[squid-users] squid intercept config
Yuri Voinov
yvoinov at gmail.com
Fri Mar 13 16:18:40 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
13.03.15 21:58, Monah Baki пишет:
> Hi All,
>
> Installed squid on CentOS 6.6 and it's working, but mY access.log
> shows all TCP_MISS and no TCP_HIT. The following config:
>
> squid.conf # Squid normally listens to port 3128 http_port 3128
> http_port 3129 intercept
And that's all????
>
>
>
> iptables
>
> # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> *nat :PREROUTING ACCEPT [10:2031] :POSTROUTING ACCEPT [0:0] :OUTPUT
> ACCEPT [0:0] -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp
> --dport 80 -j ACCEPT -A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp
> --dport 80 -j ACCEPT -A PREROUTING -s 147.245.252.13/32 -p tcp -m
> tcp --dport 80 -j ACCEPT -A PREROUTING -p tcp -m tcp --dport 80 -j
> REDIRECT --to-ports 3129 -A POSTROUTING -j MASQUERADE COMMIT #
> Completed on Fri Mar 13 16:04:02 2015 # Generated by iptables-save
> v1.4.7 on Fri Mar 13 16:04:02 2015 *filter :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1818:649971] -A INPUT -m
> state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j
> REJECT --reject-with icmp-port-unreachable -A INPUT -i lo -j
> ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
> ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state
> --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp
> --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -j
> REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT
> --reject-with icmp-host-prohibited COMMIT # Completed on Fri Mar 13
> 16:04:02 2015 # Generated by iptables-save v1.4.7 on Fri Mar 13
> 16:04:02 2015 *mangle :PREROUTING ACCEPT [68:6199] :INPUT ACCEPT
> [68:6199] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [26:3064]
> :POSTROUTING ACCEPT [26:3064] -A PREROUTING -p tcp -m tcp --dport
> 3129 -j DROP COMMIT # Completed on Fri Mar 13 16:04:02 2015
>
>
> Accessing sites, shows the IP address of the proxy 147.245.252.13.
>
> Am I missing something in IPTables that it is not caching?
>
>
> Thanks Monah
>
> On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries
> <squid3 at treenet.co.nz> wrote:
>
>> On 6/03/2015 1:19 a.m., Monah Baki wrote:
>>> Hi all, can anyone verify if this is correct, need to make ure
>>> that users will be able to access the internet via the squid.
>>>
>>> Running FreeBSD with a single interface with Squid-3.5.2
>>>
>>> Policy based routing on Cisco with the following:
>>>
>>>
>>> interface GigabitEthernet0/0/1.1
>>>
>>> encapsulation dot1Q 1 native
>>>
>>> ip address 10.0.0.9 255.255.255.0
>>>
>>> no ip redirects
>>>
>>> no ip unreachables
>>>
>>> ip nat inside
>>>
>>> standby 1 ip 10.0.0.10
>>>
>>> standby 1 priority 120
>>>
>>> standby 1 preempt
>>>
>>> standby 1 name HSRP
>>>
>>> ip policy route-map CFLOW
>>>
>>>
>>>
>>> ip access-list extended REDIRECT
>>>
>>> deny tcp host 10.0.0.24 any eq www
>>>
>>> permit tcp host 10.0.0.23 any eq www
>>>
>>>
>>>
>>> route-map CFLOW permit 10
>>>
>>> match ip address REDIRECT set ip next-hop 10.0.0.24
>>>
>>> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to
>>> any port 80 -> 10.0.0.24 port 3129
>>>
>>> # block in pass in log quick on bge0 pass out log quick on
>>> bge0 pass out keep state
>>>
>>> and finally in my squid.conf: http_port 3128 http_port 3129
>>> intercept
>>>
>>>
>>>
>>> And for testing purposes from the squid server: ./squidclient
>>> -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>
>>> If I replace -p 3128 with -p 80, I get a access denied, and if
>>> I omit the -p 3128 completely, I can access the websites.
>>
>> If you omit the -p entirely squidclient assumes "-p 3128" (the
>> proxy default listening port), so it works exactly the same as if
>> you had used -p 3128 explicitly.
>>
>> If you use -p 80 you also need to change the pther parameters so
>> they generate port-80 syntax message: - the -h with IP or
>> hostname of the remote web server, and - the URL parameters being
>> a relative URL, and - the -j parameter with Host: header domain
>> name of the server ... eg. squidclient -h www.freebsd.org -j
>> www.freebsd.org -p 80 /
>>
>> NP: if your squidclient is too old to support -j, use this
>> instead: -H 'Host: www.freebsd.org\n'
>>
>> ** this test should work from the squid box without having gone
>> through the proxy. Only from the client machine should it work
>> *with* NAT passing it through the proxy.
>>
>>
>>
>> Using a proxy syntax message sent directly to the proxy receiving
>> port, or with the proxy as receiving IP on port 80 (NAT'ed to
>> Squid) is a guaranted forwarding loop failure.
>>
>>
>> That doesn't fix your clients issue, but hopefully makes it clear
>> that the above desribed test is broken enough to prevent you
>> identifying when the client issue is fixed if that happens on
>> some change.
>>
>> Amos _______________________________________________ squid-users
>> mailing list squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>
> _______________________________________________ squid-users mailing
> list squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJVAw3gAAoJENNXIZxhPexGk4EH/2YErYeV3IcEOyngCUHZJbyk
5sY2bMrA+0kpxTa9YQsVzC9QuULvh7NLbT/1J1Tx7k0CYkM+9T1qTjx6WPmHHE4x
GrsrW6qBVM2t0zgHcd4d5BQqDqs03F5fNkEINgufdMaBAkazr7YMWNciaX6j/36Y
BWFKFPB8BJNRbbamEqTrtL0r0qntNRXrBQjlP52PzXpqnnREn8n/mwLPn3wlTQl5
17HbvXBhgliyypIoitNGGWbM2SNdJSkrR0DqrM5SNfjPX9Ffm6FBRM2obA+TNl/q
j3elyeu/QHZhbxfJJmZYsJB+B2Q7dQXVvm37LVpRc2wHF6nUNEgmsjcG9Y98xqc=
=Dg4r
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list