[squid-users] re-directing an ip range

From: George Dominguez <[email protected]>
Date: Tue, 1 Apr 2003 11:17:12 +1000

Hello all,

I have posted this question before, tried suggestions but with no luck. I
hope someone can help.

The problem is:

We have two squid proxy servers, running on RH8

students-proxy - 10.1.1.4
staff-proxy - 10.1.4.18

1 - All staff except for a specific IP range should be prompted to validate
when accessing the UQ databases.
2 - All students should not be prompted - the students proxy is doing NAT
from the firewall and is allowed access onto the UQ databases. To make this
sound clear - anyone going out on 10.1.1.4 (students-proxy) will not be
asked to validate.

I have configured the staff-proxy (10.1.4.18) to route requests coming from
the IP range to the students-proxy (10.1.1.4).
It routes for some time, then stops routing, at which time I run squid -k
reconfigure, and it starts to route again.
Very inconsistent. When it stops routing, it allows everything to go
direct, and therefore all staff including those from the exclusion list are
prompted for a password.

I have included my entire squid.conf file - if someone can give me any
clues it will be highly appreciated.

http_port 10.1.4.18:3128
cache_effective_user squid
cache_effective_group squid
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /usr/local/squid/var/cache 2000 16 256
cache_log /usr/local/squid/var/logs/cache.log
cache_access_log /usr/local/squid/var/logs/access.log

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

visible_hostname staffproxy

acl all src 0/0
acl manager proto cache_object
acl localhost src 127.0.0.0/255.255.255.255
acl SSL_ports port 443 563 569 5190
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# If an IP is from the exception-entries list, then
# pass the request to 10.1.1.4 proxy server.
acl mte src 10.1.10.201-10.1.10.207/255.255.255.255 10.1.4.68
acl skr src 10.1.4.160-10.1.4.180/255.255.255.255
acl syd src 10.1.5.60-10.1.5.65/255.255.255.255
acl uqlib dstdomain .uq.edu.au
cache_peer 10.1.1.4 parent 3128 3130
cache_peer_access 10.1.1.4 allow mte uqlib
cache_peer_access 10.1.1.4 allow skr uqlib
cache_peer_access 10.1.1.4 allow syd uqlib
cache_peer_access 10.1.1.4 deny all
always_direct allow all !mte skr syd

# don't cache our site
 acl our-site dstdomain .mteliza.com.au
 no_cache deny our-site

# This entry was made in the other proxy, to allow direct access
# acl pc src 10.1.4.18
# http_access allow pc

# Enable both the winbind basic and ntlm authenticators
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 25
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 25
auth_param basic realm squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Proxy auth ACL entry staffauth = "staff authentication"
acl staffauth proxy_auth REQUIRED
http_access allow staffauth
http_access deny all !localhost

Regards
George

Received on Mon Mar 31 2003 - 18:15:45 MST
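
How Squid evaluates the cache_peer_access and always_direct lines in the configuration above, as an added example that is not part of the original post: ACLs named on one line are ANDed, and the first line that matches decides. The evaluator is a simplified model written for this page, not Squid code, and the sample client addresses and hostnames are constructed.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

# src ACLs copied from the posted squid.conf as (first, last) address ranges.
SRC = {
    "mte": [("10.1.10.201", "10.1.10.207"), ("10.1.4.68", "10.1.4.68")],
    "skr": [("10.1.4.160", "10.1.4.180")],
    "syd": [("10.1.5.60", "10.1.5.65")],
}
DSTDOMAIN = {"uqlib": ".uq.edu.au"}

def acl_matches(name, client, host):
    """One ACL test; the values inside a single acl are ORed."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name in SRC:
        hit = any(ip(lo) <= ip(client) <= ip(hi) for lo, hi in SRC[name])
    else:
        dom = DSTDOMAIN[name]
        hit = host == dom[1:] or host.endswith(dom)
    return hit != negate

def evaluate(rules, client, host):
    """ACLs on one line are ANDed; the first line that matches decides.
    Returns 'allow' or 'deny', or None when no line matches."""
    for action, *acls in (r.split() for r in rules):
        if all(acl_matches(a, client, host) for a in acls):
            return action
    return None

# Rule lines copied from the post (directive name and peer address stripped).
PEER_ACCESS = ["allow mte uqlib", "allow skr uqlib", "allow syd uqlib", "deny all"]
ALWAYS_DIRECT = ["allow all !mte skr syd"]

if __name__ == "__main__":
    # Constructed sample requests: (client address, destination host).
    for client, host in [("10.1.4.170", "library.uq.edu.au"),
                         ("10.1.4.170", "example.org"),
                         ("10.1.4.20", "library.uq.edu.au"),
                         ("10.1.5.61", "library.uq.edu.au")]:
        print(client, host, "peer:", evaluate(PEER_ACCESS, client, host),
              "always_direct:", evaluate(ALWAYS_DIRECT, client, host))
```

Under these semantics, `always_direct allow all !mte skr syd` requires a client to be in both skr and syd, whose address ranges do not overlap, so that line matches no request.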
