[squid-users] eSafe Gateway as parent proxy

From: Stephen J. McCracken <smccrack@dont-contact.us>
Date: 22 Jan 2004 15:24:46 -0500

Hi, all,

To start:
Squid Cache: Version 2.5.STABLE2
configure options: --enable-async-io --enable-removal-policies=heap,lru
--enable-snmp

(Yes, we're not "current", but we need to get this working to replace
our current web filter before we work on upgrading and adding
authentication.)

RedHat 7.3 (Linux 2.4.20-20.7)

(We are not yet using authentication, so I don't think Bug 592 applies.)

We are having trouble setting up eSafe as a parent proxy.
If we request something already cached from squid, it works.
If we request something allowed directly, it works.
When we try to force it through eSafe (never_direct allow all) - it
breaks.
If we take out the "never_direct allow all" it works, but doesn't seem
to go through the eSafe filter.
Whenever we add in the "never_direct allow all" directive, we get the
following in the browser:

ERROR
The requested URL could not be retrieved

________________________________________________________________________

While trying to retrieve the URL:
NONE://esafe.hcjb.org.ec:8080http://www.mail-archive.com/squid-users@squid-cache.org/msg11590.html

The following error was encountered:

      * Read Error
The system returned:

    (104) Connection reset by peer

An error condition occurred while reading data from the network. Please
retry your request.

Your cache administrator is webmaster.

________________________________________________________________________
Generated Thu, 22 Jan 2004 19:57:21 GMT by webfilter2.quito.hcjb.org.ec
(squid/2.5.STABLE2)

Is the following correct? Should I blame esafe and go after the problem
there?

http_port 8080
cache_peer esafe.hcjb.org.ec parent 8080 0 no-query default
hierarchy_stoplist cgi-bin ?
[snipped non-relevant lines]
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 9100 2095 2082
acl Safe_ports port 80 # http
acl Safe_ports port 20-21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 554 # multiling http
acl CONNECT method CONNECT
acl adminuser src 10.129.134.4/30
acl adminuser src 10.129.129.12/30
acl internetenabled src 10.129.129.0/25
acl internetenabled src 10.129.130.0/24
acl internetenabled src 10.129.134.0/24
acl internetenabled src 10.129.184.0/24
acl internetenabled src 10.138.0.0/16
acl internetenabled src 10.139.0.0/16
acl internetenabled src 10.140.0.0/16
acl goodsites dstdomain .hcjb.org.ec
acl goodsites dstdomain .hcjb.org
acl goodsites dstdomain .nod32.com
http_access allow manager localhost
http_access allow manager adminuser
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow adminuser
http_access allow localhost
http_access allow all goodsites
http_access allow internetenabled
http_access deny all
http_reply_access allow all
icp_access allow all
acl DSTlocalserversIP dst 10.129.130.0/24
acl DSTlocalserversIP dst 10.129.254.0/24
acl DSTlocalserversDMN dstdomain .hcjb.org.ec
acl DSTlocalserversException dstdomain www.hcjb.org.ec
always_direct deny DSTlocalserversException
always_direct allow DSTlocalserversIP
always_direct allow DSTlocalserversDMN
never_direct allow all

Thanks for any direction you can give us.
Received on Thu Jan 22 2004 - 13:25:09 MST
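
One way to check whether the reset comes from the parent itself is to send it a proxy-style request with Squid out of the path. The sketch below is an added example, not part of the original message. The names probe_parent and fake_parent are hypothetical, and the loopback listener is a constructed stand-in for a parent proxy so the script runs offline.

```python
import socket
import struct
import threading
from urllib.parse import urlsplit


def probe_parent(host, port, url, timeout=5.0):
    """Send one proxy-style GET straight to a parent proxy and classify the result."""
    request = (f"GET {url} HTTP/1.0\r\n"
               f"Host: {urlsplit(url).netloc}\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(4096)
    except (ConnectionResetError, BrokenPipeError):
        return "reset"       # same condition Squid reports as errno 104
    except ConnectionRefusedError:
        return "refused"     # nothing listening on that port
    except socket.timeout:
        return "timeout"     # peer accepted but never answered
    if not data:
        return "closed"      # clean FIN with no reply
    return data.split(b"\r\n", 1)[0].decode("latin-1")  # HTTP status line


def fake_parent(reset):
    """Constructed loopback stand-in for a parent; serves one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        if reset:
            # SO_LINGER with zero timeout makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        else:
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nok")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for reset in (True, False):
        print(reset, probe_parent("127.0.0.1", fake_parent(reset), "http://example.com/"))
```

Run from the Squid host with the cache_peer host and port from squid.conf in place of the loopback listener: a "reset" result there reproduces the failure without Squid involved, while a status line means the parent accepts requests from that address.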