To all,
I do appreciate all assistance I have received. I do have this working very well - silly me, the first failures were do to ACL structured ( I was allowing based on the destination, not the source ).
Anyway, I am submitting my configuration and layout just in case someone else runs into this situation - forgive me if this is longwinded....
Situation: We needed to establish a VPN link with another provider and do to established VPN's at the source, we had to create this link using a separate or alternate subnet that did not exist on our network. Simple enough but the NAT functions on our Gauntlet firewall did not work (gauntlet support is baffled on why), however all we needed was web access so I configured squid on our internal (linux)dns/dhcp server and added a secondary nic card. A little ipmasq and static-routes, we were in business.
Firwall squid configuration:
cache_peer proxy2 parent 3128 0 proxy-only allow-miss no-query
acl careauth proxy_auth "/usr/local/squid/etc/carenet_users"
acl carenet_dsta srcdomain site.domain.org
acl carenet_dstb dst 100.0.0.0/8
no_cache deny carenet_dsta
no_cache deny carenet_dstb
http_access deny carenet_dsta carenet_dstb !careauth
never_direct allow carenet_dsta
never_direct allow carenet_dstb
cache_peer_access proxy2 allow internal_src
Secondary Proxy
cache_peer proxy1 sibling 3128 3130 proxy-only
I did not configured much access restrictions on the proxy2 based on the assumption that if they passed the authenticaiton, I did not want to box myself in. Basicly the proxy2 is the only device that has direct access to this VPN network other than the firewall. The internal routing will only route the 100.0.0.0/8 to the proxy2. I did not need nor want any caching so if the user id is in the carenet auth file, away they go.
The only question I still have is how to write a regex expression that will match either a domain name or ipaddress/mask in one file. This is the reason for the dsta and dstb acl lines. If anyone wants my conf files, I will send via private email.
Again - thanks for the help!!
Vernon Fort
-----Original Message-----
From: Vernon A. Fort
Sent: Tuesday, March 26, 2002 12:41 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Two Instances of Squid
Hello,
I have a situation where I need to run squid on two seperate interfaces on the same machine but the second instance will only be used for a specific address.
Instance one (primary for nornal internet browsing) 192.168.1.13:3128
Instance two ( only for a private ip address browsing) 192.168.103.13:3128
What do I need to configured on the primary so any request for this private ip address get forwarded to the second instance of squid?
Any help would be greatly appreciated!!
--------------------------------------------------
Vernon A. Fort
Jobsoft Design & Development Inc.
http://www.jobsoft.com
(615) 904-9559 ext 19
Received on Sat Mar 30 2002 - 15:13:18 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:13 MST