Re: [squid-users] Squid +XChat + Bitlbee

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 06 Feb 2008 01:39:59 +1300

stephane lepain wrote:
> Amos Jeffries wrote:
>> stephane lepain wrote:
>>> Hi,
>>>
>>> I have added an acl in order for me to connect to Xchat through my
>>> proxy. It works fine. Now, I want to use bitlbee using XChat to try
>>> to connect to msn and everything going through my proxy. Every time I
>>> launch Bitlbee I get the error HTTP/1.0 503 Service Unavailable.
>>> Proxy traversal failed. The way I connect to bitlbee through Xchat is
>>> "/server 127.0.0.1" and then this is when I get the error mentioned
>>> above.
>>> I can't see the reason why I would be able to connect to XChat and
>>> not bitlbee. When I check the access.log I do see a tcp_miss 503.
>>> Thanks for your help
>>
>> That would be because your squid is not listening on 127.0.0.1.
>>
>> Let's go over your config and improve it a bit, shall we?
>>
>>>
>>> ### ACCESS CONTROLS
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 443 # https
>>> acl SSL_ports port 563 # snews
>>> acl SSL_ports port 873 # rsync
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl Safe_ports port 631 # cups
>>> acl Safe_ports port 873 # rsync
>>> acl Safe_ports port 901 # SWAT
>>> acl purge method PURGE
>>> acl CONNECT method CONNECT
>>> acl iguane src 192.168.1.8 127.0.0.1
>>> acl heaven src 192.168.1.10
>>> acl zongo src 192.168.1.5
>>> acl margoullat src 192.168.1.6 192.168.1.7
>>> acl livebox src 192.168.1.1
>>> acl xchat port 6667 1863
>>> http_access allow CONNECT xchat
>>> http_access deny CONNECT xchat
>>
>> The allow line above lets anyone use xchat through you.
>> Blocking it here or below has no effect.
>>
>>> http_access allow iguane
>>> http_access allow heaven
>>> http_access allow zongo### OPTIONS FOR X-FORWARDED-FOR
>>> ### NETWORK OPTIONS
>>
>> That missing newline will be causing some problems I think.
>>
>>> http_access allow margoullat
>>> http_access allow livebox
>>
>> You could be creating a single ACL which contains all those machines'
>> IP addresses (like Safe_ports is done) instead of a separate line
>> each. That would help keep this and the ICP lines below sync'd up.
>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access allow purge localhost
>>> http_access deny purge
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access deny to_localhost
>>> http_access allow localhost
>>
>> Like I said to someone else recently: these safety controls (from the
>> manager down) need to be at the top of the squid http_access lines to
>> have any effect.
>>
>> NP: If "deny CONNECT !SSL_Ports" blocks your xchat just add " !xchat"
>> at the end of it.
>>
>>> http_access deny all
>>
>>> icp_access allow iguane
>>> icp_access allow heaven
>>> icp_access allow zongo
>>> icp_access allow margoullat
>>> icp_access allow livebox
>>
>> Again combining these machines into a single ACL will let you use it
>> here too in a nice and short way.
>>
>>> icp_access deny ALL
>>
>> Might be worth changing the case on that one ;-)
>>
>>> http_port 192.168.1.7:3128
>>
>> And here Squid is ONLY listening on the public IP address of its
>> machine. If you only have one network card you can safely remove the
>> IP address part of that line.
>>
>>> hierarchy_stoplist cgi-bin ?
>>> access_log /var/log/squid/access.log squid
>>> acl QUERY urlpath_regex cgi-bin \?
>>> cache deny QUERY
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>> quick_abort_min 0 KB
>>> quick_abort_max 0 KB
>>> quick_abort_pct 95
>>> negative_ttl 2 minutes
>>> request_header_max_size 12 KB
>>> request_header_max_size 12 KB
>>> request_body_max_size 0 KB # 0=nolimit
>>> via off
>>> cache_vary off
>>> acl apache rep_header Server ^Apache
>>> broken_vary_encoding allow apache
>>> refresh_stale_hit 5 seconds
>>> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>>> header_access From deny all
>>> header_access Referer deny all
>>> header_access Server deny all
>>> header_access User-Agent deny all
>>> header_access WWW-Authenticate deny all
>>
>> Huh? You never want to login anywhere external?
>>
>>> header_access Link deny all
>>> forward_timeout 2 minutes
>>> cache_mgr penguindeb@gmail.com
>>> htcp_port 4827
>>> cache_peer cache.orange.fr parent 3128 3130 default no-query
>>> hosts_file /etc/hosts
>>> append_domain .macitos.fr
>>> memory_pools_limit 50 MB
>>> forwarded_for off
>>> client_db off
>>> reload_into_ims on
>>> coredump_dir /var/spool/squid
>>>
>>
>> Amos
> Hi Amos,
>
> Thanks for the great advice. I have changed the conf:
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> *acl locallan src 192.168.1.0/24*
> *acl xchat port 6667 *
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports *! xchat*
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow localhost
> *http_access allow locallan*
> http_access deny all
> *icp_access allow locallan
>
> *for the line "http_port 192.168.1.7:3128", I do have two NICs on that
> server.
>
> As far as connecting bitlbee on 127.0.0.1, I am changing it to one of
> the squid server NICs. That way, I can see that squid is now filtering
> and I think it is more secure (I have a lot more control).
>
> On the same content, is Squid capable of filtering BitTorrent? I am using
> it to filter eMule and it works great, but last night, to my surprise,
> Squid didn't filter BitTorrent.
>
> Could you please advise ?

Not natively. It will do some limited control if BitTorrent is
configured to use CONNECT requests through HTTP-Proxy.

But at present that is all. Torrent is on the long-term todo list, but
there is much that needs work before we get to it. If you want it
anytime reasonable it will take sponsorship money.

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
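Added illustration, not code from the thread or from Squid itself: a small Python model of how Squid walks the http_access list (top to bottom, the first line whose ACLs all match decides), run over a constructed excerpt of the poster's original ordering and one that follows Amos's advice above. The excerpt keeps the thread's ACL names and LAN addresses; the outsider address 203.0.113.5 and the destination 192.0.2.10 are documentation addresses chosen here, and the port lists are collapsed onto single acl lines, which Squid also accepts. Only the src, dst, port and method ACL types are modelled, which is all the excerpts need.

```python
"""Toy model of Squid's http_access evaluation, added to show why ACL order
mattered in this thread. Not Squid's own code: it understands only the src,
dst, port and method ACL types, which is all the two excerpts below use."""
import ipaddress

# Constructed squid.conf excerpts; port lists are collapsed onto one acl line,
# which Squid also accepts. Comments were dropped to keep them short.
COMMON = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 631 873 901
acl CONNECT method CONNECT
acl xchat port 6667 1863
"""

# The poster's original order: the CONNECT/xchat allow and the per-host
# allows come before the Safe_ports / SSL_ports checks.
BEFORE = COMMON + """
acl iguane src 192.168.1.8 127.0.0.1
acl heaven src 192.168.1.10
http_access allow CONNECT xchat
http_access deny CONNECT xchat
http_access allow iguane
http_access allow heaven
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
"""

# The order Amos recommends: safety checks first, one ACL for the whole LAN,
# and !xchat as the exception on the CONNECT line instead of an early allow.
AFTER = COMMON + """
acl locallan src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !xchat
http_access deny to_localhost
http_access allow localhost
http_access allow locallan
http_access deny all
"""


def parse_config(text):
    """Collect acl definitions (name -> (type, values)) and http_access rules
    (action, [(negated, acl_name), ...]) in file order; other lines are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip comments and blanks
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules


def acl_matches(acls, name, req):
    """Does ACL `name` match the request dict (keys: src, dst, port, method)?"""
    kind, values = acls[name]
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req[kind])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        ranges = [v.partition("-") for v in values]   # "1025-65535" or "6667"
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in ranges)
    if kind == "method":
        return req["method"] in values
    raise ValueError("unsupported acl type: " + kind)


def http_access(config_text, req):
    """First http_access line whose ACLs all match (a '!' term matches when the
    ACL does not) decides; if none matches, Squid applies the opposite of the
    last line's action. An empty rule list is treated as deny in this model."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != neg for neg, name in terms):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


# Constructed requests: an outsider and a LAN host using CONNECT through the proxy.
# 203.0.113.5 and 192.0.2.10 are documentation addresses, not real hosts.
OUTSIDER_IRC = {"src": "203.0.113.5", "dst": "192.0.2.10", "port": 6667, "method": "CONNECT"}
LAN_IRC = {"src": "192.168.1.10", "dst": "192.0.2.10", "port": 6667, "method": "CONNECT"}
LAN_SMTP = {"src": "192.168.1.10", "dst": "192.0.2.10", "port": 25, "method": "CONNECT"}

if __name__ == "__main__":
    for label, req in [("outsider->6667", OUTSIDER_IRC), ("lan->6667", LAN_IRC), ("lan->25", LAN_SMTP)]:
        print(f"{label:15} before={http_access(BEFORE, req):5} after={http_access(AFTER, req)}")
```

Running it shows the two points Amos makes: with the original order an outsider's CONNECT to port 6667 is allowed by the very first line, and a LAN host's CONNECT to port 25 is allowed because `deny !Safe_ports` sits below the per-host allows and is never reached; with the safety lines first, both are denied while the LAN's IRC traffic still passes. Removing the `!xchat` term from the CONNECT line in the second excerpt makes `deny CONNECT !SSL_ports` block IRC as well, which is the case Amos's NP covers.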
Received on Tue Feb 05 2008 - 05:39:52 MST
