In my squid.conf http_port 3128 http_port 3129 intercept
Thanks On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Squid access denied? > > Look at this: > > In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to any > >> port 80 -> 10.0.0.24 port 3129 > > Which port configured in Squid as intercept? > > 3129? > > and 3128 is forwarding? > > 05.03.15 19:36, [email protected] пишет: > > Yes that's what I followed and user is getting a "access denied" > > from the squid when he tries www.cnn.com > > > > Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G > > LTE network. Original Message From: Yuri Voinov Sent: Thursday, > > March 5, 2015 8:22 AM To: [email protected] > > Subject: Re: [squid-users] squid intercept config > > > > > http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute > > > > > http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf > > > > 05.03.15 18:19, Monah Baki пишет: > >> Hi all, can anyone verify if this is correct, need to make ure > >> that users will be able to access the internet via the squid. > > > >> Running FreeBSD with a single interface with Squid-3.5.2 > > > >> Policy based routing on Cisco with the following: > > > > > >> interface GigabitEthernet0/0/1.1 > > > >> encapsulation dot1Q 1 native > > > >> ip address 10.0.0.9 255.255.255.0 > > > >> no ip redirects > > > >> no ip unreachables > > > >> ip nat inside > > > >> standby 1 ip 10.0.0.10 > > > >> standby 1 priority 120 > > > >> standby 1 preempt > > > >> standby 1 name HSRP > > > >> ip policy route-map CFLOW > > > > > > > >> ip access-list extended REDIRECT > > > >> deny tcp host 10.0.0.24 any eq www > > > >> permit tcp host 10.0.0.23 any eq www > > > > > > > >> route-map CFLOW permit 10 > > > >> match ip address REDIRECT set ip next-hop 10.0.0.24 > > > >> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to > >> any port 80 -> 10.0.0.24 port 3129 > > > >> # block in pass in log quick on bge0 pass out log quick on bge0 > >> pass out keep state > > > >> and finally in my squid.conf: http_port 3128 http_port 3129 > >> intercept > > > > > > > >> And for testing purposes from the squid server: ./squidclient -h > >> 10.0.0.24 -p 3128 http://www.freebsd.org/ > > > >> If I replace -p 3128 with -p 80, I get a access denied, and if I > >> omit the -p 3128 completely, I can access the websites. > > > >> tcpdump with (-p 3128) > > > >> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > > >> wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, > >> options [nop,nop,TS val 985588797 ecr 1054387720], length 0 > >> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > > >> ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win > >> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length > >> 1448 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > > >> ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win > >> 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length > >> 1448 > > > > > > > >> Did I miss anything? > > > >> Thanks Monah > > > > > > > >> _______________________________________________ squid-users > >> mailing list [email protected] > >> http://lists.squid-cache.org/listinfo/squid-users > > > > _______________________________________________ squid-users mailing > > list [email protected] > > http://lists.squid-cache.org/listinfo/squid-users > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > > iQEcBAEBAgAGBQJU+F2gAAoJENNXIZxhPexGivEH/jh0uoMFUNiqROuSVfnCbd4F > pzcgm//4M3CRFCCGYT+u7VA14Uw5EPz/3vIiOQZFWrZLt9zZdtIlHqPA0ucBi5U5 > cfHwlOhAXWMihM0gUYCATWit6c+cY9bvFS9wHzav9RJK8aRFWGczBhPLfFMGV8/y > WTgnCh3ViR3ZjilLhM3MB1nd4pNzn01BM9X3rteGu5d1zh6hznyEIqMAzUXFcBeF > cnsWPnXkhU/r13X7zk0K6nF9tSaSIvbYJQaTWRl5DvkYVwQgCcPUwQ5yleWh70Ex > MycgylzjEqCAO4rqpYwV/v8/meb8+QzgK3e1KFRXDz91/zUz8LGO0ns7LzhAKFM= > =ZRtj > -----END PGP SIGNATURE----- >
_______________________________________________ squid-users mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-users
