[squid-users] squid intercept mode fo http & https
Yuri Voinov
yvoinov at gmail.com
Sat Nov 21 20:02:33 UTC 2015
21.11.15 22:56, Ahmad Alzaeem wrote:
> Thanks for your reply.
>
> I know that my DNS is weird.
>
> But all I need is
> I have access to DNS server, but I don’t have access to PCs to give them ip:port in their browsers.
What is it you need????
>
>
> So yes, I'm forced to work that way.
>
> And I want to filter my websites and the only way to go to the internet is using the proxy.
>
> So what do you suggest?
>
> So again, the packet goes to squid, but inside this packet the name of websites and dst ip is the proxy ip.
>
> What settings needed on squid to operate such as get the info from name and skip dst ip?
For what?
>
>
> If u look @ the log files u will understand my idea
I do not see any useful idea.
>
>
> Thanks a lot for reply
>
> cheers
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Antony Stone
> Sent: Saturday, November 21, 2015 7:22 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] squid intercept mode fo http & https
>
> On Saturday 21 November 2015 at 17:02:56, Ahmad Alzaeem wrote:
>
>> Hi Guys I have a squid running in intercept mode
>
> Okay...
>
>> I have a dns to resolve all the websites to the ip of proxy
>
> Which instructions / documentation did you follow saying that was a good idea?
>
>> I want the proxy to be able to operate normally
>
> Then, set up your DNS server normally as well :)
>
>> and don't look @ the destination ip since all packet will have the
>> destination ip as the ip of proxy
>
> I think you have the wrong idea of what "intercept mode" means.
>
>> I want the proxy to operate based on the domain name.
>
> So, just route the packets to the proxy (with the *correct* destination IP
> address) as per all the guidelines you can find on the Internet showing how to do this, and Squid will do the rest.
>
>> So far I have the squid listening on port 11611 intercept mode and I
>> have traffic 80, 443 hit the linux proxy server
>
> You need to perform NAT on the same box as Squid is running on, to redirect packets from their original IP address, to the IP of Squid, and it will work.
>
> Undo the weirdness you've created with DNS.
>
>> Now I can't open either http or https.
>
> I can only say "I'm not surprised." You've told the clients to connect to Squid as a web server. Squid finds its own IP as the destination, and gives up.
>
>> Squid.conf :
>>
>> dns_nameservers 8.8.8.8
>
> I strongly recommend you to set up a local caching name server, and point both your clients, and Squid, at it.
>
>> visible_hostname seerver.server
>
> Have you cut and pasted this configuration file, or (mis-)typed it?
>
>> acl localnet src xxx.0.0/16 xxx.0.0/16 192.168.0.0/16 # RFC1918 possible internal network
>
> You have public IPs on your internal network?
>
> Unusual, but plausible... I'm just checking to make sure I understand your network correctly.
>
>> # Squid normally listens to port 3128
>>
>> #http_port 443 intercept
>>
>> http_port 10.159.144.206:11611 intercept
>
> So, the Squid server has a private IP - this makes it all the more unusual that you seem to have public IPs on your internal network.
>
>> iptables settings :
>>
>> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.159.144.206:11611
>
> That looks fine for a standard intercept setup.
>
>> any help ?????
>
> Undo your DNS strangeness and let us know if it starts working.
>
>
> Regards,
>
>
> Antony.
>
> --
> "There is no reason for any individual to have a computer in their home."
>
> - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed by Compaq, later merged with HP)
>
> Please reply to the list; please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
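Added example, not part of the original thread and not Squid project code: a small Python check for the situation Antony describes above, where DNS answers point clients at the proxy's own intercept address so that Squid sees itself as the destination. The squid.conf and iptables lines are the ones quoted in the message; the hostnames and DNS answers are constructed sample data, and the function names are hypothetical.

```python
import re

# Configuration lines quoted in the thread.
SQUID_CONF = "dns_nameservers 8.8.8.8\nhttp_port 10.159.144.206:11611 intercept\n"
IPTABLES_RULES = [
    "-t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT "
    "--to-destination 10.159.144.206:11611",
]
# Constructed sample data: what the clients' DNS server answers.
DNS_POINTING_AT_PROXY = {"www.example.com": "10.159.144.206",
                         "example.org": "10.159.144.206"}
DNS_NORMAL = {"www.example.com": "192.0.2.10", "example.org": "198.51.100.7"}


def intercept_listeners(conf):
    """Return {(ip_or_None, port)} for http_port/https_port lines marked intercept."""
    found = set()
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if (len(fields) >= 3 and fields[0] in ("http_port", "https_port")
                and "intercept" in fields[2:]):
            host, _, port = fields[1].rpartition(":")
            found.add((host or None, int(port)))
    return found


def dnat_targets(rules):
    """Return [(ip, port)] for DNAT rules in the nat PREROUTING chain."""
    pattern = re.compile(r"-j DNAT\s+--to-destination\s+([\d.]+):(\d+)")
    return [(m.group(1), int(m.group(2)))
            for rule in rules if "PREROUTING" in rule
            for m in [pattern.search(rule)] if m]


def audit(conf, rules, dns_answers):
    """Flag DNS answers equal to the proxy address, plus DNAT/port mismatches."""
    listeners = intercept_listeners(conf)
    proxy_ips = {ip for ip, _ in listeners if ip}
    findings = []
    for name, addr in sorted(dns_answers.items()):
        if addr in proxy_ips:  # client would address Squid as if it were the web server
            findings.append(f"dns: {name} -> {addr} is the proxy's own intercept address")
    for ip, port in dnat_targets(rules):
        if (ip, port) not in listeners and (None, port) not in listeners:
            findings.append(f"nat: DNAT target {ip}:{port} is not an intercept port")
    return findings


if __name__ == "__main__":
    for label, answers in (("broken", DNS_POINTING_AT_PROXY), ("normal", DNS_NORMAL)):
        print(label, audit(SQUID_CONF, IPTABLES_RULES, answers))
```

The check covers only what these files show; Antony's other point, that NAT has to be performed on the same box Squid runs on, cannot be verified from them.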