Asim Ahmed @ Folio3 wrote:
Chris Robertson wrote:
Asim Ahmed @ Folio3 wrote:
hi all,
I am using squid 3.0Stable20-1 along with Shorewall 4.4.4-1 on a
RHEL5 box. I had a few problems running squid in transparent mode so
now I am running it in non-transparent mode.
Please use the term "interception" instead of "transparent".
Everything like browsing / IM tools is working fine. A major problem
that I am facing is that quite a few users in my staff use TFS
(Team Foundation Server - a code repository running on port 8080)
remotely. After installing squid they are having great difficulty
connecting to that server. I am REDIRECTING port 80 traffic from
shorewall to squid on the same box.
Which indicates you are still INTERCEPTING traffic.
/_*not any more, I've set up client browsers with IPs & ports*_/
I tried same approach and REDIRECTED port 8080 traffic to squid as
well and made an ACL in squid.conf to allow that particular traffic
to that particular server address over port 8080.
Why wouldn't it be allowed? Port 8080 is included in "Safe_ports".
Assuming you are allowing access to your cache based on source IP,
you shouldn't need a special rule allowing traffic to a particular
server's port 8080.
But why is it failing the requests with a 401 error? /_*The remote server
requests username/password, and even then the request fails*_/
When I look at the squid access log, the traffic shows up there but with HTTP
401 code, which means not-authorized request. On the TFS screen users also
get "you are not authorized to connect to this server" error. This
does not make any sense because without squid they just connect on the
first attempt.
Please share your squid.conf (minus comments and blank lines).
Otherwise have a look at
http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
I'd try allowing access to the TFS before you check for MimeTypes and
keywords.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl folio3Network src 192.168.4.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl super_users src "/etc/squid/f3_acls/super_users.acl"
acl gerrys_users src "/etc/squid/f3_acls/gerrys_groups.acl"
acl netsat_users src "/etc/squid/f3_acls/netsat_groups.acl"
acl managers src "/etc/squid/f3_acls/managers.acl"
acl facebook dstdomain "/etc/squid/f3_acls/facebook.acl"
acl facebook_users src "/etc/squid/f3_acls/facebook_users.acl"
acl blocked_sites dstdomain "/etc/squid/f3_acls/blocked_sites.acl"
acl blocked_request_mt req_mime_type -i "/etc/squid/f3_acls/blocked_mimetypes.acl"
acl blocked_reply_mt rep_mime_type -i "/etc/squid/f3_acls/blocked_mimetypes.acl"
acl blocked_keywords url_regex -i "/etc/squid/f3_acls/blocked_keywords.acl"
acl gaming_sites dstdomain "/etc/squid/f3_acls/gaming_sites.acl"
acl server_machines src "/etc/squid/f3_acls/server_machines.acl"
acl TFS dst <ip.of.tfs.machine>
acl working_hours time MTWHF 09:00-13:00
acl working_hours time MTWHF 14:00-18:30
acl gaming_hours time MTWHF 21:00-23:59
acl gaming_hours time MTWHF 01:00-07:00
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow super_users
http_access allow facebook_users facebook
http_access allow TFS
http_access deny working_hours blocked_sites
http_access deny working_hours blocked_request_mt
http_access deny working_hours blocked_keywords
http_access deny !gaming_hours gaming_sites
http_access allow managers
http_access allow gerrys_users
http_access allow netsat_users
http_access allow server_machines
http_access allow localhost
http_access deny all
http_reply_access allow super_users
http_reply_access deny working_hours blocked_reply_mt
icp_access allow folio3Network
icp_access deny all
htcp_access allow folio3Network
htcp_access deny all
http_port 4044
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/spool/squid 10240 16 256
access_log /var/log/squid/access.log squid
cache_store_log none
logfile_rotate 10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
negative_ttl 0 seconds
visible_hostname LIANA
icp_port 3130
coredump_dir /var/spool/squid
I even tried adding a rule in shorewall to process 8080 traffic
before I redirect traffic to squid, but that makes things unreliable
in the sense that sometimes it works, and at times it does not!
Can anyone help by suggesting any measures to get over this?
Is this squid's normal behaviour to stop shorewall from normal
working when installed?
No.
Does squid take over control of system ports in use by shorewall?
Only if you configure it to.
Chris
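The http_access rules in the posted squid.conf are evaluated top to bottom and the first line whose ACLs all match decides the request, which is why Chris suggests checking the TFS rule before the MIME-type and keyword rules. The evaluator below is an added example (not code from this thread and not part of Squid) that models that first-match logic over a subset of the posted configuration, so you can check which rule a given request hits. It assumes a placeholder TFS address of 192.168.4.200 in place of <ip.of.tfs.machine>, constructed contents for the "/etc/squid/f3_acls/*.acl" list files, and only the ACL types src, dst, dstdomain, port, method, proto and time; the req_mime_type, rep_mime_type and url_regex rules from the real config are left out.

```python
"""Added example: first-match evaluator for Squid http_access rules.

Squid walks http_access lines top to bottom; the first line whose ACLs
all match decides the request. Repeated `acl` lines with the same name
OR their values together. This is a model of those semantics, not Squid.
"""
from dataclasses import dataclass
from datetime import time
import ipaddress

# Constructed stand-ins for the "/etc/squid/f3_acls/*.acl" list files.
ACL_FILES = {
    "super_users.acl": ["192.168.4.10"],
    "managers.acl": ["192.168.4.0/26"],
    "blocked_sites.acl": [".blocked.example"],
}
TFS_IP = "192.168.4.200"  # placeholder for <ip.of.tfs.machine>

# Subset of the posted squid.conf, in the same order as on the page.
CONFIG = f"""
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl super_users src "/etc/squid/f3_acls/super_users.acl"
acl managers src "/etc/squid/f3_acls/managers.acl"
acl blocked_sites dstdomain "/etc/squid/f3_acls/blocked_sites.acl"
acl TFS dst {TFS_IP}
acl working_hours time MTWHF 09:00-13:00
acl working_hours time MTWHF 14:00-18:30
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow super_users
http_access allow TFS
http_access deny working_hours blocked_sites
http_access allow managers
http_access allow localhost
http_access deny all
"""


@dataclass
class Request:
    src: str
    dst_ip: str
    dst_host: str
    port: int
    method: str = "GET"
    proto: str = "http"
    weekday: str = "M"  # Squid day letters: S M T W H F A
    clock: time = time(10, 0)


def _values(kind, args):
    """Expand one acl line's arguments into comparable values."""
    if args and args[0].startswith('"'):  # "/path/to/list.acl"
        args = ACL_FILES[args[0].strip('"').rsplit("/", 1)[-1]]
    if kind in ("src", "dst"):
        return [ipaddress.ip_network(a, strict=False) for a in args]
    if kind == "port":  # "80" or "1025-65535"
        return [(int(a.split("-")[0]), int(a.split("-")[-1])) for a in args]
    if kind == "time":  # "MTWHF 09:00-13:00"
        lo, hi = (time.fromisoformat(t) for t in args[1].split("-"))
        return [(args[0], lo, hi)]
    if kind in ("method", "proto", "dstdomain"):
        return [a.lower() for a in args]
    raise ValueError(f"unsupported acl type {kind}")


def parse(config):
    acls, rules = {}, []
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0] == "acl":
            entry = acls.setdefault(parts[1], (parts[2], []))
            entry[1].extend(_values(parts[2], parts[3:]))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def matches(acls, term, req):
    """Does one rule term (possibly '!name') match the request?"""
    negate = term.startswith("!")
    name = term.lstrip("!")
    if name == "all":  # Squid's built-in catch-all ACL
        return not negate
    kind, vals = acls[name]
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req.src if kind == "src" else req.dst_ip)
        hit = any(ip in net for net in vals)
    elif kind == "dstdomain":  # ".example" also matches subdomains
        h = req.dst_host.lower()
        hit = any(h == v or (v.startswith(".") and (h == v[1:] or h.endswith(v)))
                  for v in vals)
    elif kind == "port":
        hit = any(lo <= req.port <= hi for lo, hi in vals)
    elif kind == "method":
        hit = req.method.lower() in vals
    elif kind == "proto":
        hit = req.proto.lower() in vals
    else:  # time
        hit = any(req.weekday in d and lo <= req.clock <= hi for d, lo, hi in vals)
    return hit != negate


def evaluate(acls, rules, req):
    """Return (action, rule text). With no match, Squid applies the
    opposite of the last rule's action."""
    for action, terms in rules:
        if all(matches(acls, t, req) for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    return ("deny" if rules[-1][0] == "allow" else "allow"), "implicit default"


ACLS, RULES = parse(CONFIG)


def decide(req):
    return evaluate(ACLS, RULES, req)


if __name__ == "__main__":
    print(decide(Request("192.168.4.50", TFS_IP, "tfs.corp.example", 8080)))
```

A plain GET to the TFS address on port 8080 from a staff machine lands on `http_access allow TFS` before the working-hours deny rules are reached, so the 401 in the access log is not produced by an http_access deny; a CONNECT to the same port, by contrast, is stopped by `deny CONNECT !SSL_ports`, which is worth knowing if a client tries to tunnel to port 8080 through the proxy.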