Configuring Squid Proxy server & Transparent Proxy

[JoeDirte]

What i'm trying to setup is this.  when a user opens up any browser they are redirected to a login page once logged in the can browse the internet normaly.  depending on their login and pass certain websites are not allowed.  ie childs login bans certian websites while an admin has unrestriceted access to everything.
Trying to implement this with squid/squidguard.  I have seen something similar to this at the university with thier wireless connection. would like to use a transparent proxy with this setup.

[Ricky]

Proxy authentication don't works good in transparent way.. it works best when used as normal proxy.

Btw.. mutthu is also trying to solve something like yours.. better he can solve u out.. but it is possible.

[chandu]

how to configure in linux for internet sharing

[Ricky]

@chandu ..

You are actually asking for NAT. I have already given tutorial for that --> Internet sharing in linux .
Instead you can also use firestarter. A gui for your task.

[sabobo]

hi! i was trying to setup a proxy n i follow the confiig from the proxy how to but im having this mssg in my /var/logs/cache.log

Squid Cache (Version 2.5.STABLE1): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.000 user + 0.020 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 478
2005/06/06 19:06:41| Starting Squid Cache version 2.5.STABLE1 for i386-redhat-linux-gnu...
2005/06/06 19:06:41| Process ID 4010
2005/06/06 19:06:41| With 1024 file descriptors available
2005/06/06 19:06:41| Performing DNS Tests...
FATAL: ipcache_init: DNS name lookup tests failed.

nd my client cant connect to the proxy i setup, i mean client cant brows using my proxy
what seems to be the problem

[Ricky]

Code: [Select]

FATAL: ipcache_init: DNS name lookup tests failed.
This is the problem. Your proxy is not running and reason is that you need to make sure your internet is connected and you are able to open websites in that machine one which are running squid.
Actually squid is unable to verify if you are connected to internet or not.

[sabobo]

ahhh... ok now i understand, Thank you! bro i really appreciate ur help. but theres another thing..... u see before i configure the squid.conf my pc can connect to the internet connecting to the dsl modem router, then i tried configuring rc.nat the one in ur rc.nat how2 n it works fine...all clients that i connect on my pc to share internet works fine, they are all connecting to internet using the ip of my pc. that means that i configure it good ryt?. but when i configure the squid.conf (follwng ur squid how2) that thing happend n when i try to surf on my pc i cant surf. am i missing somthing or what. oh btw my squid.conf is in /etc/squid/squid.conf not in usr/local/squid/etc/squid.conf and my cache.log is in /var/log/cache.log not in /usr/local/squid/var/logs/cache.log  n im using redhat 9......maybee that matters. does it?

[omnia]

Hi Ricky

im using fedora core 3 do i have to change any thing in the redirect command as im installing transparent squid

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

cause it seems to be not working

and when do i need to use DNAt

[Ricky]

You don't need to do any changes.. all you have to make sure that you are specifiying right interface and right port.

[Dafoe]

Hi,

I´m trying to access my newly configured squid proxy on my linux box which is on a different localnet. The machine which is designed to use that proxy connects to internet through another machine.

So here´s my linux-box squid.conf

where "honnun" is the outside ipaddress of my computer.

Code: [Select]


maximum_object_size 8192 KB  


cache_mem 16 MB


cache_dir ufs /usr/local/misc/squid_cache 2048 22 256


cache_store_log none


#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255


#acl your_network src 192.168.0.0/255.255.255.0
acl honnun src 194.105.243.29
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


http_access allow honnun
http_access deny all
icp_access allow all
miss_access allow all

cache_mgr ari.bjornsson@gmail.com

visible_hostname bender.verk.hi.is
unique_hostname bender.verk.hi.is

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

http_port 3128



when I put bender.verk.hi.is and port 3128 in IE proxy settings I get the error:

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
contact administrator ari.bjornsson@gmail.com

Squid starts normally, here is the log file:

Code: [Select]


