stephane lepain wrote:
Amos Jeffries wrote:
stephane lepain wrote:
Hi,
I have added an acl in order for me to connect to Xchat through my
proxy. It works fine. Now, I want to use bitlbee using XChat to try
to connect to msn and everything going through my proxy. Every time I
launch Bitlbee I get the error HTTP/1.0 503 Service Unavailable.
Proxy traversal failed. The way I connect to bitlbee through Xchat is
"/server 127.0.0.1" and then this is when I get the error mentioned
above.
I can't see the reason why I would be able to connect to XChat and
not bitlbee. When I check the access.log I do see a tcp_miss 503.
Thanks for your help
That would be because your squid is not listening on 127.0.0.1.
Let's go over your config and improve it a bit, shall we?
### ACCESS CONTROLS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl iguane src 192.168.1.8 127.0.0.1
acl heaven src 192.168.1.10
acl zongo src 192.168.1.5
acl margoullat src 192.168.1.6 192.168.1.7
acl livebox src 192.168.1.1
acl xchat port 6667 1863
http_access allow CONNECT xchat
http_access deny CONNECT xchat
The allow line above lets anyone use xchat through you.
Blocking it here or below has no effect.
http_access allow iguane
http_access allow heaven
http_access allow zongo### OPTIONS FOR X-FORWARDED-FOR
### NETWORK OPTIONS
That missing newline will be causing some problems I think.
http_access allow margoullat
http_access allow livebox
You could be creating a single ACL which contains all those machines'
IP addresses (like Safe_ports is done) instead of a separate line
each. That would help keep this and the ICP lines below sync'd up.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
Like I said to someone else recently, these safety controls (from the
manager down) need to be at the top of the squid http_access lines to
have any effect.
NP: If "deny CONNECT !SSL_Ports" blocks your xchat just add " !xchat"
at the end of it.
http_access deny all
icp_access allow iguane
icp_access allow heaven
icp_access allow zongo
icp_access allow margoullat
icp_access allow livebox
Again, combining these machines into a single ACL will let you use it
here too in a nice and short way.
icp_access deny ALL
Might be worth changing the case on that one ;-)
http_port 192.168.1.7:3128
And here Squid is ONLY listening on the public IP address of its
machine. If you only have one network card you can safely remove the
IP address part of that line.
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
negative_ttl 2 minutes
request_header_max_size 12 KB
request_header_max_size 12 KB
request_body_max_size 0 KB # 0=nolimit
via off
cache_vary off
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
refresh_stale_hit 5 seconds
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
Huh? You never want to login anywhere external?
header_access Link deny all
forward_timeout 2 minutes
cache_mgr penguindeb@xxxxxxxxx
htcp_port 4827
cache_peer cache.orange.fr parent 3128 3130 default no-query
hosts_file /etc/hosts
append_domain .macitos.fr
memory_pools_limit 50 MB
forwarded_for off
client_db off
reload_into_ims on
coredump_dir /var/spool/squid
Amos
Hi Amos,
Thanks for the great advice. I have changed the conf:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
*acl locallan src 192.168.1.0/24*
*acl xchat port 6667*
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports *!xchat*
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
*http_access allow locallan*
http_access deny all
*icp_access allow locallan*
For the line "http_port 192.168.1.7:3128", I do have two nics on that
server.
As far as connecting bitlbee on 127.0.0.1, I am changing it to one of
the squid server NICs. That way, I can see that squid is now filtering
and I think it is more secure (I have a lot more control).
On the same subject, is Squid capable of filtering BitTorrent? I am using
it to filter eMule, which works great, but last night to my surprise Squid
didn't filter BitTorrent.
Could you please advise?
Not natively. It will do some limited control if BitTorrent is
configured to use CONNECT requests through HTTP-Proxy.
But at present that is all. Torrent is on the long-term todo list, but
there is much that needs work before we get to it. If you want it
anytime reasonable it will take sponsorship money.
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
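The point Amos makes about rule ordering (an "allow CONNECT xchat" placed before the safety controls lets anyone use the proxy for those ports, and safety controls placed after a broad allow never fire) follows from Squid's http_access semantics: lines are checked top to bottom, every ACL on a line must match, and the first matching line decides. The toy evaluator below is an added example, not part of the thread and not Squid's own code; it models only the src, port and method ACL types used in this thread, and the two configs and client addresses it runs against are constructed for illustration (203.0.113.9 is a documentation address standing in for an outside client).

```python
"""Toy model of Squid's http_access evaluation: first matching line wins,
every ACL named on a line must match (AND), and if no line matches the
default is the opposite of the last line's action (Squid's documented rule).
Added example for the squid-users thread above; not Squid's own code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client IP address
    method: str   # e.g. "GET" or "CONNECT"
    port: int     # destination port


# Constructed config in the ORIGINAL ordering from the thread: the xchat
# allow and the per-host allow sit above the safety controls.
ORIGINAL_ORDER = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl xchat port 6667 1863
acl locallan src 192.168.1.0/24
http_access allow CONNECT xchat
http_access allow locallan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Same ACLs reordered as Amos advises: safety controls first, the xchat
# exception attached to the CONNECT rule, LAN allow after the controls.
FIXED_ORDER = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl xchat port 6667 1863
acl locallan src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !xchat
http_access allow localhost
http_access allow locallan
http_access deny all
"""


def parse_config(text):
    """Return (acls, rules) from the acl/http_access lines of a squid.conf."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, {"type": acl_type, "values": []})
            entry["values"].extend(values)       # repeated acl lines accumulate
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))      # (action, [(negated, name)])
    return acls, rules


def acl_matches(acl, req):
    """Match the three ACL types this thread relies on: src, port, method."""
    kind, values = acl["type"], acl["values"]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:                          # "443" or "1025-65535"
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in (v.upper() for v in values)
    raise ValueError(f"acl type {kind!r} is not modelled in this example")


def evaluate(config_text, req):
    """Return 'allow' or 'deny' for req under the given config."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    outside_irc = Request("203.0.113.9", "CONNECT", 6667)   # not on the LAN
    lan_smtp = Request("192.168.1.8", "CONNECT", 25)        # LAN host, unsafe port
    for label, cfg in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "outside CONNECT 6667 ->", evaluate(cfg, outside_irc))
        print(label, "LAN CONNECT 25      ->", evaluate(cfg, lan_smtp))
```

Running it shows both of Amos's points at once: under the original ordering the outside client is allowed to CONNECT to port 6667 and the LAN host is allowed to CONNECT to port 25 because "allow locallan" is reached before "deny !Safe_ports"; under the fixed ordering both are denied while normal LAN web traffic and LAN IRC are still allowed.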