[FUG-BR] Squid 2.6 + PF
Wesley Miranda
wesleymiranda2 em gmail.com
Segunda Janeiro 28 00:52:33 BRST 2008
Tive problemas com o squid 2.6.x em um cliente fazendo a mesma coisa que
voce, a solução foi baixar pra versão 2.5.x, outro detale utilizei ipfw,
segue o squid.conf e a regra.
squid.conf
---------------------------------------------------
http_port 8181
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
cache_effective_user squid
cache_effective_group squid
maximum_object_size 512 MB
minimum_object_size 0 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir diskd /usr/local/squid/cache 2048 16 256
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
cache_swap_log /usr/local/squid/logs/swap.log
logfile_rotate 2
redirect_rewrites_host_header off
cache_replacement_policy GDSF
emulate_httpd_log off
pid_filename /usr/local/squid/logs/squid.pid
debug_options ALL,1
log_fqdn on
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnet src 192.168.17.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mgr wesley em freebsdconsult.com.br
visible_hostname http://www.freebsdconsult.com.br
memory_pools on
forwarded_for on
log_icp_queries off
buffered_logs on
icon_directory /usr/local/etc/squid/icons
error_directory /usr/local/etc/squid/errors/Portuguese
mime_table /usr/local/etc/squid/mime.conf
--------------------------------------------------------
Regra ipfw
/sbin/ipfw add 500 allow tcp from me to any dst-port 80
/sbin/ipfw add 600 fwd 127.0.0.1,8181 tcp from 192.168.17.0/24 to any
dst-port 80
OBS : http_access allow all > Voce pretende liberar sua proxy da rede
interna pra qualquer pessoa fora da rede utilizar ? O correto é Deny pra não
terem acesso externo.
Abraço.
2008/1/27, multnick <multfree em gmail.com>:
>
> Ola galera,
>
> Estou com pequeno problema para deixar o proxy transparent.
> Compilei kernel com suporte a pf.
> Compilei o squid via ports versao 2.6.18 com suporte a pf.
> No squid.conf setei:
>
> http_port 3128 transparent
>
> Criei acl para a rede interna:
>
> acl redeinterna src 10.0.0.1
>
> E liberei:
>
> http_access allow all
>
> No arquivo pf.conf setei.
> rdr pass on xl1 proto tcp from any to any port 80 -> 127.0.0.1 port 3128
>
> Sendo que:
> xl0 = 192.168.1.1 -> saida modem DLS.
> xl1 = 10.0.0.1 -> rede interna.
>
> Maq. da rede interna com IP 10.0.0.2 Mask 255.0.0.0 Gateway 10.0.0.1.
>
> Essa config, nao esta navegando por transparent, porem se eu coloco o IP
> 10.0.0.1 no Navegador abre pagina normal.
>
> Desde ja' agradeco.
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>
Mais detalhes sobre a lista de discussão freebsd