[squid-users] squid intercept config

Yuri Voinov yvoinov at gmail.com
Thu Mar 5 13:54:29 UTC 2015



Looking good.

Can I take a look at your squid.conf? Without comment lines and
sensitive info?

05.03.15 19:51, Monah Baki wrote:
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> 
> # block in
> pass in log quick on bge0
> pass out log quick on bge0
> pass out keep state
> 
> 
> Thanks
> 
> On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov <yvoinov at gmail.com>
> wrote:
> 
> Show complete pf.conf, please.
> 
> 05.03.15 19:45, Monah Baki wrote:
>>>> In my squid.conf
>>>> 
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>> 
>>>> Thanks
>>>> 
>>>> On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov
>>>> <yvoinov at gmail.com> wrote:
>>>> 
>>>> Squid access denied?
>>>> 
>>>> Look at this:
>>>> 
>>>> In my /etc/pf.conf
>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>> 
>>>> Which port configured in Squid as intercept?
>>>> 
>>>> 3129?
>>>> 
>>>> and 3128 is forwarding?
>>>> 
>>>> 05.03.15 19:36, monahbaki at gmail.com wrote:
>>>>>>> Yes that's what I followed and user is getting an
>>>>>>> "access denied" from the squid when he tries
>>>>>>> www.cnn.com
>>>>>>> 
>>>>>>> Original Message
>>>>>>> From: Yuri Voinov
>>>>>>> Sent: Thursday, March 5, 2015 8:22 AM
>>>>>>> To: squid-users at lists.squid-cache.org
>>>>>>> Subject: Re: [squid-users] squid intercept config
>>>>>>> 
>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>>>>>>> 
>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>>>>>> 
>>>>>>> 05.03.15 18:19, Monah Baki wrote:
>>>>>>>> Hi all, can anyone verify if this is correct, need to
>>>>>>>> make sure that users will be able to access the
>>>>>>>> internet via the squid.
>>>>>>> 
>>>>>>>> Running FreeBSD with a single interface with
>>>>>>>> Squid-3.5.2
>>>>>>> 
>>>>>>>> Policy based routing on Cisco with the following:
>>>>>>>> 
>>>>>>>> interface GigabitEthernet0/0/1.1
>>>>>>>> encapsulation dot1Q 1 native
>>>>>>>> ip address 10.0.0.9 255.255.255.0
>>>>>>>> no ip redirects
>>>>>>>> no ip unreachables
>>>>>>>> ip nat inside
>>>>>>>> standby 1 ip 10.0.0.10
>>>>>>>> standby 1 priority 120
>>>>>>>> standby 1 preempt
>>>>>>>> standby 1 name HSRP
>>>>>>>> ip policy route-map CFLOW
>>>>>>>> 
>>>>>>>> ip access-list extended REDIRECT
>>>>>>>> deny tcp host 10.0.0.24 any eq www
>>>>>>>> permit tcp host 10.0.0.23 any eq www
>>>>>>>> 
>>>>>>>> route-map CFLOW permit 10
>>>>>>>> match ip address REDIRECT
>>>>>>>> set ip next-hop 10.0.0.24
>>>>>>>> 
>>>>>>>> In my /etc/pf.conf
>>>>>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>>>>> # block in
>>>>>>>> pass in log quick on bge0
>>>>>>>> pass out log quick on bge0
>>>>>>>> pass out keep state
>>>>>>>> 
>>>>>>>> and finally in my squid.conf:
>>>>>>>> http_port 3128
>>>>>>>> http_port 3129 intercept
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> And for testing purposes from the squid server:
>>>>>>>> ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>>>>> 
>>>>>>>> If I replace -p 3128 with -p 80, I get an access
>>>>>>>> denied, and if I omit the -p 3128 completely, I can
>>>>>>>> access the websites.
>>>>>>> 
>>>>>>>> tcpdump with (-p 3128)
>>>>>>>> 
>>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>>>>>>>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>>> 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> Did I miss anything?
>>>>>>> 
>>>>>>>> Thanks Monah
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> _______________________________________________ 
>>>>>>>> squid-users mailing list
>>>>>>>> squid-users at lists.squid-cache.org 
>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>> 
>>>> 
>> 
> 
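A small added consistency check (my own example, not code from the thread or from the Squid project) that pairs the pf rdr rule with Squid's http_port lines, so the port pf redirects to is one declared with `intercept` and every intercept port actually has a redirect feeding it; the constructed input is the pf.conf and squid.conf fragments posted above.

```python
import re

# Constructed sample input: the pf.conf and squid.conf fragments posted in the thread.
PF_CONF = """
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state
"""
SQUID_CONF = """
http_port 3128
http_port 3129 intercept
"""

# rdr ... proto tcp ... port <src> -> <target> port <dst>
RDR_RE = re.compile(
    r"^rdr\b.*\bproto\s+tcp\b.*\bport\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)", re.M)
# http_port [addr:]<port> [options...]  (options must stay on the same line)
HTTP_PORT_RE = re.compile(r"^http_port[ \t]+(?:\S*?:)?(\d+)((?:[ \t]+\S+)*)", re.M)

def squid_ports(squid_conf):
    """Map each http_port number to the set of options declared on it."""
    return {int(m.group(1)): set(m.group(2).split())
            for m in HTTP_PORT_RE.finditer(squid_conf)}

def check_intercept(pf_conf, squid_conf):
    """Pair pf rdr rules with Squid http_port lines; return a list of mismatches."""
    ports = squid_ports(squid_conf)
    rules = RDR_RE.findall(pf_conf)
    problems = []
    if not rules:
        problems.append("no tcp rdr rule found in pf.conf")
    for src_port, target, dst_port in rules:
        dst = int(dst_port)
        if dst not in ports:
            problems.append(f"rdr sends port {src_port} to {target}:{dst} but squid has no http_port {dst}")
        elif "intercept" not in ports[dst]:
            # NAT-redirected traffic landing on a plain forward-proxy port is the classic mistake.
            problems.append(f"http_port {dst} receives rdr traffic but lacks 'intercept'")
    for port, opts in ports.items():
        if "intercept" in opts and not any(int(r[2]) == port for r in rules):
            problems.append(f"http_port {port} intercept has no pf rdr rule pointing at it")
    return problems

if __name__ == "__main__":
    print(check_intercept(PF_CONF, SQUID_CONF) or "pf rdr and squid http_port lines agree")
```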