Hi - noob here, I've searched the archives and not been able to find an
answer so I thought I'd post. Apologies if it's been covered before.
I have a debian squid server on our school's intranet called apollo.
apollo has a parent proxy which we must use to access the internet,
called proxy.embc.etc.etc. I cannot alter the embc proxy at all.
The embc proxy applies a lower level of filtering for client 10.16.52.13
only and a higher level for all other ips (our range is 10.16.52.0 to
10.16.54.255)
All our clients are configured to pass through our proxy apollo, I wish
to set rules up so that staff get the lower level of external filtering
and the rest get the higher level of filtering.
Currently I am testing this on my own pc acl mark_pc but will change for
all staff once I get this working.
I have set up an alias ip address on our proxy apollo and added what I
believe are the following significant lines to squid.conf
acl mark_pc src 10.16.52.33
tcp_outgoing_address 10.16.52.13 mark_pc
tcp_outgoing_address 10.16.52.237
server_persistent_connections off
however this hangs and timeouts my internet connection or slows it down
significantly. This is immediately fixed if I comment out the line
#tcp_outgoing_address 10.16.52.13 mark_pc
Can anyone shed light on this problem? Please page down for Conf file
***** Other tests I've tried. ******
1) Setting up a workstation on 10.16.52.13 and setting it to use
proxy.embc.etc directly - this worked fine.
2) Connecting to a server running phpinfo beyond both proxies
this reported the following whether the line was commented or not.
HTTP_X_FORWARDED_FOR 10.16.52.33, 10.16.52.237
which makes me think that the embc server was not getting the correct Ip
alias at all (10.16.52.13) but the main one for eth0
************************************************************************************
### Output of ifconfig
apollo:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0E:0C:37:D4:B8
inet addr:10.16.52.237 Bcast:10.16.255.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3716779 errors:0 dropped:0 overruns:0 frame:0
TX packets:3888417 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2513027641 (2.3 GiB) TX bytes:2760724194 (2.5 GiB)
Base address:0xde80 Memory:fea80000-feaa0000
eth0:0 Link encap:Ethernet HWaddr 00:0E:0C:37:D4:B8
inet addr:10.16.52.13 Bcast:10.16.255.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0xde80 Memory:fea80000-feaa0000
************************************************************************************
### My squid.conf slightly edited for simplicity
http_port 3128
cache_mem 100 MB
cache_dir ufs /var/spool/squid 500 16 256
logfile_rotate 9
offline_mode off
maximum_object_size 102400 KB
reload_into_ims off
pipeline_prefetch off
strip_query_terms off
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
acl my_network src 10.16.52.0/255.255.252.0
acl intranet dst 10.16.52.0/255.255.252.0
acl all src 0.0.0.0/0.0.0.0
acl SquidGuard_Rules ident REQUIRED
acl local_network url_regex -i http://apollo* http://www.apollo*
http://test.apollo* https://apollo* http://staffnet* http://filtered*
http://filtered/ http://thor* http://10.16.5*
acl mark_pc src 10.16.52.33
acl notts_lea_intranet url_regex -i http://intra.nottinghamcity.gov.uk*
acl blocked_domains dstdomain "/etc/squid/acl/blocked_domains.txt"
acl staff ident fee.m wadsworth.k
http_access allow intranet local_network
http_access deny !SquidGuard_Rules
http_access deny banned_users
http_access deny blocked_domains
http_access deny !my_network
http_access allow SquidGuard_Rules
http_access deny all
deny_info http://filtered/?rule=noUser SquidGuard_Rules
deny_info http://apollo/access_denied.php?url=%s blocked_domains
cache_peer proxy.embc.org.uk parent 80 80 no-query
cache_peer_access proxy.embc.org.uk allow !intranet
cache_peer_domain proxy.embc.org.uk !apollo !apollo:10000 !www.apollo
!test.apollo !manning.nottingham.sch.uk !thor !filtered !staffnet
!cerberus !athena !athena:8080
cache_effective_user proxy
cache_effective_group proxy
never_direct allow all !intranet !notts_lea_intranet
always_direct allow notts_lea_intranet !all
hierarchy_stoplist intra.nottinghamcity.gov.uk
### If I uncomment out the mark_pc line below,
### the internet hangs from my PC
#tcp_outgoing_address 10.16.52.13 mark_pc
tcp_outgoing_address 10.16.52.237
server_persistent_connections off