I have recently set up Squid 2.5 Stable 6 running on FreeBSD box running 4.9
Everything is working, however I have all my client machines using an automatic configuration script, so that everyone has to pass through the Squid box to get to the Internet.
Since it is possible to connect using alternate browsers, is there a way to make the squid box a Default gateway, rather than my firewall? This way nobody will be able to bypass the proxy.
Currently my firewall is responsible for NAT and PAT... The firewall is a Cisco Pix 506.
Thanks in advance
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
This is the procedure necessary if there is a Cisco Router. I don't have a Cisco Router. I have a Cisco Pix 506 Firewall. The Firewall can not route any packets.
Currently the Firewall is setup to forward everything to the router of my ISP. The router is not under my control...
So essentially I need to understand how incoming requests to squid on Port 80 can be forwarded to squid port 3128 ?
Thanks,
just add another host_port directive:
http_port 80
see details on
http://squid.visolve.com/s
In that case use use
cache_effective_user username
cache_effective_group groupname
and start squid as root. It will start listenign on port 80 and change user on which squid will run. See details
http://squid.visolve.com/s
You may want to take a look at ipnat portion of the IPFilter code.
YourPrompt> man 8 ipnat
YourPrompt> man 5 ipnat
You'll have to build a kernel using a config with this line:
options IPFILTER
Then, you'd route your client PCs to the squid box, enable routing on the squid box (gateway_enable="YES" in /etc/rc.conf).
Reboot and set up an ipnat.conf file with an entry similar to the following:
rdr xx0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
Then "ipnat -f ipnat.conf"
Oh, you also need to build squid with the option "--enable-ipf-transparent"
This should give you the transparent redirection you're looking for.
Finally,
This is exactly what I am looking for. It is very clear and consise.
I am a newbie to FreeBSD, but I am doing well so far (I think). I understand your email but I have a few followup questions. Please forgive my ignorance
1. I have never rebuild the kernel before. I take it that all I need to do is add the line - options IPFILTER - to the kernel and recompile? Would you happen to have a document or a site that would detail exactly what needs to be done?
2. I take it that in the command
rdr xx0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
xx refers to my NIC. How can I find out what the name of my NIC is on my system?
3. I believe I did NOT create squid with --enable-ipf-transparent. so do I have to
./configure --enable-ipf-transparent
make
make all
All over again?
4. Is there anything that I would have to create i.e. an *.sh file so that certain daemons fire up automatically when the server is rebooted? I have created one for squid so that is launches automatically when the server is rebooted. I was wondering if this needs to be done for ipnat?
All over again?
1)
The definitive resource for kernel building is the FreeBSD handbook:
http://www.freebsd.org/doc
2) ifconfig will tell you what your network interface(s) is (are). If you have two, you want the rdr on the *inbound* interface (the one that faces the clients).
3) Yes, that's exactly correct. Don't forget make install.
4) ipnat is a kernel module and so will load itself once compiled in.
Good luck!
You will indeed have to create the /etc/ipnat.rules file yourself. (Ours is called ipnat.conf but I see that FreeBSD has standardized on ipnat.rules.)
You wiil also need to add the following in /etc/rc.conf:
ipnat_enable="YES"
This will cause it to load the rule(s) on startup. Sorry for the confusion.
I guess if you were to call it something other than ipnat.rules, you would have to add a separate line to the /etc/rc.conf like
ipnat_rules=/etc/ipnat.con
Either way, I added
ipnat_enable="YES" (I am curious. Does this mean that my FreeBSD box is doing NAT? My Cisco box currently does NAT and PAT for my network)
add I created the /etc/ipnat.rules with the following
rdr xxx 0/0 port 80 -> 127.0.0.1 port 3128 tcp
add life was good. Transparent proxy is working !!!! Thanks for all you help and pointing me in the right direction. I will add that up top of this you must make sure that the following exists within your squid.conf file for transparent proxy to work. (For anybody else who happens upon this post and is trying to set this up as well):
http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_head
Your FreeBSD box is using its NAT functionality to do the transparent redirection (those things happen at the same spot in the network stack and so are handled by the same code). Setting up an actual NAT would use the "map" ipnat ruletype instead of "rdr."
It is a sort of NAT if you think about it. Usually with NAT you have a client , the NAT, and a server. The NAT pretends to be the client while talking to the server. In this case, the NAT pretends to be the server while talking to the client. So it's really the same thing, just from a different perspective.
I don't think you need those squid.conf lines you quoted. Those are for reverse proxy (accel) configuration, which is something entirely different, and you are not running on port 8080.
In any case, I'm glad it's working for you.
I got this information right off the Squid website (See below)... I actually remed (#) those items to see if it made a difference and it did. The minute I disabled those tags, transparent proxy no longer worked. Either way, I appreciate all you help in getting this to work.
However, I have one problem now that I didn't have before. I created an acl to block all ports except 80 and 21. This worked prior to the setup of transparent proxy but now it no longer works.
acl !Safe_ports port 1-20
acl !Safe_ports port 22-79
acl !Safe_ports port 81-65535
http_access deny !Safe_ports
I have tried them in different areas in the squid.conf file but with no luck.. Is there something I am missing?
The http_port 8080 in this example assumes you will redirect incoming port 80 packets to port 8080 on your cache machine. If you are running Squid on port 3128 (for example) you can leave it there via http_port 3128, and redirect to that port via your IP filtering or forwarding commands.
In the httpd_accel_host option, virtual is the magic word!
The httpd_accel_with_proxy on is required to enable interception proxy mode; essentially in interception proxy mode Squid thinks it is acting both as an accelerator (hence accepting packets for other IPs on port 80) and a caching proxy (hence serving files out of cache.)
You must use httpd_accel_uses_host_head
Well here is the problem...
If I have my squid box as the default gateway then my rules to block these ports i.e 443 no longer work. However, if I put in the proxy setting in the web browser the ports are no blocked.
Since ports other than 80 are not capable of transparent proxy, I guess the ideal situation would be to setup the squid box as your default gateway, but at the same time configure the browser to the squid box as well. Is this the case? or am I totally off?
I did a little research and what I want to do is not possible since Squid is a HTTP proxy server, and can't be used to proxy other protocols.
However, implementing the transparent proxy combined with a Automatic Configuration script will allow you to make sure that nobody will be able to by-pass your proxy (See below for a sample configuration script). The language is java and you must save with this with a *.pac extension. Modify according to your environment.
function FindProxyForURL(url,host) {
if (url.substring(0,5) == "http:") {
return "PROXY xxx.xxx.xx.xx:3128; DIRECT";}
else if (url.substring(0,6) == "https:") {
return "PROXY xxx.xxx.xx.xx:3128; DIRECT";}
else {
return "DIRECT"; }
}
Wouldnt it be easiler to use ipchains and Squid together? no need to recompile anything for testing...
I remember my uni used to forward all port 80 access to a transparent cache/proxy and intentionally ban all outgoing traffic to non-80 ports. Problem... some webserver run on port 81, then access to those server will timeout.
cchinoy,
"I did a little research and what I want to do is not possible since ..."
What exactly u want to do??? I thought u only want to force all out-going port-80 access to firstly fetch from local proxy. You can do that quite easily without configurating any browser...
-Dan
Business Accounts
Answer for Membership
by: ramazanyichPosted on 2004-09-01 at 08:37:19ID: 11953854
It is described in SQUID FAQ: http://www.squid-cache.org