Hello Rob,

I use OpenBSD and squid 3.3.4 in a production environment; you'll find exactly what you need here:
http://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/#sthash.9SpWE1kn.dpbs

Have a nice day

--
Best regards,
Loïc BLOT, UNIX systems, security and network expert
http://www.unix-experience.fr

On Thursday, 30 May 2013 at 18:14 -0700, Rob Sheldon wrote:
> Hi,
>
> I'm a Squid newbie. I have an OpenBSD firewall running pf with multiple
> outbound interfaces doing some connection pooling. I'm trying to get
> Squid/SquidGuard up and running as a transparent proxy; I've been using
> this guide: http://www.kernel-panic.it/openbsd/proxy/proxy4.html
>
> I've run into a problem I don't understand and it's driving me bugnuts.
> Hoping somebody can help sort me out.
>
> If I set "http_port 3139", do no redirects in pf, and manually
> configure my browser to use the firewall LAN side on 3139 as a proxy,
> everything works just fine. If I change http_port to "3139 intercept",
> turn on rdr in pf for just my test IP address (only!), and turn off my
> browser's proxy config, I get "access denied" errors back from Squid,
> along with complaints about forwarding loops. There's no goofy proxy
> peering, no other redirects in pf ... I can't for the life of me figure
> out where the loop is happening.
>
> Here's the pf rule I'm using to activate the redirect for my test IP:
>
> pass in quick on $if_int proto tcp from 192.168.0.209 to any port www
> rdr-to 192.168.0.1 port 3139
>
> ...And here's my squid.conf, sans comments (I've stripped it down a bit
> trying to figure this out):
>
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl localnet src fc00::/7
> acl localnet src fe80::/10
>
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
>
> http_access allow all
>
> http_port 3128
> http_port 3139 intercept
>
> visible_hostname firewall.local
>
> ...When testing, I'll toggle "intercept" on or off on the second
> http_port config along with the rdr in pf.
>
> What I'm seeing when running "squid -d 1 -N" is e.g.,
>
> 2013/05/30 17:19:03| WARNING: Forwarding loop detected for:
> POST / HTTP/1.1
> Host: ocsp.verisign.com
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101
> Firefox/10.0.12 Iceweasel/10.0.12
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Length: 115
> Content-Type: application/ocsp-request
> Via: 1.1 firewall.local (squid/3.2.7)
> X-Forwarded-For: 192.168.0.209
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> The only rule I'm changing in pf between the two scenarios is the rdr
> rule for my IP only, so I don't think the loop is happening anywhere in
> pf. I must have something in squid.conf seriously goofed up, but I
> haven't been able to figure it out.
>
> Any help?
>
> Thanks,
>
> - R.
Attachment:
signature.asc
Description: This is a digitally signed message part
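What the "Forwarding loop detected" warning quoted in the thread actually tests, as an added example (this is not code from the Squid project or from either poster): Squid scans the Via header of every incoming request for a hop that names its own hostname; if it finds one, the request has already passed through this proxy once and is about to go round again. The request head and the hostname firewall.local used below are re-typed from the quoted debug output as a constructed sample; the function names are this example's own.

```python
"""Re-create the check behind Squid's "Forwarding loop detected" warning.

Added example, not Squid's own source.  Squid compares each hop listed in
the request's Via header against its own visible/unique hostname; a match
means the proxy is seeing the same request for a second time.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the request head quoted in the thread, re-typed here.
SAMPLE_REQUEST = """POST / HTTP/1.1
Host: ocsp.verisign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Iceweasel/10.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 115
Content-Type: application/ocsp-request
Via: 1.1 firewall.local (squid/3.2.7)
X-Forwarded-For: 192.168.0.209
Cache-Control: max-age=259200
Connection: keep-alive
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Return a lower-cased header map from a raw HTTP request head."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        # Repeated headers (Via often is) are joined with a comma, as HTTP allows.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def via_hops(via: Optional[str]) -> List[str]:
    """Split a Via header into its received-by pseudonyms.

    Each entry is "<version> <received-by> [(comment)]", e.g.
    "1.1 firewall.local (squid/3.2.7)"; entries are comma separated.
    """
    if not via:
        return []
    hops = []
    for entry in via.split(","):
        entry = re.sub(r"\(.*?\)", "", entry).strip()  # drop the "(comment)" part
        parts = entry.split()
        if len(parts) >= 2:
            hops.append(parts[1])
    return hops


def detect_forwarding_loop(raw_request: str, my_hostname: str) -> Optional[str]:
    """Return the Via hop naming this proxy if it already handled the request, else None."""
    headers = parse_headers(raw_request)
    for hop in via_hops(headers.get("via")):
        if hop.lower() == my_hostname.lower():  # hostnames compare case-insensitively
            return hop
    return None


def original_client(raw_request: str) -> Optional[str]:
    """First address in X-Forwarded-For: the client that sent the request on its first pass."""
    xff = parse_headers(raw_request).get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else None


if __name__ == "__main__":
    # visible_hostname from the quoted squid.conf
    hop = detect_forwarding_loop(SAMPLE_REQUEST, "firewall.local")
    print("loop via:", hop, "| original client:", original_client(SAMPLE_REQUEST))
```

Run against the quoted request, the check trips on "1.1 firewall.local (squid/3.2.7)": the request that arrived on the intercept port already carried the Via entry this same proxy stamps on requests it forwards, and X-Forwarded-For still names 192.168.0.209 as the original client. That is all the warning itself establishes; the debug output in the thread does not show by which path the forwarded request came back in, so the pf and squid.conf side of the question is not settled by this check alone.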