>I see no 'localnet' ACL use. If this proxy is supposed to be servicing >LAN clients, that will be needed and the keepgoing and artwork ACLs >probably not needed. I am connecting on a LAN to it now with no issues and multiple testers on the same subnet can also use it. why would i add a directive if its already working? I uncommented out the other lines cant recall why i commented them but yeah mistake there. >Whats the idea behind this "keepgoing" ACL ? Once i put that in with those domain it allowed them to connect as those were domains needed for access via SSL >Is this proxy supposed to have reverse-proxy duties for them? Nope, just a simple proxy that locks out the web unless the ACL allows it. On Fri, Jan 20, 2017 at 12:00 PM Alex Tate <alex.tate@xxxxxxxxx> wrote: > When I add the final deny all then no traffic traverses squid. When I > removed it then squid started passing traffic > > On Fri, Jan 20, 2017, 11:46 AM Amos Jeffries [via Squid Web Proxy Cache] < > ml-node+s1019090n4681226h61@xxxxxxxxxxxxx> wrote: > > On 21/01/2017 5:52 a.m., roadrage27 wrote: > > > I was able to resolve my issue partially. I burned down the server and > > rebuilt it clean so all previous changes that were made attempting to > make > > SSL work were gone. Once i reloaded squid and the config files i was > able > > to allow SSL traffic using the dstdomain acl type. I currently have a > few > > URLS that are regex type that need to be allowed so im currently > cranking > > out those. > > > > On Fri, Jan 20, 2017 at 8:36 AM roadrage27 wrote: > > > >>> That tells me either you have screwed up the CONNECT ACL definition. > Or > >>> the SSL_ports one. > >> Very possible as im pretty green on squid, my current conf file is > below. > >> with that conf the SSL sites just sit and spin until the eventually > time > >> out. > >> > >> acl site_squid_art url_regex ^http://www.squid-cache.org/Artwork > >> acl keepgoing dstdomain .plateau.com .skillwsa.com .successfactors.com > >> > > Whats the idea behind this "keepgoing" ACL ? > Is this proxy supposed to have reverse-proxy duties for them? > > >> acl SSL_ports port 443 > >> acl Safe_ports port 80 # http > >> acl Safe_ports port 21 # ftp > >> acl Safe_ports port 443 # https > >> acl Safe_ports port 70 # gopher > >> acl Safe_ports port 210 # wais > >> acl Safe_ports port 1025-65535 # unregistered ports > >> acl Safe_ports port 280 # http-mgmt > >> acl Safe_ports port 488 # gss-http > >> acl Safe_ports port 591 # filemaker > >> acl Safe_ports port 777 # multiling http > >> acl CONNECT method CONNECT > >> > >> http_access allow keepgoing > >> http_access deny !Safe_ports > >> http_access deny CONNECT !SSL_ports > >> #http_access allow CONNECT SSL_ports > >> http_access allow localhost manager > >> http_access allow site_squid_art > >> http_access allow localhost > >> > > I see no 'localnet' ACL use. If this proxy is supposed to be servicing > LAN clients, that will be needed and the keepgoing and artwork ACLs > probably not needed. > > The final "http_access deny all" is missing as well. Squid is just doing > that impicitly anyway. So its more needed to remind you of what is > happening and prevent possible mistakes implicitly allowing lots of > unexpected things through the proxy later. > > > >> > >> http_port 3132 > >> > >> > >> access_log /var/log/squid3/squid3132.log squid > >> > >> pid_filename /var/run/squid3132.pid > >> coredump_dir /var/spool/squid3 > >> > >> refresh_pattern ^ftp: 1440 20% 10080 > >> refresh_pattern ^gopher: 1440 0% 1440 > >> #refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > > FYI: The above commented out line is rather critical to the correct > behaviour for dynamic web content. > > If the server is not producing the required cache controls dynamically > changing data should not be allowed to store for one second, let alone > the default 7 days. > > >> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 > >> #refresh_pattern . 0 20% 4320 > >> > > Whats the point of commenting that out? > > Amos > _______________________________________________ > squid-users mailing list > [hidden email] <http:///user/SendEmail.jtp?type=node&node=4681226&i=0> > http://lists.squid-cache.org/listinfo/squid-users > > > If you reply to this email, your message will be added to the discussion > below: > > http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTPS-site-filtering-tp4681198p4681226.html > To unsubscribe from HTTPS site filtering, click here > <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4681198&code=YWxleC50YXRlQGdtYWlsLmNvbXw0NjgxMTk4fDIwMjU4MDQxMw==> > . > NAML > <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> > > -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTPS-site-filtering-tp4681198p4681228.html Sent from the Squid - Users mailing list archive at Nabble.com. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
