firewall configuration

From: Duane Wessels <wessels>
Date: Wed, 29 May 96 12:25:04 -0700

>I'm using squid beta8 and I'm trying to configure it properly for use
>inside a firewall. Here's the situation:
>
>The hp.com domain contains both networks which are inside and outside
>the firewall. For example, all 15.0.0.0 addresses are accessible from
>inside, but there are also 192.0.0.0 addresses which are not
>accessible from inside. How do I configure the internal proxy to only
>go direct to the 15.0.0.0 addresses?
>
>This is what I'm setting:
>
>inside_firewall hp.com
>local_ip 15.0.0.0
>single_parent_bypass on
>hierarchy_stoplist /cgi-bin/
>hierarchy_stoplist ?
>hierarchy_stoplist https://
>
>I do not set the local_domain (I'm assuming that local_ip takes care
>of that).
>
>Now this configuration seems to work except when the
>hierarchy_stoplist matches the URL. So a /cgi-bin/ URL causes the
>proxy to go direct even if the address is not in 15.0.0.0. Perhaps
>the inside_firewall setting is taking precedence. But if I don't set
>it, won't the proxy try to go direct regardless?
>
>I really would like to set inside_firewall with an IP network spec
>like local_ip rather than a domain name because all networks in the
>domain are not inside the firewall. Perhaps I was hoping that
>local_ip would behave like inside_firewall.
>
>Thanks...tai

I think you should not use 'inside_firewall'. Have you tried this
configuration:

#inside_firewall hp.com
local_ip 15.0.0.0
single_parent_bypass on

I don't think you want 'cgi-bin' in any of the stoplists. The
'local_ip' will cause all requests to hosts in that address space to go
direct. Everything else will be sent to the parent. Whatever you add
to the stoplists will prevent them from being fetched outside of your
firewall. If you want to prevent /cgi-bin/ from being cached, you can
use the ttl_pattern instead.

Duane W.
Received on Wed May 29 1996 - 12:25:04 MDT
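To make the precedence Duane describes concrete, here is an added simulation, not code from Squid or from either poster, of the routing decision under this configuration. It assumes the Squid 1.x semantics that a hierarchy_stoplist hit forces a direct fetch and that a local_ip entry with trailing zero octets is a prefix (so 15.0.0.0 means 15.0.0.0/8); the hosts, addresses and resolver table are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed config mirroring the thread. Assumption: a Squid 1.x local_ip entry
# with trailing zero octets is a classful-style prefix, so 15.0.0.0 means 15.0.0.0/8.
LOCAL_IP = ["15.0.0.0"]
STOPLIST_ORIGINAL = ["/cgi-bin/", "?", "https://"]
STOPLIST_FIXED = ["?", "https://"]          # Duane's suggestion: drop /cgi-bin/

# Constructed resolver table (hypothetical hosts and addresses, no real DNS).
RESOLVER = {
    "inside.hp.com": "15.1.2.3",     # reachable directly from inside the firewall
    "outside.hp.com": "192.0.2.10",  # same domain, but outside the firewall
    "www.example.org": "198.51.100.7",
}

def local_ip_network(spec):
    """Turn a local_ip entry into a network; trailing zero octets are wildcards (assumption)."""
    octets = spec.split(".")
    trailing_zero = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        trailing_zero += 1
    return ipaddress.ip_network(f"{spec}/{8 * (4 - trailing_zero)}", strict=False)

def route(url, resolver=RESOLVER, local_ip=LOCAL_IP, stoplist=STOPLIST_ORIGINAL):
    """Decide where a request goes.

    Returns (route, reachable): route is 'direct' or 'parent'; reachable is False when a
    direct fetch is forced for an address the inside proxy cannot reach, i.e. the request
    will fail. Precedence modelled after the thread: a stoplist hit forces a direct fetch,
    then local_ip sends local address space direct, and everything else goes to the parent.
    """
    host = urlsplit(url).hostname
    addr = ipaddress.ip_address(resolver[host])
    is_local = any(addr in local_ip_network(spec) for spec in local_ip)
    stop_hit = any(pattern in url for pattern in stoplist)
    if stop_hit or is_local:
        return "direct", is_local
    return "parent", True

def broken_requests(urls, **cfg):
    """Return the URLs that the given stoplist forces direct to an unreachable address."""
    return [u for u in urls if not route(u, **cfg)[1]]
```

Running the same /cgi-bin/ URL for an outside host with STOPLIST_ORIGINAL and then with STOPLIST_FIXED shows the failure tai observed and why removing the entry resolves it.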

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:32:27 MST