Re: [squid-users] dstdomain/port acl question
Fri 2007-02-02 at 11:27 -0500, Chris Nighswonger wrote:

> http_access allow manager localhost
> http_access allow manager masada1
> http_access deny manager
> http_access deny CONNECT !SSL_ports
> http_access allow localhost UnauthAccess
> http_access allow localhost WindowsUpdate
> http_access allow localhost Java
> http_access allow cnighswonger-lt
> http_access allow localhost PURGE
> http_access allow localhost AuthorizedUsers
> # Deny connections from inside to the outside webradio stream and redirect them to the inside stream
> # The first two entries handle direct stream requests. The last two handle file list requests.
> http_access deny streamserver streamport
> deny_info http://192.168.0.238:8000/mountpt streamserver streamport
> http_access deny streamlink
> deny_info http://192.168.0.238:8000/list.m3u streamlink
> # http_access deny !Safe_ports
> http_access deny all

This looks a bit odd.. you can not deny what has already been allowed..

http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-926288cb0cbbdea92bc4a807f06dd75ddbc446ff

Regards
Henrik
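Added example (not part of the original thread, and not Squid's own code): a simplified Python model of the first-match evaluation Henrik points to, run over the http_access lines quoted above. The ACL predicates and the sample request are constructed; AuthorizedUsers is assumed to match any authenticated user, and stream_denies_first is a hypothetical helper that moves the two stream deny lines to the top.

```python
# Simplified model of Squid http_access: lines are checked top to bottom, the
# ACL names on a line are ANDed, and the first line that matches decides.
ORIGINAL = """\
http_access allow manager localhost
http_access allow manager masada1
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow localhost UnauthAccess
http_access allow localhost WindowsUpdate
http_access allow localhost Java
http_access allow cnighswonger-lt
http_access allow localhost PURGE
http_access allow localhost AuthorizedUsers
http_access deny streamserver streamport
http_access deny streamlink
http_access deny all
"""
# Constructed ACL predicates (assumptions). ACLs not listed here do not apply to
# the sample request or are not defined in the thread; they never match.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "AuthorizedUsers": lambda r: r["user"] is not None,
    "streamserver": lambda r: ("." + r["host"]).endswith(".streamserver.com"),
    "streamport": lambda r: r["port"] == 1234,
}

def parse(conf):  # -> [(action, [acl names])]
    words = (line.split() for line in conf.splitlines())
    return [(w[1], w[2:]) for w in words if len(w) > 2 and w[0] == "http_access"]

def matches(name, req):  # a leading "!" negates the ACL
    if name.startswith("!"):
        return not matches(name[1:], req)
    return ACLS.get(name, lambda r: False)(req)

def decide(rules, req):  # first matching line wins
    for action, names in rules:
        if all(matches(n, req) for n in names):
            return action, " ".join(names)
    return None, None

def stream_denies_first(rules):  # move the stream deny lines ahead of the allows
    stream = [r for r in rules if r[1][0].startswith("stream")]
    return stream + [r for r in rules if r not in stream]

# Constructed request: an authenticated local user asking for the outside stream.
REQ = {"src": "127.0.0.1", "host": "streamserver.com", "port": 1234, "user": "Administrator"}
for rules in (parse(ORIGINAL), stream_denies_first(parse(ORIGINAL))):
    print(decide(rules, REQ))
```

With the original order the request is decided by "allow localhost AuthorizedUsers" before the stream deny line is ever reached; with the deny lines first, the same request is denied and deny_info can take effect.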
Re: [squid-users] dstdomain/port acl question
Thu 2007-02-01 at 16:26 -0500, Chris Nighswonger wrote:

> The following is my setup to handle the direct connections:
>
> acl streamserver dstdomain .streamserver.com
> acl streamport 1234
> http_access deny streamserver streamport
> deny_info http://192.168.0.x:8000/mountpt streamserver streamport

Where is this in relation to your other http_access rules?

And what is said in access.log?

But for this task of directing users to a local mirror even if they request the original Internet address I'd recommend you to use a url rewriter. This way you can get the local mirror completely transparent to your users, not even knowing they access the local mirror.

Regards
Henrik
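Added example (not from the thread, and not taken from adzapper, squirm or any other existing redirector): a minimal URL rewriter helper in Python for the redirection Henrik recommends. It assumes the Squid 2.x-era helper protocol, in which each input line starts with the requested URL and the helper answers with the replacement URL or an empty line for "no change"; the mirror address and paths are the ones quoted in the configs in this thread.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import urlsplit

# Internal streamer, as given in the deny_info lines quoted in the thread.
MIRROR = "http://192.168.0.238:8000"

def rewrite(url):
    """Return the local mirror URL for outside-stream requests, else ''."""
    try:
        parts = urlsplit(url)
        host, port = (parts.hostname or "").lower(), parts.port
    except ValueError:          # malformed URL or port: leave it unchanged
        return ""
    if parts.scheme != "http":  # CONNECT targets, https, cache_object, ...
        return ""
    if host != "streamserver.com" and not host.endswith(".streamserver.com"):
        return ""
    if port == 1234:            # direct stream request
        return MIRROR + "/mountpt"
    if port in (None, 80) and parts.path.lower().startswith("/list."):
        return MIRROR + "/list.m3u"   # playlist request (list.asx and similar)
    return ""

def handle_line(line):
    """One helper request: only the first field (the URL) is used here."""
    fields = line.split()
    return rewrite(fields[0]) if fields else ""

def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()      # Squid waits for each answer; never buffer

if __name__ == "__main__":
    main()
```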
Re: [squid-users] dstdomain/port acl question
On 2/2/07, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> Thu 2007-02-01 at 16:26 -0500, Chris Nighswonger wrote:
>> The following is my setup to handle the direct connections:
>>
>> acl streamserver dstdomain .streamserver.com
>> acl streamport 1234
>> http_access deny streamserver streamport
>> deny_info http://192.168.0.x:8000/mountpt streamserver streamport
>
> Where is this in relation to your other http_access rules?

http_access allow manager localhost
http_access allow manager masada1
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow localhost UnauthAccess
http_access allow localhost WindowsUpdate
http_access allow localhost Java
http_access allow cnighswonger-lt
http_access allow localhost PURGE
http_access allow localhost AuthorizedUsers
# Deny connections from inside to the outside webradio stream and redirect them to the inside stream
# The first two entries handle direct stream requests. The last two handle file list requests.
http_access deny streamserver streamport
deny_info http://192.168.0.238:8000/mountpt streamserver streamport
http_access deny streamlink
deny_info http://192.168.0.238:8000/list.m3u streamlink
# http_access deny !Safe_ports
http_access deny all

> And what is said in access.log?

The access.log shows two TCP_DENIED and one TCP_MISS all looking at the outside streaming server.

1170362412.967 5 127.0.0.1 TCP_DENIED/407 1903 GET http://streamserver.com:7590/ - NONE/- text/html
1170362413.015 41 127.0.0.1 TCP_DENIED/407 2136 GET http://streamserver.com:7590/ - NONE/- text/html
1170362431.237 1 127.0.0.1 TCP_DENIED/407 1903 GET http://streamserver.com:7590/ - NONE/- text/html
1170362431.270 18222 127.0.0.1 TCP_MISS/600 4515 GET http://streamserver.com:7590/ Administrator DIRECT/69.5.81.71 -
1170362431.285 5 127.0.0.1 TCP_DENIED/407 2136 GET http://streamserver.com:7590/ - NONE/- text/html
1170362431.530 1 127.0.0.1 TCP_DENIED/407 1903 GET http://streamserver.com:7590/ - NONE/- text/html
1170362431.532243 127.0.0.1 TCP_MISS/600 8859 GET http://streamserver.com:7590/ Administrator DIRECT/69.5.81.71 -

> But for this task of directing users to a local mirror even if they request the original Internet address I'd recommend you to use a url rewriter. This way you can get the local mirror completely transparent to your users, not even knowing they access the local mirror.

I have had some difficulty setting up for two redirectors (adzapper and squirm). I saw your post on this route and decided to give it a try. :)

Chris
Re: [squid-users] dstdomain/port acl question
Chris Nighswonger wrote:
> Hi all,
>
> We run a webradio which is broadcast via an external streaming service (A). In an effort to keep the Internet pipe from becoming congested with audio streaming traffic from on-campus users listening to the stream, we setup an internal streamer (B) for use on campus. Of course you have those who are not paying attention to the notice to use the inside streamer rather than the outside.
>
> Since I run dg/squid, I am configuring squid to redirect traffic requests headed for A to B.
>
> There are two ways of accessing the stream. One is via a playlist file. (i.e. http://streamserver.com/list.asx) The other is directly. (i.e. http://streamserver.com:1234/)
>
> I have setup the following to handle the playlist url's:
>
> acl streamlink url_regex -i ^http://streamserver.com/list.
> http_access deny streamlink
> deny_info http://192.168.0.x:8000/list.m3u streamlink
>
> This part works great! (Thanks Henrik. :)
>
> The following is my setup to handle the direct connections:
>
> acl streamserver dstdomain .streamserver.com
> acl streamport 1234

Assuming this is not a typo, you forgot an important feature. The ACL type.

acl streamport port 1234

> http_access deny streamserver streamport
> deny_info http://192.168.0.x:8000/mountpt streamserver streamport
>
> This one does not work at all. Watching the access.log, squid authenticates the request and then proceeds to pass the traffic to the external streaming server (A). Looking into the packets with wireshark shows that they are indeed headed for streamserver.com:1234
>
> Two questions:
>
> 1. Am I using the correct acl types to match http://streamserver.com:1234/ (dstdomain + port)?
> 2. Am I doing this entire redirect the hard way? I would think that squid would be the logical place to take care of this. Or is it iptables?
>
> Thanks,
> Chris

Chris
Re: [squid-users] dstdomain/port acl question
>> acl streamport 1234
>
> Assuming this is not a typo, you forgot an important feature. The ACL type.
>
> acl streamport port 1234

Sorry about that. It is a typo. That line in the config does include the port ACL type.

Thanks,
Chris