<div dir="ltr">Sure, here it is, very simple<br><br><div><br>#<br># Recommended minimum configuration:<br>#<br><br># Example rule allowing access from your local networks.<br># Adapt to list your (internal) IP networks from where browsing<br># should be allowed<br>acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a> # RFC1918 possible internal network<br>acl localnet src <a href="http://172.16.0.0/12">172.16.0.0/12</a> # RFC1918 possible internal network<br>acl localnet src <a href="http://192.168.0.0/16">192.168.0.0/16</a> # RFC1918 possible internal network<br>acl localnet src fc00::/7 # RFC 4193 local private network range<br>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br>acl snmpcheck snmp_community public<br><br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl CONNECT method CONNECT<br><br>#<br># Recommended minimum Access Permission configuration:<br>#<br># Deny requests to certain unsafe ports<br>http_access deny !Safe_ports<br><br># Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br><br># Only allow cachemgr access from localhost<br>http_access allow manager localhost<br>http_access allow manager<br>http_access deny manager<br><br># We strongly recommend the following be uncommented to protect innocent<br># web applications running on the proxy server who think the only<br># one who can access services on "localhost" is a local user<br>#http_access deny to_localhost<br><br>#<br># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>#<br>acl manager url_regex -i ^cache_object:// /squid-internal-mgr/<br><br># Example rule allowing access from your local networks.<br># Adapt localnet in the ACL section to list your (internal) IP networks<br># from where browsing should be allowed<br>http_access allow localnet<br>http_access allow localhost<br><br>snmp_access allow snmpcheck localhost<br><br><br># And finally deny all other access to this proxy<br>http_access deny all<br>snmp_access deny all<br><br># Squid normally listens to port 3128<br>http_port 3128<br>http_port 3129 intercept<br>snmp_port 3401<br><br># Uncomment and adjust the following to add a disk cache directory.<br>cache_dir ufs /cache/squid/var/cache/squid 350000 16 256<br><br># Leave coredumps in the first cache dir<br>coredump_dir /cache/squid/var/cache/squid<br><br>strip_query_terms off<br><br><br>#<br># Add any of your own refresh_pattern entries above these.<br>#<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320<br><br>half_closed_clients off<br>quick_abort_min 0 KB<br>quick_abort_max 0 KB<br>vary_ignore_expire on<br>reload_into_ims on<br>memory_pools off<br>cache_mem 4096 MB<br>memory_cache_shared on<br>minimum_object_size 0 bytes<br>maximum_object_size 512 MB<br>maximum_object_size 512 KB<br>ipcache_size 1024<br>ipcache_low 90<br>ipcache_high 95<br>cache_swap_low 98<br>cache_swap_high 100 <br>fqdncache_size 16384<br>retry_on_error on<br>offline_mode off<br>pipeline_prefetch on<br>logfile_rotate 10<br>dns_nameservers 8.8.8.8 41.78.211.30<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 8:54 AM, Yuri Voinov <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span>Looking good.<br>
<br>
Can I take look onto your squid.conf? Without comment lines and<br>
sensitive info?<br>
<br>
05.03.15 19:51, Monah Baki пишет:<br>
<span class="">> rdr pass inet proto tcp from <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> to any port 80 -> 10.0.0.24<br>
> port 3129<br>
><br>
> # block in pass in log quick on bge0 pass out log quick on bge0<br>
> pass out keep state<br>
><br>
><br>
> Thanks<br>
><br>
> On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov <<a href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a>><br>
> wrote:<br>
><br>
</span><div><div class="h5">> Show complete pf.conf, please.<br>
><br>
> 05.03.15 19:45, Monah Baki пишет:<br>
>>>> In my squid.conf<br>
>>>><br>
>>>> http_port 3128 http_port 3129 intercept<br>
>>>><br>
>>>> Thanks<br>
>>>><br>
>>>> On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov<br>
>>>> <<a href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a>> wrote:<br>
>>>><br>
>>>> Squid access denied?<br>
>>>><br>
>>>> Look at this:<br>
>>>><br>
>>>> In my /etc/pf.conf rdr pass inet proto tcp from <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> to<br>
>>>> any<br>
>>>>>>>> port 80 -> 10.0.0.24 port 3129<br>
>>>><br>
>>>> Which port configured in Squid as intercept?<br>
>>>><br>
>>>> 3129?<br>
>>>><br>
>>>> and 3128 is forwarding?<br>
>>>><br>
>>>> 05.03.15 19:36, <a href="mailto:monahbaki@gmail.com">monahbaki@gmail.com</a> пишет:<br>
>>>>>>> Yes that's what I followed and user is getting a<br>
>>>>>>> "access denied" from the squid when he tries<br>
