[squid-users] Traffic redirection to squid socket

2015-06-05 Thread Edx gmail
Hi,

I am using squid on Openwrt(chaos calmer) and want to redirect all requests for port 80 to 3128 port of squid so that I can filter the traffic there on squid box. I am using wpad for auto proxy and want non-proxy user's traffic for port 80 to go to squid socket which is in my case 192.168.1.1:3128

I have included "http_port 3128 intercept" in squid.conf and also made rule in firewall

config redirect
        option src 'lan'
        option src_dport '80'
        option src_ip '!192.168.1.1'
        option dest 'wan'
        option dest_port '3128'
        option dest_ip '192.168.1.1'
        option proto 'tcp'
        option target 'DNAT'

Using the above configuration I am able to fulfill my purpose but if I do so then users with auto proxy in their browsers can't access internet at all while in access.log it shows everything perfect.

Thanks in advance

--
Regards
Yashvinder
Sent from my BlackBerry 10 smartphone.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Traffic redirection to squid socket

2015-06-05 Thread Amos Jeffries
On 6/06/2015 12:03 a.m., Edx gmail wrote:
> Hi,
> I am using squid on Openwrt(chaos calmer) and want to redirect all
> requests for port 80 to 3128 port of squid so that I can filter the
> traffic there on squid box. I am using wpad for auto proxy and want
> non-proxy user's traffic for port 80 to go to squid socket which is in
> my case 192.168.1.1:3128
>
> I have included
> "http_port 3128 intercept" in squid.conf
> and also made rule in firewall
> config redirect
>  option src 'lan'
>  option src_dport '80'
>  option src_ip '!192.168.1.1'
>  option dest 'wan'
>  option dest_port '3128'
>  option dest_ip '192.168.1.1'
>  option proto 'tcp'
>  option target 'DNAT'
>
> Using the above configuration I am able to fulfill my purpose but if I
> do so then users with auto proxy in their browsers can't access
> internet at all while in access.log it shows everything perfect.


You SHOULD NOT use port 3128 for receiving intercepted port 80 HTTP
origin traffic. It is registered officially for HTTP proxy traffic and
you can't mix the two traffic types.

Select a non-3128 port of your choice for Squid to listen for the
intercepted traffic. That will also allow easy firewalling without
showing port scanners that Squid is using it.
 

Also, note that the NAT operations MUST be done on the Squid machine.
Squid requires internal access to the kernel NAT system records to
intercept safely, you can't do that across machines.


Amos
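
The two points in the reply above, written out as a configuration sketch. This is an added example, not configuration taken from either poster's system: port 3129 for the intercept listener is an assumed choice, and the redirect rule assumes it is loaded on the same OpenWrt box that runs Squid (192.168.1.1 in the thread).

```conf
# ---- squid.conf (on the router, 192.168.1.1) ----

# Before (from the question): a single listener does both jobs, so WPAD
# clients that send proxy-style requests to 3128 arrive on a port that
# Squid treats as intercepted origin traffic.
#   http_port 3128 intercept

# After: one listener per traffic type.
# Explicit proxy port, the one the WPAD/PAC file hands to browsers.
http_port 3128
# Interception-only port, reached only through the NAT redirect below.
# 3129 is an assumed value; any port other than 3128 will do.
http_port 3129 intercept

# ---- OpenWrt firewall config (same machine as Squid) ----

# Before (from the question): intercepted port 80 traffic was sent to
# the proxy port.
#   option dest_port '3128'

# After: the rule from the question, unchanged except for dest_port.
# Because the DNAT happens on the Squid host itself, Squid can read the
# original destination from the kernel NAT records.
config redirect
        option src 'lan'
        option src_dport '80'
        option src_ip '!192.168.1.1'
        option dest 'wan'
        option dest_port '3129'
        option dest_ip '192.168.1.1'
        option proto 'tcp'
        option target 'DNAT'
```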