[squid-users] Not caching a domain

2009-07-13 Thread Parvinder Bhasin

Hi,

In my squid config I have the following setup:

acl nocache dstdomain .mysite.com

always_direct allow nocache
no_cache deny nocache
cache deny nocache


I would like to exclude "mysite.com" from getting cached. Is this all I have to do? How can I see in the logs whether a site is getting cached or not?


Thx
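An added example (not part of the original post) of the log check asked for above: it reads lines in Squid's default access.log format, applies dstdomain-style matching (leading dot covers subdomains), and counts cache hits versus misses per domain. The sample log lines are constructed; the CONNECT host:port handling is an assumption about how such lines are logged.

```python
"""Check from Squid's native access.log whether requests to a domain were
served from cache or fetched fresh. Added example, not from the original post."""
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "squid" access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1247500001.123 45 192.168.1.10 TCP_MISS/200 2345 GET http://www.mysite.com/index.html - DIRECT/203.0.113.5 text/html
1247500002.456 12 192.168.1.10 TCP_MISS/200 2345 GET http://www.mysite.com/index.html - DIRECT/203.0.113.5 text/html
1247500003.789 3 192.168.1.11 TCP_HIT/200 9876 GET http://static.example.org/app.js - NONE/- application/javascript
1247500004.012 30 192.168.1.11 TCP_MISS/200 9876 GET http://static.example.org/app.js - DIRECT/198.51.100.7 application/javascript
1247500005.345 2 192.168.1.12 TCP_MEM_HIT/200 512 GET http://mysite.com/logo.png - NONE/- image/png
1247500006.678 8 192.168.1.12 TCP_MISS/200 512 GET http://notmysite.com/logo.png - DIRECT/192.0.2.9 image/png
1247500007.901 9 192.168.1.12 TCP_MISS/200 0 CONNECT mysite.com:443 - DIRECT/203.0.113.5 -
"""


def dstdomain_match(host, pattern):
    """Mimic Squid's dstdomain ACL: a leading dot (".mysite.com") matches the
    domain itself and every subdomain; without it only the exact host matches."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def request_host(url):
    """Host part of the logged URL; CONNECT requests log a bare host:port."""
    host = urlsplit(url).hostname
    if host is None and "/" not in url:
        host = url.rsplit(":", 1)[0]
    return host


def parse_line(line):
    """Return (result_code, host) for one access.log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    code = fields[3].split("/", 1)[0]          # e.g. TCP_MISS out of TCP_MISS/200
    host = request_host(fields[6])
    return (code, host) if host else None


def cache_report(log_text, pattern):
    """Count hits and misses for requests whose host matches the dstdomain-style
    pattern. Any TCP_*_HIT code means Squid answered from its cache; TCP_MISS
    means it went to the origin server (or a peer)."""
    report = {"hits": 0, "misses": 0, "other": 0}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not dstdomain_match(parsed[1], pattern):
            continue
        code = parsed[0]
        if code.endswith("_HIT"):
            report["hits"] += 1
        elif code == "TCP_MISS":
            report["misses"] += 1
        else:
            report["other"] += 1
    return report


def cache_violations(log_text, pattern):
    """Lines proving a 'cache deny' rule is not taking effect: any cache hit
    for a host that should never be cached. Returns (host, result_code) pairs."""
    found = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and dstdomain_match(parsed[1], pattern) and parsed[0].endswith("_HIT"):
            found.append((parsed[1], parsed[0]))
    return found


if __name__ == "__main__":
    for pat in (".mysite.com", "mysite.com"):
        print(pat, cache_report(SAMPLE_LOG, pat), cache_violations(SAMPLE_LOG, pat))
```

A hit for a host covered by `cache deny` means the rule is not doing its job; note that `always_direct` only controls whether a request bypasses cache peers and has no effect on what Squid stores.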




Re: [squid-users] squid and wccp doesn't work

2009-06-18 Thread Parvinder Bhasin

Scratch that... https and transparent proxy... no, can't do.


On Jun 18, 2009, at 2:06 PM, Parvinder Bhasin wrote:

I have this setup working differently, but did you get HTTPS working? Just wondering. Try going to an https site.


Let me know your findings.

-Parvinder Bhasin
On Jun 18, 2009, at 4:28 AM, Tom Penndorf wrote:


Daniel, Akos wrote:

Hi,

ASA does not support any IPoverIP such as GRE. Which SW Version do you have on the ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid?
What is your ASA config?
"sh run interface"
"sh run wccp" or "sh run | grep wccp"

Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:

http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html

Regards,
Akos





Hi,
The wccp standard requires GRE. Also, you can see here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445

After some testing I've found some logging entries at the ASA, saying that it cannot find any NAT entries for the answer packets. So, I created a NAT-exempt rule for this. This stops the messages, but it doesn't work.
But now I've found the solution after some researching on the web in this article:

http://www.breezy.ca/?q=node/316
Especially interesting was this:

"For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface."



Now I've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now. Perhaps it is interesting for someone else.


Regards,

Tom






Re: [squid-users] squid and wccp doesn't work

2009-06-18 Thread Parvinder Bhasin
I have this setup working differently, but did you get HTTPS working? Just wondering. Try going to an https site.


Let me know your findings.

-Parvinder Bhasin
On Jun 18, 2009, at 4:28 AM, Tom Penndorf wrote:


Daniel, Akos wrote:

Hi,

ASA does not support any IPoverIP such as GRE. Which SW Version do you have on the ASA? Could you send me the link where it is written to create a tunnel between the ASA and the Squid?
What is your ASA config?
"sh run interface"
"sh run wccp" or "sh run | grep wccp"

Once I tried WCCP with PIX SW Version 7.2.2 and collected my info here:

http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html

Regards,
Akos





Hi,
The wccp standard requires GRE. Also, you can see here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/dhcp.html#wp1094445

After some testing I've found some logging entries at the ASA, saying that it cannot find any NAT entries for the answer packets. So, I created a NAT-exempt rule for this. This stops the messages, but it doesn't work.
But now I've found the solution after some researching on the web in this article:

http://www.breezy.ca/?q=node/316
Especially interesting was this:

"For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client since the proxied web client-server sessions cannot traverse the ASA. This is curious and not particularly well documented anywhere. This is also different than the Cisco IOS routers (which also support WCCP2) where the caching server can be on a different subnet. One reason this is true is that the ASA only supports proxying for packets that arrive in (ie: inbound) on an interface."



Now I've created an internal interface for the server for communicating with the clients and the firewall. It's not the optimal solution, but it works now. Perhaps it is interesting for someone else.


Regards,

Tom




Re: [squid-users] Squid - WCCP and ASA

2009-06-18 Thread Parvinder Bhasin

Amos,

Is there any compilation option that I am missing to make squid transparent??? Maybe that's what's missing? This is the 3.0 release.


-Parvinder Bhasin

On Jun 17, 2009, at 8:16 AM, Amos Jeffries wrote:


Parvinder Bhasin wrote:

Amos,
The tunnel is actually between the ASA and WCCP enabled squid.


No tunnel is between ASA and the squid box Operating System.

Squid itself has nothing to do with the tunnel. Squid's only concern is that the packets are arriving via some interception method. Thus the src/dst IPs are a bit strange and it needs the "transparent" or "intercept" http_port option to handle them.



All the examples on squid-cache site as well as googling this issue points to creating a tunnel like this. Are you saying I don't need tunnel??? external ip???


No you still need the tunnel. But I think assigning localhost-only address to it may be a bad thing.


The other tunnels I know about all need an IP the firewall device can send to. Try without it to see if our packets start appearing.



the squid box has an internal interface and is not connected to the internet directly.


There are three categories of traffic interface:
WAN - Internet facing
LAN - local network facing
localhost - not even getting past the NIC onto the wire.

The squid box itself goes out the ASA and fetches the pages. Basically it's NATed.


Can you trace the packets as far as reaching Squid and starting their way out again though?
If so the tunnels etc are fine. But the routing exemption to allow for Squid box connections out through the router may be whacked.


Amos


-Parvinder Bhasin
On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:

On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin wrote:
I have a setup of squid which was compiled with the --enable-delay-pools option. Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp support on my ASA. Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through WCCP. The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting any reply back. Do I need anything in iptables to allow etc??? Do I need to compile with some transparent support?? If so which one would I use for ASA?

Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up



IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to.


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535
14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535
14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535
14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535
14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535
14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535
14:13:47.886251 IP 192.168.100.175.5

Re: [squid-users] squid and wccp doesn't work

2009-06-17 Thread Parvinder Bhasin

Hi Tom,

Exactly the same problem I have.  Please let me know if you come  
across anything.


-Parvinder Bhasin

On Jun 17, 2009, at 11:50 AM, Tom Penndorf wrote:


Hello,

I'm trying to get squid and wccp on a cisco asa 5510 running. These are the steps I've done to set it up.

#aptitude install squid3
#vi /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/cache/squid3 3 32 256
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
wccp2_router 10.1.7.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
client_persistent_connections off
icp_port 3130
coredump_dir /var/spool/squid3

#iptunnel add gre1 mode gre remote $ASA-EXT-IP local 10.1.7.2 dev eth0

#ifconfig gre1 10.1.7.2 netmask 255.255.255.255 up

#echo 0 >/proc/sys/net/ipv4/conf/gre1/rp_filter

#iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128

# echo 1 >/proc/sys/net/ipv4/ip_forward

The ASA detects the proxy and redirects the packets. On the squid machine, I can see the syn packets from the client, but no ack packets.
The counter for the iptables rule is also increasing. If I remove the iptables rule, the clients can browse the web, because the squid machine is acting as a router, so the gre tunnel seems to work correctly.
After some research, I've found out that the ack packets are sent out at eth0. I don't think it's the correct way.



Are there any things I've forgotten? All howtos I've found don't tell me any other steps.


System is Debian lenny with squid 3.0.STABLE8-3.

Is there anyone who can give me a hint?

Thanks,

Tom





Re: AW: [squid-users] Squid - WCCP and ASA

2009-06-17 Thread Parvinder Bhasin

Akos,

You are right, ASA does not support any GRE tunnels. But from what I have read by googling "squid asa wccp", the tunnel is GRE on the proxy server side whereas the ASA is WCCP. Like I mentioned, I do see the ASA REDIRECTING the packets. I see the redirected packets appearing on the proxy server but then I don't get any response back. I think there could be some issue with the iptables rule maybe.


-Parvinder Bhasin

On Jun 17, 2009, at 1:38 AM, Daniel, Akos wrote:



Hi,

ASA does not support any IPoverIP such as GRE. Which SW Version do you have on the ASA?

Once I tried WCCP and collected my info here:
http://www.tar.hu/ashley77/Configuring_PIX_and_SQUID_or_WAAS_for_WCCP.html

Regards,
Akos

-Original Message-
From: Parvinder Bhasin [mailto:parvinder.bha...@gmail.com]
Sent: Wednesday, 17 June 2009 08:06
To: Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid - WCCP and ASA

Amos,

The tunnel is actually between the ASA and WCCP enabled squid. All the examples on squid-cache site as well as googling this issue points to creating a tunnel like this. Are you saying I don't need tunnel??? external ip??? The squid box has an internal interface and is not connected to the internet directly. The squid box itself goes out the ASA and fetches the pages. Basically it's NATed.

-Parvinder Bhasin

On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:


On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin wrote:

I have a setup of squid which was compiled with the --enable-delay-pools option. Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp support on my ASA. Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through WCCP. The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting any reply back. Do I need anything in iptables to allow etc??? Do I need to compile with some transparent support?? If so which one would I use for ASA?

Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up



IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to.


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535
14:13:45.524999 IP 192.168.100.175.52256 >
bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535

14:13:45.525001 IP 192.168.100.175.52255 >
bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535

14:13:45.525002 IP 192.168.100.175.52254 >
bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535

14:13:45.525003 IP 192.168.100.175.52253 >
bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535

14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535

14:13:47.886251 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535

14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S
357937093:357937093(0) win 65535 
14:13:48.829652 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 655

Re: [squid-users] Squid - WCCP and ASA

2009-06-16 Thread Parvinder Bhasin

Amos,

The tunnel is actually between the ASA and WCCP enabled squid. All the examples on squid-cache site as well as googling this issue points to creating a tunnel like this. Are you saying I don't need tunnel??? external ip??? The squid box has an internal interface and is not connected to the internet directly. The squid box itself goes out the ASA and fetches the pages. Basically it's NATed.


-Parvinder Bhasin

On Jun 16, 2009, at 5:51 PM, Amos Jeffries wrote:


On Tue, 16 Jun 2009 16:49:56 -0700, Parvinder Bhasin wrote:

I have a setup of squid which was compiled with the --enable-delay-pools option. Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp support on my ASA. Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through WCCP. The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting any reply back. Do I need anything in iptables to allow etc??? Do I need to compile with some transparent support?? If so which one would I use for ASA?

 Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up



IIRC localhost IDs 127.0.0.0/8 are hardware-limited to only be usable for traffic internal to the box.
If WCCP is going on a tunnel it will likely need an externally visible IP for the router to send to.


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http:
S 3689381709:3689381709(0) win 65535 
14:13:45.524999 IP 192.168.100.175.52256 >
bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535

14:13:45.525001 IP 192.168.100.175.52255 >
bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535

14:13:45.525002 IP 192.168.100.175.52254 >
bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535

14:13:45.525003 IP 192.168.100.175.52253 >
bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535

14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535


14:13:47.886251 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535

14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S
357937093:357937093(0) win 65535 
14:13:48.829652 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535

14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S
357937093:357937093(0) win 65535 
14:13:49.820922 IP 192.168.100.175.52259 >
f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535

14:13:50.030914 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S
357937093:357937093(0) win 65535 




[squid-users] Squid - WCCP and ASA

2009-06-16 Thread Parvinder Bhasin
I have a setup of squid which was compiled with the --enable-delay-pools option. Works really well but without WCCP.
I enabled WCCP support in the squid config and also enabled wccp support on my ASA. Setup GRE tunnel etc.
For my testing purpose I am only having ONE client IP go through WCCP. The problem is I am able to see that client on the GRE1 interface (the requests) of the proxy server but that client is not getting any reply back. Do I need anything in iptables to allow etc??? Do I need to compile with some transparent support?? If so which one would I use for ASA?


Any help is highly appreciated.


Here is part of my config:

http_port 3128 transparent

wccp2_router 192.168.100.250
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

Additionally here is what I did to setup tunnel:

modprobe ip_gre
iptunnel add gre1 mode gre remote $ASA_IP local $LOCAL_IP dev eth0
ifconfig gre1 inet 127.0.0.2 netmask 255.255.255.0 up

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

I do see the RX counter going up but not the TX on gre1:

gre1      Link encap:UNSPEC  HWaddr C0-A8-64-CF-B7-BF-C8-C2-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83432 (81.4 KiB)  TX bytes:0 (0.0 b)

Here is tcpdump output:

[r...@squidnclamav etc]# tcpdump -i gre1 host 192.168.100.175 and port not ssh
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:13:37.615862 IP 192.168.100.175.52257 > cf-in-f99.google.com.http: S 3689381709:3689381709(0) win 65535
14:13:45.524999 IP 192.168.100.175.52256 > bs2.ads.vip.sp1.yahoo.com.http: S 2516726129:2516726129(0) win 65535
14:13:45.525001 IP 192.168.100.175.52255 > bs2.ads.vip.sp1.yahoo.com.http: S 878462413:878462413(0) win 65535
14:13:45.525002 IP 192.168.100.175.52254 > bs2.ads.vip.sp1.yahoo.com.http: S 1528706489:1528706489(0) win 65535
14:13:45.525003 IP 192.168.100.175.52253 > bs2.ads.vip.sp1.yahoo.com.http: S 1578413587:1578413587(0) win 65535
14:13:47.427509 IP 192.168.100.175.52252 > mc2b.mail.vip.re1.yahoo.com.http: S 3796070861:3796070861(0) win 65535
14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 3,nop,nop,timestamp 322113295 0,sackOK,eol>
14:13:48.829652 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
14:13:49.029600 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 3,nop,nop,timestamp 322113304 0,sackOK,eol>
14:13:49.820922 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
14:13:50.030914 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535 3,nop,nop,timestamp 322113314 0,sackOK,eol>
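An added example (not from the thread) that automates the diagnosis of the capture above: it parses lines in the one-line tcpdump format shown, groups them into flows, and reports SYNs that were retransmitted without any SYN-ACK appearing, which is what a rising RX counter and a TX counter stuck at zero on gre1 look like in a capture; it also checks the point Amos raises about a 127.0.0.0/8 tunnel address. The capture lines are constructed in the same format, with one answered flow added for contrast.

```python
"""Spot one-way traffic in a tcpdump capture like the one above. A SYN from the
same client port to the same server repeated with no SYN-ACK in the capture
means the reply never came back over this interface. Added example; not part
of the original thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the old tcpdump one-line format: three retransmitted
# SYNs to yahoo with no answer, and one SYN to ebay that does get its SYN-ACK.
SAMPLE_CAPTURE = """\
14:13:47.886251 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
14:13:48.127001 IP 192.168.100.175.52260 > hp-core.ebay.com.http: S 357937093:357937093(0) win 65535
14:13:48.130442 IP hp-core.ebay.com.http > 192.168.100.175.52260: S 2001:2001(0) ack 357937094 win 5840
14:13:48.829652 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
14:13:49.820922 IP 192.168.100.175.52259 > f1.www.vip.sp1.yahoo.com.http: S 547104:547104(0) win 65535
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): (?P<rest>.*)$"
)


def parse_packet(line):
    """Split one tcpdump line into endpoints and a flag summary, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    flags = rest.split(" ", 1)[0]               # "S", "S.", ".", "P." ...
    return {
        "src": (m.group("src"), m.group("sport")),
        "dst": (m.group("dst"), m.group("dport")),
        "syn": flags.startswith("S"),
        # old tcpdump prints "S ... ack N" for a SYN-ACK, newer prints "S."
        "ack": " ack " in " " + rest + " " or flags.endswith("."),
    }


def tcp_flows(capture_text):
    """Group packets per client->server flow, counting SYNs sent and SYN-ACKs
    seen coming back. Key: (client_host, client_port, server_host, server_port)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in capture_text.splitlines():
        p = parse_packet(line)
        if p is None or not p["syn"]:
            continue
        if p["ack"]:
            flows[p["dst"] + p["src"]]["synack"] += 1   # reply travels dst->src
        else:
            flows[p["src"] + p["dst"]]["syn"] += 1
    return flows


def unanswered_syns(capture_text, min_repeats=2):
    """Flows whose SYN was retransmitted at least min_repeats times and never
    answered: the signature of RX-but-no-TX seen on gre1 in the post above."""
    return sorted(
        (key, c["syn"]) for key, c in tcp_flows(capture_text).items()
        if c["synack"] == 0 and c["syn"] >= min_repeats
    )


def tunnel_address_usable(addr):
    """Amos's point: a 127.0.0.0/8 address on the GRE endpoint is never
    reachable from the ASA; the tunnel needs an address the router can send to."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_unspecified)


if __name__ == "__main__":
    for (client, cport, server, sport), n in unanswered_syns(SAMPLE_CAPTURE):
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYNs, no SYN-ACK")
    print("127.0.0.2 usable as gre1 address:", tunnel_address_usable("127.0.0.2"))
```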


Re: [squid-users] Placing COMPANY logo / BANNER

2009-05-07 Thread Parvinder Bhasin
Thanks Amos and Matus. I just wanted to know so that I can scratch the idea. I will scratch it :)


Thanks again.
On May 7, 2009, at 6:36 AM, Amos Jeffries wrote:


Parvinder Bhasin wrote:
I have searched everywhere and cannot find anything regarding this. I would like to place a banner on every request client browser makes. I hear that it can maybe be done using Squid 3.1 and ICAP server. Is there any example of this config? I am ok with coding something for this purpose.
Thanks and sorry if I have asked the same question in one way or the other before.

Thx.


Ah for the love of all that is Internet. No!

There are much better alternatives than scribbling additions all over every web object.


The one I highly recommend is to use a captive-portal approach, where users see a full page of your content on arrival and optionally at regular intervals. This is much safer and socially acceptable than altering external content. Squid provides the session helper for a kick start. Alternative helpers can easily be written to suit other use cases.



Please note the problems with your original request:
* what you see as a "page" is often a very large collection of small objects. Altering any of them can have a range of effects, from disastrous to ineffectual.
* there is close to zero chance of identifying on the fly the linkage between certain web objects displayed on the same page. Which can royally screw over your users' experience.
* adding company banners to other companies' content can quickly get you into big legal issues (them voluntarily using banner ads is a contract agreement, yours is a violation of someone else's service agreements).
* consider the poor user who opens their banking website or facebook page only to see your company name. How are they to differentiate you from a spammer/phisher out to grab their personal details? Why should they trust you ever again after that?



/thinking I'll have to write this up one day or find a good how-why reference article on net-neutrality.


Amos
--
Please be using
 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
 Current Beta Squid 3.1.0.7




[squid-users] Placing COMPANY logo / BANNER

2009-05-07 Thread Parvinder Bhasin
I have searched everywhere and cannot find anything regarding this. I would like to place a banner on every request client browser makes. I hear that it can maybe be done using Squid 3.1 and ICAP server. Is there any example of this config? I am ok with coding something for this purpose.


Thanks and sorry if I have asked the same question in one way or the other before.


Thx.


[squid-users] Getting REFERRER info - Squid

2009-05-02 Thread Parvinder Bhasin

All,

How can I get REFERRER info that my redirector program can read and make decisions based on the referrer?

Can I even get at that data from my redirector program?

Any help highly appreciated.

-Parvinder Bhasin


[squid-users] OpenBSD / Transparent proxy and session helper :)

2009-05-01 Thread Parvinder Bhasin
Just wondering if this was a typo on the squid wiki page for the OpenBSD / Transparent proxy example: in PF the port is routed to 3128 but inside the squid config it's http_port 3129. Is this correct?


If squid was set on 3129 and you were to spin off netcat to listen on port 3129 and then start squid, it will surely fail as the port is used by the netcat listener.

It would be great to know if this doc was correct or a typo.

http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

My main question was to search for a session_helper example. Is there a small session_helper example page out there that someone can point me to?


-Parvinder Bhasin


Re: [squid-users] Writing Plugins for Squid

2009-04-30 Thread Parvinder Bhasin
Thanks Chris. For some reason I never got the message in my mailbox. Perhaps something with my email filter.

Thanks a bunch.  Really appreciate it.

Cheers
Parvinder Bhasin

On Apr 30, 2009, at 12:02 PM, Chris Robertson wrote:


Parvinder Bhasin wrote:

Since I didn't get answer to my last post,


You did get a response...

http://www.squid-cache.org/mail-archive/squid-users/200904/0736.html


I assume I have to code it myself.
Can someone point me to the right place, where I can get some details on how to write plugins/helper apps for squid?


http://www.squid-cache.org/Doc/config/external_acl_type/



Thanks


Chris





[squid-users] Writing Plugins for Squid

2009-04-30 Thread Parvinder Bhasin
Since I didn't get an answer to my last post, I assume I have to code it myself.
Can someone point me to the right place, where I can get some details on how to write plugins/helper apps for squid?


Thanks




[squid-users] Squid and auth and Custom banner.

2009-04-27 Thread Parvinder Bhasin

Hi,

After researching a lot on this subject, I finally decided to post this here.

What I would like to achieve is basically is:

1): A user is connected on my wireless / wired network, operating in transparent proxy mode. Before they can get to a site through squid, I would like them to get a user info page where they input their name and email; upon submitting (I would like to store this data) they are then allowed access to the internet via squid. I am not really looking to AUTH the users but just want to get some info from the user before they can browse the net. Basically these sort of things can be seen on free wireless hotspots these days. Can I really achieve this? If so, can someone point me in the right direction.


2): Lastly, I would like the users to get a CUSTOM BANNER in a frame of some sort while surfing.

Here is the visualization of what I would want squid to do.

|-----------------------------------|
|           CUSTOM BANNER           |
|-----------------------------------|
|                                   |
|   google.com                      |
|                                   |
|   [---] search                    |
|                                   |
|                                   |
|                                   |
-------------------------------------

Can I really do this with squid? I don't mind writing code (plugin) either but I would rather first find out what I can achieve with squid. If I do however need to write something on my own (plugin) can someone point me in the right direction.


Thanks in advance :)
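An added example, not Squid's own helper and not from any post on this page, serving three of the questions above at once: the "session_helper example" request, the "how do I write helper apps for squid" question (this is the external_acl_type protocol the reply links to), and the splash-page-on-arrival approach Amos recommends instead of a banner, which is also the closest fit to the info page wanted in this last message. The squid.conf wiring in the docstring, the helper's path and the portal URL are assumptions; the helper's session rule (show the splash page on first sight and again after an idle timeout) is this example's own design.

```python
"""A minimal Squid external ACL helper that implements a splash-page session.
Added example; this is not Squid's own session helper.

Protocol (external_acl_type): Squid sends one line per lookup,
"[channel-id] <format fields>", and expects exactly one reply line,
"[channel-id] OK" or "[channel-id] ERR", flushed immediately.

Assumed squid.conf wiring (format %SRC, so each request line is the client IP;
negative_ttl=0 so the ERR that triggers the splash page is not cached):
  external_acl_type session ttl=60 negative_ttl=0 concurrency=50 %SRC /usr/local/bin/session_helper.py --concurrent 7200
  acl session external session
  http_access deny !session
  deny_info http://portal.example.invalid/welcome session
"""
import sys
import time


class SessionTable:
    """Remembers when each client was last seen (in-memory, per helper process)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.last_seen = {}

    def lookup(self, client, now=None):
        """ERR the first time a client shows up or after ttl seconds idle, so
        'http_access deny !session' fires and deny_info redirects to the splash
        page; OK for every request while the session is active."""
        now = time.time() if now is None else now
        last = self.last_seen.get(client)
        self.last_seen[client] = now
        if last is None or now - last > self.ttl:
            return "ERR"
        return "OK"


def handle_line(table, line, concurrent, now=None):
    """Turn one request line from Squid into the reply line (without newline).
    With concurrency=N in squid.conf the first token is a channel id that must
    be echoed back so Squid can match the reply to the pending request."""
    fields = line.split()
    channel = ""
    if concurrent and fields:
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "ERR"                  # malformed line: fail closed
    return channel + table.lookup(fields[0], now)


def main(argv):
    concurrent = "--concurrent" in argv
    args = [a for a in argv[1:] if a != "--concurrent"]
    table = SessionTable(int(args[0]) if args else 3600)
    for line in sys.stdin:
        sys.stdout.write(handle_line(table, line, concurrent) + "\n")
        sys.stdout.flush()                      # Squid blocks until it sees the reply


if __name__ == "__main__":
    main(sys.argv)
```

Because Squid caches an OK for `ttl` seconds, the helper sees at most one lookup per client per minute with the wiring above, so the idle timeout passed on the command line should be well above that.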