Re: [suse-security] Squid Proxy Problem


I'm running a squid proxy on a SuSE 8.1 box.
I have got some problems if I try to download files from websites like
I got a connection error.

I have pasted port 8080 as safe in squid.conf and no other filter rules
should block the site.

Any hints ?

a) Firewall problem:


# 9.)
FW_SERVICES_INT_TCP="3128" # Squid normally runs on port 3128, change to your setup!


/sbin/iptables -A INPUT -j ACCEPT -i eth1 -p tcp --dport 3128

# 12.)

# 15.) If you like transparent proxy ... (no setup on clients required)
FW_REDIRECT="0/0,,tcp,80,3128" # change your network here


# --to-port must be the port Squid listens on (3128 above), not 8080
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

b) Squid problem:

There are many sites using a different port for their webserver, e.g. with
Apache Tomcat (J2EE, Java servlets, JSP) or other webservers using a non-standard
HTTP port.
For accessing these servers you have to change the ACLs for your squid, so
that port 8080 and others are accessible (and some other fixes follow below):



# Cache-ACL's

acl QUERY urlpath_regex cgi-bin \?
acl LOCALWEB url_regex ^
acl UNILAN src # <- put here your ip-range!
acl APACHE dstdomain .yourdomain.tld # <- put here your domain-name, if you have one
no_cache deny QUERY
no_cache deny LOCALWEB
no_cache deny UNILAN
always_direct allow APACHE

# Access-ACL's

acl all src 0.0.0.0/0.0.0.0                  # Squid 2.x default
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255  # Squid 2.x default
acl CONNECT method CONNECT                   # Squid 2.x default, referenced below
acl SSL_ports port 443 563
# 488 (gss-http) is the Squid default entry; 8080 and other high ports are covered by 1025-65535
acl Safe_ports port 21 80 280 488 591 777 443 563 70 210 1025-65535
acl localnet src # <- put here your ip-range!
acl extern_eth0 src <put_here_your_external-ip>
acl inter_eth1 src <put_here_your_internal-ip>
# Basic Nimda-Protection
acl worm urlpath_regex -i \.eml$
# cache manager only from localhost: a bare "allow manager" line would match first and
# let any client reach cache_object, so the "deny manager" below would never be reached
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny worm
http_access allow localnet
http_access deny all


Save settings and "rcsquid restart"!
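
As an added example (not from this thread and not Squid's own code), here is a small Python evaluator for `acl` / `http_access` lines of the kind in the reply above. It implements only the ACL types that config uses (src, port, proto, method, urlpath_regex) and Squid's first-match evaluation, so you can check offline what a given client request would get before "rcsquid restart". The localnet range 192.168.1.0/24 and the client addresses are constructed sample values. It also compares a standalone `http_access allow manager` line against Squid's default `http_access allow manager localhost`, and shows that port 8080 is already allowed through the 1025-65535 entry in Safe_ports.

```python
"""Toy evaluator for Squid 2.x style ``acl`` / ``http_access`` lines.

Added example for this thread, not Squid's own code.  Only the ACL types the
posted squid.conf uses are supported.  All addresses below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    """The parts of a proxied request that the posted ACLs look at."""
    src: str      # client IP address
    port: int     # destination port of the requested URL
    method: str   # GET, CONNECT, ...
    proto: str    # http, https, cache_object, ...
    path: str     # URL path


def parse_conf(text):
    """Return ({acl name: [(type, args)]}, [(action, [terms])]) from squid.conf text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4:
            # Repeated "acl NAME type ..." lines add values to the same ACL.
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:]))
    return acls, rules


def _port_in(spec, port):
    """Match a '80' or '1025-65535' style port spec."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acls, name, req):
    """True if any value of ACL ``name`` matches (Squid ORs the values of one ACL)."""
    if name not in acls:
        raise ValueError(f"http_access references undefined acl {name!r}")
    for typ, args in acls[name]:
        if typ == "src":
            ip = ipaddress.ip_address(req.src)
            hit = any(ip in ipaddress.ip_network(a, strict=False) for a in args)
        elif typ == "port":
            hit = any(_port_in(a, req.port) for a in args)
        elif typ == "proto":
            hit = req.proto in args
        elif typ == "method":
            hit = req.method in args
        elif typ == "urlpath_regex":
            flags = re.IGNORECASE if args[:1] == ["-i"] else 0
            pats = args[1:] if flags else args
            hit = any(re.search(p, req.path, flags) for p in pats)
        else:
            raise ValueError(f"unsupported acl type: {typ}")
        if hit:
            return True
    return False


def decide(acls, rules, req):
    """First matching http_access line wins; terms are ANDed and '!' negates.

    If no line matches, Squid applies the opposite of the last line's action.
    """
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


def evaluate(conf_text, req):
    acls, rules = parse_conf(conf_text)
    return decide(acls, rules, req)


# Constructed sample with a standalone "allow manager" line before "deny manager".
POSTED_CONF = r"""
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl CONNECT method CONNECT
acl SSL_ports port 443 563
acl Safe_ports port 21 80 280 488 591 777 443 563 70 210 1025-65535
acl localnet src 192.168.1.0/255.255.255.0
acl worm urlpath_regex -i \.eml$
http_access allow manager
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny worm
http_access allow localnet
http_access deny all
"""

# Same ruleset with the manager lines combined as in Squid's default config.
FIXED_CONF = POSTED_CONF.replace(
    "http_access allow manager\nhttp_access allow localhost\n",
    "http_access allow manager localhost\n",
)

if __name__ == "__main__":
    outsider = Request("203.0.113.5", 3128, "GET", "cache_object", "/")
    print("outsider -> cache_object, standalone allow manager:", evaluate(POSTED_CONF, outsider))
    print("outsider -> cache_object, allow manager localhost: ", evaluate(FIXED_CONF, outsider))
    print("localnet -> port 8080:", evaluate(FIXED_CONF, Request("192.168.1.10", 8080, "GET", "http", "/app/")))
```

The evaluator is deliberately strict: a rule that names an ACL the file never defines (CONNECT is the usual one, since it lives in Squid's default config rather than in hand-written fragments) raises instead of silently never matching, which is what makes the ordering mistake visible.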


