HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

Squid sandwich and HAVP round-robin
http://havp.hege.li/forum/viewtopic.php?f=3&t=34
Page 1 of 1

Author:  akhran [ 11 Mar 2006 14:23 ]
Post subject:  Squid sandwich and HAVP round-robin

According to the documentation, one of the setups is to use the Squid sandwich.

1) Am I right to say that all traffic besides HTTPS is configured to use SQUID1, while HTTPS traffic is configured to use SQUID2 in the IE proxy settings?

2) All traffic pointing to SQUID1 will be scanned, while traffic via SQUID2 will not be scanned?

3) If I do not have SQUID1 but I have several HAVPs and a SQUID2, can all the HAVPs point at SQUID2 as the parent proxy? If so, what configuration is needed on SQUID2?

4) I would appreciate it if you could elaborate on HAVP round-robin (related to 3?) and the configuration required.

Thanks !

Author:  hege [ 11 Mar 2006 15:08 ]
Post subject:  Re: Squid sandwich and HAVP round-robin

akhran wrote:
According to the documentation, one of the setups is to use the Squid sandwich.

1) Am I right to say that all traffic besides HTTPS is configured to use SQUID1, while HTTPS traffic is configured to use SQUID2 in the IE proxy settings?

2) All traffic pointing to SQUID1 will be scanned, while traffic via SQUID2 will not be scanned?


It depends entirely on what is configured on SQUID1. You can use ACLs to bypass HAVP on whatever conditions you want (no HTTPS, IP, URL, time of day etc.). The point is that you use SQUID1 for everything. It is the central point where clients connect.

Quote:
3) If I do not have SQUID1 but I have several HAVPs and a SQUID2, can all the HAVPs point at SQUID2 as the parent proxy?


Of course, it doesn't matter who and how many connect to SQUID2. All it does is accept clients (in this case, the HAVPs) and do proxying.

Quote:
4) I would appreciate it if you could elaborate on HAVP round-robin (related to 3?) and the configuration required.


At its simplest, you have a cache_peer line for every HAVP address and use the round-robin option. I haven't tested whether it's enough to have one cache_peer line with a DNS name pointing to many HAVP IPs.

You should check the Squid documentation for the rest; all the information is there.

Cheers,
Henrik

Author:  Guest [ 12 Mar 2006 13:07 ]
Post subject:  Re: Squid sandwich and HAVP round-robin

What's the reason for not allowing SQUID1 to do caching? I have been checking the Squid documentation but did not manage to find anything useful on routing HTTPS traffic from SQUID1 to another proxy (SQUID2). The closest I could find was a line that says:

http_access deny CONNECT !SSL_ports

Any pointers?

Thanks :)


Author:  hege [ 12 Mar 2006 13:15 ]
Post subject:  Re: Squid sandwich and HAVP round-robin

Anonymous wrote:
What's the reason for not allowing SQUID1 to do caching? I have been checking the Squid documentation but did not manage to find anything useful on routing HTTPS traffic from SQUID1 to another proxy (SQUID2). The closest I could find was a line that says:

http_access deny CONNECT !SSL_ports

Any pointers?


If SQUID1 is caching, it could have a virus file in the cache that HAVP didn't recognize earlier.

cache_peer_access is for routing traffic.

You would do something like this:

acl Scan_HTTPS proto HTTPS
#Allow all traffic except HTTPS to havp
cache_peer_access havp.xxx.com allow !Scan_HTTPS
#Allow all traffic to SQUID2 (havp is tried first..)
cache_peer_access squid2.xxx.com allow all

Cheers,
Henrik

Author:  Guest [ 12 Mar 2006 13:21 ]
Post subject:  Re: Squid sandwich and HAVP round-robin

Thanks Henrik :)

Any plans to implement support for FTP in the next version?


Author:  hege [ 12 Mar 2006 13:29 ]
Post subject:  Re: Squid sandwich and HAVP round-robin

Anonymous wrote:
Any plans to implement support for FTP in the next version?


Direct support won't come for some time, I think. Just use a Squid parent and it works through that in 0.78. ;)

Cheers,
Henrik

Author:  Guest [ 12 Mar 2006 13:46 ]
Post subject:  Re: Squid sandwich and HAVP round-robin

1) So to route all the HTTPS and FTP traffic to SQUID2, is the modified SQUID1 configuration correct?

# No caching
cache_dir null /tmp
no_cache deny all
# HAVP on port 8080
cache_peer havp.xxx.com parent 8080 0 no-query no-digest no-netdb-exchange default
# SQUID2 on port 8090
cache_peer squid2.xxx.com parent 8090 0 no-query no-digest no-netdb-exchange

acl Scan_HTTPS proto HTTPS
acl Scan_FTP proto FTP
# Allow all traffic except HTTPS and FTP to havp. Both ACLs must be on one
# line (ANDed): as two separate "allow" lines, an HTTPS request would match
# "allow !Scan_FTP" and an FTP request would match "allow !Scan_HTTPS", so
# nothing would be kept away from havp.
cache_peer_access havp.xxx.com allow !Scan_HTTPS !Scan_FTP
# Allow all traffic to SQUID2 (havp is tried first..)
cache_peer_access squid2.xxx.com allow all

2) For havp.conf, do I need to specify SQUID2 as the parent proxy?

Thanks !

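The following is an added example, not code from HAVP, Squid or anyone in this thread. It models how Squid evaluates cache_peer_access lines (ACLs on one line are ANDed, lines are tried in order and the first match decides, no match yields the opposite of the last line's action, and a peer with no lines at all is allowed for everything) and runs that model over two constructed squid.conf fragments for the SQUID1 front end: the "one allow line per protocol" form from the configuration posted above, and the single-line form Henrik's cache_peer_access post implies. The hostnames havp.xxx.com and squid2.xxx.com are the thread's placeholders; the parser understands only `acl NAME proto`, `cache_peer` and `cache_peer_access`, which is an assumption made to keep the model small.

```python
"""Added example: a small model of Squid cache_peer_access evaluation, applied
to constructed SQUID1 fragments for the Squid/HAVP/Squid sandwich.

Modelled rules (as documented for Squid access lists):
  * ACL names on one line are ANDed; a leading "!" negates that ACL.
  * Lines for a peer are tried in order; the first matching line decides.
  * If no line matches, the result is the opposite of the last line's action.
  * A peer with no cache_peer_access lines at all is allowed for every request.
Only `acl NAME proto ...`, `cache_peer` and `cache_peer_access` are understood.
"""

# Constructed fragment in the form posted in the thread: one "allow" line per
# protocol that should stay away from HAVP.
CONF_SEPARATE_LINES = """
cache_peer havp.xxx.com   parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer squid2.xxx.com parent 8090 0 no-query no-digest no-netdb-exchange
acl Scan_HTTPS proto HTTPS
acl Scan_FTP   proto FTP
cache_peer_access havp.xxx.com   allow !Scan_HTTPS
cache_peer_access havp.xxx.com   allow !Scan_FTP
cache_peer_access squid2.xxx.com allow all
"""

# Same intent, but both conditions on one line so that they are ANDed.
CONF_ONE_LINE = """
cache_peer havp.xxx.com   parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer squid2.xxx.com parent 8090 0 no-query no-digest no-netdb-exchange
acl Scan_HTTPS proto HTTPS
acl Scan_FTP   proto FTP
cache_peer_access havp.xxx.com   allow !Scan_HTTPS !Scan_FTP
cache_peer_access squid2.xxx.com allow all
"""


def parse(conf):
    """Return (acls, peers). acls maps name -> set of protocols (None = any);
    peers maps hostname -> [(action, [(negated, acl_name), ...]), ...] in
    cache_peer order."""
    acls = {"all": None}
    peers = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive == "acl":
            name, acl_type, *values = args
            if acl_type != "proto":
                raise ValueError(f"acl type not modelled: {acl_type}")
            acls.setdefault(name, set()).update(v.upper() for v in values)
        elif directive == "cache_peer":
            peers.setdefault(args[0], [])  # records the order peers are tried in
        elif directive == "cache_peer_access":
            peer, action, *terms = args
            if peer not in peers or action not in ("allow", "deny"):
                raise ValueError(f"bad cache_peer_access line: {line}")
            conds = [(t.startswith("!"), t.lstrip("!")) for t in terms]
            unknown = [a for _, a in conds if a not in acls]
            if unknown:
                raise ValueError(f"undefined acl(s): {unknown}")
            peers[peer].append((action, conds))
        else:
            raise ValueError(f"directive not modelled: {directive}")
    return acls, peers


def acl_matches(acls, name, proto):
    members = acls[name]
    return True if members is None else proto.upper() in members


def peer_allowed(acls, rules, proto):
    """Evaluate one peer's cache_peer_access list for a request protocol."""
    if not rules:
        return True
    for action, conds in rules:
        if all(acl_matches(acls, acl, proto) != negated for negated, acl in conds):
            return action == "allow"
    return rules[-1][0] == "deny"  # no line matched: opposite of the last line


def route(conf, proto):
    """Peers Squid may use for a request of the given protocol, in cache_peer
    order (the first entry is the one tried first)."""
    acls, peers = parse(conf)
    return [peer for peer, rules in peers.items() if peer_allowed(acls, rules, proto)]


if __name__ == "__main__":
    for label, conf in (("separate lines", CONF_SEPARATE_LINES), ("one line", CONF_ONE_LINE)):
        for proto in ("HTTP", "HTTPS", "FTP"):
            print(f"{label:15} {proto:5} -> {route(conf, proto)}")
```

With the separate-line form, an HTTPS request fails `allow !Scan_HTTPS` but then matches `allow !Scan_FTP`, so HAVP remains a candidate for HTTPS and FTP alike and the scan bypass never happens; with the single-line form only squid2.xxx.com is left for those protocols. Two further points a practitioner would check on a real SQUID1: `never_direct allow all`, so that a failed HAVP peer makes Squid use the next peer rather than fetching directly and skipping the scan, and `squid -k parse` against the finished squid.conf before reloading.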

Page 1 of 1 All times are UTC + 2 hours [ DST ]
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/