HTTP Anti-Virus Proxy http://havp.hege.li/forum/

Squid Sandwich and SSL/FTP http://havp.hege.li/forum/viewtopic.php?f=3&t=179
Author: olaf [ 31 Oct 2006 20:05 ]
Post subject: Squid Sandwich and SSL/FTP
Hi, after some days, squid seems to work with havp. Here my squid 3.0pre4 config:

Code:
# ole home network                                        | www
#                      parent       parent                | isp parent
#            +-------+     +------+     +--------+        | +--------+
# Client <-> | squid | <-> | HAVP | <-> | squid  | <-> | |        | <-> www
#            |  8080 |     | 6666 |     |  3128  |        | |  8080  |
#            +-------+     +------+     +--------+        | +--------+
#                                                         |
http_port 127.0.0.1:8080
http_port 127.0.0.1:3128
acl from_client myport 8080
acl from_havp myport 3128
cache_peer 127.0.0.1 parent 6666 0 no-query no-digest no-netdb-exchange default
cache_peer proxy.mdcc-fun.de parent 8080 0 default
icp_port 0
htcp_port 0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ope_network src 192.168.1.0/24
acl SSL_ports port 443 563       # https, snews
acl Safe_ports port 80           # http
acl Safe_ports port 21           # ftp
acl Safe_ports port 443 563      # https, snews
acl Safe_ports port 70           # gopher
acl Safe_ports port 210          # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280          # http-mgmt
acl Safe_ports port 488          # gss-http
acl Safe_ports port 591          # filemaker
acl Safe_ports port 777          # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow from_havp localhost
http_access deny from_havp all
http_access allow localhost
http_access allow ope_network
http_access deny all
http_reply_access allow all
icp_access allow all
always_direct allow from_havp
never_direct allow all
cache_dir aufs /var/cache/squid3 812 16 256
maximum_object_size 32768 KB
coredump_dir /var/spool/squid3
shutdown_lifetime 5 seconds
half_closed_clients off
pipeline_prefetch on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all

The goal is to allow access from localhost/private network. This seems to work, unfortunately not for SSL connections and FTP.
SSL: no connections are possible (HAVP error: Invalid request); FTP got the error "Invalid request from browser". What's wrong with this setup? Maybe some more hints? Thanks Olaf
Author: hege [ 31 Oct 2006 21:51 ]
No use sending SSL to HAVP, so you should bypass it:

Code:
cache_peer_access 127.0.0.1 deny CONNECT

FTP:// should work fine, anything specific in havp.log? Just to be sure, you are using browser for ftp right? Cheers, Henrik
Author: olaf [ 31 Oct 2006 23:06 ]
hege wrote: FTP:// should work fine, anything specific in havp.log? Just to be sure, you are using browser for ftp right?

Yep, using firefox for ftp browsing too. Here my havp config:

Code:
USER havp
GROUP havp
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 16
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
LOG_OKS true
LOGLEVEL 1
SCANTEMPFILE /var/spool/havp/havp-XXXXXX
TEMPDIR /tmp
DBRELOAD 60
PARENTPROXY 127.0.0.1
PARENTPORT 3128
PORT 6666
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/de
WHITELISTFIRST true
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
FAILSCANERROR true
SCANIMAGES true
MAXSCANSIZE 1000000
STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav
CLAMBLOCKENCRYPTED false
CLAMBLOCKMAX false
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false

/var/spool/havp is not yet on a ram disk, only a loop-mounted disk image (due to mand mount options, solves e.g. owner problems too). I limited the MAXSCANSIZE to 1M (1000000), now the problem is:

/var/log/havp/access.log:

Code:
31/10/2006 21:08:49 127.0.0.1 GET 200 ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz 296+78402 OK
31/10/2006 21:09:16 127.0.0.1 GET 200 ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz 296+78402 OK

/var/log/squid3/access.log:

Code:
1162325328.382 6117 127.0.0.1 TCP_MISS/200 78700 GET ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz - DIRECT/128.101.240.212 application/x-tar
1162325354.966 11987 127.0.0.1 TCP_MISS/200 78700 GET ftp://ftp.debian.org/debian/pool/non-free/t/tnt/tnt_2.4.orig.tar.gz - DIRECT/128.101.240.212 application/x-tar

The 2nd try did work, the 1st got: proxy server denied connection. Thanks, Olaf
Author: hege [ 31 Oct 2006 23:11 ]
I haven't tested Squid 3 with HAVP, it could be sending some strange FTP request.. I'll test soon. Cheers, Henrik
Author: olaf [ 01 Nov 2006 21:42 ]
hege wrote: No use sending SSL to HAVP, so you should bypass it:
cache_peer_access 127.0.0.1 deny CONNECT

got

Code:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: www.ccc.de:443

The following error was encountered:
* Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
* The cache administrator does not allow this cache to make direct connections to origin servers, and
* All configured parent caches are currently unreachable.

Your cache administrator is webmaster.

using squid.conf:

Code:
http_port 127.0.0.1:8080
http_port 127.0.0.1:3128
acl from_client myport 8080
acl from_havp myport 3128
cache_peer 127.0.0.1 parent 6666 0 no-query no-digest no-netdb-exchange default
cache_peer proxy.mdcc-fun.de parent 8080 0 default
icp_port 0
htcp_port 0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl ope_network src 192.168.1.0/24
acl SSL_ports port 443 563       # https, snews
acl Safe_ports port 80           # http
acl Safe_ports port 21           # ftp
acl Safe_ports port 443 563      # https, snews
acl Safe_ports port 70           # gopher
acl Safe_ports port 210          # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280          # http-mgmt
acl Safe_ports port 488          # gss-http
acl Safe_ports port 591          # filemaker
acl Safe_ports port 777          # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
cache_peer_access 127.0.0.1 deny CONNECT
http_access allow from_havp localhost
http_access deny from_havp all
http_access allow localhost
http_access allow ope_network
http_access deny all
http_reply_access allow all
icp_access allow all
always_direct allow from_havp
never_direct allow all
cache_dir aufs /var/cache/squid3 812 16 256
maximum_object_size 32768 KB
coredump_dir /var/spool/squid3
shutdown_lifetime 5 seconds
half_closed_clients off
pipeline_prefetch on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all

Did I misunderstand you? Thanks Olaf
Author: hege [ 01 Nov 2006 21:56 ]
Actually you should remove always_direct allow from_havp. It disabled isp parent proxy, because it forces everything direct. Just these will do the work:

Code:
# No SSL to havp
cache_peer_access 127.0.0.1 deny CONNECT
# Connections from HAVP go to isp parent proxy (it's next in the list)
cache_peer_access 127.0.0.1 deny from_havp
cache_peer_access 127.0.0.1 allow all
# Everything here
cache_peer_access proxy.mdcc-fun.de allow all

Optional:

Code:
# You can force everything to parent proxy if you want
# Normally, if it's unreachable squid will revert to direct connection
never_direct allow all
# Perhaps it's not necessary to send SSL to parent proxy
always_direct allow CONNECT

In this case you could also just use proxy.mdcc-fun.de directly in HAVP as parent proxy.. Cheers, Henrik
Author: pegr [ 01 Jan 2007 22:27 ]
Post subject: connect prob
hi, I think the first line http_port 127.0.0.1:8080 will not work for me; I use only http_port 8080. What do you think? (squid 2.5.5) btw: how to bypass ftp from the first instance of squid? CU Peter
Author: hege [ 01 Jan 2007 22:39 ]
Post subject: Re: connect prob
pegr wrote: hi, I think the first line http_port 127.0.0.1:8080 will not work for me; I use only http_port 8080.

That's fine.

Quote: What do you think? (squid 2.5.5) btw: how to bypass ftp from the first instance of squid?

Code:
acl FTP proto FTP
cache_peer_access 127.0.0.1 deny FTP

Cheers, Henrik
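To make the routing rules from Henrik's two replies above (drop always_direct allow from_havp, deny CONNECT and from_havp on the HAVP peer, allow all on the ISP parent, and the acl FTP / cache_peer_access deny FTP bypass) easier to reason about, here is an added example that is not part of this thread and not Squid or HAVP code. It is a small Python model of Squid's next-hop decision for one request. The model assumes (labelled in the code) the documented first-match semantics of always_direct, never_direct and cache_peer_access, and that peers are tried in configuration order with the first permitted one winning; real Squid also weighs the default flag, ICP and other peer options, which are ignored here. The peer labels, ACL names and sample requests are constructed to match the thread's squid.conf.

```python
"""Simplified model of Squid's next-hop choice for the HAVP "sandwich".

Added example, not from the forum thread or from Squid/HAVP.  Assumptions:
 - access lists use first-match semantics; if lines exist but none match,
   the result is the opposite of the last line; an unconfigured list gives
   no decision (Squid's documented rule for its access lists);
 - peers are tried in config order, first permitted peer wins (real Squid
   also considers the 'default' flag, ICP, round-robin etc.).
"""
from dataclasses import dataclass, field

HAVP = "127.0.0.1:6666"          # first cache_peer in the thread's squid.conf
ISP = "proxy.mdcc-fun.de:8080"   # second cache_peer, the ISP parent


@dataclass(frozen=True)
class Request:
    method: str   # "GET" or "CONNECT"
    scheme: str   # "http", "https", "ftp"
    myport: int   # port the request arrived on (Squid 'myport' acl)


# ACL names as defined in the thread's squid.conf (plus Henrik's acl FTP).
ACLS = {
    "CONNECT": lambda r: r.method == "CONNECT",      # acl CONNECT method CONNECT
    "FTP": lambda r: r.scheme == "ftp",              # acl FTP proto FTP
    "from_client": lambda r: r.myport == 8080,       # acl from_client myport 8080
    "from_havp": lambda r: r.myport == 3128,         # acl from_havp myport 3128
    "all": lambda r: True,
}


def first_match(rules, req):
    """rules: list of (action, [acl names]) in config order."""
    if not rules:
        return None                      # list not configured: no decision
    for action, acl_names in rules:
        if all(ACLS[n](req) for n in acl_names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


@dataclass
class Squid:
    peers: list                                     # cache_peer lines, in order
    always_direct: list = field(default_factory=list)
    never_direct: list = field(default_factory=list)
    peer_access: dict = field(default_factory=dict)  # peer -> cache_peer_access rules

    def route(self, req):
        if first_match(self.always_direct, req) == "allow":
            return "DIRECT"
        forced_to_peer = first_match(self.never_direct, req) == "allow"
        for peer in self.peers:
            if first_match(self.peer_access.get(peer, []), req) != "deny":
                return peer
        # never_direct but no permitted peer: Squid's "Unable to forward" page
        return "UNABLE_TO_FORWARD" if forced_to_peer else "DIRECT"


def broken_config():
    """Olaf's second squid.conf: always_direct allow from_havp kept in."""
    return Squid(peers=[HAVP, ISP],
                 always_direct=[("allow", ["from_havp"])],
                 never_direct=[("allow", ["all"])],
                 peer_access={HAVP: [("deny", ["CONNECT"])]})


def fixed_config(bypass_ftp=True):
    """Henrik's rules, optionally with the FTP bypass he gave pegr."""
    havp_rules = [("deny", ["CONNECT"])]
    if bypass_ftp:
        havp_rules.append(("deny", ["FTP"]))
    havp_rules += [("deny", ["from_havp"]), ("allow", ["all"])]
    return Squid(peers=[HAVP, ISP],
                 always_direct=[("allow", ["CONNECT"])],
                 never_direct=[("allow", ["all"])],
                 peer_access={HAVP: havp_rules, ISP: [("allow", ["all"])]})


def misordered_config():
    """Same lines, but 'allow all' placed before 'deny from_havp'."""
    cfg = fixed_config()
    cfg.peer_access[HAVP] = [("deny", ["CONNECT"]), ("allow", ["all"]),
                             ("deny", ["from_havp"])]
    return cfg


# Constructed sample requests: three from a browser on port 8080, one
# being HAVP re-sending a scanned request to Squid on port 3128.
SAMPLE = {
    "client http GET": Request("GET", "http", 8080),
    "client https CONNECT": Request("CONNECT", "https", 8080),
    "client ftp GET": Request("GET", "ftp", 8080),
    "havp http GET": Request("GET", "http", 3128),
}


def route_table(squid):
    return {name: squid.route(req) for name, req in SAMPLE.items()}


if __name__ == "__main__":
    for label, cfg in [("broken", broken_config()), ("fixed", fixed_config()),
                       ("misordered", misordered_config())]:
        print(label)
        for name, hop in route_table(cfg).items():
            print(f"  {name:22s} -> {hop}")
```

Under the fixed rules the model sends plain HTTP through HAVP, CONNECT straight out, FTP to the ISP parent, and HAVP's own requests to the ISP parent; under Olaf's earlier always_direct allow from_havp, HAVP's requests go direct and never reach the ISP parent, which is Henrik's point. The misordered variant shows why line order matters for cache_peer_access: with allow all ahead of deny from_havp, a request coming back from HAVP is handed to HAVP again, a loop. The UNABLE_TO_FORWARD result is what the model returns whenever never_direct is set and every peer denies the request.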
Author: pegr [ 01 Jan 2007 22:55 ]
what about an always_direct allow? btw please see my other posting for this topic! Thanks Peter
Author: pegr [ 13 Jan 2007 03:27 ]
Post subject: now running but squidguard?
now the config above is working. But now I want to use squidguard with this. Can anybody tell me how to put squidguard in the config to filter for client names from a previously inserted auth-prog? Thanks Peter
All times are UTC + 2 hours [ DST ]