I've been bumbling about with this for a few days (first serious attempt at setting this sort of thing up, so I might be slightly overawed).
I have managed to set up a Squid proxy which works fine if the browser is pointed at it directly, but for the small LAN I need to provide internet for, I don't want the users having to enter proxy information.
I had originally tried using a Smoothwall Express installation for this but had issues with HTTPS sites/traffic not being allowed (if the proxy was added to the browser the problem disappeared, even with HTTPS being allowed to pass through the Smoothwall firewall).
So I was thinking that a pure Squid install would give me more flexibility, but it's not working transparently. I have it running Squid 3.1 on CentOS 6.5, so I'm guessing something is wrong with my firewall setup on the CentOS install.
Below is my squid.conf and iptables (the iptables was generated from a script I found in a Squid proxy guide).
squid.conf
Code:
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 intercept

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 5000 16 256
cache_mem 512 MB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname doorstop

#firewall options
cache_peer 172.x.x.x parent 3128 0 no-query default
never_direct allow all

iptables
Code:
# Generated by iptables-save v1.4.7 on Wed May 7 10:12:02 2014
*mangle
:PREROUTING ACCEPT [265:23495]
:INPUT ACCEPT [229:21595]
:FORWARD ACCEPT [1:66]
:OUTPUT ACCEPT [51:4904]
:POSTROUTING ACCEPT [52:4970]
COMMIT
# Completed on Wed May 7 10:12:02 2014
# Generated by iptables-save v1.4.7 on Wed May 7 10:12:02 2014
*nat
:PREROUTING ACCEPT [191:17945]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed May 7 10:12:02 2014
# Generated by iptables-save v1.4.7 on Wed May 7 10:12:02 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
# Completed on Wed May 7 10:12:02 2014

We are sat behind an LEA-controlled firewall, so the next question would be: do I need to have ports opened for HTTPS traffic to be passed to the upstream proxy?
Help and suggestions gratefully received, as there is a lot of conflicting info on the internet.
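As an added audit check (not part of this thread or of Squid), the script below parses the nat table from the iptables-save output posted above, embedded here as a constructed sample, and reports per port whether LAN traffic is redirected to Squid or masqueraded straight out of the WAN interface. With these rules only tcp/80 reaches Squid; tcp/443 is masqueraded directly, so HTTPS never passes through the cache_peer and the upstream filter never sees it. A plain `http_port ... intercept` listener cannot terminate redirected TLS, so the check only shows where each port goes; it does not claim a 443 redirect would fix it.

```python
import re

# Constructed sample: the three nat-table rules from the iptables-save dump
# posted above (eth1 = LAN side, eth0 = WAN side, Squid listening on 3128).
NAT_RULES = """\
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Matches the subset of iptables-save rule syntax that appears in the dump.
RULE_RE = re.compile(
    r"-A (?P<chain>\S+)(?: -i (?P<in>\S+))?(?: -o (?P<out>\S+))?"
    r"(?: -p (?P<proto>\S+))?(?: -m \S+)*(?: --dport (?P<dport>\d+))?"
    r" -j (?P<target>\S+)(?: --to-(?:destination|ports) (?P<to>\S+))?$"
)

def parse_nat(text):
    """Return one dict per recognised -A rule; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules

def audit(text, lan_if, proxy_port, ports=(80, 443)):
    """For each port, say whether LAN traffic is 'proxied' (REDIRECT/DNAT to
    the Squid port), 'masqueraded' (NATed straight out, bypassing Squid and
    any cache_peer it forwards to), or 'not-forwarded'."""
    rules = parse_nat(text)
    proxied = set()
    for r in rules:
        if r["chain"] != "PREROUTING" or r["in"] != lan_if or r["dport"] is None:
            continue
        if r["target"] in ("REDIRECT", "DNAT") and r["to"] and \
                r["to"].rsplit(":", 1)[-1] == str(proxy_port):
            proxied.add(int(r["dport"]))
    masq = any(r["chain"] == "POSTROUTING" and r["target"] == "MASQUERADE"
               for r in rules)
    return {p: "proxied" if p in proxied else "masqueraded" if masq
            else "not-forwarded" for p in ports}

if __name__ == "__main__":
    for port, verdict in audit(NAT_RULES, "eth1", 3128).items():
        print(f"tcp/{port} from eth1: {verdict}")
```

Run it against a live box with `iptables-save -t nat` piped in to see which client ports actually reach the proxy.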
Don't know if this will be of any use to you, but we have a configuration document here http://www.exa.net.uk/supportdocumen...quidadicap.pdf for how to configure it for use with our filtering service, but many of the principles are the same regardless, and we have an open-source project called ExaProxy, which you can get to the site here https://code.google.com/p/exaproxy/ as well as links to various community and proxy group information. Hope it helps.