[squid-users] squid intercept config
Yuri Voinov
yvoinov at gmail.com
Thu Mar 5 13:44:01 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Squid access denied?
Look at this:
In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to any
>> port 80 -> 10.0.0.24 port 3129
Which port configured in Squid as intercept?
3129?
and 3128 is forwarding?
05.03.15 19:36, monahbaki at gmail.com пишет:
> Yes that's what I followed and user is getting a "access denied"
> from the squid when he tries www.cnn.com
>
> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G
> LTE network. Original Message From: Yuri Voinov Sent: Thursday,
> March 5, 2015 8:22 AM To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid intercept config
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>
>
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>
> 05.03.15 18:19, Monah Baki пишет:
>> Hi all, can anyone verify if this is correct, need to make ure
>> that users will be able to access the internet via the squid.
>
>> Running FreeBSD with a single interface with Squid-3.5.2
>
>> Policy based routing on Cisco with the following:
>
>
>> interface GigabitEthernet0/0/1.1
>
>> encapsulation dot1Q 1 native
>
>> ip address 10.0.0.9 255.255.255.0
>
>> no ip redirects
>
>> no ip unreachables
>
>> ip nat inside
>
>> standby 1 ip 10.0.0.10
>
>> standby 1 priority 120
>
>> standby 1 preempt
>
>> standby 1 name HSRP
>
>> ip policy route-map CFLOW
>
>
>
>> ip access-list extended REDIRECT
>
>> deny tcp host 10.0.0.24 any eq www
>
>> permit tcp host 10.0.0.23 any eq www
>
>
>
>> route-map CFLOW permit 10
>
>> match ip address REDIRECT set ip next-hop 10.0.0.24
>
>> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to
>> any port 80 -> 10.0.0.24 port 3129
>
>> # block in pass in log quick on bge0 pass out log quick on bge0
>> pass out keep state
>
>> and finally in my squid.conf: http_port 3128 http_port 3129
>> intercept
>
>
>
>> And for testing purposes from the squid server: ./squidclient -h
>> 10.0.0.24 -p 3128 http://www.freebsd.org/
>
>> If I replace -p 3128 with -p 80, I get a access denied, and if I
>> omit the -p 3128 completely, I can access the websites.
>
>> tcpdump with (-p 3128)
>
>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 >
>> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018,
>> options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http >
>> ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win
>> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length
>> 1448 13:15:02.681575 IP wfe0.ysv.freebsd.org.http >
>> ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win
>> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length
>> 1448
>
>
>
>> Did I miss anything?
>
>> Thanks Monah
>
>
>
>> _______________________________________________ squid-users
>> mailing list squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________ squid-users mailing
> list squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJU+F2gAAoJENNXIZxhPexGivEH/jh0uoMFUNiqROuSVfnCbd4F
pzcgm//4M3CRFCCGYT+u7VA14Uw5EPz/3vIiOQZFWrZLt9zZdtIlHqPA0ucBi5U5
cfHwlOhAXWMihM0gUYCATWit6c+cY9bvFS9wHzav9RJK8aRFWGczBhPLfFMGV8/y
WTgnCh3ViR3ZjilLhM3MB1nd4pNzn01BM9X3rteGu5d1zh6hznyEIqMAzUXFcBeF
cnsWPnXkhU/r13X7zk0K6nF9tSaSIvbYJQaTWRl5DvkYVwQgCcPUwQ5yleWh70Ex
MycgylzjEqCAO4rqpYwV/v8/meb8+QzgK3e1KFRXDz91/zUz8LGO0ns7LzhAKFM=
=ZRtj
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list