[squid-users] squid intercept config

Monah Baki monahbaki at gmail.com
Thu Mar 5 14:03:28 UTC 2015


Sure, here it is, very simple


#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl snmpcheck snmp_community public

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

snmp_access allow snmpcheck localhost


# And finally deny all other access to this proxy
http_access deny all
snmp_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
snmp_port 3401

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /cache/squid/var/cache/squid 350000 16 256

# Leave coredumps in the first cache dir
coredump_dir /cache/squid/var/cache/squid

strip_query_terms off


#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
reload_into_ims on
memory_pools off
cache_mem 4096 MB
memory_cache_shared on
minimum_object_size 0 bytes
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
pipeline_prefetch on
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30


On Thu, Mar 5, 2015 at 8:54 AM, Yuri Voinov <yvoinov at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Looking good.
>
> Can I take look onto your squid.conf? Without comment lines and
> sensitive info?
>
> 05.03.15 19:51, Monah Baki пишет:
> > rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24
> > port 3129
> >
> > # block in pass in log quick on bge0 pass out log quick on bge0
> > pass out keep state
> >
> >
> > Thanks
> >
> > On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov <yvoinov at gmail.com>
> > wrote:
> >
> > Show complete pf.conf, please.
> >
> > 05.03.15 19:45, Monah Baki пишет:
> >>>> In my squid.conf
> >>>>
> >>>> http_port 3128 http_port 3129 intercept
> >>>>
> >>>> Thanks
> >>>>
> >>>> On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov
> >>>> <yvoinov at gmail.com> wrote:
> >>>>
> >>>> Squid access denied?
> >>>>
> >>>> Look at this:
> >>>>
> >>>> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to
> >>>> any
> >>>>>>>> port 80 -> 10.0.0.24 port 3129
> >>>>
> >>>> Which port configured in Squid as intercept?
> >>>>
> >>>> 3129?
> >>>>
> >>>> and 3128 is forwarding?
> >>>>
> >>>> 05.03.15 19:36, monahbaki at gmail.com пишет:
> >>>>>>> Yes that's what I followed and user is getting a
> >>>>>>> "access denied" from the squid when he tries
> >>>>>>> www.cnn.com
> >>>>>>>
> >>>>>>> Sent from my BlackBerry 10 smartphone on the Verizon
> >>>>>>> Wireless 4G LTE network. Original Message From: Yuri
> >>>>>>> Voinov Sent: Thursday, March 5, 2015 8:22 AM To:
> >>>>>>> squid-users at lists.squid-cache.org Subject: Re:
> >>>>>>> [squid-users] squid intercept config
> >>>>>>>
> >>>>>>>
> >>>>
> >
> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
> >>>>>>>
> >>>>>>>
> >>>>
> >>>>
> >
> >
> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
> >>>>>>>
> >>>>>>> 05.03.15 18:19, Monah Baki пишет:
> >>>>>>>> Hi all, can anyone verify if this is correct, need to
> >>>>>>>> make ure that users will be able to access the
> >>>>>>>> internet via the squid.
> >>>>>>>
> >>>>>>>> Running FreeBSD with a single interface with
> >>>>>>>> Squid-3.5.2
> >>>>>>>
> >>>>>>>> Policy based routing on Cisco with the following:
> >>>>>>>
> >>>>>>>
> >>>>>>>> interface GigabitEthernet0/0/1.1
> >>>>>>>
> >>>>>>>> encapsulation dot1Q 1 native
> >>>>>>>
> >>>>>>>> ip address 10.0.0.9 255.255.255.0
> >>>>>>>
> >>>>>>>> no ip redirects
> >>>>>>>
> >>>>>>>> no ip unreachables
> >>>>>>>
> >>>>>>>> ip nat inside
> >>>>>>>
> >>>>>>>> standby 1 ip 10.0.0.10
> >>>>>>>
> >>>>>>>> standby 1 priority 120
> >>>>>>>
> >>>>>>>> standby 1 preempt
> >>>>>>>
> >>>>>>>> standby 1 name HSRP
> >>>>>>>
> >>>>>>>> ip policy route-map CFLOW
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> ip access-list extended REDIRECT
> >>>>>>>
> >>>>>>>> deny tcp host 10.0.0.24 any eq www
> >>>>>>>
> >>>>>>>> permit tcp host 10.0.0.23 any eq www
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> route-map CFLOW permit 10
> >>>>>>>
> >>>>>>>> match ip address REDIRECT set ip next-hop 10.0.0.24
> >>>>>>>
> >>>>>>>> In my /etc/pf.conf rdr pass inet proto tcp from
> >>>>>>>> 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> >>>>>>>
> >>>>>>>> # block in pass in log quick on bge0 pass out log
> >>>>>>>> quick on bge0 pass out keep state
> >>>>>>>
> >>>>>>>> and finally in my squid.conf: http_port 3128
> >>>>>>>> http_port 3129 intercept
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> And for testing purposes from the squid server:
> >>>>>>>> ./squidclient -h 10.0.0.24 -p 3128
> >>>>>>>> http://www.freebsd.org/
> >>>>>>>
> >>>>>>>> If I replace -p 3128 with -p 80, I get a access
> >>>>>>>> denied, and if I omit the -p 3128 completely, I can
> >>>>>>>> access the websites.
> >>>>>>>
> >>>>>>>> tcpdump with (-p 3128)
> >>>>>>>
> >>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 >
> >>>>>>>> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win
> >>>>>>>> 1018, options [nop,nop,TS val 985588797 ecr
> >>>>>>>> 1054387720], length 0 13:15:02.681421 IP
> >>>>>>>> wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017:
> >>>>>>>> Flags [.], seq 17377:18825, ack 289, win 1040,
> >>>>>>>> options [nop,nop,TS val 1054387720 ecr 985588501],
> >>>>>>>> length 1448 13:15:02.681575 IP
> >>>>>>>> wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017:
> >>>>>>>> Flags [.], seq 18825:20273, ack 289, win 1040,
> >>>>>>>> options [nop,nop,TS val 1054387720 ecr 985588501],
> >>>>>>>> length 1448
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> Did I miss anything?
> >>>>>>>
> >>>>>>>> Thanks Monah
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> squid-users mailing list
> >>>>>>>> squid-users at lists.squid-cache.org
> >>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> squid-users mailing list
> >>>>>>> squid-users at lists.squid-cache.org
> >>>>>>> http://lists.squid-cache.org/listinfo/squid-users
> >>>>>>>
> >>>>>
> >>>>
> >>
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBAgAGBQJU+GAUAAoJENNXIZxhPexGCrkH/11tb2r+PvgODC7XyDfA1WUE
> zyHTj3ZJ3HU+i9cpGZ8d/n+xWv6R09y+opC6WG0KVNlKIpqzNBSBjp4xKuMB1mAh
> M83J38n8Mm38AoOKtNmFq4jipsEkWCo4m/PAWu0h0rRty9HGB+CV8ZSSAQyl4TJg
> FY7vembnCRxJT6lDwE5QSWDxeCZUOEPNakonBblvQ6cAcUnhjOHpTVSICBkraNA+
> u8jcS1mHST9d64YzVrssGSd1yrVKEVHJPylyXiftGi9hEwhKWivmv2fsJ6LgRMlM
> 7cXtnxPPiLe0/C4uwnLVdTSJGO6njZ61r8LRHaOT5qrM32aZbqZzDyG2yrXopXk=
> =n7R1
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150305/9ebc3af8/attachment-0001.html>
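An added worked example, not Squid's code and not part of the message above: a small first-match evaluator for the http_access rules in the posted squid.conf. It embeds the access-control lines as posted and models only the ACL types they use, with assumed equivalents of Squid's built-in all/localhost/to_localhost/manager ACLs. Evaluated in the posted order, the rule "http_access allow manager" (the one without the localhost restriction) lets any client reach the cache manager, and the commented-out "http_access deny to_localhost" leaves services bound to 127.0.0.1 on the proxy reachable from localnet. The HARDENED_CONF variant built inside the block removes the unrestricted line and uncomments the denial so the two orders can be compared. Client and origin addresses in the usage are constructed.

```python
"""Minimal first-match evaluator for Squid http_access rules (added example,
not Squid code). It supports only the ACL types the posted squid.conf uses
(src, dst, port, method, url_regex) plus the ACLs Squid 3.x defines built-in,
enough to see which client can reach what under a given rule order."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed equivalents of Squid's built-in ACLs (the real ones live inside Squid).
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "to_localhost": ("dst", ["127.0.0.0/8", "0.0.0.0/32", "::1/128"]),
    "manager": ("url_regex", ["(?i)^cache_object://", "/squid-internal-mgr/"]),
}

# Access-control lines of the squid.conf posted above, trimmed to that subset.
POSTED_CONF = """
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access allow manager
http_access deny manager
#http_access deny to_localhost
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Same rules with the unrestricted "allow manager" line removed and the
# to_localhost denial uncommented (hardened variant built here for comparison).
HARDENED_CONF = POSTED_CONF.replace("http_access allow manager\n", "").replace(
    "#http_access deny to_localhost", "http_access deny to_localhost")

@dataclass
class Request:
    src: str      # client address
    method: str
    url: str      # absolute URL, or host:port for CONNECT
    dst: str      # resolved origin address (what to_localhost looks at)

def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is the
    ordered list of (action, [(negated, aclname), ...]) from http_access."""
    acls = {k: (t, list(v)) for k, (t, v) in BUILTIN_ACLS.items()}
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()       # comments stripped
        if not words:
            continue
        if words[0] == "acl":
            name, typ, values = words[1], words[2], [w for w in words[3:] if w != "-i"]
            if typ == "url_regex" and "-i" in words:
                values = ["(?i)" + v for v in values]
            if name in acls and acls[name][0] != typ:
                raise ValueError(f"ACL {name} redefined with a different type")
            acls.setdefault(name, (typ, []))[1].extend(values)   # values accumulate
        elif words[0] == "http_access":
            rules.append((words[1], [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))
    return acls, rules

def request_port(req):
    """Destination port as Squid's port ACL sees it."""
    if req.method.upper() == "CONNECT":
        return int(req.url.rsplit(":", 1)[1])
    m = re.match(r"^([a-z][a-z0-9_+.-]*)://[^/:?#]+(?::(\d+))?", req.url, re.I)
    if not m:
        raise ValueError("expected an absolute URL: " + req.url)
    if m.group(2):
        return int(m.group(2))
    return {"https": 443, "ftp": 21, "gopher": 70}.get(m.group(1).lower(), 80)

def acl_matches(acls, name, req):
    if name not in acls:
        raise KeyError(f"undefined ACL {name} (Squid refuses to start)")
    typ, values = acls[name]
    if typ in ("src", "dst"):
        ip = ipaddress.ip_address(req.src if typ == "src" else req.dst)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "port":
        port = request_port(req)
        return any(int(lo) <= port <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if typ == "method":
        return req.method.upper() in {v.upper() for v in values}
    if typ == "url_regex":
        return any(re.search(v, req.url) for v in values)
    raise NotImplementedError(typ)

def decide(conf_text, req):
    """First matching http_access line wins (all ACLs on the line must match);
    if nothing matches, Squid applies the opposite of the last line's action."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, n, req) != neg for neg, n in terms):
            return action, " ".join(("!" if neg else "") + n for neg, n in terms)
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "(implicit default)"

if __name__ == "__main__":
    lan = "192.168.1.5"                     # constructed LAN client
    mgr = Request(lan, "GET", "http://10.0.0.24:3128/squid-internal-mgr/info", "10.0.0.24")
    print("posted  :", decide(POSTED_CONF, mgr))     # ('allow', 'manager')
    print("hardened:", decide(HARDENED_CONF, mgr))   # ('deny', 'manager')
```

Because Squid stops at the first matching line, "http_access allow manager localhost" followed by "http_access allow manager" makes the later "deny manager" unreachable for every client; dropping the middle line restores the intended localhost-only access. The evaluator is two-pass in effect (all acl lines are read before any decision), while Squid itself only accepts a reference to an ACL defined earlier in the file or built in, which is why the late "acl manager url_regex" line in the posted file works at all.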

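A second added example, again not code from the router, pf or Squid: the REDIRECT access-list, route-map CFLOW and the pf rdr rule quoted in the thread, expressed as plain Python so a connection's path can be traced hop by hop. The "deny tcp host 10.0.0.24 any eq www" entry is what keeps the proxy's own upstream fetches from being policy-routed back to itself; the block also carries a constructed wildcard permit without that exemption to show the forwarding loop that results. The origin address 198.51.100.7 is a placeholder.

```python
"""Path model for the Cisco policy-routing + FreeBSD pf interception in the
thread (added example, not the devices' code). It encodes the posted REDIRECT
access-list, route-map CFLOW and pf rdr rule as plain Python so a connection's
route can be traced, including the forwarding loop the deny entry prevents."""
import ipaddress
from dataclasses import dataclass

PROXY = "10.0.0.24"            # Squid host, from the posted config
INTERCEPT_PORT = 3129          # http_port 3129 intercept

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# ip access-list extended REDIRECT, as posted (first match wins, implicit deny):
#   deny   tcp host 10.0.0.24 any eq www
#   permit tcp host 10.0.0.23 any eq www
REDIRECT_ACL = [
    ("deny", "10.0.0.24/32", 80),
    ("permit", "10.0.0.23/32", 80),
]

# Constructed variant: a wildcard permit with no deny line for the proxy,
# i.e. "permit tcp 10.0.0.0 0.255.255.255 any eq www" on its own.
WILDCARD_ACL = [("permit", "10.0.0.0/8", 80)]

def policy_routes(acl, pkt):
    """True when route-map CFLOW would set next-hop to the proxy for pkt."""
    src = ipaddress.ip_address(pkt.src)
    for action, net, port in acl:
        if src in ipaddress.ip_network(net) and pkt.dport == port:
            return action == "permit"
    return False                       # implicit deny: normal routing

# rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
RDR_FROM = ipaddress.ip_network("10.0.0.0/8")

def pf_rdr(pkt):
    """Destination pf presents to the local stack after the rdr rule."""
    if ipaddress.ip_address(pkt.src) in RDR_FROM and pkt.dport == 80:
        return PROXY, INTERCEPT_PORT
    return pkt.dst, pkt.dport

def trace(pkt, acl=REDIRECT_ACL, max_redirects=3):
    """Follow a connection attempt through the router and the proxy host.
    Returns (status, hops) with status one of direct, proxied, dropped, loop."""
    hops, redirects = [], 0
    while True:
        if not policy_routes(acl, pkt):
            hops.append(f"router: {pkt.src} -> {pkt.dst}:{pkt.dport} routed normally")
            return ("proxied" if redirects else "direct"), hops
        redirects += 1
        hops.append(f"router: {pkt.src} -> {pkt.dst}:{pkt.dport} policy-routed to {PROXY}")
        dst, dport = pf_rdr(pkt)
        if (dst, dport) != (PROXY, INTERCEPT_PORT):
            # PBR delivered it to the proxy host but pf did not claim it,
            # so no local socket receives the connection.
            hops.append(f"proxy host: no rdr for {dst}:{dport}, connection fails")
            return "dropped", hops
        hops.append(f"proxy host: pf rdr -> squid intercept {dst}:{dport}")
        if redirects > max_redirects:
            return "loop", hops
        # Squid accepts the intercepted connection and fetches the origin itself,
        # so the next packet to route is the proxy's own SYN to the same dst:port.
        pkt = Packet(PROXY, pkt.dst, pkt.dport)

if __name__ == "__main__":
    origin = "198.51.100.7"          # constructed origin server address
    for p in (Packet("10.0.0.23", origin, 80), Packet("10.0.0.24", origin, 80)):
        status, hops = trace(p)
        print(status, *hops, sep="\n  ")
    print(trace(Packet("10.0.0.23", origin, 80), acl=WILDCARD_ACL)[0])   # loop
```

Two things the trace makes visible: the access-list only redirects 10.0.0.23, so every other 10/8 host still goes direct even though the pf rule would accept it, and pf and the route-map have to agree on ports, since anything PBR sends to the proxy that pf does not rdr has no listener.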
