<div dir="ltr">squid 3.3.8 and ubuntu 15.04 server</div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-24 15:04 GMT+03:00 Yuri Voinov <span dir="ltr"><<a href="mailto:yvoinov@gmail.com" target="_blank">yvoinov@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Squid 3.5.x?<br>
<br>
<div>24.06.15 18:03, Dalmar пишет:<br>
</div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div style="font-size:12.8000001907349px">Hi,</div>
<div style="font-size:12.8000001907349px">For over two weeks i
am having a really headache in configuring squid
transparent/intercept. </div>
<div style="font-size:12.8000001907349px">I have tried different
options and configurations but i couldn't get it to work.</div>
<div style="font-size:12.8000001907349px">i think the problems
lies in the Iptables / NAT but i really couldn't solve it. </div>
<div style="font-size:12.8000001907349px">I have tried different
iptable rules including the intercept linuxDnat - sysctl
configuration, but didnt work.</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"># your proxy IP</div>
<div style="font-size:12.8000001907349px">SQUIDIP=X.X.X.X</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"># your proxy listening
port</div>
<div style="font-size:12.8000001907349px">SQUIDPORT=XXXX</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">iptables -t nat -A
PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT</div>
<div style="font-size:12.8000001907349px">iptables -t nat -A
PREROUTING -p tcp --dport 80 -j DNAT --to-destination
$SQUIDIP:$SQUIDPORT</div>
<div style="font-size:12.8000001907349px">iptables -t nat -A
POSTROUTING -j MASQUERADE</div>
<div style="font-size:12.8000001907349px">iptables -t mangle -A
PREROUTING -p tcp --dport $SQUIDPORT -j DROP</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">i have to say that
squid works well when i configure in the client browsers.</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">at the mikrotik side,
i am using DST-NAT chain port 80 pro TCP action DST-NAT to
address squidIP and Port</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">i am using ubuntu
server 15.04 using squid 3.3.8 and this is my configuration
and the errors i get:</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"> <span style="white-space:pre-wrap"> </span>
------ eth0 WAN <----- MAIN WAN Public IP Internet</div>
<div style="font-size:12.8000001907349px">
MK---|</div>
<div style="font-size:12.8000001907349px"> <span style="white-space:pre-wrap"> </span>
------ eth1 LAN</div>
<div style="font-size:12.8000001907349px">
|</div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>
------ eth2 Proxy</div>
<div style="font-size:12.8000001907349px"> </div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>
------ eth0 WAN ---> Public IP --> Internet
--> gets internet from 24online / another Mikrotik</div>
<div style="font-size:12.8000001907349px"> <span style="white-space:pre-wrap"> </span>
Squid---|</div>
<div style="font-size:12.8000001907349px"> <span style="white-space:pre-wrap"> </span>
------ eth1 Proxy</div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>
|</div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>
------ eth2 webmin --> For server Management</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">-error1: if no
intercept/transparent and no iptables is configured</div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>-Invalid
URL - The requested url could not be retrieved</div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> </span>-but
if proxy is configured in the user browser - it works!</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">-error2:if intercept
and iptable DNAT is configured </div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> -</span>Access
Denied and in the access log TCP-MISS/403</div>
<div style="font-size:12.8000001907349px"><span style="white-space:pre-wrap"> -</span>no
forward proxy port configured </div>
<div style="font-size:12.8000001907349px"> -security
alert : host header forgery detected on local= SquidIP:8080
remote:mikrotikIP (local ip does not match any domain name)</div>
<div style="font-size:12.8000001907349px"> -warning :
forwarding loop detected (x-Forwarded-for mikrotik lan IP)</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">squid.conf</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">acl localnet src <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a><span style="white-space:pre-wrap"> </span>#
RFC1918 possible internal network</div>
<div style="font-size:12.8000001907349px">acl localnet src <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a><span style="white-space:pre-wrap"> </span>#
RFC1918 possible internal network</div>
<div style="font-size:12.8000001907349px">acl SSL_ports port 443</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port 80<span style="white-space:pre-wrap"> </span>#
http</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port 21<span style="white-space:pre-wrap"> </span>#
ftp</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port
443<span style="white-space:pre-wrap"> </span># https</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port 70<span style="white-space:pre-wrap"> </span>#
gopher</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port
210<span style="white-space:pre-wrap"> </span># wais</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port
1025-65535<span style="white-space:pre-wrap"> </span>#
unregistered ports</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port
280<span style="white-space:pre-wrap"> </span># http-mgmt</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port
488<span style="white-space:pre-wrap"> </span># gss-http</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port
591<span style="white-space:pre-wrap"> </span># filemaker</div>
<div style="font-size:12.8000001907349px">acl Safe_ports port
777<span style="white-space:pre-wrap"> </span># multiling
http</div>
<div style="font-size:12.8000001907349px">acl CONNECT method
CONNECT</div>
<div style="font-size:12.8000001907349px">http_access deny
!Safe_ports</div>
<div style="font-size:12.8000001907349px">http_access deny
CONNECT !SSL_ports</div>
<div style="font-size:12.8000001907349px">http_access allow
localhost manager</div>
<div style="font-size:12.8000001907349px">http_access deny
manager</div>
<div style="font-size:12.8000001907349px">http_access allow
localnet</div>
<div style="font-size:12.8000001907349px">http_access allow
localhost</div>
<div style="font-size:12.8000001907349px">http_access deny all</div>
<div style="font-size:12.8000001907349px">http_port 8080</div>
<div style="font-size:12.8000001907349px">http_port 8181</div>
<div style="font-size:12.8000001907349px">cache_mem 2000 MB</div>
<div style="font-size:12.8000001907349px">cache_dir ufs
/var/spool/squid3 100000 16 256</div>
<div style="font-size:12.8000001907349px">coredump_dir
/var/spool/squid3</div>
<div style="font-size:12.8000001907349px">refresh_pattern ^ftp:<span style="white-space:pre-wrap"> </span>1440<span style="white-space:pre-wrap"> </span>20%<span style="white-space:pre-wrap"> </span>10080</div>
<div style="font-size:12.8000001907349px">refresh_pattern
^gopher:<span style="white-space:pre-wrap"> </span>1440<span style="white-space:pre-wrap"> </span>0%<span style="white-space:pre-wrap"> </span>1440</div>
<div style="font-size:12.8000001907349px">refresh_pattern -i
(/cgi-bin/|\?) 0<span style="white-space:pre-wrap"> </span>0%<span style="white-space:pre-wrap"> </span>0</div>
<div style="font-size:12.8000001907349px">refresh_pattern
(Release|Packages(.gz)*)$ 0 20% 2880</div>
<div style="font-size:12.8000001907349px">refresh_pattern .<span style="white-space:pre-wrap"> </span>0<span style="white-space:pre-wrap"> </span>20%<span style="white-space:pre-wrap"> </span>4320</div>
<div style="font-size:12.8000001907349px">cache_effective_user
proxy</div>
<div style="font-size:12.8000001907349px">cache_effective_group
proxy</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">----------------------------------------</div>
<div style="font-size:12.8000001907349px">I am really confused,
can anyone guide me please.</div>
<div style="font-size:12.8000001907349px">Thanks in advance</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
squid-users mailing list
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br></blockquote></div><br></div>