Страница 1 из 1

SQUID не пускает по хттп

Добавлено: 2008-10-21 13:54:36
mediamag
squid.conf

Код: Выделить всё

http_port 3128

icp_port 0

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

cache_mem 128 MB

maximum_object_size 8092 KB

maximum_object_size_in_memory 512 KB

cache_dir ufs /usr/local/squid/cache 2048 64 256

cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_store_log /var/log/squid/store.log

cache_mgr h-a-k-e-r@inbox.ru

visible_hostname pie.inet.local

tcp_outgoing_address 192.168.1.2

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern .               0       20%     4320

url_rewrite_program /usr/local/rejik3/redirector /usr/local/rejik3/redirector.conf

url_rewrite_children 10



acl     all             src             0.0.0.0/0.0.0.0


acl     localhost       src             127.0.0.0/8

acl     our_networks    src             192.168.2.0/24

#http_access    deny    denied_sites
#http_access     allow   allowed_sites
#http_access     deny    limited_IP

http_access     allow   our_networks

http_access     allow   localhost

http_access     deny    all


http_port 3128 transparent


coredump_dir /usr/local/squid/cache

pid_filename /usr/local/squid/logs/squid.pid

firewall.sh

Код: Выделить всё

#!/bin/sh


extif="sk0"
extnet="192.168.1.0/24"
extip="192.168.1.2"


intif="sk1"
intnet="192.168.2.0/24"
intip="192.168.2.108"

fwcmd="/sbin/ipfw "


${fwcmd} -f flush

${fwcmd} -f pipe flush

${fwcmd} -f queue flush


# dynamic rules 

${fwcmd} add 50 check-state

# loopback

${fwcmd} add 100 allow ip from any to any via lo0



${fwcmd} add 200 deny ip from any to 127.0.0.0/8
${fwcmd} add 250 deny ip from 127.0.0.0/8 to any



${fwcmd} add 300 deny all from ${intnet} to any in via ${extif}
${fwcmd} add 350 deny all from ${extnet} to any in via ${intif}



${fwcmd} add 400 deny ip from any to 10.0.0.0/8 in via ${extif}
${fwcmd} add 410 deny ip from any to 172.16.0.0/12 in via ${extif}
${fwcmd} add 420 deny ip from any to 0.0.0.0/8 in via ${extif}
${fwcmd} add 430 deny ip from any to 169.254.0.0/16 in via ${extif}



${fwcmd} add 500 deny ip from any to 224.0.0.0/4 in via ${extif}
${fwcmd} add 510 deny ip from any to 240.0.0.0/4 in via ${extif}



${fwcmd} add 600 deny icmp from any to any frag
${fwcmd} add 610 deny icmp from any to any in icmptype 5,9,13,14,15,16,17



${fwcmd} add 700 reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
${fwcmd} add 710 reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
${fwcmd} add 720 reject tcp from any to any not established tcpflags fin



${fwcmd} add 800 deny tcp from any to any 113 in via ${extif}



${fwcmd} add 900 deny tcp from any to any 137 in via ${extif}
${fwcmd} add 910 deny tcp from any to any 138 in via ${extif}
${fwcmd} add 920 deny tcp from any to any 139 in via ${extif}



${fwcmd} add 1000 deny log icmp from any to 255.255.255.255 in via ${extif}
${fwcmd} add 1010 deny log icmp from any to 255.255.255.255 out via ${extif}

${fwcmd} add 1050 fwd 127.0.0.1,3128 tcp from 192.168.2.0/24 to any 80 via sk0

${fwcmd} add 1100 divert natd ip from ${intnet} to any out via ${extif}
${fwcmd} add 1110 divert natd ip from any to ${extip} in via ${extif}



${fwcmd} add 1200 deny ip from 10.0.0.0/8 to any out via ${extif}
${fwcmd} add 1210 deny ip from 172.16.0.0/12 to any out via ${extif}
${fwcmd} add 1220 deny ip from 0.0.0.0/8 to any out via ${extif}
${fwcmd} add 1230 deny ip from 169.254.0.0/16 to any out via ${extif}



