When you use havp and squid on the same server, you don't need iptables. With

cache_peer localhost parent 8899 0 no-query no-digest

squid uses a parent proxy (havp).

http://www.server-side.de/ideas.htm

Take a look here:
http://www.christianschenk.org/blog/using-a-parent-proxy-with-squid/

-----Original Message-----
From: Andreas Westvik [mailto:andreas@xxxxxxx]
Sent: Thursday, 14 February 2013 16:29
To: Fuhrmann, Marcel
Subject: Re: Securing squid3

Thanks for the answers!

Went from:
tcp 0 0 *:3128 *:* LISTEN
to this:
tcp 0 0 192.168.0.1:3128 *:* LISTEN

Very good.

Now about the havp stuff you mention, I really did not understand.

> cache_peer localhost parent 8899 0 no-query no-digest

How will this redirect traffic to 192.168.0.24?

I'm using this command to gather traffic and send it to 192.168.0.1:3128:

iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-port 3128

I have even tried without this command, and it's not working.

-Andreas

On Feb 14, 2013, at 16:00 , "Fuhrmann, Marcel" <Marcel.Fuhrmann@xxxxxx> wrote:

> Hi Andreas,
>
> take a look:
>
> 1.
> acl LAN 192.168.0.0/32
> ..
> ..
> http_access allow LAN
> http_access deny ALL
>
>
>
> 2. http_port SQUID-IP:3128
>
>
> 3. Example:
>
> squid.conf:
> cache_peer localhost parent 8899 0 no-query no-digest
>
> havp.conf:
> #Port
> PORT 8899
>
>
> --
> Marcel
>
>
> -----Original Message-----
> From: Andreas Westvik [mailto:andreas@xxxxxxx]
> Sent: Thursday, 14 February 2013 15:43
> To: squid-users
> Subject: Securing squid3
>
> Hi everybody
>
> I have been running squid3 on my Debian squeeze on/off for a few weeks now.
> And there are a few things I'm not sure of:
>
> 1. How can I be sure that I'm running it securely? I really only want squid3 to serve my local clients (192.168.0.0/32).
> 2. Can I bind squid3 to only listen on any device/IP?
> 3. Just for fun, I have set up havp on a different server. Is it possible to send my http traffic to that server first?
> (havp runs on 192.168.0.24) Then back to squid3?
>
> As of now, I need to configure my clients to connect to that havp server, then havp will send traffic back to squid. But I would like that to happen with some automatic iptables commands.
> I have tried several iptables setups, but nothing will make this work.
> I cannot for the life of me intercept the port 80 traffic, then
> redirect it to 192.168.0.24:3127
>
> Like this: Client -> Gw 192.168.0.1 -> havp 192.168.0.24:3127 -> squid3 192.168.0.1:3128 -> internets
>
> This is my setup:
>
> http_port 3128 transparent
> acl LAN src 192.168.0.0/32
> acl localnet src 127.0.0.1/255.255.255.255
> http_access allow LAN
> http_access allow localnet
> cache_dir ufs /var/spool/squid3 5000 16 256
>
> #Block
> acl ads dstdom_regex -i "/etc/squid3/squid.adservers"
> http_access deny ads
>
> eth3: 192.168.0.1 (non-DHCP environment)
> eth4: wan official ip (non-DHCP)
>
> -Andreas
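An added example, not part of the thread and not from the squid or havp projects: a small Python linter that checks a squid.conf for the points the thread turns on, with the weak setting and the corrected setting side by side. Two problems in the config as posted are worth spelling out. First, 192.168.0.0/32 is a single address (192.168.0.0), not a LAN; a /24 is the assumption here. Second, squid evaluates http_access lines in order and the first match wins, so "http_access deny ads" placed after "http_access allow LAN" can never apply to LAN clients. The hardened sample also assumes havp on 192.168.0.24:3127 as Andreas describes (that address and port are from the thread; the cache_peer line pointing at it is mine) and adds "never_direct allow all" so squid cannot fall back to fetching directly and bypass the scanner. Both configs are constructed for this example.

```python
"""Lint a squid.conf for listen binding, src ACL width, rule order and peer bypass."""
import ipaddress

# Constructed sample in the shape of the config posted in the thread (weak).
WEAK_CONF = """\
http_port 3128 transparent
acl LAN src 192.168.0.0/32
acl localnet src 127.0.0.1/255.255.255.255
http_access allow LAN
http_access allow localnet
cache_dir ufs /var/spool/squid3 5000 16 256
acl ads dstdom_regex -i "/etc/squid3/squid.adservers"
http_access deny ads
"""

# Constructed hardened version. Gateway 192.168.0.1 and havp 192.168.0.24:3127 are
# from the thread; the /24 LAN and the cache_peer/never_direct lines are assumptions.
HARDENED_CONF = """\
http_port 192.168.0.1:3128 transparent
acl LAN src 192.168.0.0/24
acl localnet src 127.0.0.1/32
acl ads dstdom_regex -i "/etc/squid3/squid.adservers"
http_access deny ads
http_access allow localnet
http_access allow LAN
http_access deny all
cache_peer 192.168.0.24 parent 3127 0 no-query no-digest
never_direct allow all
cache_dir ufs /var/spool/squid3 5000 16 256
"""


def parse(conf):
    """Yield (directive, args) for every non-empty, non-comment line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def lint(conf):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    src_acls = {}                      # acl name -> list of ip_network
    rules = []                         # http_access lines in order
    has_peer = has_never_direct = False

    for directive, args in parse(conf):
        if directive == "http_port" and args:
            host, sep, _port = args[0].rpartition(":")
            # No host part, or a wildcard host, means squid listens on every interface.
            if not sep or host.strip("[]") in ("", "0.0.0.0", "::"):
                findings.append(("PORT_ANY", "http_port %s listens on every interface; bind it to the LAN address" % args[0]))
        elif directive == "acl" and len(args) >= 3 and args[1] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in args[2:]]
            src_acls.setdefault(args[0], []).extend(nets)
            for net in nets:
                # A /32 (or 255.255.255.255 mask) covers one host; fine for loopback, wrong for a LAN.
                if net.num_addresses == 1 and not net.network_address.is_loopback:
                    findings.append(("SRC_HOST", "acl %s src %s matches a single host, not a LAN" % (args[0], net)))
        elif directive == "http_access" and len(args) >= 2:
            rules.append((args[0], args[1:]))
        elif directive == "cache_peer":
            has_peer = True
        elif directive == "never_direct" and args[:2] == ["allow", "all"]:
            has_never_direct = True

    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append(("NO_FINAL_DENY", "http_access list does not end with 'deny all'"))

    # First matching http_access line wins: a deny placed after an allow that
    # matches purely on client address is unreachable for those clients.
    first_src_allow = None
    for action, acls in rules:
        if action == "allow" and acls and all(a in src_acls for a in acls):
            first_src_allow = first_src_allow or acls
        elif action == "deny" and acls != ["all"] and first_src_allow:
            findings.append(("SHADOWED_DENY", "'deny %s' comes after 'allow %s' and never applies to those clients"
                             % (" ".join(acls), " ".join(first_src_allow))))

    if has_peer and not has_never_direct:
        findings.append(("PEER_BYPASS", "cache_peer set without 'never_direct allow all'; squid may fetch directly and bypass the scanner"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "clean")
```

Run it against a real squid.conf by reading the file into lint(); the checks are deliberately narrow and will not catch every misordering, so treat a clean result as "none of these four mistakes", not as a full audit.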