squid config setting. round-robin interval - squid

Which tag or parameter can be used in the squid.conf configuration to address each neighbouring peer not with every request, but after some time or a quantitative interval?
Currently it goes to a new peer with every request, but I need the peer to change every few minutes or every 10 requests.
acl all src 0.0.0.0/0
http_access allow all
http_port 3128
server_persistent_connections off
cache_peer 45.72.51.207 parent 7775 7 proxy-only round-robin default login=login
cache_peer 23.229.126.58 parent 7587 7 proxy-only round-robin default login=login
cache_peer 23.229.126.136 parent 7665 7 proxy-only round-robin default login=login
cache_peer 45.72.55.94 parent 7131 7 proxy-only round-robin default login=login
cache_peer 45.72.55.30 parent 7067 7 proxy-only round-robin default login=login
never_direct allow all

I understood from your explanation:
You need weighted round-robin.
It operates like a circle, selecting the first peer, then the second, then the third, etc., until
all peers have been used, then selects the first again and repeats the sequence.
You could set weight= at the end of the peer config line.
Modify it with the weight= option to unbalance the connections:
unbalancing the connections picks this peer N times each cycle.
You could also set max-conn= at the end of the peer config line for the maximum number of connections to a peer.
Sample for max-conn:
cache_peer Server01 parent 80 0 no-query originserver login=PASS max-conn=10
cache_peer Server02 parent 80 0 no-query originserver login=PASS max-conn=50
cache_peer Server03 parent 80 0 no-query originserver login=PASS max-conn=60
Sample for weight:
cache_peer Server01 parent 80 0 no-query originserver login=PASS weight=5
cache_peer Server02 parent 80 0 no-query originserver login=PASS weight=10
cache_peer Server03 parent 80 0 no-query originserver login=PASS weight=20
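To see how the weight= values above actually spread requests, here is a small simulation of weighted round-robin peer selection. It is an added example, not code from the answer or from Squid: it picks the usable peer with the lowest selections-to-weight ratio (which gives each peer exactly weight picks per cycle of sum-of-weights requests) and treats max-conn= as "skip this peer while it is at its limit", an assumption made for the demo. The cache_peer lines embedded are the answer's own samples.

```python
"""Weighted round-robin peer selection, simulated.

Added example (not code from the page or from Squid): it models the behaviour
the answer describes for `round-robin` with `weight=`, picking each peer in
proportion to its weight within every cycle, and it models `max-conn=` as
"skip the peer while it is at its connection limit" (an assumption made for
the demo). The cache_peer lines below are the answer's samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Peer:
    host: str
    weight: int = 1                 # weight= option, default 1
    max_conn: Optional[int] = None  # max-conn= option, None = unlimited
    active: int = 0                 # in-flight connections (set by the caller)
    rr_count: int = 0               # how often this peer has been selected


def parse_cache_peer(line: str) -> Peer:
    """Parse 'cache_peer <host> <type> <http-port> <icp-port> [options...]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "cache_peer":
        raise ValueError(f"not a cache_peer line: {line!r}")
    peer = Peer(host=tokens[1])
    for opt in tokens[5:]:
        if opt.startswith("weight="):
            peer.weight = int(opt.split("=", 1)[1])
        elif opt.startswith("max-conn="):
            peer.max_conn = int(opt.split("=", 1)[1])
    return peer


class WeightedRoundRobin:
    """Pick the usable peer with the lowest selections/weight ratio.

    Over one cycle of sum(weights) requests every peer is chosen exactly
    `weight` times, and the picks are spread out instead of clustered
    (weights 5/10/20 yield 1:2:4, not "5 in a row, then 10 in a row").
    Ties go to the peer listed first.
    """

    def __init__(self, peers: List[Peer]):
        self.peers = peers

    def select(self) -> Peer:
        best: Optional[Peer] = None
        for p in self.peers:
            if p.weight <= 0:
                continue
            if p.max_conn is not None and p.active >= p.max_conn:
                continue  # at max-conn: skipped, not queued (demo assumption)
            if best is None or p.rr_count / p.weight < best.rr_count / best.weight:
                best = p
        if best is None:
            raise RuntimeError("no usable parent: all peers unusable or at max-conn")
        best.rr_count += 1
        return best


def distribute(conf_lines: List[str], requests: int) -> Dict[str, int]:
    """Count how many of `requests` selections each peer in `conf_lines` gets."""
    peers = [parse_cache_peer(line) for line in conf_lines if line.startswith("cache_peer")]
    rr = WeightedRoundRobin(peers)
    counts = {p.host: 0 for p in peers}
    for _ in range(requests):
        counts[rr.select().host] += 1
    return counts


# The answer's weight samples.
WEIGHTED_CONF = [
    "cache_peer Server01 parent 80 0 no-query originserver login=PASS weight=5",
    "cache_peer Server02 parent 80 0 no-query originserver login=PASS weight=10",
    "cache_peer Server03 parent 80 0 no-query originserver login=PASS weight=20",
]

if __name__ == "__main__":
    print(distribute(WEIGHTED_CONF, 35))   # {'Server01': 5, 'Server02': 10, 'Server03': 20}
```

Run it to see the weight=5/10/20 samples yield 5, 10 and 20 selections out of every 35. In this model weight= changes the proportions and max-conn= removes a saturated peer from the rotation; neither holds one peer for a fixed run of consecutive requests.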

Related

Freeradius extra open port

I have a server with many available subnets, and I would like my FreeRADIUS to listen only on specific IP addresses. I use the FreeRADIUS configuration from the Arch package freeradius-3.0.19-3. The only changes are:
removed the IPv6 listen sections
in the IPv4 listen section I configured the listening address to ipaddr="192.168.1.1"
In my configuration I also listen on 127.0.0.1:18120, but when I check open ports I get:
ss -nlp|grep radiusd
udp UNCONN 0 0 0.0.0.0:40012 0.0.0.0:* users:(("radiusd",pid=22199,fd=9))
udp UNCONN 0 0 127.0.0.1:18120 0.0.0.0:* users:(("radiusd",pid=22199,fd=7))
udp UNCONN 0 0 192.168.1.1:1812 0.0.0.0:* users:(("radiusd",pid=22199,fd=8))
This port 40012 is dynamically allocated; after a freeradius service restart the number is different.
ss -nlp|grep radiusd
udp UNCONN 0 0 0.0.0.0:42447 0.0.0.0:* users:(("radiusd",pid=26490,fd=9))
udp UNCONN 0 0 127.0.0.1:18120 0.0.0.0:* users:(("radiusd",pid=26490,fd=7))
udp UNCONN 0 0 192.168.1.1:1812 0.0.0.0:* users:(("radiusd",pid=26490,fd=8))
How do I get rid of this port? What is its function?
This extra port is used for sending and receiving proxy packets. If you are not using proxying you can disable it in radiusd.conf, look for
proxy_requests = yes
$INCLUDE proxy.conf
change it to "no", and comment out the INCLUDE line.
If you want to change the address and/or port that is used, look at the listen sections in e.g. raddb/sites-enabled/default. You can add a new section with type = proxy to specifically set the address and port that is used.
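A quick way to confirm the change took effect is to look for any radiusd socket still bound to the wildcard address. The following check is an added example, not part of the answer: it parses `ss -nlp` output (the embedded sample is the listing from the question) and lists the sockets a given process has bound on all interfaces.

```python
"""Find sockets a process has bound to the wildcard address in `ss -nlp` output.

Added example, not from the page: a check to run before and after turning
proxying off in radiusd.conf. SAMPLE_SS is the listing quoted in the question.
Feed it `ss -nlp` output as there: with a single protocol filter such as -u,
ss drops the Netid column and the field positions change.
"""
from typing import List, Tuple

SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:40012 0.0.0.0:* users:(("radiusd",pid=22199,fd=9))
udp UNCONN 0 0 127.0.0.1:18120 0.0.0.0:* users:(("radiusd",pid=22199,fd=7))
udp UNCONN 0 0 192.168.1.1:1812 0.0.0.0:* users:(("radiusd",pid=22199,fd=8))
"""

# Wildcard local-address forms that different ss versions print (IPv4, IPv6, any).
WILDCARDS = ("0.0.0.0:", "[::]:", ":::", "*:")


def wildcard_sockets(ss_output: str, process: str) -> List[Tuple[str, str]]:
    """Return (proto, local-address:port) for `process` sockets bound on every address."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or f'"{process}"' not in line:
            continue  # header lines and sockets of other processes
        proto, local = fields[0], fields[4]
        if local.startswith(WILDCARDS):
            found.append((proto, local))
    return found


if __name__ == "__main__":
    import sys
    # Usage: ss -nlp | python3 this_script.py   (falls back to the sample on a tty)
    data = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for proto, local in wildcard_sockets(data, "radiusd"):
        print(f"{proto} {local} is bound on every address")
```

On the question's listing this reports only `udp 0.0.0.0:40012`, the proxy socket; after `proxy_requests = no` and a restart, or after pinning it with a `type = proxy` listen section, the check should print nothing.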

Parent proxy with different IP protocol

My machine L has only an IPv4 address.
I want to access a web page S from L through a VPS P2 that has only an IPv6 address.
I have a VPS P1 that has a single interface with two addresses: IPv4 and IPv6.
So the whole chain should be L(IPv4) -> P1(IPv4) -> P1(IPv6) -> P2(IPv6) -> S(IPv6)
I have installed Squid 3.3.8 on each VPS (running Ubuntu).
Here is the configuration of P1:
http_port 3128
cache_peer 2001:XXXX:XXX:XX:XXX:XXXX:XXXX:66bc parent 3128 0 no-query no-digest default
never_direct allow all
Here is the configuration of P2:
http_port 3128
http_access allow all
I get this error: HTTP/1.1 403 Forbidden. It appears that there is a problem in P1(IPv4) -> P1(IPv6) or in P1(IPv6) -> P2(IPv6). The latter is more likely, I guess. How can I fix this?
Notes:
I know I can access S directly from P1. I tried it (by using http_access allow all instead of never_direct allow all). It works. But this is not what I want.
I don't care about security now (e.g., setting restrictive ACLs).
The problem was in the configuration of P1. I should have maintained http_access allow all:
http_port 3128
cache_peer 2001:XXXX:XXX:XX:XXX:XXXX:XXXX:66bc parent 3128 0 no-query no-digest default
never_direct allow all
http_access allow all

Squid refuses all websites when creating proxy server

So I'm trying to create a proxy server for my crawler to use, and I'm unsure why I'm being denied, even from myself. When I go to any website in a browser on the computer that I've installed Squid and everything on, it gives me the following error message:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.whatismyipaddress.com/
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.
Generated Sun, 08 Nov 2015 04:03:13 GMT by WIN-AIUOBK0JHPA (squid/2.7.STABLE8)
I've edited my LAN settings in Internet Options to allow for a proxy server at the correct IP address (IPv4 when I run ipconfig), gave it the correct port to open up to, and I've also opened up the port in my Windows Firewall.
Below are segments of my squid.conf file:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localhost src 192.168.1.0/255.255.255.255
http_access allow localhost
(skip through some commented out segments....)
http_access allow manager localhost
http_access allow localnet
As you can tell, I've stripped out a lot of unnecessary commented parts. Down lower, I have my...
http_port ####
...line.
I have no idea why I'm getting blocked out. I will be constantly refreshing, so if you need any more information or have any questions, please let me know. Thank you so much!!
Your config should look somewhat like the following:
http_access allow localhost
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
and remove the following line from your config:
acl localhost src 192.168.1.0/255.255.255.255
localhost need not be specified as an ACL; it's just for accessing localhost pages. You have mixed up localhost with localnet; modify that line as below:
acl localnet src 192.168.1.0/255.255.255.0 # a /24; a 255.255.255.255 mask is a /32 and would match only the single host 192.168.1.0
Your LAN clients' local IPs hitting the proxy should belong to the above src range, or modify the range as you require. All other requests from other IPs will be denied.
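The /255.255.255.255 mask in the question is a /32, so only the address 192.168.1.0 itself matches, and Squid's documented fallback when no http_access line matches is the opposite of the last line. The simulator below is an added example rather than Squid code: it evaluates `acl ... src` and `http_access` lines the way squid.conf documents it, on the lines from this question, on the corrected layout with a /24 mask, and on the P1 configuration from "Parent proxy with different IP protocol" above, which had no http_access line at all and therefore denied everything. Only `src` ACLs and the built-in `all` and `localhost` of Squid 3.x are modelled.

```python
"""Minimal simulator of Squid `acl NAME src ...` + `http_access` evaluation.

Added example, not Squid code. It implements the evaluation rules stated in
squid.conf's own documentation: http_access lines are checked in order and the
first line whose ACLs all match decides; if no line matches, the default is the
opposite of the last line; with no http_access lines at all, every request is
denied. Only `src` ACLs are modelled (plus the built-in `all` and `localhost`
of Squid 3.x); any other ACL name is treated as undefined, which real Squid
rejects at startup. The configs below are taken from this question, from the
first answer, and from P1 in "Parent proxy with different IP protocol".
"""
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])


def parse_rules(conf: str) -> Tuple[Dict[str, list], List[Rule]]:
    acls: Dict[str, list] = {
        "all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
        "localhost": [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")],
    }
    rules: List[Rule] = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) > 3 and tok[2] == "src":
            # Squid accepts a.b.c.d/24 as well as a.b.c.d/255.255.255.0; repeated
            # acl lines with the same name are merged, as in Squid.
            acls.setdefault(tok[1], []).extend(
                ipaddress.ip_network(n, strict=False) for n in tok[3:])
        elif tok[0] == "http_access" and len(tok) > 2:
            rules.append((tok[1], tok[2:]))
    return acls, rules


def http_access(conf: str, client_ip: str) -> str:
    """Return "allow" or "deny" for a request from client_ip under conf."""
    acls, rules = parse_rules(conf)
    if not rules:
        return "deny"  # no http_access lines at all: everything is denied
    ip = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        matched = True
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            if name not in acls:
                raise ValueError(f"ACL {name!r} not defined (Squid would refuse to start)")
            hit = any(ip in net for net in acls[name])  # mismatched IP versions never match
            if hit == negated:
                matched = False
                break
        if matched:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # opposite of the last line


# The question's acl/http_access lines: the mask is a /32, so only 192.168.1.0 matches.
OP_CONF = """\
acl localhost src 192.168.1.0/255.255.255.255
http_access allow localhost
"""

# The first answer's layout, with a real /24 mask for the LAN.
FIXED_CONF = """\
acl localnet src 192.168.1.0/255.255.255.0
http_access allow localhost
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
"""

# P1 in "Parent proxy with different IP protocol" before its fix: no http_access line.
P1_CONF = """\
http_port 3128
cache_peer 2001:XXXX:XXX:XX:XXX:XXXX:XXXX:66bc parent 3128 0 no-query no-digest default
never_direct allow all
"""

if __name__ == "__main__":
    for label, conf in (("question", OP_CONF), ("fixed", FIXED_CONF), ("P1", P1_CONF)):
        print(label, "192.168.1.5 ->", http_access(conf, "192.168.1.5"))
```

A client at 192.168.1.5 is denied under the question's lines (no rule matches, and the last rule is an allow, so the default flips to deny) and allowed under the /24 version; P1 is denied until an `http_access allow all` line is added, which is exactly the fix that question reports.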
I just got rid of all the default config and used the following:
# cat /etc/squid/squid.conf
http_port 3128
acl vpc_no_internet src 10.130.0.0/255.255.0.0
http_access allow vpc_no_internet
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
Note: The above config allows access for the specified subnet only.
I had a similar situation and the solution was to use the following commands:
unset https_proxy
unset http_proxy
unset ftp_proxy
I placed these into a script to run every time I logged in to my server.
This may not be the correct solution for you but it worked in my situation as I wasn't using the proxy and was connecting via vpn.
The only reason I am posting this is I haven't seen this answer posted anywhere else. As usual, YMMV.

Can not divert packet to pf when configure transparent squid 3.4.13 on OpenBSD 5.7

I am trying to build a transparent proxy with Squid on OpenBSD 5.7 with the pf firewall.
I compiled Squid from source with the options below:
$ squid -v
Squid Cache: Version 3.4.13
configure options:
--prefix=/usr/local/squid
--with-default-user=squid
--enable-icmp
--enable-storeio=ufs,aufs
--enable-removal-policies=lru,heap
--disable-snmp
--disable-wccp
--disable-wccpv2
--enable-pf-transparent
--enable-ipv6
--enable-referer-log
--with-nat-devpf
--enable-debug-cbdata
--enable-useragent-log
--enable-refererlog
--enable-cache-digests
--with-large-files
--with-pthreads
--without-mit-krb5
--without-heimdal-krb5
--without-gnugss
--disable-eui
--disable-auth
--enable-ltdl-convenience
$ uname -a
OpenBSD dns.localdomain 5.7 GENERIC#825 amd64
My squid.conf:
visible_hostname dns.local
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# allow
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 intercept
# disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Enabled the gateway to connect to the Internet:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
pf.conf:
int_if = "vic1"
ext_if = "vic0"
lan_net = "192.168.1.0/24"
# Settings
set block-policy return
set loginterface egress
set skip on lo
# NAT
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
pass out quick log inet from 192.168.1.0/24 divert-reply
#
# Rules
#
block all
# allow dns
pass quick on {$int_if, $ext_if} inet proto udp from {self, $lan_net} to any port 53
# allow local access to web
pass quick on $ext_if inet proto tcp from {self} to any port 80
# allow icmp
pass quick on $int_if inet proto icmp from $lan_net to any
# allow ssh from $ext_if
pass quick on $ext_if inet proto tcp from any to ($ext_if) port 22
I think the problem is in the pf rule. Is it that pf cannot divert packets to port 3129? I've tested with the command:
nc -l 3129
but it didn't respond with any HTTP header.
The rule in the Squid wiki cannot be applied to pf because of a syntax error.
Thank you in advance
Maybe you mean $int_if instead of $ext_if in this rule?:
pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
As I understand it, you want to divert traffic coming from the internal network to local port 3129.

Squid Rotating Exit IPs with cache_peer

I am trying to duplicate the configuration described in this blog post.
http://www.everydayinternetstuff.com/2011/03/squid-random-outgoing-ipinterface-selection/
This technique, as I understand it, is supposed to trick Squid into thinking it's both a parent and a cache_peer, thus allowing you to roll exit IPs from a single instance.
Using this configuration I have been able to exit on the IPs that I enter on, but I am unable to rotate exit IPs when entering.
The error page being reported is an Access Denied error page from squid cache.
I'd appreciate any assistance or suggestions. Also if anyone has a working configuration done a different way, I'd appreciate hearing those suggestions as well.
http_port <entry ip>:3128
http_port <exit1>:3128
http_port <exit2>:3128
http_port <exit3>:3128
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic children 5
auth_param basic realm ProxyBox
auth_param basic credentialsttl 2 hours
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth
acl src_01 src <exit1>
acl src_02 src <exit2>
acl src_03 src <exit3>
tcp_outgoing_address <exit1> src_01
tcp_outgoing_address <exit2> src_02
tcp_outgoing_address <exit3> src_03
acl first_req src 127.0.0.0/8
acl second_req src <exitnet>/29
cache_peer <exit1> parent 3128 0 round-robin no-query login=proxyadmin:password
cache_peer <exit2> parent 3128 0 round-robin no-query login=proxyadmin:password
cache_peer <exit3> parent 3128 0 round-robin no-query login=proxyadmin:password
cache_peer_access <exit1> allow first_req
cache_peer_access <exit2> allow first_req
cache_peer_access <exit3> allow first_req
cache_peer_access <exit1> deny second_req
cache_peer_access <exit2> deny second_req
cache_peer_access <exit3> deny second_req
never_direct allow first_req
never_direct deny second_req
I think that the configuration described in that link is a big mess. Use a standard Squid configuration and use iptables to distribute the load between your IPs:
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 -j SNAT --to 192.168.1.201
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 2 -j SNAT --to 192.168.1.202
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 1 -j SNAT --to 192.168.1.203
Those IPs should be your local IPs.
Regards,
Diego
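Why the --every values run 3, 2, 1 rather than 3, 3, 3 is easier to see by simulating the nth match. The following is an added example, not part of the answer: it reproduces the per-rule counter semantics of `-m statistic --mode nth` over a chain of SNAT rules and counts which source address each new connection gets; the 192.168.1.20x addresses are the answer's placeholders.

```python
"""Simulate iptables `-m statistic --mode nth --every N` across a rule chain.

Added example, not from the page. Each nth rule keeps its own counter that
advances for every packet the rule evaluates and matches when the counter equals
--packet (0 unless given), so a rule only sees what the rules above it did not
already take. That is why the answer's three SNAT rules use --every 3, 2, 1 in
that order: 1/3 of everything, then 1/2 of the remainder, then all the rest.
Because SNAT is applied in the nat table, the counted "packets" are the first
packets of new connections, i.e. each new outgoing connection Squid opens.
"""
from typing import Dict, List, Optional


class NthRule:
    """One `-m statistic --mode nth --every EVERY --packet PACKET -j SNAT --to TARGET` rule."""

    def __init__(self, every: int, target: str, packet: int = 0):
        if every < 1 or not 0 <= packet < every:
            raise ValueError("--packet must be in [0, --every)")
        self.every, self.packet, self.target = every, packet, target
        self.counter = 0

    def evaluate(self) -> bool:
        """Advance the counter for this packet and report whether the rule matched."""
        hit = self.counter == self.packet
        self.counter = (self.counter + 1) % self.every
        return hit


def snat_distribution(rules: List[NthRule], connections: int) -> Dict[Optional[str], int]:
    """Send `connections` new connections down the chain; key None = no rule matched."""
    counts: Dict[Optional[str], int] = {r.target: 0 for r in rules}
    counts[None] = 0
    for _ in range(connections):
        for rule in rules:
            if rule.evaluate():
                counts[rule.target] += 1
                break          # -j SNAT is a terminating target
        else:
            counts[None] += 1  # fell through the chain: source address left unchanged
    return counts


def balanced_chain(targets: List[str]) -> List[NthRule]:
    """--every N, N-1, ..., 1 spreads new connections evenly over N targets."""
    n = len(targets)
    return [NthRule(n - i, t) for i, t in enumerate(targets)]


def iptables_commands(targets: List[str]) -> List[str]:
    """Render balanced_chain() as POSTROUTING rules in the form the answer shows."""
    return [
        f"iptables -t nat -A POSTROUTING -m statistic --mode nth --every {r.every} "
        f"-j SNAT --to {r.target}"
        for r in balanced_chain(targets)
    ]


if __name__ == "__main__":
    ips = ["192.168.1.201", "192.168.1.202", "192.168.1.203"]
    print(snat_distribution(balanced_chain(ips), 9))          # 3 / 3 / 3, nothing unmatched
    print(snat_distribution([NthRule(3, ip) for ip in ips], 9))  # naive 3/3/3: uneven, 2 unmatched
    print("\n".join(iptables_commands(ips)))
```

With the answer's ordering nine new connections land three on each address; with --every 3 on all three rules the split is 3/2/2 and two connections leave with the interface's own address. Since only the first packet of a connection hits the nat table, the rotation is per connection, not per request: with `server_persistent_connections` on, several requests to the same origin share one exit IP until that connection closes.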
