marcuskuss
Member
Hallo zusammen,
habe ein etwas seltsames Problem mit meinen Squid Proxy wenn ich von den Clients aus aufs Internet Zugreifen möchte. Sobald ich im Firefox goggel od. irgend eine andere Internetseite aufrufen möchte wird dieses nach einer gewissen Zeit mit einer Zeitüberschreitung abgebrochen. Ich habe in den ACLs den Zugriff schon für das komplette LAN Freigegeben und es Funktioniert leider dann auch noch nicht. Sobald ich aber an dem Rechner wo der Squid eingerichtet ist die Einstellungen in Mozilla od. Konqueror vornehme um über den Proxy ins Internet zugelagen Funktioniert es Tatellos und ohne Probleme.
Hier der Auszug aus der squid.conf eventuell findet ihr ja noch Probleme od. Fehler die beim Erstellen bzw. Anpassen passiert sind:
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: follow_x_forwarded_for
# Allowing or Denying the X-Forwarded-For header to be followed to
# find the original source of a request.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The X-Forwarded-For header will contain a
# comma-separated list of the IP addresses in the chain, with the
# rightmost address being the most recent.
#
# If a request reaches us from a source that is allowed by this
# configuration item, then we consult the X-Forwarded-For header
# to see where that host received the request from. If the
# X-Forwarded-For header contains multiple addresses, and if
# acl_uses_indirect_client is on, then we continue backtracking
# until we reach an address for which we are not allowed to
# follow the X-Forwarded-For header, or until we reach the first
# address in the list. (If acl_uses_indirect_client is off, then
# it's impossible to backtrack through more than one level of
# X-Forwarded-For addresses.)
#
# The end result of this process is an IP address that we will
# refer to as the indirect client address. This address may
# be treated as the client address for access control, delay
# pools and logging, depending on the acl_uses_indirect_client,
# delay_pool_uses_indirect_client and log_uses_indirect_client
# options.
#
# SECURITY CONSIDERATIONS:
#
# Any host for which we follow the X-Forwarded-For header
# can place incorrect information in the header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# For example:
#
# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all
# TAG: acl_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on
# TAG: delay_pool_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on
# TAG: log_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in the access log.
#
#Default:
# log_uses_indirect_client on
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks src 192.168.178.0/24
http_access allow our_networks
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
habe ein etwas seltsames Problem mit meinen Squid Proxy wenn ich von den Clients aus aufs Internet Zugreifen möchte. Sobald ich im Firefox goggel od. irgend eine andere Internetseite aufrufen möchte wird dieses nach einer gewissen Zeit mit einer Zeitüberschreitung abgebrochen. Ich habe in den ACLs den Zugriff schon für das komplette LAN Freigegeben und es Funktioniert leider dann auch noch nicht. Sobald ich aber an dem Rechner wo der Squid eingerichtet ist die Einstellungen in Mozilla od. Konqueror vornehme um über den Proxy ins Internet zugelagen Funktioniert es Tatellos und ohne Probleme.
Hier der Auszug aus der squid.conf eventuell findet ihr ja noch Probleme od. Fehler die beim Erstellen bzw. Anpassen passiert sind:
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: follow_x_forwarded_for
# Allowing or Denying the X-Forwarded-For header to be followed to
# find the original source of a request.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The X-Forwarded-For header will contain a
# comma-separated list of the IP addresses in the chain, with the
# rightmost address being the most recent.
#
# If a request reaches us from a source that is allowed by this
# configuration item, then we consult the X-Forwarded-For header
# to see where that host received the request from. If the
# X-Forwarded-For header contains multiple addresses, and if
# acl_uses_indirect_client is on, then we continue backtracking
# until we reach an address for which we are not allowed to
# follow the X-Forwarded-For header, or until we reach the first
# address in the list. (If acl_uses_indirect_client is off, then
# it's impossible to backtrack through more than one level of
# X-Forwarded-For addresses.)
#
# The end result of this process is an IP address that we will
# refer to as the indirect client address. This address may
# be treated as the client address for access control, delay
# pools and logging, depending on the acl_uses_indirect_client,
# delay_pool_uses_indirect_client and log_uses_indirect_client
# options.
#
# SECURITY CONSIDERATIONS:
#
# Any host for which we follow the X-Forwarded-For header
# can place incorrect information in the header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# For example:
#
# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all
# TAG: acl_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on
# TAG: delay_pool_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on
# TAG: log_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in the access log.
#
#Default:
# log_uses_indirect_client on
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks src 192.168.178.0/24
http_access allow our_networks
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all