The squid.conf is driven by the GUI front end provided in ClearOS 5.2.
The only options there are:
Configuration:
Maximum Cache Size - set to 100MB
Minimum Size Object - set to 4MB
Maximum Download File Size - set to unlimited
Web Proxy Mode:
Transparent mode - set to enabled
Banner and Pop-Up filter - set to disabled
User Authentication - set to disabled
The rest of the configuration is as provided by ClearOS.
Following what you've said, I've removed the line "http_port 3128"
because the other three http_port lines are written to dynamically by
the ClearOS init script. This allows the proxy to start. And it is
working. Thanks.
I've put some comments in line as well and I'll contact the ClearOS devs
about the security issue.
Thanks,
Nick
On 01/05/2012 06:51, Amos Jeffries wrote:
> On 1/05/2012 1:36 a.m., Nick Howitt wrote:
>> Hi,
>> I am new to squid and I am trying to run it on my ClearOS 5.2 gateway
>> where it is supplied as a pre-configured package. However, whenever I
>> try to start it I lose all internet access. I would like to run it in
>> transparent mode which is a menu option I have for it.
>>
>> My cache.log reads:
>> 2012/04/25 12:51:06| Starting Squid Cache version 2.6.STABLE21 for
>> i686-redhat-linux-gnu...
>>
> <snip>
>> 2012/04/25 12:51:06| Accepting proxy HTTP connections at 0.0.0.0,
>> port 3128, FD 13.
>
> So squid is configured to listen on a wildcard port (*:3128) which
> binds to every IP address the box has using a single open+listen
> operation. This is successful.
>
> Then Squid is *also* instructed to bind particular IP:port
> combinations ...
>
>> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
>> 192.168.3.1:3128: (98) Address already in use
>
> ... oops, *:3128 is already open ...
>
>> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
>> 192.168.2.1:3128: (98) Address already in use
>
> ... oops, *:3128 is already open ...
>
>> 2012/04/25 12:51:06| commBind: Cannot bind socket FD 14 to
>> 127.0.0.1:3128: (98) Address already in use
>
> ... oops, *:3128 is already open ...
>
>> At this point I lose internet access, and it does not change when I
>> switch it to transparent mode. I am not aware of anything else
>> running on port 3128 and netstat -an -t | grep 3128 shows nothing.
>
> You configured Squid to open port 3128 four times. Only the first
> attempt succeeds, the others clash with it.
>
> Squid is operating with the wildcard port open for all traffic. BUT,
> intercepted traffic cannot be received by the regular forward-proxy
> port 3128. Your requests passed to any IP and port 3128 are rejected
> as malformed client->proxy requests (true, because they are
> client->origin format requests).
>
>
>>
>> If it helps at all, this is my squid.conf:
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.0/8
>> acl webconfig_lan src 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
>> acl webconfig_to_lan dst 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow webconfig_to_lan
>
> The above "allow webconfig_to_lan" rule opens your proxy to 4 out of
> the 5 most common proxy attacks
> http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls
>
> Oops.
>
>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
> Move your global allow rule down to here below the basic security
> protections.
>
>
> And consider carefully why you need it in the first place. There are
> no accel mode ports configured. For an interception proxy you should
> be able to depend on the src type ACL to operate correctly or you have
> configured the interception rules wrong.
I'll ping the devs on this one as I don't like security issues and this
will be the same on all ClearOS implementations.
>
>
>> http_access allow localhost
>> http_access allow webconfig_lan
>> http_access deny all
>> icp_access allow all
>> http_port 3128
>> hierarchy_stoplist cgi-bin ?
>> access_log /var/log/squid/access.log squid
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> coredump_dir /var/spool/squid
>> error_directory /etc/squid/errors
>> follow_x_forwarded_for allow localhost
>> http_port 192.168.3.1:3128 transparent
>> http_port 192.168.2.1:3128 transparent
>> http_port 127.0.0.1:3128 transparent
>>
>> Can anyone help me, please?
>
> Please follow the advice in
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat#iptables_configuration
The ClearOS iptables rules are pretty similar and I believe they do the
same.
>
> Additionally, why do you have three interception ports, and why is
> 127.0.0.1 involved?
I have two LANs so I can understand the two interception addresses. I'll
ping the devs about 127.0.0.1.
>
> Amos
Received on Tue May 01 2012 - 10:14:04 MDT
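As an added illustration of the http_access ordering point Amos raises (this is example code, not from the thread or from Squid itself): a small first-match evaluator over the ACLs from the quoted squid.conf, run against constructed sample requests. ACL and rule names follow the posted config; the sample client and destination addresses are assumed.

```python
import ipaddress

# Constructed ACL table mirroring the squid.conf quoted in the thread (not Squid's own code).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}
LAN = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "192.168.3.0/24", "192.168.10.0/24")]
LOCALHOST = ipaddress.ip_network("127.0.0.0/8")

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

# Each ACL is a predicate over a request dict with keys src, dst, port, method.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: in_nets(r["src"], [LOCALHOST]),
    "webconfig_lan": lambda r: in_nets(r["src"], LAN),
    "webconfig_to_lan": lambda r: in_nets(r["dst"], LAN),
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
}

def http_access(rules, req):
    """First-match evaluation as Squid applies http_access: a rule matches when every
    ACL term matches (a leading '!' negates). No match: opposite of the last rule."""
    for action, *terms in rules:
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rules as posted (manager rules omitted; they are unaffected by the ordering issue).
ORIGINAL = [
    ("allow", "webconfig_to_lan"),
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("allow", "localhost"),
    ("allow", "webconfig_lan"),
    ("deny", "all"),
]
# Amos's suggestion: the dst-based allow moves below the basic protections.
REORDERED = [ORIGINAL[1], ORIGINAL[2], ORIGINAL[0]] + ORIGINAL[3:]

# Constructed sample requests: a non-LAN client aiming at a LAN host on a non-Safe port,
# and an ordinary LAN client fetching a web page.
OUTSIDER_TO_LAN_SMTP = {"src": "203.0.113.5", "dst": "192.168.2.10", "port": 25, "method": "CONNECT"}
LAN_CLIENT_WEB = {"src": "192.168.2.20", "dst": "198.51.100.7", "port": 80, "method": "GET"}
```

With the posted order the outsider's CONNECT to a LAN host on port 25 is allowed by the first rule; once the allow sits below `deny !Safe_ports` it is denied, while the LAN client's ordinary request is allowed either way.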