Re: Squid3 in intercept mode
On 2013-06-19, Lars Nooden lars.noo...@gmail.com wrote:
> On Wed, 19 Jun 2013, Reyk Floeter wrote:
>> Anyway, you should make sure to use divert-to instead of rdr-to in your pf.conf. rdr-to is considered to be obsolete for userland proxies (except for spamd).
>
> That solved it exactly. I had not seen the change and had been trying rdr-to instead of divert-to.

Did you find any official instructions with out-of-date information? I have made sure that the pkg-readme and also Squid's wiki have correct information for interception proxies.
Re: Squid3 in intercept mode
On Thu, 20 Jun 2013, Stuart Henderson wrote:
> On 2013-06-19, Lars Nooden lars.noo...@gmail.com wrote:
>> On Wed, 19 Jun 2013, Reyk Floeter wrote:
>>> Anyway, you should make sure to use divert-to instead of rdr-to in your pf.conf. rdr-to is considered to be obsolete for userland proxies (except for spamd).
>>
>> That solved it exactly. I had not seen the change and had been trying rdr-to instead of divert-to.
>
> Did you find any official instructions with out-of-date information? I have made sure that the pkg-readme and also Squid's wiki have correct information for interception proxies.

No. It was my fault for going through the README but not catching 'divert-to'. I had gotten the two confused with what I had once (last) set up with 4.2 or 4.1. I did notice that pf.conf(5) has several examples for rdr-to which seem on the surface to do what I was aiming for, but none for divert-to.

Regards,
/Lars
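Since pf.conf(5) shows rdr-to examples but none for divert-to, here is an added pf.conf fragment (not from the thread or from the Squid port) that puts the obsolete rule beside the corrected one. It assumes the LAN interface is em1 and that Squid listens on 127.0.0.1:3128 with "intercept", as in the posts above.

```pf
# Added example, not from the thread. Assumes LAN interface em1 and
# Squid listening on 127.0.0.1:3128 intercept.

# Obsolete form (produced TCP_DENIED/403 in this thread): rdr-to rewrites
# the packet's destination, and rdr-to is no longer the supported way to
# hand connections to a userland proxy on OpenBSD (spamd is the exception).
# pass in on em1 inet proto tcp from em1:network to any port 80 \
#     rdr-to 127.0.0.1 port 3128

# Corrected form: divert-to delivers the packets to the local socket
# without modifying them, so getsockname(2) on the accepted connection
# still returns the original destination, which is what Squid's
# "intercept" port relies on.
pass in on em1 inet proto tcp from em1:network to any port 80 \
    divert-to 127.0.0.1 port 3128

# Keep other LAN traffic flowing as before; only port 80 is intercepted.
pass in on em1 inet proto tcp from em1:network to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` should then list the divert-to rule, and access.log should show TCP_MISS or TCP_HIT entries instead of TCP_DENIED/403.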
Squid3 in intercept mode
I'm running into some difficulty with access denied in squid3 when I switch it to act as an intercepting proxy. It works as normal when I use it as a regular proxy, but when turning on intercepting (formerly transparent proxying) the web browser shows this error:

  ...Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect ...

and the access log shows this kind of message in intercept mode but not as a normal proxy:

  1371640231.979 3 192.168.2.33 TCP_DENIED/403 4014 GET http://blogs.hbr.org/cs/2013/06/you_have_no_control_over_s.html - HIER_NONE/- text/html
  1371640232.045 3 192.168.2.33 TCP_DENIED/403 3922 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html

So I can see that PF is properly forwarding the connection and that the browser is actually reaching squid3. However, even completely removing any access limitations in squid.conf does not let the browser through. The following should be open but still produces the TCP_DENIED message:

  http_access allow all
  ...
  http_port 127.0.0.1:3128 intercept

This occurs in 5.3-stable on i386 with both squid/3.2.11 from ports and with squid/3.2.7p0 from the CD, so what should I look at changing?

Regards,
/Lars
Re: Squid3 in intercept mode
On 06/19/13 15:08, Lars Noodén wrote:
> I'm running into some difficulty with access denied in squid3 when I switch it to act as an intercepting proxy. It works as normal when I use it as a regular proxy, but when turning on intercepting (formerly transparent proxying) the web browser shows this error:
>
>   ...Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect ...
>
> and the access log shows this kind of message in intercept mode but not as a normal proxy:
>
>   1371640231.979 3 192.168.2.33 TCP_DENIED/403 4014 GET http://blogs.hbr.org/cs/2013/06/you_have_no_control_over_s.html - HIER_NONE/- text/html
>   1371640232.045 3 192.168.2.33 TCP_DENIED/403 3922 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
>
> So I can see that PF is properly forwarding the connection and that the browser is actually reaching squid3. However, even completely removing any access limitations in squid.conf does not let the browser through. The following should be open but still produces the TCP_DENIED message:
>
>   http_access allow all
>   ...
>   http_port 127.0.0.1:3128 intercept
>
> This occurs in 5.3-stable on i386 with both squid/3.2.11 from ports and with squid/3.2.7p0 from the CD, so what should I look at changing?
>
> Regards,
> /Lars

Hello,

I have a setup of squid on 5.3 (not -stable though) with intercept, here is my squid.conf file:

  acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
  acl localnet src 127.0.0.0/8
  acl SSL_ports port 443
  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT
  http_access allow localhost manager
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localnet
  http_access allow localhost
  http_access deny all
  http_port 127.0.0.1:3128 intercept
  icp_port 0
  htcp_port 0
  snmp_port 0
  cache_mem 512 MB
  cache_dir ufs /var/squid/cache 100 16 256
  access_log syslog:daemon.debug
  max_filedesc 1024
  coredump_dir /var/squid/cache
  refresh_pattern ^ftp: 1440 20% 10080
  refresh_pattern ^gopher: 1440 0% 1440
  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  refresh_pattern . 0 20% 4320

And the pf rule to make this work looks like this:

  pass in on gif0 inet proto tcp from any to any port = 80 flags S/SA keep state (sloppy) divert-to 127.0.0.1 port 3128

It works for me.

-peter
Re: Squid3 in intercept mode
Hi,

I think this is a little bit off-topic on this list, or should we start discussing all problems of all ports here? ...

Anyway, you should make sure to use divert-to instead of rdr-to in your pf.conf. rdr-to is considered to be obsolete for userland proxies (except for spamd).

Reyk

On Wed, Jun 19, 2013 at 04:08:06PM +0300, Lars Noodén wrote:
> I'm running into some difficulty with access denied in squid3 when I switch it to act as an intercepting proxy. It works as normal when I use it as a regular proxy, but when turning on intercepting (formerly transparent proxying) the web browser shows this error:
>
>   ...Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect ...
>
> and the access log shows this kind of message in intercept mode but not as a normal proxy:
>
>   1371640231.979 3 192.168.2.33 TCP_DENIED/403 4014 GET http://blogs.hbr.org/cs/2013/06/you_have_no_control_over_s.html - HIER_NONE/- text/html
>   1371640232.045 3 192.168.2.33 TCP_DENIED/403 3922 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
>
> So I can see that PF is properly forwarding the connection and that the browser is actually reaching squid3. However, even completely removing any access limitations in squid.conf does not let the browser through. The following should be open but still produces the TCP_DENIED message:
>
>   http_access allow all
>   ...
>   http_port 127.0.0.1:3128 intercept
>
> This occurs in 5.3-stable on i386 with both squid/3.2.11 from ports and with squid/3.2.7p0 from the CD, so what should I look at changing?
>
> Regards,
> /Lars
Re: Squid3 in intercept mode
On Wed, 19 Jun 2013, Reyk Floeter wrote:
> Anyway, you should make sure to use divert-to instead of rdr-to in your pf.conf. rdr-to is considered to be obsolete for userland proxies (except for spamd).

That solved it exactly. I had not seen the change and had been trying rdr-to instead of divert-to.

Regards,
/Lars