Search squid archive

Re: Squid 3.2, reverse proxy, deny_info http/https redirect problems.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Oh, I've found another situation that seems potentially related --
when I use a SSH tunnel to the proxy (port 3128) from a computer
outside my network, and try to use it as my browser proxy, it hangs on
everything, completely refusing to send any web traffic my way. 3.1
didn't have this problem -- I was able to use the proxy through a SSH
tunnel just fine... When I switched to 3.2, it ended up breaking it.


"I'm not responcabel fer my comuter's spleling errnors" - Xlorep DarkHelm
Website: http://darkhelm.org



On Thu, Mar 22, 2012 at 8:30 AM, Cliff Hill <chill@xxxxxxxxxxxx> wrote:
> Yes, my config used to have the "vhost" defined in it, however with
> 3.2, I found out it wasn't needed any more, so I cleared it up, in an
> effort to figure out what is going on.
>
>
> I guess I need to show the whole config. I'll also note I am using it
> as a reverse proxy, as well as a transparent proxy for my local
> network's access to the internet, with caching. I have it using
> squidGuard for some things, and I used to tie in squidclamav as an
> icap service, however it caused a massive performance hit on page
> loading times, so I disabled it, but still have some configuration
> directives in place that are for icap.
>
> I will gladly admit that I'm not extremely proficient in how the
> config file should work, I'm mostly just scouring through the
> squid-cache wiki, and anything I can Google to figure out what I need.
> However, there is very little I'm finding with regards to my current
> problem.
>
> Here's my config file in its entirety:
> ---------------------------------------------------------------------------------------------------------------
>
> #       SQUID 3.2.0.16
> #       --------------
>
> http_port 80 accel defaultsite=darkhelm.org
>
> https_port 443 cert=/home/darkhelm/keys/CertAuth/maincert.cert
> key=/home/darkhelm/keys/CertAuth/mainkey.pem accel
> defaultsite=darkhelm.org
>
> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>
> # Security ACL, force username/password login. See music below.
> auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl ncsa_users proxy_auth REQUIRED
>
> cache_peer 10.18.75.1 parent 80 0 no-query originserver login=PASS name=xlorep
> acl sites_xlorep url_regex ^https://xlorep\.darkhelm\.org
> cache_peer_access xlorep allow sites_xlorep
> http_access allow sites_xlorep
> acl http_xlorep url_regex ^http://xlorep\.darkhelm\.org
> http_access deny http_xlorep
> deny_info https://xlorep.darkhelm.org http_xlorep
>
> #8022 8081
> cache_peer 127.0.0.1 parent 8022 0 no-query originserver login=PASS name=shell
> acl sites_shell url_regex ^https://shell\.darkhelm\.org
> cache_peer_access shell allow sites_shell
> http_access allow sites_shell
> acl http_shell url_regex ^http://shell\.darkhelm\.org
> http_access deny http_shell
> deny_info https://shell.darkhelm.org http_shell
>
> cache_peer 10.18.75.4 parent 8000 0 no-query originserver login=PASS name=music
> acl sites_music url_regex ^https://music\.darkhelm\.org
> cache_peer_access music allow sites_music ncsa_users
> http_access allow sites_music ncsa_users
> acl http_music url_regex ^http://music\.darkhelm\.org
> http_access deny http_music
> deny_info https://music.darkhelm.org http_music
>
> cache_peer 10.18.75.4 parent 8080 0 no-query originserver login=PASS name=mplay
> acl sites_mplay url_regex ^https://mplay\.darkhelm\.org
> cache_peer_access mplay allow sites_mplay ncsa_users
> http_access allow sites_mplay ncsa_users
> acl http_mplay url_regex ^http://mplay\.darkhelm\.org
> http_access deny http_mplay
> deny_info https://mplay.darkhelm.org/ http_mplay
>
> cache_peer 10.18.75.4 parent 4711 0 no-query originserver login=PASS name=amw
> acl sites_amw url_regex ^https://amw\.darkhelm\.org
> cache_peer_access amw allow sites_amw
> http_access allow sites_amw
> acl http_amw url_regex ^http://amw\.darkhelm\.org
> http_access deny http_amw
> deny_info https://amw.darkhelm.org http_amw
>
> cache_peer 10.18.75.4 parent 9091 0 no-query originserver login=PASS name=bt
> acl sites_bt url_regex ^https://bt\.darkhelm\.org
> cache_peer_access bt allow sites_bt
> http_access allow sites_bt
> acl http_bt url_regex ^http://bt\.darkhelm\.org
> http_access deny http_bt
> deny_info https://bt.darkhelm.org http_bt
>
> # Recommended minimum configuration:
> #
> #acl manager proto cache_object
> #acl localhost src 127.0.0.0/8 ::1
> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.18.75.0/24 10.2.18.0/24
> #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
> #acl localnet src fc00::/7       # RFC 4193 local private network range
> #acl localnet src fe80::/10      # RFC 4291 link-local (directly
> plugged) machines
>
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128 intercept
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> cache_mem 64 MB
> cache_replacement_policy heap LRU
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir diskd /var/spool/squid3 4096 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid3
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> cache_effective_group proxy
> icap_enable on
> icap_preview_enable on
> icap_preview_size 1024
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_client_username_encode off
> icap_service service_req reqmod_precache bypass=1
> icap://127.0.0.1:1344/squidclamav
> icap_service service_resp respmod_precache bypass=1
> icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> adaptation_access service_resp allow all
>
> ---------------------------------------------------------------------------------------------------------------
>
> "I'm not responcabel fer my comuter's spleling errnors" - Xlorep DarkHelm
> Website: http://darkhelm.org
>
>
>
> On Wed, Mar 21, 2012 at 5:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 22.03.2012 12:20, Cliff Hill wrote:
>>
>> NOTE: both of these regex should never have matched in 3.1. defaultsite
>> explicitly forces the URI to be "http://darkhelm.org/..."; unless you the
>> vhost option is enabled. It is disabled by default on 3.1 and older.
>>  3.2 uses HTTP/1.1 where vhost is enabled by default. So the regex ACL might
>> start operating now as you seem to have intended them to.
>>
>>
>>
>>> However whenever I try to go there with a web browser, it just hangs,
>>> and never actually gets redirected.
>>>
>>> Right now, I just want it to simply redirect http:// to https:// for
>>> my cache_peers. Can anyone help me?
>>
>>
>> With the above config...
>>
>> . The client sends traffic to Squid via port 80. Meaning client<->squid
>> traffic is plain HTTP.
>>
>> .. Your access control and deny_info bounces the client to an "https://";
>> URI.
>>
>> ... The client should then dutifully connect to port 443 (HTTPS).
>>
>> What happens then? your displayed config does not show.
>>
>>
>> Amos



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux