HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.
Posted: 28 May 2006 00:59
I've made a dozen squid.conf files and I cannot tell if this is working. I have used the config in the Ideas section like:

Squid is working fine as a transparent proxy.. just have the iptables redirect and accelerator lines in the squid.conf... (havp and squid on 10.1.0.10/32)

http_port 3128
icp_port 0
# scanning through HAVP
cache_peer localhost parent 8080 0 no-query no-digest no-netdb-exchange default

(...) etc... used acls modified to work on my network ok. But I never get TCP_HIT only log files in squid/access.log like:

1148765054.337 270 10.1.0.253 TCP_MISS/200 3174 GET http://sourceforge.net/sflogo.php?group_id=132123&type=2 - DEFAULT_PARENT/127.0.0.1 image/png
1148765054.417 532 10.1.0.253 TCP_MISS/200 17501 GET http://www.server-side.de/grafik/squid.jpg - DIRECT/212.227.109.197 image/jpeg
1148765054.421 0 10.1.0.253 TCP_IMS_HIT/304 209 GET http://www.server-side.de/grafik/bemberg.jpg - NONE/- image/jpeg

Just misses?

I have also tried many times the other squid/havp/sandwich config in the forum's docs section but cannot get it to work without enabling "http_access allow localhost " after the SQUID1 SQUID2 setup and acls like:

visible_hostname the.host.name
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128
icp_port 0

# havp config is PARENTPROXY localhost PARENTPORT 8081
http_port 127.0.0.1:8081

# Define acl for HAVP port
acl HAVP_PORT myport 127.0.0.1:8081
acl all src 0.0.0.0/0.0.0.0

# HAVP on localhost port 8090
cache_peer 127.0.0.1 parent 8090 0 no-query no-digest no-netdb-exchange default

# Needed if we want to go directly to SQUID2 without HAVP
# We can't use same peer name twice, so lets use 127.0.0.2..
cache_peer 127.0.0.2 parent 8081 0 no-query no-digest no-netdb-exchange

# We only want to cache requests to SQUID2, not port 3128

no_cache deny !HAVP_PORT

# Always use SQUID2 or HAVP
prefer_direct off
never_direct allow all
# HTTPS traffic scanning not needed
acl Proto_HTTPS proto HTTPS
cache_peer_access 127.0.0.1 allow !Proto_HTTPS
cache_peer_access 127.0.0.1 deny all
cache_peer_access 127.0.0.2 allow all

Still, I get no TCP_HITS in my squid logs. I am very confused with trying to get a squid sandwich to work. I do not see how the first example works at all with just havp as the parent proxy... :-( Sorry for this long message.

havp always works great though! What a great software!

Kiira
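
Added example (not part of the posts in this thread): in the access.log excerpt above, the last field pair before the content type records where Squid fetched each object, which shows whether a request passed through the HAVP parent at all. The sample lines are constructed, and the path labels and the assumption that HAVP is logged as peer 127.0.0.1 or localhost are this example's own.

```python
import re
from collections import Counter

# Squid native access.log fields:
# time elapsed client result/status bytes method URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/\d{3}\s+\d+\s+"
    r"\S+\s+(?P<url>\S+)\s+\S+\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+\S+$"
)

# Constructed sample lines (192.0.2.x are documentation addresses).
SAMPLE = """\
1148765054.337 270 10.1.0.253 TCP_MISS/200 3174 GET http://a.example/logo.png - DEFAULT_PARENT/127.0.0.1 image/png
1148765054.417 532 10.1.0.253 TCP_MISS/200 17501 GET http://b.example/squid.jpg - DIRECT/192.0.2.10 image/jpeg
1148765054.421 0 10.1.0.253 TCP_IMS_HIT/304 209 GET http://b.example/old.jpg - NONE/- image/jpeg
1148765054.500 120 127.0.0.1 TCP_MISS/200 3174 GET http://a.example/logo.png - DIRECT/192.0.2.20 image/png
"""

def classify(line, scanner=("127.0.0.1", "localhost")):
    """Return (path, result, url) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    hier = m["hier"]
    if hier.endswith("NONE"):        # answered by Squid itself (cache hit, 304, error)
        path = "local"
    elif m["client"] in scanner:     # HAVP's own fetch through SQUID2 in a sandwich
        path = "havp-upstream"
    elif hier.endswith("DIRECT"):    # client request sent straight to the origin
        path = "bypassed"
    elif m["peer"] in scanner:       # client request forwarded to the HAVP cache_peer
        path = "scanned"
    else:                            # another peer, such as a 127.0.0.2 alias
        path = "other-peer"
    return path, m["result"], m["url"]

def summarize(log_text):
    """Count requests per path and list client URLs that never went to HAVP."""
    counts, bypassed = Counter(), []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        counts[parsed[0]] += 1
        if parsed[0] == "bypassed":
            bypassed.append(parsed[2])
    return dict(counts), bypassed
```

A TCP_MISS through the parent is what a first fetch through HAVP looks like; a client line with DIRECT is the one to investigate, because that object reached the browser unscanned.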


Post subject: Squid sandwich
Posted: 29 May 2006 12:04
Hi.
Below is the squid sandwich config I am using. It has been working for a while now with around 50 users, maybe it can help you. I think you have to put a line like:
"http_access allow localhost Safe_ports" at the end of the sandwich config so that HAVP requests to SQUID2 are allowed to go on the internet.

regards
jb
_____________________________________________________________________

# ***************** SANDWICH CONFIG ********************
# USERS --> SQUID 1(port 8080) --> HAVP(port 8081) --> SQUID 2(port 8090) --> INTERNET

# SQUID 1
http_port 8080

# SQUID 2
http_port 127.0.0.1:8090

# ACL for the port where havp requests are coming
acl HAVP_PORT myport 8090

# We only cache requests for SQUID2
no_cache deny !HAVP_PORT

# HAVP running on port 8081
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default

# Needed if we want to go directly to SQUID2 without HAVP
# We can't use same peer name twice, so lets use 127.0.0.2..
cache_peer 127.0.0.2 parent 8090 0 no-query no-digest no-netdb-exchange

always_direct allow SSL_ports

cache_peer_access 127.0.0.2 allow localhost
cache_peer_access localhost allow !SSL_ports
cache_peer_access localhost deny everyone

never_direct allow !SSL_ports
always_direct allow HAVP_PORT
always_direct deny everyone

# Allow Squid 2 to go out on the internet
http_access allow localhost Safe_ports

#Below, put your normal acl rules


Posted: 29 May 2006 17:49
EDITED: I pasted in the wrong squid.conf the first time

Hi jbm,

thanks for the help!

I still have the same problem though. I have debug_level 28,3 which gives me failures for my own src address, like the packets are not accepted by localhost? If they get seen by squid they have entered INPUT chain and should be 127.0.0.1, not 10.1.0.254

I thought perhaps it was my iptables, masquerade or my redirects from port 80 to 3128... but the same things happen always, even when I point the browser's proxy address/port straight to the squid/havp gateway.

aaiiii, ??????? I have worked on this for 40 hours. :-(

my squid does not match anything for localhost just my src ip 10.1.0.253


/*-------------------------*/
2006/05/29 09:52:47| aclMatchAclList: checking all
2006/05/29 09:52:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' found
2006/05/29 09:52:47| aclMatchAclList: returning 1
2006/05/29 09:52:47| aclCheck: checking 'http_access allow localhost Safe_ports '
2006/05/29 09:52:47| aclMatchAclList: checking localhost
2006/05/29 09:52:47| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' NOT found
2006/05/29 09:52:47| aclMatchAclList: no match, returning 0
2006/05/29 09:52:47| aclCheck: checking 'http_access deny all'
2006/05/29 09:52:47| aclMatchAclList: checking all
2006/05/29 09:52:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' found
2006/05/29 09:52:47| aclMatchAclList: returning 1
2006/05/29 09:52:47| aclCheck: match found, returning 0
2006/05/29 09:52:47| aclCheckCallback: answer=0

/*--------------------------------*/ and I use these havp.conf lines

PARENTPROXY 127.0.0.1
PARENTPORT 8090

PORT 8081
/*--------------------------------*/ and I use this for squid.conf

# SQUID 1
http_port 3128

# SQUID 2
# havp.config has PARENTPROXY 127.0.0.1, PARENTPORT 8090
http_port 127.0.0.1:8090

# ACL for the port where havp requests are coming
acl HAVP_PORT myport 127.0.0.1:8090

# We only cache requests for SQUID2
no_cache deny !HAVP_PORT

# HAVP running on port 8081
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default

# ------------------------------------
# Needed if we want to go directly to SQUID2 without HAVP
# We can't use same peer name twice, so lets use 127.0.0.2..

cache_peer 127.0.0.2 parent 8090 0 no-query no-digest no-netdb-exchange

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unprivileged ports
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?

always_direct allow SSL_ports

cache_peer_access 127.0.0.2 allow localhost
cache_peer_access localhost allow !SSL_ports
cache_peer_access localhost deny all

never_direct allow !SSL_ports
always_direct allow HAVP_PORT
always_direct deny all

# Allow Squid 2 to go out on the internet
http_access allow localhost Safe_ports

http_access deny all
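
Added example (not part of the original post): Squid matches http_access rules in order against the connecting client's source address, and the debug trace above records each step. The sketch below replays trace lines copied from the post and reports which rule decided the request; the function name and the returned field names are this example's own.

```python
import re

# Trace lines copied from the post above (Squid debug section 28).
TRACE = """\
2006/05/29 09:52:47| aclCheck: checking 'http_access allow localhost Safe_ports '
2006/05/29 09:52:47| aclMatchAclList: checking localhost
2006/05/29 09:52:47| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' NOT found
2006/05/29 09:52:47| aclMatchAclList: no match, returning 0
2006/05/29 09:52:47| aclCheck: checking 'http_access deny all'
2006/05/29 09:52:47| aclMatchAclList: checking all
2006/05/29 09:52:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' found
2006/05/29 09:52:47| aclMatchAclList: returning 1
2006/05/29 09:52:47| aclCheck: match found, returning 0
2006/05/29 09:52:47| aclCheckCallback: answer=0
"""

RULE = re.compile(r"aclCheck: checking '(.*?)\s*'")        # one http_access line
IP = re.compile(r"aclMatchIp: '([^']+)' (?:NOT found|found)")
ANSWER = re.compile(r"aclCheckCallback: answer=(\d)")      # 1 = allowed, 0 = denied

def decisions(trace):
    """Return one dict per completed access check found in the trace."""
    out, rule, skipped, clients = [], None, [], set()
    for line in trace.splitlines():
        if m := RULE.search(line):
            if rule is not None:
                skipped.append(rule)   # the previous rule did not match
            rule = m.group(1)
        elif m := IP.search(line):
            clients.add(m.group(1))    # source address Squid tested
        elif m := ANSWER.search(line):
            out.append({"clients": sorted(clients), "rule": rule,
                        "skipped": skipped, "allowed": m.group(1) == "1"})
            rule, skipped, clients = None, [], set()
    return out
```

For this trace the result names `http_access deny all` as the deciding rule for client 10.1.0.253, after `http_access allow localhost Safe_ports` was skipped because the source address is not 127.0.0.1.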

