RE: [squid-users] Can Microsoft Proxy be the Parent http server on port 80 - Additional notes

From: Doron Shmaryahu <doron@dont-contact.us>
Date: Wed, 26 Nov 2003 08:57:53 +0200

Hi,

That will work, now that you have removed the proxy-only statement.

Thanks

Doron
-----Original Message-----
From: jonathan_hughes@goodyear.co.za [mailto:jonathan_hughes@goodyear.co.za]

Sent: 25 November 2003 01:08 PM
To: doron@crc.co.za; hno@squid-cache.org
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Can Microsoft Proxy be the Parent http server on
port 80 - Additional notes

Doron / Henrik / List,

Just to verify - I want Squid to 'suck' its cache objects out of the
upstream Microsoft proxy server for storage or serving to the Web browser
clients. I don't necessarily want to pass the client on to the MS Proxy
Server - however if that is possible then I would like to try/know how that
is possible.

Any sign that Squid can do the proxy job will help me leverage this product
into my company. I am guessing I will need to find out what the firewall
port and IP are though - has anyone done this before (using an MS Proxy as
the upstream server).

I have changed my cache_peer line to:

cache_peer msproxy.goodyear.co.za parent 80 0 default no-query login=neib091:101dalmations connect-timeout=15

But when I try and open say: http://www.google.com/ in my Internet Explorer
web browser (which points to squid.goodyear.co.za:8080) the browser hangs
with a slow progress bar for about 5 to 10 minutes before timing out.

Viva Linux ;)
                                                                           
Jonathan Hughes
Tech Support Specialist
Goodyear South Africa

P +27 41 9946 247 F +27 41 9946 243 E jonathan_hughes@goodyear.co.za

"Doron Shmaryahu" <doron@crc.co.za>
2003/11/25 07:57 AM
To: <jonathan_hughes@goodyear.co.za>
cc:
Subject: RE: [squid-users] Can Microsoft Proxy be the Parent http server on port 80 - Attached sample of my code

 

Hi,

You may want to set the icp port to 0 as ms proxy won't listen for it. The
icp_port you have set is for squid itself to listen on, where you have your
statement:

cache_peer zaproxy.goodyear.co.za parent 80 3130 proxy-only login=MyNT_Logon_ID:MyNT_Logon_Pass connect-timeout=15

Change to

cache_peer zaproxy.goodyear.co.za parent 80 0 proxy-only login=MyNT_Logon_ID:MyNT_Logon_Pass connect-timeout=15

Also, must the upstream proxy be the default parent? Do you want to forward
all requests to the upstream proxy? Otherwise, the way you have it now, if
squid queries the upstream proxy it won't get an answer, and will bypass the
parent.

Use

cache_peer zaproxy.goodyear.co.za parent 80 0 default login=MyNT_Logon_ID:MyNT_Logon_Pass connect-timeout=15

By using the proxy-only statement your squid machine will not cache anything!!

Doron

-----Original Message-----
From: jonathan_hughes@goodyear.co.za
[mailto:jonathan_hughes@goodyear.co.za]

Sent: 25 November 2003 11:34 AM
To: doron@crc.co.za
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Can Microsoft Proxy be the Parent http server on
port 80 - Attached sample of my code

Doron,

No problem, here is a sample of my settings in my squid.conf file:

---------------------- START CODE SNIPPET ----------------------

http_port 3128 8080

icp_port 0 ##disabled - don't think MS Proxy supports this ???

cache_peer zaproxy.goodyear.co.za parent 80 3130 proxy-only login=MyNT_Logon_ID:MyNT_Logon_Pass connect-timeout=15

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

hierarchy_stoplist cgi-bin ?

cache_dir ufs /var/spool/squid 100 16 256

ftp_user Squid@goodyear.co.za

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

acl mynetworks src 160.122.0.0/255.255.0.0
http_access allow mynetworks
icp_access allow mynetworks
http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access allow all

cache_mgr root
cache_effective_user squid
cache_effective_group squid

... etc ...

---------------------- END CODE SNIPPET ----------------------

I think that covers all the primary settings. I have changed only the proxy
parent 'upstream', have added custom acl as seen above and have added port
8080 as an additional port Squid will serve its cache to clients on. My
access control seems fine as I do not get the denied message I used to get.

If I logon to windows NT with a username and password that is approved for
internet access then the existing MS proxy allows seamless web browsing -
otherwise the user needs to enter this authentication information to browse
the web (so users who do not have approved access cannot browse the web).

Any help appreciated, thanks,

Jonathan Hughes
Tech Support Specialist
Goodyear South Africa

"Doron Shmaryahu" <doron@crc.co.za>
2003/11/25 06:37 AM
To: <jonathan_hughes@goodyear.co.za>, <squid-users@squid-cache.org>
cc:
Subject: RE: [squid-users] Can Microsoft Proxy be the Parent http server on port 80

Hi,

When you say you are having trouble, what exactly does it not do? Also, could
you post a portion of your squid.conf file?

Thanks

-----Original Message-----
From: jonathan_hughes@goodyear.co.za
[mailto:jonathan_hughes@goodyear.co.za]

Sent: 25 November 2003 10:07 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Can Microsoft Proxy be the Parent http server on
port 80

Hi List,

I need to install Squid server with the intention of using it to replace
Microsoft Proxy Server and ISA Proxy Server.

I have the basic daemon squid.conf and access control lists working (or so
it appears - squid -k parse generates no errors).

However I am having trouble configuring the parent or root Proxy server as
my squid install's parent.

If I can prove Squid works by placing it downstream from the existing proxy
server on our LAN and using the existing MS proxy as the Web content
supplier to the Squid cache (The MS proxy server is called 'upstream
server') then we may migrate to Squid for our entire org.

I am running: Squid2.5 Stable1
Server OS: Red Hat Linux 9.0
MS Parent Proxy: msproxy.goodyear.co.za
Squid Server: cache.goodyear.co.za

Any suggestions, or simple pointers will be appreciated. I have reference
material and full printouts of config files etc.

Thanks in advance and keep well,

Jonathan Hughes
Tech Support Specialist
Goodyear South Africa

P +27 41 9946 247 F +27 41 9946 243 E jonathan_hughes@goodyear.co.za

Received on Tue Nov 25 2003 - 23:51:15 MST
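
Added example (not part of the original thread and not Squid project code): a small Python check for the cache_peer points raised in this thread when the parent does not speak ICP, namely a non-zero ICP port without no-query, proxy-only on the parent, and a login=user:password option kept in the config file. The function names, finding codes, host name parent.example.net and the USER:PASS placeholder are assumptions made for illustration, and comment handling is simplified to "everything after #".

```python
# Added example: lint cache_peer lines for a parent that does not speak ICP.
# Sample config is constructed; host name and USER:PASS are placeholders.
SAMPLE_CONF = """\
icp_port 0
cache_peer parent.example.net parent 80 3130 proxy-only login=USER:PASS connect-timeout=15
cache_peer parent.example.net parent 80 0 default no-query login=USER:PASS connect-timeout=15
"""

MESSAGES = {
    "icp-unanswered": "ICP port set and no-query absent: queries to a non-ICP parent go unanswered",
    "proxy-only": "proxy-only: objects fetched through this parent are not stored locally",
    "plaintext-login": "login=user:password is stored in clear text; restrict read access to squid.conf",
}

def parse_cache_peer(line):
    """Return the fields of one cache_peer directive, or None for any other line."""
    # Simplification (assumption): everything after '#' is treated as a comment.
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 5 or tokens[0] != "cache_peer":
        return None
    host, peer_type, http_port, icp_port = tokens[1:5]
    return {"host": host, "type": peer_type, "http_port": int(http_port),
            "icp_port": int(icp_port), "options": tokens[5:]}

def lint_peer(peer):
    """Return finding codes (keys of MESSAGES) for one parsed cache_peer entry."""
    findings = []
    opts = peer["options"]
    if peer["type"] == "parent":
        if peer["icp_port"] != 0 and "no-query" not in opts:
            findings.append("icp-unanswered")
        if "proxy-only" in opts:
            findings.append("proxy-only")
    if any(o.startswith("login=") and ":" in o for o in opts):
        findings.append("plaintext-login")
    return findings

def lint_conf(text):
    """Lint every cache_peer line; returns [(line_number, [finding codes])]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        peer = parse_cache_peer(line)
        if peer is not None:
            results.append((lineno, lint_peer(peer)))
    return results

if __name__ == "__main__":
    for lineno, codes in lint_conf(SAMPLE_CONF):
        for code in codes:
            print(f"line {lineno}: {MESSAGES[code]}")
```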

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:37 MST