[squid-users] squid intercept config
Yuri Voinov
yvoinov at gmail.com
Thu Mar 5 13:54:29 UTC 2015
Looking good.
Can I take look onto your squid.conf? Without comment lines and
sensitive info?
05.03.15 19:51, Monah Baki wrote:
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24
> port 3129
>
> # block in
> pass in log quick on bge0
> pass out log quick on bge0
> pass out keep state
>
>
> Thanks
>
> On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov <yvoinov at gmail.com>
> wrote:
>
> Show complete pf.conf, please.
>
> 05.03.15 19:45, Monah Baki wrote:
>>>> In my squid.conf
>>>>
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov
>>>> <yvoinov at gmail.com> wrote:
>>>>
>>>> Squid access denied?
>>>>
>>>> Look at this:
>>>>
>>>> In my /etc/pf.conf
>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>
>>>> Which port is configured in Squid as intercept?
>>>>
>>>> 3129?
>>>>
>>>> and 3128 is forwarding?
>>>>
>>>> 05.03.15 19:36, monahbaki at gmail.com wrote:
>>>>>>> Yes that's what I followed and user is getting an
>>>>>>> "access denied" from the squid when he tries
>>>>>>> www.cnn.com
>>>>>>>
>>>>>>> Sent from my BlackBerry 10 smartphone on the Verizon
>>>>>>> Wireless 4G LTE network.
>>>>>>> Original Message
>>>>>>> From: Yuri Voinov
>>>>>>> Sent: Thursday, March 5, 2015 8:22 AM
>>>>>>> To: squid-users at lists.squid-cache.org
>>>>>>> Subject: Re: [squid-users] squid intercept config
>>>>>>>
>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>>>>>>
>>>>>>> 05.03.15 18:19, Monah Baki wrote:
>>>>>>>> Hi all, can anyone verify if this is correct, need to
>>>>>>>> make sure that users will be able to access the
>>>>>>>> internet via the squid.
>>>>>>>
>>>>>>>> Running FreeBSD with a single interface with
>>>>>>>> Squid-3.5.2
>>>>>>>
>>>>>>>> Policy based routing on Cisco with the following:
>>>>>>>
>>>>>>>
>>>>>>>> interface GigabitEthernet0/0/1.1
>>>>>>>
>>>>>>>> encapsulation dot1Q 1 native
>>>>>>>
>>>>>>>> ip address 10.0.0.9 255.255.255.0
>>>>>>>
>>>>>>>> no ip redirects
>>>>>>>
>>>>>>>> no ip unreachables
>>>>>>>
>>>>>>>> ip nat inside
>>>>>>>
>>>>>>>> standby 1 ip 10.0.0.10
>>>>>>>
>>>>>>>> standby 1 priority 120
>>>>>>>
>>>>>>>> standby 1 preempt
>>>>>>>
>>>>>>>> standby 1 name HSRP
>>>>>>>
>>>>>>>> ip policy route-map CFLOW
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> ip access-list extended REDIRECT
>>>>>>>
>>>>>>>> deny tcp host 10.0.0.24 any eq www
>>>>>>>
>>>>>>>> permit tcp host 10.0.0.23 any eq www
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> route-map CFLOW permit 10
>>>>>>>
>>>>>>>> match ip address REDIRECT
>>>>>>>> set ip next-hop 10.0.0.24
>>>>>>>
>>>>>>>> In my /etc/pf.conf
>>>>>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>>>>
>>>>>>>> # block in
>>>>>>>> pass in log quick on bge0
>>>>>>>> pass out log quick on bge0
>>>>>>>> pass out keep state
>>>>>>>
>>>>>>>> and finally in my squid.conf:
>>>>>>>> http_port 3128
>>>>>>>> http_port 3129 intercept
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> And for testing purposes from the squid server:
>>>>>>>> ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>>>>>
>>>>>>>> If I replace -p 3128 with -p 80, I get an access
>>>>>>>> denied, and if I omit the -p 3128 completely, I can
>>>>>>>> access the websites.
>>>>>>>
>>>>>>>> tcpdump with (-p 3128)
>>>>>>>
>>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>>>>>>>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>>> 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Did I miss anything?
>>>>>>>
>>>>>>>> Thanks Monah
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> squid-users mailing list
>>>>>>>> squid-users at lists.squid-cache.org
>>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>
>
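The question Yuri is circling in this thread is whether the pf redirect lands on the port Squid actually runs in intercept mode (3129) rather than the plain forward port (3128). As an added check that is not code from the thread or from the Squid project, this sh script takes pf.conf and squid.conf text (sample strings constructed here from the fragments posted above) and verifies that every rdr target port is declared as an `http_port ... intercept`; it also handles an rdr rule without an explicit target port, where pf keeps the matched destination port.

```shell
#!/bin/sh
# Added consistency check (not from the thread or the Squid project): does each
# pf "rdr ... -> host port N" land on a Squid http_port declared "intercept"?
# Sample configs below are constructed from the fragments posted in the thread.
PF_CONF='# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129'

SQUID_CONF='http_port 3128
http_port 3129 intercept'

# rdr_target_ports CONF: one line per rdr rule with the port traffic is sent to.
# When the rule has no "port" after "->", pf keeps the matched destination port.
rdr_target_ports() {
    printf '%s\n' "$1" | awk '$1 == "rdr" {
        arrow = 0; dst = ""; tgt = ""
        for (i = 1; i <= NF; i++) if ($i == "->") arrow = i
        for (i = 1; i <= NF; i++) if ($i == "port") {
            if (arrow && i > arrow) tgt = $(i + 1); else dst = $(i + 1)
        }
        print (tgt != "" ? tgt : dst)
    }'
}

# intercept_ports CONF: the port of every "http_port [addr:]port ... intercept".
intercept_ports() {
    printf '%s\n' "$1" | awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++) if ($i == "intercept") {
            p = $2; sub(/.*:/, "", p); print p; break
        }
    }'
}

# check_intercept_config PF_CONF SQUID_CONF: status 0 only if every rdr target
# port is an intercept port; a redirect onto a forward-proxy port is flagged.
check_intercept_config() {
    targets=$(rdr_target_ports "$1"); icp=$(intercept_ports "$2"); rc=0
    [ -n "$targets" ] || { echo "no rdr rule found in pf.conf"; return 1; }
    for p in $targets; do
        if printf '%s\n' "$icp" | grep -qx "$p"; then
            echo "ok: rdr -> port $p matches 'http_port $p intercept'"
        else
            echo "MISMATCH: rdr -> port $p has no 'http_port $p intercept' line"; rc=1
        fi
    done
    return $rc
}
check_intercept_config "$PF_CONF" "$SQUID_CONF"
```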