Hi all!
I use Squid2.6STABLE5 as a proxy to access DMZ located webservers from the
outside and also as a HTTP proxy for my internal clients. But there is a
problem: I get forwarding loops on my external interface. I have tried all kinds of
different setups, but it makes no difference.
offending setup:
# --- Listening sockets ---
# internal:3128 is the forward proxy for the LAN clients; the ports named
# mail/orders (80) and webmail (443) are the public-facing accelerator ports.
# 'vhost' selects the backend by the client's Host header; 'defaultsite' is
# used when the request carries no Host header.
http_port internal:3128
http_port mail:80 defaultsite=www.foobar.com vhost
http_port orders:80 defaultsite=orders.foobar.com vhost
# NOTE(review): clientca/crlfile/sslflags are commented out, so presumably no
# client-certificate authentication and no CRL checking happens on this
# listener; confirm that is intended for a webmail front end.
https_port webmail:443 \
defaultsite=webmail.foobar.com vhost \
cert=/usr/local/etc/squid/certs/webmail.foobar.com.pem \
cafile=/etc/CA/ssl/public/vsign-class3.crt \
# clientca=/etc/CA/ssl/public/ca.pem \
# crlfile=/etc/CA/ssl/public/crl.pem \
# sslflags=DELAYED_AUTH \
capath=/etc/CA/ssl/public
# ICP is disabled; the 'icp_access allow all' further down is therefore inert.
icp_port 0
# Mail program
#mail_program sendmail
# Redirector
# NOTE(review): the squidGuard config path on the line after redirect_program
# looks like a mail-client line wrap; in the real file it must sit on the same
# line (or be joined with a trailing backslash), otherwise Squid reads it as an
# unknown directive. No redirector_access ACL is set, so the redirector sees
# the public accelerator traffic as well as the LAN clients' requests.
redirect_program /usr/local/bin/squidGuard -c
/usr/local/etc/squid/squidGuard.conf
redirect_children 4
# Rotate logs 4 times
logfile_rotate 4
# Do not show our internal IP-address: the client address is not passed on in
# X-Forwarded-For, so the DMZ backends only ever log the proxy's own address.
forwarded_for off
# Error directory
error_directory /usr/local/etc/squid/errors/Dutch
# Access log
access_log /usr/local/squid/logs/access.log squid
# SSL options
ssl_unclean_shutdown on
#sslproxy_client_certificate /usr/local/etc/squid/certs/client.certs
#
# Public Internet to DMZ
# Each published name is pinned to exactly one originserver peer via
# cache_peer_domain. NOTE(review): no never_direct is configured, so when a
# peer is marked dead (or a URL matches hierarchy_stoplist below) Squid may
# fetch DIRECT; if the public DNS name resolves to this proxy's own external
# address, that direct fetch comes straight back in -- a plausible source of
# the forwarding-loop warnings reported above. 'never_direct allow accel'
# would keep accelerated requests on the peers; confirm against cache.log.
cache_peer www2.foobar.com parent 80 0 no-query originserver \
proxy-only no-digest
cache_peer_domain www2.foobar.com www.foobar.com
# login=PASS hands the client's own credentials on to the backend; that hop is
# plain HTTP on port 80, so the credentials cross the proxy->DMZ link in clear.
cache_peer www3.foobar.com parent 80 0 no-query originserver proxy-only \
login=PASS connection-auth=off no-digest
cache_peer_domain www3.foobar.com orders.foobar.com
#cache_peer www4.foobar.com parent 80 0 no-query originserver proxy-only
#cache_peer_domain www4.foobar.com www.foobarusa.com
# front-end-https adds the Front-End-Https header so the backend knows the
# client side was TLS; the proxy->backend leg itself is still plain port 80
# (same login=PASS caveat as above).
cache_peer blx-mx.foobar.com parent 80 0 no-query originserver \
front-end-https proxy-only no-digest login=PASS connection-auth=off
cache_peer_domain blx-mx.foobar.com webmail.foobar.com
# Accelerated requests from any source are allowed only for the published
# names; anything else arriving on the accelerator ports is refused here,
# before the forward-proxy rules below are reached.
acl accel type accelerated
# NOTE(review): the third domain on the line after this acl looks line-wrapped
# by the mail client; it must be on the same line as the acl, since Squid
# reads a bare line as a new directive.
acl accel-domains dstdomain www.foobar.com orders.foobar.com
webmail.foobar.com
http_access allow accel accel-domains
http_access deny accel
# =================== The rest of the config
# URLs containing these words are handled directly rather than via neighbours
# -- see the never_direct note in the DMZ section.
hierarchy_stoplist cgi-bin ?
# Dynamic content (cgi-bin, query strings) is never cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#
# Cache settings
cache_effective_user squid
cache_effective_group squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#
# Internal to Public Internet
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8090
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl our_networks src 10.0.0.0/16 10.11.0.0/16 10.30.0.0/16
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow only our networks (forward-proxy use).
# NOTE(review): to_localhost is defined but never used; the usual
# 'http_access deny to_localhost' before this allow is missing, so services
# bound to the proxy's loopback (the ICAP listener on 1344 below is one, and
# 1344 falls inside the Safe_ports range) are reachable from the LAN through
# the forward proxy.
http_access allow our_networks
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
icp_access allow all
#
# Kaspersky Proxy for Squid ICAP Support
icap_enable on
# The client's address is passed to the ICAP server (which is localhost here).
icap_send_client_ip on
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_class ic_kav is_kav_req is_kav_resp
acl HTTP proto HTTP
acl GET method GET
# Only plain-HTTP GET requests/responses go through the AV service; POST bodies
# and CONNECT tunnels bypass it. Presumably deliberate -- confirm.
icap_access ic_kav allow HTTP GET
TIA
Bert