[ole@hoth.jmg.com.pl: ]

From: Adrian Chadd <adrian@dont-contact.us>
Date: Fri, 13 Jul 2001 09:12:40 -0600

----- Forwarded message from Krzysztof Oledzki <ole@hoth.jmg.com.pl> -----

Date: Tue, 10 Jul 2001 19:17:16 +0200 (CEST)
From: Krzysztof Oledzki <ole@hoth.jmg.com.pl>
To: <squid@squid-cache.org>

Hello,

I noticed that the ie_refresh hack does not work with transproxy.
It cannot work because, AFAIK, flags.accel is never set to on when
some other software, not squid, does the Transparent Proxy support
network address redirection work.

You can find this line in client_side.c:
        if (http->flags.accel && request->flags.ims)

So, if flags.accel==0 then no other checks will be performed. :(

First, I tried removing the http->flags.accel check from client_side.c
but then I discovered that this is not a good idea - all IMS requests
from MSIE clients, even from MSIEs that have proxy configuration enabled,
were translated into no-cache requests.

If a request comes from a host other than the firewall, or comes from the
firewall but is masqueraded, it means that the client knows about the proxy
and we do not need to do anything with such a request. Hopefully it is possible
to check if a request comes from the firewall and user level software (like
transproxy) or not.
For example Linux uses lower ports (0-32768) for connections which come
from client software and higher (32768-65536) for masqueraded ones.
Of course someone can change it but he also can change the squid.conf file :)

I attached a small patch that adds one more acl - ie_refresh_access.
In my squid.conf I enabled ie_refresh and I also added:
       acl transproxy_ports srcport 0-32768
       acl transproxy_host src 192.168.0.1

       ie_refresh_access allow transproxy_ports transproxy_host
       ie_refresh_access deny all

to squid.conf and it works exactly like I expected :)

I also added one more acltype: srcport. It can be used for other authentications
and I needed it to check source port of request.

It would be great if someone can add this to the next squid release. Of course
I do not know the squid source too well so I am not sure if I added srcport
and ie_refresh_access in the right way, but it seems to work... ;-)

Best regards,

                        Krzysztof Oledzki

----- End forwarded message -----
Received on Fri Jul 13 2001 - 09:12:41 MDT
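
The decision described in the message above, as a stand-alone C model (an added example, not Squid source and not the attached patch). The struct and function names, the `msie` flag, and the way the ACL result is combined with `flags.accel` are assumptions; the port range and host are the ones from the squid.conf lines in the message.

```c
/* Added illustration; not Squid source. All identifiers are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
struct port_range { uint16_t lo, hi; };   /* models "acl NAME srcport lo-hi" */
struct request {
    uint32_t src_ip;    /* peer address, host byte order */
    uint16_t src_port;  /* peer TCP source port */
    bool accel;         /* models http->flags.accel */
    bool ims;           /* models request->flags.ims */
    bool msie;          /* assumed: User-Agent already matched as MSIE */
};

/* Values from the squid.conf lines in the message. */
static const struct port_range transproxy_ports = { 0, 32768 };
static const uint32_t transproxy_host = IP4(192, 168, 0, 1);

static bool match_srcport(const struct port_range *r, uint16_t port)
{
    return port >= r->lo && port <= r->hi;   /* inclusive at both ends */
}

/* "allow transproxy_ports transproxy_host" then "deny all": both ACLs on
 * the allow line must match, anything else falls through to the deny. */
static bool ie_refresh_access(const struct request *req)
{
    return match_srcport(&transproxy_ports, req->src_port)
        && req->src_ip == transproxy_host;
}

/* True when an IMS request would be rewritten into a no-cache request.
 * Assumption: the ACL result is OR-ed with the existing accel test. */
static bool ie_refresh_applies(const struct request *req)
{
    if (!req->ims || !req->msie)
        return false;
    return req->accel || ie_refresh_access(req);
}

int main(void)
{
    struct request via_transproxy = { IP4(192, 168, 0, 1), 1045, false, true, true };
    struct request masqueraded = { IP4(192, 168, 0, 1), 61000, false, true, true };
    printf("transproxy: %d, masqueraded: %d\n",
           ie_refresh_applies(&via_transproxy), ie_refresh_applies(&masqueraded));
    return 0;
}
```

The source port only separates connections opened by software on the firewall from masqueraded ones on that same host, so in this model it carries meaning only together with the `src` match.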
