Re: [squid-users] Squid 3.4.4 compil with eui no mac address in the access.log

From: Dan Charlesworth <dan_at_getbusi.com>
Date: Wed, 12 Mar 2014 09:30:04 +1100

Hi Emmanuel

I filed a bug for this issue a few months ago. Unfortunately no developers have taken notice yet. Hopefully soon, though.

http://bugs.squid-cache.org/show_bug.cgi?id=3982

Kind regards
Dan

On 12 Mar 2014, at 7:03 am, Emmanuel LAZARO - S.IM.KO. <em.lazaro_at_simko.fr> wrote:

> Hi all,
>
> I hope you can help me on that problem.
>
> I compiled Squid (3.4.4) on my Debian wheezy server with the following options:
>
> ./configure --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid3 --enable-ssl --enable-ssl-crtd --enable-eui --enable-icap-client --with-default-user=proxy
>
> What do we want to do?
>
> A transparent HTTP/HTTPS proxy for logging connections and blocking websites like Facebook (https/http).
>
> The problem is in the access.log file. Even if my clients are directly connected to the Squid server (no router), the MAC addresses are not in the log file:
>
> 11/Mar/2014:16:50:09 -0300 00:00:00:00:00:00 192.162.20.2 https://packages.debian.org/Pics/gradient.png - 1037
> 11/Mar/2014:16:50:09 -0300 00:00:00:00:00:00 192.162.20.2 https://packages.debian.org/Pics/reddot.png packages.debian.org 918
> 11/Mar/2014:16:50:09 -0300 00:00:00:00:00:00 192.162.20.2 https://packages.debian.org/favicon.ico - 5454
> 11/Mar/2014:16:50:24 -0300 00:00:00:00:00:00 192.162.20.2 https://globalsan.net/TimeServer/timestamp.php globalsan.net 529
>
> I can add that I have a netfilter script to NAT the connections from ports 80 and 443 to Squid ports 3328 and 3329.
>
> #!/bin/sh
>
> # squid proxy's IP address (which is attached to eth0)
> SQUID_SERVER=`ifconfig eth0 | sed -ne 's/.*inet addr:\([^ ]*\).*/\1/p'`
>
> # interface connected to WAN
> INTERNET="eth2"
>
> # interface connected to LAN
> LAN_IN="eth0"
>
> # squid port
> SQUID_PORT="3128"
> SQUID_PORT_HTTPS="3129"
>
>
> # clean old firewall
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> # load iptables modules for NAT masquerade and IP conntrack
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> # define necessary redirection for incoming http traffic (e.g., 80)
> iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
>
> iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j REDIRECT --to-port $SQUID_PORT_HTTPS
>
> # forward locally generated http traffic to Squid
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
>
> iptables -t nat -A OUTPUT -p tcp --dport 443 -m owner --uid-owner proxy -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_PORT_HTTPS
>
> # forward the rest of non-http traffic
> iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
> iptables --append FORWARD --in-interface $INTERNET -j ACCEPT
>
> # enable IP forwarding for proxy
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> The squid.conf is really too long to paste here, but I can answer your questions about what I have written in it.
>
> Has anyone encountered this problem yet?
Received on Tue Mar 11 2014 - 22:30:24 MDT
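
Added example (not part of either message, and not Squid project code): a small audit script that reads access.log lines in the layout quoted above and reports which client IPs never had a real hardware address logged, so the extent of the problem can be measured before and after a fix. The field layout is an assumption inferred from the quoted lines, and the sample records, including the non-zero MAC, are constructed.

```python
import re
from collections import defaultdict

NULL_EUI = "00:00:00:00:00:00"

# Assumed field layout, inferred from the quoted log lines (the logformat
# directive itself is not shown in the thread):
#   timestamp tz  client-EUI-48  client-IP  URL  server-name-or-dash  bytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+ [+-]\d{4}) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"(?P<ip>\S+) (?P<url>\S+) (?P<host>\S+) (?P<size>\d+)$"
)

# Constructed sample: two records with the all-zero EUI, one with a MAC, one damaged line.
SAMPLE = """\
11/Mar/2014:16:50:09 -0300 00:00:00:00:00:00 192.162.20.2 https://packages.debian.org/Pics/gradient.png - 1037
11/Mar/2014:16:50:09 -0300 00:00:00:00:00:00 192.162.20.2 https://packages.debian.org/favicon.ico - 5454
11/Mar/2014:16:50:24 -0300 02:00:5e:10:00:01 192.162.20.3 https://globalsan.net/TimeServer/timestamp.php globalsan.net 529
this line is truncated
"""

def audit(lines):
    """Return (per_client, unparsed): per-IP request totals, how many carried
    the all-zero EUI-48, and the set of real MACs seen for that IP."""
    per_client = defaultdict(lambda: {"total": 0, "null_mac": 0, "macs": set()})
    unparsed = 0
    for line in filter(None, map(str.strip, lines)):
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # count damaged lines instead of hiding them
            continue
        rec = per_client[m["ip"]]
        rec["total"] += 1
        if m["mac"] == NULL_EUI:
            rec["null_mac"] += 1
        else:
            rec["macs"].add(m["mac"].lower())
    return dict(per_client), unparsed

def unattributed_clients(per_client):
    """IPs for which no request could be tied to a hardware address."""
    return sorted(ip for ip, rec in per_client.items() if not rec["macs"])

if __name__ == "__main__":
    report, bad = audit(SAMPLE.splitlines())
    for ip in unattributed_clients(report):
        print(f"{ip}: {report[ip]['null_mac']}/{report[ip]['total']} requests logged with {NULL_EUI}")
    print(f"unparsed lines: {bad}")
```

An IP that shows more than one entry in `macs` is also worth a look, since the MAC column is normally logged to tie activity to a device rather than to an address that can be reassigned.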
