[squid-users] Unable to access a device over port 4434
Piana, Josh
Josh.Piana at hexcel.com
Fri Oct 18 19:52:45 UTC 2024
Hey guys,
Thank you for the feedback in regards to the PAC file and the "cache_peer" directive.
It looks like we're moving forward with the PAC file. So I need to introduce Apache onto my squidbox now.
On a separate note, what would cause me to need to authenticate every time I open a new browser? My credentials are supposed to last a week.
Here's my authentication config:
#####
auth_param basic program /usr/lib64/squid/basic_pam_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 1 week
acl kerb-auth proxy_auth REQUIRED
#####
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
Sent: Friday, October 18, 2024 3:34 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Unable to access a device over port 4434
On 17.10.24 20:40, Piana, Josh wrote:
> To clarify on the test, port 4434 is the port that was assigned to get
> access to that device, one of our firewalls.
>
> I looked at the old Squid config that we have, and it seems this was
> setup in a way that internal networks were not being passed through the proxy.
> This was done by either an ACL, or the PAC file, is what we're thinking.
The exemption has to be done through the PAC file, because once the browser's request reaches the proxy, it's impossible to go back and tell browser to go direct.
> The issue is, we don't exactly know how to implement the PAC file on
> our new Squid box.
The PAC file has to be provided ideally via HTTP; I'm not sure whether squid has that functionality.
I guess a HTTP server was running on your old server, providing the PAC file.
> With that said, I agree with your statement that it's difficult to
> troubleshoot an issue as opposed to go around it. Unfortunately,
> that's how it was done before and that's the direction our current
> management is going again. So I need to reconfigure the squid.conf
> file to ignore internal traffic, networks, and IPs, and only web
> filter and proxy internet connections. We can't just copy the old
> config because it doesn't carry over 1:1, and it's an old version from 2.5.
Once more, you can't ignore squid to be ignored by browsers, because squid can only do anything when it's accessed by browsers, when it's already too late. Either browsers must go around the proxy (PAC or WPAD), or the proxy must be allowed to reach destination server.
Install apache server to the machine and configure it to serve the PAC.
On 18.10.24 18:59, Amos Jeffries wrote:
>So what you need with Squid is a cache_peer, relaying relevant traffic
>to that device.
Amos, are you sure this can work in the case described?
> # details of how Squid should connect to the device
> cache_peer 172.27.46.253 parent 4434 0 originserver \
>     tls-cert=/path/to/server.ca
>
> # which traffic to relay there
> acl foo dstdomain foo.example.com
> cache_peer_access 172.27.46.253 allow foo
> never_direct allow foo
>
> # permission for clients to make requests that reach that device
> http_access allow localnet foo
>
>
>Add more ACL conditions as needed to restrict the http_access line to
>the appropriate clients.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse
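The thread's conclusion is that internal destinations must be exempted in the browser, via a PAC file, because once a request has reached Squid it is too late to send the browser direct. Below is an added example of such a PAC file; it is not from the thread or from the Squid project. The browser calls FindProxyForURL(url, host) for every request and normally supplies the helper functions (isInNet, isPlainHostName, dnsDomainIs); minimal stand-ins are defined here so the file can also be run under Node for testing. Assumptions: the proxy name squidbox.example.com:3128 and the internal DNS zone .corp.example.com are placeholders, and the stand-in isInNet() only understands dotted-quad hosts, whereas a browser's isInNet() would resolve hostnames through DNS. The firewall address 172.27.46.253 and port 4434 come from the thread.

```javascript
// Added example PAC file (not from the thread). Browsers evaluate
// FindProxyForURL() for each request; everything below it is a stand-in
// for helpers that a real PAC runtime provides.

const PROXY = "PROXY squidbox.example.com:3128"; // assumption: your Squid box

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer,
// or return null if the string is not a valid IPv4 address.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n >>> 0;
}

// Stand-in for the PAC helper isInNet(host, pattern, mask).
// Only handles IP-literal hosts; a browser would also resolve names.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Stand-in for isPlainHostName(): true for unqualified names like "intranet".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for dnsDomainIs(): true if host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

function FindProxyForURL(url, host) {
  // 1. Unqualified names and the internal DNS zone are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }
  // 2. Private (RFC 1918) and loopback ranges go direct, so the firewall
  //    management UI on 172.27.46.253:4434 never passes through Squid.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // 3. Everything else (the Internet) is filtered by Squid. There is
  //    deliberately no "; DIRECT" fallback: that would let browsers
  //    silently bypass filtering whenever the proxy is unreachable.
  return PROXY;
}

// Stand-alone check under Node (a browser never runs this part).
if (typeof require !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("https://172.27.46.253:4434/", "172.27.46.253"));
  console.log(FindProxyForURL("https://www.example.com/", "www.example.com"));
}
```

Serve the file from Apache as, for example, proxy.pac with the Content-Type application/x-ns-proxy-autoconfig, and point browsers at its URL (or publish it via WPAD). A PAC rule for a private range is the browser's decision, not Squid's, so it needs no matching change in squid.conf; anything Squid does still receive for those ranges can simply be denied by http_access.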