Environment:
pfSense 1.2.3-Release
Squid 2.7.9_4.1
I am using squid as a local access-logging front-end, to another
remote proxy which acts as a content filter on which I don't have
reporting/logging access.
If I specify the remote proxy and port in the web browser, I just get
a blank "can't connect" error for HTTPS addresses. It is blocking the
site, as expected.
But when squid is used, the access.log contains a long string of all
"TCP_DENIED" or "TCP_MISS" messages, but the blocked page loads
anyway.
Checking the cache.log there is a message "Temporarily disabling (Not
Found) digest from proxy.foo.com:8888"
it appears squid is quietly saying "fine, I will go direct and
retrieve the data anyway".
The directive never_direct doesn't do anything for this:
never_direct deny all
I need squid to just simply give up and stop trying to access the
blocked site, if the upstream parent won't provide the content.
This is probably complicated by the fact that this is a pfsense
firewall appliance. I have tried applying restrictions to brute-force
prevent squid from serving up pages directly but they do not do
anything:
"Deny All from LAN (Any) to WAN (Any)"
"Deny All from WAN (external firewall address) to any address port 80"
"Deny All from WAN (external firewall address) to any address port 443"
.... Squid still retrieves the blocked data through the WAN side of
the pfsense box.
(I can't post a copy of the squid config. It's all managed through the
pfsense GUI.)
Received on Tue Sep 27 2011 - 02:45:45 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 27 2011 - 12:00:02 MDT