[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?
Amos Jeffries
squid3 at treenet.co.nz
Wed Sep 16 16:03:16 UTC 2015
On 17/09/2015 3:42 a.m., Yuri Voinov wrote:
>
> Sure.
>
> I've tried all possible combinations.
> Including this:
>
> # SSL bump rules
> sslproxy_cert_error allow all
> acl DiscoverSNIHost at_step SslBump1
> ssl_bump peek DiscoverSNIHost
> acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.*
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> # Privoxy+Tor access rules
> never_direct allow CONNECT
> never_direct allow tor_url
> always_direct deny tor_url
> always_direct allow all
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow CONNECT
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
The above rules enact the following policy:
* CONNECT requests are required to go DIRECT
"always_direct allow all"
* tor_url requests use the peer, other traffic uses DIRECT
"always_direct deny tor_url" plus,
"never_direct allow tor_url" plus,
"cache_peer_access 127.0.0.1 allow tor_url"
>
> The problem is:
>
> I need to forward to parent the AND combination of the CONNECT and tor_url ACLs.
>
remove all of the always_direct lines.
remove the "cache_peer_access 127.0.0.1 allow CONNECT" line.
That should be all you need.
Amos
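The resulting access rules, written out as an added example (this fragment is not from the thread, and is not Amos's or Yuri's text). It applies Amos's two removals (no always_direct lines, no "cache_peer_access ... allow CONNECT" line) and additionally lists the CONNECT and tor_url ACLs on a single access line so that Squid ANDs them, which is the "CONNECT and tor_url" combination Yuri asked for. It assumes the tor_url ACL is defined elsewhere in squid.conf, as in the original post, and keeps the SSL bump rules from the quoted configuration unchanged.

```squid
# SSL bump rules (unchanged from the quoted configuration)
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.*
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules.
# Two ACLs on one access line are ANDed: only a request that is a CONNECT
# *and* matches tor_url is forced through the parent. No always_direct
# lines at all, so everything else is free to go DIRECT.
# (tor_url is assumed to be defined earlier in squid.conf.)
never_direct allow CONNECT tor_url

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

# Only the CONNECT-and-tor_url traffic may use the peer; the separate
# "allow CONNECT" line is gone, so plain CONNECTs no longer qualify.
cache_peer_access 127.0.0.1 allow CONNECT tor_url
cache_peer_access 127.0.0.1 deny all
```

Check it with "squid -k parse" before reloading, then confirm in access.log that a tor_url CONNECT shows the parent (127.0.0.1:8118) in the hierarchy field while other CONNECTs are logged as direct.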