Mailinglist Archive: opensuse-security (375 mails)

Re: AW: [suse-security] trouble with http
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Fri, 27 Sep 2002 00:59:15 +0200
  • Message-id: <004101c265b0$56123b00$52ef5b86@xxxxxxxxxxxxxxxxxx>
> On Sep 26, Andrew Bennett <andy@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > I'm not sure I understand you, Markus. I use squid as a proxy server for
> > web browsing including downloading files by ftp for all the users on my
> > network, (except me), and have done for years.
> He was talking about _transparent_ proxy, this means that the proxy is not
> configured at client end, but all packets going to port 80 are intercepted
> and routed to the squid proxy. This way you can force users to go over the
> proxy.
> If "normal browsing" works, but no downloading, I guess that the MTU is
> set wrong or something else. Gabriel: Do downloads work from the linux
> box? Try to download a file that fails with wget from the linux box.

First try without proxy and then with proxy again.
Maybe your rules in the firewall are totally false!
You must redirect internal interface (not ip xy) from 80 to 3128.
If the proxy is not the problem try to set a different MTU.
You can read more about it with keywords dsl/adsl!
There is much help on the SuSE support database:

http://sdb.suse.de/sdb/de/html/key_form.html (german help)

For DSL-Help:

http://sdb.suse.de/cgi-bin/sdbsearch.cgi?stichwort=dsl&searchtype=and

This is connection-related!
Maybe the squid is set up false!
Check the rules on your proxy!
Default is mostly bad and won't work for all purposes, even if SuSE
tells you it should!
You must have:

acl <name> src/proto/port expression

[...]

http_access allow/deny <name>

That means:

One acl and one rule allowing/denying the rule.
Episode One says: always two there are, no more, no less!
Don't forget to only set one rule and only allow/deny one rule at a
time!

If there is more than one rule in a line (e.g.: http_access allow all
localhost) the rules won't work correctly in all cases!
One line one acl and one acl only one name!

If you changed your /etc/squid/squid.conf to that all should work
correctly.
Another thing is make firewall redirect port 80 -> 3128 from internal
interface and not the same with ftp!

Here is a rule for iptables (redirect 80 to 3128!):

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

ftp sometimes works with different auth than set up in
/etc/squid/squid.conf!
If you say generic user/passwd for all ftp over squid, not all will
work!
Some servers use user:passwd@host, some let anonymous:guest@host and
others anonymous:E-Mail@host!
So the safe setting is to not cache ftp, but only http and only redirect
80 to 3128!
This works at our facility!
Do not set up false ways in the firewall (redirect 80 to 3128 from
external won't work unless external access is prohibited in
/etc/squid/squid.conf!)!

So remember that!

Test all in small steps by deactivating single tools, until all works
well.
If so, look, what made the error and correct it by reading manuals or
howtos.
Good way to find help: use http://www.google.de/linux/ and keywords
"squid +transparent +proxy"!
You will find useful help on this topic!

Regards

Philippe
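The post's last warning (a redirect from the external interface is only safe if squid.conf itself refuses outside clients) is easy to check before exposing port 3128. The following added example is not from the mailing-list post or from the squid project; it models squid's documented http_access evaluation (lines tried in order, every acl name on a line must match, first match wins, and if nothing matches the result is the opposite of the last line) for a small constructed squid.conf. Only `src` acls and the built-in `all` are modelled; any other acl type is treated as not matching, which is an assumption. The addresses, networks and the `is_open_proxy` helper are invented for the example.

```python
"""Simulate squid's http_access evaluation for a squid.conf snippet.

Added example (not the post's or squid's own code): it answers the
question "would this proxy serve a client that is not on the internal
network?", which is the open-proxy condition the post warns about.
Only `src` acls and the built-in `all` are modelled (assumption).
"""
import ipaddress

# Constructed sample config in the "one acl per http_access line" style
# recommended in the post.  Networks and addresses are made up
# (192.168.1.0/24 as the LAN, 203.0.113.7 as an outside client).
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
http_access allow localhost
http_access allow localnet
http_access deny all
"""


def parse_conf(text):
    """Return ({acl_name: [networks]}, [(action, [acl names])]).

    Comments (#) and blank lines are ignored; acl types other than
    `src` are skipped and therefore never match (assumption).
    """
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            for spec in parts[3:]:
                # squid accepts both a.b.c.d/m.m.m.m and CIDR notation
                nets.append(ipaddress.ip_network(spec, strict=False))
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip):
    """True if acl `name` matches client_ip; a leading '!' negates it."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all" and name not in acls:
        hit = True  # squid >= 3.2 defines `all` as a built-in acl
    else:
        hit = any(client_ip in net for net in acls.get(name, []))
    return hit != negate


def http_access(acls, rules, client):
    """Decide allow (True) / deny (False) for one client address.

    All acl names on a line must match; lines are tried in order and
    the first matching line wins.  With no match, squid uses the
    opposite of the last line's action; with no lines at all it denies.
    """
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        if all(acl_matches(acls, n, ip) for n in names):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] != "allow"


def is_open_proxy(conf_text, outside_ips=("203.0.113.7",)):
    """Return the outside addresses this config would serve (empty is good)."""
    acls, rules = parse_conf(conf_text)
    return [ip for ip in outside_ips if http_access(acls, rules, ip)]


if __name__ == "__main__":
    acls, rules = parse_conf(SAMPLE_CONF)
    for client in ("192.168.1.20", "127.0.0.1", "203.0.113.7"):
        print(client, "allowed" if http_access(acls, rules, client) else "denied")
    print("open to outside:", is_open_proxy(SAMPLE_CONF))
```

Run it against the real /etc/squid/squid.conf by passing the file contents to `is_open_proxy` with the addresses of the external interface's neighbours; a non-empty result means the iptables redirect must stay on the internal interface only, exactly as the post says.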