoing_address external_ip ext_ip port80
> tcp_outgoing_address external_ip ext_ip port443
>
> cache_mem 250 MB
>

Amos
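
The annotations in the reply above can be applied mechanically to a squid.conf. The following is an added example, not code from the reply or from the Squid project: a small Python scanner that reports each http_access rule referencing a `dst` or `dstdom_regex` ACL, the two DNS-dependent types named in the reply. The function name `dns_dependent_rules`, the lookup descriptions and the sample config (a constructed subset of the quoted one) are assumptions made for illustration.

```python
# ACL types the reply identifies as DNS-dependent, and the lookup each may cause.
DNS_ACL_TYPES = {
    "dst": "A/AAAA lookup of the URL domain",
    "dstdom_regex": "possible PTR lookup for raw-IP URL hostnames",
}

# Constructed sample: a subset of the squid.conf quoted in the message.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/24
acl to_localnet dst 192.168.0.0/24
acl CONNECT_allowexceptions dstdom_regex -i some_domain$
acl CONNECT_Safe_ports port 443
acl CONNECT method CONNECT
acl ext_list dstdom_regex -i "/etc/squid/file.list"
# access rules
http_access allow CONNECT CONNECT_allowexceptions
http_access deny CONNECT !CONNECT_Safe_ports
http_access deny to_localnet
http_access deny ext_list
http_access allow localnet
http_access deny all
"""

def dns_dependent_rules(conf_text):
    """Return (line_no, rule, [(acl_name, lookup), ...]) for every http_access
    rule that references a DNS-dependent ACL defined earlier in conf_text.
    Built-in ACLs that are not defined in the text itself are ignored."""
    acl_types = {}
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "acl" and len(fields) >= 3:
            acl_types.setdefault(fields[1], fields[2])   # name -> type
        elif fields[0] == "http_access" and len(fields) >= 3:
            hits = []
            for token in fields[2:]:
                name = token.lstrip("!")                 # negated ACLs are still evaluated
                kind = acl_types.get(name)
                if kind in DNS_ACL_TYPES:
                    hits.append((name, DNS_ACL_TYPES[kind]))
            if hits:
                findings.append((line_no, line, hits))
    return findings

if __name__ == "__main__":
    for line_no, rule, hits in dns_dependent_rules(SAMPLE_CONF):
        for name, lookup in hits:
            print(f"line {line_no}: {rule}\n    {name}: {lookup}")
```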