FW: [squid-users] Securing squid3

From: Fuhrmann, Marcel <Marcel.Fuhrmann_at_lux.ag>
Date: Thu, 14 Feb 2013 15:40:09 +0000

When you use havp and squid on the same server, you don't need iptables.

With

cache_peer localhost parent 8899 0 no-query no-digest

squid uses a parent proxy (havp): http://www.server-side.de/ideas.htm

Take a look here:
http://www.christianschenk.org/blog/using-a-parent-proxy-with-squid/

-----Original Message-----
From: Andreas Westvik [mailto:andreas_at_spbk.no]
Sent: Thursday, 14 February 2013 16:29
To: Fuhrmann, Marcel
Subject: Re: [squid-users] Securing squid3

Thanks for the answers!

Went from:
tcp 0 0 *:3128 *:* LISTEN
to this:
tcp 0 0 192.168.0.1:3128 *:* LISTEN

Very good.
Now about the havp stuff you mention, I really did not understand.

> cache_peer localhost parent 8899 0 no-query no-digest

How will this redirect traffic to 192.168.0.24? I'm using this command to gather traffic and send it to 192.168.0.1:3128:

iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-port 3128

I have even tried without this command, and it's not working.

-Andreas

On Feb 14, 2013, at 16:00, "Fuhrmann, Marcel" <Marcel.Fuhrmann_at_lux.ag> wrote:

> Hi Andreas,
>
> take a look:
>
> 1.
> # src ACL with a /24 mask: a /32 would match only the single address 192.168.0.0
> acl LAN src 192.168.0.0/24
> ..
> ..
> http_access allow LAN
> # "all" is the predefined catch-all ACL in squid 3.1 and later
> http_access deny all
>
>
>
> 2. http_port SQUID-IP:3128
>
>
> 3. Example:
>
> squid.conf:
> cache_peer localhost parent 8899 0 no-query no-digest
>
> havp.conf:
> #Port
> PORT 8899
>
>
> --
> Marcel
>
>
> -----Original Message-----
> From: Andreas Westvik [mailto:andreas_at_spbk.no]
> Sent: Thursday, 14 February 2013 15:43
> To: squid-users
> Subject: [squid-users] Securing squid3
>
> Hi everybody
>
> I have been running squid3 on my Debian squeeze on/off for a few weeks now.
> And there are a few things I'm not sure of:
>
> 1. How can I be sure that I'm running it securely? I really only want squid3 to serve my local clients (192.168.0.0/32).
> 2. Can I bind squid3 to only listen on one device/IP?
> 3. Just for fun, I have set up havp on a different server. Is it possible to send my http traffic to that server first? (havp runs on 192.168.0.24) Then back to squid3?
>
> As of now, I need to configure my clients to connect to that havp server, then havp will send traffic back to squid. But I would like this to happen with some automatic iptables commands.
> I have tried several iptables setups, but nothing will make this work.
> I cannot for the life of me intercept the port 80 traffic, then redirect it to 192.168.0.24:3127
>
>
>
> Like this: Client -> Gw 192.168.0.1 -> havp 192.168.0.24:3127 -> squid3 192.168.0.1:3128 -> internets
>
> This is my setup:
>
> http_port 3128 transparent
> # /24 covers the LAN; /32 would match only the single host 192.168.0.0
> acl LAN src 192.168.0.0/24
> acl localnet src 127.0.0.1/255.255.255.255
>
> #Block
> # http_access is first-match: the ad deny must come before the LAN allow,
> # otherwise LAN clients match "allow LAN" first and the block never applies
> acl ads dstdom_regex -i "/etc/squid3/squid.adservers"
> http_access deny ads
> http_access allow LAN
> http_access allow localnet
>
> cache_dir ufs /var/spool/squid3 5000 16 256
>
> eth3: 192.168.0.1 (non-DHCP environment)
> eth4: wan official ip (non-DHCP)
>
> -Andreas
Received on Thu Feb 14 2013 - 15:40:13 MST
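The setup discussed in this thread (squid bound to the gateway's LAN address only, a LAN ACL with a proper /24 mask, the ad block evaluated before the LAN allow, HAVP as a parent proxy, and an iptables REDIRECT for interception), written out as one script. This is an added example and not the configuration of either poster or of the squid project; it assumes the addresses from the thread (gateway 192.168.0.1 on eth3, HAVP at 192.168.0.24:3127) and the squid 3.1 `transparent` keyword that Debian squeeze ships (3.2 and later call it `intercept`). The script only writes the files to a scratch directory for review; the iptables rules are emitted as a second script rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread): render a hardened squid.conf plus the
# matching iptables rules for the gateway described in the thread.
# Assumed values: LAN 192.168.0.0/24 on eth3, squid on 192.168.0.1:3128,
# HAVP on 192.168.0.24:3127. Override via environment variables.
set -eu

OUT="${OUT:-$(mktemp -d)}"             # scratch dir; copy to /etc/squid3 after review
SQUID_IP="${SQUID_IP:-192.168.0.1}"     # gateway LAN address (eth3)
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # /24, not /32: a /32 matches only 192.168.0.0
LAN_IF="${LAN_IF:-eth3}"
HAVP_HOST="${HAVP_HOST:-192.168.0.24}"
HAVP_PORT="${HAVP_PORT:-3127}"

# Write squid.conf; prints the path so callers can inspect it.
write_squid_conf() {
    mkdir -p "$OUT"
    cat > "$OUT/squid.conf" <<EOF
# Listen on the LAN address only (not 0.0.0.0); "transparent" is squid 3.1's
# interception mode, needed because the iptables REDIRECT rewrites the port.
http_port ${SQUID_IP}:3128 transparent

acl LAN src ${LAN_NET}
acl localnet src 127.0.0.1/32
acl ads dstdom_regex -i "/etc/squid3/squid.adservers"

# http_access is first-match: deny the ad list before allowing the LAN,
# then deny everything else ("all" is predefined in squid 3.1+).
http_access deny ads
http_access allow LAN
http_access allow localnet
http_access deny all

# Forward every request to HAVP as a parent proxy so it is virus-scanned.
# never_direct makes squid fail closed if HAVP is down instead of bypassing it.
cache_peer ${HAVP_HOST} parent ${HAVP_PORT} 0 no-query no-digest
never_direct allow all

cache_dir ufs /var/spool/squid3 5000 16 256
EOF
    echo "$OUT/squid.conf"
}

# Write the iptables rules as a script (not applied here); prints the path.
write_iptables_rules() {
    mkdir -p "$OUT"
    cat > "$OUT/iptables.sh" <<EOF
#!/bin/sh
# Intercept LAN port-80 traffic arriving on ${LAN_IF} and hand it to squid.
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-port 3128
# Defence in depth: squid already binds to ${SQUID_IP}, but also refuse 3128
# from any interface other than the LAN (e.g. the WAN side on eth4).
iptables -A INPUT -i ${LAN_IF} -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j DROP
EOF
    echo "$OUT/iptables.sh"
}

# Sanity-check a generated squid.conf: returns 0 when it binds to the LAN
# address, does not use a /32 for the LAN ACL, ends with a deny, and forces
# all traffic through the parent.
check_squid_conf() {
    f="$1"
    grep -q "^http_port ${SQUID_IP}:3128" "$f" || return 1
    grep -q '^acl LAN src [0-9.]*/32' "$f" && return 1
    grep -q '^http_access deny all$' "$f" || return 1
    grep -q '^never_direct allow all$' "$f" || return 1
    return 0
}

main() {
    conf=$(write_squid_conf)
    rules=$(write_iptables_rules)
    check_squid_conf "$conf" && echo "generated $conf and $rules"
}

main
```

Two design points follow from the thread. First, with squid forwarding to HAVP, HAVP's own config must not name squid as its parent, or the two proxies loop; in this chain HAVP fetches from the internet itself. Second, after restarting squid, `netstat -ltnp | grep 3128` should show only `192.168.0.1:3128`, as in the thread, and a connection attempt to port 3128 from the WAN side should be dropped by the INPUT rule even if the bind address is ever widened.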