Sure, here it is, very simple
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl snmpcheck snmp_community public
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
snmp_access allow snmpcheck localhost
# And finally deny all other access to this proxy
http_access deny all
snmp_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
snmp_port 3401
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /cache/squid/var/cache/squid 350000 16 256
# Leave coredumps in the first cache dir
coredump_dir /cache/squid/var/cache/squid
strip_query_terms off
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
reload_into_ims on
memory_pools off
cache_mem 4096 MB
memory_cache_shared on
minimum_object_size 0 bytes
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
pipeline_prefetch on
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30

On Thu, Mar 5, 2015 at 8:54 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
> Looking good.
>
> Can I take a look at your squid.conf? Without comment lines and
> sensitive info?
>
> 05.03.15 19:51, Monah Baki wrote:
>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>
>> # block in
>> pass in log quick on bge0
>> pass out log quick on bge0
>> pass out keep state
>>
>> Thanks
>>
>> On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
>>> Show complete pf.conf, please.
>>>
>>> 05.03.15 19:45, Monah Baki wrote:
>>>> In my squid.conf
>>>>
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
>>>>> Squid access denied?
>>>>>
>>>>> Look at this:
>>>>>
>>>>> In my /etc/pf.conf
>>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>>
>>>>> Which port is configured in Squid as intercept?
>>>>>
>>>>> 3129?
>>>>>
>>>>> and 3128 is forwarding?
>>>>>
>>>>> 05.03.15 19:36, monahb...@gmail.com wrote:
>>>>>> Yes that's what I followed and user is getting an "access denied"
>>>>>> from the squid when he tries www.cnn.com
>>>>>>
>>>>>> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
>>>>>> Original Message
>>>>>> From: Yuri Voinov
>>>>>> Sent: Thursday, March 5, 2015 8:22 AM
>>>>>> To: squid-users@lists.squid-cache.org
>>>>>> Subject: Re: [squid-users] squid intercept config
>>>>>>
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
>>>>>>
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>>>>>
>>>>>> 05.03.15 18:19, Monah Baki wrote:
>>>>>>> Hi all, can anyone verify if this is correct, need to
>>>>>>> make sure that users will be able to access the
>>>>>>> internet via the squid.
>>>>>>>
>>>>>>> Running FreeBSD with a single interface with Squid-3.5.2
>>>>>>>
>>>>>>> Policy based routing on Cisco with the following:
>>>>>>>
>>>>>>> interface GigabitEthernet0/0/1.1
>>>>>>>  encapsulation dot1Q 1 native
>>>>>>>  ip address 10.0.0.9 255.255.255.0
>>>>>>>  no ip redirects
>>>>>>>  no ip unreachables
>>>>>>>  ip nat inside
>>>>>>>  standby 1 ip 10.0.0.10
>>>>>>>  standby 1 priority 120
>>>>>>>  standby 1 preempt
>>>>>>>  standby 1 name HSRP
>>>>>>>  ip policy route-map CFLOW
>>>>>>>
>>>>>>> ip access-list extended REDIRECT
>>>>>>>  deny tcp host 10.0.0.24 any eq www
>>>>>>>  permit tcp host 10.0.0.23 any eq www
>>>>>>>
>>>>>>> route-map CFLOW permit 10
>>>>>>>  match ip address REDIRECT
>>>>>>>  set ip next-hop 10.0.0.24
>>>>>>>
>>>>>>> In my /etc/pf.conf
>>>>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>>>>
>>>>>>> # block in
>>>>>>> pass in log quick on bge0
>>>>>>> pass out log quick on bge0
>>>>>>> pass out keep state
>>>>>>>
>>>>>>> and finally in my squid.conf:
>>>>>>> http_port 3128
>>>>>>> http_port 3129 intercept
>>>>>>>
>>>>>>> And for testing purposes from the squid server:
>>>>>>> ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>>>>>
>>>>>>> If I replace -p 3128 with -p 80, I get an access
>>>>>>> denied, and if I omit the -p 3128 completely, I can
>>>>>>> access the websites.
>>>>>>>
>>>>>>> tcpdump with (-p 3128)
>>>>>>>
>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>>>>>>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>> 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>>
>>>>>>> Did I miss anything?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Monah
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> squid-users mailing list
>>>>>>> squid-users@lists.squid-cache.org
>>>>>>> http://lists.squid-cache.org/listinfo/squid-users
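Yuri asked for the squid.conf in order to review it. As an added example that is not part of this thread, the Python below runs a few reviewer-style checks over a constructed excerpt of the posted config: the SNMP community "public", the unrestricted "http_access allow manager" line, the redefinition of the "manager" acl (a built-in since Squid 3.2, together with all, localhost and to_localhost), and the duplicated maximum_object_size where the second line silently overrides the first. The names lint, SAMPLE_CONF, BUILTIN_ACLS and SINGLETON are my own.

```python
# Constructed excerpt of the squid.conf posted above; order and values kept as posted.
SAMPLE_CONF = """\
acl snmpcheck snmp_community public
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access allow manager
http_access deny manager
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
snmp_access allow snmpcheck localhost
http_access deny all
http_port 3129 intercept
maximum_object_size 512 MB
maximum_object_size 512 KB
"""

# Squid 3.2+ predefines these acl names; redefining one is worth a look.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}
# Directives where a later occurrence silently overrides the earlier one.
SINGLETON = {"maximum_object_size", "minimum_object_size", "cache_mem"}


def lint(conf):
    """Return (line_number, message) findings for squid.conf text."""
    findings, defined, seen = [], set(BUILTIN_ACLS), {}
    for n, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not parts:
            continue
        directive, args = parts[0], parts[1:]
        if directive == "acl" and len(args) >= 2:
            if args[0] in BUILTIN_ACLS:
                findings.append((n, f"redefines built-in acl '{args[0]}'"))
            if args[1] == "snmp_community" and "public" in args[2:]:
                findings.append((n, "SNMP uses the default community 'public'"))
            defined.add(args[0])
        elif directive.endswith("_access"):
            for name in (a.lstrip("!") for a in args[1:]):
                if name not in defined:
                    findings.append((n, f"acl '{name}' used before it is defined"))
            if args == ["allow", "manager"]:
                findings.append((n, "cache manager reachable from any client"))
        elif directive in SINGLETON:
            if directive in seen:
                findings.append((n, f"'{directive}' repeated; line {seen[directive]} is overridden"))
            seen[directive] = n
    return findings
```

Run it over a full squid.conf with `lint(open("/path/to/squid.conf").read())`; the checks are deliberately narrow, so a clean result only means these particular mistakes are absent.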