Your access controls are very strange
> acl ACISNETWORK src 10.1.1.0/255.255.255.0 > acl all src 0.0.0.0/0.0.0.0 > acl manager proto cache_object > acl localhost src 127.0.0.1/255.255.255.255 > acl to_localhost dst 127.0.0.0/8 > acl SSL_ports port 443 563 > acl Safe_ports port 80 > acl CONNECT method GET POST HEAD CONNECT PUT DELETE > http_access allow manager localhost > http_access deny manager > http_access allow ACISNETWORK The above allows any request from a client in your ACISNETWORK. It even allows a user to make a CONNECT request to any port, such as port 25. That allows Squid to be used as a spam relay, and is a very bad idea. The rest of these ACLs apply only to request coming from somewhere except ACISNETWORK. > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports Since you rediefined CONNECT to include other methods, the above would deny a GET request to port 80, for example. Probably not what you want to do. You should leave the CONNECT acl with only the connect method. > http_reply_access allow ACISNETWORK > http_access deny ACISNETWORK The above line is not necessary because any request that matches ACISNETWORK was already allowed above and will never reach this point in the rules. > icp_access deny ACISNETWORK > http_access deny all > icp_access deny all I'm not really sure about your setup, but I think your ACL rules should probably look like this: acl ACISNETWORK src 10.1.1.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny CONNECT !SSL_ports http_access deny !Safe_ports http_access allow ACISNETWORK You may want to add more ports to Safe_ports. If you have users on other networks (besides ACISNETWORK), you should make another ACL for that network and allow it also. Duane W.