On 25/08/2014 12:37 p.m., orientalsniper wrote:
> Hello all, I'm having the same problem as this guy:
>
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-transparent-proxy-with-one-nic-access-denied-problem-td4664881.html
>
> When I try to access a website I get an Access Denied by Squid message
> and in the access.log I see I'm getting a forwarding loop error.
>
> But we have a different network setup and he's using Ubuntu. I'm running Squid 3.4.
>
> I'm running 2 VMs: 1 for pfSense and the other for FreeBSD (nginx + squid)
>
> I have the following network:
> WAN1 + WAN2 in pfSense
> 10.0.0.1/24 (LAN1 in pfSense)
> 10.1.0.1/24 (LAN2 in pfSense)
> 10.2.0.1/24 (LAN3 in pfSense) ----> (connecting to nginx+squid[10.2.0.2] VM)
>

What is nginx in the mix for? And what is pfSense doing? Where are the NATs happening?

You must have at least three layers of NAT for that described setup to work:

  clients --> 10.2.0.2            (for delivery to nginx)
  10.2.0.2:80 -> 10.2.0.2:3128    (nginx outgoing MITM capture to Squid)
  127.0.0.1 -> 10.2.0.2
  10.2.0.2 -> Internet

> My squid.conf:

(elided the comments for you so we can read it easier.)

>
> acl whatismyip dstdomain whatismyip.cc
> http_access allow whatismyip
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl WORK-PC srcdomain 10.1.0.3

10.1.0.3 is not a domain name. It is an IP address. Use the src ACL type.

>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
>
> http_port 10.2.0.2:3128 intercept
>
> cache_dir ufs /var/squid/cache/squid 100 16 256
> coredump_dir /var/squid/cache/squid
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> cache_effective_user squid
> cache_effective_group squid
> check_hostnames off
> unique_hostname squidcache
> dns_nameservers 8.8.8.8
> tcp_outgoing_address 127.0.0.1
>

127.0.0.1 is not a globally routable IP address. Nor can it be NAT'ed to one. Outgoing traffic from Squid to any other host is guaranteed to fail delivery.

Amos
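The two configuration mistakes called out in the reply (an IP address given to a srcdomain ACL, and a loopback address as tcp_outgoing_address) are easy to catch mechanically before reloading Squid. The following is an added example, not code from the thread or from the Squid project: a small linter that parses squid.conf directives, reports both problems, and rewrites the srcdomain case to a src ACL. The SAMPLE_CONF string is constructed from the directives quoted in the post, trimmed to the lines the reply comments on; the checks, messages and function names are the example's own.

```python
import ipaddress

# Constructed sample: the squid.conf directives quoted in the post, trimmed to
# the lines the reply discusses (not a complete or recommended config).
SAMPLE_CONF = """\
acl whatismyip dstdomain whatismyip.cc
http_access allow whatismyip
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl WORK-PC srcdomain 10.1.0.3
http_access deny !Safe_ports
http_access allow localnet
http_port 10.2.0.2:3128 intercept
tcp_outgoing_address 127.0.0.1
"""


def _as_ip(token):
    """Return an ip_address object if token is a bare IP literal, else None."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_conf(conf):
    """Yield (line_no, directive, args) for every non-blank, non-comment line.

    Squid treats '#' as the start of a comment anywhere on a line, so the
    trailing '# http' style annotations are stripped before splitting.
    """
    for line_no, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield line_no, parts[0], parts[1:]


def lint_conf(conf):
    """Return a list of (line_no, directive, message) findings."""
    findings = []
    for line_no, directive, args in parse_conf(conf):
        # srcdomain is matched against the reverse-DNS name of the client,
        # so an IP literal here never matches; the 'src' ACL type takes IPs.
        if directive == "acl" and len(args) >= 3 and args[1] == "srcdomain":
            ips = [v for v in args[2:] if _as_ip(v) is not None]
            if ips:
                findings.append((line_no, "acl",
                                 "srcdomain ACL '%s' lists IP address(es) %s; "
                                 "use the 'src' ACL type" % (args[0], ips)))
        # A loopback source address cannot reach any other host and cannot be
        # NAT'ed to a routable one, so every outbound fetch will fail.
        elif directive == "tcp_outgoing_address" and args:
            ip = _as_ip(args[0])
            if ip is not None and ip.is_loopback:
                findings.append((line_no, "tcp_outgoing_address",
                                 "%s is a loopback address; outgoing traffic "
                                 "to other hosts cannot be delivered" % ip))
    return findings


def fix_conf(conf):
    """Rewrite srcdomain ACLs whose values are all IP literals to 'src' ACLs.

    The outgoing-address problem needs a site-specific routable address, so
    it is only reported by lint_conf(), never rewritten here.
    """
    out = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if (len(parts) >= 4 and parts[0] == "acl" and parts[2] == "srcdomain"
                and all(_as_ip(v) is not None for v in parts[3:])):
            raw = raw.replace(" srcdomain ", " src ", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, directive, message in lint_conf(SAMPLE_CONF):
        print("line %d (%s): %s" % (line_no, directive, message))
    print("--- after fix_conf ---")
    print(fix_conf(SAMPLE_CONF), end="")
```

Run against the sample, the linter flags line 5 (the srcdomain ACL) and line 9 (the loopback outgoing address); after fix_conf() only the outgoing-address finding remains, because choosing the correct routable source address depends on where the NAT layers in the reply are actually applied.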