HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
Squid sandwich - is this working ok? http://havp.hege.li/forum/viewtopic.php?f=3&t=101 |
Author: | kiira [ 28 May 2006 00:59 ] |
Post subject: | Squid sandwich - is this working ok? |
I've made a dozen squid.conf and I cannot tell if this is working. I have used the config in the Ideas section like:

Squid is working fine as a transparent proxy.. just have the iptables redirect and accelerator lines in the squid.conf...

(havp and squid on 10.1.0.10/32)

    http_port 3128
    icp_port 0
    # scanning through HAVP
    cache_peer localhost parent 8080 0 no-query no-digest no-netdb-exchange default
    (...)

etc... used acls modified to work on my network ok.

But I never get TCP_HIT, only log files in squid/access.log like:

    1148765054.337 270 10.1.0.253 TCP_MISS/200 3174 GET \http://sourceforge.net/sflogo.php?group_id=132123&type=2 -
    1148765054.417 532 10.1.0.253 TCP_MISS/200 17501 GET http://www.server-side.de/grafik/squid.jpg - DIRECT/212.227.109.197 image/jpeg
    1148765054.421 0 10.1.0.253 TCP_IMS_HIT/304 209 GET http://www.server-side.de/grafik/bemberg.jpg - NONE/- image/jpeg
    DEFAULT_PARENT/127.0.0.1 image/png

Just misses?

I have also tried many times the other squid/havp/sandwich config in the forum's docs section but cannot get it to work without enabling "http_access allow localhost " after the SQUID1 SQUID2 setup and acls like:

    visible_hostname the.host.name
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    http_port 3128
    icp_port 0
    # havp config is PARENTPROXY localhost PARENTPORT 8081
    http_port 127.0.0.1:8081
    # Define acl for HAVP port
    acl HAVP_PORT myport 127.0.0.1:8081
    acl all src 0.0.0.0/0.0.0.0
    # HAVP on localhost port 8090
    cache_peer 127.0.0.1 parent 8090 0 no-query no-digest no-netdb-exchange default
    # Needed if we want to go directly to SQUID2 without HAVP
    # We can't use same peer name twice, so lets use 127.0.0.2..
    cache_peer 127.0.0.2 parent 8081 0 no-query no-digest no-netdb-exchange
    # We only want to cache requests to SQUID2, not port 3128
    no_cache deny !HAVP_PORT
    # Always use SQUID2 or HAVP
    prefer_direct off
    never_direct allow all
    # HTTPS traffic scanning not needed
    acl Proto_HTTPS proto HTTPS
    cache_peer_access 127.0.0.1 allow !Proto_HTTPS
    cache_peer_access 127.0.0.1 deny all
    cache_peer_access 127.0.0.2 allow all

Still, I get no TCP_HITS in my squid logs. I am very confused with trying to get a squid sandwich to work. I do not see how the first example works at all with just havp as the parent proxy...

Sorry for this long message. havp always works great though! What a great software!

Kiira
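An added example, not part of the original post: one way to read a Squid native-format access.log for the two things asked about here, how many requests were cache hits (TCP_IMS_HIT counts as one) and which client requests were fetched DIRECT rather than through the HAVP parent and so were not scanned. The log lines, example.test URLs and 192.0.2.10 address are constructed; requests from 127.0.0.1 and CONNECT requests are skipped on the assumption that they are the HAVP-to-Squid leg and the HTTPS traffic the posted configs send direct on purpose.

```python
from collections import Counter

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1148765054.337 270 10.1.0.253 TCP_MISS/200 3174 GET http://example.test/logo.png - DEFAULT_PARENT/127.0.0.1 image/png
1148765054.417 532 10.1.0.253 TCP_MISS/200 17501 GET http://example.test/squid.jpg - DIRECT/192.0.2.10 image/jpeg
1148765054.421 0 10.1.0.253 TCP_IMS_HIT/304 209 GET http://example.test/b.jpg - NONE/- image/jpeg
1148765054.500 310 127.0.0.1 TCP_MISS/200 3174 GET http://example.test/logo.png - DIRECT/192.0.2.10 image/png
1148765054.900 95 10.1.0.253 TCP_MISS/200 4410 CONNECT example.test:443 - DIRECT/192.0.2.10 -
"""


def parse_line(line):
    """Split one native-format line into the fields this audit needs."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or non-native line
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6], "hier": hier, "peer": peer}


def audit(log_text):
    """Count result codes and list client requests fetched without the parent."""
    results, unscanned = Counter(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        results[e["result"]] += 1
        from_loopback = e["client"].startswith("127.")  # HAVP -> Squid leg
        if (e["hier"].endswith("DIRECT") and not from_loopback
                and e["method"] != "CONNECT"):
            unscanned.append(e["url"])
    hits = sum(n for code, n in results.items() if "HIT" in code)
    return {"results": dict(results), "hits": hits, "unscanned": unscanned}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```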
Author: | jbm [ 29 May 2006 12:04 ] |
Post subject: | Squid sandwich |
Hi.

Below is the squid sandwich config I am using. It has been working for a while now with around 50 users, maybe it can help you.

I think you have to put a line like: "http_access allow localhost Safe_ports" at the end of the sandwich config so that HAVP requests to SQUID2 are allowed to go on the internet.

regards
jb
_____________________________________________________________________

    # ***************** SANDWICH CONFIG ********************
    # USERS --> SQUID 1(port 8080) --> HAVP(port 8081) --> SQUID 2(port 8090) --> INTERNET
    # SQUID 1
    http_port 8080
    # SQUID 2
    http_port 127.0.0.1:8090
    # ACL for the port where havp requests are coming
    acl HAVP_PORT myport 8090
    # We only cache requests for SQUID2
    no_cache deny !HAVP_PORT
    # HAVP running on port 8081
    cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default
    # Needed if we want to go directly to SQUID2 without HAVP
    # We can't use same peer name twice, so lets use 127.0.0.2..
    cache_peer 127.0.0.2 parent 8090 0 no-query no-digest no-netdb-exchange
    always_direct allow SSL_ports
    cache_peer_access 127.0.0.2 allow localhost
    cache_peer_access localhost allow !SSL_ports
    cache_peer_access localhost deny everyone
    never_direct allow !SSL_ports
    always_direct allow HAVP_PORT
    always_direct deny everyone
    # Allow Squid 2 to go out on the internet
    http_access allow localhost Safe_ports
    # Below, put your normal acl rules
Author: | kiira [ 29 May 2006 17:49 ] |
Post subject: | |
EDITED: I pasted in the wrong squid.conf the first time

Hi jbm, thanks for the help! I still have the same problem though.

I have debug_level 28,3 which gives me failures for my own src address, like the packets are not accepted by localhost? If they get seen by squid they have entered INPUT chain and should be 127.0.0.1, not 10.1.0.254.

I thought perhaps it was my iptables, masquerade or my redirects from port 80 to 3128... but the same things happen always, even when I point the browser's proxy address/port straight to squid/havp gateway.

aaiiii, ??????? I have worked on this for 40 hours.

My squid does not match anything for localhost, just my src ip 10.1.0.253

/*-------------------------*/

    2006/05/29 09:52:47| aclMatchAclList: checking all
    2006/05/29 09:52:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' found
    2006/05/29 09:52:47| aclMatchAclList: returning 1
    2006/05/29 09:52:47| aclCheck: checking 'http_access allow localhost Safe_ports '
    2006/05/29 09:52:47| aclMatchAclList: checking localhost
    2006/05/29 09:52:47| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
    2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' NOT found
    2006/05/29 09:52:47| aclMatchAclList: no match, returning 0
    2006/05/29 09:52:47| aclCheck: checking 'http_access deny all'
    2006/05/29 09:52:47| aclMatchAclList: checking all
    2006/05/29 09:52:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2006/05/29 09:52:47| aclMatchIp: '10.1.0.253' found
    2006/05/29 09:52:47| aclMatchAclList: returning 1
    2006/05/29 09:52:47| aclCheck: match found, returning 0
    2006/05/29 09:52:47| aclCheckCallback: answer=0

/*--------------------------------*/

and I use these havp.conf lines

    PARENTPROXY 127.0.0.1
    PARENTPORT 8090
    PORT 8081

/*--------------------------------*/

and I use this for squid.conf

    # SQUID 1
    http_port 3128
    # SQUID 2
    # havp.config has PARENTHOST 127.0.0.1, PARENTPORT 8090
    http_port 127.0.0.1:8090
    # ACL for the port where havp requests are coming
    acl HAVP_PORT myport 127.0.0.1:8090
    # We only cache requests for SQUID2
    no_cache deny !HAVP_PORT
    # HAVP running on port 8081
    cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default
    # ------------------------------------
    # Needed if we want to go directly to SQUID2 without HAVP
    # We can't use same peer name twice, so lets use 127.0.0.2..
    cache_peer 127.0.0.2 parent 8090 0 no-query no-digest no-netdb-exchange
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 1025-65535 # unprivileged ports
    acl CONNECT method CONNECT
    acl QUERY urlpath_regex cgi-bin \?
    always_direct allow SSL_ports
    cache_peer_access 127.0.0.2 allow localhost
    cache_peer_access localhost allow !SSL_ports
    cache_peer_access localhost deny all
    never_direct allow !SSL_ports
    always_direct allow HAVP_PORT
    always_direct deny all
    # Allow Squid 2 to go out on the internet
    http_access allow localhost Safe_ports
    http_access deny all
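An added example, not part of the original posts: a small model of how Squid walks the http_access list, top down with the first rule whose ACLs all match deciding the request, which reproduces the debug trace above for client 10.1.0.253. Only the src and port ACL types are modelled; the `localnet` ACL, its 10.1.0.0/24 prefix and the extra allow rule are hypothetical and shown only to make the effect of rule order and scope visible.

```python
import ipaddress

# ACLs and http_access rules as posted (only src and port ACL types modelled).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (1025, 65535)]),
}
RULES = [("allow", ["localhost", "Safe_ports"]), ("deny", ["all"])]

# Hypothetical variant (assumption, not from the thread): a LAN-scoped allow
# rule placed before the final deny, instead of opening access to "all".
LAN_ACLS = dict(ACLS, localnet=("src", ["10.1.0.0/24"]))
LAN_RULES = [RULES[0], ("allow", ["localnet", "Safe_ports"]), RULES[1]]


def acl_matches(name, client_ip, dst_port, acls):
    """True if the named ACL (optionally negated with '!') matches."""
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    if kind == "src":
        addr = ipaddress.ip_address(client_ip)
        hit = any(addr in ipaddress.ip_network(v) for v in values)
    else:  # "port": destination port of the requested URL
        hit = any(lo <= dst_port <= hi for lo, hi in values)
    return hit != negate


def http_access(client_ip, dst_port, rules=RULES, acls=ACLS):
    """Return (verdict, index of deciding rule); ACLs on one line are ANDed."""
    for index, (action, names) in enumerate(rules):
        if all(acl_matches(n, client_ip, dst_port, acls) for n in names):
            return action, index
    # No rule matched: Squid applies the opposite of the last rule.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    print(http_access("10.1.0.253", 80))                       # as in the trace
    print(http_access("10.1.0.253", 80, LAN_RULES, LAN_ACLS))  # with LAN rule
```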
All times are UTC + 2 hours [ DST ]