HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

HAVP Config
http://havp.hege.li/forum/viewtopic.php?f=3&t=399		 Page 1 of 1
Author:  badm4n [ 25 Nov 2008 11:34 ]
Post subject:  HAVP Config
This is my config :
========
havp.conf
----------
SERVERNUMBER 40
#MAXSERVERS 600
LOGLEVEL 1
TRANSPARENT true
PARENTPROXY 192.168.222.100
PARENTPORT 2012
FORWARDED_IP true
X_FORWARDED_FOR true
=========
squid.conf
------------
##### Squid #####
http_port 80 accel vhost defaultsite=castor.gpi-g.com
cache_peer 202.169.51.122 parent 80 0 no-query name=mySite
acl hostedSites dstdomain castor.gpi-g.com
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1 192.168.222.100
acl SSL_ports port 443 563
acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
cache_peer_access mySite allow hostedSites
acl my_other_proxy src 192.168.222.100
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow my_other_proxy
cache_peer_access mySite deny all
http_access allow hostedSites
#http_access allow hostedSites2
#http_access allow hostedSites3


http_port 2012 transparent
icp_port 3130
snmp_port 0
cache_mgr admin
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 50 KB
maximum_object_size 50 MB
dead_peer_timeout 10 seconds
visible_hostname castor.gpi-g.com
cache_mem 50 MB
memory_pools off
log_icp_queries on
buffered_logs on
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
cache_swap_low 70%
cache_swap_high 90%
cache_dir aufs /var/spool/squid 16000 16 256
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /var/run/squid.pid
forwarded_for on
half_closed_clients off

cache_mgr mirza.k@gpi-g.com
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern \.(gif|jpg|jpeg)$ 600 80% 86400
refresh_pattern \.(xbm|xpm|ico|tiff)$ 600 80% 86400
refresh_pattern \.(au|snd|wav|ra|mid)$ 600 80% 86400
refresh_pattern \.(qt|mov|avi|mpeg)$ 600 80% 86400
refresh_pattern \.(iv|wrl|vrml)$ 600 80% 86400
refresh_pattern \.(z|qz)$ 600 80% 86400
refresh_pattern \.(hqx|bin)$ 600 80% 86400
refresh_pattern \.(tar|zip|avc)$ 600 80% 86400
refresh_pattern ^http:// 30 50% 86400
refresh_pattern ^ftp:// 30 50% 86400
refresh_pattern . 30 30% 43200

acl domainapprove url_regex -i "/etc/squid/domain-approve.txt"
acl chatting url_regex -i "/etc/squid/chatting.txt"
acl bad url_regex -i "/etc/squid/bad.txt"
acl good url_regex -i "/etc/squid/good.txt"
acl karantina url_regex -i "/etc/squid/karantina.txt"
acl deny-karantina url_regex -i "/etc/squid/deny-karantina.txt"
acl limit src "/etc/squid/user-limit.txt"
acl full src "/etc/squid/user-full.txt"
acl chat src 192.168.222.7
acl bebas src "/etc/squid/user-bebas.txt"
acl bebas src 192.168.1.2
acl sewi-req src 192.168.9.16 # PC Dian Hanya untuk domain Goodpack
acl sewi dstdomain .goodpack.com
http_access allow manager localhost bebas
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow bebas
http_access deny bad
http_access allow full
http_access allow chat chatting
http_access allow limit domainapprove
http_access allow good
http_access allow sewi-req sewi
#####################################
# Use in EMERGENCY ONLY - DELAYPOLLS #
#####################################
#
#acl nakal url_regex -i \.mp3$ \.rm$ \.mpg$ \.mpeg$ \.avi$ \.dat$ \.iso$ \.zip$ \.rar$ \.tar$ \.gz$
#delay_pools 1
#delay_class 1 1
#delay_parameters 1 21000/50000000
#delay_access 1 allow nakal
#delay_access 1 deny ALL
#
###################################################################
http_access deny all
snmp_access deny all
cachemgr_passwd nasigoreng manager
negative_ttl 1 minutes


============================
/etc/rc.local
--------------
#!/bin/sh -e
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -F -t nat
/sbin/iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.0.0/255.255.0.0 --dport 80 -j DNAT --to 192.168.222.100:8080
/etc/init.d/squid stop
/etc/init.d/apache2 stop
/etc/init.d/apache2 start
/etc/init.d/squid start
exit 0
==========================
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1e:4f:ec:b4:6c
inet addr:192.168.222.100 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::21e:4fff:feec:b46c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:654900 errors:0 dropped:0 overruns:0 frame:0
TX packets:323091 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:134921299 (128.6 MB) TX bytes:153552974 (146.4 MB)
Interrupt:16

eth1 Link encap:Ethernet HWaddr 00:1e:58:9a:9f:d3
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::21e:58ff:fe9a:9fd3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:875335 errors:0 dropped:0 overruns:0 frame:0
TX packets:910661 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:227352504 (216.8 MB) TX bytes:173548361 (165.5 MB)
Interrupt:18

=============================

Internet ( ISP ) >>>>>>>> PROLINK ROUTER ( DMZ Enable directly to 10.0.0.2 ) >>>>>> Server ( this server squid + havp ) >>>>> user
i have 400 user with 60% activities
===============================

question is :
1. Which one config that i must edit ? ( to solved this problem : )
- When i browse some site, sometime i get msg :
Quote:
The following server is down:
Could not read body

- i cant browse my domain http://castor.gpi-g.com with same result
Quote:
The following server is down:
Could not read body

