11745 Help needed with Squid 3 transparent proxy - The FreeBSD Forums
  #1  
Old January 9th, 2009, 22:01
loko loko is offline
Junior Member
 
Join Date: Nov 2008
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default Help needed with Squid 3 transparent proxy

Hello,
I am trying to set up a transparent caching proxy with Squid 3.0 and FreeBSD 7 for my HTTP traffic, but unfortunately with no luck. When I try to open any webpage I see this:
Code:
ERROR
The requested URL could not be retrieved


While trying to retrieve the URL: / 

The following error was encountered: 

Invalid URL 
Some aspect of the requested URL is incorrect. Possible problems: 

Missing or incorrect access protocol (should be `http://'' or similar) 
Missing hostname 
Illegal double-escape in the URL-Path 
Illegal character in hostname; underscores are not allowed 
Your cache administrator is webmaster. 

Generated Fri, 09 Jan 2009 20:41:39 GMT by HOMER (squid/3.0.RC1+PatchSets-20071001)

My squid.conf looks like this:

Code:
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /usr/local/squid/logs/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src 192.168.50.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname HOMER
always_direct allow all
coredump_dir /usr/local/squid/cache

Can you tell me what is wrong with this configuration? Why, when I type http://freebsd.org in my address bar, does the error say
Code:
While trying to retrieve the URL: /

Thanks in advance!

Last edited by DutchDaemon; May 19th, 2011 at 13:19.
Reply With Quote
  #2  
Old January 9th, 2009, 23:39
bluetick's Avatar
bluetick bluetick is offline
Member
 
Join Date: Nov 2008
Posts: 110
Thanks: 2
Thanked 4 Times in 4 Posts
Default

I don't know if it's required but I always add this to mine.
Code:
dns_nameservers xx.xx.xx.ip xx.xx.xx.ip
I think this is the proper form to control access on the lan.
Code:
acl all src 192.168.50/24
You have.
Code:
acl lan src 192.168.50.0/24
__________________
Not being able to sleep is terrible. You have the misery of having partied all night... without the satisfaction.
Lynn Johnston

Last edited by DutchDaemon; May 19th, 2011 at 13:19.
Reply With Quote
  #3  
Old February 1st, 2009, 05:21
geeknik geeknik is offline
Junior Member
 
Join Date: Feb 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by bluetick View Post
acl lan src 192.168.50.0/24

This is valid.

I have
Code:
acl localnet src 10.0.0.0/24
in my squid.conf with no problems.

Last edited by DutchDaemon; May 19th, 2011 at 13:19.
Reply With Quote
  #4  
Old February 2nd, 2009, 13:56
sniper007's Avatar
sniper007 sniper007 is offline
Member
 
Join Date: Nov 2008
Location: Slovenia
Posts: 110
Thanks: 8
Thanked 2 Times in 2 Posts
Default

Transparent Cache

Transparent cache achieves the same goal as a standard proxy cache, but operates transparently to the browser. The browser does not need to be explicitly configured to access the cache. Instead, the transparent cache intercepts network traffic, filters HTTP traffic (on port 80) and handles the request if the object is in the cache. If the object is not in the cache, the packets are forwarded to the origin web server.

Configuring as Transparent Proxy

Using Squid transparently is a two-part process, requiring first that Squid be configured properly to accept non-proxy requests (performed in the squid module) and second that web traffic gets redirected to the Squid port (achieved in three ways, namely policy-based routing, using smart switching, or setting the Squid box as a gateway).

Getting transparent caching to work requires the following steps:

For some operating systems, you have to configure and build a version of Squid which can recognize the hijacked connections and discern the destination addresses. For Linux this seems to work automatically. For BSD-based systems, you probably have to configure Squid with the --enable-ipf-transparent option, and you have to configure Squid as:

Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

You have to configure your cache host to accept the redirected packets - any IP address, on port 80 - and deliver them to your cache application. This is typically done with IP filtering/forwarding features built into the kernel. On Linux they call this ipfilter (kernel 2.4.x), ipchains (2.2.x) or ipfwadm (2.0.x). On FreeBSD and other BSD systems they call it ip filter or ipnat; on many systems, it may require rebuilding the kernel or adding a new loadable kernel module.
__________________
If anything can go wrong, it will. If it can't, it will anyway
Reply With Quote
  #5  
Old February 2nd, 2009, 14:05
sniper007's Avatar
sniper007 sniper007 is offline
Member
 
Join Date: Nov 2008
Location: Slovenia
Posts: 110
Thanks: 8
Thanked 2 Times in 2 Posts
Default

Quote:
Originally Posted by bluetick View Post
I think this is the proper form to control access on the lan.
acl all src 192.168.50/24

This is absolutely wrong!

Squid uses CIDR notation. IPv4 uses a 32-bit IP address and your 192.168.50 has only 24 bits. (no way)

/24 is the netmask and means ( 11111111 11111111 11111111 00000000 ) => subnet with 254 hosts.
__________________
If anything can go wrong, it will. If it can't, it will anyway
Reply With Quote
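
An added example, not written by any poster in this thread: a Python sketch that parses the `src` ACLs and `http_access` lines quoted above, checks each address value, and evaluates the rules in first-match order for a given client. The `lan_short` name and the sample text are constructed, and Python's `ipaddress` parser stands in for Squid's own, which may accept forms that this one rejects.

```python
import ipaddress

# Constructed sample: src ACLs and http_access lines as quoted in this thread.
# "lan_short" is a made-up name for the three-octet form so it does not
# collide with the existing "all" ACL.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.50.0/24
acl lan_short src 192.168.50/24
http_access allow localhost
http_access allow lan
http_access deny all
"""

def parse_conf(text):
    """Return (acls, rules, errors) for src ACLs and http_access lines."""
    acls, rules, errors = {}, [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "src":
            for value in fields[3:]:
                try:
                    # strict=True also rejects host bits set below the mask
                    net = ipaddress.ip_network(value, strict=True)
                except ValueError as exc:
                    errors.append((fields[1], value, str(exc)))
                else:
                    acls.setdefault(fields[1], []).append(net)
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules, errors

def decide(client, acls, rules):
    """Return (action, rule index) of the first http_access line that matches.

    Only src ACLs without '!' negation are modelled; every ACL named on a
    line must match (logical AND)."""
    addr = ipaddress.ip_address(client)
    for idx, (action, names) in enumerate(rules):
        if all(any(addr in net for net in acls.get(n, [])) for n in names):
            return action, idx
    return "no-match", None

if __name__ == "__main__":
    acls, rules, errors = parse_conf(SAMPLE_CONF)
    for name, value, why in errors:
        print(f"acl {name}: cannot parse {value!r}: {why}")
    for ip in ("127.0.0.1", "192.168.50.17", "10.0.0.5"):
        print(ip, decide(ip, acls, rules))
```

Running the same check over a full squid.conf before a reload shows which source ranges each `http_access allow` line actually admits, which is the quickest way to spot a proxy that is open wider than intended.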
  #6  
Old February 2nd, 2009, 14:18
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Administrator
 
Join Date: Nov 2008
Location: Rotterdam, the Netherlands
Posts: 9,856
Thanks: 30
Thanked 1,892 Times in 1,335 Posts
Default

Quote:
Originally Posted by sniper007 View Post
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Extremely outdated.

And I believe 'acl all' is deprecated and actually produces errors nowadays.
Reply With Quote
  #7  
Old February 3rd, 2009, 03:08
sniper007's Avatar
sniper007 sniper007 is offline
Member
 
Join Date: Nov 2008
Location: Slovenia
Posts: 110
Thanks: 8
Thanked 2 Times in 2 Posts
Default

Quote:
Originally Posted by DutchDaemon View Post
Extremely outdated.

Huh, probably you are right because I have a book from 2004 (Squid: The Definitive Guide), and I have also never tried to set up a transparent cache.

My mistake.
__________________
If anything can go wrong, it will. If it can't, it will anyway
Reply With Quote
  #8  
Old July 15th, 2009, 03:00
bufo333 bufo333 is offline
Junior Member
 
Join Date: Jul 2009
Posts: 6
Thanks: 1
Thanked 1 Time in 1 Post
Default missing keyword transparent

This problem is easy to fix. When you are using ipfw or ipfilter to redirect ports in transparent mode, you get that weird error unless you tell Squid you are in transparent mode.

Add the following line to fix the problem.

Code:
http_port 3128 transparent
Reply With Quote
All times are GMT +1. The time now is 14:08.

