Squid3 Help

jarjar Patron Provider, Top Host, Veteran
edited January 2013 in Help

Sorry for coming to you guys with something that has a wealth of Google results, but the problem is that a bunch of what I find on Google for Squid is either outdated or just plain wrong. Their documentation doesn't seem to fit the way my mind works either.

I'm trying to set up a web proxy for the school that I work at. My goal is to be as transparent as possible so as to not inconvenience anyone. I have a SonicWall that supports passing web traffic to a proxy with just IP/port. I know some of you have experience with Squid and you guys speak my language. I have three questions.

  1. Google fails to load only when passed through firewall to proxy, not when configured via firefox to proxy. Error is "Invalid URL." I suspect something along the lines of http redirected to https. The error says possible problems are as follows:

    Missing or incorrect access protocol (should be http:// or similar)
    Missing hostname
    Illegal double-escape in the URL-Path
    Illegal character in hostname; underscores are not allowed.

  2. Do you know how to disable cache or, if possible, create a list of websites to cache? I'd like to avoid potential caching issues while still saving a little bit of bandwidth, or just not cache altogether. The real goal here is detailed usage logs.

  3. Any suggestions or tips for optimization? I just want logs. Saving bandwidth through selective caching would be a bonus, but I would sacrifice https logs for a reliable pass through of secure websites.

Comments

  • Well I hope this helps

    1. Sounds like it's not in transparent proxy mode, try adding vhost to the http_port option in the config.

    2. To just have direct connections, use "always_direct allow all".
      Here's the help page with more info:
      http://www.squid-cache.org/Doc/config/always_direct/

    3. I still haven't figured out how to deal with SSL with a transparent proxy.

  • jarjar Patron Provider, Top Host, Veteran

    Hmm vhost ended with a 404 all around. Thanks for the advice, squid is a little overwhelming as the last proxy server I ran was AnalogX after Leo Laporte recommended it on ZDTV...

  • Has it fixed yet? If not, have you checked this part?

    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    #
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    #http_access allow localnet
    http_access allow localhost
    
    # And finally deny all other access to this proxy
    http_access allow all

    Or, I can just paste the whole squid3 config I use in my private proxy :)

  • First one sounds like it might have something to do with Squid getting confused by the protocol-lacking absolute URL format Google's pretty fond of using.

  • jarjar Patron Provider, Top Host, Veteran

    @ErawanArifNugroho said: Has it fixed yet?

    Not yet :(
    I pretty much set all that to allow. It's completely internal so I really don't care what passes through it, rather block unwanted ports from the firewall. Even most secure sites seemed to work fine. Saw the green bar on Catalyst, got the SSL on Facebook. Just that darn Google.

    @ErawanArifNugroho said: Or, I can just paste the whole squid3 config I use in my private proxy :)

    Would be awesome if you don't mind sharing. Having never configured this before, I could be missing the most obvious and vital of settings.

    @MrDOS said: Google's pretty fond of using.

    Darn Google always messing with stuff :P

  • emreemre Member, LIR
    edited January 2013

    Maybe this helps:

    Anonymous Proxy Using SQUID 3 On Ubuntu Server – with web based auth!!

    1- setup ubuntu server
    2- apt-get install squid3
    3- backup original config
    mv /etc/squid3/squid.conf /etc/squid3/squid.conf.backup
    4- nano /etc/squid3/squid.conf
    and paste below text:
    !! Do not forget to change ip 99.99.99.99 with your own ip!!


    # Recommended minimum configuration:

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost

    icp_access deny all
    htcp_access deny all
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid3/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern (cgi-bin|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

    acl ncsaauth proxy_auth REQUIRED
    http_access allow ncsaauth
    # deny all must come last: http_access stops at the first matching rule,
    # so placing it above "allow ncsaauth" would reject authenticated users too
    http_access deny all

    forwarded_for off

    acl ip1 myip 99.99.99.99
    tcp_outgoing_address 99.99.99.99 ip1

    request_header_access Allow allow all
    request_header_access Authorization allow all
    request_header_access WWW-Authenticate allow all
    request_header_access Proxy-Authorization allow all
    request_header_access Proxy-Authenticate allow all
    request_header_access Cache-Control allow all
    request_header_access Content-Encoding allow all
    request_header_access Content-Length allow all
    request_header_access Content-Type allow all
    request_header_access Date allow all
    request_header_access Expires allow all
    request_header_access Host allow all
    request_header_access If-Modified-Since allow all
    request_header_access Last-Modified allow all
    request_header_access Location allow all
    request_header_access Pragma allow all
    request_header_access Accept allow all
    request_header_access Accept-Charset allow all
    request_header_access Accept-Encoding allow all
    request_header_access Accept-Language allow all
    request_header_access Content-Language allow all
    request_header_access Mime-Version allow all
    request_header_access Retry-After allow all
    request_header_access Title allow all
    request_header_access Connection allow all
    request_header_access Proxy-Connection allow all
    request_header_access User-Agent allow all
    request_header_access Cookie allow all
    request_header_access All deny all


    ctrl+x to save

    5- touch /etc/squid3/squid_passwd
    6- htpasswd /etc/squid3/squid_passwd yourproxyusername
    7- service squid3 restart

    All done!

    Proxy port will be 3128
    Please do change the ip 99.99.99.99 with your own ip in config
    After you activate it in any browser it will ask for u/p
    enter what you give at step6...
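
Squid checks `http_access` lines top to bottom and acts on the first one that matches, so the position of the catch-all rule in the configs posted above decides who gets through. The following is an added example, not code from any poster in this thread: a small Python audit that flags an `allow all` catch-all and any rule placed after a catch-all. The function names and the sample rule sets are constructed for illustration, and the built-in `all` ACL of Squid 3 is assumed.

```python
# Added example: first-match audit of Squid http_access rules.
# Assumes the built-in "all" ACL of Squid 3; rule sets below are constructed samples.
OPEN_RULES = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
"""
SHADOWED_RULES = """
http_access allow localhost
http_access deny all
http_access allow ncsaauth
"""
FIXED_RULES = """
http_access allow localhost
http_access allow ncsaauth
http_access deny all
"""

def parse_http_access(conf):
    """Return [(action, [acl, ...]), ...] in file order, skipping comments."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def audit(conf):
    """Report open-proxy and unreachable rules under first-match evaluation."""
    findings = []
    catch_all = None  # 1-based position of the first rule whose only ACL is "all"
    for pos, (action, acls) in enumerate(parse_http_access(conf), start=1):
        rule = f"http_access {action} {' '.join(acls)}"
        if catch_all is not None:
            findings.append(f"unreachable: '{rule}' follows catch-all rule {catch_all}")
        elif acls == ["all"]:
            catch_all = pos
            if action == "allow":
                findings.append(f"open proxy: '{rule}' admits any client")
    if catch_all is None:
        findings.append("no catch-all: end the list with 'http_access deny all'")
    return findings

if __name__ == "__main__":
    for name in ("OPEN_RULES", "SHADOWED_RULES", "FIXED_RULES"):
        print(name, audit(globals()[name]) or "ok")
```

To check a live file, pass its contents to `audit()`; rules pulled in through `include` directives are not followed by this sketch.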
