Rad1us, 2015-06-05 19:29:06

Squid does not work properly on FreeBSD. Where is the mistake?

Greetings. Friends, I've only been learning FreeBSD for a few days. To start with, I chose K.A. Kornienko's book "FreeBSD 9 Corporate Internet Server".
I run all my experiments on VMware Workstation, where two virtual machines are installed: one with FreeBSD, the other with XP (which is, supposedly, on the LAN behind the proxy server). I installed Squid, configured everything as described, and added a rule that forbids going to yandex.ru, but here's the bad luck:
1. XP does not get to yandex.ru, but if you enter https://yandex.ru, the site opens.
2. XP does not get to any site at all now, except for those to which you can add https://
And yes, while Squid was not transparent, there was one thing: when entering yandex.ru, a page appeared with the Squid logo and "access denied...". Now the default is "page not available".
What is the problem? Please tell me! I haven't been able to figure it out for a couple of days now; I've read a lot of forums, but there is no result...
Everything I configured in FreeBSD:
uname -a
FreeBSD free9.home.com 9.3-RELEASE FreeBSD 9.3-RELEASE #0:
rc.conf
hostname="free9.home.com"
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="NO"
#____Networks
ifconfig_em0="inet 192.168.1.252 netmask 255.255.255.0"
ifconfig_em1="inet 172.16.0.1 netmask 255.255.255.0"
#____Firewall
firewall_enable="YES"
firewall_type="/etc/firewall.conf"
#____Named
named_enable="YES"
#____NAT
gateway_enable="YES"
natd_enable="YES"
natd_interface="em0"
#____SQUID
squid_enable="YES"
named.conf
acl ACCESS { 127.0.0.1; 172.16.0.0/24 ;};
options {
listen-on { 127.0.0.1; 172.16.0.1; };
allow recursion { ACCESS; };
forwarders {
192.168.1.1;
8.8.8.8;
};
};
firewall.conf
add 4000 divert natd ip from any to any via em0
add 4100 fwd 127.0.0.1,
add 65500 allow ip from any to any
squid.conf
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/24 # RFC1918 possible internal network
acl dom_deny dstdomain yandex.ru
#acl users src "/usr/local/etc/squid/users.txt"
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet !dom_deny
#http_access allow localhost
#http_access allow users
http_access deny all
http_port 3128 transparent
coredump_dir /var/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


3 answers
mureevms, 2015-06-06
@rad1us

When troubleshooting, keep the influence of all possible components to a minimum. Namely:
- switch the firewall to allow-all mode
- completely disable https in Squid
- remove all your ACLs from Squid, except for

acl localnet src 172.16.0.0/24 # this subnet of yours is the virtual one, isn't it
http_access allow localnet

If everything is correct, then it should work.

Alexander, 2015-06-05
@Tilk

The http_access deny CONNECT !SSL_ports rule instructs Squid to block everything except https.

Konkase, 2015-06-06
@Konkase

You cannot block https traffic to the domain you need. To block by a specific domain, you need to know what is inside the encrypted traffic, and that means either having the owner's private key, replacing it with your own, or blocking entirely by IP.
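To see why symptom 1 in the question and this answer go together, here is an added example (not code from the post, from Squid or from ipfw) that models the path a LAN client's connection takes: ipfw only forwards TCP port 80 into Squid, so port 443 never reaches the dstdomain ACL at all. It assumes the cut-off rule 4100 is the usual "fwd 127.0.0.1,3128 tcp from 172.16.0.0/24 to any 80"; the sample requests are constructed.

```python
# Added example: a model of the asker's ipfw path plus Squid's first-match
# http_access evaluation. Not the real ipfw or Squid engines.

DENY_DOMAINS = ["yandex.ru"]  # acl dom_deny dstdomain yandex.ru (from the post)

def in_localnet(src_ip: str) -> bool:
    # acl localnet src 172.16.0.0/24; a plain /24 prefix check is enough here
    return src_ip.startswith("172.16.0.")

def firewall_path(src_ip: str, dport: int) -> str:
    """'squid' if ipfw redirects the flow into http_port 3128, else 'nat'."""
    if in_localnet(src_ip) and dport == 80:
        return "squid"   # assumed rule 4100: fwd 127.0.0.1,3128 ... to any 80
    return "nat"         # rule 65500 allow ip from any to any -> plain natd

def dstdomain_match(pattern: str, host: str) -> bool:
    # Squid dstdomain syntax: a leading dot also matches subdomains,
    # "yandex.ru" without a dot matches only that exact host name.
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_match(name: str, src_ip: str, host: str) -> bool:
    if name == "localnet":
        return in_localnet(src_ip)
    if name == "dom_deny":
        return any(dstdomain_match(p, host) for p in DENY_DOMAINS)
    if name == "all":
        return True
    raise ValueError("unknown acl " + name)

# The http_access lines from the post that can match a port-80 LAN request
# (Safe_ports, CONNECT and manager lines never match such a request).
HTTP_ACCESS = [("allow", ["localnet", "!dom_deny"]), ("deny", ["all"])]

def squid_verdict(src_ip: str, host: str) -> str:
    """First line whose ACLs all match decides, as Squid evaluates http_access."""
    for action, acls in HTTP_ACCESS:
        if all(acl_match(a[1:], src_ip, host) is False if a.startswith("!")
               else acl_match(a, src_ip, host) for a in acls):
            return action
    return "deny"  # not reached here because the list ends with 'deny all'

def outcome(src_ip: str, host: str, dport: int) -> str:
    """What the client gets: a Squid decision, or no proxy at all for non-80 ports."""
    if firewall_path(src_ip, dport) == "nat":
        return "bypasses squid (NAT only)"
    return "squid " + squid_verdict(src_ip, host)

if __name__ == "__main__":
    for host, port in (("yandex.ru", 80), ("yandex.ru", 443), ("freebsd.org", 80)):
        print(f"{host}:{port} -> {outcome('172.16.0.10', host, port)}")
```

The https://yandex.ru case comes out as "bypasses squid", which is the symptom the asker describes: the block lives in Squid, but the 443 flow is only ever NATed.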
