Thank you so much Matus, we were indeed missing a DNS service:

> Your proxy is already listening on port 80 and 443 for directly
> receiving traffic to any domain with a DNS entry of 192.168.0.188.

best,
*Juan Carlos*
*Join our mailing list <http://lists.mediaarchitecture.org/?p=subscribe&id=1> (Max 1-mail / month)*

On Mon, 22 Oct 2018 at 15:12, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 23/10/18 1:26 AM, Juan Carvajal B. wrote:
> > Dear list,
> >
> > I hope you can give me some hints for my current task.
> >
> > I would like to achieve the following:
> >
> > 1. A user comes with their own device, for example phone or tablet.
> > 2. The user connects to our own WLAN network
> > 4. The user enters the address of our website
> > 3. The user can only access our website, which is hosted in a server *not
> > connected* to the internet.
> >
> > We have the following set up
> >
> > Tablets / phones <---> WLAN router <---> server
> >
> > please note that there is *no* connection to internet. The server is
> > connected to the "internet" port of the router.
> >
> > The server runs ubuntu & apache.
> >
> > I've been trying to achieve this with squid but I get a **warning of a
> > forwarding loop**. I do not know what I'm doing wrong.
> >
> > I'm following this:
> > https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
> > https://wiki.squid-cache.org/SquidFaq/ReverseProxy
> >
> > Here are my conf files:
> >
> > ****squid.conf****
> >
> >
> > visible_hostname squid.proxy
>
> I have seen other people using this "squid.proxy" as the FQDN of their
> proxy. It is likely that your chosen proxy hostname is not unique.
>
> Since this is a reverse-proxy it is best to set this to the FQDN of the
> primary website you are proxying.
>
> >
> > http_port 3128 intercept
> > http_port 192.168.0.188:80 accel defaultsite=our.domain.org
> > http_port 192.168.0.188:443 accel defaultsite=our.domain.org
>
> The above should be https_port and requires the TLS certificate for the
> domain being virtual-hosted.
>
> see <https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>
> which I added just yesterday.
>
> > cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> > acl our_sites dstdomain our.domain.org
> > http_access allow our_sites
> > cache_peer_access myAccel allow our_sites
> > cache_peer_access myAccel deny all
>
> Move the above custom configuration down to ...
>
> > acl SSL_ports port 443
> > acl CONNECT method CONNECT
> > http_access deny !Safe_ports
>
> You do not have any definition of Safe_ports above. It should contain at
> least 80 and 443 for your proxy.
>
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
>
> ... here.
>
>
> You are missing good rules for traffic arriving on the port 3128. The
> below "allow all" is very bad.
>
>
> > http_access allow localhost
> > http_access allow all
>
> That should be:
>
>   http_access deny all
>
> > ...
> >
> > ****IPTABLES****
> >
> > # your proxy IP
> > SQUIDIP=192.168.0.188
> > # your proxy listening port
> > SQUIDPORT=3128
> > iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
> > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
> >
>
> Here is your problem. You have not bypassed the traffic Squid is sending
> to 127.0.0.1:80.
>
> Traffic to/from localhost does not use global IP addresses such as
> 192.168.0.188. Thus Squid's attempts to send traffic to Apache are being
> looped back into port 3128 by iptables.
>
>
> What is the point of all this interception anyway?
>
> Your proxy is already listening on port 80 and 443 for directly
> receiving traffic to any domain with a DNS entry of 192.168.0.188.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
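
Three of the review points raised against the quoted squid.conf (an ACL used without a definition, port 443 declared on `http_port`, and an access list ending in `allow all`) can be checked mechanically before a proxy goes live. The Python below is an added example, not code from the thread or from the Squid project; `lint_squid_conf`, `SAMPLE_CONF` and `BUILTIN_ACLS` are hypothetical names, and the set of predefined ACLs is an assumption that holds for Squid 3.2 and later.

```python
# Constructed sample: the squid.conf lines quoted in the thread, wraps rejoined.
SAMPLE_CONF = """\
visible_hostname squid.proxy
http_port 3128 intercept
http_port 192.168.0.188:80 accel defaultsite=our.domain.org
http_port 192.168.0.188:443 accel defaultsite=our.domain.org
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain our.domain.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
"""

# Assumption: ACL names that Squid 3.2+ predefines without an "acl" line.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}


def lint_squid_conf(text):
    """Return sorted (line_number, message) findings for the review points above."""
    findings, defined, last_access = [], set(BUILTIN_ACLS), None
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(tok) < 2:
            continue
        if tok[0] == "acl":
            defined.add(tok[1])  # Squid requires an ACL to be defined before use
        elif tok[0] == "http_access":
            last_access = (n, tok[1:])
            for name in (t.lstrip("!") for t in tok[2:]):
                if name not in defined:
                    findings.append((n, f"ACL {name} used before any acl line defines it"))
        elif tok[0] == "http_port" and tok[1].endswith(":443") and "accel" in tok:
            findings.append((n, "http_port on 443: TLS needs https_port plus a certificate"))
    if last_access and last_access[1] != ["deny", "all"]:
        findings.append((last_access[0], "http_access list does not end with deny all"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, message in lint_squid_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```

The linter only reads the file's text; `squid -k parse` remains the authoritative syntax check on the proxy host itself.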