nixCraft

Hi All.
I'm a researcher at a telecom institute on our university campus, being served internet through our university proxy.
What I need to do is to set up our own internal proxy to forward all our port 80 connections to port 3128, making it a transparent proxy.
I've been on tldp and on other posts from nixcraft and they all talk about direct connections, not proxy to proxy connections.

this is my current squid.conf output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
acl lan src 192.168.7.0/255.255.255.0
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname hng.av.it.pt
coredump_dir /var/spool/squid
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan


Thanks, just dont know what to do anymore
Rick

It seems that you want to use nearby proxy (ISP proxy) to save bandwidth or to improve speed. If so.. then you need to setup cache peer for hierarchy configuration.
For example consider following option (squid.conf):

Where,
cache.isp.cache.com ISP cache
parent (see url for more info http://squid.visolve.com/squid/squid24s1/neighbour.htm)
3128 Proxy port
3130 ICMP port
proxy-only (options can be found at above url or in squid.conf)

But your ISP must provide the access to ICMP port 3130 (or whatever used on that squid proxy).

If you have more questions reply back.

Hi there,

My original article topic was only single proxy server. Nevertheless, setting up peering is not a big issue.

Assuming that:
a) Your Linux Squid proxy1 hostname is proxy1.av.it.pt
b) Your Linux Squid proxy2 hostname is proxy2.av.it.pt

Open squid.conf on proxy1.av.it.pt and type (append) following:
Save the file and Open squid.conf on proxy2.av.it.pt and type (append) following:
Adjust port 3128 (if you changed) for your setup.

Restart both proxy and the servers should start to checking each other's caches before connecting to Internet/ISP network. Please note that if you want to access ISP squid proxy, then you need to ask them for ports and settings (may be username and password too).

__________________
Rocky Jr.
You may have my body & soul, but you will never touch my pride!

If you have knowledge, let others light their candles at it.

Certified to work on HP-UX / Sun Solaris / RedHat

hi, thanks for the reply,
my major problem here is that nothing will show in access.log.
no access at all,i could only get some entries on store.log and cache.log
dont know what the problem is

If you are not getting anything in log file it means either squid is not running at all or if you are using a Transparent Linux Squid, then your iptables rules not correct one.

Find out if squid is running or not
Look for port 3128 in open state.

Paste your iptables rules here so that we can verify your rules

root@stan:/var/log/squid# netstat -vat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:smux *:* LISTEN
tcp 0 0 localhost.localdo:zebra *:* LISTEN
tcp 0 0 localhost.localdom:ripd *:* LISTEN
tcp 0 0 *:3128 *:* LISTEN
tcp6 0 0 ip6-localhost:ripngd *:* LISTEN
tcp6 0 0 *:ssh *:* LISTEN
tcp6 0 0 stan-eth1-8f:ssh piper-eth0-70:4512 ESTABLISHED
root@stan:/var/log/squid#


and my iptables:
root@stan:/var/log/squid# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- itav113.av.it.pt anywhere tcp dpt:www to:10.10.1.1:3128
(this line is so i dont disturb other users on the network while proxy testing, only affects my laptop)
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/8 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Are you sure firewall is not blocking your access?

Type the following command at squid-proxy server shell prompt to verify the problem:
tail –f /var/log/message

Goto laptop and try to connect, see what error you get also can you telnet from laptop to port 3128 or 80 (if redirecting)
OR

well sorry for the last message, one of the problems was pure stupidity by my part, i was bound to a public ip and not a network ip so thats why it wouldnt connect, so this is the latest i get:

root@piper:~# telnet 10.10.1.1 3128
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
^X
Connection closed by foreign host.
root@piper:~#

root@piper:~# telnet 10.10.1.1 80
Trying 10.10.1.1...
telnet: Unable to connect to remote host: Connection refused
root@piper:~#

and the message log:
daidalos@stan:~$ tail /var/log/messages
Jun 16 15:45:32 localhost -- MARK --
Jun 16 16:03:27 localhost kernel: [345347.793942] ip_conntrack: table full, drop ping packet.
Jun 16 16:03:36 localhost kernel: [345356.900819] ip_conntrack: table full, drop ping packet.
Jun 16 16:03:37 localhost kernel: [345357.637898] ip_conntrack: table full, drop ping packet.
Jun 16 16:03:38 localhost kernel: [345358.388780] ip_conntrack: table full, drop ping packet.
Jun 16 16:20:11 localhost squid[16069]: Squid Parent: child process 16071 exited with status 0
Jun 16 16:20:12 localhost squid[16222]: Squid Parent: child process 16224 starte d
Jun 16 16:45:33 localhost -- MARK --
Jun 16 17:03:28 localhost kernel: [348948.681508] ip_conntrack: table full, drop ping packet.
Jun 16 17:03:29 localhost kernel: [348949.431507] ip_conntrack: table full, drop ping packet.
daidalos@stan:~$

ok, so after i changed my proxy definitions to my squid proxy server i could now see data in my access.log file.

it seems to be working fine.

my last problem is that i dont want to need to configure the proxy on my browser to access the web.

here goes my latest squid.conf file
http_port 3128
cache_peer proxy.ua.pt parent 3128 3130 proxy-only no-netdb-exchange default no-query no-digest
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /var/log/squid/access.log
emulate_httpd_log on
log_fqdn on
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl ruilaa src 193.136.82.194/255.255.255.255
acl tux src 193.137.86.170/255.255.255.255
acl it src 193.136.92.0/255.255.255.0
acl it1 src 193.136.93.0/255.255.255.0
acl vpn src 192.168.140.0/255.255.255.0
acl vpn1 src 192.168.120.0/255.255.255.0
acl vpn2 src 192.168.1.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 873 1863 5222 # https, snews
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1863 # MSN
acl MSN port 1863 # MSN
acl JABBER port 5222 # Jabber / Google Talk
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access allow localhost
http_access allow localhost
http_access allow it
http_access allow it1
http_access allow vpn
http_access allow vpn1
http_access allow vpn2
http_access allow ruilaa
http_access allow tux
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname hng.av.it.pt
always_direct allow MSN
always_direct allow JABBER
never_direct deny MSN
never_direct deny JABBER
never_direct allow all
coredump_dir /var/spool/squid
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch on
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on