RE: [squid-users] Port based ACLs for Squid setup with upstream proxying to Surfingate's Finjan-

From: Chris Robertson <[email protected]>
Date: Thu, 10 Feb 2005 10:25:39 -0900

> -----Original Message-----
> From: Maxx Christopher Lobo [mailto:maxx@arraycomm.com]
> Sent: Wednesday, February 09, 2005 3:55 PM
> To: squid-users@squid-cache.org
> Subject: RE: [squid-users] Port based ACLs for Squid setup with upstream
> proxying to Surfingate's Finjan-
>
>
> Chris:
>
> Thanks for the suggestion - I added the port based ACL to the
> always_direct list, and my new squid.conf is included below.
>
> I've tested the veracity of the port based ACL, using an FTP client -
> where previously the FTP connection would be shunted to FinJAN, now
> squid passes it through itself - which is exactly what I was hoping for.
>
> And unfortunately that isn't the end of the problem. Windows Media
> Player streams (non-port 80) are still having the same issue as before -
> the stream is able to connect, and it says 'playing', but no audio
> actually plays. (I've obviously eliminated the basic issues like sound
> card not working and so on ;-))
> When the IP based ACL is used, this problem disappears, and the PC is
> able to play the stream without a problem.
>
> Is there something else I'm missing?
>
> ## Begin squid.conf
> #
> acl Web_ports 80
> acl SSL_ports 443 563
> acl Media_ports 554 1755
> acl Safe_ports port 20 21 70 210 1025-65535
> acl CONNECT method CONNECT GET POST PROPFIND HEAD
> #
> acl dns-Local dstdomain .xyz.com
> acl IT_PCS src 192.168.0.1 192.168.0.5 192.168.0.25
> acl all src 0.0.0.0/0.0.0.0
> #
> http_access allow localhost
> http_access allow Web_ports
> http_access allow SSL_ports
> http_access allow Media_ports
> http_access deny !Safe_ports
> http_access deny CONNECT
> http_access deny all
> #
> cache_peer finjan.xyz.com parent 5150 0 no-query default
> always_direct allow dns-Local
> always_direct allow IT_PCS
> always_direct allow SSL_ports
> always_direct allow Media_ports
> always_direct allow Safe_ports
> never_direct allow all
> #
> ## End squid.conf
>
> ---Maxx

I imagine that the stream is being set up over port 80 (and is therefore
being set up through the Finjan). A little searching through the email
archives finds someone who was looking to block WMP. That should help...

So try this:

acl media_mime req_mime_type -i ^video/x-ms-asf$
acl media_mime req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl media_mime req_mime_type -i ^application/x-mms-framed$
acl WMP browser Windows-Media-Player/*

always_direct allow media_mime WMP

In theory (I love that phrase) this should allow Windows Media Player to
directly make requests for Windows media types.

Chris
Received on Thu Feb 10 2005 - 12:25:51 MST
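
Added example, not part of the original thread and not Squid's own code: a simplified Python model of how the `always_direct allow media_mime WMP` line above is matched. It assumes Squid's documented ACL behaviour: values under one ACL name are ORed, ACLs on one access line are ANDed, `req_mime_type` reads the request's Content-Type, and `browser` reads User-Agent. The helper names and sample requests are constructed for illustration.

```python
import re

# ACL definitions copied from the reply above: (type, case_insensitive, pattern).
# Values listed under one ACL name are ORed together.
ACLS = {
    "media_mime": [
        ("req_mime_type", True, r"^video/x-ms-asf$"),
        ("req_mime_type", True, r"^application/vnd.ms.wms-hdr.asfv1$"),
        ("req_mime_type", True, r"^application/x-mms-framed$"),
    ],
    "WMP": [("browser", False, r"Windows-Media-Player/*")],
}
# Access lines are tried in order; every ACL named on a line must match (AND).
ALWAYS_DIRECT = [("allow", ["media_mime", "WMP"])]

# Assumption of this model: which request header each ACL type inspects.
HEADER_FOR = {"req_mime_type": "Content-Type", "browser": "User-Agent"}


def acl_matches(name, headers):
    """True if any value of the named ACL matches the request headers."""
    for acl_type, nocase, pattern in ACLS[name]:
        value = headers.get(HEADER_FOR[acl_type], "")
        if re.search(pattern, value, re.I if nocase else 0):
            return True
    return False


def always_direct(headers):
    """Return the action of the first matching line, or None if none match."""
    for action, names in ALWAYS_DIRECT:
        if all(acl_matches(n, headers) for n in names):
            return action
    return None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "wmp_post_framed": {"User-Agent": "Windows-Media-Player/9.00.00.3250",
                        "Content-Type": "application/x-mms-framed"},
    "wmp_get_no_body": {"User-Agent": "Windows-Media-Player/9.00.00.3250"},
    "browser_asf": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)",
                    "Content-Type": "video/x-ms-asf"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", always_direct(hdrs) or "no match (falls through)")
```

In this model a request must carry both the player's User-Agent and one of the listed request Content-Type values to match the line; a request with only one of the two falls through to the remaining `always_direct` and `never_direct` lines.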
