[squid-users] Problem with a website...
Hello everyone,

I'm having a problem with one website. My PC does not pass through the Squid proxy, so it's all fine; I can access the website normally, http://www.sintegra.fazenda.pr.gov.br/sintegra/, but when I try to access it through Squid it does not load, and does not get denied... I looked into the logs and couldn't see anything... The message I get is this:

O seguinte erro foi encontrado ao tentar recuperar a URL: http://www.sintegra.fazenda.pr.gov.br/sintegra/
Impossível determinar o endereço IP do nome de host www.sintegra.fazenda.pr.gov.br (impossible to get the IP address of the host www...)
O servidor DNS retornou: (DNS returned)
Server Failure: The name server was unable to process this query.
Isto significa que o cache não pode resolver o nome de host contido na URL. Verifique se o endereço está correto.
Seu administrador do cache é root.

Any ideas?
Re: [squid-users] unbound and squid not resolving SSL sites
Current config below:

In my network I have unbound redirecting some sites through the proxy server and checking authentication. If I redirect www.thisite.com it works correctly. However, as soon as SSL is used, https://www.thissite.com, it doesn't resolve at all. Any ideas what I have to do to enable SSL redirects in unbound or Squid?

Handle port 443 traffic and the encrypted traffic there. You are only receiving port 80 traffic in this config file.

I am already redirecting 443 traffic but the proxy won't pick it up. There is an SSL ports directive in the squid.conf, so it should accept them? For example, this line redirects all HTTP traffic, but as soon as the browser wants an SSL connection, it is dropped:

local-data: anywhere.mysite.com. 600 IN A 109.xxx.xx.xxx
local-zone: identity.mysite.com. redirect

external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth

What does this helper do exactly to earn the term authentication? TCP/IP address alone is insufficient to verify the end-user's identity.

This helper checks that an IP address is contained within a database table. If the IP address exists, then it allows them to use the proxy server.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
acl interval_auth external time_squid_auth
http_access allow interval_auth
#http_access allow all
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 80 accel vhost allow-direct
hierarchy_stoplist cgi-bin ?
#cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
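Added example, not part of the thread and not the poster's squidauth program: a minimal external ACL helper of the kind described above, showing what an `external_acl_type ... %SRC` helper receives (one line per lookup holding the client source address) and what it answers (`OK` or `ERR`). The table name `allowed_ips`, its rows and the in-memory SQLite database are constructed stand-ins for the poster's database.

```python
import ipaddress
import sqlite3
import sys

def open_db():
    # Constructed stand-in for the poster's database table (hypothetical name).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE allowed_ips (ip TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO allowed_ips VALUES (?)",
                   [("192.168.1.5",), ("10.0.0.7",)])
    return db

def decide(db, line):
    """Answer one lookup line from Squid. With the format %SRC the line holds
    exactly one token, the client's source IP address."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"                      # unexpected input: refuse
    try:
        ip = str(ipaddress.ip_address(fields[0]))   # validate and normalise
    except ValueError:
        return "ERR"
    row = db.execute("SELECT 1 FROM allowed_ips WHERE ip = ?", (ip,)).fetchone()
    # The only thing checked is which address connected, not who is using it.
    return "OK" if row else "ERR"

def main():
    db = open_db()
    for line in sys.stdin:                # Squid keeps the helper running
        sys.stdout.write(decide(db, line) + "\n")
        sys.stdout.flush()                # reply immediately, unbuffered

if __name__ == "__main__":
    main()
```

With `ttl=5` on the `external_acl_type` line, Squid caches each answer for five seconds before asking the helper again.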
[squid-users] let squid to request the page using client IP?
I have asked this question on the Apache mailing list but they tell me to ask it here:

We know that we can allow some IPs without authentication using Allow from IP:

<Directory /var/www/html/template>
    Order allow,deny
    Allow from 192.168.1.5
    Satisfy any
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPauthoritative off
    AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
</Directory>

But what if we use a proxy (Squid) in front? Then the source IP will be the proxy IP. How can I make Apache deal with the client IP, not the proxy IP? Or how can I let Squid request the page using the client IP?
Re: [squid-users] let squid to request the page using client IP?
On Thu, 2014-08-07 at 22:02 +, Mark jensen wrote:

I have asked this question on the Apache mailing list but they tell me to ask it here:

We know that we can allow some IPs without authentication using Allow from IP:

<Directory /var/www/html/template>
    Order allow,deny
    Allow from 192.168.1.5
    Satisfy any
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPauthoritative off
    AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
</Directory>

But what if we use a proxy (Squid) in front? Then the source IP will be the proxy IP. How can I make Apache deal with the client IP, not the proxy IP? Or how can I let Squid request the page using the client IP?

You will want to look into the X-Forwarded-For header. Make sure you are inserting it with Squid, and that Apache is parsing the header for the value and basing the access on it. The client IP will be in the first position (0-based, I think), when using comma (,) as a delimiter.
Re: [squid-users] let squid to request the page using client IP?
Googling "apache x-forwarded-for" led me to mod_extract_forwarded:

http://www.openinfo.co.uk/apache/

--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [squid-users] let squid to request the page using client IP?
On Fri, 2014-08-08 at 11:48 +1200, Jason Haar wrote:

Googling "apache x-forwarded-for" led me to mod_extract_forwarded:

http://www.openinfo.co.uk/apache/

From the Apache mod_proxy page:

Reverse Proxy Request Headers

When acting in a reverse-proxy mode (using the ProxyPass directive, for example), mod_proxy_http adds several request headers in order to pass information to the origin server. These headers are:

X-Forwarded-For
    The IP address of the client.
X-Forwarded-Host
    The original host requested by the client in the Host HTTP request header.
X-Forwarded-Server
    The hostname of the proxy server.

Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers. For example, you can use %{X-Forwarded-For}i in the log format string of the origin server to log the original clients IP address, but you may get more than one address if the request passes through several proxies.

See also the ProxyPreserveHost and ProxyVia directives, which control other request headers.

Looks like all you need is mod_proxy_http.
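Added example, not part of the thread: the quoted mod_proxy caveat about X-Forwarded-For holding several comma-separated values matters as soon as the header feeds an `Allow from` style decision, so this sketch derives the client address by walking the header right to left from the TCP peer and compares it with simply taking the first position. The proxy address 192.168.1.10, the 203.0.113.9 client and the three sample requests are constructed, and the sketch assumes the proxy appends the address it saw to any header already present.

```python
import ipaddress

# Assumptions (constructed): the Squid box is 192.168.1.10; Apache allows
# 192.168.1.5 without authentication, as in the posted Directory block.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]
ALLOW_FROM = {"192.168.1.5"}

def hops(xff_values):
    """Flatten one or more X-Forwarded-For header values into a hop list."""
    return [h.strip() for v in xff_values for h in v.split(",") if h.strip()]

def leftmost(xff_values):
    """First position of the header: whatever the original request claimed."""
    h = hops(xff_values)
    return h[0] if h else None

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff_values):
    """Walk right to left from the TCP peer, believing an entry only when the
    hop that reported it is one of our proxies."""
    current = ipaddress.ip_address(peer)
    if not is_trusted(current):
        return str(current)          # header did not come via our proxy
    for hop in reversed(hops(xff_values)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                    # "unknown" or junk: stop, fail closed
        current = addr
        if not is_trusted(addr):
            break                    # first address not under our control
    return str(current)

def allowed(ip):
    return ip in ALLOW_FROM

# Constructed requests: (TCP peer seen by Apache, X-Forwarded-For values)
HONEST = ("192.168.1.10", ["192.168.1.5"])
PREFILLED = ("192.168.1.10", ["192.168.1.5, 203.0.113.9"])  # client sent its own header
DIRECT = ("203.0.113.9", ["192.168.1.5"])                   # bypassed the proxy

if __name__ == "__main__":
    for name, (peer, xff) in [("honest", HONEST), ("prefilled", PREFILLED), ("direct", DIRECT)]:
        ip = client_ip(peer, xff)
        print(name, "leftmost:", leftmost(xff), "derived:", ip, "allowed:", allowed(ip))
```

Only the honest request ends up allowed; in the other two the first position still reads 192.168.1.5 while the derived address does not.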