HTTP Anti-Virus Proxy http://havp.hege.li/forum/
Squid does not redirect requests http://havp.hege.li/forum/viewtopic.php?f=3&t=23
Author: agruener [ 06 Mar 2006 20:54 ]
Post subject: Squid does not redirect requests
Hello experts,

I am having much trouble getting HAVP working with Squid in this case. My HAVP listens on port 8080 and it is working correctly. Pointing my browser's proxy to proxy:8080 works fine. Now I want to do it with a Squid, so the config is Client -> Squid -> HAVP -> Internet. I got this working on another machine already, but on this one it does not work. Squid is NEVER using the HAVP, no matter what I try to configure. Even the debug messages of Squid didn't help me.

My Squid config is as follows (changing some domain names and external IPs):

more squid.conf | grep -v ^$ | grep -v "#"

cache_peer 141.1.1.1 parent 80 0 no-query
cache_peer 141.2.2.2 parent 8183 0 no-query
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
acl admin_net src 192.168.40.0/24
acl Scan_HTTP proto HTTP
never_direct allow Scan_HTTP
cache_peer_access 127.0.0.1 deny !Scan_HTTP
cache_peer_access 127.0.0.1 allow Scan_HTTP
cache_peer_access 127.0.0.1 allow admin_net
cache_peer_domain 141.1.1.1 test1.de
cache_peer_domain 141.2.2.2 test2.de
acl ffproxies dstdomain test3.de
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl JARFILE urlpath_regex \.jar
no_cache deny JARFILE
acl INTERN dstdomain mydomain.de mydomain-gmbh.de
no_cache deny INTERN
cache_mem 512 MB
cache_dir ufs /var/cache/squid 5000 16 256 read-only
cache_store_log none
ftp_user nix@ueberhauptgarnix.com
redirect_program /usr/sbin/squidGuard -c /etc/squidguard.conf
redirect_children 30
refresh_pattern ^ftp: 60 20% 60
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl netmon src 172.16.11.106/32 192.168.12.5/32 192.168.12.7/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8443
acl CONNECT method CONNECT
acl netzgenhosts src "/etc/squid/squid.dnsok"
acl nosavhosts src "/etc/squid/squid.nosav"
acl mydomain_src src 172.16.0.0/12 192.168.0.0/16
acl mydomain_dst dst 172.16.0.0/12 192.168.0.0/16
acl local_adr dst 127.0.0.1/255.255.255.255
acl local_url dstdomain localhost
acl errortest dstdomain error.mydomain-test.de
acl denyusers src "/etc/squid/squid.deny"
acl allowdomains url_regex -i "/etc/squid/squid.allowurl"
acl nimdaWorm urlpath_regex -i \.eml$
acl w32gonera urlpath_regex -i gone.scr$
acl denydomains dstdom_regex -i "/etc/squid/squid.denyurl"
acl denypath urlpath_regex -i "/etc/squid/squid.denyurl"
acl denyips dst "/etc/squid/squid.denyips"
acl blockedtypereq req_mime_type -i ^application/x-msmetafile$
acl blockedtypereq req_mime_type -i application/x-msmetafile
acl blockedtyperep rep_mime_type -i ^application/x-msmetafile$
acl blockedtyperep rep_mime_type -i application/x-msmetafile
acl denyext url_regex -i \.wmf$
acl denydisp rep_header Content-Disposition -i filename.*\.wmf
http_access allow manager localhost
http_access allow manager netmon
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ffproxies
http_access deny nimdaWorm
http_access deny w32gonera
http_access deny local_url
http_access deny local_adr
http_access deny errortest
http_access deny !mydomain_src
http_access deny !netzgenhosts
http_access deny denydomains
http_access deny denypath
http_access deny denyips
http_access deny denyext
http_access deny denydisp
http_access deny blockedtypereq
http_access deny blockedtyperep
http_access allow allowdomains
http_access allow mydomain_dst
http_access deny denyusers
http_access deny nosavhosts
http_access allow admin_net
http_access allow all
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr Hotline@mydomain.de
visible_hostname my-proxy
append_domain .mydomain.de
deny_info ERR_LOCAL_PROXY local_url
deny_info ERR_LOCAL_PROXY local_adr
deny_info ERR_NO_DNS netzgenhosts
deny_info ERR_NO_SAV nosavhosts
deny_info http://wwwtest.mydomain-gmbh.de/ errortest
cachemgr_passwd disable shutdown
cachemgr_passwd none all
acl schnellsurfer src 0.0.0.0/0
always_direct deny ffproxies
always_direct allow mydomain_dst
always_direct allow schnellsurfer
always_direct deny all
never_direct allow ffproxies
never_direct deny mydomain_dst
never_direct deny schnellsurfer
never_direct allow all
header_access X-Forwarded-For deny !mydomain_dst
header_access Server deny !mydomain_dst
header_access Link deny !mydomain_dst
header_access Via deny !mydomain_dst
error_directory /usr/share/squid/errors/German
uri_whitespace encode
strip_query_terms off
coredump_dir /var/cache/squid

I have two network cards in my computer running SuSE Linux:

eth0 192.168.102.12
eth1 "an external IP"

Looking at /var/log/havp shows no errors in HAVP, and only something in access.log when pointing the browser directly to 192.168.102.12:8080 and not to 192.168.102.12:3128 (where Squid is running). No errors in /var/log/messages or in /var/log/squid/access.log or /var/log/squid/cache.log. Squid simply does not care about HAVP...

I also tried the minimal config from http://www.server-side.de/ideas.htm with ACL all in all places. Also tried to use the IP of eth0 192.168.102.12 instead of localhost or 127.0.0.1 ... same result.

Help is really appreciated.

Regards,
Alexander
Author: Guest [ 07 Mar 2006 04:27 ]
I'm no expert, but we just did pretty much what you are looking to do this morning with SLES 9 Enterprise Server in less than 20 minutes. We had them running separately but realized the security is too weak to run havp on its own. I realize that most of this is redundant regarding your situation, but I hope you glean something useful from this post.

To get it to work you may need to pare your squid file down a touch, then add all of your particulars back a couple at a time. Our setup here is internet-->squid-->havp-->squid or havp-->client. It works. Don't listen with havp on a public IP if you are going to run squid. Listen on the internet with squid, send the traffic to havp for scanning and either back to squid or straight to a browser. Squid does not care about viruses -- the only real reason to scan for them is to protect Windows clients.

Try this simple setup: with both a working squid and a working havp (not together), make sure at least the following lines are present in squid.conf along with your local network IP range (to avoid becoming a spam or XXX-proxy machine).

cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow local_network
# And finally deny all other access to this proxy
http_access deny all

-- some of these may not be necessary, but the first one most certainly needs to be in your config.

Make sure and ditch the redirect to squidGuard -- why troubleshoot that headache. (The redirect to squidGuard is fine, but you have left out what you are doing with the traffic.) Also, try configuring only one cache_peer until it starts working. Restart your firewall process. Restart the network interfaces.

With squid listening on port 3128 (or 80) --> add PARENTPORT 3128 (80) to havp.config. Restart squid. Restart havp. You should now have a configuration that will serve and scan web content to browsers configured with either port 3128 (squid) (80) or port 8080 (havp). This configuration will send SSL through squid without being scanned. If you are still having problems, I can provide more details, but I am confident (at that point) the developers will catch the hangup.

robm
Author: hege [ 07 Mar 2006 12:01 ]
Post subject: Re: Squid does not redirect requests
agruener wrote: I got this working on another machine already but on this one it does not work. Squid is NEVER using the HAVP, no matter what I try to configure. Even the debug messages of Squid didn't help me.
Hi,

I think I see a simple reason: Squid checks all always_direct ACLs before checking never_direct, and you basically have

always_direct allow schnellsurfer

which forces all requests to go direct.

Cheers,
Henrik
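To make the ordering Henrik describes concrete, here is a small model of Squid's always_direct / never_direct decision, added here as an example and not code from Squid, HAVP or the forum posters. It assumes Squid's documented list semantics (rules are walked top-down, the first match wins, a list that matches nothing yields the opposite of its last rule, and an always_direct allow is honoured before never_direct is consulted); it models only the src, dst and dstdomain ACL types, takes the destination address pre-resolved with the request instead of doing DNS, and the three configurations and two requests are constructed from the routing directives in the original post. The "MAYBE" outcome stands for Squid choosing between peer and direct on its own, which is why dropping only the always_direct line is not enough to guarantee that HAVP sees every request.

```python
"""Model of Squid's always_direct / never_direct routing decision.

Added example (not Squid source, not from the forum post). Assumed Squid
semantics: each list is walked top-down and the first matching rule wins;
when nothing matches, the result is the opposite of the last rule; an
always_direct allow wins before never_direct is even consulted. Only the
src, dst and dstdomain ACL types are modelled, dst uses a pre-resolved
address supplied with the request (no DNS), and all requests below are
constructed test data.
"""
import ipaddress
import shlex


def parse_config(text):
    """Collect acl definitions and the two routing lists from squid.conf text."""
    acls, lists = {}, {"always_direct": [], "never_direct": []}
    for line in text.splitlines():
        words = shlex.split(line.split("#", 1)[0])
        if not words:
            continue
        if words[0] == "acl":                      # acl NAME TYPE ARG...
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] in lists:                    # always_direct allow|deny ACL...
            lists[words[0]].append((words[1] == "allow", words[2:]))
    return acls, lists


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def _domain_match(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):                    # .foo.de: foo.de and subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern                         # foo.de: exact match only


def acl_matches(acls, name, req):
    for atype, args in acls[name]:
        if atype == "src" and _in_any(req["src"], args):
            return True
        if atype == "dst" and _in_any(req["dst"], args):
            return True
        if atype == "dstdomain" and any(_domain_match(a, req["host"]) for a in args):
            return True
        if atype not in ("src", "dst", "dstdomain"):
            raise NotImplementedError("ACL type %r not modelled" % atype)
    return False


def evaluate(acls, rules, req):
    """True = allow, False = deny, None = list is empty (no opinion)."""
    last = None
    for allow, terms in rules:
        last = allow
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return None if last is None else not last     # fell off the end of the list


def route(config, req):
    acls, lists = parse_config(config)
    if evaluate(acls, lists["always_direct"], req):
        return "DIRECT"                            # never reaches any cache_peer
    if evaluate(acls, lists["never_direct"], req):
        return "PEER"                              # must go via a cache_peer (HAVP)
    return "MAYBE"                                 # Squid decides per request


# Routing directives as posted (constructed copy of the relevant lines).
POSTED = """\
acl all src 0.0.0.0/0.0.0.0
acl ffproxies dstdomain test3.de
acl mydomain_dst dst 172.16.0.0/12 192.168.0.0/16
acl schnellsurfer src 0.0.0.0/0
always_direct deny ffproxies
always_direct allow mydomain_dst
always_direct allow schnellsurfer
always_direct deny all
never_direct allow ffproxies
never_direct deny mydomain_dst
never_direct deny schnellsurfer
never_direct allow all
"""
# Only the offending always_direct line dropped: never_direct still says deny.
PARTIAL = POSTED.replace("always_direct allow schnellsurfer\n", "")
# Both schnellsurfer rules dropped: everything non-local is forced to the peer.
FIXED = PARTIAL.replace("never_direct deny schnellsurfer\n", "")

# Constructed requests: an external site and an internal host (dst pre-resolved).
EXTERNAL = {"src": "192.168.102.50", "host": "www.example.com", "dst": "203.0.113.10"}
INTERNAL = {"src": "192.168.102.50", "host": "intranet.mydomain.de", "dst": "192.168.40.7"}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("partial", PARTIAL), ("fixed", FIXED)):
        print(label, "external:", route(cfg, EXTERNAL), "internal:", route(cfg, INTERNAL))
```

Running it shows the posted lists sending both requests DIRECT, the partial fix leaving external requests at MAYBE, and the full fix forcing external requests to the peer while internal destinations still go direct.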
Author: agruener [ 07 Mar 2006 16:29 ]
Post subject: Re: Squid does not redirect requests
Hi Henrik,

thanks for your hint. After hours I had found it by myself, and now I understand the meaning of these things in Squid!

BTW: it seems to run stable with about 30 req/s and 460 kb/s average over 60 minutes.

Thanks again and regards,
Alexander