Looking good. Can I take a look at your squid.conf? Without comment lines
and sensitive info?

05.03.15 19:51, Monah Baki writes:
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>
> # block in
> pass in log quick on bge0
> pass out log quick on bge0
> pass out keep state
>
> Thanks
>
> On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>
>> Show complete pf.conf, please.
>>
>> 05.03.15 19:45, Monah Baki writes:
>>> In my squid.conf
>>>
>>> http_port 3128
>>> http_port 3129 intercept
>>>
>>> Thanks
>>>
>>> On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>
>>>> Squid access denied?
>>>>
>>>> Look at this:
>>>>
>>>>> In my /etc/pf.conf
>>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>
>>>> Which port is configured in Squid as intercept?
>>>>
>>>> 3129?
>>>>
>>>> and 3128 is forwarding?
>>>>
>>>> 05.03.15 19:36, monahbaki@xxxxxxxxx writes:
>>>>> Yes that's what I followed and user is getting an "access denied" from
>>>>> the squid when he tries www.cnn.com
>>>>>
>>>>> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
>>>>>
>>>>> Original Message
>>>>> From: Yuri Voinov
>>>>> Sent: Thursday, March 5, 2015 8:22 AM
>>>>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>> Subject: Re: squid intercept config
>>>>>
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>>>>>>
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>>>>>
>>>>>> 05.03.15 18:19, Monah Baki writes:
>>>>>>> Hi all, can anyone verify if this is correct, need to make sure that
>>>>>>> users will be able to access the internet via the squid.
>>>>>>>
>>>>>>> Running FreeBSD with a single interface with Squid-3.5.2
>>>>>>>
>>>>>>> Policy based routing on Cisco with the following:
>>>>>>>
>>>>>>> interface GigabitEthernet0/0/1.1
>>>>>>>  encapsulation dot1Q 1 native
>>>>>>>  ip address 10.0.0.9 255.255.255.0
>>>>>>>  no ip redirects
>>>>>>>  no ip unreachables
>>>>>>>  ip nat inside
>>>>>>>  standby 1 ip 10.0.0.10
>>>>>>>  standby 1 priority 120
>>>>>>>  standby 1 preempt
>>>>>>>  standby 1 name HSRP
>>>>>>>  ip policy route-map CFLOW
>>>>>>>
>>>>>>> ip access-list extended REDIRECT
>>>>>>>  deny tcp host 10.0.0.24 any eq www
>>>>>>>  permit tcp host 10.0.0.23 any eq www
>>>>>>>
>>>>>>> route-map CFLOW permit 10
>>>>>>>  match ip address REDIRECT
>>>>>>>  set ip next-hop 10.0.0.24
>>>>>>>
>>>>>>> In my /etc/pf.conf
>>>>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>>>>
>>>>>>> # block in
>>>>>>> pass in log quick on bge0
>>>>>>> pass out log quick on bge0
>>>>>>> pass out keep state
>>>>>>>
>>>>>>> and finally in my squid.conf:
>>>>>>> http_port 3128
>>>>>>> http_port 3129 intercept
>>>>>>>
>>>>>>> And for testing purposes from the squid server:
>>>>>>> ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>>>>>
>>>>>>> If I replace -p 3128 with -p 80, I get an access denied, and if I omit
>>>>>>> the -p 3128 completely, I can access the websites.
>>>>>>>
>>>>>>> tcpdump with (-p 3128)
>>>>>>>
>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>>>>>>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>> 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>>
>>>>>>> Did I miss anything?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Monah
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> squid-users mailing list
>>>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
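A consistency check over the three config fragments quoted in this thread (the pf rdr target port against Squid's intercept port, and the Cisco REDIRECT ACL exception for the proxy host), added here as an example; it is not code from the thread or from the Squid project. The parsers are deliberately simplified (one IPv4 rdr rule for port 80, `http_port` lines with an optional `host:` prefix) and treat an explicit `deny` for the proxy host as the required loop guard.

```python
import re

# Constructed sample input: the three config fragments quoted in the thread.
PF_CONF = """
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
pass in log quick on bge0
"""
SQUID_CONF = """
http_port 3128
http_port 3129 intercept
"""
CISCO_ACL = """
ip access-list extended REDIRECT
 deny tcp host 10.0.0.24 any eq www
 permit tcp host 10.0.0.23 any eq www
"""

# Simplified parsers (assumption: one rdr rule for port 80, IPv4 host targets).
RDR_RE = re.compile(r"^rdr\b.*?\bto\s+any\s+port\s+80\s+->\s+(\S+)\s+port\s+(\d+)", re.M)
HTTP_PORT_RE = re.compile(r"^http_port\s+(?:\S*:)?(\d+)(.*)$", re.M)
ACL_DENY_RE = re.compile(r"^\s*deny\s+tcp\s+host\s+(\S+)\s+any\s+eq\s+(?:www|80)", re.M)

def check_intercept(pf_conf, squid_conf, cisco_acl):
    """Return a list of findings; an empty list means the fragments agree."""
    findings = []
    m = RDR_RE.search(pf_conf)
    if not m:
        return ["pf.conf: no rdr rule redirecting port 80 to the proxy"]
    proxy_ip, rdr_port = m.groups()

    # Every http_port in squid.conf, keyed by port, with its option flags.
    ports = {p: opts.split() for p, opts in HTTP_PORT_RE.findall(squid_conf)}
    if rdr_port not in ports:
        findings.append(f"squid.conf: pf redirects to port {rdr_port}, but there is no http_port {rdr_port}")
    elif "intercept" not in ports[rdr_port]:
        # Redirected packets arrive as origin-form requests; only an intercept port handles them.
        findings.append(f"squid.conf: http_port {rdr_port} is the rdr target but is not marked intercept")

    # Loop guard: the proxy's own port-80 fetches must not be policy-routed
    # back to it, so the proxy host needs an explicit deny in the ACL.
    denied = set(ACL_DENY_RE.findall(cisco_acl))
    if proxy_ip not in denied:
        findings.append(f"cisco ACL: host {proxy_ip} is not excluded from REDIRECT, "
                        f"so a permit covering it would route the proxy's own traffic back to itself")
    return findings
```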