2005/07/18 19:41:34| Starting Squid Cache version 2.5.STABLE9 for i386-debian-linux-gnu...
2005/07/18 19:41:34| Process ID 6449
2005/07/18 19:41:34| With 1024 file descriptors available
2005/07/18 19:41:34| DNS Socket created at 0.0.0.0, port 32812, FD 6
2005/07/18 19:41:34| Adding nameserver 130.208.165.10 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 130.208.165.82 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 130.208.165.11 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 130.208.165.87 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 213.176.128.50 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 213.176.128.51 from /etc/resolv.conf
2005/07/18 19:41:34| User-Agent logging is disabled.
2005/07/18 19:41:34| Referer logging is disabled.
2005/07/18 19:41:34| Unlinkd pipe opened on FD 11
2005/07/18 19:41:34| Swap maxSize 2097152 KB, estimated 161319 objects
2005/07/18 19:41:34| Target number of buckets: 8065
2005/07/18 19:41:34| Using 8192 Store buckets
2005/07/18 19:41:34| Max Mem  size: 16384 KB
2005/07/18 19:41:34| Max Swap size: 2097152 KB
2005/07/18 19:41:34| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2005/07/18 19:41:34| Store logging disabled
2005/07/18 19:41:34| Rebuilding storage in /usr/local/misc/squid_cache (CLEAN)
2005/07/18 19:41:34| Using Least Load store dir selection
2005/07/18 19:41:34| Set Current Directory to /var/spool/squid
2005/07/18 19:41:34| Loaded Icons.
2005/07/18 19:41:35| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
2005/07/18 19:41:35| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2005/07/18 19:41:35| HTCP Disabled.
2005/07/18 19:41:35| WCCP Disabled.
2005/07/18 19:41:35| Ready to serve requests.
2005/07/18 19:41:35| Done reading /usr/local/misc/squid_cache swaplog (0 entries)
2005/07/18 19:41:35| Finished rebuilding storage from disk.
2005/07/18 19:41:35|         0 Entries scanned
2005/07/18 19:41:35|         0 Invalid entries.
2005/07/18 19:41:35|         0 With invalid flags.
2005/07/18 19:41:35|         0 Objects loaded.
2005/07/18 19:41:35|         0 Objects expired.
2005/07/18 19:41:35|         0 Objects cancelled.
2005/07/18 19:41:35|         0 Duplicate URLs purged.
2005/07/18 19:41:35|         0 Swapfile clashes avoided.
2005/07/18 19:41:35|   Took 0.3 seconds (   0.0 objects/sec).
2005/07/18 19:41:35| Beginning Validation Procedure
2005/07/18 19:41:35|   Completed Validation Procedure
2005/07/18 19:41:35|   Validated 0 Entries
2005/07/18 19:41:35|   store_swap_size = 0k
2005/07/18 19:41:35| storeLateRelease: released 0 objects


why can´t I access internet through my proxy ? (the linux-box is connected to the internet)

regards,
Ari Björnsson

[Ricky]

Here problem is at two places..

1.

Code: [Select]


#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255
it should be .

Code: [Select]


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
as you should define ur own computer also..

Secondly ..

Code: [Select]

acl honnun src 194.105.243.29
will only allow acess to that ip .. ie 194.105.243.29.
I think you are trying to give acess to a network and hence it should be like..

Code: [Select]

acl honnun src 194.105.243.0/255.255.255.0 only if its a class C network.

Other than that I feel everything fine.. and kindly read the first page about configuration again.

[taiwo]

the explanation you gave for the squid.when i tried it, it accepted all the syntax but it did not work for me .

[Ricky]

taiwo..

sorry but I don't understand.. wht is not working for u ? ! can you explain little more ?
btw give me last few lines of your cache.log .. say last 10 lines.

[praful_thakare]

Hello Rickey....javascript:emoticon(':D')
Very Happy

i ask u about how to configure squid proxy of smoothwall  you tell me about that thanks for that but my problem not solved yet.....javascript:emoticon(':(')
Sad

here i install the smoothwall it running fine all user accessing the intrenet through proxy only but i have no controlle over it....

i try to configure acl like allow only specific PC on the network i made changes in acl file here is my default configuration file

acl all src 0.0.0.0./0.0.0.0.
acl localhost src 127.0.0.1/255.255.255.255

acl SSL_Ports port 445 443 441 563
acl Safe_Ports 80                                  #http
acl Safe_Ports 81                                    #smoothwall http
acl Safe_Ports 21                                   # ftp
acl Safe_Ports 445 443 441 563              # https,snews
acl Safe_Ports 70                                  # gopher
acl Safe_Ports 210                                # wais
acl Safe_Ports 1025-65535                    # unregistry ports
acl Safe_Ports 280                               # http_mgmt
acl Safe_Ports 488                              #gss_http
acl Safe_Ports 591                              # filemaker
acl Safe_Ports 777                              # multiling http

acl CONNECT method CONNECT
http_access allow localnet
http_access deny !safe_port
http_access deny CONNECT ! SSL_Potrs
http_access allow localnet
http_access dent all


this is my default config file i made changes for allow only speacific PC to access the internet i done cahnges at before line containing
http_access deny all
i inserted follwing line

acl ok_users src 192.168.0.2
acl ok_users src 192.168.0.3
http_access allow ok_users

and here i done one thing i comment the line
http_access allow localnet as
#http_access allow localnet

please kindly tell me where i m wrong because whenever i do this changes my whole internet access block by the proxy server that is squid...


here i want configure squid such that i can block the users from accessing internet and i have decide there time of accessing the internet


one more thing how install man pages in smoothwall...as there is no manual pages in the smmothwall


and want to one thing that is it possible to configure the squid such that while accessing the internet it will ask for username and password that is authontication

please help me here i am new one -
thank you
sorry for trouble   javascript:emoticon(':(')
Sad

[Ricky]

hmm..

First of I would like to tell you that you have to understand few things about squid. here you are totally wrong and also smoothwall rewrite its squid.conf every time you start squid so you have to edit separate acl file in squid , I think you know it (now I don't remember its path).

So you have asked.
1. How to allow only specific ip.
2. How to allow user only at specific time.
3. How to install man pages.

For first question:
You should first make sure your squid.conf is normal one. Then remove line for local net ie don't allow local net , only allow specific ips.. for that

Code: [Select]

# This line will specify good ips, you can add as many as ip you want in this line, just leave a space after every ip.
acl good_ips src 192.168.4.4

 #this line will give access to good ips.
http_access allow good_ips

 #This one blocks everything else than the allowed one.
http_access deny all

For IInd question, see Squid time acl

For IIIrd question. I recommend you to ask it as separate topic in appropriate section so that you can get better answers.