
Squid help


Trio3b
I am running MDK 10.2 on both PCs and have also installed squid-2.5.stable9-1.5.102.mdk on both PCs.

This is squid.conf from PC2

 

 

# WELCOME TO SQUID 2
# ------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# TAG: http_port
# Usage: port
# hostname:port
# 1.2.3.4:port
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
# address. This replaces the old 'tcp_incoming_address'
# option. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# The default port number is 3128.
#
# If you are running Squid in accelerator mode, you
# probably want to listen on port 80 also, or instead.
#
# The -a command line option will override the *first* port
# number listed here. That option will NOT override an IP
# address, however.
#
# You may specify multiple socket addresses on multiple lines.
#
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
#Default:
# http_port 3128

# TAG: https_port
# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
# The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
# Options:
#
# cert= Path to SSL certificate (PEM format)
#
# key= Path to SSL private key file (PEM format)
# if not specified, the certificate file is
# assumed to be a combined certificate and
# key file
#
# version= The version of SSL/TLS supported
# 1 automatic (default)
# 2 SSLv2 only
# 3 SSLv3 only
# 4 TLSv1 only

etc. This goes on for three pages.

________________________________________________________________________________

This is squid.conf from PC1

 

[user@user2 squid]$ cat squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 100 16 256
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl mynetwork src 192.168.10.0/255.255.255.0
http_access allow mynetwork
http_access allow localhost
http_reply_access allow all
icp_access allow all
visible_hostname myfirewall@mydomain.com
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .gateway.2wire.net
err_html_text admin@mydomain.com
deny_info ERR_CUSTOM_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on

 

 

What am I missing? Why are the files different?

I have read almost all of the Squid howtos, but they all describe how to change three or four settings and don't explain Squid usage in CONTEXT or in relation to the hardware modem firewall, shorewall and dansguardian. They do not describe how to run it on a network. All PCs? Just the gateway? etc.

Sorry, but it is very poor documentation. I would like to be able to understand these files, but I may have to start looking for a GUI solution. Are there any out there?

 

 

Any help out there?

Thanks

Edited by Trio3b

First, you don't need Squid on both machines. Squid is a proxy cache, so you configure one of the machines to use the cache on the other machine. One machine will then do all the caching, whichever machine browses, provided that each browser is pointing to the IP of the machine with Squid on it, and port 3128.

Squid works using ACLs (access control lists) to provide or prevent access to certain actions (e.g. Safe_ports allows you to access those ports, but nothing else unless you specify it). Then after this you have the http_access directive, which gives access to specific machines or groups of machines, depending on how you set it up.

With Mandriva, you can urpmi drakwizard, then go into MCC/Configure Your Computer, where there is a Proxy Server wizard, so you can configure it with this if you're unsure of what to do. Afterwards, you'll have a basically configured Squid proxy server.

I've configured a massive Squid script with ACLs and access/deny configs, and the config is huge. Bear in mind that the list is read top to bottom. So you want to give specific access first, and then deny everything at the bottom that doesn't conform to the rules mentioned earlier. If you block too much earlier, no one will be able to gain access.

 

If you want more info, please do post more on what you're trying to achieve, so I can try to help more.


Thank you for the reply. I will try to be specific. If you could walk me through this it would be greatly appreciated.

1. Basically I am trying to use a web filter to protect a small home network from bad sites. I chose Dansguardian because it is the default in MDK and I read good reviews, but it indicates it needs Squid to operate.

2. This is my setup; both PCs are running MDK 10.2.

internet -> DSL modem (this is NOT a router but does have a hardware firewall) <-> eth1 <-> PC1 <-> eth0 <-> hub <-> eth0 <-> PC2

PC1 eth1 was set up with MCC using DHCP.
PC1 eth0 and PC2 eth0 were set up static with MCC using 192.168.10.1 and 192.168.10.2 respectively.
PC1 was set up as the gateway in the MCC wizards. I have internet sharing set up and ssh working between the two PCs.

I have installed both squid and dansguardian on PC1 and PC2, but as per your advice I have removed them from PC2 and am ready to alter squid.conf on PC1. I really don't understand:

1. Some of the config choices seem contradictory.
2. Where do iptables, shorewall and the DSL modem firewall fit into the picture?

I notice many Squid questions in several forums go unanswered. Maybe this topic is more complex than it appears. Hope you can help!

thanks

Edited by Trio3b

OK, first things first.

urpmi drakwizard

and run through the wizard to get a basic config up for Squid. This will at least get you running; then test this and make sure Squid is running correctly. On PC2, in Connection Settings, choose Manual Proxy config, and enter the IP of PC1 and port 3128. If you have a firewall installed on PC1, then you'll need to make sure that port 3128 is not being blocked by it.

Make sure Squid is running:

service squid status

and if not, start it with:

service squid start

Test from PC2, then check /var/log/squid/access.log and see if you can see entries from PC2's IP address loading files. Chances are, if the browser was working with the proxy config on PC2, then you will see entries here and Squid is working.

As it happens, I've not used dansguardian. I've used squidGuard and configured this. It can sometimes be a bit hit and miss, but it did work fine when I set it up a short while ago. I'm not sure how dansguardian works, whether it utilises squidGuard or not. You can check this, to see if squidGuard is installed on your machine or not.

Once you've done the basics and the Squid proxy is working, we can then work on restricting access to various sites, or whatever. For blocking access, there are really only two sections we need to worry about. These are the acl and http_access sections. The acl creates the policy, and http_access denies/grants access based on the acl.

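The two replies above describe how Squid reads acl and http_access lines top to bottom and why a deny placed too early locks everyone out. The following is an added example written for this page, not code from the thread or from the Squid project: a small model of Squid's http_access evaluation (first fully matching line wins; if nothing matches, the opposite of the last line's action is applied, which is documented Squid behaviour). It is fed the access-control part of the PC1 squid.conf posted above, trimmed to fewer Safe_ports lines. Only the src, dst, port and method ACL types are modelled; the client and destination addresses in the requests are made up. Two things it shows that the thread only states in words: a request from outside 192.168.10.0/24 is denied by the PC1 file even though it has no explicit deny at the end (the last line is an allow, so the implicit default is deny), and moving "http_access deny all" above "http_access allow mynetwork" blocks the LAN.

```python
"""
Model of how Squid evaluates 'acl' and 'http_access' lines, to check the
effect of rule ORDER before a squid.conf goes live.  The first http_access
line whose terms all match decides; if no line matches, Squid applies the
opposite of the last line's action.  Only the src/dst/port/method ACL
types are modelled; the sample config is the access-control part of the
PC1 file posted in this thread (with fewer Safe_ports); requests are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    src: str                    # client address as Squid sees it
    dst_port: int               # origin-server port
    method: str = "GET"
    dst: str = "203.0.113.10"   # origin-server address (documentation range, made up)


def parse_config(text: str) -> Tuple[Dict[str, dict], List[Tuple[str, List[str]]]]:
    """Collect acl definitions (repeated lines accumulate) and http_access rules in file order."""
    acls: Dict[str, dict] = {}
    rules: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()       # drop trailing '# comment'
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], {"type": parts[2], "values": []})["values"] += parts[3:]
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl: dict, req: Request) -> bool:
    kind, values = acl["type"], acl["values"]
    if kind in ("src", "dst"):
        addr = ipaddress.IPv4Address(req.src if kind == "src" else req.dst)
        # IPv4Network accepts 1.2.3.0/24, 1.2.3.0/255.255.255.0 and bare hosts
        return any(addr in ipaddress.IPv4Network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")           # '80' or '1025-65535'
            if int(lo) <= req.dst_port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise NotImplementedError(f"acl type {kind!r} is not modelled here")


def evaluate(acls: Dict[str, dict], rules, req: Request) -> Tuple[str, str]:
    """Return (decision, reason) for one request, Squid-style."""
    if not rules:
        return "deny", "no http_access lines at all: Squid denies everything"
    for action, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            if acl_matches(acls[term.lstrip("!")], req) == negated:
                break                               # this term fails; try the next line
        else:
            return action, "matched 'http_access %s %s'" % (action, " ".join(terms))
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow",
            "no line matched; default is the opposite of the last rule (%s)" % last)


def decide(conf: str, req: Request) -> str:
    acls, rules = parse_config(conf)
    return evaluate(acls, rules, req)[0]


# Access-control part of the PC1 squid.conf from the thread (Safe_ports trimmed).
PC1_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl mynetwork src 192.168.10.0/255.255.255.0
http_access allow mynetwork
http_access allow localhost
"""
# What 'deny everything at the bottom' looks like: an explicit final rule.
SAFE_ORDER = PC1_CONF + "http_access deny all\n"
# The same 'deny all' placed ABOVE the allow: the LAN is locked out.
BAD_ORDER = PC1_CONF.replace("http_access allow mynetwork",
                             "http_access deny all\nhttp_access allow mynetwork")

if __name__ == "__main__":
    acls, rules = parse_config(PC1_CONF)
    for req in (Request("192.168.10.2", 80), Request("10.0.0.5", 80),
                Request("192.168.10.2", 25, "CONNECT"), Request("192.168.10.2", 443, "CONNECT")):
        print(req.src, req.method, req.dst_port, "->", *evaluate(acls, rules, req))
    print("deny all above the allow:", decide(BAD_ORDER, Request("192.168.10.2", 80)))
```

Relying on the implicit "opposite of the last rule" default is fragile: adding one more allow line at the bottom later keeps the default at deny, but ending the file with a deny line would silently flip it to allow. An explicit "http_access deny all" as the last line, as in SAFE_ORDER, is what the "deny at the bottom" advice means, and the model reports the same decisions for the LAN either way.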

Thanks for the reply. I'm frustrated: I have been posting for weeks about this, and you are the first person to even suggest using drakwizard. It had not been installed, but it is now.

Squid is running on PC1 and is set to port 3128 as per the default. I had been reading about port 8080, but this failed, so I went back to the default.
OK, Squid on PC1 passes the test.

On PC2, do you mean the connection settings in Mozilla preferences for proxy settings, or in MCC? There are several places to alter connection settings in MCC.

My internet connection on PC2 is now gone.

Sorry, I need very explicit advice, but we have already made progress. Thanks


You configure it within the browser, so in Firefox, Edit > Preferences, and then the Connection settings in there. Choose Manual, and then set it to go to PC1.

 

I never configure proxy settings in MCC, other than using the drakwizard to get the basic config of squid running.

 

After that, I edit my acl's and access manually in the squid.conf file.


On PC2 I opened Preferences in Firefox > selected Connection Settings > set to Manual > set http:// to http://192.168.10.1, port 3128.

Logged onto the home page > received the error message "proxy you have setup could not be found".

Also, on PC1 there are 2 squid.conf files, one with ~.
On PC2 there is just one squid.conf.

Any reason?

Thanks


The squid.conf~ is a backup made after the first one has been edited. First check if Squid is running:

service squid status
chkconfig --list squid

This will show if Squid is running, and whether the service is set to "on" for runlevels 3 and 5, as well as the other runlevels, but 3 and 5 are the most important.

Now, if these say that Squid is running, check that Squid is listening for connections:

netstat -na | grep 3128

This will run netstat and filter for port 3128. If a line comes back (which it should if the service is running), it should work. If not, then I suggest on PC1 starting from scratch by doing this:

urpme squid
rm /etc/squid/squid.conf
urpmi squid

I would also remove Squid from PC2 to save confusion, or disable the service using:

service squid stop
chkconfig squid off

Post back your results for the netstat if you're having problems, or try the remove and post back after you've reinstalled it. After reinstallation, run the wizard for proxy config; it will default to port 3128 in the wizard anyway.

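The netstat step above tells you more than whether a line comes back: the local address column shows which interface Squid is bound to. The default squid.conf comments quoted earlier on this page recommend binding http_port to the internal address on a dual-homed machine, and PC1 here has both a DSL-facing eth1 and the LAN eth0, so a socket on 0.0.0.0:3128 is also open on the modem side unless a firewall (the modem's, shorewall or iptables) stops it. The block below is an added example written for this page, not something from the thread or from Squid: it parses netstat output (the sample lines are constructed to look like the thread's output, and 192.168.10.1 is PC1's LAN address from the diagram above), classifies the binding, and offers a probe_proxy() that does from a client what the browser's manual proxy setting does, so "proxy could not be found" can be separated from an http_access denial.

```python
"""
What to read off 'netstat -na | grep 3128': is Squid listening, and on which
address?  NETSTAT_SAMPLE is constructed (shaped like the output in the thread);
192.168.10.1 is the proxy's internal address from the thread's diagram.
"""
import socket
from typing import List, Optional

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.1:3128       192.168.10.2:34012      ESTABLISHED
"""


def listening_addresses(netstat_output: str, port: int) -> List[str]:
    """Local addresses that have a TCP socket in LISTEN state on `port`."""
    found = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].startswith("tcp") and cols[-1] == "LISTEN":
            addr, _, lport = cols[3].rpartition(":")     # 'Local Address' column
            if lport == str(port):
                found.append(addr)
    return found


def assess_binding(addrs: List[str], internal_ip: str) -> str:
    """
    'not-listening'  : nothing on the port, so a browser reports the proxy as not found
    'all-interfaces' : 0.0.0.0 (or ::), i.e. open on the DSL-facing interface as well
    'internal-only'  : bound only to the LAN address and/or loopback
    'other'          : listening, but on an address that is neither of the above
    """
    if not addrs:
        return "not-listening"
    if any(a in ("0.0.0.0", "::") for a in addrs):
        return "all-interfaces"
    if all(a in (internal_ip, "127.0.0.1") for a in addrs):
        return "internal-only"
    return "other"


def probe_proxy(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """
    Connect to the proxy as a browser would and send one proxy-style request.
    Returns the status line Squid answers with (e.g. 'HTTP/1.0 403 Forbidden'
    when http_access denies the client), or None when the TCP connection itself
    fails: Squid not running, wrong address, or port 3128 blocked by a firewall.
    """
    request = (b"GET http://www.squid-cache.org/ HTTP/1.0\r\n"
               b"Host: www.squid-cache.org\r\n\r\n")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            first = sock.recv(512).split(b"\r\n", 1)[0]
    except OSError:
        return None
    return first.decode("ascii", errors="replace")


if __name__ == "__main__":
    addrs = listening_addresses(NETSTAT_SAMPLE, 3128)
    print("port 3128 listens on", addrs, "->", assess_binding(addrs, "192.168.10.1"))
    print("probe 192.168.10.1:3128 ->", probe_proxy("192.168.10.1", 3128))
```

On a gateway such as PC1 the outcome to aim for is "internal-only", which the default config comments on this page describe as writing "http_port 192.168.10.1:3128" instead of a bare "http_port 3128"; the http_access rules still apply on top of that, so an outside client that does reach the socket is denied rather than proxied, but not listening there at all is the simpler guarantee.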

OK, I could not start Squid, but I modified squid.conf~ to port 3128 and here are the results:

Starting squid: . [ OK ]
[root@****2 squid]# chkconfig --list squid
squid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@****2 squid]# netstat -na | grep 3128
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
[root@****2 squid]#

I know squid.conf~ is a backup, but why does it look so different and what is the relationship? I thought maybe squid.conf~ is the file without all the commented instructions?

Hope this helps.

Thanks

Edited by Trio3b

OK, making progress.

Stopped squid and dansguardian on PC2.
Just on a hunch, under preferences > manual proxies, I filled in the http:// slot with this:

HTTP PROXY http://192.168.10.2 PORT 3128 - didn't work.
Removed the http:// and I now have a 'net connection on PC2.

OK, ssh is working and internet sharing is working.

1. As per my last post, am I correct in assuming squid.conf~ is a stripped-down version of squid.conf?

2. I also noticed that starting Squid via the command line showed OK, but when viewing MCC services, Squid was not started.
I guess MCC is a frontend for config files, but the MCC GUI does not 'follow' files altered from the command line?

3. Where does shorewall fit into all of this?

4. Next: Squidguard, Dansguardian, or GuardDog on PC1 or PC2?

Thanks

Edited by Trio3b

You only need Squid on one machine, and let both machines use this proxy. This requires both machines to be on if Squid is on PC1; otherwise PC2 can't browse.

Shorewall is a firewall, which would secure your machine with all ports closed for incoming connections.


OK, let me know how you get on. If you have any problems, post your squid.conf and I'll take a look at it. Also post your IP range, e.g. whether you are using 192.168.1.0 or whatever. Specific IPs are not required, just the first part of the IP range and what subnet mask is being used.


OK, here's what I did to enable internet connection sharing. It's very simple using MCC.

On PC1 (proxy server):
1. Go to Network & Internet (you do not need drakwizard, actually).
2. Click on "Share the internet connection with other local machines" and just follow the instructions. This will configure Squid; you do not need to edit anything in the config files. Just click on the 'reconfigure' option during the process if you have already installed and configured Squid manually.

On PC2 (client):
1. Just set your browser's proxy settings to whatever (local) IP address your proxy server has (e.g. 192.168.0.1, port 80 or 3128).

That's it for ICS. Web filtering with dansguardian or squidguard is the next step.

Hope this helps.


Thanks, I had 'net sharing before, but when I installed Squid it went away until I set the proxy in Firefox preferences. So I have it now.

You are correct, web filtering off PC1 is next, to keep the kids off the stoooopid sites. Unfortunately, I will have to leave the PCs alone for a week or two due to other obligations. I'll be back.

Thanks
