Usage: never_direct allow|deny [!]aclname ...
never_direct is the opposite of always_direct. Please read
the description for always_direct if you have not already.
With 'never_direct' you can use ACL elements to specify
requests which should NEVER be forwarded directly to origin
servers. For example, to force the use of a proxy for all
requests, except those in your local domain use something like:
acl local-servers dstdomain .foo.net
never_direct deny local-servers
never_direct allow all
or if Squid is inside a firewall and there are local intranet
servers inside the firewall use something like:
acl local-intranet dstdomain .foo.net
acl local-external dstdomain external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all
This clause supports both fast and slow acl types.
See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.