LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 10-02-2014, 04:12 AM   #1
staticN
LQ Newbie
 
Registered: Oct 2014
Posts: 3

Rep: Reputation: Disabled
Iptables help needed (Squid proxy, backend web-server)


Hello,

I'm new to networking in Linux and don't get along with iptables.

My setup is like this:
Code:
                                                             web/ftp-server
                                                            /
Modem - Gateway/Router - (eth1) Squid proxy (eth0) - Switch - Users
The modem connection has 1 static/public IP address.
I'm running Squid version 3.4.7, static IPs for eth1 and eth0. IP of eth1 is 192.168.1.7, for eth0 it is 192.168.0.9.
I have configured Squid as a non-transparent proxy, i.e. just "http_port 3128". Along with ACLs for inbound connections I have also defined a virtual host (the www server) name.domain.tld like this:
Code:
http_port 80 accel defaultsite=www.domain.tld
cache_peer IP_OF_BACKENDSERVER parent 8080 0 no-query no-digest originserver name=site_www
acl site_www_users dstdomain site1.domain.tld
cache peer_access site_www allow site_www_users
cache peer_access site_www deny all
What I am totally at a loss of understanding is this:

- How do I configure the iptables properly so that the proxy server is reachable from outside and also so that when someone enters site1.domain.tld it will reach the backend server?

- How do I configure IP tables so that I ensure that all outbound trafic leaves the correct ethernet interface?

I have read many iptable examples regarding this, but they have all included transparent proxies. I don't think I want a transparent proxy though, but maybe this would be required when reverse proxying for outbound connections is needed?

Anything/Everything unclear - don't hesitate to ask.
 
Old 10-03-2014, 04:47 AM   #2
staticN
LQ Newbie
 
Registered: Oct 2014
Posts: 3

Original Poster
Rep: Reputation: Disabled
To add,

I have tried with this, so that the following iptable NAT rule is applied:

Code:
-A PREROUTING -i eth1 -p tcp -m tcp --dport 82 -j DNAT --to-destination 192.168.0.99:3128
Squid is running on 192.168.0.99. The reason why it is port 82 is that I do not want to overrule the current live website running at another Windows server at port 80. The gateway/router redirects port 80 trafic to this Windows server, while I have set the gateway/router to redirect port 82 trafic to eth1 of the Squid proxy server (192.168.1.4).

In the example I used the format www.domain.tld as the dstdomain and defaultsite, so when I enter www.domain.tld:82 I would reach IP_OF_BACKENDSERVER at port 8080.
But I don't.

Instead, what I get is a Squid error page:
Code:
The following error was encountered while trying to retrieve the URL: /

    Invalid URL

Some aspect of the requested URL is incorrect.

Some possible problems are:

    Missing or incorrect access protocol (should be "http://" or similar)

    Missing hostname

    Illegal double-escape in the URL-Path

    Illegal character in hostname; underscores are not allowed.
From the LAN side I can access my vhosts without problems. Any hints? Or is this a hint that Squid just can't do what I want it to?
 
Old 10-27-2014, 04:34 AM   #3
staticN
LQ Newbie
 
Registered: Oct 2014
Posts: 3

Original Poster
Rep: Reputation: Disabled
For someone else looking for a solution, here's what I did:

1) Learn IPtables and do some more drawings of what I needed.
2) Use Squid for inbound traffic and Apache vhosts for outbound.

Basically what I did was to leave Squid alone and only listen on port 3128 on eth0, by specifying "http_port <internal_ip>:3128". This makes locally available vhosts possible to reach for inbound/LAN connections.

I installed Apached, and created a bunch of vhosts in apache listening at port 8030. I preroute trafic from eth1 at ports 80 to port 8030.
If anyone has any questions or similar setup issues, just ask in this thread, and maybe I can help.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to run Squid tranparent and web proxy squid in same server baskarang Linux - Server 3 09-09-2012 11:41 PM
Configure Squid proxy to point to a central policy web server dwarka13 Linux - Server 1 11-10-2010 05:31 PM
allow only two web sites access by squid proxy server singh_chitranjan Linux - Server 1 05-19-2010 09:16 AM
squid as Web proxy server in linux world salimshahzad Linux - Newbie 2 02-01-2010 05:57 AM
iptables rule to ignore squid proxy server satish Linux - Networking 4 07-02-2008 07:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration