cache not working in squid
I was trying to set up squid (transparent) to learn, and later on set up dansguardian. My PC is hardwired to a router (Linksys) and the Linksys is connected to a cable modem. I understand that I can only cache stuff on this computer and not the entire LAN due to the way I have it wired.
I don't get any errors in the cache.log but there's no address listed after "accepting transparently proxied http connections" which concerns me.
Code:
2007/09/22 16:43:35| Starting Squid Cache version 2.6.STABLE14 for i486-slackware-linux-gnu...
Code:
bash-3.1# cat squid.conf
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
So, if there's someone willing to read through this and point me in the right direction it would be greatly appreciated. Thanks in advance for any help.
Just using the browser on the same machine is not going to cache anything, because the source port is not 80, so it will never proxy or cache anything on that machine in transparent mode. While in transparent mode you can still use it as an explicit proxy. Normally you have an L4 switch or a Cisco switch that can redirect traffic based on port numbers, or on Cisco using WCCP. Unless you have the network hardware to support a transparent proxy I would only use it as an explicit proxy.
slimm609,
I did as you suggested and set squid up as a normal proxy and it worked just like it was supposed to. Of course, since this is a learning exercise, I'm not done yet. You totally lost me with the "explicit proxy", so now I've got to try to understand proxy types. I was under the impression that if I used iptables correctly to redirect port 80 to 3128, which is the squid port, it would work in transparent mode. Any ideas on whether that is possible? Thanks again.
An explicit proxy is when you configure the browser to use that as a proxy. For a transparent proxy you need somewhere to get the users' traffic to the proxy server.
You are using iptables to redirect traffic to squid, but this command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
will not redirect local traffic (generated by a local process) to squid, because squid is a local process too. The PREROUTING chain is placed after the network interface, but before local processes. But you need to redirect traffic from a local process (the browser) to a local process (squid). You can do this by setting proxy settings in your browser. Or you can try to redirect traffic with this:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
All requests on port 80 will go to port 3128 on the local machine. But that is not all. If you do so, all requests from squid to port 80 will go back to squid on port 3128, and it will be a cycle. You will need to think about the ports that squid uses to send requests. If the browser, for example, sends requests from local ports 1000-2000, but squid uses another range of ports for this, let it be for example 5000-10000, you can use this to split the requests:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m multiport --sports 1000:2000 -j REDIRECT --to-port 3128
I'm not sure that the browser and squid use different ports to send requests, but you can try. In short - your trouble is in iptables. For complete information on iptables you'd better go here: http://iptables-tutorial.frozentux.net/ Hope I was useful :)
And some more... In your squid cache.log there is a string:
Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.
This tells you that squid is listening on all interfaces available in your system. For security reasons you'll need to change the IP on which squid is listening for connections. If there is 0.0.0.0 - squid is listening on all interfaces!!! If your machine is on the internet, all users from the internet can access squid and use it for their own needs. I've already made this mistake - 180Mb of my own traffic (I'm paying by the megabyte to my provider) was used by somebody from Cali :( They used my squid as an anonymous proxy to hide their IP or something like that. So change the listen address to your private network, for example 192.168.0.1 or something like this.
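The listen-address problem above is easy to check without reading the whole config: the cache.log startup line already says where squid is bound. The following shell snippet is an added example, not code from the thread; it parses that log line (the sample lines below are constructed to match the 2.6 format quoted above) and flags a wildcard bind. The private-range list and the assumed log format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit Squid's listen address from the
# "Accepting ... HTTP connections at <ip>, port <port>, FD <n>." line that
# Squid 2.6 writes to cache.log at startup (format assumed from the thread).
# A wildcard bind (0.0.0.0) on an Internet-facing host is an open-proxy risk.

# Constructed sample lines standing in for cache.log entries.
SAMPLE_BAD='2007/09/22 16:43:35| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.'
SAMPLE_OK='2007/09/22 16:43:35| Accepting transparently proxied HTTP connections at 192.168.0.1, port 3128, FD 12.'

# Print "<ip> <port>" extracted from one "Accepting ... connections" log line.
listen_addr_of() {
    printf '%s\n' "$1" | sed -n 's/.*connections at \([0-9.]*\), port \([0-9]*\),.*/\1 \2/p'
}

# Return 0 when the listen address is loopback or RFC 1918 private space,
# 1 when it is the wildcard 0.0.0.0 or any other (assumed public) address,
# 2 when the line carries no listen address at all.
check_listen_addr() {
    addr=$(listen_addr_of "$1" | cut -d' ' -f1)
    case "$addr" in
        0.0.0.0)  echo "EXPOSED: Squid listens on all interfaces" >&2; return 1 ;;
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        "")       echo "no listen line found" >&2; return 2 ;;
        *)        echo "EXPOSED: Squid listens on $addr" >&2; return 1 ;;
    esac
}

# Scan a real log file, e.g.: check_squid_log /var/log/squid/cache.log
# Exits non-zero as soon as one listener is exposed.
check_squid_log() {
    grep 'HTTP connections at' "$1" | while IFS= read -r line; do
        check_listen_addr "$line" || exit 1
    done
}
```

If the check reports EXPOSED, the fix in Squid 2.6 is to bind to the LAN address in squid.conf (`http_port 192.168.0.1:3128 transparent`) and to keep `http_access` rules that only allow your own network; a host firewall rule dropping inbound 3128 on the WAN interface is a second line of defence.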
mbmx:
Thanks for your reply; I was reading over some old posts when I saw it. I did manage to get squid working with the following iptables rules.
Code:
iptables -t nat -A OUTPUT -p TCP --dport 80 -m owner --uid-owner squid -j ACCEPT
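Putting mbmx's OUTPUT-chain redirect and the owner-match exemption from the last post together, the whole single-host setup comes down to two nat rules whose order matters. The script below is an added example, not code from the thread; it assumes squid runs as the Unix user `squid` on port 3128 (as in the rule above) and that the machine only proxies its own traffic. `DRY_RUN` and the variable names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): send a local browser's port-80 traffic
# to Squid on 127.0.0.1:3128 without looping Squid's own upstream requests.
# Assumptions: Squid runs as user "squid", listens on 3128, and this is a
# single host (no LAN clients behind it, so PREROUTING is not involved).
# Set DRY_RUN=1 to print the iptables commands instead of running them.

IPTABLES="${IPTABLES:-iptables}"
SQUID_USER="${SQUID_USER:-squid}"
SQUID_PORT="${SQUID_PORT:-3128}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat OUTPUT rules in evaluation order. iptables stops at the first match, so
# Squid's own outbound port-80 connections must be ACCEPTed (left untouched)
# before the generic REDIRECT; otherwise Squid's upstream fetches are sent
# back to Squid on 3128 and the request loops forever.
local_transparent_rules() {
    cat <<EOF
-t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j ACCEPT
-t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
}

apply_rules() {
    local_transparent_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule into arguments is intended
        run $IPTABLES $rule
    done
}

# Sanity check usable without root: the owner exemption must precede the REDIRECT.
check_rule_order() {
    accept_line=$(local_transparent_rules | grep -n -- "--uid-owner $SQUID_USER -j ACCEPT" | cut -d: -f1)
    redirect_line=$(local_transparent_rules | grep -n -- "-j REDIRECT" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$redirect_line" ] && [ "$accept_line" -lt "$redirect_line" ]
}

# Usage: sh local-squid-redirect.sh apply   (as root; DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
    check_rule_order || { echo "rule order wrong: ACCEPT must come before REDIRECT" >&2; exit 1; }
    apply_rules
fi
```

The owner match is what makes this safe on one box: the browser's connections (any other uid) fall through to the REDIRECT, while Squid's own fetches, identified by uid rather than by the fragile source-port ranges discussed earlier, go straight out. After applying, `iptables -t nat -L OUTPUT -n -v` should show the ACCEPT counter climbing only when Squid fetches from upstream.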