[squid-users] squid intercept config

Monah Baki monahbaki at gmail.com
Sat Mar 7 12:09:57 UTC 2015


Forgot to paste my test.

Basically from my squid server:
root at ISN-PHC-CACHE:/cache/squid/bin # ./squidclient -h www.cnn.com -H 'Host: www.cnn.com\n' -p 80
HTTP/1.1 302 Found
Server: Varnish
Retry-After: 0
Content-Length: 0
Location: http://edition.cnn.com80
Accept-Ranges: bytes
Date: Sat, 07 Mar 2015 12:08:21 GMT
Via: 1.1 varnish
Connection: close
X-Served-By: cache-lhr6328-LHR
X-Cache: MISS
X-Cache-Hits: 0


Thanks
Monah

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 6/03/2015 1:19 a.m., Monah Baki wrote:
> > Hi all, can anyone verify if this is correct, need to make sure that users
> > will be able to access the internet via the squid.
> >
> > Running FreeBSD with a single interface with Squid-3.5.2
> >
> > Policy based routing on Cisco with the following:
> >
> >
> > interface GigabitEthernet0/0/1.1
> >  encapsulation dot1Q 1 native
> >  ip address 10.0.0.9 255.255.255.0
> >  no ip redirects
> >  no ip unreachables
> >  ip nat inside
> >  standby 1 ip 10.0.0.10
> >  standby 1 priority 120
> >  standby 1 preempt
> >  standby 1 name HSRP
> >  ip policy route-map CFLOW
> >
> > ip access-list extended REDIRECT
> >  deny   tcp host 10.0.0.24 any eq www
> >  permit tcp host 10.0.0.23 any eq www
> >
> > route-map CFLOW permit 10
> >  match ip address REDIRECT
> >  set ip next-hop 10.0.0.24
> >
> > In my /etc/pf.conf
> > rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> >
> > # block in
> > pass in log quick on bge0
> > pass out log quick on bge0
> > pass out keep state
> >
> > and finally in my squid.conf:
> > http_port 3128
> > http_port 3129 intercept
> >
> >
> >
> > And for testing purposes from the squid server:
> >  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
> >
> > If I replace -p 3128 with -p 80, I get a access denied, and if I omit the
> > -p 3128 completely, I can access the websites.
>
> If you omit the -p entirely squidclient assumes "-p 3128" (the proxy
> default listening port), so it works exactly the same as if you had used
> -p 3128 explicitly.
>
> If you use -p 80 you also need to change the other parameters so they
> generate a port-80 syntax message:
>  - the -h with IP or hostname of the remote web server, and
>  - the URL parameters being a relative URL, and
>  - the -j parameter with Host: header domain name of the server
> ...
>  eg.
>  squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /
>
> NP: if your squidclient is too old to support -j, use this instead:
>   -H 'Host: www.freebsd.org\n'
>
>  ** this test should work from the squid box without having gone through
> the proxy. Only from the client machine should it work *with* NAT
> passing it through the proxy.
>
>
>
> Using a proxy syntax message sent directly to the proxy receiving port,
> or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a
> guaranteed forwarding loop failure.
>
>
> That doesn't fix your clients issue, but hopefully makes it clear that
> the above described test is broken enough to prevent you identifying when
> the client issue is fixed if that happens on some change.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
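The forward-proxy versus port-80 (intercept) request shapes that Amos describes, modelled as an added Python example; this is not code from the thread, from squidclient or from Squid. It assumes the addresses and ports posted above (Squid on 10.0.0.24, http_port 3128 for proxy syntax, http_port 3129 intercept as the target of the pf rdr rule for port 80) and reduces Squid's behaviour to two rules made up for the example: a listener only accepts the request form it is meant for, and intercepted traffic whose original destination is the proxy's own port 80 is NAT'ed straight back to Squid. The hostnames and URLs are the ones used in the tests above.

```python
# Added example: a small Python model of the two HTTP request shapes
# squidclient can emit and of which Squid listener each belongs on.
# Not squidclient or Squid code. Addresses and ports are the ones from
# the thread; the mismatch/loop rules are an assumption that simplifies
# Squid's real handling, used here only to reason about the tests.
from urllib.parse import urlsplit

SQUID_IP = "10.0.0.24"   # proxy host (pf rdr target, Cisco next-hop)
PROXY_PORT = 3128        # http_port 3128            (forward-proxy syntax)
INTERCEPT_PORT = 3129    # http_port 3129 intercept  (NAT'ed port-80 traffic)


def build_request(url, proxy_syntax):
    """Raw request squidclient sends for URL.

    proxy_syntax=True : absolute-URI request line, what '-p 3128 http://host/' sends.
    proxy_syntax=False: origin-form request line plus Host header, what
                        '-h host -j host -p 80 /' sends to the real server.
    """
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 80
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    host_hdr = host if port == 80 else f"{host}:{port}"
    target = url if proxy_syntax else path
    return (f"GET {target} HTTP/1.1\r\n"
            f"Host: {host_hdr}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_request(raw):
    """Split a raw request into (method, request-target, lower-cased header dict)."""
    head = raw.decode("ascii").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def request_form(raw):
    """'proxy' for an absolute-URI request line, 'origin' for a path-only one."""
    _, target, _ = parse_request(raw)
    if target.startswith(("http://", "https://")):
        return "proxy"
    if target.startswith("/"):
        return "origin"
    raise ValueError(f"unexpected request-target {target!r}")


def listener_for_port(dst_port):
    """Squid listener a client's TCP connection lands on: the pf rule
    'rdr ... to any port 80 -> 10.0.0.24 port 3129' maps 80 to the intercept
    port; 3128/3129 are reached directly; anything else never touches Squid."""
    if dst_port == 80:
        return INTERCEPT_PORT
    if dst_port in (PROXY_PORT, INTERCEPT_PORT):
        return dst_port
    return None


def check_client_test(raw, dst_host, dst_port):
    """Verdict for a request that a *client* (not the Squid box) sends to dst_host:dst_port."""
    listener = listener_for_port(dst_port)
    if listener is None:
        return "not proxied"
    form = request_form(raw)
    if listener == PROXY_PORT and form != "proxy":
        return "mismatch: origin-form request on forward-proxy port 3128"
    if listener == INTERCEPT_PORT and form != "origin":
        return "mismatch: proxy-form request on intercept port 3129"
    # Intercepted traffic is forwarded to its original destination; if that
    # destination is the proxy's own port 80 the rdr rule sends it back to Squid.
    if listener == INTERCEPT_PORT and dst_host == SQUID_IP:
        return "loop: intercepted request addressed to the proxy itself"
    return "ok"


if __name__ == "__main__":
    url = "http://www.freebsd.org/"
    proxy_req = build_request(url, proxy_syntax=True)
    origin_req = build_request(url, proxy_syntax=False)
    print(proxy_req.decode(), check_client_test(proxy_req, SQUID_IP, 3128))
    print(origin_req.decode(), check_client_test(origin_req, "www.freebsd.org", 80))
    print(check_client_test(proxy_req, SQUID_IP, 80))   # the '-p 80' test from the post
    print(check_client_test(origin_req, SQUID_IP, 80))  # proxy as the port-80 destination
```

Run it as a script to see the two request messages side by side: the proxy-syntax message carries the full URL in the request line and is only right on 3128, while the origin-form message carries a path plus Host header and is what the intercept port expects after the NAT. The last two calls reproduce the two broken tests from the thread in the model: proxy syntax delivered to port 80 lands on the intercept listener with the wrong request form, and origin syntax aimed at the proxy's own address on port 80 is redirected back into Squid.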

