Re: [squid-users] Squid 3.2, reverse proxy, deny_info http/https redirect problems.

From: Cliff Hill <chill_at_darkhelm.org>
Date: Thu, 22 Mar 2012 08:30:44 -0700

Yes, my config used to have the "vhost" defined in it, however with
3.2, I found out it wasn't needed any more, so I cleared it up, in an
effort to figure out what is going on.

I guess I need to show the whole config. I'll also note I am using it
as a reverse proxy, as well as a transparent proxy for my local
network's access to the internet, with caching. I have it using
squidGuard for some things, and I used to tie in squidclamav as an
icap service, however it caused a massive performance hit on page
loading times, so I disabled it, but still have some configuration
directives in place that are for icap.

I will gladly admit that I'm not extremely proficient in how the
config file should work, I'm mostly just scouring through the
squid-cache wiki, and anything I can Google to figure out what I need.
However, there is very little I'm finding with regards to my current
problem.

Here's my config file in its entirety:
---------------------------------------------------------------------------------------------------------------

# SQUID 3.2.0.16
# --------------

http_port 80 accel defaultsite=darkhelm.org

https_port 443 cert=/home/darkhelm/keys/CertAuth/maincert.cert key=/home/darkhelm/keys/CertAuth/mainkey.pem accel defaultsite=darkhelm.org

redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

# Security ACL, force username/password login. See music below.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED

cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
acl sites_xlorep url_regex ^https://xlorep\.darkhelm\.org
cache_peer_access xlorep allow sites_xlorep
http_access allow sites_xlorep
acl http_xlorep url_regex ^http://xlorep\.darkhelm\.org
http_access deny http_xlorep
deny_info https://xlorep.darkhelm.org http_xlorep

#8022 8081
cache_peer 127.0.0.1 parent 8022 0 no-query originserver login=PASS name=shell
acl sites_shell url_regex ^https://shell\.darkhelm\.org
cache_peer_access shell allow sites_shell
http_access allow sites_shell
acl http_shell url_regex ^http://shell\.darkhelm\.org
http_access deny http_shell
deny_info https://shell.darkhelm.org http_shell

cache_peer 10.18.75.4 parent 8000 0 no-query originserver login=PASS name=music
acl sites_music url_regex ^https://music\.darkhelm\.org
cache_peer_access music allow sites_music ncsa_users
http_access allow sites_music ncsa_users
acl http_music url_regex ^http://music\.darkhelm\.org
http_access deny http_music
deny_info https://music.darkhelm.org http_music

cache_peer 10.18.75.4 parent 8080 0 no-query originserver login=PASS name=mplay
acl sites_mplay url_regex ^https://mplay\.darkhelm\.org
cache_peer_access mplay allow sites_mplay ncsa_users
http_access allow sites_mplay ncsa_users
acl http_mplay url_regex ^http://mplay\.darkhelm\.org
http_access deny http_mplay
deny_info https://mplay.darkhelm.org/ http_mplay

cache_peer 10.18.75.4 parent 4711 0 no-query originserver login=PASS name=amw
acl sites_amw url_regex ^https://amw\.darkhelm\.org
cache_peer_access amw allow sites_amw
http_access allow sites_amw
acl http_amw url_regex ^http://amw\.darkhelm\.org
http_access deny http_amw
deny_info https://amw.darkhelm.org http_amw

cache_peer 10.18.75.4 parent 9091 0 no-query originserver login=PASS name=bt
acl sites_bt url_regex ^https://bt\.darkhelm\.org
cache_peer_access bt allow sites_bt
http_access allow sites_bt
acl http_bt url_regex ^http://bt\.darkhelm\.org
http_access deny http_bt
deny_info https://bt.darkhelm.org http_bt

# Recommended minimum configuration:
#
#acl manager proto cache_object
#acl localhost src 127.0.0.0/8 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.18.75.0/24 10.2.18.0/24
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 intercept

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

cache_mem 64 MB
cache_replacement_policy heap LRU

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid3 4096 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_effective_group proxy
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode off
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all

---------------------------------------------------------------------------------------------------------------

"I'm not responcabel fer my comuter's spleling errnors" - Xlorep DarkHelm
Website: http://darkhelm.org

On Wed, Mar 21, 2012 at 5:10 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 22.03.2012 12:20, Cliff Hill wrote:
>
> NOTE: both of these regex should never have matched in 3.1. defaultsite
> explicitly forces the URI to be "http://darkhelm.org/..." unless the
> vhost option is enabled. It is disabled by default on 3.1 and older.
> 3.2 uses HTTP/1.1 where vhost is enabled by default. So the regex ACL might
> start operating now as you seem to have intended them to.
>
>
>
>> However whenever I try to go there with a web browser, it just hangs,
>> and never actually gets redirected.
>>
>> Right now, I just want it to simply redirect http:// to https:// for
>> my cache_peers. Can anyone help me?
>
>
> With the above config...
>
> . The client sends traffic to Squid via port 80. Meaning client<->squid
> traffic is plain HTTP.
>
> .. Your access control and deny_info bounces the client to an "https://"
> URI.
>
> ... The client should then dutifully connect to port 443 (HTTPS).
>
> What happens then? your displayed config does not show.
>
>
> Amos
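The two points raised in this thread, the first-match order of the http_access lines and the vhost/defaultsite question of which URL the url_regex ACLs actually see, can be traced by hand with a small model of Squid's evaluation. The script below is an added illustration for this archive page, not Squid's code and not part of either poster's configuration. It models only what the posted config needs: url_regex, proxy_auth REQUIRED, src, port and the built-in all ACL, left-to-right short-circuit evaluation of the terms on one http_access line, first match across lines, Squid's "opposite of the last line" default, the 407 challenge when a proxy_auth ACL is reached without credentials, and the deny_info redirect keyed on the last ACL of the denying line. cache_peer_access, squidGuard, ICAP and the TLS listener are out of scope. The config excerpt and the client addresses (10.18.75.50 inside localnet, 203.0.113.5 outside it) are constructed from the posted file.

```python
"""Trace Squid-style first-match http_access evaluation over the posted ACLs.

Added illustration, not Squid's own code. Simplified model: url_regex,
proxy_auth REQUIRED, src, port and the built-in 'all' ACL only.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt of the posted squid.conf: the xlorep and music blocks
# plus the tail of the standard rules. E-mail line wrapping has been undone.
CONF = r"""
acl ncsa_users proxy_auth REQUIRED
acl sites_xlorep url_regex ^https://xlorep\.darkhelm\.org
http_access allow sites_xlorep
acl http_xlorep url_regex ^http://xlorep\.darkhelm\.org
http_access deny http_xlorep
deny_info https://xlorep.darkhelm.org http_xlorep
acl sites_music url_regex ^https://music\.darkhelm\.org
http_access allow sites_music ncsa_users
acl http_music url_regex ^http://music\.darkhelm\.org
http_access deny http_music
deny_info https://music.darkhelm.org http_music
acl localnet src 10.18.75.0/24 10.2.18.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

AUTH_REQUIRED = "auth_required"  # stands for Squid's 407 challenge


def parse(conf):
    """Return (acls, http_access rules, deny_info map) from squid.conf text."""
    acls, rules, deny_info = {"all": ("all", [])}, [], {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(args)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:], line.strip()))
        elif parts[0] == "deny_info":
            deny_info[parts[2]] = parts[1]  # acl name -> redirect URL
    return acls, rules, deny_info


def acl_matches(acl, req):
    """Evaluate one ACL against a request dict with keys url, src, user."""
    kind, args = acl
    if kind == "all":
        return True
    if kind == "url_regex":
        # Matched against the URL Squid reconstructed, which is exactly where
        # the vhost/defaultsite question from the thread decides the outcome.
        return any(re.search(p, req["url"]) for p in args)
    if kind == "proxy_auth":
        return True if req.get("user") else AUTH_REQUIRED
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(n, strict=False) for n in args)
    if kind == "port":
        split = urlsplit(req["url"])
        port = split.port or (443 if split.scheme == "https" else 80)
        for a in args:  # single ports or lo-hi ranges, as in the posted file
            lo, _, hi = a.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
        return False
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(conf, req):
    """Return (decision, matched http_access line, deny_info redirect or None)."""
    acls, rules, deny_info = parse(conf)
    for action, terms, text in rules:
        line_matches = True
        for term in terms:  # terms on one line are ANDed, left to right
            negate = term.startswith("!")
            res = acl_matches(acls[term.lstrip("!")], req)
            if res == AUTH_REQUIRED:
                # Reaching proxy_auth without credentials ends the whole
                # check with a challenge, whatever the line's action.
                return AUTH_REQUIRED, text, None
            if res == negate:  # bool result that fails after negation
                line_matches = False
                break
        if line_matches:
            redirect = deny_info.get(terms[-1].lstrip("!")) if action == "deny" else None
            return action, text, redirect
    # Nothing matched: Squid applies the opposite of the last rule's action.
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None, None


if __name__ == "__main__":
    cases = {
        "vhost on: http to xlorep": {"url": "http://xlorep.darkhelm.org/", "src": "10.18.75.50"},
        "vhost off: URL forced to defaultsite": {"url": "http://darkhelm.org/", "src": "10.18.75.50"},
        "same, from outside localnet": {"url": "http://darkhelm.org/", "src": "203.0.113.5"},
        "https to music, no credentials": {"url": "https://music.darkhelm.org/", "src": "10.18.75.50"},
        "https to music, with credentials": {"url": "https://music.darkhelm.org/", "src": "10.18.75.50", "user": "cliff"},
    }
    for label, req in cases.items():
        print(f"{label:40} -> {evaluate(CONF, req)}")
```

Run as-is, the trace shows the redirect only firing when the regex sees "http://xlorep.darkhelm.org/"; with the URL collapsed to the defaultsite host, the request falls through to allow localnet (or deny all from outside, with no deny_info redirect at all), which is the 3.1-versus-3.2 behaviour change described in the quoted reply. It also shows that the first proxy_auth ACL reached on an https request to music triggers the challenge before any later line is consulted.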
Received on Thu Mar 22 2012 - 15:31:13 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 23 2012 - 12:00:04 MDT