Dalmar | 24 Jun 14:03 2015

Mikrotik and Squid Transparent

Hi,
For over two weeks I have been having a real headache configuring Squid transparent/intercept.
I have tried different options and configurations, but I couldn't get it to work.
I think the problem lies in the iptables / NAT, but I really couldn't solve it.
I have tried different iptables rules, including the interception Linux DNAT / sysctl configuration, but it didn't work.

#!/bin/sh
# your proxy IP
SQUIDIP=X.X.X.X

# your proxy listening port
SQUIDPORT=XXXX

# Never intercept Squid's own outgoing port-80 traffic.
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# Send everyone else's port-80 traffic to the proxy port.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
# Source-NAT what this box forwards upstream.
iptables -t nat -A POSTROUTING -j MASQUERADE
# Drop direct (non-NATed) connections to the proxy port; mangle PREROUTING
# runs before nat PREROUTING, so NATed packets still show dport 80 here.
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP


I have to say that Squid works well when I configure it in the client browsers.

On the MikroTik side, I am using a dst-nat rule: chain dstnat, dst-port 80, protocol tcp, action dst-nat to the Squid IP and port.

I am using Ubuntu Server 15.04 with Squid 3.3.8. This is my configuration and the errors I get:


                ------ eth0 WAN <----- MAIN WAN Public IP Internet
        MK ----|------ eth1 LAN
                ------ eth2 Proxy

                ------ eth0 WAN ---> Public IP --> Internet --> gets internet from 24online / another Mikrotik
     Squid ----|------ eth1 Proxy
                ------ eth2 webmin --> For server management


Error 1: if no intercept/transparent and no iptables is configured:
- "Invalid URL - The requested URL could not be retrieved"
- but if the proxy is configured in the user's browser, it works!


Error 2: if intercept and the iptables DNAT are configured:
- "Access Denied", and in the access log TCP_MISS/403
- "no forward-proxy ports configured"
        - security alert: host header forgery detected on local=SquidIP:8080 remote=MikrotikIP (local IP does not match any domain name)
        - warning: forwarding loop detected (X-Forwarded-For: MikroTik LAN IP)

squid.conf

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080
http_port 8181
cache_mem 2000 MB
cache_dir ufs /var/spool/squid3 100000 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy

----------------------------------------
I am really confused; can anyone guide me, please?
Thanks in advance
_______________________________________________
squid-users mailing list
squid-users <at> lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
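An added example, not part of Dalmar's post and not Squid or MikroTik project code: interception arranged so that the NAT happens on the Squid host itself. Squid's intercept port recovers the original destination of a connection from the local netfilter NAT table and checks the Host header against it. When the dst-nat is done on the MikroTik instead, that information never reaches the Squid host: the lookup returns Squid's own address and port (the "local=SquidIP:8080" in the alert), the Host header cannot match it, and the request is refused as host header forgery. The script below therefore expects the MikroTik to route clients' port-80 traffic to Squid unmodified (policy routing rather than dst-nat) and does the DNAT on the Squid box, onto a dedicated intercept port, while 8080 stays a plain forward-proxy port for browser-configured clients. The addresses, the interface names, port 3129 and the RouterOS syntax are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Interception with the NAT done
# on the Squid host itself. Values below are assumptions for this example;
# interface names follow the poster's diagram (eth1 = proxy LAN, eth0 = WAN).
SQUIDIP="${SQUIDIP:-192.0.2.10}"             # assumed: Squid's address on eth1
LAN_IF="${LAN_IF:-eth1}"                     # where the MikroTik routes client traffic in
WAN_IF="${WAN_IF:-eth0}"                     # toward the upstream router
FORWARD_PORT="${FORWARD_PORT:-8080}"         # existing browser-configured proxy port
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"     # assumed: dedicated intercept port, never put in browsers
MT_LAN_IF="${MT_LAN_IF:-ether2}"             # assumed: the MikroTik's client-facing interface

# Emit the netfilter rules rather than running them, so they can be reviewed
# (and tested) first; "$0 apply" runs them.
intercept_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Squid's own outbound port-80 traffic must never be intercepted, or it loops.
iptables -t nat -A PREROUTING -i $LAN_IF -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# DNAT here, on the Squid host: conntrack keeps the original destination,
# which is what the intercept port reads back to verify the Host header.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$INTERCEPT_PORT
# After the DNAT the packets arrive with dport $INTERCEPT_PORT; let them in.
iptables -A INPUT -i $LAN_IF -p tcp --dport $INTERCEPT_PORT -j ACCEPT
# Source-NAT whatever this box forwards upstream.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# mangle PREROUTING runs before nat PREROUTING, so intercepted packets still
# carry dport 80 here; only direct connections to the intercept port are dropped.
iptables -t mangle -A PREROUTING -p tcp --dport $INTERCEPT_PORT -j DROP
EOF
}

# squid.conf: keep the forward-proxy port and add a separate intercept port.
squid_conf_ports() {
    cat <<EOF
http_port $FORWARD_PORT
http_port $INTERCEPT_PORT intercept
EOF
}

# RouterOS side (assumed RouterOS 6 syntax): route, don't dst-nat, so the
# packets reach Squid with their real destination. Squid's own traffic is excluded.
mikrotik_rules() {
    cat <<EOF
/ip firewall mangle add chain=prerouting in-interface=$MT_LAN_IF protocol=tcp dst-port=80 src-address=!$SQUIDIP action=mark-routing new-routing-mark=to-proxy passthrough=no
/ip route add routing-mark=to-proxy gateway=$SQUIDIP
EOF
}

case "${1:-show}" in
    apply) intercept_rules | grep -v '^#' | sh -e ;;
    show)  intercept_rules; echo; squid_conf_ports; echo; mikrotik_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the three fragments for review, and with "apply" to load the netfilter rules. The mangle DROP rule is the one from the Squid wiki and works only because NAT happens on this box; with the old MikroTik dst-nat, packets would already carry the proxy port when they reach mangle PREROUTING and would be dropped.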
HackXBack | 24 Jun 04:24 2015

TCP_MISS/503

Sometimes HTTP pages give the Squid error page;
in access.log I see TCP_MISS/503.
What could the problem be?
I checked iptables and squid.conf, but everything seems to look fine..!!
Thanks.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-MISS-503-tp4671863.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Mike | 24 Jun 01:03 2015

acl for redirect

We have a server set up using Squid 3.5 and e2guardian (newer branch of 
DansGuardian); the issue is that now Google has changed a few things around 
and Google is no longer filtered, which is not acceptable. We already 
have the browser settings for SSL proxy set to our server, and Squid has 
ssl-bump enabled and working. Previously there was enough unsecured 
content on Google that the filtering was still working, but now Google 
has gone 100% encrypted, meaning it is 100% unfiltered. What is happening 
is that it is creating an SSL tunnel (for lack of a better term) between 
their server and the browser, so all Squid sees is the connection to 
www.google.com, and after that it is tunneled and not recognized by 
Squid or e2guardian at all.

I found a few options online that were used with older Squid versions, but 
nothing is working with Squid 3.5... Looking for something like this:

acl google dstdomain .google.com
deny_info http://www.google.com/webhp?nord=1 google
http_access deny google

Essentially I want to have Squid take all regular requests for google.com 
and send/relay them to the unsecured page at 
http://www.google.com/webhp?nord=1, which allows e2guardian to properly 
filter. With the current settings, though, it goes to the Squid access 
denied page.

Mike

Doubt about private ip "leaking"

Hello guys,

Usually I check open ports using a site http://canyouseeme.org when I'm on a client and need to do some kind of NAT etc.

On one of my clients I'm running Squid v3.1.10 as a transparent proxy, and when I open the page the browser shows my private IP. After a little test, I disabled the proxy and ran the same test, and the site started showing my WAN IP as it should. Is that some kind of bug or misconfiguration in my squid.conf?

--
Att,


João Paulo
Sebastian Goicochea | 23 Jun 17:10 2015

Time out where? TCP_MISS_TIMEDOUT

I've found several of these in my access.log

1435009516.011 899906 10.60.3.221 TCP_MISS_TIMEDOUT/200 8790 GET http://t4.kn3.net/taringa/7/5/4/5/0/5/blackz89/236x177_1F2.jpg - ORIGINAL_DST/104.18.42.237 image/jpeg
1435009516.011 899840 10.63.6.215 TCP_MISS_TIMEDOUT/200 8742 GET http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgKDT-NKwfhCsAhjIATIIcTeEVWIn93c - ORIGINAL_DST/173.194.42.26 application/x-javascript

I don't quite understand it. Which connection is timing out? Squid to the 
web server? Squid to the client?
I couldn't find much on Google.

Thanks,
Sebastian
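An added example, not from Sebastian's post and not Squid project code: a quick awk triage of *_TIMEDOUT entries in the native access.log format. The TIMEDOUT tag means the response was not completed because one of Squid's timeouts fired, and the second field (elapsed time in milliseconds) is the hint as to which one: both entries above sit at roughly 899,900 ms, which is the 15-minute default of read_timeout, the server-side timer that runs while Squid waits for more data from the origin (ORIGINAL_DST shows Squid went straight to the origin, as an intercepting proxy does). The first two sample lines are the ones from the post; the other two are constructed, and the read_timeout value is the squid.conf default, so adjust it if yours differs.

```sh
#!/bin/sh
# Added example (not from the original post): triage *_TIMEDOUT entries in
# Squid's native access.log format. Fields:
#   1 timestamp 2 elapsed(ms) 3 client 4 code/status 5 bytes 6 method 7 URL
#   8 user 9 hierarchy/peer 10 content-type
READ_TIMEOUT_MS="${READ_TIMEOUT_MS:-900000}"   # squid.conf default: read_timeout 15 minutes

# First two lines are from the post; the rest are constructed for the example.
sample_log() {
    cat <<'EOF'
1435009516.011 899906 10.60.3.221 TCP_MISS_TIMEDOUT/200 8790 GET http://t4.kn3.net/taringa/7/5/4/5/0/5/blackz89/236x177_1F2.jpg - ORIGINAL_DST/104.18.42.237 image/jpeg
1435009516.011 899840 10.63.6.215 TCP_MISS_TIMEDOUT/200 8742 GET http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgKDT-NKwfhCsAhjIATIIcTeEVWIn93c - ORIGINAL_DST/173.194.42.26 application/x-javascript
1435009520.500 123 10.60.3.221 TCP_MISS/200 5120 GET http://example.com/ok.html - ORIGINAL_DST/93.184.216.34 text/html
1435009530.000 60012 10.60.3.222 TCP_MISS_TIMEDOUT/000 0 GET http://example.com/slow - ORIGINAL_DST/93.184.216.34 -
EOF
}

# Reads log lines on stdin; prints "<client> <elapsed_s> <peer> <verdict> <url>"
# for each *_TIMEDOUT entry. An elapsed time within 1% of read_timeout is
# attributed to the server-side read timer; anything else needs a look at the
# other *_timeout directives (or at the client going away).
timedout_entries() {
    awk -v rt="$READ_TIMEOUT_MS" '
        index($4, "_TIMEDOUT") {
            verdict = ($2 >= rt * 0.99 && $2 <= rt * 1.01) ? "server-read_timeout" : "other-timeout"
            printf "%s %.1f %s %s %s\n", $3, $2 / 1000, $9, verdict, $7
        }'
}

# Counts verdicts, so you can see at a glance whether the origin servers are
# the ones stalling.
timedout_summary() {
    timedout_entries | awk '{ n[$4]++ } END { for (v in n) printf "%s %d\n", v, n[v] }' | sort
}

# Usage: tail -n 10000 /var/log/squid3/access.log | timedout_summary
sample_log | timedout_summary
```

A run over the real log with the summary dominated by server-read_timeout means the origins (or something on the path to them) stopped sending mid-response and Squid waited the full read_timeout before logging; the client had been receiving a partial 200 for all of that time.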
sqca | 23 Jun 14:32 2015

Reverse Proxy translate public domain to internal path

Hi folks,

I have started to use Squid 3.5.5 to implement a reverse proxy for multiple
web servers. Some of them publish multiple websites on the same port,
so I need to do the following:
Publish "site1.example.com" via Squid, which points at 192.168.0.1:8080/test
Publish "site.example.com" via Squid, which points at
192.168.0.1:8080/production
and so on.

What do I need to do to accomplish this? Is it really necessary to use the
url_rewrite_program directive?

Thank you all for your input.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Reverse-Proxy-translate-public-domain-to-internal-path-tp4671854.html
Sent from the Squid - Users mailing list archive at Nabble.com.
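An added example, not from sqca's post and not Squid project code: the reverse-proxy configuration together with a small url_rewrite_program helper that adds the backend path prefix according to the public host name. The cache_peer/originserver setup selects the backend by host, but Squid has no directive that rewrites the path, so a helper (or an equivalent rewrite on the backend) is needed for the host-to-path mapping. The helper keeps the host unchanged and only prefixes the path, so the dstdomain ACL and cache_peer_access still route the request to the right origin server. It assumes url_rewrite_children with concurrency=0 (so no channel-ID in the helper protocol), the 3.4+ "OK rewrite-url=" reply format, the install path /usr/local/bin/path_rewrite.sh and the peer name web1; the host names and backend address are the ones from the question.

```sh
#!/bin/sh
# Added example (not from the original post): url_rewrite_program helper that
# maps a published host name to a backend path prefix. Assumes the default
# url_rewrite_children concurrency=0, so each request line on stdin is
# "URL client/fqdn ident method ..." without a channel-ID, and each reply is
# one line: "OK rewrite-url=..." or "ERR" (leave the URL unchanged).

# Public host -> backend path prefix (the mapping from the question).
prefix_for_host() {
    case "$1" in
        site1.example.com) printf '%s\n' "/test" ;;
        site.example.com)  printf '%s\n' "/production" ;;
        *)                 printf '%s\n' "" ;;
    esac
}

# Rewrite one absolute URL. Only the path gets the prefix; the host stays the
# same so dstdomain ACLs and cache_peer_access still pick the right origin.
rewrite_url() {
    url=$1
    case "$url" in
        http://*|https://*) ;;
        *) printf 'ERR\n'; return ;;
    esac
    scheme=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    case "$rest" in
        */*) path=/${rest#*/} ;;
        *)   path=/ ;;              # no path component at all
    esac
    host=${hostport%%:*}
    prefix=$(prefix_for_host "$host")
    [ -n "$prefix" ] || { printf 'ERR\n'; return; }
    # Never prefix twice (e.g. a client that already asked for /test/...).
    case "$path" in
        "$prefix"|"$prefix"/*) printf 'ERR\n'; return ;;
    esac
    printf 'OK rewrite-url="%s://%s%s%s"\n' "$scheme" "$hostport" "$prefix" "$path"
}

# Helper main loop: Squid writes one request per line and waits for the reply.
helper_loop() {
    while read -r url _extras; do
        rewrite_url "$url"
    done
}

# The squid.conf side (assumed install path and peer name).
squid_conf_fragment() {
    cat <<'EOF'
http_port 80 accel vhost defaultsite=site1.example.com
cache_peer 192.168.0.1 parent 8080 0 no-query originserver name=web1
acl published dstdomain site1.example.com site.example.com
cache_peer_access web1 allow published
cache_peer_access web1 deny all
http_access allow published
url_rewrite_program /usr/local/bin/path_rewrite.sh serve
url_rewrite_children 5 startup=2 idle=1 concurrency=0
url_rewrite_access allow published
url_rewrite_access deny all
EOF
}

# Run as a helper only when asked, so the script can also be sourced or tested.
if [ "${1:-}" = "serve" ]; then
    helper_loop
fi
```

Anything the helper answers ERR for passes through unchanged, so a request for an unpublished host or an already-prefixed path is neither rewritten nor blocked here; http_access and the dstdomain ACL remain the place to deny it.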
Michael Pelletier | 22 Jun 17:48 2015

How can I change the location of the kerberos cache file?

Hello,

Squid is keeping the kerberos cache file in /var/tmp. How can I change the location?

# ls -al /var/tmp/
total 864
drwxrwxrwt.  3 root  root   36864 Jun 22 11:43 .
drwxr-xr-x. 22 root  root    4096 May  9 23:55 ..
-rw-r--r--   1 root  root       0 Jun 21 20:09 .fsrlast_xfs
drwx------.  2 root  root   16384 May  9 19:01 lost+found
-rw-------   1 squid squid 823779 Jun 22 11:43 SVC-137Proxy-137Kerb-137Auth_23

Thanks in advance,
Michael

Disclaimer: Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.

Graham | 21 Jun 14:24 2015

Squid to ask for, but not require, authentication.

I am looking for a way to configure Squid to ask for (and check) 
authentication using LDAP, but to proceed if there is no auth 
information provided.

I have been using DansGuardian for a while with Squid authenticating and 
then getting DansGuardian to filter based on the username that Squid has 
authenticated. The browsers talk directly to DansGuardian, which talks 
to Squid, which does the work over the 'net.

I am now trying to add an android device - which has some apps that 
don't ask the user for a login/password (although they do talk to the 
proxy) and therefore they fail to connect with a 407 error. I have 
modified DansGuardian to allow just this one IP to work without 
authentication, but Squid requires the auth and denies the requests. If 
I make Squid more permissive (remove the auth config) then DansGuardian 
works with that IP address, but will then block all other IP addresses 
as Squid hasn't authenticated anyone. Note that I can't do IP 
authentication from Squid because all requests come from the 
DansGuardian IP (which happens to be localhost) and it can't tell which 
ones to authenticate and which to allow.

Basically what I think I want is for DansGuardian to make the decisions 
on whether to allow the connection, and Squid to perform the check of 
the authentication via LDAP and to allow the connection if the auth is 
OK, or is not present... and to deny the connection if the auth is 
present but incorrect.

Is this possible?

Or am I going about this in the wrong way?

Thanks

GC
mohammad | 21 Jun 10:18 2015

tos miss-mask not working at all squid 3.5.5

Hello,

A couple of Squid servers in a parent/child peer relationship; both are on
CentOS 6.

The parent is doing URL rewrites; the parent hits and actually serves traffic from
its local cache, while the child sees it as a miss on both ICP and HTCP, and as such
qos_flows tos parent-hit=0xXX doesn't work.

I've used the parent tos local cache command and it works; I can actually
see the TOS tag being delivered from parent to child via tcpdump.

The problem is, for the child, if I set the qos_flows miss command for the
parent, the child Squid will actually tag all hit and miss traffic of the parent
with the specified TOS.

But if I use the miss-mask=0xXX command, the TOS is always out with 0x00 for the
parent; so basically, the child Squid (3.5.5) is not passing the traffic with
the TOS being sent from the parent.

According to the documentation, TOS preserve is supposed to be the default, provided
that you also apply the ZPH patch on Linux as per the specified link on the doc
page of qos_flows.

I've tried everything, nothing worked; please help.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/tos-miss-mask-not-working-at-all-squid-3-5-5-tp4671815.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Jason Haar | 21 Jun 00:31 2015

confused about ICAP and who's downloading what

Hi there

I'm starting to use ICAP as an AV content filter, having moved away from
using the havp antivirus proxy as a parent proxy.

Part of the problem with havp was that it stopped being developed years
ago and HTTP trickery had moved on in ways that basically it
couldn't support - but squid - being the wonderful piece of loved
software it is - was keeping up with the times :-)

Anyway, now that I'm trialing ICAP, I'm concerned about the same issue.
When a web page is requested by a client, what component does what? Does
squid do the download, pass the content to ICAP, or does it (like with
parent proxies), just tell the ICAP software to do the download itself?
You can see where I'm going, the latter would mean "odd" HTTP
applications which might work fine through squid might fail if the ICAP
software does things differently

(btw: "odd" can mean many things: even how dns lookups occur, ipv6
support,etc)

Thanks

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

