Re: [squid-users] special configuration of squid for connections with citrix clients?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 09 Jul 2014 00:15:49 +0300

Hey Andreas,

What do you see in the access.log when you try to access the website?
Also try changing the behavior of forwarded_for (your config sets "via off"
but leaves forwarded_for at its default):
http://www.squid-cache.org/Doc/config/forwarded_for/

Eliezer

On 07/08/2014 06:13 PM, Andreas.Reschke_at_mahle.com wrote:
> Hello there,
>
> Is there a special Squid configuration needed to allow a Citrix ICA client
> to connect through the proxy? We are not able to connect the Citrix
> ICA client (Web) through our Squid proxy to a Citrix server on the
> Internet. With the Microsoft ISA proxy it works.
>
> Our squid.conf:
> bgstproxyls01:~ # cat /etc/squid/squid.conf
> #
> # Recommended minimum configuration:
> #
>
> acl snmppublic snmp_community squid
> snmp_port 3401
> snmp_incoming_address 10.143.153.27
> snmp_outgoing_address 10.143.153.27
> snmp_access allow all
> client_db off
> half_closed_clients off
> via off
> cache_mem 4096 MB
> ipcache_size 2028
> fqdncache_size 2048
>
> hosts_file /etc/hosts
>
> memory_pools off
> maximum_object_size 50 MB
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> log_icp_queries off
> buffered_logs on
>
> dns_nameservers 10.20.94.32
> # acl manager proto cache_object
> # acl localhost src 127.0.0.1 # ::1
> # acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
>
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> # neu
> acl SSL method CONNECT
> acl CONNECT method CONNECT
>
>
> ##### erlaubte Seiten ohne Internetberechtigung
> acl open-sites dstdomain "/etc/squid/open-sites.txt"
> ##### erlaubte Seiten ohne Internetberechtigung
>
> ##### verbotene Seiten
> acl denied-sites url_regex "/etc/squid/denied-sites.txt"
> acl selling-sites url_regex "/etc/squid/selling-sites.txt"
>
> acl social-sites url_regex "/etc/squid/social-sites.txt"
> ##### verbotene Seiten
> acl allowedurls dstdomain "/etc/squid/bypass.txt"
>
> external_acl_type LDAPLookup children-startup=10 children-idle=30 children-max=80 ttl=600 negative_ttl=30 %LOGIN /usr/sbin/ext_ldap_group_acl -d -b "dc=behrgroup,dc=net" -D "CN=BGST-S-SQUID,OU=Service Accounts,OU=bgst,OU=de,DC=behrgroup,DC=net" -W /etc/squid/ppp -f "(&(objectclass=user)(sAMAccountName=%v)(memberof:1.2.840.113556.1.4.1941:=CN=%a,OU=groups,OU=Proxy,OU=Global Groups,DC=behrgroup,dc=net))" -h 10.20.94.32
>
>
> ## DEBUGGING
>
> #debug_options 28,9
> #debug_options ALL,5 33,2 28,9 44,3
>
> # local & manager
> http_access allow manager localhost
> http_access deny manager
>
> # nur safe & SSL ab hier
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
>
> deny_info http://bgstproxyls01/denied.html denied-sites
>
>
> # Squid normally listens to port 3128
> http_port 3128
>
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BEHRGROUP.NET
> auth_param ntlm children 128
> auth_param ntlm keep_alive off
>
>
> # Zeit-Steuerung für Indien
> acl indien proxy_auth external LDAPLookup GGPY-LO-Web-Time-Limited
> acl DAY time 05:30-13:30
> # Zeit-Steuerung für Indien
> acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
> acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
> acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
> acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
> acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
> acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
> acl auth proxy_auth REQUIRED
> # bestimmte IP-adressen erlauben
> acl permitt_ips src 10.143.10.247/32
> acl FTP proto FTP
> acl PUT method PUT
>
> # whitelisten
> http_access allow open-sites all
> http_access allow localhost
> http_access allow permitt_ips !denied-sites !social-sites
> http_access allow indien DAY
> http_access deny indien
> http_access deny !chkglwebhttp
> http_access allow selling-sites sellingUser
> http_access allow social-sites socialUser
>
> # Denied sites rauswerfen, wenn sie nicht ebenfalls in allforbUser stehen
> http_access allow denied-sites allforbUser
> http_access deny denied-sites all # tötet alles was in denied-sites steht und "all" ist; also alles was in denied-sites steht, das all kann eigentlich weg.
>
> # FTP Regelungen
> http_access allow FTP PUT ftpputUser
> http_access deny FTP PUT
>
> # Test fuer Feuerecker
> http_access allow allowedurls
>
> # Wer nicht in Listen steht, sich aber trotzdem authentifizieren kann darf durch
> http_access allow all auth
> http_access allow auth
>
> # Wer hier noch nicht durch ist fliegt raus
> http_access deny all
>
> # access_log daemon:/usr/local/squid/var/logs/access.log squid
> access_log udp://127.0.0.1:7777 squid
>
> ########
> cache_peer 194.99.121.200 parent 3128 0 no-query no-digest no-netdb-exchange
> always_direct deny all
> never_direct allow all
> ###################
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 128
> #################
> ## Trend Micro anti virus
> icap_service service_1 reqmod_precache bypass=on icap://10.143.154.23:1344/REQ-Service
> icap_service service_2 respmod_precache bypass=on icap://10.143.154.23:1344/respmod
> adaptation_access service_1 allow all
> adaptation_access service_2 allow all
> adaptation_service_set class_1 service_1
> adaptation_service_set class_2 service_2
> adaptation_access class_1 allow all
> adaptation_access class_2 allow all
> ## Trend Micro anti virus
> redirect_children 20
> url_rewrite_program /usr/sbin/squidGuard -c /etc/squidguard.conf
> url_rewrite_children 200
>
>
> Mit freundlichen Grüßen / Kind regards
>
> Mr. Andreas Reschke
> andreas.reschke@mahle.com,http://www.mahle.com
>