poncenby wrote:
> Thanks for your reply.
>
> In the scenario of not trusting the DNS replies that are received by the
> client machine, all websites viewed on the client machine will have
> static dns entries pointing to the squid cache.
>
> What I'm looking for is a way of configuring squid so this can happen.
> I've read the reverse proxy docs and tried the config changes in
> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator,
> however I get access denied and being new to squid am at a loss to
> figure why the URL and Host fields are not being constructed and
> allowing my client some web browsing through a trusted source.

Ah, sorry. Looks like this was my fault. I omitted a critical piece of
info from the how-to:

The reverse-proxy configuration MUST appear at the top of squid.conf,
above any other forward-proxy configuration (http_access etc.).
Otherwise the standard proxy access rules block some people viewing the
accelerated site.

>
> Here is my squid.conf if someone could give me hint at why this isn't
> working how I need it to:
> I have apache2 running on tcp/81.
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src 0.0.0.0
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl HTTP proto HTTP
> acl CONNECT method CONNECT
> always_direct allow HTTP
This always_direct will be interfering with the reverse-proxy config BTW.
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access deny all
All of the bit below needs to be up at the top, at about the place where
the always_direct currently is.
> http_port 80 accel defaultsite=localhost
> cache_peer 127.0.0.1 parent 81 0 no-query originserver name=myAccel
> acl our_sites dstdomain localhost
> http_access allow our_sites
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel allow all

PS. "localhost" is not good content for defaultsite. You should have a
proper public domain name there.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5

Received on Sun Feb 15 2009 - 00:17:00 MST
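
Added example, not part of the original message and not Squid project code: a small Python model of Squid's top-down, first-match `http_access` evaluation, showing why the rule order posted in the thread denies a visitor to the accelerated site and why moving the accelerator rule to the top allows it. ACL matching is simplified (the caller states which ACL names are true for the request), and the `VISITOR` request and the names `parse_http_access` and `decide` are constructed for illustration.

```python
# Added example: models Squid's first-match evaluation of http_access.
# ACL matching is simplified: the caller lists which ACL names are true.

def parse_http_access(conf):
    """Return [(line_no, action, [acl, ...])] for every http_access line."""
    rules = []
    for no, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access" and words[1] in ("allow", "deny"):
            rules.append((no, words[1], words[2:]))
    return rules

def decide(conf, true_acls):
    """Return (action, line_no) of the first rule whose ACLs all match."""
    rules = parse_http_access(conf)
    facts = set(true_acls) | {"all"}
    for no, action, acls in rules:
        # An ACL prefixed with "!" matches when the named ACL is false.
        if all((a[1:] not in facts) if a.startswith("!") else (a in facts) for a in acls):
            return action, no
    if not rules:
        return "deny", None  # no http_access lines at all: Squid denies
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][1] == "allow" else "allow"), None

# http_access lines in the order posted in the thread.
AS_POSTED = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_access allow our_sites
"""

# Same rules with the accelerator rule moved to the top, as the reply advises.
REORDERED = "http_access allow our_sites\n" + AS_POSTED.replace(
    "http_access allow our_sites\n", "")

# Constructed request: port-80 GET for the accelerated site, client not in localnet.
VISITOR = {"our_sites", "Safe_ports"}

if __name__ == "__main__":
    print("as posted:", decide(AS_POSTED, VISITOR))
    print("reordered:", decide(REORDERED, VISITOR))
```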