Настройка https squid

0

0

Здравствуйте! Проблема такова: линукс машина CentOS 6.3 работает в виде шлюза в инет для двух локалок. К машине подключены 2 провайдера.

eth0      Link encap:Ethernet  HWaddr 08:00:27:83:62:D0  
          inet addr:192.168.7.200  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe83:62d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9597 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2387251 (2.2 MiB)  TX bytes:3534 (3.4 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:42:C5:6F  
          inet addr:192.168.1.28  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe42:c56f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2704 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9907 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1710736 (1.6 MiB)  TX bytes:1321461 (1.2 MiB)

eth2      Link encap:Ethernet  HWaddr 08:00:27:D7:40:54  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fed7:4054/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:720 (720.0 b)

eth3      Link encap:Ethernet  HWaddr 08:00:27:3E:29:60  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe3e:2960/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2151 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:221167 (215.9 KiB)  TX bytes:1760006 (1.6 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Интерфейсы eth0 и eth1- провайдера, eth2 и eth3- локалки. eth2 ходит через eth0, eth3 через eth1. Пытаюсь настроить прозрачный прокси SQUID для блокировки нежелательных сайтов и рекламы. Блокировку сайтов настроил, рекламу пока нет, но есть проблема: из локалок недоступны сайты по протоколу https. Пытался настроить правила в iptables с 443 портом, да что-то не получается. Подскажите пожалуйста ошибку. Заранее огромное спасибо! Версия squid 3.1.23 Конфигурационный файл squid.conf:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 192.168.0.0/24	# RFC1918 possible internal network
acl localnet src 192.168.2.0/24	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
#################################################################################
#acl url_filtred src 192.168.0.1-192.168.0.254
#acl url_filtred src 192.168.2.1-192.168.2.254
#acl blockkeyword1 url_regex mail
#acl blockkeyword1 url_regex ok
#acl blockkeyword1 url_regex vk
#acl blocksite1 dstdomain ok.ru
#acl blocksite2 dstdomain vk.com
#acl block dstdomain "/etc/squid/blacklist.acl"
#################################################################################
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl block url_regex "/etc/squid/blacklist.acl"
#
# Recommended minimum Access Permission configuration:
#
visible_hostname proxy
cache deny all
http_access deny block
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
#http_access deny blocksite1
#http_access deny blocksite2
#http_access deny blacklist url_filtred
#http_access deny block
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 transparent

forwarded_for off

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
#cache_dir null /tmp
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

Правила iptables

# Generated by iptables-save v1.4.7 on Mon Sep 14 15:04:27 2015
*nat
:PREROUTING ACCEPT [150:14588]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
#-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 3128
-A PREROUTING -s 192.168.7.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.7.200:3128
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.28:3128
-A PREROUTING -s 192.168.7.0/24 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.7.200:3128
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.28:3128
-A POSTROUTING -p tcp -s 192.168.0.0/24 --dport 80 -j SNAT --to-source 192.168.0.1 
-A POSTROUTING -p tcp -s 192.168.2.0/24 --dport 80 -j SNAT --to-source 192.168.2.1
-A POSTROUTING -p tcp -s 192.168.0.0/24 --dport 443 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -p tcp -s 192.168.2.0/24 --dport 443 -j SNAT --to-source 192.168.2.1
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Mon Sep 14 15:04:27 2015
# Generated by iptables-save v1.4.7 on Mon Sep 14 15:04:27 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [2:160]
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -i eth0 -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth2 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i eth3 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth2 -p icmp -j ACCEPT 
-A INPUT -i eth3 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -i eth2 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 192.168.2.0/24 -i eth3 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -s 192.168.2.0/24 -i eth3 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.2.0/24 -i eth3 -o eth1 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth2 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT 
-A FORWARD -s 192.168.0.0/24 -i eth2 -o eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -o eth2 -p icmp -j ACCEPT 
-A OUTPUT -o eth3 -p icmp -j ACCEPT 
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p udp -m udp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p udp -m udp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT 
COMMIT
# Completed on Mon Sep 14 15:04:27 2015

Ссылка

←	Проброс трафика в локалку со 2-го провайдера (не дефолт роут)

