[squid-users] squid intercept config

Monah Baki monahbaki at gmail.com
Fri Mar 13 16:47:44 UTC 2015


#
# Recommended minimum configuration:
#

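# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed.
# NOTE(review): the access.log in this thread only shows clients in
# 10.0.0.0/8; the other entries are the stock defaults and can be trimmed
# to the networks that are really routed through this box.
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
# As posted, the trailing word "machines" had been wrapped onto a line of
# its own, where squid would reject it as an unknown directive; it belongs
# to this comment.
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# Destination ports CONNECT tunnels may be opened to
# (enforced by "http_access deny CONNECT !SSL_ports" below).
acl SSL_ports port 443
# Destination ports plain requests may be sent to; anything else is refused
# by "http_access deny !Safe_ports" below.  Intercepted traffic is always
# port 80, so these lists mainly govern the explicit proxy port 3128.
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
# Matches CONNECT requests (tunnels) so they can be restricted separately.
acl CONNECT method CONNECT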

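#
# Recommended minimum Access Permission configuration:
#
# http_access rules are evaluated top to bottom and the first match wins,
# so every deny below must stay ahead of "allow localnet".
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Refuse requests whose destination is the proxy host itself (the
# predefined to_localhost ACL: 127.0.0.0/8, ::1 and 0.0.0.0/8).  The stock
# comment already calls this strongly recommended, and it matters more on
# an intercepting proxy: any client behind the REDIRECT rule can otherwise
# ask the proxy to fetch from 127.0.0.1 and so reach services on this box
# that believe only local users can talk to them.  The posted config still
# had this line commented out.
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all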

# Squid normally listens to port 3128 (explicit/forward proxy port).
http_port 3128
# Interception port: the "*nat -A PREROUTING --dport 80 -j REDIRECT
# --to-ports 3129" rule quoted below delivers port-80 traffic here.
# Only REDIRECTed packets should ever reach it.  The quoted
# "*mangle -A PREROUTING --dport 3129 -j DROP" rule discards anything
# addressed to 3129 directly (mangle runs before nat, so redirected
# packets still carry dport 80 there and are unaffected); keep that guard
# if the firewall is reworked, as an exposed intercept port invites
# request forgery and forwarding loops.
http_port 3129 intercept

# Disk cache: ufs store under /usr/local/squid/var/cache/squid, 350000 MB,
# 16 first-level and 256 second-level directories.  (The stock "Uncomment
# and adjust" note no longer applies — the line is live.)
cache_dir ufs /usr/local/squid/var/cache/squid 350000 16 256


#
# Add any of your own refresh_pattern entries above these.
#
# Columns: regex, min age (minutes), percent-of-age, max age (minutes).
# The first matching pattern wins, so the catch-all "." must stay last.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
# Dynamic content (cgi-bin paths or a query string) is never treated as
# fresh; note that most of the URLs in the access.log below carry a "?".
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

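# --- connection handling -------------------------------------------------
half_closed_clients off     # close server side as soon as the client half-closes
quick_abort_min 0 KB        # when a client aborts, stop fetching immediately...
quick_abort_max 0 KB        # ...no matter how little is left to transfer
vary_ignore_expire on
reload_into_ims on          # turn client "no-cache" reloads into If-Modified-Since
memory_pools off

# --- cache sizing --------------------------------------------------------
cache_mem 4096 MB
visible_hostname isn-phc-cache
minimum_object_size 0 bytes
maximum_object_size 512 MB
# The posted config had a second "maximum_object_size 512 KB" line here.
# The later value wins, so the effective disk-cache ceiling was 512 KB and
# nothing larger could ever be stored — one reason for a MISS-heavy log.
# A 512 KB cap is what is normally intended for the in-memory cache, so
# the line has been changed to that directive — TODO confirm the intent.
maximum_object_size_in_memory 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
# NOTE(review): 98/100 lets the store fill completely before eviction
# becomes aggressive; the defaults are 90/95 and leave headroom.
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
logfile_rotate 10

# --- resolvers used by Squid itself ---------------------------------------
# For intercepted traffic, Squid (3.2 and later) checks that the Host
# header resolves to the IP the client actually connected to.  When it
# does not, the request is relayed to that original IP — logged as
# ORIGINAL_DST — and the reply is not cached, so that a client cannot
# poison the cache with a forged Host header.  Every entry in the
# access.log of this thread is ORIGINAL_DST, which is the usual outcome
# when clients resolve names through a different resolver than the one
# listed here (CDNs hand out different addresses per resolver).  Presumably
# that is the cause of the missing TCP_HITs — verify in cache.log, and
# point this at the resolver the clients use (or have them use this one).
dns_nameservers 8.8.8.8 41.78.211.30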




access.log:

1426267535.210    198 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.211    198 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.211    198 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.223    301 10.0.0.23 TCP_MISS/200 222 GET
http://rma-api.gravity.com/v1/beacons/log? - ORIGINAL_DST/80.239.148.18
text/html
1426267535.244    195 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.333    423 10.0.0.23 TCP_MISS/200 1420 GET
http://hpr.outbrain.com/utils/get? - ORIGINAL_DST/50.31.185.42 text/x-json
1426267535.345    412 10.0.0.23 TCP_MISS/200 11179 GET
http://p.visualrevenue.com/? - ORIGINAL_DST/50.31.185.40 text/javascript
1426267535.346    411 10.0.0.23 TCP_MISS/200 423 GET
http://t1.visualrevenue.com/? - ORIGINAL_DST/64.74.232.44 image/gif
1426267535.363    128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET
http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/js/vendor/jquery.ba-bbq.js
- ORIGINAL_DST/80.239.152.153 application/x-javascript
1426267535.381    193 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.406    189 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.408    190 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.408    191 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.418    200 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.437    188 10.0.0.23 TCP_MISS/200 431 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.464    128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET
http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/player/CNNAPIVideoPlayer.js
- ORIGINAL_DST/80.239.152.153 application/x-javascript
1426267535.494    128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET
http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/legacy/CNNVideoPlayer.js
- ORIGINAL_DST/80.239.152.153 application/x-javascript
1426267535.604    217 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.609    256 10.0.0.23 TCP_REFRESH_UNMODIFIED/200 41017 GET
http://cdn.gigya.com/js/gigya.js? - ORIGINAL_DST/80.239.148.17
text/javascript
1426267535.619    206 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.622    208 10.0.0.23 TCP_MISS/200 412 GET
http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227
image/gif
1426267535.696    129 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 312 GET
http://z.cdn.turner.com/cnn/.element/img/3.0/video/cnn_embedDefault.png -
ORIGINAL_DST/80.239.152.153 image/png
1426267536.071    656 10.0.0.23 TCP_MISS/302 849 GET
http://metrics.cnn.com/b/ss/cnn-adbp-domestic/1/H.26.1/s11300422861240? -
ORIGINAL_DST/66.235.141.144 text/plain
1426267536.075    257 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 348 GET
http://cdn.gigya.com/js/gigya.services.plugins.base.min.js? - ORIGINAL_DST/
80.239.148.17 text/javascript
1426267536.203    128 10.0.0.23 TCP_MISS/200 381 GET
http://b.scorecardresearch.com/r? - ORIGINAL_DST/80.239.148.16 image/gif
1426267536.570    393 10.0.0.23 TCP_MISS/304 338 GET
http://cdn3.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js
- ORIGINAL_DST/80.239.148.32 text/javascript
1426267536.746    125 10.0.0.23 TCP_MISS/304 340 GET
http://static.chartbeat.com/js/chartbeat.js - ORIGINAL_DST/23.67.1.243
application/x-javascript
1426267536.819    199 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 233 GET
http://data.cnn.com/jsonp/video/nowPlayingSchedule.json? - ORIGINAL_DST/
157.166.238.237 -
1426267536.942    260 10.0.0.23 TCP_MISS/200 677 GET
http://beacon.krxd.net/optout_check? - ORIGINAL_DST/176.34.190.30
text/javascript
1426267537.027    236 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? -
ORIGINAL_DST/199.16.156.11 image/gif
1426267537.146    362 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? -
ORIGINAL_DST/199.16.156.11 image/gif
1426267537.171    388 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? -
ORIGINAL_DST/199.16.156.11 image/gif
1426267537.230    432 10.0.0.23 TCP_MISS/302 481 GET
http://apiservices.krxd.net/um? - ORIGINAL_DST/54.243.83.18 text/html
1426267537.603    173 10.0.0.23 TCP_MISS/204 676 GET
http://beacon.krxd.net/pixel.gif? - ORIGINAL_DST/176.34.190.30 image/gif
1426267537.618    247 10.0.0.23 TCP_MISS/200 322 GET
http://ping.chartbeat.net/ping? - ORIGINAL_DST/54.235.85.218 image/gif
1426267537.892    388 10.0.0.23 TCP_MISS/200 68649 GET
http://z.cdn.turner.com/xslo/cvp/core/base/0/CVPBase.swf? - ORIGINAL_DST/
80.239.152.153 application/x-shockwave-flash
1426267538.024    130 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 329 GET
http://js.moatads.com/turner763610601596/moatad.js - ORIGINAL_DST/
80.239.148.9 application/x-javascript

On Fri, Mar 13, 2015 at 12:18 PM, Yuri Voinov <yvoinov at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> 13.03.15 21:58, Monah Baki пишет:
> > Hi All,
> >
> > Installed squid on CentOS 6.6 and it's working, but mY access.log
> > shows all TCP_MISS and no TCP_HIT. The following config:
> >
> > squid.conf
> > # Squid normally listens to port 3128
> > http_port 3128
> > http_port 3129 intercept
>
> And that's all????
>
> >
> >
> >
> > iptables
> >
> > # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> > *nat
> > :PREROUTING ACCEPT [10:2031]
> > :POSTROUTING ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
> > -A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
> > -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
> > -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> > -A POSTROUTING -j MASQUERADE
> > COMMIT
> > # Completed on Fri Mar 13 16:04:02 2015
> > # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [1818:649971]
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
> > -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > # Completed on Fri Mar 13 16:04:02 2015
> > # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> > *mangle
> > :PREROUTING ACCEPT [68:6199]
> > :INPUT ACCEPT [68:6199]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [26:3064]
> > :POSTROUTING ACCEPT [26:3064]
> > -A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
> > COMMIT
> > # Completed on Fri Mar 13 16:04:02 2015
> >
> >
> > Accessing sites, shows the IP address of the proxy 147.245.252.13.
> >
> > Am I missing something in IPTables that it is not caching?
> >
> >
> > Thanks Monah
> >
>

