LinuxQuestions.org
Old 12-27-2011, 03:34 AM   #1
tanin007
Tried many ways but squid server still won't start to block some specific websites


I installed a squid server on my server PC [I am using CentOS 5.5].
First I configured the squid server. I added these lines to the "/etc/squid/squid.conf" file:
Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 202.51.176.42 192.168.10.1/24
http_access allow localhost
http_access allow lan
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
Then I created a file "/etc/fw.proxy" and put these lines into it:
Code:
#!/bin/bash
# The script as posted used $INTERNET, $LAN_IN, $SQUID_SERVER and $SQUID_PORT without
# defining them. They are set here so the script runs as a unit: the interface names
# are placeholders (substitute the real ones), the proxy address and port are the
# ones named later in the thread.
INTERNET=eth0                # placeholder: interface facing the Internet
LAN_IN=eth1                  # placeholder: interface facing the LAN
SQUID_SERVER=192.168.10.1
SQUID_PORT=3128
# Flush all existing rules and user-defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections this box opened (covers UDP, DNS and passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
After that I ran these commands:
Code:
chmod +x /etc/fw.proxy
/etc/fw.proxy
service iptables save
chkconfig iptables on
/etc/init.d/squid restart
But I get this:
Code:
Stopping squid:                                            [FAILED]
init_cache_dir /var/spool/squid... Starting squid:         [FAILED]
In my "/var/log/messages" I find these three lines:
Code:
Dec 27 04:25:44 ns1 squid[8400]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8401]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8402]: Bungled squid.conf line 6: http_access allow localhost
Can anyone tell me how I can solve this problem?
 
Old 12-27-2011, 04:40 AM   #2
bathory
Quote:
In my "/var/log/messages" I find these three lines:

Dec 27 04:25:44 ns1 squid[8400]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8401]: Bungled squid.conf line 6: http_access allow localhost
Dec 27 04:25:44 ns1 squid[8402]: Bungled squid.conf line 6: http_access allow localhost
What is your squid version? On some older versions of squid, you have to define an ACL for localhost:
Code:
acl localhost src 127.0.0.1/32
So add the above line before line 6 and try to start squid to see what happens.

Regards
 
Old 12-27-2011, 05:15 AM   #3
tanin007
Error again

Thanks for your reply. This is my squid version:
Code:
Squid Cache: Version 2.6.STABLE21
I added this line before line 6, and my /etc/squid/squid.conf file now looks like this:
Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 202.51.176.42 192.168.10.1/24
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access allow lan
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
After that, I restarted the server with "/etc/init.d/squid restart" and again get an error like this:
Code:
Stopping squid:                                            [FAILED]
init_cache_dir /var/spool/squid... /etc/init.d/squid: line 62:  8768 Aborted                 $SQUID -z -F -D >> /var/log/squid/squid.out 2>&1
Starting squid: /etc/init.d/squid: line 42:  8769 Aborted                 $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
                                                           [FAILED]
And in my "/var/log/messages" file I get this:
Code:
Dec 27 06:06:53 ns1 squid[8842]: Could not determine fully qualified hostname.  Please set 'visible_hostname' 
Dec 27 06:06:55 ns1 squid[8843]: Could not determine fully qualified hostname.  Please set 'visible_hostname'
 
Old 12-27-2011, 05:55 AM   #4
bathory
Quote:
Dec 27 06:06:53 ns1 squid[8842]: Could not determine fully qualified hostname. Please set 'visible_hostname'
Dec 27 06:06:55 ns1 squid[8843]: Could not determine fully qualified hostname. Please set 'visible_hostname'
The error is self-explanatory: you need to set the visible_hostname to the FQDN of your box, e.g.
Code:
visible_hostname host.domain.com
BTW, better use the same FQDN you have in /etc/hosts.
 
Old 12-27-2011, 10:11 AM   #5
tanin007
Can you tell me where I add this line?

visible_hostname host.domain.com

 
Old 12-27-2011, 11:14 AM   #6
bathory
Quote:
Originally Posted by tanin007
Can you tell me where I add this line?

visible_hostname host.domain.com
You should add it to squid.conf.
 
Old 12-27-2011, 11:52 PM   #7
tanin007
Still not blocking facebook

Thanks, I added this line and the proxy server now runs successfully. But it still cannot block facebook. And when I run this proxy server it cannot open any web site. What can I do now?
 
Old 12-28-2011, 02:05 AM   #8
bathory
Quote:
Originally Posted by tanin007
Thanks, I added this line and the proxy server now runs successfully. But it still cannot block facebook. And when I run this proxy server it cannot open any web site. What can I do now?
I guess the sites you want to block are in the /etc/squid/blacklist_domains file. If that's the case, then you should put the
Quote:
http_access deny BLACKLIST_DOMAINS
before any "http_access ..." option.

Also, I don't think you want to use your squid in accelerator mode, so you don't need the four lines on top of squid.conf. Besides, these options are used for squid-2.4 and are deprecated in 2.6.
Read this to see what you need to change in order for squid to work in transparent mode.
 
Old 12-28-2011, 02:53 AM   #9
tanin007
Still not working

Thanks again for your reply. I fixed the squid.conf file with these lines:

Code:
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
http_port 3128 transparent
http_port 80 defaultsite=192.168.10.1
acl port80 port 80
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
http_access allow port80
#always_direct allow all
visible_hostname host.domain.com
acl localhost src 127.0.0.1/8
acl lan src 202.51.176.42 192.168.10.1/24
http_access allow localhost
http_access allow lan
And when I run squid it shows it started successfully, but still no website shows. I use defaultsite=192.168.10.1 because I share the network on 192.168.10.1, and 202.51.176.42 is my real IP. I do not understand what the problem is here.

 
Old 12-28-2011, 05:32 AM   #10
bathory
Quote:
And when I run squid it shows it started successfully, but still no website shows. I use defaultsite=192.168.10.1 because I share the network on 192.168.10.1, and 202.51.176.42 is my real IP. I do not understand what the problem is here.
What is the response you get from squid? If you don't get anything from squid, check your iptables rules.
You can also check the system and squid logs to see what is going on with your setup.
 
Old 12-29-2011, 12:02 AM   #11
tanin007
Thanks, it works fine now. But I am not able to block https://facebook.com. I found a tutorial about changing some settings and doing it this way:
Quote:
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
Quote:
acl CONNECT method CONNECT
acl BLACKLIST_DOMAINS dstdomain "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
http_access deny BLACKLIST_DOMAINS CONNECT
Can you help?
 
Old 12-29-2011, 01:54 AM   #12
bathory
Hi,

You cannot block https traffic in transparent mode.
If you want to stop your clients visiting such sites, you should use iptables to block port 80 and 443 outgoing connections and tell them to use your box as a (caching) proxy.
This way your rules should work.

Regards
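Added example (not from this thread and not Squid's own code): a small Python model of how Squid walks its http_access lines, written to show the two points bathory makes above. For post #8, it runs the deny-after-allow order from post #1 and the deny-first order from post #9 against the same request and shows that only the second blocks the blacklisted site, because Squid stops at the first http_access line whose ACLs all match and, when no line matches, applies the opposite of the last line. For posts #11 and #12, it runs the dstdomain/CONNECT variant against an explicit-proxy CONNECT (the hostname is in the request line, so it is denied) and against intercepted port-443 traffic (no hostname reaches the proxy, so no domain ACL can match), and also shows that a dstdomain entry without a leading dot matches only that exact name. The parser, the blacklist file contents and the client address 192.168.10.25 are constructed for the example; it models only the acl types used in the thread.

```python
import ipaddress
import re


def acl_matches(acl, req):
    """acl is (kind, values, ignore_case) for kind src, method, dstdomain or dstdom_regex."""
    kind, values, ignore_case = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        # strict=False accepts "192.168.10.1/24" (a host address) exactly as the thread writes it
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "method":
        return req["method"] in values
    host = req["host"]
    if host is None:  # intercepted TLS: no Host header and no CONNECT line, nothing to match
        return False
    if kind == "dstdom_regex":
        return any(re.search(v, host, re.IGNORECASE if ignore_case else 0) for v in values)
    if kind == "dstdomain":
        # "example.com" matches only that exact name; ".example.com" also covers every subdomain
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    raise ValueError("unsupported acl type: " + kind)


def parse_conf(text, files):
    """Parse acl and http_access lines; a quoted filename is read from the `files` dict."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            ignore_case = bool(args) and args[0] == "-i"
            args = args[1:] if ignore_case else args
            values = [v for a in args for v in (files[a.strip('"')] if a.startswith('"') else [a])]
            acls[name] = (kind, values, ignore_case)
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def decide(acls, rules, req):
    """First match wins; if no line matches, Squid applies the opposite of the last line."""
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Post #1's order (plus the localhost acl from post #3): the allow lines come first.
ALLOW_FIRST = """acl lan src 202.51.176.42 192.168.10.1/24
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access allow lan
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS"""
# The order post #8 asks for: the deny line before any other http_access line.
DENY_FIRST = """acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
acl localhost src 127.0.0.1/8
acl lan src 202.51.176.42 192.168.10.1/24
http_access allow localhost
http_access allow lan"""
# The dstdomain + CONNECT variant quoted in post #11, kept in deny-first order.
CONNECT_DENY = """acl CONNECT method CONNECT
acl BLACKLIST_DOMAINS dstdomain "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
http_access deny BLACKLIST_DOMAINS CONNECT
acl localhost src 127.0.0.1/8
acl lan src 202.51.176.42 192.168.10.1/24
http_access allow localhost
http_access allow lan"""
# Constructed stand-ins for the contents of /etc/squid/blacklist_domains.
PLAIN_FILE = {"/etc/squid/blacklist_domains": ["facebook.com"]}
DOTTED_FILE = {"/etc/squid/blacklist_domains": [".facebook.com"]}


def req(src, method, host):
    return {"src": src, "method": method, "host": host.lower() if host else None}


def run_scenarios(lan="192.168.10.25"):  # constructed LAN client address
    """Decision Squid would reach for each configuration/request pair discussed in the thread."""
    out = {}
    a, r = parse_conf(ALLOW_FIRST, PLAIN_FILE)
    out["allow_first_http"] = decide(a, r, req(lan, "GET", "www.facebook.com"))
    a, r = parse_conf(DENY_FIRST, PLAIN_FILE)
    out["deny_first_http"] = decide(a, r, req(lan, "GET", "www.facebook.com"))
    out["deny_first_other_site"] = decide(a, r, req(lan, "GET", "www.example.org"))
    out["deny_first_unknown_client"] = decide(a, r, req("10.0.0.5", "GET", "www.example.org"))
    a, r = parse_conf(CONNECT_DENY, DOTTED_FILE)
    # Explicit proxy: the browser sends "CONNECT www.facebook.com:443", so the name is visible.
    out["explicit_connect"] = decide(a, r, req(lan, "CONNECT", "www.facebook.com"))
    # Intercepted port-443 traffic: only TLS bytes arrive, so there is no name to match.
    out["intercepted_tls"] = decide(a, r, req(lan, "NONE", None))
    a, r = parse_conf(CONNECT_DENY, PLAIN_FILE)
    out["dstdomain_without_dot"] = decide(a, r, req(lan, "CONNECT", "www.facebook.com"))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} {verdict}")
```

Run it directly to print the verdict for each scenario. The practical reading matches the advice in the thread: put the deny line before the allow lines, write dstdomain entries as .facebook.com when subdomains should be covered, and for HTTPS make the clients use the proxy explicitly while blocking direct outbound 80/443 from the LAN with iptables (post #12), because only an explicit CONNECT request carries the hostname the ACL needs.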
 
  

