Feel free to use Squid Wiki: http://wiki.squid-cache.org/ConfigExamples/Intercept

03.03.15 19:30, laxcat wrote:
> I have squid installed on a NAT instance in AWS. I installed squid
> using yum. The OS is Amazon Linux. When squid is not running I am
> able to send traffic through the nat box from private subnets but
> when I start squid I am not.
>
> These are the default iptables rules:
>
> [admin@box1 ~]# iptables -t nat --line-numbers -L
> Chain PREROUTING (policy ACCEPT)
> num  target      prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> num  target      prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target      prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> num  target      prot opt source               destination
> 1    MASQUERADE  all  --  10.3.0.0/16          anywhere
>
> When I start squid and add the below rule to iptables, I get a squid
> error page:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Error page says:
>
> ERROR
> The requested URL could not be retrieved
> The following error encountered while trying to retrieve the URL: /
> Invalid URL
>
> Current config (I have tried a few different ones):
>
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
> acl localnet src fc00::/7         # RFC 4193 local private network range
> acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80            # http
> acl Safe_ports port 21            # ftp
> acl Safe_ports port 443           # https
> acl Safe_ports port 70            # gopher
> acl Safe_ports port 210           # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280           # http-mgmt
> acl Safe_ports port 488           # gss-http
> acl Safe_ports port 591           # filemaker
> acl Safe_ports port 777           # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> #http_access allow manager localhost
> #http_access allow all
> acl whitelist dstdomain "/etc/squid/whitelist"
> http_access allow whitelist
> http_access allow CONNECT whitelist
> http_access deny !whitelist
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> --
> View this message in context:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Help-with-Squid-Proxy-on-AWS-Nat-Instance-tp4670170.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
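An added check, not part of the thread above: the REDIRECT rule sends port-80 traffic to Squid's plain forward-proxy port 3128, but a NAT-redirected request is only understood on an `http_port` carrying the `intercept` flag (the wiki page linked above uses a separate port for it; 3129 below is an assumed value). The script compares the rule's `--to-port` with the config's `http_port ... intercept` lines on constructed samples of the poster's setup and a corrected one.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the port an iptables
# REDIRECT rule sends traffic to is declared with the "intercept" flag in
# squid.conf. Without that flag Squid treats the intercepted request as a
# malformed forward-proxy request and answers with the "Invalid URL" page.
# Port 3129 for the intercept listener is an assumption.

# Print the --to-port value of an iptables REDIRECT rule ($1).
redirect_port() {
    printf '%s\n' "$1" | sed -n 's/.*--to-port[ =]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed if squid.conf text ($1) has "http_port [addr:]<port> ... intercept"
# for port $2; anything after '#' on the line is ignored.
has_intercept_port() {
    printf '%s\n' "$1" | grep -Eq \
      "^[[:space:]]*http_port[[:space:]]+([^[:space:]#]*:)?$2([[:space:]]+[^#]*)?[[:space:]]intercept([[:space:]]|$)"
}

# Succeed only if the rule's target port is an intercept port in the config.
check_redirect() {
    port=$(redirect_port "$2")
    if [ -n "$port" ] && has_intercept_port "$1" "$port"; then return 0; fi
    return 1
}

# Constructed samples: the poster's setup, then the corrected one.
BROKEN_CONF='http_port 3128'
BROKEN_RULE='iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128'

FIXED_CONF='# forward-proxy listener for clients configured to use the proxy
http_port 3128
# separate listener for NAT-redirected traffic (assumed port)
http_port 3129 intercept'
FIXED_RULE='iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129'

report() {  # $1 = label, $2 = squid.conf text, $3 = iptables rule
    if check_redirect "$2" "$3"; then
        echo "$1: REDIRECT target $(redirect_port "$3") is an intercept port: OK"
    else
        echo "$1: REDIRECT target $(redirect_port "$3") has no 'http_port ... intercept' line"
    fi
}

report BROKEN "$BROKEN_CONF" "$BROKEN_RULE"
report FIXED  "$FIXED_CONF"  "$FIXED_RULE"
```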