[squid-users] Adding WAN IP address to SQUID.CONF so users can run .net program

From: <MargaretGillon_at_chromalloy.com>
Date: Mon, 12 Sep 2011 15:48:50 -0700

I am on a WAN with another division. We are trying to run a web program at
that divison but SQUID denies the address. I use a whitelist and added the
IP adress to the whitelist but the program still won't run. I also added
the server by name ".services.chromalloy.local" to the whitelist. I also
added the program's post to the Safe_ports list. The other divison also
uses SQUID and when they added the server's IP to their whitelist the
program could run. I am guessing the problem is that we are on 2 different
networks and the server isn't on our local network? My squid.conf is
below. I am on the 192.168.100.0 network and the program is on the
193.168.3.0 network. I marked the lines I changed with added 2011-09-12. I
am running Squid3 on Ubuntu 10.04.1.
Thanks, Margaret.

*** This is from the access.log file
1315858391.599 0 192.168.100.19 TCP_DENIED/403 2614 GET
http://services.chromalloy.local:8888/VFG/VirtualFG.svc - NONE/- text/html
1315858401.149 11 192.168.100.19 TCP_DENIED/403 2419 GET
http://192.168.3.42/ - NONE/- text/html

*** this is my squid.conf

#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl server src 192.168.3.1/255.255.255.255 #added 2011-09-12
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.100.0/24 192.168.101.0/24 192.168.3.0/24 #added
3.0 2011-09-12
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8888 # 192.168.3.42 at CNV, added 2011-09-12

acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow manager server # added 2011-09-12
http_access deny manager
http_access deny !Safe_ports

http_access deny to_localhost
icp_access deny all
htcp_access deny all

http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid3/access.log squid

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

acl whitelist dstdomain "/etc/squid3/whitelist.txt"

# Allow localnet machines to whitelisted sites
http_access allow localnet whitelist

# block all other access
http_access deny all

"This e-mail message and any attachment(s) are for the sole use of the
intended recipient(s) and may contain company proprietary, privileged or
confidential information. If you are not the intended recipient(s), please
contact the sender by reply e-mail, advise them of the error and destroy
this message and its attachments as well as any copies. The review, use or
distribution of this message or its content by anyone other than the
intended recipient or senior management of the company is strictly
prohibited."
Received on Mon Sep 12 2011 - 22:49:03 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 13 2011 - 12:00:02 MDT