Re: Re: How to make Squid 3.3.8 a transparent proxy?

Hi babajaga,

> ... HIER_DIRECT/127.0.0.1 ...
> Strangely enough, squid forwards the request to 127.0.0.1 ....

Is there a possibility to tell squid to stop forwarding?

> I am not sure whether you need 2 ports to be specified:
> http_port 3129
> http_port 3128 intercept

I tried it, but it still does not work. Same error. Here is my current squid.conf:
-----%<-----
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
# http_access deny !Safe_ports
# http_access deny CONNECT !SSL_ports
# http_access allow localhost manager
# http_access deny manager
# http_access allow localhost
# http_access deny all
http_access allow all
http_port 3127
http_port 3128 intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .        0    20%    4320
-----%<-----

> In your setup, you need special firewall rules to avoid a loop:
> DG forwards to port 80, squid intercepts, forwards to port 80, NO INTERCEPT
> THEN (hopefully)
> So you should post firewall rules, as well.

Here it is:
-----%<-----
# First: forbid direct connections to the proxies
iptables -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner dansguardian -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j REJECT
iptables -A OUTPUT -p tcp --dport 8100 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8100 -j REJECT

# No proxy is needed for the following networks
iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A OUTPUT -d 127.0.0.1 -j ACCEPT

# Aqbanking does not support proxies: allow some HBCI IPs
iptables -A OUTPUT -d 193.110.133.32 -j ACCEPT
iptables -A OUTPUT -d 195.140.47.194 -j ACCEPT
iptables -A OUTPUT -d 195.145.106.77 -j ACCEPT
iptables -A OUTPUT -d 195.145.106.98 -j ACCEPT
iptables -A OUTPUT -d 212.184.124.125 -j ACCEPT
iptables -A OUTPUT -d 213.95.18.77 -j ACCEPT
iptables -A OUTPUT -d 213.95.18.98 -j ACCEPT
iptables -A OUTPUT -d 213.95.70.61 -j ACCEPT
iptables -A OUTPUT -d 217.115.75.100 -j ACCEPT

# Rules to Reject HTTPS without Dansguardian
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner proxy -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -m owner --uid-owner proxy -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j REJECT
iptables -A OUTPUT -p udp --dport 443 -j REJECT

# Automatically route port 80 traffic to Dansguardian
# Accept traffic from root and from the proxy user (squid) unchanged
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
# ... redirect all other users to port 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p udp --dport 80 -j REDIRECT --to-port 8080
-----%<-----
But even without flushing all rules and setting the proxy manually - same error...

> Otherwise:
> I always did it the other way:
> client --- (transparent) squid --- DG --- web
> because
> 1) client does not need to specify proxy explicitly (in your setup, a MUST)
> 2) no need to cache content, later on blocked by DG
> 3) Not sure any more, whether DG supports parent proxy

With squid 3.1.20 it works perfectly. Thus I think it should work with squid 3.3.8, too. Here is the relevant part of my dansguardian.conf:
-----%<-----
# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128
-----%<-----
Dansguardian forwards correctly to squid. The dansguardian part works (and blocks) perfectly.

> Then my setup matched the rules in
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

I read this link also. That is why I made the change from "transparent" to "intercept".

My scenario is a bit different from that on the link: client and server are the same machine.

> Only the line
> cache_peer 127.0.0.1 parent DG-port 0 no-query no-digest no-netdb-exchange
> needs to be added to squid.conf

Now I added this line at the end of the squid.conf file. But still no change.

Do you have any other ideas?

Greetings,

Tobi
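An added check, written for this thread rather than taken from it, for the two-port question and the HIER_DIRECT/127.0.0.1 log entry quoted above: it reads the http_port lines of squid.conf and the proxyport of dansguardian.conf, flags DansGuardian pointing its upstream at a port squid runs in intercept mode (an intercept port expects only NAT-redirected connections, so an explicit client on it is forwarded back to squid itself), and lists the requests squid sent to 127.0.0.1 in its native access.log. The config and log lines are constructed samples that mirror the ones in the thread.

```python
import re

# Constructed sample inputs mirroring the lines quoted in the thread, not the poster's full files.
SQUID_CONF = """\
http_port 3127
http_port 3128 intercept
"""
DG_CONF = """\
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
"""
ACCESS_LOG = """\
1381234567.123     12 127.0.0.1 TCP_MISS/200 1052 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1381234568.456      3 127.0.0.1 TCP_MISS/403 845 GET http://example.org/x - HIER_DIRECT/127.0.0.1 text/html
"""
INTERCEPT_FLAGS = {"intercept", "transparent"}  # "transparent" is the pre-3.1 spelling


def squid_ports(conf):
    """Map each http_port in squid.conf to the set of option flags behind it."""
    ports = {}
    for line in conf.splitlines():
        m = re.match(r"\s*http_port\s+(?:\S*:)?(\d+)(.*)", line)
        if m:
            ports[int(m.group(1))] = set(m.group(2).split())
    return ports


def dg_proxyport(conf):
    """The port DansGuardian forwards filtered requests to (proxyport)."""
    m = re.search(r"^\s*proxyport\s*=\s*(\d+)", conf, re.M)
    return int(m.group(1)) if m else None


def check_chain(squid_conf, dg_conf):
    """Flag DansGuardian pointing at a port squid runs in intercept mode; such a
    port expects NAT-redirected connections, so an explicit client loops back."""
    ports = squid_ports(squid_conf)
    pp = dg_proxyport(dg_conf)
    if pp not in ports:
        return [f"dansguardian proxyport {pp} is not a squid http_port"]
    if ports[pp] & INTERCEPT_FLAGS:
        plain = sorted(p for p, f in ports.items() if not f & INTERCEPT_FLAGS)
        return [f"dansguardian proxyport {pp} is an intercept port; use a plain http_port such as {plain}"]
    return []


def self_forwards(log):
    """URLs squid sent to its own host (HIER_DIRECT/127.0.0.1 in the native log)."""
    rows = [line.split() for line in log.splitlines()]
    return [f[6] for f in rows if len(f) >= 9 and f[8] == "HIER_DIRECT/127.0.0.1"]
```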



