HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.
All times are UTC + 2 hours [ DST ]
PostPosted: 31 Oct 2006 20:05 

Joined: 31 Oct 2006 19:52
Posts: 6
Hi,

After some days, squid seems to work with havp. Here is my squid 3.0pre4 config:
Code:
#                      ole home network              |       www
#                           parent        parent     |    isp parent
#            +-------+     +------+     +--------+   |    +--------+
# Client <-> | squid | <-> | HAVP | <-> | squid  |  <->   |        | <-> www
#            |       |     |      |     |        |   |    |        |
#           8080     |    6666    |    3128      |   |   8080      |
#            |       |     |      |     |        |   |    |        |
#            +-------+     +------+     +--------+   |    +--------+
#                                                    |
#

http_port 127.0.0.1:8080
http_port 127.0.0.1:3128
acl from_client myport 8080
acl from_havp   myport 3128
cache_peer 127.0.0.1            parent  6666    0       no-query no-digest no-netdb-exchange default
cache_peer proxy.mdcc-fun.de    parent  8080    0       default
icp_port  0
htcp_port 0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ope_network src 192.168.1.0/24
acl SSL_ports  port 443 563     # https, snews
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow from_havp localhost
http_access deny from_havp all
http_access allow localhost
http_access allow ope_network
http_access deny all
http_reply_access allow all
icp_access allow all
always_direct allow from_havp
never_direct allow all
cache_dir aufs /var/cache/squid3 812 16 256
maximum_object_size 32768 KB
coredump_dir            /var/spool/squid3
shutdown_lifetime       5 seconds
half_closed_clients     off
pipeline_prefetch       on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all


The goal is to allow access from localhost/private network. This seems to work, but unfortunately not for SSL connections and FTP. With SSL no connections are possible (HAVP error: Invalid request); with FTP I got the error "Invalid request from browser".

What's wrong with this setup? Maybe some more hints?

Thanks
Olaf


PostPosted: 31 Oct 2006 21:51 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
No use sending SSL to HAVP, so you should bypass it:

cache_peer_access 127.0.0.1 deny CONNECT

FTP:// should work fine, anything specific in havp.log? Just to be sure, you are using browser for ftp right? :)

Cheers,
Henrik


PostPosted: 31 Oct 2006 23:06 

Joined: 31 Oct 2006 19:52
Posts: 6
hege wrote:
FTP:// should work fine, anything specific in havp.log? Just to be sure, you are using browser for ftp right? :)


Yep, using firefox for ftp browsing too :D

Here my havp config:

Code:
USER havp
GROUP havp
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 16
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
LOG_OKS true
LOGLEVEL 1
SCANTEMPFILE /var/spool/havp/havp-XXXXXX
TEMPDIR /tmp
DBRELOAD 60
PARENTPROXY 127.0.0.1
PARENTPORT 3128
PORT 6666
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/de
WHITELISTFIRST true
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
FAILSCANERROR true
SCANIMAGES true
MAXSCANSIZE 1000000
STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav
CLAMBLOCKENCRYPTED false
CLAMBLOCKMAX false
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false


/var/spool/havp is not yet on a ram disk, only a loop-mounted disk image (due to mand mount options; this solves e.g. owner problems too).

I limited the MAXSCANSIZE to 1M (1000000), now the problem is:

/var/log/havp/access.log:
Code:
31/10/2006 21:08:49 127.0.0.1 GET 200 ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz 296+78402 OK
31/10/2006 21:09:16 127.0.0.1 GET 200 ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz 296+78402 OK


/var/log/squid3/access.log
Code:
1162325328.382   6117 127.0.0.1 TCP_MISS/200 78700 GET ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz - DIRECT/128.101.240.212 application/x-tar
1162325354.966  11987 127.0.0.1 TCP_MISS/200 78700 GET ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz - DIRECT/128.101.240.212 application/x-tar


The 2nd try did work, the 1st got: proxy server denied connection.

Thanks,
Olaf


Last edited by olaf on 31 Oct 2006 23:18, edited 2 times in total.

PostPosted: 31 Oct 2006 23:11 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
I haven't tested Squid 3 with HAVP, it could be sending some strange FTP request.. I'll test soon.

Cheers,
Henrik


PostPosted: 01 Nov 2006 21:42 

Joined: 31 Oct 2006 19:52
Posts: 6
hege wrote:
No use sending SSL to HAVP, so you should bypass it:
cache_peer_access 127.0.0.1 deny CONNECT


got

Code:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: www.ccc.de:443

The following error was encountered:

    * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

    * The cache administrator does not allow this cache to make direct connections to origin servers, and
    * All configured parent caches are currently unreachable.

Your cache administrator is webmaster.


using squid.conf:

Code:
http_port 127.0.0.1:8080
http_port 127.0.0.1:3128
acl from_client myport 8080
acl from_havp   myport 3128
cache_peer 127.0.0.1            parent  6666    0       no-query no-digest no-netdb-exchange default
cache_peer proxy.mdcc-fun.de    parent  8080    0       default
icp_port  0
htcp_port 0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ope_network src 192.168.1.0/24
acl SSL_ports  port 443 563     # https, snews
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
cache_peer_access 127.0.0.1 deny CONNECT
http_access allow from_havp localhost
http_access deny from_havp all
http_access allow localhost
http_access allow ope_network
http_access deny all
http_reply_access allow all
icp_access allow all
always_direct allow from_havp
never_direct allow all
cache_dir aufs /var/cache/squid3 812 16 256
maximum_object_size 32768 KB
coredump_dir            /var/spool/squid3
shutdown_lifetime       5 seconds
half_closed_clients     off
pipeline_prefetch       on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all


Did I misunderstand you?

Thanks
Olaf


PostPosted: 01 Nov 2006 21:56 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Actually you should remove always_direct allow from_havp. It disables the ISP parent proxy, because it forces everything direct.

Just these will do the work:

# No SSL to havp
cache_peer_access 127.0.0.1 deny CONNECT
# Connections from HAVP go to isp parent proxy (it's next in the list)
cache_peer_access 127.0.0.1 deny from_havp
cache_peer_access 127.0.0.1 allow all
# Everything here
cache_peer_access proxy.mdcc-fun.de allow all

Optional:

# You can force everything to parent proxy if you want
# Normally, if it's unreachable squid will revert to direct connection
never_direct allow all

# Perhaps it's not necessary to send SSL to parent proxy
always_direct allow CONNECT

In this case you could also just use proxy.mdcc-fun.de directly in HAVP as parent proxy..

Cheers,
Henrik


 Post subject: connect prob
PostPosted: 01 Jan 2007 22:27 

Joined: 01 Jan 2007 21:39
Posts: 5
hi,
I think first line
http_port 127.0.0.1:8080
will not work for me
I use only
http_port 8080.

What do you think?
(squid 2.5.5)
btw: how to bypass ftp from the first instance of squid?

CU
Peter


 Post subject: Re: connect prob
PostPosted: 01 Jan 2007 22:39 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
pegr wrote:
hi,
I think first line
http_port 127.0.0.1:8080
will not work for me
I use only
http_port 8080.


That's fine.

Quote:
What do you think?
(squid 2.5.5)
btw: how to bypass ftp from the first instance of squid?


acl FTP proto FTP
cache_peer_access 127.0.0.1 deny FTP

Cheers,
Henrik
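Henrik's routing advice above (drop always_direct allow from_havp, send HAVP's own requests on to the ISP parent, keep CONNECT away from HAVP) and his FTP bypass ACL, modelled as an added example that is not Squid's or HAVP's code. The evaluation rules it assumes (first fully matching line wins, no match gives the opposite of the last line, always_direct is checked before never_direct, peers are candidates in configuration order) are stated in the comments; the peer names and request fields are constructed for the example.

```python
# Simplified model of Squid route selection (added example, not Squid code).
# Assumed: an access list is read top-down, first fully matching line wins,
# no match gives the opposite of the last line; always_direct is checked
# before never_direct; peers are candidates in configuration order.
PEER_HAVP = "127.0.0.1:6666"          # HAVP, parent on port 6666
PEER_ISP = "proxy.mdcc-fun.de:8080"   # ISP parent proxy
# The thread's ACLs as predicates on a request dict.
ACLS = {
    "all": lambda r: True,
    "from_havp": lambda r: r["myport"] == 3128,   # came back in from HAVP
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "FTP": lambda r: r["proto"] == "ftp",
}

def req(myport, method, proto):
    """A request as the first Squid sees it: inbound port, method, scheme."""
    return {"myport": myport, "method": method, "proto": proto}

def decide(rules, r, empty_default):
    """Evaluate one access list; rules are (action, acl, ...) tuples."""
    if not rules:
        return empty_default
    for action, *acls in rules:
        if all(ACLS[a](r) for a in acls):
            return action == "allow"
    return rules[-1][0] != "allow"   # no match: opposite of the last line

def route(cfg, r):
    """Hops Squid would try, in order: allowed peers, then DIRECT."""
    if decide(cfg.get("always_direct", []), r, False):
        return ["DIRECT"]   # always_direct wins over peers and never_direct
    hops = [p for p in cfg["peers"]
            if decide(cfg["peer_access"].get(p, []), r, True)]
    if not decide(cfg.get("never_direct", []), r, False):
        hops.append("DIRECT")
    return hops

# Olaf's lines: HAVP's own requests are forced direct, so the ISP parent
# is skipped for everything that already passed through HAVP.
OLAF = {"peers": [PEER_HAVP, PEER_ISP],
        "peer_access": {PEER_HAVP: [("deny", "CONNECT")]},
        "always_direct": [("allow", "from_havp")],
        "never_direct": [("allow", "all")]}

# Henrik's lines (including the optional ones) plus Peter's FTP bypass.
HENRIK = {"peers": [PEER_HAVP, PEER_ISP],
          "peer_access": {PEER_HAVP: [("deny", "CONNECT"), ("deny", "FTP"),
                                      ("deny", "from_havp"), ("allow", "all")],
                          PEER_ISP: [("allow", "all")]},
          "never_direct": [("allow", "all")],
          "always_direct": [("allow", "CONNECT")]}
```

Running route(OLAF, req(3128, "GET", "http")) shows why the ISP parent was never reached, while the HENRIK rules send the same request to the ISP parent only and send CONNECT and ftp:// requests around HAVP.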


PostPosted: 01 Jan 2007 22:55 

Joined: 01 Jan 2007 21:39
Posts: 5
What about an always_direct allow?
btw please see my other posting for this topic!

Thanks

Peter


PostPosted: 13 Jan 2007 03:27 

Joined: 01 Jan 2007 21:39
Posts: 5
Now the config above is working.
But now I want to use squidguard with this.
Can anybody tell me how to put squidguard in the config to filter for client names from a previously inserted auth-prog?

Thanks
Peter

