[squid-users] Squid communications proxy dilemma

Amos Jeffries squid3 at treenet.co.nz
Sat Oct 29 22:38:27 UTC 2016


On 30/10/2016 4:40 a.m., paul.greene.va wrote:
> 
> Our firewall guy says what he's seeing in his logs is that traffic destined for 
> port 443, after it goes through the proxy, is trying to go straight to the 
> vendor over the internet, rather than go through the upstream McAfee gateway as 
> required, and thus, the traffic is getting dropped by the Cisco firewall. I did 
> a packet capture test with the McAfee gateway guy, and he confirmed that no 
> traffic coming from either the WSUS or the SEPM is reaching his gateway.
> 
> I thought this line in the squid.conf file should send traffic from our proxy to 
> the upstream McAfee gateway, but maybe I'm misunderstanding the intent of the 
> cache_peer parent parameter.
> 
> cache_peer <McAfee Gateway IP address>      parent    8080  3130  proxy-only 
> no-query no-netdb-exchange default login=username:password
> 

cache_peer configures the *how* of traffic sent to that gateway. Which
traffic uses it is configured by other directives (cache_peer_access,
always_direct, never_direct, peer_direct, nonhierarchical_direct) and
depends on the type of traffic.

NP: the above also indicates the connection(s) are plain-text HTTP. If
you are using interception then HTTPS traffic cannot go through that
link. Since HTTPS requires end-to-end security, the cache_peer
connection needs to use 'ssl' options for intercepted port 443 to use it
safely.


> (If placement of this cache_peer parameter matters, it's currently near the end 
> of the squid.conf file.)
> 
> As a test, I configured Internet Explorer on the WSUS server to use the proxy 
> for internet access. Without configuring for the proxy, IE can't go anywhere 
> except the local network. IE can hit http websites (e.g. www.cnn.com) when it's 
> configured to use the proxy, but not https websites.
> 
> The Safe_ports and SSL_ports list is the same as the squid.conf defaults.
> 
> This is squid 3.3 running on Redhat 7.
> 
> Any suggestions or pointers?

Assuming you are using explicit/forward proxy, add this to your squid.conf:

 never_direct allow all

If that doesn't work by itself you may need these as well:

 prefer_direct off
 nonhierarchical_direct off

You should not have any existing lines with those directives or with
always_direct. If you do the placement might matter.

Amos
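The points in the reply above, as an added example that is not part of the thread: a small Python checker that reads a squid.conf fragment and reports the routing problems discussed here (a cache_peer parent with no never_direct rule forcing traffic to it, leftover always_direct rules, and an intercepted https_port relayed over a cache_peer that lacks the ssl/tls option). The embedded configurations are constructed from the posted fragment; the 192.0.2.10 address and the certificate path are placeholders, and the 'tls' spelling of the peer option is accepted alongside 'ssl' for newer Squid releases.

```python
"""Check the parent-routing directives in a squid.conf fragment.

Added example, not code from the squid-users thread. It encodes the reply's
points as checks:
  - cache_peer only says HOW to reach the parent; a never_direct allow rule
    (plus, if needed, prefer_direct off / nonhierarchical_direct off) says
    WHICH traffic must use it;
  - always_direct rules would override never_direct and should be absent;
  - an intercepted https_port cannot be relayed over a plain-text peer; the
    cache_peer line needs the 'ssl' option ('tls' in Squid 4 and later).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class RoutingConfig:
    peers: List[Tuple[str, Set[str]]] = field(default_factory=list)  # (host, options)
    never_direct: List[str] = field(default_factory=list)
    always_direct: List[str] = field(default_factory=list)
    prefer_direct: Optional[str] = None
    nonhierarchical_direct: Optional[str] = None
    intercept_https: bool = False


def parse_routing(conf_text: str) -> RoutingConfig:
    """Extract only the directives that decide whether traffic goes direct or via a parent."""
    cfg = RoutingConfig()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        # cache_peer <host> parent <http_port> <icp_port> [options...]
        if directive == "cache_peer" and len(args) >= 4 and args[1] == "parent":
            cfg.peers.append((args[0], set(args[4:])))
        elif directive == "never_direct":
            cfg.never_direct.append(" ".join(args))
        elif directive == "always_direct":
            cfg.always_direct.append(" ".join(args))
        elif directive == "prefer_direct" and args:
            cfg.prefer_direct = args[0]
        elif directive == "nonhierarchical_direct" and args:
            cfg.nonhierarchical_direct = args[0]
        elif directive == "https_port" and "intercept" in args:
            cfg.intercept_https = True
    return cfg


def check_routing(conf_text: str) -> List[str]:
    """Return a list of findings; an empty list means the fragment is consistent."""
    cfg = parse_routing(conf_text)
    findings = []
    if not cfg.peers:
        findings.append("no cache_peer parent defined")
    if not any(rule.startswith("allow") for rule in cfg.never_direct):
        findings.append('no "never_direct allow ..." rule: traffic may still go direct')
    if cfg.always_direct:
        findings.append("always_direct rules present (%d): they override never_direct"
                        % len(cfg.always_direct))
    if cfg.intercept_https:
        for host, opts in cfg.peers:
            if not ({"ssl", "tls"} & opts):
                findings.append("intercepted HTTPS port but cache_peer %s has no ssl/tls option"
                                % host)
    return findings


# Constructed from the posted fragment; 192.0.2.10 stands in for the gateway address.
POSTED_CONF = """
cache_peer 192.0.2.10 parent 8080 3130 proxy-only no-query no-netdb-exchange default login=username:password
"""

# The same fragment with the directives suggested in the reply added.
FIXED_CONF = POSTED_CONF + """
never_direct allow all
prefer_direct off
nonhierarchical_direct off
"""

# Hypothetical interception setup: the plain-text peer is not usable for it.
INTERCEPT_CONF = FIXED_CONF + """
https_port 3129 intercept ssl-bump cert=/etc/squid/example.pem   # placeholder cert path
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF), ("intercept", INTERCEPT_CONF)):
        print(name, check_routing(conf) or "ok")
```

Running the module prints one finding for the posted fragment (no never_direct rule), none for the fixed one, and the missing-ssl finding for the interception variant; the checker deliberately ignores every other directive so it can be run over a full squid.conf.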


