no matter if i put
Code:
http_access allow all
in squid.conf, it always gives me an access denied.
my PF config:
Code:
# external
ext="bce0"
# internal
int="bce1"
# 443 is deliberately left out while testing squid
# pf lists use braces, and macro names may not contain '-'
ports="{ 53, 3130, 3129, 3121, 80 }"
ports_udp="{ 53 }"

# options must come before translation (nat/rdr) and filter rules
set skip on lo0

# masquerade everything that leaves the external interface
nat on $ext inet from !($ext) -> ($ext)
# intercept LAN web traffic and hand it to squid's intercept port
rdr pass on $int inet proto tcp from any to any port 80 -> 127.0.0.1 port 3130

block in on $ext all
block in on $int all
pass in on $int inet proto tcp from any to any port $ports keep state
pass in on $int inet proto udp from any to any port $ports_udp
pass in on $ext inet proto tcp from any to any port 22 keep state
pass out on $ext inet proto tcp from any to any port $ports keep state
pass out on $ext inet proto udp from any to any port $ports_udp
pass in on $ext proto icmp
pass in on $int proto icmp
my squid.conf
Code:
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# The stock rule here is "http_access deny all"; changed to allow all for testing
http_access allow all
# Squid normally listens to port 3128
http_port 127.0.0.1:3121
http_port 127.0.0.1:3130 intercept
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
cache.log (access to http://google.com):
Code:
2017/08/25 11:53:31 kid1| Set Current Directory to /var/squid/cache
2017/08/25 11:53:31 kid1| Starting Squid Cache version 3.5.26 for amd64-portbld-freebsd11.0...
2017/08/25 11:53:31 kid1| Service Name: squid
2017/08/25 11:53:31 kid1| Process ID 2483
2017/08/25 11:53:31 kid1| Process Roles: worker
2017/08/25 11:53:31 kid1| With 234864 file descriptors available
2017/08/25 11:53:31 kid1| Initializing IP Cache...
2017/08/25 11:53:31 kid1| DNS Socket created at [::], FD 6
2017/08/25 11:53:31 kid1| DNS Socket created at 0.0.0.0, FD 8
2017/08/25 11:53:31 kid1| Adding nameserver 200.0.243.10 from /etc/resolv.conf
2017/08/25 11:53:31 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/08/25 11:53:31 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/08/25 11:53:31 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/08/25 11:53:31 kid1| Store logging disabled
2017/08/25 11:53:31 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/08/25 11:53:31 kid1| Target number of buckets: 1008
2017/08/25 11:53:31 kid1| Using 8192 Store buckets
2017/08/25 11:53:31 kid1| Max Mem size: 262144 KB
2017/08/25 11:53:31 kid1| Max Swap size: 0 KB
2017/08/25 11:53:31 kid1| Using Least Load store dir selection
2017/08/25 11:53:31 kid1| Set Current Directory to /var/squid/cache
2017/08/25 11:53:31 kid1| Finished loading MIME types and icons.
2017/08/25 11:53:31 kid1| HTCP Disabled.
2017/08/25 11:53:31 kid1| Pinger socket opened on FD 14
2017/08/25 11:53:31 kid1| Squid plugin modules loaded: 0
2017/08/25 11:53:31 kid1| Adaptation support is off.
2017/08/25 11:53:31 kid1| Accepting HTTP Socket connections at local=127.0.0.1:3121 remote=[::] FD 11 flags=9
2017/08/25 11:53:31 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:3130 remote=[::] FD 12 flags=41
2017/08/25 11:53:31| pinger: Initialising ICMP pinger ...
2017/08/25 11:53:31| pinger: ICMP socket opened.
2017/08/25 11:53:31| pinger: ICMPv6 socket opened
2017/08/25 11:53:32 kid1| storeLateRelease: released 0 objects
2017/08/25 11:53:34| Error sending to ICMPv6 packet to [2800:3f0:4001:808::200e]. ERR: (65) No route to host
2017/08/25 11:53:34 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/5.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=102=Cs1oYjfIaZZAKFp-aAR2I4U_keKjeuTSD5u7Vxstw9NRtxmZ2eKuq9ZkY_2O4MGKRMyfklXbwDfMyULWczULOabbmSWqsIw0J-izCgt24ZvaYsZ0Qor1PTIyf8K9oCb5
Via: 1.1 "rtr" (squid/3.5.26)
X-Forwarded-For: 192.168.50.3
Cache-Control: max-age=259200
Connection: keep-alive
Host: google.com
2017/08/25 11:53:37 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/5.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=102=Cs1oYjfIaZZAKFp-aAR2I4U_keKjeuTSD5u7Vxstw9NRtxmZ2eKuq9ZkY_2O4MGKRMyfklXbwDfMyULWczULOabbmSWqsIw0J-izCgt24ZvaYsZ0Qor1PTIyf8K9oCb5
Upgrade-Insecure-Requests: 1
Via: 1.1 "rtr" (squid/3.5.26)
X-Forwarded-For: 192.168.50.3
Cache-Control: max-age=259200
Connection: keep-alive
Host: google.com
and access.log
Code:
1503672814.611 0 127.0.0.1 TCP_MISS/403 4319 GET http://google.com/favicon.ico - HIER_NONE/- text/html
1503672814.612 13 192.168.50.3 TCP_MISS/403 4409 GET http://google.com/favicon.ico - ORIGINAL_DST/127.0.0.1 text/html
1503672817.467 0 127.0.0.1 TCP_MISS/403 4398 GET http://google.com/ - HIER_NONE/- text/html
1503672817.467 1 192.168.50.3 TCP_MISS/403 4488 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html
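Added example (not from the post, the Squid project or FreeBSD): a small parser for Squid's native access.log format that pairs each intercepted request whose next hop was the proxy's own address (ORIGINAL_DST/127.0.0.1) with the copy of the same URL that then arrived from 127.0.0.1 (HIER_NONE), which is the access.log signature of the "Forwarding loop detected" warnings in the cache.log above. The sample lines are constructed from the post's four entries plus one healthy request, and the proxy address set is an assumption taken from the http_port lines in squid.conf.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Squid native format: ts elapsed client action/status size method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)
# Addresses squid's http_port lines bind to (assumption taken from the post's squid.conf)
PROXY_ADDRS = {"127.0.0.1", "::1"}

@dataclass
class Entry:
    ts: float
    client: str
    status: int
    url: str
    hier: str  # hierarchy code: ORIGINAL_DST for intercepted requests, HIER_NONE if not forwarded
    peer: str  # next hop squid chose for the request, or '-'

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], int(m["status"]), m["url"], m["hier"], m["peer"])

def find_self_forwarding(lines: List[str]) -> List[Tuple[str, str, int]]:
    """(url, client, status) for intercepted requests whose next hop was the proxy's own
    address and whose URL the proxy then saw again arriving from that address: the
    destination recovered for the intercepted connection was the rdr target, not the client's."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    re_entered = {e.url for e in entries if e.client in PROXY_ADDRS and e.hier == "HIER_NONE"}
    return [(e.url, e.client, e.status) for e in entries
            if e.hier == "ORIGINAL_DST" and e.peer in PROXY_ADDRS and e.url in re_entered]

# Constructed sample: the four lines from the post plus one healthy intercepted request
SAMPLE_LOG = [
    "1503672814.611 0 127.0.0.1 TCP_MISS/403 4319 GET http://google.com/favicon.ico - HIER_NONE/- text/html",
    "1503672814.612 13 192.168.50.3 TCP_MISS/403 4409 GET http://google.com/favicon.ico - ORIGINAL_DST/127.0.0.1 text/html",
    "1503672900.100 120 192.168.50.3 TCP_MISS/200 5120 GET http://example.test/ - ORIGINAL_DST/203.0.113.10 text/html",
    "1503672817.467 0 127.0.0.1 TCP_MISS/403 4398 GET http://google.com/ - HIER_NONE/- text/html",
    "1503672817.467 1 192.168.50.3 TCP_MISS/403 4488 GET http://google.com/ - ORIGINAL_DST/127.0.0.1 text/html",
]

if __name__ == "__main__":
    for url, client, status in find_self_forwarding(SAMPLE_LOG):
        print(f"self-forwarded: {client} -> {url} (HTTP {status})")
```

A healthy intercepted request shows a real origin address after ORIGINAL_DST/, so it is never paired and never reported.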