Re: [squid-users] intercepting and normal modes together?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sun, 13 May 2012 21:48:08 +0300

as you can see in the acl documentation at:
http://www.squid-cache.org/Doc/config/acl/

it seems like what you need is the myport you mentioned.
there is no need whatsoever to use two squid instances for this.
you should restrict the http_access by being more explicit, such as:

http_port 192.168.0.254:3128
http_port 192.168.0.254:3129 intercept
acl localnet src 192.168.0.0/24
acl NormalAccess myport 3128
acl AntiVirusUpd myport 3129
acl AVirUpdSiteIP dst 95.34.11.64/26
#add a dstdomain acl to match in case the av company's ip changes
acl AVUPDOMS dstdomain norton.domain.com kaspersky.domain.com
#strictly define your clients' scope so as not to leave any open options for clients to use your proxy.
#i would also restrict access to the proxy with a firewall, but it depends on your environment.
http_access allow NormalAccess localnet
http_access allow localnet AntiVirusUpd AVUPDOMS
http_access allow localnet AntiVirusUpd AVirUpdSiteIP
http_access deny all

Regards,
Eliezer

On 13/05/2012 20:51, Frantisek Hanzlik wrote:

> Hello Squid gurus,
>
> I want to use Squid with WPAD (DHCP/DNS) proxy autoconfiguration for
> win clients. Unfortunately there are some services (antivirus) which
> do not recognize / are not able to automatically configure for a proxy
> and still access HTTP sites directly at port 80. I imagine a
> configuration something like (slightly simplified):
> squid.conf:
> http_port 192.168.0.254:3128
> http_port 192.168.0.254:3129 intercept
> acl NormalAccess myport 3128
> acl AntiVirusUpd myport 3129
> acl AVirUpdSiteIP dst 95.34.11.64/26
> http_access allow NormalAccess
> http_access allow AntiVirusUpd AVirUpdSiteIP
> http_access deny all
>
> iptables at firewall/Squid machine:
> iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129
>
>
> Thus my questions:
> - is it please possible to run Squid (at the firewall Linux machine) on two
> different ports, on one as a "normal" proxy accessed as a proxy by
> client processes which are able to do proxy autoconfiguration,
> and on the other configured in intercept mode for client processes
> which do not know proxy autoconfiguration and access the internet directly?
>
> - is it possible to distinguish between these two accesses with ACL rules
> (i.e. from one client machine one sort of processes (browsers, system
> updates/...) regularly autoconfigure the proxy and will access Squid on the
> "normal mode" port and will have e.g. unrestricted access, and the second
> sort of processes with "direct" internet access will be redirected to the
> intercept mode port and will access the internet transparently - but
> they will be allowed only e.g. one site)?
> Is the "myport" ACL the right one for this distinction?
>
> Thanks in advance, Franta Hanzlik
>
> PS: It would maybe be better to solve this with two Squid instances running
> on different http_ports, but there will not be big traffic and I'd rather
> run only one instance for both ports.

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
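As an added illustration (not from this thread and not Squid's own code), here is a small Python model of how Squid evaluates the http_access lines above, run against both the rules as posted in the question and the rewritten ones from the reply; the ACL names and address ranges are copied from the posts, and the request records are constructed.

```python
import ipaddress

# Constructed model of the ACLs in this thread (names and values copied from the
# posts); the evaluator is an added illustration, not Squid's own code.
LOCALNET = ipaddress.ip_network("192.168.0.0/24")
AV_NET = ipaddress.ip_network("95.34.11.64/26")
AV_DOMAINS = ("norton.domain.com", "kaspersky.domain.com")

def dstdomain(host: str, domains: tuple) -> bool:
    # Squid's dstdomain matches the listed host itself or any subdomain of it
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

ACLS = {
    "localnet": lambda r: ipaddress.ip_address(r["src"]) in LOCALNET,
    "NormalAccess": lambda r: r["myport"] == 3128,
    "AntiVirusUpd": lambda r: r["myport"] == 3129,
    "AVirUpdSiteIP": lambda r: ipaddress.ip_address(r["dst"]) in AV_NET,
    "AVUPDOMS": lambda r: dstdomain(r["host"], AV_DOMAINS),
    "all": lambda r: True,
}

# http_access lines as posted in the question (no source restriction) ...
ORIGINAL_RULES = [
    ("allow", ["NormalAccess"]),
    ("allow", ["AntiVirusUpd", "AVirUpdSiteIP"]),
    ("deny", ["all"]),
]
# ... and as rewritten in the reply, every allow line tied to localnet.
REPLY_RULES = [
    ("allow", ["NormalAccess", "localnet"]),
    ("allow", ["localnet", "AntiVirusUpd", "AVUPDOMS"]),
    ("allow", ["localnet", "AntiVirusUpd", "AVirUpdSiteIP"]),
    ("deny", ["all"]),
]

def http_access(req: dict, rules: list) -> str:
    """Squid first-match semantics: ACLs on one line are ANDed, lines are
    tried in order, and the first line whose ACLs all match decides."""
    for action, names in rules:
        if all(ACLS[name](req) for name in names):
            return action
    return "deny"  # unreachable with a trailing "deny all" line

if __name__ == "__main__":
    # Constructed requests: src = client IP, myport = Squid port hit,
    # dst = resolved destination IP, host = requested hostname.
    outsider = {"src": "10.9.8.7", "myport": 3128, "dst": "203.0.113.5", "host": "example.com"}
    av_by_name = {"src": "192.168.0.10", "myport": 3129, "dst": "203.0.113.5", "host": "updates.kaspersky.domain.com"}
    print(http_access(outsider, ORIGINAL_RULES), http_access(outsider, REPLY_RULES))  # allow deny
    print(http_access(av_by_name, REPLY_RULES))  # allow
```

The first print shows why the reply adds localnet to every allow line: without it, any host that can reach port 3128 is accepted as a proxy client.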
Received on Sun May 13 2012 - 18:48:20 MDT

This archive was generated by hypermail 2.2.0 : Mon May 14 2012 - 12:00:02 MDT