Re: [squid-users] Squid + Cisco 4500 + WCCP2

2012-07-25 Thread Indunil Jayasooriya
On Wed, Jul 25, 2012 at 3:04 PM, Indunil Jayasooriya wrote:
>
>
> Can your squid box go to the internet? (Pls check the /etc/resolv.conf file)
>
> How many interfaces does your squid box have?
>
> 1 or 2 ?
>
> In the /etc/sysctl.conf file, pls check the net.ipv4.ip_forward parameter. Try
> to set it to one in the following manner.
>
> net.ipv4.ip_forward = 1
>
>
>
>
>
>
> On Wed, Jul 25, 2012 at 2:13 PM, Ioannis Pliatsikas wrote:
>>
>> Very sorry for bothering you again
>>
>> although i get the redirection from the router to squid, using tcpdump
>> (10.72.192.61 test internal address)
>>
>> 11:38:37.956330 IP 199.47.218.151.80 > 10.72.192.61.50690: Flags [S.],
>> seq 1048613649, ack 1347334415, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:38.399796 IP 10.72.192.61.50697 > 199.47.218.151.80: Flags [S], seq
>> 3043000771, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length
>> 0
>> 11:38:38.399880 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.],
>> seq 3389808826, ack 3043000772, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:39.756353 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.],
>> seq 3389808826, ack 3043000772, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:41.356350 IP 176.9.44.80.80 > 10.72.192.61.50693: Flags [S.], seq
>> 326259738, ack 1299448389, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:41.409101 IP 10.72.192.61.50697 > 199.47.218.151.80: Flags [S], seq
>> 3043000771, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length
>> 0
>> 11:38:41.409164 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.],
>> seq 3389808826, ack 3043000772, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:41.556343 IP 176.9.44.80.80 > 10.72.192.61.50694: Flags [S.], seq
>> 2634200113, ack 3423797704, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:41.756336 IP 199.47.218.151.80 > 10.72.192.61.50697: Flags [S.],
>> seq 3389808826, ack 3043000772, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:41.756362 IP 209.85.148.139.80 > 10.72.192.61.50695: Flags [S.],
>> seq 2040290141, ack 953271924, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>> 11:38:42.356340 IP 209.85.148.139.80 > 10.72.192.61.50696: Flags [S.],
>> seq 69242255, ack 3941278742, win 14600, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 4], length 0
>>
>>
>> i still can't get linux to redirect to squid (port 8080), access.log is
>> empty
>>
>> i use the following iptables
>>
>> -
>> # Generated by iptables-save v1.4.12.1 on Wed Jul 25 11:36:37 2012
>> *filter
>> :INPUT ACCEPT [105007:140596865]
>> :FORWARD ACCEPT [3:120]
>> :OUTPUT ACCEPT [212743:136992211]
>> -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>> COMMIT
>> # Completed on Wed Jul 25 11:36:37 2012
>> # Generated by iptables-save v1.4.12.1 on Wed Jul 25 11:36:37 2012
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :INPUT ACCEPT [1254:65132]
>> :OUTPUT ACCEPT [118:7345]
>> :POSTROUTING ACCEPT [0:0]
>> -A PREROUTING -d $SQUID_IP -i eth0 -p tcp -j ACCEPT
>> -A PREROUTING -s $NETWORK_SPACE -i eth0 -p tcp -m tcp --dport 80 -j
>> REDIRECT --to-ports 8080
>> -A POSTROUTING -j MASQUERADE
>> COMMIT
>> # Completed on Wed Jul 25 11:36:37 2012
>>
>> ---
>>
>> Catch is that i use l2 redirection, so source and destination is eth0, no
>> gre tunnel. Can it be done or should I create a virtual device and redirect
>> input from there?
>>
>>
>> Thank you in advance
>> John
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya
>



--
Thank you
Indunil Jayasooriya
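
Added example, not part of the original thread: a Python triage for a capture like the one quoted above. It strips mail quote markers, rejoins wrapped tcpdump records, and reports client flows whose SYN-ACK is retransmitted while no answering segment from the client is seen; a handshake that never completes is never accepted by the proxy, so it leaves no access.log entry. The capture below is constructed and uses documentation addresses.

```python
import re
from collections import OrderedDict

# Constructed capture in tcpdump's default text format (not values from the
# thread). The first flow never completes; the second one does.
SAMPLE = """\
11:00:00.100000 IP 192.0.2.10.50697 > 198.51.100.7.80: Flags [S], seq 3000, win 8192, length 0
11:00:00.100080 IP 198.51.100.7.80 > 192.0.2.10.50697: Flags [S.], seq 9000, ack 3001, win 14600, length 0
11:00:01.500000 IP 198.51.100.7.80 > 192.0.2.10.50697: Flags [S.], seq 9000, ack 3001, win 14600, length 0
11:00:03.100000 IP 192.0.2.10.50697 > 198.51.100.7.80: Flags [S], seq 3000, win 8192, length 0
11:00:03.100070 IP 198.51.100.7.80 > 192.0.2.10.50697: Flags [S.], seq 9000, ack 3001, win 14600, length 0
11:00:05.000000 IP 192.0.2.11.40000 > 198.51.100.7.80: Flags [S], seq 100, win 8192, length 0
11:00:05.000050 IP 198.51.100.7.80 > 192.0.2.11.40000: Flags [S.], seq 700, ack 101, win 14600, length 0
11:00:05.000900 IP 192.0.2.11.40000 > 198.51.100.7.80: Flags [.], ack 1, win 8192, length 0
"""

REC_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
PKT = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def unwrap(text):
    """Strip '>' quote markers and rejoin records that a mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if REC_START.match(line):
            records.append(line)
        elif records:
            # Continuation of the previous record (e.g. a wrapped "length 0").
            records[-1] += " " + line
    return records


def handshakes(text):
    """Per client flow: SYN count, SYN-ACK count, and whether the client answered."""
    flows = OrderedDict()
    for rec in unwrap(text):
        m = PKT.match(rec)
        if not m:
            continue
        src, dst, flags = m.group("src"), m.group("dst"), m.group("flags")
        if "S" in flags:
            is_synack = "." in flags
            key = (dst, src) if is_synack else (src, dst)  # (client, server)
            flow = flows.setdefault(
                key, {"syn": 0, "synack": 0, "answered": False})
            flow["synack" if is_synack else "syn"] += 1
        elif "R" not in flags and (src, dst) in flows:
            # Any non-SYN, non-RST segment from the client means the
            # SYN-ACK reached it and the handshake went through.
            flows[(src, dst)]["answered"] = True
    return flows


def stalled_flows(text):
    """Flows with a retransmitted SYN-ACK and no answer from the client."""
    return [
        (client, server, f["syn"], f["synack"])
        for (client, server), f in handshakes(text).items()
        if f["synack"] >= 2 and not f["answered"]
    ]


if __name__ == "__main__":
    for client, server, syn, synack in stalled_flows(SAMPLE):
        print("stalled: %s -> %s  SYN x%d, SYN-ACK x%d, no client ACK"
              % (client, server, syn, synack))
```

A stalled flow says the reply path between the cache and the client needs checking before the REDIRECT rule or squid.conf does.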


Re: [squid-users] Squid + Cisco 4500 + WCCP2

2012-07-24 Thread Indunil Jayasooriya
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
>>> --to-port 8080
>>>
>>> to redirect all incoming traffic to squid port but access.log shows no 
>>> activity
>>>
>>>
>
>have you added this below rule ( if squid listens on port 8080 )
>
>   iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
>
>
>


--
Thank you
Indunil Jayasooriya


[squid-users] SSL Error 4:Attempted to connect using the (TLS V1.0 | SSL V3.0) protocol(s). The server rejected the connection

2012-01-20 Thread Indunil Jayasooriya
very often below error while accessing a Server. Sometimes, It is
possible to access. but very rarely. Without squid, We can access that
site via ADSL without any issue.



Squid version is - Squid Cache: Version 2.6.STABLE6 on CentOS 5 - 32bit

below is the error.  Any clue to solve it?

SSL Error 4:Attempted to connect using the (TLS V1.0 | SSL V3.0)
protocol(s). The server rejected the connection




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] website issue

2011-09-13 Thread Indunil Jayasooriya
>>
>> Forbidden
>>
>> You don't have permission to access / on this server.
>>
>> Additionally, a 500 Internal Server Error error was encountered while
>> trying to use an ErrorDocument to handle the request.
>>
>>
>> could you pls help me to solve this issue ?
>>
>
> Appears to be an Apache configuration error. Contact the website
> administrator about that. They are the only one who can help you.


Thanks for your reply.  I will contact them. any way, could you pls
let me know, how can we access this same website without squid.


and also, how can we access it with squid 2.7 stable 9  on OpenBSD 4.8
64 bit. it also has negative_ttl 5 minutes

but, it is commented in this way.


#negative_ttl 5 minutes






-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] website issue

2011-09-13 Thread Indunil Jayasooriya
>>
>>
>> we can access it without squid. what could be the issue... ?
>>
>
> Squid has a 403 error page cached for that URL. Before you ask, yes, error
> pages are allowed to be cached when the webmaster has explicitly enabled
> caching of them. This might be one of those times.
>
> Check that negative_ttl is set to 0 (may require the unit seconds as well).
> Any other value results in errors such as that being cached against the
> webmasters specifications and best-practice recommendations.


by default , negative_ttl is disabled in this way.


# negative_ttl 5 minutes

then , I changed it to

negative_ttl 0 seconds


Now, access log shows this
 TCP_MISS/403 653 GET http://www.go2uti.com/ - DIRECT/196.4.59.53 text/html
 TCP_MISS/403 664 GET http://www.go2uti.com/favicon.ico -
DIRECT/196.4.59.53 text/html
 TCP_MISS/403 664 GET http://www.go2uti.com/favicon.ico -
DIRECT/196.4.59.53 text/html



and , I get below error on the web browser


Forbidden

You don't have permission to access / on this server.

Additionally, a 500 Internal Server Error error was encountered while
trying to use an ErrorDocument to handle the request.


could you pls help me to solve this issue ?



-- 
Thank you
Indunil Jayasooriya
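
Added example, not part of the original thread: a Python pass over access.log that separates an error served from Squid's negative cache (`TCP_NEGATIVE_HIT`, hierarchy `NONE/-`) from one fetched from the origin (`TCP_MISS` with `DIRECT/<ip>`), which is the difference between the two log excerpts in this thread. The log lines and host names are constructed; the verdict labels are this example's own.

```python
import re
from collections import OrderedDict

# Constructed access.log lines in Squid's native format. BEFORE is the state
# with negative caching active, AFTER is the state with negative_ttl 0 seconds.
BEFORE = """\
1315900000.123     12 192.0.2.10 TCP_NEGATIVE_HIT/403 659 GET http://www.example.test/ - NONE/- text/html
1315900010.500     95 192.0.2.11 TCP_MISS/200 5120 GET http://ok.example.test/ - DIRECT/198.51.100.8 text/html
"""
AFTER = """\
1315900300.456    210 192.0.2.10 TCP_MISS/403 653 GET http://www.example.test/ - DIRECT/198.51.100.7 text/html
1315900301.001    180 192.0.2.10 TCP_MISS/403 664 GET http://www.example.test/favicon.ico -
DIRECT/198.51.100.7 text/html
"""

# Anchored on the "CODE/status" token so it also works on excerpts that lost
# the leading timestamp columns; \s+ tolerates entries wrapped by a mailer.
ENTRY = re.compile(
    r"(?P<code>[A-Z]+(?:_[A-Z]+)*)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
)


def error_sources(text):
    """Map each URL that returned >= 400 to the places the error came from."""
    seen = OrderedDict()
    for m in ENTRY.finditer(text):
        if int(m.group("status")) < 400:
            continue
        if m.group("code") == "TCP_NEGATIVE_HIT":
            source = "negative-cache"
        elif m.group("hier") == "NONE":
            # No server was contacted: a cached object or a locally
            # generated error page.
            source = "local"
        else:
            source = "upstream:" + m.group("peer")
        seen.setdefault(m.group("url"), set()).add((m.group("status"), source))
    return OrderedDict((url, sorted(v)) for url, v in seen.items())


def verdict(sources):
    """Collapse the sources seen for one URL into a single finding."""
    kinds = {src.split(":", 1)[0] for _status, src in sources}
    if "upstream" in kinds:
        # The server itself answered the proxy with the error, so no cache
        # setting will change the result.
        return "upstream-error"
    if kinds == {"negative-cache"}:
        # Only the cached copy was seen; the server was not asked again.
        return "negative-cache-only"
    return "local"


def report(text):
    return OrderedDict(
        (url, verdict(src)) for url, src in error_sources(text).items())


if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        for url, finding in report(log).items():
            print(label, url, finding)
```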


[squid-users] website issue

2011-09-13 Thread Indunil Jayasooriya
hi,

I need expert advice

we can't access
www.go2uti.com from our squid 2.6.STABLE6 on CentOS 5

this is the log .


 TCP_NEGATIVE_HIT/403 659 GET
http://www.go2uti.com/ - NONE/- text/html



we can access it without squid. what could be the issue... ?





--
Thank you
Indunil Jayasooriya


Re: [squid-users] Problem compiling Squid 3.1.11 or 3.1.12 on OpenBSD 4.8

2011-04-21 Thread Indunil Jayasooriya
On Thu, Apr 21, 2011 at 1:54 PM, EzyMike  wrote:
> Hi!
>
> I have a problem compiling squid 3.1.11 or 3.1.12 on a OpenBSD 4.8 box.
> When preparing to replace a OpenBSD 4.6 box with a 4.8, the compilation of
> squid brings this error:
>
>   Making all in lib
>   cc1: warnings being treated as errors
>   In file included from ../include/util.h:49,
>      from base64.c:6:
>   /usr/include/arpa/inet.h:74:warning 'struct in_addr' declared inside
> parameter list

these may help

http://www.mail-archive.com/squid-users@squid-cache.org/msg78443.html


http://www.mail-archive.com/squid-users@squid-cache.org/msg78501.html











-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-19 Thread Indunil Jayasooriya
>
> 3.2 will not mark the traffic and do any of the special transparent traffic
> handling unless one of the NAT lookups functions returns true. Just relying
> on the default getsockname() is not sufficient to mark the traffic for
> special handling.
>
> Fortunately the "ipfw" NAT lookup does what the new PF version apparently
> needs. The --enable-ipfw-transparent should work as a temporary measure.

with --enable-ipfw-transparent, it works with already known this below error.

Intercept.cc(305) PfInterception: PF open failed: (13) Permission denied



> I would like to fix this so --enable-pf-transparent properly detects and
> handles the version of PF available. Are you able to find out how I could do
> that please?

Will I have to do something from my end ?






-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-19 Thread Indunil Jayasooriya
On Tue, Apr 19, 2011 at 1:05 PM, Indunil Jayasooriya wrote:
>
>>> Now, we have to use
>>>
>>> divert-to instead of rdr-to  in pf.conf
>>>
>>>
>>> Pls read below URL where you get the real thing in regard to it. It
>>> was replied by OpenBSD developer Reyk Floeter.
>>>
>>>
>>> http://www.mail-archive.com/misc@openbsd.org/msg101469.html
>>>
>>
>> Aha! so PF provides getsockname() now. That means it will require the
>> ./configure --enable-ipfw-transparent option to Squid.
>
>
> Hi, sorry for the delay in replying.
>
>
> I changed from http_port 3129 intercept to http_port 127.0.0.1:3129
> intercept in squid.conf file.
>
> Here's the rule in pf.conf
>
> pass in log on $int_if proto tcp from $lan_net to any port 80 \
>     divert-to 127.0.0.1 port 3129
>>
>
> here's config option, it is with --enable-ipfw-transparent
>
>
> Squid Cache: Version 3.2.0.6
> configure options:  '--datadir=/usr/local/share/squid' '--enable-arp-acl'
> '--enable-basic-auth-helpers=NCSA' '--enable-digest-auth-helpers=password'
> '--enable-delay-pools' '--enable-external-acl-helpers=ip_user'
> '--enable-forw-via-db' '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-ipfw-transparent' '--enable-removal-policies=lru' '--enable-ssl'
> '--enable-storeio=aufs' '--with-pthreads' '--localstatedir=/var/squid'
> '--prefix=/usr/local' '--sysconfdir=/etc/squid' '--mandir=/usr/local/man'
> '--infodir=/usr/local/info' --enable-ltdl-convenience
>
>
> Now, I can access internet. But, I still get this error.
>
> 2011/04/19 17:55:18 kid1| Intercept.cc(305) PfInterception: PF open failed:
> (13) Permission denied
>
>
> then, I recompiled without --enable-ipfw-transparent ( Now it is without
> both --enable-pf-transparent and --enable-ipfw-transparent)
>
> still , I can access internet. But, Still I get below error.
>
> 2011/04/19 18:26:44 kid1| Intercept.cc(305) PfInterception: PF open failed:
> (13) Permission denied
>
>
>
>
> any comments are welcome from your end.
>
>
>
> thanks a lot.
>




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid Icons screw-up

2011-04-11 Thread Indunil Jayasooriya
> Those of you affected will have to manually move the icons folder as a whole
> from /var/www/squid/icons to /usr/share/squid/icons (or your OS equivalent)
> when moving on to future releases.


in mine , Openbsd,

# pwd
/var/squid

# ls -ld www/squid/icons/*

-rw-r--r--  1 root    _squid   443 Apr 11 17:29 www/squid/icons/SN.png
drwxr-xr-x  2 _squid  _squid  1536 Apr 11 17:29 www/squid/icons/silk


there it goes,

# mv www/squid/icons /usr/local/share/squid/


# ls -al /usr/local/share/squid/

total 84
drwxr-xr-x   4 root  wheel    512 Apr 11 18:16 .
drwxr-xr-x  17 root  wheel    512 Apr  7 21:03 ..
drwxr-xr-x  46 root  wheel   2560 Apr 11 17:29 errors
drwxr-xr-x   3 root  wheel    512 Apr 11 17:29 icons
-rw-r--r--   1 root  wheel  30845 Apr 11 17:29 mib.txt



-- 
Thank you
Indunil Jayasooriya


[squid-users] Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-10 Thread Indunil Jayasooriya
> updated. Pls see below.
>
> pass in log on $int_if proto tcp from $lan_net to any port 80 \
>    divert-to 127.0.0.1 port 3129
>
>
> but, still no luck. any comments ?


squid developer in squid mailing list said the below,


Aha! so PF provides getsockname() now. That means it will require the
./configure --enable-ipfw-transparent option to Squid.

so, I configured with

 ./configure --enable-ipfw-transparent

here's the URL where We discussed

http://www.mail-archive.com/squid-users@squid-cache.org/msg78526.html


But, still no success.

Where have I gone wrong?




-- 
Thank you
Indunil Jayasooriya


[squid-users] Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-10 Thread Indunil Jayasooriya
Hi reyk,

many thanks for the reply.


> - revert /dev/pf to the old 0600 permissions

reverted. Now it is set to default. pls see below.

# ls -al /dev/pf

crw-------  1 root  wheel   73,   0 Apr  1 19:30 /dev/pf



> - recompile squid _without_ --enable-pf-transparent (disable it)

recompiled without --enable-pf-transparent

pls see squid configuration option ( Now, no --enable-pf-transparent option)

# squid -v

Squid Cache: Version 3.2.0.6

configure options:  '--datadir=/usr/local/share/squid'
'--enable-arp-acl' '--enable-basic-auth-helpers=NCSA'
'--enable-digest-auth-helpers=password' '--enable-delay-pools'
'--enable-external-acl-helpers=ip_user' '--enable-forw-via-db'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-removal-policies=lru' '--enable-ssl' '--enable-storeio=aufs'
'--with-pthreads' '--localstatedir=/var/squid' '--prefix=/usr/local'
'--sysconfdir=/etc/squid' '--mandir=/usr/local/man'
'--infodir=/usr/local/info' --enable-ltdl-convenience


> - update your pf.conf to use divert-to instead of rdr-to

updated. Pls see below.

pass in log on $int_if proto tcp from $lan_net to any port 80 \
divert-to 127.0.0.1 port 3129


but, still no luck. any comments ?





-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-09 Thread Indunil Jayasooriya
> anyway. for the /dev/pf thing, I will come back with an update


As I said, below two commands NOT good at all.

# chgrp _squid /dev/pf
# chmod g+rw /dev/pf

Now, we have to use

divert-to instead of rdr-to  in pf.conf


Pls read below URL where you get the real thing in regard to it. It
was replied by OpenBSD developer Reyk Floeter.


http://www.mail-archive.com/misc@openbsd.org/msg101469.html


I am home now, I am going to office on monday. then, I will do
accordingly and update you.



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Indunil Jayasooriya
>> patch -p0<  /PATH/TO/bug3185_mk2.patch
>
> Exactly correct.
>
> Being in the base folder of your squid sources when running it
> (/root/software/squid-3.2.0.6/)

DONE. performed below steps.



first,

did cd to /root/software/squid-3.2.0.6/compat/os

backed up as follows.

cp openbsd.h  openbsd.h.orig


then,

did cd to /root/software/squid-3.2.0.6


patch -p0 <  /tmp/bug3185_mk2.patch

Pls see the output.

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--
|=== modified file 'compat/os/openbsd.h'
|--- compat/os/openbsd.h2010-11-21 04:40:05 +
|+++ compat/os/openbsd.h2011-04-08 08:10:12 +
--
Patching file compat/os/openbsd.h using Plan A...
Hunk #1 succeeded at 30.
Hmm...  Ignoring the trailing garbage.
done

It worked didn't it? I think yes. your comments are welcome...

then,

# cd /root/software/squid-3.2.0.6/compat/os

# diff openbsd.h openbsd.h.orig

33,40d32
< /* OpenBSD requires netinet/in.h before arpa/inet.h */
< #if HAVE_NETINET_IN_H
< #include 
< #endif
< #if HAVE_ARPA_INET_H
< #include 
< #endif
<
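Review bot: both `#include` lines in this block sit behind HAVE_NETINET_IN_H and HAVE_ARPA_INET_H, so the ordering fix only applies where those macros are already defined when compat/os/openbsd.h is read. Worth confirming that the configure-generated header is always included ahead of this one, and that no source file reaches arpa/inet.h by another route first, since that file would still see the two headers in the wrong order.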


anyway , now the full contents of openbsd.h is as follows.

# cat openbsd.h

#ifndef SQUID_OS_OPENBSD_H
#define SQUID_OS_OPENBSD_H

#ifdef _SQUID_OPENBSD_

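/****************************************************************************
 *--------------------------------------------------------------------------*
 * DO *NOT* MAKE ANY CHANGES below here unless you know what you're doing...*
 *--------------------------------------------------------------------------*
 ****************************************************************************/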

/*
 * Don't allow inclusion of malloc.h
 */
#if HAVE_MALLOC_H
#undef HAVE_MALLOC_H
#endif

/*
 *   This OS has at least one version that defines these as private
 *   kernel macros commented as being 'non-standard'.
 *   We need to use them, much nicer than the OS-provided __u*_*[]
 */
//#define s6_addr8  __u6_addr.__u6_addr8
//#define s6_addr16 __u6_addr.__u6_addr16
#define s6_addr32 __u6_addr.__u6_addr32

/* OpenBSD also hide v6only socket option we need for comm layer. :-( */
#if !defined(IPV6_V6ONLY)
#define IPV6_V6ONLY 27 // from OpenBSD 4.3 headers. (NP: does not match non-BSD OS values)
#endif

/* OpenBSD requires netinet/in.h before arpa/inet.h */
#if HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#if HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif

#endif /* _SQUID_OPENBSD_ */
#endif /* SQUID_OS_OPENBSD_H */



That's all for that patch. I think U r ok.



anyway. for the /dev/pf thing, I will come back with an update



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Indunil Jayasooriya
>
> Thank you. This is being tracked in
> http://bugs.squid-cache.org/show_bug.cgi?id=3185
>
> Can you test the patch I've added there please?


I downloaded the file. is it bug3185_mk2.patch isn't it?

This is the PATH of the file include/util.h

/root/software/squid-3.2.0.6/include/util.h

May I ask how can I patch it?

is it something like

patch -p0 < /PATH/TO/bug3185_mk2.patch

or another way?  I want to try. Pls help me to go ahead.


>> cache_effective_user    _squid
>
> Can be replaced by a configure option:
>  --with-default-user=_squid

ok, I will configure and try again...

>> cache_effective_group   _squid
>
> Remove cache_effective_group.
> Assign user _squid to group _squid instead (must be done anyways).

i have already like this ..

# id _squid
uid=515(_squid) gid=515(_squid) groups=515(_squid)

further, if u need.

my /etc/passwd

_squid:*:515:515:SquidAccount:/nonexistent:/sbin/nologin


my  /etc/group

_squid:*:515:

what else? Welcome your comments.


>> # Define the access log format
>> logformat squid  %ts.%03tu %6tr %>a %Ss/%03>Hs %> %mt

below was my first log format line

logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %Hs" instead.


then, I changed %03Hs to %03>Hs. Then, no complain.

is %03>Hs ok?


> 3.2 should be complaining about that alteration to the default ... is it?

yes.

pls see , That's what i mentioned before.

2011/04/08 16:25:54 kid1| WARNING: The "Hs" formatting code is
deprecated. Use the ">Hs" instead.



>> permision of  /dev/pf
>>
>> crw-------  1 root  wheel   73,   0 Apr  1 19:30 /dev/pf
>>
>
> Is wheel the usual group for /dev/pf?

yes. the same on my other OpenBSD box running squid 2.7.9.

Pls see if u need.

# squid -v
Squid Cache: Version 2.7.STABLE9

# ls -al /dev/pf
crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf

# tail -f /var/squid/logs/cache.log

2011/04/08 14:26:24| 0 Objects expired.
2011/04/08 14:26:24|   351 Objects cancelled.
2011/04/08 14:26:24| 0 Duplicate URLs purged.
2011/04/08 14:26:24| 0 Swapfile clashes avoided.
2011/04/08 14:26:24|   Took 1.2 seconds (5811.2 objects/sec).
2011/04/08 14:26:24| Beginning Validation Procedure
2011/04/08 14:26:24|   Completed Validation Procedure
2011/04/08 14:26:24|   Validated 6608 Entries
2011/04/08 14:26:24|   store_swap_size = 92128k
2011/04/08 14:26:25| storeLateRelease: released 0 objects

no problem at all with squid 2.7.9


> I would expect some other less privileged group has read access to /dev/pf.
> You then add the _squid user as a member of that low-privilege group.

I did below steps. I think I will have to look in to it. I think I
should discuss with OpenBSD mailing list in regard to this as they are
secure by default. I love their Philosophy very much.


# chgrp _squid /dev/pf
# chmod g+rw /dev/pf


after this , pls see cache.log  , no complain in regard to pf as before.


# tail -f /var/squid/logs/cache.log

2011/04/08 20:30:04 kid1| 0 Objects expired.
2011/04/08 20:30:04 kid1| 7 Objects cancelled.
2011/04/08 20:30:04 kid1| 0 Duplicate URLs purged.
2011/04/08 20:30:04 kid1| 0 Swapfile clashes avoided.
2011/04/08 20:30:04 kid1|   Took 0.04 seconds (25798.56 objects/sec).
2011/04/08 20:30:04 kid1| Beginning Validation Procedure
2011/04/08 20:30:04 kid1|   Completed Validation Procedure
2011/04/08 20:30:04 kid1|   Validated 2117 Entries
2011/04/08 20:30:04 kid1|   store_swap_size = 8998
2011/04/08 20:30:05 kid1| storeLateRelease: released 0 objects


That's all I can tell you. sorry for the long mail. I think step by
step info may be very helpful.

anyway, Pls let me know how to patch. I love it, then, for next
releases on OpenBSD, I can try.


hope 2 hear from you.



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-08 Thread Indunil Jayasooriya
>
> The problem is that netinet/in.h must be included before arpa/inet.h in
> include/util.h (at least for 3.1.11). Just add
> #include <netinet/in.h> before the #include <arpa/inet.h> line in this
> file. At least that fixed the same problem with Squid 3.1.11 on OpenBSD 4.9.

Thanks for your help. Sorry for the delay in replying.

As said, I added the below 2 lines to include/util.h file

#include 
#include 

then. configure with below options


Squid Cache: Version 3.2.0.6

configure options:  '--datadir=/usr/local/share/squid'
'--enable-arp-acl' '--enable-basic-auth-helpers=NCSA'
'--enable-digest-auth-helpers=password' '--enable-delay-pools'
'--enable-external-acl-helpers=ip_user' '--enable-forw-via-db'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-pf-transparent' '--enable-removal-policies=lru'
'--enable-ssl' '--enable-storeio=aufs' '--with-pthreads'
'--localstatedir=/var/squid' '--prefix=/usr/local'
'--sysconfdir=/etc/squid' '--mandir=/usr/local/man'
'--infodir=/usr/local/info' --enable-ltdl-convenience

then, did make and make install. it went fine.

I added below line to squid.conf file


http_port 3129 intercept

cache_mem 256 MB

cache_effective_user    _squid
cache_effective_group   _squid

# Define the access log format
logformat squid  %ts.%03tu %6tr %>a %Ss/%03>Hs %

Re: [squid-users] Problems with transparancy and pf

2011-04-06 Thread Indunil Jayasooriya
>
> Thank you. I've split the wiki examples we have for PF into separate OpenBSD
> and FreeBSD pages and added a new section for the altered OpenBSD syntax.
>
> Would any of you mind reading through and checking the texts? please?

yes

>  http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

OK , Thanks very much.



With Squid Cache: Version 2.7.STABLE9 on OpenBSD 4.8


I have below lines for transparency with PF


# macros
ext_if="em0"
int_if="em1"
lan_net="192.168.0.0/24"

# Default deny
block in log
block out log

antispoof quick for { lo $int_if $ext_if }

#These 2 are the rules for transparency with PF

pass in log on $int_if proto tcp from $lan_net to any port 80 \
rdr-to 127.0.0.1 port 3128

pass out log on $ext_if inet proto tcp from  $ext_if to any \
  port 80





-- 
Thank you
Indunil Jayasooriya


[squid-users] Fwd: squid-3.2.0.6 - make issue on OpenBSD 4.8 - 64 bit

2011-04-05 Thread Indunil Jayasooriya
/bin/sh ../libtool --tag=CC    --mode=compile gcc -DHAVE_CONFIG_H
-I.. -I../include -I../lib  -I../src -I../include    -I../libltdl
-Wall -Wpointer-arith -Wwrite-strings -Wmissing-prototypes
-Wmissing-declarations -Wcomments -Werror -pipe -D_REENTRANT  -MT
getfullhostname.lo -MD -MP -MF .deps/getfullhostname.Tpo -c -o
getfullhostname.lo getfullhostname.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I.. -I../include -I../lib
-I../src -I../include -I../libltdl -Wall -Wpointer-arith
-Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wcomments
-Werror -pipe -D_REENTRANT -MT getfullhostname.lo -MD -MP -MF
.deps/getfullhostname.Tpo -c getfullhostname.c  -fPIC -DPIC -o
.libs/getfullhostname.o
cc1: warnings being treated as errors
In file included from ../include/util.h:44,
 from getfullhostname.c:51:
/usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside
parameter list
/usr/include/arpa/inet.h:74: warning: its scope is only this
definition or declaration, which is probably not what you want
/usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside
parameter list
*** Error code 1

Stop in /root/software/squid-3.2.0.6/lib (line 589 of Makefile).
*** Error code 1

Stop in /root/software/squid-3.2.0.6/lib (line 708 of Makefile).
*** Error code 1

Stop in /root/software/squid-3.2.0.6 (line 433 of Makefile).






--
Thank you
Indunil Jayasooriya


Re: [squid-users] Problems with transparancy and pf

2011-03-29 Thread Indunil Jayasooriya
>>
>>
> This is my pf.conf that worked on the 7.2 system.

Some PF syntax has been changed since OpenBSD 4.7. One is rdr. Pls see this

http://www.openbsd.org/faq/upgrade47.html


So, when it comes to FreeBSD 8.2, I do NOT know, whether these syntax
are present. Pls check.



>
> proxy_services = "{ 21, 80 }"
> internal_net = "172.17.0.0/16"
> proxy = "127.0.0.1"
>
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services
> -> $proxy port 8080


since rdr syntax has been changed. this is the new since OpenBSD 4.7

for port 80

pass in log on $int_if proto tcp from $lan_net to any port 80 \
   rdr-to 127.0.0.1 port 8080

for port 21, since ftp-proxy is running on openBSD

pass in quick log on $int_if proto tcp from $lan_net to any port 21 \
rdr-to 127.0.0.1 port 8021


> I'm trying to use your example but I get a syntax error when trying to load.
> I'm aware of line feeds and have checked that there's none.
>
> pass in log on $int_if proto tcp from $internal_net to any port
> $proxy_services rdr -> $proxy port 8080

Pls replace like this and see.

pass in log on $int_if proto tcp from $internal_net to any port
80 rdr -> $proxy port 8080



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Problems with transparancy and pf

2011-03-29 Thread Indunil Jayasooriya
> I've now installed Freebsd 8.2-RELEASE on new hardware and I'm using my
> config from the 7.2 machine.
>
> My problem is that squid is not working with transparency. The browser
> traffic goes directly to the Internet.
>

If u r doing with PF, Can I have your pf rules?

I am doing squid 2.7.9 transparent with OpenBSD 4.8.


These are my PF rules.


# filter rules
block in log
pass out log


pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
rdr-to 127.0.0.1 port 3128


in squid.conf file

http_port  3128 transparent


acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

http_access allow localnet




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Problems with transparancy and pf

2011-03-29 Thread Indunil Jayasooriya
 Pls see below Urls


 http://forums.freebsd.org/showthread.php?t=16917

 http://forums.freebsd.org/showthread.php?t=14889


 http://forums.freebsd.org/showthread.php?t=10874




On Tue, Mar 29, 2011 at 3:32 PM, Leslie Jensen  wrote:
> Hello list.
>
> I've used squid together with pf for a while on a Freebsd 7.2-RELEASE
> machine.
>
>
> I've now installed Freebsd 8.2-RELEASE on new hardware and I'm using my
> config from the 7.2 machine.
>
> My problem is that squid is not working with transparency. The browser
> traffic goes directly to the Internet.
>
> Setting proxy in the browser works, so I believe squid is ok.
>
> My question is about which build options I must use?
>
> I've used the following:
> SQUID_KERB_AUTH                 X       (ON)
> SQUID_NIS_AUTH                  X       (ON)
> SQUID_IPV6      (Default)       X       (ON)
>
> SQUID_DELAY_POOLS               X       (ON)
> SQUID_SNMP                      X       (ON)
> SQUID_HTCP (CARP?)              X       (ON)
> SQUID_WCCP                      X       (ON)
> SQUID_IDENT                             (OFF)
> SQUID_IPFW                      X       (ON)
> SQUID_PF                        X       (ON)
> SQUID_AUFS (Default)            X       (ON)
> SQUID_KQUEUE                    X       (ON)
>
> Then I found this
> https://wiki.andrewmercer.net/index.php/Squid_-_Transparent_Proxy
>
> Where he suggests that even
> SQUID_IPFILTER                  X       (ON)
>
> Should be activated.
>
> I recompiled Squid3.1 with the above and now I get an error which I can
> understand because I do not have IPFilter installed/active.
>
> 
>
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> 2011/03/29 11:14:44| IpIntercept.cc(250) IpfInterception: NAT open failed:
> (2) No such file or directory
> _
>
> So when only pf is used, must I compile squid with IPFILTER and IPFW ?
>
> Thanks
>
> /Leslie
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Not reaching one site

2011-02-09 Thread Indunil Jayasooriya
>> >>
>> >> (101) Network is unreachable
>> >
>> >    Have you added DNS in your PCs ?  try to add and see
>
> What do you mean by this?
> My PCs are correctly resolving hostnames:
>
> C:\Documents and Settings\flavio>nslookup www.debian.org
> Server:  exchange.piramide.local
> Address:  172.16.16.254
>
> Nome:    www.debian.org
> Addresses:  86.59.118.148, 82.195.75.97
>
> F.
>

In squid.conf file, Pls search for the dns_nameservers directive and add it like this.


dns_nameservers 172.16.16.254




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Not reaching one site

2011-02-09 Thread Indunil Jayasooriya
>
>>
>> In both cases, when I use my browser in my LAN (whichever PC I use), I
>> get:
>>
>> (101) Network is unreachable
>
>    Have you added DNS in your PCs ?  try to add and see
>
>
>>
>
>
> --



--
Thank you
Indunil Jayasooriya


[squid-users] password policy

2009-10-23 Thread Indunil Jayasooriya
Hi ALL,

We have a proxy server running with ncsa_auth. We use htpasswd to
generate passwords. There is a requirement for a password policy where
we want to set a minimum and maximum number of characters, with both
characters and numbers. We need a web interface for that.

In addition to that, passwords should expire after a period (let's say 5
months). Before that, users should be informed.

Could you pls let me know the software we need to achieve the above
said requirements?


What about the Squid Users Manager pkg?





-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] FTP Error

2009-10-12 Thread Indunil Jayasooriya
>>
>> I try with Cuteftp , filezilla , these worked very well.  Only  IE  and
>> Firefox

How did you access?

Pls try below method

ftp://user:p...@www.domain.com


Fwd: [squid-users] FTP issues

2009-08-21 Thread Indunil Jayasooriya
Amos, i want to access www.icuh2009.org. Am using Filezilla. Not sure
what you mean by the connect method!


Pls try below  via firefox or IE


ftp://user:p...@www.icuh2009.org/



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] howto block audio/video streaming

2009-07-22 Thread Indunil Jayasooriya
Pls try this

acl magic_words url_regex -i .mp3 .mp4 .wmv .wave .mpeg .dat .ac3 .midi .rm
http_access deny magic_words

and type below command

squid -k reconfigure



On Wed, Jul 22, 2009 at 3:17 PM, Gopinath
Achari wrote:
> simply block based on extentions of files
>
> using url_pathregex
>
> On Tuesday 21 July 2009 16:13, Muhammad Sharfuddin wrote:
>> Squid 2.7 STABLE 5
>>
>> how can I block audio/video streaming via squid ?
>>
>> I have blocked a lot many streaming wesbites(like youtube) but I want to
>> block all of them.. and I think the best method is to block all types of
>> audio/video streaming rather then blocking websites(that are increasing
>> day-by-day)
>>
>> Regards
>> -ms
>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid is running but nothing happens

2009-06-10 Thread Indunil Jayasooriya
> I just realized I left out a major detail right after posting this.
>
> Even though I added the client machine's IP address to the ACL, the problem
> is I don't get ANY messages in the access or cache log files.

Is there a firewall running? If yes, pls disable it for a moment

 What is the O/S you use?




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid and TC - Traffic Shaping

2009-04-22 Thread Indunil Jayasooriya
On Wed, Apr 22, 2009 at 2:55 PM, Amos Jeffries  wrote:
> Wilson Hernandez - MSD, S. A. wrote:
>>
>> Hello.
>>
>> I was writing a script to control traffic on our network. I created my
>> rules with tc and noticed that it wasn't working correctly.
>>
>> I tried this traffic shaping on a linux router that has squid doing
>> transparent cache.
>>
>> When measuring the download speed on speedtest.net the download speed is
>> 70kbps when is supposed to be over 300kbps. I found it strange since
>> I've done traffic shaping in the past and worked but not on a box with
>> squid. I stopped the squid server and ran the test again and it gave me
>> the speed I assigned to that machine. I assigned different bw and the
>> test gave the correct speed.
>>
>> Have anybody used traffic shaping (TC in linux) on a box with squid? Is
>> there a way to combine both a have them work side by side?

About 2 years ago, I used the below script on a CentOS 4.4 box acting
as a firewall (iptables), router (iproute2) and squid 2.5 transparent
interception proxy.



#traffic shaping on eth1 - i.e: LAN INTERFACE (For Downloading). eth0 is connected to the Internet

INTERFAZ_LAN=eth1
FULLBANDWIDTH=256
BANDWIDTH4LAN=64

tc qdisc del root dev $INTERFAZ_LAN

tc qdisc add dev $INTERFAZ_LAN root handle 1: htb r2q 4
tc class add dev $INTERFAZ_LAN parent 1: classid 1:1 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_LAN parent 1:1 classid 1:10 htb rate "$BANDWIDTH4LAN"Kbit
tc qdisc add dev $INTERFAZ_LAN parent 1:10 handle 10: sfq perturb 10
tc filter add dev $INTERFAZ_LAN parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:10



192.168.100.0/24 is my LAN RANGE.

According to the above script, my FULL bandwidth was 256 kbit. I
allocated 64 kbit for downloading. It actually has NOTHING to do with
squid for me. ALL went fine with the iproute2 pkg.


> I am also seeking a TC expert to help several users already needing to use
> it with TPROXYv4 and/or WCCP setups.

I am NOT a tc expert. just a guy with an interest.





-- 
Thank you
Indunil Jayasooriya


Fwd: [squid-users] squid + clamav

2009-04-10 Thread Indunil Jayasooriya
I'm using HAVP as a cache peer and it is working quite nicely:


oh, yeah, I also tested several times. it worked very well.


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] set 'visible_hostname'

2009-02-20 Thread Indunil Jayasooriya
> FATAL: Could not determine fully qualified hostname. Please
> set 'visible_hostname'
>
> Squid Cache (Version 2.5.STABLE4): Terminated abnormally.
> CPU Usage: 0.020 seconds = 0.020 user + 0.000 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 252
> Aborted
>
>
> I don't Know what can I do

in squid.conf file , pls type

visible_hostname yourhostname

then, type below command

squid -k reconfigure


That's it





-- 
Thank you
Indunil Jayasooriya


[squid-users] How to deny ftp in squid.conf file

2009-02-18 Thread Indunil Jayasooriya
Hi,

Is there a way to block ftp access to some client ip addresses in
squid.conf file and the rest of users should be able to access ftp
sites

Let's assume I want to block ftp access to client ips such as
192.168.1.2, 192.168.1.4, 192.168.1.10  and the rest should be able to
access ftp sites.

What about ACLs  like below ?

acl ftp proto FTP
acl noftpips src 192.168.1.2 192.168.1.4 192.168.1.10
http_access allow ! noftpips

Your ideas ?






--
Thank you
Indunil Jayasooriya
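
The rule-ordering question in the post above, worked through as an added example (not part of the original post and not Squid's own code): a small Python model of http_access evaluation, in which the ACL names on one line are ANDed, the first matching line decides, and a request that matches no line gets the opposite of the last line's action. The function names, the `REVISED` configuration and the 192.168.1.0/24 LAN range are assumptions made for illustration; only the `src` and `proto` ACL types are modelled, and the post's `!` is written directly against the ACL name.

```python
import ipaddress

# Configuration from the post, with "!" attached to the ACL name.
PROPOSED = """
acl ftp proto FTP
acl noftpips src 192.168.1.2 192.168.1.4 192.168.1.10
http_access allow !noftpips
"""

# Assumed alternative (not from the thread): deny FTP for the listed
# clients, allow the rest of the LAN, and end with an explicit deny.
# "acl all" is spelled out as on Squid 2.x; the LAN range is an assumption.
REVISED = """
acl all src 0.0.0.0/0
acl ftp proto FTP
acl noftpips src 192.168.1.2 192.168.1.4 192.168.1.10
acl lan src 192.168.1.0/24
http_access deny ftp noftpips
http_access allow lan
http_access deny all
"""


def parse_config(text):
    """Return (acls, rules) from 'acl' and 'http_access' lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            # Repeated "acl NAME" lines extend one ACL; its values are ORed.
            known_kind, known_values = acls.setdefault(name, (kind, []))
            if known_kind != kind:
                raise ValueError(f"acl {name} redefined with another type")
            known_values.extend(values)
        elif words[0] == "http_access":
            action, terms = words[1], words[2:]
            if action not in ("allow", "deny"):
                raise ValueError(f"http_access needs allow or deny: {raw!r}")
            for term in terms:
                # This model rejects a bare "!" and any undefined ACL name.
                if term.lstrip("!") not in acls:
                    raise ValueError(f"undefined ACL in: {raw!r}")
            rules.append((action, terms))
    if not rules:
        raise ValueError("this model needs at least one http_access line")
    return acls, rules


def acl_matches(acl, request):
    """True if any value of the ACL matches the request."""
    kind, values = acl
    if kind == "src":
        client = ipaddress.ip_address(request["client"])
        return any(client in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "proto":
        return request["proto"].upper() in {v.upper() for v in values}
    raise ValueError(f"ACL type not modelled: {kind}")


def http_access(acls, rules, request):
    """First line whose terms all match decides; otherwise invert the last."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], request) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, client, proto):
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, {"client": client, "proto": proto})


if __name__ == "__main__":
    for label, cfg in (("proposed", PROPOSED), ("revised", REVISED)):
        for client in ("192.168.1.2", "192.168.1.50", "203.0.113.9"):
            for proto in ("HTTP", "FTP"):
                print(label, client, proto, decide(cfg, client, proto))
```

In this model the proposed line denies the three listed clients every protocol, not only FTP, and allows any other source address, including ones outside the LAN.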


Re: [squid-users] squid caching report

2009-01-16 Thread Indunil Jayasooriya
Hi ALL

Here is HOW to - Step by Step. I use this on Redhat/CentOS

SARG - Step by Step -


First install rpmforge-release RPM .

Then, perform below steps


[r...@worldnet ~]# yum install sarg
[r...@worldnet ~]# cd /etc/httpd/conf.d/
[r...@worldnet conf.d]# cp sarg.conf sarg.conf.orig
[r...@worldnet conf.d]# cat sarg.conf
Alias /sarg /var/www/sarg

<Directory /var/www/sarg>
  DirectoryIndex index.html
  Order deny,allow
  Deny from all
  Allow from all
</Directory>

[r...@worldnet conf.d]# /etc/init.d/httpd restart

Then,
[r...@worldnet ~]# cd /var/www/sarg/


Now, Edit words ONE-SHOT and One shot reports of index.html to reports
and reports (Every 30 minutes) as follows.

web-reports
  web-reports


Then,
[r...@worldnet sarg]# cd /etc/sarg/
[r...@worldnet sarg]# cp sarg.conf sarg.conf.orig
And edit, sarg.conf

Pls comment out below line as follows,
#output_dir /var/www/sarg/ONE-SHOT

and, Add below line.
output_dir /var/www/sarg/web-reports

Then, issue below command,
[r...@worldnet sarg]# /usr/bin/sarg
SARG: Records in file: 1514, reading: 100.00%

Then, touch
[r...@worldnet ~]# touch /var/www/sarg/sarg.cron

[r...@worldnet sarg]# cat /var/www/sarg/sarg.cron
#!/bin/bash
cd /var/www/sarg/web-reports
rm -rf *
/usr/bin/sarg

[r...@wolrdnet sarg]# chmod 755 /var/www/sarg/sarg.cron


Then,
[r...@worldnet ~]# cd /etc/cron.d
[r...@worldnet cron.d]# touch sarg
[r...@worldnet ~]# cat /etc/cron.d/sarg
0 15 * * * root /var/www/sarg/sarg.cron > /dev/null 2>&1

Then, issue below commands.
[r...@worldnet ~]# /etc/cron.daily/sarg
[r...@worldnet ~]# /etc/cron.weekly/sarg
[r...@worldnet ~]# /etc/cron.monthly/sarg


Now, Browse as follows.
http://192.168.101.25/sarg

That's it.



On Fri, Jan 16, 2009 at 2:58 PM, Andreev Nikita  wrote:
> Hi.
>
> You can use cacti but it's MRTG-like. The best tools I know for squid
> reports are sarg (which is rather popular) and lightsquid (it makes
> reports a lot faster but I don't know if it's popular outside Russia).
>
> Regards,
> LPIC-1, EMCPA
> Nikita Andreev
>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] How to exclude some ip addresses from squid access log(SOLVED)

2008-12-10 Thread Indunil Jayasooriya
Hi,

Thanks for all.

Added the below to the sarg.conf file to exclude ips. It works fine.

# TAG: exclude_string "string1:string2:...:stringn"
#  Records from access.log file that contain one of listed strings will be ignored.
#
exclude_string "192.1.54.2:192.1.54.9:192.1.54.34:192.1.54.43:192.1.54.65"







-- 
Thank you
Indunil Jayasooriya


[squid-users] How to exclude some ip addresses from squid access log.

2008-12-10 Thread Indunil Jayasooriya
Hi Everyone,

I have the need of monitoring squid web browsing . So I am going to
use sarg. It usually shows all the ip addresses.
I want to exclude the ip addresses of some managers from sarg.

So , I think If I can exclude those ips from squid access.log, It
would be a solution.

and also, Can I exclude ftp access to some ip addresses?

 Pls grant your advice.




-- 
Thank you
Indunil Jayasooriya


[squid-users] The requested URL was not found on this server - squid

2008-11-13 Thread Indunil Jayasooriya
Hi AlL,


I get below error while browsing a website.

its home page is

http://pathiranatimber.mine.nu

I get the homepage. (Sorry, I canNOT give username and password) -

When I give username and password, it will go to the following page

http://pathiranatimber.mine.nu/home.cgi

Then, it gives below error.

The requested URL was not found on this server

This is what access log says.


1226568643.800   1468 192.1.54.62 TCP_MISS/200 4485 GET
http://pathiranatimber.mine.nu/ - DIRECT/124.43.227.181 text/html
1226568644.134    805 192.1.54.62 TCP_MISS/200 938 GET
http://pathiranatimber.mine.nu/css.css - DIRECT/124.43.227.181
text/plain
1226568645.053    891 192.1.54.62 TCP_MISS/200 385 GET
http://pathiranatimber.mine.nu/jpg/arrow03.gif - DIRECT/124.43.227.181
image/gif
1226568645.361   1198 192.1.54.62 TCP_MISS/200 2164 GET
http://pathiranatimber.mine.nu/jpg/login_7.jpg - DIRECT/124.43.227.181
image/jpeg
1226568645.517   1354 192.1.54.62 TCP_MISS/200 2250 GET
http://pathiranatimber.mine.nu/jpg/login_5.jpg - DIRECT/124.43.227.181
image/jpeg
1226568645.791   1628 192.1.54.62 TCP_MISS/200 4119 GET
http://pathiranatimber.mine.nu/jpg/login_3.jpg - DIRECT/124.43.227.181
image/jpeg
1226568646.129   1075 192.1.54.62 TCP_MISS/200 4102 GET
http://pathiranatimber.mine.nu/jpg/login_8.jpg - DIRECT/124.43.227.181
image/jpeg


1226568657.218    809 192.1.54.62 TCP_MISS/200 367 POST
http://pathiranatimber.mine.nu/home.cgi - DIRECT/124.43.227.181
text/html



But, if I bypass squid, it works fine. This is a streaming video site.
But, remember, There is NO firewall running. All ports are open.

ANY ADVICE




-- 
Thank you
Indunil Jayasooriya


[squid-users] Vedio streming erros

2008-11-05 Thread Indunil Jayasooriya
Hi,

We want to go to the below website, which contains streaming video. We
get all the images there. But we will NOT get streaming video. If we
bypass squid, we get streaming video.

http://uticctv.mine.nu/index.htm

The above site has a user name and password. I cannot give it to you.
Sorry for that.

Anyway, This is squid version , Pls see below

 Squid Cache: Version 2.6.STABLE6


Your ideas expected




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Interception caching problems

2008-09-03 Thread Indunil Jayasooriya
Hi,


Pls fill the below variables with yours.
$LAN= Lan  ip range. example- 192.168.0.0/24
$INTERFAZ_INT= Interface connects to the Internet
$INTERFAZ_LAN= Interface connects to Lan
$LAN_IP of the squid box = Lan ip. example- 192.168.0.1

I use below rules for transparent interception on Linux.

#Enabling ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

#For squid traffic to Accept
iptables -A INPUT -d $LAN_IP -p tcp -s $LAN --dport 3128 -j ACCEPT

iptables -A FORWARD -p udp -s $LAN --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $LAN -m multiport --dports 20,21,22,25,43,53,80,443,110,143 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 20,21,22,25,43,53,80,443,110,143 -j ACCEPT

iptables -t nat -A POSTROUTING -p udp -o $INTERFAZ_INT -s $LAN --dport 53 -j SNAT --to-source $INT_IP
iptables -t nat -A POSTROUTING -p tcp -o $INTERFAZ_INT -s $LAN -m multiport --dports 20,21,22,25,43,53,80,443,110,143 -j SNAT --to-source $INT_IP

#Redirecting traffic destined to port 80 to port 3128
iptables -t nat -A PREROUTING -p tcp -i $INTERFAZ_LAN --dport 80 -j REDIRECT --to-port 3128


In addition to that, pls check your client PCs: their gateway and DNS servers


Re: [squid-users] squid https

2008-09-02 Thread Indunil Jayasooriya
> I am using Squid Cache: Version 2.6.STABLE18 and when i applied sslBump i
> got error. Can you use this option with the same version of mine ? I think
> you are using squid 3. I tried this option like this ;

I also use squid Version 2.6.STABLE18 from OpenBSD port tree as
transparent interception.

I think below may help you

http://wiki.squid-cache.org/Features/SslBump?highlight=%28C%7B1%7DategoryWish%29%7C%28C%7B1%7DategoryFeature%29%7C%28completed%29%7C%28Version...%3A.%2A3.1%29%7C%28Status...%3A%29%7C%28ETA...%3A%29

Happy Squiding

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid https

2008-09-01 Thread Indunil Jayasooriya
On Tue, Sep 2, 2008 at 11:30 AM, İsmail ÖZATAY <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to redirect https traffic to squid for days. 2 weeks ago i sent
> a post to this group and tried some advices but could not fix my problem. If
> i use server ip and squid port with any browser ( without redirecting https
> or ftp port with iptables ) it works ( both https and ftp ) but when i
> redirect https this error occurs ;
>
> 192.168.1.105 TCP_DENIED/400 2194 GET error:invalid-request - NONE/-
> text/html
>
> After that i used this advice  ;
>
> https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/private.pem
>
> Last i tried this one that does not work with squid on OpenBSD4.3 ;

I use OpenBSD 4.3

I think you are trying to redirect https and ftp.

Transparent interception of HTTPS traffic is (by design) not possible.
Squid 3HEAD includes a feature called sslbump

Pls visit below Urls

http://markmail.org/message/5d7rtqbhwwcivkkx?q=transparent+https&page=1&refer=vhkzezxg7n643ik2

http://markmail.org/message/mkgy5jjr6wdthi5k?q=transparent+https&page=1&refer=vhkzezxg7n643ik2



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid and squidguard

2008-08-26 Thread Indunil Jayasooriya
>> Also i saw that this is a commercial product. Do you know any free
>> software like this ?

 What about this?
Pls try

 http://www.shallalist.de/



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] parent proxy issue (SOLVED)

2008-08-19 Thread Indunil Jayasooriya
> > You have a typo in your ACL config. 192.168.0.0. is not an IP address. I'm
> > surprised your squid even starts.
>
> 192.168.0.0. is a mistake only in this mail. But, in squid.conf file I have 
> added correctly.
>
> Anyway, I have added a rule for transparent interception. I removed it. Now,
> It works.

--
Thank you
Indunil Jayasooriya


[squid-users] parent proxy issue

2008-08-19 Thread Indunil Jayasooriya
Hi,

I want to forward all the web traffic to a parent proxy.

I have given below lines in squid.conf file

cache_peer 192.168.0.3 parent 3128 0 no-query default
acl mynet src 192.168.0.0./24
http_access allow mynet
never_direct allow all

But. it does not work?

Both are squid 2.6 on RH EL 5

Any idea?


-- 
Thank you
Indunil Jayasooriya


[squid-users] squid is quite slow with Acls

2008-08-11 Thread Indunil Jayasooriya
Hi ,

My squid box became quite slow after adding ACLs. They use ncsa_auth.
Below are a few ACLs.


# These IPs have access to sites given in ACL paxarusers with password
acl paxarusers src 172.23.1.86
acl dstallowed4paxarusers dstdomain .paxaronline.com .dhl.com .dhl.com.lk
acl ncsa_users proxy_auth required
http_access allow paxarusers dstallowed4paxarusers ncsa_users
http_access deny paxarusers

# These IPS have access to sites given in ACL shipping with password
acl shipping src 172.23.1.73 172.23.1.88 172.23.1.95
acl dstallowed4shipping dstdomain .apl.com .hanjin.com .maersk.com .mpower-shipper.com .tradecard.com .onlanka.com .dhl.com .dhl.com.lk .wde.eserviceslanka.com .corporate.ndbbank.com .hsbcnet.com .slpa.lk
acl ncsa_users proxy_auth required
http_access allow shipping dstallowed4shipping ncsa_users
http_access deny shipping

# These IPS have access to sites given in ACL Nike with password
acl nike src 172.23.3.13 172.23.3.36 172.23.1.79 172.23.3.61 172.23.1.35 172.23.1.174 172.23.1.38 172.23.1.104
acl dstallowed4nike dstdomain .george.tactivity.com .nike.com .nikeconnect.com .google.com .google.lk .dhl.com .dhl.com.lk .averydennison.com
acl ncsa_users proxy_auth required
http_access allow nike dstallowed4nike ncsa_users
http_access deny nike

#these have FULL ACCESS without password
acl mynet src 172.23.0.0/255.255.0.0
http_access allow mynet

Is it because of the above ACLs?

Any advice is expected.





-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid not asking for authentication

2008-07-17 Thread Indunil Jayasooriya
> sorry i am new to this .. if only you could explain. or just give me some
> link where i can get knowledge abt this

Pls click below Urls

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-7cfff26a112769fccff8f4d507961cd27ebe5eac

http://www.squid-cache.org/mail-archive/squid-users/200708/0069.html

Hope , it may help



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] transparent intercepting proxy

2008-07-07 Thread Indunil Jayasooriya
>> no, it´s now possible without dns ... browser need to resolve address
>> to ip to start connections

 Thanks for your quick response. How can I achieve it?

 All clients use IE and firefox.

Hope to hear from you.

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] transparent intercepting proxy

2008-07-07 Thread Indunil Jayasooriya
On Mon, Jul 7, 2008 at 3:19 PM, Alexandre Correa
<[EMAIL PROTECTED]> wrote:
> no, it´s now possible without dns ... browser need to resolve address
> to ip to start connections

Thanks for your quick response. How can I achieve it?

All clients use IE and firefox.

Hope to hear from you.




-- 
Thank you
Indunil Jayasooriya


[squid-users] transparent intercepting proxy

2008-07-07 Thread Indunil Jayasooriya
Hi,

I have setup transparent intercepting proxy (squid 2.6 branch) in
RedHat EL5. It has 2 NICs. One is connected to router. The other is
connected to LAN. The clients' gateway is the LAN ip address of the proxy
server. Clients have 2 DNS entries. It works fine. If I remove the DNS
entries of the client PCs, it will NOT work.

Is it normal?

Without DNS entries in client PCs, is it possible to work?

Hope to hear from you.



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Question : Squid and iptables

2008-06-25 Thread Indunil Jayasooriya
>
> I have a linux server and 3 ethernet card installed and squid is working
> this server.
> I m using two ADSL lines. I m sharing these ADSL lines with iproute. But i
> have a problem.
> ADSL1 and ADSL2 users has a same real ip address. All 80 port request exit
> the one ADSL line.
> What kind of routing am i making this protocols (iptables and squid)?

Do you want to route port 80 (web) traffic via one ADSL line?

the rest of the traffic via the other?

if so, iptables and iproute2 can do it.

then, you need policy routing.


-- 
Thank you
Indunil Jayasooriya


Fwd: [squid-users] Setting a whitelist for ONE IP-Adress

2008-06-23 Thread Indunil Jayasooriya
Can you post me a default config with my three lines in it, so that
the IP-Adress is using the whitelist defined and any other IPs can
reach any site?

Try below lines


# Define the pc/ip, which has to squid later
acl pc101 src 192.168.100.101/255.255.255.255

# define the whitelist
acl whitelist url_regex -i "/squid/etc/whitelist.allow"

http_access deny pc101 !whitelist

then, create below file.

touch /squid/etc/whitelist.allow

and add below domains to that file.
.allowedsites1.com
.allowedsites2.com
.allowedsites3.com

#the rest has FULL ACCESS
acl mynet src 192.168.100.0/24
http_access allow mynet

restart squid

Happy Squiding



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Setting a whitelist for ONE IP-Adress

2008-06-23 Thread Indunil Jayasooriya
> I tried the following config lines:
>
> # Define the pc/ip, which has to squid later
> acl pc101 src 192.168.100.101/255.255.255.255
>
> # define the whitelist
> acl whitelist dstdomain   "/squid/etc/whitelist.allow"
>
> # define the pc to use the whitelist
> http_access pc101 whitelist

Pls add the word allow as follows

http_access allow pc101 whitelist


Happy squiding


-- 
Thank you
Indunil Jayasooriya


[squid-users] Re: Help with sarg usage

2008-06-17 Thread Indunil Jayasooriya
> In any case - the report seems to cover the whole period of the log. Even
> though the report is generates every 30 minutes - it appears to cover the
> whole squid log period.

YES

 Is there any way to restrict the report to a short
> period (say 1 hour) of within the coverage of the squid log.

I still do not know. I think it is good to send another mail with the
subject of "restrict access log to a short period (say 1 hour)"

Then, squid developers might be able to answer you.

go ahead to bring this to an end

Happy Squiding.
-- 
Thank you
Indunil Jayasooriya


[squid-users] Re: Help with sarg usage

2008-06-16 Thread Indunil Jayasooriya
The cron job seems to create a new report
> every 30 minutes - and delete the old one.

Yes, that's right.

The new report covers the full
> period (presumably) covered by the current squid log file - until the time
> the report is generated.

Yes, that's right.

I can't find a way to narrow down the time window
> of the report. I also can't find a way to make it cover further back than
> the current squid log file -

What do u mean ? do you need older data than the current report?

current crontab executes every 30 minutes and delete the old one. I
think if it does not delete the old one, I would be older than
current.

So just, try to have about 10 reports and delete from 11.

So , pls try below squid.cron

[EMAIL PROTECTED] ~]# cat /var/www/sarg/sarg.cron
#!/bin/sh
/usr/bin/sarg
cd /var/www/sarg/reports
rm -rf *.11

Pls try it out.


>
> I seem to have something in my /etc/cron.daily which rotates the squid
> access.log file at 4.02 am every morning.

May I have a look at that?


And also, have a look at these scripts.
I have not used these. Pls try and see. If you succeed, pls put a mail
to this mailing list, then others can benefit from them.

http://sarg.sourceforge.net/enhancements.php

http://sarg.sourceforge.net/zhaolei.txt

Happy Squiding

 --
Thank you
Indunil Jayasooriya


[squid-users] Re: Help with sarg usage

2008-06-16 Thread Indunil Jayasooriya
> Yes. That did help quite a bit. I had actually seen the link before from a
> google search - but hadn't studied it properly. It certainly explains my
> "forbidden" problem. I think I found a missing step though. The step by step
> instructions do not tell you to make sarg.cron executable - so the cron job
> wouldn't run until I corrected this.

Yeah, sarg.cron should be executable. So, Pls execute it in following way.

chmod 755 /var/www/sarg/sarg.cron

> It still leaves me with a few queries though:
> 1) I would like to be able to see what traffic flowed between (say) 13.00 on
> 13 June 2008 and 14:00 on 13th June 2008.

I think that it depends on the crontab.  my crontab @ step by step doc
displays every 5 minute execution. So, then, it has every 5 minute
data.

For example, crontab executes every 5 minutes.  Let's say 13 hrs ,
13.05 hrs, 13.10 hrs and so on.

> I haven't found a way to do this yet. Is it possible with Sarg? I am trying
> to find out what causes occasional large traffic bursts.

First, Pls get Sarg working. Then, begin to analyse.

> 2) Is there some more complete documentation somewhere? The man page refers
> to documentation in the "GNU info format". Where could I find this

Difficult to say.


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] iptables syntax

2008-06-15 Thread Indunil Jayasooriya
> I will run Squid on Linux OS, with transparent mode.
> Should I use iptables to do the http intercept?
> what's the iptables syntax? please help, thank you.

How many network card does this squid box have?

in squid.conf, Pls add below line

http_port 3128 transparent


This is the iptables rule

#Redirecting traffic destined to port 80 to port 3128
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3128

for more, pls visit below URL

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy


Happy Squiding

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Where are the ircache.net cgi for creating graphs?

2008-06-15 Thread Indunil Jayasooriya
What about this?

http://www.squid-cache.org/~wessels/squid-rrd/



On Sat, Jun 14, 2008 at 3:23 AM, Richard Hubbell
<[EMAIL PROTECTED]> wrote:
> Hello squid world,
>
> I was looking for the scripts that create the graphs on ircache.net, I found 
> everything but the cgi scripts.  Does anyone know where to get them?
>
> Or maybe there's another package that's preferred to make use of RRD for 
> Squid?
>
>
>
>
>
>



-- 
Thank you
Indunil Jayasooriya


[squid-users] Re: Help with sarg usage

2008-06-15 Thread Indunil Jayasooriya
Hi Richard,

I hope this may help you.

http://www.squid-cache.org/mail-archive/squid-users/200805/0172.html



On Sun, Jun 15, 2008 at 12:33 PM, Richard Chapman
<[EMAIL PROTECTED]> wrote:
> Hi
>
> I have sarg installed and working - but have not found much documentation
> other than the man pages - which are fairly brief.
>
> Can anyone help me with these issues with sarg.
>
> 1) It appears to only use the current squid log by default - and the
> documentation doesn't seem to tell me how I can get it to read several squid
> log files.
> 2) When I first installed it - and told it to place reports in
> /var/ww/html/sarg - I could browse the report fine as
> http://192.168.0.201/sarg - but for some reason - I now get a "Forbidden"
> error".
> 3) How do you access the reports at the default location: /var/www/sarg?
> 4) If I specify the "-t HH-HH" option to restrict the report to a time range
> - it doesn't seem to behave as I would expect. I get far less traffic
> reported than I would expect over the period. I can't find any way to check
> that it is reporting all the relevant traffic.
>
> Thanks
>
> Richard.
>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Web Usage Statistics by Client IP

2008-06-11 Thread Indunil Jayasooriya
Hi Richard,

Pls try sarg.

here is HOW to .

http://www.squid-cache.org/mail-archive/squid-users/200805/0172.html


On Wed, Jun 11, 2008 at 6:38 PM, Richard Chapman
<[EMAIL PROTECTED]> wrote:
> Hi
>
> I am new to Squid - but found it very easy to get going. I am running Squid
> 2.6 on Centos 5.1 Linux. and it works brilliantly.
>
> I was hoping to be able to track down the Bandwidth Usage Stats for
> individual client machines - to try to find out where all our bandwidth is
> going. I have found the Cache Manager Statistics Reports - but haven't found
> one with this info broken down by Client.
> Is it there somewhere in one of the report - or do I need some additional
> reporting tool?
>
> Thanks for the help.
>
> Richard.
>
>
>
>



-- 
Thank you
Indunil Jayasooriya
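
Per-client usage can also be read straight from Squid's native access.log, as in this added example (not from the thread, and not sarg's or Squid's code): it totals bytes per client IP inside a time window and leaves out a set of excluded clients. The sample log lines, addresses and function names are constructed for illustration; the field order is the native format (time, elapsed, client, result/status, bytes, method, URL, ident, hierarchy/peer, type).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format. It includes one
# line before the window, one exactly at its end, and one truncated line.
SAMPLE_LOG = """\
1213361990.120    180 192.168.0.10 TCP_MISS/200 5000 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1213362005.500    210 192.168.0.10 TCP_MISS/200 120000 GET http://example.com/a.iso - DIRECT/192.0.2.10 application/octet-stream
1213362100.250     15 192.168.0.10 TCP_HIT/200 3000 GET http://example.com/logo.png - NONE/- image/png
1213363000.000    900 192.168.0.20 TCP_MISS/200 700000 GET http://example.org/video.flv - DIRECT/192.0.2.20 video/x-flv
1213363500.750      2 192.168.0.2 TCP_DENIED/403 1400 GET http://example.net/ - NONE/- text/html
1213364000.100    300 192.168.0.2 TCP_MISS/200 50000 GET http://example.net/file.zip - DIRECT/192.0.2.30 application/zip
1213364500.000     12 192.168.0.20 TCP_MISS/200
1213365600.000     40 192.168.0.20 TCP_MISS/200 9999 GET http://example.org/ - DIRECT/192.0.2.20 text/html
"""


def epoch_utc(year, month, day, hour, minute=0):
    """Epoch seconds for a UTC wall-clock time (log timestamps are epoch)."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone.utc).timestamp()


def parse_line(line):
    """Parse one native-format record; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        when, elapsed_ms, size = float(parts[0]), int(parts[1]), int(parts[4])
    except ValueError:
        return None
    result, _, status = parts[3].partition("/")
    return {"time": when, "elapsed_ms": elapsed_ms, "client": parts[2],
            "result": result, "status": status, "bytes": size,
            "method": parts[5], "url": parts[6]}


def usage_by_client(lines, start=None, end=None, exclude=()):
    """Total requests and bytes per client for start <= time < end.

    'exclude' is compared with the whole client field, so excluding
    192.168.0.2 does not also drop 192.168.0.20, as a substring match would.
    Returns (totals, number_of_malformed_lines).
    """
    excluded = set(exclude)
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0, "hit_bytes": 0})
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if start is not None and rec["time"] < start:
            continue
        if end is not None and rec["time"] >= end:
            continue
        if rec["client"] in excluded:
            continue
        entry = totals[rec["client"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if "HIT" in rec["result"]:      # TCP_HIT, TCP_MEM_HIT, ...
            entry["hit_bytes"] += rec["bytes"]
    return dict(totals), malformed


def top_talkers(totals):
    """Clients ordered by bytes delivered, largest first."""
    return sorted(((c, t["bytes"]) for c, t in totals.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    start = epoch_utc(2008, 6, 13, 13)
    end = epoch_utc(2008, 6, 13, 14)
    totals, bad = usage_by_client(SAMPLE_LOG.splitlines(), start, end)
    for client, size in top_talkers(totals):
        print(f"{client:15} {size:>9} bytes {totals[client]['requests']} req")
    print("malformed lines:", bad)
```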


Re: [squid-users] help on performances

2008-06-11 Thread Indunil Jayasooriya
> Need some help on how to improve the performance of squid proxy.
>
> My problem is when I access any site directly it is faster but when used
> proxy its slow.

Pls try below command and see its output

squidclient mgr:info



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid 2.6 Access Log Not showing access to websites

2008-06-06 Thread Indunil Jayasooriya
>> On squid box, there is a utility Guarddog used for port forwarding. So
>> it forward all traffic on port 80 to Squid port 3128.
>
> I'd say your problem is here. You have port forwarded port 80 on the
> server itself to port 3128 on the server itself. Same as configuring
> Squid to listen on port 80 directly.

I think Henrik is right. Pls do not use such a GUI tool. Pls input
iptables commands by hand.

> What you need is a rule which intercepts (NAT:s)any outgoing traffic to
> port 80 on servers out on the Internet and redirect these to Squid. This
> is different from port 80 on the server itself.

Pls try below rules.

#on the squidbox, Open squidport (3128) for LAN ips
iptables -A INPUT -i eth0 -d ipofsquidbox -p tcp -s ipofLANs/24 --dport 3128 -j ACCEPT

#Redirecting traffic destined to port 80 to port 3128
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3128


Hope to hear from you.

Happy squiding

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid keeps rotating.

2008-06-05 Thread Indunil Jayasooriya
> In my squid.conf I have edited the line logfile_rotate 0
> so this should prevent squid from changing access.log to access.log.1

That's true

> However for some reason it keeps doing that. Squid needs to write to
> /var/log/squid/access.log since that is a named pipe that has a text
> processor behind it. Any idea why Squid is still doing this ?

How's the /etc/logrotate.d/squid file? This is JUST one.


Example of /etc/logrotate.d/squid

/var/log/squid/access.log {
  daily
  rotate 4
  copytruncate
  compress
  notifempty
  missingok
}

/var/log/squid/cache.log {
  daily
  rotate 4
  copytruncate
  compress
  notifempty
  missingok
}

/var/log/squid/store.log {
  daily
  rotate 4
  copytruncate
  compress
  notifempty
  missingok

  # This script asks squid to rotate its logs on its own.
  # Restarting squid is a long process and it is not worth
  # doing it just to rotate logs
  postrotate
  /usr/sbin/squid -k rotate
  endscript
}

As you can see, I use the /usr/sbin/squid -k rotate command to let
squid rotate his logs. You can issue this command everytime you feel
the need to.


I got it from below URL

http://linux.cudeso.be/linuxdoc/squid.php



Happy Squiding
-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] second squid proxy

2008-06-05 Thread Indunil Jayasooriya
>> On Tue, Jun 3, 2008 at 7:25 PM, Armend ALIAGA wrote:
>> > Hi all,
>> > I would be grateful if somebody could help me out on this issue,
>> > I have a squid proxy (i.e. IP 10.10.10.1) running wonderful up to now..
>> > I set up another squid proxy ... and the issue is that I don't know how to
>> > redirect all http requests from this one to the first proxy 10.10.10.1 without
>> > going directly to internet ? ( I'm not allowed to NAT 2 IP in the pix ?!?)
>> > I tried to do it with "cache peer parent 10.10.10.1 3128 3130" but I have
>> > an error when applying policy.
>> > thanks,
>>
>> pls try below.
>>
>> cache_peer 10.10.10.1 parent 3128 0 no-query default
>> acl all src 0.0.0.0/0.0.0.0
>> never_direct allow all
>>

May I get your network set up with ips, if possible?

I think it is like this.

clients ---> 2ndsquidproxy ---> 1stsquidproxy(its ip is 10.10.10.1)
--> Your firewall

Hope to hear from you.



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid 2.6 Access Log Not showing access to websites

2008-06-04 Thread Indunil Jayasooriya
On Thu, Jun 5, 2008 at 11:37 AM, Kirtimaan <[EMAIL PROTECTED]> wrote:
> Hello,
>
> There is one Eth in Squid Box.
>
> There is a DSL Router with IP 192.168.1.165
>
> Squid box is configured to access internet and DNS service using this IP.
>
> There are 4 windows XP systems connected to same network and they use Squid
> box IP as their gateway and DNS server address.
>
> so it is like
>
> WINDOW CLIENTS <=> SQUID BOX <=> DSL ROUTER.
>
> On squid box, there is a utility Guarddog used for port forwarding. So it
> forward all traffic on port 80 to Squid port 3128.
>
> Squid box also have apache webserver, but that is configured on port 8080.
> So if any one in network have to use intranet, we have to use like
> http://squidbox:8080.
>
> When squid is running and we try to access it like http://squidbox it shows
> a page
>
> ---
>* Access Denied.
>
>  Access control configuration prevents your request from being allowed
> at this time. Please contact your service provider if you feel this is
> incorrect.

have you added ACL in squid.conf

something like this.

acl our_networks src 192.168.1.0/24
http_access allow our_networks


Pls try it out

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid 2.6 Access Log Not showing access to websites

2008-06-04 Thread Indunil Jayasooriya
> To my surprise, I can use internet even when squid service is
> Thanks,
> Kirtimaan
>
> Amos Jeffries wrote:
>>down. So
> now it means that squid is not configured properly ?
>
> How I can verify this, please guide.

Could you pls draw your network diagram?

How many ethernet does squid box have?

Hope to hear from you.

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] second squid proxy

2008-06-04 Thread Indunil Jayasooriya
On Wed, Jun 4, 2008 at 2:48 PM, Armend ALIAGA <[EMAIL PROTECTED]> wrote:
> Hi ,
> thanks for your replies...
> if I check the mark in internet options to bypass proxy for local address 
> I'am able to get through our intranet and other local sites, and also if I 
> uncheck the mark won't browse intranet - which means that the second proxy 
> works fine...
> However I'am not able to browse internet ?
> any idea?

then, Pls add below

I assume your LAN is 192.168.1.0/24, if it is something else, Pls
change it accordingly

cache_peer 10.10.10.1 parent 3128 0 no-query default
acl lan src 192.168.1.0/24
http_access allow lan
never_direct allow all

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] second squid proxy

2008-06-03 Thread Indunil Jayasooriya
On Tue, Jun 3, 2008 at 7:25 PM, Armend ALIAGA <[EMAIL PROTECTED]> wrote:
> Hi all,
> I would be grateful if somebody could help me out on this issue,
> I have a squid proxy (i.e. IP 10.10.10.1) running wonderful up to now..
> I set up another squid proxy ... and the issue is that I don't know how to
> redirect all http requests from this one to the first proxy 10.10.10.1 without
> going directly to internet ? ( I'm not allowed to NAT 2 IP in the pix ?!?)
> I tried to do it with "cache peer parent 10.10.10.1 3128 3130" but I have an
> error when applying policy.
> thanks,

pls try below.

cache_peer 10.10.10.1 parent 3128 0 no-query default
acl all src 0.0.0.0/0.0.0.0
never_direct allow all



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] allow group 1 to access few sites and group 2 to access another group of sites

2008-06-02 Thread Indunil Jayasooriya
> is there a way using squid proxy to somehow allow certaint people to
> access some websites and another group of people access another group
> of websites?
>
> maybe some sort of authentication of some sort?

yes. I am running with ncsa_auth


pls add below lines to squid.conf file


 auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd


acl ncsa_users proxy_auth REQUIRED

acl group1 proxy_auth user1 user2 user3 user4 user5
acl group2 proxy_auth user6 user7
acl group3 proxy_auth user9 user11

acl DOMAINSLIST1 dstdomain .bbc.com .cnn.com
acl DOMAINSLIST2 dstdomain .google.com .yahoo.com .gmail.com
acl DOMAINSLIST3 dstdomain .bsd.org .openbsd.org .freebsd.org .redhat.com

http_access deny group1 !DOMAINSLIST1
http_access deny group2 !DOMAINSLIST2
http_access deny group3 !DOMAINSLIST3

http_access allow ncsa_users


then, using htpasswd file , pls add users as follows

[EMAIL PROTECTED] ~]# htpasswd /etc/squid/squid_passwd user1
New password:
Re-type new password:
Adding password for user user1

finally, Pls restart squid server.

That's it

Happy squiding


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Access-list domain and user

2008-06-02 Thread Indunil Jayasooriya
> I want to know if it's possible to have an ACL to grant a user to
> access a domain.
> My users are authenticated with LDAP.

Let's assume that user toto wants to have access to cnn.com .

Pls try below

> To grant access a user :

 acl prj1 proxy_auth toto
 acl  domains4toto dstdomain .cnn.com
 http_access allow prj1 domains4toto
 http_reply_access allow prj1 domains4toto
 http_access deny prj1



Just try it out.




-- 
Thank you
Indunil Jayasooriya
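
The first-match evaluation behind the two ACL answers above (the group1/group2/group3 rules and the toto rules), as an added example that is not part of the original posts or of Squid itself. It assumes every request is already authenticated and that the lines shown are the only http_access lines in squid.conf; ALLOWLIST_CONF, user8 and alice are constructed for illustration.

```python
"""Toy model of Squid http_access evaluation for the two ACL answers above.

Assumptions (not from the posts): every request is already authenticated, so
`user` is a verified username; only the proxy_auth and dstdomain ACL types
used in those snippets are supported; the snippet is the whole rule list.
"""

GROUP_CONF = """
acl ncsa_users proxy_auth REQUIRED
acl group1 proxy_auth user1 user2 user3 user4 user5
acl group2 proxy_auth user6 user7
acl group3 proxy_auth user9 user11
acl DOMAINSLIST1 dstdomain .bbc.com .cnn.com
acl DOMAINSLIST2 dstdomain .google.com .yahoo.com .gmail.com
acl DOMAINSLIST3 dstdomain .bsd.org .openbsd.org .freebsd.org .redhat.com
http_access deny group1 !DOMAINSLIST1
http_access deny group2 !DOMAINSLIST2
http_access deny group3 !DOMAINSLIST3
http_access allow ncsa_users
"""

# Constructed variant (not from the post): same ACLs, but each group is
# allowed only its own list and every other authenticated user is denied.
ALLOWLIST_CONF = "\n".join(
    l for l in GROUP_CONF.splitlines() if l.startswith("acl ")) + """
http_access allow group1 DOMAINSLIST1
http_access allow group2 DOMAINSLIST2
http_access allow group3 DOMAINSLIST3
http_access deny ncsa_users
"""

TOTO_CONF = """
acl prj1 proxy_auth toto
acl domains4toto dstdomain .cnn.com
http_access allow prj1 domains4toto
http_access deny prj1
"""


def parse(conf):
    """Return (acls, rules) from the acl / http_access lines of a config string."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            kind, values = acls.setdefault(tok[1], (tok[2], []))
            if kind != tok[2]:
                raise ValueError(f"acl {tok[1]} redefined with another type")
            values.extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            if tok[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {tok[1]}")
            rules.append((tok[1], tok[2:]))
    for _, terms in rules:
        for term in terms:
            if term.lstrip("!") not in acls:
                raise ValueError(f"undefined acl: {term}")
    return acls, rules


def acl_matches(acls, name, user, host):
    """True if the named ACL matches this authenticated user / destination host."""
    kind, values = acls[name]
    if kind == "proxy_auth":
        return "REQUIRED" in values or user in values
    if kind == "dstdomain":
        host = host.lower().rstrip(".")
        for v in (v.lower() for v in values):
            # A leading dot matches the domain itself and any subdomain.
            if host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)):
                return True
        return False
    raise ValueError(f"unsupported acl type: {kind}")


def decide(conf, user, host):
    """Return (action, rule_number); rule_number 0 means the implicit default."""
    acls, rules = parse(conf)
    for number, (action, terms) in enumerate(rules, 1):
        # All terms on one line are ANDed; '!' negates a single ACL.
        if all(acl_matches(acls, t.lstrip("!"), user, host) != t.startswith("!")
               for t in terms):
            return action, number
    if not rules:
        return "deny", 0
    # No line matched: the default is the opposite of the last line.
    return ("allow" if rules[-1][0] == "deny" else "deny"), 0


if __name__ == "__main__":
    cases = [("GROUP", GROUP_CONF, "user1", "www.cnn.com"),
             ("GROUP", GROUP_CONF, "user1", "mail.google.com"),
             ("GROUP", GROUP_CONF, "user8", "www.example.org"),
             ("ALLOWLIST", ALLOWLIST_CONF, "user8", "www.example.org"),
             ("TOTO", TOTO_CONF, "toto", "www.bbc.com"),
             ("TOTO", TOTO_CONF, "alice", "www.bbc.com")]
    for label, conf, user, host in cases:
        print(label, user, host, decide(conf, user, host))
```

In the group rules an account present in squid_passwd but listed in no group falls through to the final allow, and in the toto rules any other user reaches the implicit default; a squid.conf that continues with further http_access lines after these changes both results.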


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
I am GLAD to hear and am very happy about your effort in solving this ISSUE.

HAPPY squiding.



On Mon, Jun 2, 2008 at 1:57 PM, Edward Dam <[EMAIL PROTECTED]> wrote:
> Hello
>
> Thank you for all your help. I have figured out that it is actually
> related to DNS. When I put the intranet DNS server (from that other
> domain) in front of my own DNS server in resolv.conf, it now works
> through squid.
>
> Thank you again for all your help, and I apologize if I wasted your time.
>
> On Mon, Jun 2, 2008 at 4:18 PM, Indunil Jayasooriya <[EMAIL PROTECTED]> wrote:
>>> my laptop IP is 10.1.15.57.
>>>
>>> 10.1.15.240 is the LAN interface of the router. It is normally the
>>> gateway - however when I am using squid (transparent) the squid server
>>> becomes my gateway.
>>
>> Yeah,  Interesting.
>> Then, this is your network  setup
>>
>> if you bypass squid ,
>> your laptop -> Firewall -> intranet(www.example.com) it directs to
>> www2.example.com
>>
>> If you go via squid, this would be your network setup
>>
>> your laptop -> squid -> Firewall -> intranet(www.example.com) it
>> directs to www2.example.com
>>
>> I think 10.1.15.240 is the gateway of squid server. How many ethernet
>> does this squid server have?
>>
>> I think this is something that belongs to routing...
>>
>>
>> --
>> Thank you
>> Indunil Jayasooriya
>>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
> my laptop IP is 10.1.15.57.
>
> 10.1.15.240 is the LAN interface of the router. It is normally the
> gateway - however when I am using squid (transparent) the squid server
> becomes my gateway.

Yeah,  Interesting.
Then, this is your network  setup

if you bypass squid ,
your laptop -> Firewall -> intranet(www.example.com) it directs to
www2.example.com

If you go via squid, this would be your network setup

your laptop -> squid -> Firewall -> intranet(www.example.com) it
directs to www2.example.com

I think 10.1.15.240 is the gateway of squid server. How many ethernet
does this squid server have?

I think this is something that belongs to routing...


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
10.1.15.245  is the squid server. It resides on the LAN.

10.1.15.240 is the LAN interface

10.1.15.241 is connected to INTRANET

What is your laptop ip?

We know you (i.e your laptop) can access www2.example.com without squid.

Can you tracert to www2.example.com (NOT through squid)

I think 10.1.15.240 is the gateway of your LAPTOP

Pls come back to me...




>
> From my laptop (through squid)
>
>
>
> C:\Documents and Settings\edd>tracert www2.example.com
>
> Tracing route to 10.43.8.20 over a maximum of 30 hops
>
>   1    <1 ms    <1 ms    <1 ms  10.1.15.245  -- this is my squid server
>   2    <1 ms    <1 ms    <1 ms  10.1.15.240 -- this is our router - LAN interface
>   3     1 ms    <1 ms    <1 ms  10.1.15.241 --- this is the 2nd interface on the router, connected to the WAN (intranet, not internet)
>   4    11 ms    12 ms    13 ms  10.43.113.57
>   5     8 ms    13 ms    12 ms  10.43.112.2
>   6    13 ms    13 ms    13 ms  10.43.8.20
>
> Trace complete.
>
> C:\Documents and Settings\edd>
>
>
>
>
> On Mon, Jun 2, 2008 at 3:25 PM, Indunil Jayasooriya <[EMAIL PROTECTED]> wrote:
>>> No other logging for it.
>>
>> Thanks for your logs. I think that 10.43.8.20 is the server where
>> www2.example.com.
>>
>>
>> So far, We checked in two ways.  One way is without squid (Direct
>> connection). Then, It worked.
>>
>> What is this path,
>>
>> Is it via a firewall? Pls write down that PATH.
>>
>> The other PATH is via squid proxy. Then, It does not work.
>>
>> What is this PATH?
>>
>> I want to see reverse path filtering.
>>
>> hope to hear from you.
>> -
>> Thank you
>> Indunil Jayasooriya
>>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
> No other logging for it.

Thanks for your logs. I think that 10.43.8.20 is the server where
www2.example.com.


So far, We checked in two ways.  One way is without squid (Direct
connection). Then, It worked.

What is this path,

Is it via a firewall? Pls write down that PATH.

The other PATH is via squid proxy. Then, It does not work.

What is this PATH?

I want to see reverse path filtering.

hope to hear from you.
-
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-02 Thread Indunil Jayasooriya
> www2.example.com server is not my within my company. I cannot change
> the port on it

Again, pls disable both transparent intercept mode and dansguardian in squid.

Then, browse www.example.com via squid.

Pls give me the output of below command

tail -f /var/log/squid/access.log

and, also I need the output of below 2 apache logs of www.example.com
at the same time?

tail -f /var/log/httpd/access_log

tail -f /var/log/httpd/error_log

I think it is the easiest way to see what is going on there?


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-01 Thread Indunil Jayasooriya
> Yes, that is correct. If I bypass squid and go to www.example.com, it
> automatically redirects to www2.example.com:8098/login.aspx

OK, SOUNDS GOOD. i.e nothing wrong with webserver www.example.com

www2.example.com is running on port 8098. Can you change it to port 80
? Then, Pls browse www.example.com via squid.


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-01 Thread Indunil Jayasooriya
> When I take off transparent mode, the result is the same, it does not
> access (time out)

without squid, When you access www.example.com, does it redirect to
www2.example.com:8098/login.aspx ?

If yes, Webserver www.example.com is OK.


 Hope to hear from you.



Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-01 Thread Indunil Jayasooriya
On Mon, Jun 2, 2008 at 11:18 AM, Edward Dam <[EMAIL PROTECTED]> wrote:
> I've cleared the rules, and then applied your recommended iptables command.
>
> Unfortunately, it puts me right back to where I started. When the
> www.example.com redirects to http://www2.example.com:8098/login.aspx,
> it never gets there and times out.

First,  Pls clear the rule I have given,


http_port 3128 transparent
because of the above rule , you are running squid in transparent
intercept mode. I hope you can browse all the other site successfully.

Pls let me know.

Could you pls check can squid redirect www.example.com to
www2.example.com:8098/login.aspx without running squid in transparent
intercept mode ?

Pls let me know


if it can not ,
Then,

It is  www.example.com that  redirects to www.example.com,

What is this www.example.com ? Is it under your control. is it running apache?

I think you will have to redirect to www2.example.com:8098/login.aspx there.


Hope to hear from you.


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Port Problem with squid

2008-06-01 Thread Indunil Jayasooriya
>> When a user points to www.example.com, that webpage/server redirects

this is a port 80 request


>> them to http://www2.example.com:8098/login.aspx

then, it should redirect to port 8098

So, I think , pls try below.

 iptables -t nat -A PREROUTING -m tcp -p tcp -d www.example.com --dport 80 -j REDIRECT --to-port 8098



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] ldap_auth

2008-05-29 Thread Indunil Jayasooriya
Hi,

> Is there a good guide detailing how  to set this digest up with openLdap?

http://yajith.blogspot.com/2007/12/squid-ldap-and-active-directory.html


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Basic Config Question

2008-05-29 Thread Indunil Jayasooriya
I am running squid servers on firewalls and on DMZ. no issue at all.



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Block Windows Live Messenger with Squid

2008-05-21 Thread Indunil Jayasooriya
Another URL,


http://blogs.techrepublic.com.com/networking/?p=308



On Wed, May 21, 2008 at 9:48 PM, Thomas Raef <[EMAIL PROTECTED]> wrote:
> Messenger will also use port 80. You'll need to do l7-filter for that. Or 
> using squid, setup acls for the messenger mimetype which will catch it if 
> it's coming through port 80, and then also block port 1863.
>
> I believe that's been covered before in this group so you may want to search 
> the archives. Sorry, but I don't have the exact details in front of me.
>
> Thomas J. Raef
>
>
>> -Original Message-
>> From: Cassiano Martin [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, May 21, 2008 11:05 AM
>> To: adnann5
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Block Windows Live Messenger with Squid
>>
>> Messenger uses port 1863 tcp for communication, and some HTTPS SOAP
>> requests to M$ servers.
>> You need to block this port using iptables.
>>
>> iptables -A FORWARD -p tcp --dport 1863 -j DROP
>> iptables -A FORWARD -p tcp --sport 1863 -j DROP
>>
>>
>> adnann5 wrote:
>> > Hi Guys,
>> > I've a running a  transparently working  copy of squid 2.6 stable 19
>> on a
>> > Linux FC9 box.
>> > I wanted to block msn/windows live messenger through it, i've add
>> following
>> > code in my squid.conf
>> >
>> > acl msnmime req_mime_type ^application/x-msn-messenger
>> >
>> > acl msngw url_regex -i gateway.dll
>> >
>> > http_access deny msnmime
>> >
>> > http_access deny msngw
>> >
>> > but messenger is still signing in...
>> >
>> > Does any body have another solution?
>> >
>> >
>> > Regards
>> >
>>
>>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid2.6STABLE13 and transparent proxy

2008-05-12 Thread Indunil Jayasooriya
On Tue, May 13, 2008 at 3:12 AM, melvin obiri <[EMAIL PROTECTED]> wrote:
> Hi, I need help with transparent proxy on fedora 6 or fedora.
>  I have set the http_port to transparent mode as below
>  http_port 192.168.0.220:3128 transparent
>
>  and made a fowarding rule on iptables but am still not able to do
>  transparent proxy
>
>  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>  --to-port 3128

What is eth0. It should be LAN interface.

Do you have a NAT rule there? something like below.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4

Have you applied DROP policies? Then, You need another rule like this.

iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

Pls try these.

GOOD LUCK

>
>  Is there anything am missing on here
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid 2.5STABLE6

2008-05-08 Thread Indunil Jayasooriya
2008/5/8 David Johnson <[EMAIL PROTECTED]>:
> yes i have two proxies, one running 2.6 and one running 2.5... i wanted to 
> know at what patch level was the NTLM issue remedied. The 2.6 version works 
> prima, no problems at all. So if you know at which patch level it is 
> addressed i would greatly appreciate the info.

What is the O/S u r using?

how have you installed squid? source or binary?

u r running squid 2.5.6. I think if you can update it to something
higher, there's a chance to get it worked.

GOOD LUCK

>
>
>  Thanks much.
>
>  >>> "Indunil Jayasooriya" <[EMAIL PROTECTED]> 08-05-2008 12:08 >>>
>
>
> > what version of squid are you using?
>  >
>  >   i see 2.6 does not have this problem but 2.5.6 does.
>  >
>  >  so i was wondering what patch level i need to be at in order to address 
> the issue or do i need the 2.6 version.
>
>  squid 2.5 is quite OLD. Pls use squid 2.6 instead.
>
>
>  --
>  Thank you
>  Indunil Jayasooriya
>
>
>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid 2.5STABLE6

2008-05-08 Thread Indunil Jayasooriya
> what version of squid are you using?
>
>   i see 2.6 does not have this problem but 2.5.6 does.
>
>  so i was wondering what patch level i need to be at in order to address the 
> issue or do i need the 2.6 version.

squid 2.5 is quite OLD. Pls use squid 2.6 instead.


-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid 2.5STABLE6

2008-05-08 Thread Indunil Jayasooriya
>  website trying to access: http://www.fiakc.com

I get the dialog box from here.




-- 
Thank you
Indunil Jayasooriya


Re: Re: [squid-users] Squid logs analysing.

2008-05-08 Thread Indunil Jayasooriya
>  I downloaded and installed sarg on RHEL 5 but but not able to set it up.
>
>  Have anybody successfully setup SARG on RHEL 5.
>
>  Kindly let me know.

I have done it on Centos 4x

Pls see below. step by step guide.

SARG - Step by Step - CentOS

[EMAIL PROTECTED] ~]# yum install sarg
[EMAIL PROTECTED] ~]# cd /etc/httpd/conf.d/
[EMAIL PROTECTED] conf.d]# cp sarg.conf sarg.conf.orig
[EMAIL PROTECTED] conf.d]# cat sarg.conf
Alias /sarg /var/www/sarg


DirectoryIndex index.html
Order deny,allow
Deny from all
Allow from all


[EMAIL PROTECTED] conf.d]# /etc/init.d/httpd restart

Then,
[EMAIL PROTECTED] ~]# cd /var/www/sarg/
[EMAIL PROTECTED] sarg]# mkdir reports

Now, Edit words ONE-SHOT and One shot reports of index.html to reports
and reports (Every 30 minutes) as follows.

reports
reports (Every 30 minutes)


Then,
[EMAIL PROTECTED] sarg]# cd /etc/sarg/
[EMAIL PROTECTED] sarg]# cp sarg.conf sarg.conf.orig
And edit, sarg.conf

Pls comment out below line as follows,
#output_dir /var/www/sarg/ONE-SHOT

and, Add below line.
output_dir /var/www/sarg/reports

Then, issue below command,
[EMAIL PROTECTED] sarg]# /usr/bin/sarg
SARG: Records in file: 1514, reading: 100.00%

Then, touch
[EMAIL PROTECTED] ~]# touch /var/www/sarg/sarg.cron
[EMAIL PROTECTED] ~]# cat /var/www/sarg/sarg.cron
#!/bin/sh
/usr/bin/sarg
# Stop if the cd fails, so rm never runs in another directory
cd /var/www/sarg/reports || exit 1
rm -rf *.1

Then,
[EMAIL PROTECTED] ~]# cd /etc/cron.d
[EMAIL PROTECTED] cron.d]# touch sarg
[EMAIL PROTECTED] cron.d]# cat sarg
*/5 * * * * root /var/www/sarg/sarg.cron > /dev/null 2>&1
#*/30 * * * * root /var/www/sarg/sarg.cron > /dev/null 2>&1

Then, issue below commands.
[EMAIL PROTECTED] ~]# /etc/cron.daily/sarg
[EMAIL PROTECTED] ~]# /etc/cron.weekly/sarg
[EMAIL PROTECTED] ~]# /etc/cron.monthly/sarg


Now, Browse as follows.
http://192.168.101.25/sarg

That's it.

GOOD LUCK

>
>
>
>  On Thu, 08 May 2008 Indunil Jayasooriya wrote :
>
>
>  >Pls use sarg. It is good.
>  >
>  >
>  >Anyway, Redhat 9 is quite old. Pls use CentOS 5x instead
>  >
>  >RPM can be got from below URL
>  >
>  >http://dag.wieers.com/rpm/packages/sarg/
>  >
>  >GOOD LUCK
>  >
>  >
>  >On Thu, May 8, 2008 at 12:07 PM, Alexey Shakin <[EMAIL PROTECTED]> wrote:
>  > > Dear All!
>  > >
>  > >  I am new in squid administrating and
>  > >  I have one rather simple question.
>  > >  It is - how can I analyse squid log files?
>  > >  I have installed Red Hat 9 with
>  > >  Squid 2.5 Stable from the distribution kit.
>  > >  The standard tool (webalizer) is not
>  > >  appropriate at all. What I need is
>  > >  a possibility to create a detailed, flexible
>  > >  report about all users' usage of the server.
>  > >  I'm sure it's a very common task for Squid
>  > >  admins. Why there is no tool in the
>  > >  distribution kit, I don't understand.
>  > >  So, what will you advise me?
>  > >
>  > >
>  >
>  >
>  >
>  >--
>  >Thank you
>  >Indunil Jayasooriya
>
>
>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Proxy & reverse proxy on same computer / Many squid daemon ?

2008-05-08 Thread Indunil Jayasooriya
Hi,

What is the version of squid? It should be 2.6 or higher.


For proxy. pls try below rules.

 http_port 3128
 acl mynet src 192.168.101.0/24
 http_access allow mynet



For reverse proxy . pls try below rules.


 http_port 80 accel defaultsite=www.example.com
 cache_peer ip.of.real.webserver parent 80 0 no-query originserver
 acl our_sites dstdomain .example.com
 http_access allow our_sites
 never_direct allow our_sites
 cache_peer_access ip.of.real.webserver allow our_sites



pls see below URL too.

http://markmail.org/message/75qi6maqfzz3o6dc#query:proxy%20and%20reverse%20proxy%20indunil+page:1+mid:qinbxaivrs6vgvue+state:results

GOOD LUCK



On Thu, May 8, 2008 at 1:29 PM,  <[EMAIL PROTECTED]> wrote:
>
>
>  Hello,
>
>  I'm a squid's beginner because i'm a student, and i have a problem with a
>  project.
>
>  I'm French.
>
>
>
>  I must do run a squid server with dansguardian  like a proxy cache, and a
>  reverse proxy squid on a same computer.
>
>  My squid proxy and my dansguardian are running, but I want to do run an other
>  daemon of squid in same time with an other configuration of squid.conf (for
>  reverse).
>
>  Please how can I do this ?
>
>
>
>  Sorry for my bad English.
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Squid logs analysing.

2008-05-08 Thread Indunil Jayasooriya
Pls use sarg. It is good.


Anyway, Redhat 9 is quite old. Pls use CentOS 5x instead

RPM can be got from below URL

http://dag.wieers.com/rpm/packages/sarg/

GOOD LUCK


On Thu, May 8, 2008 at 12:07 PM, Alexey Shakin <[EMAIL PROTECTED]> wrote:
> Dear All!
>
>  I am new in squid administrating and
>  I have one rather simple question.
>  It is - how can I analyse squid log files?
>  I have installed Red Hat 9 with
>  Squid 2.5 Stable from the distribution kit.
>  The standard tool (webalizer) is not
>  appropriate at all. What I need is
>  a possibility to create a detailed, flexible
>  report about all users' usage of the server.
>  I'm sure it's a very common task for Squid
>  admins. Why there is no tool in the
>  distribution kit, I don't understand.
>  So, what will you advise me?
>
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid reverse proxy isssue

2008-05-06 Thread Indunil Jayasooriya
>  Skip the accel directive, or upgrade to a more recent Squid version..
>
>  More recent RHEL packages can be found from the download section of the
>  web site.

I went to the squid site and downloaded
squid-2.6.STABLE19-1.el5.i386.rpm RPM. I have now upgraded. Now, I do
not get that issue.

Now, the question I have is I need to have 2 servers . When primary
goes down, Squid should forward it to Secondary server. But, It does
not.

Primary Server is 192.168.9.5
Secondary Server is 192.168.9.4

My squid box is 192.168.9.62

Here is squid.conf.

http_port 80 accel defaultsite=your.main.website
cache_peer 192.168.9.5 parent 80 0 no-query  originserver
cache_peer 192.168.9.4 parent 80 0 no-query  originserver
acl our_sites dstdomain your.main.website
http_access allow our_sites

cache_peer_access 192.168.9.5 allow our_sites
cache_peer_access 192.168.9.4 allow our_sites
never_direct allow our_sites

I got these lines from Amos. Squid forwards request to primary
(192.168.9.5). Then, What I did was I removed ethernet cable from
primary Server- 192.168.9.5 ) , Then, I browsed, But, squid did not
forward it to Secondary Server (192.168.9.4) .


Hope to hear from you with your IDEAS.

-- 
Thank you
Indunil Jayasooriya


Fwd: [squid-users] squid reverse proxy isssue

2008-05-05 Thread Indunil Jayasooriya
HI ALL,

My reverse proxy does not work.

Pls help me to solve this.

my squid.conf is like this

http_port 80 accel defaultsite=your.main.website
cache_peer 192.168.9.4 parent 80 0 no-query originserver
acl our_sites dstdomain your.main.website
http_access allow our_sites

/etc/hosts file has below line. from squid box , I can ping  your.main.website
192.168.9.4    your.main.website


here is the log.

[EMAIL PROTECTED] squid]# tail -f /var/log/messages

May  5 16:20:56 mail squid: Bungled squid.conf line 76: http_port 80
accel defaultsite=your.main.website

[EMAIL PROTECTED] squid]# /etc/init.d/squid restart
Stopping squid:[FAILED]
Starting squid:[FAILED]

Where have I gone wrong?

I am on RedHat EL 5 with below rpm
squid-2.6.STABLE6-5.el5_1.3



-- Forwarded message --
From: Indunil Jayasooriya <[EMAIL PROTECTED]>
Date: Mon, May 5, 2008 at 11:50 AM
Subject: Re: [squid-users] squid reverse proxy isssue
To: Paul Bertain <[EMAIL PROTECTED]>
Cc: squid-users 


>  Can your Squid box resolve your "http_port" line?  Whatever you have as the
 > actual "your.main.website" needs to be resolveable.

 No, your.main.website can not be resolved.

 I added your.main.websit to /etc/hosts file. Now , I can ping your.main.website

 What I did was I configured apache to run on the samebox on 127.0.0.1

 pls see below

 I have added this to http.conf file.

 Listen 127.0.0.1:80




 I can telnet to 127.0.0.1 and your.main.websit on port 80.

 pls see below

 [EMAIL PROTECTED] squid]# telnet 127.0.0.1 80
 Trying 127.0.0.1...
 Connected to localhost.localdomain (127.0.0.1).
 Escape character is '^]'.

 [EMAIL PROTECTED] squid]# telnet your.main.websit 80
 Trying 127.0.0.1...
 Connected to your.main.websit (127.0.0.1).
 Escape character is '^]'.


 Then, I changed squid.conf as below

 http_port 192.1.54.101:80 accel defaultsite=your.main.websit
 cache_peer 127.0.0.1 parent 80 0 no-query originserver

 cache_peer_access 127.0.0.1 allow our_sites

acl our_sites dstdomain your.main.websit

 again, same error.

 Pls see below.


 [EMAIL PROTECTED] squid]# /etc/init.d/squid restart
 Stopping squid:[FAILED]
 Starting squid:[FAILED]


[EMAIL PROTECTED] squid]# tail -f /var/log/messages

 May  5 11:37:20 mail squid: Bungled squid.conf line 76: http_port
 192.1.54.101:80 accel defaultsite=your.main.websit
 May  5 11:46:27 mail last message repeated 4 times

 Hope to hear from you.


 --
 Thank you
 Indunil Jayasooriya



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid reverse proxy isssue

2008-05-04 Thread Indunil Jayasooriya
>  Can your Squid box resolve your "http_port" line?  Whatever you have as the
> actual "your.main.website" needs to be resolveable.

No, your.main.website can not be resolved.

I added your.main.websit to /etc/hosts file. Now , I can ping your.main.website

What I did was I configured apache to run on the samebox on 127.0.0.1

pls see below

I have added this to http.conf file.

Listen 127.0.0.1:80




I can telnet to 127.0.0.1 and your.main.websit on port 80.

pls see below

[EMAIL PROTECTED] squid]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.

[EMAIL PROTECTED] squid]# telnet your.main.websit 80
Trying 127.0.0.1...
Connected to your.main.websit (127.0.0.1).
Escape character is '^]'.


Then, I changed squid.conf as below

http_port 192.1.54.101:80 accel defaultsite=your.main.websit
cache_peer 127.0.0.1 parent 80 0 no-query originserver

cache_peer_access 127.0.0.1 allow our_sites
acl our_sites dstdomain your.main.websit

again, same error.

Pls see below.

[EMAIL PROTECTED] squid]# /etc/init.d/squid restart
Stopping squid:[FAILED]
Starting squid:[FAILED]

[EMAIL PROTECTED] squid]# tail -f /var/log/messages

May  5 11:37:20 mail squid: Bungled squid.conf line 76: http_port
192.1.54.101:80 accel defaultsite=your.main.websit
May  5 11:46:27 mail last message repeated 4 times

Hope to hear from you.


-- 
Thank you
Indunil Jayasooriya


[squid-users] squid reverse proxy isssue

2008-05-04 Thread Indunil Jayasooriya
Hi,

 I want to setup squid as a reverse proxy. I added below lines to
 squid.conf file.

 http_port 80 accel defaultsite=your.main.website
 cache_peer 192.168.9.4 parent 80 0 no-query  originserver
 cache_peer 192.168.9.5 parent 80 0 no-query  originserver
 acl our_sites dstdomain your.main.website
 http_access allow our_sites
 cache_peer_access 192.168.9.4 allow our_sites
 cache_peer_access 192.168.9.5 allow our_sites
 never_direct allow our_sites

 While restarting squid, it gives below error.

 [EMAIL PROTECTED] squid]# /etc/init.d/squid restart
 Stopping squid:[FAILED]
 Starting squid:[FAILED]

 here's /var/log/messages say.

 [EMAIL PROTECTED] squid]# tail -f /var/log/messages

 May  5 11:01:56 mail squid: Bungled squid.conf line 76: http_port 80
 accel defaultsite=your.main.website

 This is on RedHat EL 5 with default RPM squid-2.6.STABLE6-3.el5

 Any advice to get it working.


-- 
Thank you
Indunil Jayasooriya


Fwd: [squid-users] block msn

2008-04-29 Thread Indunil Jayasooriya
> Messenger uses port 443 too to file transfers. My principal target is to
 >  block file transfer. Any Idea?

 Is it a linux box? Then, I think iptables might be able to do it.

 other wise, pls try l7-filter. pls see below.

 http://l7-filter.sourceforge.net/



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] block msn

2008-04-29 Thread Indunil Jayasooriya
below URL may help.


http://blogs.techrepublic.com.com/networking/?p=308

On Wed, Apr 30, 2008 at 1:32 AM, Wilson A. Galafassi Jr.
<[EMAIL PROTECTED]> wrote:
> Hello.
>  It´s possible to block msn under squid? Especially file transfer?
>
>  Thanks,
>  Wilson
>
>
>



-- 
Thank you
Indunil Jayasooriya


[squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2

2008-04-28 Thread Indunil Jayasooriya
>  What command I have to issue to complete this task with PF on OpenBSD 4.2?
 >  What should I do?

 Configuring pf
 The pf configuration is /etc/pf.conf. The file is documented in
 pf.conf(5). This is a minimal example of the required rdr rule. Make
 sure you also allow the redirected connections to pass, they'll have
 destination address 127.0.0.1 when the filter rules are evaluated.
 Redirection does not automatically imply passing. Also, the proxy must
 be able to establish outgoing connections to external web servers.

 int_if="gem0"
 ext_if="kue0"

 rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

 pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
 pass out on $ext_if inet proto tcp from any to any port www keep state

 Note that squid needs to open /dev/pf in order to query the packet
 filter. The default permissions for this file allow access only to
 root. squid is running as user _squid, group _squid, so one way to
 allow access to squid is by changing the group ID of the file to
 _squid and make it group-accessible:

 # chgrp _squid /dev/pf
 # chmod g+rw /dev/pf

 pls click below URL for more

 http://www.benzedrine.cx/transquid.html



-- 
Thank you
Indunil Jayasooriya


Fwd: [squid-users] Reverse proxy for Primary and then Secondary

2008-04-15 Thread Indunil Jayasooriya
 Looks good.
 If you have multiple websites hosted you may need both "accel vhost"
options on the http_port.

NOTED , Thanks




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] Reverse proxy for Primary and then Secondary

2008-04-14 Thread Indunil Jayasooriya
On Thu, Apr 10, 2008 at 7:48 PM, Amos Jeffries <[EMAIL PROTECTED]> wrote:
>
> Indunil Jayasooriya wrote:
>
> > Hi all,
> >
> > I have 2 web servers . One is Primary and the other is Secondary.
> >
> > Pls assume
> > ip of primary is 1.2.3.4
> > ip of secondary 2.3.4.5
> >
> > I want squid reverse proxy to forward traffic to primary server.
> > When, the primary goes offline, it should forward to Secondary web
> > Server.
> >
> > How can I achieve this task?
> >
> > I am going to keep squid as a reverse proxy in front of them?
> >
> > pls assume ip of reverse proxy is 5.6.7.8
> >
> > How Can I write rules in squid.conf?
> >
> > pls see below rules.
> >
> >
> > http_port 80 accel defaultsite=your.main.website
> >
> > cache_peer ip.of.primarywebserver parent 80 0 no-query originserver
> > cache_peer ip.of.secondarywebserver parent 80 0 no-query originserver
> >
> > acl our_sites dstdomain your.main.website
> > http_access allow our_sites
> >
>
>  Add:
>   cache_peer_access ip.of.primarywebserver allow our_sites
>   cache_peer_access ip.of.secondarywebserver allow our_sites
>   never_direct allow our_sites

Hi, amos,

Then, complete rule set will be this. Pls let me know.


 http_port 80 accel defaultsite=your.main.website

 cache_peer ip.of.primarywebserver parent 80 0 no-query  originserver

 cache_peer ip.of.secondarywebserver parent 80 0 no-query  originserver

 acl our_sites dstdomain your.main.website

http_access allow our_sites

cache_peer_access ip.of.primarywebserver allow our_sites

cache_peer_access ip.of.secondarywebserver allow our_sites
never_direct allow our_sites




>  Squid follows that behavior by default.
>
>  FYI, There are some additional monitor* options to fine-tune recovery.

What are they?


>
>  Amos
>  --
>  Please use Squid 2.6.STABLE19 or 3.0.STABLE4
>



-- 
Thank you
Indunil Jayasooriya


[squid-users] Reverse proxy for Primary and then Secondary

2008-04-10 Thread Indunil Jayasooriya
Hi all,

I have 2 web servers . One is Primary and the other is Secondary.

Pls assume
ip of primary is 1.2.3.4
ip of secondary 2.3.4.5

I want squid reverse proxy to forward traffic to primary server.
When, the primary goes offline, it should forward to Secondary web
Server.

How can I achieve this task?

I am going to keep squid as a reverse proxy in front of them?

pls assume ip of reverse proxy is 5.6.7.8

How Can I write rules in squid.conf?

pls see below rules.


http_port 80 accel defaultsite=your.main.website

cache_peer ip.of.primarywebserver parent 80 0 no-query originserver
cache_peer ip.of.secondarywebserver parent 80 0 no-query originserver

acl our_sites dstdomain your.main.website
http_access allow our_sites




-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] acl from file

2008-04-08 Thread Indunil Jayasooriya
On Wed, Apr 9, 2008 at 12:46 AM, Luis Daniel Lucio Quiroz
<[EMAIL PROTECTED]> wrote:
> I have a huge txt file with domains that I want to ban, like this:
>
>  .dom.com
>  .dom2.net
>  .etc
>
>  I'm not sure if I can do this at my acl configuration
>
>  acl banneddommains  dstdomain /path/file.txt

acl banneddommains  dstdomain "/path/file.txt"
http_access deny banneddommains


>
>  or how?
>
>  TIA
>
>  LD
>



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] unable to block sites completely

2008-04-07 Thread Indunil Jayasooriya
>  www.catpass.info
>  www.newjumbo.info
>
>  i blocked them using ACL list but they opened when i type
>  www.catpass.info/index.php
>  www.newjumbo.info/index.php
>
>  plz tell me how to completely block there sites


acl blockedsite dstdomain .catpass.info .newjumbo.info
http_access deny blockedsite


-- 
Thank you
Indunil Jayasooriya
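
Added example, not part of the posts above: a Python model of the `dstdomain` matching used in the two replies (the file-based ACL and the `.catpass.info` rule). It assumes a leading-dot entry covers the domain and all its subdomains while an entry without the dot covers only that exact host, and that the list file has one entry per line with `#` comment lines skipped; the function names and the sample list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample list in the one-entry-per-line layout of /path/file.txt.
SAMPLE_LIST = """\
# constructed entries
.catpass.info
www.catpass.info
.newjumbo.info
.cdn.newjumbo.info
"""

def load_entries(text):
    """One entry per line; blank lines and '#' comment lines are skipped (assumption)."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def dstdomain_match(host, entry):
    """'.example.com' covers example.com and its subdomains; 'example.com' is exact."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def is_blocked(url, entries):
    """Only the host is compared, so a path such as /index.php changes nothing."""
    if "://" not in url:
        url = "//" + url  # let urlsplit read the first part of a scheme-less URL as host
    host = urlsplit(url).hostname or ""
    return any(dstdomain_match(host, e) for e in entries)

def redundant_entries(entries):
    """Entries already covered by another leading-dot entry in the same list."""
    dotted = [e.lower() for e in entries if e.startswith(".")]
    return [e for e in entries
            if any(d != e.lower() and dstdomain_match(e.lstrip("."), d) for d in dotted)]
```

Running `redundant_entries` over a large ban list before loading it shows which lines can be dropped because a broader leading-dot entry already covers them.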


Re: [squid-users] squid transparent proxy

2008-04-03 Thread Indunil Jayasooriya
>  You are right I am using port 8080. As I mentioned I have 2 machine the 1st 
> machine is my Firewall/NAT server wherein the iptables configuration already 
> stated that it should redirect port 80 to 8080

Oh, Squid is not running on this box. Then, REDIRECT will not work.
What your firewall can do is MARK port 80 traffic and route it via
squid box. That is known as Transparent Proxy to a Remote Box.

You need both iptables and iproute2 pkgs.

Okay, below are the rules, you need to add.


On your firewall, pls add below rules

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s ipaddressofsquid-box
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
ip rule add fwmark 3 table 2
ip route add default via ipaddressofsquid-box dev eth1 table 2

dev eth1 is connected to squidbox. Pls change it accordingly.

On your squid Box, pls add below rules.

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

this is where REDIRECT takes place.

In addition to that, you will have to make sure, port 8080 is open on
this squid box , since squid is running on port 8080.

I think everything is open on squid box.


Now, clients' gateway is the IP of the firewall/NAT box. Also check
DNS in clients.

Here are some other useful URLs

http://www.mail-archive.com/squid-users@squid-cache.org/msg53662.html

http://tldp.org/HOWTO/TransparentProxy-6.html

Good luck


-- 
Thank you
Indunil Jayasooriya
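
Added example, not part of the post above: a Python consistency check for the firewall-side rules in that message. It verifies that the proxy's own port-80 traffic is exempted before the MARK rule (otherwise the proxy's outbound requests are marked and routed back to it), that the `ip rule` fwmark equals `--set-mark`, and that the default route sits in the same table and points at the proxy. The address 192.0.2.10 and the function names are constructed stand-ins.

```python
import shlex

# Constructed input: the firewall commands from the post, with the sample address
# 192.0.2.10 standing in for "ipaddressofsquid-box".
FIREWALL_RULES = """\
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.0.2.10
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
ip rule add fwmark 3 table 2
ip route add default via 192.0.2.10 dev eth1 table 2
"""

def opt(tokens, flag):
    """Return the value that follows `flag`, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def check_policy_routing(script, squid_ip):
    """Return a list of problems in the firewall-side rules (empty list = consistent)."""
    exempt_at = mark_at = mark = None
    rule_mark = rule_table = route_table = route_via = None
    for n, line in enumerate(script.splitlines()):
        t = shlex.split(line)
        if t[:1] == ["iptables"] and opt(t, "-t") == "mangle" and opt(t, "-A") == "PREROUTING":
            if opt(t, "-j") == "ACCEPT" and opt(t, "-s") == squid_ip and exempt_at is None:
                exempt_at = n
            elif opt(t, "-j") == "MARK" and mark_at is None:
                mark_at, mark = n, opt(t, "--set-mark")
        elif t[:3] == ["ip", "rule", "add"]:
            rule_mark, rule_table = opt(t, "fwmark"), opt(t, "table")
        elif t[:3] == ["ip", "route", "add"]:
            route_via, route_table = opt(t, "via"), opt(t, "table")
    if mark_at is None:
        return ["no MARK rule in mangle PREROUTING"]
    problems = []
    if exempt_at is None or exempt_at > mark_at:
        problems.append("proxy's own port-80 traffic is marked before any exemption (routing loop)")
    if rule_mark != mark:
        problems.append("ip rule fwmark does not match --set-mark")
    if rule_table is None or rule_table != route_table:
        problems.append("ip rule and default route use different tables")
    if route_via != squid_ip:
        problems.append("marked traffic is not routed via the proxy")
    return problems
```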

