Re: [squid-users] how do I pass through the proxy for all data within the intranet

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 22 Oct 2009 11:24:17 +1300

On Wed, 21 Oct 2009 08:44:43 -0700 (PDT), ant2ne <tcygne_at_altonschools.org>
wrote:
> I'm not sure what I'm trying to describe.
>
> This webcache proxy is not used for any security whatsoever. We have
> other filtering devices. This proxy is only designed to cache websites.
> For the most part it is working well.

_everything_ plugged into the network has a security impact.
This proxy is just not front-line, is all. For example, an open internal
proxy might still be used as a multi-stage relay by infected internal
machines, or as an easy access pathway to otherwise protected (source
authorized?) internal resources.

>
> But, we have some users that try to access intranet sites via a web
> console and they get "access denied" from squid. I'm thinking that it is
> probably that these intranet sites open up a port that is restricted by
> squid in some way.

Your proxy logs will say. Check access.log for 4xx and 5xx status codes on
internal URLs. Then analyse the particular URLs found.

> I'm wanting to pass through all traffic on all ports for all client
> computers who are accessing an ip address of 10.0.0.0. I want these
> sites to just get passed through the proxy without caching the data.

Must it be by IP address? Is there no internal domain name for access?

With dstdomain you can do:
  acl internalSite dstdomain foo.example.com

otherwise you are stuck with Squid doing DNS lookups to locate:
  acl internalServer dst 10.0.0.0

>
> Here is my current squid.conf
>
> http_port 3128
> # acl QUERY urlpath_regex cgi-bin \? #Removed by Amos, suggested to speed up web sites using media
> cache_mem 512 MB # May need to set lower if I run low on RAM
> maximum_object_size_in_memory 4096 KB #Increased by Amos, suggested to speed up web sites using media
> maximum_object_size 1 GB
> cache_dir aufs /cache 500000 256 256
> redirect_rewrites_host_header off
> cache_replacement_policy lru
> acl all src all
> acl localnet src 10.60.0.0/255.255.0.0
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
> acl Safe_ports port 80 443 210 119 70 21 1025-65535
> acl SSL_Ports port 443
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_Ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> icp_port 0
> refresh_pattern \.jpg$ 3600 50% 60
> refresh_pattern \.gif$ 3600 50% 60
> refresh_pattern \.css$ 3600 50% 60
> refresh_pattern \.js$ 3600 50% 60
> refresh_pattern \.html$ 300 50% 10
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> access_log /var/log/squid/access.log squid
> visible_hostname AHSPX01
Received on Wed Oct 21 2009 - 22:24:21 MDT
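To make the "check access.log for 4xx and 5xx status codes on internal URLs" step concrete, here is an added example that is not part of the thread: a small awk filter over the native Squid log format (the `squid` format the posted `access_log` line selects). The log lines below are constructed samples, not real data, and "internal" is assumed to mean a 10.x.x.x address or a host under the made-up domain intranet.example.com.

```shell
#!/bin/sh
# Constructed sample of Squid native access.log lines (not real data).
# Fields: time elapsed client action/status bytes method URL ident hierarchy/from type
SAMPLE_LOG='1256163000.101    12 10.60.1.20 TCP_MISS/200 4512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1256163000.220     3 10.60.1.20 TCP_DENIED/403 1450 CONNECT intranet.example.com:8443 - NONE/- text/html
1256163001.004     0 10.60.1.21 TCP_DENIED/403 1450 GET http://10.0.0.15:9090/console/ - NONE/- text/html
1256163002.330   820 10.60.1.22 TCP_MISS/502 1200 GET http://10.0.0.40/status - DIRECT/10.0.0.40 text/html
1256163003.500    15 10.60.1.23 TCP_HIT/200 2000 GET http://10.0.0.40/logo.gif - NONE/- image/gif
1256163004.700    40 10.60.1.24 TCP_MISS/404 900 GET http://www.example.com/missing - DIRECT/93.184.216.34 text/html'

# internal_errors: read access.log lines on stdin and print one
# "status method url" line for every 4xx/5xx response whose URL host is
# internal (assumed: a 10.x.x.x address or *.intranet.example.com).
internal_errors() {
    awk '
        # $4 is action/status, e.g. TCP_DENIED/403; keep 4xx and 5xx only
        $4 ~ /\/[45][0-9][0-9]$/ {
            url = $7
            host = url
            sub(/^[a-z]+:\/\//, "", host)   # strip scheme (CONNECT has none)
            sub(/[\/:].*$/, "", host)       # strip port and path
            if (host ~ /^10\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                host ~ /(^|\.)intranet\.example\.com$/)
                print substr($4, index($4, "/") + 1), $6, url
        }'
}

# count_internal_errors: number of matching lines in the constructed sample.
count_internal_errors() {
    printf '%s\n' "$SAMPLE_LOG" | internal_errors | wc -l | tr -d ' '
}

# Usage on the sample:  printf '%s\n' "$SAMPLE_LOG" | internal_errors
# Usage on a real log:  internal_errors < /var/log/squid/access.log
```

On the sample this reports the two TCP_DENIED/403 entries (one a CONNECT to port 8443, one a plain GET to port 9090) and the 502 from 10.0.0.40, while leaving the external 404 out. A 403 with `NONE/-` as the hierarchy means Squid itself refused the request before contacting any server, which is what a Safe_ports or CONNECT rule produces; a 5xx with `DIRECT/` means the request went out and the internal server or the connection failed, which is a different problem from the ACLs.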
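As an added example, not configuration from the thread or from the Squid project, here is how the two ACL styles described above (dstdomain by name, dst by address) can be combined into a "pass through, don't cache" rule for the intranet, written against the Squid 2.6/3.0 syntax the posted squid.conf uses. The domain `.intranet.example.com`, the 10.0.0.0/8 range, and the placement of the internal allow rules ahead of the Safe_ports check are assumptions; `localnet` is the ACL already defined in the posted config.

```conf
# Internal sites matched by name. No DNS lookup is needed: Squid compares the
# URL host against the list. A leading dot matches the domain and all of its
# subdomains. (The domain name is an assumption for this example.)
acl internalSite dstdomain .intranet.example.com

# Fallback for URLs that use a bare address. A dst ACL makes Squid resolve the
# URL host before it can compare, and a name that fails to resolve will never
# match. 10.0.0.0/8 is assumed here; a bare "dst 10.0.0.0" means one host.
acl internalServer dst 10.0.0.0/8

# "All ports" for the intranet: allow these destinations from localnet before
# the Safe_ports and CONNECT checks, so a console on an unusual port is not
# denied. This is exactly the relay-to-internal-resources exposure mentioned
# above, so keep both the source (localnet) and the destination ACLs on the
# rule rather than allowing internal destinations from everywhere.
http_access allow localnet internalSite
http_access allow localnet internalServer
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow localnet
http_access allow localhost
http_access deny all

# Pass through without storing: never cache internal responses, and never
# route them through a cache_peer if one is added later.
cache deny internalSite
cache deny internalServer
always_direct allow internalSite
always_direct allow internalServer
```

http_access rules are evaluated in order and the first match wins, so the two internal allow lines only have an effect because they sit above `deny !Safe_ports`; appended at the bottom they would never be reached for a port outside Safe_ports. Confirm from access.log which URL and port are actually being denied before loosening anything, and run `squid -k parse` on the edited file before `squid -k reconfigure`.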

This archive was generated by hypermail 2.2.0 : Fri Oct 23 2009 - 12:00:03 MDT