администрирование samba

→

вот, что пишется в access.log, когда захожу на google.ru


1442466597.506    258 192.168.0.4 TCP_MISS/200 2383 GET http://sitecheck2.opera.com/? - DIRECT/82.145.215.41 text/xml
1442466597.666    418 192.168.0.4 TCP_MISS/301 657 GET http://google.ru/ - DIRECT/74.125.232.111 text/html
1442466597.906    136 192.168.0.4 TCP_MISS/200 2391 GET http://sitecheck2.opera.com/? - DIRECT/82.145.215.41 text/xml
1442466598.183    414 192.168.0.4 TCP_MISS/302 625 GET http://www.google.ru/ - DIRECT/74.125.232.127 text/html
1442466598.186      0 192.168.0.4 NONE/400 3989 NONE error:invalid-request - NONE/- text/html
1442466598.188      0 192.168.0.4 NONE/400 3989 NONE error:invalid-request - NONE/- text/html
1442466598.192      0 192.168.0.4 NONE/400 3989 NONE error:invalid-request - NONE/- text/html
1442466598.194      0 192.168.0.4 NONE/400 3989 NONE error:invalid-request - NONE/- text/html

Rino256
(17.09.15 08:55:46 MSK) автор топика

Ответ на: комментарий от Rino256 17.09.15 08:55:46 MSK

У тебя же прозрачный прокси. Сквид ждет читаемый http-заголвоок, чтобы обработать запрос, а получает холобурду SSL вместо него.

Radjah ★★★★★
(17.09.15 09:44:20 MSK)

Ссылка

Ответ на: комментарий от Rino256 17.09.15 08:55:46 MSK

На прозрачном сквиде https настраивают через SSL Bump вроде, но используя данный метод прийдется на все Компы и устройства в сети ставить свой сертификат. По другому никак

CeMKa ★
(17.09.15 14:18:28 MSK)

Ссылка

Ответ на: комментарий от Rino256 17.09.15 08:55:46 MSK

Лучше пусти юзверей по 443 порту через NAT. Если нужно будет заблочить сайт https блокируй через iptables. Imho

anonymous
(17.09.15 20:08:12 MSK)

Ссылка

Ответ на: комментарий от Rino256 17.09.15 08:55:46 MSK

Лучше пусти юзверей по 443 порту через NAT. Если нужно будет заблочить сайт https блокируй через iptables. Imho

anonymous
(17.09.15 20:09:03 MSK)

Ответ на: комментарий от anonymous 17.09.15 20:09:03 MSK

Не, мне нужно что бы все ходило именно через squid

Rino256
(18.09.15 07:30:21 MSK) автор топика

Ответ на: комментарий от Rino256 18.09.15 07:30:21 MSK

Тогда настрой нормальный прокси и «не занимайся черт знает чем». Про SSLBump тебе уже писали.

CHIPOK ★★★
(18.09.15 07:37:45 MSK)

Ссылка

Ответ на: комментарий от Rino256 18.09.15 07:30:21 MSK

Вообщем завернул я 443 порт через squid. Вот только вылезла другая трабла: не все сайты https корректно открываются, например mail.ru. вот лог при открытии mail.ru

1442550545.505    377 192.168.0.4 TCP_MISS/200 606 GET http://clients1.google.com/complete/search? - DIRECT/74.125.232.96 text/javascript
1442550546.150    339 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.248     93 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.337     85 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.426     85 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.515     85 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.606     86 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.711    101 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.801     86 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.899     94 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550546.989     85 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.081     88 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.172     87 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.265     88 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.354     83 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.451     93 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.541     86 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.631     85 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.724     88 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.815     87 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.903     84 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html
1442550547.994     86 192.168.0.4 TCP_MISS/302 618 GET http://mail.ru/ - DIRECT/94.100.180.202 text/html

или когда клиент пытается зайти на twitter.com

1442551869.388    444 192.168.0.4 TCP_MISS/200 572 GET http://clients1.google.com/complete/search? - DIRECT/74.125.232.100 text/javascript
1442551869.792    131 192.168.0.4 TCP_MISS/200 577 GET http://clients1.google.com/complete/search? - DIRECT/74.125.232.100 text/javascript
1442551870.692    384 192.168.0.4 TCP_MISS/200 615 GET http://sitecheck2.opera.com/? - DIRECT/82.145.223.176 text/xml
1442551870.916    607 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551871.124    208 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551871.345    217 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551871.557    208 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551871.768    206 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551871.977    206 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551872.192    212 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551872.407    210 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551872.620    209 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551872.846    221 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551873.069    220 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551873.294    222 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551873.517    218 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551873.746    226 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551873.969    218 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551874.193    221 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551874.407    210 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551874.619    208 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551874.847    226 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551875.073    223 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -
1442551875.285    207 192.168.0.4 TCP_MISS/301 329 GET http://twitter.com/ - DIRECT/199.16.156.6 -

