Squid Cache is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
[quote]An intercepting proxy (also known as a “transparent proxy“) combines a proxy server with a gateway. Connections made by client browsers through the gateway are redirected through the proxy without client-side configuration (or often knowledge). So the client never realize and don’t have to configure the client machine to use the proxy, but they are using it.[/quote]
Squid Cache Proxy Installation
- Open up your shell and type this command:
sudo apt-get install squid
- Finish.
For other operating systems, you can download the binary package here.
Configure Squid Cache Proxy as Transparent Proxy
To configure the Squid proxy as a transparent proxy, edit the squid.conf file at /etc/squid/squid.conf as follows:

# Access control lists
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Only the LAN and localhost may use the proxy; everything else is denied
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow localnet
http_reply_access deny all
icp_access allow localnet
icp_access deny all

# Interception listener; the iptables rules must divert port 80 to this port
http_port 8080 transparent

hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr [email protected]
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname yourdomain.com
icp_port 3130
always_direct allow all
forwarded_for off
coredump_dir /var/spool/squid
The most important line is:
“http_port 8080 transparent”: This line makes Squid run as a transparent proxy on port 8080 (the default port is 3128). Later you need to edit the iptables rules so that every request/response connection is redirected through this port.
Note: That setting is for Squid v2.6 or v2.7. In later versions such as Squid v3.1, the “transparent” option is deprecated; use the “intercept” option instead.
There are many things that Squid can do, such as limiting download speed for certain IPs, denying some “time-wasting” sites, denying some ports, denying downloads of some files during certain hours, and many more cases that you can name. So take your time to read their documentation guide here.
Note: The Squid Web Proxy installation steps above are only for Ubuntu/Debian. On other systems they might work but need adjustment.
Iptables Configurations
To make Squid the transparent proxy (“man in the middle”), you need to configure iptables.
I got this script to help you:
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port: must match http_port in squid.conf
# (3128 is the Squid default; the squid.conf above listens on 8080)
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
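The squid.conf above listens on port 8080 while the script sets SQUID_PORT="3128", and a mismatch like this leaves port 80 diverted to a port where nothing intercepts. The following check is an added example, not part of the original article or the nixCraft script: it compares the interception ports in a squid.conf with the ports that saved `iptables -t nat -S PREROUTING` output diverts port 80 to. The function names, file names and sample input are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that the port the NAT rules divert HTTP to is a port
# on which Squid actually runs an interception listener.
# Function names and file layout are assumptions of this example.

# Ports of all interception listeners in a squid.conf
# ("transparent" in Squid 2.6/2.7, "intercept" in 3.1 and later).
squid_intercept_ports() {
    awk '
        $1 == "http_port" {
            found = 0
            for (i = 3; i <= NF; i++)
                if ($i == "transparent" || $i == "intercept") found = 1
            if (found) {
                n = split($2, parts, ":")    # "8080" or "192.168.1.10:8080"
                print parts[n]
            }
        }
    ' "$1"
}

# Target ports of all rules that divert TCP port 80.
# Input file: saved output of `iptables -t nat -S PREROUTING`.
nat_redirect_ports() {
    awk '
        /--dport 80( |$)/ {
            for (i = 1; i < NF; i++) {
                if ($i == "--to-ports") print $(i + 1)
                if ($i == "--to-destination") {
                    n = split($(i + 1), parts, ":")
                    if (n > 1) print parts[n]
                }
            }
        }
    ' "$1"
}

# Returns 0 only if every diverted port has a matching Squid listener.
check_intercept() {
    conf=$1
    rules=$2
    squid_ports=$(squid_intercept_ports "$conf" | sort -u)
    nat_ports=$(nat_redirect_ports "$rules" | sort -u)
    if [ -z "$squid_ports" ]; then
        echo "FAIL: squid.conf has no http_port with transparent/intercept"
        return 1
    fi
    if [ -z "$nat_ports" ]; then
        echo "FAIL: no NAT rule diverts TCP port 80"
        return 1
    fi
    rc=0
    for p in $nat_ports; do
        if echo "$squid_ports" | grep -qx "$p"; then
            echo "OK: port 80 is diverted to $p and Squid intercepts there"
        else
            echo "FAIL: port 80 is diverted to $p, Squid intercepts on: $(echo $squid_ports)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input reproducing the 8080 / 3128 mismatch.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/squid.conf" <<'EOF'
# constructed sample
http_port 8080 transparent
EOF
    cat > "$dir/nat.rules" <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
    check_intercept "$dir/squid.conf" "$dir/nat.rules"
    demo_rc=$?
    rm -rf "$dir"
    return $demo_rc
}

demo || echo "mismatch detected in the constructed sample"
```

On a live gateway, save the rules with `iptables -t nat -S PREROUTING > nat.rules` and run `check_intercept /etc/squid/squid.conf nat.rules`.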
Okay, that’s all of it. If you like it please leave me a comment.
Hi,
I'm configuring my iptables and squid proxy like yours. But it can't be transparent, sorry for my English.
I have two ethernet cards and eth1 > internet, eth0>LAN
configured them for my network but still running normal proxy, not transparent.
Please help, and so thanks!
Hi Emre, there are some points you need to configure:
1. Please be sure this line is in your squid.conf
"http_port 8080 transparent" (without quotes), that means you run squid on port 8080 as transparent.
2. You need to configure the iptables script:
SQUID_SERVER="192.168.1.1" => your squid's IP
INTERNET="eth0" => your ethernet that goes to the internet
LAN_IN="eth1" => your ethernet that goes to your network
SQUID_PORT="3128" => the squid's port; 3128 is the default squid port, for my example use 8080
Hope this helps you. Cheers.
Ivan
how i can install anonymous proxy….
please help me with my config….
please make complete tutorial…
or just email me…
Hi Kevin,
To install squid as anonymous proxy,
you can do the following:
1. Disable all logs, edit your squid.conf to:
access_log none
cache_store_log none
2. You need to have a public IP and allow any IP you like, edit the squid.conf:
acl IPALLOW src 210.83.0.0/19 (Note you can add as many IPs as you like here)
http_access allow IPALLOW
http_access deny all
3. Then you need to edit this line in squid.conf:
visible_hostname <your public IP>
4. restart your squid.
How do I connect(physical) the transparent proxy server in my network? I have a DSL modem and a LinkSys wireless router.
If you have a router with squid transparent proxy installed, just point your computer's gateway and DNS to your router IP.
Hi all,
Can someone give me the configuration guide to make a Squid transparent proxy in Vista OS. I have tried but not succeeded.
Please guide me the Ethernet configuration(iptables script) on Vista also.
My network: DNS Modem –> [T-Proxy] –> Switch –> Client machines
Thanks in advance,
Siva
Hi,
Can someone give the configuration steps of Squid Transparent proxy in Vista.
I have tried, but not able to succeed. Please give the ethernet NIC (iptable similar for Win) configuration info for Vista.
Thanks in advance,
Siva
Hi Siva,
I haven't tried it yet. But why do you want to make your Vista a cache server? Isn't that a waste of too many resources?
Thanks for the reply..! Yes you are right. I changed my plan now.
Could you please tell me, can we install Squid Transparent proxy in "CentOS" if yes, please tell me which version I should download and configure.
Note: All my clients are running Vista. Guide me in IP setting also, we've one DNS Static IP.
My Network: DNS Modem –> [T-Proxy server] –> Switch –> Client machines
Please aid me in the Ethernet card configuration.
Hi Siva,
Just follow my guide in this article, it also works for CentOS.
But replace the command "apt-get install squid" with "yum install squid" (without quotes). It will install squid v2.6 STABLE21.
And the rest of the configuration is the same.
Good luck.
Ivan, I have done all the configuration, but my Squid access.log is not populating. 🙁
And tell me do i need to configure DHCP in my squid server?
You don't need to configure DHCP in your squid.
Did you miss iptables config?
Hi,
Thanks for info…
My current setup is
my two desktop machines gateway is CISCO PIX (IP 192.168.10.1) & DNS is my AD & DNS Server (192.168.10.10).. Currently I am running squid with manual proxy configuration….for squid as transparent proxy is it required to add rules on PIX firewall? to forward port 80 traffic to squid port 3128.. or is it required to change gateway of my all desktop machines to Squid proxy server IP? (192.168.10.20) please suggest…thanks in advance..
is it ok if I use eth0 & eth1 password from same subnet (e.g 192.168.10.5 & 192.168.10.6 for eth0 & eth1 respectively) for squid transparent proxy)
Hi Santy,
Actually I don't understand your network structure.
Can you explain it more clearly?
And yes, to run squid as transparent proxy you need to edit the rules in iptables. I provided that in my post.
Put that in rc.local so every time your server boots it will be configured automatically.
Is it OK if I use eth0 & eth1 IP addresses from the same subnet (e.g. 192.168.10.5 & 192.168.10.6 for eth0 & eth1 respectively) for the squid transparent proxy?
No I ran it, but I don't know how to check it out… Can u please give me the configurations for squid as well as iptable.
I do not know how to trace the issue when it's not working. 🙁
My Server eth0= 192.168.1.21(From Modem) eth1= 192.168.2.31(To LAN N/W)
Guide me,no problem if i need to change the IP's also.
Hi Siva,
in the squid.conf please change
acl localnet src 192.168.1.0/24
To
acl localnet src 192.168.2.0/24
and in iptables config change to:
SQUID_SERVER="192.168.1.21"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="8080"
Restart squid and run the script.
Please point all of your client computer gateway to 192.168.2.31
Cheers
Thanks a lot….!! I did as u said, now its working perfectly. 🙂 [Cheers]
Ivan, presently I don't have control over the client machines (like customer-owned PCs). Can I achieve this gateway setup through DHCP? If yes, please guide me in the DHCP configuration.
Thanks again..!!
Yes, you should use DHCP instead. Later i will make an article how to install a DHCP server.
Ivan, please help me in this if you can. I am done with everything, even reporting through the SARG app. The issue is, I can only view the client host IP address in my report. Is there any possibility to see the client host name instead of the IP address in the SARG report?
Like changing the Squid access.log format instead of IP address remote HOST NAME..!
Thanks in advance…!!
I'm sorry Siva, I don't use the SARG app. So I don't know about it.
But I'm using my own report, by watching the continuous log from squid. I published the article on my blog at http://www.ivankristianto.com/2009/07/tips-show-squid-log-continuously-squid-web-proxy/
Hope you like it.
Thanks.
hi dear i m using centos 5.3 &2.6 squid i m using so can u help me for transparent squid i got yahoo problem with this so help me for proper work plz mail me on this id [email protected]
plz help
Hi Ashar,
What is the problem?
Please follow my guide step by step. It will work.
I'm using CentOS 5.1 with Squid 2.6. And it has been running for 2 years now.
Cheers.
Is it possible to implement transparent proxy for https? I know it is not allowed because it will be a 'man-in-the-middle attack'. Any options to allow https accesses through transparent proxy? Any help will be appreciated.
Thanks a lot in advance.
-RB
i save file in iptable.sh
Then i run :
root@cembeliq-laptop:/home/cembeliq/Documents# ./iptable.sh
1
./iptable.sh: 28: gt: not found
./iptable.sh: 28: /proc/sys/net/ipv4/ip_forward: Permission denied
Any solution for this?
Hi cembelig,
Please change "&gt;" to ">" without quotes.
and save.
it will run now.
Thanks
yeah.. i finally got it
thank Mr. Ivan..
Mr. ivan i have 2 lines adsl and how to add the second line in your script? LAN is Eth0, modem 1 = Eth1,modem 2= Eth2 please send to my email. thx
best regards
andre
[email protected]
Hi Andre,
why do you need 2 modem?
i don't know how to set the script to provide your architecture.
If anyone know that, please share it with us here.
thanks.
which path i save the iptables files and how to run this file
You can save and run it from the /opt or /home/user folder.
give run permission with chmod +x to the file.
and you can run it by ./iptables.sh
Cheers.
Thank you very much for this wonderful script!
I always have problem with iptables, but this script that's fine? THHX
It's nice to hear i can help you out… 🙂
Hi Everyone,
My problem is a little bit confusing. I'm using redhat5.2 and set up a transparent proxy. My problem is that I am not able to get http access, but surprisingly I can access https://example.com:7071 etc. and can even access an ftp server.
Can Anybody tell me the problem ?
Here is My Iptables command
# squid server IP
SQUID_SERVER="203.153.41.76"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="8080"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
and if I do LAN settings (browser settings) then I can access the http sites
Thanks In Advance
Yogesh
[email protected]
Hi Yogesh,
Your iptables seems fine with me.
How about your squid config?
Please check your squid config around this code:
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 8080 transparent
Hi Ivan
Thanks for a quick reply….
My squid version is squid-2.6.STABLE-5.el5 and Squid configuration is this
http_port 192.168.1.10:8080 transparent
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl lan src 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
http_access deny all
***************************
Thanks & Regards
Yogesh
Hi Yogesh,
Your squid server ip is 203.153.41.76
but in your squid conf you made: http_port 192.168.1.10:8080 transparent
Please change it to:
http_port 8080 transparent
and change in your iptables script:
SQUID_SERVER="192.168.1.10"
Please let me know if it works.
Dear Ivan,
203.153.41.76 is connected to the Internet, and 192.168.1.10 is the local network IP.
Please forgive if i am wrong anywhere……
Yes Yogesh,
you should bypass all Lan connection to squid port before connect to internet.
Thanks IVAN,
I got my problem solved…..
Thanks Again
You are welcome Yogesh.
Glad to hear that 🙂
Good luck.
Hi Ivan,
thanks for the helpful article.
I have applied all the setup for the transparent proxy, but suddenly my access.log is empty. I cannot track whether my client browser is using the proxy or not. Hope you can help me.
one more, i save the iptables.sh in the same folder with the squid.conf. it is ok?
thanks
hi long, yes you can save iptable.sh anywhere as long as you have execute permission.
Please check your network config, squid config and iptables config carefully.
And check if squid is running.
Thanks
Thanks for the fast response.
i'm able to get back my access.log with the related info.
i want to ask u about iptables. i need to flush my iptables before my browser can surf internet. why? if not, i cannot surf the internet.
thanks
@long:
You need to run the iptables.sh on boot.
so it will automatically load when boot process.
Ivan,
how can i make it run on boot?
sorry.i'm a newbie to unix.
thanks
@long,
Please refer to my blogpost
http://www.ivankristianto.com/os/ubuntu/howto-run-script-on-boot-process-in-ubuntu/1171/
thanks ivan for your helpful article.
Hi Ivan,
i have a new problem now..suddenly i cannot stop my squid.
If I enter 'service squid restart' it will pop up
stopping squid:…………………………………..
starting squid: [failed]
Please post your squid.log here.
I will try to help you.
Hi IVan,
Sorry for the late reply. I was able to solve my previous issue. Right now, I face a new problem:
suddenly my setup for transparent proxy is not working. access.log is not populated any more. Prior to this, I had configured my squid for transparent proxy and url_rewrite_program for URL redirection. My browser is supposed to work in transparent mode and do a URL redirection based on certain conditions I created. Please advise me on how to fix this. Thanks
my squid server is '202.45.139.161'
interface to internet is 'eth0'
interface to lan is '202.45.139.163'
my squid.conf setup is:
acl lan src 202.45.139.163/255.255.255.255
below is my setup for iptables:
SQUID_SERVER="202.45.139.161"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="202.45.139.163"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Hi Ivan, to add to the post below:
before this problem happened, I could surf in transparent mode on Mozilla Firefox and Google Chrome but not with Internet Explorer. The only way is to set IE to use the proxy; then it populates the access.log. Why does this happen? Thanks
Hi long,
Have you checked the iptables rule?
Hi Ivan,
I have checked the iptables rule. I am using eth0 instead of etho in the iptables. It seems my setting for transparent proxy is not working right now. What else do I need to check?
thanks
Hi,
after I execute iptables, below is the result when I type iptables -L:
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
is this the problem?
thanks
Hi long,
Please describe your network topology.
Where are your client, router and modem? How does the client connect to the internet?
And have you installed a DHCP and Bind server?
Add me to gmail chat if you want, and we can talk freely.
Hi Ivan,
My client is connected to a switch and goes to the server (squid).
My server (squid) is also connected to the same switch,
from the switch to a gateway and out to the internet.
I also have another local server that will be used for url_rewrite_program.
This local server has the same connection to the switch.
My server (squid) is running on CentOS.
I think my CentOS is already equipped with DHCP and Bind. I will check further
tomorrow.
Tomorrow I will add you to Gmail chat and we can talk more about this setup.
thanks,
long
If I have only one NIC (eth0) card, is it possible to make a transparent proxy server? If so, what changes should be made to this? Can you please help me to configure it?
Haven't tried it yet. But you can set port forwarding from port 80 to the squid port.
Newbie here. I was wondering what the changes to the IP tables would be if I only have one NIC?
Hi Ivan,
I have changed my network topology and my transparent proxy mode works.
I realized my mistakes when I read your article several times. I followed all the steps and finally I am able to surf with the transparent proxy. Thanks a lot for your guide.
long
It's nice to know that you finally got it working.
I'm happy for you.
By the way, can you tell us where you went wrong? Then if another reader comes and reads this article someday, they can learn from you.
Thanks. My mistakes came from the setup of my system. Before this, I was not using eth1 as the interface to the client. The client was separate from the squid server. I fixed this problem by connecting the client directly to the server's eth1. I restarted squid and ran the iptables and it works.
Hello Ivan,
Hope you are doing well.
I am using squid version 2.6.STABLE6 in transparent mode. My users use the squid server IP 192.168.1.1 as their gateway to access the internet. I have made various ACLs and they are working well.
But now I want to disable Gmail chat with the Gtalk messenger. Although I have set up squid to block Gmail chat in the browser, and it is working, when a user types https://gmail.com/ then it is not effective, and users are also using Gtalk. Please help me to disable Gmail chat and Gtalk.
Regards
[email protected]
Hi Yogesh, I suggest you block the Gtalk port instead of blocking the domain.
To block Gtalk, you can set the restriction to this address:
Block access to 216.239.37.125, 72.14.253.125, 72.14.217.189 and 209.85.137.125 on ports 20, 21, 80, 443, 5222 and 5223.
Good luck!
Hi Ivan,
Can you tell me what I need to do to achieve this?
Please keep in mind that we are also running our own mail server with an instant messaging feature running on the same port 5222.
Regards
Yogesh
Hello Ivan, nice article, is there any way you can teach me how to block torrent connections via Squid or Iptables? I’m using Ubuntu. Thanks. 🙂
Hi Ivan ,
Please suggest how to block these IPs for these particular ports, because I have already tried a lot more but am still not able to block Gtalk.
Please help me!
Thanks
Yogesh
Blocking torrent connections may be a little tricky since they change over time.
My suggestion is to block all the ports, except some important ports.
OK, noob here, I can't get the script to execute. How do I run it?
Forgot to mention I get: bash: /etc/setup.iptables: /bin/sh^M: bad interpreter : No such file or directory
Did you run it with root permission or with sudo?
Hi, thank you for replying, you are a star in the dark expansive world of Linux. Yes, I did use sudo (and sudo su) in the terminal and tried running it through Webmin also, and get the same error. I am using Ubuntu 10.04 LTS. I double checked on your response to make sure, and still get the same error: bad interpreter: no such file or directory.
Please try to run iptables -L or iptables -h.
Does it show output or an error message?
Hi, doing it manually, get a problem on the echo line… [1] 2745 1 gt: command not found [1]+ done echo1 bash /proc/sys/net/ipv4/ip_foward: Permission denied (Did sudo)
I did google and tried this gksudo gedit /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.conf.default.forwarding=1
but the line in my file looks different:
net.ipv4.ip_foward=1
will it be ok to do it this way?
Yes, IP forwarding should be on, but in your case it should be on by default.
I’m really making an effort on this side for this to work, so sorry for bugging you. What I find now is that squid ‘works’. When I type an IP in the browser on my workstations (say for Google) it opens the web page. But if I use http://www.xxxxx.com it doesn't. If I do it with the IP it shows up in my squid tail log; if I type the web address it doesn't work and nothing happens in the log on my server. What am I missing?
Have you installed Bind9 as your DNS server?
Install Bind9 and forward all requests to the DNS server that you got from your provider.
You are a genius! Bind9 did the trick. It is not packaged with Ubuntu 10 LTS desktop. Thank you!!
Glad to know that i can help you.
Thanks 🙂
Hi Ivan,
I have set up transparent mode and redirector mode on my squid. It works fine based on the condition that I created. My condition comes from the status of the internet connection. When the internet is on, I can see each request populated in the access.log and am able to surf. But when the connection is down, the access log is not populated and the browser keeps trying to reach the URL. Supposedly squid will catch the request and point to a dedicated URL that I created. It looks like squid is not intercepting the request and it just bypasses squid. Do you have any ideas how this happens?
Any advice from you is really appreciated.
thanks,
long
Thanks for the post…did everything as you mentioned however none of the network machines can get to the internet….they get an Invalid Request error….
The squid log says…..
1287048331.420 52 192.168.0.98 TCP_DENIED/400 2047 GET error:invalid-request - NONE/- text/html
Kindly advise.
hi
I have installed bind9.
it seems to be working
when I run
nemo@Userver:~$ sudo etcsquidsquid start
[sudo] password for nemo:
I get this:
nemo@Userver:~$ sudo squid start
[sudo] password for nemo:
2010/11/17 06:55:08| WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of '0.0.0.0/0.0.0.0'
2010/11/17 06:55:08| WARNING: because of this '0.0.0.0/0.0.0.0' is ignored to keep splay tree searching predictable
2010/11/17 06:55:08| WARNING: You should probably remove '0.0.0.0/0.0.0.0' from the ACL named 'all'
2010/11/17 06:55:08| WARNING: '127.0.0.1' is a subnetwork of '127.0.0.1'
2010/11/17 06:55:08| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
2010/11/17 06:55:08| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
2010/11/17 06:55:08| WARNING: '10.2.0.0/255.255.255.0' is a subnetwork of '10.0.0.0/255.0.0.0'
2010/11/17 06:55:08| WARNING: because of this '10.2.0.0/255.255.255.0' is ignored to keep splay tree searching predictable
2010/11/17 06:55:08| WARNING: You should probably remove '10.2.0.0/255.255.255.0' from the ACL named 'localnet'
FATAL: getpwnam failed to find userid for effective user 'squid'
Squid Cache (Version 2.7.STABLE7): Terminated abnormally.
CPU Usage: 0.072 seconds = 0.068 user + 0.004 sys
Maximum Resident Size: 7296 KB
Page faults with physical i/o: 0
Aborted (core dumped)
nemo@Userver:~$
please
help
It's a misconfiguration of your squid.conf.
Ivan, I am a noob, so please excuse the ignorance of my question. My config is slightly different than what others have described or are using it for. I have a Cisco access point with a guest wireless network that allows IP redirection. I want to direct all guest traffic to the proxy and limit local network access. I already have the access point forwarding traffic; the proxy is just not doing anything with it.
I have an Ubuntu server set up as a squid proxy on port 3128. The proxy itself seems to work fine if I set it manually in a browser. It is the transparent piece I am having an issue with. My server is a virtual machine with only one NIC, IP 172.16.11.60. In order to use iptables to redirect traffic, do I need to set up another NIC?
Thanks for your help!
Well, to work with squid proxy you need to have at least 2 NICs, as far as I know. But there is someone in the squid forum who successfully implemented it with 1 NIC, which needs a couple of tweaks to the iptables rules, which I don't know yet. You can dig into it more.
Ivan, I need your help. I have set up squid proxy as per the article above. But when I try to open any http site, for example http://www.google.com, it says unable to connect from the client machine, i.e. a Win XP system, but I am able to open all the https sites. What could be the reason?
Please help me…
Please check the squid config. Make sure that you whitelist port 80.
And please recheck your iptables rule.
Thanks Ivan for instant reply
acl Safe_ports port 80 # http
Port 80 is whitelisted
Please add me to your gtalk, my gmail id is [email protected]
Nice article , really helped me , thanks
Hi Ivan
I tried the above but I still need to configure the client browser, otherwise I can't access the internet. Can you advise me on this?
If you have a DHCP server, you can automatically set the gateway for all your clients.
Hi Ivan, I'm trying to install squid 3.1.10 using "yum install" command, but this only install the 2.6stable version. could you advise me how to do this?
thanks
The basic installation is still the same. But the squid configuration might be different a little bit. I will make another article to cover this. Stay tuned.
Hi Ivan
This is my setup: CentOS 5.5, squid 2.6, eth0 192.168.1.100 (internet) and eth1 172.16.2.1/24 for the internal network. I ran the script as well as manually edited the iptables, but the transparent action is not working. I tried through DHCP and static; in both cases I put 172.16.2.1 as the default gateway. I did a lot of experiments but still get the same result. How can I check whether iptables is forwarding the incoming requests to port 3128 or not? Can you help me with how to configure a Radius server? Then I can go for that option for authentication.
Looking forward
Nassar
To see if squid is working, you can check /var/log/squid.log.
Have you installed BIND and forwarded the DNS to your ISP's DNS setting?
UPDATE: See this link to see Squid log http://www.ivankristianto.com/os/ubuntu/tips-show-squid-log-continuously-squid-web-proxy/732/
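An added example (not part of the original thread) for the question above about checking whether iptables sends incoming requests to port 3128. A plain `iptables -L` lists only the filter table, so the interception rules never appear in it; `iptables-save -c` prints every table with packet counters. The ruleset below is constructed, and the address 192.168.1.1 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# intercept_rules PORT  (reads the text printed by `iptables-save -c` on stdin)
# Prints "<packets> <target> <in-interface>" for each nat PREROUTING rule that
# sends TCP destination port 80 to PORT; returns 1 if there is no such rule.
intercept_rules() {
    awk -v port="$1" '
        /^\*/ { table = substr($1, 2); next }      # table header: *nat, *filter
        table != "nat" { next }
        {
            pkts = "?"; s = 1
            if ($1 ~ /^\[[0-9]+:[0-9]+\]$/) {       # "[packets:bytes]" from -c
                split(substr($1, 2), c, ":"); pkts = c[1]; s = 2
            }
            if ($s != "-A" || $(s + 1) != "PREROUTING") next
            iface = "any"; proto = ""; dport = ""; target = ""; dest = ""
            for (i = s + 2; i < NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--to-ports" || $i == "--to-destination") dest = $(i + 1)
            }
            if (proto != "tcp" || dport != "80") next
            if ((target == "REDIRECT" && dest == port) ||
                (target == "DNAT" && dest ~ (":" port "$"))) {
                print pkts, target, iface; found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in `iptables-save -c` format (not taken from any real host).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[40:2400] -A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
[57:3420] -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[61:3660] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# On the proxy itself: iptables-save -c | intercept_rules 3128
sample_ruleset | intercept_rules 3128 || echo "no rule sends port 80 to 3128"
```

A rule that is listed with a packet count of 0 exists but has never matched, which means client traffic is not arriving on that interface at all.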
Hi Ivan
I didn't check the Bind and DNS forwarding. Let me try.
Thanks
Nassar
I am also having the permission denied error when I'm trying to execute the script. I saw you wrote to some guy to change the ">" to > without the quotes…uh where is that?
To give execute permission to the script, type this: chmod +x iptables.sh and then run it with ./iptables.sh
Yes, I did that and I still get the permission denied…
Can you paste the result of this command?
ls -l iptables.sh
Ivan,
Here is my setup. DSLRouter>–<eth0.DebianLenny.eth1>–<WirelessNetgear>–<LaptopViaWireless>
I got squid and iptables to work. I see the access logs in squid. That part is cool. I assigned eth1 192.168.13.1 and the Netgear WAN 192.168.13.2, connected to eth1 with a direct cable. The LAN (wireless) on the Netgear is 192.168.16.1 and distributes 192.168.16.100 to my laptop connected via wireless. I only see the squid access.log file with the router IP 192.168.13.2 and not the laptop IP 192.168.16.100. How do I fix that? Thanks in advance for your help. Or do I need to re-arrange my network, or are some squid changes required?
Since you are using a router (wireless router), all connections from the router will pass through using the same IP address. You need to enable One-To-One NAT in your wireless router, so your laptop IP 192.168.16.100 will translate to 192.168.13.102. For the setting in your wireless router, please refer to your product manual.
Thanks for the reply. So there are no settings in squid we can accomplish this with?
As far as I know, there is nothing you can do with squid, because squid will only see the incoming IP connection, which is your router IP. So the only way is setting one-to-one NAT. Anyway, if you have a better solution please let me know.
Hi Ivan, I'm Jake and I am a newbie in the Unix/Linux world. I have set up a FreeBSD transparent proxy/cache server and it works fine. My question is: can I use squid to filter p2p downloads? And how do I manage to restrict porn sites in my network? Thanks.
Restricting p2p is a little bit tricky. You may need to block all ports except the default ports (e.g. 80, 21, 22, etc). But it will block passive FTP or other program ports as well. So you need to pay extra attention to which ports you really need to open.
Thanks Ivan, one more thing: how can I force my clients to use only my proxy server, so that even if they manually configure their browser to use proxy.skyinet.net they cannot access the web?
As of now, when I block some site in my squid they cannot access the site, but when they use proxy.skyinet.net they can access my blocklisted sites. Can you please help?
then block proxy.skyinet.net so they cannot access it.
Hi Ivan,
Nice Article !!!
Will it work with dansguadian?
Thanks
Boss
Hi Boss,
To have it work with DansGuardian, you need to configure squid and iptables.
Thanks for the update Ivan.
could you please update the configurations for both squid and iptables.
Please update only the iptables configuration. i configured the squid + dansguardian
Thanks in Advance!
Hi Ivan, couple of days back, i followed the article and installed and configure squid 2.6 and iptables on debian lenny, it worked fine for me. But now i installed Debian Squeeze in my test environment, that has squid 2.7, i configured it in same way as mentioned in this article but i am not able to ping to any site and not able to browse on my client system. What could be the reason? do i need to make any changes to the above article to work with Debian Squeeze?
Have you installed BIND? And DNS forwarding?
Yes, I have local DNS installed and configured and also DNS forwarding is ON.
Have you checked the iptables rules setup? And please see squid.log if there is any error.
Hi Ivan, thanks for the tutorial, it worked great even in Win XP. The only thing I can't find is where the iptables file is to copy the data into it. Would you know? I am looking in squid/etc but it is not there. I am assuming that it is a txt like the config file?
Thanks
Hi Ivan.
I have set up squid and the iptables rules.
My eth0 (192.168.1.24) is connected to the internet and my eth1 (192.168.10.0/24) is connected to the client.
The problem is that my client cannot access the internet.
I'm using squid 2.7 and Ubuntu Server 10.10.
Please make sure you install BIND and forward DNS to your ISP DNS.
Also I have some problem with iptables.
When I restart the server all the rules are set back to default…
I'm kind of a noob.
I have an internal DNS server (192.168.1.1),
so do I still need to install Bind??
Thanks in advance.
You need to install Bind on your router box, so when your client tries to resolve the address it will forward to your ISP DNS server. And yes, you need Bind.
Thanks, this really helps.
I fixed the iptables problem by adding it manually to /etc/iptables.up.rules
I didn't use the terminal…
It is really helpful to me.
Hi Ivan
I followed all the steps one by one, but when I run your script I get the following error:
./iptables4squid.sh: 28: gt: not found
1
./iptables4squid.sh: 28: /proc/sys/net/ipv4/ip_forward: Permission denied
Could you give me a push please?
Regards
Christian
Hi Christian,
Since WordPress automatically changes special characters, it turns > into "& g t;"
Please change it back to >
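An added example (not part of the original thread or the author's script): a check to run on a script copied from a web page before executing it as root. It covers the three kinds of damage reported in these comments: `>` turned into an HTML entity ("gt: not found"), Windows line endings ("/bin/sh^M: bad interpreter"), and typographic quotes or dashes in place of `"` and `--`. The function names and the sample lines are constructed, and the repair step assumes every typographic dash stood for `--`.

```shell
#!/bin/sh
# lint_pasted_script FILE
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
lint_pasted_script() {
    LC_ALL=C awk '
        /\r$/                         { print "crlf line " NR; bad = 1 }
        /&(gt|lt|amp|quot|#[0-9]+);/  { print "html-entity line " NR; bad = 1 }
        /[^ -~\t\r]/                  { print "non-ascii line " NR; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# repair_pasted_script FILE
# Writes a repaired copy to stdout. Assumption: curly quotes and double primes
# stood for a plain double quote, en and em dashes for "--".
repair_pasted_script() {
    ldq=$(printf '\342\200\234'); rdq=$(printf '\342\200\235')
    dpr=$(printf '\342\200\263'); cr=$(printf '\r')
    ndash=$(printf '\342\200\223'); mdash=$(printf '\342\200\224')
    LC_ALL=C sed -e "s/${cr}\$//" \
        -e "s/${ldq}/\"/g" -e "s/${rdq}/\"/g" -e "s/${dpr}/\"/g" \
        -e "s/${ndash}/--/g" -e "s/${mdash}/--/g" \
        -e 's/&gt;/>/g' -e 's/&lt;/</g' -e 's/&quot;/"/g' -e 's/&amp;/\&/g' \
        "$1"
}

# Constructed sample: lines damaged the way the comments describe. The file is
# only written and inspected here, never executed.
write_sample() {
    printf '#!/bin/sh\r\n' > "$1"
    printf 'SQUID_PORT=\342\200\2353128\342\200\263\n' >> "$1"
    printf 'echo 1 &gt; /proc/sys/net/ipv4/ip_forward\n' >> "$1"
    printf 'iptables -t nat -A PREROUTING -i eth1 -p tcp \342\200\223dport 80 -j REDIRECT \342\200\223to-port 3128\n' >> "$1"
    printf 'iptables -t nat -F\n' >> "$1"
}

demo=${TMPDIR:-/tmp}/pasted_demo.$$
write_sample "$demo"
lint_pasted_script "$demo" || echo "damaged: repair before running"
repair_pasted_script "$demo" > "$demo.fixed"
lint_pasted_script "$demo.fixed" && echo "repaired copy is clean"
rm -f "$demo" "$demo.fixed"
```

Read the repaired copy before running it: the lint only proves the file is plain ASCII with Unix line endings, not that the rules are right for your interfaces.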
Thanks Ivan, this is a very useful script.
thank bro,, you give one solution,, and in my main light out something,, and i get to try in my server,, my squid.conf is not valid,, and i try your configuration,, it so nice,,, thanks
hi ivan…
I was trying to configure my squid just like your configuration… but I was wondering why it is terminating automatically…
then I found out I had signal 6 error on messeges.log
Mar 22 18:16:19 localhost squid[1834]: Squid Parent: child process 1846 exited due to signal 6
then I tried to comment these:
#cache_mem 256 MB
#cache_dir ufs /var/spool/squid 2048 16 256
#cache_mgr [email protected]
#cache_effective_user squid
#cache_effective_group squid
then it started normally… why do you think is happening? i would greatly appreciate it if you help me.. thanks…
What is your squid version?
2.7
Hi i was wondering how i would go about configuring so that i can cap the amount of internet each proxy user can use, so say once a user has used 8GBs of cap, they're unable to access the internet anymore, unless their allocated amount of usage is increased
I think what you need is not proxy/squid. Try Mikrotik instead. It's a Linux with lots of router applications and features.
Hi above are the very good tips,
can you please suggest me that how to block the website in squid.
Regards
Jitender Saini
http://www.ivankristianto.com/os/ubuntu/howtofilter-some-website-during-work-hour-with-squid/915/
Ok how about this scenario. I am using 80 as the squid http_port. So no need of redirection. And im not using iptables ( turned off ) at all for some reasons. How can I make my squid as transparent ? I need to redirect all http and https to be redirected to my squid server via ASA PIX 5510.
You still need iptables.
Nice article,I was trying for installing, but could not , this would guide me for installing and configuring the squid.
Hi Ivan ,
I am using squid 2.6 with no iptables but I can't able to access ftp and https connection
my proxy denied 443 and 21. I have done entry in Safe port and SSL port.
You need to use iptables.
I am running a proxy server according to your configuration. I want to know what I should do to make my host name work, instead of the IP address of the server, when it is entered as the proxy.
My server name is: proxy.server.com
LAN: IP address is 192.168.111.1
I used this IP address (192.168.111.1 and port 3128) to connect to the internet.
Now, I don't want to use the IP address. I want to use the name instead of the IP address.
When I try to use the name on the server, the internet is working (proxy.server.com:3127).
But when I try to use the name on the client, it is not working. Why is it not working?
Do you have a DNS server in your local network? If yes, in your DNS server (usually Bind9) configure proxy.server.com to the correct address of your proxy server.
How would I configure it? I have installed Bind9 and configured it as a cache server, nothing else. I can access the sites through IP from the client but can’t through name.
please suggest|:
imran
[email protected]
@imran Yes it is dns problem. If you are not using squid, can you access the website with address name?
Red Hat 5.3 installation is complete and then I assigned IP addresses to eth0 and eth1. The client reply is also coming, but sir, squid is not starting and this message appears: service squid start unrecognized service. What is the problem?
Nice Job Ivan, thank you very much from Argentina