Old 01-29-2010, 06:38 AM   #1
langerak
LQ Newbie
 
Registered: Jan 2010
Location: Netherlands
Distribution: Ubuntu 12.04
Posts: 13

Rep: Reputation: 0
Squid config, allow external IP address to connect to Squid


Hello all,

I am new to this community (although it has helped me a lot already when Googling for info).

Now I am stuck with a problem I cannot resolve...

I have a Squid proxy server running on my Ubuntu 9.10 server and on my local network this works great.

At work, my boss wants to use the proxy as well (for caching purposes on 2 Mbit line), but I cannot find the way to allow external access to Squid. I know that Squid blocks external access by default, but I can't find the info on how to unblock that.

The IP address from work is a static one, so I only need to let Squid allow that one particular external IP address to connect with it. I guess I need an extra ACL entry, but I don't know what to enter... (also Google did not find any info, or I have searched with the wrong keywords...)

Does someone know how to fix this problem or at least some tips where to find the info on it?

Thanks in advance!

Best regards,

Langerak
 
Old 01-29-2010, 11:05 AM   #2
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
http_port <public_ip>:<port>

Run squid on both the internal/external IPs. Moreover, are you using some sort of NAT?

--
Prasanta
 
Old 01-30-2010, 01:52 AM   #4
langerak
LQ Newbie
 
Registered: Jan 2010
Location: Netherlands
Distribution: Ubuntu 12.04
Posts: 13

Original Poster
Rep: Reputation: 0
NAT goes via my router.

Shouldn't I define a http_access rule for the IP address of my work? Since I want that address to be able to connect to my Squid server.

Via http_port I get no result when entering my public IP address with port...
 
Old 01-30-2010, 05:31 AM   #5
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
In that case port forward that request,

/sbin/iptables -t nat -A PREROUTING -p tcp -d <public_ip> --dport <port> -j DNAT --to-destination <internal_squid_ip>:<port>
/sbin/iptables -A FORWARD -p tcp -d <internal_squid_ip> --dport <port> -j ACCEPT

Ask your boss to key in the public_ip and the port in the proxy settings of the browser.

That should work.

--
Prasanta
 
Old 01-30-2010, 11:47 AM   #6
langerak
LQ Newbie
 
Registered: Jan 2010
Location: Netherlands
Distribution: Ubuntu 12.04
Posts: 13

Original Poster
Rep: Reputation: 0
I have tried that, still to no avail.

Maybe I haven't explained it well enough, let me try again:

Here at home I have this Squid proxy server running for my home network which works well.

I want to be able to connect to my proxy from outside my home as well. When I enter my IP address or dyndns name with the correct port, I get the error in Firefox saying that my proxy is working, but not allowing external access to it, when I connect from outside my home.
So let's say, at work I have IP address 1.2.3.4, which needs to be allowed by Squid (external access), how would I accomplish that? I guess I have to add a rule for that IP address in squid.conf, maybe a switch or something, letting external machines connect as well.

Here is the ACL part of my squid.conf:

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
#
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_Ports port 22 # ssh
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

When I add an entry with acl ext_access 1.2.3.4 and further on in the config file I set that ext_access has http_access it still won't work.

I hope I have clarified it enough now for a good solution! But thanks already for the answers posted!
 
Old 01-31-2010, 12:01 PM   #7
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
No. There is nothing to do with the squid.conf file. I tried the same setup with external users (users using it from outside my home). I have the following setup.

I have squid running at home, on IP 192.168.1.1 port 3128.

http_port 192.168.1.1:3128

I have written a NAT rule on the firewall,

/sbin/iptables -t nat -A PREROUTING -p tcp -d 121.245.52.22 --dport 8000 -j DNAT --to-destination 192.168.1.1:3128
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 3128 -j ACCEPT

Users outside my home use 121.245.52.22 and port 8000 as proxy server and port. Hope this helps.

--
Prasanta
 
Old 02-09-2010, 01:51 PM   #8
langerak
LQ Newbie
 
Registered: Jan 2010
Location: Netherlands
Distribution: Ubuntu 12.04
Posts: 13

Original Poster
Rep: Reputation: 0
Hi,

Thanks for the tip, but unfortunately this won't work...

When I enter the external IP address as proxy in Firefox at work I get the same error as before that the proxy server is not set up to allow external connections.

I have to say that I put the route on the server where the squid server resides. Any port forwarding etc. goes via my Sitecom router, which is only reachable via web server (config).

Any suggestions left?

EDIT:
Stupidly enough, the port forwarding part on my router has been reset, so I guess that's one reason I cannot connect to it outside my internal network.

Edited the port forwarding part and set it up correctly and tomorrow I'll see if it has success!

Last edited by langerak; 02-09-2010 at 02:00 PM.
 
Old 02-10-2010, 11:34 AM   #9
langerak
LQ Newbie
 
Registered: Jan 2010
Location: Netherlands
Distribution: Ubuntu 12.04
Posts: 13

Original Poster
Rep: Reputation: 0
Thanks for all the help, opened up the port in my router, added the route again and now all works like a charm!

By the way: Do you have some links for me as to tune Squid a bit? Like caching etc.? Since we use a 2 Mbit line at work, caching would be nice.

Last edited by langerak; 02-10-2010 at 11:37 AM. Reason: Question
 
Old 02-11-2010, 10:35 AM   #10
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
The best is to go through the squid website, http://www.squid-cache.org/. Moreover, in case your link is getting too saturated due to heavy downloads that the users are using, some user consuming a heavier bandwidth, better put a limit on the download speed using delay_pools.

In case you feel that the problem is sorted out, please mark the thread as solved since it helps the other users also in getting the answers.

--
Prasanta
 
Old 08-04-2010, 09:17 AM   #11
joker20
Member
 
Registered: Sep 2004
Location: 127.0.0.1
Distribution: Slackware/Ubuntu/CentOS
Posts: 286

Rep: Reputation: 31
langerak,
You do not necessarily have to use iptables rules to get it to work.
You do need to open up ports on your firewall, but you hit the nail right on the head when you mentioned ACLs. Since your work does have a static public IP, all you need to do is set up an ACL to allow that IP address,
i.e. acl *label* src *ip address*/*subnet mask wildcard* (I used 28 since we have a block of static IPs),
then http_access allow *label*
Restart squid and you're good to go. While prasanta's solution may work, it's a bit overkill.
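
Squid checks http_access lines from top to bottom and the first line that matches decides, so an allow line for the work address only takes effect if it comes before the final deny. The Python below is an added example, not code from the thread or from Squid: it models only `src` ACLs, and the http_access lines, the function names and the test address 203.0.113.9 are assumptions constructed for illustration.

```python
import ipaddress

# Constructed squid.conf fragment: the localnet ACLs from the thread plus an ACL
# for the thread's example work address. The http_access lines are assumptions.
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/24
acl ext_access src 1.2.3.4/32
http_access allow localnet
http_access allow ext_access
http_access deny all
"""
# Same lines with the allow placed after "deny all", where it is never reached.
MISORDERED = SAMPLE_CONF.replace(
    "http_access allow ext_access\nhttp_access deny all\n",
    "http_access deny all\nhttp_access allow ext_access\n")

def parse(conf):
    """Return ({src ACL name: [networks]}, [(action, [acl names]), ...])."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "src":
            nets = [ipaddress.ip_network(w, strict=False) for w in words[3:] if w != "all"]
            acls.setdefault(words[1], []).extend(nets)
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def decide(conf, client_ip):
    """Return 'allow' or 'deny' for client_ip: the first matching line decides."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    action = None
    for action, names in rules:
        # ACL names on one line are ANDed; "!" negates. A name that is not a
        # src ACL raises KeyError, since other ACL types are not modelled here.
        if all((any(ip in net for net in acls[n.lstrip("!")]) != n.startswith("!"))
               for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if action == "deny" else "deny"

if __name__ == "__main__":
    for addr in ("192.168.0.20", "1.2.3.4", "203.0.113.9"):
        print(addr, decide(SAMPLE_CONF, addr), decide(MISORDERED, addr))
```

Once the router forwards the port, every Internet source can reach Squid, so the deny result for an unlisted address such as 203.0.113.9 is what keeps the server from acting as an open proxy.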
 
  

