
Re: Squid +XChat + Bitlbee

stephane lepain wrote:
Amos Jeffries wrote:
stephane lepain wrote:
Hi,

I have added an acl in order for me to connect to XChat through my proxy. It works fine. Now I want to use Bitlbee using XChat to try to connect to MSN, with everything going through my proxy. Every time I launch Bitlbee I get the error HTTP/1.0 503 Service Unavailable. Proxy traversal failed. The way I connect to Bitlbee through XChat is "/server 127.0.0.1", and this is when I get the error mentioned above. I can't see the reason why I would be able to connect to XChat and not Bitlbee. When I check the access.log I do see a TCP_MISS 503. Thanks for your help.

That would be because your squid is not listening on 127.0.0.1.

Let's go over your config and improve it a bit, shall we?


### ACCESS CONTROLS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge   method PURGE
acl CONNECT method CONNECT
acl iguane     src 192.168.1.8 127.0.0.1
acl heaven     src 192.168.1.10
acl zongo      src 192.168.1.5
acl margoullat src 192.168.1.6 192.168.1.7
acl livebox    src 192.168.1.1
acl xchat      port 6667 1863
http_access allow CONNECT xchat
http_access deny CONNECT xchat

The allow line above lets anyone use xchat through you.
Blocking it here or below has no effect.

http_access allow iguane
http_access allow heaven
http_access allow zongo### OPTIONS FOR X-FORWARDED-FOR
### NETWORK OPTIONS

That missing newline will be causing some problems I think.

http_access allow margoullat
http_access allow livebox

You could create a single ACL which contains all those machines' IP addresses (like Safe_ports is done) instead of a separate line each. That would help keep this and the ICP lines below synced up.

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost

Like I said to someone else recently, these safety controls (from the manager down) need to be at the top of the squid http_access lines to have any effect.

NP: If "deny CONNECT !SSL_ports" blocks your xchat, just add " !xchat" at the end of it.

http_access deny all

icp_access allow iguane
icp_access allow heaven
icp_access allow zongo
icp_access allow margoullat
icp_access allow livebox

Again, combining these machines into a single ACL will let you use it here too in a nice and short way.

icp_access deny ALL

Might be worth changing the case on that one ;-)

http_port 192.168.1.7:3128

And here Squid is ONLY listening on the public IP address of its machine. If you only have one network card you can safely remove the IP address part of that line.

hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
quick_abort_min  0 KB
quick_abort_max  0 KB
quick_abort_pct  95
negative_ttl 2 minutes
request_header_max_size 12 KB
request_header_max_size 12 KB
request_body_max_size   0  KB # 0=nolimit
via off
cache_vary off
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
refresh_stale_hit 5 seconds
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all

Huh? You never want to log in anywhere external?

header_access Link deny all
forward_timeout 2 minutes
cache_mgr penguindeb@xxxxxxxxx
htcp_port 4827
cache_peer cache.orange.fr parent 3128 3130 default no-query
hosts_file /etc/hosts
append_domain .macitos.fr
memory_pools_limit 50 MB
forwarded_for off
client_db off
reload_into_ims on
coredump_dir /var/spool/squid


Amos

Hi Amos,

Thanks for the great advice. I have changed the conf:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge   method PURGE
acl CONNECT method CONNECT
acl locallan   src 192.168.1.0/24
acl xchat      port 6667

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports !xchat
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow locallan
http_access deny all
icp_access allow locallan

For the line "http_port 192.168.1.7:3128": I do have two NICs on that server.

As far as connecting Bitlbee on 127.0.0.1, I am changing it to one of the squid server NICs. That way, I can see that squid is now filtering, and I think it is more secure (I have a lot more control).

On the same subject, is Squid capable of filtering BitTorrent? I am using it to filter eMule, which works great, but last night, to my surprise, Squid didn't filter BitTorrent.

Could you please advise ?

Not natively. It will give some limited control if BitTorrent is configured to use CONNECT requests through the HTTP proxy.

But at present that is all. Torrent is on the long-term todo list, but there is much that needs work before we get to it. If you want it in any reasonable time frame, it will take sponsorship money.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
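
The ordering problem Amos points out above, as an added worked example that is not part of the thread and not Squid's own code. It parses a cut-down subset of squid.conf (only the acl types src, dst, port and method, plus http_access lines; a single locallan ACL stands in for the per-host ACLs in the posted config) and evaluates requests the way Squid does: the first http_access line on which every ACL term matches decides, and when no line matches the default is the opposite of the last line's action. The client and server addresses (203.0.113.5 as an outside host, 192.168.1.10 as a LAN host, 198.51.100.7 as an IRC server) and the scenario names are constructed for the example.

```python
"""Model of Squid's first-match http_access evaluation. Added example, not
Squid code: shows how rule order alone turns the posted config into an open
proxy for IRC ports and disarms its safety rules for LAN clients."""
import ipaddress
from collections import namedtuple

# src = client IP, dst = IP the destination resolves to, port = destination
# port from the URL or CONNECT target, method = HTTP method (GET, CONNECT ...)
Request = namedtuple("Request", "src dst port method")

# ACLs shared by both orderings, cut down from the thread's config; one
# locallan ACL stands in for the per-host ACLs (assumption for the example).
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl locallan src 192.168.1.0/24
acl xchat port 6667 1863
"""
# Order as posted: CONNECT to IRC ports allowed before any source check, and
# the safety rules placed after the source allows, where they never fire.
ORIGINAL_ORDER = ACLS + """
http_access allow CONNECT xchat
http_access deny CONNECT xchat
http_access allow locallan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
"""
# Order Amos recommends: safety rules first (xchat exempted from the CONNECT
# restriction), then the source-based allows, then deny all.
CORRECTED_ORDER = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !xchat
http_access deny to_localhost
http_access allow localhost
http_access allow locallan
http_access deny all
"""

def parse_conf(text):
    """Parse acl src/dst/port/method and http_access lines; nothing else."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#")[0].split()
        if not words:
            continue
        if words[0] == "acl":  # repeated lines for one acl name append
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
        else:
            raise ValueError(f"unsupported directive: {raw.strip()}")
    return acls, rules

def port_in(spec, port):
    """True if port lies in a 'port' acl argument: '443' or '1025-65535'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def acl_matches(acls, name, req):
    kind, args = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req.src if kind == "src" else req.dst)
        return any(addr in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":
        return any(port_in(a, req.port) for a in args)
    if kind == "method":
        return req.method.upper() in [m.upper() for m in args]
    raise ValueError(f"unsupported acl type {kind}")

def decide(acls, rules, req):
    """Return (action, line index). The first http_access line on which every
    term matches wins ('!' negates a term); with no match, Squid's default is
    the opposite of the last line's action (index None)."""
    for index, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed requests: 203.0.113.5 is an outside host, 192.168.1.10 a LAN
# host, 198.51.100.7 an IRC server, 127.0.0.1 the proxy's own loopback.
SCENARIOS = {
    "outside host CONNECT to IRC port": Request("203.0.113.5", "198.51.100.7", 6667, "CONNECT"),
    "LAN host CONNECT to IRC port": Request("192.168.1.10", "198.51.100.7", 6667, "CONNECT"),
    "LAN host CONNECT to port 8080": Request("192.168.1.10", "198.51.100.7", 8080, "CONNECT"),
    "LAN host GET to proxy loopback": Request("192.168.1.10", "127.0.0.1", 80, "GET"),
}

def compare(scenarios=SCENARIOS):
    """Map each scenario to (decision under posted order, under corrected order)."""
    posted, fixed = parse_conf(ORIGINAL_ORDER), parse_conf(CORRECTED_ORDER)
    return {name: (decide(*posted, req)[0], decide(*fixed, req)[0])
            for name, req in scenarios.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:33} posted: {before:5} corrected: {after}")
```

Running it shows the two effects Amos describes: an outside host's CONNECT to port 6667 is allowed by the posted order (it hits "allow CONNECT xchat" before any source check) and denied by the corrected order, and a LAN client's CONNECT to port 8080 is allowed as posted because "allow locallan" is reached before "deny CONNECT !SSL_ports", while the corrected order denies it. The model ignores everything else Squid does (authentication, external and "slow" ACLs, dstdomain lookups), so it is a way to reason about ordering, not a replacement for testing the real proxy.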
