LinuxQuestions.org - Linux - Security - www-proxy (https://www.linuxquestions.org/questions/linux-security-4/www-proxy-330144/)

metallica1973 06-03-2005 09:57 PM

www-proxy
 
I use squid as a www-proxy. My question is as such:

If my kids are on the internet and I want them off when I say so I have a problem. What I tried to do was issue the command rcsquid stop, and it says that it has shut down squid:

Sludge:/etc/squid # rcsquid stop
Shutting down WWW-proxy squid
Sludge:/etc/squid#


but they can still get to the internet, why is that?

uberNUT69 06-03-2005 11:51 PM

Are you sure that their browsers are configured for that proxy?
Assuming they have separate machines, rather than their own accounts
on your machine, try removing the gateway setting from their network settings.

metallica1973 06-05-2005 11:47 AM

Under Internet Explorer I specify the proxy as my 192.168.2.1 port 8080. If I delete that entry then they cannot get to the internet!

uberNUT69 06-05-2005 08:56 PM

I didn't say to delete the proxy setting, but the gateway setting.

ps. FYI squid's default port is 3128, not 8080.

metallica1973 06-06-2005 08:19 AM

If I took out the gateway IP then how is their machine going to route? I will just be able to operate internally. Please clarify your point. 3128 is the default port that squid is preset to. Why not 8080? Isn't it going to go through 8080 anyway when my proxy server requests cache pages anyway? I could always schedule to block IP in squid.conf at a certain time, but I just want to know why, if I down squid, they can still go to the Internet. That defeats the whole purpose of squid.

uberNUT69 06-14-2005 10:42 PM

Quote:

Originally posted by metallica1973
If I took out the gateway IP then how is their machine going to route? I will just be able to operate internally. Please clarify your point.
You haven't indicated if you are using a single machine, or if your squid proxy is on a separate machine.
If it is separate, removing the gateway will mean that your browsing machine will ONLY be able to access the net through the proxy. Many applications have settings for this.
If squid is on the same machine, then removing the gateway will mean squid can't reach the net either!

Quote:

3128 is the default port that squid is preset to. Why not 8080?
I didn't write squid! ... that being said... various 'other' proxy servers use that port ... maybe they wanted something else :).

Quote:

Isn't it going to go through 8080 anyway when my proxy server requests cache pages anyway?
Isn't what going where?
Do you mean when your browser requests pages from the proxy? If so, that will depend on how you have configured your browser!
If you mean when your proxy requests pages from the net, no ... unless you have an upstream proxy configured (ie. at your ISP).

Quote:

I could always schedule to block IP in squid.conf at a certain time, but I just want to know why, if I down squid, they can still go to the Internet. That defeats the whole purpose of squid.
It sounds like what you've done is installed squid, but not configured your browser to use it.
I can assure you that the default port is 3128.
If you have configured your browser, disabling your proxy WILL cut off net access.

If this is all running on the same machine, your browser should be set to use a proxy like:
http://localhost:3128
(or similar) ... and disregard my 'remove gateway suggestion'!

RijilV 06-15-2005 01:20 AM

have you verified that

1) squid is really off ( ps aux | grep squid )
2) your browser is really using the proxy? ( /path/to/your/access.log )

also, since it *looks* like you're running squid on your gateway, why don't you just run it in transparent proxy mode and you won't have to set up anything on the client machines... as it sounds like you have more than one computer with a web browser and only one computer running as the proxy... would be less work to set up the proxy correctly.

metallica1973 06-17-2005 04:03 PM

this is my network setup:

Linux router/http proxy/firewall
+++
+++
+++
DLINK wireless router
+++
+++
+++
Wireless PC++++++++++Wireless PC++++++++++++Wireless PC

I hope that gives you a better view of my network.

If I disable the "go through proxy" setting in Internet Explorer then they cannot get to the internet, but if I am on my Linux firewall/http proxy/router server and I shut down squid like: rcsquid stop
my kids are still able to browse the net. I hope this helps you understand. They shouldn't be able to do a freaking thing if I stop my proxy!

uberNUT69 06-17-2005 08:14 PM

OK, if
a) the wireless machines have IP addresses in the same subnet as your linux router (ie. linux router = 192.168.2.1, wireless#1=192.168.2.10 (for eg.)) then just delete the 'gateway' address in their network settings. They will still be able to reach everything in their own subnet, including the proxy, but nothing past that.

or

b) your wireless router has LAN and wireless as two subnets. Block http traffic (port 80 only) on your linux firewall. If you don't have a nice easy way to do that, try a rule something like (I'm guessing):
/sbin/iptables -A input -p tcp -s 192.168.2.0/24 -d 192.168.2.1/32 80 -j DENY -l


With either a or b, you should be able to turn the proxy off to stop all web traffic.
I am unsure why turning off the proxy still allows them to browse when their browsers are configured for the proxy (maybe Explorer falls back to non-proxy operation?), however, these suggestions should at least help you to isolate the problem. (ps. -l at end of iptables for "LOG":))

metallica1973 07-01-2005 10:05 PM

Is there a difference between a transparent proxy and an http proxy? Just another note: the other day I noticed that in Internet Explorer, if I changed the setting in the browser to auto configure or through proxy, they can STILL get to the internet. I will take out the gateway from my wireless clients and see if they can still get to the internet that way. I am still a little puzzled!

RijilV 07-02-2005 12:28 AM

so is there anything on the firewall that would prevent someone from making a connection to port 80 on the outside world? if not, they still will be able to use the iNterwEb and stuff. I guess my argument would be unless you're blocking outbound to port 80 it shouldn't matter if you have your proxy up or not. Moreover, just blocking http isn't going to do much if they start using IRC, aim, usenet, https, etc... you'd be better off with iptables.

uh what else... transparent proxy mode is cool... you should read up on it, basically you just redirect all outbound http connections to the squid cache which goes out and gets the webpages, so you never have to set up a client. there are lots of docs on the squid website. the iptables stuff is simple, just redirect stuff coming in on the internal interface going outbound port 80 to port <squid port>

again, is squid really off?

ps aux | grep squid
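An added example, not posted by anyone in this thread, that puts together RijilV's transparent-proxy redirect and the "block port 80 on the firewall" idea from uberNUT69's earlier post. The interface name, LAN subnet and squid port are assumed placeholders for the router described in the thread. The rules are printed first so they can be reviewed before being applied with root privileges; note that iptables has no DENY target and no -l flag (those are ipchains syntax), so the block uses DROP and a separate LOG rule instead.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules that make squid a
# transparent proxy on the Linux router AND drop any direct outbound port-80
# traffic, so that stopping squid really does stop web browsing.
# Assumed placeholders: eth1 = internal (LAN) interface, 192.168.2.0/24 = LAN,
# 3128 = squid's listening port (its default).

# Print the rules instead of running them, so they can be inspected first.
# Usage: transparent_proxy_rules <lan-interface> <lan-subnet> <squid-port>
transparent_proxy_rules() {
    lan_if=$1; lan_net=$2; squid_port=$3
    # 1. Send LAN web requests to the local squid before routing happens.
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port"
    # 2. Let LAN hosts reach squid itself (both redirected and explicitly-configured browsers).
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport $squid_port -j ACCEPT"
    # 3. Log, then drop, any port-80 traffic the router would otherwise forward
    #    directly (e.g. if the REDIRECT rule is ever flushed). iptables uses a
    #    LOG target rather than ipchains' -l flag, and DROP rather than DENY.
    echo "iptables -A FORWARD -i $lan_if -s $lan_net -p tcp --dport 80 -j LOG --log-prefix 'direct-http: '"
    echo "iptables -A FORWARD -i $lan_if -s $lan_net -p tcp --dport 80 -j DROP"
}

# Apply the generated rules (must run as root on the router).
apply_rules() {
    transparent_proxy_rules "$@" | while read -r rule; do
        eval "$rule"
    done
}

# The "is squid really off?" check from the thread, written so the grep does
# not match its own process: '[s]quid' matches "squid" but not "[s]quid".
# Returns 0 (true) if a squid process is running.
squid_running() {
    ps aux | grep '[s]quid' >/dev/null
}

# Dry run when executed directly:
transparent_proxy_rules eth1 192.168.2.0/24 3128
```

The router also needs packet forwarding enabled (net.ipv4.ip_forward=1) and squid configured to accept intercepted connections: on Squid 2.6 to 3.0 that is "http_port 3128 transparent", on 3.1 and later "http_port 3128 intercept". Only port 80 is covered, which is RijilV's point: HTTPS, IRC, IM and the rest still need their own FORWARD rules.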

uberNUT69 07-02-2005 01:05 AM

A transparent proxy operates on port 80, so that the clients don't set a proxy on their browser, but all requests actually go through the proxy anyway. This is an interesting way of doing it, but if/when your proxy kicks the bucket, you've got no backup. Personally I like to switch between proxy and no-proxy, but for your setup a transparent proxy might be the answer. I'd suggest you get it working on port 3128 first though.

I have to admit I'm still puzzled too! :) (You haven't confirmed a lot of my 'if-then' setups.)

To give an example using my setup (the proxy is on the gateway).
I have a client using a proxy with the following routing table.
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.0.133 0.0.0.0 UG 0 0 0 eth0
The 0.0.0.0 address (ie. everything) is available through my gateway (192.168.0.133 = an ipcop box running a proxy).

Let's just say, that I remove the default route through the gateway from the client:
# route del -net 0.0.0.0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
# ping google.com
connect: Network is unreachable
# ping -c 1 192.168.0.133
PING 192.168.0.133 (192.168.0.133) 56(84) bytes of data.
64 bytes from 192.168.0.133: icmp_seq=1 ttl=64 time=5.05 ms

Right! So now the client can't reach the net at all, but can reach the machine running the proxy.
Now I can turn the proxy on and off to allow/disallow net access for my client. And this is not just the browser, most net apps can be set to use a proxy.

Does that help to explain the concept better?

Good luck!
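An added example, not part of uberNUT69's post, that turns the routing-table demonstration above into a check an admin can run on a client: it reports "isolated" when the client has no default route but the proxy host is still on a directly connected subnet, "open" when a default route exists, and "proxy-unreachable" when the proxy is not on any attached network. The routing tables below are constructed to match the post's two route -n outputs; the proxy address 192.168.0.133 is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread): verify the "no default gateway"
# isolation from a client's `route -n` output.
# Constructed sample: the client's table AFTER `route del -net 0.0.0.0`.
SAMPLE_ISOLATED='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Constructed sample: the same client BEFORE the default route was removed.
SAMPLE_OPEN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.133   0.0.0.0         UG    0      0        0 eth0'

# Usage: isolation_status "<route -n output>" <proxy-ip>
# Prints: open | isolated | proxy-unreachable
isolation_status() {
    routes=$1; proxy=$2
    # Any row whose destination is 0.0.0.0 is a default route: the client can
    # reach everything through that gateway, proxy or not.
    if printf '%s\n' "$routes" | awk 'NR > 2 && $1 == "0.0.0.0" { found = 1 } END { exit !found }'; then
        echo open; return 0
    fi
    # Otherwise the proxy must sit inside a directly connected network
    # (Gateway 0.0.0.0). Masking is done arithmetically (portable awk has no
    # bitwise ops): for a contiguous mask, network = ip - (ip mod blocksize).
    if printf '%s\n' "$routes" | awk -v ip="$proxy" '
        function toint(a,   p, n, i) {
            split(a, p, "."); n = 0
            for (i = 1; i <= 4; i++) n = n * 256 + p[i]
            return n
        }
        NR > 2 && $2 == "0.0.0.0" && $1 != "0.0.0.0" {
            block = 4294967296 - toint($3)
            if (toint(ip) - (toint(ip) % block) == toint($1)) found = 1
        }
        END { exit !found }'; then
        echo isolated; return 0
    fi
    echo proxy-unreachable
}

# Run against a live client instead of the samples:  isolation_status "$(route -n)" 192.168.0.133
isolation_status "$SAMPLE_OPEN" 192.168.0.133      # open
isolation_status "$SAMPLE_ISOLATED" 192.168.0.133  # isolated
isolation_status "$SAMPLE_ISOLATED" 10.0.0.1       # proxy-unreachable
```

On a client with the iproute2 tools, "ip route del default" does what the post's "route del -net 0.0.0.0" does, and "ip route" prints the same table in a different layout, so the parser above is written for the route -n format shown in the post.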

metallica1973 07-11-2005 11:10 AM

I think I finally understand. Everything is controlled via iptables, in my configuration through port 80. So whether or not I enable the proxy setting on the browsers it will not make a difference, because I have specified in my iptables rule to proxy out through 80. Which method is more secure for my users? I understand that it is an easier configuration, but what about an http proxy where my users have to log in with a user name and password?
