Hi all,

I am running a squid1->DG->squid2 sandwich setup and I am facing the following problem. When I give "never_direct allow all" in squid1.conf, I am not able to access any https sites. Without the above configuration line, all users can access https sites and even sites denied in the content filter. For example, suppose http://www.redhat.com is a banned site in the content filter; I am able to access https://www.redhat.com, which bypasses the content filter and is served by squid2.

My requirement is to allow all https traffic through this setup, but the requests should flow through the content filter and then to squid2 for serving. Is it possible to tell squid1 to pass the https traffic to the content filter and then to squid2? The ports used here are 3128->8080->8081. Following is the configuration of my

squid1.conf
----------------
http_port 3128
cache_peer 127.0.0.1 parent 8080 0 no-query proxy-only default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
##Changed for user authentication
auth_param basic program /usr/lib/squid/pam_auth
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
## Change for deny caching
never_direct allow all
no_cache deny all
cache_access_log /var/log/squid/access.log
visible_hostname 192.168.10.175
acl students src 192.168.10.2-192.168.10.25
acl ttt src 192.168.10.25-192.168.10.254
acl test dstdom_regex .yahoo.com .google.* .org
acl test1 dstdom_regex .sun.* .oracle.*
acl test2 dstdom_regex .rediff.*
acl time1 time 00:00-23:00
acl time2 time 09:00-23:00
acl lpdf urlpath_regex pdf$ mp3$ gif$ gz$
acl ljob url_regex -i ^http://*job*
acl usr1 proxy_auth user3 user1
http_access allow students usr1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Squid2.conf
---------------
http_port 8081
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24
http_access allow Safe_ports
http_access allow SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname 192.168.10.175
coredump_dir /usr/local/squid/var/cache

Thanks for any help

Regards
Shiva Raman