Re: AW: [suse-security] trouble with http

...

I'm not sure I understand you, Markus. I use squid as a proxy server for web browsing including downloading files by ftp for all the users on my network, (except me), and have done for years. He was talking about _transparent_ proxy, this means that the proxy is not configured at client end, but all packets going to port 80 are intercepted and routed to the squid proxy. This way you can force users to go over

On Sep 26, Andrew Bennett wrote: the proxy. If "normal browsing" works, but no downloading, I guess that the MTU is set wrong or something else. Gabriel: Do downloads work from the linux box? Try to download a file that fails with wget from the linux box.

First try without proxy and then with proxy again. Maybe your rules in the firewall are totally false! You must redirect internal interface (not ip xy) from 80 to 3128. If the proxy is not the problem try to set different mtu. You can read more about it with keyworks dsl/adsl! There is much help on the suse support database: http://sdb.suse.de/sdb/de/html/key_form.html (german help) For DSL-Help: http://sdb.suse.de/cgi-bin/sdbsearch.cgi?stichwort=dsl&searchtype=and This is connectionrelated! Maybe the squid is setup false! Check the rules on your proxy! Default is mostly bad and won't work for all purposes, even, if SuSE tells you it should! You must have : acl <name> src/proto/port expression [...] http_access allow/deny <name> That means: One acl and one rule allowing/denieing the rule. Episode one say always two the are, no more, no less! Don't forget to only set one rule and only allow/deny one rule at a time! If there are more than one rule in a line (e.g.: http_access allow all localhost) the rules won't work correct in all cases! One line one acl and one acl only one name! If you changed your /etc/squid/squid.conf to that all should work correct. Another thing is make firewall redirect port 80 -> 3128 from internal interface and not the same with ftp! Here is a rule for iptables (redirect 80 to 3128!): /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 ftp sometines works with differents auth, than setup in /etc/squid/squid.conf! If you say generic user/passwd for all ftp over squid, not all will work! Some servers use user:passwd@host, some let anonymous:guest@host and others anonymous:E-Mail@host! So safe setting is to do not cache ftp, but only http and only redirect 80 to 3128! This works at our facility! Do not setup false ways in the firewall (redirect 80 to 3128 from external won't work unless external access is prohibited in /etc/squid/squid.conf!)! So remind that! Test all in small steps by deactivating single tools, until all works well. If so, look, what made the error and correct it by reading manuals or howtos. Good way to find help: use http://www.google.de/linux/ and keywords "squid +transparent +proxy"! You will find useful help for this thematics! Reguards Philippe