hi,
First I tried to run squid as a transparent (interception) proxy; that
didn't work. Browsing and other internet usage became too inconsistent.
Too many breakups were occurring, and all of a sudden browsing would stop and
restart after some time, ranging from 30 seconds to a few minutes.
Hitting the F5 key numerous times opens up the page. I used this rule from
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
to redirect traffic to squid on port 3128:
#ACTION    SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
#                                  PORT(S)   PORT(S)   DEST
ACCEPT     $FW      net    tcp     www
REDIRECT   loc      3128   tcp     www       -         -
Now I am running in non-transparent mode. Browsing is working fine but
there are a few major problems I'm facing:
1. All users have to enter proxy settings in their default browsers. Now some
applications don't have proxy settings and some don't work with proxy
servers. These applications are having great difficulty with this new
proxy setting, hence users are getting frustrated.
2. Ideally squid should only interfere with port 80 traffic and the rest of
the traffic should be handled by shorewall as before, but it seems like
this is not happening.
I am using these rules, as mentioned in the following link
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall, with the
non-transparent proxy in my rules file:
Squid as a Manual Proxy
/etc/shorewall/rules:
#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT     loc      $FW    tcp     3128
ACCEPT     $FW      net    tcp     80
Now I have these questions; if anyone can answer, it might help me:
Q-1 -> Is the placement of both rules above (transparent /
non-transparent) in the rules file significant? I am placing these rules
on the first line in the rules file right now in both cases.
Q-2 -> Do I need to modify any other shorewall file if I install squid
on the same machine (firewall) as shorewall?
Q-3 -> What do I need to do to let https traffic go through the proxy as
well? If I modify the rule in the 2nd line as 80,443 and check squid access.log,
TCP_DENIED shows up although SSL_Ports & Safe_Ports are both allowed
access explicitly in squid.
Q-4 -> If I have a link to access (apology for being so kinky, but I'm
exhausted by config fixes b/w shorewall & squid) such as
https://64.50.169.94:20098, where should this traffic go, to shorewall or
squid (in case the 2nd line reads as 80,443)?
http://w.x.y.z:8080: where should this traffic go, provided that squid is
listening for port 80 traffic (http)? Does port 8080 in the URL change its
traffic type from http (port 80)?
Q-5 -> Do I need to set up something in squid to let people use a code
repository running on a remote server at a URL like http://w.x.y.z:8080/
requiring users to authenticate to access code? I see requests going
through but returned with TCP_MISS/401 (Unauthorized), and users get an
error message on the application interface saying "you are not authorized to
access this server". Users give the correct username/pwd in the box that
appears for authentication.
--
Regards,
Asim Ahmed Khan
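The questions above (Q-3 and Q-5) turn on reading squid's access.log correctly: a TCP_DENIED entry with HIER_NONE means squid's own ACLs refused the request before it contacted anything, while a TCP_MISS/401 with a real peer means squid forwarded the request and the origin server refused the credentials. The following script is an added example, not from the original post or from the Squid or Shorewall projects; it parses access.log lines in squid's default native layout (timestamp, elapsed, client, result/status, bytes, method, URL, ident, hierarchy/peer, type), attributes each failure to the proxy or the origin, and lists denied CONNECT targets. The log lines are constructed sample data and the function names are my own.

```python
"""Attribute failed requests in a Squid native-format access.log to the
proxy's own ACLs or to the origin server, and list denied CONNECT targets."""
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample lines (not a real log) in Squid's native access.log layout:
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1420070400.101    120 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1420070401.202      0 192.168.1.10 TCP_DENIED/403 3456 CONNECT 64.50.169.94:20098 - HIER_NONE/- text/html
1420070402.303    210 192.168.1.11 TCP_MISS/401 1020 GET http://w.x.y.z:8080/repo/ - HIER_DIRECT/w.x.y.z text/html
1420070403.404    198 192.168.1.11 TCP_MISS/401 1020 GET http://w.x.y.z:8080/repo/ - HIER_DIRECT/w.x.y.z text/html
1420070404.505      0 192.168.1.12 TCP_DENIED/403 3456 CONNECT example.com:443 - HIER_NONE/- text/html
"""


class Entry(NamedTuple):
    client: str
    result: str   # Squid result code, e.g. TCP_MISS or TCP_DENIED
    status: int   # HTTP status Squid returned to the client
    method: str
    url: str
    peer: str     # hierarchy/peer field; HIER_NONE/- when nothing was contacted


def parse_line(line: str) -> Entry:
    """Split one native-format line into the fields we care about."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = fields[3].split("/", 1)
    return Entry(client=fields[2], result=result, status=int(status),
                 method=fields[5], url=fields[6], peer=fields[8])


def parse_log(text: str) -> List[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify(entry: Entry) -> str:
    """Say who refused the request.

    proxy-acl    : Squid's ACLs denied it (TCP_DENIED, no peer contacted)
    origin-auth  : forwarded, but the origin answered 401 (credentials issue)
    origin-error : forwarded, origin answered some other 4xx/5xx
    ok           : served
    """
    if entry.result == "TCP_DENIED":
        return "proxy-acl"
    if entry.status == 401:
        return "origin-auth"
    if entry.status >= 400:
        return "origin-error"
    return "ok"


def summarize(text: str) -> Dict[str, Counter]:
    """Count entries per class and tally CONNECT targets that Squid denied."""
    entries = parse_log(text)
    by_class = Counter(classify(e) for e in entries)
    denied_connect = Counter(e.url for e in entries
                             if e.result == "TCP_DENIED" and e.method == "CONNECT")
    return {"by_class": by_class, "denied_connect": denied_connect}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for cls, n in sorted(report["by_class"].items()):
        print(f"{cls:13s} {n}")
    for target, n in report["denied_connect"].most_common():
        print(f"denied CONNECT {target} x{n}")
```

Run it against a real file with `summarize(open("/var/log/squid/access.log").read())`. A denied CONNECT to a non-443 port such as 64.50.169.94:20098 is the pattern to look for when checking the SSL_Ports ACL, whereas repeated origin-auth entries for one URL point at the credential exchange with the repository rather than at squid's ACLs.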