Re: hierachy_stoplist and single parent (fix) (fwd)

From: Peter Childs <pjchilds@dont-contact.us>
Date: Tue, 18 Jun 1996 01:59:47 +0930 (CST)

 This discussion was intended for squid-users@ but
 was posted to squid@ by mistake (mine)

----- Forwarded message from Henrik Nordstrom -----

> Situation: we *must* use a parent cache for all web
> proxying, but any ftp proxying attempts are accepted but
> the proxy gives a "go away" message (but doesn't return
> any HTTP errors...)

Correct me if I am wrong:
* All HTTP traffic MUST go through your parent cache
  (inside a non-forwarding firewall)
* All FTP traffic should go directly, since your parent
  has broken FTP proxy support.

I don't get it. Are you allowed to go directly to hosts
outside your firewall or not?

Here are some alternatives, depending on your situation:

---- Alternative 1. ----
A forwarding firewall, that accepts all traffic,
but it is preferred that HTTP goes through your parent.

then you can use
cache_host parent...
local_domain your.domain
hierarchy_stoplist ftp://

When using this setup, all cacheable requests go to the parent,
all private (http_stop, pragma: no-cache, If-Modified-Since) or
ftp requests go directly to the source.

---- Alternative 2 ----
If your firewall is not forwarding outgoing traffic other
than ftp, then you either have to fix the parent proxy to
handle ftp proxying, or hack the Squid sources as you did.

The last part of your patch can be replaced by
hierarchy_stoplist ftp://
or if you don't want to cache ftp
ftp_stoplist .*

---- Alternative 3 -----
If all you want to do is to give an error page on ftp requests
outside your firewall, then you can use the following:

acl ftp proto ftp
acl ourdomain domain your.domain
http_access deny ftp !ourdomain

Which gives an error message like this for ftp requests outside
your domain:
   Sorry, you are not currentlyallowed to get ftp://some.domain.com/
   From this cache. Please check with the cache administrator if you
   beleive this is incorrect.

---
Henrik Nordstrom
----- End of forwarded message from Henrik Nordstrom -----
Received on Mon Jun 17 1996 - 09:30:46 MDT
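
Added example, not part of the original message and not Squid's own code: a small Python model of how the three Alternative 3 lines are evaluated, where the ACLs named on one http_access line must all match, `!` negates an ACL, and the first matching line decides. The suffix matching used for the `domain` ACL, the function names and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The Alternative 3 lines, copied from the forwarded message.
CONFIG = """\
acl ftp proto ftp
acl ourdomain domain your.domain
http_access deny ftp !ourdomain
"""

def parse(config):
    """Collect acl definitions and http_access lines, in file order."""
    acls, rules = {}, []
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "acl":
            acls[words[1]] = (words[2], [v.lower() for v in words[3:]])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, url):
    kind, values = acl
    parts = urlsplit(url)
    if kind == "proto":
        return parts.scheme.lower() in values
    if kind == "domain":
        # Assumption: match the domain itself or any host below it, on a
        # dot boundary, so "notyour.domain" is not treated as inside.
        host = (parts.hostname or "").lower()
        return any(host == v or host.endswith("." + v) for v in values)
    raise ValueError(f"unsupported acl type: {kind}")

def decide(config, url):
    """Action of the first http_access line whose ACLs all match, else None."""
    acls, rules = parse(config)
    for action, names in rules:
        # A name prefixed with "!" must NOT match; a plain name must match.
        if all(acl_matches(acls[n.lstrip("!")], url) != n.startswith("!")
               for n in names):
            return action
    return None  # no line matched; later rules (not shown) would decide

if __name__ == "__main__":
    for url in ("ftp://some.domain.com/", "ftp://ftp.your.domain/pub/",
                "http://some.domain.com/", "ftp://notyour.domain/"):  # constructed
        print(f"{url:32} -> {decide(CONFIG, url)}")
```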
