RE: [squid-users] Squid + Firewall + non std ports

From: Robert Collins <robert.collins@dont-contact.us>
Date: Tue, 18 Sep 2001 15:41:20 +1000

 

-----Original Message-----
From: Barry Darnton [mailto:BarryD@chw.edu.au]
Sent: Tuesday, September 18, 2001 3:47 PM
To: 'Colin Campbell'; Barry Darnton
Cc: 'squid-users@squid-cache.org'
Subject: RE: [squid-users] Squid + Firewall + non std ports

Well, between sending this message and now I have found a solution,
although I don't really like it.

I have the following
acl local_domain dstdomain .kids .health.nsw.gov.au
always_direct allow local_domain

acl transparent dstdomain chw.edu.au
never_direct allow transparent

acl Problem_sites_nonstd dstdomain .harvard.edu
never_direct allow problem_sites_nonstd

acl chw proxy_auth REQUIRED

http_access allow local_domain
http_access allow transparent
http_access allow chw
http_access allow problem_sites_nonstd

The problem_sites_nonstd is what I needed to do for these sites that
require some form of authentication after you reach them, if they are
not using port 80. I can't explain this because if you go to the site on
port 8080 it gets there fine and you can go wherever you like using <>80
until you go somewhere that requires authentication (non SSL). I put it
after the chw access control so that you still need to authenticate
prior to using that site.

I am still confused about the authentication though. I would like to
define chw as, say, network 10.x and use authentication for that network
but deny any other network. It seems to me that you can't define a
network to use authentication. To get chw to authenticate I used acl chw
proxy_auth REQUIRED but then users on my external networks (non 10.x)
can authenticate if they have a username and password. The ACLs are a
little confusing on ways to do this. I can stop them if I use a network
ACL such as acl chw src 10.x.x.x/255.0.0.0 but I can't do this with
authentication.

Barry
Received on Mon Sep 17 2001 - 23:54:06 MDT
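
An added example, not part of the original thread or of Squid's own code: a small Python model of how Squid evaluates http_access (lines tried in order, first match wins, ACLs on one line ANDed left to right), run over the thread's proxy_auth-only rule and over a variant that puts a src ACL on the same line. The ACL names chw_net and chw_auth, the 10.0.0.0/255.0.0.0 range, the "deny all" line and the sample client addresses are assumptions.

```python
import ipaddress

# Constructed configs. WEAK is the thread's rule; FIXED adds a src ACL on the same line.
WEAK = """
acl all src 0.0.0.0/0
acl chw proxy_auth REQUIRED
http_access allow chw
http_access deny all
"""
FIXED = """
acl all src 0.0.0.0/0
acl chw_net src 10.0.0.0/255.0.0.0
acl chw_auth proxy_auth REQUIRED
http_access allow chw_net chw_auth
http_access deny all
"""

def parse(conf):
    """Return ({acl_name: (type, args)}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] == "acl":
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, src, user=None):
    """Model of http_access: first matching line wins; ACLs on a line are ANDed.
    `user` is an already-validated username, or None if no credentials were sent."""
    acls, rules = parse(conf)
    addr = ipaddress.ip_address(src)
    for action, names in rules:
        for name in names:                      # left to right, stop at first miss
            kind, args = acls[name]
            if kind == "proxy_auth":
                if user is None:
                    return "challenge"          # Squid would answer 407 here
            elif kind == "src":
                if not any(addr in ipaddress.ip_network(a) for a in args):
                    break
            else:
                raise ValueError(f"ACL type not modelled: {kind}")
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Because the src ACL is listed first, a client outside 10.x fails that line before the proxy_auth ACL is consulted and falls through to the deny, so it is never offered a login prompt.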
