[squid-users] squid intercept config

Yuri Voinov yvoinov at gmail.com
Thu Mar 5 13:44:01 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Squid access denied?

Look at this:

In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to any
>> port 80 -> 10.0.0.24 port 3129

Which port configured in Squid as intercept?

3129?

and 3128 is forwarding?

05.03.15 19:36, monahbaki at gmail.com пишет:
> Yes that's what I followed and user is getting a "access denied"
> from the squid when he tries www.cnn.com
> 
> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G
> LTE network. Original Message From: Yuri Voinov Sent: Thursday,
> March 5, 2015 8:22 AM To: squid-users at lists.squid-cache.org 
> Subject: Re: [squid-users] squid intercept config
> 
> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>
> 
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
> 
> 05.03.15 18:19, Monah Baki пишет:
>> Hi all, can anyone verify if this is correct, need to make ure
>> that users will be able to access the internet via the squid.
> 
>> Running FreeBSD with a single interface with Squid-3.5.2
> 
>> Policy based routing on Cisco with the following:
> 
> 
>> interface GigabitEthernet0/0/1.1
> 
>> encapsulation dot1Q 1 native
> 
>> ip address 10.0.0.9 255.255.255.0
> 
>> no ip redirects
> 
>> no ip unreachables
> 
>> ip nat inside
> 
>> standby 1 ip 10.0.0.10
> 
>> standby 1 priority 120
> 
>> standby 1 preempt
> 
>> standby 1 name HSRP
> 
>> ip policy route-map CFLOW
> 
> 
> 
>> ip access-list extended REDIRECT
> 
>> deny tcp host 10.0.0.24 any eq www
> 
>> permit tcp host 10.0.0.23 any eq www
> 
> 
> 
>> route-map CFLOW permit 10
> 
>> match ip address REDIRECT set ip next-hop 10.0.0.24
> 
>> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to
>> any port 80 -> 10.0.0.24 port 3129
> 
>> # block in pass in log quick on bge0 pass out log quick on bge0 
>> pass out keep state
> 
>> and finally in my squid.conf: http_port 3128 http_port 3129 
>> intercept
> 
> 
> 
>> And for testing purposes from the squid server: ./squidclient -h 
>> 10.0.0.24 -p 3128 http://www.freebsd.org/
> 
>> If I replace -p 3128 with -p 80, I get a access denied, and if I 
>> omit the -p 3128 completely, I can access the websites.
> 
>> tcpdump with (-p 3128)
> 
>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 >
>> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018,
>> options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http >
>> ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win
>> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length
>> 1448 13:15:02.681575 IP wfe0.ysv.freebsd.org.http >
>> ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win
>> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length
>> 1448
> 
> 
> 
>> Did I miss anything?
> 
>> Thanks Monah
> 
> 
> 
>> _______________________________________________ squid-users
>> mailing list squid-users at lists.squid-cache.org 
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> _______________________________________________ squid-users mailing
> list squid-users at lists.squid-cache.org 
> http://lists.squid-cache.org/listinfo/squid-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJU+F2gAAoJENNXIZxhPexGivEH/jh0uoMFUNiqROuSVfnCbd4F
pzcgm//4M3CRFCCGYT+u7VA14Uw5EPz/3vIiOQZFWrZLt9zZdtIlHqPA0ucBi5U5
cfHwlOhAXWMihM0gUYCATWit6c+cY9bvFS9wHzav9RJK8aRFWGczBhPLfFMGV8/y
WTgnCh3ViR3ZjilLhM3MB1nd4pNzn01BM9X3rteGu5d1zh6hznyEIqMAzUXFcBeF
cnsWPnXkhU/r13X7zk0K6nF9tSaSIvbYJQaTWRl5DvkYVwQgCcPUwQ5yleWh70Ex
MycgylzjEqCAO4rqpYwV/v8/meb8+QzgK3e1KFRXDz91/zUz8LGO0ns7LzhAKFM=
=ZRtj
-----END PGP SIGNATURE-----


More information about the squid-users mailing list