On 23/01/20 3:11 pm, aashutosh kalyankar wrote:
> From: Amos Jeffries
>
>     Secondly, make sure that your tests are accurately emulating how clients
>     would "use" the proxy. That means making connections from a test machine
>     directly to the Internet and seeing if the routing and NAT delivers the
>     traffic to Squid properly.
>
> I am using a Chromebook to test. In the configuration section of the
> wireless network there is an option to add proxy hostname and proxy port
> based on protocols.
> Http proxy : proxy-tls 80
> HTTPS proxy: proxy-tls 443

That is part of your problem. Those are settings for explicit proxy.

With intercept the clients know nothing about any proxy. They are just
connecting to a web server directly (but *NAT* sends it to Squid instead).

>     - Use cache.log to view the traffic coming into the proxy. It will be
>     request messages with a prefix line indicating "Client HTTP request".
>     Make sure that prefix line says the remote Internet IP address and port
>     80/443 you were testing with.
>     - If you want, confirm that access.log has a transaction entry for the
>     URL you tested with ORIGINAL_DST and the server IP.
>
> Sample cache.log for a test I did for neverssl.com
>
> 2020/01/22 17:08:30.236 kid1| 11,2| client_side.cc(2346)
> parseHttpRequest: HTTP Client local=172.22.22.148:80
> remote=172.22.22.151:34728 FD 12 flags=33
> 2020/01/22 17:08:30.236 kid1| 11,2| client_side.cc(2347)
> parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET http://neverssl.com/ HTTP/1.1
> Host: neverssl.com
> Proxy-Connection: keep-alive

...

>     > http_access deny !Safe_ports
>     > http_access deny CONNECT !SSL_ports
>
>     ... this is where all your custom http_access rules are supposed to be.
>     The Safe_ports and SSL_Ports lines above are DoS and hijack protections.
>
> IIUC, These are not required to be here so I commented out those lines.

Sorry if I was not clear.
They should be the first http_access lines in your config. Local policy
rules follow them. Then the final "deny all" rule to block anything not
allowed by your policy.

Amos
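
An added example, not part of the original message and not Squid project code: a small Python check that a squid.conf keeps the http_access ordering described above (the two protection rules first, local policy after them, "deny all" last). The sample configs and the localnet ACL are constructed for illustration, and the check assumes a single file with no include directives.

```python
# Constructed sample configs (not taken from the thread).
GOOD_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl localnet src 172.22.22.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

BAD_CONF = """\
acl localnet src 172.22.22.0/24
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""


def http_access_rules(conf_text):
    """Return the active http_access rules as token lists, in file order."""
    rules = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out directive
        tokens = stripped.split()
        if tokens[0] == "http_access":
            rules.append(tokens[1:])
    return rules


def check_order(conf_text):
    """Return a list of ordering problems; an empty list means none found."""
    rules = http_access_rules(conf_text)
    problems = []
    if rules[:1] != [["deny", "!Safe_ports"]]:
        problems.append("first http_access rule is not 'deny !Safe_ports'")
    if rules[1:2] != [["deny", "CONNECT", "!SSL_ports"]]:
        problems.append("second http_access rule is not 'deny CONNECT !SSL_ports'")
    if rules[-1:] != [["deny", "all"]]:
        problems.append("last http_access rule is not 'deny all'")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_order(conf) or "ordering OK")
```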