Re: [squid-users] How to set up squid?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 30 May 2009 15:32:50 +1200

Yan Seiner wrote:
> Amos Jeffries wrote:
>> Yan Seiner wrote:
>>> I have a question about setting up squid in my environment.
>>>
>>> My network is fairly generic:
>>>
>>> a firewall running openwrt, 4 mb flash and 8 mb ram, providing NAT
>>> a server providing DNS and DHCP services; this machine is also used
>>> for terminal services so users are logged in to this machine directly
>>> assorted clients
>>>
>>> I've had squid set up on a 'opt-in' basis. Now I have a request to
>>> make it transparent for all users with the intent of disabling web
>>> access during specified hours.
>>>
>>> The problem I have is that my firewall is not able to run squid, and
>>> all the examples assume that the squid box is either the firewall or
>>> provides NAT.
>>>
>>> Is it possible, without a huge amount of complications, to run squid
>>> on this sort of setup?
>>>
>>> If so, does anyone have a recipe for doing so?
>>>
>>
>> Squid box had best be the one doing NAT because all source info is
>> lost during NAT interception and Squid needs to look it up. Note I
>> wrote "NAT interception", that's a more correct name for "transparent".
>>
>> Squid does not have to be on the firewall or router to do NAT though:
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>> the tutorial ironically was written for people using OpenWRT :)
>>
>> Amos
> Hi Amos:
>
> Obviously I got something just half right:
>
>
> The requested URL could not be retrieved
>
> ------------------------------------------------------------------------
>
> While trying to retrieve the URL:
> http://arstechnica.com/tech-policy/news/2009/05/landmark-study-drm-truly-does-make-pirates-out-of-us-all.ars
>
>
> The following error was encountered:
>
> Unable to determine IP address from host name for /arstechnica.com/
> The dnsserver returned:
>
> Server Failure: The name server was unable to process this query.
> This means that:
>

Is it actually using the '/' there?
It looks a lot like the 'transparent' option to http_port is missing still.

>
> I've configured this as best as I can following
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> on the firewall/router
> and
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect on
> the squid box.
>
> As soon as I enable the iptablesPolicyRoute on the fw my DNS fails....
>
> I can't figure out why.... Those rules should only affect tcp packets to
> port 80.
>
> Does anyone have this setup working? Could they please send me some
> instructions for morons?

That was them ;).

Does the Squid box have normal DNS if it's used as a regular proxy
without the PolicyRouting?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
Received on Sat May 30 2009 - 03:32:58 MDT
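
Added example (not part of the original message or the Squid wiki): a shell check for the two configuration facts in question in this thread, whether every http_port line carries the interception flag and whether the firewall's MARK rules really match only TCP port 80. The squid.conf and iptables-save fragments are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# List http_port values in a squid.conf (stdin) that lack an interception flag.
# 'transparent' is the Squid 2.7/3.0 spelling used in this thread; Squid 3.1
# and later spell it 'intercept'.
ports_missing_intercept() {
    awk '$1 == "http_port" {
        ok = 0
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^#/) break            # rest of the line is a comment
            if ($i == "transparent" || $i == "intercept") ok = 1
        }
        if (!ok) print $2
    }'
}

# List MARK rules (iptables-save format on stdin) that are not limited to TCP
# destination port 80. A rule this broad also marks, and so policy-routes,
# other traffic such as DNS queries.
mark_rules_too_broad() {
    awk '/^-A / && / -j MARK / {
        line = " " $0 " "
        if (line !~ / -p tcp / || line !~ / --dport 80 /) print
    }'
}

echo "http_port lines without interception flag:"
ports_missing_intercept <<'EOF'
# constructed squid.conf fragment
http_port 3128
http_port 3129 transparent
EOF

echo "MARK rules wider than tcp/80:"
mark_rules_too_broad <<'EOF'
*mangle
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x3/0xffffffff
-A PREROUTING -i br-lan -j MARK --set-xmark 0x3/0xffffffff
COMMIT
EOF
```

On a live system the same functions can be fed the real squid.conf on the Squid box and the output of `iptables-save -t mangle` on the router.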
