HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

Squid Sandwich and SSL/FTP
http://havp.hege.li/forum/viewtopic.php?f=3&t=179

Author:  olaf [ 31 Oct 2006 20:05 ]
Post subject:  Squid Sandwich and SSL/FTP

Hi,

After some days, squid seems to work with havp. Here is my squid 3.0pre4 config:
Code:
#                      ole home network              |       www
#                           parent        parent     |    isp parent
#            +-------+     +------+     +--------+   |    +--------+
# Client <-> | squid | <-> | HAVP | <-> | squid  |  <->   |        | <-> www
#            |       |     |      |     |        |   |    |        |
#           8080     |    6666    |    3128      |   |   8080      |
#            |       |     |      |     |        |   |    |        |
#            +-------+     +------+     +--------+   |    +--------+
#                                                    |
#

http_port 127.0.0.1:8080
http_port 127.0.0.1:3128
acl from_client myport 8080
acl from_havp   myport 3128
cache_peer 127.0.0.1            parent  6666    0       no-query no-digest no-netdb-exchange default
cache_peer proxy.mdcc-fun.de    parent  8080    0       default
icp_port  0
htcp_port 0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ope_network src 192.168.1.0/24
acl SSL_ports  port 443 563     # https, snews
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow from_havp localhost
http_access deny from_havp all
http_access allow localhost
http_access allow ope_network
http_access deny all
http_reply_access allow all
icp_access allow all
always_direct allow from_havp
never_direct allow all
cache_dir aufs /var/cache/squid3 812 16 256
maximum_object_size 32768 KB
coredump_dir            /var/spool/squid3
shutdown_lifetime       5 seconds
half_closed_clients     off
pipeline_prefetch       on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all


The goal is to allow access from localhost/private network. This seems to work, unfortunately not for ssl connections and ftp. With ssl no connections are possible (havp error: Invalid request), ftp got the error "Invalid request from browser".

What's wrong with this setup? Maybe some more hints?

Thanks
Olaf

Author:  hege [ 31 Oct 2006 21:51 ]
Post subject: 

No use sending SSL to HAVP, so you should bypass it:

cache_peer_access 127.0.0.1 deny CONNECT

FTP:// should work fine, anything specific in havp.log? Just to be sure, you are using browser for ftp right? :)

Cheers,
Henrik

Author:  olaf [ 31 Oct 2006 23:06 ]
Post subject: 

hege wrote:
FTP:// should work fine, anything specific in havp.log? Just to be sure, you are using browser for ftp right? :)


Yep, using firefox for ftp browsing too :D

Here my havp config:

Code:
USER havp
GROUP havp
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 16
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
LOG_OKS true
LOGLEVEL 1
SCANTEMPFILE /var/spool/havp/havp-XXXXXX
TEMPDIR /tmp
DBRELOAD 60
PARENTPROXY 127.0.0.1
PARENTPORT 3128
PORT 6666
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/de
WHITELISTFIRST true
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
FAILSCANERROR true
SCANIMAGES true
MAXSCANSIZE 1000000
STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav
CLAMBLOCKENCRYPTED false
CLAMBLOCKMAX false
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false


/var/spool/havp is not yet on a ram disk, only a loop mounted disk image (due to mand mount options, solves e.g. owner problems too)

I limited the MAXSCANSIZE to 1M (1000000), now the problem is:

/var/log/havp/access.log:
Code:
31/10/2006 21:08:49 127.0.0.1 GET 200 ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz 296+78402 OK
31/10/2006 21:09:16 127.0.0.1 GET 200 ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz 296+78402 OK


/var/log/squid3/access.log
Code:
1162325328.382   6117 127.0.0.1 TCP_MISS/200 78700 GET ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz - DIRECT/128.101.240.212 application/x-tar
1162325354.966  11987 127.0.0.1 TCP_MISS/200 78700 GET ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz - DIRECT/128.101.240.212 application/x-tar


The 2nd try did work, the 1st got: proxy server denied connection.

Thanks,
Olaf

Author:  hege [ 31 Oct 2006 23:11 ]
Post subject: 

I haven't tested Squid 3 with HAVP, it could be sending some strange FTP request. I'll test soon.

Cheers,
Henrik

Author:  olaf [ 01 Nov 2006 21:42 ]
Post subject: 

hege wrote:
No use sending SSL to HAVP, so you should bypass it:
cache_peer_access 127.0.0.1 deny CONNECT


I got:

Code:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: www.ccc.de:443

The following error was encountered:

    * Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:

    * The cache administrator does not allow this cache to make direct connections to origin servers, and
    * All configured parent caches are currently unreachable.

Your cache administrator is webmaster.


using squid.conf:

Code:
http_port 127.0.0.1:8080
http_port 127.0.0.1:3128
acl from_client myport 8080
acl from_havp   myport 3128
cache_peer 127.0.0.1            parent  6666    0       no-query no-digest no-netdb-exchange default
cache_peer proxy.mdcc-fun.de    parent  8080    0       default
icp_port  0
htcp_port 0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ope_network src 192.168.1.0/24
acl SSL_ports  port 443 563     # https, snews
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
cache_peer_access 127.0.0.1 deny CONNECT
http_access allow from_havp localhost
http_access deny from_havp all
http_access allow localhost
http_access allow ope_network
http_access deny all
http_reply_access allow all
icp_access allow all
always_direct allow from_havp
never_direct allow all
cache_dir aufs /var/cache/squid3 812 16 256
maximum_object_size 32768 KB
coredump_dir            /var/spool/squid3
shutdown_lifetime       5 seconds
half_closed_clients     off
pipeline_prefetch       on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all


Did I misunderstand you?

Thanks
Olaf

Author:  hege [ 01 Nov 2006 21:56 ]
Post subject: 

Actually you should remove always_direct allow from_havp. It disables the isp parent proxy, because it forces everything direct.

Just these will do the work:

# No SSL to havp
cache_peer_access 127.0.0.1 deny CONNECT
# Connections from HAVP go to isp parent proxy (it's next in the list)
cache_peer_access 127.0.0.1 deny from_havp
cache_peer_access 127.0.0.1 allow all
# Everything here
cache_peer_access proxy.mdcc-fun.de allow all

Optional:

# You can force everything to parent proxy if you want
# Normally, if it's unreachable squid will revert to direct connection
never_direct allow all

# Perhaps it's not necessary to send SSL to parent proxy
always_direct allow CONNECT

In this case you could also just use proxy.mdcc-fun.de directly in HAVP as parent proxy.

Cheers,
Henrik

Author:  pegr [ 01 Jan 2007 22:27 ]
Post subject:  connect prob

hi,
I think first line
http_port 127.0.0.1:8080
will not work for me
I use only
http_port 8080.

What do you think?
(squid 2.5.5)
btw: how to bypass ftp from the first instance of squid?

CU
Peter

Author:  hege [ 01 Jan 2007 22:39 ]
Post subject:  Re: connect prob

pegr wrote:
hi,
I think first line
http_port 127.0.0.1:8080
will not work for me
I use only
http_port 8080.


That's fine.

Quote:
What do you think?
(squid 2.5.5)
btw: howto bypass ftp from first instance of squid?


acl FTP proto FTP
cache_peer_access 127.0.0.1 deny FTP

Cheers,
Henrik
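
As an added illustration of Henrik's cache_peer_access rules above and this FTP bypass (example code, not Squid's or HAVP's own), a simplified Python model of how Squid picks the next hop in the squid -> HAVP -> squid sandwich. It assumes always_direct is checked first, peers are tried in cache_peer order, the first peer not denied by cache_peer_access wins, and DIRECT is the fallback unless never_direct matches.

```python
# Added illustration (not Squid's or HAVP's code): simplified model of
# Squid's next-hop choice for the squid -> HAVP -> squid sandwich.
# Assumed order: always_direct, then peers in cache_peer order (first
# peer not denied by cache_peer_access wins), then DIRECT unless never_direct.
from dataclasses import dataclass

HAVP = "127.0.0.1:6666"         # cache_peer 127.0.0.1 parent 6666 ...
ISP = "proxy.mdcc-fun.de:8080"  # cache_peer proxy.mdcc-fun.de parent 8080 ...

@dataclass
class Request:
    myport: int   # Squid port the request arrived on: 8080 = client, 3128 = HAVP
    method: str   # "GET" or "CONNECT"
    proto: str    # "http", "https" or "ftp"

# The acl lines from the thread, as predicates on a request
ACLS = {
    "all": lambda r: True,
    "from_havp": lambda r: r.myport == 3128,     # acl from_havp myport 3128
    "CONNECT": lambda r: r.method == "CONNECT",  # acl CONNECT method CONNECT
    "FTP": lambda r: r.proto == "ftp",           # acl FTP proto FTP
}

def first_match(rules, req):
    """First-match semantics of Squid access lists: 'allow', 'deny' or None."""
    for action, acl in rules:
        if ACLS[acl](req):
            return action
    return None

def next_hop(req, cfg):
    """Return the peer name, 'DIRECT', or 'NONE' (never_direct but no peer allowed)."""
    if first_match(cfg["always_direct"], req) == "allow":
        return "DIRECT"
    for peer in cfg["peers"]:
        if first_match(cfg["cache_peer_access"].get(peer, []), req) != "deny":
            return peer
    return "NONE" if first_match(cfg["never_direct"], req) == "allow" else "DIRECT"

# Olaf's original routing: always_direct allow from_havp skips the ISP parent
BROKEN = {"always_direct": [("allow", "from_havp")], "never_direct": [("allow", "all")],
          "peers": [HAVP, ISP], "cache_peer_access": {HAVP: [("deny", "CONNECT")]}}

# Henrik's cache_peer_access rules, plus the FTP bypass from this reply
FIXED = {"always_direct": [], "never_direct": [("allow", "all")], "peers": [HAVP, ISP],
         "cache_peer_access": {HAVP: [("deny", "CONNECT"), ("deny", "FTP"),
                                      ("deny", "from_havp"), ("allow", "all")],
                               ISP: [("allow", "all")]}}
```

With BROKEN, a GET re-entering Squid from HAVP (myport 3128) goes DIRECT and never reaches the ISP parent; with FIXED it goes to the ISP peer, while CONNECT and ftp requests from the client skip HAVP.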

Author:  pegr [ 01 Jan 2007 22:55 ]
Post subject: 

What about an always_direct allow?
btw please see my other posting for this topic!

Thanks

Peter

Author:  pegr [ 13 Jan 2007 03:27 ]
Post subject:  now running but squidguard?

Now the config above is working.
But now I wanna use squidguard with this.
Can anybody tell me how to put squidguard in the config to filter for client names from a previously inserted auth-prog?

Thanks
Peter

All times are UTC + 2 hours [ DST ]