Squid with Dansguardian problem.

I am sorry for asking the Debian list a question about Dansguardian.
I am using dansguardian + squid3 + clamav but I have a problem.

I have two NICs: eth1: 192.168.0.0/24 (inside) and eth0: 192.168.1.0/24 (outside).

1) I configured Dansguardian like below:

filterip = 192.168.0.1
filterport = 8080
proxyip = 127.0.0.1 # same server
proxyport = 3128
usernameidmethodproxyauth = on # I tried "off" but it did not work
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off

2) And configured Squid like below:

http_port 3128 transparent

cache_dir ufs /media/httpcache/squid3 512 16 256
access_log /media/httpcache/log/squid3/access.log

acl all src 0.0.0.0/0.0.0.0
acl yerel src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow yerel

http_reply_access allow all

icp_access allow all

3) And configured iptables like this:

iptables -t nat -A PREROUTING -p tcp -i $INTIF -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 8080

But when I try to enter any website, the web browser prints this:

---------------
ERROR
The requested URL could not be retrieved

The following error was encountered:

Invalid URL

- Missing or incorrect access protocol (should be http:// or similar)
- Missing hostname
- Illegal double-escape in the URL-Path
- Illegal character in hostname; underscores are not allowed
---------------

But when I use only Squid (REDIRECT 3128), I do not have a problem.

Why doesn't Squid work with Dansguardian?

If you help me, I will be happy.

-- Semih Gokalp


Squid with Dansguardian problem.

Semih Gokalp wrote:
> I am sorry for asking question to debian list about dansguardian.
> I am using dansguardian + squid3 + clamav but i have a problem.
[snip]
> 2)And configured squid like below:
>
> http_port 3128 transparent
Try giving the IP:Port notation like this :

http_port 127.0.0.1:3128 transparent
http_port 192.168.0.1:3128 transparent

[snip]

> iptables -t nat -A PREROUTING -p tcp -i $INTIF -s 192.168.0.0/24
> --dport 80 -j REDIRECT --to-port 8080
Suggest you leave the -s parameter out until your setup is working.

Mihira.
--
Random Quotes From Megas XLR
Coop: You see? The mysteries of the Universe are revealed when you break stuff.
Jamie: When in doubt, blow up a planet.
Kiva: It's an 80 foot robot, if we can't see it, absolutely it's not here.
Glorft Technician: Unnecessary use of force in capturing the Earthers has been
approved.

--

Squid with Dansguardian problem.

Thanks for the reply, but I tried this before:

http_port 127.0.0.1:3128 transparent
http_port 192.168.0.1:3128 transparent

but it did not work.

I tried different iptables rules like below:

iptables -t nat -A PREROUTING -p tcp -i $INTIF --dport 80 -j DNAT --to 192.168.0.1:8080

but it did not work.

When I configure the web browser manually (http proxy 192.168.0.1 and port 8080), and remove the iptables rule (iptables -t nat -A PREROUTING -p tcp -i $INTIF -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 8080), it works.

But why does Squid not work with the redirect iptables rule? I don't understand.

I suppose the problem is the URL, because the web browser error page is like this:

ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: /2007/11/14/guncel/?ver=0

but the real website address is www.milliyet.com.tr/2007/11/14/guncel/?ver=0

What do you think about this?

Thanks.

--
Have a good day at work. Good luck...
Semih Gokalp
Istanbul/Turkiye

Squid with Dansguardian problem.

Semih Gokalp wrote:
> Thanks for reply but i tried before:
>
> http_port 127.0.0.1:3128 transparent
> http_port 192.168.0.1:3128 transparent
>
> but not worked.
>
> I tried different ip tables rules like below:
> iptables -t nat -A PREROUTING -p tcp -i $INTIF --dport 80 -j DNAT --to
> 192.168.0.1:8080
>
> but no worked.
>
> When i configure web browser manually(http proxy 192.168.0.1
> and port 8080), and remove iptables rule (iptables
> -t nat -A PREROUTING -p tcp -i $INTIF -s 192.168.0.0/24
> --dport 80 -j REDIRECT --to-port 8080 ) , it works.
>
> But why do not squid works with redirect iptables rule.I dont understand.
>
> I suppose,problem is url because web browser error page is like this:
>
> ERROR
> The requested URL could not be retrived
> While trying to retrive the URL: /2007/11/14/guncel/?ver=0
>
> but real website adress is www.milliyet.com.tr/2007/11/14/guncel/?ver=0
>
>
> what do you think about this ?
>
> Thanks.
I think your Squid and Dansguardian setups are fine.
Your problem is with Iptables. I assumed you had all the Iptables commands
already in place for a NAT+transparent proxy setup but I guess you didn't have it.
Leave Squid and Dansguardian as it is and try the following bash script for
Iptables.

---------------------------
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIF="eth0"
INTIF="eth1"

echo " External interface : $EXTIF"
echo " Internal interface : $INTIF"

echo " loading modules"
$DEPMOD -a

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the stateful connection tracking framework - "ip_conntrack"
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

#Load the general IPTABLES NAT code - "iptable_nat"
echo -en "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

echo -e " Done loading modules.\n"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo " Rerouting http hits to proxy server "
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 8080

---------------------------

Mihira.


Squid with Dansguardian problem.

Thanks for the reply, Mihira.

I tried the script and removed the manual web browser proxy configuration, but it did not work.

The Invalid URL error page that I see in the web browser is a Squid error page.

I think it means the web request is being redirected to Dansguardian by iptables and Dansguardian is forwarding the request to Squid, but Squid does not resolve the URL path.

Am I wrong? What do you think?

--
Have a good day at work. Good luck...
Semih Gokalp
Istanbul/Turkiye

Squid with Dansguardian problem.

Darwin Pintado wrote:
> hi Mihira,
>
> can advise on my problem
>
> I also got an issue with dansguardian but this time I am using
> tinyproxy. Once I restart my box, dansguardian is not anymore finding
> tinyproxy.
> Anyone has an idea? I see that tinyproxy is included in startup
> Thanks,
> D
>

Check if the IP and port of the proxy server listed in Dansguardian are the ones
that tinyproxy is listening on.

Mihira.

PS. Please send replies to list.


Squid with Dansguardian problem.

If I redirect to Squid (3128), I do not have a problem, but if I try to redirect to Dansguardian (8080), the Squid error page (The requested URL could not be retrieved) is printed in the web browser. If I manually configure the proxy server in the web browser (connection settings) to Dansguardian (8080), it works.

It works like below:

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128

but does not work like below:

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 8080

On 15/11/2007, Mihira Fernando <mihiratheace@gmail.com> wrote:
> Semih Gokalp wrote:
> > Thanks for reply Mihira.I tried script and remove manual web browser
> > configure for proxy but not worked.
> >
> > Invalid URL Error page is squid error page that i see on the web browser.
> >
> > I think,it means web request is being redirected to dansguardian by
> > iptables and dansguardian is forwarding request to squid but squid dont
> > resolve the URL-path.
> >
> > Am i wrong ?
> >
> > What do you think ?
>
> Do you get the same result if Iptables redirect to squid instead of dansguardian ?
> change the redirection command like this and try :
>
> echo "   Rerouting http hits to proxy server "
> $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Mihira.

--
Have a good day at work. Good luck...
Semih Gokalp
Istanbul/Turkiye

Squid with Dansguardian problem.

Semih Gokalp wrote:
> If I redirect to squid(3128),i have not a problem but if I try redirect
> to dansguardian(8080),The squid error page(The requested URL coult not
> be retrieved) print on web browser.
> If i try manually configure proxy server on web browser(connection
> setting) to dansguardian(8080),it works.
>
> it works like below:
>
> $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> but not works like below:
>
> $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT
> --to-port 8080

Your squid conf has a misconfiguration somewhere. Can you post the whole thing
here ? without any mangling of any kind.

Mihira.


RE: Squid with Dansguardian problem.

Not sure if you've already solved this, but I was able to fix this problem on Squid3 by making sure this line in the squid.conf looks like this.

http_port 3128 transparent vhost

I guess that is the equivalent of the following on Squid 2.x

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
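
As an added illustration (not code from the thread or from Squid): the error page in this thread shows a path-only URL because an intercepted browser sends an origin-form request line, whereas a browser configured with a proxy sends the absolute URL. The sketch below models how a proxy can rebuild the URL from the Host header, which is the effect the post above attributes to vhost; effective_url, use_host_header and the sample requests are constructed for this example.

```python
import re

# Constructed sample requests for the URL quoted in the thread.
INTERCEPTED = (b"GET /2007/11/14/guncel/?ver=0 HTTP/1.1\r\n"
               b"Host: www.milliyet.com.tr\r\n\r\n")
CONFIGURED = (b"GET http://www.milliyet.com.tr/2007/11/14/guncel/?ver=0 HTTP/1.1\r\n"
              b"Host: www.milliyet.com.tr\r\n\r\n")

# Hostname with optional port: letters, digits, hyphens and dots only
# (the error page in the thread notes that underscores are rejected).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def parse_head(raw: bytes):
    """Split a request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_url(raw: bytes, use_host_header: bool) -> str:
    """Return the URL a proxy would fetch, or raise ValueError.

    use_host_header is a hypothetical switch standing in for the
    Host-based URL reconstruction described in the post above.
    """
    _method, target, headers = parse_head(raw)
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return target  # absolute-form: the browser knows about the proxy
    if not target.startswith("/"):
        raise ValueError("Invalid URL: unsupported request-target")
    # origin-form: what a browser sends when its traffic is REDIRECTed
    if not use_host_header:
        raise ValueError("Invalid URL: missing access protocol and hostname")
    host = headers.get("host", "")
    if not HOST_RE.match(host):
        raise ValueError("Invalid URL: missing or illegal hostname")
    # The Host header is client-supplied, so the rebuilt URL is only as
    # trustworthy as the client that sent it.
    return "http://" + host + target
```
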
