Author Topic: Configuring Squid Proxy server & Transparent Proxy  (Read 91899 times)
tallship
« Reply #90 on: October 24, 2004, 04:01:53 PM »

Quote from: "tomamodi"
Quote from: "ben_linux"
by the way, when I run squid I see the following warning:

aclParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.0.1/255.255.255.0'


make it

acl mynet src 192.168.0.0/255.255.255.0

Yes. 192.168.0.1 is a /32 (an individual host number using all 32 bits). If you were to set it up with an acl, you would have done this instead:

Code:

acl mynet src 192.168.0.1/255.255.255.255


That makes it a single host. But it's not very useful ;) Therefore, you want something that applies to your entire Class C network (a /24 - 24 bits are used for the network and the rest are the hosts).

So use the recommendation provided by Tomamodi instead for the network number of 192.168.0."0" - ."1" is a particular host where all 32 bits are used to represent that particular machine.

Remember, that the range for any particular /24 network begins and ends with a 32 bit number that you cannot use for a host.

i.e., 192.168.0.0 - 192.168.0.255

This includes the possibility for 254 actual hosts, 192.168.0.0 is the network number, and 192.168.0.255 is the broadcast address in CIDR if you have not subnetted the network any further (if you haven't, for example, split it up into two /25 networks).

This yields 192.168.0.1 - 192.168.0.254 as usable host IPs, with a netmask of 255.255.255.0 (you're only using 24 of the 32 bits for the network portion).

I hope that helps more than it confuses ;)

Kindest regards,

Bradley
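
[Added example, not part of the post above or of the thread.] The aclParseIpData warning discussed in this reply can be found before Squid starts by scanning squid.conf for `src` entries whose address has bits set outside the netmask. The function name and the sample configuration are constructed for illustration; it also accepts CIDR prefixes such as /16, which goes beyond the dotted netmasks used in the thread.

```python
import ipaddress
import re

# Matches "acl NAME src SPEC [SPEC ...]" lines of a squid.conf.
ACL_SRC = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+)$")

def check_src_acls(conf_text):
    """Return (acl_name, spec, suggested_spec) for every src entry whose
    address has bits set that the netmask masks away."""
    findings = []
    for line in conf_text.splitlines():
        match = ACL_SRC.match(line.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        name = match.group(1)
        for spec in match.group(2).split():
            if "/" not in spec or "-" in spec:
                continue  # bare host or address range: nothing is masked away
            addr, mask = spec.split("/", 1)
            try:
                net = ipaddress.ip_network(spec, strict=False)
                host = ipaddress.ip_address(addr)
            except ValueError:
                continue  # not an IP/netmask pair this check understands
            if host != net.network_address:
                # Keep the mask as written, replace the address by the network number.
                findings.append((name, spec, f"{net.network_address}/{mask}"))
    return findings

# Constructed sample configuration (the mynet line is the one from the thread).
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl mynet src 192.168.0.1/255.255.255.0   # triggers the warning
acl onehost src 192.168.0.1/255.255.255.255
acl mixed src 10.1.2.3/16 192.168.110.0/255.255.255.0
"""

if __name__ == "__main__":
    for name, spec, fix in check_src_acls(SAMPLE):
        print(f"acl {name}: {spec} masks away host bits, use {fix}")
```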

Nano
« Reply #91 on: November 29, 2004, 06:21:48 AM »

Hi all,

Well, well, well, I have the same problem of rights, but I'm quite sure my rights are good ... because I started Squid one time and it worked; now I have reinitialised the cache due to a squid process that stack overflowed the memory ...

Using Fedora Core 3
I configured my cache directory like this:

chown squid:squid to my /usr/local/squid/cache.
chmod 770 /usr/local/squid/cache

drwxrwx---   2 squid squid 4096 nov 26 17:46 cache

and I have also changed my var/log/squid directory:

drwxrwx---   2 squid    squid        4096 nov 29 12:14 squid

Squid fails when initializing with /etc/init.d/squid start:

init_cache_dir /usr/local/squid/cache... Démarrage de squid :....................                                                          [FAILED]

In the squid.out I have:

2004/11/29 12:09:10| Creating Swap Directories
FATAL: Failed to make swap directory /usr/local/squid/cache/00: (13) Permission denied
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.002 seconds = 0.002 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0


In the cache.log:

2004/11/29 12:09:24| /usr/local/squid/cache/00: (2) No such file or directory
FATAL:  Failed to verify one of the swap directories, Check cache.log
        for details.  Run 'squid -z' to create swap directories
        if needed, or if running Squid for the first time.
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.059 seconds = 0.031 user + 0.028 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0


When trying to launch squid -z I have nothing on the console:

[root@azimov squid]# squid -z
[root@azimov squid]#


I'm sure that it's a problem of rights, but I don't have a clue where the error might be ...

Any ideas?
Bye

Ricky
« Reply #92 on: November 29, 2004, 11:28:00 AM »

Hmm.. So you are using squid as USER squid!

Then first delete your cache directory, recreate it, and give it the following access rules:
Code:
chown squid:squid /path/to/cache

chmod 770 /path/to/cache

And tell me how that goes!

Nano
« Reply #93 on: November 30, 2004, 03:09:09 AM »

Well, I've detected what was wrong.
The squid installed was from a package with yum for my FC 3, and it seems that the install put the good rights only on the directory /var/spool/cache, and the daemon launched by /etc/init.d/squid start needs this directory.

I've made another test: I've installed Squid from scratch (compiling it and make install) and now I have a directory /usr/local/squid/bin (the directory is not created by the RPM install).

I have granted the good rights to the directory /usr/local/squid/.. and now it works fine ....

To conclude: as usual, better starting from scratch than using an install ....

 :lol:  :lol:  :lol:

Thx for your help .
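
[Added example, not part of the posts above and not the diagnosis reached in this exchange.] The `(13) Permission denied` on `/usr/local/squid/cache/00` appeared although the cache directory itself was squid:squid with mode 770; one thing the mode of the leaf directory does not show is whether every parent directory can be searched by the squid user. The function name, the `start` parameter and the usage line are hypothetical; only classic mode bits are checked.

```python
import os
import stat

def first_blocker(path, uid, gids, start=os.sep):
    """Walk from `start` down to `path` and return (directory, reason) for the
    first directory that uid/gids cannot search, or for `path` itself if it is
    not writable; None when classic mode bits allow it. POSIX ACLs, SELinux
    and root's override are not modelled."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    chain = [start]
    for part in os.path.relpath(path, start).split(os.sep):
        if part != ".":
            chain.append(os.path.join(chain[-1], part))
    for directory in chain:
        try:
            st = os.stat(directory)
        except FileNotFoundError:
            return directory, "does not exist"
        if not stat.S_ISDIR(st.st_mode):
            return directory, "not a directory"
        if st.st_uid == uid:          # owner class applies
            bits = (st.st_mode >> 6) & 7
        elif st.st_gid in gids:       # group class applies
            bits = (st.st_mode >> 3) & 7
        else:                         # other class applies
            bits = st.st_mode & 7
        if not bits & 1:
            return directory, "no search (x) permission"
        if directory == path and not bits & 2:
            return directory, "no write permission"
    return None

if __name__ == "__main__":
    import pwd
    import sys
    # Usage (hypothetical): python3 check_cache_dir.py /usr/local/squid/cache squid
    user = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    print(first_blocker(sys.argv[1], user.pw_uid, gids) or "mode bits look fine")
```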

kes_bang
« Reply #94 on: December 30, 2004, 03:05:26 AM »

This tutorial is really helpful.

But I have a few things to discuss.

My requirement is like this..

I have a proxy server, Microsoft Web Proxy 2.0. I need to configure squid for all users to access the internet; internally this squid proxy server will request the Microsoft web proxy.

I need to configure squid as a cache-only server.

I have enabled authentication on the MS proxy, so I need to give a login id and password to access the MS proxy from squid.

Initially I do not want to configure any acl...

Please guide me how to go about this....

I am using Red Hat Linux ver 8.0, squid ver squid-2.4.STABLE7

Waiting for reply
Thanks in advance

anybody
« Reply #95 on: January 03, 2005, 09:10:52 AM »

hello

If you are configuring squid from the source

for the latest source tar.gz

there is one little change

#after configure

it is now
make all instead of make

then it is  make install

vikram0123
« Reply #96 on: January 11, 2005, 09:09:10 PM »

Hi,

Can someone help me? I have a problem configuring squid. I use wireless internet, so can any client detect the proxy automatically without my needing to configure the proxy and the port? And can I block some PCs from accessing the internet, because some of the staff tend to give their username and password to others so others can access the internet? Should I make a script to classify each of their proxy comp, or is there another way?

thanks in advance
Vikram

Ricky
« Reply #97 on: January 12, 2005, 06:19:48 AM »

Use transparent proxy and then do filtering.. You can see my various other posts about this in the forum!

b0n3thug5
« Reply #98 on: January 13, 2005, 11:03:30 PM »

I have installed and configured squid using the transparency proxy setup. I am able to surf to any website that uses http:// but not https://. My setup is as such: I have a linux box that I use as a firewall, and it then has two other network connections that access one DMZ network and one LOCAL network. I have my squid server in the DMZ. I have followed the setup as earlier in this post, almost to the T. I would like to be able to access the https:// websites but also lock down my internet access, since I have younger children that are getting ready to get on the internet. All my traffic goes through the firewall, then jumps to the DMZ server and uses that squid server to redirect the http to port 3128.

My configuration is as follows:

vi /etc/squid/squid.conf
maximum_object_size 8192 KB

cache_mem 16 MB
cache_dir ufs /var/spool/cache/ 2048 22 256
cache_store_log none
cache_mgr bryan.jones@thebuc.com
cache_effective_user squid
cache_effective_group squid

ftp_user bryan.jones@thebuc.com

#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic children 5
#auth_param basic realm [thebuc.com]  Squid proxy-caching web server authentication



#acl name proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255


acl internal_lightning src 192.168.110.47
acl loc_net src 192.168.110.0/255.255.255.0
#acl internal proxy_auth 192.168.110.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#http_access allow name
http_access allow loc_net
http_access allow internal_lightning
http_access deny all

redirector_access allow all
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 5

visible_hostname thebuc.com
unique_hostname  thebuc.com

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

http_port 3128

Things that I do on the firewall to access the squid server

First:
if [ -z "`ip rule list | grep www.out`" ] ; then
        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 65.66.142.44 dev eth2 table www.out
        ip route flush cache
fi

Second:
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 202

This is what I do on the squid server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Is there anything that I might be missing, or can I access https:// websites using transparency proxy in squid?

Ricky
« Reply #99 on: January 14, 2005, 05:32:03 AM »

The problem you are facing, squid not being able to access https, has also been reported by another guy in the forum. Here is the discussion! Maybe you can understand what may be wrong, although your configuration seems to be alright here ..
See transparent proxy and https

b0n3thug5
« Reply #100 on: January 14, 2005, 12:04:57 PM »

I have read that post and I guess, since I am new to squid, this does not make it quite clear what my issue might be. From the post that you referred me to earlier.... it says that I should try the following:

http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports

I have tried this but I am still not getting https:// access. I guess I am such a newbie to squid that I do not understand why I am not able to access https:// websites. I figured, being somewhat naive, that I could get access to both http:// and https://. Where should I look, if it is possible to have access to both... to assist me?

Thanks
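
[Added example, not part of the posts above.] Squid checks http_access lines top to bottom and the first line whose ACLs all match decides, so the effect of the two `allow` lines tried in this reply can be compared with the rules from the posted squid.conf by evaluating both against the same requests. This is a simplified evaluator written for illustration, not Squid's code; it assumes the two `allow` lines replaced the two `deny` lines in place, and the request fields and the 203.0.113.9 client are constructed.

```python
import ipaddress

# ACLs and http_access order from the squid.conf in reply #98 (manager and
# internal_lightning lines left out; they do not affect these requests).
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl loc_net src 192.168.110.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl CONNECT method CONNECT
"""
POSTED = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow loc_net
http_access deny all
"""
# Assumption: the two "allow" lines from reply #100 replaced the denies in place.
TRIED = (POSTED.replace("deny !Safe_ports", "allow !Safe_ports")
               .replace("deny CONNECT !SSL_ports", "allow CONNECT !SSL_ports"))

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    return req["method"] in values  # kind == "method"

def decide(conf, req):
    """First http_access line whose ACLs all match decides; '!' negates."""
    acls, rules = {}, []
    for tok in (line.split() for line in conf.splitlines()):
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    probe = {"src": "203.0.113.9", "method": "CONNECT", "port": 25}  # constructed
    print("posted:", decide(POSTED, probe), "| tried:", decide(TRIED, probe))
```

The posted rules already allow CONNECT to port 443 from loc_net, while the changed rules allow requests to ports outside Safe_ports from any source, because those lines are evaluated before the loc_net check.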

b0n3thug5
« Reply #101 on: January 14, 2005, 12:36:11 PM »

I am not tied down to doing a transparency proxy, I just would like to be able to use squidGuard so that I can limit what sites my household surfs to. My network is somewhat diverse: I have a firewall server (redhat linux) running iptables (shorewall setup), my squid server is in my DMZ (redhat 9), and I have a local network that currently is set up to masquerade to the internet. I want to turn off masq and use the squid proxy to surf the internet. I have my configuration in the post above; can someone assist me on how to set up my squid to allow for proxy service?

Ricky
« Reply #102 on: January 15, 2005, 04:40:17 AM »

So are you still facing a problem accessing https?

In simple proxy, you have to configure your browser to use the same port, i.e. the one on which squid is running, for https also! I.e. same ports for all protocols!

amnyarku
« Reply #103 on: April 30, 2005, 02:54:42 PM »

Please,

Help me to recompile my squid to run transparent proxy

Thanks

Ricky
« Reply #104 on: May 08, 2005, 05:59:48 AM »

The answer to your question has already been given on the very first page of this thread..