-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Squid access denied? Look at this: In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to any >> port 80 -> 10.0.0.24 port 3129 Which port configured in Squid as intercept? 3129? and 3128 is forwarding? 05.03.15 19:36, monahbaki@xxxxxxxxx пишет: > Yes that's what I followed and user is getting a "access denied" > from the squid when he tries www.cnn.com > > Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G > LTE network. Original Message From: Yuri Voinov Sent: Thursday, > March 5, 2015 8:22 AM To: squid-users@xxxxxxxxxxxxxxxxxxxxx > Subject: Re: squid intercept config > > http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute > > http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf > > 05.03.15 18:19, Monah Baki пишет: >> Hi all, can anyone verify if this is correct, need to make ure >> that users will be able to access the internet via the squid. > >> Running FreeBSD with a single interface with Squid-3.5.2 > >> Policy based routing on Cisco with the following: > > >> interface GigabitEthernet0/0/1.1 > >> encapsulation dot1Q 1 native > >> ip address 10.0.0.9 255.255.255.0 > >> no ip redirects > >> no ip unreachables > >> ip nat inside > >> standby 1 ip 10.0.0.10 > >> standby 1 priority 120 > >> standby 1 preempt > >> standby 1 name HSRP > >> ip policy route-map CFLOW > > > >> ip access-list extended REDIRECT > >> deny tcp host 10.0.0.24 any eq www > >> permit tcp host 10.0.0.23 any eq www > > > >> route-map CFLOW permit 10 > >> match ip address REDIRECT set ip next-hop 10.0.0.24 > >> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to >> any port 80 -> 10.0.0.24 port 3129 > >> # block in pass in log quick on bge0 pass out log quick on bge0 >> pass out keep state > >> and finally in my squid.conf: http_port 3128 http_port 3129 >> intercept > > > >> And for testing purposes from the squid server: ./squidclient -h >> 10.0.0.24 -p 3128 http://www.freebsd.org/ > >> If I replace -p 3128 with -p 80, I get a access denied, and if I >> omit the -p 3128 completely, I can access the websites. > >> tcpdump with (-p 3128) > >> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > >> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, >> options [nop,nop,TS val 985588797 ecr 1054387720], length 0 >> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > >> ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win >> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length >> 1448 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > >> ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win >> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length >> 1448 > > > >> Did I miss anything? > >> Thanks Monah > > > >> _______________________________________________ squid-users >> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx >> http://lists.squid-cache.org/listinfo/squid-users > > _______________________________________________ squid-users mailing > list squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJU+F2gAAoJENNXIZxhPexGivEH/jh0uoMFUNiqROuSVfnCbd4F pzcgm//4M3CRFCCGYT+u7VA14Uw5EPz/3vIiOQZFWrZLt9zZdtIlHqPA0ucBi5U5 cfHwlOhAXWMihM0gUYCATWit6c+cY9bvFS9wHzav9RJK8aRFWGczBhPLfFMGV8/y WTgnCh3ViR3ZjilLhM3MB1nd4pNzn01BM9X3rteGu5d1zh6hznyEIqMAzUXFcBeF cnsWPnXkhU/r13X7zk0K6nF9tSaSIvbYJQaTWRl5DvkYVwQgCcPUwQ5yleWh70Ex MycgylzjEqCAO4rqpYwV/v8/meb8+QzgK3e1KFRXDz91/zUz8LGO0ns7LzhAKFM= =ZRtj -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
