On 1/05/2012 1:36 a.m., Nick Howitt wrote:
> Hi,
> I am new to squid and I am trying to run it on my ClearOS 5.2 gateway
> where it is supplied as a pre-configured package. However, whenever I
> try to start it I lose all internet access. I would like to run it in
> transparent mode which is a menu option I have for it.
> My cache.log reads:
> 2012/04/25 12:51:06| Starting Squid Cache version 2.6.STABLE21 for
> i686-redhat-linux-gnu...
> <snip>
> 2012/04/25 12:51:06| Accepting proxy HTTP connections at 0.0.0.0, port
> 3128, FD 13.
So squid is configured to listen on a wildcard port (*:3128) which binds
to every IP address the box has using a single open+listen operation.
This is successful.
Then Squid is *also* instructed to bind particular IP:port combinations ...
> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
> 192.168.3.1:3128: (98) Address already in use
... oops, *:3128 is already open ...
> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
> 192.168.2.1:3128: (98) Address already in use
... oops, *:3128 is already open ...
> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
> 127.0.0.1:3128: (98) Address already in use
... oops, *:3128 is already open ...
> At this point I lose internet access, and it does not change when I
> switch it to transparent mode. I am not aware of anything else running
> on port 3128 and netstat -an -t | grep 3128 shows nothing.
You configured Squid to open port 3128 four times. Only the first
attempt succeeds, the others clash with it.
Squid is operating with the wildcard port open for all traffic. BUT,
intercepted traffic cannot be received by the regular forward-proxy port
3128. Your requests passed to any IP and port 3128 are rejected as
malformed client->proxy requests (true, because they are client->origin
format requests).
> If it helps at all, this is my squid.conf:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.0/8
> acl webconfig_lan src 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
> acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow webconfig_to_lan
The above "allow webconfig_to_lan" rule opens your proxy to 4 out of the
5 most common proxy attacks
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls
Oops.
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
Move your global allow rule down to here below the basic security
protections.
And consider carefully why you need it in the first place. There are no
accel mode ports configured. For an interception proxy you should be
able to depend on the src type ACL to operate correctly or you have
configured the interception rules wrong.
> http_access allow localhost
> http_access allow webconfig_lan
> http_access deny all
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> coredump_dir /var/spool/squid
> error_directory /etc/squid/errors
> follow_x_forwarded_for allow localhost
> http_port 192.168.3.1:3128 transparent
> http_port 192.168.2.1:3128 transparent
> http_port 127.0.0.1:3128 transparent
> Can anyone help me, please?
Please follow the advice in
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat#iptables_configuration
Additionally, why do you have three interception ports, and why is
127.0.0.1 involved?
Amos
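The two problems Amos points out in the reply above (a wildcard http_port that makes every later IP:3128 bind fail with "Address already in use", and an http_access allow rule sitting above the Safe_ports / CONNECT deny lines, where Squid's first-match evaluation lets it win) can both be caught by reading squid.conf before starting the daemon. The following linter is an added example written for this thread; it is not Amos's code and not part of Squid. It simulates bind order for http_port lines and flags allow rules placed above the port protections. The choice to skip "allow manager ..." rules is an assumption in the example (the stock squid.conf puts cache-manager access there deliberately), and the 3129 interception port in the constructed "fixed" sample is an assumption as well, not something the thread specifies.

```python
"""Lint a squid.conf for the two problems discussed in the thread.

1. http_port clashes: once "http_port 3128" (wildcard bind) succeeds, later
   lines such as "http_port 192.168.3.1:3128 transparent" fail with
   "(98) Address already in use", exactly as the posted cache.log shows.
2. http_access ordering: Squid stops at the first matching http_access line,
   so an "allow" rule above "deny !Safe_ports" / "deny CONNECT !SSL_ports"
   grants access before those protections are ever consulted.
"""

WILDCARD = "0.0.0.0"


def parse_conf(text):
    """Return (directive, args) pairs for non-empty, non-comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing "# http" style comments
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def split_port_spec(spec):
    """'192.168.3.1:3128' -> ('192.168.3.1', '3128'); bare '3128' is a wildcard bind."""
    if ":" in spec:
        host, port = spec.rsplit(":", 1)
        return host, port
    return WILDCARD, spec


def port_clashes(entries):
    """Replay http_port lines in file order and return those that would fail
    to bind: same IP:port twice, anything after a wildcard on that port, or a
    wildcard after a specific IP on that port."""
    bound = {}  # port -> set of addresses already listening on it
    failed = []
    for directive, args in entries:
        if directive != "http_port" or not args:
            continue
        host, port = split_port_spec(args[0])
        taken = bound.setdefault(port, set())
        if WILDCARD in taken or host in taken or (host == WILDCARD and taken):
            failed.append(" ".join(args))
        else:
            taken.add(host)
    return failed


def early_allows(entries):
    """Return http_access allow rules that appear above the port-protection
    deny lines. Rules naming the 'manager' ACL are skipped (assumption: the
    stock squid.conf places cache-manager access there on purpose)."""
    rules = [args for directive, args in entries if directive == "http_access"]

    def first_index(pred):
        return next((i for i, r in enumerate(rules) if pred(r)), len(rules))

    safe_idx = first_index(lambda r: r[:2] == ["deny", "!Safe_ports"])
    connect_idx = first_index(lambda r: r[:3] == ["deny", "CONNECT", "!SSL_ports"])
    # Everything before the later of the two deny lines is unprotected;
    # if neither line exists, every allow rule is reported.
    protected_from = max(safe_idx, connect_idx)
    return [" ".join(r) for r in rules[:protected_from]
            if r and r[0] == "allow" and "manager" not in r]


def lint(text):
    entries = parse_conf(text)
    return {"port_clashes": port_clashes(entries), "early_allows": early_allows(entries)}


# Constructed sample: the relevant subset of the squid.conf posted in the thread.
POSTED_CONF = """
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl webconfig_lan src 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow webconfig_to_lan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow webconfig_lan
http_access deny all
http_port 3128
http_port 192.168.3.1:3128 transparent
http_port 192.168.2.1:3128 transparent
http_port 127.0.0.1:3128 transparent
"""

# Constructed "fixed" sample: allow rule moved below the protections, one
# forward-proxy port, and a single interception port on a separate port
# number (3129 is an assumption for the example, not from the thread).
FIXED_CONF = POSTED_CONF.replace(
    "http_access allow webconfig_to_lan\n", ""
).replace(
    "http_access deny CONNECT !SSL_ports\n",
    "http_access deny CONNECT !SSL_ports\nhttp_access allow webconfig_to_lan\n",
).split("http_port 3128")[0] + "http_port 3128\nhttp_port 192.168.2.1:3129 transparent\n"


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf))
```

Running it on the posted configuration reports the three transparent ports as bind failures (matching the three commBind errors in the log) and "allow webconfig_to_lan" as the one allow rule placed above the protections; the fixed sample reports nothing.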