[squid-users] squid-3.4.8 intercept

Frank frank at cronomagic.com
Tue Nov 18 17:59:42 UTC 2014 

     Hi,

     Since upgrading from 3.1.22 to 3.4.8 I have been unable to get the 
transparent mode
to accept my IP.  I am seeing permission denied in the transaction when 
I do a packet dump.
I have read the documentation making changes for 3.4.8.
I even allowed everything and no go.

I also compiled squid and here is my configure script:

./configure \
   --prefix=/usr/share/squid-3.4.8  \
   --libdir=/usr/lib${LIBDIRSUFFIX} \
   --sysconfdir=/etc/squid \
   --localstatedir=/var/log/squid \
   --datadir=/usr/share/squid-3.4.8 \
   --with-pidfile=/var/run/squid/squid.pid \
   --mandir=/usr/man \
   --with-logdir=/var/log/squid \
   --enable-snmp \
   --enable-ipf-transparent \
   --enable-ipfw-transparent
#  --enable-auth="basic" \
#  --enable-basic-auth-helpers="NCSA" \
#  --enable-linux-netfilter \
#  --enable-async-io \
#  --disable-strict-error-checking

My machine the browser is on:

66.159.32.31

The machine that is running squid:

66.159.47.22

Here is my squid.conf

===================================================================================

#
# Recommended minimum configuration:
#

cache_effective_user  squid
cache_effective_group  squid

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src all    # RFC1918 possible internal network
#acl localnet src 66.159.32.0/24        # RFC1918 possible internal network
#acl localnet src 108.161.167.0/24      # RFC1918 possible internal network
#acl localnet src 66.159.47.0/24        # RFC1918 possible internal network
#acl localnet src 127.0.0.0/24  # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
########http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
###########http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
###############http_access allow localhost manager

###############http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
############http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all
http_access allow all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept

always_direct allow all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/share/squid/cache 100 32 512

# Leave coredumps in the first cache dir
coredump_dir /var/log/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

==================================================================================

And I have configured my browser to use HTTP Proxy 66.159.47.22 Port 3129

I also setup iptables on my machine as follows and that didn't work either. Same permission
denied.


/sbin/iptables -t nat -A OUTPUT -p tcp -s 66.159.32.31 --dport 80 -j DNAT --to 66.159.47.22:3129

Let me know if further info is needed.   Any help would be greatly appreciated.

-- 
Regards,
Frank Torontour
Network Administrator
frank at cronomagic.com
514-341-1579 EXT-214
1-800-427-6012 Ext-214

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141118/620ed9c9/attachment.html>

More information about the squid-users mailing list