[squid-users] squid intercept config

Monah Baki monahbaki at gmail.com
Thu Mar 5 14:15:51 UTC 2015


 '--prefix=/cache/squid' '--enable-follow-x-forwarded-for'
'--with-large-files' '--enable-ssl' '--disable-ipv6' '--enable-esi'
'--enable-kill-parent-hack' '--enable-snmp' '--with-pthreads'
'--with-filedescriptors=65535' '--enable-cachemgr-hostname=hostname'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-ipfw-transparent'
'--enable-pf-transparent' '--with-nat-devpf' --enable-ltdl-convenience




On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov <yvoinov at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This looking good too.
>
> Stupid question:
>
> With witch interception option squid builed?
>
> I.e, squid -v?
>
> 05.03.15 18:19, Monah Baki пишет:
> > Hi all, can anyone verify if this is correct, need to make ure that
> > users will be able to access the internet via the squid.
> >
> > Running FreeBSD with a single interface with Squid-3.5.2
> >
> > Policy based routing on Cisco with the following:
> >
> >
> > interface GigabitEthernet0/0/1.1
> >
> > encapsulation dot1Q 1 native
> >
> > ip address 10.0.0.9 255.255.255.0
> >
> > no ip redirects
> >
> > no ip unreachables
> >
> > ip nat inside
> >
> > standby 1 ip 10.0.0.10
> >
> > standby 1 priority 120
> >
> > standby 1 preempt
> >
> > standby 1 name HSRP
> >
> > ip policy route-map CFLOW
> >
> >
> >
> > ip access-list extended REDIRECT
> >
> > deny   tcp host 10.0.0.24 any eq www
> >
> > permit tcp host 10.0.0.23 any eq www
> >
> >
> >
> > route-map CFLOW permit 10
> >
> > match ip address REDIRECT set ip next-hop 10.0.0.24
> >
> > In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to any
> > port 80 -> 10.0.0.24 port 3129
> >
> > # block in pass in log quick on bge0 pass out log quick on bge0
> > pass out keep state
> >
> > and finally in my squid.conf: http_port 3128 http_port 3129
> > intercept
> >
> >
> >
> > And for testing purposes from the squid server: ./squidclient -h
> > 10.0.0.24 -p 3128 http://www.freebsd.org/
> >
> > If I replace -p 3128 with -p 80, I get a access denied, and if I
> > omit the -p 3128 completely, I can access the websites.
> >
> > tcpdump with (-p 3128)
> >
> > 13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http:
> > Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797
> > ecr 1054387720], length 0 13:15:02.681421 IP
> > wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq
> > 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720
> > ecr 985588501], length 1448 13:15:02.681575 IP
> > wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq
> > 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720
> > ecr 985588501], length 1448
> >
> >
> >
> > Did I miss anything?
> >
> > Thanks Monah
> >
> >
> >
> > _______________________________________________ squid-users mailing
> > list squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBAgAGBQJU+GS+AAoJENNXIZxhPexGb+8H/R/S58piXzwHUnfmDWEiBD1H
> 8qID7tliv+MaY2AEGKwr/vCU5d6z2wknXGL/kTk5QV+O4fvdVW9iftSDLfu+jL4F
> FKXn38yT+ALUiKeb3239Pd16Z1c/sdhjELDuY6zN7EmQ1Bhw2hW+48UUFptASNJ4
> RDAGrKhhwj5l5j8TFn9U25PKgAr7+W4PWgVcQiYW+sYaKTjmr5YYBhOkH7zLIB3G
> ZRYb6pJFzLzDTX3NSrwVip1i1k4yRtxVvVjkoEkG042f+q8hX4CI4hGC7NloIuoa
> qTIGXVJTzD912p9UBsBJsDgG/tyb/MlTrC0SWcrDOp2SZcfo29bNExSYxeQATQI=
> =MZ5a
> -----END PGP SIGNATURE-----
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150305/01e45b9b/attachment.html>


More information about the squid-users mailing list