squid as http proxy configuration - squid

I am trying to use Squid as an HTTP proxy (proxy all requests from 88.99.219.124 using the 85.10.219.144/29 subnet).
$ cat /etc/squid3/squid.conf
acl client src 88.99.219.124
acl proxy dst 85.10.219.144/29
http_access allow client proxy
http_access deny all
http_port 3129
$ tail -f /var/log/squid3/access.log
1543865940.128 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.138 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.147 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.156 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
What's wrong with my config?

Squid config:
$ cat /etc/squid3/squid.conf
acl client src 88.99.219.124
http_access allow client
http_access deny all
http_port 3129
debug_options ALL,1
To allow your server to use the 85.10.219.144/29 subnet, add IP addresses from the subnet to the network interfaces.
Use a subnet calculator to find the min and max IP in the subnet range.
Network interfaces:
$ cat /etc/network/interfaces
...
auto vmbr0
iface vmbr0 inet static
address x.x.x.x
netmask x.x.x.x
gateway x.x.x.x
bridge-ports __network_interface_name__
bridge-stp off
bridge-fd 0
auto vmbr0:0
iface vmbr0:0 inet static
address 85.10.219.145
netmask 255.255.255.248
auto vmbr0:1
iface vmbr0:1 inet static
address 85.10.219.146
netmask 255.255.255.248
auto vmbr0:2
iface vmbr0:2 inet static
address 85.10.219.147
netmask 255.255.255.248
auto vmbr0:3
iface vmbr0:3 inet static
address 85.10.219.148
netmask 255.255.255.248
auto vmbr0:4
iface vmbr0:4 inet static
address 85.10.219.149
netmask 255.255.255.248
auto vmbr0:5
iface vmbr0:5 inet static
address 85.10.219.150
netmask 255.255.255.248
And now when we try to use our proxy, it works!
$ curl -x http://85.10.219.150:3129 -L http://google.com
In the log file:
$ cat /var/log/squid/access.log
1544717769.941 58 _your_ip_ TCP_MISS/200 13234 GET http://www.google.com/ - HIER_DIRECT/2a00:1450:4001:809::2004 text/html
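The native access.log lines quoted in this thread are the first thing to read when a request is unexpectedly denied. As an added example that is not part of the original question or answer, here is a small Python parser for that native log layout (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type). It counts denials per client and pulls out the two denial patterns seen on this page: a CONNECT tunnel blocked by http_access, and, further down the page, a denied request for Squid's own error-page icon under /squid-internal-static/. The sample log text is constructed: the first two lines mirror the ones quoted above, the other lines, the client addresses 192.168.168.20 and 203.0.113.9 and the 407 entry are invented.

```python
import re
from collections import Counter

# Field layout of Squid's default "native" access.log line (logformat squid):
# time elapsed client code/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample log, modelled on the entries quoted in this thread.
# The 192.168.168.20 and 203.0.113.9 clients and the 407 line are invented.
SAMPLE_LOG = """\
1543865940.128      0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.138      0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1544717769.941     58 88.99.219.124 TCP_MISS/200 13234 GET http://www.google.com/ - HIER_DIRECT/2a00:1450:4001:809::2004 text/html
1544717800.002      0 192.168.168.20 TCP_DENIED/403 4187 GET http://srv1.foo.bar:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1544717801.100     12 203.0.113.9 TCP_DENIED/407 3800 GET http://example.com/ - HIER_NONE/- text/html
this line is not in native format and is skipped
"""


def parse_line(line):
    """Return a dict of named fields for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    rec["time"] = float(rec["time"])
    return rec


def summarize(log_text):
    """Count requests and denials per client and isolate the patterns an admin
    checks first: CONNECT tunnels refused by http_access (a rule that does not
    match the intended client or destination), requests for Squid's own
    error-page assets being denied, and 407 replies (credentials demanded)."""
    total = Counter()
    denied = Counter()
    denied_connect = Counter()   # (client, host:port) -> number of refusals
    internal_assets = []         # error-page icons blocked by http_access
    auth_challenges = 0          # TCP_DENIED/407: proxy asked for credentials
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total[rec["client"]] += 1
        if not rec["code"].startswith("TCP_DENIED"):
            continue
        denied[rec["client"]] += 1
        if rec["status"] == 407:
            auth_challenges += 1
        if rec["method"] == "CONNECT":
            denied_connect[(rec["client"], rec["url"])] += 1
        if "/squid-internal-static/" in rec["url"]:
            internal_assets.append(rec["url"])
    return {
        "total": total,
        "denied": denied,
        "denied_connect": denied_connect,
        "internal_assets": internal_assets,
        "auth_challenges": auth_challenges,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client, n in report["denied"].most_common():
        print(f"{client}: {n} denied of {report['total'][client]} requests")
    for (client, target), n in report["denied_connect"].items():
        print(f"  CONNECT {target} from {client} refused {n}x")
    for url in report["internal_assets"]:
        print(f"  error-page asset blocked: {url}")
```

Run it against a real file with summarize(open("/var/log/squid/access.log").read()); lines in a custom logformat will simply be skipped by parse_line, so switch the regex if the server does not use the native layout.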

Related

url_regex sees only the domain part in the URL in Squid Proxy

I configured Squid Proxy v4.13 with SSL bump on Ubuntu. I read about the url_regex directive and my objective is to allow access only to https sites and block the others. However, it is not working for me, as it sees only the domain part of the URL when I use the url_regex directive.
For example,
1.) acl whitelist url_regex cric(info|buzz) allows cricbuzz.com and cricinfo.com and blocks other URLs
2.) acl whitelist url_regex https:// blocks all URLs
My understanding is that if I have line 2 in the conf file, the regex should match all URLs starting with https://, right?
Also I tried using the ssl::server_name_regex directive with no luck. Do I have to modify the squid.conf file in order to make this work? Could someone explain to me what the issue is?
Thanks in advance!!
Here is my conf file:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl whitelist url_regex https://
http_access allow whitelist
http_access deny all
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 432
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error deny all
Use https_port:
#https_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
Use http_access:
# http_access only serves to handle traffic without SSL; to block all unsafe traffic, just http_access deny all

Basic Authentication of Squid 4.5 - /usr/lib64/squid/basic_ncsa_auth file not found

I have CentOS 7.6 and installed Squid 4.5 on it.
sudo yum -y install squid
I followed this link for Basic Authentication.
Without authentication Squid works fine.
Here is the squid.conf file after adding the # Basic Authentication part:
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
# http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# Basic Authentication
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
# allow all requests
acl all src 0.0.0.0/0
http_access allow all
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Please see the # Basic Authentication part.
The problem is:
/usr/lib64/squid/basic_ncsa_auth file does not exist.
Where is that file?
How can I fix this problem, and what is the correct configuration for Squid 4.5?
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
For Squid v4:
yum install squid-helpers
Change the path for the basic_ncsa_auth library:
# Basic Authentication
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
for:
# Basic Authentication
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
This will work :)
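Three of the threads on this page come down to how Squid evaluates http_access: the first line whose ACLs all match decides, every ACL named on a line must match, and a dst ACL is tested against the address the destination host resolves to, not against the proxy's own addresses. The Python simulator below is an added example, not code from any of the posters or from the Squid project. It re-runs the decisive lines of the configurations posted above: the original "allow client proxy" line (CONNECT google.com:443 is denied because the destination is Google's address, which is not in 85.10.219.144/29), the url_regex https:// whitelist (a CONNECT request's URL is host:443, so the pattern cannot match until after the bump), and the basic-auth config (with "allow localnet" and "allow all" ahead of the auth_users rule, a client from any address is allowed without ever presenting credentials). The Q3_ENFORCED rewrite, the resolved address 203.0.113.10, the client addresses 192.168.1.10 and 198.51.100.7 and the request URLs are constructed; proxy_auth is simplified to a boolean, where real Squid would answer 407 to an unauthenticated client.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    """One request at http_access time; for CONNECT the URL is only "host:port"."""
    client_ip: str
    method: str
    url: str
    dst_ips: tuple = ()          # addresses the destination resolved to (input to dst ACLs)
    authenticated: bool = False  # simplification: did the auth helper accept credentials?


def _ip_in(ip, spec):
    """Match an address against a CIDR, an "a-b" range or a single address."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return addr.version == lo.version and lo <= addr <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return addr.version == net.version and addr in net


class HttpAccess:
    """Squid semantics: the first http_access line whose ACLs all match wins;
    if no line matches, the verdict is the opposite of the last line's action."""

    def __init__(self, config_text):
        self.acls, self.rules = {}, []
        for raw in config_text.splitlines():
            parts = raw.split("#", 1)[0].split()
            if not parts:
                continue
            if parts[0] == "acl":
                self.acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
            elif parts[0] == "http_access":
                terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
                self.rules.append((parts[1], terms))

    def _matches(self, name, req):
        if name == "all" and name not in self.acls:
            return True  # "all" is predefined since Squid 3.2
        for kind, values in self.acls[name]:
            if kind == "src" and any(_ip_in(req.client_ip, v) for v in values):
                return True
            if kind == "dst" and any(_ip_in(ip, v) for ip in req.dst_ips for v in values):
                return True
            if kind == "url_regex":
                ignore_case = values[:1] == ["-i"]
                patterns = values[1:] if ignore_case else values
                flags = re.IGNORECASE if ignore_case else 0
                if any(re.search(p, req.url, flags) for p in patterns):
                    return True
            if kind == "proxy_auth" and req.authenticated:
                return True
        return False

    def decide(self, req):
        for action, terms in self.rules:
            if all(self._matches(name, req) != negated for negated, name in terms):
                return action
        # No http_access lines at all: Squid denies. Otherwise: opposite of the last action.
        return ("deny" if self.rules[-1][0] == "allow" else "allow") if self.rules else "deny"


# Decisive lines of the configurations posted in this thread.
Q1_POSTED = ("acl client src 88.99.219.124\nacl proxy dst 85.10.219.144/29\n"
             "http_access allow client proxy\nhttp_access deny all\n")
Q1_FIXED = "acl client src 88.99.219.124\nhttp_access allow client\nhttp_access deny all\n"
Q2_URL_REGEX = "acl whitelist url_regex https://\nhttp_access allow whitelist\nhttp_access deny all\n"
Q3_POSTED = """acl localnet src 192.168.0.0/16
acl auth_users proxy_auth REQUIRED
http_access allow localnet
http_access allow auth_users
acl all src 0.0.0.0/0
http_access allow all
http_access deny all
"""
# Hypothetical rewrite: refuse anything unauthenticated before any allow line.
Q3_ENFORCED = """acl localnet src 192.168.0.0/16
acl auth_users proxy_auth REQUIRED
http_access deny !auth_users
http_access allow localnet
http_access deny all
"""


def decisions():
    """Verdicts for the thread's scenarios; all client and resolved addresses are constructed."""
    google = Request("88.99.219.124", "CONNECT", "google.com:443", dst_ips=("203.0.113.10",))
    return {
        "q1_posted": HttpAccess(Q1_POSTED).decide(google),  # dst is Google's address, not the /29
        "q1_fixed": HttpAccess(Q1_FIXED).decide(google),
        "q2_connect": HttpAccess(Q2_URL_REGEX).decide(Request("192.168.1.10", "CONNECT", "www.cricbuzz.com:443")),
        "q2_bumped": HttpAccess(Q2_URL_REGEX).decide(Request("192.168.1.10", "GET", "https://www.cricbuzz.com/")),
        "q3_posted_outsider": HttpAccess(Q3_POSTED).decide(Request("198.51.100.7", "GET", "http://example.com/")),
        "q3_enforced_anon": HttpAccess(Q3_ENFORCED).decide(Request("192.168.1.10", "GET", "http://example.com/")),
        "q3_enforced_auth": HttpAccess(Q3_ENFORCED).decide(
            Request("192.168.1.10", "GET", "http://example.com/", authenticated=True)),
    }
```

Calling decisions() returns deny/allow/deny/allow/allow/deny/allow for the seven keys in order. The q3_posted_outsider verdict is the one worth noticing: the posted basic-auth configuration admits any source address without credentials, because "http_access allow all" is reached before authentication is ever required; only the ordering in Q3_ENFORCED makes the auth rule decisive.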

Squid TCP_DENIED/403 with internal ERROR Page

I have a plain installation of a new Squid and Apache2. Both are with default configuration. The server (Ubuntu 18.04) is registered on the internal DNS server as srv1.foo.bar.
If someone is not allowed to access the internet, Squid displays the internal error message page, but without the Squid logo. I get the following error message in the log file:
TCP_DENIED/403 4187 GET http://srv1.foo.bar:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
The only thing that made the logo display was to comment out http_access deny all. My configuration: Squid Cache: Version 3.5.27
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3128
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl localhost src 127.0.0.1/32
acl localnet src 192.168.168.0/24
http_access allow localhost
http_access allow localnet
http_access allow localhost manager
http_access deny manager
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
Hope someone can help me. wrbrgds AxelF

ping localhosts, edit /etc/network/hosts

I want to successfully ping some hostnames. These hostnames have the same IP, 127.0.0.1.
So I edited /etc/network/hosts:
127.0.0.1 host1
127.0.0.1 host2
127.0.0.1 host3
127.0.0.1 host4
127.0.0.1 host5
127.0.0.1 host6
127.0.0.1 host7
127.0.0.1 host8
127.0.0.1 host9
My /etc/network/interfaces file was:
auto lo
iface lo inet loopback
Then I added this:
iface eth0 inet static
address 127.0.0.1
network 127.0.0.0
netmask 255.255.255.0
broadcast 127.0.0.255
But when I try to do:
ping host1
it doesn't work, even with the other hostnames in /etc/network/hosts.
In recent kernels the hostname-IP pairs are stored in /etc/hosts, not in /etc/network/hosts; the edit in /etc/network/interfaces is useless. I just tried everything.

IP destination header in DNS request/reply

When a DNS request/reply is sent to/by a DNS server on another subnet, what IP destination address will be used in the IP header?
DNS is a normal UDP protocol: the real IP addresses of the client host and the DNS server are sent (they only change if there is a NAT service in between).
Example:
Host: 1.1.1.1
NAT-Router-Service: private 1.1.1.2 / public 2.2.2.2
DNS-Server: 3.3.3.3
1. Host: request-packet from 1.1.1.1 to 3.3.3.3
2. NAT-Service: request-packet from 2.2.2.2 to 3.3.3.3
3. DNS-Server: reply-packet from 3.3.3.3 to 2.2.2.2
4. NAT-Service: reply-packet from 3.3.3.3 to 1.1.1.1
Regards Thomas
