LinuxQuestions.org

-   -   squid transparent proxy...... (http://www.linuxquestions.org/questions/linux-networking-3/squid-transparent-proxy-64544/)

hitesh_linux 06-09-2003 11:44 AM

squid transparent proxy......
 
Hi,
I have some problems with the Squid transparent proxy.

What I use: iptables, Red Hat Linux 8.0, Squid 2.4.STABLE7



My current setup: SERVER BOX (contains SQUID, APACHE, PHP, MYSQL, IPTABLES, BANDWIDTH CONTROL)

IP 1: 172.16.100.4 (Internet LAN card)

IP 2: 10.0.0.1 (internal network card)



What I want: I want to use a transparent proxy, but I want all my users to authenticate. In short, if my user is not logged in and he types any URL, he should be presented with a login page (PHP and MySQL) where my user will enter his login name and password, and if he is logged in he can use the Internet.



What I did:



Squid.conf

# listening ports
http_port 8080
icp_port 3130

# never cache dynamic (cgi-bin / query-string) responses
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# memory and disk cache sizing
cache_mem 16 MB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /var/spool/squid 250 16 256

# logs and pid file
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# access control lists
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/255.0.0.0   # the LAN behind eth1; this acl was missing from the posted config
acl SSL_ports port 443 563
acl Safe_ports port 80           # http
acl Safe_ports port 21           # ftp
acl Safe_ports port 443 563      # https, snews
acl Safe_ports port 70           # gopher
acl Safe_ports port 210          # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280          # http-mgmt
acl Safe_ports port 488          # gss-http
acl Safe_ports port 591          # filemaker
acl Safe_ports port 777          # multiling http
acl CONNECT method CONNECT

# access rules, evaluated top to bottom, first match wins
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports          # Safe_ports was defined above but never applied
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet            # without this, the 'deny all' below rejected every LAN client
http_access deny all

# Set these if you want your proxy to work in a transparent way.
# Transparent proxy means you generally don't have to configure all
# your clients' browsers, but has some drawbacks too.
# Leaving these uncommented won't do any harm.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mgr hitesh@hylix.com

cache_effective_user squid
cache_effective_group squid

visible_hostname c-systems



IPTABLES FIREWALL

#!/bin/sh
IPTABLES=/sbin/iptables

EX_ETH=eth0                  # External interface
IN_ETH=eth1                  # Local interface
LOCAL_IP=10.0.0.2            # Local host IP (not used by the rules shown here)
LOCAL_NET=10.0.0.0/8         # Local network
EXTERNAL_NET=172.16.0.0/24   # External network (not used by the rules shown here)
PROXY_IP=10.0.0.2            # Proxy server IP (not used here; REDIRECT targets the local address)
PROXY_PORT=8080              # Proxy server port number
P_PORTS="0:1023"             # privileged ports
UP_PORTS="1024:65535"        # unprivileged ports
TR_SRC_PORTS="32769:65535"   # traceroute source ports
TR_DST_PORTS="33434:33523"   # traceroute destination ports

## load modules first: /proc/sys/net/ipv4/ip_conntrack_max only exists once ip_conntrack is loaded
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Flush the filter table and the nat table. The posted script only flushed
# filter, so every re-run appended a second MASQUERADE and REDIRECT rule.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Masquerade
$IPTABLES -t nat -A POSTROUTING -o $EX_ETH -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# If you get an ip_conntrack "table full" error, raise the limit; otherwise remove this
echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max

# Transparent proxy: port-80 traffic arriving on the LAN interface goes to Squid
$IPTABLES -t nat -A PREROUTING -i $IN_ETH -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT

and some security settings rules for ping of death etc.

unSpawn 06-13-2003 03:24 AM

If this is still a problem, AFAIK you can't *both* do transparent proxying *and* have authentication. Look at the Squid FAQ.
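What the thread leaves open is how to get the login-page behaviour the first post asks for once proxy-side authentication is ruled out. In intercept mode the browser does not know a proxy is in the path, so a Squid proxy_auth challenge (HTTP 407) is never answered. The usual workaround is to authenticate at the firewall instead, keyed on source address: port-80 traffic from hosts that have not logged in is redirected to the local login page, and the login page, after checking the credentials against MySQL, adds the client's address to a chain whose rules redirect to Squid. The script below is an added example, not code from either poster or from the Squid project. It takes the interface, network and ports from the first post (eth1, 10.0.0.0/8, Squid on 8080, Apache on port 80 of 10.0.0.1); the chain name AUTHED, the function names and the command-line interface are invented for illustration. It replaces the single `REDIRECT --to-port 8080` rule in the posted firewall script.

```sh
#!/bin/sh
# Added example, not from the original thread: an address-keyed login gate in
# front of a transparent Squid. Port-80 traffic from hosts that have logged in
# is redirected to Squid; everything else is redirected to the login page.
# Assumed values (from the first post, or invented for illustration):
IPTABLES=${IPTABLES:-/sbin/iptables}
IN_ETH=${IN_ETH:-eth1}               # LAN interface
LOCAL_NET=${LOCAL_NET:-10.0.0.0/8}   # LAN clients
LOGIN_HOST=${LOGIN_HOST:-10.0.0.1}   # this box; Apache serves the login page here
LOGIN_PORT=${LOGIN_PORT:-80}
PROXY_PORT=${PROXY_PORT:-8080}       # Squid http_port
CHAIN=AUTHED                         # invented chain name

# Strict dotted-quad check. The PHP login page is expected to call this script
# through sudo, so an unvalidated string must never reach the iptables command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Build the chain. Safe to re-run: the chain is flushed and the PREROUTING
# hooks are removed before being re-added. Use this in place of the single
# REDIRECT rule from the firewall script.
setup_chain() {
    $IPTABLES -t nat -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -t nat -F "$CHAIN"
    # Requests to the login server itself are never rewritten, so the form and
    # its POST reach Apache whether or not the client has logged in.
    $IPTABLES -t nat -D PREROUTING -i "$IN_ETH" -d "$LOGIN_HOST" -p tcp --dport "$LOGIN_PORT" -j ACCEPT 2>/dev/null || true
    $IPTABLES -t nat -I PREROUTING -i "$IN_ETH" -d "$LOGIN_HOST" -p tcp --dport "$LOGIN_PORT" -j ACCEPT
    $IPTABLES -t nat -D PREROUTING -i "$IN_ETH" -s "$LOCAL_NET" -p tcp --dport 80 -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -t nat -A PREROUTING -i "$IN_ETH" -s "$LOCAL_NET" -p tcp --dport 80 -j "$CHAIN"
    # Catch-all, kept last: not logged in, so show the login page. Apache must
    # answer any Host: header with the login form (a default vhost that rewrites to it).
    $IPTABLES -t nat -A "$CHAIN" -p tcp --dport 80 -j REDIRECT --to-port "$LOGIN_PORT"
}

# Called by the login page after a successful credential check.
# '-I' puts the host above the catch-all. Grants are per address, not per user.
grant_access() {
    valid_ipv4 "$1" || { echo "grant_access: refusing '$1'" >&2; return 1; }
    $IPTABLES -t nat -I "$CHAIN" -s "$1" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
}

# Called on logout or session expiry; the rule spec must match the grant exactly.
revoke_access() {
    valid_ipv4 "$1" || { echo "revoke_access: refusing '$1'" >&2; return 1; }
    $IPTABLES -t nat -D "$CHAIN" -s "$1" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
}

case "${1:-}" in
    setup)  setup_chain ;;
    grant)  grant_access "$2" ;;
    revoke) revoke_access "$2" ;;
    '')     ;;   # no action when sourced or run without arguments
    *)      echo "usage: $0 setup | grant ADDRESS | revoke ADDRESS" >&2; exit 2 ;;
esac
```

Run `captive.sh setup` (hypothetical path) from the firewall script in place of the original REDIRECT rule, and have the PHP page call `sudo /usr/local/sbin/captive.sh grant $REMOTE_ADDR` after a successful login and `revoke` on logout or when the session expires, with a sudoers entry limited to that exact command. Two caveats a practitioner would want: the grant is bound to an IP address, not a user, so on a shared LAN anyone who can reuse or spoof that address inherits the session, which is why grants should expire and the address should be checked on both the PHP side and in the script; and only port 80 is gated, as in the original REDIRECT rule, so HTTPS and other ports still pass straight through the masquerade unless they are filtered separately.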

