Re: Parent proxy only without icp query?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 09 Mar 1999 00:52:17 +0100

dave spaulding wrote:

> I desperately need to get my client computers to look to
> squid (<-easy) and squid (hard ->) ONLY to look at 1 machine: my content
> filter.

Then you probably want to use never_direct to force Squid to select a
parent, as if inside a firewall. The drawback is that if your content
filter fails, then Squid fails as well (it won't go direct).

> Can this be done? Is this the "routing" that you are speaking about?

Certainly doable. Pretty standard config.

> I am currently running 1.2 (from redhat 5.2) but would upgrade if need be...

RedHat 5.2 includes Squid 1.1.22 (there is no 1.2 release of Squid,
only 1.2beta releases).

You do not need to upgrade to make this configuration, but I definitely
recommend upgrading, especially if you are setting up a new proxy. You
will most likely get somewhat confused answers if you ask questions on
how to configure Squid 1.1.X as most Squid knowledgeable people are using
Squid 2.X today (answers will be based on Squid 2 unless you explicitly
state that you must use Squid 1.1.X, in which case the answer most
likely will be based on Squid 2 with some hints on how to translate it
to Squid 1.1.X).

As seen in a previous discussion on Squid users you need to make 3 host
name aliases for your content filter to be able to tell Squid how to
route the different protocols to different ports. Request routing can only
be done based on the peer's configured host name and not port number.

This is Squid 2 syntax, but you should be able to translate it to Squid
1.1.X if you need to. (cache_peer_access and never_direct use different
names and syntax).

# Route http to filter port 8080
cache_peer http-filter.mva.net parent 8080 0 no-query default
acl http proto http
cache_peer_access http-filter.mva.net allow http
# Route ftp to filter port 8021
cache_peer ftp-filter.mva.net parent 8021 0 no-query default
acl ftp proto ftp
cache_peer_access ftp-filter.mva.net allow ftp
# Route ssl to filter port 8443
cache_peer ssl-filter.mva.net parent 8443 0 no-query default
acl ssl method connect
cache_peer_access ssl-filter.mva.net allow ssl
# Force everything to go through the filter
acl all src 0.0.0.0/0
never_direct allow all

---
Henrik Nordstrom
Spare time Squid hacker
Received on Mon Mar 08 1999 - 17:57:14 MST
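
Added example (not part of the message above and not Squid's own code): a simplified Python model of parent selection under the posted configuration, useful for checking that every request either reaches a filter alias or fails closed. The function names (parse, permits, route) are hypothetical, and the model assumes that a CONNECT request carries no URL scheme and that a peer without cache_peer_access lines accepts every request.

```python
# Added example: simplified model of parent selection, not Squid's own code.
CONFIG = """\
cache_peer http-filter.mva.net parent 8080 0 no-query default
acl http proto http
cache_peer_access http-filter.mva.net allow http
cache_peer ftp-filter.mva.net parent 8021 0 no-query default
acl ftp proto ftp
cache_peer_access ftp-filter.mva.net allow ftp
cache_peer ssl-filter.mva.net parent 8443 0 no-query default
acl ssl method connect
cache_peer_access ssl-filter.mva.net allow ssl
acl all src 0.0.0.0/0
never_direct allow all
"""

def parse(text):
    """Collect the four directives the post uses; ignore everything else."""
    peers, acls, access, never = {}, {}, {}, []
    for line in text.splitlines():
        f = line.split("#")[0].split()
        if not f:
            continue
        if f[0] == "cache_peer":
            peers[f[1]] = f[3]                      # host -> proxy port
        elif f[0] == "acl":
            acls[f[1]] = (f[2], [v.lower() for v in f[3:]])
        elif f[0] == "cache_peer_access":
            access.setdefault(f[1], []).append((f[2], f[3]))
        elif f[0] == "never_direct":
            never.append((f[1], f[2]))
    return peers, acls, access, never

def permits(rules, acls, method, scheme):
    """First matching rule wins; no match gives the opposite of the last rule."""
    for action, name in rules:
        kind, values = acls[name]
        hit = {"proto": scheme, "method": method.lower()}.get(kind) in values
        if hit or kind == "src":                    # 0.0.0.0/0 matches any client
            return action == "allow"
    return rules[-1][0] != "allow"

def route(method, scheme, config=CONFIG, down=()):
    """Return 'host:port' of the chosen parent, 'DIRECT', or 'ERROR'."""
    peers, acls, access, never = parse(config)
    for host, port in peers.items():
        rules = access.get(host)
        if host not in down and (not rules or permits(rules, acls, method, scheme)):
            return f"{host}:{port}"
    forced = bool(never) and permits(never, acls, method, scheme)
    return "ERROR" if forced else "DIRECT"
```

In this model a protocol that no cache_peer_access line covers (gopher, for instance) is refused rather than fetched directly, and the same happens when the matching filter alias is marked down.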
