Re: Squid question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 19 Sep 2000 09:10:49 +0200

Daniel Feijo wrote:
>
> Henry:

My name is Henrik, thank you.

> Thank you, the conf file worked fine.

Good.

> I need to let my internal users to surf the web with the same
> proxy box that the accelerated hosts. When I add the
> dns_nameservers line the accelerator stops working and I receive
> an access denied message. Without the dns_nameserver the proxy does
> not resolve the names?

You need dns_nameservers if you want Squid to use other nameservers than
configured in /etc/resolv.conf. Only adding dns_nameservers should make
no difference for the accelerator if /etc/hosts is used. Make sure the
system is configured to prefer /etc/hosts over DNS (usually set in
/etc/nsswitch.conf).

httpd_accel_with_proxy is required to allow a single Squid both to be
used as accelerator and proxy.

To also allow proxying, the following lines need to be added:

dns_nameservers ip.of.an.internet.dns
httpd_accel_with_proxy on
acl from_my_network src ip.of.your.local.net/netmask
http_access allow from_my_network

For security reasons you probably also want the following from the
distributed configuration somewhere before the above http_access allow
line:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

--
Henrik Nordstrom
Squid hacker
Received on Tue Sep 19 2000 - 01:59:19 MDT
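
Added example (not part of Henrik's message and not Squid project code): a small Python model of how Squid walks http_access lines in order, first match wins, showing why the deny lines have to sit before the "http_access allow from_my_network" line. The 192.168.1.0/24 network and the sample requests are constructed, and the model covers only the ACL types used in the message.

```python
import ipaddress

# Constructed stand-in for ip.of.your.local.net/netmask
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Each ACL from the message as a predicate over a request dict
ACLS = {
    "from_my_network": lambda r: ipaddress.ip_address(r["src"]) in LOCAL_NET,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "manager": lambda r: r["proto"] == "cache_object",
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] in (443, 563),
    "Safe_ports": lambda r: r["port"] in (80, 21, 443, 563, 70, 210, 280, 488, 591, 777)
                            or 1025 <= r["port"] <= 65535,
}

HARDENING = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
ALLOW_LAN = "http_access allow from_my_network\n"

GOOD = HARDENING + ALLOW_LAN   # order recommended in the message
BAD = ALLOW_LAN + HARDENING    # allow line placed first

def evaluate(conf, req):
    """Return 'allow' or 'deny' for req under the http_access lines in conf."""
    last = None
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, names = parts[1], parts[2:]
        last = action
        # All ACLs on a line must match (AND); a leading '!' negates one.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if last == "deny" else "deny"

# Constructed sample requests
BROWSE = {"src": "192.168.1.20", "proto": "http", "method": "GET", "port": 80}
TUNNEL = {"src": "192.168.1.20", "proto": "http", "method": "CONNECT", "port": 8080}
MGR = {"src": "192.168.1.20", "proto": "cache_object", "method": "GET", "port": 80}
OUTSIDER = {"src": "203.0.113.9", "proto": "http", "method": "GET", "port": 80}

if __name__ == "__main__":
    for name, req in [("browse", BROWSE), ("tunnel", TUNNEL), ("mgr", MGR), ("outsider", OUTSIDER)]:
        print(name, "good:", evaluate(GOOD, req), "bad:", evaluate(BAD, req))
```

With the allow line first, the cachemgr request and the CONNECT to a non-SSL port from the local network are both allowed, because the deny lines after it are never reached.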