[squid-users] Help with Squid Proxy on AWS Nat Instance.
Yuri Voinov
yvoinov at gmail.com
Tue Mar 3 15:14:48 UTC 2015
Feel free to use Squid Wiki:
http://wiki.squid-cache.org/ConfigExamples/Intercept
03.03.15 19:30, laxcat writes:
> I have squid installed on a NAT instance in AWS. I installed squid
> using yum. The OS is amazon linux. When squid is not running I am
> able to send traffic through the nat box from private subnets but
> when I start squid I am not.
>
> These are the default iptables rules:
>
> [admin at box1 ~]# iptables -t nat --line-numbers -L
> Chain PREROUTING (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> num  target     prot opt source               destination
> 1    MASQUERADE all  --  10.3.0.0/16          anywhere
>
>
>
> When I start squid and add the rule below to iptables, I get a squid
> error page:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> The error page says:
>
> ERROR
> The requested URL could not be retrieved
> The following error was encountered while trying to retrieve the URL: /
> Invalid URL
>
> Current config (I have tried a few different ones):
>
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> #http_access allow manager localhost
> #http_access allow all
> acl whitelist dstdomain "/etc/squid/whitelist"
> http_access allow whitelist
> http_access allow CONNECT whitelist
> http_access deny !whitelist
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320