firewall configuration

From: Duane Wessels <wessels>
Date: Wed, 29 May 96 12:25:04 -0700

>I'm using squid beta8 and I'm trying to configure it properly for use
>inside a firewall. Here's the situation:
>The domain contains both networks which are inside and outside
>the firewall. For example, all addresses are accessible from
>inside, but there are also addresses which are not
>accessible from inside. How do I configure the internal proxy to only
>go direct to the addresses?
>This is what I'm setting:
>single_parent_bypass on
>hierarchy_stoplist /cgi-bin/
>hierarchy_stoplist ?
>hierarchy_stoplist https://
>I do not set the local_domain (I'm assuming that local_ip takes care
>of that).
>Now this configuration seems to work except when the
>hierarchy_stoplist matches the URL. So a /cgi-bin/ URL causes the
>proxy to go direct even if the address is not in Perhaps
>the inside_firewall setting is taking precedence. But if I don't set
>it, won't the proxy try to go direct regardless?
>I really would like to set inside_firewall with an IP network spec
>like local_ip rather than a domain name because all networks in the
>domain are not inside the firewall. Perhaps I was hoping that
>local_ip would behave like inside_firewall.

I think you should not use 'inside_firewall'. Have you tried this:

single_parent_bypass on

I don't think you want 'cgi-bin' in any of the stoplists. The
'local_ip' will cause all requests to hosts in that address space to go
direct. Everything else will be sent to the parent. Whatever you add
to the stoplists will prevent them from being fetched outside of your
firewall. If you want to prevent /cgi-bin/ from being cached, you can
use the ttl_pattern instead.

Duane W.
Received on Wed May 29 1996 - 12:25:04 MDT
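
A simplified model of the routing behaviour discussed in this thread, added here as an example; it is not Squid's code and was not posted by either participant. The network, host names and address table are constructed placeholders (the thread's real addresses are not on the page), and plain substring matching for the stoplist is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder for the poster's local_ip entries.
LOCAL_IP = [ipaddress.ip_network("10.0.0.0/8")]
# The poster's hierarchy_stoplist lines, as quoted in the thread.
STOPLIST = ["/cgi-bin/", "?", "https://"]
# Constructed name-to-address table so the example runs offline.
DNS = {
    "intranet.example.com": "10.1.2.3",    # inside the firewall
    "www.example.com": "192.0.2.10",       # same domain, outside the firewall
    "other.example.org": "198.51.100.7",   # unrelated outside host
}


def route(url, stoplist=STOPLIST, local_ip=LOCAL_IP, dns=DNS):
    """Return (decision, reachable) for a proxy sitting inside the firewall.

    Assumed model, taken from the thread: addresses in local_ip go direct,
    a stoplist match bypasses the parent, everything else goes to the parent.
    A direct fetch to an outside address cannot cross the firewall.
    """
    host = urlsplit(url).hostname
    addr = ipaddress.ip_address(dns[host])
    if any(addr in net for net in local_ip):
        return ("direct", True)
    if any(pattern in url for pattern in stoplist):
        return ("direct", False)
    return ("parent", True)


def unreachable(urls, **kwargs):
    """List the URLs a given configuration would try to fetch direct and fail."""
    return [u for u in urls if route(u, **kwargs) == ("direct", False)]


SAMPLE_URLS = [  # constructed test requests
    "http://intranet.example.com/cgi-bin/report",
    "http://www.example.com/cgi-bin/search",
    "http://www.example.com/index.html",
    "http://other.example.org/page?id=1",
]

if __name__ == "__main__":
    print("poster's stoplist:", unreachable(SAMPLE_URLS))
    print("empty stoplist:   ", unreachable(SAMPLE_URLS, stoplist=[]))
```
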
