On 17.10.24 20:40, Piana, Josh wrote:
> To clarify on the test, port 4434 is the port that was assigned to get
> access to that device, one of our firewalls.
> I looked at the old Squid config that we have, and it seems this was set up
> in a way that internal networks were not being passed through the proxy.
> This was done by either an ACL, or the PAC file, is what we're thinking.
The exemption has to be done through the PAC file, because once the
browser's request reaches the proxy, it's impossible to go back and tell
the browser to go direct.
> The issue is, we don't exactly know how to implement the PAC file on our
> new Squid box.
The PAC file has to be provided, ideally via HTTP; I'm not sure whether squid
has that functionality.
I guess a HTTP server was running on your old server, providing the PAC
file.
> With that said, I agree with your statement that it's difficult to
> troubleshoot an issue as opposed to going around it. Unfortunately, that's
> how it was done before and that's the direction our current management is
> going again. So I need to reconfigure the squid.conf file to ignore
> internal traffic, networks, and IPs, and only web filter and proxy
> internet connections. We can't just copy the old config because it
> doesn't carry over 1:1, and it's an old version from 2.5.
Once more, you can't ignore squid to be ignored by browsers, because squid
can only do anything when it's accessed by browsers, when it's already too
late. Either browsers must go around the proxy (PAC or WPAD), or the proxy
must be allowed to reach destination server.
Install an Apache server on the machine and configure it to serve the PAC.
On 18.10.24 18:59, Amos Jeffries wrote:
> So what you need with Squid is a cache_peer, relaying relevant traffic
> to that device.
Amos, are you sure this can work in the case described?
> # details of how Squid should connect to the device
> cache_peer 172.27.46.253 parent 4434 0 originserver \
> tls-cert=/path/to/server.ca
> # which traffic to relay there
> acl foo dstdomain foo.example.com
> cache_peer_access 172.27.46.253 allow foo
> never_direct allow foo
> # permission for clients to make requests that reach that device
> http_access allow localnet foo
> Add more ACL conditions as needed to restrict the http_access line to
> the appropriate clients.
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
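Added example (not from the thread, and not Squid project code): a PAC file of the kind Matus describes, where the browser itself decides to go DIRECT for internal destinations and only sends internet traffic to the proxy, so the decision is made before the request ever reaches Squid. The proxy address, the internal DNS zone .corp.example and the firewall IP used in the checks are assumed values. The helpers isInNet, isPlainHostName and dnsDomainIs are normally provided by the browser's PAC engine; minimal stand-ins are included here (an assumption about their semantics, literal IPv4 only, no DNS resolution) so the file can be evaluated offline with Node. Serve the file from a plain HTTP server (Apache, as suggested above), since Squid does not serve PAC files itself.

```javascript
// Added example, not from the squid-users thread.
// A PAC file: internal networks and names go DIRECT, everything else is
// proxied through Squid. Values below are assumed/constructed.

const PROXY = "PROXY squid.example.internal:3128"; // assumed proxy address

// --- minimal stand-ins for the browser's PAC helper functions (assumption) ---
// Real PAC engines resolve hostnames inside isInNet; offline we accept only
// dotted-quad IPv4 literals and treat anything else as "not in net".
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// --- the entry point the browser calls for every request ---
function FindProxyForURL(url, host) {
  // Unqualified names and the internal DNS zone never touch the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // RFC 1918 ranges plus loopback go direct; 172.27.46.253:4434 (the
  // firewall in the thread) falls inside 172.16.0.0/12 and is covered here.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else is internet traffic: filter and proxy it via Squid.
  // Deliberately no "; DIRECT" fallback: that would let browsers silently
  // bypass web filtering whenever the proxy is unreachable.
  return PROXY;
}
```

Browsers only evaluate the function; the stand-in helpers are ignored by a real PAC engine, which supplies its own. The one design choice worth stating is the missing DIRECT fallback on the last line: a PAC entry such as "PROXY ...; DIRECT" is convenient but turns a proxy outage into an unfiltered path to the internet.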