[squid-users] squid intercept config
Yuri Voinov
yvoinov at gmail.com
Thu Mar 5 14:23:54 UTC 2015
10.0.0.23 is your host? And 10.0.0.24 is proxy box?
05.03.15 20:15, Monah Baki wrote:
> '--prefix=/cache/squid' '--enable-follow-x-forwarded-for'
> '--with-large-files' '--enable-ssl' '--disable-ipv6'
> '--enable-esi' '--enable-kill-parent-hack' '--enable-snmp'
> '--with-pthreads' '--with-filedescriptors=65535'
> '--enable-cachemgr-hostname=hostname'
> '--enable-storeio=ufs,aufs,diskd,rock' '--enable-ipfw-transparent'
> '--enable-pf-transparent' '--with-nat-devpf'
> --enable-ltdl-convenience
>
>
>
>
> On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov <yvoinov at gmail.com>
> wrote:
>
> This is looking good too.
>
> Stupid question:
>
> With which interception option was squid built?
>
> I.e., squid -v?
>
> 05.03.15 18:19, Monah Baki wrote:
>>>> Hi all, can anyone verify if this is correct, need to make
>>>> sure that users will be able to access the internet via the
>>>> squid.
>>>>
>>>> Running FreeBSD with a single interface with Squid-3.5.2
>>>>
>>>> Policy based routing on Cisco with the following:
>>>>
>>>>
>>>> interface GigabitEthernet0/0/1.1
>>>>  encapsulation dot1Q 1 native
>>>>  ip address 10.0.0.9 255.255.255.0
>>>>  no ip redirects
>>>>  no ip unreachables
>>>>  ip nat inside
>>>>  standby 1 ip 10.0.0.10
>>>>  standby 1 priority 120
>>>>  standby 1 preempt
>>>>  standby 1 name HSRP
>>>>  ip policy route-map CFLOW
>>>>
>>>> ip access-list extended REDIRECT
>>>>  deny tcp host 10.0.0.24 any eq www
>>>>  permit tcp host 10.0.0.23 any eq www
>>>>
>>>> route-map CFLOW permit 10
>>>>  match ip address REDIRECT
>>>>  set ip next-hop 10.0.0.24
>>>>
>>>> In my /etc/pf.conf:
>>>>
>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>
>>>> # block in
>>>> pass in log quick on bge0
>>>> pass out log quick on bge0
>>>> pass out keep state
>>>>
>>>> and finally in my squid.conf:
>>>>
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>>
>>>> And for testing purposes from the squid server:
>>>>
>>>> ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>>
>>>> If I replace -p 3128 with -p 80, I get an access denied, and
>>>> if I omit the -p 3128 completely, I can access the websites.
>>>>
>>>> tcpdump with (-p 3128)
>>>>
>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>>>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>> 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>
>>>>
>>>>
>>>> Did I miss anything?
>>>>
>>>> Thanks Monah
>>>>
>>>>
>>>>
>>>> _______________________________________________ squid-users
>>>> mailing list squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
>
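Added example (not part of the original message, and not code from the Squid project): a shell check for the question raised in this thread, namely whether the build reported by `squid -v` includes the interception backend the pf `rdr` rule depends on, and whether the port that rule redirects to is declared `intercept` in squid.conf. The function names are hypothetical; the configure options, squid.conf lines and port numbers are the ones quoted in the thread.

```shell
#!/bin/sh
# Configure options as quoted in this thread (from `squid -v`).
SQUID_V_OPTS="'--prefix=/cache/squid' '--enable-follow-x-forwarded-for' \
 '--with-large-files' '--enable-ssl' '--disable-ipv6' '--enable-esi' \
 '--enable-kill-parent-hack' '--enable-snmp' '--with-pthreads' \
 '--with-filedescriptors=65535' '--enable-cachemgr-hostname=hostname' \
 '--enable-storeio=ufs,aufs,diskd,rock' '--enable-ipfw-transparent' \
 '--enable-pf-transparent' '--with-nat-devpf' --enable-ltdl-convenience"

# squid.conf lines as quoted in this thread.
SQUID_CONF='http_port 3128
http_port 3129 intercept'

# Print, one per line, the interception backends enabled in a
# configure-options string (in the order the options appear).
intercept_backends() {
    printf '%s\n' "$1" | tr -d "'" | tr ' ' '\n' | while read -r opt; do
        case "$opt" in
            --enable-pf-transparent)   echo pf ;;
            --enable-ipfw-transparent) echo ipfw ;;
            --enable-ipf-transparent)  echo ipf ;;
            --enable-linux-netfilter)  echo netfilter ;;
        esac
    done
}

# Print the port number of every http_port line that carries "intercept".
# Handles both "3129" and "addr:3129" forms.
intercept_ports() {
    printf '%s\n' "$1" | awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++)
            if ($i == "intercept") { n = split($2, a, ":"); print a[n] }
    }'
}

# Succeed only if the backend is compiled in AND the redirect target port
# is an intercept port. Args: configure-opts squid.conf-text backend port
check_intercept() {
    intercept_backends "$1" | grep -qx "$3" ||
        { echo "backend $3 not compiled in"; return 1; }
    intercept_ports "$2" | grep -qx "$4" ||
        { echo "port $4 is not an intercept port"; return 1; }
    echo "ok: $3 interception on port $4"
}

# pf.conf in the thread redirects port 80 to 10.0.0.24 port 3129.
check_intercept "$SQUID_V_OPTS" "$SQUID_CONF" pf 3129
```

Pointing the redirect at 3128 instead, or checking for a backend the build lacks, makes `check_intercept` fail with the reason printed.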