LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
Old 12-15-2005, 07:22 PM   #1
Balkce
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Rep: Reputation: 0
Squid as Web Filter + Web Server in other machine


Hi,

I have gone to various forums, and I haven't gotten this answered thoroughly, so please bear with me.

I have a network that involves a gateway with FreeBSD on it and an internal Windows server running IIS (I know, I know, I hate it too, but it was part of the job) and some other services like Exchange. The server resides on the same subnetwork as the users' computers.

I have put Squid on the gateway as a web filter, but somehow, when I start the Squid service, I cannot access the web server that resides on the Windows box from outside the network, nor does it receive any mail from outside.

[EDIT: thanks to born4linux for the typo in the last paragraph]

I have read many HOWTOs, but Squid can do so much that right now I'm getting very confused with the terminology... so, my question is: is it possible for Squid to be on a gateway serving as just a web filter (if it's a web cache, I don't mind; better for me) and let packets go through to an internal server?

If so, my squid.conf is as follows:

http_port 3128
icp_port 3130
cache_swap_low 75
cache_swap_high 85
memory_pools off
cache_mgr admin@domain.com #changed for security reasons
maximum_object_size 4096 KB
cache_dir ufs /usr/local/squid/cache 50 16 256
cache_access_log /dev/null
cache_log none
cache_store_log /dev/null
logfile_rotate 7
client_netmask 255.255.255.0
visible_hostname gateway.domain.com #changed for security reasons

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

acl my_network src 192.168.3.0/255.255.255.0 #changed for security reasons
acl priviledge_user arp 00:01:02:03:04:05 #changed for security reasons
acl unpriviledge_user_with_mail arp 00:01:02:03:04:06 #changed for security reasons

acl SSLPORT port 443 563
acl SAFEPORT port 21 70 80 210 443 563 1025-65535
#ftp gopher http wais https snews unregistered
acl SAFEPORT port 280 #http-mgmt
acl SAFEPORT port 488 #gss-http
acl SAFEPORT port 591 #filemaker
acl SAFEPORT port 777 #multiling http
acl CONNECT method CONNECT

acl ADSDOM url_regex "/usr/local/etc/squid/block/blacklists/ads/domains"
acl ADSURL url_regex "/usr/local/etc/squid/block/blacklists/ads/urls"
acl AGGRESSIVEDOM url_regex "/usr/local/etc/squid/block/blacklists/aggressive/domains"
acl AGGRESSIVEURL url_regex "/usr/local/etc/squid/block/blacklists/aggressive/urls"
acl AVDOM url_regex "/usr/local/etc/squid/block/blacklists/audio-video/domains"
acl AVURL url_regex "/usr/local/etc/squid/block/blacklists/audio-video/urls"
acl DRUGDOM url_regex "/usr/local/etc/squid/block/blacklists/drugs/domains"
acl DRUGURL url_regex "/usr/local/etc/squid/block/blacklists/drugs/urls"
acl GAMBLINGDOM url_regex "/usr/local/etc/squid/block/blacklists/gambling/domains"
acl HACKDOM url_regex "/usr/local/etc/squid/block/blacklists/hacking/domains"
acl HACKURL url_regex "/usr/local/etc/squid/block/blacklists/hacking/urls"
acl MAILDOM url_regex "/usr/local/etc/squid/block/blacklists/mail/domains"
acl PORNDOM url_regex "/usr/local/etc/squid/block/blacklists/porn/domains"
acl PORNURL url_regex "/usr/local/etc/squid/block/blacklists/porn/urls"
acl PROXYDOM url_regex "/usr/local/etc/squid/block/blacklists/proxy/domains"
acl VIOLENCEDOM url_regex "/usr/local/etc/squid/block/blacklists/violence/domains"
acl WAREZDOM url_regex "/usr/local/etc/squid/block/blacklists/warez/domains"
acl WAREZURL url_regex "/usr/local/etc/squid/block/blacklists/warez/urls"

http_access allow manager localhost
http_access deny manager
http_access deny !SAFEPORT
http_access deny CONNECT !SSLPORT

http_access allow priviledge_user #name must match the acl defined above (was priviledged_user)
http_access allow unpriviledge_user_with_mail MAILDOM #same, was unpriviledged_user_with_mail
http_access deny all SPAMMER #SPAMMER is not defined by any acl line above; Squid will not start until it is
http_access deny all ADSDOM
http_access deny all ADSURL
http_access deny all AGGRESSIVEDOM
http_access deny all AGGRESSIVEURL
http_access deny all AVDOM
http_access deny all AVURL
http_access deny all DRUGDOM
http_access deny all DRUGURL
http_access deny all GAMBLINGDOM
http_access deny all HACKDOM
http_access deny all HACKURL
http_access deny all MAILDOM
http_access deny all PORNDOM
http_access deny all PORNURL
http_access deny all PROXYDOM
http_access deny all VIOLENCEDOM
http_access deny all WAREZDOM
http_access deny all WAREZURL
http_access allow demiurgo #demiurgo is not defined by any acl line above; Squid will not start until it is
http_access allow localhost
http_access allow my_network

http_access deny all

Last edited by Balkce; 12-17-2005 at 02:25 PM.
 
Old 12-17-2005, 04:00 AM   #2
BugZRevengE
Member
 
Registered: Oct 2005
Location: Australia
Distribution: Slackware & Kubuntu & CentOS
Posts: 106

Rep: Reputation: 17
You probably want to disable Squid's web server acceleration:
Quote:
httpd_accel_port 80
httpd_accel_host virutal
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
This is used to accelerate your web server by using Squid to pass traffic externally, caching dynamic content if possible. However, with your allow/deny rules this may ban traffic. Also, your Squid server may not know the address of the web server (I think you have to configure this, but I am not 100% sure - I have not really delved into Squid's acceleration features, but am fairly fluent with the others).
 
Old 12-17-2005, 02:25 PM   #3
Balkce
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Original Poster
Rep: Reputation: 0
Ban rules...

Thanks, revenge...

About the allow/deny rules, what are the specific ones that may be banning traffic from the outside? Or, what would be your suggestions for adding rules to allow traffic from the outside?

And, yes, I know that the web accelerator is on... my idea was to use the proxy as a web accelerator for my network to access the whole internet, making a HUGE cache... stupid, I know, but thus another reason to disable it, jeje.

I'll try and disable it and see what happens... thanks again for the help =)


PS: there's another typo in the squid.conf that I have corrected:

httpd_accel_host virutal

must be

httpd_accel_host virtual
 
Old 12-17-2005, 04:40 PM   #4
BugZRevengE
Member
 
Registered: Oct 2005
Location: Australia
Distribution: Slackware & Kubuntu & CentOS
Posts: 106

Rep: Reputation: 17
Squid has two purposes:
1. Web cache/proxy server
2. Web server accelerator

With number 1, clients on your network access the proxy server, requesting pages from it; it retrieves the pages from the internet, saves a copy (cache), and passes a copy to the client.
This is the most popular reason to use Squid. Being a caching proxy server, it does seem to accelerate the browsing experience, because if you or another client of the proxy server has visited a page, it serves the cached copy for you.

With number 2, clients on the internet access your web server via the Squid web accelerator. This works essentially as number 1, except that the clients are external to your network.

Configuration for 1 usually says anyone on my network can access anything on the internet, but no one externally can access the proxy server:
acl all src 0.0.0.0/0.0.0.0
acl LOCAL_NETWORK src 192.168.3.0/255.255.255.0
http_access allow LOCAL_NETWORK
http_access deny all

Configuration for 2 usually says anyone externally (or anywhere) can access only my web server, and again anyone internally can access anything:
acl all src 0.0.0.0/0.0.0.0
acl LOCAL_NETWORK src 192.168.3.0/255.255.255.0
acl WEB_SERVER dst 192.168.3.2/255.255.255.255 # <-- note this is a 'dst' (destination) type rule
http_access allow WEB_SERVER # acl names are case-sensitive and must match the lines above
http_access allow LOCAL_NETWORK
http_access deny all
Then you make sure your DNS for the web server points to the squid server.
Most people do not want to run Squid as a web server accelerator (2), only as a caching proxy server (1).

I hope this helps..
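The two rule sets in this reply, and the name mismatches in the original poster's config in post #1 (priviledge_user declared but priviledged_user used; SPAMMER and demiurgo used but never declared), can both be checked with a small model of Squid's first-match http_access evaluation. This is an added example written for this thread, not code from the thread or from the Squid project. It parses only src/dst ACLs (Squid 2.5 dotted-mask or CIDR form) and http_access lines, records other ACL types (arp, url_regex, port, method, proto) by name so that undefined references can be reported, treats those types as never matching, and uses constructed addresses: 192.168.3.0/24 for the LAN, 192.168.3.2 for the web server, and documentation ranges (198.51.100.0/24, 203.0.113.0/24) for outside hosts.

```python
"""Model Squid's http_access evaluation over a squid.conf subset.

Added example for this LinuxQuestions thread; not the thread's or the Squid
project's code.  Understands 'acl NAME src|dst <net>' (dotted-mask or CIDR),
other acl types by name only, and 'http_access allow|deny TERM [TERM...]'
where a TERM may be negated with '!'.  Sample configs and addresses are
constructed for the demonstration.
"""
import ipaddress


def parse_conf(text):
    """Return ({acl_name: (type, [networks])}, [(action, [(negated, name), ...]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop inline '#' comments
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 3:
            kind, nets = parts[2], []
            if kind in ("src", "dst"):
                # ipaddress accepts both 192.168.3.0/255.255.255.0 and 192.168.3.0/24
                nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], (kind, []))[1].extend(nets)
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def undefined_acls(acls, rules):
    """ACL names referenced by http_access but never declared; Squid refuses to start on these."""
    return sorted({name for _, terms in rules for _, name in terms if name not in acls})


def acl_matches(acl, request):
    """True if a src/dst ACL covers the request; other ACL types are not modelled and never match."""
    kind, nets = acl
    if kind not in ("src", "dst"):
        return False
    return any(ipaddress.ip_address(request[kind]) in net for net in nets)


def decide(acls, rules, request):
    """First-match evaluation as Squid does it: every term on a line must match for it to fire.
    If no line matches, Squid applies the opposite of the last line's action."""
    missing = undefined_acls(acls, rules)
    if missing:
        raise ValueError("undefined ACLs: " + ", ".join(missing))
    for action, terms in rules:
        if all(acl_matches(acls[name], request) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"


# Post #4's "configuration 1": caching proxy for the LAN only.
CACHE_ONLY = """
acl all src 0.0.0.0/0.0.0.0
acl LOCAL_NETWORK src 192.168.3.0/255.255.255.0
http_access allow LOCAL_NETWORK
http_access deny all
"""

# Post #4's "configuration 2" with consistent ACL names: one internal host reachable from outside.
ACCELERATOR = """
acl all src 0.0.0.0/0.0.0.0
acl LOCAL_NETWORK src 192.168.3.0/255.255.255.0
acl WEB_SERVER dst 192.168.3.2/255.255.255.255   # 'dst' rule: only this host is opened
http_access allow WEB_SERVER
http_access allow LOCAL_NETWORK
http_access deny all
"""

# Excerpt of the original poster's rules, reproducing the name-mismatch problem.
OP_EXCERPT = """
acl all src 0.0.0.0/0.0.0.0
acl my_network src 192.168.3.0/255.255.255.0
acl priviledge_user arp 00:01:02:03:04:05
http_access allow priviledged_user
http_access deny all SPAMMER
http_access allow demiurgo
http_access allow my_network
http_access deny all
"""

# Constructed requests: source address and destination address of each HTTP request.
REQUESTS = {
    "lan client to internet": {"src": "192.168.3.50", "dst": "203.0.113.10"},
    "outside visitor to web server": {"src": "198.51.100.7", "dst": "192.168.3.2"},
    "outside visitor to other site": {"src": "198.51.100.7", "dst": "203.0.113.10"},
}


def evaluate(conf_text):
    """Decision for every sample request under the given config."""
    acls, rules = parse_conf(conf_text)
    return {label: decide(acls, rules, req) for label, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, conf in (("cache only", CACHE_ONLY), ("accelerator", ACCELERATOR)):
        print(name, evaluate(conf))
    print("undefined in OP excerpt:", undefined_acls(*parse_conf(OP_EXCERPT)))
```

Running it shows the point of the two rule sets: under configuration 1 no line can ever admit a client outside 192.168.3.0/24, so an outside visitor to the web server is denied whatever the httpd_accel settings say, while configuration 2's `dst` ACL opens exactly one internal host and still denies outside clients trying to use the box as an open proxy. The undefined-ACL check reports priviledged_user, SPAMMER and demiurgo for the excerpt of post #1's config, which is why matching the names on the acl and http_access lines matters: Squid's ACL names are case-sensitive and it will not start with a reference it cannot resolve.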