HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.

All times are UTC + 2 hours [ DST ]




PostPosted: 11 Mar 2006 14:23

Joined: 11 Mar 2006 11:27
Posts: 7
According to the documentation, one of the setups is to use the Squid sandwich.

1) Am I right to say that all traffic besides HTTPS is configured to use SQUID1 while HTTPS traffic is configured to use SQUID2 in the IE proxy settings?

2) All traffic pointing to SQUID1 will be scanned while traffic via SQUID2 will not be scanned?

3) If I do not have SQUID1 but I have several HAVPs and a SQUID2, can all the HAVPs be pointing to SQUID2 as the parent proxy? If so, what are the configurations needed on SQUID2?

4) Would appreciate it if you could elaborate on HAVP round robin (related to 3?) and the configurations required.

Thanks !


PostPosted: 11 Mar 2006 15:08
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
akhran wrote:
According to the documentation, one of the setups is to use the Squid sandwich.

1) Am I right to say that all traffic besides HTTPS is configured to use SQUID1 while HTTPS traffic is configured to use SQUID2 in the IE proxy settings?

2) All traffic pointing to SQUID1 will be scanned while traffic via SQUID2 will not be scanned?


It depends entirely on what is configured on SQUID1. You can use ACLs to bypass HAVP on whatever conditions you want (no HTTPS, IP, URL, time of day etc.). The point is that you use SQUID1 for everything. It is the central point where clients connect.

Quote:
3) If I do not have SQUID1 but I have several HAVPs and a SQUID2, can all the HAVPs be pointing to SQUID2 as the parent proxy?


Of course, it doesn't matter who and how many connect to SQUID2. All it does is accept clients (in this case, HAVPs) and do proxying.

Quote:
4) Would appreciate it if you could elaborate on HAVP round robin (related to 3?) and the configurations required.


At its simplest, you have a cache_peer config for every HAVP address, and use the round-robin option. I haven't tested if it's enough to have one cache_peer line with a DNS address pointing to many HAVP IPs.

You should check the Squid documentation for the rest, all the information is there..

Cheers,
Henrik


PostPosted: 12 Mar 2006 13:07 
What's the reason behind not allowing SQUID1 to do caching? I have been checking the Squid documentation but did not manage to find anything useful on routing HTTPS traffic from SQUID1 to another proxy (SQUID2). The closest I could find was a line that says:

http_access deny CONNECT !SSL_ports

Any pointers?

Thanks :)



PostPosted: 12 Mar 2006 13:15
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Anonymous wrote:
What's the reason behind not allowing SQUID1 to do caching? I have been checking the Squid documentation but did not manage to find anything useful on routing HTTPS traffic from SQUID1 to another proxy (SQUID2). The closest I could find was a line that says:

http_access deny CONNECT !SSL_ports

Any pointers?


If SQUID1 is caching, it could have a virus file in cache that HAVP didn't recognize earlier..

cache_peer_access is for routing traffic..

You would do something like this:

acl Scan_HTTPS proto HTTPS
#Allow all traffic except HTTPS to havp
cache_peer_access havp.xxx.com allow !Scan_HTTPS
#Allow all traffic to SQUID2 (havp is tried first..)
cache_peer_access squid2.xxx.com allow all

Cheers,
Henrik


PostPosted: 12 Mar 2006 13:21 
Thanks Henrik :)

Any plan to implement support for FTP in next version?

PostPosted: 12 Mar 2006 13:29
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Anonymous wrote:
Any plan to implement support for FTP in next version?


Direct support won't come for some time I think.. just use Squid parent and it works through that in 0.78. ;)

Cheers,
Henrik


PostPosted: 12 Mar 2006 13:46 
1) So to route all the HTTPS and FTP traffic to SQUID2, is the modified SQUID1 configuration correct?

# No caching
cache_dir null /tmp
no_cache deny all
# HAVP on port 8080
cache_peer havp.xxx.com parent 8080 0 no-query no-digest no-netdb-exchange default
# SQUID2 on port 8090
cache_peer squid2.xxx.com parent 8090 0 no-query no-digest no-netdb-exchange

acl Scan_HTTPS proto HTTPS
acl Scan_FTP proto FTP
#Allow all traffic except HTTPS and FTP to havp
cache_peer_access havp.xxx.com allow !Scan_HTTPS
cache_peer_access havp.xxx.com allow !Scan_FTP
#Allow all traffic to SQUID2 (havp is tried first..)
cache_peer_access squid2.xxx.com allow all

2) For HAVP.conf, do I need to specify SQUID2 as the parent proxy?

Thanks !
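
Added example, not part of the original thread: a small Python model of how Squid evaluates cache_peer_access (ACLs on one line are ANDed, a peer's lines are checked in order, the first matching line decides), applied to the configuration posted above and to a single-line variant. The evaluator and the single-line variant are assumptions made for illustration; hostnames and ACL names are the ones used in the thread, and each request is represented only by the protocol the proto ACL matches on.

```python
# Added illustration: simplified model of Squid's cache_peer_access evaluation.
# Hostnames and ACL names come from the thread; the evaluator is a sketch, not Squid code.

POSTED = """
cache_peer_access havp.xxx.com allow !Scan_HTTPS
cache_peer_access havp.xxx.com allow !Scan_FTP
cache_peer_access squid2.xxx.com allow all
"""

# Assumed variant: both conditions on ONE line, so they are ANDed.
SINGLE_LINE = """
cache_peer_access havp.xxx.com allow !Scan_HTTPS !Scan_FTP
cache_peer_access squid2.xxx.com allow all
"""

# acl Scan_HTTPS proto HTTPS / acl Scan_FTP proto FTP, as in the thread.
ACLS = {"Scan_HTTPS": {"HTTPS"}, "Scan_FTP": {"FTP"}}

def parse(conf):
    """Return {peer: [(action, [acl terms])]} in file order."""
    rules = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "cache_peer_access":
            rules.setdefault(parts[1], []).append((parts[2], parts[3:]))
    return rules

def term_matches(term, proto):
    negate = term.startswith("!")
    name = term.lstrip("!")
    hit = True if name == "all" else proto in ACLS[name]
    return hit != negate

def peer_allowed(peer_rules, proto):
    """First line whose ACLs ALL match decides; if none matches, the
    default is the opposite of the last line's action."""
    for action, terms in peer_rules:
        if all(term_matches(t, proto) for t in terms):
            return action == "allow"
    return peer_rules[-1][0] != "allow"

def eligible_peers(conf, proto):
    return [p for p, r in parse(conf).items() if peer_allowed(r, proto)]

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("single-line", SINGLE_LINE)):
        for proto in ("HTTP", "HTTPS", "FTP"):
            print(f"{name:12} {proto:5} -> {eligible_peers(conf, proto)}")
```

Under this model the two separate allow lines leave HAVP eligible for HTTPS and FTP as well, because each line matches what the other excludes; with both negated ACLs on one line, only SQUID2 is eligible for those two protocols.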
