HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
HAVP Config http://havp.hege.li/forum/viewtopic.php?f=3&t=399 |
Author: | badm4n [ 25 Nov 2008 11:34 ] |
Post subject: | HAVP Config |
This is my config:

======== havp.conf ----------

    SERVERNUMBER 40
    #MAXSERVERS 600
    LOGLEVEL 1
    TRANSPARENT true
    PARENTPROXY 192.168.222.100
    PARENTPORT 2012
    FORWARDED_IP true
    X_FORWARDED_FOR true

========= squid.conf ------------

    ##### Squid #####
    http_port 80 accel vhost defaultsite=castor.gpi-g.com
    cache_peer 202.169.51.122 parent 80 0 no-query name=mySite
    acl hostedSites dstdomain castor.gpi-g.com
    acl manager proto cache_object
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1 192.168.222.100
    acl SSL_ports port 443 563
    acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    cache_peer_access mySite allow hostedSites
    acl my_other_proxy src 192.168.222.100
    follow_x_forwarded_for allow localhost
    follow_x_forwarded_for allow my_other_proxy
    cache_peer_access mySite deny all
    http_access allow hostedSites
    #http_access allow hostedSites2
    #http_access allow hostedSites3
    http_port 2012 transparent
    icp_port 3130
    snmp_port 0
    cache_mgr admin
    cache_replacement_policy heap LFUDA
    maximum_object_size_in_memory 50 KB
    maximum_object_size 50 MB
    dead_peer_timeout 10 seconds
    visible_hostname castor.gpi-g.com
    cache_mem 50 MB
    memory_pools off
    log_icp_queries on
    buffered_logs on
    quick_abort_min 0 KB
    quick_abort_max 0 KB
    quick_abort_pct 95
    cache_swap_low 70%
    cache_swap_high 90%
    cache_dir aufs /var/spool/squid 16000 16 256
    access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log none
    pid_filename /var/run/squid.pid
    forwarded_for on
    half_closed_clients off
    cache_mgr mirza.k@gpi-g.com
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    refresh_pattern \.(gif|jpg|jpeg)$ 600 80% 86400
    refresh_pattern \.(xbm|xpm|ico|tiff)$ 600 80% 86400
    refresh_pattern \.(au|snd|wav|ra|mid)$ 600 80% 86400
    refresh_pattern \.(qt|mov|avi|mpeg)$ 600 80% 86400
    refresh_pattern \.(iv|wrl|vrml)$ 600 80% 86400
    refresh_pattern \.(z|qz)$ 600 80% 86400
    refresh_pattern \.(hqx|bin)$ 600 80% 86400
    refresh_pattern \.(tar|zip|avc)$ 600 80% 86400
    refresh_pattern ^http:// 30 50% 86400
    refresh_pattern ^ftp:// 30 50% 86400
    refresh_pattern . 30 30% 43200
    acl domainapprove url_regex -i "/etc/squid/domain-approve.txt"
    acl chatting url_regex -i "/etc/squid/chatting.txt"
    acl bad url_regex -i "/etc/squid/bad.txt"
    acl good url_regex -i "/etc/squid/good.txt"
    acl karantina url_regex -i "/etc/squid/karantina.txt"
    acl deny-karantina url_regex -i "/etc/squid/deny-karantina.txt"
    acl limit src "/etc/squid/user-limit.txt"
    acl full src "/etc/squid/user-full.txt"
    acl chat src 192.168.222.7
    acl bebas src "/etc/squid/user-bebas.txt"
    acl bebas src 192.168.1.2
    acl sewi-req src 192.168.9.16 # Dian's PC, only for the Goodpack domain
    acl sewi dstdomain .goodpack.com
    http_access allow manager localhost bebas
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow bebas
    http_access deny bad
    http_access allow full
    http_access allow chat chatting
    http_access allow limit domainapprove
    http_access allow good
    http_access allow sewi-req sewi
    #####################################
    # Use in EMERGENCY ONLY - DELAYPOLLS #
    #####################################
    #
    #acl nakal url_regex -i \.mp3$ \.rm$ \.mpg$ \.mpeg$ \.avi$ \.dat$ \.iso$ \.zip$ \.rar$ \.tar$ \.gz$
    #delay_pools 1
    #delay_class 1 1
    #delay_parameters 1 21000/50000000
    #delay_access 1 allow nakal
    #delay_access 1 deny ALL
    #
    ###################################################################
    http_access deny all
    snmp_access deny all
    cachemgr_passwd nasigoreng manager
    negative_ttl 1 minutes

============================ /etc/rc.local --------------

    #!/bin/sh -e
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables --flush
    /sbin/iptables --table nat --flush
    /sbin/iptables --delete-chain
    /sbin/iptables --table nat --delete-chain
    /sbin/iptables -F -t nat
    /sbin/iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
    /sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.0.0/255.255.0.0 --dport 80 -j DNAT --to 192.168.222.100:8080
    /etc/init.d/squid stop
    /etc/init.d/apache2 stop
    /etc/init.d/apache2 start
    /etc/init.d/squid start
    exit 0

========================== # ifconfig

    eth0  Link encap:Ethernet  HWaddr 00:1e:4f:ec:b4:6c
          inet addr:192.168.222.100  Bcast:192.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::21e:4fff:feec:b46c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:654900 errors:0 dropped:0 overruns:0 frame:0
          TX packets:323091 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:134921299 (128.6 MB)  TX bytes:153552974 (146.4 MB)
          Interrupt:16

    eth1  Link encap:Ethernet  HWaddr 00:1e:58:9a:9f:d3
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:58ff:fe9a:9fd3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:875335 errors:0 dropped:0 overruns:0 frame:0
          TX packets:910661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:227352504 (216.8 MB)  TX bytes:173548361 (165.5 MB)
          Interrupt:18

=============================

Internet ( ISP ) >>>>>>>> PROLINK ROUTER ( DMZ Enable directly to 10.0.0.2 ) >>>>>> Server ( this server squid + havp ) >>>>> user

I have 400 users with 60% activities.

===============================

The questions are:

1. Which config must I edit (to solve this problem)?
   - When I browse some sites, sometimes I get the message:
     Quote: The following server is down: Could not read body
   - I can't browse my domain http://castor.gpi-g.com, with the same result:
     Quote: The following server is down: Could not read body
2. Where can I get a manual page about HAVP's individual syntax?

urgent
Author: | badm4n [ 26 Nov 2008 05:42 ] |
Post subject: | Re: HAVP Config |
Code:

    root@castor:/home/mirza# cat /etc/hosts
    127.0.0.1 localhost
    192.168.222.100 castor.gpi-g.com castor.
    10.0.0.2 castor.gpi-g.com castor.
    202.169.51.122 castor.gpi-g.com castor.
    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
    root@castor:/home/mirza#

still waiting
Author: | karesmakro [ 04 Dec 2008 15:45 ] |
Post subject: | Re: HAVP Config |
It must be an error in your squid configuration, because the site you described is reachable with havp! There are only a few sites where there are problems with havp. These problems belong to sites where authentication with NT is needed. For these sites, I defined an exception in the squid configuration. If you need an example, I can post it in the evening. Perhaps you need a client proxy exception for your own domain?

greetings
Author: | badm4n [ 05 Dec 2008 04:46 ] |
Post subject: | Re: HAVP Config |
karesmakro wrote:
It must be an error in your squid configuration, because the site you described is reachable with havp! There are only a few sites where there are problems with havp. These problems belong to sites where authentication with NT is needed. For these sites, I defined an exception in the squid configuration. If you need an example, I can post it in the evening. Perhaps you need a client proxy exception for your own domain? greetings

yes please... but I have already put this:

Code:

    cache_peer 192.168.222.2 sibling 2012 0 no-query no-digest default
    cache_peer 192.168.222.111 sibling 2012 0 no-query no-digest default
    ##### Squid #####
    http_port 80 accel vhost defaultsite=castor.gpi-g.com
    cache_peer 10.0.0.2 parent 80 0 no-query name=mySite
    acl hostedSites dstdomain castor.gpi-g.com
    http_port 80 accel vhost defaultsite=castor.gpi-g.com
    cache_peer 202.169.51.122 parent 80 0 no-query name=mySite2
    acl hostedSites2 dstdomain castor.gpi-g.com
    http_port 80 accel vhost defaultsite=castor.gpi-g.com
    cache_peer 192.168.222.100 parent 80 0 no-query name=mySite3
    acl hostedSites3 dstdomain castor.gpi-g.com
    cache_peer_access mySite allow hostedSites
    cache_peer_access mySite2 allow hostedSites2
    cache_peer_access mySite3 allow hostedSites3
    acl manager proto cache_object
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1 192.168.222.100 202.169.51.122
    acl SSL_ports port 443 563
    acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    cache_peer_access mySite deny all
    cache_peer_access mySite2 deny all
    cache_peer_access mySite3 deny all
    http_access allow hostedSites
    http_access allow hostedSites2
    http_access allow hostedSites3

but it is still the same; sometimes it can't be loaded/errors ( even public or LAN IP )
Author: | karesmakro [ 05 Dec 2008 09:12 ] |
Post subject: | Re: HAVP Config |
Oh sorry! On my second look I saw that you didn't configure a sandwich like squid->havp->squid. Why don't you make a configuration like havp->squid? The needed configuration parts are:

havp.conf

Code:

    PARENTPROXY 127.0.0.1
    PARENTPORT 3128
    #
    # Port HAVP is listening on.
    #
    # Default:
    PORT 8080
    #
    # IP address that HAVP listens on.
    # Let it be undefined to bind all addresses.
    #
    # Default: NONE
    BIND_ADDRESS <your local ip adress>

squid.conf

Code:

    http_port 3128 transparent

and make a redirect from port 80 to port 3128.

If you want to make a sandwich, which for some reasons gives you better control to make exceptions, I'll post my configuration:

havp.conf

Code:

    #
    # Port HAVP is listening on.
    #
    # Default:
    PORT 8080
    #
    # IP address that HAVP listens on.
    # Let it be undefined to bind all addresses.
    #
    # Default: NONE
    BIND_ADDRESS 127.0.0.1
    PARENTPROXY 127.0.0.1
    PARENTPORT 3128

squid.conf

Code:

    http_port 3128
    http_port 127.0.0.1:3129

and after the acl's

Code:

    ##########################################
    ############ HAVP
    ##########################################
    # Define acl for HAVP port (the port HAVP connects to SQUID2)
    acl FROM_HAVP myport 3129
    # Don't log duplicate requests coming from HAVP
    log_access deny FROM_HAVP
    # HAVP on localhost port 8080
    cache_peer 127.0.0.1 parent 8080 0 name=havp proxy-only no-query no-digest no-netdb-exchange default
    # Needed if we want to go directly to SQUID2 without HAVP
    cache_peer 127.0.0.1 parent 3129 0 name=squid2 proxy-only no-query no-digest no-netdb-exchange
    # This makes sure ALL requests are sent to parent peers when needed
    prefer_direct off
    nonhierarchical_direct off
    # HTTPS traffic scanning not needed
    # (squid2 skipped too, since it can't be cached)
    acl HTTPS proto HTTPS
    acl SSL proto SSL
    always_direct allow SSL
    # Always force use of HAVP or Squid2 parent
    never_direct allow !FROM_HAVP
    # It's easier to create whitelists here than in HAVP
    # Also, if there is a bug in HAVP, whitelisting there might not work
    acl NOSCAN dstdomain www.it-connect-unix.de www.finanzen.net
    cache_peer_access havp deny FROM_HAVP
    cache_peer_access havp deny SSL
    cache_peer_access havp deny NOSCAN
    cache_peer_access havp allow all
    cache_peer_access squid2 deny FROM_HAVP
    cache_peer_access squid2 allow all
    #########################################

I hope this is of some help to you! What do your messages in squid.access say?
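
An added example, not part of the thread and not code from the HAVP or Squid projects: a small Python check of the squid -> HAVP -> squid wiring described in the post above. It verifies that HAVP's PARENTPORT is the squid port matched by acl FROM_HAVP, that the havp cache_peer points at HAVP's PORT, and that HAVP is bound to loopback. The config fragments are constructed from the directives in the post, and `lint_sandwich` is a hypothetical helper name.

```python
# Added example: wiring check for a squid -> HAVP -> squid sandwich.
# GOOD_HAVP and SQUID are constructed fragments using directives from the post.
GOOD_HAVP = "BIND_ADDRESS 127.0.0.1\nPARENTPROXY 127.0.0.1\nPARENTPORT 3129\n"
SQUID = """\
http_port 3128
http_port 127.0.0.1:3129
acl FROM_HAVP myport 3129
cache_peer 127.0.0.1 parent 8080 0 name=havp proxy-only no-query default
cache_peer 127.0.0.1 parent 3129 0 name=squid2 proxy-only no-query
never_direct allow !FROM_HAVP
cache_peer_access havp deny FROM_HAVP
"""

def directives(text):
    """Yield (name, args) per directive, skipping blank lines and # comments."""
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]

def lint_sandwich(havp_conf, squid_conf):
    """Return a list of findings; an empty list means the chain is consistent."""
    havp = {name: args[0] for name, args in directives(havp_conf) if args}
    squid = list(directives(squid_conf))
    # Ports squid listens on: "http_port 3128" or "http_port 127.0.0.1:3129".
    listen = {a[0].rsplit(":", 1)[-1] for n, a in squid if n == "http_port"}
    # Ports that mark a request as already scanned: "acl FROM_HAVP myport <port>".
    scanned = {p for n, a in squid
               if n == "acl" and a[:2] == ["FROM_HAVP", "myport"] for p in a[2:]}
    # Port of the cache_peer named havp: cache_peer <host> <type> <port> ...
    peer = [a[2] for n, a in squid if n == "cache_peer" and "name=havp" in a]

    findings = []
    parent = havp.get("PARENTPORT")
    if parent not in listen:
        findings.append(f"PARENTPORT {parent}: squid has no http_port on it")
    if parent not in scanned:
        findings.append(f"PARENTPORT {parent} is not matched by acl FROM_HAVP: "
                        "requests returning from HAVP are treated as unscanned")
    port = havp.get("PORT", "8080")  # 8080 is the default named in havp.conf
    if peer != [port]:
        findings.append(f"cache_peer havp uses {peer}, HAVP listens on {port}")
    if havp.get("BIND_ADDRESS") != "127.0.0.1":
        findings.append("HAVP is not bound to 127.0.0.1: it may be reachable directly")
    return findings

if __name__ == "__main__":
    print(lint_sandwich(GOOD_HAVP, SQUID))
    print(lint_sandwich(GOOD_HAVP.replace("3129", "3128"), SQUID))
```

With PARENTPORT 3128, the value in the sandwich havp.conf above, the check reports the FROM_HAVP mismatch; with 3129 it returns no findings.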
Author: | badm4n [ 05 Dec 2008 09:27 ] |
Post subject: | Re: HAVP Config |
hmmmm i will try in few hours... thx for your information if i found error i will post it back to you thx again and thx b4 |
Page 1 of 1 | All times are UTC + 2 hours [ DST ] |