Rino256
(18.09.15 07:58:50 MSK) автор топика

Ответ на: комментарий от Rino256 18.09.15 07:58:50 MSK

Вот настройки squid

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 192.168.0.0/24	# RFC1918 possible internal network
acl localnet src 192.168.2.0/24	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
#################################################################################
#acl url_filtred src 192.168.0.1-192.168.0.254
#acl url_filtred src 192.168.2.1-192.168.2.254
#acl blockkeyword1 url_regex mail
#acl blockkeyword1 url_regex ok
#acl blockkeyword1 url_regex vk
#acl blocksite1 dstdomain ok.ru
#acl blocksite2 dstdomain vk.com
#acl block dstdomain "/etc/squid/blacklist.acl"
#################################################################################
acl SSL_ports port 443
acl Safe_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl block url_regex "/etc/squid/blacklist.acl"
#
# Recommended minimum Access Permission configuration:
#
visible_hostname proxy
cache_effective_user squid
cache_effective_group squid
##redirect###
#url_rewrite_program /etc/squid/redirect.pl
#redirect_rewrites_host_header on
#redirect_children 20
############
cache deny all
http_access deny block
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow SSL_ports
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
#http_access deny blocksite1
#http_access deny blocksite2
#http_access deny blacklist url_filtred
#http_access deny block
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ssl/squid.key cert=/etc/squid/ssl/squid.pem
#https_port 3129 transparent key=/etc/squid/key.pem cert=/etc/squid/certificate.pem
forwarded_for off
#
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
#
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

Rino256
(18.09.15 07:59:38 MSK) автор топика

Ответ на: комментарий от Rino256 18.09.15 07:59:38 MSK

и правила iptables

# Generated by iptables-save v1.4.7 on Mon Sep 14 15:04:27 2015
*nat
:PREROUTING ACCEPT [150:14588]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -i eth2 -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A PREROUTING -p tcp -i eth2 -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -p tcp -s 192.168.0.0/24 -m tcp --dport 80 -j SNAT --to-source 192.168.0.1 
-A POSTROUTING -p tcp -s 192.168.2.0/24 -m tcp --dport 80 -j SNAT --to-source 192.168.2.1
-A POSTROUTING -p tcp -s 192.168.0.0/24 -m tcp --dport 443 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -p tcp -s 192.168.2.0/24 -m tcp --dport 443 -j SNAT --to-source 192.168.2.1
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Mon Sep 14 15:04:27 2015
# Generated by iptables-save v1.4.7 on Mon Sep 14 15:04:27 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [2:160]
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -i eth0 -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth2 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i eth3 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth2 -p icmp -j ACCEPT 
-A INPUT -i eth3 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -i eth2 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -s 192.168.2.0/24 -i eth3 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -s 192.168.2.0/24 -i eth3 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.2.0/24 -i eth3 -o eth1 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth2 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT 
-A FORWARD -s 192.168.0.0/24 -i eth2 -o eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -o eth2 -p icmp -j ACCEPT 
-A OUTPUT -o eth3 -p icmp -j ACCEPT 
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p udp -m udp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p udp -m udp --sport 53 -j ACCEPT 
-A OUTPUT -s 192.168.0.0/24 -o eth2 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -s 192.168.2.0/24 -o eth3 -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT 
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT 
COMMIT
# Completed on Mon Sep 14 15:04:27 2015

Подскажите пожалуйста что за фиговина и как ее решить, если кто сталкивался. Заранее спасибо

Rino256
(18.09.15 08:00:10 MSK) автор топика

Ответ на: комментарий от Rino256 18.09.15 08:00:10 MSK

Сайты, как я понял, перенаправляют. Может кто знает, как правильно либо разрешить как-то перенаправление

Rino256
(18.09.15 08:40:47 MSK) автор топика

Ссылка

Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.

←	Проброс трафика в локалку со 2-го провайдера (не дефолт роут)

Admin

администрирование samba

→

Похожие темы