Dear all,
I have configured Squid 3.5.26 with SSL bump on CentOS 6.2 to share internet access, and delay pools to control bandwidth (my configuration files are attached).
1- Clients who send requests with a proxy setting configured work fine with this directive: http_port 3128
- Delay pools are working fine; internet browsing for all clients using the proxy is working.
2- When transparent proxy clients send HTTP requests via iptables ... REDIRECT:
http_port 3129 intercept
OR
When transparent proxy clients send HTTPS requests via iptables ... REDIRECT:
https_port 3130 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.pem
I observed the problem in both cases: when a client sends a request through iptables, the Squid service fails. When I stop iptables and start Squid, then it starts working.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
3- My objectives in setting up Squid:
* Internet sharing for clients with proxy settings configured.
* Internet sharing for transparent proxy clients (those requests are directed to the server by ip route 0.0.0.0 0.0.0.0 Proxy-IP from the Cisco network, for HTTP and HTTPS requests, without configuring proxy settings; they come from wireless).
* Delay pools for both HTTP and HTTPS browsing, for proxy and transparent clients.
Kindly, if somebody could help me fix my problems, and share any setting which works. I had added the SSL bump certificate because the service was crashing again and again without any reason after a few days, or sometimes on the same day.
--
With Regards,
Arsalan Hussain
If you don't fight for what you want, don't cry for what you lose.
acl localnet src 192.168.5.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
# for clients with a configured proxy.
http_port 3128
# for clients who are sent here via iptables ... REDIRECT.
http_port 3129 intercept
# for https clients who are sent here via iptables ... REDIRECT
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
via off
forwarded_for off
# ******* DELAY POOLS **************
acl WebControl dstdomain .googlevideo.com
acl WebControl dstdomain .facebook.com
acl WebControl dstdomain .dailymotion.com
acl WebControl dstdomain .tw1.com
acl WebControl dstdomain .fbcdn.net
acl SpecialClients src 192.168.5.0/24
# General Rule for All unlimited
request_body_max_size 0 KB
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_parameters 1 2000000/2000000 256000/256000
delay_parameters 2 950000/950000 130000/130000
delay_access 2 allow WebControl
delay_access 2 deny all
delay_access 1 allow localnet
delay_access 1 deny all
# ********************************** DELAY POOLS END
# debug options ALL
# Uncomment and adjust the following to add a disk cache directory.
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 1024 16 256
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname admin.preston
---------------------------------------------------------------
IPTABLES SETTING
# Generated by iptables-save v1.4.7 on Mon Jul 31 05:43:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8330155:414444635]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT
# Completed on Mon Jul 31 05:43:29 2017
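A consistency check worth running on a setup like the one above, added here as an example and not part of the original post or of Squid: the PREROUTING chain and the REDIRECT target belong to the nat table, so a REDIRECT rule listed under *filter in an iptables-save dump (as in the attachment) is a red flag, and every --to-ports target should correspond to a port Squid opens in intercept mode. The dump and squid.conf fragment below are constructed to mirror the post; the function names are this example's own.

```shell
#!/bin/sh
# Constructed iptables-save dump modelled on the post: the REDIRECT rules
# sit under *filter, where there is no PREROUTING chain.
IPT_BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT'

# Constructed corrected dump: the same REDIRECT rules in the nat table.
IPT_FIXED='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Constructed squid.conf fragment with the three listening ports from the post.
SQUID_CONF='http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_certs/squid.pem'

# misplaced_redirects DUMP: print every REDIRECT rule that is outside *nat,
# prefixed with the table it was found in.
misplaced_redirects() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /-j REDIRECT/ && table != "nat" { print table ": " $0 }'
}

# intercept_ports CONF: ports that http_port/https_port open in intercept mode.
intercept_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^https?_port$/ && / intercept/ { print $2 }'
}

# redirect_targets DUMP: the --to-ports value of every REDIRECT rule.
redirect_targets() {
    printf '%s\n' "$1" | awk '/-j REDIRECT/ {
        for (i = 1; i <= NF; i++) if ($i == "--to-ports") print $(i + 1) }'
}

# unmatched_targets DUMP CONF: REDIRECT targets with no intercept port in Squid,
# i.e. traffic that would land on a closed port or a plain forward-proxy port.
unmatched_targets() {
    ports=$(intercept_ports "$2")
    for p in $(redirect_targets "$1"); do
        printf '%s\n' "$ports" | grep -qx "$p" || echo "$p"
    done
}

# Stand-alone run: report on the broken dump, then on the corrected one.
echo "REDIRECT rules outside the nat table (broken dump):"
misplaced_redirects "$IPT_BROKEN"
echo "REDIRECT rules outside the nat table (fixed dump):"
misplaced_redirects "$IPT_FIXED"
echo "REDIRECT targets with no matching intercept port:"
unmatched_targets "$IPT_FIXED" "$SQUID_CONF"
```

On a live box the same functions can be fed `"$(iptables-save)"` and `"$(cat /etc/squid/squid.conf)"`; an empty result from both checks means the redirect table and the intercept ports line up, which rules out that class of misconfiguration before looking at cache.log for the crash itself.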
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users