${fwcmd} add 1300 deny ip from 224.0.0.0/4 to any out via ${extif}
${fwcmd} add 1310 deny ip from 240.0.0.0/4 to any out via ${extif}



${fwcmd} add 1400 allow icmp from any to any icmptype 0,8,11



${fwcmd} add 1500 allow ip from any to ${intnet} in via ${intif}
${fwcmd} add 1550 allow ip from ${intnet} to any out via ${intif}



${fwcmd} add 1600 allow tcp from any to any established



${fwcmd} add 1700 allow udp from any to ${extip} 53 in via ${extif}
${fwcmd} add 1710 allow udp from ${extip} 53 to any out via ${extif}



${fwcmd} add 1800 allow tcp from any to ${extip} 53 in via ${extif}



${fwcmd} add 1900 allow tcp from any to ${extip} 22 in via ${extif} setup



#${fwcmd} add 1700 allow udp from any 27015-27025 to ${intnet} in via ${extif}
#${fwcmd} add 1710 allow udp from any 27015-27025 to ${intnet} out via ${intif}
#${fwcmd} add 1720 allow udp from ${intnet} to any 27015-27025 in via ${intif}
#${fwcmd} add 1730 allow udp from ${extip} to any 27015-27025 out via ${extif}



${fwcmd} add 2000 deny log tcp from any to ${extip} in via ${extif} setup



${fwcmd} add 2100 allow tcp from ${extip} to any out via ${extif} setup
${fwcmd} add 2110 allow tcp from any to ${extip} in via ${intif} setup



${fwcmd} add 2200 allow tcp from any to 192.168.0.1 8181 via ${extif}
${fwcmd} add 2205 allow tcp from any to 192.168.0.1 8181 via ${intif}

${fwcmd} add 2210 allow tcp from any to 192.168.0.123 8282 via ${extif}
${fwcmd} add 2215 allow tcp from any to 192.168.0.123 8282 via ${intif}



${fwcmd} add 2300 allow tcp from ${intnet} to any 20,21,25,80,110,443,587,993,5190,5222,5223,7014 in via ${intif} setup



${fwcmd} add 2400 allow tcp from 192.168.2.123 to not ${intnet} in via ${intif} setup



