I was wondering about the ICP; it was in the standard ACLs, but the port number was different in the conf file.
I'll give this one a shot.
#Allow ICP queries from everyone
icp_access allow all
You don't want ICP in a reverse proxy. In fact I would recommend you to disable ICP entirely (see icp_port).
As I understand ACLs, Squid uses OR logic when checking the ACL values. Squid only searches until it finds a match in the ACL, then stops. The access rules are different: they use AND logic and combine all the ACLs in the list. If none of the access rules are matched, the default response is the exact opposite of the last rule.
[or if you are using Squid-3 with cache_peer based forwarding]
acl Exchangebox dstdomain the.official.fqdn.requested.by.clients
http_access allow https port443 Exchangebox
# And finally deny all other access to this proxy
http_access deny all
# Disable ICP
icp_port 0
So for example:
acl mynetwork src 192.168.1.0
http_access allow mynetwork
This would only allow the 192.168.1.0 subnet, and by default it would DENY anything else since it wouldn't match the acl - mynetwork.
I got confused by one in Wessels book:
acl All src 0/0
acl Bob ident bob
http_access allow Bob
http_access deny All
First if the ident wasn't matched with bob, they would be denied. Then if it wasn't ident traffic, they'd be denied for everything else? Am I correct? In this example, I am trying to see how a non-match could occur, since the All acl is basically everything, isn't it?
Thanks,
Eric
Regards Henrik
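
The evaluation order discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how http_access rules are checked (OR inside one ACL, AND across the ACLs on one rule, first match wins, default is the opposite of the last rule). The function names, the request dictionary and the /24 mask on "mynetwork" are assumptions made for the illustration, and only the src and ident ACL types are modelled.

```python
import ipaddress

# Constructed ACL definitions modelled on the thread's examples.
# Assumption: "mynetwork" is written with an explicit /24 mask.
ACLS = {
    "mynetwork": ("src", ["192.168.1.0/24"]),
    "All": ("src", ["0.0.0.0/0"]),
    "Bob": ("ident", ["bob"]),
}

def acl_matches(name, request):
    """One ACL matches if ANY of its values matches (OR)."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "ident":
        return request.get("ident") in values
    raise ValueError(f"unsupported ACL type: {kind}")

def http_access(rules, request):
    """rules: ordered list of (action, [acl names]). Returns 'allow' or 'deny'."""
    if not rules:
        raise ValueError("this model needs at least one rule")
    for action, names in rules:
        # A rule matches only if ALL listed ACLs match (AND); first match wins.
        if all(acl_matches(n, request) for n in names):
            return action
    # No rule matched: the default is the opposite of the last rule.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rule lists taken from the thread, plus one without an explicit final rule.
NET_ONLY = [("allow", ["mynetwork"])]
BOB_THEN_ALL = [("allow", ["Bob"]), ("deny", ["All"])]
DENY_BOB_ONLY = [("deny", ["Bob"])]

if __name__ == "__main__":
    # Constructed sample requests.
    inside = {"src": "192.168.1.20"}
    alice = {"src": "10.0.0.5", "ident": "alice"}
    bob = {"src": "10.0.0.5", "ident": "bob"}
    print("NET_ONLY, inside:", http_access(NET_ONLY, inside))
    print("NET_ONLY, alice:", http_access(NET_ONLY, alice))
    print("BOB_THEN_ALL, bob:", http_access(BOB_THEN_ALL, bob))
    print("BOB_THEN_ALL, alice:", http_access(BOB_THEN_ALL, alice))
    print("DENY_BOB_ONLY, alice:", http_access(DENY_BOB_ONLY, alice))
```

The last case returns "allow" for a request that matched nothing, which is why the rule list above ends with an explicit `http_access deny all`.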
