Alexander Noack wrote:
Hi Richard,
I have a site where Squid is set up as a transparent proxy. What you will want to do is set up Squid to run as httpd_accel(erator) and to redirect the outgoing traffic on port 80 to Squid using ipchains.
Here's part of the Squid-conf:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access deny !localdomains
    (where you set "acl localdomains src your.network/requirednetmask")
proxy_auth /etc/httpd/htpasswd
    (having all users in /etc/httpd/htpasswd; use the htpasswd that comes with Apache)

and to redirect the traffic execute

ipchains -A input -i internal_device -p TCP -d any/0 80 -j REDIRECT your_squid_port
    # ipchains accepts the REDIRECT target only in the input chain, so the
    # rule matches packets as they arrive from the clients' side

Make sure to have your kernel compiled with "Transparent Proxy yes".
You should consider not caching SSL connections. FTP will only work as FTP over HTTP (e.g. the FTP your browser uses). I don't know of any NNTP proxy. What you can do is set up a local newsfeed like leafnode and restrict access to it.
You definitely should have a look at the Transparent Proxy mini-HOWTO (www.linuxdoc.org).
Regards,
Alex
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
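As an added illustration of the access-control part of Alexander's configuration (not code from the thread), the following checker parses a squid.conf written in that style and reports the mistakes that turn a transparent proxy into an open proxy: a missing "http_access deny !localdomains" rule, a local ACL that is undefined or matches every source address, or a missing proxy_auth line. The sample configuration and the 192.168.10.0/255.255.255.0 network are constructed for the example; the directive names are the ones quoted in the message.

```python
"""Sanity-check a squid.conf of the transparent-proxy style quoted above (added example)."""
import ipaddress

# Constructed sample, written in the same style as the directives quoted in the thread.
SAMPLE_CONF = """\
# sample squid.conf fragment (constructed)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl localdomains src 192.168.10.0/255.255.255.0
http_access deny !localdomains
proxy_auth /etc/httpd/htpasswd
"""

ACCEL_DIRECTIVES = ("httpd_accel_host", "httpd_accel_port",
                    "httpd_accel_with_proxy", "httpd_accel_uses_host_header")


def parse_conf(text):
    """Return a list of (directive, [args]) tuples, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def check_transparent_proxy(text):
    """Return a list of findings; an empty list means the fragment passes every check."""
    findings = []
    entries = parse_conf(text)
    present = {directive for directive, _ in entries}

    for directive in ACCEL_DIRECTIVES:
        if directive not in present:
            findings.append(f"missing {directive}")
    if "proxy_auth" not in present:
        findings.append("no proxy_auth directive: proxy usable without a password")

    # Every acl name, and separately the src-type acls with their network strings.
    acl_names = {args[0] for d, args in entries if d == "acl" and args}
    src_acls = {}
    for d, args in entries:
        if d == "acl" and len(args) >= 3 and args[1] == "src":
            src_acls.setdefault(args[0], []).extend(args[2:])

    # An "http_access deny !name" rule is what defines who counts as local.
    local_acls = []
    for d, args in entries:
        if d != "http_access" or len(args) < 2:
            continue
        action, ref = args[0], args[1]
        name = ref.lstrip("!")
        if name not in acl_names:
            findings.append(f"http_access references undefined acl {name!r}")
            continue
        if action == "deny" and ref.startswith("!") and name in src_acls:
            local_acls.append(name)
    if not local_acls:
        findings.append("no 'http_access deny !<local acl>' rule: non-local clients are not refused")

    # The local networks must parse, and must not cover the whole address space.
    for name in local_acls:
        for net in src_acls[name]:
            try:
                network = ipaddress.ip_network(net, strict=False)
            except ValueError:
                findings.append(f"acl {name}: cannot parse network {net!r}")
                continue
            if network.prefixlen == 0:
                findings.append(f"acl {name}: {net} matches every source, so nothing is denied")
    return findings


if __name__ == "__main__":
    for finding in check_transparent_proxy(SAMPLE_CONF) or ["ok: no findings"]:
        print(finding)
```

Run it against a real squid.conf by passing the file contents to check_transparent_proxy(); the dotted-netmask form Squid accepts (network/255.255.255.0) is understood by ipaddress.ip_network as well as prefix notation.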
Hi Alexander,

This solution is OK, I read about it, but it's not enough. My kernel is of course compiled with "Transparent proxy yes" and so on ... Did you read the previous messages?

The problem is that the squid server is running on another PC (I called it PC2 in my previous emails) and the packet filtering is happening on PC1 !!! So I need to redirect to a port on another machine! This is not possible directly with ipchains, isn't it? Redirecting to another port on the same machine is not the problem.

Thanks,
Richard

--
Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg
Unix IS user friendly. It's just selective about who its friends are.