RE: [squid-users] Port based ACLs for Squid setup with upstream proxying to Surfingate's Finjan-

From: Maxx Christopher Lobo <maxx@dont-contact.us>
Date: Wed, 09 Feb 2005 16:55:26 -0800

Chris:

Thanks for the suggestion - I added the port based ACL to the
always_direct list, and my new squid.conf is included below.

I've tested the veracity of the port based ACL, using an FTP client -
where previously the FTP connection would be shunted to FinJAN, now
squid passes it through itself - which is exactly what I was hoping for.

And unfortunately that isn't the end of the problem. Windows Media
Player streams (non-port 80) are still having the same issue as before -
the stream is able to connect, and it says 'playing', but no audio
actually plays. (I've obviously eliminated the basic issues like sound
card not working and so on ;-))
When the IP based ACL is used, this problem disappears, and the PC is
able to play the stream without a problem.

Is there something else I'm missing?

## Begin squid.conf
#
acl Web_ports port 80
acl SSL_ports port 443 563
acl Media_ports port 554 1755
acl Safe_ports port 20 21 70 210 1025-65535
acl CONNECT method CONNECT GET POST PROPFIND HEAD
#
acl dns-Local dstdomain .xyz.com
acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
acl all src 0.0.0.0/0.0.0.0
#
http_access allow localhost
http_access allow Web_ports
http_access allow SSL_ports
http_access allow Media_ports
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
#
cache_peer finjan.xyz.com parent 5150 0 no-query default
always_direct allow dns-Local
always_direct allow IT_PCS
always_direct allow SSL_ports
always_direct allow Media_ports
always_direct allow Safe_ports
never_direct allow all
#
## End squid.conf

---Maxx

On Wed, 2005-02-09 at 10:36, Chris Robertson wrote:
> > Hi:
> >
> > I've included relevant parts of the conf file at the end of this email,
> > but first the human-readable version...
> >
> > A quick description of the situation:
> > -------------------------------------
> > I have a working Squid-2.5.Stable5-4.fc2.2 installation under Linux,
> > using transparent proxying in conjunction with Cisco's WCCP. The Squid
> > box uses Surfingate's FinJAN (an active content filtering/scanning
> > proxy) as its upstream proxy.
> > In other words, http requests leave the user's PC, are intercepted
> > through WCCP, passed to squid, and squid passes them to FinJAN. For
> > various reasons, I can't alter this chain.
> > The corporate firewall blocks all outgoing traffic that does not pass
> > through a proxy. Users cannot connect to FinJAN directly - all proxying
> > is done through Squid. FinJAN only handles HTTP and FTP.
> > I have an ACL for a group of IP addresses (a few servers, some admin
> > workstations) that bypass this chain, and do NOT use FinJAN. Squid
> > handles all proxying for these specific IPs.
> >
> > A quick description of the problem:
> > -----------------------------------
> > Windows Media Player and Yahoo's LaunchCast (the latter essentially
> > uses the former) are 'broken' for the native radio streams
> > that use MMS or RTSP (TCP/UDP 1755 and 554) - because the traffic is
> > passed to Squid, which in turn passes it to FinJAN - and FinJAN does not
> > know how to handle this traffic, since it wasn't designed to do this.
> >
> > I'd like to point out here that 'true' HTTP based audio streams (like
> > the ones that use port 80) are unaffected by this situation, and work
> > fine with this chain of proxies.
> >
> > What I would like to know/do:
> > -----------------------------
> > Is it possible to use the cache_peer directive to pass all port 80/443
> > traffic to FinJAN, and process all other 'Safe_Ports' traffic locally
> > through Squid?
>
> Simple enough. See below.
>
> >
> > Currently I have the ability to do this with ACLs that define a group of
> > PCs (by IP address). I don't know how to do this using port numbers. Is
> > this even possible?
> >
> > An alternative solution would be for me to run two squid processes on
> > the same box, one which handles port 80/443 traffic, and the other which
> > handles all other safe ports. This will very likely solve my problem,
> > but before I go that messy route, I want to make sure that a simple ACL
> > isn't the real solution.
> >
> > The relevant squid.conf:
> > ------------------------
> > #
> > # Begin squid.conf
> > #
> > acl Safe_ports port 20 21 70 80 210 443 563 800 1025-65535
> > acl CONNECT method CONNECT GET POST PROPFIND HEAD
> > #
> > acl dns-Local dstdomain .xyz.com
> > acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
> > acl all src 0.0.0.0/0.0.0.0
>
> acl streaming port 554 1755
>
> > #
> > http_access allow localhost
> > http_access deny !Safe_ports
> > http_access deny CONNECT
> > http_access deny all
> > #
> > cache_peer finjan.xyz.com parent 5150 0 no-query default
>
> always_direct allow streaming
>
> > always_direct allow dns-Local
> > always_direct allow IT_PCS
> > never_direct allow all
> > #
> > # End squid.conf
> > #
>
> Tada! At least in theory... :o)
>
> If you want to limit responses on these ports to only allow streaming music,
> look into the http_reply_access/rep_mime_type acl combination.
>
> Chris
Received on Wed Feb 09 2005 - 17:55:35 MST
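To see what the posted policy actually decides for a given request, here is an added example (not code from the thread, and not Squid's own code): a small Python model of Squid's first-match evaluation of `http_access`, `always_direct` and `never_direct` for the `src`, `dstdomain`, `port` and `method` ACL types. It embeds the second squid.conf from the reply above with the `port` keyword restored on the three port ACLs (assumed to be a transcription slip, since Squid requires it), adds the stock `acl localhost src 127.0.0.1/255.255.255.255` definition that Squid 2.5's default squid.conf supplies, and uses constructed client addresses and hostnames. Peer selection is simplified to the three outcomes that matter here: denied, forced direct, or forced through the parent.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the poster's second squid.conf, with the 'port' keyword
# restored on the first three ACLs (assumption) and Squid 2.5's default
# localhost ACL added (assumption: it lives in the stock squid.conf).
SQUID_CONF = """
acl localhost src 127.0.0.1/255.255.255.255
acl Web_ports port 80
acl SSL_ports port 443 563
acl Media_ports port 554 1755
acl Safe_ports port 20 21 70 210 1025-65535
acl CONNECT method CONNECT GET POST PROPFIND HEAD
acl dns-Local dstdomain .xyz.com
acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
acl all src 0.0.0.0/0.0.0.0
http_access allow localhost
http_access allow Web_ports
http_access allow SSL_ports
http_access allow Media_ports
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
cache_peer finjan.xyz.com parent 5150 0 no-query default
always_direct allow dns-Local
always_direct allow IT_PCS
always_direct allow SSL_ports
always_direct allow Media_ports
always_direct allow Safe_ports
never_direct allow all
"""


@dataclass
class Request:
    src: str        # client IP address
    dsthost: str    # requested hostname
    port: int       # destination TCP port
    method: str = "GET"


def parse_conf(text):
    """Collect acl definitions and the three access lists we model, in file order."""
    acls = {}
    rules = {"http_access": [], "always_direct": [], "never_direct": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] in rules:
            rules[parts[0]].append((parts[1], parts[2:]))  # (allow|deny, terms)
    return acls, rules


def acl_matches(acls, name, req):
    """Match one named ACL against the request, Squid-style for each supported type."""
    acl_type, values = acls[name]
    if acl_type == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:
            lo, _, hi = v.partition("-")          # single port or lo-hi range
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "dstdomain":
        host = req.dsthost.lower()
        # a leading dot matches the domain itself and every subdomain
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type: {acl_type}")


def evaluate(acls, rule_list, req):
    """First rule whose terms all match wins; '!' negates a term.
    If nothing matches, Squid applies the opposite of the last rule's action."""
    if not rule_list:
        return None
    for action, terms in rule_list:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rule_list[-1][0] == "allow" else "allow"


def route(acls, rules, req):
    """Outcome for one request: denied, forced direct, forced via the parent, or left to Squid."""
    if evaluate(acls, rules["http_access"], req) != "allow":
        return "denied"
    if evaluate(acls, rules["always_direct"], req) == "allow":
        return "direct"
    if evaluate(acls, rules["never_direct"], req) == "allow":
        return "peer"
    return "squid-chooses"


def decisions():
    """Run a few constructed requests through the posted policy and return the outcomes."""
    acls, rules = parse_conf(SQUID_CONF)
    samples = {
        "mms 1755 from 192.168.0.50": Request("192.168.0.50", "stream.example.net", 1755),
        "http 80 from 192.168.0.50": Request("192.168.0.50", "www.example.net", 80),
        "http 80 from IT PC 192.168.0.5": Request("192.168.0.5", "www.example.net", 80),
        "http 80 to intranet.xyz.com": Request("192.168.0.50", "intranet.xyz.com", 80),
        "CONNECT 443 from 192.168.0.50": Request("192.168.0.50", "secure.example.net", 443, "CONNECT"),
        "smtp 25 from 192.168.0.50": Request("192.168.0.50", "mail.example.net", 25),
    }
    return {label: route(acls, rules, req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, outcome in decisions().items():
        print(f"{label:36} -> {outcome}")
```

Walking the constructed requests through confirms the routing the reply describes: a port 1755 request from an ordinary workstation is accepted by `http_access allow Media_ports` and sent direct by `always_direct allow Media_ports`, while port 80 from the same workstation matches nothing in `always_direct` and falls to `never_direct allow all`, i.e. the FinJAN parent. Two things the evaluator also makes visible in the posted file: `always_direct allow SSL_ports` sends port 443 direct rather than to the parent, and the ACL named `CONNECT` lists GET, POST, PROPFIND and HEAD as well, so `http_access deny CONNECT` rejects any request that reaches it regardless of method.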