2. Where i can get manual page about HAVP individual syntax ?

urgent
Author:  badm4n [ 26 Nov 2008 05:42 ]
Post subject:  Re: HAVP Config
Code:
root@castor:/home/mirza# cat /etc/hosts
127.0.0.1       localhost
192.168.222.100 castor.gpi-g.com castor.
10.0.0.2 castor.gpi-g.com castor.
202.169.51.122 castor.gpi-g.com castor.
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
root@castor:/home/mirza#



still waiting
Author:  karesmakro [ 04 Dec 2008 15:45 ]
Post subject:  Re: HAVP Config
It must be an error in your squid configuration, because the site, you described, is reachable with havp!
There're only a few of sites, where are problem's with havp. This problems belongs to sites, where authentication with NT is needed.
For this sites, i defined an exception in the squid configuration.
If you need an example, i can post it in the evening.

Perhaps you need a client proxy exception for your own domain?

greetings
Author:  badm4n [ 05 Dec 2008 04:46 ]
Post subject:  Re: HAVP Config
karesmakro wrote:
It must be an error in your squid configuration, because the site, you described, is reachable with havp!
There're only a few of sites, where are problem's with havp. This problems belongs to sites, where authentication with NT is needed.
For this sites, i defined an exception in the squid configuration.
If you need an example, i can post it in the evening.

Perhaps you need a client proxy exception for your own domain?

greetings



yes please...
but i have already put this :
Code:
cache_peer 192.168.222.2 sibling 2012 0 no-query no-digest default
cache_peer 192.168.222.111 sibling 2012 0 no-query no-digest default


##### Squid #####
http_port 80 accel vhost defaultsite=castor.gpi-g.com
cache_peer 10.0.0.2 parent 80 0 no-query name=mySite
acl hostedSites dstdomain castor.gpi-g.com

http_port 80 accel vhost defaultsite=castor.gpi-g.com
cache_peer 202.169.51.122 parent 80 0 no-query name=mySite2
acl hostedSites2 dstdomain castor.gpi-g.com

http_port 80 accel vhost defaultsite=castor.gpi-g.com
cache_peer 192.168.222.100 parent 80 0 no-query name=mySite3
acl hostedSites3 dstdomain castor.gpi-g.com

cache_peer_access mySite allow hostedSites
cache_peer_access mySite2 allow hostedSites2
cache_peer_access mySite3 allow hostedSites3


acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1 192.168.222.100 202.169.51.122
acl SSL_ports port 443 563
acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

cache_peer_access mySite deny all
cache_peer_access mySite2 deny all
cache_peer_access mySite3 deny all

http_access allow hostedSites
http_access allow hostedSites2
http_access allow hostedSites3



but it still same :(
sometimes it cant be load/error :((
even public or lan ip :(
Author:  karesmakro [ 05 Dec 2008 09:12 ]
Post subject:  Re: HAVP Config
Oh sorry! At my second look i saw, that you didn't configured a sandwich like squid->havp->squid.
Why you don't make a configuration like havp->squid ?
The needed configuration parts are:
havp.conf
Code:
PARENTPROXY 127.0.0.1
PARENTPORT 3128

#
# Port HAVP is listening on.
#
# Default:
PORT 8080

#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
BIND_ADDRESS <your local ip adress>

squid.conf
Code:
http_port 3128 transparent

and make a redirect from port 80 to port 3128.

if you want to make a sandwich, which give you in some reasons a better control to make exceptions, i'll post my configuration:
havp.conf
Code:
#
# Port HAVP is listening on.
#
# Default:
PORT 8080

#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
BIND_ADDRESS 127.0.0.1

PARENTPROXY 127.0.0.1
PARENTPORT 3128

squid.conf
Code:
http_port 3128
http_port 127.0.0.1:3129


and after the acl's

Code:
##########################################
############ HAVP
##########################################

# Define acl for HAVP port (the port HAVP connects to SQUID2)
acl FROM_HAVP myport 3129

# Don't log duplicate requests coming from HAVP
log_access deny FROM_HAVP

# HAVP on localhost port 8080
cache_peer 127.0.0.1 parent 8080 0 name=havp proxy-only no-query no-digest no-netdb-exchange default

# Needed if we want to go directly to SQUID2 without HAVP
cache_peer 127.0.0.1 parent 3129 0 name=squid2 proxy-only no-query no-digest no-netdb-exchange

# This makes sure ALL requests are sent to parent peers when needed
prefer_direct off
nonhierarchical_direct off

# HTTPS traffic scanning not needed
# (squid2 skipped too, since it can't be cached)
acl HTTPS proto HTTPS
acl SSL proto SSL
always_direct allow SSL

# Always force use of HAVP or Squid2 parent
never_direct allow !FROM_HAVP

# It's easier to create whitelists her than in HAVP
# Also, if there is a bug in HAVP, whitelisting there might not work
acl NOSCAN dstdomain www.it-connect-unix.de www.finanzen.net

cache_peer_access havp deny FROM_HAVP
cache_peer_access havp deny SSL
cache_peer_access havp deny NOSCAN
cache_peer_access havp allow all
cache_peer_access squid2 deny FROM_HAVP
cache_peer_access squid2 allow all

#########################################


i hope, this is any help for you!
What's saying your messages in squid.access?
Author:  badm4n [ 05 Dec 2008 09:27 ]
Post subject:  Re: HAVP Config
hmmmm

i will try in few hours... thx for your information
if i found error i will post it back to you

thx again

and thx b4
Page 1 of 1 All times are UTC + 2 hours [ DST ]
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/