Search squid archive

Dansguardian + squid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry for the long post, but I like to error on the side of verbosity when I'm grasping at straws.

I've been happily running Dansguardian(2.10.1.1-4.el6.x86_64) + squid(3.1.10-9.el6_3.x86_64) on CentOS 6 for a while.

Recently, I've been dealing with an HTTP 1.1 error by disabling the proxy temporarily. I finally decided to fix it for real and it looks like squid 3.3 will solve my problem. So I hacked the squid 3.3 source into the CentOS 3.1 source rpm, and produced a package you can find here:
http://kai.gnukai.com/repo/

I was using a "close-to-stock" squid 3.1 configuration that was working:
---snip---
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
follow_x_forwarded_for deny all
http_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
visible_hostname CENSORED
---snip---

I dropped in squid 3.3, and it complained about line one. So I dropped line 1, and had some more issues. So I decided to start with the stock 3.3 squid configuration, and simply "add" the peices I thought I needed. I ended up with this:
---snip---
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
follow_x_forwarded_for deny all
visible_hostname CENSORED
always_direct allow all
http_port 3129 transparent
---snip---

You may notice I "added" port 3129 instead of replacing the 3128. I did that just to avoid the "kid1| ERROR: No forward-proxy ports configured." error. I've updated my dansguardian config accordingly.

For reference, here's my iptables config. ppp0 is my internet connection, br0 is my local network connection, and tun+ interfaces are any OpenVPN

---snip---
*nat
:PREROUTING ACCEPT [10:812]
:POSTROUTING ACCEPT [3:236]
:OUTPUT ACCEPT [6:469]
:whitelist - [0:0]
-A PREROUTING -j whitelist
-A PREROUTING -s 10.9.8.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.9.8.0/24 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.8.1:8080
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [34:8038]
:OUTPUT ACCEPT [5:337]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 3 --name DEFAULT --rsource -j LOG --log-prefix "SSH DROP: " --log-level 6 -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 --name DEFAULT --rsource -j DROP -A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [109:23590]
:INPUT ACCEPT [50:3853]
:FORWARD ACCEPT [59:19737]
:OUTPUT ACCEPT [29:2882]
:POSTROUTING ACCEPT [88:22619]
COMMIT
---snip---


So, with the DNAT rule enabled, every http page (ie: http://kai.gnukai.com/ip.php) comes back in my browser with the error
---snip---
     Access Denied.

Access control configuration prevents your request from being allowed at
   this time. Please contact your service provider if you feel this is
   incorrect.
---snip---

If I http decode the mailto: link to root, I get this:
---snip---
mailto:root?subject=CacheErrorInfo - ERR_ACCESS_DENIED&body=CacheHost: shuttle.gamer.gnukai.com
ErrPage: ERR_ACCESS_DENIED
Err: [none]
TimeStamp: Fri, 12 Jul 2013 01:08:40 GMT

ClientIP: 10.9.8.1

HTTP Request:
GET /ip.php HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: shuttle
Accept: */*
Via: 1.0 CENSORED (squid/3.3.6)
X-Forwarded-For: 10.9.8.104, 10.9.8.1
Cache-Control: max-age=259200
Connection: keep-alive
---snip---

10.9.8.104 is my browser. If I use curl to get the headers back, they look like this:

---snip---
HTTP/1.1 403 Forbidden
Server: squid/3.3.6
Mime-Version: 1.0
Date: Fri, 12 Jul 2013 02:53:39 GMT
Content-Type: text/html
Content-Length: 3447
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from CENSORED
X-Cache-Lookup: MISS from CENSORED:3128
X-Cache: MISS from CENSORED
X-Cache-Lookup: MISS from CENSORED:3128
Via: 1.1 CENSORED (squid/3.3.6), 1.1 CENSORED (squid/3.3.6)
Connection: keep-alive
---snip---

I'm confused that it says 3128, when it's clearly talking 3129 on the lo device: 0.000000 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=211693779 TSER=0 WS=7 0.000012 10.9.8.1 -> 10.9.8.1 TCP 3129 > 35160 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 TSV=211693779 TSER=211693779 WS=7 0.000021 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [ACK] Seq=1 Ack=1 Win=32896 Len=0 TSV=211693779 TSER=211693779 0.000869 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [PSH, ACK] Seq=1 Ack=1 Win=32896 Len=44 TSV=211693780 TSER=211693779
....


I get the feeling this is an ACL issue, but I can't find it. What's really confusing me is that if I change the iptables DNAT rule to redirect straight to squid (port 3129), I don't run into this issue.

Any ideas?




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux