Re: [squid-users] squid -> dansguardian -> squid

From: Joshua Brindle <JBrindle@dont-contact.us>
Date: Fri, 15 Aug 2003 11:56:08 -0500

I'm doing this (but using 1 copy of squid on both sides of
dansguardian; this is how mine is working (I suspect
something similar will work for you))

cache_peer 127.0.0.1 parent 8080 7 allow-miss no-digest no-netdb-exchange no-query proxy-only name=localhost
^^^ that is dansguardian

external_acl_type checkHeader ttl=0 children=1 %{X-Naughty-Why} %{X-Naughty-Where} %SRC /usr/local/bin/ckheader
acl ch external checkHeader
^^^ my external ACL that checks for an X-Naughty header (patch to dansguardian, I'll send it upstream and to you if you want)

http_reply_access allow localhost
^^^ need to allow replies coming back to dansguardian

http_reply_access deny !ch
deny_info http://kang.snu.edu/porn.php?site=%s ch
^^^ deny if the header is there (and send them to a login page for bypass options)

http_reply_access allow all
^^^ allow everything else

always_direct allow localhost
^^^ localhost ( on the right side dansguardian -> squid) must go direct (since dansguardian _is_ the cache peer)
never_direct allow our_networks
^^^ and coming from the net ( net -> squid -> dansguardian) must always go through the cache peer

the downfall here is that squid thinks it's in a forwarding loop (but it's not) since it sees the same page twice

debug_options ALL,1 33,0
^^^ that will take care of the forwarding loop warnings

Hope this helps.
Once I'm done with this project I'll document how this should work and provide all the patches (they are being sent upstream too)

Joshua Brindle
UNIX Administrator
Southern Nazarene University
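
As an added illustration (not Joshua's ckheader, which is not included in the message), here is a minimal Squid external ACL helper implementing the check the external_acl_type line above asks for: it receives one line per request with the three format fields (X-Naughty-Why, X-Naughty-Where, %SRC) and answers OK when the X-Naughty-Why header is absent (so `ch` matches and the reply passes) or ERR when it is present (so `deny !ch` blocks it). Assumed: fields are space-separated, an absent value is sent as "-", values are %XX-escaped, and helper stderr ends up in cache.log.

```python
"""Squid external ACL helper for an X-Naughty-Why reply check (illustrative)."""
import sys
from urllib.parse import unquote


def parse_request_line(line):
    """Split one helper request into (why, where, src).

    Assumed wire format: fields separated by single spaces, "-" for an
    absent value, %XX escaping of the values themselves.
    """
    fields = line.rstrip("\n").split(" ")
    while len(fields) < 3:          # tolerate short lines from Squid
        fields.append("-")
    why, where, src = (None if f == "-" else unquote(f) for f in fields[:3])
    return why, where, src


def check_header(line):
    """Return the verdict Squid expects for one request line.

    OK  -> no X-Naughty-Why header: ACL 'ch' matches, reply is allowed.
    ERR -> header present: 'ch' fails, 'http_reply_access deny !ch' fires
           and deny_info sends the client to the bypass page.
    """
    why, where, src = parse_request_line(line)
    if why is None:
        return "OK"
    # stderr of a helper is collected in cache.log; keep a trace of the block
    print(f"ckheader: blocked src={src} where={where} why={why}", file=sys.stderr)
    return "ERR"


# Constructed sample requests, in the shape Squid would hand the helper.
SAMPLE_LINES = [
    "- - 10.1.2.3",                                   # clean reply
    "adult%20content www.example.com 10.1.2.3",      # tagged by dansguardian
]


def demo():
    """Verdicts for SAMPLE_LINES: ['OK', 'ERR']."""
    return [check_header(line) for line in SAMPLE_LINES]


def main():
    # Squid keeps the helper running and writes one request per line.
    for line in sys.stdin:
        sys.stdout.write(check_header(line) + "\n")
        sys.stdout.flush()          # an unflushed reply stalls the request


if __name__ == "__main__":
    main()
```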

>>> "Brian Meyer" <bmeyer@swmc.org> 08/15/03 11:44AM >>>
I have a proxy set up that has Dans and Squid on it. This setup works fine,
and for transparent proxying, the firewall redirects port 80 traffic to 8080
where Dans Guardian picks it up. DG then passes it to squid on port 3128
where it is proxied out to the internet. We need more control of our ACLs,
so we looked into setting up another instance of Squid before DG to handle
the ACL, and just let DG scan for content. We have successfully configured
the second copy of squid to listen on port 8081 and then send its requests
on to DG at port 8080. If I configure a web browser to use a proxy server,
and point it to port 8081, everything works fine, but if I leave the web
browser configured for transparent access, and change the firewall redirect
to port 8081 instead of 8080, it breaks. In looking at the log files of the
first squid listening on port 8081, the requested URLs are getting :8080
appended to the domain. It looks like this:

1060957931.194 40883 mhall.swmc.org TCP_MISS/000 0 GET http://www.google.com:8080/ - FIRST_UP_PARENT/127.0.0.1 -
1060958054.025 137655 mhall.swmc.org TCP_MISS/504 1045 GET http://ar.atwola.com:8080/image/93142556/1060958206/aim - FIRST_UP_PARENT/127.0.0.1 -
1060960878.334 4116 mhall.swmc.org TCP_MISS/000 0 GET http://www.google.com:8080/ - FIRST_UP_PARENT/127.0.0.1 -

I am trying to figure out why this is happening when we change the firewall
redirect, but not happening if we set the client browser to use a proxy at
port 8081. The squid line that we are using to send the requests on to DG
is:

cache_peer 127.0.0.1 parent 8080 0 no-query

and I have also played with the accel settings like this:

httpd_accel_host 127.0.0.1
httpd_accel_port 8080

If I disable these 2 lines, then the log file only shows the URL of the
request; the domain is getting stripped out.

Any help that anyone can provide would be greatly appreciated.

Brian Meyer
Received on Fri Aug 15 2003 - 10:56:31 MDT