>>>>>>> <a href="http://www.cnn.com" target="_blank">www.cnn.com</a><br>
>>>>>>><br>
>>>>>>> Sent from my BlackBerry 10 smartphone on the Verizon<br>
>>>>>>> Wireless 4G LTE network. Original Message From: Yuri<br>
>>>>>>> Voinov Sent: Thursday, March 5, 2015 8:22 AM To:<br>
>>>>>>> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a> Subject: Re:<br>
>>>>>>> [squid-users] squid intercept config<br>
>>>>>>><br>
>>>>>>><br>
>>>><br>
> <a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute</a><br>
>>>>>>><br>
>>>>>>><br>
>>>><br>
>>>><br>
><br>
><br>
<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf</a><br>
>>>>>>><br>
>>>>>>> 05.03.15 18:19, Monah Baki пишет:<br>
>>>>>>>> Hi all, can anyone verify if this is correct, need to<br>
>>>>>>>> make ure that users will be able to access the<br>
>>>>>>>> internet via the squid.<br>
>>>>>>><br>
>>>>>>>> Running FreeBSD with a single interface with<br>
>>>>>>>> Squid-3.5.2<br>
>>>>>>><br>
>>>>>>>> Policy based routing on Cisco with the following:<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>>> interface GigabitEthernet0/0/1.1<br>
>>>>>>><br>
>>>>>>>> encapsulation dot1Q 1 native<br>
>>>>>>><br>
>>>>>>>> ip address 10.0.0.9 255.255.255.0<br>
>>>>>>><br>
>>>>>>>> no ip redirects<br>
>>>>>>><br>
>>>>>>>> no ip unreachables<br>
>>>>>>><br>
>>>>>>>> ip nat inside<br>
>>>>>>><br>
>>>>>>>> standby 1 ip 10.0.0.10<br>
>>>>>>><br>
>>>>>>>> standby 1 priority 120<br>
>>>>>>><br>
>>>>>>>> standby 1 preempt<br>
>>>>>>><br>
>>>>>>>> standby 1 name HSRP<br>
>>>>>>><br>
>>>>>>>> ip policy route-map CFLOW<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>>> ip access-list extended REDIRECT<br>
>>>>>>><br>
>>>>>>>> deny tcp host 10.0.0.24 any eq www<br>
>>>>>>><br>
>>>>>>>> permit tcp host 10.0.0.23 any eq www<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>>> route-map CFLOW permit 10<br>
>>>>>>><br>
>>>>>>>> match ip address REDIRECT set ip next-hop 10.0.0.24<br>
>>>>>>><br>
>>>>>>>> In my /etc/pf.conf rdr pass inet proto tcp from<br>
>>>>>>>> <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> to any port 80 -> 10.0.0.24 port 3129<br>
>>>>>>><br>
>>>>>>>> # block in pass in log quick on bge0 pass out log<br>
>>>>>>>> quick on bge0 pass out keep state<br>
>>>>>>><br>
>>>>>>>> and finally in my squid.conf: http_port 3128<br>
>>>>>>>> http_port 3129 intercept<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>>> And for testing purposes from the squid server:<br>
>>>>>>>> ./squidclient -h 10.0.0.24 -p 3128<br>
>>>>>>>> <a href="http://www.freebsd.org/" target="_blank">http://www.freebsd.org/</a><br>
>>>>>>><br>
>>>>>>>> If I replace -p 3128 with -p 80, I get a access<br>
>>>>>>>> denied, and if I omit the -p 3128 completely, I can<br>
>>>>>>>> access the websites.<br>
>>>>>>><br>
>>>>>>>> tcpdump with (-p 3128)<br>
>>>>>>><br>
>>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 ><br>
>>>>>>>> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win<br>
>>>>>>>> 1018, options [nop,nop,TS val 985588797 ecr<br>
>>>>>>>> 1054387720], length 0 13:15:02.681421 IP<br>
>>>>>>>> wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017:<br>
>>>>>>>> Flags [.], seq 17377:18825, ack 289, win 1040,<br>
>>>>>>>> options [nop,nop,TS val 1054387720 ecr 985588501],<br>
>>>>>>>> length 1448 13:15:02.681575 IP<br>
>>>>>>>> wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017:<br>
>>>>>>>> Flags [.], seq 18825:20273, ack 289, win 1040,<br>
>>>>>>>> options [nop,nop,TS val 1054387720 ecr 985588501],<br>
>>>>>>>> length 1448<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>>> Did I miss anything?<br>
>>>>>>><br>
>>>>>>>> Thanks Monah<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>>> _______________________________________________<br>
>>>>>>>> squid-users mailing list<br>
>>>>>>>> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
>>>>>>>> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
>>>>>>><br>
>>>>>>> _______________________________________________<br>
>>>>>>> squid-users mailing list<br>
>>>>>>> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
>>>>>>> <a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
>>>>>>><br>
>>>>><br>
>>>><br>
>><br>
><br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
</div></div>iQEcBAEBAgAGBQJU+GAUAAoJENNXIZxhPexGCrkH/11tb2r+PvgODC7XyDfA1WUE<br>
zyHTj3ZJ3HU+i9cpGZ8d/n+xWv6R09y+opC6WG0KVNlKIpqzNBSBjp4xKuMB1mAh<br>
M83J38n8Mm38AoOKtNmFq4jipsEkWCo4m/PAWu0h0rRty9HGB+CV8ZSSAQyl4TJg<br>
FY7vembnCRxJT6lDwE5QSWDxeCZUOEPNakonBblvQ6cAcUnhjOHpTVSICBkraNA+<br>
u8jcS1mHST9d64YzVrssGSd1yrVKEVHJPylyXiftGi9hEwhKWivmv2fsJ6LgRMlM<br>
7cXtnxPPiLe0/C4uwnLVdTSJGO6njZ61r8LRHaOT5qrM32aZbqZzDyG2yrXopXk=<br>
=n7R1<br>
-----END PGP SIGNATURE-----<br>
</blockquote></div><br></div>