
Re: [suse-security] Squid Proxy Problem



Hi,

I'm running a squid proxy on a SuSE 8.1 box.
I have got some problems if I try to download files from websites like
http://website.de:8080
I get a connection error.

I have pasted port 8080 as safe in squid.conf and no other filter rules
should block the site.

Any hints ?

a) Firewall problem:

/etc/sysconfig/SuSEfirewall

# 9.)
FW_SERVICES_INT_TCP="3128"   # Squid normally runs on port 3128, change to your setup!

or

/sbin/iptables -A INPUT -j ACCEPT -i eth1 -p tcp --dport 3128

# 12.)
FW_SERVICE_SQUID="yes"

# 15.) If you want a transparent proxy ... (no setup on clients required)
FW_REDIRECT="0/0,192.168.0.0/24,tcp,80,3128" # change your network here

or

# same as FW_REDIRECT above: send the LAN's port-80 traffic to Squid on 3128
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

b) Squid problem:

There are many sites using a different port for their webserver, e.g. with
Apache Tomcat (J2EE, Java servlets, JSP) or other webservers using a non-standard
HTTP port.
For accessing these servers you have to change the ACLs for your squid, so
port 8080 and others are accessible (and some other fixes following up):

/etc/squid/squid.conf

<file-start>

# Cache-ACL's

acl QUERY urlpath_regex cgi-bin \?
acl LOCALWEB url_regex ^http://127.0.0.1
acl UNILAN src 192.168.0.0-192.168.255.255   # <- put here your ip-range!
acl APACHE dstdomain .yourdomain.tld         # <- put here your domain-name, if you have one
no_cache deny QUERY      # never cache dynamic content (cgi-bin, URLs with a query string)
no_cache deny LOCALWEB   # never cache the local webserver
no_cache deny UNILAN     # never cache responses for requests from your own LAN
always_direct allow APACHE   # fetch your own domain directly, not via a parent cache

# Access-ACL's

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
# 1025-65535 covers 8080 and the other non-standard webserver ports
acl Safe_ports port 21 80 280 448 591 777 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.0.0-192.168.255.255   # <- put here your ip-range!
acl extern_eth0 src <put_here_your_external-ip>
acl inter_eth1 src <put_here_your_internal-ip>
# Basic Nimda-Protection
acl worm urlpath_regex -i \.eml$
# http_access is evaluated top-down, first match wins.
# Both ACLs on one line must match, so only localhost reaches the cache manager
# (a bare "allow manager" would open the cache manager to everyone).
http_access allow manager localhost
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports                # 8080 is a Safe_port, 1024 is not
http_access deny CONNECT !SSL_ports         # CONNECT (SSL tunnels) only to 443/563
http_access deny worm
http_access allow localnet
http_access deny all

<file-end>

Save settings and "rcsquid restart"!

Philippe
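
Added example, not part of the message above: a small Python emulation of how Squid walks its http_access lines over the src/port/method/proto ACLs from the posted squid.conf (the url_regex/urlpath_regex ACLs are left out). It shows why http://website.de:8080 passes the Safe_ports check once 1025-65535 is in the list, why a CONNECT to port 8080 is still refused, and what a bare "http_access allow manager" does compared with "allow manager localhost". The ACL text is taken from the post; the client addresses and ports in the requests are constructed sample input.

```python
"""Emulate Squid's http_access evaluation for the ACLs used in the post.

Added example, not from the original mailing-list message.  Models the
src, port, method and proto ACL types and the first-match-wins order of
http_access lines; url_regex/urlpath_regex ACLs are not modelled.  The
request addresses and ports below are made-up sample input.
"""
import ipaddress

ACL_DEFS = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 21 80 280 448 591 777 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.0.0-192.168.255.255
"""

# Access lines as posted: "allow manager" with no source restriction.
POSTED_CONFIG = ACL_DEFS + """
http_access allow manager
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Same rules with the manager line restricted to localhost (ACLs on one
# http_access line are ANDed, so both "manager" and "localhost" must match).
FIXED_CONFIG = POSTED_CONFIG.replace("http_access allow manager\n",
                                     "http_access allow manager localhost\n")


def parse_config(text):
    """Return ({acl_name: (type, [values])}, [(action, [terms])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # Squid truncates a line at '#'
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            kind, values = acls.setdefault(parts[1], (parts[2], []))
            if kind != parts[2]:
                raise ValueError(f"acl {parts[1]} redefined with type {parts[2]}")
            values.extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _src_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    mask = None
    if "/" in spec:
        spec, mask = spec.split("/", 1)
    if "-" in spec:                     # "a.b.c.d-e.f.g.h" address range
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-", 1))
        return lo <= addr <= hi
    net = ipaddress.ip_network(f"{spec}/{mask}" if mask else spec, strict=False)
    return addr in net


def _port_matches(spec, port):
    if "-" in spec:                     # "1025-65535" port range
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        return any(_src_matches(v, req["src"]) for v in values)
    if kind == "port":
        return any(_port_matches(v, req["port"]) for v in values)
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "proto":
        return req["proto"].lower() in {v.lower() for v in values}
    raise NotImplementedError(f"acl type {kind!r} is not modelled here")


def http_access(config_text, req):
    """Return 'allow' or 'deny' for req, like Squid's http_access check."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        # A line matches when every term matches ("!" negates one term).
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(src, port, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}


if __name__ == "__main__":
    cases = [
        ("LAN GET website.de:8080", request("192.168.0.10", 8080)),
        ("LAN CONNECT to port 8080", request("192.168.0.10", 8080, "CONNECT")),
        ("outside host, port 80", request("10.0.0.5", 80)),
        ("outside host, cache manager", request("203.0.113.7", 3128, proto="cache_object")),
    ]
    for label, req in cases:
        print(f"{label}: posted={http_access(POSTED_CONFIG, req)} "
              f"fixed={http_access(FIXED_CONFIG, req)}")
```

Two things the run makes visible: the manager line is the only difference between the two configs, and with the posted version a client anywhere on the Internet gets "allow" for cache_object requests, while the fixed version answers "deny" for everything but 127.0.0.1. Also note that the transparent-proxy redirect in part a) only intercepts port 80, so a client without an explicit proxy setting that opens http://website.de:8080 never reaches Squid at all; in that case the firewall, not squid.conf, decides whether the connection gets out.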

