Re: [squid-users] Securing squid3

From: Andreas Westvik <andreas_at_spbk.no>
Date: Thu, 14 Feb 2013 22:18:48 +0100

So I actually got it working!

Client -> gateway -> havp -> squid -> internets

I actually had blocked myself totally from squid3, so that was quite the head scratch. It turned out that http_access deny all has to be
at the bottom of the config file. ;)
So then I pasted this into squid.conf

cache_peer 192.168.0.24 parent 3127 0 no-query no-digest
And then I reloaded and everything just worked.

Now my second server running Debian wheezy is a first gen MacBook. So that is not a beast. But it works just fine.
The log folder is mounted in RAM to use most of the speed.

I made a little screencast of the thing working
Have a look

https://vimeo.com/59687536

Thanks for the help everyone! :)

On Feb 14, 2013, at 17:24 , Andreas Westvik <andreas_at_spbk.no> wrote:

> havp supports parent setup, and as far as I have seen, it should be set up before squid.
> Now, I can always switch this around, and move the squid3 setup to 192.168.0.24 and set up
> havp on 192.168.0.1 of course.
> But 192.168.0.1 is running Debian "production" and Debian does not
> support havp on squeeze. So I'm using a Debian wheezy for havp in the meanwhile. And it's not installed via apt.
>
>
> If squid caches infected files, the local clamav should take care of that anyway? Since havp on the other server is
> using clamav as well.
>
> I really don't think the iptables rules should be that difficult to set up, since I intercept the web traffic with this:
>
> iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> So it's basically the same thing, but kinda like -j REDIRECT -to-destination 192.168.0.24:3127
>
> But it's not working! grr!
>
> -Andreas
>
> On Feb 14, 2013, at 17:12 , babajaga <augustus_meyer_at_yahoo.de> wrote:
>
>> Then it's more a question of how to set up iptables, the clients and HAVP.
>> However, why HAV first?
>> This has the danger of squid caching infected files. And HAV will scan
>> cached files over and over again.
>> Then squid will be an upstream proxy of HAV. IF HAV supports parent proxies,
>> then squid should have no problem.
>> But this then either needs a proxy.pac for the clients browsers or explicit
>> proxy config for the clients browsers.
>> This would be the easier path. When this works, then to think about using
>> ipt with explicit routing of all packets to HAV-box. And back, so you have
>> to consider NAT. I am not fit enough in ipt, so I would keep it simple:
>>
>> client-PC-----squid-----HAV------web
>>
>> And the transparent setup for squid is well documented.
>>
>> PS: The graphic is a bit small :-)
>>
>> --
>> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Securing-squid3-tp4658495p4658501.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.
>
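The lockout described above comes from squid's first-match evaluation of http_access lines: once "http_access deny all" matches, nothing below it is ever consulted, and if no line matches the default is the opposite of the last line. The following linter is an added example, not code from the thread or from the Squid project; it parses the http_access and cache_peer lines of a squid.conf, reports rules that can never be reached, and warns when the final rule is not a catch-all deny. The two configuration samples embedded in it are constructed to mirror the misordered and corrected setups from the post.

```python
"""Lint http_access ordering in a squid.conf (added example, not Squid project code)."""
from dataclasses import dataclass

# Constructed sample: the ordering that locks every client out (catch-all first).
BROKEN_CONF = """\
acl localnet src 192.168.0.0/24
http_access deny all
http_access allow localnet
cache_peer 192.168.0.24 parent 3127 0 no-query no-digest
"""

# Constructed sample: corrected ordering, catch-all deny last, HAVP as parent.
FIXED_CONF = """\
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all        # must stay last: squid stops at the first match
cache_peer 192.168.0.24 parent 3127 0 no-query no-digest
never_direct allow all
"""


@dataclass
class AccessRule:
    line_no: int
    action: str        # "allow" or "deny"
    acls: tuple        # ACL names as written, "!" prefix kept


def parse_squid_conf(text):
    """Return (http_access rules in file order, cache_peer (host, type, port) tuples)."""
    rules, peers = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "http_access" and len(parts) >= 3:
            rules.append(AccessRule(n, parts[1], tuple(parts[2:])))
        elif parts[0] == "cache_peer" and len(parts) >= 4:
            peers.append((parts[1], parts[2], int(parts[3])))
    return rules, peers


def unreachable_rules(rules):
    """Every rule after the first unconditional 'all' rule is dead code."""
    for i, rule in enumerate(rules):
        if rule.acls == ("all",):
            return rules[i + 1:]
    return []


def default_action(rules):
    """Squid's implicit result when no http_access line matches."""
    if not rules:
        return "deny"                       # no access lines at all: everything is denied
    return "deny" if rules[-1].action == "allow" else "allow"


def lint(text):
    """Return parsed rules, peers and a list of human-readable findings."""
    rules, peers = parse_squid_conf(text)
    findings = []
    if not rules:
        findings.append("no http_access rules: squid denies every request")
        return {"rules": rules, "peers": peers, "findings": findings}
    last = rules[-1]
    if not (last.action == "deny" and last.acls == ("all",)):
        findings.append(
            f"last http_access is not 'deny all'; implicit default is {default_action(rules)}")
    for rule in unreachable_rules(rules):
        findings.append(
            f"line {rule.line_no}: http_access {rule.action} {' '.join(rule.acls)} is never reached")
    return {"rules": rules, "peers": peers, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        report = lint(conf)
        print(f"{name}: peers={report['peers']}")
        for finding in report["findings"] or ["ok"]:
            print("  ", finding)
```

Run against the broken sample it reports the "allow localnet" line as unreachable and flags the missing final deny; the fixed sample passes cleanly and lists 192.168.0.24:3127 as the parent peer. The linter only checks ordering, not ACL semantics, so it complements rather than replaces a squid -k parse run.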
Received on Thu Feb 14 2013 - 21:18:58 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 15 2013 - 12:00:04 MST