[squid-users] Unable to access a device over port 4434

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Oct 18 07:33:53 UTC 2024


On 17.10.24 20:40, Piana, Josh wrote:
> To clarify on the test, port 4434 is the port that was assigned to get 
> access to that device, one of our firewalls.
>
> I looked at the old Squid config that we have, and it seems this was set up 
> in a way that internal networks were not being passed through the proxy.  
> This was done by either an ACL, or the PAC file, is what we're thinking.  

The exemption has to be done through the PAC file, because once the 
browser's request reaches the proxy, it's impossible to go back and tell 
the browser to go direct.

> The issue is, we don't exactly know how to implement the PAC file on our 
> new Squid box.

The PAC file has to be provided, ideally via HTTP; I'm not sure whether squid 
has that functionality.

I guess a HTTP server was running on your old server, providing the PAC 
file.

> With that said, I agree with your statement that it's difficult to 
> troubleshoot an issue as opposed to going around it.  Unfortunately, that's 
> how it was done before and that's the direction our current management is 
> going again.  So I need to reconfigure the squid.conf file to ignore 
> internal traffic, networks, and IPs, and only web filter and proxy 
> internet connections.  We can't just copy the old config because it 
> doesn't carry over 1:1, and it's an old version from 2.5.

Once more, you can't configure squid to be ignored by browsers, because squid 
can only do anything when it's accessed by browsers, when it's already too 
late.  Either browsers must go around the proxy (PAC or WPAD), or the proxy 
must be allowed to reach the destination server.

Install an apache server on the machine and configure it to serve the PAC.

On 18.10.24 18:59, Amos Jeffries wrote:
>So what you need with Squid is a cache_peer, relaying relevant traffic 
>to that device.

Amos, are you sure this can work in the case described?

>  # details of how Squid should connect to the device
>  cache_peer 172.27.46.253 parent 4434 0 originserver \
>     tls-cert=/path/to/server.ca
>
>  # which traffic to relay there
>  acl foo dstdomain foo.example.com
>  cache_peer_access 172.27.46.253 allow foo
>  never_direct allow foo
>
>  # permission for clients to make requests that reach that device
>  http_access allow localnet foo
>
>
>Add more ACL conditions as needed to restrict the http_access line to 
>the appropriate clients.


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse
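An example of the PAC-side exemption discussed above, added here as an illustration and not posted by anyone in the thread. It assumes the firewall is reachable as 172.27.46.253 (the address from Amos' snippet, on port 4434 or any other), that internal hosts use the DNS suffix .corp.example, and that the new Squid box listens on proxy.corp.example:3128; the helper functions stand in for the browser's isInNet()/dnsResolve() so the file also runs outside a browser, which means only IP literals, not resolved hostnames, are matched against the internal ranges.

```javascript
// Added example PAC file, not from the thread. Assumed values: the firewall
// 172.27.46.253 (Amos' example), suffix .corp.example, Squid on port 3128.
var SQUID = "PROXY proxy.corp.example:3128";
var INTERNAL_SUFFIX = ".corp.example";
var BYPASS_HOSTS = ["172.27.46.253", "fw.corp.example"];   // the firewall
var INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                     "127.0.0.0/8"];

// Dotted-quad IPv4 string -> unsigned 32-bit number, or null if not IPv4.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if IPv4 literal `ip` lies inside `cidr` ("10.0.0.0/8"). Stand-in for
// the browser's isInNet() so the file runs under Node too; it never calls
// dnsResolve(), so only IP literals (not resolved hostnames) match here.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var net = ipv4ToInt(parts[0]), addr = ipv4ToInt(ip), bits = Number(parts[1]);
  if (net === null || addr === null) return false;
  if (bits === 0) return true;                 // avoid a 32-bit shift
  var mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// The browser calls this for every request; `host` carries no port number.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // 1. The firewall itself: never send it through Squid.
  if (BYPASS_HOSTS.indexOf(h) !== -1) return "DIRECT";
  // 2. Unqualified names and the internal DNS suffix: go direct.
  if (h.indexOf(".") === -1) return "DIRECT";
  if (h.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  // 3. RFC 1918 and loopback IP literals: go direct.
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inCidr(h, INTERNAL_NETS[i])) return "DIRECT";
  }
  // 4. Everything else is Internet traffic and must be filtered by Squid.
  // No "; DIRECT" fallback, or clients bypass filtering when the proxy is down.
  return SQUID;
}
```

Serve the file over HTTP with the Content-Type application/x-ns-proxy-autoconfig and point the browsers' automatic proxy configuration URL at it.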