I hope I don't get flak for this question but I am a little puzzled on the behavior of squid and shorewall with the transparent proxy on.

If you tell your browser to use the proxy port 3128 and you have shorewall set to redirect to that port then there is no reason to set your browser to use the proxy server in the first place. (i.e. transparent, no settings needed on the browser)

The reason I ask is that if you do set the browser to use proxy I have had troubles; with browsers set to use port 80, shorewall redirects to the proxy and it works good. I thought you could go both ways; is that not correct?

Thanks
Mike

landers@lanlinecomputers.com wrote:
> I hope I don't get flak for this question but I am a little puzzled on the behavior of squid and shorewall with the transparent proxy on.
> If you tell your browser to use the proxy port 3128 and you have shorewall set to redirect to that port then there is no reason to set your browser to use the proxy server in the first place. (i.e. transparent, no settings needed on the browser)
> The reason I ask is that if you do set the browser to use proxy I have had troubles; with browsers set to use port 80, shorewall redirects to the proxy and it works good. I thought you could go both ways; is that not correct?
>

I believe that you have to use Squid as either a transparent proxy OR as a configured proxy but not both simultaneously.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep wrote:
>
> I believe that you have to use Squid as either a transparent proxy OR as
> a configured proxy but not both simultaneously.
>

Mike,

I did a little experimentation and added this to my Transparent Squid Configuration:

    http_port 8080

With that additional 'http_port' specification, I was able to configure my browser to proxy using port 8080 and it worked fine.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep wrote:
>
> With that additional 'http_port' specification, I was able to configure
> my browser to proxy using port 8080 and it worked fine.
>

Of course I had to add a rule allowing tcp port 8080 connections from my 'loc' zone to my 'dmz' zone (where the proxy server runs).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Yes,
It does for the most part, but for instance I can't log into webmin with the browser set to 3128; Squid says 111 access denied. I have spent about three hours trying to figure out why a client could not get to http://www.gmcommontraining.com which then redirects you to https://www.gmcommontraining.com, in which squid will tell him access denied. But if he turned off the 3128 setting in his IE 6.0 browser everything works fine. And he is still blocked from squidGuard's blacklist.

So after that I found a squid newsgroup past post that the guy said that's what transparent proxy means is you don't even know you're using a proxy. There is no need for any settings. But I read a lot of posts and that was the only one that I could find that made any sense for my trouble.

The squid log I used for the search was

    TCP_DENIED/403 1020 CONNECT ns1.lanlinecomputers.com:10000 - NONE/- -

That is with my browser set to use proxy 3128. If I uncheck use proxy then no troubles??????????

Thanks :-)
Mike

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Tom Eastep" <teastep@shorewall.net>
Cc: <landers@lanlinecomputers.com>; <shorewall-users@lists.shorewall.net>
Sent: Friday, February 14, 2003 2:45 PM
Subject: Re: [Shorewall-users] shorewall with proxy

> Tom Eastep wrote:
> >
> > I believe that you have to use Squid as either a transparent proxy OR as
> > a configured proxy but not both simultaneously.
> >
>
> Mike,
>
> I did a little experimentation and added this to my Transparent Squid
> Configuration:
>
> http_port 8080
>
> With that additional 'http_port' specification, I was able to configure
> my browser to proxy using port 8080 and it worked fine.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net

landers@lanlinecomputers.com wrote:
> So after that I found a squid newsgroup past post that the guy said
> that's what transparent proxy means is you don't even know you're using a
> proxy.

That's the generally accepted definition of _transparent_ proxy all right...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

landers@lanlinecomputers.com wrote:
> Yes,
> It does for the most part, but for instance I can't log into webmin with
> the browser set to 3128; Squid says 111 access denied. I have spent about
> three hours trying to figure out why a client could not get to
> http://www.gmcommontraining.com which then redirects you to
> https://www.gmcommontraining.com, in which squid will tell him access
> denied. But if he turned off the 3128 setting in his IE 6.0 browser
> everything works fine. And he is still blocked from squidGuard's blacklist.
> So after that I found a squid newsgroup past post that the guy said
> that's what transparent proxy means is you don't even know you're using a
> proxy. There is no
> need for any settings. But I read a lot of posts and that was the only one
> that I could find that made any sense for my trouble.
> The squid log I used for the search was TCP_DENIED/403 1020 CONNECT
> ns1.lanlinecomputers.com:10000 - NONE/- -
> That is with my browser set to use proxy 3128. If I uncheck use proxy then
> no troubles??????????

If you want to use the http CONNECT method to access port 10000 via squid you need to add port 10000 to SSL_ports. That is:

    acl SSL_ports port 443 563 10000

By default squid will allow ssl connect to ports 443 and 563. This problem doesn't come up if you use transparent proxy because only requests to port 80 are normally transparently proxied.

--
Tuomo Soini <tis@foobar.fi>
Linux and Network specialist
Foobar Oy
http://foobar.fi/
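
Added example, not part of the thread and not Squid's own code: a small Python check that reads the `SSL_ports` ACL from a squid.conf fragment and explains each denied CONNECT in an access log, as in the port 10000 denial above. It assumes the config carries Squid's usual `http_access deny CONNECT !SSL_ports` rule and the native access.log field order; the config text, the client addresses, timestamps and the example.com hosts are constructed.

```python
# Constructed squid.conf fragment (assumption: stock CONNECT guard is in place).
SQUID_CONF = """\
acl SSL_ports port 443 563        # default CONNECT ports named in the thread
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
"""

# Constructed access.log lines in Squid's native format. Only the result code,
# method and URL of the first line come from the thread.
ACCESS_LOG = """\
1045255500.123     12 192.168.1.5 TCP_DENIED/403 1020 CONNECT ns1.lanlinecomputers.com:10000 - NONE/- -
1045255505.456     10 192.168.1.6 TCP_DENIED/403 1020 CONNECT blocked.example.com:443 - NONE/- -
1045255510.789    850 192.168.1.5 TCP_MISS/200 4312 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1045255520.012     35 192.168.1.7 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""

def parse_port_acl(conf, name):
    """Collect (low, high) port ranges from every `acl <name> port ...` line."""
    ranges = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if fields[:3] != ["acl", name, "port"]:
            continue
        for tok in fields[3:]:                   # "443" or "1025-65535"
            lo, _, hi = tok.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def explain_connect_denials(log, ranges):
    """Return (client, host, port, reason) for each TCP_DENIED CONNECT line."""
    findings = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 7 or not f[3].startswith("TCP_DENIED/") or f[5] != "CONNECT":
            continue
        host, _, port = f[6].rpartition(":")
        if not host or not port.isdigit():
            continue                             # malformed CONNECT target
        allowed = any(lo <= int(port) <= hi for lo, hi in ranges)
        reason = "other ACL" if allowed else "port not in SSL_ports"
        findings.append((f[2], host, int(port), reason))
    return findings

if __name__ == "__main__":
    for finding in explain_connect_denials(
            ACCESS_LOG, parse_port_acl(SQUID_CONF, "SSL_ports")):
        print(*finding)
```

A port added to `SSL_ports` is accepted for CONNECT to any destination host that the remaining rules permit, so the "other ACL" rows are the ones to investigate before widening the list.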