[squid-users] intercepting and normal modes together?

From: Frantisek Hanzlik <franta_at_hanzlici.cz>
Date: Sun, 13 May 2012 19:51:45 +0200

Hello Squid gurus,

I want to use Squid with WPAD (DHCP/DNS) proxy autoconfiguration for
win clients. Unfortunately there are some services (antivirus) which
do not recognize/are not able to automatically configure for a proxy
and still access HTTP sites directly at port 80. I imagine a
configuration something like this (slightly simplified):
squid.conf:
http_port 192.168.0.254:3128
http_port 192.168.0.254:3129 intercept
acl NormalAccess myport 3128
acl AntiVirusUpd myport 3129
acl AVirUpdSiteIP dst 95.34.11.64/26
http_access allow NormalAccess
http_access allow AntiVirusUpd AVirUpdSiteIP
http_access deny all

iptables at firewall/Squid machine:
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129

Thus my questions:
- is it please possible to run Squid (at the firewall Linux machine) on two
different ports, on one as a "normal" proxy accessed as a proxy by
client processes which are able to do proxy autoconfiguration,
and on the other configured in intercept mode for client processes
which do not know proxy autoconfiguration and access the internet directly?

- is it possible to distinguish between these two accesses with ACL rules
(i.e. from one client machine one sort of processes (browsers, system
updates/...) regularly autoconfigure the proxy and will access Squid on
the "normal mode" port and will have e.g. unrestricted access, and the second
sort of processes with "direct" internet access will be redirected to the
intercept mode port and will be accessing the internet transparently - but
they will be allowed only e.g. one site)?
Is the "myport" ACL the right one for this distinction?

Thanks in advance, Franta Hanzlik

PS: It would maybe be better to solve this with two Squid instances running
at different http_port, but there will not be big traffic and I'd rather
run only one instance for both ports.
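As an added illustration (not from the post and not Squid's own code), the following script simulates Squid's first-match http_access evaluation over the config above, copied in as a constructed string, to show what the myport/dst distinction yields for a connection on each port. It supports only the myport and dst ACL types plus the built-in "all"; the request dicts are assumed inputs.

```python
import ipaddress

# Constructed copy of the (slightly simplified) squid.conf from the post.
SQUID_CONF = """\
http_port 192.168.0.254:3128
http_port 192.168.0.254:3129 intercept
acl NormalAccess myport 3128
acl AntiVirusUpd myport 3129
acl AVirUpdSiteIP dst 95.34.11.64/26
http_access allow NormalAccess
http_access allow AntiVirusUpd AVirUpdSiteIP
http_access deny all
"""

def parse_conf(text):
    """Return ({acl_name: (type, values)}, [(action, acl_names)])."""
    acls = {"all": ("all", [])}  # "all" is built in since Squid 3.2
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, request):
    kind, values = acl
    if kind == "all":
        return True
    if kind == "myport":  # local port the client connection arrived on
        return str(request["myport"]) in values
    if kind == "dst":  # IP of the destination server
        ip = ipaddress.ip_address(request["dst"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"unsupported acl type: {kind}")

def http_access(text, request):
    """First-match evaluation: a line matches only when every ACL on it
    matches; if no line matches, the default is the opposite of the last line."""
    acls, rules = parse_conf(text)
    for action, names in rules:
        if all(acl_matches(acls[name], request) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Note that the intercept port only sees connections the iptables REDIRECT rule sends to it, so the myport distinction is really a distinction between redirected and explicitly configured clients.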
Received on Sun May 13 2012 - 17:51:53 MDT

This archive was generated by hypermail 2.2.0 : Mon May 14 2012 - 12:00:02 MDT