On Mon, 12 Sep 2011 15:48:50 -0700, MargaretGillon wrote:
> I am on a WAN with another division. We are trying to run a web
> program at that division but SQUID denies the address. I use a
> whitelist and added the IP address to the whitelist but the program
> still won't run. I also added the server by name
> ".services.chromalloy.local" to the whitelist. I also added the
> program's port to the Safe_ports list. The other division also uses
> SQUID and when they added the server's IP to their whitelist the
> program could run. I am guessing the problem is that we are on 2
> different networks and the server isn't on our local network? My
> squid.conf is below. I am on the 192.168.100.0 network and the program
> is on the 193.168.3.0 network. I marked the lines I changed with
> "added 2011-09-12". I am running Squid3 on Ubuntu 10.04.1.
> Thanks, Margaret.
>
> *** This is from the access.log file
> 1315858391.599      0 192.168.100.19 TCP_DENIED/403 2614 GET http://services.chromalloy.local:8888/VFG/VirtualFG.svc - NONE/- text/html
> 1315858401.149     11 192.168.100.19 TCP_DENIED/403 2419 GET http://192.168.3.42/ - NONE/- text/html
>
> *** this is my squid.conf
>
> #Recommended minimum configuration:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl server src 192.168.3.1/255.255.255.255 #added 2011-09-12
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 192.168.100.0/24 192.168.101.0/24 192.168.3.0/24 #added 3.0 2011-09-12
These would have worked IF the source of the request was 192.168.3.*.
However that is the destination. I think you can drop both of these
changes again.
<snip>
> hierarchy_stoplist cgi-bin ?
You can drop hierarchy_stoplist.
<snip>
>
> acl whitelist dstdomain "/etc/squid3/whitelist.txt"
>
> # Allow localnet machines to whitelisted sites
> http_access allow localnet whitelist
Clients in localnet are only allowed to visit whitelisted websites...
Your logged client (192.168.100.19) is in localnet, so it appears that
the *domain names* "192.168.3.42" and "services.chromalloy.local" are not
whitelisted. Squid does not exactly do mDNS yet, so the .local domain is
probably failing on DNS lookup for to_localhost.
The best way is probably to use a type of reverse-proxy config for it.
Place the following above your to_localhost http_access rule, after the
CONNECT rule:
cache_peer 192.168.3.42 parent 8888 0 originserver no-query name=services
acl localServices dstdomain .services.chromalloy.local
cache_peer_access services allow localServices
cache_peer_access services deny all
http_access allow localnet localServices
Amos
Received on Tue Sep 13 2011 - 02:23:25 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 13 2011 - 12:00:02 MDT
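A complete squid.conf access section that applies the reply's suggestion in the order it asks for, as an added example that is not part of the original thread and not taken from the Squid project's own documentation. The cache_peer, localServices, whitelist and localnet lines are the ones from the thread; the manager, Safe_ports, SSL_ports and CONNECT lines are the stock Squid "recommended minimum" defaults; port 8888 is assumed to be the port Margaret added to Safe_ports; and the never_direct line is an extra step assumed here, not something the reply proposes.

```squid
# --- ACL definitions (recommended minimum, as shipped with Squid) ---
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# Only the networks whose *clients* sit behind this proxy belong in localnet;
# the remote division's 192.168.3.0/24 is a destination, not a source.
acl localnet src 192.168.100.0/24 192.168.101.0/24

acl SSL_ports port 443
acl Safe_ports port 80 21 443 8888    # 8888 assumed to be the port added for the VFG service
acl CONNECT method CONNECT

# --- The remote division's web application, reached via an origin-server peer ---
# Squid forwards matching requests straight to 192.168.3.42:8888, so the
# client-side lookup of the .local name never has to succeed.
cache_peer 192.168.3.42 parent 8888 0 originserver no-query name=services
acl localServices dstdomain .services.chromalloy.local
cache_peer_access services allow localServices
cache_peer_access services deny all
# Assumed extra hardening (not in the reply): never let these requests bypass
# the peer and go direct if the peer is unreachable.
never_direct allow localServices

acl whitelist dstdomain "/etc/squid3/whitelist.txt"

# --- http_access rules: evaluated top to bottom, first match wins ---
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# From the reply: after the CONNECT rule, before the to_localhost rule.
http_access allow localnet localServices
http_access deny to_localhost
# Everything else from localnet must be on the whitelist.
http_access allow localnet whitelist
http_access allow localhost
http_access deny all

http_port 3128
```

Validate the file with `squid3 -k parse` and apply it with `squid3 -k reconfigure`, then re-check access.log. Note that only requests written with the hostname, like the first logged URL (http://services.chromalloy.local:8888/...), match the localServices dstdomain ACL; a bare-IP URL such as the second logged request (http://192.168.3.42/) matches a dstdomain ACL only if Squid's reverse lookup of that address yields a name under .services.chromalloy.local, so it otherwise still falls through to the whitelist rule and is denied.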