Trio3b, Posted February 8, 2006 (edited)

Running MDK 10.2 on both PCs and also installed squid-2.5.stable9-1.5.102.mdk on both PCs. This is squid.conf from PC2:

#  WELCOME TO SQUID 2
#  ------------------
#
#  This is the default Squid configuration file. You may wish
#  to look at the Squid home page (http://www.squid-cache.org/)
#  for the FAQ and other documentation.
#
#  The default Squid config file shows what the defaults for
#  various options happen to be. If you don't need to change the
#  default, you shouldn't uncomment the line. Doing so may cause
#  run-time problems. In some cases "none" refers to no default
#  setting at all, while in other cases it refers to a valid
#  option - the comments for that keyword indicate if this is the
#  case.
#

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#  Usage: port
#         hostname:port
#         1.2.3.4:port
#
#  The socket addresses where Squid will listen for HTTP client
#  requests. You may specify multiple socket addresses.
#  There are three forms: port alone, hostname with port, and
#  IP address with port. If you specify a hostname or IP
#  address, Squid binds the socket to that specific
#  address. This replaces the old 'tcp_incoming_address'
#  option. Most likely, you do not need to bind to a specific
#  address, so you can use the port number alone.
#
#  The default port number is 3128.
#
#  If you are running Squid in accelerator mode, you
#  probably want to listen on port 80 also, or instead.
#
#  The -a command line option will override the *first* port
#  number listed here. That option will NOT override an IP
#  address, however.
#
#  You may specify multiple socket addresses on multiple lines.
#
#  If you run Squid on a dual-homed machine with an internal
#  and an external interface we recommend you to specify the
#  internal address:port in http_port. This way Squid will only be
#  visible on the internal address.
#
#Default:
# http_port 3128

#  TAG: https_port
#  Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
#  The socket address where Squid will listen for HTTPS client
#  requests.
#
#  This is really only useful for situations where you are running
#  squid in accelerator mode and you want to do the SSL work at the
#  accelerator level.
#
#  You may specify multiple socket addresses on multiple lines,
#  each with their own SSL certificate and/or options.
#
#  Options:
#
#     cert=    Path to SSL certificate (PEM format)
#
#     key=     Path to SSL private key file (PEM format)
#              if not specified, the certificate file is
#              assumed to be a combined certificate and
#              key file
#
#     version= The version of SSL/TLS supported
#                  1 automatic (default)
#                  2 SSLv2 only
#                  3 SSLv3 only
#                  4 TLSv1 only

etc.......... this goes on for three pages.

________________________________________________________________________________

This is squid.conf from PC1:

[user@user2 squid]$ cat squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 100 16 256
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl mynetwork src 192.168.10.0/255.255.255.0
http_access allow mynetwork
http_access allow localhost
http_reply_access allow all
icp_access allow all
visible_hostname myfirewall@mydomain.com
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .gateway.2wire.net
err_html_text admin@mydomain.com
deny_info ERR_CUSTOM_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on

What am I missing? Why different files? I have read almost all of the squid howtos, but they all describe how to change three or four settings and don't explain squid usage in context or in relation to the hardware modem firewall, shorewall and dansguardian. They do not describe how to run it on a network. All PCs? Just the gateway? etc. Sorry, but it is very poor documentation. I would like to be able to understand these files but may have to start looking for a GUI solution. Are there any out there? Any help out there? Thanks

Edited February 8, 2006 by Trio3b
ianw1974, Posted February 8, 2006

First, you don't need squid on both machines. Squid is a proxy cache, therefore you configure one of the machines to use the cache on the other machine. Therefore one machine will do all the caching regardless of which machine browses, providing that each browser is pointing to the IP of the machine with squid on it, and port 3128.

Squid works using acls, or access control lists, to provide or prevent access to certain actions (eg: safe_ports allows you to access these ports, but nothing else unless you specify). Then after this you have the http_access command that gives access to specific machines or groups of machines, depending on how you set it up.

With Mandriva, you can urpmi drakwizard, then go into MCC/Configure Your Computer, and there is a Proxy Server wizard, so you can configure it with this if you're unsure of what to do. Afterwards, you'll have a basic configured squid proxy server.

I've configured a massive squid script with acls and access/deny configs and the config is huge. Bear in mind that the list is read top to bottom. So you want to give specific access first, and then deny everything at the bottom that doesn't conform to the rules mentioned earlier. If you block too much earlier, no one will be able to gain access.

If you want more info, please do post more on what you're trying to achieve, so I can try to help more.
Trio3b (Author), Posted February 8, 2006 (edited)

Thank you for the reply. I will try to be specific. If you could walk me through this it would be greatly appreciated.

1. Basically I am trying to use a web filter to protect a small home network from bad sites. I chose Dansguardian because it is the default in MDK and I read good reviews, but it indicates it needs Squid to operate.

2. This is my setup, with both PCs running MDK 10.2:

internet -> DSL modem (this is NOT a router but does have a hardware firewall) <-> eth1 <-> PC1 <-> eth0 <-> hub <-> eth0 <-> PC2

PC1 eth1 was set up w/MCC using DHCP.
PC1 eth0 and PC2 eth0 were set up static w/MCC using 192.168.10.1 and 192.168.10.2 respectively.
PC1 was set up as the gateway in the MCC wizards.

I have internet sharing set up and ssh working between the two PCs. I have installed both squid and dansguardian on PC1 and PC2, but as per your advice have removed them from PC2 and am ready to alter squid.conf on PC1, but I really don't understand:

1. Some of the config choices seem contradictory.
2. Where do iptables, shorewall and the DSL modem firewall fit into the picture?

I notice many squid questions in several forums go unanswered. Maybe this topic is more complex than it appears. Hope you can help! Thanks

Edited February 8, 2006 by Trio3b
ianw1974, Posted February 8, 2006

OK, first things first. urpmi drakwizard and run through the wizard to get a basic config up for squid. This will at least get you running; then test this, and make sure squid is running correctly.

On PC2, in Connection Settings, choose Manual Proxy config, enter the IP of PC1 and port 3128. If you have a firewall installed on PC1, then you'll need to make sure that port 3128 is not being blocked by it.

Make sure squid is running:

service squid status

and if not, start it with:

service squid start

Test PC2, then check in /var/log/squid/access.log and see if you can see entries from PC2's IP address loading files up. Chances are that if the browser was working with the proxy config on PC2, then you will see entries here, and squid is working.

As it happens, I've not used dansguardian. I've used squidGuard, and configured this. Sometimes it can be a bit hit and miss, but it did work fine when I set it up a short while ago. I'm not sure how dansguardian works, whether it utilises squidGuard or not. You can check this, to see if squidGuard is installed on your machine or not.

Once you've done the basics and the squid proxy is working, we can then work on restricting access to various sites, or whatever. For achieving your blocking access, there are really only two sections we need to worry about. These are the acl and http_access sections. The acl creates the policy, and the http_access denies/grants access based on the acl.
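To make the two points in the replies above concrete (acl lines define the policy, http_access lines apply it, and the list is read top to bottom with the first matching line winning), here is a small evaluator added here as an illustration; it is not code from the thread or from Squid itself. It models the acl/http_access lines of the PC1 squid.conf posted at the top, with one assumption: an explicit trailing "deny all" line that the posted file does not have. The client and destination addresses in the tests are constructed.

```python
import ipaddress

# Constructed ACL table copied from the PC1 squid.conf posted in this thread:
# acl name -> (acl type, values). Only src/dst/port/method/proto types are modelled.
ACLS = {
    "all":          ("src", ["0.0.0.0/0"]),
    "manager":      ("proto", ["cache_object"]),
    "localhost":    ("src", ["127.0.0.1/32"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),
    "SSL_ports":    ("port", ["443", "563"]),
    "Safe_ports":   ("port", ["80", "21", "443", "563", "70", "210", "1025-65535", "280", "488", "591", "777"]),
    "CONNECT":      ("method", ["CONNECT"]),
    "mynetwork":    ("src", ["192.168.10.0/24"]),
}
# http_access lines in file order; a leading "!" negates that acl.
# The final "deny all" is an assumption added here; the posted file stops at "allow localhost".
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["to_localhost"]),
    ("allow", ["mynetwork"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

def request(src, port, method="GET", proto="http", dst="198.51.100.7"):
    """Build a request dict; dst defaults to a constructed documentation address."""
    return {"src": src, "dst": dst, "port": port, "method": method, "proto": proto}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req[kind])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single ports or lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    return req[kind] in values  # method / proto: exact match

def http_access(req, rules=HTTP_ACCESS):
    """First matching line wins; every acl on a line must match (AND).
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Passing HTTP_ACCESS[:-1] as the rules shows the posted file's behaviour without the explicit "deny all": an outside address is still denied, but only by the opposite-of-last-line default rather than by a line you can read in the file.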
Trio3b (Author), Posted February 9, 2006

Thanks for the reply. ....frustrated - I have been posting for weeks about this, and you are the first person to even suggest using drakwizard. It had not been installed, but is now.

Squid is running on PC1 and is set to port 3128 as per default. I had been reading about port 8080 but this failed so I went back to the default. OK, squid on PC1 passes the test.

On PC2 do you mean connection settings in Mozilla preferences for proxy settings, or in MCC? There are several places to alter connection settings in MCC. My internet connection on PC2 is now gone. Sorry, I need very explicit advice, but we have already made progress - Thanks
ianw1974, Posted February 9, 2006

You configure within the browser, so in Firefox, Edit > Preferences, and then in the Connection settings in here. Choose Manual, and then set it to go to PC1. I never configure proxy settings in MCC, other than using the drakwizard to get the basic config of squid running. After that, I edit my acls and access manually in the squid.conf file.
Trio3b (Author), Posted February 10, 2006

On PC2 I opened preferences in Firefox > selected connection settings > set to manual > set http:// to http;//192.168.10.1 port 3128. Log onto the home page > receive the error message "proxy you have setup could not be found".

Also, on PC1 there are 2 squid.conf files, one with ~; on PC2 there is just one squid.conf. Any reason? Thanks
ianw1974, Posted February 10, 2006

The squid.conf~ is a backup after the first one has been edited.

First check if squid is running:

service squid status
chkconfig --list squid

This will show if squid is running, and whether the service is set to "on" for runlevels 3 and 5, as well as the other runlevels, but 3 and 5 are the most important.

Now, if these say that squid is running, check that squid is listening for connections:

netstat -na | grep 3128

This will do a netstat and filter for port 3128. If nothing comes back, which it should do if the service is running, it should work. If not, then I suggest on PC1 to start from scratch doing this:

urpme squid
rm /etc/squid/squid.conf
urpmi squid

I would also remove squid from PC2 to save confusion, or disable the service using:

service squid stop
chkconfig squid off

Post back your results for the netstat if having problems, or try the remove, and post back after you've reinstalled it. After reinstallation, run the wizard for proxy config; it will default to port 3128 in the wizard anyway.
Trio3b (Author), Posted February 11, 2006 (edited)

OK, could not start squid, but modified squid.conf~ to port 3128 and here are the results:

Starting squid: .                                               [  OK  ]
[root@****2 squid]# chkconfig --list squid
squid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
[root@****2 squid]# netstat -na | grep 3128
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
[root@****2 squid]#

I know squid.conf~ is a backup, but why does it look so different and what is the relationship? I thought maybe squid.conf~ is the file without all the commented instructions? Hope this helps. Thanks

Edited February 11, 2006 by Trio3b
Trio3b (Author), Posted February 11, 2006 (edited)

OK, making progress. Stopped squid and dansguardian on PC2. Just on a hunch, under preferences > manual proxies, I filled in the http:// slot with this:

HTTP PROXY http://192.168.10.2 PORT 3128

Didn't work. Removed the http:// and I now have a 'net connection to PC2. OK, ssh is working and internet sharing is working.

1. As per the last post, am I correct in assuming squid.conf~ is a stripped-down version of squid.conf?
2. Also noticed that starting squid via the CL showed OK, but then viewing MCC services, squid was not started. I guess MCC is a frontend for config files, but the MCC GUI does not 'follow' files altered by the CL?
3. Where does shorewall fit into all of this?
4. Next: Squidguard, Dansguardian, or GuardDog on PC1 or PC2?

Thanks

Edited February 11, 2006 by Trio3b
ianw1974, Posted February 11, 2006

You only need squid on one machine, and let both machines use this proxy. This requires both machines to be on if squid is on PC1, else PC2 can't browse. shorewall is a firewall, which would secure your machine with all ports closed for incoming connections.
Trio3b (Author), Posted February 11, 2006

Will try poking around config files for a while. Thanks to ianw1974. Unfortunately, documentation leaves out most basic information. Fortunately, users can help other users.
ianw1974, Posted February 11, 2006

OK, let me know how you get on. If you have any probs, post your squid.conf and I'll take a look at it. Also post your IP range, eg, if using 192.168.1.0 or whatever. Specific IPs are not required, just the first part of the IP range, and what subnet mask is being used.
tr3s, Posted February 14, 2006

OK, here's what I did to enable internet connection sharing. It's very simple using MCC.

On pc1 (proxy server):
1. Go to Network & Internet (you do not need drakwizard, actually).
2. Click on "Share the internet connection with other local machines". Just follow the instructions. This will configure squid; you do not need to edit anything in the config files. Just click on the 'reconfigure' option during the process if you have already installed and configured squid manually.

On pc2 (client):
1. Just set your browser's proxy settings to whatever (local) IP address your proxy server has (e.g. 192.168.0.1, port 80 or 3128).

That's it for ICS. Web filtering with dansguardian or squidguard is the next step. Hope this helps.
Trio3b (Author), Posted February 16, 2006

Thanks. I had 'net sharing before, but when I installed squid it went away until I set the proxy in Firefox preferences. So I have it now. You are correct, web filtering off PC1 is next, to keep the kids off the stoooopid sites. Unfortunately, I will have to leave the PCs alone for a week or two due to other obligations. I'll be back. Thanks