Mailinglist Archive: opensuse-security (375 mails)

Re: AW: [suse-security] trouble with http
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Fri, 27 Sep 2002 00:59:15 +0200
  • Message-id: <004101c265b0$56123b00$52ef5b86@xxxxxxxxxxxxxxxxxx>
> On Sep 26, Andrew Bennett <andy@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > I'm not sure I understand you, Markus. I use squid as a proxy server
> > web browsing including downloading files by ftp for all the users on
> > network, (except me), and have done for years.
> He was talking about _transparent_ proxy, this means that the proxy is
> configured at client end, but all packets going to port 80 are
> and routed to the squid proxy. This way you can force users to go over
> proxy.
> If "normal browsing" works, but no downloading, I guess that the MTU
> set wrong or something else. Gabriel: Do downloads work from the linux
> box? Try to download a file that fails with wget from the linux box.

First try without proxy and then with proxy again.
Maybe your rules in the firewall are totally false!
You must redirect internal interface (not ip xy) from 80 to 3128.
If the proxy is not the problem try to set different mtu.
You can read more about it with keywords dsl/adsl!
There is much help on the SuSE support database: (German help)

For DSL-Help:

This is connection-related!
Maybe the squid is setup false!
Check the rules on your proxy!
Default is mostly bad and won't work for all purposes, even, if SuSE
tells you it should!
You must have :

acl <name> src/proto/port expression

http_access allow/deny <name>

That means:

One acl and one rule allowing/denying the rule.
Episode one say always two the are, no more, no less!
Don't forget to only set one rule and only allow/deny one rule at a

If there are more than one rule in a line (e.g.: http_access allow all
localhost) the rules won't work correctly in all cases!
One line, one acl, and one acl only one name!

If you changed your /etc/squid/squid.conf to that all should work
Another thing is to make the firewall redirect port 80 -> 3128 from the internal
interface, and not the same with ftp!

Here is a rule for iptables (redirect 80 to 3128!):

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

ftp sometimes works with different auth than set up in
If you say generic user/passwd for all ftp over squid, not all will
Some servers use user:passwd@host, some let anonymous:guest@host and
others anonymous:E-Mail@host!
So the safe setting is to not cache ftp, but only http, and only redirect
80 to 3128!
This works at our facility!
Do not setup false ways in the firewall (redirect 80 to 3128 from
external won't work unless external access is prohibited in

So remember that!

Test all in small steps by deactivating single tools, until all works
If so, look, what made the error and correct it by reading manuals or
Good way to find help: use and keywords
"squid +transparent +proxy"!
You will find useful help for this thematics!
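The two concrete pieces in the post above are the squid.conf convention (one acl per http_access line) and the iptables redirect rule. The following is an added example, not code from the original mail or from the squid or SuSE projects: a small POSIX shell script that lints a squid.conf fragment for the one-acl-per-line convention the post recommends (squid itself accepts several acl names on a line and ANDs them; the script only enforces the post's style) and builds the NAT redirect rule for a given internal interface without running iptables. The interface name eth1, the port numbers and the sample configuration lines are assumptions/constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): lint http_access lines and build
# the port-80 -> squid redirect rule. Nothing here changes the running system.

# Constructed sample squid.conf fragment. The last line breaks the post's
# "one line, one acl" convention on purpose so the lint has something to flag.
SAMPLE_CONF='acl localnet src 192.168.1.0/24
acl Safe_ports port 80
http_access allow localnet
http_access deny all
http_access allow all localhost'

# Print every http_access line that does not name exactly one acl
# (or whose action is not allow/deny). Returns 0 if all lines are
# clean, 1 if at least one suspect line was printed.
lint_http_access() {
    printf '%s\n' "$1" | awk '
        $1 == "http_access" {
            n = NF - 2                      # acl names after "http_access allow|deny"
            if ($2 != "allow" && $2 != "deny") n = -1
            if (n != 1) { print "suspect: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Build the transparent-proxy redirect rule for the INTERNAL interface only,
# as the post says; defaults are port 80 -> 3128. Assumed interface: eth1.
redirect_rule() {
    iface="$1"; from="${2:-80}"; to="${3:-3128}"
    printf '/sbin/iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$iface" "$from" "$to"
}

# Stand-alone demo: lint the sample and show the rule for eth1.
if lint_http_access "$SAMPLE_CONF"; then
    echo "squid.conf fragment follows the one-acl-per-line convention"
else
    echo "fix the suspect http_access lines above"
fi
redirect_rule eth1
```

Run it as-is to see the flagged line and the generated rule; to check a real file, replace the SAMPLE_CONF argument with `"$(cat /etc/squid/squid.conf)"`. The rule is only printed, so it can be reviewed before being applied on the internal interface.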
