[squid-users] Citrix ICA and Squid ...

From: Adam Pearse <apearse@dont-contact.us>
Date: Mon, 13 Nov 2006 11:57:50 -0700

After reading through the squid archive and the various Citrix support
documents, I have found a combination of settings which will allow my
users to access Citrix through the squid proxy. I am seeking a better
understanding of the ramifications of what I had to do and would
appreciate your collective thoughts on my changes ...

In squid.conf:

before my changes:

acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
acl manager proto cache_object
acl PURGE method PURGE
acl localhost src 127.0.0.1/255.255.255.255
acl grandsquid src 99.99.99.99/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # Autorpm.org
acl Safe_ports port 89 # Oracle Technical Forums
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow manager grandsquid
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access allow PURGE localhost
http_access allow localhost
http_access deny all

after the change I made:

acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
acl manager proto cache_object
acl PURGE method PURGE
acl localhost src 127.0.0.1/255.255.255.255
acl grandsquid src 99.99.99.99/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 80 443 563 1494 2598
acl Safe_ports port 80 # http
acl Safe_ports port 81 # Autorpm.org
acl Safe_ports port 89 # Oracle Technical Forums
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow manager grandsquid
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access allow PURGE localhost
http_access allow localhost
http_access deny all

The change is found on the line:

acl SSL_ports port 80 443 563 1494 2598

Now the part I don't understand. I found 1494 and 2598 and understand
why they are needed but it wasn't until I added port 80 to SSL ports
that I was successful in making a connection. What are the security
concerns or issues this brings? Is there another way to accomplish
this? Is it important?
Received on Mon Nov 13 2006 - 11:57:56 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST