
Conflicts with squid in transparent to Apache proxy and OpenVPN


 



Dear all,

I have the following network configuration:

OpenVPN client -> Squid Proxy in transparent mode -> Internet -> APACHE
Proxy 80 -> OpenVPN 127.0.0.1:1194

When the OpenVPN client tries to send a CONNECT 127.0.0.1:1194 to the
Apache proxy, the Squid proxy in the LAN (in transparent mode) intercepts the
request and rejects the connection.

Which kind of ACL can I set in order to make Squid allow this
connection?

OpenVPN events when connecting to the remote Apache proxy.
-----------------------------------------------------------

Tue Sep 13 10:08:21 2011 TCP connection established with
[AF_INET]1xx.1xx.2xx.2xx:80
Tue Sep 13 10:08:21 2011 Send to HTTP proxy: 'CONNECT 127.0.0.1:1194
HTTP/1.0'
Tue Sep 13 10:08:22 2011 HTTP proxy returned: 'HTTP/1.0 403 Forbidden'
Tue Sep 13 10:08:22 2011 HTTP proxy returned bad status
Tue Sep 13 10:08:22 2011 TCP/UDP: Closing socket


Squid proxy event
-----------------------------------------------------------

192.168.1.157 - - [13/Sep/2011:10:08:27 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:34 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:41 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:48 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:08:55 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:02 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:09 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:16 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:23 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE
192.168.1.157 - - [13/Sep/2011:10:09:30 +0200] "CONNECT 127.0.0.1:1194
HTTP/1.0" 403 12459 TCP_DENIED:NONE

Squid.conf

# --- Base ACLs and global tunables. Whether an ACL actually gates anything
# --- depends only on the order of the http_access lines further down.
acl localhost src 127.0.0.1/32
# to_localhost (destination = Squid's own loopback) only protects anything if
# an "http_access deny to_localhost" is evaluated before an allow that
# matches the client; see the placement in the RULES section below.
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
# NOTE(review): no "auth_param basic program" and no proxy_auth ACL appear in
# this listing, so these three authentication TTLs look inert unless the
# helper is configured elsewhere -- confirm.
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
memory_pools off
# Per the squid.conf documentation, min and max both 0 KB means a server
# fetch is always aborted as soon as the client aborts (nothing is completed
# "for the cache").
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- UfdbGuard
# --- ufdbGuard URL-filter helper. Which clients are actually passed to it is
# --- decided by the url_rewrite_access lines in the RULES section.
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
# Up to 20 helper children, 5 started at boot, at least 1 kept idle.
# concurrency=0 disables the concurrent-helper protocol, i.e. one request in
# flight per child.
url_rewrite_children 20 startup=5 idle=1 concurrency=0

#--------- SQUID PARENTS (feature not enabled)

#--------- acls
# --- Content, method and network ACLs. The file-based ACLs load from
# --- /etc/squid3/; Squid will refuse to start if a listed file is missing.
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
# multimedia_rep and multimedia_browsers are defined but not referenced by
# any http_access / adaptation_access line in this listing (Squid logs a
# warning for unused ACLs but otherwise ignores them).
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^.*player
# bigfiles_types is likewise unused here. The regex is shown wrapped over two
# lines by the mail archive; in the real file it must be a single line, since
# a line break inside the pattern would change (or break) what it matches.
acl bigfiles_types urlpath_regex -i \.(deb|rpm|iso|tar\.gz|gz|bz|tar|
cue|nrg|crf|bwi|bwt|lcd|ccd|mdf|mds|vcd|cif|vdi|img)((\?|&).*)?$
# The LAN. 192.168.1.157 in the access log above falls in this range, so the
# "http_access allow office_network" line below is what normally admits it.
acl office_network src 192.168.1.0/24


#--------- MAIN RULES...
# --- Port and destination ACLs for the RULES section. Order among the acl
# --- lines themselves is irrelevant; only http_access order is.
always_direct allow FTP
# --------- SAFE ports
# Safe_ports bounds which destination ports plain (non-CONNECT) requests may
# use; CONNECT is bounded separately by SSL_ports below.
acl Safe_ports port 80	#http
# Unusual: allows proxied HTTP requests towards ssh ports.
acl Safe_ports port 22	#ssh
acl Safe_ports port 443 563	#https, snews
acl Safe_ports port 1863	#msn
acl Safe_ports port 70	#gopher
acl Safe_ports port 210	#wais
# Because of this range, port 1194 counts as "safe" and is NOT what rejects
# the CONNECT 127.0.0.1:1194 in the log above.
acl Safe_ports port 1025-65535	#unregistered ports
acl Safe_ports port 280	#http-mgmt
acl Safe_ports port 488	#gss-http
acl Safe_ports port 591	#filemaker
acl Safe_ports port 777	#multiling http
acl Safe_ports port 631	#cups
acl Safe_ports port 873	#rsync
acl Safe_ports port 901	#SWAT
acl Safe_ports port 20	#ftp-data
acl Safe_ports port 21	#ftp#
# SSL_ports is consulted by "http_access deny CONNECT !SSL_ports". It lists
# 9000, 443, 563 and 6667 only, so a CONNECT to port 1194 (the OpenVPN case
# in the logs above) is rejected by that rule.
acl SSL_ports port 9000	#Artica
acl SSL_ports port 443	#HTTPS
acl SSL_ports port 563	#https, snews
acl SSL_ports port 6667	#tchat
# NOTE(review): the closing double quote of this path is missing (possibly
# lost to line wrapping in the archive); Squid expects the quoted path on
# the same line as the acl keyword. Also, arp ACLs identify a host by the MAC
# seen in Squid's ARP table, which only works for clients on Squid's own
# Ethernet segment.
acl whitelisted_mac_computers arp
"/etc/squid3/whitelisted-computers-by-mac.acl

# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
# Wrapped by the archive; a single line in the real file.
acl AIM_hosts dstdomain login.oscar.aol.com
login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT

# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain  irc.freenode.net
acl IRC_methods method CONNECT

# Permit Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT

# Permit Google Talk
# Note 443 is included and GTALK_domains is all of .google.com, so CONNECT
# to any google.com host on these ports is admitted by the GTALK rule below,
# ahead of the Safe_ports/SSL_ports checks.
acl GTALK_ports port 5222 5050 443
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT

# Permit MSN
acl MSN_ports port 1863 443 1503
# Wrapped by the archive; "acl MSN_domains dstdomain ..." is one line.
acl MSN_domains
dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_methods method CONNECT

# Reply Content-Type ACL used by adaptation_access below. Wrapped by the
# archive; the regex is a single line in the real file.
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video
\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|
application\/ogg)$



# ---------  RULES DEFINITIONS
# --- Access rules. Squid evaluates each *_access list top-down and stops at
# --- the first matching line, so the position of every line IS the policy.
url_rewrite_access deny localhost
# MAC-whitelisted hosts are never sent to the ufdbGuard filter...
url_rewrite_access deny whitelisted_mac_computers
url_rewrite_access allow all
# ...and are admitted here before any port, method or blocklist check, so
# none of the Safe_ports / SSL_ports / blockedsites rules below apply to them.
http_access allow whitelisted_mac_computers
# Messenger exceptions: CONNECT to these ports/destinations is allowed ahead
# of the generic "deny CONNECT !SSL_ports".
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow  GTALK_ports GTALK_hosts GTALK_methods

				http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods

http_access deny !Safe_ports
# This is the line that produces the "CONNECT 127.0.0.1:1194 ... 403
# TCP_DENIED:NONE" entries above: 1194 is not in SSL_ports. Simply adding
# 1194 to SSL_ports would let the request through, but note what Squid would
# then do: it opens a tunnel to the host:port named in the CONNECT line,
# which here is 127.0.0.1:1194 -- Squid's own loopback, not the remote Apache
# proxy -- i.e. exactly the destination to_localhost exists to refuse.
# NOTE(review): presumably the intended fix is to exempt the Apache proxy's
# address/port 80 from the interception redirect so the OpenVPN session is
# never handed to Squid; confirm against the firewall rules, which are not
# in this listing.
http_access deny CONNECT !SSL_ports
http_access allow localhost
# Already covered by "allow localhost" just above. There is no
# "http_access deny manager" afterwards, so "allow office_network" below also
# grants every LAN host the cache manager (cache_object) interface; the stock
# squid.conf pairs "allow manager localhost" with "deny manager".
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow office_network
# NOTE(review): unreachable for LAN clients -- every office_network request
# has already matched the allow above, so tunnels to Squid's loopback from
# the LAN are not refused here. For to_localhost to take effect it has to
# precede "allow office_network", as in the stock template.
http_access deny to_localhost
http_access deny all
# --------- ICAP Services.(1 service(s))


# --------- icap_service KASPERSKY mode 3.1.1

# --- Kaspersky ICAP antivirus: one response-side and one request-side
# --- service, both on 192.168.1.136:1344. Each icap_service line is wrapped
# --- by the archive; the icap:// URL belongs on the same line.
# bypass=on makes the service optional: if the AV server is unreachable or
# returns an error, Squid passes the message through unscanned.
icap_service	is_kav_resp respmod_precache routing=on bypass=on
icap://192.168.1.136:1344/av/respmod
icap_service	is_kav_req reqmod_precache routing=on bypass=on
icap://192.168.1.136:1344/av/reqmod


# --------- adaptation For Kaspersky Antivirus

adaptation_service_set class_antivirus_kav_resp is_kav_resp
adaptation_service_set class_antivirus_kav_req is_kav_req
# NOTE(review): MULTIMEDIA is a rep_mime_type (reply Content-Type) ACL, but
# this is the reqmod set, evaluated before any reply exists -- the deny
# probably never matches here, and the multimedia exemption was likely meant
# for the _resp set. Confirm which side should skip scanning.
adaptation_access class_antivirus_kav_req deny MULTIMEDIA
adaptation_access class_antivirus_kav_req allow all
adaptation_access class_antivirus_kav_resp allow all


icap_enable on
icap_preview_size 128
# A negative value presumably disables the failure limit, so the service is
# never marked down; combined with bypass=on above the net behaviour is
# fail-open scanning (errors are skipped rather than blocking traffic).
icap_service_failure_limit -1
icap_preview_enable on
# Client IP and (when authenticated) username are forwarded to the ICAP
# server; the username goes in the header named below.
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on




# --------- ident_lookup_access
# --- Peer hierarchy, hostname, timeouts, object-size limits, listening port.
# (The original header above says ident_lookup_access, but the directive is
# hierarchy_stoplist: cgi-bin and query URLs are never fetched via peers.)
hierarchy_stoplist cgi-bin ?

# --------- General settings 
visible_hostname proxy-maison.touzeau.com
ignore_expect_100 off


# --------- time-out 
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
# 1600 s (~27 min) for connect and pconn is far above Squid's defaults (the
# default connect_timeout is 1 minute); a stalled connect or an idle server
# connection is held that long -- verify this is intended.
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds


maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 2 MB


#http/https ports
# "transparent" is the older spelling of "intercept" (Squid 3.1 accepts
# both): this port receives TCP streams redirected by the firewall and
# rebuilds the request from them. The same port also accepts ordinary
# forward-proxy requests from anyone who can reach it; restricting that is a
# firewall matter, not covered in this listing.
http_port 3128 transparent


# --------- SSL Rules 

# --------- Caches 
# --- Process identity, memory/disk cache thresholds, DNS caches.
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 512 MB
# NOTE(review): the swap watermarks are inverted -- low (95) is above high
# (90). Squid expects cache_swap_low < cache_swap_high (defaults 90 / 95):
# eviction starts at the high mark and stops at the low one, so the two
# numbers should be swapped.
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches 
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200


# --------- SPECIFIC DNS SERVERS 
# Squid resolves via the LAN gateway only (no /etc/resolv.conf fallback).
dns_nameservers 192.168.1.1

#--------- FTP specific parameters
# --- FTP gateway behaviour: passive mode with EPSV (EPSV not forced for
# --- IPv4), server-side sanity checks on, no telnet-style CR/LF handling.
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_epsv on
ftp_epsv_all off
ftp_telnet_protocol off

# --- Logging level, freshness rules, ICP port. refresh_pattern lines are
# --- matched top-down, first match wins. Several patterns are shown wrapped
# --- over two lines by the archive; each is one line in the real file.
debug_options ALL,1
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
# ignore-no-store / ignore-private on the image, media and archive patterns
# override the origin's Cache-Control: no-store / private. Squid's own
# documentation notes this violates HTTP: a response generated for one user
# (e.g. a personalised image or document) can be stored and served to other
# LAN clients. Worth confirming that is an accepted trade-off here.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$  10080    90%     43200
override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$  0    90%
260009  override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|
bz2|gz)$  0    90%     260009  override-expire ignore-no-cache
ignore-no-store ignore-private
refresh_pattern -i \.(html|htm|css|js|xml)$  1440    40%     40320  
# Vendor update mirrors: long-lived, revalidated with If-Modified-Since.
refresh_pattern -i \.kaspersky-labs\.com/.*\.(diff|exe|klz|zip)$  1440
100%     28800  reload-into-ims ignore-no-cache
refresh_pattern -i \.avast\.com/.*\.(exe|vpu)$  1440    100%     28800
reload-into-ims ignore-no-cache
refresh_pattern -i \.avira-update\.com/.*\.gz$  1440    100%     28800
reload-into-ims ignore-no-cache
refresh_pattern -i global-download\.acer\.com/.*/Driver/.*zip  1440
100%     260009  reload-into-ims ignore-no-cache
refresh_pattern -i \.windowsupdate\.com/.*\.(cab|exe|dll|msi|psf)  0
80%     43200  reload-into-ims ignore-no-cache
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/  1440    80%
20160  reload-into-ims
refresh_pattern http://.*\.update\.microsoft\.com/  1440    80%
20160   reload-into-ims
refresh_pattern http://download\.microsoft\.com/  1440    80%     20160
reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/  1440    80%
20160   reload-into-ims
refresh_pattern http://office\.microsoft\.com/  1440    80%     20160
reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/  1440    80%
20160   reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/  1440    80%
20160   reload-into-ims
refresh_pattern http://.*\.archive\.ubuntu\.com/  1440    80%     20160
reload-into-ims
refresh_pattern -i \.microsoft\.com/.*\.(cab|exe|dll|msi)  10080    100%
43200  reload-into-ims ignore-no-cache
refresh_pattern -i ^http://.*\.gmail.*/.*  720    100%     4320  
refresh_pattern -i ^http://.*\.googlesyndication.*/.*  1440    100%
4320  
refresh_pattern -i ^http://notify.*dropbox\.com  1440    100%     2880
reload-into-ims ignore-no-cache
refresh_pattern -i ^http://safebrowsing-cache\.google\.com/.*  1440
100%     2880  reload-into-ims ignore-no-cache
refresh_pattern -i ^http://.*gmodules\.com/.*  1440    100%     2880
reload-into-ims ignore-no-cache
refresh_pattern -i ^http://.*google\..*/.*  2880    100%     4320  
refresh_pattern -i ^http://.*\.ubuntu\..*/.*  2880    100%     4320  
# Catch-all: "." matches every remaining URL, so the two lines after it are
# never reached. The second "." line is dead, and the cgi/query rule below it
# (which also spells "cg-bin", presumably meant to be "cgi-bin") would have
# to be moved above this line to have any effect.
refresh_pattern .  0    100%     43200 reload-into-ims override-lastmod
refresh_pattern .		   0	20%	4320
refresh_pattern -i (/cg-bin/|\?) 0 0% 0
# NOTE(review): no icp_access line appears in this listing; confirm whether
# any peer is meant to query this port at all.
icp_port 3130


#Logs-------------------------------------------------
#fqdn is disabled For sarg.
# --- Log files and on-disk cache directories.
log_fqdn off
# NOTE(review): this path differs from the cache_dir locations below; confirm
# it exists and is writable by the squid user, otherwise core dumps are lost.
coredump_dir	/var/squid/cache
cache_store_log	/var/log/squid/store.log
cache_log	/var/log/squid/cache.log
pid_filename	/var/run/squid.pid
# Cache-manager requests are not logged at all; the remaining traffic is
# written twice, once in common format and once in native squid format (for
# sarg, per the comment above).
access_log	none manager
access_log /var/log/squid/access.log common
access_log /var/log/squid/sarg.log squid

# Sizes are in MB: 2000 + 20000 + 8000 = 30 GB across three ufs stores.
cache_dir	ufs /var/cache/squid 2000 16 256
# --------- OTHER CACHES
cache_dir ufs /home/squid-cache/cache3 20000 16 256
cache_dir ufs /home/squid-cache/cache2 8000 16 256









