Linux Forums - Linux Help,Advice & support community:LinuxSolved.com

Linux in General => Linux Tutorials & How To's => Topic started by: Ricky on January 08, 2004, 05:45:12 PM

Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on January 08, 2004, 05:45:12 PM
Hello..
After loads of questions about squid I decided to write this tutorial..
Here we are going to do our job in two major steps.
(a) Configuring Squid Proxy
(b) Making squid work in Transparent way

So (a) is for those who want squid working and if you want squid in transparent way then go for (a) and (b) both.

But before making squid transparent make sure you have seen
NAT / Internet Sharing in Linux How to (http://www.linuxsolved.com/linux-forums/internet-sharing-in-linux-nat-how-to-t115.0.html)


Part (a)
Configuring Squid for Simple Proxy
I encourage people to install squid from source code. If you want to use squid in transparent way then install squid with following options
This is to configure Squid with support for transparent proxy
Code: [Select]
# enabling the transparent proxy feature during compilation.
./configure --enable-linux-netfilter
 # then make
make
 # then make install
make install
After installing squid successfully we have to configure squid to work for us.

So open /usr/local/squid/etc/squid.conf and uncomment the options which you require, or use the following squid.conf and modify it according to your use..
Code: [Select]


  # Set the maximums size of the object which will be cached.

maximum_object_size 8192 KB 

  # Set maximum physical RAM to be used for storing objects.
  # NOTE: typically squid uses much more RAM than specified, so when we say 16 MB it is actually using around 25 MB RAM.

cache_mem 16 MB


  # use to set where to store cache. here it is /cache of size 2048 MB.
  # Here 22 and 256 are used to define directory structure so you don't have to touch it.

cache_dir ufs /cache 2048 22 256


  # Here we are disabling cache_store_log as it will only increase disk usage.
  # You can enable it anytime by specifying a path instead of the "none" directive.

cache_store_log none


  # Here we are specifying that when we say "all " then it means whole internet.
  # Also specifying some required acls.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255


   # Here specifying acls for which ports are allowed, which network is allowed to use our proxy .
    # Here "your_network" is the name used for your network.
    # Change 192.168.0.0/255.255.255.0 to address of your LAN

acl your_network src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT


    # Here giving permission for localhost ie this machine to access proxy.

http_access allow manager localhost
http_access deny manager


    # Denying access to ports which are not safe

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


     # Allowing access to LAN and denying others.

http_access allow your_network
http_access deny all
icp_access allow all
miss_access allow all


      # Give the email of your administrator, who can be contacted by the users if anything goes wrong.

cache_mgr you@yourdomain.com


      # Set here the hostname of your proxy box. You can set anything if don't have any FQDN .

visible_hostname you.yourdomain.com
unique_hostname you.yourdomain.com


      # Directives for squid proxy to work also in Transparent mode.
      # If not using transparent proxy then you can still keep them.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


      # Set the port which will be used by clients to access squid proxy

http_port 3128

Now you have your squid.conf ready to go. But before running squid, run the following to initialize the cache directory
Code: [Select]
/usr/local/squid/sbin/squid -z
If it doesn't give any error then we should move to next step.

Now run squid by (Internet should be already connected)
Code: [Select]
/usr/local/squid/sbin/squid
Now see  /usr/local/squid/var/logs/cache.log if you see some thing like this..
Code: [Select]

2004/01/08 22:48:30| Ready to serve requests. 


2004/01/08 22:48:30|   Completed Validation Procedure
2004/01/08 22:48:30|   Validated 7002 Entries
2004/01/08 22:48:30|   store_swap_size = 63960k
2004/01/08 22:48:31| storeLateRelease: released 0 objects 
If you see some thing like above then you have squid configured correctly and it is working.
Now you have squid ready to use.

Note:
To use squid, configure your client's browser to use the proxy by setting the IP of the proxy server to the IP of the computer running squid and specifying the port as 3128 or whatever you have changed it to in squid.conf. Make sure you add the same port for SSL proxy as for HTTP proxy.
Now try to surf the net from a client and check /usr/local/squid/var/logs/access.log to see whether the site you have opened is recorded in access.log, to make sure your computer is using squid.
It is now all done. I have tried to make it simple and practical but there are various other aspect of squid which are not covered here. But I hope as you get your squid working then you will understand them all yourself.


Part (b)
Setting Up squid to run in Transparent Mode
After making sure that your proxy is working fine. You can use transparent proxy if you want to use it.
To run proxy in Transparent mode add the following lines to your NAT script as I specified here NAT / internet sharing how to (http://www.linuxsolved.com/forums/ftopic115.html)
Code: [Select]
#Transparent proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And now set your client's browser not to use the proxy, open a site from the client, then check the access.log to see whether the site opened by the user is redirected to squid or not.
If you are able to open websites and also that is getting logged in access.log then your transparent proxy is up and working.

If this doesn't work but you are able to open sites using simple proxy then you probably do not have NAT. See NAT / internet sharing how to (http://www.linuxsolved.com/linux-forums/internet-sharing-in-linux-nat-how-to-t115.0.html)
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: lugoteehalt on January 08, 2004, 07:09:32 PM
Sorry such a basic question but see a lot of stuff about 'transparent proxies':

What is a transparent proxy? Have looked in dictionaries but do not really understand.

Thanks for any help.

 :D
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: ashwin_ice on January 09, 2004, 12:15:37 PM
Thanks a Billion, Ricky... that was really considerate of you and I think that this would help a lot of people. And to those who need to understand what a transparent proxy is... BUT REMEMBER TO USE THE SETTINGS GIVEN IN RICKY'S TUTORIAL AS THE ONE GIVEN THERE IS MORE COMPLEX....

TRANSPARENT PROXY (For those Who Don't Know What a Transparent Proxy is):

A transparent cache is so named because it works by intercepting the network traffic transparently to the browser. In this mode, the cache short-circuits the retrieval process if the desired file is in the cache. Transparent caches are especially useful to ISPs because they require no browser setup modification. Transparent caches are also the simplest way to use a cache internally on a network, because they do not require explicit coordination with other caches. The purpose of this white paper is to discuss the various methods of implementing transparent caching using Squid on Linux with a policy based router, an external L4 switch, and an L4 switch inside the Linux Squid box. First, some basic concepts will be discussed, followed by the advantages of transparent caching, and finally redirecting packets to Squid using IP-Chains.

 
 
What is transparent caching?  The full explanation about the term "Transparent Caching and Transparent Proxying" depends on the context, but we can assume the context here is HTTP proxy/caches with transparent hijacking of port 80, which is the default HTTP traffic in the internet.

The difference is that the cache includes a cache, while the proxy only proxies without caching. The term transparent is overloaded, having different meanings depending on the situation. To some it means a setup that hijacks port 80 traffic where the client tried to go to other servers, to some it means a semantically transparent proxy that does not change the meaning or content of requests/replies. There is no such thing as a truly transparent proxy, only semitransparent and certainly not such a thing as a truly transparent cache. Squid can be configured to act transparently. In this mode, clients are not required to configure their browsers to access the cache, but Squid will transparently pick up the appropriate packets and cache requests. This solves the biggest problem with caching: i.e. getting users to use the cache server.

 
More Info : http://squid.visolve.com/white_papers/trans_caching.htm

But remember follow Ricky's suggestions or ure gonna screw up like I did   :lol:
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: lugoteehalt on January 10, 2004, 01:22:24 PM
Right, so a proxy is a second computer that also holds a web page, say. Proxy 'The management of another's affairs.'

And transparent means the browser 'sees through it' - if it does not have the desired page it just lets the browser's request out to the net.

Sorry if being dense :D
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on January 10, 2004, 04:32:22 PM
Hmm.. well Transparent proxy is Proxy+NAT
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: lugoteehalt on January 12, 2004, 03:23:16 PM
NAT

Short for Network Address Translation, NAT as specified in RFC 1631 is an Internet standard that enables a local-area network (LAN) to use one or more IP addresses for internal traffic and a second for external. A network NAT is commonly used by home users to allow multiple computers to easily connect to a broadband connection. NAT is also used to hide internet network addresses by using the single NAT address.
Today there are two different variants of NAT used. NAPT which is short for Network Address Port Translation, NAPT and PAT which is short for Port Address Translation.

Also see: Network definitions, Proxy


 
Proxy server

A Proxy is a computer server or software program which is part of the gateway server or another computer that separates a local network from outside networks.
A proxy server will generally cache all pages accessed through the network. When a page is accessed that is not in the proxy servers cache the proxy server will access the page using its own IP address cache the page and forward it to the user accessing that page.

Users who wish to setup a proxy at home or home office to be used to share a internet connection VIA modem or other internet connection may wish to consider any of the following products:

- Sygate Home Network
- WinProxy
- SpoonProxy
- ShareTheNet

Also see: ICS, Network definitions http://www.mrhope.com/jargon/n/nat.htm
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on January 13, 2004, 06:34:07 AM
I think here we now have a good explanation. It is now a good tutorial..  :)
Title: linux squid and iptable error
Post by: vasu on February 11, 2004, 06:21:05 AM
hi

  everyone i configured redhat linux9.0 squid it is working fine after i add iptables squid is show running but client system net access is not coming.
Title: linux bandwidth controlle software
Post by: vasu on February 11, 2004, 06:34:51 AM
hi
 
          i have redhat linux 9.0. i configured two lan cards, eth0 directly connected to internet, eth1 is private ips. i configured linux with nat so i want now to give some private ips some restriction, how to do it. this is the script i am using right now.


and i want bandwidth management control software in linux, if u have any free software please give the website link

#!/bin/sh
service ipchains stop
/sbin/rmmod  ipchains
/sbin/insmod ip_tables
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

/sbin/iptables --table nat --append POSTROUTING -s 192.168.1.2  -j MASQUERADE
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on February 11, 2004, 07:35:02 AM
What do you want to do ? Simple internet sharing or Proxy or Transparent proxy ?
I can tell you how to block a specific ip address but you have to tell me what you want to use .. Iptables or squid ??
You can also have bandwidth management using squid on the per user basis by using delay pools..
Title: how to block ftp service in redhat linux nat
Post by: vasu on February 12, 2004, 01:06:27 PM
hi

   i work now in rh9.0 in nat ip masquerade so i want now how to block ftp in nat private ip

this is my nat script please tell me how to block ftp service for this particular ip 192.168.1.2


#!/bin/sh
service ipchains stop
/sbin/rmmod ipchains
/sbin/insmod ip_tables
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

/sbin/iptables --table nat --append POSTROUTING -s 192.168.1.2 -j MASQUERADE
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on February 13, 2004, 03:13:41 PM
Vasu your question has been answered here.. in the new thread where you have asked it..
http://www.linuxsolved.com/forums/viewtopic.php?t=180
Title: Requesting advice
Post by: kmashraf on April 10, 2004, 01:48:56 PM
I have a gateway machine with the following config
IDT WinChip 200 MHz
32 MB RAM
2 GB HDD
2 NIC's (one eth0 connected to a cable modem and the other eth1 connected to the local lan)
I run Vector Linux 3.2 on it. Like the small footprint and intend to use it for purposes such as NAT, FIREWALLING, PROXYING.
This box is already doing NAT for my local network as well as firewalling.
It also is running Psionic PortSentry. Nifty little piece of software.
I do not want to change any of that.
I want to install a minimalist proxy on it. Just want to block all of 'em steamy sites from specific ip's cause I don't want the kids to lose it. I like to believe that I am liberal and would rather educate the kids. But others are not so cool. They want this sh.... cut off.
I am a little confused about caching. I want to know if I have to setup squid as a caching proxy to achieve these ends ? I am not really concerned about the performance of web access. I only wanna block off specific sites to specific ip's.
Thanks
All help greatly appreciated
Love the Brave GNU World ! 8)
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on April 10, 2004, 05:21:32 PM
For kmashraf..
Well to do all that you can just install smoothwall.
BTW.. to block a site u can make acl, search linuxsolved.com forums using search feature.
Installing squid caching server will increase the performance.
I would rather suggest to increase RAM if you are going to install squid.
Title: Re Requesting Advice
Post by: kmashraf on April 11, 2004, 02:55:15 AM
Using Smoothwall would mean losing my existing setup. Not a happy thought, since I spent time setting it up.
So you say that 32 MB RAM is not enough for Squid ? The RAM I have are SIMM's, getting more or replacing with higher capacity RAM will be a difficult exercise.
The machine in question has been in service 24/7/365 for the past 3 years. Running mostly RedHat and Mandrake. Vector Linux I setup only recently for I felt that RH and Mandrake are too much for a machine of that config.
Thank you.
Khan Md Ashraf
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on April 11, 2004, 05:42:14 AM
Well squid uses too much of RAM when it runs in caching mode i think same for simple proxy but not sure. Smoothwall is preconfigured.. give that a look.
Title: Re Requesting Advice
Post by: kmashraf on April 11, 2004, 06:02:09 AM
Will surely in future keep Smoothwall in mind.
Am going to try my luck with a simple Squid setup, if that is possible.
Thanks.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on April 11, 2004, 06:22:07 AM
Ya. simple proxy is possible , you can also make caching proxy. that will also enhance ur performance..  just keep cache_mem 4 MB and cache dir  around 200 mb not more..
Title: Squid Proxy
Post by: efren_rio on April 25, 2004, 08:49:36 AM
How do I use Squid Proxy to point to an ISP's Proxy?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on April 25, 2004, 11:24:58 AM
Simply add following lines to ur squid.conf
Code: [Select]

cache_peer <parent IP> parent 3128 3130
Change parent ip to the ip address of the main proxy server or u can use a domain also instead of IP.
Title: squid running and ftp has no access
Post by: carrguerr on May 14, 2004, 01:10:32 PM
I have squid running on RH9, as a server for windoze. The windoze pc's have dreamweaver installed but DW cant access remote files. I tried to use cuteFTP, wsFTP, etc and they cant connect to my ftp server. How do I set up squid so that DW and the rest of the FTP clients have access to an outside ftp server?

Thnx
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on May 14, 2004, 01:26:39 PM
mostly ftp clients works. problem occur with only mail clients..
Try to use passive modes in ftp clients..
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: carrguerr on May 15, 2004, 06:34:16 PM
OK ... the only ftp server I get to is the Linux box. I still cant get out to a remote server with any ftp client.
I have some web sites that I want to work with thru ftp but squid wont let me thru.

How does one log in to a ftp site?
ftp.site.com/user/pass ???

dreamweaver still wont connect.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on May 23, 2004, 10:11:54 AM
I am having a problem. When I run the sample squid.conf given by Ricky as well as the default squid.conf. I run into a 'FATAL: Failed to make swap directory /usr/local/squid/var/cache/00: 13 permission denied' problem.
My Linux is Vector Linux 4.0. I am also using the firewall script from http://projectfiles.com on this box. I have installed squid from the tar.gz available at the squid site. Is the problem related to ownership of the /usr/local/squid/var/cache directory ? By the way there is no default 'squid' user created in Vector Linux. I have to create one. What kind of permissions should this directory have for it to create the cache ?
 :?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on May 24, 2004, 06:11:46 AM
Ya this is the permission problem. You have to make squid the owner of the cache directory and then give proper permissions to it. It is like this.
Say we have a user squid of group squid..
Code: [Select]
chown squid:squid <ur cache directory>
then set permission to read, write, execute for group and user..
Code: [Select]
chmod 770 <ur cache dir>
Then initialize cache using -z

Also then you have to set same permission for log directory of squid ie.. /usr/local/squid/var/log
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on June 28, 2004, 06:15:33 AM
i try this squid step by step same failed need help
[root@tomamodi squid-2.4.STABLE6]# /usr/local/squid/bin/squid -z
2004/06/28 09:12:54| Creating Swap Directories
FATAL: Failed to make swap directory /usr/local/squid/cache/00: (13) Permission
denied
Squid Cache (Version 2.4.STABLE6): Terminated abnormally.
CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 8
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on June 28, 2004, 12:02:35 PM
hmm..
Did you see my last post in this Thread ? Well that is the solution to your problem. Simply learn a little more about chown and chmod and follow my last post.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: lakshmi on July 09, 2004, 02:37:49 PM
I have a problem in starting the squid service.  Getting error message "starting squid...... FAILED".

I have configured squid.conf file as mentioned in the tutorial. I am successful in creating the swap directories but unable to start the service. Can anyone help me. I am new to linux.

Thanks
Title: Still working on it !
Post by: kmashraf on July 14, 2004, 04:11:06 PM
Hi thanks for the info and I've got squid running now. I have a problem though
I am unable to deny sites from a file.
This is the relevant portion of my squid.conf

#Recommended minimum configuration:
acl banned dstdomain "/usr/local/squid/etc/block"
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access allow localnet
http_access allow manager localhost
http_access deny banned
http_access deny all
Can you tell me what I am doing wrong !

Thanks for all your help without which I would not have got this far.
Ashraf
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 16, 2004, 05:40:54 PM
Hey.. !! Kmashraf..

Sorry for late reply.. Actually what I suggest is to see the last few posts of mine about proxy .. If it still doesn't work then we will sort it out ! :)
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on July 17, 2004, 03:58:18 AM
Hey !
You had me worried there.
Well I searched through all the posts regarding squid but could not find an answer to my particular problem.
I want to block sites based on domain names from a file
such as
acl banned dstdomain "/usr/local/squid/etc/block"
and I deny it with
http_access deny banned
as can be seen from the portion of my squid file included in the previous post
where 'block' is the file containing the list of domain names I want blocked.
This file has the required format of one domain per line. In fact I got it from the link given in the Squid FAQ, ACL chapter.
But I find that in spite of inserting these lines I am still getting access to the sites listed in my block file.
I need to know if there is a particular order to be followed for the acl and http_access list ?
Also am I making a mistake in placing the file, /usr/local/squid/etc/ ?
Because I am not getting any error ! Mostly it serves me without trouble, occasionally complaining of DNS resolution problems. I would blame my
ISP' s DNS server behaviour.
Only strange entry in my 'cache.log'
Rebuilding storage in /usr/local/squid/var/cache (DIRTY)
what does this '(DIRTY)' imply ?
Thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 17, 2004, 08:52:31 AM
Quote from: "kmashraf"
acl banned dstdomain "/usr/local/squid/etc/block"
and I deny it with
http_access deny banned

I don't feel anything wrong in that..  What you can also do is name that file block.txt instead of block (I am not sure that is the fault), maybe it can help.

your block file should be situated in a directory where squid has proper permissions to access it.  check permissions also so that it is readable by the user under which squid is running.

Also your file should look like
Code: [Select]
.site1.com
site.com
anothersite.com
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on July 17, 2004, 09:53:14 AM
In fact I changed the owner ship of the file to 'squid'. I am also reflecting the file name 'block' as is.
I will try renaming the file as *.txt and try.
Would this be of significance
"Acl-operators are checked in the order that they occur in the file (ie from top to bottom). The first acl-operator line that matches causes Squid to drop out of the acl list. Squid will not check through all acl-operators if the first denies the request."
I got it from http://squid-docs.sourceforge.net/latest/html/x591.html
What caught my attention is "The first acl-operator line that matches causes Squid to drop out of the acl list. Squid will not check through all acl-operators if the first denies the request".
So once again my question is if the acl-operator line order is important ?
Thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 17, 2004, 02:49:50 PM
Yes it matters in squid but that is not so complex..

If you simply follow the pattern of my squid.conf example in Linux How to section then there should be no such probs..

If it finds any condition true then it doesn't check further rules.
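
An added example, not part of any post in this thread: a simplified Python model of how Squid walks the http_access lines top to bottom and stops at the first line whose ACLs all match, run against the rule order from the squid.conf posted above and against a reordered copy. The client address, the `blocked.example` names and the function names are constructed for illustration; only the ACLs used by those four lines are modelled.

```python
"""Simplified model of Squid's first-match http_access evaluation."""
import ipaddress


def dstdomain_match(host, entries):
    """dstdomain semantics: '.example.com' matches the domain and every
    subdomain; 'www.example.com' matches that exact host name only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def build_acls(block_list):
    """Map ACL name -> predicate(request). ACL names follow the posted
    squid.conf; block_list stands in for the contents of the block file."""
    localnet = ipaddress.ip_network("192.168.0.0/255.255.255.0")
    return {
        "all": lambda r: True,
        "localnet": lambda r: ipaddress.ip_address(r["src"]) in localnet,
        "localhost": lambda r: r["src"] == "127.0.0.1",
        "manager": lambda r: r["proto"] == "cache_object",
        "banned": lambda r: dstdomain_match(r["host"], block_list),
    }


def evaluate(rules, acls, request):
    """Return (action, matching_rule). ACLs on one line are ANDed; the
    first line on which they all match decides and evaluation stops."""
    for rule in rules:
        _, action, *names = rule.split()
        matched = all(
            not acls[n[1:]](request) if n.startswith("!") else acls[n](request)
            for n in names
        )
        if matched:
            return action, rule
    # No line matched: Squid applies the opposite of the last line's action.
    last_action = rules[-1].split()[1]
    return ("deny" if last_action == "allow" else "allow"), None


# Rule order exactly as posted: the LAN-wide allow comes first.
ORIGINAL_ORDER = [
    "http_access allow localnet",
    "http_access allow manager localhost",
    "http_access deny banned",
    "http_access deny all",
]

# Same four lines, with the deny placed before the LAN-wide allow.
FIXED_ORDER = [
    "http_access allow manager localhost",
    "http_access deny banned",
    "http_access allow localnet",
    "http_access deny all",
]

if __name__ == "__main__":
    acls = build_acls([".blocked.example"])  # constructed block list
    request = {"src": "192.168.0.10", "host": "www.blocked.example", "proto": "http"}
    for label, rules in (("original", ORIGINAL_ORDER), ("reordered", FIXED_ORDER)):
        action, rule = evaluate(rules, acls, request)
        print(f"{label:9s} -> {action:5s} (decided by: {rule})")
```

With the posted order a LAN client is allowed by `http_access allow localnet` before `deny banned` is ever consulted; the same model also shows that a block-file entry without a leading dot does not cover other host names under the same domain.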
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on July 17, 2004, 05:32:35 PM
Hi,
If I sound dense please bear with me for I am a little dense.
And as always thanks.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on July 19, 2004, 08:33:30 AM
Hi,
Will all this work if I don't have a FQDN ? I don't !
Is that why it is not working ? Names in my file are not being resolved because I don't have an FQDN.
Thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 19, 2004, 09:17:44 AM
What ? FQDN is nothing to consider here..  anyway.. y u think so ?? can i have lil more explanation about that thought ?
Title: I am also getting a problem?
Post by: saxiee on July 19, 2004, 02:08:46 PM
Hello
  I am getting problem when try to run squid2.5 on Redhat 9.0 of "$squid $squid_opts 2>/dev/null"   when i check the status of squid i got "could not determine fully quallified hostname please set visible_hostname" when i set the visible hostname to my workgroup name i got "cannot run a copy" and also getting error of "page faults with physical i/o:388"   please help me to solve problem
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on July 20, 2004, 04:08:51 AM
Well it is like this. Even when I use 'acl banned dstdomain [www.sex.com]' it still does not work. I am able to access the site and it seems to be caching the same. I found this by looking at the logs. The access.log shows this

1090338621.321   1378 192.168.0.xx TCP_MISS/302 707 GET [http://www.sex.com/] - DIRECT/209.81.7.93 text/html
1090338622.600   1276 192.168.0.xx TCP_MISS/302 593 GET [http://india.sex.com/index.html] - DIRECT/209.81.7.23 text/html
1090338624.717   2112 192.168.0.xx TCP_MISS/200 4285 GET [http://www.sex.com/s.html?] - DIRECT/209.81.7.93 text/html
1090338626.023   1788 192.168.0.xx TCP_MISS/200 2876 GET [http://www.sex.com/common/functions.js] - DIRECT/209.81.7.93 text/html
(My modification '[' ']' and 'xx')  

One part of your tutorial I've not included in my config is
visible_hostname you.yourdomain.com
unique_hostname you.yourdomain.com

This is why I am asking about the FQDN.
Much obliged
Ashraf
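
An added example, not part of the post above: a short Python audit of a Squid native-format access.log that reports every request to a block-listed domain that was served instead of being logged with the `TCP_DENIED` result code. The log lines, client addresses and domain names are constructed samples, and the function names are illustrative.

```python
"""Audit a Squid native access.log for block-list hits that were not denied."""
from urllib.parse import urlsplit

# Constructed sample in Squid's native log format (not taken from the thread):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1090338621.321   1378 192.168.0.21 TCP_MISS/302 707 GET http://www.blocked.example/ - DIRECT/203.0.113.93 text/html
1090338622.600   1276 192.168.0.21 TCP_MISS/302 593 GET http://india.blocked.example/index.html - DIRECT/203.0.113.23 text/html
1090338630.004      3 192.168.0.22 TCP_DENIED/403 1420 GET http://www.blocked.example/ - NONE/- text/html
1090338631.512    845 192.168.0.22 TCP_HIT/200 4285 GET http://www.allowed.example/a.html - NONE/- text/html
1090338640.100   2210 192.168.0.23 TCP_MISS/200 3911 CONNECT secure.blocked.example:443 - DIRECT/203.0.113.93 -
this line is truncated
"""


def request_host(method, url):
    """Host part of the logged URL; CONNECT is logged as 'host:port'."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def on_block_list(host, block_list):
    """dstdomain-style match: a leading dot covers the domain and subdomains."""
    for entry in block_list:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def audit(log_text, block_list):
    """Return (leaks, denied, skipped).

    leaks   -- (client, result_code, host) for block-listed hosts that were served
    denied  -- number of block-listed requests correctly logged as TCP_DENIED
    skipped -- number of lines that could not be parsed
    """
    leaks, denied, skipped = [], 0, 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "/" not in fields[3]:
            skipped += 1
            continue
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        code = result.split("/", 1)[0]
        host = request_host(method, url)
        if not on_block_list(host, block_list):
            continue
        if code == "TCP_DENIED":
            denied += 1
        else:
            leaks.append((client, code, host))
    return leaks, denied, skipped


if __name__ == "__main__":
    leaks, denied, skipped = audit(SAMPLE_LOG, [".blocked.example"])
    print(f"denied={denied} skipped={skipped}")
    for client, code, host in leaks:
        print(f"NOT BLOCKED: {client} reached {host} ({code})")
```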
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on July 20, 2004, 04:40:06 AM
dear RICKY
i see here you are very active and cooperative
i need your help in a very small matter for you and very difficult for me as new
i am going to install squid transparent cache in lan
i have setting
modem --> router --->hub 24 pc connected  in this 24 i want connect one as cache transperent to hub ex:no 12 where i am
 i want that linux box on this place where it is win98 running so i am producing the winipcfg report to see and what to understand where i have to put the following in your sample squid.conf
<winipcfg>
dns it is in router 10.0.0.2
mac address xx-xx-xx-xx-xx-xx
ip of this pc 10.0.0.12
subnet mask 255.255.255.0
gateway 10.0.0.2
where i have to put this settings to make this place as linux cache/trans
thanks for guide
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 20, 2004, 05:21:13 AM
@ TOMAMODI

Man.. Configure your one PC as Linux Proxy server as I have mentioned, then in all your boxes..

1. If you are using static ip.. ie no DHCP then manual configuration will be required..

Say you have network 192.168.1.0

then in ur clients..

Gateway   :: <ip of your linux box>
DNS server :: <ip of ur ISP or IP of ur linux box when caching nameserver is enabled --for caching nameserver find how to do in the  previous posts.>
IP address :: 192.168.1.x
Subnet :: 255.255.255.0

I hope u are cleared !

2. If you have setup DHCP server then simply configure ur clients to get IP from DHCP
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 20, 2004, 05:28:05 AM
@kmAshraf

Umm.. strange.. anyway.. instead of [www.abc.com] use .abc.com !!

Also u look about

acl banned url_regex -i  word1 word2 word3

That should work effectively!!
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 20, 2004, 05:33:06 AM
@saxiee

Man. pls give the last 10 lines of ur cache.log
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: saxiee on July 20, 2004, 09:18:45 AM
cache_mem 4 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 1096 KB
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 20, 2004, 09:36:14 AM
@saxiee
Man.. this is not what i want.. there is cache.log.. give last 10 lines of that
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on July 21, 2004, 09:51:37 AM
Thanks
Is this ok for 50 clients  and i also want to some webs to be blocked is it possible in this
This is red hat 9 default workstation install

==========
squid-2.5.STABLE6.tar.gz

# useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1
# mkdir /cache/
#chown -R squid.squid /cache/
#chmod 770 squid.squid /cache
#tar -zxvf squid-2.4.STABLE6-src.tar.gz
#./configure --enable-linux-netfilter
#make
# make install
#/usr/local/squid/sbin/squid -z
#/usr/local/squid/sbin/squid
==
where this ? in rc.d
#Transparent proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

And  i have some thing very critical so i want to use PM is it ok
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on July 23, 2004, 02:49:06 AM
Ricky !
Apologies for the delay !
I am looking into your suggestions.
Can you tell me what all you need to make an analysis of my squid configuration ?
Thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 23, 2004, 04:26:42 AM
Quote from: "tomamodi"
where this ? in rc.d
#Transparent proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Well it is OK for 50 clients, and about that line.. see again the tutorial and also NAT how to you will easily figure that out.
However, Use dhcp server to assign ips in 50 clients setup.

To block web.. see dstdomain and url_regex acls :)

@kmashraf
OK you send me your squid.conf and your last 15 lines of cache.log in my PM.  BTW.. have you tried url_regex directive yet ?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on July 23, 2004, 07:42:12 AM
Yes I did ! But still same problem.
One question though, if the site is already in the cache, will it still block the site provided everything is working normally ?
I will send both as required by you shortly.
thanks a ton !
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 23, 2004, 08:21:38 AM
Quote from: "kmashraf"
One question though, if the site is already in the cache, will it still block the site provided everything is working normally ?

Yes it will block that !!
Title: is this clear
Post by: tomamodi on July 31, 2004, 08:59:09 AM
First download squid
Then start

[root@linuxbox root]# useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1
[root@linuxbox root]# mkdir /cache/
[root@linuxbox root]# chown -R squid.squid /cache/

untar squid

[root@linuxbox root]# tar -zxvf squid-2.4.STABLE6-src.tar.gz
[root@linuxbox root]# cd squid-2.4.STABLE6
[root@linuxbox root]#./configure --enable-linux-netfilter
[root@linuxbox root]# make
[root@linuxbox root]# make install
[root@linuxbox root]# cd /etc/squid
[root@linuxbox squid]#vi squid.conf
============================
maximum_object_size 8192 KB
cache_mem 16 MB
cache_dir ufs /cache 2048 22 256
cache_store_log none
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl your_network src 192.168.8.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow your_network
http_access deny all
icp_access allow all
miss_access allow all
cache_mgr you@yourdomain.com
visible_hostname you.yourdomain.com
unique_hostname you.yourdomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128

=================================

chown squid:squid ? (here your help: where is the directory)
chmod 770 ? (here your help: where is the directory)


 [root@linuxbox root]#  /usr/local/squid/sbin/squid -z
 [root@linuxbox root]#  /usr/local/squid/sbin/squid
--------------------------
Is this all?

Then follow NAT,
then in IE put 192.168.8 0  :port 8080

Please, does this need anything more?
Now I have reinstalled Red Hat 9 and want a new squid install.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: goldman on July 31, 2004, 11:54:25 AM
cache_effective_user squid
cache_effective_group squid
Fine, put these two lines in as well
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on July 31, 2004, 12:01:41 PM
Thanks Goldman
I am totally blind in this subject, so the main thing is I didn't understand this IP matter. My router is on 192.168.8.1 and the Linux box's LAN IP is 192.168.8.22. It is connected to a hub, so I want my web cache here, not at the gateway. NOT AS SERVER, ONLY WANT AS WEB CACHE
With only one NIC, eth0, I want it to receive a request and answer it; if it is not in the cache, it forwards to the router 192.168.8.1 and also caches it for next time.
I am following MR RICKY, so I am waiting to proceed with his reply.
After all, your help is appreciated.
THANKS AGAIN
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 01, 2004, 02:12:40 PM
..
Well.. Little busy these days..


Anyway ..

Quote
then in ie put 192.168.8 0 :port 8080

Here you have to put 3128 as the port because you have specified it as the port in the "http_port" directive. If you change it to "http_port 8080" then you can use it as you have done above.

Lastly, what you have to do now is assign proper permissions and ownership to your cache directory.
BTW, did you get any error when you initialized your cache using -z? If not, still follow the few steps below.

Now, as you have made group squid and user squid, your permissions should look like this.
Type the following commands one by one:
Code: [Select]
chown root:root /usr/local/squid/

chmod 755 /usr/local/squid/

cd /usr/local/squid/sbin

chown root:root .

chown root:root *

chmod 755 . *

cd /usr/local/squid/etc

chmod 2775 .

chown root:squid . *

chown squid:squid /usr/local/squid/logs

chmod 770 /usr/local/squid/logs

chown squid:squid /cache

chmod 770 /cache
Now run -z to initialize the cache...
BTW, this time I have used a little copy'n'paste, but I hope it will be helpful to you!
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 01, 2004, 02:15:03 PM
Also..

@ Tommandi
If you can redirect all port 80 requests coming to your router from your clients to the Squid machine on port 8080 (or 3128) then you will not need to put the proxy address in each client.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 02, 2004, 06:32:41 AM
umum
But how do I redirect? You know that I am new to all this; this is very helpful for me.
After all this I put this box connected to one of my hub's ports; it is OK

Not a router port.
As I told you:
modem----->router ----> hub, here all PCs + this squid box, OK
THANKS AGAIN
FOR YOUR THIS DRAG AND DROP COMMANDS
IT COVER UP MY UN SKILLED TYPING
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 02, 2004, 06:58:28 AM
Quote
FOR YOUR THIS DRAG AND DROP COMMANDS
IT COVER UP MY UN SKILLED TYPING


Actually that is not real copy-paste; I have modified it for you. You had better see the man pages for "chown" and "chmod" if you are new to Linux.

About redirection: that is specific to your router. Consult its online documentation for that!!
Title: Finally !
Post by: kmashraf on August 05, 2004, 06:40:42 PM
I've finally got it going.
Even after all the to and froing between Ricky and me I did not see the light.
So ah just lay low for sometime thinking things through. In the meanwhile a guy I know got it going too. So ah asked him what he did that I hadn't and he told me this
Please note that I am running squid/2.5.STABLE5.
I was putting my acl and http access in the wrong place.
That is all there was to it. And boy I sure am dense and slow.
This is where you have to put it.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
                                                                           
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl banned url_regex -i "filename"
acl myown dstdomain 'www.xxx.com' (without the quotes)
http_access deny banned
http_access deny myown
http_access allow our_networks
                                                                           
# And finally deny all other access to this proxy
http_access deny all

And I was putting it everywhere but here and wondering why it didn't work.
I think that if you put your acl anywhere else it is not going to work.
Now after doing so it works just fine.
Thanks Ricky.
It would not have happened without your help.
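Why the placement matters, shown as an added example that is not part of the original post: Squid checks http_access lines from top to bottom and stops at the first line that matches, so deny rules placed after the "allow our_networks" / "deny all" pair are never reached. The small evaluator below is a simplified model, not Squid's code; the inline url_regex words, the client addresses and the test URLs are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed ACLs modelled on the post; the url_regex patterns are inline
# sample words instead of a pattern file.
ACLS = """
acl all src 0.0.0.0/0
acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl banned url_regex -i games chat
acl myown dstdomain www.xxx.com
"""
# Deny lines ahead of the allow line, as in the post.
RULES_IN_PLACE = """
http_access deny banned
http_access deny myown
http_access allow our_networks
http_access deny all
"""
# Same lines, but the deny rules come after the existing allow/deny pair.
RULES_MISPLACED = """
http_access allow our_networks
http_access deny all
http_access deny banned
http_access deny myown
"""


def _fields(text, keyword):
    """Yield the fields of each `keyword` line, with comments removed."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == keyword:
            yield parts[1:]


def parse_acls(text):
    """Return {name: (type, [values])}; a repeated name accumulates values."""
    acls = {}
    for name, kind, *values in _fields(text, "acl"):
        acls.setdefault(name, (kind, []))[1].extend(values)
    return acls


def parse_rules(text):
    """Return [(action, [acl names])] in file order."""
    return [(f[0], f[1:]) for f in _fields(text, "http_access")]


def acl_matches(acl, client_ip, url):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = (urlsplit(url).hostname or "").lower()
        # ".example.com" also covers subdomains; "www.example.com" is exact.
        return any(host == v.lstrip(".").lower() or
                   (v.startswith(".") and host.endswith(v.lower()))
                   for v in values)
    if kind == "url_regex":
        flags = re.IGNORECASE if "-i" in values else 0
        return any(re.search(v, url, flags) for v in values if v != "-i")
    raise ValueError("unsupported acl type: " + kind)


def decide(acls, rules, client_ip, url):
    """Evaluate http_access top-down: the first line whose ACLs all match wins."""
    if not rules:
        raise ValueError("no http_access lines")
    for action, names in rules:
        # "!name" negates an ACL; every ACL on one line must hold (logical AND).
        if all(acl_matches(acls[n.lstrip("!")], client_ip, url) != n.startswith("!")
               for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    acls = parse_acls(ACLS)
    for label, text in (("in place", RULES_IN_PLACE), ("misplaced", RULES_MISPLACED)):
        rules = parse_rules(text)
        for url in ("http://www.xxx.com/", "http://example.org/CHAT/room"):
            print(label, url, decide(acls, rules, "192.168.1.10", url))
```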
Title: nothing at all
Post by: tomamodi on August 08, 2004, 06:41:54 PM
Dear Ricky,
nothing works when I reach   cd  /etc/squid

[root@modi squid-2.4.STABLE6]# cd /etc/squid
bash: cd: /etc/squid: No such file or directory

I think that all I have done is just nothing. I write every command and post it on different forums,

and when I go through them, no result.
So I posted here too, to ask whether this is OK
and get your confirmation before I proceed.
I think you didn't read all those commands.
Please read again and give me advice if you can.
Title: tomamodi
Post by: tomamodi on August 09, 2004, 04:05:03 AM
HI
Tomamodi
I know all your commands are wrong; they didn't take you to
cd /etc/squid
but you say you want to follow only advice from RICKY, so I refrain from saying anything.
And Ricky advises you to read about CHOWN & CHMOD; when you have read and understood, then you will be advised to read about directories, and if that is finished
then you won't need any forum help.

You can do everything yourself.


OK BYE
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 09, 2004, 06:19:53 AM
Dear, I thought before that forums are for new people; if one understands everything it is really not necessary to see any step by step.
But I tried nearly 20 forums, and every step by step I tried ten times, but failed to succeed and then reinstalled the operating system.
Again I reinstall and try something new.
I think all the written step by steps are for experts,
so I cannot take benefit of them.

I myself am an electronics expert in still cameras,

specially Yashica MF2 and Yashica Electro 35, Mamiya RB67, Hasselblad.

I wrote some step by steps for my students; those step by steps work even with closed eyes, with more than 500 parts to dismantle and rejoin.
But here I saw all step by steps stop at some place, so I think this is all a waste of time for a beginner like me; it is better to go through books.
So there is no step by step that takes you to a running cache. I tried more than twenty; the one I like best is at bigpond, and he also does not explain whether his cache worked with one NIC or two, whether it worked in a LAN, or whether it should be connected to the router directly or to a hub with the other client PCs.
I even bought ready to use step by step documentation for $100.
Regret
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 09, 2004, 07:19:21 AM
Quote from: "tomamodi"
Dear Ricky,
nothing works when I reach cd /etc/squid

[root@modi squid-2.4.STABLE6]# cd /etc/squid
bash: cd: /etc/squid: No such file or directory

I think that all I have done is just nothing. I write every command and post it on different forums,

and when I go through them, no result.
So I posted here too, to ask whether this is OK
and get your confirmation before I proceed.
I think you didn't read all those commands.
Please read again and give me advice if you can.
Hmm...

Well, what is all of the above?
What you feel is right. BTW, first of all you should know that when you install squid from an rpm, every config file of squid goes to /etc/squid, but when you install it from source, from the tar.gz package, then it mostly goes to /usr/local/squid

!!!

Yes, you are the only one who can decide what to do and what not!!! Basically tutorials are written so that anyone can get help, whether newbie or expert!! But make sure you also use your own stuff, and yes, you also grab new things. This tutorial is about squid, not about Linux as a whole, so the things which are common GNU/Linux OS related tasks are not taught here, you are just told to do them!!

Anyway, be calm and energetic!!!
@your LAN Setup

Simply make a box the proxy server, put the IP of your router as the gateway in it, and configure your other LAN machines to use the squid proxy by putting the squid machine's address and port in their browsers.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 09, 2004, 12:14:04 PM
I am not at an age for learning now; doing is just the need of the time,
so I want help from experts, not to be advised to learn. A brain in its 60s is not for learning; I just need the way to follow and complete the project.

This is what I have been trying for more than a year, but failed; in the end everyone advises me to read  :shock:

The rules will not change if you make your cache and run it:
 your router IP is 10.0.0.1
 and my "  "    is  10.0.0.2

What is the difference? Only to change 2 instead of one, not the chowns, chmod or directories.

I gave everything here and asked is this right; you say OK, I go through it and end up at directory not found.

So if you really want to help me, give me full documentation; these how-tos are good for experts.

I don't need to learn Linux, I just want to run a cache in the LAN
so that it takes requests from 24 clients and checks: if it has it stored, it gives it; if not, it turns the request to the router and caches it for next time.


my line is dsl 256k
user name is modi@platinum.com
password is  2233456
proxy 212.162.130.80:port 8080
router address 192.168.8.1
dns 212.162.130.79 prim
dns sec 212.162.130.34

system sketch

modem/router  -------------hub 25       one of is redhat ip 192.168.8.22
subnet 255.255.255.0

Red Hat 9 installed, default workstation

So will you help me by giving me something I can go through to put the cache in the Linux box?
I tried here but didn't find a ready-to-use cache.
I agree to pay for the work also, but don't want to get lost between directories   chown chmod :x

I want the same way as   "squid bigpond" but that is a server; I don't know how to connect it directly and how to configure two NICs,
so I want it with one NIC only
 :?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 09, 2004, 12:54:05 PM
@tomamondi

OK, don't get confused, be calm. I can understand what the problem is: you are just confused, nothing else. OK, I will help as I always do, so don't worry!!!

I will talk to you by PM. :)
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 10, 2004, 04:46:57 AM
Thanks RICKY
 I am frustrated and mad about all this. I tried so many places to get help and ended with nothing.
Thank you very much.
Everything is easy with one who is an expert in it,
so I just need to be guided in the right direction.
THANK YOU AGAIN
AS I WROTE, I BOUGHT THE SETUP FROM NETWORKSOLUTIONS.
THEY SENT ME A FOOLISH DOWNLOAD.
I WILL POST IT HERE JUST SO NO ONE IS FOOLED AND PAYS $100
FOR THAT AGAIN
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 10, 2004, 01:01:05 PM
Well, you can't put the stuff you bought from them over here, as that would not be good!! :)
Title: hello ricky i think done
Post by: tomamodi on August 11, 2004, 12:06:45 PM
2004/08/11 04:56:06| Process ID 3611
2004/08/11 04:56:06| With 1024 file descriptors available
2004/08/11 04:56:06| Performing DNS Tests...
2004/08/11 04:56:06| Successful DNS name lookup tests...
2004/08/11 04:56:06| DNS Socket created on FD 4
2004/08/11 04:56:06| Adding nameserver 212.26.70.62 from /etc/resolv.conf
2004/08/11 04:56:06| Adding nameserver 212.26.70.10 from /etc/resolv.conf
2004/08/11 04:56:06| Unlinkd pipe opened on FD 9
2004/08/11 04:56:06| Swap maxSize 2097152 KB, estimated 161319 objects
2004/08/11 04:56:06| Target number of buckets: 8065
2004/08/11 04:56:06| Using 8192 Store buckets
2004/08/11 04:56:06| Max Mem  size: 16384 KB
2004/08/11 04:56:06| Max Swap size: 2097152 KB
2004/08/11 04:56:06| Store logging disabled
2004/08/11 04:56:06| Rebuilding storage in /cache (CLEAN)
2004/08/11 04:56:06| Using Least Load store dir selection
2004/08/11 04:56:06| Set Current Directory to /cache
2004/08/11 04:56:06| Loaded Icons.
2004/08/11 04:56:07| Accepting HTTP connections at 0.0.0.0, port 3128, FD 8.
2004/08/11 04:56:07| Accepting ICP messages at 0.0.0.0, port 3130, FD 10.
2004/08/11 04:56:07| Accepting SNMP messages on port 3401, FD 11.
2004/08/11 04:56:07| WCCP Disabled.
2004/08/11 04:56:07| Ready to serve requests.

RICKY     here i am    DONE up to here
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 11, 2004, 12:32:13 PM
So now your Proxy is configured and running !!

Now first check whether you are able to browse on the squid box itself or not, I mean whether your Linux box is properly configured for internet or not!! If you are able to browse, then you have to configure your clients to use the proxy...

So what I mean is that the internet should be connected to the Linux box, then your clients will connect through this Linux box to the internet using the proxy!

Now in your client's browser put the IP address of the squid box and port 3128, as you are using the default port, and you should be able to use the internet on your clients. :)
Title: squid
Post by: tomamodi on August 11, 2004, 07:23:28 PM
Yes, I tried that but am unable to browse from the client. I gave proxy 10.0.0.22:3128

Then I see in the log that requests from the other computer reach there, but from squid nothing comes back. I also made the file as you explained for rc.nat

Next, I hope to finish tomorrow.

Thank you again for your kind help
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 12, 2004, 05:59:25 AM
This is access.log
1092209245.518  52560 10.0.0.12 TCP_MISS/000 0 GET http://www.37.com/ - NONE/- -
1092209283.818   2021 10.0.0.12 TCP_MISS/000 0 GET http://www.37.com/ - NONE/- -
1092211893.560 115010 10.0.0.12 TCP_MISS/000 0 GET http://www.37.com/ - NONE/- -
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 12, 2004, 11:18:55 AM
This means that the proxy is fine but your proxy box is not connected to the internet. First make sure that the proxy box is properly connected to the internet, i.e. you can surf the net on it, as it is the server to the internet for the other clients.
Title: squid proxy transparent
Post by: tomamodi on August 15, 2004, 03:59:43 AM
Dear RICKY

As
Advised
1) squid installed configured
2)NAT  completed with both  instruction

squid box ip 10.0.0.22

client proxy  10.0.0.22:3128
receiving direct from parent, not cached

all are tcp_miss, there is no tcp_hit

last few lines for view

1092455722.428   1469 10.0.0.14 TCP_MISS/200 1504 GET http://www.google.com/ - FIRST_UP_PARENT/212.26.70.36 text/html
1092455723.033    604 10.0.0.14 TCP_CLIENT_REFRESH_MISS/304 219 GET http://www.google.com/logos/summer2004_opening.gif - FIRST_UP_PARENT/212.26.70.36 text/html
1092455743.584   1964 10.0.0.14 TCP_MISS/302 618 GET http://www.gogle.com/ - FIRST_UP_PARENT/212.26.70.36 text/html
1092455744.236    647 10.0.0.14 TCP_MISS/200 1504 GET http://www.google.com/ - FIRST_UP_PARENT/212.26.70.36 text/html

first this then
unable to login   linuxsolve.com           hotmail.com    yahoo.com
Thanks for  help
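The two access.log excerpts above can be read mechanically. The following is an added example, not part of the original posts: it parses Squid's native access.log format and reports the two conditions discussed in the thread, requests that end with status 000 and no upstream (the case Ricky attributes to the proxy box having no internet connection) and traffic that is answered but never served from the cache. The finding labels and the malformed line are constructed.

```python
from collections import Counter

# Lines quoted in the Aug 12 post: every request ends as TCP_MISS/000 NONE/-.
LOG_NO_REPLY = """\
1092209245.518  52560 10.0.0.12 TCP_MISS/000 0 GET http://www.37.com/ - NONE/- -
1092209283.818   2021 10.0.0.12 TCP_MISS/000 0 GET http://www.37.com/ - NONE/- -
1092211893.560 115010 10.0.0.12 TCP_MISS/000 0 GET http://www.37.com/ - NONE/- -
"""
# Lines quoted in the Aug 15 post, plus one constructed malformed line.
LOG_ALL_MISS = """\
1092455722.428   1469 10.0.0.14 TCP_MISS/200 1504 GET http://www.google.com/ - FIRST_UP_PARENT/212.26.70.36 text/html
1092455723.033    604 10.0.0.14 TCP_CLIENT_REFRESH_MISS/304 219 GET http://www.google.com/logos/summer2004_opening.gif - FIRST_UP_PARENT/212.26.70.36 text/html
1092455743.584   1964 10.0.0.14 TCP_MISS/302 618 GET http://www.gogle.com/ - FIRST_UP_PARENT/212.26.70.36 text/html
1092455744.236    647 10.0.0.14 TCP_MISS/200 1504 GET http://www.google.com/ - FIRST_UP_PARENT/212.26.70.36 text/html
truncated line without enough fields
"""

FIELDS = ("time", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "content_type")


def parse_line(line):
    """Parse one native-format access.log line; return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = float(rec["time"])
        rec["elapsed_ms"] = int(rec["elapsed_ms"])
        rec["bytes"] = int(rec["bytes"])
        code, status = rec["result"].split("/")        # e.g. TCP_MISS / 200
        how, peer = rec["hierarchy"].split("/", 1)     # e.g. FIRST_UP_PARENT / ip
        rec["status"] = int(status)
    except ValueError:
        return None
    rec.update(code=code, how=how, peer=peer)
    return rec


def summarize(lines):
    """Count hits, unanswered requests and the upstream peers that were used."""
    s = {"total": 0, "skipped": 0, "hits": 0, "no_reply": 0,
         "peers": Counter(), "slowest_ms": 0}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            s["skipped"] += 1
            continue
        s["total"] += 1
        s["slowest_ms"] = max(s["slowest_ms"], rec["elapsed_ms"])
        if "HIT" in rec["code"]:                 # TCP_HIT, TCP_MEM_HIT, ...
            s["hits"] += 1
        if rec["status"] == 0 and rec["how"] == "NONE":
            s["no_reply"] += 1                   # nothing came back from upstream
        elif rec["peer"] != "-":
            s["peers"][rec["peer"]] += 1
    return s


def findings(s):
    """Turn a summary into the labels used in this example."""
    out = []
    answered = s["total"] - s["no_reply"]
    if s["total"] and answered == 0:
        out.append("NO_UPSTREAM_REPLY")  # thread's reading: proxy box is offline
    if answered and s["hits"] == 0:
        out.append("NO_CACHE_HITS")      # everything was fetched from upstream
    return out


if __name__ == "__main__":
    for name, text in (("Aug 12", LOG_NO_REPLY), ("Aug 15", LOG_ALL_MISS)):
        summary = summarize(text.splitlines())
        print(name, findings(summary), dict(summary["peers"]))
```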
Title: about reconfiguring squid.conf
Post by: tomamodi on August 18, 2004, 09:43:04 AM
Dear Ricky
Please clear up one thing:
every time I change squid.conf I just restart the PC and nothing else. Is this the right way, or is it necessary to give -k reconfigure?
THANKS
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 18, 2004, 11:24:07 AM
Well you don't need to restart .. better use -k reconfigure !!
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 18, 2004, 11:24:43 AM
or you can restart squid..

-k restart
Title: ok
Post by: tomamodi on August 18, 2004, 07:00:00 PM
It means restart didn't reconfigure the changes in squid.conf?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 19, 2004, 05:52:49 AM
No, it does. Every time squid restarts it checks squid.conf!!
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 19, 2004, 08:49:58 AM
GOTIT
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 24, 2004, 03:28:51 AM
Where do I have to put the information to run squid automatically on restart?
rc.d/local  or ?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 24, 2004, 03:58:16 AM
Ricky, is it possible to put four DNS servers in this squid.conf?
 And I found this for offline work; do I put it in squid.conf?
offline_mode on
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: tomamodi on August 25, 2004, 03:16:03 AM
I have three proxy settings from my ISP
212.26.70.41
212.26.70.48
212.26.70.36
Sometimes one does not work and we change to the next.
So how do I put these three in squid to go through?
thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 25, 2004, 12:19:28 PM
You can do this by using the parent and sibling options
# format: cache_peer hostname type http_port icp_port [options]
cache_peer 212.26.70.41      parent    3128  0  no-query
cache_peer 212.26.70.48      sibling   3128  0  no-query
cache_peer 212.26.70.36      sibling   3128  0  no-query

Well, if your ISP proxy doesn't support ICP then you have to specify all as parent

use cache_peer 212.26.70.36         parent   3128  0  no-query default
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 25, 2004, 12:37:29 PM
Quote from: "tomamodi"
Ricky, is it possible to put four DNS servers in this squid.conf?
 And I found this for offline work; do I put it in squid.conf?
offline_mode on

Well to this answer see this link
 linuxdevcenter.com/pub/a/linux/2001/08/02/offline_squid.html
Title: Re: Configuring Squid Proxy server & Transparent Proxy
Post by: tallship on September 12, 2004, 08:58:01 AM
Quote from: "Ricky"

(b) Making squid work in Transparent way


Hi Ricky :) (or anyone else who knows...)

What about this?

Code: [Select]

#  TAG: redirect_rewrites_host_header
#       By default Squid rewrites any Host: header in redirected
#       requests.  If you are running an accelerator then this may
#       not be a wanted effect of a redirector.
#
#Default:
# redirect_rewrites_host_header on


What are the ramifications of leaving this on versus turning it off - both wrt performance and otherwise? Suggestions? Recommendations?

.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on September 12, 2004, 11:47:46 AM
Well, I have never altered it, but what it says is to turn it off when using an accelerator.

But it says "may"!! Well, I will look around for it; if I find something important I will tell you!
Title: How to get the mails from POP3 Server
Post by: khanduja75 on October 02, 2004, 06:07:36 PM
I am running SQUID Proxy on Redhat 9 Linux. But I am unable to get my POP3 mails through Outlook Express on my client machine, which has Win2000. Which ports are used for connecting to the POP3 & SMTP mail servers? What is the configuration for it (on Linux & Windows)? Please help.
Thanks
Regards
khanduja75
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on October 03, 2004, 06:25:00 AM
khanduja.. this is the most common problem which people faced while using squid, you can either make squid completely transparent or do port forwarding only for port 25 and port 110 !

Well what all you need is to dig around this forum! there is lot which has been discussed here already !
Title: New to Squid
Post by: ben_linux on October 16, 2004, 10:16:32 AM
Hello to all,
Firstly, thank you everyone for the excellent information which you have been posting over the past few months.  It is truly helpful!  I am new to squid and have a couple of quick and general questions before working myself up the ladder:

 I am currently running squid on my laptop (redhat vs. 8.0).  I have set http_port 80.  I currently do not have a network.  Is it still possible to configure squid and my webbrowser to perform caching as I am visiting web pages on my laptop?

I have already tried configuring my webbrowser after I followed the basic recommended changes on the squid.conf file.  In my webbrowser (Mozilla or Netscape) I clicked on Edit --> preferences --> advanced --> proxies and changed http proxy to 192.168.0.1 and the port to 80.  When I click ok and try to open a webpage, I get a "bad request: 400".  

I am probably doing something totally wrong, hence I decided to ask you folks.  I just want to know if I can run squid and cache webpages on a stand-alone machine prior to creating a network.

Thank you all!
Title: aclParseIPData
Post by: ben_linux on October 16, 2004, 10:23:04 AM
by the way, when I run squid I see the following warning:

aclParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.0.1/255.255.255.0'

What does this mean exactly? Now mind you, I have the following line in squid.conf even though I don't have a network mynet.  Should I just comment this line out:


                                 acl mynet src 192.168.0.1/255.255.255.0

Thanks again!
ben
Title: Re: aclParseIPData
Post by: tomamodi on October 23, 2004, 06:18:23 AM
Quote from: "ben_linux"
by the way, when I run squid I see the following warning:

aclParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.0.1/255.255.255.0'


 make it                        

acl mynet src 192.168.0.0/255.255.255.0
Title: Re: aclParseIPData
Post by: tallship on October 24, 2004, 08:01:53 PM
Quote from: "tomamodi"
Quote from: "ben_linux"
by the way, when I run squid I see the following warning:

aclParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.0.1/255.255.255.0'


 make it                      

acl mynet src 192.168.0.0/255.255.255.0

Yes. 192.168.0.1 is a /32 (an individual host number using all 32 bits). If you were to set it up with an acl, you would have done this instead:

Code: [Select]

acl mynet src 192.168.0.1/255.255.255.255


That makes it a single host. But it's not very useful ;) Therefore, you want something that applies to your entire Class C network (a /24 - 24 bits are used for the network and the rest are the hosts).

So use the recommendation provided by Tomamodi instead for the network number of 192.168.0."0" - ."1" is a particular host where all 32 bits are used to represent that particular machine.

Remember, that the range for any particular /24 network begins and ends with a 32 bit number that you cannot use for a host.

i.e., 192.168.0.0 - 192.168.0.255

This includes the possibility for 254 actual hosts, 192.168.0.0 is the network number, and 192.168.0.255 is the broadcast address in CIDR if you have not subnetted the network any further (if you haven't, for example, split it up into two /25 networks).

This yields 192.168.0.1 - 192.168.0.254 as usable host IPs, with a netmask of 255.255.255.0 (you're only using 24 of the 32 bits for the network portion).

I hope that helps more than it confuses ;)

Kindest regards,

Bradley
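The check behind that warning can be run over a whole squid.conf before Squid is started. This is an added example, not part of the original post: it flags every `acl ... src` entry whose address has bits set outside its netmask, proposes the network number to use instead, and computes the network, broadcast and usable host range described above. The configuration fragment is constructed, apart from the "mynet" line quoted in the thread.

```python
import ipaddress

# Constructed squid.conf fragment; the "mynet" line is the one from the thread.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl mynet src 192.168.0.1/255.255.255.0   # triggers the aclParseIpData warning
acl our_networks src 192.168.1.0/24 192.168.2.7/24
acl CONNECT method CONNECT
"""


def check_src_acls(conf_text):
    """Return (line number, acl name, value as written, corrected value) for
    every `acl ... src` entry whose address has bits set outside the netmask."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parts = line.split("#", 1)[0].split()
        if len(parts) < 4 or parts[0] != "acl" or parts[2] != "src":
            continue
        for value in parts[3:]:
            addr, slash, mask = value.partition("/")
            if not slash or "-" in addr or value.startswith('"'):
                continue  # bare host, address range or pattern file: not checked
            iface = ipaddress.ip_interface(value)
            net = iface.network
            if iface.ip != net.network_address:
                # Keep the author's notation: dotted mask or prefix length.
                fixed_mask = net.netmask if "." in mask else net.prefixlen
                findings.append((lineno, parts[1], value,
                                 f"{net.network_address}/{fixed_mask}"))
    return findings


def describe(value):
    """Network number, broadcast address and usable host range of an entry."""
    net = ipaddress.ip_interface(value).network
    if net.prefixlen <= 30:
        # First and last addresses are the network number and the broadcast.
        first = net.network_address + 1
        last = net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:
        # /31 and /32 have no separate network or broadcast address.
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "first_host": str(first),
            "last_host": str(last),
            "usable_hosts": usable}


if __name__ == "__main__":
    for lineno, name, written, fixed in check_src_acls(SAMPLE_CONF):
        print(f"line {lineno}: acl {name}: {written} -> {fixed}")
    print(describe("192.168.0.1/255.255.255.0"))
```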
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Nano on November 29, 2004, 11:21:48 AM
Hi all,

Well, well, well, I have the same problem of rights, but I am quite sure my rights are good, because I started Squid one time and it worked. Now I have reinitialised the cache due to a squid process that stack overflowed the memory ...

Using Fedora Core 3
configured my cache directory like that :

chown squid:squid to my  /usr/local/squid/cache.
chmod 770 /usr/local/squid/cache

drwxrwx---   2 squid squid 4096 nov 26 17:46 cache

and also have changed to my var/log/squid directory

drwxrwx---   2 squid    squid        4096 nov 29 12:14 squid

Squid fail when initializing the /etc/init.d/squid start

init_cache_dir /usr/local/squid/cache... Démarrage de squid :....................                                                          [FAILED]

In the squid.out have :

 2004/11/29 12:09:10| Creating Swap Directories
FATAL: Failed to make swap directory /usr/local/squid/cache/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.002 seconds = 0.002 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0


In the cache.log :

2004/11/29 12:09:24| /usr/local/squid/cache/00: (2) No such file or directory
FATAL:  Failed to verify one of the swap directories, Check cache.log
        for details.  Run 'squid -z' to create swap directories
        if needed, or if running Squid for the first time.
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.059 seconds = 0.031 user + 0.028 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0


when trying to launch squid -z i have nothing on the console :

[root@azimov squid]# squid -z
[root@azimov squid]#


I'm sure that it's a problem of rights, but I don't have a clue where the error might be ...

any ideas ???
bye
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on November 29, 2004, 04:28:00 PM
Hmm.. So you are using squid as USER squid ! then

first delete your cache directory and then recreate it and now give it the following access rules
Code: [Select]
chown squid:squid /path/to/cache

chmod 770 /path/to/cache

And tell me how is that going !
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Nano on November 30, 2004, 08:09:09 AM
Well, I've detected what was wrong.
The squid installed was from a package with yum for my FC 3, and it seems that the install sets the right permissions only for the directory /var/spool/cache, and the daemon launched by /etc/init.d/squid start needs this directory.

I've made another test: I've installed Squid from scratch (compiling it and make install) and now I have a directory /usr/local/squid/bin (the directory is not created by the RPM install).

I have granted the right permissions to the directory /usr/local/squid/.. and now it works fine ....

To conclude: as usual, better starting from scratch than using an install ....

 :lol:  :lol:  :lol:

Thx for your help .
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kes_bang on December 30, 2004, 08:05:26 AM
This tutorial is really helpful.

But I have few things to discuss.

My requirement is like this..

I have a proxy server Microsoft web proxy 2.0 I need to configure squid to all users to access internet, internally this squid proxy server will request microsoft web proxy.

I need to configure squid as cache only server.

I have enabled authentication on MS proxy so need to give login id and password to access the MS proxy from squid.

Initially I do not want to configure any acl...

Please guide me how to go about this....

I am using red hat linux ver 8.0 squid ver  squid-2.4.STABLE7

Waiting for reply
Thanks in advance
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: anybody on January 03, 2005, 02:10:52 PM
hello

If you are configuring squid from the source

for the latest source tar.gz

there is one little change

#after configure

it is now
make all instead of make

then it is  make install
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: vikram0123 on January 12, 2005, 02:09:10 AM
Hi,

Can someone help me? I have a problem configuring squid. I use wireless internet, so can any client detect the proxy automatically without my needing to configure the proxy and the port? And can I block some PCs from accessing the internet, because some of the staff tend to give their username and password to others so others can access the internet? Should I make a script to classify each of their proxy computers, or is there another way?

thanks in advance
Vikram
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on January 12, 2005, 11:19:48 AM
use transparent proxy and then do filtering.. you can see my various other posts about this in the forum !
Title: Issue with transparency proxy using squid and access'g https
Post by: b0n3thug5 on January 14, 2005, 04:03:30 AM
I have installed and configured squid using a transparency proxy setup. I am able to surf to any website that uses http:// but not https://.  My setup is as such: I have a linux box that I use as a firewall and it then has two other network connections that access one DMZ network and one LOCAL network.  I have my squid server in the DMZ.  I have followed the setup as earlier in this post, almost to the T.  I would like to be able to access the https:// websites but also lock down my internet access since I have younger children that are getting ready to get on the internet.  All my traffic goes through the firewall then jumps to the DMZ server and uses that squid server to redirect the http to port 3128.

My configuration is as follows:

vi /etc/squid/squid.conf
maximum_object_size 8192 KB

cache_mem 16 MB
cache_dir ufs /var/spool/cache/ 2048 22 256
cache_store_log none
cache_mgr bryan.jones@thebuc.com
cache_effective_user squid
cache_effective_group squid

ftp_user bryan.jones@thebuc.com

#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic children 5
#auth_param basic realm [thebuc.com]  Squid proxy-caching web server authentication



#acl name proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255


acl internal_lightning src 192.168.110.47
acl loc_net src 192.168.110.0/255.255.255.0
#acl internal proxy_auth 192.168.110.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#http_access allow name
http_access allow loc_net
http_access allow internal_lightning
http_access deny all

redirector_access allow all
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 5

visible_hostname thebuc.com
unique_hostname  thebuc.com

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

http_port 3128

Things that I do on the firewall to access the squid server

First:
if [ -z "`ip rule list | grep www.out`" ] ; then
        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 65.66.142.44 dev eth2 table www.out
        ip route flush cache
fi

Second:
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 202

This is what I do on the squid server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Is there anything that I might be missing, or can I access https:// websites using transparency proxy in squid?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on January 14, 2005, 10:32:03 AM
The problem you are facing about squid not being able to access https has also been reported by another guy in the forum; here is the discussion! Maybe you can understand what may be wrong, although your configuration seems to be alright here..
See transparent proxy and https (http://www.linuxsolved.com/forums/ftopic944.html)
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: b0n3thug5 on January 14, 2005, 05:04:57 PM
I have read that post and I guess, since I am new to squid, this does not make it quite clear what my issue might be.  From the post that you referred me to earlier.... it says that I should try the following:

http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports

I have tried this but I am still not getting https:// access.  I guess I am a newbie to squid that I do not understand why I am not able to access https:// websites.  I figured, being some what naive, that I could get access to http:// and https:// access.  Where should I look, if it is possible, to have access to both... to assist me.

Thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: b0n3thug5 on January 14, 2005, 05:36:11 PM
I am not tied down to doing a transparency proxy, I just would like to be able to use squidGuard so that I can limit what sites my household surfs to.  My network is somewhat diverse: I have a firewall server (redhat linux) running iptables (shorewall setup), my squid server is in my DMZ (redhat 9) and I have a local network that currently is set up to masquerade to the internet.  I want to turn off masq and use the squid proxy to surf the internet.  I have my configuration in the post above; can someone assist me on how to set up my squid to allow for proxy service?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on January 15, 2005, 09:40:17 AM
so are you still facing problem on accessing https ?

In simple proxy , you have to configure your browser to use same port ie on which squid is running for https also ! ie same ports for all protocols !
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: amnyarku on April 30, 2005, 06:54:42 PM
Pls,

Help me to recompile my squid to run transparent proxy

Thankx
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on May 08, 2005, 09:59:48 AM
The answer for your question has been already given on very first page of this thread..
Title: Is this possible
Post by: JoeDirte on May 19, 2005, 04:36:51 PM
What I'm trying to set up is this.  When a user opens up any browser they are redirected to a login page; once logged in they can browse the internet normally.  Depending on their login and password, certain websites are not allowed, i.e. a child's login bans certain websites while an admin has unrestricted access to everything.
I'm trying to implement this with squid/squidguard.  I have seen something similar to this at the university with their wireless connection. I would like to use a transparent proxy with this setup.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on May 19, 2005, 05:04:56 PM
Proxy authentication doesn't work well in a transparent way.. it works best when used as a normal proxy.

Btw.. mutthu is also trying to solve something like yours.. he can probably help you out better.. but it is possible.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: chandu on May 19, 2005, 07:20:09 PM
how to configure in linux for internet sharing
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on May 20, 2005, 11:06:00 AM
@chandu ..

You are actually asking for NAT. I have already given tutorial for that --> Internet sharing in linux (http://www.linuxsolved.com/forums/ftopic115.html) .
Instead you can also use firestarter. A gui for your task.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: sabobo on June 06, 2005, 11:23:37 AM
Hi! I was trying to set up a proxy and I followed the config from the proxy how-to, but I'm getting this message in my /var/logs/cache.log

Squid Cache (Version 2.5.STABLE1): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.000 user + 0.020 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 478
2005/06/06 19:06:41| Starting Squid Cache version 2.5.STABLE1 for i386-redhat-linux-gnu...
2005/06/06 19:06:41| Process ID 4010
2005/06/06 19:06:41| With 1024 file descriptors available
2005/06/06 19:06:41| Performing DNS Tests...
FATAL: ipcache_init: DNS name lookup tests failed.

And my client can't connect to the proxy I set up, I mean the client can't browse using my proxy.
What seems to be the problem?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on June 07, 2005, 06:34:57 AM
Code: [Select]
FATAL: ipcache_init: DNS name lookup tests failed.
This is the problem. Your proxy is not running, and the reason is that you need to make sure your internet is connected and you are able to open websites on the machine which is running squid.
Actually squid is unable to verify if you are connected to the internet or not.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: sabobo on June 08, 2005, 02:54:40 AM
Ahhh... OK, now I understand. Thank you! Bro, I really appreciate your help. But there's another thing..... You see, before I configured squid.conf my PC could connect to the internet through the DSL modem router. Then I tried configuring rc.nat, the one in your rc.nat how-to, and it works fine... all clients that I connect to my PC to share internet work fine; they all connect to the internet using the IP of my PC. That means I configured it well, right? But when I configured squid.conf (following your squid how-to) that thing happened, and when I try to surf on my PC I can't. Am I missing something, or what? Oh, by the way, my squid.conf is in /etc/squid/squid.conf, not in usr/local/squid/etc/squid.conf, and my cache.log is in /var/log/cache.log, not in /usr/local/squid/var/logs/cache.log, and I'm using redhat 9...... maybe that matters. Does it?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: omnia on June 08, 2005, 09:01:51 AM
Hi Ricky

I'm using fedora core 3. Do I have to change anything in the redirect command, as I'm installing transparent squid?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

because it seems to be not working

and when do I need to use DNAT?
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on June 11, 2005, 09:37:16 AM
You don't need to make any changes.. all you have to make sure is that you are specifying the right interface and the right port.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Dafoe on July 18, 2005, 04:51:46 PM
Hi,

I'm trying to access my newly configured squid proxy on my linux box which is on a different localnet. The machine which is designed to use that proxy connects to internet through another machine.

So here's my linux-box squid.conf

where "honnun" is the outside ipaddress of my computer.


Code: [Select]

maximum_object_size 8192 KB  


cache_mem 16 MB


cache_dir ufs /usr/local/misc/squid_cache 2048 22 256


cache_store_log none


#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255


#acl your_network src 192.168.0.0/255.255.255.0
acl honnun src 194.105.243.29
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


http_access allow honnun
http_access deny all
icp_access allow all
miss_access allow all

cache_mgr ari.bjornsson@gmail.com

visible_hostname bender.verk.hi.is
unique_hostname bender.verk.hi.is

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

http_port 3128



when I put bender.verk.hi.is and port 3128 in IE proxy settings I get the error:

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
contact administrator ari.bjornsson@gmail.com

Squid starts normally, here is the log file:

Code: [Select]

2005/07/18 19:41:34| Starting Squid Cache version 2.5.STABLE9 for i386-debian-linux-gnu...
2005/07/18 19:41:34| Process ID 6449
2005/07/18 19:41:34| With 1024 file descriptors available
2005/07/18 19:41:34| DNS Socket created at 0.0.0.0, port 32812, FD 6
2005/07/18 19:41:34| Adding nameserver 130.208.165.10 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 130.208.165.82 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 130.208.165.11 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 130.208.165.87 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 213.176.128.50 from /etc/resolv.conf
2005/07/18 19:41:34| Adding nameserver 213.176.128.51 from /etc/resolv.conf
2005/07/18 19:41:34| User-Agent logging is disabled.
2005/07/18 19:41:34| Referer logging is disabled.
2005/07/18 19:41:34| Unlinkd pipe opened on FD 11
2005/07/18 19:41:34| Swap maxSize 2097152 KB, estimated 161319 objects
2005/07/18 19:41:34| Target number of buckets: 8065
2005/07/18 19:41:34| Using 8192 Store buckets
2005/07/18 19:41:34| Max Mem  size: 16384 KB
2005/07/18 19:41:34| Max Swap size: 2097152 KB
2005/07/18 19:41:34| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2005/07/18 19:41:34| Store logging disabled
2005/07/18 19:41:34| Rebuilding storage in /usr/local/misc/squid_cache (CLEAN)
2005/07/18 19:41:34| Using Least Load store dir selection
2005/07/18 19:41:34| Set Current Directory to /var/spool/squid
2005/07/18 19:41:34| Loaded Icons.
2005/07/18 19:41:35| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
2005/07/18 19:41:35| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2005/07/18 19:41:35| HTCP Disabled.
2005/07/18 19:41:35| WCCP Disabled.
2005/07/18 19:41:35| Ready to serve requests.
2005/07/18 19:41:35| Done reading /usr/local/misc/squid_cache swaplog (0 entries)
2005/07/18 19:41:35| Finished rebuilding storage from disk.
2005/07/18 19:41:35|         0 Entries scanned
2005/07/18 19:41:35|         0 Invalid entries.
2005/07/18 19:41:35|         0 With invalid flags.
2005/07/18 19:41:35|         0 Objects loaded.
2005/07/18 19:41:35|         0 Objects expired.
2005/07/18 19:41:35|         0 Objects cancelled.
2005/07/18 19:41:35|         0 Duplicate URLs purged.
2005/07/18 19:41:35|         0 Swapfile clashes avoided.
2005/07/18 19:41:35|   Took 0.3 seconds (   0.0 objects/sec).
2005/07/18 19:41:35| Beginning Validation Procedure
2005/07/18 19:41:35|   Completed Validation Procedure
2005/07/18 19:41:35|   Validated 0 Entries
2005/07/18 19:41:35|   store_swap_size = 0k
2005/07/18 19:41:35| storeLateRelease: released 0 objects


Why can't I access the internet through my proxy? (the linux-box is connected to the internet)

regards,
Ari Björnsson
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 20, 2005, 05:24:12 PM
Here problem is at two places..

1.
Code: [Select]

#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255

it should be .
Code: [Select]

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

as you should define ur own computer also..

Secondly ..
Code: [Select]
acl honnun src 194.105.243.29
will only allow access to that IP, i.e. 194.105.243.29.
I think you are trying to give access to a network and hence it should be like..
Code: [Select]
acl honnun src 194.105.243.0/255.255.255.0
only if it's a class C network.

Other than that I feel everything fine.. and kindly read the first page about configuration again.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: taiwo on August 03, 2005, 06:17:35 PM
The explanation you gave for squid: when I tried it, it accepted all the syntax but it did not work for me.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 06, 2005, 02:31:22 PM
taiwo..

Sorry but I don't understand.. what is not working for you? Can you explain a little more?
btw give me last few lines of your cache.log .. say last 10 lines.
Title: how to configure the smoothwall squid proxy
Post by: praful_thakare on August 11, 2005, 10:56:33 AM
Hello Rickey.... :D

I asked you about how to configure the squid proxy of smoothwall. You told me about that, thanks for that, but my problem is not solved yet..... :(

Here I installed smoothwall and it is running fine; all users access the internet through the proxy only, but I have no control over it....

I tried to configure an acl to allow only specific PCs on the network. I made changes in the acl file; here is my default configuration file

acl all src 0.0.0.0./0.0.0.0.
acl localhost src 127.0.0.1/255.255.255.255

acl SSL_Ports port 445 443 441 563
acl Safe_Ports 80                                  #http
acl Safe_Ports 81                                    #smoothwall http
acl Safe_Ports 21                                   # ftp
acl Safe_Ports 445 443 441 563              # https,snews
acl Safe_Ports 70                                  # gopher
acl Safe_Ports 210                                # wais
acl Safe_Ports 1025-65535                    # unregistry ports
acl Safe_Ports 280                               # http_mgmt
acl Safe_Ports 488                              #gss_http
acl Safe_Ports 591                              # filemaker
acl Safe_Ports 777                              # multiling http

acl CONNECT method CONNECT
http_access allow localnet
http_access deny !safe_port
http_access deny CONNECT ! SSL_Potrs
http_access allow localnet
http_access dent all


This is my default config file. I made changes to allow only specific PCs to access the internet. I made the changes before the line containing
http_access deny all
I inserted the following lines

acl ok_users src 192.168.0.2
acl ok_users src 192.168.0.3
http_access allow ok_users

and here I did one more thing: I commented out the line
http_access allow localnet as
#http_access allow localnet

Please kindly tell me where I am wrong, because whenever I make these changes my whole internet access is blocked by the proxy server, that is squid...


Here I want to configure squid such that I can block users from accessing the internet and decide their times of accessing the internet.


One more thing: how do I install man pages in smoothwall... as there are no manual pages in smoothwall?


And I want to know one thing: is it possible to configure squid such that while accessing the internet it will ask for a username and password, that is, authentication?

Please help me here, I am a new one :(
Thank you
Sorry for the trouble :(
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 11, 2005, 05:33:01 PM
hmm..

First off, I would like to tell you that you have to understand a few things about squid. Here you are totally wrong, and also smoothwall rewrites its squid.conf every time you start squid, so you have to edit the separate acl file in squid; I think you know it (now I don't remember its path).

So you have asked.
1. How to allow only specific ip.
2. How to allow user only at specific time.
3. How to install man pages.

For first question:
You should first make sure your squid.conf is normal one. Then remove line for local net ie don't allow local net , only allow specific ips.. for that
Code: [Select]
# This line will specify good ips, you can add as many as ip you want in this line, just leave a space after every ip.
acl good_ips src 192.168.4.4

 #this line will give access to good ips.
http_access allow good_ips

 #This one blocks everything else than the allowed one.
http_access deny all


For IInd question, see Squid time acl (http://www.linuxsolved.com/forums/ftopic166.html)

For IIIrd question. I recommend you to ask it as separate topic in appropriate section so that you can get better answers.
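
An added example (not code from any poster in this thread and not Squid's own implementation): a small Python model of first-match http_access evaluation, run over constructed configs built from ACL lines quoted in the posts above (the honnun host versus network ACL, the two ok_users lines, and the deny/allow variants of the Safe_ports and CONNECT rules). It models only src, port and method ACLs, and the client addresses 194.105.243.77, 194.105.244.1 and 203.0.113.9 are made up for the test.

```python
import ipaddress

def parse_conf(text):
    """Parse acl / http_access lines; only src, port and method ACLs are modelled."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            kind, values = acls.setdefault(words[1], (words[2], []))
            if kind != words[2]:
                raise ValueError("acl %s redefined with another type" % words[1])
            values.extend(words[3:])      # repeated acl lines with one name accumulate
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        # "a.b.c.d" is a single host; "a.b.c.d/mask" is a whole network
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    raise ValueError("ACL type %r is not modelled in this example" % kind)

def decide(conf, src, method, port):
    """Return 'allow' or 'deny' for one request: the first matching line wins."""
    acls, rules = parse_conf(conf)
    req = {"src": src, "method": method, "port": port}
    for action, names in rules:
        hit = True
        for name in names:                # every ACL on the line must match (AND)
            negate, key = name.startswith("!"), name.lstrip("!")
            if key not in acls:
                # this example refuses such a config instead of guessing Squid's handling
                raise ValueError("http_access uses undefined acl %r" % key)
            if acl_matches(acls[key], req) == negate:
                hit = False
                break
        if hit:
            return action
    if not rules:
        return "deny"                     # choice made for this example only
    # nothing matched: the decision is the opposite of the last http_access line
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample configs, assembled from lines quoted in the thread.
COMMON = """acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl CONNECT method CONNECT"""

def build(name, acl_lines, port_action="deny"):
    return "\n".join([COMMON, acl_lines,
                      "http_access %s !Safe_ports" % port_action,
                      "http_access %s CONNECT !SSL_ports" % port_action,
                      "http_access allow %s" % name,
                      "http_access deny all"])

def demo():
    host = build("honnun", "acl honnun src 194.105.243.29")
    net = build("honnun", "acl honnun src 194.105.243.0/255.255.255.0")
    users = build("ok_users", "acl ok_users src 192.168.0.2\nacl ok_users src 192.168.0.3")
    swapped = build("honnun", "acl honnun src 194.105.243.29", port_action="allow")
    return {
        "host_acl_same_ip": decide(host, "194.105.243.29", "GET", 80),
        "host_acl_neighbour": decide(host, "194.105.243.77", "GET", 80),
        "net_acl_neighbour": decide(net, "194.105.243.77", "GET", 80),
        "net_acl_outside": decide(net, "194.105.244.1", "GET", 80),
        "two_lines_second_ip": decide(users, "192.168.0.3", "GET", 80),
        "connect_443_posted": decide(host, "194.105.243.29", "CONNECT", 443),
        "connect_443_swapped": decide(swapped, "194.105.243.29", "CONNECT", 443),
        "connect_25_posted": decide(host, "194.105.243.29", "CONNECT", 25),
        "stranger_connect_25_swapped": decide(swapped, "203.0.113.9", "CONNECT", 25),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-28s %s" % (case, verdict))
```

In this model the two allow lines leave the CONNECT-to-443 decision unchanged and accept a request to a port outside Safe_ports from any source address before the source check is reached, so those two lines belong as deny. Widening honnun to a netmask admits every host in that network, so it should be used only when the whole range is meant to have access.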
Title: Re: How to get the mails from POP3 Server
Post by: thenitin on September 13, 2005, 07:06:40 AM
Quote from: "khanduja75"
I am running SQUID Proxy on Redhat 9 Linux. But I am unable to get my POP3 mails through Outlook Express on my Client machine, which is having Win2000. Which Port are used for connecting to POP3 & SMTP mail server? What is the configuration for it(on Linux & Windows). Please help.
Thanks
Regards
khanduja75
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on September 13, 2005, 05:41:54 PM
ports u are asking are port 110 and port 25 . Also if you  are having transparent proxy then you might have not configured NAT part well b'coz then you wouldn't be facing such problem
Title: Great help!
Post by: zandarin on September 17, 2005, 05:30:46 AM
Thanks to all in this forum! I am new to Linux, but I am learning fast. After days of struggling, I came here and got motivated, and learned, and got a cache server going for my place of employment. I am very stoked! I have to thank my boss for pushing me though as well.. I can create a cache server in less than an hour now, including the OS load. :)

Zan

PS.. I am attaching my config for free use of course. :)

This conf file will run squid 2.5 transparent. This means users that access it will not need to enter any proxy settings to browse... and will not know they are connecting through a proxy... as long as you are not running an http server, like apache. Make sure you create a user and group called squid if you decide to use this conf, and make sure that user has read/write access to the squid dir, and all sub directories. :)

[code]
#   WELCOME TO SQUID 2
#   ------------------
#
#   This is the default Squid configuration file. You may wish
#   to look at the Squid home page (http://www.squid-cache.org/)
#   for the FAQ and other documentation.
#
#   The default Squid config file shows what the defaults for
#   various options happen to be.  If you don't need to change the
#   default, you shouldn't uncomment the line.  Doing so may cause
#   run-time problems.  In some cases "none" refers to no default
#   setting at all, while in other cases it refers to a valid
#   option - the comments for that keyword indicate if this is the
#   case.
#
#******************************************************

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#   Usage:   port
#      hostname:port
#      1.2.3.4:port
#
#   The socket addresses where Squid will listen for HTTP client
#   requests.  You may specify multiple socket addresses.
#   There are three forms: port alone, hostname with port, and
#   IP address with port.  If you specify a hostname or IP
#   address, Squid binds the socket to that specific
#   address.  This replaces the old 'tcp_incoming_address'
#   option.  Most likely, you do not need to bind to a specific
#   address, so you can use the port number alone.
#
#   The default port number is 3128.
#
#   If you are running Squid in accelerator mode, you
#   probably want to listen on port 80 also, or instead.
#
#   The -a command line option will override the *first* port
#   number listed here.   That option will NOT override an IP
#   address, however.
#
#   You may specify multiple socket addresses on multiple lines.
#
#   If you run Squid on a dual-homed machine with an internal
#   and an external interface we recommend you to specify the
#   internal address:port in http_port. This way Squid will only be
#   visible on the internal address.
#
#Default:
http_port 80
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#  TAG: https_port
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#        Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
#        The socket address where Squid will listen for HTTPS client
#        requests.
#
#        This is really only useful for situations where you are running
#        squid in accelerator mode and you want to do the SSL work at the
#        accelerator level.
#
#   You may specify multiple socket addresses on multiple lines,
#   each with their own SSL certificate and/or options.
#
#   Options:
#
#      cert=   Path to SSL certificate (PEM format)
#
#      key=      Path to SSL private key file (PEM format)
#         if not specified, the certificate file is
#         assumed to be a combined certificate and
#         key file
#
#      version=   The version of SSL/TLS supported
#             1   automatic (default)
#             2   SSLv2 only
#             3   SSLv3 only
#             4   TLSv1 only
#
#      cipher=   Colon separated list of supported ciphers
#
#      options=   Varions SSL engine options. The most important
#         being:
#             NO_SSLv2  Disallow the use of SSLv2
#             NO_SSLv3  Disallow the use of SSLv3
#             NO_TLSv1  Disallow the use of TLSv1
#         See src/ssl_support.c or OpenSSL documentation
#         for a more complete list.
#
#Default:
# none

#  TAG: ssl_unclean_shutdown
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option
#
#   Some browsers (especially MSIE) bugs out on SSL shutdown
#   messages.
#
#Default:
# ssl_unclean_shutdown off

#  TAG: icp_port
#   The port number where Squid sends and receives ICP queries to
#   and from neighbor caches.  Default is 3130.  To disable use
#   "0".  May be overridden with -u on the command line.
#
#Default:
# icp_port 3130

#  TAG: htcp_port
# Note: This option is only available if Squid is rebuilt with the
#       --enable-htcp option
#
#   The port number where Squid sends and receives HTCP queries to
#   and from neighbor caches.  Default is 4827.  To disable use
#   "0".
#
#Default:
# htcp_port 4827

#  TAG: mcast_groups
#   This tag specifies a list of multicast groups which your server
#   should join to receive multicasted ICP queries.
#
#   NOTE!  Be very careful what you put here!  Be sure you
#   understand the difference between an ICP _query_ and an ICP
#   _reply_.  This option is to be set only if you want to RECEIVE
#   multicast queries.  Do NOT set this option to SEND multicast
#   ICP (use cache_peer for that).  ICP replies are always sent via
#   unicast, so this option does not affect whether or not you will
#   receive replies from multicast group members.
#
#   You must be very careful to NOT use a multicast address which
#   is already in use by another group of caches.
#
#   If you are unsure about multicast, please read the Multicast
#   chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
#
#   Usage: mcast_groups 239.128.16.128 224.0.1.20
#
#   By default, Squid doesn't listen on any multicast groups.
#
#Default:
# none

#  TAG: udp_incoming_address
#  TAG: udp_outgoing_address
#   udp_incoming_address   is used for the ICP socket receiving packets
#            from other caches.
#   udp_outgoing_address   is used for ICP packets sent out to other
#            caches.
#
#   The default behavior is to not bind to any specific address.
#
#   A udp_incoming_address value of 0.0.0.0 indicates Squid
#   should listen for UDP messages on all available interfaces.
#
#   If udp_outgoing_address is set to 255.255.255.255 (the default)
#   it will use the same socket as udp_incoming_address. Only
#   change this if you want to have ICP queries sent using another
#   address than where this Squid listens for ICP queries from other
#   caches.
#
#   NOTE, udp_incoming_address and udp_outgoing_address can not
#   have the same value since they both use port 3130.
#
#Default:
# udp_incoming_address 0.0.0.0
# udp_outgoing_address 255.255.255.255


# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

#  TAG: cache_peer
#   To specify other caches in a hierarchy, use the format:
#
#      cache_peer hostname type http_port icp_port
#
#   For example,
#
#   #                                        proxy  icp
#   #          hostname             type     port   port  options
#   #          -------------------- -------- ----- -----  -----------
#   cache_peer parent.foo.net       parent    3128  3130  [proxy-only]
#   cache_peer sib1.foo.net         sibling   3128  3130  [proxy-only]
#   cache_peer sib2.foo.net         sibling   3128  3130  [proxy-only]
#
#         type:  either 'parent', 'sibling', or 'multicast'.
#
#   proxy_port:  The port number where the cache listens for proxy
#           requests.
#
#     icp_port:  Used for querying neighbor caches about
#           objects.  To have a non-ICP neighbor
#           specify '7' for the ICP port and make sure the
#           neighbor machine has the UDP echo port
#           enabled in its /etc/inetd.conf file.
#
#       options: proxy-only
#           weight=n
#           ttl=n
#           no-query
#           default
#           round-robin
#           multicast-responder
#           closest-only
#           no-digest
#           no-netdb-exchange
#           no-delay
#           login=user:password | PASS | *:password
#           connect-timeout=nn
#           digest-url=url
#           allow-miss
#           max-conn
#           htcp
#           carp-load-factor
#
#           use 'proxy-only' to specify objects fetched
#           from this cache should not be saved locally.
#
#           use 'weight=n' to specify a weighted parent.
#           The weight must be an integer.  The default weight
#           is 1, larger weights are favored more.
#
#           use 'ttl=n' to specify a IP multicast TTL to use
#           when sending an ICP queries to this address.
#           Only useful when sending to a multicast group.
#           Because we don't accept ICP replies from random
#           hosts, you must configure other group members as
#           peers with the 'multicast-responder' option below.
#
#           use 'no-query' to NOT send ICP queries to this
#           neighbor.
#
#           use 'default' if this is a parent cache which can
#           be used as a "last-resort." You should probably
#           only use 'default' in situations where you cannot
#           use ICP with your parent cache(s).
#
#           use 'round-robin' to define a set of parents which
#           should be used in a round-robin fashion in the
#           absence of any ICP queries.
#
#           'multicast-responder' indicates the named peer
#           is a member of a multicast group.  ICP queries will
#           not be sent directly to the peer, but ICP replies
#           will be accepted from it.
#
#           'closest-only' indicates that, for ICP_OP_MISS
#           replies, we'll only forward CLOSEST_PARENT_MISSes
#           and never FIRST_PARENT_MISSes.
#
#           use 'no-digest' to NOT request cache digests from
#           this neighbor.
#
#           'no-netdb-exchange' disables requesting ICMP
#           RTT database (NetDB) from the neighbor.
#
#           use 'no-delay' to prevent access to this neighbor
#           from influencing the delay pools.
#
#           use 'login=user:password' if this is a personal/workgroup
#           proxy and your parent requires proxy authentication.
#           Note: The string can include URL escapes (i.e. %20 for
#           spaces). This also means % must be written as %%.
#
#           use 'login=PASS' if users must authenticate against
#           the upstream proxy. This will pass the users credentials
#           as they are to the peer proxy. This only works for the
#           Basic HTTP authentication sheme. Note: To combine this
#           with proxy_auth both proxies must share the same user
#           database as HTTP only allows for one proxy login.
#           Also be warned this will expose your users proxy
#           password to the peer. USE WITH CAUTION
#
#           use 'login=*:password' to pass the username to the
#           upstream cache, but with a fixed password. This is meant
#           to be used when the peer is in another administrative
#           domain, but it is still needed to identify each user.
#           The star can optionally be followed by some extra
#           information which is added to the username. This can
#           be used to identify this proxy to the peer, similar to
#           the login=username:password option above.
#
#           use 'connect-timeout=nn' to specify a peer
#           specific connect timeout (also see the
#           peer_connect_timeout directive)
#
#           use 'digest-url=url' to tell Squid to fetch the cache
#           digest (if digests are enabled) for this host from
#           the specified URL rather than the Squid default
#           location.
#
#           use 'allow-miss' to disable Squid's use of only-if-cached
#           when forwarding requests to siblings. This is primarily
#           useful when icp_hit_stale is used by the sibling. To
#           extensive use of this option may result in forwarding
#           loops, and you should avoid having two-way peerings
#           with this option. (for example to deny peer usage on
#           requests from peer by denying cache_peer_access if the
#           source is a peer)
#
#           use 'max-conn' to limit the amount of connections Squid
#           may open to this peer.
#
#           use 'htcp' to send HTCP, instead of ICP, queries
#           to the neighbor.  You probably also want to
#           set the "icp port" to 4827 instead of 3130.
#
#           use 'carp-load-factor=f' to define a parent
#           cache as one participating in a CARP array.
#           The 'f' values for all CARP parents must add
#           up to 1.0.
#
#
#   NOTE: non-ICP/HTCP neighbors must be specified as 'parent'.
#
#Default:
# none

#  TAG: cache_peer_domain
#   Use to limit the domains for which a neighbor cache will be
#   queried.  Usage:
#
#   cache_peer_domain cache-host domain [domain ...]
#   cache_peer_domain cache-host !domain
#
#   For example, specifying
#
#      cache_peer_domain parent.foo.net   .edu
#
#   has the effect such that UDP query packets are sent to
#   'bigserver' only when the requested object exists on a
#   server in the .edu domain.  Prefixing the domainname
#   with '!' means the cache will be queried for objects
#   NOT in that domain.
#
#   NOTE:   * Any number of domains may be given for a cache-host,
#        either on the same or separate lines.
#      * When multiple domains are given for a particular
#        cache-host, the first matched domain is applied.
#      * Cache hosts with no domain restrictions are queried
#        for all requests.
#      * There are no defaults.
#      * There is also a 'cache_peer_access' tag in the ACL
#        section.
#
#Default:
# none

#  TAG: neighbor_type_domain
#   usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
#   Modifying the neighbor type for specific domains is now
#   possible.  You can treat some domains differently than the
#   default neighbor type specified on the 'cache_peer' line.
#   Normally it should only be necessary to list domains which
#   should be treated differently because the default neighbor type
#   applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
#   cache_peer cache.foo.org parent 3128 3130
#   neighbor_type_domain cache.foo.org sibling .com .net
#   neighbor_type_domain cache.foo.org sibling .au .de
#
#Default:
# none

#  TAG: icp_query_timeout   (msec)
#   Normally Squid will automatically determine an optimal ICP
#   query timeout value based on the round-trip-time of recent ICP
#   queries.  If you want to override the value determined by
#   Squid, set this 'icp_query_timeout' to a non-zero value.  This
#   value is specified in MILLISECONDS, so, to use a 2-second
#   timeout (the old default), you would write:
#
#      icp_query_timeout 2000
#
#Default:
# icp_query_timeout 0

#  TAG: maximum_icp_query_timeout   (msec)
#   Normally the ICP query timeout is determined dynamically.  But
#   sometimes it can lead to very large values (say 5 seconds).
#   Use this option to put an upper limit on the dynamic timeout
#   value.  Do NOT use this option to always use a fixed (instead
#   of a dynamic) timeout value. To set a fixed timeout see the
#   'icp_query_timeout' directive.
#
#Default:
# maximum_icp_query_timeout 2000

#  TAG: mcast_icp_query_timeout   (msec)
#   For Multicast peers, Squid regularly sends out ICP "probes" to
#   count how many other peers are listening on the given multicast
#   address.  This value specifies how long Squid should wait to
#   count all the replies.  The default is 2000 msec, or 2
#   seconds.
#
#Default:
# mcast_icp_query_timeout 2000

#  TAG: dead_peer_timeout   (seconds)
#   This controls how long Squid waits to declare a peer cache
#   as "dead."  If there are no ICP replies received in this
#   amount of time, Squid will declare the peer dead and not
#   expect to receive any further ICP replies.  However, it
#   continues to send ICP queries, and will mark the peer as
#   alive upon receipt of the first subsequent ICP reply.
#
#   This timeout also affects when Squid expects to receive ICP
#   replies from peers.  If more than 'dead_peer' seconds have
#   passed since the last ICP reply was received, Squid will not
#   expect to receive an ICP reply on the next query.  Thus, if
#   your time between requests is greater than this timeout, you
#   will see a lot of requests sent DIRECT to origin servers
#   instead of to your parents.
#
#Default:
# dead_peer_timeout 10 seconds

#  TAG: hierarchy_stoplist
#   A list of words which, if found in a URL, cause the object to
#   be handled directly by this cache.  In other words, use this
#   to not query neighbor caches for certain objects.  You may
#   list this option multiple times.
#We recommend you use at least the following line.
hierarchy_stoplist cgi-bin ?

#  TAG: no_cache
#   A list of ACL elements which, if matched, cause the request to
#   not be satisfied from the cache and the reply to not be cached.
#   In other words, use this to force certain objects to never be cached.
#
#   You must use the word 'DENY' to indicate the ACL names which should
#   NOT be cached.
#
#We recommend you use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------

#  TAG: cache_mem   (bytes)
#   NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
#   IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
#   USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
#   THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
#   'cache_mem' specifies the ideal amount of memory to be used
#   for:
#      * In-Transit objects
#      * Hot Objects
#      * Negative-Cached objects
#
#   Data for these objects are stored in 4 KB blocks.  This
#   parameter specifies the ideal upper limit on the total size of
#   4 KB blocks allocated.  In-Transit objects take the highest
#   priority.
#
#   In-transit objects have priority over the others.  When
#   additional space is needed for incoming data, negative-cached
#   and hot objects will be released.  In other words, the
#   negative-cached and hot objects will fill up any unused space
#   not needed for in-transit objects.
#
#   If circumstances require, this limit will be exceeded.
#   Specifically, if your incoming request rate requires more than
#   'cache_mem' of memory to hold in-transit objects, Squid will
#   exceed this limit to satisfy the new requests.  When the load
#   decreases, blocks will be freed until the high-water mark is
#   reached.  Thereafter, blocks will be used to store hot
#   objects.
#
#Default:
# cache_mem 8 MB

#  TAG: cache_swap_low   (percent, 0-100)
#  TAG: cache_swap_high   (percent, 0-100)
#
#   The low- and high-water marks for cache object replacement.
#   Replacement begins when the swap (disk) usage is above the
#   low-water mark and attempts to maintain utilization near the
#   low-water mark.  As swap utilization gets close to high-water
#   mark object eviction becomes more aggressive.  If utilization is
#   close to the low-water mark less replacement is done each time.
#
#   Defaults are 90% and 95%. If you have a large cache, 5% could be
#   hundreds of MB. If this is the case you may wish to set these
#   numbers closer together.
#
#Default:
# cache_swap_low 90
# cache_swap_high 95

#  TAG: maximum_object_size   (bytes)
#   Objects larger than this size will NOT be saved on disk.  The
#   value is specified in kilobytes, and the default is 4MB.  If
#   you wish to get a high BYTES hit ratio, you should probably
#   increase this (one 32 MB object hit counts for 3200 10KB
#   hits).  If you wish to increase speed more than you want to
#   save bandwidth you should leave this low.
#
#   NOTE: if using the LFUDA replacement policy you should increase
#   this value to maximize the byte hit rate improvement of LFUDA!
#   See replacement_policy below for a discussion of this policy.
#
#Default:
# maximum_object_size 4096 KB

#  TAG: minimum_object_size   (bytes)
#   Objects smaller than this size will NOT be saved on disk.  The
#   value is specified in kilobytes, and the default is 0 KB, which
#   means there is no minimum.
#
#Default:
# minimum_object_size 0 KB

#  TAG: maximum_object_size_in_memory   (bytes)
#        Objects greater than this size will not be attempted to be kept in
#        the memory cache. This should be set high enough to keep objects
#        accessed frequently in memory to improve performance whilst low
#        enough to keep larger objects from hoarding cache_mem .
#
#Default:
# maximum_object_size_in_memory 8 KB

#  TAG: ipcache_size   (number of entries)
#  TAG: ipcache_low   (percent)
#  TAG: ipcache_high   (percent)
#   The size, low-, and high-water marks for the IP cache.
#
#Default:
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95

#  TAG: fqdncache_size   (number of entries)
#   Maximum number of FQDN cache entries.
#
#Default:
# fqdncache_size 1024

#  TAG: cache_replacement_policy
#   The cache replacement policy parameter determines which
#   objects are evicted (replaced) when disk space is needed.
#
#       lru       : Squid's original list based LRU policy
#       heap GDSF : Greedy-Dual Size Frequency
#       heap LFUDA: Least Frequently Used with Dynamic Aging
#       heap LRU  : LRU policy implemented using a heap
#
#   Applies to any cache_dir lines listed below this.
#
#   The LRU policies keep recently referenced objects.
#
#   The heap GDSF policy optimizes object hit rate by keeping smaller
#   popular objects in cache so it has a better chance of getting a
#   hit.  It achieves a lower byte hit rate than LFUDA though since
#   it evicts larger (possibly popular) objects.
#
#   The heap LFUDA policy keeps popular objects in cache regardless of
#   their size and thus optimizes byte hit rate at the expense of
#   hit rate since one large, popular object will prevent many
#   smaller, slightly less popular objects from being cached.
#
#   Both policies utilize a dynamic aging mechanism that prevents
#   cache pollution that can otherwise occur with frequency-based
#   replacement policies.
#
#   NOTE: if using the LFUDA replacement policy you should increase
#   the value of maximum_object_size above its default of 4096 KB
#   to maximize the potential byte hit rate improvement of LFUDA.
#
#   For more information about the GDSF and LFUDA cache replacement
#   policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
#   and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
#
#Default:
# cache_replacement_policy lru

#  TAG: memory_replacement_policy
#   The memory replacement policy parameter determines which
#   objects are purged from memory when memory space is needed.
#
#   See cache_replacement_policy for details.
#
#Default:
# memory_replacement_policy lru


# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

#  TAG: cache_dir
#   Usage:
#
#   cache_dir Type Directory-Name Fs-specific-data [options]
#
#   You can specify multiple cache_dir lines to spread the
#   cache among different disk partitions.
#
#   Type specifies the kind of storage system to use. Only "ufs"
#   is built by default. To enable any of the other storage systems
#   see the --enable-storeio configure option.
#
#   'Directory' is a top-level directory where cache swap
#   files will be stored.  If you want to use an entire disk
#   for caching, this can be the mount-point directory.
#   The directory must exist and be writable by the Squid
#   process.  Squid will NOT create this directory for you.
#
#   The ufs store type:
#
#   "ufs" is the old well-known Squid storage format that has always
#   been there.
#
#   cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
#   'Mbytes' is the amount of disk space (MB) to use under this
#   directory.  The default is 100 MB.  Change this to suit your
#   configuration.  Do NOT put the size of your disk drive here.
#   Instead, if you want Squid to use the entire disk drive,
#   subtract 20% and use that value.
#
#   'Level-1' is the number of first-level subdirectories which
#   will be created under the 'Directory'.  The default is 16.
#
#   'Level-2' is the number of second-level subdirectories which
#   will be created under each first-level directory.  The default
#   is 256.
#
#   The aufs store type:
#
#   "aufs" uses the same storage format as "ufs", utilizing
#   POSIX-threads to avoid blocking the main Squid process on
#   disk-I/O. This was formerly known in Squid as async-io.
#
#   cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
#   see argument descriptions under ufs above
#
#   The diskd store type:
#
#   "diskd" uses the same storage format as "ufs", utilizing a
#   separate process to avoid blocking the main Squid process on
#   disk-I/O.
#
#   cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
#   see argument descriptions under ufs above
#
#   Q1 specifies the number of unacknowledged I/O requests when Squid
#   stops opening new files. If this many messages are in the queues,
#   Squid won't open new files. Default is 64
#
#   Q2 specifies the number of unacknowledged messages when Squid
#   starts blocking.  If this many messages are in the queues,
#   Squid blocks until it receives some replies. Default is 72
#
#   When Q1 < Q2 (the default), the cache directory is optimized
#   for lower response time at the expense of a decrease in hit
#   ratio.  If Q1 > Q2, the cache directory is optimized for
#   higher hit ratio at the expense of an increase in response
#   time.
#
#   The coss store type:
#
#   block-size=n defines the "block size" for COSS cache_dir's.
#   Squid uses file numbers as block numbers.  Since file numbers
#   are limited to 24 bits, the block size determines the maximum
#   size of the COSS partition.  The default is 512 bytes, which
#   leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
#   you should not change the coss block size after Squid
#   has written some objects to the cache_dir.
#
#   Common options:
#
#   read-only, this cache_dir is read only.
#
#   max-size=n, refers to the max object size this storedir supports.
#   It is used to initially choose the storedir to dump the object.
#   Note: To make optimal use of the max-size limits you should order
#   the cache_dir lines with the smallest max-size value first and the
#   ones with no max-size specification last.
#
#   Note that for coss, max-size must be less than COSS_MEMBUF_SZ
#   (hard coded at 1 MB).
#
#Default:
cache_dir ufs /usr/local/squid/var/cache 100 16 256

#  TAG: cache_access_log
#   Logs the client request activity.  Contains an entry for
#   every HTTP and ICP query received. To disable, enter "none".
#
#Default:
cache_access_log /usr/local/squid/var/logs/access.log

#  TAG: cache_log
#   Cache logging file. This is where general information about
#   your cache's behavior goes. You can increase the amount of data
#   logged to this file with the "debug_options" tag below.
#
#Default:
cache_log /usr/local/squid/var/logs/cache.log

#  TAG: cache_store_log
#   Logs the activities of the storage manager.  Shows which
#   objects are ejected from the cache, and which objects are
#   saved and for how long.  To disable, enter "none". There are
#   not really utilities to analyze this data, so you can safely
#   disable it.
#
#Default:
cache_store_log /usr/local/squid/var/logs/store.log

#  TAG: cache_swap_log
#   Location for the cache "swap.state" file. This log file holds
#   the metadata of objects saved on disk.  It is used to rebuild
#   the cache during startup.  Normally this file resides in each
#   'cache_dir' directory, but you may specify an alternate
#   pathname here.  Note you must give a full filename, not just
#   a directory. Since this is the index for the whole object
#   list you CANNOT periodically rotate it!
#
#   If %s is used in the file name it will be replaced with
#   a representation of the cache_dir name where each / is replaced
#   with '.'. This is needed to allow adding/removing cache_dir
#   lines when cache_swap_log is being used.
#
#   If you have more than one 'cache_dir', and %s is not used in the name
#   these swap logs will have names such as:
#
#      cache_swap_log.00
#      cache_swap_log.01
#      cache_swap_log.02
#
#   The numbered extension (which is added automatically)
#   corresponds to the order of the 'cache_dir' lines in this
#   configuration file.  If you change the order of the 'cache_dir'
#   lines in this file, these log files will NOT correspond to
#   the correct 'cache_dir' entry (unless you manually rename
#   them).  We recommend you do NOT use this option.  It is
#   better to keep these log files in each 'cache_dir' directory.
#
#Default:
# none

#  TAG: emulate_httpd_log   on|off
#   The Cache can emulate the log file format which many 'httpd'
#   programs use.  To disable/enable this emulation, set
#   emulate_httpd_log to 'off' or 'on'.  The default
#   is to use the native log format since it includes useful
#   information Squid-specific log analyzers use.
#
#Default:
emulate_httpd_log on

#  TAG: log_ip_on_direct   on|off
#   Log the destination IP address in the hierarchy log tag when going
#   direct. Earlier Squid versions logged the hostname here. If you
#   prefer the old way set this to off.
#
#Default:
# log_ip_on_direct on

#  TAG: mime_table
#   Pathname to Squid's MIME table. You shouldn't need to change
#   this, but the default file contains examples and formatting
#   information if you do.
#
#Default:
# mime_table /usr/local/squid/etc/mime.conf

#  TAG: log_mime_hdrs   on|off
#   The Cache can record both the request and the response MIME
#   headers for each HTTP transaction.  The headers are encoded
#   safely and will appear as two bracketed fields at the end of
#   the access log (for either the native or httpd-emulated log
#   formats).  To enable this logging set log_mime_hdrs to 'on'.
#
#Default:
# log_mime_hdrs off

#  TAG: useragent_log
# Note: This option is only available if Squid is rebuilt with the
#       --enable-useragent-log option
#
#   Squid will write the User-Agent field from HTTP requests
#   to the filename specified here.  By default useragent_log
#   is disabled.
#
#Default:
# none

#  TAG: referer_log
# Note: This option is only available if Squid is rebuilt with the
#       --enable-referer-log option
#
#   Squid will write the Referer field from HTTP requests to the
#   filename specified here.  By default referer_log is disabled.
#
#Default:
# none

#  TAG: pid_filename
#   A filename to write the process-id to.  To disable, enter "none".
#
#Default:
# pid_filename /usr/local/squid/var/logs/squid.pid

#  TAG: debug_options
#   Logging options are set as section,level where each source file
#   is assigned a unique section.  Lower levels result in less
#   output.  Full debugging (level 9) can result in a very large
#   log file, so be careful.  The magic word "ALL" sets debugging
#   levels for all sections.  We recommend normally running with
#   "ALL,1".
#
#Default:
# debug_options ALL,1

#  TAG: log_fqdn   on|off
#   Turn this on if you wish to log fully qualified domain names
#   in the access.log. To do this Squid does a DNS lookup of all
#   IP's connecting to it. This can (in some situations) increase
#   latency, which makes your cache seem slower for interactive
#   browsing.
#
#Default:
# log_fqdn off

#  TAG: client_netmask
#   A netmask for client addresses in logfiles and cachemgr output.
#   Change this to protect the privacy of your cache clients.
#   A netmask of 255.255.255.0 will log all IP's in that range with
#   the last digit set to '0'.
#
#Default:
# client_netmask 255.255.255.255


# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

#  TAG: ftp_user
#   If you want the anonymous login password to be more informative
#   (and enable the use of picky ftp servers), set this to something
#   reasonable for your domain, like wwwuser@somewhere.net
#
#   The reason why this is domainless by default is the
#   request can be made on the behalf of a user in any domain,
#   depending on how the cache is used.
#   Some ftp servers also validate that the email address is valid
#   (for example perl.com).
#
#Default:
# ftp_user Squid@

#  TAG: ftp_list_width
#   Sets the width of ftp listings. This should be set to fit in
#   the width of a standard browser. Setting this too small
#   can cut off long filenames when browsing ftp sites.
#
#Default:
# ftp_list_width 32

#  TAG: ftp_passive
#   If your firewall does not allow Squid to use passive
#   connections, turn off this option.
#
#Default:
# ftp_passive on

#  TAG: ftp_sanitycheck
#   For security and data integrity reasons Squid by default performs
#   sanity checks of the addresses of FTP data connections to ensure the
#   data connection is to the requested server. If you need to allow
#   FTP connections to servers using another IP address for the data
#   connection turn this off.
#
#Default:
# ftp_sanitycheck on

#  TAG: ftp_telnet_protocol
#   The FTP protocol is officially defined to use the telnet protocol
#   as transport channel for the control connection. However, many
#   implementations are broken and do not respect this aspect of
#   the FTP protocol.
#
#   If you have trouble accessing files with ASCII code 255 in the
#   path or similar problems involving this ASCII code you can
#   try setting this directive to off. If that helps, report to the
#   operator of the FTP server in question that their FTP server
#   is broken and does not follow the FTP standard.
#
#Default:
# ftp_telnet_protocol on

#  TAG: cache_dns_program
# Note: This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#
#   Specify the location of the executable for dnslookup process.
#
#Default:
# cache_dns_program /usr/local/squid/libexec/dnsserver

#  TAG: dns_children
# Note: This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#
#   The number of processes to spawn to service DNS name lookups.
#   For heavily loaded caches on large servers, you should
#   probably increase this value to at least 10.  The maximum
#   is 32.  The default is 5.
#
#   You must have at least one dnsserver process.
#
#Default:
# dns_children 5

#  TAG: dns_retransmit_interval
#   Initial retransmit interval for DNS queries. The interval is
#   doubled each time all configured DNS servers have been tried.
#
#
#Default:
# dns_retransmit_interval 5 seconds

#  TAG: dns_timeout
#   DNS Query timeout. If no response is received to a DNS query
#   within this time all DNS servers for the queried domain
#   are assumed to be unavailable.
#
#Default:
# dns_timeout 2 minutes

#  TAG: dns_defnames   on|off
# Note: This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#
#   Normally the 'dnsserver' disables the RES_DEFNAMES resolver
#   option (see res_init(3)).  This prevents caches in a hierarchy
#   from interpreting single-component hostnames locally.  To allow
#   dnsserver to handle single-component names, enable this
#   option.
#
#Default:
# dns_defnames off

#  TAG: dns_nameservers
#   Use this if you want to specify a list of DNS name servers
#   (IP addresses) to use instead of those given in your
#   /etc/resolv.conf file.
#   On Windows platforms, if no value is specified here or in
#   the /etc/resolv.conf file, the list of DNS name servers is
#   taken from the Windows registry; both static and dynamic DHCP
#   configurations are supported.
#
#   Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none

#  TAG: hosts_file
#   Location of the host-local IP name-address associations
#   database.  Most Operating Systems have such a file: under
#   Un*X it's by default in /etc/hosts.  MS-Windows NT/2000 places
#   it in %SystemRoot%(by default
#   c:\winnt)\system32\drivers\etc\hosts, while Windows 9x/ME
#   places it in %windir%(usually c:\windows)\hosts
#
#   The file contains newline-separated definitions, in the
#   form ip_address_in_dotted_form name [name ...]; names are
#   whitespace-separated.  Lines beginning with a hash (#)
#   character are comments.
#
#   The file is checked at startup and upon configuration.  If
#   set to 'none', it won't be checked.  If append_domain is
#   used, that domain will be added to domain-local (i.e. not
#   containing any dot character) host definitions.
#
#Default:
# hosts_file /etc/hosts

#  TAG: diskd_program
#   Specify the location of the diskd executable.
#   Note that this is only useful if you have compiled in
#   diskd as one of the store io modules.
#
#Default:
# diskd_program /usr/local/squid/libexec/diskd

#  TAG: unlinkd_program
#   Specify the location of the executable for file deletion process.
#
#Default:
# unlinkd_program /usr/local/squid/libexec/unlinkd

#  TAG: pinger_program
# Note: This option is only available if Squid is rebuilt with the
#       --enable-icmp option
#
#   Specify the location of the executable for the pinger process.
#
#Default:
# pinger_program /usr/local/squid/libexec/pinger

#  TAG: redirect_program
#   Specify the location of the executable for the URL redirector.
#   Since they can perform almost any function there isn't one included.
#   See the FAQ (section 15) for information on how to write one.
#   By default, a redirector is not used.
#
#Default:
# none

#  TAG: redirect_children
#   The number of redirector processes to spawn. If you start
#   too few Squid will have to wait for them to process a backlog of
#   URLs, slowing it down. If you start too many they will use RAM
#   and other system resources.
#
#Default:
# redirect_children 5

#  TAG: redirect_rewrites_host_header
#   By default Squid rewrites any Host: header in redirected
#   requests.  If you are running an accelerator this may
#   not be a wanted effect of a redirector.
#
#Default:
# redirect_rewrites_host_header on

#  TAG: redirector_access
#   If defined, this access list specifies which requests are
#   sent to the redirector processes.  By default all requests
#   are sent.
#
#Default:
# none

#  TAG: auth_param
#   This is used to define parameters for the various authentication
#   schemes supported by Squid.
#
#   format: auth_param scheme parameter [setting]
#
#   The order in which authentication schemes are presented to the client is
#   dependent on the order the scheme first appears in config file. IE
#   has a bug (it's not rfc 2617 compliant) in that it will use the basic
#   scheme if basic is the first entry presented, even if more secure
#   schemes are presented. For now use the order in the recommended
#   settings section below. If other browsers have difficulties (don't
#   recognise the schemes offered even if you are using basic) either
#   put basic first, or disable the other schemes (by commenting out their
#   program entry).
#
#   Once an authentication scheme is fully configured, it can only be
#   shutdown by shutting squid down and restarting. Changes can be made on
#   the fly and activated with a reconfigure. I.E. You can change to a
#   different helper, but not unconfigure the helper completely.
#
#   Please note that while this directive defines how Squid processes
#   authentication it does not automatically activate authentication.
#   To use authentication you must in addition make use of acls based
#   on login name in http_access (proxy_auth, proxy_auth_regex or
#   external with %LOGIN used in the format tag). The browser will be
#   challenged for authentication on the first such acl encountered
#   in http_access processing and will also be rechallenged for new
#   login credentials if the request is being denied by a proxy_auth
#   type acl.
#
#   WARNING: authentication can't be used in a transparently intercepting
#   proxy as the client then thinks it is talking to an origin server and
#   not the proxy. This is a limitation of bending the TCP/IP protocol to
#   transparently intercepting port 80, not a limitation in Squid.
#
#   === Parameters for the basic scheme follow. ===
#
#   "program" cmdline
#   Specify the command for the external authenticator.  Such a program
#   reads a line containing "username password" and replies "OK" or
#   "ERR" in an endless loop. "ERR" responses may optionally be followed
#   by an error description available as %m in the returned error page.
#
#   By default, the basic authentication scheme is not used unless a
#   program is specified.
#
#   If you want to use the traditional proxy authentication, jump over to
#   the helpers/basic_auth/NCSA directory and type:
#      % make
#      % make install
#
#   Then, set this line to something like
#
#   auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
#
#   "children" numberofchildren
#   The number of authenticator processes to spawn.
#   If you start too few Squid will have to wait for them to process a
#   backlog of usercode/password verifications, slowing it down. When
#   password verifications are done via a (slow) network you are likely to
#   need lots of authenticator processes.
#   auth_param basic children 5
#
#   "realm" realmstring
#   Specifies the realm name which is to be reported to the client for
#   the basic proxy authentication scheme (part of the text the user
#   will see when prompted for their username and password).
#   auth_param basic realm Squid proxy-caching web server
#
#   "credentialsttl" timetolive
#   Specifies how long squid assumes an externally validated
#   username:password pair is valid for - in other words how often the
#   helper program is called for that user. Set this low to force
#   revalidation with short lived passwords.  Note that setting this high
#   does not impact your susceptibility to replay attacks unless you are
#   using a one-time password system (such as SecurID). If you are using
#   such a system, you will be vulnerable to replay attacks unless you
#   also use the max_user_ip ACL in an http_access rule.
#   auth_param basic credentialsttl 2 hours
#
#   "casesensitive" on|off
#   Specifies if usernames are case sensitive. Most user databases are
#   case insensitive allowing the same username to be spelled using both
#   lower and upper case letters, but some are case sensitive. This
#   makes a big difference for max_user_ip ACL processing and similar.
#   auth_param basic casesensitive off
#
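The basic-scheme helper protocol described above (one "username password" line in, "OK" or "ERR" out, in an endless loop), as an added Python example that is not part of the stock squid.conf or of Squid itself. It assumes Squid URL-escapes both fields before sending them; the account, the PBKDF2 round count and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

ROUNDS = 100_000  # PBKDF2 iteration count (assumed value for this example)


def hash_password(password, salt):
    """Derive a salted PBKDF2-HMAC-SHA256 hash so no plaintext is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


def make_store(users):
    """Build {username: (salt, hash)} from a {username: password} mapping."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt))
    return store


# Used for unknown users so a lookup miss costs the same as a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def check_line(line, store):
    """Answer one request line with the reply Squid expects: OK or ERR."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "ERR malformed request"
    # Assumption: both fields arrive URL-escaped, so a space is "%20".
    username, password = unquote(parts[0]), unquote(parts[1])
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # Constant-time comparison; the membership test stops the dummy
    # entry from ever authenticating an unknown user.
    ok = hmac.compare_digest(candidate, expected) and username in store
    # Same text for "no such user" and "wrong password": the description
    # after ERR is shown to the client as %m on the error page.
    return "OK" if ok else "ERR login failed"


def serve(infile, outfile, store):
    """Read requests until EOF, writing exactly one reply line per request."""
    for line in infile:
        outfile.write(check_line(line, store) + "\n")
        outfile.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    # Constructed demo account; a real helper would load hashes from a file.
    serve(sys.stdin, sys.stdout, make_store({"alice": "correct horse"}))
```
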
#   === Parameters for the digest scheme follow ===
#
#   "program" cmdline
#   Specify the command for the external authenticator.  Such a program
#   reads a line containing "username":"realm" and replies with the
#   appropriate H(A1) value base64 encoded or ERR if the user (or his H(A1)
#   hash) does not exist.  See rfc 2616 for the definition of H(A1).
#   "ERR" responses may optionally be followed by an error description
#   available as %m in the returned error page.
#
#   By default, the digest authentication scheme is not used unless a
#   program is specified.
#
#   If you want to use a digest authenticator, jump over to the
#   helpers/digest_auth/ directory and choose the authenticator to use.
#   In its directory type
#           % make
#           % make install
#
#   Then, set this line to something like
#
#   auth_param digest program /usr/local/squid/libexec/digest_auth_pw /usr/local/squid/etc/digpass
#
#
#   "children" numberofchildren
#   The number of authenticator processes to spawn (no default). If you
#   start too few Squid will have to wait for them to process a backlog of
#   H(A1) calculations, slowing it down.  When the H(A1) calculations are
#   done via a (slow) network you are likely to need lots of authenticator
#   processes.
#   auth_param digest children 5
#
#   "realm" realmstring
#   Specifies the realm name which is to be reported to the client for the
#   digest proxy authentication scheme (part of the text the user will see
#   when prompted for their username and password).
#   auth_param digest realm Squid proxy-caching web server
#
#   "nonce_garbage_interval" timeinterval
#   Specifies the interval that nonces that have been issued to clients are
#   checked for validity.
#   auth_param digest nonce_garbage_interval 5 minutes
#
#   "nonce_max_duration" timeinterval
#   Specifies the maximum length of time a given nonce will be valid for.
#   auth_param digest nonce_max_duration 30 minutes
#
#   "nonce_max_count" number
#   Specifies the maximum number of times a given nonce can be used.
#   auth_param digest nonce_max_count 50
#
#   "nonce_strictness" on|off
#   Determines if squid requires strict increment-by-1 behaviour for nonce
#   counts, or just incrementing (off - for use when useragents generate
#   nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
#   auth_param digest nonce_strictness off
#
#   "check_nonce_count" on|off
#   This directive if set to off can disable the nonce count check
#   completely to work around buggy digest qop implementations in certain
#   mainstream browser versions. Default on to check the nonce count to
#   protect from authentication replay attacks.
#   auth_param digest check_nonce_count on
#
#   "post_workaround" on|off
#   This is a workaround for certain buggy browsers which send an incorrect
#   request digest in POST requests when reusing the same nonce as acquired
#   earlier in response to a GET request.
#   auth_param digest post_workaround off
#
#   === NTLM scheme options follow ===
#
#   "program" cmdline
#   Specify the command for the external ntlm authenticator. Such a
#   program participates in the NTLMSSP exchanges between Squid and the
#   client and reads commands according to the Squid ntlmssp helper
#   protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
#   authenticator is ntlm_auth from Samba-3.X, but a number of other
#   ntlm authenticators is available.
#
#   By default, the ntlm authentication scheme is not used unless a
#   program is specified.
#
#   auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#
#   "children" numberofchildren
#   The number of authenticator processes to spawn (no default). If you
#   start too few Squid will have to wait for them to process a backlog
#   of credential verifications, slowing it down. When credential
#   verifications are done via a (slow) network you are likely to need
#   lots of authenticator processes.
#   auth_param ntlm children 5
#
#   "max_challenge_reuses" number
#   The maximum number of times a challenge given by a ntlm authentication
#   helper can be reused. Increasing this number increases your exposure
#   to replay attacks on your network. 0 (the default) means the
#   challenge is used only once. See also the max_ntlm_challenge_lifetime
#   directive if enabling challenge reuses.
#   auth_param ntlm max_challenge_reuses 0
#
#   "max_challenge_lifetime" timespan
#   The maximum time period a ntlm challenge is reused over. The
#   actual period will be the minimum of this time AND the number of
#   reused challenges.
#   auth_param ntlm max_challenge_lifetime 2 minutes
#
#   "use_ntlm_negotiate" on|off
#   Enables support for NTLM NEGOTIATE packet exchanges with the helper.
#   The configured ntlm authenticator must be able to handle NTLM
#   NEGOTIATE packet. See the authenticator programs documentation if
#   unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
#   option.
#   The NEGOTIATE packet is required to support NTLMv2 and a
#   number of other negotiable NTLMSSP options, and also makes it
#   more likely the negotiation is successful. Enabling this parameter
#   will also solve problems encountered when NT domain policies
#   restrict users to access only certain workstations. When this is off,
#   all users must be allowed to log on the proxy servers too, or they'll
#   get "invalid workstation" errors - and access denied - when trying to
#   use Squid's services.
#   Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
#   enabling this parameter will OVERRIDE the max_challenge_reuses and
#   max_challenge_lifetime parameters and set them to 0.
#   auth_param ntlm use_ntlm_negotiate off
#
#Recommended minimum configuration:
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
#auth_param basic program <uncomment and complete this line>
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#  TAG: authenticate_cache_garbage_interval
#   The time period between garbage collection across the username cache.
#   This is a tradeoff between memory utilisation (long intervals - say
#   2 days) and CPU (short intervals - say 1 minute). Only change if you
#   have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour

#  TAG: authenticate_ttl
#   The time a user & their credentials stay in the logged in user cache
#   since their last request. When the garbage interval passes, all user
#   credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour

#  TAG: authenticate_ip_ttl
#   If you use proxy authentication and the 'max_user_ip' ACL, this
#   directive controls how long Squid remembers the IP addresses
#   associated with each user.  Use a small value (e.g., 60 seconds) if
#   your users might change addresses quickly, as is the case with
#   dialups. You might be safe using a larger value (e.g., 2 hours) in a
#   corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds

#  TAG: external_acl_type
#   This option defines external acl classes using a helper program to
#   look up the status
#
#     external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
#   Options:
#
#     ttl=n      TTL in seconds for cached results (defaults to 3600
#           for 1 hour)
#     negative_ttl=n
#           TTL for cached negative lookups (default same
#           as ttl)
#     children=n   Concurrency level / number of processes spawn
#         to service external acl lookups of this type.
#         Note: see compatibility note below
#     cache=n   result cache size, 0 is unbounded (default)
#     protocol=3.0   Use URL-escaped strings instead of quoting
#
#   FORMAT specifications
#
#     %LOGIN   Authenticated user login name
#     %IDENT   Ident user name
#     %SRC      Client IP
#     %DST      Requested host
#     %PROTO   Requested protocol
#     %PORT      Requested port
#     %METHOD   Request method
#     %{Header}   HTTP request header
#     %{Hdr:member}   HTTP request header list member
#     %{Hdr:;member}
#           HTTP request header list member using ; as
#           list separator. ; can be any non-alphanumeric
#         character.
#
#   In addition, any string specified in the referencing acl will
#   also be included in the helper request line, after the specified
#   formats (see the "acl external" directive)
#
#   The helper receives lines per the above format specification,
#   and returns lines starting with OK or ERR indicating the validity
#   of the request and optionally followed by additional keywords with
#   more details.
#
#   General result syntax:
#
#     OK/ERR keyword=value ...
#
#   Defined keywords:
#
#     user=      The users name (login)
#     error=   Error description (only defined for ERR results)
#
#   Keyword values need to be enclosed in quotes if they may contain
#   whitespace, or the whitespace escaped using \. Any quotes or \
#   characters within the keyword value must be \ escaped.
#
#   If protocol=3.0 then URL escaping of the strings is used instead
#   of the above described quoting format.
#
#   Compatibility Note: The children= option was named concurrency= in
#   Squid-2.5.STABLE3 and earlier and such syntax is still accepted to
#   keep compatibility within the Squid-2.5 release. However, the meaning
#   of concurrency= option has changed in Squid-3 and the old syntax of
#   the directive is therefore deprecated from Squid-2.5.STABLE4 and later.
#   If you want to be able to easily downgrade to earlier Squid-2.5
#   releases you may want to continue using the old name, if not
#   please use the new name.
#
#Default:
# none


# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

#  TAG: wais_relay_host
#  TAG: wais_relay_port
#   Relay WAIS request to host (1st arg) at port (2 arg).
#
#Default:
# wais_relay_port 0

#  TAG: request_header_max_size   (KB)
#   This specifies the maximum size for HTTP headers in a request.
#   Request headers are usually relatively small (about 512 bytes).
#   Placing a limit on the request header size will catch certain
#   bugs (for example with persistent connections) and possibly
#   buffer-overflow or denial-of-service attacks.
#
#Default:
# request_header_max_size 20 KB

#  TAG: request_body_max_size   (KB)
#   This specifies the maximum size for an HTTP request body.
#   In other words, the maximum size of a PUT/POST request.
#   A user who attempts to send a request with a body larger
#   than this limit receives an "Invalid Request" error message.
#   If you set this parameter to a zero (the default), there will
#   be no limit imposed.
#
#Default:
# request_body_max_size 0 KB

#  TAG: refresh_pattern
#   usage: refresh_pattern [-i] regex min percent max [options]
#
#   By default, regular expressions are CASE-SENSITIVE.  To make
#   them case-insensitive, use the -i option.
#
#   'Min' is the time (in minutes) an object without an explicit
#   expiry time should be considered fresh. The recommended
#   value is 0, any higher values may cause dynamic applications
#   to be erroneously cached unless the application designer
#   has taken the appropriate actions.
#
#   'Percent' is a percentage of the objects age (time since last
#   modification age) an object without explicit expiry time
#   will be considered fresh.
#
#   'Max' is an upper limit on how long objects without an explicit
#   expiry time will be considered fresh.
#
#   options: override-expire
#       override-lastmod
#       reload-into-ims
#       ignore-reload
#
#      override-expire enforces min age even if the server
#      sent a Expires: header. Doing this VIOLATES the HTTP
#      standard.  Enabling this feature could make you liable
#      for problems which it causes.
#
#      override-lastmod enforces min age even on objects
#      that were modified recently.
#
#      reload-into-ims changes client no-cache or ``reload''
#      to If-Modified-Since requests. Doing this VIOLATES the
#      HTTP standard. Enabling this feature could make you
#      liable for problems which it causes.
#
#      ignore-reload ignores a client no-cache or ``reload''
#      header. Doing this VIOLATES the HTTP standard. Enabling
#      this feature could make you liable for problems which
#      it causes.
#
#   Basically a cached object is:
#
#      FRESH if expires < now, else STALE
#      STALE if age > max
#      FRESH if lm-factor < percent, else STALE
#      FRESH if age < min
#      else STALE
#
#   The refresh_pattern lines are checked in the order listed here.
#   The first entry which matches is used.  If none of
Title: Been a long time
Post by: kmashraf on September 25, 2005, 03:45:57 AM
Since I was here last. All these days squid performed well without trouble.
But recently it failed with the following message in my logs
'Squid Parent: child process xxx exited due to signal 6'
On further investigation as follows
root@xxxxxxxx:/home/ashraf# /usr/local/squid/sbin/squid -NCd1
2005/09/25 08:46:21| Starting Squid Cache version 2.5.STABLE5 for i586-pc-linux-gnu...
2005/09/25 08:46:21| Process ID 6869
2005/09/25 08:46:21| With 1024 file descriptors available
2005/09/25 08:46:21| Performing DNS Tests...
2005/09/25 08:46:21| Successful DNS name lookup tests...
2005/09/25 08:46:21| DNS Socket created at 0.0.0.0, port 1059, FD 4
2005/09/25 08:46:21| Adding nameserver xxx.xxx.xxx.xxx from /etc/resolv.conf
2005/09/25 08:46:21| Adding nameserver xxx.xxx.xxx.xxx from /etc/resolv.conf
2005/09/25 08:46:21| Adding nameserver xxx.xxx.xxx.xxx from /etc/resolv.conf
2005/09/25 08:46:21| Unlinkd pipe opened on FD 9
2005/09/25 08:46:21| Swap maxSize 409600 KB, estimated 31507 objects
2005/09/25 08:46:21| Target number of buckets: 1575
2005/09/25 08:46:21| Using 8192 Store buckets
2005/09/25 08:46:21| Max Mem  size: 4096 KB
2005/09/25 08:46:21| Max Swap size: 409600 KB
2005/09/25 08:46:21| /usr/local/squid/var/cache/0D: (2) No such file or directory
FATAL:  Failed to verify one of the swap directories, Check cache.log
        for details.  Run 'squid -z' to create swap directories
        if needed, or if running Squid for the first time.
Aborted

On trying to recreate the swap directories I get this

root@ehorizon:/home/ashraf# /usr/local/squid/sbin/squid -z
2005/09/25 08:56:07| Creating Swap Directories
FATAL: Failed to make swap directory /usr/local/squid/var/cache/0C/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE5): Terminated abnormally.
CPU Usage: 0.380 seconds = 0.060 user + 0.320 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 8

On further investigation in the cache.log I see this
access.log 116 MB
cache.log 100 MB
store.log 283 MB
and within the cache.log this message
2005/03/15 17:50:32| WARNING: Disk space over limit: -6160028 KB > 204800 KB and has been going on since that date.
In fact I never noticed this warning at all :shock:
Since squid worked without trouble till about three weeks back.
Originally as recommended by Ricky I set the cache_mem at 4 MB and cache_dir at 200  MB. I changed the cache_dir size to 400 MB and tried recreating the swap directories but to no avail.
All help appreciated
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on September 26, 2005, 06:12:47 PM
Setting up a small disk cache is good if you are not having big traffic, and setting up 4 MB RAM cache memory was advised considering your system has at least 16 MB RAM to spare. You can increase the RAM memory size for squid to any value as long as you always have at least 25% of system RAM free.

Now about the problem..
Disk size over limit only occurs (I am not sure about it) when some cache data is corrupt. Here the simple solution is to delete your cache directory, create a new one, set the right permissions for it and then run "squid -z", or
you can also try
to check the permissions of your current directory, but I think that's not good as it's a very big directory tree to check each directory. Try resetting the permissions for all directories / subdirectories and then see.

Also, before doing all this, do a disk repair using fsck.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: kmashraf on September 27, 2005, 02:43:47 AM
Thanks Ricky
Your advice is as always invaluable.
I did the following and solved the problem. When I ran /usr/local/squid/sbin/squid -NCd1 and found in it this 2005/09/25 08:46:21| /usr/local/squid/var/cache/0D: (2) No such file or directory
FATAL: Failed to verify one of the swap directories, Check cache.log
I just created the missing cache directories from 0D through 0F and gave them proper permissions i.e. owned by squid and belonging to the squid group.
Voila it started working. My experience is that in GNU/Linux disk problems are extremely rare. And man this 2 GB HDD has been in continuous use since 2000.
The internet traffic on this proxy comes mainly from three machines connected to the home network. A total of about 5 machines use this network currently.
Long may you reign GNU/Linux
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: luis51db on October 03, 2005, 08:53:51 PM
Hello, I'm new to linux and I'm from Guatemala, so I don't know a lot of people who know linux very well.

That's the principal reason I ask for your help. I'm desperate, I need to get squid running in the following days. Here is the explanation of my problem:

I need to run squid transparent. I already have squid running but I can't make squid run transparently. I have already read everything.

My question is the following: I have squid running with one authentication method, and I don't know if that causes the problem. Or this: I have apache installed but I'm not running apache with squid at the same time.

My other question is that I don't know if the nat table exists, because I try to list the rules of that table and it returns that the table doesn't exist.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: luis51db on October 03, 2005, 09:04:08 PM
Sorry, I forgot to post: I'm using RedHat 9 and Squid 2.5
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on October 04, 2005, 04:08:50 AM
If you can run squid then running it transparent is not a problem at all, just add the iptables rules described on the first page to the startup script and your problem will be solved.

Don't worry about chains.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: luis51db on October 04, 2005, 04:58:12 AM
Thanks for the tip. Unfortunately I can't try it now, but if I'm not wrong I have already done that.

My question is whether having apache installed on the server causes some problem.

I also have squid configured with an authentication program. I read somewhere here that this could cause problems too. The problem is that I need the authentication program. Is it impossible to do both things at the same time?
Title: I was wrong
Post by: kmashraf on October 05, 2005, 03:30:23 AM
"My experience is that in GNU/Linux disk problems are extremely rare. And man this 2 GB HDD has been in continuous use since 2000. "
Though I still stick by the above statement.
The disk seems to have taken a beating. The innumerable power outages the machine seems to have suffered without much damage have finally hit the disk.
I've not had the time to do a fsck as suggested by Ricky. But squid starts up fine but does not work because the area where my cache directory is seems to have suffered damage. squid is unable to recreate or read the cache.
Currently my squid is down
The clue is rather obvious now because the output complained of disk IO problems.
Thanks Ricky as usual your advice is invaluable.
Title: proxy server
Post by: vher on October 06, 2005, 03:12:51 AM
Please help. I tried to configure the proxy server using this tutorial and I have an error.

/usr/local/squid/sbin/squid -z
2005/10/06 11:07:45| Creating Swap Directories
FATAL: Failed to make swap directory /cache: (13) Permission denied
Squid Cache (Version 2.5.STABLE12-RC1): Terminated abnormally.
CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 6


What can I do? Please help, thanks.

vher
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on October 07, 2005, 04:44:47 PM
@vher
Your problem has been answered already many times, kindly see the page-4 of this thread and you will find the answer.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on October 07, 2005, 04:48:30 PM
@luis51db
Well, authentication works best in simple proxy mode. In transparent mode it may at first look like it is working, but it causes problems. Also, apache and squid in transparent mode cause problems because of the redirection stuff.
Title: changing and initalizing cache directories
Post by: keever on October 18, 2005, 10:22:56 PM
General Information:

I am using a PC with Fedora FC3 installed.  Squid 2.5 Stable came built with this distro.

My problem:

The default cache dir is /var/spool/squid.  Unfortunately /var is mounted on a much smaller partition than I want to use for squid.  So I wanted to move the cache dir to /usr/local/squid, which is on a partition with ample space.  After consulting many web forums concerning SQUID configuration, I manually created the directory /usr/local/squid, and then used chown to give the 'squid' user and group ownership of the newly created directory.  I then gave 755 perms to the /usr/local/squid directory.
Here are the perms for the directories:

[root@redprox local]# ls -las /usr/local/squid
total 16
8 drwxr-xr-x   2 squid squid 4096 Oct 18 15:05 .
8 drwxr-xr-x  12 root  root  4096 Oct 18 13:29 ..

So as you can see, 'squid' owns and has perms to the parent dir /usr/local/squid.

This is what I get for an error message when I try to initialize the /usr/local/squid cache directory:

squid -f /etc/squid/squid.conf -z

2005/10/18 15:09:10| aclParseIpData: WARNING: Netmask masks away part of the specified IP in '172.16.3.1-172.16.3.254/255.255.255.0'
2005/10/18 15:09:10| Creating Swap Directories
FATAL: Failed to make swap directory /usr/local/squid/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE11): Terminated abnormally.
CPU Usage: 0.001 seconds = 0.001 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0

How on earth does squid get a permission denied error when it has permission and ownership of /usr/local/squid?  I even gave /usr/local/squid 777 perms, and it made no difference.   Just to confirm, SQUID is being run as user squid within group squid.  What can be done to resolve this?


Also, if someone feels like it, can you tell me what the aclParseIpData Warning is all about?
Title: Re: changing and initalizing cache directories
Post by: Ricky on October 21, 2005, 06:24:40 PM
Quote from: "keever"
General Information:

I am using a PC with Fedora FC3 installed.  Squid 2.5 Stable came built with this distro.

My problem:

The default cache dir is /var/spool/squid.  Unfortunately /var is mounted on a much smaller partition than I want to use for squid.  So I wanted to move the cache dir to /usr/local/squid, which is on a partition with ample space.  After consulting many web forums concerning SQUID configuration, I manually created the directory /usr/local/squid, and then used chown to give the 'squid' user and group ownership of the newly created directory.  I then gave 755 perms to the /usr/local/squid directory.


Why do you have to move the whole squid? Well.. keep everything at its old place and keep it simple and straight.. The only thing you have to edit is squid.conf and there you can edit the following
Code: [Select]
cache_dir ufs /anydirectoryyouwant 2048 22 256
Here just specify any directory you want and make squid its owner. Hope you understand it.
Title: Thanks
Post by: keever on October 24, 2005, 05:14:44 PM
... but I knew how to specify a different cache directory.  The problem was that I couldn't initialize the directory because it didn't have the right perms.  I thought chmod 755 on /usr/local/squid would do it, but it still failed.  The correct solution was to change the perms not only on the newly specified cache directory but also on the /var/log/squid dir.

this is what worked.


#chmod -R 777 /usr/local/squid/*
#chmod -R 777 /usr/local/squid
#chmod -R 777 /var/log/squid/*
#chmod -R 777 /var/log/squid
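An added example, not code from any poster in this thread: a shell check for the directories that `squid -z` and Squid's logging write to. It reads the `cache_dir` lines from squid.conf, takes extra directories (such as the log directory) as arguments, and reports wrong ownership, a parent directory the Squid user cannot search, and world-writable modes such as 777, which let any local account modify cached objects and logs. It assumes GNU `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the directories Squid must write to.
# Assumes GNU stat (stat -c) and the tutorial's cache_dir syntax:
#   cache_dir ufs /cache 2048 22 256
# Function names are hypothetical; paths must be absolute and free of spaces.

# Print the directory of every active (uncommented) cache_dir line.
squid_cache_dirs() {
    sed -e 's/#.*//' "$1" | awk '$1 == "cache_dir" { print $3 }'
}

# Permission bits of a path as a number (stat prints octal, e.g. 755).
perm_bits() {
    echo $((0$(stat -c %a "$1")))
}

# Check one directory for the given user. Returns the number of problems.
audit_dir() {
    local dir="$1" user="$2" problems=0 owner bits
    if [ ! -d "$dir" ]; then
        echo "MISSING    $dir"
        return 1
    fi
    owner=$(stat -c %U "$dir")
    bits=$(perm_bits "$dir")
    if [ "$owner" != "$user" ]; then
        echo "OWNER      $dir is owned by $owner, expected $user"
        problems=$((problems + 1))
    elif [ $(( (bits >> 6) & 3 )) -ne 3 ]; then
        # The owner needs w and x to create 00, 01, ... inside the directory.
        echo "NOWRITE    $dir denies its owner write or search permission"
        problems=$((problems + 1))
    fi
    if [ $(( bits & 2 )) -ne 0 ]; then
        echo "WORLDWRITE $dir (mode $(stat -c %a "$dir")) is writable by every local user"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Every ancestor must grant search (x) to the user, otherwise creating
# subdirectories fails with EACCES (13) even if the directory itself is owned
# by that user. Group membership is ignored (simplification).
audit_ancestors() {
    local p user="$2" problems=0 bits
    p=$(dirname "$1")
    while :; do
        bits=$(perm_bits "$p")
        # Use the owner's x bit if the user owns this ancestor, else "other".
        [ "$(stat -c %U "$p")" = "$user" ] && bits=$((bits >> 6))
        if [ $(( bits & 1 )) -eq 0 ]; then
            echo "NOSEARCH   $p is not searchable by $user (blocks $1)"
            problems=$((problems + 1))
        fi
        case "$p" in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return "$problems"
}

# Audit every cache_dir in a squid.conf plus any extra directories.
# Prints findings; returns 0 only when nothing was reported.
audit_squid_dirs() {
    local conf="$1" user="$2" total=0 dir
    shift 2
    for dir in $(squid_cache_dirs "$conf") "$@"; do
        audit_dir "$dir" "$user" || total=$((total + $?))
        [ -d "$dir" ] || continue
        audit_ancestors "$dir" "$user" || total=$((total + $?))
    done
    [ "$total" -eq 0 ]
}

# Example run: sh audit.sh /etc/squid/squid.conf squid /var/log/squid
if [ "$#" -ge 2 ]; then
    audit_squid_dirs "$@"
fi
```

A clean run prints nothing and exits 0; a directory owned by the Squid user with mode 750 passes every check.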
Title: Problem to Transparent
Post by: mr.fixit on October 31, 2005, 06:30:05 AM
hi

I'm new in this forum, so hi to everybody.

I have a problem making my proxy transparent. I read this post and did everything as said in this post, but browsing has not started, though it is working using the proxy name & port.

My proxy is not auto starting on reboot.

thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on November 01, 2005, 12:08:51 PM
fixit>
If you are not able to make it transparent then maybe your NAT is not working fine. As you said squid is not started on startup, I suspect your NAT script is also not executed at startup.
See if it has "execute" permission or not.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: mr.fixit on November 06, 2005, 10:05:36 AM
hi Ricky

thanks for replying.

this is my rc.nat

{iptables=/sbin/iptables


iptables --flush -t nat


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 80}

and permissions are 755.
but transparent is still not working.
I read another how-to about transparent and added a script in /etc/rc.d/init.d/squid

#!/bin/bash
PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

. /etc/rc.d/init.d/functions

. /etc/sysconfig/network

[ ${NETWORKING} = "no" ] && exit 0

[ -f /etc/squid/squid.conf ] || exit 0

[ -f /usr/sbin/squid ] && SQUID=squid
[ -z "$SQUID" ] && exit 0

CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \
grep cache_dir | sed -e 's/cache_dir//' | \
cut -d ' ' -f 2`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/spool/squid

SQUID_OPTS="-D"

RETVAL=0
case "$1" in

start)
   echo -n "Starting $SQUID: "
   for adir in $CACHE_SWAP; do
   if [ ! -d $adir/00 ] ; then
   echo -n "init_cache_dir $adir... "
   $SQUID -z -F 2>/dev/null
   fi
   done
   $SQUID $SQUID_OPTS &
   RETVAL=$?
   echo $SQUID
   [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
   ;;


stop)
   echo -n "Stopping $SQUID: "
   $SQUID -k shutdown &
   RETVAL=$?
   if [ $RETVAL -eq 0 ] ; then
   rm -f /var/lock/subsys/$SQUID
   while : ; do
   [ -f /var/run/squid.pid ] || break
   sleep 2 && echo -n "."
   done
   echo "done"
   else
   echo
   fi
   ;;

reload)
   $SQUID $SQUID_OPTS -k reconfigure
   exit $?
   ;;


restart)
   $0 stop
   $0 start
   ;;

status)
   status $SQUID
   $SQUID -k check
   exit $?
   ;;

probe)
   exit 0;
   ;;

*)
   echo "Usage: $0 {start|stop|status|reload|restart}"
   exit 1
   esac
   exit $RETVAL
and my squid.conf is
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on November 07, 2005, 04:57:56 PM
That script has nothing to do with transparent proxy, that one only helps you to operate squid easily.

Anyways. as I suspected, you are not having NAT at all..

you have to do simple internet connection sharing also.

See this iptables internet connection sharing (http://www.linuxsolved.com/forums/ftopic115.html)
Add masquerade first and then add redirection rule.
Title: transparent is working but with some other problem!
Post by: mr.fixit on November 14, 2005, 12:45:11 PM
hi Ricky

thanks again

My transparent is working now but mirc is not working.
My boss is using emule or edonkey and that is also not working.
Please guide me.

thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on November 21, 2005, 04:59:38 PM
Configure both of things to connect directly, not via squid.
Title: voice chat problem
Post by: mr.fixit on February 10, 2006, 06:01:04 AM
Hi Ricky

My transparent proxy is running very well. I'm facing a problem: voice chat on yahoo or msn is not connecting on clients behind that proxy.

What would you suggest?

thanks
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on February 10, 2006, 11:51:11 AM
well, those do not work most of the time behind proxy, try tracing the ports used by voice chat and then see if they are allowed in proxy or not.
Title: Re: How to get the mails from POP3 Server
Post by: avadhut on March 04, 2006, 03:10:58 PM
I am running SQUID Proxy on Redhat 9 Linux. But I am unable to get my POP3 mails through Outlook Express on my Client machine, which is having Win2000. Which Port are used for connecting to POP3 & SMTP mail server? What is the configuration for it(on Linux & Windows). Please help.
Thanks
Regards
avadhut
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: ilias on March 05, 2006, 11:22:09 AM
Hi

If you are planning to use outlook/outlook express with a simple squid proxy, it is better to configure the proxy as transparent. You can find the how-to tutorial on configuring a transparent proxy. By the way, for your satisfaction you can try to open ports 25 and 110 for SMTP and POP3 in squid.conf.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Austin on May 19, 2006, 11:42:32 PM
Hello, this is my first post on the forum and I have been visiting it often for help. Thanks for making this wonderful forum.

I need some help in configuring transparent squid on a single machine, i.e. with a single NIC connected to the network with a fixed IP.

I have configured squid as a transparent proxy server. The following are the changes I have made to the squid configuration file from the default.

My machine IP is 164.99.12.14 on which squid is running

acl novell_network src 164.99.12.0/24
http_access allow novell_network

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128

I checked the configuration adding the IP and Port in the browser and it works fine

Now to make transparent proxy work I use the iptables command  

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128

well it seems browsing completely stops after that

What is that I am doing wrong ??

Thanks

Regards
Austin
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on June 02, 2006, 05:50:51 AM
sorry for late reply, I am away from computers .
This is because you can't do NAT on single NIC .. you need to have two or more nic to do packet forwarding.

Hope you understand
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Austin on June 02, 2006, 11:58:10 AM
Hi Ricky , Thanks for the reply , Yes indeed I figured that out a little late  :)
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Austin on June 05, 2006, 12:05:07 AM
Hello, finally I got a Transparent Proxy running on a single machine, thanks to the help of IRC.

The method is simple: configure Squid for Transparent proxy by adding all the necessary parameters.

And the iptables command for it is

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REDIRECT --to-port 3128

It works like a charm :)

Thanks
Austin
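Austin's two OUTPUT rules differ only in the owner match. Locally generated packets, including Squid's own requests to origin servers, pass through the nat OUTPUT chain, so an unconditional REDIRECT sends Squid's traffic back to Squid, while `! --uid-owner squid` exempts it. The following is an added example, not code from the thread, that flags OUTPUT REDIRECT rules lacking that exemption; the function names and the uid 23 are assumptions.

```shell
#!/bin/sh
# Added example: flag nat OUTPUT REDIRECT rules that would also capture the
# proxy's own outbound requests. Function names are hypothetical.

# Classify one rule given as iptables arguments or an iptables-save line.
#   $1 rule text, $2 proxy user name, $3 (optional) that user's numeric uid
# Prints "loop", "ok" or "n/a". The body is a subshell so set -f and the
# working variables do not leak into the caller.
classify_rule() (
    set -f                      # keep "*" in a rule from globbing
    chain="" target="" exempt="" prev="" bang=0
    for tok in $1; do
        if [ "$tok" = "!" ]; then
            bang=1              # negates the next option or value
            continue            # prev unchanged: handles "--uid-owner ! squid"
        fi
        case "$prev" in
            -A|-I)  chain=$tok ;;
            -j)     target=$tok ;;
            --uid-owner) if [ "$bang" -eq 1 ]; then exempt=$tok; fi ;;
        esac
        # A pending "!" survives only across the --uid-owner option itself.
        [ "$tok" = "--uid-owner" ] || bang=0
        prev=$tok
    done
    if [ "$chain" != OUTPUT ] || [ "$target" != REDIRECT ]; then
        echo "n/a"              # only locally generated traffic can loop
    elif [ -n "$exempt" ] && { [ "$exempt" = "$2" ] || [ "$exempt" = "${3:-}" ]; }; then
        echo "ok"               # the proxy user's own packets are not redirected
    else
        echo "loop"             # no exemption, or the wrong account is exempted
    fi
)

# Read rules on stdin and print each one classified "loop" with its line
# number. Returns 0 when no rule loops. $1/$2: proxy user name, optional uid.
lint_rules() {
    local n=0 bad=0 line
    while IFS= read -r line; do
        n=$((n + 1))
        if [ "$(classify_rule "$line" "$1" "${2:-}")" = loop ]; then
            bad=$((bad + 1))
            echo "line $n: $line"
        fi
    done
    [ "$bad" -eq 0 ]
}

# Rules quoted from the thread (Austin's first attempt, then his fix), plus the
# fix in the form iptables-save prints it; uid 23 is a constructed value.
sample_rules() {
    cat <<'EOF'
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REDIRECT --to-port 3128
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 23 -j REDIRECT --to-ports 3128
EOF
}

# Example run: iptables-save -t nat | sh lint.sh squid 23
if [ "$#" -ge 1 ]; then
    lint_rules "$@"
fi
```

Because iptables-save prints the owner as a numeric uid, pass the uid as the second argument when linting saved rules.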
Title: squid proxy
Post by: lito on June 20, 2006, 07:19:36 AM
I can't locate the /usr/local/squid/etc/squid.conf
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on July 01, 2006, 07:01:35 AM
Sometimes it's in /etc/squid/ .
You may try there.
Title: POP3 problem
Post by: ruejos08 on August 02, 2006, 09:06:43 AM
Ei thenitin, we have the same problem. Did you already solve it? I already have a dhcp server and internet proxy server up (I used squid for the proxy). But when we try to access our POP3 mail server with Microsoft Outlook Express, because the clients are WinXP, I encounter a problem and I can't connect to the server. Our internet explorer works but Outlook Express doesn't. Is there something to do with my squid configuration? Please help me on this. Godspeed!
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 04, 2006, 01:50:31 PM
It is the most common problem and can be solved by port forwarding. It has been discussed so many times and I am sure you will benefit from the old discussions we had on this forum.
Title: POP3
Post by: ruejos08 on August 12, 2006, 12:56:01 AM
Ei Ricky can you give me some link to those forums. Thanks!
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 12, 2006, 07:11:45 AM
See Port forwarding (http://www.linuxsolved.com/forums/ftopic1316.html)
and NAT
Internet Sharing using NAT (http://www.linuxsolved.com/forums/ftopic115.html)

There are other numerous post and you find those in proxy section or General networking section.
Title: Creating cache dir
Post by: ruejos08 on August 22, 2006, 06:43:43 AM
Ei Ricky, I encounter a problem when I'm trying to create a cache dir with the code
/usr/local/squid/sbin/squid -z

Failed to make swap directory /usr/local/squid/var/cache: (13) Permission denied.

Please help me on this. Thanks!
Title: Creating Swap Directories
Post by: ruejos08 on August 22, 2006, 07:13:24 AM
Anyway, I am using Squid 2.6 STABLE.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 23, 2006, 03:41:37 PM
You have to look at the permission structure; I have discussed the same in this thread around page 4 or 6. Kindly check that.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on August 23, 2006, 03:43:36 PM
Well, I have discussed it here --> http://www.linuxsolved.com/forums/ftopic116-0-asc-45.html
Title: Problem with my microsoft outlook express
Post by: ruejos08 on August 24, 2006, 06:44:04 AM
Thanks a lot, Ricky. I have tried all of your recommendations but it still has not solved my problem.

I have a Linux DHCP server and proxy server with Microsoft Windows clients. We are using Microsoft Outlook Express to access our mail server. But with the Linux proxy server I have a problem connecting. Internet Explorer was OK.

I found out the property and here are the details
Server Port Numbers
Our outgoing mail (SMTP) used port 25 and our incoming mail (POP3) used port 110.
Our mail server is mail.inzpect.com.
While connecting here is the error.

The host'mail.inzpect.com' could not be found. Please verify that you have entered the server name correctly. Account: 'inzpect.com', Server: 'mail.inzpect.com', Protocol:POP3,Port: 110, Secure(SSL):no, Socket Error:11004,Error Number: 0x800CCC0d.

Please help me solve this. Thanks a lot.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: debasishg on September 10, 2006, 06:08:17 PM
Ricky,

I have found your tutorial and, according to the tutorial, I have configured my Squid proxy on my Mandriva Linux. I have also used your squid.conf file and put my IPs there, and it was successfully running.

I have 25 client PCs. Due to some internal problem, we have taken a DSL connection with a public IP which is mapped to our default intranet. We need to make the proxy setup in the browser to access the server with basic authentication. I'm using Win XP and running AnalogX Proxy to share the connection with the clients. Now I have decided to use Linux and Squid. I'm successful in making the connection with the clients using Squid, but unable to use the redirection to the proxy address of our server. After going through the tutorial, I think I have to use this

Code: [Select]
cache_peer <IP ADDRESS> parent 3128 no-query


If it is OK, then I have some queries regarding this.

1. Where do I put this line in the squid.conf file?
2. We have different ports to access the server, as
Code: [Select]

HTTP:  <IP ADDRESS> port: 808
SSL:    <IP ADDRESS> port: 808
FTP:     <IP ADDRESS> port: 2121
Socks: <IP ADDRESS> port: 1080


How can I define these? Currently we need only HTTP.

Basically, is it something like using a proxy server for a proxy server? [The server will use the proxy IP and clients will use the proxy to access the proxy.]

Now all the clients can get connected to the internet via Squid.
Title: Configuring Squid Proxy server & Transparent Proxy
Post by: Ricky on September 11, 2006, 07:09:34 PM
Put that line in the beginning mostly; Squid handles all such requests on one port, so you don't need to define all of those specially.
Title: Re: Configuring Squid Proxy server & Transparent Proxy
Post by: arvindsony on May 19, 2009, 11:42:07 AM
nice info
Title: Re: Configuring Squid Proxy server & Transparent Proxy
Post by: nikeshshk on June 19, 2009, 11:02:35 AM
Hello all, I am running into a problem with Squid.

Here is my squid.conf configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow localhost
http_access deny manager
http_access allow Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl local src 192.168.0.0/24

acl test1 src 192.168.0.24

acl test2 src 192.168.0.66
http_access allow test1
http_access deny test2
acl sites dstdomain .gap.com .realplayer.com .yahoo.com
http_access deny sites
http_access deny local
http_access deny all

OK, my problem is that I can't deny IP 192.168.0.66 access to HTTP,
and I also can't deny the above list of sites to my client IP.

If I look at access.log,
i.e. tail -f access.log,
Squid seems to be working, because clients are going through Squid and I can see what the clients are browsing.

What I feel is that my ACL rule is not working properly.

Can anybody help me to get out of this trouble
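Squid reads http_access lines top to bottom and stops at the first line whose ACLs all match. The sketch below is an added example, not part of the original posts: it replays the rules from the post above in Python to show which line decides a request. The `req` helper, the sample requests, and the reordered rule list (which assumes the goal is to block 192.168.0.66 and the listed sites while allowing the rest of the LAN) are constructed for illustration.

```python
import ipaddress

# ACLs as defined in the posted squid.conf (only those used by http_access).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SITES = (".gap.com", ".realplayer.com", ".yahoo.com")
LAN = ipaddress.ip_network("192.168.0.0/24")

ACLS = {
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "manager": lambda r: r["proto"] == "cache_object",
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "test1": lambda r: r["src"] == "192.168.0.24",
    "test2": lambda r: r["src"] == "192.168.0.66",
    # A leading dot in dstdomain matches the domain and all its subdomains.
    "sites": lambda r: any(r["host"] == d[1:] or r["host"].endswith(d) for d in SITES),
    "local": lambda r: ipaddress.ip_address(r["src"]) in LAN,
    "all": lambda r: True,
}

# http_access lines from the post, in posted order ("http_access" prefix omitted).
POSTED = ("allow localhost; deny manager; allow Safe_ports; deny !Safe_ports; "
          "deny CONNECT !SSL_ports; allow test1; deny test2; deny sites; "
          "deny local; deny all")
# Assumed intent (not stated by the poster): block test2 and the listed sites,
# allow the rest of the LAN. Denies come before the first broad allow.
REORDERED = ("allow localhost; deny manager; deny !Safe_ports; "
             "deny CONNECT !SSL_ports; deny test2; deny sites; allow local; deny all")

def req(src, host, port=80, method="GET", proto="http"):
    """Build a constructed sample request."""
    return {"src": src, "host": host, "port": port, "method": method, "proto": proto}

def evaluate(rules, r):
    """Return (action, rule) for the first rule whose ACLs all match."""
    for rule in rules.split("; "):
        action, *names = rule.split()
        # ACLs on one line are ANDed; a leading '!' negates that ACL.
        if all(ACLS[n.lstrip("!")](r) != n.startswith("!") for n in names):
            return action, rule
    return "deny", None  # not reached: both lists end with "deny all"
```

With the posted order, `allow Safe_ports` matches every client on port 80 before any deny line is read, so the later rules never apply and the proxy answers any source address that can reach it.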
Title: Re: Configuring Squid Proxy server & Transparent Proxy
Post by: jahangir on October 09, 2009, 05:21:30 PM
NAT

Short for Network Address Translation, NAT as specified in RFC 1631 is an Internet standard that enables a local-area network (LAN) to use one or more IP addresses for internal traffic and a second for external. A network NAT is commonly used by home users to allow multiple computers to easily connect to a broadband connection. NAT is also used to hide internet network addresses by using the single NAT address.
Today there are two different variants of NAT used. NAPT which is short for Network Address Port Translation, NAPT and PAT which is short for Port Address Translation.

Also see: Network definitions, Proxy


 
Proxy server

A Proxy is a computer server or software program which is part of the gateway server or another computer that separates a local network from outside networks.
A proxy server will generally cache all pages accessed through the network. When a page is accessed that is not in the proxy server's cache, the proxy server will access the page using its own IP address, cache the page, and forward it to the user accessing that page.

Users who wish to set up a proxy at home or in a home office to share an internet connection via modem or other internet connection may wish to consider any of the following products:

- Sygate Home Network
- WinProxy
- SpoonProxy
- ShareTheNet

Also see: ICS, Network definitions www.mrhope.com/jargon/n/nat.htm (http://www.mrhope.com/jargon/n/nat.htm)