RE: [squid-users] Port based ACLs for Squid setup with upstream proxying to Surfingate's Finjan-

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 9 Feb 2005 09:36:51 -0900

> -----Original Message-----
> From: Maxx Christopher Lobo [mailto:maxx@arraycomm.com]
> Sent: Tuesday, February 08, 2005 5:21 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Port based ACLs for Squid setup with upstream
> proxying to Surfingate's Finjan-
>
>
> Hi:
>
> I've included relevant parts of the conf file at the end of this email,
> but first the human-readable version...
>
> A quick description of the situation:
> -------------------------------------
> I have a working Squid-2.5.Stable5-4.fc2.2 installation under Linux,
> using transparent proxying in conjunction with Cisco's WCCP. The Squid
> box uses Surfingate's FinJAN (an active content filtering/scanning
> proxy) as its upstream proxy.
> In other words, http requests leave the user's PC, are intercepted
> through WCCP, passed to squid, and squid passes them to FinJAN. For
> various reasons, I can't alter this chain.
> The corporate firewall blocks all outgoing traffic that does not pass
> through a proxy. Users cannot connect to FinJAN directly - all proxying
> is done through Squid. FinJAN only handles HTTP and FTP.
> I have an ACL for a group of IP addresses (a few servers, some admin
> workstations) that bypass this chain, and do NOT use FinJAN. Squid
> handles all proxying for these specific IPs.
>
> A quick description of the problem:
> -----------------------------------
> Windows Media Player and Yahoo's LaunchCast (the latter essentially
> uses the former) are 'broken' for the native radio streams
> that use MMS or RTSP (TCP/UDP 1755 and 554) - because the traffic is
> passed to Squid, which in turn passes it to FinJAN - and FinJAN does not
> know how to handle this traffic, since it wasn't designed to do this.
>
> I'd like to point out here that 'true' HTTP based audio streams (like
> the ones that use port 80) are unaffected by this situation, and work
> fine with this chain of proxies.
>
> What I would like to know/do:
> -----------------------------
> Is it possible to use the cache_peer directive to pass all port 80/443
> traffic to FinJAN, and process all other 'Safe_Ports' traffic locally
> through Squid?

Simple enough. See below.

>
> Currently I have the ability to do this with ACLs that define a group of
> PCs (by IP address). I don't know how to do this using port numbers. Is
> this even possible?
>
> An alternative solution would be for me to run two squid processes on
> the same box, one which handles port 80/443 traffic, and the other which
> handles all other safe ports. This will very likely solve my problem,
> but before I go that messy route, I want to make sure that a simple ACL
> isn't the real solution.
>
> The relevant squid.conf:
> ------------------------
> #
> # Begin squid.conf
> #
> acl Safe_ports port 20 21 70 80 210 443 563 800 1025-65535
> acl CONNECT method CONNECT GET POST PROPFIND HEAD
> #
> acl dns-Local dstdomain .xyz.com
> acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
> acl all src 0.0.0.0/0.0.0.0

acl streaming port 554 1755

> #
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT
> http_access deny all
> #
> cache_peer finjan.xyz.com parent 5150 0 no-query default

always_direct allow streaming

> always_direct allow dns-Local
> always_direct allow IT_PCS
> never_direct allow all
> #
> # End squid.conf
> #
>
> If this is possible, I'd be grateful for an example. Thanks-
>
> --Maxx Lobo

Tada! At least in theory... :o)

If you want to limit responses on these ports to only allow streaming music,
look into the http_reply_access/rep_mime_type acl combination.

Chris
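As an added illustration (not code from the thread or from Squid itself), this Python model applies the quoted ACLs plus the suggested streaming ACL in Squid's order, first match winning per directive and always_direct consulted before never_direct, to a few constructed requests so you can see which traffic bypasses the filtering parent; the client-admitting http_access rule and the user PC address 192.168.0.77 are assumptions.

```python
from ipaddress import ip_address, ip_network
# ACLs from the quoted squid.conf plus the suggested "streaming" ACL.
ACLS = {
    "Safe_ports": ("port", [20, 21, 70, 80, 210, 443, 563, 800, range(1025, 65536)]),
    "dns-Local": ("dstdomain", [".xyz.com"]),
    "IT_PCS": ("src", ["192.168.0.1", "192.168.0.5", "192.168.0.25"]),
    "all": ("src", ["0.0.0.0/0"]),
    "streaming": ("port", [554, 1755]),
}
# Assumption: the post omits the rule that admits clients, so "allow all" stands in for it.
HTTP_ACCESS = [("deny", ["!Safe_ports"]), ("allow", ["all"])]
ALWAYS_DIRECT = [("allow", ["streaming"]), ("allow", ["dns-Local"]), ("allow", ["IT_PCS"])]
NEVER_DIRECT = [("allow", ["all"])]

def acl_matches(name, req):
    negate = name.startswith("!")  # a leading '!' negates the ACL, as in squid.conf
    kind, values = ACLS[name.lstrip("!")]
    if kind == "port":
        hit = any(req["port"] == v if isinstance(v, int) else req["port"] in v for v in values)
    elif kind == "src":
        hit = any(ip_address(req["src"]) in ip_network(v) for v in values)
    else:  # dstdomain: a leading dot matches the domain and every subdomain
        hit = any(req["host"] == v.lstrip(".") or req["host"].endswith(v) for v in values)
    return hit != negate

def first_match(rules, req):
    # Squid semantics: the first rule whose ACLs all match decides; None if none does.
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action
    return None

def route(req):
    # Outcome: "denied", "direct", or "parent" (handed to the FinJAN cache_peer).
    if first_match(HTTP_ACCESS, req) != "allow":
        return "denied"
    if first_match(ALWAYS_DIRECT, req) == "allow":  # always_direct wins over never_direct
        return "direct"
    return "parent" if first_match(NEVER_DIRECT, req) == "allow" else "parent-preferred"
# Constructed sample requests; 192.168.0.77 stands for an ordinary user PC.
REQUESTS = {
    "user web 80":   {"src": "192.168.0.77", "host": "www.example.com", "port": 80},
    "user mms 1755": {"src": "192.168.0.77", "host": "media.example.com", "port": 1755},
    "user rtsp 554": {"src": "192.168.0.77", "host": "media.example.com", "port": 554},
    "IT PC web 80":  {"src": "192.168.0.5", "host": "www.example.com", "port": 80},
    "user intranet": {"src": "192.168.0.77", "host": "wiki.xyz.com", "port": 80},
}
def classify_all():
    return {name: route(req) for name, req in REQUESTS.items()}
```

With the Safe_ports list as quoted, port 554 is rejected by `http_access deny !Safe_ports` before always_direct is even consulted, so RTSP also needs 554 added to Safe_ports. Every port allowed direct this way skips FinJAN's content scanning entirely, so keep the streaming list to the ports actually needed.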
Received on Wed Feb 09 2005 - 11:37:03 MST
