
A problem with iptables and proxy server

Discussion in 'Tech, Gadgets & Science Forum' started by Freelancer, Jun 30, 2010.

  1. Freelancer

    Freelancer JF-Expert Member

    #1
    Jun 30, 2010
    I am using Fedora 12 and I have installed Squid through yum. I have configured iptables so that all traffic to port 80 is redirected to Squid. I have enabled Squid to run as a transparent proxy server by having the line http_port proxy_server_ip:3128 in squid.conf. Now the problem I have is that only HTTPS traffic passes through the proxy without any problem; HTTP traffic can't pass. I get the message "Invalid URL" returned by Squid. I have searched every forum I can and can't find the solution that solves my problem. I am using broadband to connect to the internet. Maybe if you have encountered the same problem before and you got the solution, please help. My Squid version is 3.x...
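As an added example (not posted by anyone in this thread), the pieces a port-80 interception setup with Squid 3.x usually consists of: the iptables nat rules, the matching http_port line, and a check that the http_port line actually carries the interception flag. The interface name, addresses and port below are assumptions for illustration. Two points the example makes concrete: the REDIRECT only sits in PREROUTING on the LAN interface (a REDIRECT in OUTPUT would loop Squid's own fetches back into Squid), and only --dport 80 is redirected, so port 443 never enters Squid at all and goes out directly. On the Squid side, an intercepted request arrives as "GET / HTTP/1.1" with only a Host header; Squid rebuilds the absolute URL from that header only when the port is flagged "transparent" (Squid 3.0) or "intercept" (Squid 3.1 and later). A plain http_port line without that flag treats the same request as a malformed proxy request and answers "Invalid URL".

```shell
#!/bin/sh
# Added example, not from the thread: iptables interception rules plus the
# squid.conf http_port line for a transparent Squid 3.x running on the gateway.
# LAN_IF, PROXY_IP and SQUID_PORT are assumed values for illustration.
LAN_IF=eth0                 # interface the LAN clients sit behind
PROXY_IP=192.168.1.1        # the proxy host's LAN address
SQUID_PORT=3128

# Emit the iptables rules as text so they can be reviewed first; apply as root with:
#   intercept_rules | sh
# Only PREROUTING on the LAN interface is touched: Squid's own outgoing fetches go
# through OUTPUT, so they are never redirected back into Squid. Port 443 is left alone.
intercept_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# The http_port line for the given Squid version. Squid 3.0 spells the
# interception flag "transparent"; 3.1 and later use "intercept".
http_port_line() {
    case "$1" in
        3.0*) flag=transparent ;;
        *)    flag=intercept ;;
    esac
    printf 'http_port %s:%s %s\n' "$PROXY_IP" "$SQUID_PORT" "$flag"
}

# Check an existing squid.conf: succeeds (exit 0) only if the http_port entry
# for $SQUID_PORT carries the transparent/intercept flag, fails otherwise.
check_http_port() {
    grep -E "^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?$SQUID_PORT([[:space:]]|$)" "$1" |
        grep -qE '[[:space:]](transparent|intercept)([[:space:]]|$)'
}

# When run directly: print the rules and the config line for the version given
# as the first argument (default 3.1).
intercept_rules
http_port_line "${1:-3.1}"
```

Usage: `check_http_port /etc/squid/squid.conf || echo "http_port $SQUID_PORT has no intercept flag"` is the first thing to run when a REDIRECTed setup answers "Invalid URL"; `sh script.sh 3.0` prints the line to paste for a 3.0 install.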
     
  2. Kiranga

    Kiranga JF-Expert Member

    #2
    Jun 30, 2010
    Are you getting an invalid certificate or an invalid URL error? What is the exact error message?

    Are you blocking plain HTTP somewhere in the Squid or firewall rules?

    Did you configure port 80 as a safe port in your ACL?
     
  3. Freelancer

    Freelancer JF-Expert Member

    #3
    Jun 30, 2010
    I'm getting "Invalid URL" from Squid. Yes, port 80 is among the safe ports. In my iptables there is no place where I have specified to allow only traffic from port 443, which is HTTPS. It is very strange, and many people are getting it in Fedora. Maybe I should get the sources for Squid and compile them with transparent support for my kernel.
     
  4. Kiranga

    Kiranga JF-Expert Member

    #4
    Jun 30, 2010
    If many people are getting it, check the known bugs in Fedora just to make sure it is not a known bug; you don't want to waste your time troubleshooting something that is a known bug.

    Also, probably long shots, but in the spirit of leaving no stone unturned, see the links below for any relevant info/patches (long shot) or directions (in the wiki).

    SquidFaq/TroubleShooting - Squid Web Proxy Wiki

    SecurityTracker.com Archives - Squid HTTP Request Processing Error Lets Remote Users Deny Service
     
  5. Freelancer

    Freelancer JF-Expert Member

    #5
    Jul 1, 2010
    It is not listed among the Fedora bugs. If anyone has come across this problem and knows the solution, please help.
     
  6. Steve Dii

    Steve Dii JF-Expert Member

    #6
    Jul 1, 2010
    Dude, I am not so familiar with Fedora Core nor its configuration. But in the interest of trying to find a solution to the problem you presented here, I came across a site where settings for squid.conf are mentioned. Well, just in case your setting of the ports etc. is incorrect, or indeed you are yet to come across the site, here is the link: How To: Configure Squid Proxy Server | Fedora Linux.

    I will paste the contents from the site below, just in case the link becomes defunct.

    Code:
    # The port on which squid will listen for requests
    http_port 8080
    # If 'cgi-bin' or '?' is in the query, squid should not check with neighbours'/parents' caches
    # and should go straight to the target web server.
    hierarchy_stoplist cgi-bin ?
    # If url contains 'cgi-bin' or '?', then it must not be cached
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    # Absolute path to squid access log.
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern .               0       20%     4320
    # Access control list to control every IP address
    acl all src 0.0.0.0/0.0.0.0
    # Access control list for source machine in LAN
    acl lan_src src 192.168.0.0/16
    # Access control list for destination machine in LAN
    acl lan_dst dst 192.168.0.0/16
    # Access control list to manage squid cache
    acl manager proto cache_object
    # Access control list to define IP address allowed for source localhost
    acl localhost src 127.0.0.1/255.255.255.255
    # Access control list to define IP addresses allowed for localhost as destination
    acl to_localhost dst 127.0.0.0/8
    # Access control list to define Safe ports that should be allowed by default
    acl SSL_ports port 443 563 1863 5190 5222 5050 6667
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    # Allow cache management only from localhost
    http_access allow manager localhost
    # Deny cache management from remote hosts
    http_access deny manager
    # Deny http access via all the ports which are not listed as safe
    http_access deny !Safe_ports
    # Deny all connections via all ports which are not listed as safe
    http_access deny CONNECT !SSL_ports
    # Allow http access from localhost
    http_access allow localhost
    # Allow http access from machines on LAN
    http_access allow lan_src
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    # Deny caching for everyone so that there is no caching at all
    cache deny all
    coredump_dir /var/spool/squid
    # Never allow direct connection to machines on the internet
    prefer_direct off
    never_direct allow all
    # Allow direct connection if the destination machine is on the LAN
    always_direct allow lan_dst
    # Delete this line if you don't have /etc/hosts file
    hosts_file /etc/hosts
    # Allow AIM connections
    # Delete the following 9 lines if you don't want people to connect to AIM
    acl AIM_ports port 5190 9898 6667
    acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com .freenode.net
    acl AIM_domains dstdomain .messaging.aol.com .aim.com
    acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com irc.freenode.net
    acl AIM_nets dst 64.12.0.0/255.255.0.0
    acl AIM_methods method CONNECT
    http_access allow AIM_methods AIM_ports AIM_nets
    http_access allow AIM_methods AIM_ports AIM_hosts
    http_access allow AIM_methods AIM_ports AIM_domains
    # Allow connections to Yahoo Messenger
    # Delete the following 6 lines if you don't want people to connect to Yahoo Messenger
    acl YIM_ports port 5050
    acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
    acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
    acl YIM_methods method CONNECT
    http_access allow YIM_methods YIM_ports YIM_hosts
    http_access allow YIM_methods YIM_ports YIM_domains
    # Allow connections to Google Talk
    # Delete the following 6 lines if you don't want people to connect to Google Talk
    acl GTALK_ports port 5222 5050
    acl GTALK_domains dstdomain .google.com
    acl GTALK_hosts dstdomain talk.google.com
    acl GTALK_methods method CONNECT
    http_access allow GTALK_methods GTALK_ports GTALK_hosts
    http_access allow GTALK_methods GTALK_ports GTALK_domains
    # Allow connections to MSN
    # Delete the following 6 lines if you don't want people to connect to MSN
    acl MSN_ports port 1863 443 1503
    acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
    acl MSN_hosts dstdomain messenger.hotmail.com
    acl MSN_nets dst 207.46.111.0/255.255.255.0
    acl MSN_methods method CONNECT
    http_access allow MSN_methods MSN_ports MSN_hosts