LinuxQuestions.org

Forum: Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
Thread: Try many way but not yet start squid server to block some specific website (http://www.linuxquestions.org/questions/linux-server-73/try-many-way-but-not-yet-start-squid-server-to-block-some-specific-website-920680/)

tanin007 12-27-2011 04:34 AM

Try many way but not yet start squid server to block some specific website
 
I installed a squid server on my server PC [I am using CentOS 5.5].
First I configured the squid server. I added these lines to the "/etc/squid/squid.conf" file:
Code:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 202.51.176.42 192.168.10.1/24
http_access allow localhost
http_access allow lan
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS

Then I created a file "/etc/fw.proxy" and put these lines into it.
Code:

#!/bin/sh
# The posted script used $INTERNET, $LAN_IN, $SQUID_SERVER and $SQUID_PORT
# without defining them; set them for your box (the values below are placeholders,
# the LAN address is assumed from the 192.168.10.1 used later in the thread).
INTERNET=eth0              # interface towards the Internet
LAN_IN=eth1                # interface towards the LAN
SQUID_SERVER=192.168.10.1  # LAN address of the squid box
SQUID_PORT=3128
# Flush all existing rules and user chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies to connections we started (DNS answers, passive FTP data, ...)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

After that I ran these commands:
Code:

chmod +x /etc/fw.proxy
/etc/fw.proxy
service iptables save
chkconfig iptables on
/etc/init.d/squid restart

But I get this:
Code:

Stopping squid:                                            [FAILED]
init_cache_dir /var/spool/squid... Starting squid:        [FAILED]

In my "/var/log/messages" I find these three lines:
Code:

Dec 27 04:25:44 ns1 squid[8400]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8401]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8402]: Bungled squid.conf line 6: http_access allow localhost

Can anyone tell me how I can solve this problem?

bathory 12-27-2011 05:40 AM

Quote:

In my "/var/log/messages" i find this three line:

Dec 27 04:25:44 ns1 squid[8400]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8401]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8402]: Bungled squid.conf line 6: http_access allow localhost
What is your squid version? On some older versions of squid, you have to define an ACL for localhost:
Code:

acl localhost src 127.0.0.1/32

So add the above line before line 6 and try to start squid to see what happens.

Regards

tanin007 12-27-2011 06:15 AM

Again error
 
Thanks for your reply. This is my squid version:
Code:

Squid Cache: Version 2.6.STABLE21

I added this line before line 6. My /etc/squid/squid.conf file now looks like this:
Code:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 202.51.176.42 192.168.10.1/24
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access allow lan
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS

After that, I restarted squid with "/etc/init.d/squid restart" and got this error again:
Code:

Stopping squid:                                            [FAILED]
init_cache_dir /var/spool/squid... /etc/init.d/squid: line 62:  8768 Aborted                $SQUID -z -F -D >> /var/log/squid/squid.out 2>&1
Starting squid: /etc/init.d/squid: line 42:  8769 Aborted                $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
                                                          [FAILED]

And in my "/var/log/messages" file I get this:
Code:

Dec 27 06:06:53 ns1 squid[8842]: Could not determine fully qualified hostname.  Please set 'visible_hostname'
Dec 27 06:06:55 ns1 squid[8843]: Could not determine fully qualified hostname.  Please set 'visible_hostname'


bathory 12-27-2011 06:55 AM

Quote:

Dec 27 06:06:53 ns1 squid[8842]: Could not determine fully qualified hostname. Please set 'visible_hostname'
Dec 27 06:06:55 ns1 squid[8843]: Could not determine fully qualified hostname. Please set 'visible_hostname'
The error is self-explanatory: you need to set visible_hostname to the FQDN of your box, e.g.
Code:

visible_hostname host.domain.com

BTW, better use the same FQDN you have in /etc/hosts.

tanin007 12-27-2011 11:11 AM

Can you tell me where I add this line?

visible_hostname host.domain.com

bathory 12-27-2011 12:14 PM

Quote:

Originally Posted by tanin007 (Post 4559362)
Can you tell me where I add this line?

visible_hostname host.domain.com

You should add it in squid.conf.

tanin007 12-28-2011 12:52 AM

Yet not block facebook
 
Thanks, I added this line and the proxy server now runs successfully. But it still cannot block facebook. And when I run this proxy server it cannot open any web site. What can I do now?

bathory 12-28-2011 03:05 AM

Quote:

Originally Posted by tanin007 (Post 4559765)
Thanks, I added this line and the proxy server now runs successfully. But it still cannot block facebook. And when I run this proxy server it cannot open any web site. What can I do now?

I guess the sites you want to block are in the /etc/squid/blacklist_domains file. If that's the case, then you should put the
Quote:

http_access deny BLACKLIST_DOMAINS

before any "http_access ..." option.

Also, I don't think you want to use your squid in accelerator mode, so you don't need the four lines on top of squid.conf. Besides, these options are used for squid-2.4 and are deprecated in 2.6.
Read this to see what you need to change in order for squid to work in transparent mode.

tanin007 12-28-2011 03:53 AM

Yet not work
 
Thanks again for your reply. I fixed the squid.conf file with these lines:

Code:

#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
http_port 3128 transparent
http_port 80 defaultsite=192.168.10.1
acl port80 port 80
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
http_access allow port80
#always_direct allow all
visible_hostname host.domain.com
acl localhost src 127.0.0.1/8
acl lan src 202.51.176.42 192.168.10.1/24
http_access allow localhost
http_access allow lan

And when I run squid it shows it started successfully, but it still does not show any website. I use defaultsite=192.168.10.1 because I share the network through 192.168.10.1, and 202.51.176.42 is my real IP. I do not understand what the problem is here.

bathory 12-28-2011 06:32 AM

Quote:

And when I run squid it shows it started successfully, but it still does not show any website. I use defaultsite=192.168.10.1 because I share the network through 192.168.10.1, and 202.51.176.42 is my real IP. I do not understand what the problem is here.
What is the response you get from squid? If you don't get anything from squid, check your iptables rules.
You can also check the system and squid logs to see what is going on with your setup.

tanin007 12-29-2011 01:02 AM

Thanks, it works fine now. But I am not able to block https://facebook.com. I found some tutorials about changing some settings and doing it this way:
Quote:

acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS

Quote:

acl CONNECT method CONNECT
acl BLACKLIST_DOMAINS dstdomain "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
http_access deny BLACKLIST_DOMAINS CONNECT

Can you help?

bathory 12-29-2011 02:54 AM

Hi,

You cannot block https traffic in transparent mode.
If you want to stop your clients visiting such sites, you should use iptables to block port 80 and 443 outgoing connections and tell them to use your box as a (caching) proxy.
This way your rules should work.

Regards
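As an added example (not code from the thread or from squid itself), a small Python model of squid's first-match http_access evaluation over the ACLs used in this thread. It shows why the deny line has to come before "allow lan", and why a CONNECT to an HTTPS site can only be denied when the client sends it to squid explicitly: in transparent mode only port 80 is redirected, so the request never arrives and no ACL is evaluated. The blacklist contents, client addresses and interface-free request dictionaries are constructed.

```python
import ipaddress
import re
# Added example, not squid code: a model of squid's http_access evaluation
# over the ACLs from this thread. The blacklist contents are assumed; the
# thread never shows /etc/squid/blacklist_domains.
BLACKLIST_DOMAINS = [r"facebook\.com"]

ACLS = {
    "localhost": ("src", ["127.0.0.1/32"]),
    # 192.168.10.1/24 as written in the thread; squid masks it to 192.168.10.0/24
    "lan": ("src", ["202.51.176.42", "192.168.10.1/24"]),
    "BLACKLIST_DOMAINS": ("dstdom_regex", BLACKLIST_DOMAINS),
    "CONNECT": ("method", ["CONNECT"]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdom_regex":  # the thread uses -i, so match case-insensitively
        return any(re.search(v, req["host"], re.IGNORECASE) for v in values)
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unknown acl type {kind}")

def http_access(rules, req):
    """First rule whose ACLs all match decides. If nothing matches, squid
    applies the opposite of the last rule's action, so ending the list with
    'allow lan' denies everyone else."""
    for action, acl_names in rules:
        if all(acl_matches(n, req) for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Order from the opening post: 'allow lan' is hit before the deny line.
ORIGINAL = [("allow", ["localhost"]), ("allow", ["lan"]), ("deny", ["BLACKLIST_DOMAINS"])]
# Order from the reply, plus the CONNECT line from the quoted tutorial.
FIXED = [("deny", ["BLACKLIST_DOMAINS"]), ("deny", ["BLACKLIST_DOMAINS", "CONNECT"]),
         ("allow", ["localhost"]), ("allow", ["lan"])]

if __name__ == "__main__":
    fb_get = {"src": "192.168.10.5", "host": "www.facebook.com", "method": "GET"}
    fb_tls = {"src": "192.168.10.5", "host": "www.facebook.com", "method": "CONNECT"}
    outsider = {"src": "10.9.8.7", "host": "example.org", "method": "GET"}
    print(http_access(ORIGINAL, fb_get))  # allow: the LAN rule matched first
    print(http_access(FIXED, fb_get))     # deny
    print(http_access(FIXED, fb_tls))     # deny, but only when the CONNECT reaches squid
    print(http_access(FIXED, outsider))   # deny: nothing matched, last rule was allow
```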

