Dave Coventry wrote:
AAaaargh! Sorry, I meant to reply to the list, but that doesn't seem
to be the default. Sorry.
Amos,
Many thanks for the reply; I had almost given up!
On Jan 7, 2008 12:52 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
So this is a webserver accelerator too?
Think about adding defaultsite= option to cope with the many broken web
clients that may be accessing your server.
The main requirement is for some kind of control over the user's
browsing habits.
This port is also the cause of your problem. You are running squid as a
non-privileged user. To access a special port <1024 you MUST run squid
as root and let it drop down to unprivileged by itself at the right times.
Yes it is being started as root with /etc/init.d/squid restart, or by
the boot sequence.
The line http_port 192.168.60:80 vhost vport=8080 has a typo, which I
have since corrected.
In fact I have been researching this quite extensively and have tried
a number of different configurations of squid.conf without success so
far.
My squid.conf now looks like this:
visible_hostname Base
acl IQNetwork src 192.168.60.0/24
acl all src 0.0.0.0/0.0.0.0
http_access allow IQNetwork
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
I have downloaded and recompiled Squid2.6.STABLE17 as part of the
ongoing effort to get it working, but still no joy.
My iptables look like this:
root@Base:/home/dave# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.60.254:3128
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.168.60.254:3128
The current releases of squid do not support HTTPS transparently.
There is only an experimental patch waiting for 3.1 called SSLBump which
is supposed to handle that sort of thing.
DNAT tcp -- anywhere anywhere tcp dpt:3128 to:192.168.60.254:3128
DNAT tcp -- anywhere anywhere tcp dpt:webcache to:192.168.60.254:3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- 192.168.60.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
But still no joy....
Does squid have port 80 outbound without going through the redirect?
What does cache.log say? (usually .../logs/cache.log)
Amos
--
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
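
Added example, not part of the original thread and not Squid project code: a small audit of NAT rules in `iptables -t nat -S` form. It flags rules that hand HTTPS to the proxy port (which the reply above says these releases cannot intercept) and rules with no source or interface match, which is the case behind the question about Squid's own port 80 traffic. The rule text is constructed from the listing in the thread; PROXY_PORT and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit NAT redirect rules for a transparent Squid setup.
# Input is `iptables -t nat -S` / `iptables-save -t nat` style rule lines.

PROXY_PORT=3128   # assumption: the http_port from the squid.conf above

# Constructed sample mirroring the rules listed in the thread
# (www=80, https=443, webcache=8080).
sample_rules() {
cat <<'EOF'
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.60.254:3128
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.60.254:3128
-A PREROUTING -p tcp -m tcp --dport 3128 -j DNAT --to-destination 192.168.60.254:3128
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.60.254:3128
-A POSTROUTING -s 192.168.60.0/24 -j MASQUERADE
EOF
}

# Reads rule lines on stdin and prints one finding per line:
#   HTTPS_TO_PROXY  port 443 is being sent to the plain-HTTP proxy port
#   UNSCOPED        no -s/-i match, so the rule applies to every source
#                   that traverses this chain, the proxy host included
audit_nat_rules() {
  awk -v port="$PROXY_PORT" '
    /-j (DNAT|REDIRECT)/ {
      dport = ""; target = ""; scoped = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "--to-destination" || $i == "--to-ports") target = $(i + 1)
        if ($i == "-s" || $i == "-i") scoped = 1
      }
      # Only rules that deliver traffic to the proxy port are of interest.
      n = split(target, parts, ":")
      if (parts[n] != port) next
      if (dport == "443" || dport == "https")
        print "HTTPS_TO_PROXY dport=" dport
      if (!scoped)
        print "UNSCOPED dport=" dport
    }'
}

# Stand-alone run over the constructed sample.
sample_rules | audit_nat_rules
```

On a live box the same function can be fed with `iptables -t nat -S | audit_nat_rules`.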