Re: [squid-users] non-transparent squid and port 8080 traffic

From: Asim Ahmed _at_ Folio3 <_at_>
Date: Fri, 11 Dec 2009 16:33:23 +0500

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl folio3Network src 192.168.4.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl super_users src "/etc/squid/f3_acls/super_users.acl"
acl gerrys_users src "/etc/squid/f3_acls/gerrys_groups.acl"
acl netsat_users src "/etc/squid/f3_acls/netsat_groups.acl"
acl managers src "/etc/squid/f3_acls/managers.acl"
acl facebook dstdomain "/etc/squid/f3_acls/facebook.acl"
acl facebook_users src "/etc/squid/f3_acls/facebook_users.acl"
acl blocked_sites dstdomain "/etc/squid/f3_acls/blocked_sites.acl"
acl blocked_request_mt req_mime_type -i
"/etc/squid/f3_acls/blocked_mimetypes.acl"
acl blocked_reply_mt rep_mime_type -i
"/etc/squid/f3_acls/blocked_mimetypes.acl"
acl blocked_keywords url_regex -i "/etc/squid/f3_acls/blocked_keywords.acl"
acl gaming_sites dstdomain "/etc/squid/f3_acls/gaming_sites.acl"
acl server_machines src "/etc/squid/f3_acls/server_machines.acl"
acl working_hours time MTWHF 09:00-13:00
acl working_hours time MTWHF 14:00-18:30
acl gaming_hours time MTWHF 21:00-23:59
acl gaming_hours time MTWHF 01:00-07:00
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow super_users
http_access allow facebook_users facebook
http_access deny working_hours blocked_sites
http_access deny working_hours blocked_request_mt
http_access deny working_hours blocked_keywords
http_access deny !gaming_hours gaming_sites
http_access allow managers
http_access allow gerrys_users
http_access allow netsat_users
http_access allow server_machines
http_access allow localhost
http_access deny all
http_reply_access allow super_users
http_reply_access deny working_hours blocked_reply_mt
icp_access allow folio3Network
icp_access deny all
htcp_access allow folio3Network
htcp_access deny all
http_port 4044
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/spool/squid 10240 16 256
access_log /var/log/squid/access.log squid
cache_store_log none
logfile_rotate 10
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
negative_ttl 0 seconds
visible_hostname LIANA
icp_port 3130
coredump_dir /var/spool/squid

Chris Robertson wrote:
> Asim Ahmed @ Folio3 wrote:
>> hi all,
>>
>> I am using squid 3.0Stable20-1 along with Shorewall 4.4.4-1 on a
>> RHEL5 box. I had a few problems running squid in transparent mode so
>> now I am running it in non-transparent mode.
>
> Please use the term "interception" instead of "transparent".
>
>> Every thing like browsing / IM tools working fine. A major problem
>> that I am facing is that quite a few users in my staff uses TFS (Team
>> Foundation Server - A code repository running on port 8080) remotely.
>> After installing squid they are hving great difficulty connecting to
>> that server. I am REDIRECTING port 80 traffic from shorewall to squid
>> on the same box.
>
> Which indicates you are still INTERCEPTING traffic. /_*not any more,
> I've setup client browsers with IPs & ports*_/
>
>> I tried same approach and REDIRECTED port 8080 traffic to squid as
>> well and made an ACL in squid.conf to allow that particular traffic
>> to that particular server address over port 8080.
>
> Why wouldn't it be allowed? Port 8080 is included in "Safe_ports".
> Assuming you are allowing access to your cache based on source IP, you
> shouldn't need a special rule allowing traffic to a particular
> server's port 8080. But why is failing the requests by 401 error.
> /_*The remote server reuqests username/password even then request fails*_/
>
>> When I see squid access log, traffic shows up there but with HTTP 401
>> code that means not-authorized request. On TFS screen users also get
>> "you are not authorized to connect to this server" error. This does
>> not make any sense because without squid they jsut connect in first
>> attempt.
>
> Please share your squid.conf (minus comments and blank lines).
> Otherwise have a look at
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
>
>
>>
>> Even I tried adding a rule in shorewall to process 8080 traffic
>> before I redirect traffic to squid, but that makes things unreliable
>> in the sense that some times it work, and at times it does not!
>> Can any one help suggesting any measures to get over with this?
>>
>> Is this squid's normal behaviour to stop shorewall from normal
>> working when installed?
>
> No.
>
>> Does squid takes over control of system ports in use by shorewall?
>
> Only if you configure it to.
>
>
> Chris
>
>

-- 
Regards,
Asim Ahmed Khan
IT Manager,
Folio3 (Pvt.) Ltd. www.folio3.com
Direct: 92-21-4323721-4 Ext 110
Email: aahmed_at_folio3.com
Received on Fri Dec 11 2009 - 11:33:36 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 15 2009 - 12:00:02 MST