Author Topic: how to use two network in squd proxy with one internet connection (Read 14563 times)

nmmurali · « **on:** May 21, 2010, 01:11:20 PM »

Dear Friends,

I configured squid proxy server in centOS 5.4 and its working fine. Now i want to configure one more network in the same proxy server

running network : 192.168.2.0 (with limited access only)
i want to configure : 192.168.1.0 (With full access)

It is possible or not please helpme

Advanced thanks for all members

kaushalpatel1982 · « **Reply #1 on:** May 22, 2010, 03:17:17 AM »

It is very much possible. You didn't say what kind of limited access you want to configure? Still you just need to configure ACL in squid.conf as follow

acl blocksite url_regex -i test
acl limitedaccess src 192.168.2.0/255.255.255.0
acl fullaccess src 192.168.1.0/255.255.255.0

http_access allow !blockurl limitedaccess
http_access allow fullaccess
http_access deny all

The above configuration will not allow 192.168.2.0 network to access site with keyword test when it will be allowed from 192.168.1.0 network.

nmmurali · « **Reply #2 on:** May 22, 2010, 09:35:56 AM »

Dear kaushalpatel

My squid.conf was like this

# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
acl blockfiles urlpath_regex "/etc/squid/block.files.acl"
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
# Particular sites blocking for clients its a own rule *************Murali*****************
acl blocksites dstdomain .yahoo.com
acl blocksites dstdomain .rediff.com
acl blocksites dstdomain .hotmail.com
http_access deny blocksites

acl blockregexurl url_regex -i musicacl blockregexurl url_regex -i live
acl blockregexurl url_regex -i news
acl blockregexurl url_regex -i sexsites
acl blockregexurl url_regex -i mallu
http_access deny blockregexurl

#http_access allow our_networks
acl nomus_network src 192.168.2.0/255.255.255.0
acl business_hours time M T W H F A 9:35-19:20
http_access allow nomus_network business_hours

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

my squid proxy server ip: 192.168.2.2 and new network is 192.168.1.0 wants full access

please helpme

Advanced thanks kaushal

kaushalpatel1982 · « **Reply #3 on:** May 24, 2010, 05:23:37 AM »

I guess you already have IP address of the another network on this machine or the machine is accessible in anyway by the second network you said.

Take backup of your current configuration file first.

Please check the lines in Bold and do the necessary change and restart the squid service.

#######################################################
acl blockfiles urlpath_regex "/etc/squid/block.files.acl"
deny_info ERR_BLOCKED_FILES blockfiles
#remove/comment the line blow
http_access deny blockfiles

# Particular sites blocking for clients its a own rule *************Murali*****************
acl blocksites dstdomain .yahoo.com
acl blocksites dstdomain .rediff.com
acl blocksites dstdomain .hotmail.com
#remove/comment the line blow
#http_access deny blocksites

acl blockregexurl url_regex -i musicacl blockregexurl url_regex -i live
acl blockregexurl url_regex -i news
acl blockregexurl url_regex -i sexsites
acl blockregexurl url_regex -i mallu
#remove/comment the line blow
#http_access deny blockregexurl

#http_access allow our_networks
acl nomus_network src 192.168.2.0/255.255.255.0
acl nomus_network_2 src 192.168.1.0/255.255.255.0
acl business_hours time M T W H F A 9:35-19:20
http_access allow !blockfiles !blockregexurl !blocksites nomus_network business_hours
http_access allow nomus_network_2

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
#######################################################

nmmurali · « **Reply #4 on:** May 24, 2010, 09:11:36 AM »

Dear kaushalpatel

I am sorry to say this after configuration it showing the message like this

Stopping squid: [FAILED]
Starting squid: [FAILED]

If you don't mind i will show you my complete configuration
Please check the lines in Bold is my configuration

# TAG: acl
# Defining an Access List
acl nomus_network src 192.168.2.0/255.255.255.0
acl nomus_network src 192.168.1.0/255.255.255.0
acl business_hours time S M T W H F A 9:35-19:20

# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
acl blockfiles urlpath_regex "/etc/squid/block.files.acl"
deny_info ERR_BLOCKED_FILES blockfiles
#Particular sites blocking for clients
acl blocksites dstdomain .yahoo.com
acl blocksites dstdomain .rediff.com
acl blocksites dstdomain .gmail.com
acl blocksites dstdomain .hotmail.com
acl blocksites dstdomain .youtube.com
acl blocksites dstdomain .orkut.com
acl blocksites dstdomain .eenadu.net
acl blocksites dstdomain .mail.com
acl blocksites dstdomain .monsterindia.com
acl blocksites dstdomain .timesjobs.com
acl blocksites dstdomain .shine.com
acl blocksites dstdomain .olx.in
acl blocksites dstdomain .accenture.com
acl blocksites dstdomain .meebo.com
acl blocksites dstdomain .naukuri.com
# Words blocking in any sites
acl blockregexurl url_regex -i shaadi
acl blockregexurl url_regex -i music
acl blockregexurl url_regex -i live
acl blockregexurl url_regex -i sex
acl blockregexurl url_regex -i bollywood
acl blockregexurl url_regex -i masala
acl blockregexurl url_regex -i blogspot
acl blockregexurl url_regex -i mallu
acl blockregexurl url_regex -i news
acl blockregexurl url_regex -i songs
acl blockregexurl url_regex -i yahoo
acl blockregexurl url_regex -i gmail
acl blockregexurl url_regex -i rediff
acl blockregexurl url_regex -i hotmail
acl blockregexurl url_regex -i mails

#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 110
acl Safe_ports port 25
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

http_access allow !blockfiles !blocksites !blockregexurl
http_access allow nomus_network business_hours
http_access allow nomus_network_2

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

# TAG: http_access2
# Allowing or Denying access based on defined access lists
#
# Identical to http_access, but runs after redirectors. If not set
# then only http_access is used.
#
#Default:
# none

# Squid normally listens to port 3128
http_port 3128
http_port 192.168.2.2:999

Network cards eth0: 192.168.1.221 /255.255.255.0 Gateway: 192.168.1.220 (wan)
eth1: 192.168.2.2 / 255.255.255.0 Gateway: 192.168.1.221 (lan)
Working configuration is IP: 192.168.2.3 to 192.168.2.150
Subnet : 255.255.255.0
Gateway : 192.168.2.2 (Proxy Server IP)

Requirement network (With Full access) IP: 192.168.1.5 to 192.168.1.50
Subnet: 255.255.255.0
Gateway : 192.168.2.2

So please helpme kaushal
Thanks a lot

Regards
Murali

kaushalpatel1982 · « **Reply #5 on:** May 24, 2010, 01:34:11 PM »

1. You configured your networks with same ACL name which should be different as I mentioned in previous discustion.

2. In HTTP_Access, You are trying to deny sites for all networks. You have to again follow the configuration as pervious discustion.

3. Rather this many blocksite list you shoudl create a file and configure it like you have configured it for Block file. and same suggestion for Blockregexurl.

4. I dont know why you configure "http_port 192.168.2.2:999". If you want to use that Only from this IP address and port of server will be used by server then comment the above line. Also add the same line for another network if required.

It seem like your squid was not working when you restarted the service. Restart the service once you have change your configuration.

nmmurali · « **Reply #6 on:** May 28, 2010, 04:10:20 AM »

Dear kaushalpatel

Now i changed my configuration setup now iam using previous configuration as it is means 192.168.2.0 but new network is 192.168.3.0

eth0 : wan ip
eth1: 192.168.2.0 Network
eth2: 192.168.3.0 Network

In squid.conf file is 192.168.2.2:999

In above 192.168.2.2 is proxy server ip and 999 is port number because in clients are using based on proxy server i need to configure the client browser proxy server ip with port number otherwise they are not getting internet.

In present configuration

eth0 : 192.168.1.218/255.255.255.0/192.x.x.x (gateway)
eth1 : 192.168.2.2/ 255.255.255.0 / 192.168.1.218
eth2 : 192.168.3.1/255.255.255.0 / 192.168.1.218

In the squid file i configured 192.168.3.1:3128

Now 3.1 network clients are getting internet based on above configuration but they are getting internet based on 2.2 network condition (blocking) why i need 3.1 network with full access

squid.conf

acl nomus_network src 192.168.2.0/255.255.255.0
acl nomus_network_2 src 192.168.3.0/255.255.255.0
acl business_hours time M T W H F A 9:30-18:00
http_access allow nomus_network business_hours
http_access allow nomus_network_2

http_port 192.168.2.2:999
http_port 192.168.3.1:3128

Kaushal please telme any miss configuration

Thanks a lot

Author Topic: how to use two network in squd proxy with one internet connection (Read 14563 times)

nmmurali

how to use two network in squd proxy with one internet connection

kaushalpatel1982

Re: how to use two network in squd proxy with one internet connection

nmmurali

Re: how to use two network in squd proxy with one internet connection

kaushalpatel1982

Re: how to use two network in squd proxy with one internet connection

nmmurali

Re: how to use two network in squd proxy with one internet connection

kaushalpatel1982

Re: how to use two network in squd proxy with one internet connection

nmmurali

Re: how to use two network in squd proxy with one internet connection