The squid.conf is driven by the GUI front end provided in ClearOS 5.2.
The only options there are:
Configuration:
Maximum Cache Size - set to 100MB
Minimum Size Object - set to 4MB
Maximum Download File Size - set to unlimited
Web Proxy Mode:
Transparent mode - set to enabled
Banner and Pop-Up filter - set to disabled
User Authentication - set to disabled
The rest of the configuration is as provided by ClearOS.
Following what you've said, I've removed the line "http_port 3128"
because the other three http_port lines are written to dynamically by
the ClearOS init script. This allows the proxy to start. And it is
working. Thanks.
I've put some comments in line as well and I'll contact the ClearOS devs
about the security issue.
Thanks,
Nick
On 01/05/2012 06:51, Amos Jeffries wrote:
On 1/05/2012 1:36 a.m., Nick Howitt wrote:
Hi,
I am new to squid and I am trying to run it on my ClearOS 5.2 gateway
where it is supplied as a pre-configured package. However, whenever I
try to start it I lose all internet access. I would like to run it in
transparent mode which is a menu option I have for it.
My cache.log reads:
2012/04/25 12:51:06| Starting Squid Cache version 2.6.STABLE21 for i686-redhat-linux-gnu...
<snip>
2012/04/25 12:51:06| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 13.
So squid is configured to listen on a wildcard port (*:3128) which
binds to every IP address the box has using a single open+listen
operation. This is successful.
Then Squid is *also* instructed to bind particular IP:port
combinations ...
2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to 192.168.3.1:3128: (98) Address already in use
... oops, *:3128 is already open ...
2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to 192.168.2.1:3128: (98) Address already in use
... oops, *:3128 is already open ...
2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to 127.0.0.1:3128: (98) Address already in use
... oops, *:3128 is already open ...
At this point I lose Internet access, and it does not change when I
switch it to transparent mode. I am not aware of anything else
running on port 3128, and netstat -an -t | grep 3128 shows nothing.
You configured Squid to open port 3128 four times. Only the first
attempt succeeds, the others clash with it.
Squid is operating with the wildcard port open for all traffic. BUT,
intercepted traffic cannot be received by the regular forward-proxy
port 3128. Your requests passed to any IP and port 3128 are rejected
as malformed client->proxy requests (true, because they are
client->origin format requests).
If it helps at all, this is my squid.conf:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl webconfig_lan src 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow webconfig_to_lan
The above "allow webconfig_to_lan" rule opens your proxy to 4 out of
the 5 most common proxy attacks
http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls
Oops.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Move your global allow rule down to here below the basic security
protections.
And consider carefully why you need it in the first place. There are
no accel mode ports configured. For an interception proxy you should
be able to depend on the src type ACL to operate correctly or you have
configured the interception rules wrong.
I'll ping the devs on this one as I don't like security issues and this
will be the same on all ClearOS implementations.
http_access allow localhost
http_access allow webconfig_lan
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
error_directory /etc/squid/errors
follow_x_forwarded_for allow localhost
http_port 192.168.3.1:3128 transparent
http_port 192.168.2.1:3128 transparent
http_port 127.0.0.1:3128 transparent
Can anyone help me, please?
Please follow the advice in
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat#iptables_configuration
The ClearOS iptables rules are pretty similar and I believe they do the
same.
Additionally, why do you have three interception ports? And why is
127.0.0.1 involved?
I have two LANs, so I can understand the two interception addresses. I'll
ping the devs about 127.0.0.1.
Amos
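An added example, not part of the thread and not ClearOS or Squid code: a small Python audit that parses a constructed, trimmed excerpt of the squid.conf quoted above and reports the two problems Amos raises, the four binds of port 3128 of which only the first can succeed, and the dst-only "allow webconfig_to_lan" rule that runs before the Safe_ports / SSL_ports guards. The function names and the excerpt are my own.

```python
# Constructed, trimmed excerpt of the squid.conf quoted in the thread (not the full file).
SAMPLE_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
http_access allow manager localhost
http_access deny manager
http_access allow webconfig_to_lan
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
http_port 192.168.3.1:3128 transparent
http_port 192.168.2.1:3128 transparent
http_port 127.0.0.1:3128 transparent
"""

def parse(conf):
    """Return (acl name -> acl type, [(action, [acl, ...])], [http_port address spec])."""
    acl_types, access, ports = {}, [], []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(words) >= 3 and words[0] == "acl":
            acl_types[words[1]] = words[2]
        elif len(words) >= 3 and words[0] == "http_access":
            access.append((words[1], words[2:]))
        elif len(words) >= 2 and words[0] == "http_port":
            ports.append(words[1])
    return acl_types, access, ports

def port_conflicts(ports):
    """Squid binds in config order and a wildcard *:N cannot share N with an IP:N
    bind, so only the first spec on N succeeds and the rest get 'Address already
    in use'. Returns [(port, winner, [losers])] for each affected port."""
    by_port = {}
    for spec in ports:
        host, _, port = spec.rpartition(":")  # "3128" -> host "" -> wildcard
        by_port.setdefault(port, []).append(host or "*")
    return [(p, h[0], h[1:]) for p, h in by_port.items() if "*" in h and len(h) > 1]

def early_allows(acl_types, access):
    """Allow rules placed before the 'deny !Safe_ports' / 'deny CONNECT !SSL_ports'
    guards that match on no src ACL: a dst-only allow admits any client first."""
    guard = max((i for i, (act, acls) in enumerate(access) if act == "deny"
                 and {a.lstrip("!") for a in acls} & {"Safe_ports", "SSL_ports"}), default=-1)
    return [(i, acls) for i, (act, acls) in enumerate(access[:guard + 1])
            if act == "allow" and not any(acl_types.get(a.lstrip("!")) == "src" for a in acls)]
```

Dropping the bare "http_port 3128" line and moving the webconfig_to_lan allow below the two guards makes both functions return empty lists.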