On Wed, 2002-10-02 at 02:17, James Gregory wrote:
> The setup is as follows. The firewall is on 192.168.9.50. It's running
> kernel 2.2, since as discussed previously here, 2.4 halves the speed of
> my connection. My proxy server is another computer - 192.168.9.10, and
> I'm on 192.168.9.1.
>
> I've set the following options in squid.conf:
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> And the following acls:
>
> http_access allow all
> http_access localhost
> http_access intranet
> icp_access allow all
> miss_access allow all

Are you sure that's the entire list? If so you are running an open proxy,
which is not a good thing.

> now, since I don't have all the neat forwarding stuff in 2.4, I have an
> ssh tunnel running on my firewall that accepts all connections (with -g)
> on port 8080/tcp and sends them through the tunnel to the proxy server
> (I intend to replace this with something else later). The rules I'm
> using on my firewall to do the forwarding are:
>
> $IPCHAINS -A input -p TCP -d 127.0.0.1/32 80 -j ACCEPT
> $IPCHAINS -A input -p TCP -d 192.168.9.10/32 80 -j ACCEPT
> $IPCHAINS -A input -p TCP -d 192.168.9.50/32 80 -j ACCEPT
> $IPCHAINS -A input -p TCP -d any/0 80 -j REDIRECT 8080

This won't work for some applications, because squid will lose the
destination host IP address when the ssh tunnel is used. Only HTTP/1.1
apps (which means they include Host:) will work through this setup.

Also, your rules are suspect - squid initiated traffic will get caught
as well, and bounce back to squid. You need an explicit ACCEPT for
traffic from the squid box before the redirect.

> Finally, I'm attempting to get this thing to forward connections on to
> usyd's proxy server with:
>
> cache_peer 129.78.64.5 parent 8080 7 no-query
> no-netdb-exchange
>
> (and since I'm not allowed to do ICP with them, there's another rule on
> the firewall to bounce ICP to its local echo port)

ICP should not be occurring at all - because of the no-query entry.

Cheers,
Rob
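An added illustration, not part of either poster's message: a small first-match model of the quoted input chain, showing why squid's own port-80 fetches hit the REDIRECT rule and how an ACCEPT for the squid box placed before it breaks the loop. The exact form of the extra rule and the origin-server address (a documentation address) are assumptions.

```python
import ipaddress

ANY = "0.0.0.0/0"
FIREWALL, SQUID, CLIENT = "192.168.9.50", "192.168.9.10", "192.168.9.1"

# The four input-chain rules quoted above: (source, destination, dport, target).
ORIGINAL = [
    (ANY, "127.0.0.1/32", 80, "ACCEPT"),
    (ANY, "192.168.9.10/32", 80, "ACCEPT"),
    (ANY, "192.168.9.50/32", 80, "ACCEPT"),
    (ANY, ANY, 80, "REDIRECT 8080"),
]
# Assumed form of the fix: accept port-80 traffic sourced from the squid box
# before the catch-all REDIRECT.
FIXED = ORIGINAL[:3] + [(SQUID + "/32", ANY, 80, "ACCEPT")] + ORIGINAL[3:]


def verdict(rules, src, dst, dport):
    """First matching rule wins, as in an ipchains chain; None = chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_dport, target in rules:
        if (s in ipaddress.ip_network(r_src) and d in ipaddress.ip_network(r_dst)
                and dport == r_dport):
            return target
    return None


def loops(rules, origin_server):
    """True if squid's own fetch to origin_server is redirected back to squid."""
    return verdict(rules, SQUID, origin_server, 80) == "REDIRECT 8080"


if __name__ == "__main__":
    origin = "203.0.113.80"  # constructed documentation address
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "client ->", verdict(rules, CLIENT, origin, 80),
              "| squid ->", verdict(rules, SQUID, origin, 80),
              "| loop:", loops(rules, origin))
```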
