Re: [squid-users] Someone's using my cache?

2008-11-18 Thread [EMAIL PROTECTED]
I just wanted to say thanks for the replies on this. I have not forgotten nor 
am I putting your help in the trash bin, I have simply become overwhelmed with 
other tasks at this point. I will get back to this thread as soon as possible 
and as soon as I can start working on it so that I can try the suggested input.

Thanks again.

Mike



Re: [squid-users] Someone's using my cache?

2008-11-12 Thread Matus UHLAR - fantomas
> >   http_access     allow accel_hosts
> >   http_access     allow manager localhost
> >   http_access     deny manager
> >   http_access     allow all
> >
> > The line above permits anyone who can send a packet to your proxy to use
> > it as a relay for any purpose they like.
> > The restrictions above it are not denying anything except cache_mgr://
> > protocol. So there is no protection inside Squid.
> > The default config is safe if you set localnet to your internal IPs only:

On 11.11.08 19:57, [EMAIL PROTECTED] wrote:
> I actually need to allow public connections since we don't know which
> machines are actually connecting for the testing.

In such a case you should restrict destinations to your own servers only.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: [squid-users] Someone's using my cache?

2008-11-12 Thread [EMAIL PROTECTED]
> Ah. Gotcha. You are wanting a reverse proxy.

Darn, sorry, I should have thought about that distinction, like I said, this is 
yet another project on my plate so don't have it all down yet :).
 
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
> contains a usable config for accelerating a hidden web server securely.

Yes, I did come across this but I wasn't sure if this was what I'm looking for.
In the case of using the proxy, there is a virtual host server on the lan which 
handles a dozen or so sites which I wanted to use a reverse proxy to speed up 
connections to.

On the public side, each domain has its www IP pointing to that virtual 
hosting server. The web server is responding based on names, so should squid be 
pointing to the server or does it have to know about each site name as well?

The examples in the URL seem to show a number of combinations and since I've 
not had the chance to actually sit down and start learning this, I ended up 
using what I posted, the hole.

Mike



Re: [squid-users] Someone's using my cache?

2008-11-12 Thread [EMAIL PROTECTED]
Any chance someone could give me a working config to get me started?

-The server has 2GB of memory and 1TB of space which it can use. There is 
nothing else running on it; this is all it will do: be a reverse proxy.

-1 public IP to a named based web server hosting a dozen sites.

-Squid used as a proxy server for http/https at 192.168.1.35.

-The web server/s are identical, at 192.168.1.40 and 192.168.1.92 on the lan, 
same segment as the squid is.
I could load balance between the two, but since 192.168.1.92 is really just 
a backup and much slower, it would be best to use it as a failover.

Not sure what other info is required?

Mike



Re: [squid-users] Someone's using my cache?

2008-11-12 Thread Henrik Nordstrom


On Wed, 2008-11-12 at 16:18 -0600, [EMAIL PROTECTED] wrote:
> Any chance someone could give me a working config to get me started?
>
> -The server has 2GB of memory and 1TB of space which it can use. There is
> nothing else running on it; this is all it will do: be a reverse proxy.
>
> -1 public IP to a named based web server hosting a dozen sites.
>
> -Squid used as a proxy server for http/https at 192.168.1.35.
>
> -The web server/s are identical, at 192.168.1.40 and 192.168.1.92 on the lan,
> same segment as the squid is.
> I could load balance between the two, but since 192.168.1.92 is really
> just a backup and much slower, it would be best to use it as a
> failover.
>
> Not sure what other info is required?
>
> Mike

Basic setup:
http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-7fa129a6528d9a5c914f8dd5671668173e39e341

Load balancing:
http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-81d06e5a0d3a3ed4bdf7a7cb9077370a7b02bfaf

for failover, simply don't specify a load balancing method.  For clarity
you can mark the preferred one with default but the order in squid.conf
does pretty much the same..

Cache:
see cache_dir, cache_mem and FAQ on memory usage.

cache_dir: http://www.squid-cache.org/Doc/config/cache_dir/
cache_mem: http://www.squid-cache.org/Doc/config/cache_mem/
How much memory do I need in my Squid server?
http://wiki.squid-cache.org/SquidFaq/SquidMemory#head-09818ad4cb8a1dfea1f51688c41bdf4b79a69991


There isn't very much documentation on the https support unfortunately,
but it's pretty much the same except for https_port (and corresponding
certificates) and the ssl option to cache_peer if the backend is using
https as well.

There are some https examples in the wiki:
http://wiki.squid-cache.org/ConfigExamples/SslReverseProxyWithWildcardCertifiate
http://wiki.squid-cache.org/ConfigExamples/SquidAndRPCOverHttp
http://wiki.squid-cache.org/ConfigExamples/SquidAndOutlookWebAccess

Regards
Henrik




Re: [squid-users] Someone's using my cache?

2008-11-12 Thread Amos Jeffries
> > Ah. Gotcha. You are wanting a reverse proxy.
>
> Darn, sorry, I should have thought about that distinction, like I said,
> this is yet another project on my plate so don't have it all down yet :).
>
> > http://wiki.squid-cache.org/SquidFaq/ReverseProxy
> > contains a usable config for accelerating a hidden web server securely.
>
> Yes, I did come across this but I wasn't sure if this was what I'm looking
> for.
> In the case of using the proxy, there is a virtual host server on the lan
> which handles a dozen or so sites which I wanted to use a reverse proxy to
> speed up connections to.
>
> On the public side, each domain has its www IP pointing to that virtual
> hosting server. The web server is responding based on names, so should
> squid be pointing to the server or does it have to know about each site
> name as well?
>
> The examples in the URL seem to show a number of combinations and since
> I've not had the chance to actually sit down and start learning this, I
> ended up using what I posted, the hole.

It's one basic config, with need-based variants. The 'vhost' variation is
the one you want, by the sound of it.

Yes, the proxy needs to have a list of the domains that are acceptable,
just like the virtual host needs to know the domains it's serving.
A dozen should be easily manageable. If there are too many or they need
changing frequently, they can be moved into a separate file which squid
loads into an ACL.

If it's still just a presentation demo as you said earlier, you can hack a
little by configuring the browser used to demo to use the proxy as a
normal proxy, but have the proxy itself set up as a reverse. That way the
main production DNS stays normal.

For a full rollout to go live, the domain DNS gets pointed at the proxy
instead of the virtual host and things keep flowing.


Amos



Re: [squid-users] Someone's using my cache?

2008-11-11 Thread Amos Jeffries
> New user of squid. Used it many years ago but things have changed. I set
> up a proxy recently then forgot about it as I had other jobs to take care
> of. Seems I left it running but only had a couple of sites with IPs to the
> cache for testing.
>
> Yesterday, I wanted to get back to the cache and saw a great deal of
> traffic I/O on the cache but the weird part was that none of it was for or
> on my network. It looked like I've been used as some sort of payment
> gateway for a short while :).
> Anyhow, I do have firewall security in place, there was no compromise of
> the server itself so how in the heck was this happening? I kept the logs
> but being new to squid, means nothing to me just yet.

You definitely have a fully open proxy configured for anyone who can send
packets to it. Also the firewall itself intercepts and sends stuff into
the proxy.

It may be another internal machine or the firewall has been compromised.
Or, it may also be valid usage by someone else which the firewall is
sending through you as part of the interception.


> Here is my very basic setup file, maybe it's something silly I did, like
> the last line that says let anyone in. I would appreciate input on this,
> thanks very much.
>
> Mike



> http_port 80 transparent
> http_port 443 transparent
>
> acl all src 0.0.0.0/0.0.0.0
> acl Safe_ports port 80 443
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl accel_hosts dst 192.168.1.40
> http_access allow accel_hosts
> http_access allow manager localhost
> http_access deny manager
> http_access allow all

The line above permits anyone who can send a packet to your proxy to use
it as a relay for any purpose they like.
The restrictions above it are not denying anything except cache_mgr://
protocol. So there is no protection inside Squid.

The default config is safe if you set localnet to your internal IPs only:

  # RFC 1918: Possible Private Internal networks
  acl localnet src 10.0.0.0/8
  acl localnet src 172.16.0.0/12
  acl localnet src 192.168.0.0/16

  http_access allow manager localhost
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localnet
  http_access deny all


Just two things to re-think.

What version of squid are you on?
What's the purpose of these? And what traffic are they catching?
  http_port 80 transparent
  http_port 443 transparent


Amos
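A complete squid.conf for the setup described across this thread, added here as an editor's example (it is not a config posted by anyone in the thread, nor one copied from the Squid wiki): Squid on 192.168.1.35 as an accelerator in front of the name-based virtual host at 192.168.1.40, with 192.168.1.92 as a failover rather than a load-balanced peer (as Henrik describes), the dozen site names kept in a list file loaded into an ACL (as Amos suggests), and the proxy only ever relaying to those names (as Matus suggests). It replaces Mike's `transparent` ports with the `accel vhost` variant and his `http_access allow all` with a `deny all` default. The name www.example.com, the certificate paths, /etc/squid/our_sites.txt and the cache sizes are placeholders. Syntax is for the 2.6/2.7 series Mike is running.

```conf
# Reverse proxy (accelerator) for a dozen name-based vhosts behind one public IP.
# Squid listens on the LAN at 192.168.1.35; the firewall NATs public 80/443 to it.
# Backends: 192.168.1.40 (primary) and 192.168.1.92 (slow backup).
# Editor's example for Squid 2.6/2.7; names and paths below are placeholders.

# 'accel vhost' routes on the client's Host header, so the backend's name-based
# vhosting keeps working. defaultsite= only fills in a missing Host header.
http_port 192.168.1.35:80 accel vhost defaultsite=www.example.com

# HTTPS on the public side. One port serving a dozen names needs a wildcard or
# multi-domain certificate (see the SslReverseProxyWithWildcardCertifiate example).
https_port 192.168.1.35:443 accel vhost defaultsite=www.example.com cert=/etc/squid/ssl/sites.pem key=/etc/squid/ssl/sites.key

# Origin servers. No load-balancing option (round-robin etc.) is given, so the
# first/'default' peer is used and the backup only while the primary is dead.
cache_peer 192.168.1.40 parent 80 0 no-query originserver name=primary default
cache_peer 192.168.1.92 parent 80 0 no-query originserver name=backup
# If a backend itself speaks HTTPS, add the ssl option to its cache_peer line:
# cache_peer 192.168.1.40 parent 443 0 no-query originserver ssl name=primary default

# The only destinations this proxy may be asked for: our own site names,
# one per line in the file. After editing the file run: squid -k reconfigure
acl our_sites dstdomain "/etc/squid/our_sites.txt"

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0

# Rules are checked top to bottom and the first match wins. Nothing here allows
# a request for a name outside our_sites, so the box cannot be used as a relay
# no matter where the client comes from. The open config had 'allow all' here.
http_access allow manager localhost
http_access deny manager
http_access allow our_sites
http_access deny all

# Only our sites go to the origin servers, and Squid must never go direct:
# once public DNS points at the proxy, a direct fetch would loop back to it.
cache_peer_access primary allow our_sites
cache_peer_access primary deny all
cache_peer_access backup allow our_sites
cache_peer_access backup deny all
never_direct allow all

# Cache sizing for a dedicated 2GB RAM / 1TB disk box. The memory FAQ Henrik
# linked gives roughly 10-15 MB of RAM per GB of disk cache for the index, so
# do not use the whole terabyte. aufs needs --enable-storeio=aufs; else use ufs.
cache_mem 256 MB
cache_dir aufs /var/spool/squid 50000 16 256

access_log /var/log/squid/access.log squid
```

Check the file with `squid -k parse` before reloading. Then verify the hole is closed from a host outside the LAN: a request for a name that is not in our_sites.txt must come back as 403 and show up in access.log as TCP_DENIED; if it is served instead, some rule above `http_access deny all` still matches it.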



Re: [squid-users] Someone's using my cache?

2008-11-11 Thread [EMAIL PROTECTED]
> You definitely have a fully open proxy configured for anyone who can send
> packets to it. Also the firewall itself intercepts and sends stuff into
> the proxy.

Yes, I've not had much time to learn it yet, I just needed to get it running 
for a quick satellite demo so simply opened a port 80 hole in the firewall for 
traffic and created a basic config.
 
> http_access     allow accel_hosts
> http_access     allow manager localhost
> http_access     deny manager
> http_access     allow all
>
> The line above permits anyone who can send a packet to your proxy to use
> it as a relay for any purpose they like.
> The restrictions above it are not denying anything except cache_mgr://
> protocol. So there is no protection inside Squid.
> The default config is safe if you set localnet to your internal IPs only:

I actually need to allow public connections since we don't know which machines 
are actually connecting for the testing.

> http_access     allow all

I kind of figured that this might be a hole but I was not able to find out what 
I should build as a config in time. I needed and need to have this working as 
part of a demo, then later will have time to get back to it and learn more 
about it.
 
> What version of squid are you on?
> What's the purpose of these? And what traffic are they catching?
> http_port 80 transparent
> http_port 443 transparent

It's version 2.6.

With the tiny amount of knowledge I gathered up, I put a config together which 
would allow public connections to a server on the network. The trial was 
showing off a website which was designed for satellite users so we used the 
proxy to speed things up a bit.

The port 80/443 variables, I thought, were meant to allow traffic to come in on 
those ports but transparently since the users are any public user.

Mike



RE: [squid-users] Someone's using my cache?

2008-11-11 Thread Adam Carter
> Yesterday, I wanted to get back to the cache and saw a great
> deal of traffic I/O on the cache but the weird part was that
> none of it was for or on my network. It looked like I've been
> used as some sort of payment gateway for a short while :).
> Anyhow, I do have firewall security in place,

Assuming the squid box is inside your firewall then your firewall policy is 
incorrect. It should not allow connections from the internet to your squid box. 
Depending on how your network's set up, that's usually the simplest thing to 
change.

Or if your squid is dual homed, stop squid from running on the dirty 
interface by specifying the internal interface only;
#http_port 3128
http_port 192.168.1.1:3128

Or otherwise you'll need to set up an ACL listing all your internal networks and 
restrict access to that only.



RE: [squid-users] Someone's using my cache?

2008-11-11 Thread [EMAIL PROTECTED]
The setup is something like this;

Internet User-Public IP-Firewall-NAT-Squid-Web Server

> Assuming the squid box is inside your firewall then your firewall policy is
> incorrect. It should not allow connections from the internet to your squid
> box. Depending on how your network's set up, that's usually the simplest
> thing to change.

Squid is inside of the network, with the web servers it is to cache traffic 
for. Connections would come into the network, convert to NAT on the inside, hit 
squid, then squid would get the data from the web server/s.
 
Does this better explain my setup?



Re: [squid-users] Someone's using my cache?

2008-11-11 Thread Amos Jeffries

[EMAIL PROTECTED] wrote:
> > You definitely have a fully open proxy configured for anyone who can send
> > packets to it. Also the firewall itself intercepts and sends stuff into
> > the proxy.
>
> Yes, I've not had much time to learn it yet, I just needed to get it running
> for a quick satellite demo so simply opened a port 80 hole in the firewall for
> traffic and created a basic config.
>
> > http_access allow accel_hosts
> > http_access allow manager localhost
> > http_access deny manager
> > http_access allow all
> >
> > The line above permits anyone who can send a packet to your proxy to use
> > it as a relay for any purpose they like.
> > The restrictions above it are not denying anything except cache_mgr://
> > protocol. So there is no protection inside Squid.
> > The default config is safe if you set localnet to your internal IPs only:
>
> I actually need to allow public connections since we don't know which
> machines are actually connecting for the testing.
>
> > http_access allow all
>
> I kind of figured that this might be a hole but I was not able to find out what
> I should build as a config in time. I needed and need to have this working as
> part of a demo, then later will have time to get back to it and learn more
> about it.
>
> > What version of squid are you on?
> > What's the purpose of these? And what traffic are they catching?
> > http_port 80 transparent
> > http_port 443 transparent
>
> It's version 2.6.
>
> With the tiny amount of knowledge I gathered up, I put a config together which
> would allow public connections to a server on the network. The trial was
> showing off a website which was designed for satellite users so we used the
> proxy to speed things up a bit.
>
> The port 80/443 variables, I thought, were meant to allow traffic to come in on
> those ports but transparently since the users are any public user.
>
> Mike



Ah. Gotcha. You are wanting a reverse proxy.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy
contains a usable config for accelerating a hidden web server securely.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2