Re: [squid-users] Squid proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Mar 2009 10:32:45 +1300 (NZDT)

>
>
>
> Jan-Frode Myklebust-2 wrote:
>>
>> On 2009-03-06, Merdouille <jgerhards_at_r-advertising.com> wrote:
>>>
>>> I need to have a squid conf to allow people to access data from URLs
>>> like:
>>>
>>> http://mysquidproxy/img=http%3A%2F%2Ffiles.macbidouille.com%2Fnews%2F200903%2FAP999.jpg
>>> or
>>> http://mysquidproxy/img=http://files.macbidouille.com/Fnews/200903/AP999.jpg
>>>
>>> and I want my squid to use the cache for
>>> http://files.macbidouille.com/Fnews/200903/AP999.jpg
>>
>>
>> I recently had a similar problem, but I solved it using apache instead
>> of squid. Assuming your squid is running on port 3128/tcp, and you have
>> apache listening on 80/tcp. The following apache-config should do what
>> you ask (I think):
>>
>> ProxyRequests On
>> ProxyRemote * http://localhost:3128
>> ProxyTimeout 600
>> ProxyPreserveHost Off
>>
>> RewriteEngine on
>> RewriteRule ^/img=http://(.*) http://$1 [L,P]
>>
>>
>>
>> -jf
>>
>>
>>
>
> I tried it for my httpd:
>
> # Proxy activation
> ProxyRequests On
> ProxyVia On
> # The parent proxies
> ProxyRemote * http://192.168.100.194:81
> # The timeout
> ProxyTimeout 600
> ProxyPreserveHost Off
> RewriteEngine on
> RewriteRule ^/img=http://(.*) http://$1 [L,P]
> RewriteLog /var/log/httpd/rewrite.log
> RewriteLogLevel 3
>
>
> And my squid on the same computer, port 81:
>
> visible_hostname moi
> acl all src all
> acl white dstdomain "/etc/squid/white"
> acl TRACE method TRACE
> acl PUT method PUT
> acl POST method POST
> acl proxyed urlpath_regex -i "/etc/squid/whitelist"
>

Are these the only http_access lines?

> http_access allow white !POST !PUT !TRACE proxyed

Will ONLY match domains in the whitelist which *also* contain path segments in
'proxyed'.
 -> This means apache requests for http://someone.else.example.com/fubar
will not match this control.

> http_access deny !white POST PUT TRACE !proxyed

 --> will always fail to match:
 Request method == "POST" == "PUT" == "TRACE" != true

*** implicit inversion ***
Your squid is handling that list as trailed by an:
  http_access allow all

Which causes your open-proxy behavior.

> http_port moi:81
> icp_port 0
>
> etc
>
> When I try http://moi/http://somesite/someURL it works, but it works for
> every site!
> My dstdomain white list no longer works!

To get this going safely with Squid+Apache you will also need to do all of
the following in addition to what you have already done:

1) Trail the list with an explicit "http_access deny all" to be sure the
set controls only do what you want.

2) Add an access control to allow apache requests through.

3) Set up a second ACL mirroring the 'proxyed' listing, which limits apache
requests only to the requests that are actually allowed.

4) Set up a *third* set of access controls on apache, to mirror the
accepted content in the 'proxyed' file and block apache from being an
open-proxy in its own place.

Amos
Received on Mon Mar 09 2009 - 21:32:51 MDT
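An added example, not from this thread or the Squid project, that models how Squid evaluates http_access (terms on one line are ANDed, the first matching line wins, and no match yields the opposite of the last line's action) and runs the two posted lines with and without the trailing "deny all" from step 1. The contents of the two list files and the sample requests are constructed, and dstdomain is simplified to an exact host match.

```python
import re

# Constructed stand-ins for the two list files named in the thread.
WHITE_DOMAINS = {"files.macbidouille.com"}   # /etc/squid/white (dstdomain)
PROXYED_PATHS = [r"/news/.*\.jpg$"]          # /etc/squid/whitelist (urlpath_regex -i)

# ACL name -> predicate over (method, host, path). dstdomain is modelled as
# an exact host match, which is what Squid does for entries without a leading dot.
ACLS = {
    "all":     lambda m, h, p: True,
    "white":   lambda m, h, p: h in WHITE_DOMAINS,
    "TRACE":   lambda m, h, p: m == "TRACE",
    "PUT":     lambda m, h, p: m == "PUT",
    "POST":    lambda m, h, p: m == "POST",
    "proxyed": lambda m, h, p: any(re.search(rx, p, re.I) for rx in PROXYED_PATHS),
}

def parse_rules(conf):
    """Turn 'http_access <allow|deny> acl [acl ...]' lines into (action, terms)."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def line_matches(terms, method, host, path):
    """All terms on one http_access line are ANDed; a leading '!' negates a term."""
    for term in terms:
        negated = term.startswith("!")
        value = ACLS[term.lstrip("!")](method, host, path)
        if value == negated:        # true but negated, or false and plain
            return False
    return True

def http_access(conf, method, host, path):
    """First matching line decides; if no line matches, Squid applies the
    opposite of the last line's action (the implicit inversion in the reply)."""
    rules = parse_rules(conf)
    for action, terms in rules:
        if line_matches(terms, method, host, path):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

POSTED = """http_access allow white !POST !PUT !TRACE proxyed
http_access deny !white POST PUT TRACE !proxyed"""
FIXED = POSTED + "\nhttp_access deny all"    # step 1 from the reply

if __name__ == "__main__":
    for host, path in [("files.macbidouille.com", "/news/200903/AP999.jpg"),
                       ("someone.else.example.com", "/fubar")]:
        print(host, path, http_access(POSTED, "GET", host, path),
              http_access(FIXED, "GET", host, path))
```

Running it shows the unrelated host being allowed by the posted list and denied once "deny all" trails it, while the whitelisted image stays allowed in both.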