Asim Ahmed Khan wrote:
> hi,
>
> First I tried to run squid as a transparent (interception) proxy; that
> didn't work. Browsing and other internet usage became too
> inconsistent. Too many break-ups were occurring, and all of a sudden
> browsing would stop and restart after some time ranging from 30 seconds
> to a few minutes. Hitting the F5 key numerous times opens up the page. I
> used this rule from
>
> http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall to
> redirect traffic to squid on port 3128:
>
> #ACTION   SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
> #                              PORT(S)  PORT(S)  DEST
> ACCEPT    $FW     net   tcp    www
> REDIRECT  loc     3128  tcp    www      -        -
>
> Now I am running in non-transparent mode. Browsing is working fine,
> but there are a few major problems I'm facing:
>
> 1. All users have to enter proxy settings in their default browsers. Now
> some applications don't have a proxy setting and some don't work with
> proxy servers. These applications are having great difficulty with
> this new proxy setting, hence users are getting frustrated.
>
> 2. Ideally squid should only interfere with port 80 traffic and the rest
> of the traffic should be handled by shorewall as before, but it seems
> like this is not happening.

Nonsense. But there *are* sites that simply don't work with transparent
proxying; the Sun VirtualBox registration site is one that I've run into.

>
> I am using these rules, as mentioned in the following link
> http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall, with a
> non-transparent proxy in my rules file:
>
> Squid as a Manual Proxy
>
> /etc/shorewall/rules:
>
> #ACTION   SOURCE  DEST  PROTO  DEST PORT(S)
> ACCEPT    loc     $FW   tcp    3128
> ACCEPT    $FW     net   tcp    80
>
> Now I have two questions; if anyone can answer, it might help me:

I count five questions... :-)

>
> Q-1 -> Is the placement of both rules above (transparent /
> non-transparent) in the rules file significant? I am placing these
> rules on the first line in the rules file right now in both cases.

Entries in the rules file are based on first-match. So the first
terminating rule (and both ACCEPT and REDIRECT are terminating)
determines the disposition of the connection.

> Q-2 -> Do I need to modify any other shorewall file if I install
> squid on the same machine (firewall) as shorewall?

This is covered in the Shorewall Squid documentation; if there were
more files to modify, we would mention them in the documentation.

> Q-3 -> What do I need to do to let https traffic go through the proxy as
> well? If I modify the rule in the 2nd line as 80,443 and check squid's
> access.log, TCP_DENIED shows up although SSL_Ports & Safe_Ports are
> both allowed access explicitly in squid.

As detailed in the Shorewall Squid documentation (and many other
places on the web), you *cannot* transparently proxy HTTPS.

> Q-4: If I have a link to access as (apology for being so kinky, but I'm
> exhausted by config fixes b/w shorewall & squid) as
>
> https://64.50.169.94:20098 Where should this traffic go, to shorewall
> or squid (in case the 2nd line reads as 80,443)?

All traffic goes through the Shorewall-configured firewall rules.
It depends on whether you have configured an HTTPS manual proxy
whether squid will handle the request or if it is simply routed to
64.50.169.94.

> http://w.x.y.z:8080 where should this traffic go
> provided that squid is listening for port 80 traffic (http)? Does
> port 8080 in the URL change its traffic type from http (port 80)?

No -- it is still HTTP. But it changes the port that is opened. So
your REDIRECT rule for port 80 will not redirect traffic to 8080.

>
> Q-5 -> Do I need to set up something in squid to let people use a
> code repository running on a remote server at a URL like
> http://w.x.y.z:8080/ requiring users to authenticate to access code?

I have no idea how to allow access to port 8080 through Squid. You
will have to ask the Squid folks about that.

> I see requests going through but returned with TCP_MISS/401
> (Unauthorized), and users get an error message on the application
> interface: "you are not authorized to access this server". Users give
> the correct username/pwd in the box that appears for authentication.

One more word of advice -- when you are testing, be sure to check the
configuration of your browser; double check it! It is easy to forget
that, and you will end up drawing completely wrong conclusions about
your tests if you think that you don't have a manual proxy configured
but you do, and vice versa.

Also note that you can set up both squid and Shorewall to act on
traffic from a single test computer. So you can do your testing
without annoying your users any more than you already have.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
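The first-match point in the reply above (and the observation that a REDIRECT for port 80 never touches 8080 or 443) can be checked without touching a live firewall. The following is an added illustration for this thread, not Shorewall code: a toy evaluator that reads the two rules fragments quoted in the thread, walks them top to bottom, stops at the first ACCEPT or REDIRECT that matches, and otherwise reports that the connection falls through to the zone policy. It assumes only the five columns used in the quoted fragments, that a REDIRECT rule's DEST column is the firewall port, and that the service name "www" resolves to 80 as in /etc/services; the SHADOWED fragment is constructed here to show what happens when an ACCEPT is placed above the REDIRECT.

```python
"""Toy first-match evaluator for the Shorewall rules fragments quoted above.

This is an added illustration, not Shorewall code.  It models only what the
thread relies on: rules are read top to bottom, ACCEPT and REDIRECT both
terminate evaluation, a REDIRECT rule's DEST column is the local port on the
firewall, and an unmatched connection falls through to the zone policy.
Assumed: the service name "www" resolves to 80 as in /etc/services.
"""
from dataclasses import dataclass

# Service names as they appear in the quoted rules (assumed /etc/services values)
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str          # destination zone for ACCEPT, local port for REDIRECT
    proto: str
    dports: frozenset  # empty means "any destination port"


def _ports(field: str) -> frozenset:
    """Turn a DEST PORT(S) column such as '80,443' or 'www' into a set of ints."""
    if field == "-":
        return frozenset()
    return frozenset(SERVICE_PORTS[t] if t in SERVICE_PORTS else int(t)
                     for t in field.split(","))


def parse_rules(text: str) -> list:
    """Parse the first five columns of a rules file; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))   # pad short lines to five columns
        action, source, dest, proto, dport = cols[:5]
        rules.append(Rule(action, source, dest, proto, _ports(dport)))
    return rules


def disposition(rules, src_zone: str, dst_zone: str, proto: str, dport: int):
    """Return (ACTION, detail) of the first matching terminating rule, else ('POLICY', None)."""
    for r in rules:
        if r.source != src_zone or r.proto not in ("-", proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.action == "REDIRECT":
            # Matches connections from the source zone to anywhere; DEST is the firewall port
            return ("REDIRECT", int(r.dest))
        if r.action == "ACCEPT" and r.dest == dst_zone:
            return ("ACCEPT", None)
    return ("POLICY", None)


# The two fragments from the thread (the header comment line is ignored by the parser)
TRANSPARENT = """
#ACTION   SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    $FW     net   tcp    www
REDIRECT  loc     3128  tcp    www
"""

MANUAL = """
#ACTION   SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    loc     $FW   tcp    3128
ACCEPT    $FW     net   tcp    80
"""

# Constructed counter-example: an ACCEPT placed above the REDIRECT shadows it
SHADOWED = """
ACCEPT    loc     net   tcp    www
REDIRECT  loc     3128  tcp    www
"""


def demo():
    """Evaluate a few representative connections against each fragment."""
    cases = [("loc", "net", "tcp", 80), ("loc", "net", "tcp", 8080),
             ("loc", "net", "tcp", 443), ("$FW", "net", "tcp", 80)]
    out = {}
    for name, text in (("transparent", TRANSPARENT), ("manual", MANUAL),
                       ("shadowed", SHADOWED)):
        rules = parse_rules(text)
        out[name] = {c: disposition(rules, *c) for c in cases}
    return out


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for (src, dst, proto, port), (action, detail) in results.items():
            print(f"  {src:>4} -> {dst:<4} {proto}/{port:<5} {action} {detail or ''}")
```

Running it shows the transparent fragment sending loc->net port 80 to REDIRECT 3128 while 8080 and 443 fall through to policy, the manual fragment only ACCEPTing loc->$FW:3128, and the constructed SHADOWED fragment never reaching its REDIRECT because the earlier ACCEPT terminates first. That last case is the practical reading of the first-match answer: order the REDIRECT above any broader ACCEPT for the same source and port, and redirect only the ports squid's http_port can actually serve.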
