HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.
 Post subject: HAVP Config
PostPosted: 25 Nov 2008 11:34 
This is my config :
========
havp.conf
----------
SERVERNUMBER 40
#MAXSERVERS 600
LOGLEVEL 1
# Transparent mode: the rc.local DNAT rule sends LAN port-80 traffic to this
# host's port 8080 (HAVP's default PORT, see the later post) and HAVP relays
# it to the Squid transparent listener named below.
TRANSPARENT true
PARENTPROXY 192.168.222.100
PARENTPORT 2012
# Presumably both make HAVP pass the original client address on to Squid in
# the forwarded request; squid.conf must then trust that header only from
# this HAVP host (follow_x_forwarded_for) - verify against the HAVP manual.
FORWARDED_IP true
X_FORWARDED_FOR true
=========
squid.conf
------------
##### Squid #####
# Reverse proxy (accelerator) for the hosted site on port 80; the origin is
# the cache_peer 'mySite' and only requests for castor.gpi-g.com go to it.
http_port 80 accel vhost defaultsite=castor.gpi-g.com
cache_peer 202.169.51.122 parent 80 0 no-query name=mySite
acl hostedSites dstdomain castor.gpi-g.com
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
# 'localhost' is widened to this server's LAN address so that traffic relayed
# by HAVP (PARENTPROXY 192.168.222.100 in havp.conf) counts as local. Every
# rule below that trusts 'localhost' therefore also trusts HAVP.
acl localhost src 127.0.0.1 192.168.222.100
acl SSL_ports port 443 563
# NOTE(review): 53 (DNS) and 143 (IMAP) are unusual entries for Safe_ports;
# confirm they are needed. 1025-65535 already covers 2443.
acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
cache_peer_access mySite allow hostedSites
acl my_other_proxy src 192.168.222.100
# X-Forwarded-For from these sources is taken as the real client address.
# Keep the list to the hosts that run HAVP: with acl_uses_indirect_client on
# (the default) the src acls further down are evaluated against that
# address, so the header must never be accepted from ordinary clients.
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow my_other_proxy
cache_peer_access mySite deny all
# Accelerator requests are allowed before the Safe_ports/CONNECT checks;
# the match is bounded by dstdomain castor.gpi-g.com.
http_access allow hostedSites
#http_access allow hostedSites2
#http_access allow hostedSites3


# Transparent listener that HAVP forwards to (havp.conf PARENTPORT 2012).
http_port 2012 transparent
icp_port 3130
snmp_port 0
cache_mgr admin
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 50 KB
maximum_object_size 50 MB
dead_peer_timeout 10 seconds
visible_hostname castor.gpi-g.com
cache_mem 50 MB
memory_pools off
log_icp_queries on
buffered_logs on
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
cache_swap_low 70%
cache_swap_high 90%
cache_dir aufs /var/spool/squid 16000 16 256
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /var/run/squid.pid
forwarded_for on
half_closed_clients off

# NOTE(review): cache_mgr is already set to 'admin' above; presumably this
# later value is the one that takes effect - drop one of the two.
cache_mgr mirza.k@gpi-g.com
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# NOTE(review): refresh_pattern is first-match, so this catch-all '.' rule
# shadows everything after it: the file-type rules and the second '.' rule
# below never match. Move it to the end if they are meant to apply.
refresh_pattern . 0 20% 4320
refresh_pattern \.(gif|jpg|jpeg)$ 600 80% 86400
refresh_pattern \.(xbm|xpm|ico|tiff)$ 600 80% 86400
refresh_pattern \.(au|snd|wav|ra|mid)$ 600 80% 86400
refresh_pattern \.(qt|mov|avi|mpeg)$ 600 80% 86400
refresh_pattern \.(iv|wrl|vrml)$ 600 80% 86400
refresh_pattern \.(z|qz)$ 600 80% 86400
refresh_pattern \.(hqx|bin)$ 600 80% 86400
refresh_pattern \.(tar|zip|avc)$ 600 80% 86400
refresh_pattern ^http:// 30 50% 86400
refresh_pattern ^ftp:// 30 50% 86400
refresh_pattern . 30 30% 43200

# Regex and source lists are read from the quoted files, one entry per line.
acl domainapprove url_regex -i "/etc/squid/domain-approve.txt"
acl chatting url_regex -i "/etc/squid/chatting.txt"
acl bad url_regex -i "/etc/squid/bad.txt"
acl good url_regex -i "/etc/squid/good.txt"
acl karantina url_regex -i "/etc/squid/karantina.txt"
acl deny-karantina url_regex -i "/etc/squid/deny-karantina.txt"
acl limit src "/etc/squid/user-limit.txt"
acl full src "/etc/squid/user-full.txt"
acl chat src 192.168.222.7
acl bebas src "/etc/squid/user-bebas.txt"
acl bebas src 192.168.1.2
acl sewi-req src 192.168.9.16 # Dian's PC: Goodpack domain only
acl sewi dstdomain .goodpack.com
# http_access is first-match and several acls on one line are AND-ed, so
# this rule only matches manager requests that are from 'localhost' AND
# 'bebas'. NOTE(review): there is no 'http_access deny manager' after it,
# so a cache-manager request from any src that a later allow rule accepts
# (bebas, full, good, ...) is not rejected here - confirm that is intended.
http_access allow manager localhost bebas
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow bebas
http_access deny bad
http_access allow full
http_access allow chat chatting
http_access allow limit domainapprove
http_access allow good
http_access allow sewi-req sewi
#####################################
# Use in EMERGENCY ONLY - DELAY POOLS #
#####################################
#
#acl nakal url_regex -i \.mp3$ \.rm$ \.mpg$ \.mpeg$ \.avi$ \.dat$ \.iso$ \.zip$ \.rar$ \.tar$ \.gz$
#delay_pools 1
#delay_class 1 1
#delay_parameters 1 21000/50000000
#delay_access 1 allow nakal
#delay_access 1 deny ALL
#
###################################################################
http_access deny all
snmp_access deny all
# NOTE(review): the cache-manager password is stored in clear text and has
# been posted publicly; rotate it and keep this file readable only by root
# and the squid user.
cachemgr_passwd nasigoreng manager
negative_ttl 1 minutes


============================
/etc/rc.local
--------------
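#!/bin/sh
# /etc/rc.local - enable IPv4 forwarding, masquerade the LAN behind eth1,
# redirect LAN web traffic (tcp/80) into the HAVP listener on this host and
# then (re)start the local services.
#
# Runs as root from init once the network is up. The error flag lives in
# 'set' rather than the shebang so it survives 'sh /etc/rc.local'.
set -e

IPT=/sbin/iptables
LAN_IF=eth0                      # 192.168.222.100/16, faces the users
WAN_IF=eth1                      # 10.0.0.2/24, faces the PROLINK router
LAN_NET=192.168.0.0/16           # sources whose web traffic gets scanned
HAVP_ADDR=192.168.222.100:8080   # HAVP listener (default PORT 8080)

# Route between the two interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Start from empty filter and nat tables. --flush/--delete-chain do not
# touch the chain policies, so whatever policy is set (ACCEPT unless changed
# elsewhere) still applies to everything that follows.
"$IPT" --flush
"$IPT" --table nat --flush
"$IPT" --delete-chain
"$IPT" --table nat --delete-chain

# NAT the LAN out through the router side.
"$IPT" --table nat --append POSTROUTING --out-interface "$WAN_IF" -j MASQUERADE

# NOTE(review): this is only an explicit ACCEPT for packets arriving from the
# router side; with the FORWARD policy left at ACCEPT it restricts nothing,
# and no rule limits what the router's DMZ can reach on the LAN.
"$IPT" --append FORWARD --in-interface "$WAN_IF" -j ACCEPT

# Transparent proxy: port-80 traffic from LAN clients is DNATed to HAVP,
# which scans it and hands it to Squid (havp.conf PARENTPORT 2012). Requests
# from the LAN to this host's own port 80 (the accel listener) match too,
# so they also pass through HAVP/Squid - confirm that is intended.
"$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 80 \
  -j DNAT --to-destination "$HAVP_ADDR"

# Restart the web stack. Stopping a service that is not running may return
# non-zero, which under 'set -e' would abort before the start lines below;
# only the start commands are allowed to fail the script.
/etc/init.d/squid stop || true
/etc/init.d/apache2 stop || true
/etc/init.d/apache2 start
/etc/init.d/squid start
exit 0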
==========================
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1e:4f:ec:b4:6c
inet addr:192.168.222.100 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::21e:4fff:feec:b46c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:654900 errors:0 dropped:0 overruns:0 frame:0
TX packets:323091 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:134921299 (128.6 MB) TX bytes:153552974 (146.4 MB)
Interrupt:16

eth1 Link encap:Ethernet HWaddr 00:1e:58:9a:9f:d3
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::21e:58ff:fe9a:9fd3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:875335 errors:0 dropped:0 overruns:0 frame:0
TX packets:910661 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:227352504 (216.8 MB) TX bytes:173548361 (165.5 MB)
Interrupt:18

=============================

Internet ( ISP ) >>>>>>>> PROLINK ROUTER ( DMZ Enable directly to 10.0.0.2 ) >>>>>> Server ( this server squid + havp ) >>>>> user
I have 400 users, with about 60% activity.
===============================

My questions are:
1. Which config do I have to edit to solve this problem?
- When I browse some sites, I sometimes get this message:
Quote:
The following server is down:
Could not read body

- I can't browse my own domain http://castor.gpi-g.com either, with the same result:
Quote:
The following server is down:
Could not read body

2. Where can I find a manual page describing the individual HAVP config directives?

urgent


 Post subject: Re: HAVP Config
PostPosted: 26 Nov 2008 05:42 
Code:
root@castor:/home/mirza# cat /etc/hosts
127.0.0.1       localhost
# castor.gpi-g.com is listed under three addresses: this host's LAN side
# (eth0), its router side (eth1) and the public address.
# NOTE(review): a resolver normally returns only the first matching entry,
# so local lookups give 192.168.222.100 - verify that is the address the
# accel cache_peer and HAVP are meant to reach.
192.168.222.100 castor.gpi-g.com castor.
10.0.0.2 castor.gpi-g.com castor.
202.169.51.122 castor.gpi-g.com castor.
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
root@castor:/home/mirza#



still waiting


 Post subject: Re: HAVP Config
PostPosted: 04 Dec 2008 15:45 
It must be an error in your Squid configuration, because the site you described is reachable through HAVP!
There are only a few sites that have problems with HAVP; these are sites where NT authentication is needed.
For those sites I defined an exception in the Squid configuration.
If you need an example, I can post it in the evening.

Perhaps you need a client proxy exception for your own domain?

greetings


 Post subject: Re: HAVP Config
PostPosted: 05 Dec 2008 04:46 
karesmakro wrote:
It must be an error in your Squid configuration, because the site you described is reachable through HAVP!
There are only a few sites that have problems with HAVP; these are sites where NT authentication is needed.
For those sites I defined an exception in the Squid configuration.
If you need an example, I can post it in the evening.

Perhaps you need a client proxy exception for your own domain?

greetings



Yes please...
but I have already put this in:
Code:
# Two sibling caches on the transparent port. NOTE(review): 'default' marks
# a last-resort parent; check what it means on a sibling peer.
cache_peer 192.168.222.2 sibling 2012 0 no-query no-digest default
cache_peer 192.168.222.111 sibling 2012 0 no-query no-digest default


##### Squid #####
# NOTE(review): the same 'http_port 80 accel vhost ...' line appears three
# times and all three hostedSites acls match the same dstdomain, so every
# request for castor.gpi-g.com qualifies for all three origin peers;
# presumably one listener and one origin are wanted.
http_port 80 accel vhost defaultsite=castor.gpi-g.com
# 10.0.0.2 is this server's own router-side address (eth1).
cache_peer 10.0.0.2 parent 80 0 no-query name=mySite
acl hostedSites dstdomain castor.gpi-g.com

http_port 80 accel vhost defaultsite=castor.gpi-g.com
# 202.169.51.122 is the public address from /etc/hosts.
cache_peer 202.169.51.122 parent 80 0 no-query name=mySite2
acl hostedSites2 dstdomain castor.gpi-g.com

http_port 80 accel vhost defaultsite=castor.gpi-g.com
# NOTE(review): 192.168.222.100 is this server's own LAN address, on which
# the port-80 accelerator above also listens - confirm this peer does not
# point back at Squid itself.
cache_peer 192.168.222.100 parent 80 0 no-query name=mySite3
acl hostedSites3 dstdomain castor.gpi-g.com

cache_peer_access mySite allow hostedSites
cache_peer_access mySite2 allow hostedSites2
cache_peer_access mySite3 allow hostedSites3


acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
# NOTE(review): adding the public address means any request that arrives
# with that source (e.g. hairpinned through the router) is treated as
# localhost by every rule that trusts this acl - confirm that is wanted.
acl localhost src 127.0.0.1 192.168.222.100 202.169.51.122
acl SSL_ports port 443 563
acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

cache_peer_access mySite deny all
cache_peer_access mySite2 deny all
cache_peer_access mySite3 deny all

http_access allow hostedSites
http_access allow hostedSites2
http_access allow hostedSites3



but it is still the same :(
sometimes it can't load / gives an error :((
even with the public or LAN IP :(


 Post subject: Re: HAVP Config
PostPosted: 05 Dec 2008 09:12 
Oh sorry! On second look I saw that you didn't configure a sandwich like squid->havp->squid.
Why don't you use a configuration like havp->squid?
The needed configuration parts are:
havp.conf
Code:
# havp->squid: clients reach HAVP, HAVP forwards everything to the Squid
# transparent listener on the same host.
PARENTPROXY 127.0.0.1
PARENTPORT 3128

#
# Port HAVP is listening on.
#
# Default:
PORT 8080

#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
# <your local ip adress> is a placeholder: put the LAN address the port-80
# redirect points at here, so HAVP is not bound on every interface.
BIND_ADDRESS <your local ip adress>

squid.conf
Code:
# Squid only needs the transparent listener; HAVP (PARENTPORT 3128) and the
# port-80 redirect both land here.
http_port 3128 transparent

and make a redirect from port 80 to port 3128.

If you want to make a sandwich, which for some reasons gives you better control for making exceptions, here is my configuration:
havp.conf
Code:
#
# Port HAVP is listening on.
#
# Default:
PORT 8080

#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
# Bound to loopback: in the sandwich only the local Squid (cache_peer havp)
# talks to HAVP, so it is not reachable from the network.
BIND_ADDRESS 127.0.0.1

# HAVP sends scanned requests back into the local Squid.
# NOTE(review): the squid.conf part of this sandwich defines 127.0.0.1:3129
# as the port HAVP connects to (acl FROM_HAVP myport 3129); with 3128 here
# the FROM_HAVP acl and the cache_peer_access exclusions would not recognise
# HAVP's traffic - confirm which port is meant.
PARENTPROXY 127.0.0.1
PARENTPORT 3128

squid.conf
Code:
# Client-facing listener (all addresses).
http_port 3128
# Loopback-only listener for traffic coming back from HAVP ("SQUID2");
# acl FROM_HAVP (myport 3129) keys off this port.
http_port 127.0.0.1:3129


and after the ACLs:

Code:
##########################################
############ HAVP
##########################################

# Define acl for HAVP port (the port HAVP connects to SQUID2)
acl FROM_HAVP myport 3129

# Don't log duplicate requests coming from HAVP
log_access deny FROM_HAVP

# HAVP on localhost port 8080
cache_peer 127.0.0.1 parent 8080 0 name=havp proxy-only no-query no-digest no-netdb-exchange default

# Needed if we want to go directly to SQUID2 without HAVP
cache_peer 127.0.0.1 parent 3129 0 name=squid2 proxy-only no-query no-digest no-netdb-exchange

# This makes sure ALL requests are sent to parent peers when needed
prefer_direct off
nonhierarchical_direct off

# HTTPS traffic scanning not needed
# (squid2 skipped too, since it can't be cached)
# NOTE(review): the HTTPS acl is defined but not referenced in this block;
# only SSL is used below.
acl HTTPS proto HTTPS
acl SSL proto SSL
always_direct allow SSL

# Always force use of HAVP or Squid2 parent
# (anything not already coming back from HAVP must go through a peer)
never_direct allow !FROM_HAVP

# It's easier to create whitelists here than in HAVP
# Also, if there is a bug in HAVP, whitelisting there might not work
# NOTE(review): domains listed here are served unscanned via squid2.
acl NOSCAN dstdomain www.it-connect-unix.de www.finanzen.net

# Peer selection is first-match per peer: requests from HAVP itself, SSL and
# whitelisted domains never go back into HAVP; everything else does.
cache_peer_access havp deny FROM_HAVP
cache_peer_access havp deny SSL
cache_peer_access havp deny NOSCAN
cache_peer_access havp allow all
cache_peer_access squid2 deny FROM_HAVP
cache_peer_access squid2 allow all

#########################################


I hope this is of some help to you!
What do the messages in your Squid access log say?


 Post subject: Re: HAVP Config
PostPosted: 05 Dec 2008 09:27 
hmmmm

I will try it in a few hours... thanks for your information.
If I find an error I will post it back to you.

thx again

and thx b4

