I've got a config that's

    client -> server -> Dansguardian -> Squid -> onward

and I want to transparently redirect web traffic to DG/Squid.

Not sure where the problem lies - hoping you guys can help me and at least tell me that it's NOT my shorewall config.

Here's the configs.

When I point a browser straight at 3128 or 3129 I get web pages back and the appropriate stuff in the logs.
I get a squid error when the client browser is configured for 'direct connection'.

squid log

direct connection (ie shorewall)

    1168243262.106 1 10.0.0.159 TCP_DENIED/400 1929 GET error:invalid-request - NONE/- text/html

client browser -> port 3129

    1168243337.878 209 127.0.0.1 TCP_MISS/200 21875 GET http://www.google.co.uk/search? - DIRECT/66.249.85.99 text/html

client browser -> 3128

    1168243389.259 304 10.0.0.159 TCP_MISS/200 6117 GET http://www.google.co.uk/search? - DIRECT/66.249.85.104 text/html

I can't spot what the problem is, I'm afraid.

Thanks for the help.

gravity ~ # grep ^[A-Za-z] /etc/shorewall/rules

    Web/ACCEPT      net     $FW
    Web/ACCEPT      loc     $FW
    SMB/ACCEPT      $FW     loc
    SMB/ACCEPT      loc     $FW
    DNS/ACCEPT      $FW     net
    DNS/ACCEPT      loc     $FW
    SSH/ACCEPT      loc     $FW
    SSH/ACCEPT      net     $FW
    Webmin/ACCEPT   loc     $FW
    Webmin/ACCEPT   net     $FW
    Ping/ACCEPT     loc     $FW
    Ping/ACCEPT     net     $FW
    REDIRECT        loc     3128    tcp     www     -
    ACCEPT          $FW     net     tcp     www

gravity ~ # grep ^[A-Za-z] /etc/squid/squid.conf

    http_port 3128
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    acl our_networks src 192.168.0.0/24 10.0.0.0/24 127.0.0.1
    http_access allow our_networks
    http_access allow localhost
    http_reply_access allow all
    icp_access allow all
    forwarded_for off
    coredump_dir /var/cache/squid

gravity ~ # grep ^[A-Za-z] /etc/dansguardian/dansguardian.conf

    reportinglevel = 3
    languagedir = '/etc/dansguardian/languages'
    language = 'ukenglish'
    loglevel = 3
    logexceptionhits = on
    logfileformat = 1
    filterip
    filterport = 3129
    proxyip = 127.0.0.1
    proxyport = 3128
    < filtering config stuff snipped>
    urlcacheage = 900
    phrasefiltermode = 2
    preservecase = 0
    hexdecodecontent = 0
    forcequicksearch = 0
    reverseaddresslookups = off
    reverseclientiplookups = off
    createlistcachefiles = on
    maxuploadsize = -1
    maxcontentfiltersize = 256
    usernameidmethodproxyauth = on
    usernameidmethodntlm = off # **NOT IMPLEMENTED**
    usernameidmethodident = off
    preemptivebanning = on
    forwardedfor = on
    usexforwardedfor = off
    logconnectionhandlingerrors = on
    maxchildren = 120
    minchildren = 8
    minsparechildren = 4
    preforkchildren = 6
    maxsparechildren = 32
    maxagechildren = 500
    ipcfilename = '/tmp/.dguardianipc'
    urlipcfilename = '/tmp/.dguardianurlipc'
    nodaemon = off
    nologger = off
    softrestart = off

paul cooper wrote:
> I've got a config that's
> client -> server ->Dansguardian->Squid -> onward and I want to
> transparently redirect web traffic to DG/Squid
>
> Not sure where the problem lies - hoping you guys can help me and at
> least tell me that it's NOT my shorewall config
> here's the configs
> When I point a browser straight at 3128 or 3129 I get web pages back
> and the appropriate stuff in the logs.
> I get a squid error when the client browser is configured for 'direct
> connection'
>
> squid log
> direct connection (ie shorewall)
>
> 1168243262.106 1 10.0.0.159 TCP_DENIED/400 1929 GET
> error:invalid-request - NONE/- text/html
>
> client browser -> port 3129
> 1168243337.878 209 127.0.0.1 TCP_MISS/200 21875 GET
> http://www.google.co.uk/search? - DIRECT/66.249.85.99 text/html
>
> client browser -> 3128
> 1168243389.259 304 10.0.0.159 TCP_MISS/200 6117 GET
> http://www.google.co.uk/search? - DIRECT/66.249.85.104 text/html
>
> I can't spot what the problem is, I'm afraid
>

Neither can we without a complete problem report -- see
http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> paul cooper wrote:
>> I've got a config that's
>> client -> server ->Dansguardian->Squid -> onward and I want to
>> transparently redirect web traffic to DG/Squid
>>
>> Not sure where the problem lies - hoping you guys can help me and at
>> least tell me that it's NOT my shorewall config
>> here's the configs
>> When I point a browser straight at 3128 or 3129 I get web pages back
>> and the appropriate stuff in the logs.
>> I get a squid error when the client browser is configured for 'direct
>> connection'
>>
>> squid log
>> direct connection (ie shorewall)
>>
>> 1168243262.106 1 10.0.0.159 TCP_DENIED/400 1929 GET
>> error:invalid-request - NONE/- text/html
>>
>> client browser -> port 3129
>> 1168243337.878 209 127.0.0.1 TCP_MISS/200 21875 GET
>> http://www.google.co.uk/search? - DIRECT/66.249.85.99 text/html
>>
>> client browser -> 3128
>> 1168243389.259 304 10.0.0.159 TCP_MISS/200 6117 GET
>> http://www.google.co.uk/search? - DIRECT/66.249.85.104 text/html
>>
>> I can't spot what the problem is, I'm afraid
>>
>
> Neither can we without a complete problem report -- see
> http://www.shorewall.net/support.htm#Guidelines

Although from the files you posted, it looks like you are redirecting
web requests from the 'loc' zone directly to Squid (port 3128) which is
not configured for transparent proxying. To redirect to Dansguardian,
you want this REDIRECT rule:

    REDIRECT loc 3129 tcp www
                 ----

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
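
Added example (not part of the original thread, and not Shorewall, Squid or DansGuardian code): a consistency check for the mismatch Tom points out, comparing the REDIRECT target in the rules file with DansGuardian's filterport and Squid's http_port. The config excerpts are constructed from the values posted in the thread; the function names and verdict labels are assumptions.

```python
import re

# Constructed excerpts: only the directives this check reads, using the
# values from the configs posted in the thread.
SHOREWALL_RULES = "REDIRECT loc 3128 tcp www -\nACCEPT $FW net tcp www\n"
SQUID_CONF = "http_port 3128\n"
DANSGUARDIAN_CONF = "filterport = 3129\nproxyip = 127.0.0.1\nproxyport = 3128\n"


def redirect_ports(rules):
    """Return (source zone, target port) for each REDIRECT of tcp www."""
    found = []
    for line in rules.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols[:1] == ["REDIRECT"] and cols[3:5] in (["tcp", "www"], ["tcp", "80"]):
            found.append((cols[1], int(cols[2])))
    return found


def squid_ports(conf):
    """Map each Squid http_port to True if it accepts intercepted traffic."""
    ports = {}
    for line in conf.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 2 and cols[0] == "http_port":
            port = int(cols[1].rsplit(":", 1)[-1])
            ports[port] = bool({"transparent", "intercept"} & set(cols[2:]))
    return ports


def check(rules, squid_conf, dg_conf):
    """Label each REDIRECT target: filtered, bypasses-filter, broken, unknown."""
    squid = squid_ports(squid_conf)
    m = re.search(r"^filterport\s*=\s*(\d+)", dg_conf, re.M)
    filterport = int(m.group(1)) if m else None
    results = []
    for zone, port in redirect_ports(rules):
        if port == filterport:
            verdict = "filtered"  # requests enter DansGuardian first
        elif port in squid:
            # Straight to Squid skips DansGuardian; a port without
            # interception mode also answers 400 invalid-request.
            verdict = "bypasses-filter" if squid[port] else "broken"
        else:
            verdict = "unknown"
        results.append((zone, port, verdict))
    return results

print(check(SHOREWALL_RULES, SQUID_CONF, DANSGUARDIAN_CONF))
```

The "bypasses-filter" verdict covers the case where the redirect works but client traffic reaches Squid without passing through the content filter.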