Hello good people of Linux Questions.
I recently upgraded my squid to version 2.6.
Right at the beginning I encountered problems... It seems this new version changed the way to configure it as a transparent proxy.
After searching on Google I managed to configure it as a transparent proxy server. But when a user machine tries to navigate through the proxy server it gives the error Access Denied. In the access control I have given him permission to use the proxy, but it does not seem to work.
This server has to provide service just for the internal LAN. The services are:
- Access to the internet through the squid transparent proxy.
- Internal server for: web pages (httpd), webmail (webmail on the apache server), ftp (vsftpd) and internal DNS (BIND 9.3.4).
So far everything works great, but squid does not work. This is the part of the log from the squid file access.log while machine2.internaldomain.home opens Mozilla and tries to open pages:
Code:
..
1178674986.492 447 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.104 text/html
1178674988.571 668 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.147 text/html
..
Now here goes my config for the server =D
Device configs.
Connection to the internet:
Code:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
NETMASK=255.255.255.252
IPADDR=172.18.3.30
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=172.18.3.29
Connection to the internal LAN:
Code:
TYPE=Ethernet
DEVICE=eth1
HWADDR=xx:xx:xx:xx:xx:xx
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.254
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
resolv.conf file:
Code:
search tekorei.home
nameserver 127.0.0.1
named.conf file:
Code:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
query-source address * port 53;
listen-on { 127.0.0.1; 192.168.1.254; };
allow-query { 127.0.0.1; 192.168.1.0/24; };
..Deleted Content..
zone "internaldomain.home" IN {
type master;
file "data/internaldomain.home.zone";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "data/reverse.internaldomain.home.zone";
allow-update { none; };
};
..Deleted Content..
internaldomain.home.zone file:
Code:
;
$TTL 1D
@ IN SOA server.internaldomain.home. sysadmin.internaldomain.home. (
2007050301 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
IN NS server;
IN MX 10 server;
internaldomain.home. IN A 192.168.1.254;
server IN A 192.168.1.254;
www IN CNAME server;
ftp IN CNAME server;
mail IN CNAME server;
machine1 IN A 192.168.1.1;
machine2 IN A 192.168.1.2;
reverse.internaldomain.home.zone file:
Code:
;
$TTL 1D
@ IN SOA server.internaldomain.home. sysadmin.internaldomain.home. (
2007050301;
8H;
2H;
4W;
1D );
IN NS server.internaldomain.home.
254 IN PTR server.internaldomain.home.;
1 IN PTR machine1.internaldomain.home.;
2 IN PTR machine2.internaldomain.home.;
squid.conf file:
Code:
http_port 3128 transparent
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/spool/squid 3000 16 256
access_log /var/log/squid/access.log squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl all src 0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
# This one was set to "red1"; now it is correct thanks to acid_kewpie.
acl network1 src 192.168.1.0/255.255.255.0
always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow network1
http_access deny all
http_reply_access allow all
icp_access allow all
error_directory /usr/share/squid/errors/Spanish
coredump_dir /var/spool/squid
In the original file acl network1 is called acl red1, in Spanish; I translated it to English for you all.
It was a translation error. In the original file they are called acl red1 and http_access allow red1, sorry for this.
iptables config. The default policies are set to ACCEPT. No other rules are set besides these ones because I'm still working on the iptables rules to have the default policy set to DROP.
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.18.3.30
I have also configured the internal server for web pages (httpd), dovecot and sendmail for internal mail, and vsftpd. If needed I will post the config for each one of these services.
Can someone help?
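As an added example (not part of the original post, and not Squid's own tooling): a small Python script that parses Squid's native access.log format, the layout of the two lines quoted above, and counts TCP_DENIED hits per client and URL, so you can see at a glance which LAN hosts are falling through to http_access deny all. The two denied lines are taken from the post; the third (TCP_MISS) line is constructed for contrast.

```python
"""Parse Squid 'native' access.log lines and summarise TCP_DENIED hits per client."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Constructed sample: the two TCP_DENIED lines from the post plus one
# allowed (TCP_MISS) line invented for contrast, not from the original log.
SAMPLE_LOG = """\
1178674986.492 447 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.104 text/html
1178674988.571 668 192.168.1.2 TCP_DENIED/403 1346 GET http://www.google.com.py/ - DIRECT/64.233.161.147 text/html
1178674990.102 912 192.168.1.1 TCP_MISS/200 5122 GET http://www.google.com.py/ - DIRECT/64.233.161.104 text/html
"""

class Entry(NamedTuple):
    ts: datetime
    elapsed_ms: int
    client: str
    result: str   # Squid result code, e.g. TCP_DENIED
    status: int   # HTTP status, e.g. 403
    size: int
    method: str
    url: str
    ident: str    # rfc931 / ident field, '-' when unknown
    peer: str     # peerstatus/peerhost, e.g. DIRECT/64.233.161.104
    mime: str

def parse_line(line: str) -> Entry:
    """Split one native-format line; Squid pads fields with spaces, so split() is safe."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    return Entry(
        ts=datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
        elapsed_ms=int(f[1]), client=f[2], result=result, status=int(status),
        size=int(f[4]), method=f[5], url=f[6], ident=f[7], peer=f[8], mime=f[9],
    )

def parse_log(text: str) -> List[Entry]:
    """Parse every non-empty line of an access.log body."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def denied_by_client(entries: List[Entry]) -> Dict[str, Counter]:
    """Map client IP -> Counter of URLs the proxy answered with TCP_DENIED."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        if e.result == "TCP_DENIED":
            out[e.client][e.url] += 1
    return dict(out)
```

Run it against a real log with `denied_by_client(parse_log(open("/var/log/squid/access.log").read()))`; a client whose every request is denied usually means its address is not matched by the acl you allow before `deny all`.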