On 11/03/19 8:26 am, steven wrote:
>
> On 05.03.19 06:13, Amos Jeffries wrote:
>> On 5/03/19 12:10 pm, steven wrote:
>>> Ah thank you for that clarification, the python icap servers I tested so
>>> far are not very promising but at least there's a connection now.
>>>
>>> sadly squid does not allow http access at all, only https access.
>>>
>> Er, that would be because the only http_port you have is configured with
>> 'accel' - making it a reverse-proxy port. But you do not have any
>> cache_peer configured to handle that type of traffic.
>>
>>
>> So, is there any particular reason you have that port receiving 'accel'
>> / reverse-proxy mode traffic?
>> If not remove that mode flag and things should all work for HTTP too.
>>
>
> removed the accel mode but still no luck with http, when opening the address:
>
> http://squid-web-proxy-cache.1019090.n4.nabble.com/http-port-with-quot-transparent-quot-or-quot-intercept-quot-td4677133.html
>
>
> The following error was encountered while trying to retrieve the URL:
> /http-port-with-quot-transparent-quot-or-quot-intercept-quot-td4677133.html
>

Ah, that is an origin-form URL.

> in this tutorial:
>
> https://www.reddit.com/r/sysadmin/comments/a67hly/squid_proxy_a_short_guide_forward_transparent/
>
>
> the guy uses two ports for http like this:
>
> http_port 3128 # Listen on this HTTP port, intercepting requests
> http_port 3129 intercept
>
> and then with iptables he redirects 80 to port 3129 which does not work
> here :(

Which should work fine ... provided the right type of traffic is passed
to each port.

> export http_proxy=http://192.168.10.215:3140 && wget google.de # I'm using 3140
> as intercept port. config at the end.
>
> --2019-03-10 20:20:56--  http://google.de/
> Connecting to 192.168.10.215:3140... connected.
> Proxy request sent, awaiting response... 403 Forbidden
> 2019-03-10 20:20:56 ERROR 403: Forbidden.
>

Hmm. You keep mixing port modes and traffic types.

Port 3128, 80 and 443 all have different traffic syntax and handling
requirements. The mode flags tell Squid which syntax is expected and
valid arriving at that port. Default mode is forward/explicit-proxy so
there is no flag for that mode/syntax.

Ports with 'intercept' flags must *only* have traffic passed to them from
the OS NAT subsystem. Clients should be connecting directly to the domain
origin on port 80. Do not configure them with any details about the
proxy.

E.g. passing the http_proxy environment variable is configuring wget to
use an explicit-proxy port. Your wget test should be using port 3128 in
that http_proxy= setting. Or not using that setting at all for tests of
the port 80 and port 443 traffic (which should be getting intercepted by
NAT).

>
> grep -v '#' squid.conf
> ...

NP: You are missing the default security rules to protect against DoS
and other nasty attacks.

> http_access allow localnet
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320

> http_port 3128

Above port is for forward-proxy / explicit-proxy traffic. Clients need to
be explicitly configured to send traffic here, or instructed to by
response URLs generated by this proxy.

You do not have 'ssl-bump' so any TLS/SSL/HTTPS traffic from these
clients will go through in CONNECT tunnels without inspection.

> http_port 3140 intercept

Above port is for NAT intercepted port 80 traffic. Clients are contacting
HTTP origin servers directly. There is no TLS/SSL/HTTPS traffic on this
port. Attempts by the client to Upgrade to non-HTTP protocols (including
HTTPS) will be ignored.

> https_port 3129 ssl-bump intercept generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem

Above port is for NAT intercepted port 443 traffic, with SSL-Bump'ing.
Clients are contacting HTTPS origin servers directly. There is no
plain-text HTTP traffic on this port. Attempts by the client to Upgrade
to non-HTTPS protocols (including HTTP) will be ignored.

on_unsupported_protocol determines what happens to non-TLS traffic
arriving at this port. Internet requirements are that traffic is
rejected, though abuse of port 443 for sneaking other things through this
port is so popular it may not always be possible.

> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
> -M 4MB
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> ssl_bump bump all
>

NP: SSL-Bump'ing operations are performed on all traffic without
knowledge of the server X.509 certificate details. This introduces
TLS/SSL errors and several classes of security vulnerability.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
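The "default security rules" Amos says are missing, shown as an added example around the three ports from the thread (this is not a config posted in the thread or shipped by the Squid project; the localnet subnet is an assumed placeholder, since the posted grep -v '#' output hides the acl lines that carry trailing comments):

```conf
# Added example squid.conf fragment: the stock access rules that the
# posted config lacks, placed ahead of the existing 'allow localnet'.
acl localnet src 192.168.10.0/24   # placeholder: use your real client subnet

acl SSL_ports port 443
acl Safe_ports port 80             # http
acl Safe_ports port 21             # ftp
acl Safe_ports port 443            # https
acl Safe_ports port 1025-65535     # unregistered ports
acl CONNECT method CONNECT

# Refuse requests to unsafe destination ports and CONNECT tunnels to
# anything but TLS ports (this is the DoS/abuse protection referred to).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager interface: local host only.
http_access allow localhost manager
http_access deny manager

# The rule the posted config already had, then the default final denial.
http_access allow localnet
http_access allow localhost
http_access deny all

# Port roles as described in the reply above. Only 3128 is ever named in
# a client's http_proxy setting; 3140 and 3129 receive NAT-redirected
# port 80 and port 443 traffic respectively and nothing else.
http_port 3128
http_port 3140 intercept
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
```

A wget test of the explicit port is then `http_proxy=http://192.168.10.215:3128 wget google.de`; tests of the intercept ports are run with no http_proxy set at all, so the traffic reaches Squid only through the NAT redirect.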