Hi, my name is Shawn Caron. I am having issues with the new Squid 3.1.11. I can't get my laptop to download any updates from within Squid 3.1.11. I have digest auth installed and working correctly for web browsers only. But when I try to update the laptop through aptitude using an sh script, I can't get it to connect to the update servers, like debian.org or ubuntu.org, for package updates. Also, when I am at school at Davenport University in Lansing, Michigan, their Blackboard system uses the ice Java plugin, and when I connect through my remote proxy using the Astrado firewall I get a username and password box asking for my user name and password. And if I don't type in the correct information and cancel the prompt, the browser will lock up and I have to restart the browser. Can anyone provide the answers on this? Or do I have to switch to a different auth scheme to make this work with both the browsers and aptitude and apt-get? I can attach my squid.conf file if needed, and also the update script.
My primary goal is to have the most secure connection and block all port 80,443 going out. Also I want to allow only certain MAC addresses to bypass Squid for updates only, and not allow any web-based traffic out without it going through the Squid proxy first. Also I want to be able to have VPN access remotely from outside into my home network. For that I use kvpnc and the Astrado firewall. I have had issues with the connections using kvpnc and have not been able to get a completed connection to the drop-off point inside the network.

Here is the squid.conf. Currently working on squid3 version 3.1.11:

#Authorization
auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/auth/digest/authlist
auth_param digest nonce_garbage_interval 24 hours
auth_param digest nonce_max_duration 24 hours
auth_param digest nonce_max_count 50
auth_param digest children 5
auth_param digest realm Secured Proxy Server Authenication Required
authenticate_cache_garbage_interval 24 hour
authenticate_ttl 24 hour
#auth_parm basic program /usr/lib/squid3/ncsa_auth /etc/squid3/userpass

# ACL Lists
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl safe port 21 80
acl sslports port 22 441 443 465 587 631 995 8001
acl http proto http
acl ftp proto ftp
acl updateports port 21 80
acl updates dstdomain .debian.org .microsoft.com .symantec.com .windowsupdate.com .database.clamav.net .ubuntu.org
acl Authorized-worstations src "/etc/squid3/workstations"
acl Authorized-servers src "/etc/squid3/servers"
acl Authorized-wireless src "/etc/squid3/wireless"
acl Authorized-proxy src "/etc/squid3/proxy"
acl Authorized-pfsense src "/etc/squid3/pfsense"
acl webmin src "/etc/squid3/webmin"
acl purge method purge
acl Authorization-admins proxy_auth REQUIRED
acl Authorization-users proxy_auth REQUIRED
acl internal port 8080 8081 8118 10000 57310 57311 7001
acl bad_url url_regex "/etc/squid3/bad-sites.acl"
#acl localnet 10.2.2.254/24 10.2.2.11/24 10.2.2.10/24 10.2.2.9/24 10.2.2.134/24

# HTTP ACCESS
# Only allow cachemgr access from localhost
http_access allow http updateports updates
http_access allow ftp updateports updates
http_access allow Authorization-admins Authorization-users
http_access allow safe sslports internal
http_access allow localhost
http_access allow manager localhost
http_access allow CONNECT webmin Authorized-pfsense updateports updates
http_access allow Authorized-worstations
http_access allow Authorized-servers
http_access allow Authorized-wireless
http_access allow Authorized-proxy
http_access allow Authorized-pfsense
http_access allow webmin
#http_access localnet
http_access allow Authorization-admins Authorization-users
http_access deny all
http_reply_access allow Authorization-users
http_reply_access allow Authorization-admins

#Allow ICP queries from local networks only
icp_access allow Authorized-worstations Authorized-wireless
icp_access deny all
#Allow HTCP queries from local networks only
htcp_access deny all

# Squid normally listens to port 3128
#http_port 127.0.0.1:23654
http_port 10.2.2.3:56754 intercept
http_port 10.2.2.4:23654 intercept
#http_port 10.3.3.1:23654

# MISC SETTINGS
hierarchy_stoplist cgi-bin ?
cache_mem 7 MB
maximum_object_size_in_memory 100 mb
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid3 1000 16 256
max_open_disk_fds 10
minimum_object_size 1000 mb
maximum_object_size 1 GB
no_cache allow internal

#LOG
#ACCESS LOG
access_log /var/log/squid3/access.log
cache_store_log none
#logfile_rotate 0
#emulate_httpd_log on
emulate_httpd_log on
log_ip_on_direct on
pid_filename /var/run/squid3.pid
strip_query_terms on

# OPTIONS FOR FTP GATEWAYING
ftp_list_width 50
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
unlinkd_program /usr/lib/squid3/unlinkd

# OPTIONS FOR URL REWRITING
#url_rewrite_children 2
#url_rewrite_children 2
#url_rewrite_concurrency 0
url_rewrite_host_header on
url_rewrite_bypass off

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#Suggested default:
refresh_pattern ^ftp: 1440 5% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern Packages\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Sources\.bz2$ 0 20% 4320 refresh-ims
refresh_pattern Release\.gpg$ 0 20% 4320 refresh-ims
refresh_pattern Release$ 0 20% 4320 refresh-ims
refresh_pattern . 0 20% 4320 refresh-ims
hierarchy_stoplist cgi-bin ?
#Default:
#Default: read_ahead_gap 30 MB
#negative_ttl 5 minute
#positive_dns_ttl 24 hour
range_offset_limit 0 KB
minimum_expiry_time 60 seconds
store_avg_object_size 100 KB

# HTTP OPTIONS
# -----------------------------------------------------------------------------
#Default:
#request_header_max_size 100 KB
#Default:
#read_timeout 15 minute
#read_timeout 24 hour
#Default:
# request_timeout 5 minutes
#request_timeout 24 hour
# shutdown_lifetime 30 seconds
shutdown_lifetime 0 second
#Default:
cache_effective_user proxy
#
#Default:
httpd_suppress_version_string on
#Default:
# visible_hostname localhost
visible_hostname Secured_Proxy_Server_Authorization_Required
#
#Default:
digest_bits_per_entry 5
#
#Default:
digest_rebuild_period 24 hour
digest_rewrite_period 24 hour
#digest_swapout_chunk_size 4096 bytes
#Default:
digest_rebuild_chunk_percentage 10
#
#Default:
udp_outgoing_address 0.0.0.0
#Default:
# prefer_direct off

# TAG: never_direct
# Usage: never_direct allow|deny [!]aclname ...
#
# never_direct is the opposite of always_direct. Please read
# the description for always_direct if you have not already.
#
# With 'never_direct' you can use ACL elements to specify
# requests which should NEVER be forwarded directly to origin
# servers. For example, to force the use of a proxy for all
# requests, except those in your local domain use something like:
#
# acl local-servers dstdomain .foo.net
# never_direct deny local-servers
# never_direct allow all
#
# or if Squid is inside a firewall and there are local intranet
# servers inside the firewall use something like:
#
# acl local-intranet dstdomain .foo.net
# acl local-external dstdomain external.foo.net
# always_direct deny local-external
# always_direct allow local-intranet
# never_direct allow all
#
# This option replaces some v1.1 options such as inside_firewall
# and firewall_ip.
#
#Default:
never_direct allow localhost
#always_direct allow Authorized-pfsense Authorized-wireless
always_direct allow updates

#cache_dns_program /usr/lib/squid3/dnsserver
#dns_children 5
#dns_retransmit_interval 5 seconds
#dns_timeout 2 minutes
#dns_nameservers 10.2.2.3
dns_defnames on
hosts_file /etc/hosts
append_domain .CA
ignore_unknown_nameservers on
ipcache_size 10000
ipcache_low 30
ipcache_high 50
memory_pools_limit 1000 KB
retry_on_error on
uri_whitespace strip

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
pipeline_prefetch on
windows_ipaddrchangemonitor on
redirect_children 1
unique_hostname Secured_Proxy_Server_Authorization_Required
cache_effective_group proxy
#fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
cache_peer localhost parent 8081 0
url_rewrite_program /usr/bin/adzapper.wrapper
url_rewrite_children 2
#ssl_unclean_shutdown on
icp_query_timeout 10
mcast_icp_query_timeout 10
half_closed_clients off
server_persistent_connections off
client_persistent_connections on

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

tcp_outgoing_address 0.0.0.0
client_lifetime 24 hour
announce_period 2 day
#reference_age 24 hour
log_icp_queries off
memory_pools off
authenticate_ip_ttl 48 hour

Here is the user.sh script I use to create user accounts and passwords for Squid 3.1.11 on Debian 6.0:

#!/bin/sh
# Prints one "user:realm:HA1" line in the format digest_pw_auth -c expects;
# redirect it with >> to append to the authlist file.
echo " Must use >> before output file"
echo ""
user=$1
pass=$2
realm=$3
if [ -z "$1" -o -z "$2" -o -z "$3" ] ; then
    echo "Usage: $0 user password 'realm'"; exit 1
fi
# HA1 = MD5("user:realm:password"); printf avoids echo option differences under dash
ha1=$(printf '%s' "$user:$realm:$pass" | md5sum | cut -f1 -d' ')
echo "$user:$realm:$ha1"

Also here is my iptables.up.rules.squidnewmods:

*nat
:PREROUTING ACCEPT [813:49625]
:POSTROUTING ACCEPT [99:5940]
:OUTPUT ACCEPT [272:16321]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,21,443 -j DNAT --to-destination 10.2.2.3:23654
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,21,443 -j DNAT --to-destination 10.2.2.3:56754
-A POSTROUTING -o eth0 -j MASQUERADE

Any help will be greatly accepted. Thanks, Shawn
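Added here as an illustration, not code from the post: a Python check of how the authlist written by the user.sh script above pairs with Squid's `digest_pw_auth -c` lookup, i.e. the stored HA1 is MD5(user:realm:password) and is only found under the exact realm string from the squid.conf `auth_param digest realm` line, so changing that realm (even to fix its spelling) invalidates every existing entry until the file is regenerated. The account, nonce, cnonce and URI are constructed; the real helper binary is not reproduced, only the RFC 2617 arithmetic it must agree with.

```python
import hashlib
import hmac

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    # Same value the post's user.sh writes: MD5("user:realm:password")
    return md5hex(f"{user}:{realm}:{password}")

def load_authlist(text: str) -> dict:
    # digest_pw_auth -c format: user:realm:HA1, one account per line
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, h1 = line.split(":", 2)
        table[(user, realm)] = h1
    return table

def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(table, realm, user, method, uri, nonce, nc, cnonce, response):
    # realm is the squid.conf auth_param value; the stored HA1 is bound to it
    h1 = table.get((user, realm))
    if h1 is None:
        return False
    expected = digest_response(h1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# Constructed sample (not from the post): the posted realm string, one account,
# and the kind of nonce/cnonce values a real exchange would carry.
CONF_REALM = "Secured Proxy Server Authenication Required"
FIXED_REALM = "Secured Proxy Server Authentication Required"  # spelling corrected
AUTHLIST = f"shawn:{CONF_REALM}:{ha1('shawn', CONF_REALM, 'correct-horse')}\n"

def demo():
    table = load_authlist(AUTHLIST)
    nonce, nc, cnonce, uri = "4d2a9c1e", "00000001", "0a1b2c", "http://security.debian.org/"
    resp = digest_response(ha1("shawn", CONF_REALM, "correct-horse"), "GET", uri, nonce, nc, cnonce)
    ok = verify(table, CONF_REALM, "shawn", "GET", uri, nonce, nc, cnonce, resp)
    # Realm edited in squid.conf without regenerating the authlist: no entry is found
    stale = verify(table, FIXED_REALM, "shawn", "GET", uri, nonce, nc, cnonce, resp)
    # Wrong password under the right realm: HA1 differs, so the response differs
    bad = digest_response(ha1("shawn", CONF_REALM, "guess"), "GET", uri, nonce, nc, cnonce)
    wrong = verify(table, CONF_REALM, "shawn", "GET", uri, nonce, nc, cnonce, bad)
    return ok, stale, wrong
```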