Squid 3.5.x?
24.06.15 18:03, Dalmar пишет:
Hi,
For over two weeks i am having a really headache in configuring squid
transparent/intercept.
I have tried different options and configurations but i couldn't get
it to work.
i think the problems lies in the Iptables / NAT but i really couldn't
solve it.
I have tried different iptable rules including the intercept linuxDnat
- sysctl configuration, but didnt work.
# your proxy IP
SQUIDIP=X.X.X.X
# your proxy listening port
SQUIDPORT=XXXX
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
--to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
i have to say that squid works well when i configure in the client
browsers.
at the mikrotik side, i am using DST-NAT chain port 80 pro TCP action
DST-NAT to address squidIP and Port
i am using ubuntu server 15.04 using squid 3.3.8 and this is my
configuration and the errors i get:
------ eth0 WAN <----- MAIN WAN Public IP Internet
MK---|
------ eth1 LAN
|
------ eth2 Proxy
------ eth0 WAN ---> Public IP --> Internet --> gets internet
from 24online / another Mikrotik
Squid---|
------ eth1 Proxy
|
------ eth2 webmin --> For server Management
-error1: if no intercept/transparent and no iptables is configured
-Invalid URL - The requested url could not be retrieved
-but if proxy is configured in the user browser - it works!
-error2:if intercept and iptable DNAT is configured
-Access Denied and in the access log TCP-MISS/403
-no forward proxy port configured
-security alert : host header forgery detected on local=
SquidIP:8080 remote:mikrotikIP (local ip does not match any domain name)
-warning : forwarding loop detected (x-Forwarded-for mikrotik
lan IP)
squid.conf
acl localnet src 10.0.0.0/8 <http://10.0.0.0/8># RFC1918 possible
internal network
acl localnet src 192.168.0.0/16 <http://192.168.0.0/16># RFC1918
possible internal network
acl SSL_ports port 443
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443# https
acl Safe_ports port 70# gopher
acl Safe_ports port 210# wais
acl Safe_ports port 1025-65535# unregistered ports
acl Safe_ports port 280# http-mgmt
acl Safe_ports port 488# gss-http
acl Safe_ports port 591# filemaker
acl Safe_ports port 777# multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080
http_port 8181
cache_mem 2000 MB
cache_dir ufs /var/spool/squid3 100000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:144020%10080
refresh_pattern ^gopher:14400%1440
refresh_pattern -i (/cgi-bin/|\?) 00%0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern .020%4320
cache_effective_user proxy
cache_effective_group proxy
----------------------------------------
I am really confused, can anyone guide me please.
Thanks in advance
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
