Hello all, I have posted this question before and tried the suggestions, but with no luck. I hope someone can help.

The problem is: we have two squid proxy servers, running on RH8:

students-proxy - 10.1.1.4
staff-proxy - 10.1.4.18

1 - All staff except for a specific IP range should be prompted to validate when accessing the UQ databases.
2 - All students should not be prompted - the students proxy is doing NAT from the firewall and is allowed access to the UQ databases.

To make this clear - anyone going out on 10.1.1.4 (students-proxy) will not be asked to validate.

I have configured the staff-proxy (10.1.4.18) to route requests coming from the IP range to the students-proxy (10.1.1.4). It routes for some time, then stops routing, at which point I run squid -k reconfigure and it starts routing again. Very inconsistent. When it stops routing, it allows everything to go direct, and therefore all staff, including those from the exclusion list, are prompted for a password.

I have included my entire squid.conf file - if someone can give me any clues it will be highly appreciated.

http_port 10.1.4.18:3128
cache_effective_user squid
cache_effective_group squid
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /usr/local/squid/var/cache 2000 16 256
cache_log /usr/local/squid/var/logs/cache.log
cache_access_log /usr/local/squid/var/logs/access.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname staffproxy
acl all src 0/0
acl manager proto cache_object
# loopback source is 127.0.0.1 (the posted 127.0.0.0 would match nothing useful)
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 569 5190
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# If an IP is from the exception-entries list, then
# pass the request to 10.1.1.4 proxy server.
acl mte src 10.1.10.201-10.1.10.207/255.255.255.255 10.1.4.68
acl skr src 10.1.4.160-10.1.4.180/255.255.255.255
acl syd src 10.1.5.60-10.1.5.65/255.255.255.255
acl uqlib dstdomain .uq.edu.au
cache_peer 10.1.1.4 parent 3128 3130
# ACL names on one line are ANDed: peer only for an exception range AND a uq.edu.au host
cache_peer_access 10.1.1.4 allow mte uqlib
cache_peer_access 10.1.1.4 allow skr uqlib
cache_peer_access 10.1.1.4 allow syd uqlib
cache_peer_access 10.1.1.4 deny all
# Everyone outside the exception ranges may go direct. Because ACL names on
# one line are ANDed, the originally posted "always_direct allow all !mte skr syd"
# could never match (no source address is in both skr and syd); each exception
# ACL has to be negated separately.
always_direct allow !mte !skr !syd
# don't cache our site
acl our-site dstdomain .mteliza.com.au
no_cache deny our-site
# This entry was made in the other proxy, to allow direct access
# acl pc src 10.1.4.18
# http_access allow pc
# Enable both the winbind basic and ntlm authenticators
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 25
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 25
auth_param basic realm squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# Proxy auth ACL entry staffauth = "staff authentication"
acl staffauth proxy_auth REQUIRED
http_access allow staffauth
http_access deny all !localhost

Regards
George
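As an added illustration (not part of George's post or of squid itself), here is a small Python model of how squid evaluates the ACL names on one access line (AND semantics, `!` negation) and what that means for the staff-proxy peer selection above. The address ranges are copied from the posted config; the `route` helper and the two `always_direct` variants it compares are assumptions made for this example.

```python
import ipaddress

# Constructed model of the three source ACLs and the dstdomain ACL from the
# staff-proxy config (assumption: ranges copied from the posted squid.conf).
SRC_ACLS = {
    "mte": [("10.1.10.201", "10.1.10.207"), ("10.1.4.68", "10.1.4.68")],
    "skr": [("10.1.4.160", "10.1.4.180")],
    "syd": [("10.1.5.60", "10.1.5.65")],
}
UQLIB_SUFFIX = ".uq.edu.au"      # acl uqlib dstdomain .uq.edu.au
PARENT = "10.1.1.4"

# Two always_direct lines compared: the "all !mte skr syd" form, and the form
# where every exception ACL is negated separately.
ALWAYS_DIRECT_ANDED = ["all", "!mte", "skr", "syd"]
ALWAYS_DIRECT_FIXED = ["!mte", "!skr", "!syd"]


def acl_matches(term, src_ip, host):
    """Evaluate one ACL name on a squid access line; a leading '!' negates."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    if name == "all":
        hit = True
    elif name == "uqlib":
        # dstdomain .uq.edu.au matches the domain itself and any subdomain
        hit = host == UQLIB_SUFFIX[1:] or host.endswith(UQLIB_SUFFIX)
    else:
        addr = ipaddress.ip_address(src_ip)
        hit = any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                  for lo, hi in SRC_ACLS[name])
    return hit != negate


def line_matches(terms, src_ip, host):
    """Squid ANDs all ACL names listed on a single access line."""
    return all(acl_matches(t, src_ip, host) for t in terms)


def route(src_ip, host, always_direct):
    """Decide DIRECT vs parent for one request under the staff-proxy rules."""
    if line_matches(always_direct, src_ip, host):
        return "DIRECT"
    # cache_peer_access 10.1.1.4 allow <group> uqlib (three lines), then deny all
    for group in ("mte", "skr", "syd"):
        if line_matches([group, "uqlib"], src_ip, host):
            return "PARENT " + PARENT
    return "DIRECT"
```

Running `line_matches(ALWAYS_DIRECT_ANDED, ...)` for any source address returns False, because no address is in both skr and syd, which is why that line contributes nothing to the routing decision.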
