Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 23 Nov 2012 15:14:22 +1300

On 23/11/2012 11:45 a.m., Eliezer Croitoru wrote:
> The basic thing is to know the IP address of the client since you are
> allowing only specific number of IP addresses to use the proxy.
> You can send it to me on my private mail and just the relevant
> "denied" lines are what I need.
>
> Regards,
> Eliezer
>
> On 11/22/2012 4:41 PM, Leslie Jensen wrote:
>>
>>
>> Eliezer Croitoru skrev 2012-11-22 15:19:
>>> Next time just clean the file first to make it more readable:
>>> use the command cat squid.conf|sed 's/^[ \t]*//'|sed 's/^#.*//'|sed
>>> '/^$/d'
>>>
>>> ##start
> <SNIP>
>>> ##end
>>>
>>> it seems to me like forward proxy and the only reason I can think of to
>>> not work is:
>>> Missing credentials related settings.
>>> With the current config file squid only allows users with specific SRC
>>> ip which are only localhost\127.0.0.1/8 and a range of 172.18.0.0/24/
>>> Also you didn't post the access.log output for the request but it seems
>>> like you have one missing ACL.

+ 3.2 intercept port receiving forward-proxy requests will reject them
due to NAT failure/lies.

+ 3.2 Host header validation *will* reject if forward traffic is
validated as being intercepted.

** you need at minimum to add a http_port line without "intercept" on it
for the Squid icons and configured browsers to fetch from.

Also, on checking the config file there are some minor annoyances which
will be adding extra warnings into your cache.log:

* the "QUERY" ACL is now deprecated. You should remove it from your
config along with the "no_cache" (obsolete by itself) directive that
uses it.

* the hierarchy_stoplist is also deprecated and causes slightly more
harm than good. Can be removed.

* default refresh pattern is outdated. The current CGI pattern is "
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 "

* remove localhost ACL re-definition. Using the old definition will
cause existing Squid to not even start. Fix for that has yet to be
published.

* remove localhost ACL re-definition

* remove to_localhost ACL re-definition

Amos
Received on Fri Nov 23 2012 - 02:14:38 MST
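
The upgrade checks listed in the message above can be run over a squid.conf before restarting on 3.2. This is an added example, not part of the original message or of Squid itself; the sample config, its port number and the `localnet` ACL are constructed, and `lint` is a hypothetical helper name.

```python
# Current CGI refresh_pattern quoted in the message above.
CURRENT_CGI = ["refresh_pattern", "-i", r"(/cgi-bin/|\?)", "0", "0%", "0"]
# Directives and ACL names the message says to remove.
OLD_DIRECTIVES = {"no_cache": "obsolete directive",
                  "hierarchy_stoplist": "deprecated directive"}
OLD_ACLS = {"QUERY": "deprecated ACL",
            "localhost": "ACL re-definition",
            "to_localhost": "ACL re-definition"}

# Constructed sample config for illustration, not the poster's file.
SAMPLE = r"""http_port 3128 intercept
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hierarchy_stoplist cgi-bin ?
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.18.0.0/24
refresh_pattern (cgi-bin|\?) 0 0% 0
http_access allow localnet
"""

def lint(conf):
    """Return (line_no, message) findings; line 0 marks a file-level finding."""
    findings, forward_port = [], False
    for no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue  # skip blank lines and comments
        name = tok[0]
        if name == "http_port" and "intercept" not in tok[2:]:
            forward_port = True  # a port that accepts forward-proxy requests
        elif name in OLD_DIRECTIVES:
            findings.append((no, f"{name}: {OLD_DIRECTIVES[name]}, remove"))
        elif name == "acl" and len(tok) > 1 and tok[1] in OLD_ACLS:
            findings.append((no, f"acl {tok[1]}: {OLD_ACLS[tok[1]]}, remove"))
        elif name == "refresh_pattern" and "cgi-bin" in raw and tok != CURRENT_CGI:
            findings.append((no, "refresh_pattern: outdated CGI pattern"))
    if not forward_port:
        findings.append((0, "http_port: no port without 'intercept' "
                            "for forward-proxy requests"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```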