Re: Dual homed squid under XP problems

On 25/08/11 00:26, knapper wrote:

----- Original Message -----
From: "Amos Jeffries"
<snip>

FWIW; nothing you talk about below has anything to do with being dual-homed (connected to _three_ networks, two being Internet links).
Thanks.
What you are describing is a perfectly normal router setup with Squid on the router, which happens to run Windows XP.

Well in this case XP is NOT the router. That is handled by a separate router firewall.


So you have two routers. The squid box and the primary one.

Physical wiring:
 Clients->Router->Squid->Internet
or
 Clients->Squid->Router->Internet

Anyways, my point being this is normal standard config. :)


XP PRO with 2 nics. I need to set squid up to serve as a proxy server on one nic, and the other nic is the network interface.
Nic A: 192.168.0.195 is the Dell server box and it points to 0.1 for the internet gateway. I can browse the internet just fine without squid.
Nic B is 192.168.9.195, the second nic in the Dell box, and this is hooked to a WAP for the laptops in the small school. (not sure where to point its gateway, but I don't think pointing it to 0.195 is going to work).

I want to configure squid to listen on the 9.x network, and

   http_port 192.168.9.195:3128

relay, and cache the traffic out the 0.x network. This way

  acl localnet src 192.168.0.0/24
  http_access allow localnet

I'm confused here. http access needs to be limited to the 9.x network I think.

Oops, yes you are right there.

The local network will be the 9.x network, which are the school's laptops. They communicate over the wireless router (a D-Link) which is attached to a NIC that has the address 192.168.9.195

Ideally, the other nic will just attach to a DSL modem/gateway 192.168.0.1, and maybe the teacher's laptop.

The one wrinkle in that is the possibility of having to use a Cellular "dongle" because DSL is not available at the school. Essentially, that is a USB device that acts as a modem, and installs as any other network card. In that case, the "dongle" will be attached to the box that squid wants to run on, and I'll have to configure squid to use *its* ip address.

That would be up to the OS. All Squid does is open connections. Possibly with tcp_outgoing_address to force a particular IP address.


O.k. some questions here, what is the tcp_outgoing_address config line for? I was trying to use it to force traffic out. 192.168.0.1

The "source" IP address on Squid->Internet TCP connections. Should be completely optional. You could use it as an extra safety precaution to avoid firewall issues with the strict firewall rules I assume you will be adding. It can prevent things like the OS unexpectedly giving Squid a TCP connection " 192.168.9.195 -> *.*.*.* " for Internet requests. You can set the firewall with certainty that IP X will be used by squid outbound.



The squid service is currently just hanging.

Ah students. That scenario is one I'm quite familiar with.

PreK - 8th


When working with squid in school situations you will usually need to set it up as a captive portal proxy to prevent a lot of trivial bypassing.

This is why I want the actual access to the internet to be on the 0.x network, and only allow the students access to it THROUGH the cache side of squid.

Of course.

I should mention, you won't be able to use any of the transparent interception tricks due to Windows not having NAT support.


Look into blocking port 80 and other aliases of it getting to the Internet. Adding WPAD protocol to the network and a PAC file doing auto-configuration of browsers to use the proxy.

I'm lost on this one, will have to go look these up.


http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers


  The squid langpack bundles ship customizable error pages ERR_AGENT_* that can be displayed in a captive-portal setup to instruct the users to configure their browser properly for portals.

At which point you don't need NetNanny for HTTP. Squid provides a full array of URL and request controls. It passes traffic to other software (via HTTP or in 3.1+ via ICAP/eCAP) for the complex jobs of handling page content filtering.
  NP: NetNanny is not one of those other software AFAIK.

NetNanny is designed to run on one machine, and intercept browser traffic from that machine and filter it.
I need to fake it into thinking it is protecting just one machine, the "server", so it would be getting the requests out to 0.1 since it would be running with that as its gateway. It is a pretty comprehensive filtering package.

I believe that by running squid on one side, using it to cache content, and then pass content to the 0.1 side, that NetNanny will work on the 0.1 side, block any proxy bypasses, but happily send data back to the squid side.

Interesting. Might work. Depends on exactly what that anti-proxy functionality they were talking about does.

<snip>

Here is the config file that I tried to use. (I stripped all the comments out of this copy that I'm sending)

Can you take a quick look and tell me what I need to change, and what I can delete.

<snip, ignoring okay bits>
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
acl localnet src 172.16.0.0/16 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Those bits. Like they say, are examples. Replace the localnet lines above with the one for 192.168.9.0/24

<snip, ignoring okay bits>

# http_access deny all

Weird, but could cause you confusion later. Can erase that commented-out line.


http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports


There is "http_access allow localnet" missing right here.


http_access deny all

icp_access allow localnet
icp_access deny all

htcp_access allow localnet

ICP and HTCP are for proxy-to-proxy communications.
If you don't need it right now set them to just "deny all" and make sure the matching icp_port/htcp_port are set to 0. Can be easily set up later.


# Squid normally listens to port 3128
#http_port 3128
http_port 192.168.9.195:8080 no-connection-auth transparent
http_port 192.168.9.195:3128 no-connection-auth transparent
http_port 192.168.9.195:80 no-connection-auth transparent

This "transparent" could be part of the cause of your hang.

 ** Windows does not provide NAT.

Best you can do is use GPO policy and/or the WPAD protocol to do "transparent configuration"/auto-configuration on the network.
The squid part of that is a regular proxy port like "http_port 3128".



#internal nic 1
#acl normal_service_net src 192.168.9.0/8

NP: definitely not /8. Parts outside of the 192.168.*.*/16 are allocated to real organizations elsewhere.


#second nic to internet appliance
tcp_outgoing_address 192.168.0.1

This would be another part of the hang.

** Set to an IP on the Squid box facing the Internet. Or erase.


Otherwise it looks okay.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10

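Pulling Amos's review points together, here is a corrected squid.conf fragment for the two-NIC setup described in this thread. It is an added example, not from the original post or from the Squid project's own defaults. It assumes the addresses given in the thread (student-facing NIC 192.168.9.195, Internet-facing NIC 192.168.0.195, gateway 192.168.0.1), a single explicit proxy port 3128, and that the stock Squid 3.1 ACL definitions (manager, localhost, Safe_ports, SSL_ports) appear earlier in the file.

```conf
# Added example: squid.conf fragment for a Windows XP box with two NICs.
# Assumes the default manager/localhost/Safe_ports/SSL_ports ACLs are
# already defined above this point, as in the stock 3.1 squid.conf.

# Only the wireless (student) segment is a client network. Note /24, not /8:
# 192.0.0.0/8 would cover address space allocated to other organisations.
acl localnet src 192.168.9.0/24

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# The allow rule must sit before "deny all"; without it every request is refused.
http_access allow localnet
http_access deny all

# One plain (explicit) proxy port, bound to the student-facing NIC only.
# No "transparent": there is no NAT on Windows to redirect traffic to it.
http_port 192.168.9.195:3128

# Proxy-to-proxy protocols are not needed for a single proxy; close them off.
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all

# Pin outbound connections to the Squid box's own Internet-facing address.
# 192.168.0.1 is the gateway, not an address on this host, and cannot be bound.
tcp_outgoing_address 192.168.0.195
```

The firewall on the Internet-facing side can then be written to expect only source 192.168.0.195 from this host, which is the "certainty" Amos refers to. The laptops on 192.168.9.0/24 must be told to use 192.168.9.195:3128 (by hand, GPO, or WPAD/PAC), since nothing intercepts their traffic for them.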

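For the WPAD/PAC auto-configuration Amos mentions, this is an added example of a proxy auto-configuration (PAC) script for the school laptops; it is not part of the original thread or of the Squid project. It assumes Squid listens on 192.168.9.195:3128 (the address from the thread) and that the file is served as wpad.dat by a web server that WPAD discovery (DHCP option 252 or the "wpad" hostname on the 9.x segment) points the browsers at. It uses plain string checks only, so the decision logic can be exercised outside a browser; the PAC helper functions (isInNet, dnsDomainIs and so on) are deliberately not used.

```javascript
// Added example: PAC script returning the Squid proxy for Internet traffic.
// Assumptions: Squid on 192.168.9.195:3128; laptops sit on 192.168.9.0/24.

var SQUID = "PROXY 192.168.9.195:3128";
var DIRECT = "DIRECT";

// Targets that should not go through Squid: loopback, dot-less intranet
// names, and anything on the wireless segment itself (e.g. the D-Link
// admin page). Everything else is the Internet and must use the proxy.
function isLocalTarget(host) {
  var h = String(host).toLowerCase();
  if (h === "localhost" || h === "127.0.0.1") return true;
  if (h.indexOf(".") === -1) return true;          // plain intranet hostname
  if (h.indexOf("192.168.9.") === 0) return true;  // wireless segment
  return false;
}

// Standard PAC entry point called by the browser for every request.
// Returning the proxy string for https URLs makes the browser issue
// CONNECT to Squid, which the SSL_ports ACL in squid.conf permits on 443.
function FindProxyForURL(url, host) {
  if (isLocalTarget(host)) return DIRECT;
  return SQUID;
}
```

With no NAT on the XP box, a laptop that ignores the PAC file simply has no path to the Internet, which is the captive-portal behaviour Amos describes; the ERR_AGENT_* error pages are what a mis-configured browser would see if it reached Squid on the wrong port.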