Let's just go over all these settings....
kang ason wrote:
--- kang ason <a550n@xxxxxxxxx> wrote:
Date: Fri, 1 Feb 2008 07:00:27 -0800 (PST)
From: kang ason <a550n@xxxxxxxxx>
Subject: Transparent Proxy by squid 2.6 stable 14 in ubuntu 7.10 not working
To: squid-users@xxxxxxxxxxxxxxx
Dear all
I have a server running squid (transparent proxy) on Linux (squid installed using Synaptic Package Manager on Ubuntu 7.10 with squid 2.6 Stable 14).
This server has two interfaces, eth0 to the internet & eth1 to the LAN.
And this is my squid.conf
http_port 192.168.10.10:8080 transparent
Fine. BUT, is 192.168.10.10 an IP assigned to eth1 ??
As a test you can drop the IP here and FW inbound traffic to 192.168.10.10:8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
You can kill these too and replace them with the refresh_patterns below.
cache_vary on
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 128 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 51200 KB
minimum_object_size 0 KB
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 5000 18 256
access_log /var/log/squid/access.log squid
cache_log /dev/null
Better to have a cache_log and see what's going wrong with squid when something does.
cache_store_log /dev/null
Better to use "cache_store_log none" and prevent all the attempted writes to /dev/null
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/share/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
log_fqdn off
ftp_user admin@server
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
Useful to add:
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
I know it's the default config line, but better to use CIDR or no mask here (default is /32)
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
It's useful to make sure _ALL_ of the SSL_Ports are also in Safe_Ports.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
## Client IP Address
acl VLAN10 src 192.168.10.0/255.255.255.0
Better to use CIDR 192.168.10.0/24
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny purge
http_access allow purge localhost
Ahhh... that will never match. The line above ALWAYS denies purge.
Kill it or switch the config lines.
http_access deny manager
http_access allow VLAN10
http_access allow manager localhost
Again, that will never match because of the global 'deny manager' above.
http_access allow localhost
http_access deny all
icp_access allow all
cache_mgr admin@server
cache_effective_user proxy
cache_effective_group proxy
visible_hostname Proxy.server
always_direct allow all
coredump_dir /var/spool/squid
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
store_dir_select_algorithm round-robin
## ---- end of squid.conf ----
And these are my iptables rules for squid transparent proxying:
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
Well, unless you have other IPs assigned to eth1, using the IP here is pretty redundant.
iptables -A PREROUTING -t nat -i eth1 -p tcp -s 192.168.10.0/24 -j ACCEPT
So what is NAT meant to be doing with this traffic? ACCEPT allows without changes.
It seems to me that port-80 traffic is being redirected to squid, and
the rest is let out into the internet with RFC1918 private addresses
(depending on "-t filter -A FORWARD" bridging rules).
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10/24 -j MASQUERADE
Try this:
iptables -t nat -A PREROUTING -o eth0 -s 192.168.10.10 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t filter -A FORWARD -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REJECT
When I look into /var/log/squid/access.log, I can't find clients accessing squid.
If a client sets the browser to use the proxy at 192.168.10.10 port 8080, I can see the client in /var/log/squid/access.log.
What is wrong with my squid.conf or iptables rules?
Why is the transparent proxy not working, & why must clients set the proxy in their browser if they want to use the proxy?
Also check that some form of transparency support has been built into
your squid.
Run 'squid -v'.
Look for '--enable-linux-netfilter' in the configured list.
thanks.
regards
ason
Cah Kopeng
Lereng Utara Gunung Merbabu
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
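The two ordering problems Amos points out (the global 'deny purge' and 'deny manager' lines shadowing the localhost allows) and his note that every SSL_ports entry should also be in Safe_ports follow from Squid's first-match http_access semantics. The script below is an added example written for this thread, not code from the thread or from the Squid project: it is a small model of that evaluation (src, method, port and proto ACLs only, with Squid's "no match means the opposite of the last line" default) and replays the poster's access rules next to a reordered copy with port 563 added to Safe_ports.

```python
"""Simplified model of Squid's first-match http_access evaluation.

Added example for the squid-users thread above; this is not Squid's own
code. Only src/method/port/proto ACLs are modelled, which is all the
thread's access rules use."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str                # client IP address
    method: str             # GET, CONNECT, PURGE, ...
    port: int               # destination port
    scheme: str = "http"    # "cache_object" for cachemgr requests


def to_cidr(value):
    """Accept 'a.b.c.d/255.255.255.0' (dotted mask) or 'a.b.c.d/24' (CIDR)."""
    addr, _, mask = value.partition("/")
    if "." in mask:  # dotted netmask -> prefix length
        mask = str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen)
    return f"{addr}/{mask or 32}"


def parse_acls(conf):
    """Collect 'acl NAME TYPE value...' lines; same-name lines accumulate."""
    acls = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(to_cidr(v), strict=False)
                   for v in values)
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    if kind == "port":
        for v in values:
            low, _, high = v.partition("-")     # single port or range
            if int(low) <= req.port <= int(high or low):
                return True
        return False
    if kind == "proto":
        return req.scheme in values
    raise ValueError(f"acl type {kind!r} not modelled here")


def evaluate(conf, req):
    """The first http_access line whose terms all match (AND) decides.
    If no line matches, Squid applies the opposite of the last line."""
    acls = parse_acls(conf)
    last = None
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        verdict, terms = parts[1], parts[2:]
        last = verdict
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return verdict, " ".join(parts)
    return ("deny" if last == "allow" else "allow"), "(no match: opposite of last line)"


# ACLs as posted in the thread (dotted masks kept on purpose; to_cidr handles them).
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 631 873 901
acl purge method PURGE
acl CONNECT method CONNECT
acl manager proto cache_object
acl VLAN10 src 192.168.10.0/255.255.255.0
"""

# The poster's order: the two localhost allows are unreachable.
ORIGINAL_ACCESS = ACLS + """
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny purge
http_access allow purge localhost
http_access deny manager
http_access allow VLAN10
http_access allow manager localhost
http_access allow localhost
http_access deny all
"""

# Reordered as Amos suggests, plus 563 added to Safe_ports so SSL_ports
# is a subset of Safe_ports.
FIXED_ACCESS = ACLS + """
acl Safe_ports port 563
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow purge localhost
http_access deny purge
http_access allow manager localhost
http_access deny manager
http_access allow VLAN10
http_access allow localhost
http_access deny all
"""

if __name__ == "__main__":
    probes = [Request("127.0.0.1", "PURGE", 80),
              Request("127.0.0.1", "GET", 3128, scheme="cache_object"),
              Request("192.168.10.5", "CONNECT", 563),
              Request("192.168.10.5", "GET", 80, scheme="cache_object")]
    for name, conf in (("original", ORIGINAL_ACCESS), ("fixed", FIXED_ACCESS)):
        for p in probes:
            print(name, p, "->", evaluate(conf, p))
```

Running it shows a PURGE from 127.0.0.1 and a cachemgr request from 127.0.0.1 hitting 'deny purge' and 'deny manager' under the original order and the localhost allows under the fixed order; a CONNECT to port 563 from the LAN is refused by 'deny !Safe_ports' until 563 is added, and a cachemgr request from the LAN stays denied in both layouts, which is the intended outcome.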