[squid-users] Port based ACLs for Squid setup with upstream proxying to Surfingate's Finjan-

From: Maxx Christopher Lobo <maxx@dont-contact.us>
Date: Tue, 08 Feb 2005 18:20:32 -0800

Hi:

I've included relevant parts of the conf file at the end of this email,
but first the human-readable version...

A quick description of the situation:
-------------------------------------
I have a working Squid-2.5.Stable5-4.fc2.2 installation under Linux,
using transparent proxying in conjunction with Cisco's WCCP. The Squid
box uses Surfingate's FinJAN (an active content filtering/scanning
proxy) as its upstream proxy.
In other words, http requests leave the user's PC, are intercepted
through WCCP, passed to squid, and squid passes them to FinJAN. For
various reasons, I can't alter this chain.
The corporate firewall blocks all outgoing traffic that does not pass
through a proxy. Users cannot connect to FinJAN directly - all proxying
is done through Squid. FinJAN only handles HTTP and FTP.
I have an ACL for a group of IP addresses (a few servers, some admin
workstations) that bypass this chain, and do NOT use FinJAN. Squid
handles all proxying for these specific IPs.

A quick description of the problem:
-----------------------------------
Windows Media Player and Yahoo's LaunchCast (which the latter
essentially uses the former) are 'broken' for the native radio streams
that use MMS or RTSP (TCP/UDP 1755 and 554) - because the traffic is
passed to Squid, which in turn passes it to FinJAN - and FinJAN does not
know how to handle this traffic, since it wasn't designed to do this.

I'd like to point out here that 'true' HTTP based audio streams (like
the ones that use port 80) are unaffected by this situation, and work
fine with this chain of proxies.

What I would like to know/do:
-----------------------------
Is it possible to use the cache_peer directive to pass all port 80/443
traffic to FinJAN, and process all other 'Safe_Ports' traffic locally
through Squid?

Currently I have the ability to do this with ACLs that define a group of
PCs (by IP address). I don't know how to do this using port numbers. Is
this even possible?

An alternative solution would be for me to run two squid processes on
the same box, one which handles port 80/443 traffic, and the other which
handles all other safe ports. This will very likely solve my problem,
but before I go that messy route, I want to make sure that a simple ACL
isn't the real solution.

The relevant squid.conf:
------------------------
#
# Begin squid.conf
#
acl Safe_ports port 20 21 70 80 210 443 563 800 1025-65535
acl CONNECT method CONNECT GET POST PROPFIND HEAD
#
acl dns-Local dstdomain .xyz.com
acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
acl all src 0.0.0.0/0.0.0.0
#
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
#
cache_peer finjan.xyz.com parent 5150 0 no-query default
always_direct allow dns-Local
always_direct allow IT_PCS
never_direct allow all
#
# End squid.conf
#

If this is possible, I'd be grateful for an example. Thanks-

--Maxx Lobo
Received on Tue Feb 08 2005 - 19:20:41 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:02 MST