ivan zivkovic wrote:
This is what I got from *access.log.1*

  1247569933.948 2355 192.168.1.0 TCP_MISS/200 6541 GET http://www.google.hr/ - DIRECT/74.125.87.99 text/html
  1247569938.386 4309 192.168.1.0 TCP_MISS/200 17592 GET http://www.google.hr/extern_js/f/CgJlbhICaHIrMAo4GywrMA44BSwrMBY4DiwrMBc4AywrMBg4BCwrMBk4BCwrMCU4yYgBLCswJjgFLCswJzgCLA/n2_RYniADdU.js - DIRECT/74.125.87.104 text/javascript
  1247569940.604 2189 192.168.1.0 TCP_MISS/204 267 GET http://clients1.google.hr/generate_204 - DIRECT/74.125.87.101 text/html
  1247569942.311 1697 192.168.1.0 TCP_MISS/204 357 GET http://www.google.hr/csi? - DIRECT/74.125.87.103 text/html
  1247569951.263 1684 192.168.1.0 TCP_MISS/200 6541 GET http://www.google.hr/ - DIRECT/74.125.87.147 text/html
  1247569951.396 0 192.168.1.0 TCP_NEGATIVE_HIT/204 274 GET http://clients1.google.hr/generate_204 - NONE/- text/html
  1247569953.001 1603 192.168.1.0 TCP_MISS/204 357 GET http://www.google.hr/csi? - DIRECT/74.125.87.99 text/html

Ok, sorry for TPROXY... But one thing I don't understand - /NAT needs to be happening on the Squid box/. I have NAT (AirLive Security Gateway MW2000-S) which controls access to network, but to configure NAT on my PC. If I got you correctly, here is the problem I think.

I think so too. If you notice the NAT lines in the tutorial I pointed your way, there are two of them. The first prevents packets from Squid box being NATed. The second does the NAT for everything else.

Make sure the AirLive is able to do that and some of the problems will disappear. If not you will have to find some other way to bypass it for the Squid box outbound messages.

If you have access to the AirLive routing and enough control to policy route just the port-80 packets at Squid, that would be the best solution. I'm not sure if it's possible though. Most plug-n-play consumer boxes don't allow enough control.

Good luck with it. Sorry I can't be of more or detailed help.


And I did change acl localnet src to 192.168.1.0/24!

Everything else is default! I want web caching server that everybody from
192.168.1.0/99 network can access. Idea is to get Internet to work faster!

What I meant here is all from 192.168.1.0 - 192.168.1.99! Sorry...


Ah, okay. For odd start/end numbers like this it's just the first-last range:

  acl localnet src 192.168.1.0-192.168.1.99


I have shorewall firewall. Holy shit I have so much to learn but it is interesting! Oh, I have Squid 3.0 stable 8

Okay. I can't provide much help there I'm afraid. I found shorewall too tricky and limited when I tried it. So I have an idea how it's configured, but the details you need are unknown to me.

IIRC there is a nat table file somewhere. You need to figure out which order to write the columns. But the details to enter in are the same as those seen in the iptables NAT lines of the tutorial.


On Fri, Jul 17, 2009 at 1:10 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:


    Thing to note before starting:
     none of your text below has anything to do with the TPROXY feature.
    Current Ubuntu official releases are not even TPROXYv2 or TPROXYv4
    enabled.

     You are discussing a NAT interception proxy (aka transparent proxy
    to some people).



    hardin369 wrote:

        Been through lots of guides and I did manage to set up a proxy
        web caching
        server. But when I activate it everything goes to hell. First
        problem I have
        is that when I start it it says "unrecognized....vhost"! Ok,
        but my main


    Hmm, one thing to check here. I've heard of a firewall (SonicForge
    or something like that) which does interception and can send traffic
    to Squid. Uses a proxy of its own which attempts to get around
    CVE-2009-0801 interception flaw by adding the destination IP address
    as the Host: header entry. This screws up many virtual hosted web
    servers.



        problem is that I have NAT device connected to computer on which
        proxy is
        installed. I'm running ubuntu latest, squid3. NAT device is actually
        security gateway for wifi network. In NAT I enter proxy address
        192.168.1.99:3128 and that's all.


    For interception to log accurate visitor IP addresses with Squid the
    NAT needs to be happening on the Squid box. That is an absolute
    requirement.

    DNAT may seem to operate properly on a different box, but
    you lose all hope of accurate IP information about requests.

    Two things you need to check are that the requests leaving the Squid box
    are NOT, absolutely NOT, being caught by the NAT rules again and sent
    back at Squid.



        All settings in my squid.conf are
        configured through internet guides. It is simply slow, very slow, my
        computer is not fast but this is for 20 users max. So that
        should not be any
        problem...


     * Check the above looping problem.
     * Check that the Squid box has fast DNS access.
     * check that enough memory is available (NOTE: cache_mem is the
    amount of RAM allocated for storage of recently used objects. Thus
    the _minimum_ Squid will need. Indexes and in-transit stuff needs a
    lot more on top)
     * check that NAT functionality is loaded and running on the Squid
    box. Even if unused, it will prevent the OS timing out trying to
    locate NAT data on every request.



        http_access allow localnet
        http_access allow localhost
        http_access allow all


    This "allow all" is severely dangerous.


        acl localnet src 192.168.1.0 192.168.1.99/32


    The two IP addresses 192.168.1.0/32 and
    192.168.1.99/32 are the only two computers
    on the network? I think you mean 192.168.1.0/24.

    Which makes it work without needing "allow all", which is downright
    dangerous. "all" means exactly that: 'all the entire Internet' has
    access through your Squid box if they can get there.



        http_port 192.168.1.99:3128 transparent
        (these lines up are not in this order)


    Order is important in squid.conf:
     acl must come before http_access,
     order of specific http_access determines which of the individual
    lines has privilege and is used.

     other default settings may or may not affect this depending on
    where they are above or below these.




        Everything else is default! I want web caching server that
        everybody from
        192.168.1.0/99 network can access. Idea
        is to get Internet to work faster!


    /99 ??  Please look up the meaning of the technical term CIDR.


    To do that change your ACL line to this:

     acl localnet src 192.168.1.0/24


    To conclude:
     The best guide you will find for Ubuntu Squid-3 interception proxy
    setup is this one:
     http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

    It contains everything different from the default system settings
    that needs changing to operate interception. All you need do is add
    your internal network ranges to the squid.conf localnet ACL, and


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
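Added here as a check for the two symptoms Amos describes (not code from the thread, from Squid or from its wiki): a small parser for the native access.log format Ivan posted, which flags a log where every request carries a single client address (visitor IPs lost because NAT is on another box) and any request whose client is the Squid box itself (outbound traffic NATed back at Squid). It assumes the Squid box is 192.168.1.99 as in the http_port line; the looped log line is constructed.

```python
"""Spot two interception symptoms in a Squid native-format access.log:
every request carrying one client address (visitor IPs lost because NAT
is on another box) and requests coming from the Squid box itself (loop)."""
from collections import Counter, namedtuple

SQUID_IP = "192.168.1.99"  # http_port address from the thread; assumed here

Entry = namedtuple("Entry", "timestamp elapsed_ms client code status size "
                            "method url hierarchy peer")


def parse_line(line):
    """Parse one native-format line: ts elapsed client code/status bytes
    method url ident hierarchy/peer type (10 whitespace-separated fields)."""
    f = line.split()
    if len(f) != 10:
        raise ValueError("unexpected field count in line: %r" % line)
    code, status = f[3].split("/", 1)          # e.g. TCP_MISS/200
    hierarchy, peer = f[8].split("/", 1)       # e.g. DIRECT/74.125.87.99 or NONE/-
    return Entry(float(f[0]), int(f[1]), f[2], code, int(status),
                 int(f[4]), f[5], f[6], hierarchy, peer)


def check_log(lines, squid_ip=SQUID_IP):
    """Return (entries, findings); findings are human-readable warnings."""
    entries = [parse_line(l) for l in lines if l.strip()]
    findings = []
    clients = Counter(e.client for e in entries)
    if len(entries) > 1 and len(clients) == 1:
        findings.append("all %d requests logged with client %s: NAT is likely not "
                        "on the Squid box, so real visitor IPs are lost"
                        % (len(entries), next(iter(clients))))
    looped = sum(1 for e in entries if e.client == squid_ip)
    if looped:
        findings.append("%d request(s) originate from the Squid box %s: its outbound "
                        "traffic is being NATed back to Squid (loop)" % (looped, squid_ip))
    return entries, findings


# Three lines copied from the access.log.1 excerpt in the thread.
SAMPLE_LOG = [
    "1247569933.948 2355 192.168.1.0 TCP_MISS/200 6541 GET http://www.google.hr/ - DIRECT/74.125.87.99 text/html",
    "1247569940.604 2189 192.168.1.0 TCP_MISS/204 267 GET http://clients1.google.hr/generate_204 - DIRECT/74.125.87.101 text/html",
    "1247569951.396 0 192.168.1.0 TCP_NEGATIVE_HIT/204 274 GET http://clients1.google.hr/generate_204 - NONE/- text/html",
]
# Constructed line showing what a looped request from the Squid box would look like.
LOOP_LINE = "1247569960.000 10 192.168.1.99 TCP_MISS/200 6541 GET http://www.google.hr/ - DIRECT/74.125.87.99 text/html"

if __name__ == "__main__":
    for msg in check_log(SAMPLE_LOG + [LOOP_LINE])[1]:
        print(msg)
```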
