Sure, here it is — very simple:
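#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# SNMP community accepted by this proxy. "public" is the well-known default
# name, so the snmp_access rule below deliberately limits it to localhost;
# keep that restriction if snmp_access is ever widened.
acl snmpcheck snmp_community public
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Cache manager ACL. An ACL has to be defined before the first http_access
# line that uses it, so it lives here rather than after the manager rules.
# Squid 3.2 and later predefine "manager"; on those releases this explicit
# definition is redundant (and may be reported as such) and can be dropped.
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost.
# NOTE: the previous version had an unconditional "http_access allow manager"
# between these two lines; it matched before the deny and exposed the cache
# manager to every client that could reach the proxy, so it has been removed.
http_access allow manager localhost
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
snmp_access allow snmpcheck localhost
# And finally deny all other access to this proxy
http_access deny all
snmp_access deny all
# Squid normally listens to port 3128
http_port 3128
# Intercept port: only connections redirected by the packet filter (the pf
# "rdr ... -> port 3129" rule) should arrive here. Block direct client
# connections to 3129 in pf so the port cannot be reached by other means.
http_port 3129 intercept
snmp_port 3401
# Disk cache: ufs store under this directory, 350000 MB, 16 first-level and
# 256 second-level subdirectories.
cache_dir ufs /cache/squid/var/cache/squid 350000 16 256
# Leave coredumps in the first cache dir
coredump_dir /cache/squid/var/cache/squid
# "off" records full URLs, query strings included, in access.log. Query strings
# often carry session tokens or credentials, so either keep the log directory
# tightly permissioned or leave this directive at its default ("on").
strip_query_terms off
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
reload_into_ims on
memory_pools off
cache_mem 4096 MB
memory_cache_shared on
minimum_object_size 0 bytes
# The previous version set maximum_object_size twice (512 MB, then 512 KB).
# For a single-value directive the last occurrence wins, so 512 KB was the
# effective limit; only that line is kept. Raise it if large objects should
# be cached on disk.
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
pipeline_prefetch on
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30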
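#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# SNMP community accepted by this proxy. "public" is the well-known default
# name, so the snmp_access rule below deliberately limits it to localhost;
# keep that restriction if snmp_access is ever widened.
acl snmpcheck snmp_community public
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Cache manager ACL. An ACL has to be defined before the first http_access
# line that uses it, so it lives here rather than after the manager rules.
# Squid 3.2 and later predefine "manager"; on those releases this explicit
# definition is redundant (and may be reported as such) and can be dropped.
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost.
# NOTE: the previous version had an unconditional "http_access allow manager"
# between these two lines; it matched before the deny and exposed the cache
# manager to every client that could reach the proxy, so it has been removed.
http_access allow manager localhost
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
snmp_access allow snmpcheck localhost
# And finally deny all other access to this proxy
http_access deny all
snmp_access deny all
# Squid normally listens to port 3128
http_port 3128
# Intercept port: only connections redirected by the packet filter (the pf
# "rdr ... -> port 3129" rule) should arrive here. Block direct client
# connections to 3129 in pf so the port cannot be reached by other means.
http_port 3129 intercept
snmp_port 3401
# Disk cache: ufs store under this directory, 350000 MB, 16 first-level and
# 256 second-level subdirectories.
cache_dir ufs /cache/squid/var/cache/squid 350000 16 256
# Leave coredumps in the first cache dir
coredump_dir /cache/squid/var/cache/squid
# "off" records full URLs, query strings included, in access.log. Query strings
# often carry session tokens or credentials, so either keep the log directory
# tightly permissioned or leave this directive at its default ("on").
strip_query_terms off
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
reload_into_ims on
memory_pools off
cache_mem 4096 MB
memory_cache_shared on
minimum_object_size 0 bytes
# The previous version set maximum_object_size twice (512 MB, then 512 KB).
# For a single-value directive the last occurrence wins, so 512 KB was the
# effective limit; only that line is kept. Raise it if large objects should
# be cached on disk.
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
pipeline_prefetch on
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30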
On Thu, Mar 5, 2015 at 8:54 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Looking good.
Can I take look onto your squid.conf? Without comment lines and
sensitive info?
05.03.15 19:51, Monah Baki пишет:
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24
> port 3129
>
> # block in pass in log quick on bge0 pass out log quick on bge0
> pass out keep state
>
>
> Thanks
>
> On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov <yvoinov@xxxxxxxxx>
> wrote:
>
iQEcBAEBAgAGBQJU+GAUAAoJENNXIZxhPexGCrkH/11tb2r+PvgODC7XyDfA1WUE
> Show complete pf.conf, please.
>
> 05.03.15 19:45, Monah Baki пишет:
>>>> In my squid.conf
>>>>
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov
>>>> <yvoinov@xxxxxxxxx> wrote:
>>>>
>>>> Squid access denied?
>>>>
>>>> Look at this:
>>>>
>>>> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to
>>>> any
>>>>>>>> port 80 -> 10.0.0.24 port 3129
>>>>
>>>> Which port configured in Squid as intercept?
>>>>
>>>> 3129?
>>>>
>>>> and 3128 is forwarding?
>>>>
>>>> 05.03.15 19:36, monahbaki@xxxxxxxxx пишет:
>>>>>>> Yes that's what I followed and user is getting a
>>>>>>> "access denied" from the squid when he tries
>>>>>>> www.cnn.com
>>>>>>>
>>>>>>> Sent from my BlackBerry 10 smartphone on the Verizon
>>>>>>> Wireless 4G LTE network. Original Message From: Yuri
>>>>>>> Voinov Sent: Thursday, March 5, 2015 8:22 AM To:
>>>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re:
>>>>>>> squid intercept config
>>>>>>>
>>>>>>>
>>>>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>>>>>>>
>>>>>>>
>>>>
>>>>
>
>
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>>>>>>
>>>>>>> 05.03.15 18:19, Monah Baki пишет:
>>>>>>>> Hi all, can anyone verify if this is correct, need to
>>>>>>>> make sure that users will be able to access the
>>>>>>>> internet via the squid.
>>>>>>>
>>>>>>>> Running FreeBSD with a single interface with
>>>>>>>> Squid-3.5.2
>>>>>>>
>>>>>>>> Policy based routing on Cisco with the following:
>>>>>>>
>>>>>>>
>>>>>>>> interface GigabitEthernet0/0/1.1
>>>>>>>
>>>>>>>> encapsulation dot1Q 1 native
>>>>>>>
>>>>>>>> ip address 10.0.0.9 255.255.255.0
>>>>>>>
>>>>>>>> no ip redirects
>>>>>>>
>>>>>>>> no ip unreachables
>>>>>>>
>>>>>>>> ip nat inside
>>>>>>>
>>>>>>>> standby 1 ip 10.0.0.10
>>>>>>>
>>>>>>>> standby 1 priority 120
>>>>>>>
>>>>>>>> standby 1 preempt
>>>>>>>
>>>>>>>> standby 1 name HSRP
>>>>>>>
>>>>>>>> ip policy route-map CFLOW
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> ip access-list extended REDIRECT
>>>>>>>
>>>>>>>> deny tcp host 10.0.0.24 any eq www
>>>>>>>
>>>>>>>> permit tcp host 10.0.0.23 any eq www
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> route-map CFLOW permit 10
>>>>>>>
>>>>>>>> match ip address REDIRECT set ip next-hop 10.0.0.24
>>>>>>>
>>>>>>>> In my /etc/pf.conf rdr pass inet proto tcp from
>>>>>>>> 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>>>>
>>>>>>>> # block in pass in log quick on bge0 pass out log
>>>>>>>> quick on bge0 pass out keep state
>>>>>>>
>>>>>>>> and finally in my squid.conf: http_port 3128
>>>>>>>> http_port 3129 intercept
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> And for testing purposes from the squid server:
>>>>>>>> ./squidclient -h 10.0.0.24 -p 3128
>>>>>>>> http://www.freebsd.org/
>>>>>>>
>>>>>>>> If I replace -p 3128 with -p 80, I get an access
>>>>>>>> denied, and if I omit the -p 3128 completely, I can
>>>>>>>> access the websites.
>>>>>>>
>>>>>>>> tcpdump with (-p 3128)
>>>>>>>
>>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 >
>>>>>>>> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win
>>>>>>>> 1018, options [nop,nop,TS val 985588797 ecr
>>>>>>>> 1054387720], length 0 13:15:02.681421 IP
>>>>>>>> wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017:
>>>>>>>> Flags [.], seq 17377:18825, ack 289, win 1040,
>>>>>>>> options [nop,nop,TS val 1054387720 ecr 985588501],
>>>>>>>> length 1448 13:15:02.681575 IP
>>>>>>>> wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017:
>>>>>>>> Flags [.], seq 18825:20273, ack 289, win 1040,
>>>>>>>> options [nop,nop,TS val 1054387720 ecr 985588501],
>>>>>>>> length 1448
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Did I miss anything?
>>>>>>>
>>>>>>>> Thanks Monah
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> squid-users mailing list
>>>>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> squid-users mailing list
>>>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>>>
>>>>>
>>>>
>>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
zyHTj3ZJ3HU+i9cpGZ8d/n+xWv6R09y+opC6WG0KVNlKIpqzNBSBjp4xKuMB1mAh
M83J38n8Mm38AoOKtNmFq4jipsEkWCo4m/PAWu0h0rRty9HGB+CV8ZSSAQyl4TJg
FY7vembnCRxJT6lDwE5QSWDxeCZUOEPNakonBblvQ6cAcUnhjOHpTVSICBkraNA+
u8jcS1mHST9d64YzVrssGSd1yrVKEVHJPylyXiftGi9hEwhKWivmv2fsJ6LgRMlM
7cXtnxPPiLe0/C4uwnLVdTSJGO6njZ61r8LRHaOT5qrM32aZbqZzDyG2yrXopXk=
=n7R1
-----END PGP SIGNATURE-----
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users