3/7/12

nixcraft - insight into linux admin work

Linux: Setup a transparent proxy with Squid in three easy steps


by LinuxTitli on May 27, 2006 (270 comments)

Yesterday I got a chance to play with Squid and iptables. My job was simple: set up Squid as a transparent proxy. The main benefit of a transparent proxy is that you do not have to configure individual browsers to use it.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for Squid).
ii) eth0: IP 192.168.1.1
iii) eth1: IP 192.168.2.1 (192.168.2.0/24 network, around 150 Windows XP systems)
iv) OS: Red Hat Enterprise Linux 4.0 (the following instructions should work with Debian and all other Linux distros)

eth0 is connected to the Internet and eth1 to the local LAN, i.e. the system acts as a router.

Server Configuration

Step #1: Squid configuration so that it will act as a transparent proxy
Step #2: iptables configuration
  a) Configure the system as a router
  b) Forward all HTTP requests to port 3128 (DNAT)
Step #3: Run the script and start the Squid service

First, install the Squid server (use up2date squid) and configure it by adding the following directives to the file:

# vi /etc/squid/squid.conf

Modify or add the following Squid directives:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where:

httpd_accel_host virtual: Squid acts as an httpd accelerator
httpd_accel_port 80: 80 is the port you want to proxy
httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator and as a proxy
httpd_accel_uses_host_header on: the request's Host header is used as the hostname of the URL
acl lan src 192.168.1.1 192.168.2.0/24: access control list; only LAN computers are allowed to use Squid
http_access allow localhost: grants Squid access to the localhost ACL
http_access allow lan: same as above, for the lan ACL

Here is the complete listing of squid.conf for your reference (grep removes all comments and sed removes all empty lines; thanks to David Klein for the quick hint):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

OR, try out sed (thanks to kotnik for the small sed trick):

# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
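The order of the http_access lines above is what keeps this from being an open proxy: Squid takes the first http_access line whose ACLs all match. The following added example (not from the article) evaluates a client address against acl/http_access lines the way Squid does; ARTICLE_CONF and OPEN_PROXY_CONF are constructed samples, and only src ACLs are evaluated.

```shell
#!/bin/sh
# Evaluate a client address against squid.conf "acl NAME src ..." and
# "http_access allow|deny ACL..." lines the way Squid does: the first
# http_access line whose ACLs all match decides, so line order matters.
# Added example, not from the article: only src ACLs are evaluated (other
# ACL types never match) and "!NAME" negation is supported.

# Constructed sample in the article's order: localhost and LAN allowed, rest denied.
ARTICLE_CONF='
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
'
# Constructed misordering: "allow all" before the deny makes the box an open proxy.
OPEN_PROXY_CONF='
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow all
http_access allow lan
http_access deny all
'

# ip_to_int A.B.C.D -> 32-bit integer (runs in a subshell so IFS is untouched)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# mask_to_int: prefix length ("24") or dotted mask ("255.255.255.0")
mask_to_int() {
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# src_match CLIENT_IP ELEMENT: succeeds if CLIENT_IP lies inside ELEMENT
# (bare host, host/prefix or host/dotted-mask, as accepted by "acl ... src")
src_match() {
    _c=$(ip_to_int "$1")
    case $2 in
        */*) _n=$(ip_to_int "${2%/*}"); _m=$(mask_to_int "${2#*/}") ;;
        *)   _n=$(ip_to_int "$2");      _m=4294967295 ;;
    esac
    [ $(( _c & _m )) -eq $(( _n & _m )) ]
}

# acl_matches CONF CLIENT_IP NAME|!NAME: succeeds if the named src ACL
# matches the client (or, with a leading "!", does not match)
acl_matches() {
    _name=${3#!}
    _elems=$(printf '%s\n' "$1" | awk -v n="$_name" \
        '$1 == "acl" && $2 == n && $3 == "src" { for (i = 4; i <= NF; i++) print $i }')
    _hit=1
    for _e in $_elems; do
        if src_match "$2" "$_e"; then _hit=0; break; fi
    done
    case $3 in
        '!'*) [ $_hit -ne 0 ] ;;
        *)    [ $_hit -eq 0 ] ;;
    esac
}

# http_access_decision CONF CLIENT_IP -> prints "allow" or "deny"
http_access_decision() {
    conf=$1; client_ip=$2; last_action=deny
    while read -r directive action acls; do
        [ "$directive" = "http_access" ] || continue
        last_action=$action
        all_match=1
        for a in $acls; do                      # several ACLs on one line are ANDed
            acl_matches "$conf" "$client_ip" "$a" || { all_match=0; break; }
        done
        if [ $all_match -eq 1 ]; then echo "$action"; return 0; fi
    done <<EOF
$conf
EOF
    # Squid's documented fallback when nothing matched: the opposite of the last line
    if [ "$last_action" = allow ]; then echo deny; else echo allow; fi
}

for ip in 127.0.0.1 192.168.2.77 192.168.1.50 203.0.113.9; do
    echo "$ip: article order -> $(http_access_decision "$ARTICLE_CONF" "$ip")," \
         "open-proxy order -> $(http_access_decision "$OPEN_PROXY_CONF" "$ip")"
done
```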

Iptables configuration

Next, I added the following rules to forward all HTTP requests (arriving on port 80) to the Squid server on port 3128:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. The script first configures the Linux system as a router and then forwards all HTTP requests to port 3128 (download the fw.proxy shell script):

#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save the shell script. Execute it so that the system acts as a router and forwards the ports:

# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or restart Squid:

# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as router/gateway (use DHCP to distribute this information). You do not have to configure individual browsers to work with proxies.

How do I test that my Squid proxy is working correctly?

Watch the access log file /var/log/squid/access.log:

# tail -f /var/log/squid/access.log

The above command shows every incoming request as Squid appends it to /var/log/squid/access.log. Now, if somebody accesses a website through a browser, Squid logs the request.

Problems and solutions

(a) Windows XP FTP client
All desktop client FTP session requests ended with the error "Illegal PORT command". The fix was to load the ip_nat_ftp kernel module: just type the following command, press Enter, and voila!

# modprobe ip_nat_ftp

Please note that the modprobe command is already included in the shell script above.

(b) Port 443 redirection
I had blocked all connection requests in our router settings except those from our proxy server (192.168.1.1). So all ports, including 443 (https/ssl), were denied. You cannot redirect port 443; from the Debian mailing list: "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL". Therefore, I quickly reopened port 443 on the router firewall for all my LAN computers and the problem was solved.

(c) Squid proxy authentication in transparent mode
You cannot use Squid authentication with a transparently intercepting proxy.

Further reading:

How do I use Iptables connection tracking feature?
How do I build a Simple Linux Firewall for DSL/Dial-up connection?
Update: Forum topic discussion: Setting up a transparent proxy with Squid peering to ISP squid server
Squid, a user's guide
Squid FAQ
Transparent Proxy with Linux and Squid mini-HOWTO

Updated for accuracy.
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 3/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Share this with other sys admins! 3 Facebook it - Tweet it - Print it We're here to help you make the most of sysadmin work. So, subscribe! { 270 comments read them below or add one } 1 Jay of Today May 27, 2006 you gotta be kidding, only 150 desktops and 8 gigs of RAM??????? I use to have p133 with 64megs with that setup way back then!!! bah, newschoolers SUCKS Reply 2 LinuxTitli May 27, 2006 LOL :D 8GB gives you the best performance. Squid performance = more ram + fast SCSI disk Cost of RAM : Yet another reason or factor to have a more ram. Even people started to use desktop system with 1GiB:P Reply 3 venkat June 2, 2011 Shell i install squid proxy in normal pc(Hp i5processor,8gb RAM) Reply 4 kotnik May 27, 2006 Use following sed magic to remove both comments and empty lines at the same expense: sed / *#/d; /^ *$/d Reply 5 LinuxTitli May 27, 2006 kotnik, Nice sed trick, no need to use grep :) Appreciate your post. Reply 6 Aaron May 28, 2006 Hi, I have similar setup, only one question, How do I block Yahoo and MSN messengers (block at router or transparent proxy+iptables level) ? Cheers, Aaron Reply 7 LinuxTitli May 28, 2006 Aaron, My firewall policy @ router: Default firewall Policy: Close all door and open only required windows Block all incoming and outgoing request Open only required ports i.e. 80 (from proxy only) , 443, 21, 22, 25 etc as per requirement. This configuration automatically blocks rest of stuff. You can implement similar policy using Squid ACL or iptables. Reply 8 Scott May 29, 2006 Nice, quick, down and dirty article. :-)
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 4/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Aaron: http://www.mail-archive.com/squid-users@squid-cache.org/msg38193.html will explain how to block Yahoo, MSN and other IMs. For anyone interested, I have thrown together a HOWTO on getting Squid to work properly in conjunction with Active Directory authentication. It can be found here: http://cryptoresync.com/2006/05/18/installing-squid-with-active-directory-authentication/ Enjoy! Reply 9 Bill May 29, 2006 Aaron, My findings with chat networks like AIM is that, even if you block the specific ports used by the network (ie, 5190), the login server will accept connections to other ports that are common, such as 80, 25, 443, 23, etc. Your best bet for blocking chat traffic is to block the ports used by the network, as well as the IP addresses associated with the login servers, like login.oscar.aol.com. Additionally, write your internal routing rules such that only traffic passing through your proxy can reach the Internet. Otherwise, users will be able to circumvent your proxy and use a public proxy. Reply 10 Desert Zarzamora May 29, 2006 Sometime ago, i wrote another how-to, but this time for a COMPLETELY transparent proxy. That is, a bridged proxy. That a bit more esoteric stuff, but very useful if you really cant mess with your network topology. Have a look at: http://freshmeat.net/articles/view/1433/ Reply 11 Hans May 29, 2006 I would love to run into your office, replace your server with a Pentium 200 with 128mb of RAM you probably wouldnt notice the difference, if all you are using it is for squid. then I would actually make some good use of the machine. Ive got a pentium 200 doing far more (proper proxy, apache server, svn, samba, etc etc) and handles it perfectly well ??? 
Reply 12 LinuxTitli May 29, 2006 @Desert Zarzamora and Scott, nice tutorial (thanks for links) @Hans, heh Well to be frank I am just admin and decision regarding h/w or infrastructure made by someone else this is how things work in an enterprise IT division (they dont care about money as they also make more money from core business so they want world class stuff). However, I agree with you about h/w requirement can be low to run other services. @Bill, Good advice there. Appreciate all of yours post and feedback :) Reply 13 Steve May 30, 2006 just wondering do wew really need quid acting as an accelerator here? nice article, and what a beast of a proxy server i think everyone else is just jealous cos they only have p1s Reply 14 ADHDPHP June 1, 2006 Thanks LinuxTitli!!! I really appreciate you sharing your knoledge with others! Keep up the great work! KMC Reply 15 ADHDPHP June 1, 2006 Also, LinuxTitli do you have any need to use dansguardian in conjuntion with squid for conent filtering? That would probably make good use of that RAM too! Thanks again!
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 5/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Reply 16 massage therapy products June 1, 2006 Well, Ill be needing to set one of these up eventually, so youre bookmarked. I wonder how performance would be if I set up a RAID system on USB drives Reply 17 avanish June 1, 2006 how we can config the ftp service in squid proxy reply avanish gupta india Reply 18 Vivek June 1, 2006 Avanish, Add following line to config file acl ftp proto FTP http_access allow ftp If clients compters are using IE browser then Goto > Tools > Advance > and Uncheck option that reads Enable folder view for FTP-Sites. FTP proxy only work through browser and it will not work at command line. Remember squid is not a real ftp proxy. Reply 19 nesargha June 2, 2006 thank you, i had little bit problems in running the script on redhat 9 , i had remove the $lan_in etc.. and type the actual values but at last i worked fine with me nesargha india Reply 20 Aaron P June 4, 2006 Using squid transparently, you lose the ability to authenticate users (bummer). While I can understand why (to a certain degree), is there a way to just get the username for logging purposes? Its like Im up a (little river) without a (rowing device). I need squid for logging user hits, but I cant do it without transparent routing. And I cant authenticate in transparent mode due to the accelerator. Any ideas? Awesome article. Thanks! AP Reply 21 hosseini May 29, 2011 Hi I send filter with easy installation However, strong and durable Reply 22 Vivek June 4, 2006 @Aaron, Simple answer is you cannot do both things (transparent proxy + auth). The browser has no way of knowing it is using a proxy. So, what you can do is use automatic URL configuration (i.e. no transparent proxy) with WPAD. The information for WAPD and automatic URL configuration available at official Squid FAQ: http://www.squid-cache.org/Doc/FAQ/FAQ-5.html If you find any other way then let us know
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 6/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Hope this helps. @nesargha, May be because of html formatting I will upload script as a text file so that others can use it directly (but you still need to make changes to script) Reply 23 Martin Wallace June 17, 2006 I am just a newbie, but I think theres an error in your configuration of iptables. The lines should read : iptables -t nat -A PREROUTING -i eth1 -p tcp -dport 80 -j DNAT -to 192.168.1.1:3128 iptables -t nat -A PREROUTING -i eth0 -p tcp -dport 80 -j REDIRECT -to-port 3128 That is, you need , not -, before to, to-port and dport. Correct me if Im wrong. Martin Reply 24 Martin Wallace June 17, 2006 I see that the problem is with formatting. You need two dashes, not one, before to, to-port and dport, but they look like one (slightly longer) dasjh onm my screen. Try again: iptables -t nat -A PREROUTING -i eth1 -p tcp dport 80 -j DNAT to 192.168.1.1:3128 iptables -t nat -A PREROUTING -i eth0 -p tcp dport 80 -j REDIRECT to-port 3128 Reply 25 vivek June 17, 2006 Martin, I just checked the script. There is no problem. However, it looks like, HTML formatting breaks the script. Direct link to download script: http://www.cyberciti.biz/tips/wp-content/uploads/2006/06/fw.proxy.txt Hope this helps :) Reply 26 sohan July 12, 2006 i am using same rules given above , Can I block my users to use public proxy. Do i have to modify my squid.conf or Iptables Reply 27 nixcraft July 12, 2006 sohan, You just need to setup LAN ACL. If you are using above config then it only allows access from LAN. Reply 28 WebSean July 30, 2006 I am running Squid 2.5 on Macintosh OS X (10.3.7) with the handy SquidMan port for OS X / Darwin and it works great. The interface does allow me to make the httpd_accel_ modifications to the squid.conf file for transparent proxying, but how do I set-up the iptables step? My system uses ipfw instead and I have tried sudo ipfw add 1000 fwd 127.0.0.1,8080 tcp from any to any 80 only to see my port 80 malfunction. 
How can I configure the port 80 hijack/redirect function to get transparency working on OS X? Thanks in advance. Reply 29 tony September 6, 2010 WebSean, Did you ever get a reply back? I have similar setup browser->dansguardian->squid->internet and Im using ipfw Cant seem to get transparent working. Meaning redirecting requests coming to port 80 to dansguardian port 8080 Ive tried all and each with different combinations of the following below in my ipfw ruleset nothing works ..just goes straight to internet ..bypasses dansguadian completely ${IPF} add 01000 allow tcp from me to any 80 out via $EXT_INT setup $KS #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 7/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

#ipfw add 50 fwd 127.0.0.1 tcp from any to any 80 #${IPF} add 01006 allow tcp from 127.0.0.1 to any 80 #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 in recv $EXT_INT #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from me to any 80 via $EXT_INT #${IPF} add 01008 allow tcp from me to any 80 out xmit lo0 #${IPF} add 01009 allow tcp from any 80 to me in recv lo0 established ${IPF} add 7000 fwd 127.0.0.1,8883 tcp from any to any 80 my squid.conf looks like this http_port 127.0.0.1:3333 transparent because that is what squid 3.1.7 version all needs Reply 30 tony September 6, 2010 WebSean, Did you ever get a reply back? I have similar setup browser->dansguardian->squid->internet and Im using ipfw Cant seem to get transparent working. Meaning redirecting requests coming to port 80 to dansguardian port 8883 Ive tried all and each with different combinations of the following below in my ipfw ruleset nothing works ..just goes straight to internet ..bypasses dansguadian completely ${IPF} add 01000 allow tcp from me to any 80 out via $EXT_INT setup $KS #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 #ipfw add 50 fwd 127.0.0.1 tcp from any to any 80 #${IPF} add 01006 allow tcp from 127.0.0.1 to any 80 #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 in recv $EXT_INT #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from any to any 80 #${IPF} add 01007 fwd 127.0.0.1,8883 tcp from me to any 80 via $EXT_INT #${IPF} add 01008 allow tcp from me to any 80 out xmit lo0 #${IPF} add 01009 allow tcp from any 80 to me in recv lo0 established ${IPF} add 7000 fwd 127.0.0.1,8883 tcp from any to any 80 my squid.conf looks like this http_port 127.0.0.1:3333 transparent because that is what squid 3.1.7 version all needs Reply 31 Emre October 2, 2006 To not to see both empty lines and remarks grep can be used in this way; grep -Ev ^$|^# /etc/squid/squid.conf Reply 32 Praveen October 29, 2006 Hi, Is it possible to 
retain public Ip address, while using squid, All pc in my lan having public ip address. I want to use squid. But whenever i use transparent squid, the outgoing packet keeps squid servers ip as source ip address. how can i use squid httpd_accel without proxy. Reply 33 nixcraft October 29, 2006 The whole point of using transparent proxy/NAT is to hide internal IP address. As long as you have squid in between internet and other boxes anyone will see your squid ip address Reply 34 karthick November 11, 2006 dear,
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 8/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

cyberciti guys,thank you very very mush.because your web site is good food for linux hungry peoples. Contineue yours job with gods blassings. By, Yours S.Karthick Reply 35 Marlon November 15, 2006 Hi guys, I ask something about my firewall-squid-dhcp server in one box, i have eth0 for internet-connection and eth1 for local-connectioni want to do is, to be transparent proxy all clients connected at eth1 local-connection. Could you provide me the minimal config of iptables/squid.conf to make work as a transparent proxy my all-in-one linux box. i want the minimal config of iptables without filtering temporary. Thanks! Reply 36 nixcraft November 15, 2006 Squid config remains the same. Only iptables will changes. Type following at command prompt to get started temporary:
itbe - nt- PEOTN - eh - tp-dot8 - DA -t 12181132 pals t a A RRUIG i t0 p c -pr 0 j NT -o 9.6..:18 itbe - nt- PEOTN - eh - tp-dot8 - RDRC -t-ot32 pals t a A RRUIG i t1 p c -pr 0 j EIET -opr 18

Replace 192.168.1.1 with your actual Linux server IP address (local LAN IP) Reply 37 Jaimohan November 17, 2006 Dear friends, can i run the VPN-Checkpoint software with squid using transparent proxying, please reply asap Regrds Jai Reply 38 nixcraft November 17, 2006 Yes you can as long as everything is configured you should able to use VPN with any other internet service Reply 39 Mimbari November 24, 2006 For a completely totally transparent proxy, use http://www.balabit.com/downloads/tproxy/linux-2.6/ That way the client IP address will be used by the Squid, still caching etc too. Needs inbound routing of reply server traffic to be routed back through the Squid box though. Its kernel & iptables patching only, yielding the tproxy iptables table.. In Valens Name. Reply 40 neddy November 27, 2006 Hi there, i have a few questions 1) will this proxy things such as steam games / downloads, Microsoft updates, anti-virus updates and other things that do not run on port 80? 2) The proxy appears to work, and i have set my ip address to it, but if i download a 10mb file, then download the same file on another pc, the speeds are still slow, indicating that the proxy may not be working when i run: tail -f /var/log/squid/access.log i get the log to screen & file, and it is showing that there is data being proxied, but everything still runs slow 3) I am running it on public ip addresses, one for the eth0 (internet) 203.16.209.x and the second ip address for the people using the proxy is eth1 (lan) 203.221.91.x the proxy all works, but could this be why it is running slow? - cheers Reply 41 nixcraft November 27, 2006
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 9/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Neddy , Yes everything should work as long as remote site is using port 80 for downloading updates and patches. If you need to cache larger file you need to enable cache object size. Default is 4 MB. However it is not recommended to use such large cache object size until and unless you have monster cache server (normally ISP enables large cache object). You need to tune out your squid for this. The defaults are good to improve overall user experience. Proxy should work fast. Make sure you have correct DNS server setup. Try to use OpenDNS server http://opendns.com/ HTH. Reply 42 woodsturtle November 29, 2006 I am having trouble accessing an MS sharepoint server through squid 2.6 configured in transparent proxy mode. Everything that I have read so far suggest that I must bypass squid althogether because of the NTLM authentication require to access share point. Is this the case? Also, what is the iptables statement which I should use before the DNAT statement? I am using wccp and have created a GRE tunnel on the squid box. Reply 43 Hernan November 29, 2006 Excelent guide, It work forme. Thanks. Now I{m working on acl that let a few machines acces msn. Reply 44 woodsturtle November 29, 2006 What guide are you referring to? Reply 45 ReMSiS December 12, 2006 Hello, Really the guide is wonderful and it worked 100% for me and even the clients using it are amazed with its speed. But there is one problem now !!! How can we access mail, i.e: Clients using outlook are not enabled to send and recieve mail because the ports is blocked or it is not able to make resolution to the mail server. How can I make the mail work too ? because now only http is working pop3 and smtp is not !!! how can I do that ? Regards, Reply 46 nixcraft December 12, 2006 I think your topic is already answered @ our forum. Reply 47 ReMSiS December 13, 2006 Yes nixcraft answered but still not working right, the script yesterday worked now its not !!! 
I maybe going crazy Reply 48 sohan January 2, 2007 I have installed Squid-2.4 on Red Hat Linux enterprise 4 2 Public IPs are available from 2 different ISPs. Now I want to configure Squid so as to apportion traffic among the IPs by destination (external) IP and by source (internal) IP. The aim is to give complete bandwidth available from one ISP to one set of users for thier access to specific URLs. Is there any way to do the same in Squid ? Reply 49 sohan January 2, 2007 Hi All I want to put quota limit on Squid for users. I want to limit users for specific data limit like If i want to allow users to consume on 4 GB Data through Squid then what i need to do. Is there any additional tool for squid to do this or squid can do this also ? If anybody have solution for this please let me know. thanks
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 10/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Reply 50 Raghuram January 31, 2007 Hi, Nice tut. Just what I wanted for an education facility of 45 machines. Have a 2Mbps ADSL connection which I want to share across the LAN. This is my first time with squid. One doubt my lan ip (eth1) is DHCP driven while eth0 (internet facing) has a static IP. In this case, will squid work? thanks. Reply 51 raghu January 31, 2007 will squid work with DHCP aasigned eth0 and static Ip eth1? Nie tuttorial.thanks Reply 52 nixcraft February 1, 2007 raghu, You can use Squid with DHCP assigned IP Reply 53 Marco A. Barragan February 7, 2007 All this not work for 2.6, in the case of using: http_port x.x.x.x:xx vhost transparent or any combination, the message is Cant use transparent and cache in the same port, if you try to use the cache_peer command, appear an error FATAL: Bundle in line x: cache_peer So, now you cant use the server for caching and proxy at the same time :S Reply 54 nixcraft February 7, 2007 #1: You cannot set proxy and transparent http on same port. @2: There is some discussion going on about cache peering @ our forum. HTH Reply 55 Clay February 8, 2007 Im trying to setup squid transparently on a box that has one network interface, but is plugged into a hub between the Internet connection and the switch that the clients are on. (I realize this is not ideal, but its what I have to work with.) Can anyone point me in the right direction? Reply 56 rakesh February 9, 2007 sir well i have one problem, i am one system with two ether lan card one connected to Public ip and another with local network. what i want is if any exterbal client send an request on port 80, that request should be redirect to my local DNS. how can it be possible. another thing i have two domain mydomain.com (local) and another http://www.com (internet). now if any client request to http://www.com it request should be redirect to mydomain.com. 
can it be possible, if possible plz send me the solution Reply 57 raghu February 11, 2007 Hi vivek, Can squid be set up on a machine different from the internet gateway machine? I have a DHCP (FC5) server on which I want to set up squid. My internet gateway (ADSL) machine runs Windows Xp and I dont want to disturb it. Thanks. Reply 58 Marco A. Barragan February 17, 2007
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 11/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

But how i can configure it? any idea? how to activate the cache for my network? any can help me to make the right stuff? Im redirecting the port 80 to 3128 with iptables (old style squid) and using this: http_port 10.42.0.1:3128 transparent half_closed_clients on visible_hostname 201.234.228.139 coredump_dir /var/spool/squid Where 10.42.0.1 is the network interface (eth0) conected to lan, and eth1 is the Wan lan. I want make the cahce for my users with squid, and also using proxy, but i cant go to every client to configure proxy setting, need transparent, and cache, i try all, i use this: http_port 10.42.0.1:3128 transparent cache_peer 127.0.0.1 parent 3128 3130 originserver half_closed_clients on visible_hostname 201.234.228.139 coredump_dir /var/spool/squid Not work, use all arrows that i imagine and noting, can any explain me how to do it? Really thanks a lot for any help. Reply 59 Siva February 19, 2007 how to control my bandwidth using squid proxy Reply 60 Marco A. Barragan February 21, 2007 for bandwidth you can use this: first step configure how many delay pools you going to use, for example if you have 2 types of users (one with big badwidth and others with low bandwidth) you need put this: delay_pools n, in our exaple: delay_pools 2 then you need define the class of bandwidth, there are 3 types, 1, 2, 3, in our example we use the class 1 and 2, for unlimited general and the restricted: delay_class 1 1 delay_class 2 2 then use the parameter to define the velocity, remember, if you want 128 kbps, you need multiply it for 128 to convert to bps: delay_parameters 1 -1/-1 delay_parameters 2 -1/-1 16384/57600 -1 means unlimited second is for 128 and boost of 450 last step is defining the acl, in my case: acl localhost src 127.0.0.1/255.255.255.255 acl clientes src 10.42.100.0/255.255.255.0 acl limitados src 10.42.99.0/255.255.255.0 delay_access 1 allow clientes localhost !limitados delay_access 2 allow limitados delay_access 1 deny all delay_access 2 deny all 
Dunno if is correct but is an example, you can investigate more. Reply 61 bitou February 26, 2007 This fw.proxy is to be started every time the computer is started, manually. Then only transparent proxy will work.Is there a method to do it automatically , so that the script is executed on start up even without the need of the user to log in. Regards Reply 62 nixcraft February 26, 2007 bitou, If you are using RedHat/CentOS/FC Linux type:
srieitbe sv evc pals ae

www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

12/56

3/7/12
ckofgitbe o hcni pals n

Linux: Setup a transparent proxy with Squid in three easy steps

If you are using Debian/Ubuntu Linux read this Reply 63 Coders2020 March 7, 2007 In the past I had serious problems with configuring squid on my local network. I am alrady under university firewall/proxy. Can I configure proxy under proxy(I know it has no pracktical use but just asking for testing purpose) ? Reply 64 Prabir Das March 19, 2007 its good education packeg to us Reply 65 Prashant Soni March 20, 2007 Hi, My name is Prashant. I am Sr.Network Engineer in an ISP. I would like to put a transparent proxy with bridge between our local networks and Internet. Id tryinn to configure squid transparent proxy with bridge couple of times, but yet not successful. I am explaining the scenario and hope somebody will help me. SCENARIO : We have 2 ip pools in our networks. 1. 128.0.0.0/18 (fake ip) 2. 59.x.x.96/27 (real ip) 3. 59.x.x.0/27 (Real IP Used in internetwork) We have one mikrotik master router from which both network goes to the radware(which is load balancer and using internetwork ip listed in a cisco). Now I want to put squid between mikrotik and radware (load-balancer) In my network nobody uses authentications so not needed. When, I configured the squid with trasparent proxy in bridge mod, sometimes it gives me acl errors. But when I changed in squid.conf access_allow all , no error comes but page is not loading till done. With this settings I can ping , traceroute to the internet from client addresses also but page is not loading. Ive done all configuration as stated in below link : http://freshmeat.net/articles/view/1433/ Please guide me regarding this matter. Regards, Prashant Reply 66 Nandkishor March 27, 2007 Hi, I have configured the DHCP server using ES Linux-4 .It having 2 ethernet cards. eth0 is used dhcp (Lan) & eth1 is connceted to Internet. 
eth0 using IP 192.x.x.x Netmask 255.255.255.0 Gateway 59.x.x.x (this is IP of eth1); eth1 using IP 59.x.x.x Netmask 255.255.255.240 Gateway 59.x.x.129. Client M/cs ping to IP of eth0, also ping to gateway of eth0 & ip of eth1. But not able to ping Gateway of eth1 (59.x.x.129) so they are not able to connect to the internet. So please give me the solution for this.
Reply

67 Nandkishor March 30, 2007
Hi, I have configured the transparent proxy with dhcp server. How do I block files for downloading like *.dll & *.mp3 & *.mp4 etc. for a specific time?
Reply

68 nixcraft March 30, 2007
Nandkishor, Please see this article
Reply

69 xaviero March 30, 2007
how about if i use another PC for router & gateway, then use another PC (SLES installed) just for transparent proxy (DMZ). the proxy already worked, but it's not transparent. what should i do with the iptables? advice please
Reply

70 Nandkishor April 3, 2007
Hi, I have configured many virtual hosts at one server and added the same big file in all those virtual hosts. But because of this big file more size is required. So is it possible for me to create one folder on that server, put that file there & give the path of that folder in all the virtual hosts? But how is it possible? Please give me the solution for this.
Reply

71 Nandkishor April 3, 2007
Hi, I have seen the article for blocking of the .dll, .mp3, .mp4, .exe & many file downloads, & did the configuration. But this is not working to block the file downloads. Please give me the solution for this.
Reply

72 Gurpinder Singh April 7, 2007
hello everybody i want to configure a squid server on fedora core 5. i want that the range of ip addresses 192.168.1.1-192.168.1.60 and 192.168.1.101-192.168.1.160 has internet running on these client machines, and no internet on the other ip addresses, i.e. 192.168.1.61-192.168.1.100. please urgently reply to me on my mail address. Gurpinder Singh
Reply

73 Alex Ling April 10, 2007
Hi all i would like to know how to forward HTTP requests to other proxies (like privoxy). Thanks.
Reply

74 mark April 26, 2007
Good day. I'm currently running squid 2.5 on my CentOS server. I needed authentication for my users before accessing the internet (80, 21, 443, etc) so I configured it correspondingly. However, one of my clients needs to access an ftp server which enforces a username and password authentication. Squid tries to connect using an anonymous user rather than prompting for a password. My question being: How could I enable user authentication to public ftp servers if my machine is behind a squid proxy server?
I'd appreciate your best effort. Thanks in advance.
Reply

75 pankaj chauhan April 28, 2007
hello everybody, i have a squid proxy server. my server ip is 192.168.0.1, my client ips are 192.168.0.2 to 192.168.0.240. internet is working properly on the clients. is it possible that the first 30 clients (192.168.0.2-192.168.0.30) get more bandwidth than the rest of the clients? please tell me what change to make in the squid.conf file for it.
Reply
76 Tapan May 3, 2007
how to prevent bypassing sarg and dansguardian
Reply

77 tushar May 9, 2007
Hi All, My name is tushar and i want to make a project on squid proxy server, because I want to submit the complete project on squid proxy server. Thanks. Tushar Raut
Reply

78 Frank May 10, 2007
Is there any indication to use some sort of virus/malware filter in this setup, aka HAVP HTTP. http://www.server-side.de/ Cheers! Frank
Reply

79 chandrakant May 24, 2007
Hi, Thanks for the fw.proxy file. After enabling this file I'm able to run my system as router and proxy server. But after restarting the server I'm receiving so many log messages. Please have a look and tell me how I can block them. Due to this my server is responding slowly. System log:
May 24 12:45:06 pune dbus: Cant send to audit system: USER_AVC pid=2658 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=root:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus
May 24 11:28:21 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=000 PREC=000 TTL=128 ID=29613 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:22 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=000 PREC=000 TTL=128 ID=29615 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:23 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=000 PREC=000 TTL=128 ID=29616 PROTO=UDP SPT=137 DPT=137 LEN=58
Regards, Chandrakant
Reply

80 csbot May 24, 2007
chandrakant, Remove last line:
iptables -A INPUT -j LOG

BTW, log will not slow down your server.
Reply

81 cedric May 27, 2007
your instructions work good but i can't connect to my network printer and another server on my lan. also having problems setting up a static ip for eth0. i followed the instructions from the link you gave. i tried to do it several times and always had to go back to using dhcp. i need some help and what gateway would i use for eth0?
Reply

82 Chandrakant May 31, 2007
Hi, One more problem i am facing with the above configuration. I am not able to use web access of exchange 2003 server, and the office scan http url. can anybody help me resolve this. Chandrakant
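As an added example (not from the original post, nixcraft or the fw.proxy script), here is a small POSIX shell/awk summariser for the kind of kernel log lines chandrakant pasted in comment 79. It reads the output of the article's "iptables -A INPUT -j LOG" rule, groups dropped packets by protocol, destination port, source and destination, and prints the noisiest flow first, so you can see what is filling the log before deciding whether to drop the LOG rule as csbot suggests. The dbus line and the three UDP kernel lines are copied from comment 79; the fourth kernel line is constructed so the summary shows a second group.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines so the source of log noise is
# visible. Not part of fw.proxy. The first four sample lines are from comment 79
# above; the last line is constructed for illustration.
FW_LOG='May 24 12:45:06 pune dbus: Cant send to audit system: USER_AVC pid=2658 uid=81 loginuid=-1 message=avc: denied { send_msg } for scontext=root:system_r:unconfined_t tcontext=user_u:system_r:initrc_t tclass=dbus
May 24 11:28:21 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=000 PREC=000 TTL=128 ID=29613 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:22 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=000 PREC=000 TTL=128 ID=29615 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:28:23 pune kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:85:64:d7:3e:08:00 SRC=10.20.204.70 DST=10.20.255.255 LEN=78 TOS=000 PREC=000 TTL=128 ID=29616 PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 11:30:01 pune kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:14:85:64:d7:3e:08:00 SRC=10.20.204.71 DST=10.20.204.1 LEN=60 TOS=000 PREC=000 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarize_fw_log: reads log lines on stdin, keeps only the kernel packet
# log entries, and prints "count proto dport src dst", highest count first.
summarize_fw_log() {
    grep 'kernel: IN=' | awk '{
        src = ""; dst = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=");
            if (n < 2) continue;            # flags such as DF or SYN have no "="
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (src != "") count[proto " " dpt " " src " " dst]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# noisiest_flow: the single busiest group in the sample log.
noisiest_flow() {
    printf '%s\n' "$FW_LOG" | summarize_fw_log | head -n 1
}

# is_broadcast_dst SUMMARY_LINE: true when the destination ends in .255, the
# signature of the NetBIOS name-service (UDP 137) chatter seen in comment 79.
is_broadcast_dst() {
    case "$1" in
        *.255) return 0 ;;
        *) return 1 ;;
    esac
}

noisiest_flow
```

Running the sample prints `3 UDP 137 10.20.204.70 10.20.255.255`: three NetBIOS name-service broadcasts (UDP 137 to the subnet broadcast address) from one Windows host, which is ordinary LAN chatter rather than a sign of trouble. Instead of deleting the LOG line, a practitioner can keep it and silence only that pattern with a rule placed before it (comment 85 below notes that extra rules go before the "DROP everything and Log it" line), for example `iptables -A INPUT -i eth0 -p udp --dport 137 -j DROP`, so the log keeps recording everything else that is dropped.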
Reply

83 bhupesh karankar June 1, 2007
Hello Friend, i am bhupesh karankar, i have a problem in squid. as above, i have implemented squid on my server. but still my client is not able to access mail via outlook with squid. waiting for your reply. i have the same configuration as above. waiting for your reply, need help. Bhupesh Karankar bkarankar@gmail.com 0998110488
Reply

84 Brent June 1, 2007
Thanks for posting the transparent proxy script. It works very well. I like the way you chose to close everything and only open what you need. I do need to open a few ports, like https (443) and possibly one or two more (ssh). Can you post how you would do this? Thanks.
Reply

85 vivek June 1, 2007
Find line
# DROP everything and Log it

Add your iptables rules before that line. Remember you must deal with eth0 and eth1, otherwise you will create a new security issue.
Reply

86 bhupesh karankar June 2, 2007
hello, this is a nice script. but when i use this, it blocked smb and squid and my web server. what to do? waiting for reply. bkarankar@gmail.com bhupesh karankar
Reply

87 vivek June 2, 2007
bhupesh, Open those ports using iptables rules as this script locks down everything. read my comment # 82. If you have more questions please post to our forum.
Reply

88 Maroon Ibrahim June 11, 2007
Prashant!!! allow access for ICP Regards
Reply

89 Nandkishor June 11, 2007
Hi, I configured the transparent proxy & also set the IPtables. This is working fine. But recently I have been hit by a problem. If I try to open any site like gmail.com or any other sites, some times they work but some times they give the following error:
The requested URL could not be retrieved
While trying to retrieve the URL: http://gmail.com/
The following error was encountered:
Unable to determine IP address from host name for gmail.com
The dnsserver returned:
Refused: The name server refuses to perform the specified operation.
This means that: The cache was not able to resolve the hostname presented in the URL. Check if the address is correct.
Your cache administrator is root.
Please give me the solution for this. Regards, Nandkishor
Reply

90 Linuxnewbie June 11, 2007
Hi, I need to install a transparent proxy with squid caching, but my eth0 is connected using DHCP, so what all changes need to be done? Thank you for publishing your experiences and configurations. Regards
Reply

91 vivek June 11, 2007
Hi Linuxnewbie, Make sure eth0 always gets the same IP; if not possible modify the script to obtain the IP address using the following statement:
ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}'

Set SQUID_SERVER as follows:


SQUID_SERVER=$(ifconfig eth0 | grep 'inet addr:' | cut -d':' -f2 | awk '{ print $1}')

NOTE: you only need to use the above if the SQUID_SERVER ip is dynamic; otherwise it should work out of the box. HTH
Reply

92 linxnewbie June 12, 2007
Thanks for the reply, so no need to make any changes in the IPTABLES, right?
Reply

93 chandar June 25, 2007
Hi Vivek, I configured squid/2.6.STABLE12 with the help of your script file. Below is my N/W scenario: client > Squid + Router > pix > Router > Internet. In this case everything is working very fine. For a few minutes. After some time the client is not able to ping the gateway, that is my squid server. But the client is able to ping the next hop ip, i.e. the Pix ip or router ip. This problem is resolved when I restart the network service of the Linux machine, and it happens every time. Please find below the linux machine iptables snap.
# squid server IP
SQUID_SERVER=10.30.200.1
# Interface connected to Internet
INTERNET=eth0
# Interface connected to LAN
LAN_IN=eth1
# Squid port
SQUID_PORT=3128
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Reply

94 permittivity March 6, 2011
check /etc/resolv.conf on the gateway and squid while the network is working fine, then when it's not working fine, check it again
Reply

95 chandar June 25, 2007
Hi Vivek, I configured squid/2.6.STABLE12 with the help of your script file. Below is my N/W scenario: client > Squid + Router > pix > Router > Internet. In this case everything is working very fine. For a few minutes. After some time the client is not able to ping the gateway, that is my squid server. But the client is able to ping the next hop ip, i.e. the Pix ip or router ip. This problem is resolved when I restart the network service of the Linux machine, and it happens every time. Please help me to resolve this issue. Regards, Chandru
Reply

96 shellyacs June 27, 2007
Need help. I have read the forum on transparent proxy. I have followed it to the letter. I cannot get it to work. I am using Suse linux 10.2.
I can get to the internet from the workstations, but only if I set up the squid server as a proxy in IE. Any help would be greatly appreciated. Thanks
Reply

97 Amrendra July 6, 2007
I have used the above kind of firewall (IPTABLES). I don't want to use a transparent proxy because we need to use authentication, and if I am allowing forward and unlimited access to the LAN then they are also able to bypass the proxy to use the internet. So can anyone give me a solution that, for accessing websites (http/https), people must go through the Proxy and its authentication, and for everything else they should be allowed from the LAN; everything else includes (FTP, DNS) responses. Thanks Amrendra.
Reply

98 forweb July 9, 2007
I had got some errors when I used the instructions above, 400 something like "syntax of the request was wrong". The script above works great but this is what I had to add to get it to work on my ubuntu 7.04 squid.conf:
http_port 80
http_port 192.168.1.9:3128 transparent
(this is the NIC connected to the internet)
acl jamal_net src 192.168.2.0/24
(this is the LAN NIC)
http_access allow jamal_net
http_access allow localhost
Change your IPs to comply with your above script. Start your squid.conf, start your fw-proxy, add it to rc.local so it will boot at startup.
Reply

99 oj July 16, 2007
Excellent write-up. Very helpful to me
Reply

100 Slavko July 26, 2007
From SquidFaq: For Squid-2.6 and Squid-3.0 you simply need to add the keyword transparent to the http_port that your proxy will receive the redirected requests
on, as the above directives are not necessary and in fact have been removed in those releases:
http_port 3128 transparent

Reply

101 eq1425 July 29, 2007
hi all, will this shell script work even if i install a redirector program (i.e. squidguard) on squid? and how?? thanks
Reply

102 John August 5, 2007
I work in a public library and we provide wireless access to our patrons. No configuration is required on their laptops because transparent proxying is in effect, via a rule in SUSE Firewall. I'm using SUSE 10.2, SQUID, Dansguardian, and the SUSE2 Firewall. Is it possible with my existing setup to also forward users to a custom home page that I have set up? This page will have our wireless policy, etc. on it. If so, how exactly would this be done? Thanks!
Reply

103 ankush August 7, 2007
how to configure the best squid server on RHEL 5? i have created it on RHEL 4 but i have a problem with RHEL 5
Reply

104 Mani August 8, 2007
Hi, when i execute squid -z, the following error appears:
FATAL: Could not determine fully qualified hostname. Please set visible_hostname
Squid Cache (Version 2.6.STABLE13): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Aborted
but i configured visible_hostname myhostname in my squid.conf file. still the same error is coming again. what can i do?
Reply
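Comments 98, 100 and 104 turn on the same two squid.conf details: Squid 2.6 and 3.0 want the `transparent` keyword on an `http_port` line (the old `httpd_accel_*` directives are gone), and `squid -z` aborts unless `visible_hostname` is set on an active, not commented-out, line. The checker below is an added example written for this thread, not code from nixcraft or the Squid project; it reuses the article's grep/sed idea for stripping comments and blank lines, and the two sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example: sanity-check a squid.conf for transparent-proxy use on Squid 2.6+.
# Not from the article or from Squid; directive names are the ones quoted in the thread.

# active_directives FILE: squid.conf minus comment and blank lines, the same
# idea as the grep/sed one-liner used to list the article's squid.conf.
active_directives() {
    grep -v '^[[:space:]]*#' "$1" | sed '/^[[:space:]]*$/d'
}

# check_transparent_conf FILE: print every problem found and return 1 if any,
# 0 if the file looks usable for a transparent proxy.
check_transparent_conf() {
    conf=$1
    rc=0
    if ! active_directives "$conf" | grep -Eq '^http_port[[:space:]].*[[:space:]]transparent([[:space:]]|$)'; then
        echo "missing: an http_port line carrying the 'transparent' keyword (Squid 2.6/3.0)"
        rc=1
    fi
    if active_directives "$conf" | grep -q '^httpd_accel_'; then
        echo "obsolete: httpd_accel_* directives are Squid 2.5 only and were removed in 2.6/3.0"
        rc=1
    fi
    if ! active_directives "$conf" | grep -Eq '^visible_hostname[[:space:]]+[^[:space:]]'; then
        echo "missing: visible_hostname on an active line ('squid -z' aborts without it)"
        rc=1
    fi
    return $rc
}

# demo: write two constructed configs and report how many problems each has.
demo() {
    dir=$(mktemp -d)
    # good: 2.6-style transparent port, hostname set, LAN ACL as in the article
    printf '%s\n' \
        'http_port 192.168.1.9:3128 transparent' \
        'visible_hostname proxy.example.lan' \
        'acl lan src 192.168.2.0/24' \
        'http_access allow lan' > "$dir/good.conf"
    # bad: 2.5-style accel directive, no transparent keyword, hostname commented out
    printf '%s\n' \
        'httpd_accel_host virtual' \
        'http_port 3128' \
        '# visible_hostname proxy.example.lan' > "$dir/bad.conf"
    good=$(check_transparent_conf "$dir/good.conf" | wc -l | tr -d ' ')
    bad=$(check_transparent_conf "$dir/bad.conf" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "good.conf problems: $good, bad.conf problems: $bad"
}

demo
```

The third check is the one that explains Mani's situation in comment 104: a `visible_hostname` line that is present but commented out, or that sits in a squid.conf other than the one Squid actually reads, does not count, so the check only looks at active lines of the file you pass it.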
105 IRFAN August 13, 2007
does anyone have a squid configuration that can be used anywhere?
Reply

106 Mark Ng August 15, 2007
I have a box running a public IP on eth0 and a private IP on eth1. Everything seems to be working but my sites running apache can't be accessed via their public IP anymore. However I can still access them via eth1. Any help is appreciated.
Reply

107 Abdul Latif August 17, 2007
Sir, is there any solution regarding linux Squid Proxy which is responsible to handle two ADSL internet connections: combining bandwidth, providing load sharing, feed back if one connection goes down.
Reply

108 Elliott August 20, 2007
Thanks for your excellent site. I have followed your guide and set this up successfully. I will recommend this guide to anyone setting up a squid server. Elliott, Systems Administrator
Reply

109 Rith November 21, 2011
Hi ALL, i want to allow windows 7 to be activated by using the internet proxy server, but i can't do it. Please give me some advice? THANKS.
Reply

110 Chris August 26, 2007
What about setting this up using the latest version of Squid? Fedora 6 comes with squid but the parameters mentioned above are not there. They have been updated. Any help?
Reply

111 Chris August 26, 2007
DUH, i see the post explaining it. Disregard my last post
Reply

112 vijay August 30, 2007
I would like to know how to configure ftp and proxy for my internal use and external (internet) ftp with proxy. Please help
Reply

113 king of the internet September 18, 2007
You said allowing port 443 out solves your problems, but in fact it creates more. Now users can simply use SSL-based web proxies to tunnel past your proxy. This means no logging, control, nothing. For example, try https://vtunnel.com/
Reply

114 vivek September 19, 2007
King, You cannot redirect port 443 with a transparent proxy and this is the only solution. The other option is to disable the transparent proxy and use a port such as 3128.
HTH
Reply

115 Saji Alexander October 22, 2007
Hi, I had gone through your notes. It is very good and interesting. I have 2 network cards in my squid proxy server on centos. I need all the users to access only certain sites during the office hours and after office hours they can access any sites as they wish. This should not be applicable for managers, who can access any site at any time. This I made, but when I configured squid I had given the port 8080 instead of 3128, the default port. If the end users remove the proxy (ip of squid server) then they can access any site during the office hours. How to disable this???? Something to do with the firewall. I tried but I failed. I am pasting it; can you correct it?
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
squid_server has two network cards. One is having an internal ip and the other an external ip. I had given the external ip for SQUID_SERVER. SQUID_PORT is 8080. Thanks and Regards, Saji Alexander.
Reply

116 Wolfox October 25, 2007
Anyone know how to get these instructions working on SuSe 9 Enterprise Edition? It looks like some of the syntax doesn't work, because in my case I cannot get it to work. Please help, I'm a newbie that is very eager to learn about proxying. Please Help. Thanks in advance
Reply

117 hanz October 25, 2007
I have read your instructions but I have the same question as Saji Alexander. I have been trying to figure this out but failed. Is it possible to force all browsers on a server running transparent proxy to use its proxy service for their web traffic? The server has dual interfaces. Thanks hanz
Reply

118 vivek October 25, 2007
@Saji, You have to define a TIME based ACL for squid to put time based restrictions. @hanz, yup, this config forces all http traffic via squid.
Reply

119 harish November 24, 2007
Hi Dear, Thanks for very simple steps. Harish
Reply

120 fmstereo November 28, 2007
I have configured the transparent proxy but not all users are able to use it.
Most of them must have the proxy in their browsers; just a few are able to connect without having to configure. And it is very slow with transparent proxy. Any suggestions?
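Comment 91 (SQUID_SERVER has to track a dynamic eth0 address) and comments 115 to 118 (users unsetting the browser proxy and getting out anyway) both come down to how the PREROUTING rule is written. The script below is an added example, not the article's fw.proxy and not from the Squid project. It uses REDIRECT instead of DNAT for the case where Squid runs on the router itself, so no Squid address has to be looked up at all, and adds a FORWARD rule as a backstop. The variable names IPT, LAN_IN and SQUID_PORT are this example's own; by default IPT only echoes the rules, so the script can be read and tested without root.

```shell
#!/bin/sh
# Added example (not fw.proxy): the LAN-side rules for a transparent proxy that
# runs on the router itself. IPT defaults to a dry run that prints the commands;
# run with IPT=iptables as root to apply them. Variable names are this example's own.
IPT=${IPT:-"echo iptables"}
LAN_IN=${LAN_IN:-eth1}       # interface facing the 192.168.2.0/24 LAN
SQUID_PORT=${SQUID_PORT:-3128}

# transparent_proxy_rules: emit the rules in the order they must be applied.
transparent_proxy_rules() {
    # 1. Port-80 traffic entering from the LAN goes to Squid on this host.
    #    REDIRECT targets the address of the interface the packet arrived on,
    #    so no SQUID_SERVER value is needed and a DHCP-assigned eth0 is irrelevant.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # 2. Accept the redirected connections on the LAN interface only (INPUT policy
    #    is DROP in the article's script, and the Internet side must stay closed).
    $IPT -A INPUT -i "$LAN_IN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # 3. Backstop: if the nat rule is ever missing (for example fw.proxy not run at
    #    boot, the problem in comment 61), plain port-80 traffic must not be routed
    #    around Squid. Redirected packets go to INPUT, never FORWARD, so this rule
    #    only ever matches traffic that would have bypassed the proxy.
    $IPT -A FORWARD -i "$LAN_IN" -p tcp --dport 80 -j REJECT
}

# rule_count_for TARGET: number of emitted rules using that target (dry run).
rule_count_for() {
    transparent_proxy_rules | grep -c -- "-j $1"
}

transparent_proxy_rules
```

With IPT unset the first line printed is `iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128`. This has the same effect as the article's DNAT rule for the single-box case; the DNAT form is still the one to use when Squid lives on a different host than the router, and, as vivek notes in comment 114, neither form catches port 443.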
Reply

121 Babu Ram Dawadi December 12, 2007
thanks for your three steps to create transparent proxy but i am not sure it works with squid 2.6 stable 13, because i tried your steps on this squid 2.6. maybe this article suits squid 2.5. :) hi fmstereo>> i think you have to enable one option on your proxy which is previously off, like the following: httpd_accel_no_pmtu_disc off; change it to httpd_accel_no_pmtu_disc on
Reply

122 Atman December 12, 2007
Why not use only one utility to filter out comments and empty lines when going through squid.conf:
grep -v ^# /etc/squid/squid.conf | grep -v ^$
or if you prefer sed:
sed '/ *#/d; /^ *$/d' < /etc/squid/squid.conf
Reply

123 arun December 13, 2007
give me the steps for linux centos proxy setting and iptables config and many more services starting
Reply

124 Vijay Godiyal December 20, 2007
Hello Friends, Need help from you. I had configured my squid server, squid+dansguardian with Linux RHCL-4. It's working absolutely fine for an hour but after about 1 hr it's getting slow and stops working. I'm not able to understand the problem. normal proxy is working fine but when it gets started with dansguardian then the problem comes. can someone help me out on this? i have squid version squid-2.5.STABLE6-3.4E.11 and dansG is dansguardian-2.8.0.6-1.2.el4.rf. following is the conf file dansguardian.
#################################################
# DansGuardian config file for version 2.8.0
# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf

# Web Access Denied Reporting (does not affect logging)
#
# -1 = log, but do not block - Stealth mode
#  0 = just say Access Denied
#  1 = report why but not what denied phrase
#  2 = report fully
#  3 = use HTML template file (accessdeniedaddress ignored) - recommended
#
reportinglevel = 3

# Language dir where languages are stored for internationalisation.
# The HTML template within this dir is only used when reportinglevel
# is set to 3.
# When used, DansGuardian will display the HTML file instead of
# using the perl cgi script. This option is faster, cleaner
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
#
languagedir = /etc/dansguardian/languages

# language to use from languagedir.
language = ukenglish

# Logging Settings
# 0 = none  1 = just denied  2 = all text based  3 = all requests
loglevel = 2

# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through. Can be useful for diagnosing
# why a site gets through the filter. on | off
logexceptionhits = on

# Log File Format
# 1 = DansGuardian format  2 = CSV-style format
# 3 = Squid Log File Format  4 = Tab delimited
logfileformat = 1

# Log file location
#
# Defines the log directory and filename.
#loglocation = /var/log/dansguardian/access.log

# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to only 1 IP. Yes only one.
filterip =

# the port that DansGuardian listens to.
filterport = 3128

# the ip of the proxy (default is the loopback i.e. this server)
proxyip = 172.16.24.12

# the port DansGuardian connects to proxy on
proxyport = 8080

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied
# Do NOT change from the default if you are not using the cgi.
#
accessdeniedaddress = http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl

# Non standard delimiter (only used with accessdeniedaddress)
# Default is enabled but to go back to the original standard mode disable it.
nonstandarddelimiter = on

# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image. This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# 0 = off
# 1 = on (default)
usecustombannedimage = 1

filtergroupslist = /etc/dansguardian/filtergroupslist

# Authentication files location
bannediplist = /etc/dansguardian/bannediplist
exceptioniplist = /etc/dansguardian/exceptioniplist
banneduserlist = /etc/dansguardian/banneduserlist
exceptionuserlist = /etc/dansguardian/exceptionuserlist

# Show weighted phrases found
# If enabled then the phrases found that made up the total which exceeds
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on

# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
#
weightedphrasemode = 2

# Positive result caching for text URLs
# Caches good pages so they don't need to be scanned again
# 0 = off (recommended for ISPs with users with dissimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit
urlcachenumber = 5000
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins
urlcacheage = 9000

# Smart and Raw phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# CPU usage can be effectively halved by using setting 0 or 1
# 0 = raw only
# 1 = smart only
# 2 = both (default)
phrasefiltermode = 2

# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases. However this can break Big5 and
# other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case
preservecase = 0

# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable. However this can break Big5 and other 16-bit texts.
# 0 = disabled (default)
# 1 = enabled
hexdecodecontent = 0

# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# 0 = off (default)
# 1 = on (Big5 compatible)
forcequicksearch = 0

# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists. This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off

# Reverse lookups for banned and exception IP lists.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer. This means you can put in hostnames in
# the exceptioniplist and bannediplist.
# It will reduce searching speed somewhat so unless you have a local DNS server,
# leave it off.
reverseclientiplookups = off

# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%. On slow computers this will
# be significant. Fast computers do not need this option. on | off
createlistcachefiles = on

# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kibibytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#maxuploadsize = 512
#maxuploadsize = 0
maxuploadsize = -1
# Max content filter page size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The size is in Kibibytes eg 2048 = 2Mb
# use 0 for no limit
maxcontentfiltersize = 256

# Username identification methods (used in logging)
# You can have as many methods as you want and not just one. The first one
# will be used then if no username is found, the next will be used.
# * proxyauth is for when basic proxy authentication is used (no good for
#   transparent proxying).
# * ntlm is for when the proxy supports the MS NTLM authentication
#   protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED**
# * ident is for when the others don't work. It will contact the computer
#   that the connection came from and try to connect to an identd server
#   and query it for the user owner of the connection.
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off

# Preemptive banning - this means that if you have proxy auth enabled and a user accesses
# a site banned by URL for example they will be denied straight away without a request
# for their user and pass. This has the effect of requiring the user to visit a clean
# site first before it knows who they are and thus maybe an admin user.
# This is how DansGuardian has always worked but in some situations it is less than
# ideal. So you can optionally disable it. Default is on.
# As a side effect disabling this makes AD image replacement work better as the mime
# type is known.
preemptivebanning = on

# Misc settings

# if on it adds an X-Forwarded-For: to the HTTP request
# header. This may help solve some problem sites that need to know the
# source ip.
# on | off
forwardedfor = off

# if on it uses the X-Forwarded-For: to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off

# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored. These are logged by syslog. It is safe to leave
# it on or off
logconnectionhandlingerrors = on

# Fork pool options

# sets the maximum number of processes to spawn to handle the incoming
# connections. Max value usually 250 depending on OS.
# On large sites you might want to try 180.
maxchildren = 120

# sets the minimum number of processes to spawn to handle the incoming connections.
# On large sites you might want to try 32.
minchildren = 8

# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 8.
minsparechildren = 4

# sets the minimum number of processes to spawn when it runs out
# On large sites you might want to try 10.
preforkchildren = 6

# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64.
maxsparechildren = 32

# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000.
maxagechildren = 500

# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of DansGuardian on a single machine.
# Remember to edit the log file path above also if that is your intention.

# IPC filename
#
# Defines IPC server directory and filename used to communicate with the log process.
ipcfilename = /tmp/.dguardianipc

# URL list IPC filename
#
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process.
urlipcfilename = /tmp/.dguardianurlipc

# PID filename
#
# Defines process id directory and filename.
#pidfilename = /var/run/dansguardian.pid

# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off ( defaults to off )
nodaemon = off

# Disable logging process
# on|off ( defaults to off )
nologger = off

# Daemon runas user and group
# This is the user that DansGuardian runs as. Normally the user/group nobody.
# Uncomment to use. Defaults to the user set at compile time.
#daemonuser = nobody
#daemongroup = nobody

# Soft restart
# When on this disables the forced killing off all processes in the process group.
# This is not to be confused with the -g run time option - they are not related.
# on|off ( defaults to off )
softrestart = off
Reply

125 Robert December 22, 2007
I am building a rather unique Proxy server. I need to be able to forward requests by matching the destinations to 3 lists: - blacklist -> Block, - freelist -> Forward to upstream Proxy with specified username and password, same for all, - DirectAccesslist -> Retrieve directly. Whatever is remaining is forwarded to the upstream proxy which will request username and password for charging purposes. The AD and charging side of this I will work out later; it is the routing with creds by list lookup that I have no idea where to start..
Site info 300 computers, 1000 users, 40M internet link I have a Dual Xeon 1.6 with 2G ram SCSI HW Raid HDD Server for the task (retired Ms Server) Ideas? Thanks Reply 126 Sai Wunna Aung January 5, 2008 hello all friends, pls help me. now i created squid 2.6 server on windows server 2003. but our ISP is burnned some websites.e.g http://mail.yahoo.com, https://mail.google.com .so, i want to open that web site and other to squids redirect setting. i want to know http redirect setting of squid 2.6. best reguards,
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 26/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Sai Wunna Aung Network Technician Reply 127 Ali Bhai January 8, 2008 hey, nice work. I appreciate the way u spread your knowledge just alike a teacher spreads to new bies. Thx Again Reply 128 Ambot January 11, 2008 Hey guys, How do i able to open the ports in proxy? i have the problems on my network, in which i cant able to view webcam and voice in the yahoo messenger As what i know 5000-5010 used for voice both tcp and udp while 5100 for video as tcp I put it in Safe_ports but it seems not working And also im not able to upload files but good downloadings. Reply 129 Sajid January 11, 2008 Hi, Please help me to solve this problem. i have four network cards in linux machine 3 NC for WAN 1 for local LAN my squid is sending all the internet traffic to only on one network card other two are free its is possible that squid bind three wan NC and combine the Internet. thanks Reply 130 Arulkumar January 19, 2008 how to manage users browsing time quotas by squid. Example: Set a limit of 1 hour per day for the user Reply 131 dennyhalim January 24, 2008 dual xeon with 8 gig ram? how many (hundreds?) users this monster serve??? im using old refurbished p3 with 384meg ram serving 50+ heavy downloaders users with no problem. and, with ipcop, it only takes TWO clicks to activate transparent proxy from its web gui. off course, you learn nothing with ipcop. coz its simply usable and minimal learning curve. youll learn a lot from getting dirty on cli. :) Reply 132 Mangal January 31, 2008 How can we block PC using Mac addresses ? I tried by: acl block arp 12:23:43:df:32:df but my squid does not know keyword arp for solving this i tried to rebuild it but i failed can u help me to rebuild ? Reply 133 vivek January 31, 2008 Mangal, See our Squid MAC Filtering FAQ Reply 134 Anas January 31, 2008 Dear all
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 27/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Need Help . I have Squid 2.6 STABLE6 Actually when I add httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on acl Tiajri src 10.0.0.0/24 http_access allow localhost http_access allow Tijari and when I tried to Stop And Start Squid service it gaves me Faild to start Faild . please help me Reply 135 Pirkia.lt admin February 2, 2008 Simple script to save your users from badware:
#!/bin/bash
URL0=http://www.mvps.org/winhelp2002/hosts.txt
URL1=http://everythingisnt.com/hosts
SQUIDBADWARE=/etc/squid/badware_list
BADWARESTATS=/etc/squid/badware_stats
wget $URL0 -O /tmp/SQUIDBADWARE0 -o /dev/null
wget $URL1 -O /tmp/SQUIDBADWARE1 -o /dev/null
BADWARE0=`cat /tmp/SQUIDBADWARE0`
echo "$BADWARE0" >> /tmp/SQUIDBADWARE1
cat /tmp/SQUIDBADWARE1 |grep 127.0.0.1|sed 's/127.0.0.1 //g' >/tmp/SQUIDBADWARE2
cat /tmp/SQUIDBADWARE2 |grep -v localhost|cut -d " " -f 1>/tmp/SQUIDBADWARE3
rm $SQUIDBADWARE.backup
mv $SQUIDBADWARE $SQUIDBADWARE.backup
cp /tmp/SQUIDBADWARE3 $SQUIDBADWARE
SUM=`wc -l $SQUIDBADWARE`
DATE=`date +%Y-%m-%d`
echo "$DATE $SUM" >> $BADWARESTATS
rm /tmp/SQUIDBADWARE0 /tmp/SQUIDBADWARE1 /tmp/SQUIDBADWARE2 /tmp/SQUIDBADWARE3
/etc/init.d/squid reload >/dev/null

To squid.conf add/update the following lines:

acl BADWARE_LIST_1 dstdomain url_regex -i "/etc/squid/badware_list"
deny_info ERR_BADWARE_ACCESS_DENIED BADWARE_LIST_1
...
http_access deny BADWARE_LIST_1
http_access deny !Safe_ports BADWARE_LIST_1
http_access deny CONNECT !SSL_ports

Don't forget to add this script to your crontab:

crontab -e
30 23 * * * /data/scripts/squidguard.sh
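As an added example (my code, not the script posted above), here is a parser for the hosts-format blocklists that script downloads. It handles what the grep/sed/cut pipeline misses (tab-separated entries, 0.0.0.0 sinkhole lines, trailing comments, several aliases on one line, names Squid would reject) and writes a plain dstdomain file; the sample input and output path are constructed assumptions.

```python
"""Build a Squid dstdomain blocklist from hosts-file style lists.

Added example, not the script posted above. It replaces that script's
grep/sed/cut pipeline with a parser that also copes with tab-separated
entries, 0.0.0.0 sinkhole lines, trailing comments, aliases on one line and
names that are not valid hostnames (which would make Squid reject the ACL file).
"""
import re

# Entries every hosts file carries; they must never end up in the blocklist.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
# Sinkhole addresses that hosts-style blocklists point blocked names at.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True if name is a syntactically valid, fully qualified hostname."""
    if len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts_blocklist(text):
    """Return the sorted, de-duplicated blocked names found in hosts-file text."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()                 # any whitespace, tabs included
        if fields[0] not in SINKHOLE_IPS:
            continue                          # a real host mapping, not a block entry
        for host in fields[1:]:               # a line may list several aliases
            host = host.lower().rstrip(".")
            if host in LOCAL_NAMES or not valid_hostname(host):
                continue
            names.add(host)
    return sorted(names)


def write_dstdomain_file(names, path):
    """Write names one per line, the format Squid's dstdomain ACL reads from a file."""
    with open(path, "w") as fh:
        fh.write("".join(n + "\n" for n in names))
    return len(names)


# Constructed sample in the format of the hosts lists the script above fetches.
SAMPLE_HOSTS = """\
# sample blocklist (constructed for this example)
127.0.0.1 localhost
127.0.0.1\tads.example.net   # tab separated, trailing comment
0.0.0.0   tracker.example.org telemetry.example.org
127.0.0.1 ads.example.net
127.0.0.1 bad_name.example   # underscore: not a valid hostname
192.168.1.10 fileserver.lan
"""

if __name__ == "__main__":
    # Output path is an assumption; the script above uses /etc/squid/badware_list.
    count = write_dstdomain_file(parse_hosts_blocklist(SAMPLE_HOSTS),
                                 "/tmp/badware_list.example")
    print(f"{count} names written")
```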

136 Faisal February 5, 2008
Dear, I am using CentOS Linux server. here I dont need to define proxy in squid.conf. kindly guide me how to use without ISP proxy. also i have 3 DSL modems connected in office and i need to configure all together: if 1 is not working it switches to the other automatically. your quick response will be highly appreciated. Best Regards. Faisal

137 Santosh February 8, 2008
Hi, This site is good with good comments. can you help me. i am using the same config. Pls clear my 2 doubts.
1. after making proxy transparent, the sites which are blocked in squid-block.acl does not work from client pc (again if we use a proxy server then only it works).
2. how to block a website (such as http://www.youtube.com) using iptables.
regards, Santosh

138 Santosh February 8, 2008
hello, pls reply ASAP. regards, santosh

139 nandhakumar February 22, 2008
Hi all, I configured squid proxy in our office but problem is outlook express not working. please help me out.. regards nandha

140 vaibhavraj June 29, 2010
Hi, Just put IP of outlook machine as an acl in squid.conf. It will work. Regards, Vaibhavraj

141 Sulman March 5, 2008
Dear, i have 3 NIC in Squid Proxy, One connects with Lan and other 2 connect with 2 DSL modems. I want to combine more than 1 DSL link speed together. Kindly help me regarding this, what will need to be configured in Linux. Help me ASAP. Thanks

142 Jit March 13, 2008
Hi, Ive configured my Squid as per your guidance but am not able to access any website from client nor Im able to ping. though Im able to open some of websites from their IP and even able to open control panel of my ADSL Router! Ive no clue where things are wrong! :( I wud highly be grateful to you to help me to fix this issue! here is the complete scenario of my network
[LAN] > e1 [ SQUID ] e0 -> [ADSL]
192.168.2.0 [LAN]
192.168.2.1 [e1 of squid]
192.168.1.2 [e0 of squid]
192.168.1.1 [adsl router ip]
waiting desperately! Rock on Jit

143 Yusuf March 15, 2008
I have configured SQUID PROXY with TRANSPARENT using this site help. Thanks

144 gautam April 8, 2008
I had gone through your notes. It is very good and interesting. I have 2 network cards in my squid proxy server on RHEL5. I need all the users to access only certain sites during the office hours and after office hours they can access any sites as they wish. This should not be applicable for managers who can access any site at anytime. This I made it, but when I configured squid I had given the port 8080 instead of 3128 the default port. The end users, if they remove the proxy (ip of squid server), then they can access any site during the office hours. How to disable this???? Something to do with firewall. I tried but I failed. I am pasting it, can you correct it.
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
squid_server has two network cards. One is having internal ip and the other external ip. I had given external ip for SQUID_SERVER. SQUID_PORT is 8080. Please help me.. It is very urgent. Thanks and Regards,

145 flex April 11, 2008
I have a clarkconnect linux box. am not that good in linux but can configure when given the example. My network has layer three switch which does the routing for all Vlans. I have created a special Vlan where all traffic from the LAN Vlans is routed, connected this node to CC box LAN interface. Also i have added the static routes on the CC box and all vlans can access the internet properly. But i want to use proxy. WHEN I START THE SQUID PROCESS it blocks all outgoing traffic and gives me the ip and port to configure as proxy on browser settings, that i do but still cannot connect.
here is a file for my routes
Adding extra LANs on Clark Connect
#/etc/system/network file
EXTRALANS=10.0.2.0/24 10.0.3.0/24 10.0.4.0/24 10.0.5.0/24 10.0.6.0/24 10.0.7.0/24 10.0.8.0/24 10.0.9.0/24 10.0.10.0/24 10.0.11.0/24 10.0.12.0/24 10.0.13.0/24 10.0.14.0/24 10.0.15.0/24 10.0.16.0/24 10.0.17.0/24 10.0.18.0/24 10.0.19.0/24 10.0.20.0/24 10.0.21.0/24 10.0.22.0/24 10.0.23.0/24 10.0.24.0/24 10.0.25.0/24 10.0.26.0/24 10.0.27.0/24 10.0.28.0/24 10.0.29.0/24 10.0.30.0/24 10.0.31.0/24 10.0.32.0/24 10.0.33.0/24 10.0.34.0/24 10.0.35.0/24 10.0.36.0/24 10.0.37.0/24 10.0.38.0/24 10.0.39.0/24
#Adding Static routes to Clark Connect for Vlans to work with proxy
#This should work
#/etc/sysconfig/network-scripts/route-eth1
10.0.2.0/24 via 10.2.56.2
10.0.3.0/24 via 10.2.56.2
10.0.4.0/24 via 10.2.56.2
10.0.5.0/24 via 10.2.56.2
10.0.6.0/24 via 10.2.56.2
10.0.7.0/24 via 10.2.56.2
10.0.8.0/24 via 10.2.56.2
10.0.9.0/24 via 10.2.56.2
10.0.10.0/24 via 10.2.56.2
10.0.11.0/24 via 10.2.56.2
10.0.12.0/24 via 10.2.56.2
10.0.13.0/24 via 10.2.56.2
10.0.14.0/24 via 10.2.56.2
10.0.15.0/24 via 10.2.56.2
10.0.16.0/24 via 10.2.56.2
10.0.17.0/24 via 10.2.56.2
10.0.18.0/24 via 10.2.56.2
10.0.19.0/24 via 10.2.56.2
10.0.20.0/24 via 10.2.56.2
10.0.21.0/24 via 10.2.56.2
10.0.22.0/24 via 10.2.56.2
10.0.23.0/24 via 10.2.56.2
10.0.24.0/24 via 10.2.56.2
10.0.25.0/24 via 10.2.56.2
10.0.26.0/24 via 10.2.56.2
10.0.27.0/24 via 10.2.56.2
10.0.28.0/24 via 10.2.56.2
10.0.29.0/24 via 10.2.56.2
10.0.30.0/24 via 10.2.56.2
10.0.31.0/24 via 10.2.56.2
10.0.32.0/24 via 10.2.56.2
10.0.33.0/24 via 10.2.56.2
10.0.34.0/24 via 10.2.56.2
10.0.35.0/24 via 10.2.56.2
10.0.36.0/24 via 10.2.56.2
10.0.37.0/24 via 10.2.56.2
10.0.38.0/24 via 10.2.56.2
10.0.39.0/24 via 10.2.56.2
which other file should i configure for web proxy to work? IP and port CC is giving for proxy is 10.2.56.2 8080 or 3128 but does not work

146 Sohbet April 27, 2008
hey, nice work. I appreciate the way u spread your knowledge just alike a teacher spreads to newbies. Thx Again

147 Ye khaung May 8, 2008
I just test smooth wall express with in built squid. Not only in that squid but all, i cant find where to put web server chaining, i.e. forward request to upstream proxy (isp's proxy). Can any one explain me about following case. My server has 2 NIC cards.
Eth0 : 10.254.8.1.1 (internet)
Eth1 : 192.168.0.1 (Lan)
Subnet: 255.255.252.0
D.G : 10.254.8.1
My isp gives their proxy ip and port: 203.81.71.148:9090. They prevent direct access. In that case i want a proxy server of my own. I want my clients computers to use proxy of mine but not ISP. (i want them to put my server Eth1 no as a proxy ip and port 9090 in their IE and fire fox) Can any one give me a sample script? Please help me out. Our country is not very familiar with linux. S.O.S Ye Khaung Burma

148 Peyman June 8, 2008
Excellent! Simply it worked. But after running the iptables shell script I could not reach my server via SSH or VNC. I had to comment these 4 lines of the script to get my remote access back.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Is it no problem commenting those lines? my squid is working as I want ;)

149 Padani June 28, 2008
When i gave the above config to the squid on a VPS (Debian), the following errors came. I didnt implement that iptable rules.
root@x:/etc/squid# /etc/init.d/squid restart
Restarting Squid HTTP proxy: squid2008/06/28 11:02:10| parseConfigFile: unrecognized:
2008/06/28 11:02:10| parseConfigFile: line 44 unrecognized: httpd_accel_host virtual
2008/06/28 11:02:10| parseConfigFile: line 45 unrecognized: httpd_accel_port 80
2008/06/28 11:02:10| parseConfigFile: line 46 unrecognized: httpd_accel_with_proxy on
2008/06/28 11:02:10| parseConfigFile: line 47 unrecognized: httpd_accel_uses_host_header on
2008/06/28 11:02:10| WARNING cache_mem is larger than total disk cache space!
FATAL: No port defined
Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
CPU Usage: 0.005 seconds = 0.000 user + 0.005 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
/etc/init.d/squid: line 74: 30103 Aborted start-stop-daemon --quiet --start --pidfile $PIDFILE --chuid $CHUID --exec $DAEMON -- $SQUID_ARGS </dev/null

150 ramesh July 25, 2008
Hi, I have a problem. I configured Transparent proxy, it is working fine. problem with web server when i tried to access the web page from external network. Error message:
ERROR The requested URL could not be retrieved
Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect

151 nazrin July 29, 2008
dear guys, is there anyway of doing proxy on port 25 and 110? i wanted to test it with spamassassin checking on that port using transparent proxy. thanks, nazrin.

152 Khalid August 2, 2008
I am running FC6, 2.6.STABLE13 and I need help. 2 network cards: eth0 on a local LAN address 10.6.9.171, eth1 190.2.168.0.0/24. my server is running DHCP and assigning addresses to local clients. But Squid is giving me a headache. I did follow the steps in this tutorial, and my Squid FAILS to start everytime. First it gave me this error
ACL name Safe_ports not defined!
FATAL: Bungled squid.conf line 19: http_access deny !Safe_ports
Squid Cache (Version 2.6.STABLE13): Terminated abnormally.
Then when I define Safe_ports by adding definitions that I got from another website it does not like the added lines and it asks for a hostname
2008/08/01 16:08:53| parseConfigFile: line 36 unrecognized: http_accel_host virtual
2008/08/01 16:08:53| parseConfigFile: line 37 unrecognized: http_accel_port 80
2008/08/01 16:08:53| parseConfigFile: line 38 unrecognized: http_accel_with_proxy on
2008/08/01 16:08:53| parseConfigFile: line 39 unrecognized: http_accel_uses_host_header on
FATAL: Could not determine fully qualified hostname. Please set visible_hostname
Can someone please direct me on what Im missing here
=======================
here is my config file:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 10.6.9.177 192.168.0.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname proxytest
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
================================
Khalid

153 Seymur November 7, 2010
remove
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

154 Jakykong August 7, 2008
I thought I would mention that newer Squid versions (or maybe its older ones, I use 2.7) dont accept the httpd_accel_* entries. Another way to do the same thing, which seems to work the same way, is to use the http_port entry. When you set the port (3128 by default), you can add transparent to the end of the line to make the proxy transparent.

155 shantanu August 7, 2008
hiii, i know very less abt squid and linux, m in a college and my isp has blocked many of the sites and downloads, i need to unblock those sites as want to see my favourite football matches, so plz will anyone guide me how to unblock these sites and see streaming videos, my isp uses squid/2.6.STABLE6, plz reply..

156 shantanu August 12, 2008
if any one knows plz tell me, e mail id is gupta.shaan5@gmail.com !!!

157 Baku August 27, 2008
Excellent article. The firewall script works fine in my GNU/Linux Debian Etch. However, the squid.conf should be updated to squid 2.6 and later versions, which have the specific transparent parameter. In addition, it should be convenient to add a fourth step: configure named daemon on squid host. Best regards Baku

158 we3cares September 2, 2008
Very Good Work :) But, I can tell a small easier step instead of
grep -v ^# /etc/squid/squid.conf | sed -e /^$/d
Use:
# grep -v ^# /etc/squid/squid.conf | cat -s

159 Umer August 5, 2010
Gud .. Its working now

160 MikeC September 25, 2008
Good write up, question though. After setting everything up I get the following error when I try to access a site:
While trying to retrieve the URL: /
The following error was encountered:
* Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:
* Missing or incorrect access protocol (should be `http:// or similar)
* Missing hostname
* Illegal double-escape in the URL-Path
* Illegal character in hostname; underscores are not allowed
Any ideas would be appreciated!

161 Muhammad Suleman Hasib October 22, 2011
just add transparent at the end of http_port. if you are using 3128 port then it should look as follows:
http_port 3128 transparent

162 Nandkishor September 26, 2008
Hi vivek, I have configured the transparent proxy & also blocked the downloading of movies & songs. But some people are downloading by using the torrent or utorrent. Can u tell me how to block this torrent downloading by using squid or peer to peer?

163 Rizwan Ahmed October 24, 2008
nice help

164 cpyd October 26, 2008
this is funny. okay first of all, thanks vivek, thanks a ton for your fantabulous article. I setup two servers using your script and it works great. save one freak stuff.. while i see everyone running around saying they cant accept anything except port 80, my problem is exact opposite! ie.. it seems my firewall is allowing every damn traffic through itself, and no, i dint change a thing in the script except, ofcourse, the variables in beginning. the iptables -L command gives this :-

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            LOG level debug prefix `LOG_DROP'
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

i commented out the unlimited LAN access line, and i was completely blocked out, including the webserver running on the same machine. Anyone out there who can point me in the right direction?? I want to allow only ports 25, 465, 110, 995, 443 and 80 through my proxy server.. thanks :)

165 jayarm December 7, 2008
I want to allow two ports which are used for VOIP (port 8661 10500). how can I enable the same? Please tell me with the example, i am using redhat. my ip is 172.21.100.10 (eth0) 192.168.103.10 (eth1)

166 Nick December 14, 2008
Is it possible to set a machine with one ethernet adapter on the network as a transparent proxy? So my machine (machine2) on 10.0.0.2 becomes my default gateway (in the DHCP config), which in turn either transparently proxies or sends the packet on to the real default gateway at 10.0.0.1. Machine2 would need to match incoming packets and if not destined for it, and not destined for port 80, forward them to the router. Incoming packets not destined for machine2, but destined for port 80, forward to the squid proxy. This would be neat, as it would simplify network layout, avoid having to have two subnets, and make bypassing the proxy a simple method of adding a static network config with a different default gateway.

167 bashir December 26, 2008
Hi i m using squid 2.6 in Centos 5.1. But i found some errors: 1. arp 2. when i blocked the ips but even that allow. please help, bashir pakistan islamabad

168 khzied December 28, 2008
Hi everybody, I have a problem with squid.. In my network internet, i would like to have connection at the same time like this:
* some ip address connect to internet with authentication
* some ip address connect to internet without authentication
How can i do in squid configuration and iptables rules.. Thanks :)

169 khzied December 28, 2008
with ipcop, i use the type unrestricted user that accesses internet without authentication.. Other users without type unrestricted user should connect by authentication.. How can i do? Ps: I use squid 3.0 Thanks

170 brijesh January 10, 2009
dear sir, Sir i want to install squid proxy but not installed. please give the setup and how do you install

171 Ibru January 19, 2009
Hi, You have done an excellent work. How can I run fw.proxy script every time when my computer starts. Thanks Ibrhaim PP

172 Bjornar January 28, 2009
Hi. When i load the script I get an error message: iptables: No chain/target/match by that name Someone know whats wrong? im a noob (A)

173 needh January 29, 2009
I use your squid on ubuntu 7.04. It complains no httpd_accel, etc. If I remove those lines in squid.conf, thats no proxy at all. Nothing in access.log.

174 baxbixbux February 20, 2009
good now i can setup squid

175 col February 23, 2009
Hi thanks for the really useful information. I have now setup my main PC as a transparent proxy so can log and see all the websites that my family lan has been to. Is there a way to also log all MSN chat messages using squid? (we have a policy of open internet access, with the responsibility of where they choose to go being on the child, with them knowing that occasional spot checks of the logs will be carried out).

176 iniabasi February 25, 2009
i have gone through all the comments here and I have done everything configuring the squid 2.7 stable 13 and iptables in ubuntu 8.10. my problem is that i only browse when i fix the proxy in the explorer, the transparency does not work. when i add this line of code, i have errors: httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on. I am really at a loss on what to do. This is what my squid conf looks like
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl ECONOMICS src 10.0.0.0/24 # RFC1918 possible internal network
http_access allow ECONOMICS
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow ECONOMICS
icp_access deny all
http_port 80
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
visible_hostname EconnetServer
hosts_file /etc/hosts
coredump_dir /var/spool/squid
Please can someone help me. Thanks.

177 manjunath February 25, 2009
Hi, I do have setup internet->router(cisco 2600)->firewall (506 E)->Cisco Switch (6500) no routing capability ->DHCP Server->Lan. Planning to have Squid transparent proxy. Plz help me how to setup. I am new to Squid project. Manjunath
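The iptables -L listing cpyd posted above (comment 164) is the kind of output worth reading mechanically: the first rule in INPUT shows no match criteria at all, so every rule after it, including the final DROP, is never reached. As an added example (my code, not the article's firewall script), here is a parser for that listing that reports such catch-all rules; the one caveat it carries is that plain iptables -L hides interface matches, so a rule that looks unconditional may really be bound to lo or the LAN interface.

```python
"""Find catch-all rules that shadow the rest of a chain in `iptables -L` output.

Added example, not from the article or its firewall script. Each chain is
evaluated top to bottom, so a terminating rule whose listed matches are
"all -- anywhere anywhere" with no extra match text makes every rule after it
unreachable, and in INPUT it also defeats a DROP policy. One caveat: plain
`iptables -L` does not print interface matches (-i/-o), so such a rule may be
bound to an interface; confirm with `iptables -L -v` or `iptables-save`.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
COLUMNS = ("target", "prot", "opt", "source", "destination")


def parse_iptables_listing(text):
    """Parse `iptables -L` output into {chain: {"policy": str, "rules": [dict, ...]}}."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target "):
            continue                      # text before the first chain, or column header
        fields = line.split(None, 5)      # 5 fixed columns + free-form match text
        if len(fields) < 5:
            continue
        rule = dict(zip(COLUMNS, fields[:5]))
        rule["extra"] = fields[5] if len(fields) == 6 else ""
        chains[current]["rules"].append(rule)
    return chains


def looks_unconditional(rule):
    """True if the listing shows no match criteria at all for this rule."""
    return (rule["prot"] == "all" and rule["source"] == "anywhere"
            and rule["destination"] == "anywhere" and rule["extra"] == "")


def find_shadowing_rules(chains):
    """Return (chain, rule_no, target, shadowed_count) for the first catch-all per chain."""
    findings = []
    for name, chain in chains.items():
        rules = chain["rules"]
        for idx, rule in enumerate(rules, 1):
            if rule["target"] in TERMINATING and looks_unconditional(rule):
                findings.append((name, idx, rule["target"], len(rules) - idx))
                break                     # nothing after this rule is evaluated
    return findings


# The listing cpyd posted above (comment 164), retyped as sample input.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            LOG level debug prefix `LOG_DROP'
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
"""

if __name__ == "__main__":
    for chain, no, target, shadowed in find_shadowing_rules(parse_iptables_listing(SAMPLE_LISTING)):
        print(f"{chain}: rule {no} ({target}) matches everything shown; "
              f"{shadowed} later rule(s) never evaluated - verify with iptables -L -v")
```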

Reply 178 Xavier February 27, 2009 Hi all, My Squid server works fantastically with the script above if I only have 2 network adapters enabled. I have an eth2 that I wish Apache to listen on as I was getting some oddities with it running on eth0 and eth1 which i am guessing is attributed to SQUID. I can configure Apache to listen on eth2 ok, the problem is as soon as I enable and start eth2 everything dies. eth0 and eth1 are unpingable and squid doesnt work. All I am doing is an out of the box version of squid with a very basic conf and the script above. Any help? Thanks, Xavier. Reply 179 hana March 5, 2009 is it possible to implament transparent proxy using only one NIC? Reply 180 kpm March 14, 2009 We are using two ip numbers for accessing internet and intranet. The IP 172.16.0.0/24 is for accessing our Intranet application from our remote office. The IP 192.168.1.0/24 is local broadband connection used for accessing internet locally. I want to access both the connection in a single IP by configuring linux squid proxy sever. Can u please help me out how to do the settings. Reply 181 Christofer March 17, 2009 Thanks cyberciti for the great tutorial, help me a lot. Reply 182 vijay March 29, 2009 This setup can use in fedora 10 Reply 183 Tricky April 15, 2009 I like how youve built this post. The httpd entries dont seem to work on my server however its not a particularly important function for me. I think perhaps it wasnt built into the build I have from Arch Linux. On a purely academic note, I often work with grep and sed and I recognised some even shorter ways to strip the squid.conf file. The shortest is still a combination:
ge ./t/qi/qi.ofsd' */' rp ecsudsudcn|e / #d

unless you want to actually strip it inline:


sd- ' */;/ */'/t/qi/qi.of e i / #d ^ $d ecsudsudcn

Reply 184 Bruce Smith April 16, 2009 Im looking for help for a fix. i work at a school. and im looking to run squid to speed up net access i have 2 up stream proxys we use 1 for kids 1 for staff, and i want to bind them in to 1 proxy in school with 2 ports. so port 8080 for students caching from upstream proxy student.proxy port 80 so port 8099 for staff caching from upstream proxy staff.proxy port 80 any one any clues ? Reply 185 nichive April 26, 2009 to da point, I need some help with this configuration Im running my squid on Ubuntu Server 8.10 with the transparent configuration applied, and the iptables script made, without any error on the start/restart part. but my problem is, I cant open anything through any web-browser that is installed on my Local Area Network
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 38/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

but if I try some ping command to any web-address, it works fine pitty, not doing so with the web-browser anyhelp would be appreciated :) Reply 186 nichive April 26, 2009 ignore my last question, I found out what my problem was.. my machine was a fresh installed one, didnt have the masquerading method just run the following command and voila
$sd atgtisalims uo p-e ntl paq

Reply 187 dave love May 7, 2009 I am using this setup but I am having trouble connecting to port 443. Any ideas? Do I need to tell it to use 443 and 80 in the squid.conf? Reply 188 Md. Saidur Hasan May 10, 2009 hi boss, its working but problem with the email. i cans download my email in outlook. my configuration is as follows # cat /etc/squid/squid.conf | sed / *#/d; /^ *$/d Output http_port 3128 transparent hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? cache deny QUERY acl apache rep_header Server ^Apache broken_vary_encoding allow apache cache_mem 32 MB access_log /var/log/squid/access.log squid auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd auth_param basic children 30 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl CONNECT method CONNECT acl bad_sites dstdomain /etc/squid/squid-block.acl http_access deny bad_sites acl esl src 172.16.10.0/24 http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access allow esl http_access deny all http_reply_access allow all icp_access allow all cache_mgr ahmed.rahman@esl.com.bd visible_hostname ESL-NNC coredump_dir /var/spool/squid please help me.. Reply 189 chrkc May 25, 2009
www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html 39/56

3/7/12

Linux: Setup a transparent proxy with Squid in three easy steps

Hi, I have three systems, my apache web server is running on 192.168.0.26 machine, squid/proxy is running on 192.168.0.25 and my firewall/shorewall is running on 192.168.0.20 And there is a local network 192.168.0.X of systems with gateway mentioned as 192.168.0.20. Can anyone tell me how do i manage in a way that all the http requests made are directed to the squid/proxy? As the people in the local network through the browser direct connection are able to open sites that were restricted through the proxy settings. Thanks Reply 190 Wiki June 8, 2009 Where can i find or where should i paste the following commands? in line number? httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy httpd_accel_uses_host_header on Reply 191 Nand June 17, 2009 I have setup the squid using transperant proxy & in iptables I have chnge the polixy of filter table to DROP. Everything is working fine. But any idea how to block the torrent downloading? what iptables rules are want to setup? Regards, Nandkishor Reply 192 Rashid Iqbal June 27, 2009 hi friends I am new to linux. right now i am using the fedora I configure the proxy and configure the iptables to forward the traffic Microsoft Outlook . now there is a problem that users are able to browse withoutt the client proxy settings although I only add the iptables script that forward the port 80 traffic to port 3128 that users should go through proxy secondly we are using the citrix server how to enable remote users to connect out db server through citrix server using TCP 1494 and UDP is 1600 to 1699 and tcp is 80.. and how to restrict the wireless users that they should go thorugh proxy. and finally I want that only some specific users to use the internet through client proxy settings and remaining will be blocked. please help me in this regard..I will be highly obliged.. Reply 193 Rashid Iqbal June 27, 2009 Friends I am new to squid I want to configure the proxy server with squid but not with the transparent. 
like that every user should put the ipaddress+port 3128.. Secondly I want to receive the emails on Microsoft Outlook; for this purpose I use the iptables. Now mail is working but user can bypass the proxy after putting the proxy address into the client's gateway.. Please help me to solve this issue..

194 Anindya Banerjee July 6, 2009
How can I install and configure squid proxy in my red hat linux system.

195 Mohd Anas July 14, 2009
Hi, Can someone suggest how can I configure my squid http proxy for FTP also. And what are the settings for ftp client like filezilla. Thanks

196 Gregory I Okumoro July 22, 2009
Hi, I am new to Linux but I like what you have to say about port 80 redirection to port 3128. Currently, my website is unavailable online because the Cable Company (ISP) has blocked all the ports that I have to work except port 3128. 1. What is the directory of the firewalls to which I have to copy the firewall scripts? 2. What directory do I copy fw.proxy to? Thanks, Gregory Omkpokoro

197 Ajit Upadhyay August 4, 2009
Hi! I have a server with eth0 (10.126.2.101) connected to my ISP (proxy 10.31.31.10:3128 with authentication i.e. userid/pwd) and eth1 (192.168.1.1) connected to local network through a fast ethernet switch. The server is also a DHCP server for local network (192.168.1.2 - 192.168.1.254). Now, I have configured squid on this server so that local network PCs can access internet through my server (which is behind ISP's authenticated proxy). The detail of squid.conf is listed below:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.1.1
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl purge method PURGE
acl CONNECT method CONNECT
access_log /var/log/squid/access.log
acl plasma_net src 192.168.1.2
acl plasma_net src 192.168.1.3
acl plasma_net src 192.168.1.4
acl plasma_net src 192.168.1.5
http_access allow plasma_net
acl lan src 10.126.2.101 192.168.1.1
http_access allow localhost
http_access allow lan
http_access allow all
http_access allow localnet
http_access deny all
acl ftp proto FTP
http_access allow ftp
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all
icp_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 192.168.1.1:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
ftp_passive on
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern (cgi-bin|\?) 0 0 0
refresh_pattern . 0 20 4320
always_direct allow all
connect_timeout 2 minutes
client_lifetime 1 days
cache_mgr webmaster
visible_hostname plasma1
icp_port 3130
error_directory /usr/share/squid/errors/English
coredump_dir /var/cache/squid
cache_swap_high 95

When any PC on network tries to use internet, I get following error in my access.log:
1249380227.459 10 192.168.1.4 TCP_REFRESH_UNMODIFIED/304 259 GET http://webmail1.cat.ernet.in/newmail/images/dotted_bullet.gif DIRECT/10.11.100.123
1249380237.766 294 192.168.1.4 TCP_MISS/503 2419 GET http://www.google.com/ DIRECT/209.85.231.104 text/html
1249380328.894 290 192.168.1.4 TCP_MISS/503 2468 GET http://www.google.com/ DIRECT/209.85.231.104 text/html
1249380437.333 184 192.168.1.4 TCP_MISS/503 2350 GET http://www.yahoo.com/ DIRECT/69.147.76.15 text/html
and the user gets following error: while trying to retrieve the URL http://www.yahoo.com/ The following error was encountered: Connection to 69.147.76.15 Failed. The system returned: (101) Network is unreachable [whereas, I am able to access above url / ip from server] PLEASE, HELP me resolve this issue.

198 Ajit Upadhyay August 4, 2009
Hi! I have a server with eth0 (10.126.2.101) connected to my ISP (proxy 10.31.31.10:3128 with authentication i.e. userid/pwd) and eth1 (192.168.1.1) connected to local network through a fast ethernet switch. The server is also a DHCP server for local network (192.168.1.2 - 192.168.1.254). Now, I have configured squid on this server so that local network PCs can access internet through my server (which is behind ISP's authenticated proxy).
The detail of squid.conf is listed below:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.1.1
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl purge method PURGE
acl CONNECT method CONNECT
access_log /var/log/squid/access.log
acl plasma_net src 192.168.1.2
acl plasma_net src 192.168.1.3
acl plasma_net src 192.168.1.4
acl plasma_net src 192.168.1.5
http_access allow plasma_net
acl lan src 10.126.2.101 192.168.1.1
http_access allow localhost
http_access allow lan
http_access allow all
http_access allow localnet
http_access deny all
acl ftp proto FTP
http_access allow ftp
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all
icp_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 192.168.1.1:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
ftp_passive on
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern (cgi-bin|\?) 0 0 0
refresh_pattern . 0 20 4320
always_direct allow all
connect_timeout 2 minutes
client_lifetime 1 days
cache_mgr webmaster
visible_hostname plasma1
icp_port 3130
error_directory /usr/share/squid/errors/English
coredump_dir /var/cache/squid
cache_swap_high 95
When any PC on network tries to use internet, I get following error in my access.log:
1249380227.459 10 192.168.1.4 TCP_REFRESH_UNMODIFIED/304 259 GET webmail1. DIRECT/10.11.100.123
1249380237.766 294 192.168.1.4 TCP_MISS/503 2419 GET http://www/ DIRECT/209.85.231.104 text/html
1249380328.894 290 192.168.1.4 TCP_MISS/503 2468 GET http://www./ DIRECT/209.85.231.104 text/html
1249380437.333 184 192.168.1.4 TCP_MISS/503 2350 GET http://www/ DIRECT/69.147.76.15 text/html
and the user gets following error: while trying to retrieve the URL http://www./ The following error was encountered: Connection to 69.147.76.15 Failed. The system returned: (101) Network is unreachable [whereas, I am able to access above url / ip from server] PLEASE, HELP me resolve this issue.

199 Ajit Upadhyay August 4, 2009
Further info: OS: openSuSE 11.0. Also, I have disabled firewall, as of now (MY ISP is highly secure / protected).

200 Ajit Upadhyay August 4, 2009
I have also set in squid.conf
cache_peer 10.31.31.10 parent 3128 0 no-query
prefer_direct off
where my ISP's proxy is 10.31.31.10:3128 but the error still continues.
201 Javier August 17, 2009
Hello, I wrote exactly the script and got a problem: I can not see my eth0 that connects with my local lan. How can I delete this script?
javier

202 Javier August 18, 2009
After I complete the script I got a problem: I can see the eth0 that is connected to my local network

203 Marc August 18, 2009
Hello, I'm using a transparent proxy bridge, and I noticed that a download never completes and it always cuts, as the connection to the server is reset! I'm using these rules in the firewall:
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080
Where port 8080 is the dansguardian port for url filtering. Any idea why the connection resets? It's like a tcp reset is being done. Thanks.

204 jac August 18, 2009
Hey, pay attention: kotnik's sed trick deletes ALL rows that CONTAIN a #, not just those that START with #

205 John September 3, 2009
Hi, I am running a transparent bridge with squid and dansguardian. I noticed that a download can never complete and I get the message "The connection with the server was reset" as soon as the download starts. Very small files (< 1MB) are hardly able to finish. Browsing is fine, the problem is only with the downloads and they always cut. Is anybody having a similar problem with a transparent bridge? Appreciate your help solving this critical matter. Thanks. John

206 theleftfoot September 3, 2009
hey guys, i hope someone can help me out. I've got problems with the following two steps:
Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on
Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on
it doesn't work!
I got these errors:
test:/ # chmod +x /etc/fw.proxy
test:/ # /etc/fw.proxy
test:/ # service iptables save
service: no such service iptables
test:/ #
can someone help me out? cheers raffa
207 Anant Patel September 18, 2009
hello!!! my college server blocked many ports like 3128, 8822, 3127, 8125, 8130 so i can't access net.. i have to use only college provided net. what can i do?? they also stop ports in utorrent. plz help me.. thank u..

208 safdar azam September 24, 2009
hello. i am using Linux redhat version 3 and i have two lan ports, both are configured, so i want to share my internet connection to winbee thin client. tell me how can I connect with the thinclient. plz i am waiting

209 Stolz October 7, 2009
AFAIK, the rule
iptables -A OUTPUT -o lo -j ACCEPT
is redundant because the default policy rule
iptables -P OUTPUT ACCEPT
already allows all outgoing traffic on all interfaces

210 Baswaraj Ramshette November 13, 2009
Hi, I have followed whatever steps you have given in this article regarding transparent proxy configuration. I did everything according to your article. I am getting the following error, please help me:
/etc/init.d/squid restart
Stopping squid: 2009/11/13 12:42:28| parseConfigFile: line 4519 unrecognized: httpd_accel_host virtual
2009/11/13 12:42:28| parseConfigFile: line 4520 unrecognized: httpd_accel_port 80
2009/11/13 12:42:28| parseConfigFile: line 4521 unrecognized: httpd_accel_with_proxy on
2009/11/13 12:42:28| parseConfigFile: line 4522 unrecognized: httpd_accel_uses_host_header on
. [ OK ]
Starting squid: . [ OK ]
On client side: The requested url could not be retrieved.

211 Jeffry November 25, 2009
I need help. I use Ubuntu Jaunty 9.04, want to configure Squid, and everything is okay, cause I took a proxy 1.1.1.1:3128 in every browser. But if I want to make the squid transparent, I still get nothing. All I do is just put transparent next to http_port 3128, and a few configuration lines like above, then put iptables like usual..
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
and in ubuntu, the iptables version is 1.1.4.1. please advise, my hair has become fall season :`(

212 e December 9, 2009
how do i get on myspace from school

213 Live December 15, 2009
Does anybody's question ever get answered in this tutorial? This tutorial is obsolete in later versions of SQUID!

214 Sye MUshtaq Ahmed December 24, 2009
Hello, Really the guide is wonderful and it worked 100% for me and even the clients using it are amazed with its speed. But there is one problem now!!! When clients access Email, like yahoo and hotmail and any others, in i.e. a message will show after a few seconds: this page can't be displayed. plz solve my problem ASAP REGARDS

215 Sam December 31, 2009

Hello, I'm facing a problem when setting up the server as router. My client can ping eth1 and eth0 successfully. However the client can't browse internet through the proxy server (eth0). For your information, I set up the proxy server following exactly what was written here. May I know what is the problem? Thanks!

216 Devinka January 16, 2010
HI, Thanks for the howto. It works fine.

217 Lalit Kumar January 16, 2010
Hi All, I have an issue with my transparent squid server: it is working transparently for its own subnet or vlan systems. Like my squid server ip is 172.16.110.24 and it's working fine for a system with ip 172.16.110.22, but it is not working transparently for other systems like 172.16.119.37 and 172.16.122.43. I add
acl mynet src 172.16.110.0/24 172.16.119.0/24
http_access allow mynet
but it is working only for same vlan systems. Why? Can anyone help me out with this issue

218 gopi chand January 19, 2010
where can I add the following lines in squid.conf. please help me anybody. the lines are
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

219 Kartik Vashishta February 4, 2010
So I have to enable IP routing for this to work; what is the command to do that, to tell eth0 to route to eth1?

220 bobzi February 12, 2010
Dear LINUXTITLI, I configured Squid 2.5 with your configuration. Everything is fine but HTTPS sites don't accept requests. I've tried several times to open HTTPS (SSL Port) in iptables by some different commands, however I still have the problem. On the other hand, when I set Proxy in the Internet Options tab, clients can open Secure sites; when I erase the proxy setting only the secure site has a problem to login. And also I need to set up clients without any setting in the browser for some reasons. Actually I have a serious problem in this setting. I need some help. Could you please give a solution?!
Dear LINUXTITLI or somebody else. I will be grateful. Many thanks

221 Fredl February 12, 2010
Hi, kotnik's magic filter in posting #4 ignores the greediness of sed. His code will hide any lines containing a # (and following comment) somewhere in them. This will reflect an incomplete setup. Better use this grep-only command:
grep -vE '^#|^*$' /etc/squid3/squid.conf
To all the help-seekers here: Better try a suitable forum for your questions, a blog like this one is far from being a perfect platform for helping with configuration mistakes. Regards, Fredl.
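The comment-stripping trick jac and Fredl discuss (a sed `/#/d` drops every line that merely contains a `#`, such as `acl Safe_ports port 80 # http`) and the parseConfigFile `unrecognized: httpd_accel_...` errors reported in comment 210 can both be checked mechanically. The script below is an added example, not from the article or any commenter: it builds a constructed sample squid.conf, lists only the active directives, flags the httpd_accel_* lines that Squid 2.6 and later no longer accept, and prints a migrated copy that uses `http_port 3128 transparent` (2.6/2.7) or `http_port 3128 intercept` (3.1 and later) instead.

```shell
#!/bin/sh
# Added example (not from the article or the comments): inspect a squid.conf
# for the two problems raised in the comments, without modifying the file.
set -e

# Constructed sample config for the demo; it mimics the snippets posted above.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Squid configuration (constructed sample)
acl Safe_ports port 80   # http
acl Safe_ports port 443  # https

acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
   # an indented comment line
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128
EOF

# The naive filter jac warns about: it deletes every line containing '#',
# so the two Safe_ports lines with trailing comments disappear as well.
naive_strip() {
    sed -e '/#/d' -e '/^[[:space:]]*$/d' "$1"
}

# Correct filter: skip blank lines and lines whose first non-blank character
# is '#'. Trailing comments stay, so "acl Safe_ports port 80 # http" survives.
active_directives() {
    grep -vE '^[[:space:]]*(#|$)' "$1"
}

# Number of active directives (useful as a quick sanity check after edits).
count_active() {
    active_directives "$1" | wc -l | tr -d ' '
}

# Accelerator directives that Squid 2.6 and later reject with
# "parseConfigFile: line N unrecognized: ..." (see comment 210).
obsolete_accel_directives() {
    active_directives "$1" | grep -E '^[[:space:]]*httpd_accel_' || true
}

# Returns 0 when the config is clean, 1 when obsolete directives are present.
check_conf() {
    n=$(obsolete_accel_directives "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "found $n obsolete httpd_accel_* directive(s); use instead:"
        echo "  http_port 3128 transparent   (Squid 2.6 / 2.7)"
        echo "  http_port 3128 intercept     (Squid 3.1 and later)"
        return 1
    fi
    echo "no obsolete httpd_accel_* directives"
}

# Print a migrated copy: comment out the obsolete lines and add the interception
# mode keyword ($2 = transparent or intercept) to a bare "http_port 3128".
migrate_conf() {
    sed -e 's/^[[:space:]]*\(httpd_accel_.*\)$/# obsolete: \1/' \
        -e "s/^http_port 3128\$/http_port 3128 $2/" "$1"
}

echo "naive filter keeps $(naive_strip "$SAMPLE_CONF" | wc -l | tr -d ' ') lines, correct filter keeps $(count_active "$SAMPLE_CONF")"
check_conf "$SAMPLE_CONF" || true
migrate_conf "$SAMPLE_CONF" intercept
```

Run it against a real file by replacing SAMPLE_CONF with the path to squid.conf; the functions only read the file, so the migrated output has to be saved explicitly.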

222 Fredl February 12, 2010
NB: Sorry, forgot to say thank you for the fine tutorial, LINUXTITLI! :)
@Lalit Kumar: try
acl mynet src 172.16.110.0/24 172.16.119.0/24 172.16.122.0/24
or simpler (but less restrictive):
acl mynet src 172.16.0.0/16
Most of the others here have some typos, too

223 Manoj February 15, 2010
I configured RHEL5 squid server as a proxy server in a windows environment; it gives me a problem for outlook express & for Ms outlook that users on the windows side are not able to send & receive their e-mails. However I have opened the safe ports & iptable rules. Also, I want to configure a squid server as a proxy server in such a way that some of the users are not able to access specific web sites but some users are able to access the same websites, while users get their IPs from the DHCP server.

224 saltio May 12, 2010
outlook express & for Ms outlook that users on windows side are not able to send & receive their e-mails. What are the commands to open the safe ports & iptable rules? Thanks for the setup, this will save a lot of time.

225 vikram February 24, 2010
I have always noticed one thing: while going for transparent squid or IP MASQUERADING, I always have to keep my named service on and specify the DNS ip settings in the client. Is dns necessary? Because we don't need that in normal squid (non-transparent). Kindly Guide

226 bezt March 4, 2010
can U tell me how I configure my iptables for a non-transparent proxy. Thx b4, regards

227 Sharon March 9, 2010
Hi, I am very bad at Linux and have failed many a time, but want to set up a similar system including web content filtering using the dansguardian package. This system is intended for use in non-profit organisations with which I am associated. If somebody could spare some time to set up this system please mail me back at my email address sharon.joel77@gmail.com Best Regards, Sharon.

228 Anil March 19, 2010
I want to set up squid proxy servers (three) with one gateway server.
I know it can be done by linux LVS. Can somebody give me a detailed howto or step by step guide to set this up. Thanks in advance

229 Nick April 9, 2010
Please Help, I have installed and configured squid-3.1.1 on open suse 10.2 and it starts well, but for some reason client machines can't access internet through squid. I have one LAN port connected to the switch and I want all computers to use it as a proxy server with port 8080. Do I need to install Apache as well?.. Below are the configurations
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl mrc src 10.0.1.0/24
acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow mrc
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
http_port 3128
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_dir ufs /usr/local/squid/var/cache 1000 16 256
access_log /usr/local/squid/var/logs/cache.log squid
cache_access_log /usr/local/squid/var/logs/access.log squid
cache_store_log /usr/local/squid/var/logs/store.log squid
cache_store_log /usr/local/squid/var/logs/store.log squid
coredump_dir /usr/local/squid/var/cache
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr root
visible_hostname mskproxy.mrcuganda.org
icp_port 3130
always_direct allow all
cache_effective_user squid
cache_effective_group squid
htcp_port 4827
cache_mgr it@mrcuganda.org

230 JAYGUPTA September 7, 2011
Sir i want to make Transparent proxy but i don't know where to edit this line in squid.conf (httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on)!!!!! plz help me and thanks in advance!!!!

231 Saad Hammad October 10, 2011
did u change the acl localnet src 10.0.0.0/8 network to 10.0.0.0/24 yourself? if you have given a separate acl mrc then there is no need to put the RFC1918 definition, just put a # sign before the above line
#10.0.0.0/8 # RFC1918 possible internal
and see if it works, provided 10.0.0.0 is your internal network

232 ammar ali April 13, 2010
i need all proxy settings

233 Sarmed Rahman April 18, 2010
a million thanks ^_^

234 Prasad May 13, 2010
thanks for the info. i was really in need of this.

235 hmtum01 May 19, 2010
how can i block users according to mac address filtering in transparent squid proxy. which is the version of that squid

236 rocky May 31, 2010
thanks

237 Alex Y. Telkov (Russia) June 2, 2010
Thanks a lot! I have a problem with Total Commander while users from the local net try to access FTP resources. I have a classic architecture in the local HQ lan: LAN - Linux-router - CISCO 871-k9 - Internet. I apologize, your approach in solving the FTP-port-error problem helps me to solve my situation. If my server-under-construction is turned on at the moment, I will start to implement your solution remotely immediately! :)

238 Pradip Raut Chhetri June 6, 2010
I have done everything, 3 easy steps for transparent proxy, but every time i restart the squid, i'm getting an error regarding the following:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Help me, Do i have to set up httpd server before configuring your 3 easy steps transparent proxy. Thank YOU

239 gbrane June 14, 2010
Important!!!!! for Ubuntu users!!! in /etc/sysctl.d/10-network-security.conf these must be commented!!
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
i lost one month to solve this problem!!!!!!

240 DEEPAK June 30, 2010
anybody help with the linux firewall configuration. this is my first time using it, please help how to configure, give some link or command.
241 Vijith P A August 31, 2010
Hi Guys, I configured the Proxy server with Transparent in the above mentioned way except this code
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
When I'm trying to access internet on the client side it is showing the error message: The following error was encountered while trying to retrieve the URL: / Invalid URL. Actually I typed http://www.google.com. The error message in the /var/log/squid3/access.log file is
1283269708.780 0 192.168.1.121 NONE/400 1951 GET /firefox NONE/- text/html

242 tendy September 9, 2010
Will anyone ever give a solution to this problem???
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Help me, Do I have to set up httpd server before configuring your 3 easy steps transparent proxy.

243 Anonymous September 20, 2010
grep ^[^#] /etc/squid/squid.conf

244 pdk October 4, 2010
It's not at all working as a transparent proxy. I have rhel5.3 and squid3. Packets come to clients only after mentioning the port and gateway IP, otherwise not.

245 wezt October 29, 2010
@vijith and tendy AFAIK but CMIIW,
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
it's not for squid; all of the above directives are not for the squid-3.x version, only valid until squid-2.6

246 Bishal November 16, 2010
Hello all, I have a different scenario. I have linux firewall and squid installed in different servers. How can I forward all lan clients to the squid box from the linux router, since forwarding from the cisco router makes the squid box see all clients coming from the linux gateway ip. I want to see individual ip logs in the squid box. How is it possible?
cisco router
|
|
Squid box rl0(172.160.10.2) - Linux router eth0(172.16.103)
|
eth1
|
LAN Clients (192.168.9.0/24)

247 sleiman December 18, 2010
Hi all, i want to make a cache server. anybody help me, no problem about money, i can pay. plz send me email thx all

248 sajeet January 24, 2011
hi, nice script for transparent proxy server. In your script you use 2 lan cards for proxy settings but i have only one lan card on my squid proxy server; this is working fine, but i want to know how to configure a Transparent proxy server using 1 LAN card. i use squid 2.5 Stable in Redhat 9 so pls help me, waiting for ur reply

249 aditya February 5, 2011
i have installed Red Hat Linux 5 Enterprise on one PC to make a Web Proxy Server. internet access on this machine is working ok. the other win XP PCs cannot access the internet. i have configured squid as:
acl lab src 192.168.2.1-192.168.2.249/255.255.255.0
pl. help me

250 Volverin (Vivek) February 9, 2011
THANKS A LOAD for the information. Following you.

251 Bikash February 18, 2011
Hi frnds, i have installed linux 5.0 and configured squid but there is a problem with transparent squid. can anybody tell me how to make my linux transparent to the client desktop? My squid is working when i manually put the proxy address in the internet browser.. I want to make it transparent so there is no need to put the proxy in the internet browser. I have a broadband connection. thanx

252 Atul M February 20, 2011
guys!!! three hats to this article and the people who have contributed everything before my opinion. this is one of the EXCELLENT!!! web pages on the internet. I would say THE BEST

253 nikhil February 24, 2011
hi, can anyone explain how to set the time limit in dansguardian. thnks in advance nikhil

254 Denie April 25, 2011
my squid server has only 256MB RAM & a P4 and is serving ~300 clients. why do you need such a big amount of RAM (8GB) for only 150 clients?

255 Wasim Sheikh April 26, 2011
that is not filtering https traffic; the user can access the blocked sites via https. please suggest how to filter https traffic via transparent proxy.

256 Syed Mushtaq Ahmed April 27, 2011
Hi, I have configured the squid 2.6 Stable 6 server using Fedora core 6. It has 2 ethernet cards. eth0 is used for internet (Lan) & eth1 is connected to the local area. eth0 uses IP 192.x.x.x Netmask 255.255.255.0 Gateway 192.168.x.x Dns 203.x.x.x Dns 203.x.x.x; eth1 uses Ip 192.x.x.x Netmask 255.255.255.0. When I run the fw.proxy script and save iptables and restart squid, then I ping eth0 from the client side and it's replying, and also ping eth1 and it's not replying. So plz give me the solution for this.

257 soumalya June 3, 2011
Sir I have two labs in my college, one is 172.16.0.0 series and another is 192.168.10.0 series. Now I want to allow both the labs to access internet through squid which has 172.16.0.10 ip address. pls help.

258 ericmilyon July 24, 2011
hi, I'm a newbie. Can I know if I can use iptables on freebsd? Thanks..

259 Muhammad Naveed July 27, 2011
Hi, I am using linux 5 and squid 2.6.STABLE21. my eth0 ip is 77.0.0.4 & eth1 is 192.168.0.3. I want to set 3128 as my squid port. I am unable to add or modify the lines mentioned below. I don't know where to add these 4 lines.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

260 Iain August 11, 2011
Hi, I tried running your script and got the following error:
FATAL: Error inserting nf_conntrack_ftp (/lib/modules/2.6.32-5-686/kernel/net/netfilter/nf_conntrack_ftp.ko): Cannot allocate memory

261 JAYGUPTA September 7, 2011
I am using squid 3.0 version and I want to make a transparent proxy plz help me. I edited one line in squid.conf and this line is http_access 8080; I changed it to http_port 3128 intercept
but it does not work plz tell me why??????

262 ben October 16, 2011
I live in Europe, but I'd like for my xbox360 to connect to xbox live in the states. Currently, I have the xbox go through my pc that is configured for the isa proxy. But I'd love a solution that doesn't require my pc running! Maybe a tiny bare bones linux machine (raspberry pi? chumby? modified dd-wrt/tomato router?) that is capable of connecting the xbox to the internet via a proxy or vpn. Any suggestions?

263 jonasor October 24, 2011
hi my question is: How can I make a specific ip not pass through the proxy? What would be the rule in IPtables?

264 abizar October 25, 2011
how can I configure Squid as a transparent proxy in windows 7? I installed squid 2.7stable8 in windows 7

265 LtPitt October 28, 2011
Hi all! I have a lovely squid proxy working but my windows clients on the lan can't access our mail server (external, on the internet) using outlook express. What can I do to solve the problem?

266 Oleg November 26, 2011
Hi, I have the same problem as bobzi.. Everything is fine but HTTPS sites don't accept requests. When I set Proxy in the Internet Options tab, clients can open Secure sites; when I erase the proxy setting only the secure site has a problem. Could you please give a solution?! Dear LINUXTITLI or somebody else. I will be grateful. Many thanks

267 arfie December 23, 2011
Dear All, how to disconnect a client connected by proxy squid?

268 Khuram Raza January 2, 2012
excellent tip on transparent proxy, but I want to configure a parent proxy (cache_peer). Anyhow, can I do it with transparent proxy? So far whenever I ran your script my VPN (hamachi) stops working, thus no connection to the parent proxy

269 David January 10, 2012
I want to set up an online/cloud Transparent Proxy Server that will act as a gateway for all my clients' PCs internet connections with authentication (e.g. PC MAC, Username & Password) to connect with the Proxy Server.
Please, how is it possible to set up this proxy server??

270 Y RCRAO January 22, 2012
Dear Sir, Plz give the steps how to install squid.conf in RHEL-4 System.

2004-2012 nixCraft. All rights reserved. Cannot be reproduced without written permission.
