-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 10.0.0.23 is your host? And 10.0.0.24 is proxy box? 05.03.15 20:15, Monah Baki пишет: > '--prefix=/cache/squid' '--enable-follow-x-forwarded-for' > '--with-large-files' '--enable-ssl' '--disable-ipv6' > '--enable-esi' '--enable-kill-parent-hack' '--enable-snmp' > '--with-pthreads' '--with-filedescriptors=65535' > '--enable-cachemgr-hostname=hostname' > '--enable-storeio=ufs,aufs,diskd,rock' '--enable-ipfw-transparent' > '--enable-pf-transparent' '--with-nat-devpf' > --enable-ltdl-convenience > > > > > On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov <yvoinov@xxxxxxxxx> > wrote: > > This looking good too. > > Stupid question: > > With witch interception option squid builed? > > I.e, squid -v? > > 05.03.15 18:19, Monah Baki пишет: >>>> Hi all, can anyone verify if this is correct, need to make >>>> ure that users will be able to access the internet via the >>>> squid. >>>> >>>> Running FreeBSD with a single interface with Squid-3.5.2 >>>> >>>> Policy based routing on Cisco with the following: >>>> >>>> >>>> interface GigabitEthernet0/0/1.1 >>>> >>>> encapsulation dot1Q 1 native >>>> >>>> ip address 10.0.0.9 255.255.255.0 >>>> >>>> no ip redirects >>>> >>>> no ip unreachables >>>> >>>> ip nat inside >>>> >>>> standby 1 ip 10.0.0.10 >>>> >>>> standby 1 priority 120 >>>> >>>> standby 1 preempt >>>> >>>> standby 1 name HSRP >>>> >>>> ip policy route-map CFLOW >>>> >>>> >>>> >>>> ip access-list extended REDIRECT >>>> >>>> deny tcp host 10.0.0.24 any eq www >>>> >>>> permit tcp host 10.0.0.23 any eq www >>>> >>>> >>>> >>>> route-map CFLOW permit 10 >>>> >>>> match ip address REDIRECT set ip next-hop 10.0.0.24 >>>> >>>> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to >>>> any port 80 -> 10.0.0.24 port 3129 >>>> >>>> # block in pass in log quick on bge0 pass out log quick on >>>> bge0 pass out keep state >>>> >>>> and finally in my squid.conf: http_port 3128 http_port 3129 >>>> intercept >>>> >>>> >>>> >>>> And for testing purposes from the squid server: ./squidclient >>>> -h 10.0.0.24 -p 3128 http://www.freebsd.org/ >>>> >>>> If I replace -p 3128 with -p 80, I get a access denied, and >>>> if I omit the -p 3128 completely, I can access the websites. >>>> >>>> tcpdump with (-p 3128) >>>> >>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > >>>> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, >>>> options [nop,nop,TS val 985588797 ecr 1054387720], length 0 >>>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > >>>> ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win >>>> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], >>>> length 1448 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > >>>> ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win >>>> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], >>>> length 1448 >>>> >>>> >>>> >>>> Did I miss anything? >>>> >>>> Thanks Monah >>>> >>>> >>>> >>>> _______________________________________________ squid-users >>>> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx >>>> http://lists.squid-cache.org/listinfo/squid-users >>>> >> _______________________________________________ squid-users >> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx >> http://lists.squid-cache.org/listinfo/squid-users >> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJU+Gb6AAoJENNXIZxhPexGZ0sIAKg4iDx7Vm4imHddvGYss5su AKb0wk0E5tJBRXDH+Mlv+rRAe5CKCqFmNQHe4CMcm5XF3PBSlSKwD6Ih/Mnjtn4m +6qk/GOWYACyb7NhGsif57VL6b4AHkqVF3gBZjuNiR/9gMhUYcOHGIdvGX/RLn+z m/gUjA4Ef0JNaflgy48z12ECSvs6RMQzB186i4zm6KoEzFethL/3UhHiLrrDjry+ wB1Rwr8wx3pzbu53WQAS57aGpcp7n0gI7VLwvjh2M6wIetlVLwqWUQu87r0HmvQ5 duoaGplxlCYx7QKZ4L3Q74HH/8taojWxLakCQump1PCTUofWCUy0sAgkxKPCdHw= =HWEF -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
