On Tue, 17 Aug 2010 13:14:25 -0500, >p3dRø< <ip2trama_at_gmail.com> wrote:
> Hi Amos,
>
> I have my proxy as another host in the network (with only one ethernet
> card = eth0). The communication flow is:
>
> Internet <--> Router ADSL <--> Firewall <--> Squid <--> PCs
>
> What I mean with transparent is that all the hosts go to proxy without
> authentication and without blocking anything yet. They don't know that
> there is any proxy.
With only one NIC on the proxy this gets close to some tricky packet
routing issues. If you can use a second NIC, physically separating the DMZ
(Squid->ADSL linkage) from the internal PCs would be a great help in
avoiding problems. (Ironically I have a long 3-day callout ahead to fix
exactly these issues for a client who decided to re-wire their net-cafe
themselves).
For NAT interception (http_port ... intercept) to work properly the Squid
box must be the once doing NAT. Otherwise there are not box-internal NAT
tables for Squid to retrieve the client real-destinations from.
In these setups I recommend making the Squid box setup as a full router +
firewall and the access device (ADSL here) as a pure modem/bridge pushing
everything complex over to the Squid box.
Due to vulnerabilities with direct access to an interception port 3.1 and
later will now prohibit the two modes from sharing a port. If the NAT
lookups fail (see above) its considered a direct-access connection and may
be blocked.
The fix for you is to do NAT on the Squid box.
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
That seems to be the main problem in a nutshell.
There are a few minor issues and details to make things run more smoothly.
I cover them below...
>
> I reconfigured my config file and I have this now:
>
> http_port 3128 intercept
> cache_mem 100 MB
> cache_dir ufs /var/spool/squid 150 16 256
> acl red_local src 192.168.1.0/24
> acl localhost src 127.0.0.1/32
With 3.1 Squid is IPv6-enabled. You may want to update these to include
your LAN IPv6 ranges. Those are ::1 for localhost and fe80::/7 for the
private equivalent to 192.168.*
Though having said that the NAT will not work on IPv6 traffic.
NP: you can instead v6-enable your LAN PCs traffic to Squid by using WPAD
to silently configure them for a proxy hostname with AAAA records
available. :)
> acl all src all
"all" is pre-defined in all Squid-3.x. Remove it to quieten the startup
warnings.
> http_access allow localhost
> http_access allow red_local
> acl SSL_ports port 443
> acl SSL_ports port 7779
> acl Safe_ports port 8080
> acl Safe_ports port 80
> acl Safe_ports port 7779
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
Ah, so all the stuff about Safe_ports and SSL_ports was a red-herring.
They are never used anyway.
To actually work these two config lines are supposed to be above your LAN
access permissions:
http_access allow localhost
http_access allow red_local
Amos
Received on Wed Aug 18 2010 - 03:05:53 MDT
This archive was generated by hypermail 2.2.0 : Wed Aug 18 2010 - 12:00:03 MDT