${fwcmd} add 65534 deny ip from any to any

ipfw show

Код: Выделить всё

inet# ipfw show
00050  0     0 check-state
00100  0     0 allow ip from any to any via lo0
00200  0     0 deny ip from any to 127.0.0.0/8
00250  0     0 deny ip from 127.0.0.0/8 to any
00300  0     0 deny ip from 192.168.2.0/24 to any in via sk0
00350  0     0 deny ip from 192.168.1.0/24 to any in via sk1
00400  0     0 deny ip from any to 10.0.0.0/8 in via sk0
00410  0     0 deny ip from any to 172.16.0.0/12 in via sk0
00420  0     0 deny ip from any to 0.0.0.0/8 in via sk0
00430  0     0 deny ip from any to 169.254.0.0/16 in via sk0
00500  0     0 deny ip from any to 224.0.0.0/4 in via sk0
00510  0     0 deny ip from any to 240.0.0.0/4 in via sk0
00600  0     0 deny icmp from any to any frag
00610  0     0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00700  0     0 reject tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
00710  0     0 reject tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
00720  0     0 reject tcp from any to any not established tcpflags fin
00800  0     0 deny tcp from any to any dst-port 113 in via sk0
00900  0     0 deny tcp from any to any dst-port 137 in via sk0
00910  0     0 deny tcp from any to any dst-port 138 in via sk0
00920  0     0 deny tcp from any to any dst-port 139 in via sk0
01000  0     0 deny log logamount 100 icmp from any to 255.255.255.255 in via sk0
01010  0     0 deny log logamount 100 icmp from any to 255.255.255.255 out via sk0
01050 25  4059 fwd 127.0.0.1,3128 tcp from 192.168.2.0/24 to any dst-port 80 via sk0
01100  0     0 divert 8668 ip from 192.168.2.0/24 to any out via sk0
01110 11  2325 divert 8668 ip from any to 192.168.1.2 in via sk0
01200  0     0 deny ip from 10.0.0.0/8 to any out via sk0
01210  0     0 deny ip from 172.16.0.0/12 to any out via sk0
01220  0     0 deny ip from 0.0.0.0/8 to any out via sk0
01230  0     0 deny ip from 169.254.0.0/16 to any out via sk0
01300  0     0 deny ip from 224.0.0.0/4 to any out via sk0
01310  0     0 deny ip from 240.0.0.0/4 to any out via sk0
01400  0     0 allow icmp from any to any icmptypes 0,8,11
01500 41  2699 allow ip from any to 192.168.2.0/24 in via sk1
01550 42 23989 allow ip from 192.168.2.0/24 to any out via sk1
01600 45 15453 allow tcp from any to any established
01700 11  2325 allow udp from any to 192.168.1.2 dst-port 53 in via sk0
01710 11   842 allow udp from 192.168.1.2 53 to any out via sk0
01720  0     0 allow udp from any 53 to 192.168.1.2 in via sk0
01730  0     0 allow udp from 192.168.1.2 to any dst-port 53 out via sk0
01800  0     0 allow tcp from any to 192.168.1.2 dst-port 53 in via sk0
01900  0     0 allow tcp from any to 192.168.1.2 dst-port 22 in via sk0 setup
02000  0     0 deny log logamount 100 tcp from any to 192.168.1.2 in via sk0 setup
02100  0     0 allow tcp from 192.168.1.2 to any out via sk0 setup
02110  0     0 allow tcp from any to 192.168.1.2 in via sk1 setup
02200  0     0 allow tcp from any to 192.168.0.1 dst-port 8181 via sk0
02205  0     0 allow tcp from any to 192.168.0.1 dst-port 8181 via sk1
02210  0     0 allow tcp from any to 192.168.0.123 dst-port 8282 via sk0
02215  0     0 allow tcp from any to 192.168.0.123 dst-port 8282 via sk1
02300  5   240 allow tcp from 192.168.2.0/24 to any dst-port 20,21,25,80,110,443,587,993,5190,5222,5223,7014 in via sk1 setup
02400  0     0 allow tcp from 192.168.2.123 to not 192.168.2.0/24 in via sk1 setup
65534  2   458 deny ip from any to any
65535  0     0 allow ip from any to any

в аську заходит почту сосет...браузер показывает:

Код: Выделить всё

The following error was encountered:

    * Invalid Request 

Some aspect of the HTTP Request is invalid. Possible problems:

    * Missing or unknown request method
    * Missing URL
    * Missing HTTP Identifier (HTTP/1.0)
    * Request is too large
    * Content-Length missing for POST or PUT requests
    * Illegal character in hostname; underscores are not allowed 
что я мог забыть..делал точно по статье...как только правило прокси коментирую - инет раздается...помогите пожалуста понять что я мог забыть то?

Re: SQUID не пускает по хттп

Добавлено: 2008-10-21 16:39:06
manefesto
какой то странный конфиг сквида
почему в одном месте

Код: Выделить всё

http_port 3128
а в другом

Код: Выделить всё

http_port 3128 transparent
а?

Re: SQUID не пускает по хттп

Добавлено: 2008-10-21 17:02:06
mediamag
Присмотрись...эта опция есть у меня внизу...нижняя опция заменяет 3 строки из предыдущих версий сквида....httpd_accl....и все что с ним связанно..но проблему я решил сам..может кому то интересно....фряха 7,0 сквид 2,6 стейбл 13 ...вместо http_port 3128 transparent надо http_port 127.0.0.1:3128 transparent. и это не все...после правила 1710 добавить правила

Код: Выделить всё

${fwcmd} add 1720 allow udp from any 53 to ${extip} in via ${extif}
${fwcmd} add 1730 allow udp from ${extip} to any 53 out via ${extif}

вот тогда это все заработало + режик поставил..тоже поднялся при таком раскладе...без вышеперечисленных опций не работало