[squid-users] Routing Internally And/Or Externally?

nkingsquid nking4930 at hotmail.com
Wed Apr 20 13:59:43 UTC 2016


Eliezer, this was very helpful!  I have changed several things that you
mentioned that were incorrect and I will post my code below (changing names
and IPs to protect the confused :P).

At a high level this is my situation:  Our users have devices that are
supplied by us.  On these devices we have sandboxed apps that we ONLY allow
to come to our domain.  They also have their regular browser & Apps that can
access the web.  

While they are within the sandboxed apps, however, we want that app (for
various reasons) to go to both internal sites and external sites.

So when traffic hits the Squid (This is *AFTER* it gets authenticated thru
various security layers, and lastly thru a NetScaler) it either matches the
list of internal resources and is allowed to continue OR it does not and is
re-directed to a second proxy that will then send it to the internet.  (I
was mistaken before about it going back to the original netscaler it came
from.)

For example:
I browse to *me.examp.com*
     Squid recognizes that is an internal resource and lets me go to the
internal resource

I browse to *google.com*
     Squid recognizes that is NOT an internal resource and sends the traffic
to a second proxy to go to google.com

I browse to *facebook.com*
     Squid recognizes that is NOT an internal resource and sends the traffic
to a second proxy to go to facebook.com

I browse to *anywhere on the internet*
     Squid recognizes that is NOT an internal resource and sends the traffic
to a second proxy to go to anywhere else on the internet

Last question: if I have: acl Internal_Domain dstdomain [-n] .examp.com  do I
NEED to list me.examp.com or them.examp.com?




CODE:

acl Local_Network dst 11.0.0.0/8
acl Local_Network dst 132.0.0.0/8
acl Internal_Domain dstdomain -n .examp.com
acl Internal_Domain dstdomain me.examp.com
acl Internal_Domain dstdomain them.examp.com
acl Internal_Domain dstdomain here.examp.com
acl Internal_Domain dstdomain hereagain.examp.com
acl Internal_Domain dstdomain sigh.examp.com
acl Internal_Domain dstdomain me.examp2.com
acl Internal_Domain dstdomain -n .me.examp3.com
acl Local_Network dst 149.200.214.0/24
acl Local_Network dst 152.130.186.0/24
acl Local_Network dst 192.168.0.0/16
acl Local_Network src 121.0.0.1

# dummy match all domain regex
acl dummy_match dstdom_regex .

acl Inbound_Net_Scaler src 10.24.62.51
acl Outbound_Proxy src 10.213.51.18

acl SSL_ports port 443
acl Safe_ports port 80		
acl Safe_ports port 443		
acl CONNECT method CONNECT


# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports


# Customized deny_info that will redirect to google with some addition
deny_info 302:http://www.google.com/?%H dummy_match

# rule that allows netscaler sources traffic to access internal domains
http_access allow Inbound_Net_Scaler Internal_Domain
# rule that allows netscaler sources traffic to access internal ip addresses
http_access allow Inbound_Net_Scaler Local_Network


#### Need code that states if traffic is from *Inbound_Net_Scaler* but does
#### not match *Internal_Domain* or *Local_Network* to re-direct it to
#### *Outbound_Proxy* ####

http_access deny all


END CODE










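One way to express the routing described in this post, as an added example that is not part of the original message or of the Squid project's own documentation: internal destinations are fetched directly and everything else is handed to the second proxy as a parent peer. The peer port 3128 is an assumption; the ACL names and addresses are the ones used in the post.

```squidconf
# Added example, not the poster's configuration. Assumed values are marked.

# Destinations served directly (names and addresses taken from the post).
# A leading dot matches the domain itself and every subdomain, so
# me.examp.com, them.examp.com and the rest are covered by .examp.com.
acl Internal_Domain dstdomain .examp.com me.examp2.com .me.examp3.com
acl Local_Network dst 11.0.0.0/8 132.0.0.0/8 192.168.0.0/16
acl Local_Network dst 149.200.214.0/24 152.130.186.0/24

# The only client allowed to use this proxy.
acl Inbound_Net_Scaler src 10.24.62.51

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# The second proxy is declared as a parent peer, not as a src ACL.
# ASSUMPTION: it listens on TCP 3128; the 0 disables ICP queries.
cache_peer 10.213.51.18 parent 3128 0 no-query default

# Access control: who may use the proxy at all.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Inbound_Net_Scaler
http_access deny all

# Routing: internal destinations go direct, everything else via the parent.
# The dst ACL makes Squid resolve the requested hostname before deciding.
always_direct allow Internal_Domain
always_direct allow Local_Network
# With never_direct, a request fails if the parent is unreachable
# instead of leaving this proxy directly.
never_direct allow all
```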