Author Topic: How do I configure squid and make it publically accessible?  (Read 6005 times)

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Hi,

I'm trying to restrict which websites a fleet of handheld computers can reach via their built-in GPRS modem.
I'm trying to do this by using our external ebox as a public squid proxy with a valid domain list of just one domain.

I have an ebox with an internal (192.168.28.1) and external interface (a.b.c.98).
ebox-squid is installed and configured to run on port 55000.
There is a firewall redirect from a.b.c.98 port 55000 to 192.168.28.1:55000.

I can telnet to a.b.c.98:55000 and the port appears to be open.

My squid settings are:

**General**
Transparent : Off
Port: 55000
Default Policy: Filter

**Objects' Policy**
None

**Filter**
Threshold: Very Permissive
File Extension Filtering: Default (Allow everything)
MIME Types Filtering: Default (Allow everything)
Domains filtering:
   Block not listed domains: Yes
   Block sites specified only as IP: Yes
Domains List:
   cobalt-tt3.biz: Always allow.

Now, I have a Windows CE 5 handheld.
I start Internet Explorer and browse to the correct page at that domain.
This works.
Now, if I set the proxy to:

Use Proxy: yes
Proxy Address: a.b.c.98:55000
Bypass Local: Yes

The page now fails to load (Cannot find server or DNS Error)

Can anybody see why this doesn't work?

Thanks,

J1M.

jjm1982

  • Zen Warrior
  • Posts: 200
  • Karma: +7/-0
Re: How do I configure squid and make it publically accessible?
« Reply #1 on: June 04, 2009, 01:27:47 pm »
Have you tried turning transparency on?

Jim

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #2 on: June 04, 2009, 01:39:27 pm »
No, but it's not meant to be Transparent.
It's meant to be an explicit proxy.
And it couldn't be transparent as the Windows CE handhelds are on the public internet (not going through my router)

Thanks,

J1M.

jjm1982

  • Zen Warrior
  • Posts: 200
  • Karma: +7/-0
Re: How do I configure squid and make it publically accessible?
« Reply #3 on: June 04, 2009, 01:55:49 pm »
Sorry, I misread where Windows CE was connecting to, thought it was going through your router.

From what I take it so far, you have a Win CE device connecting to the public internet, then to your router, to ebox. You have a firewall rule that redirects this connection to port 55000, which is also set up as the proxy. For this valid domain list, is this internal to your network or is it in the public domain?

...I'm thinking you may need a service to convert the proxy port (55000) back to port 80?

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #4 on: June 04, 2009, 02:24:54 pm »
The cobalt web site is a real public website, not inside our intranet.
The handheld goes to a public website, via our public http proxy.

No, the http proxy is on 55000 but this has nothing to do with the public target website being on port 80.

Regards,

J1M.

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #5 on: June 04, 2009, 02:47:43 pm »
From /var/log/syslog

Code:
Jun  4 13:33:48 router-external kernel: [12260.718726] ebox-firewall drop IN=eth0 OUT= SRC=89.193.237.138 DST=192.168.28.1 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=27137 DF PROTO=TCP SPT=3275 DPT=55000 WINDOW=32768 RES=0x00 SYN URGP=0
Jun  4 13:33:51 router-external kernel: [12263.508438] ebox-firewall drop IN=eth0 OUT= SRC=89.193.237.138 DST=192.168.28.1 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=27139 DF PROTO=TCP SPT=3275 DPT=55000 WINDOW=32768 RES=0x00 SYN URGP=0
Jun  4 13:33:57 router-external kernel: [12269.573301] ebox-firewall drop IN=eth0 OUT= SRC=89.193.237.138 DST=192.168.28.1 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=27140 DF PROTO=TCP SPT=3275 DPT=55000 WINDOW=32768 RES=0x00 SYN URGP=0
Jun  4 13:34:18 router-external kernel: [12290.770653] ebox-firewall drop IN=eth0 OUT= SRC=89.193.237.138 DST=a.b.c.98 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=0 PROTO=TCP SPT=3275 DPT=55000 WINDOW=0 RES=0x00 RST URGP=0

So, I have to add firewall rules? I thought redirects automatically added firewall rules?

J1M.

jjm1982

  • Zen Warrior
  • Posts: 200
  • Karma: +7/-0
Re: How do I configure squid and make it publically accessible?
« Reply #6 on: June 04, 2009, 03:01:11 pm »
It looks that way. If that doesn't work, how about using a VPN? Going the VPN route it should surely work and be more secure.

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #7 on: June 04, 2009, 03:06:21 pm »
OK, changes made, something else is happening.

Added a new Service (ExternalHTTPProxy, Any --> TCP 55000)
Added a new External to Ebox rule (Any Source to ExternalHTTPProxy)

Now, no more drops in syslog.

But, on the handheld I get:

Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to retrieve the URL:
<A HREF="www.cobalt-tt3.biz:443">www.cobalt-tt3.biz:443</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Access Denied.
</STRONG>
<

Is this a Squid access denied error?

J1M.

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #8 on: June 04, 2009, 03:18:00 pm »
Right,

Almost there now.

I've set the Default Policy to Always Allow.
I've Disabled the content filter
I've removed the domain filter.

Now, I can finally see the website through the proxy!

However, I can of course see ANY website through the proxy!  ;D
So, how do I lock down squid to only allow access to www.cobalt-tt3.biz?

Thanks,

J1M.

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #9 on: June 04, 2009, 04:19:14 pm »
OK,

Looking pretty serious now...  :-\

I can either allow all access or deny all access.
General Policy is the only setting that makes any difference; the rest are completely irrelevant.

Always Allow = Allow
Filter/Always Deny = Deny (regardless of what I change in Filter settings)

Bug?

Looking in /etc/squid/squid.conf:

Code:
# <EBOX> TAG_HTTPORT #
http_port 55000
# END_TAG #

visible_hostname localhost
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
coredump_dir /var/spool/squid
cache_effective_user proxy
cache_effective_group proxy
cache_mem 100 MB
access_log /var/log/squid/access.log squid


# <EBOX> TAG_ACL #

# END_TAG #
acl localhost src 127.0.0.0/8
acl localhostdst dst 127.0.0.0/8
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow localhost
http_access deny manager
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all

# <EBOX> TAG_HTTP_ACCESS #
http_access allow all
# END_TAG #

always_direct allow localhostdst

There is nothing in # <EBOX> TAG_ACL #, should that be filled in with my stuff about cobalt-tt3.biz?

Regards,

James.

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #10 on: June 04, 2009, 04:31:57 pm »
With Default Policy set to Filter you get this in the conf file:

Code:
# <EBOX> TAG_HTTP_ACCESS #
http_access deny all
# END_TAG #

I don't see anything in the file about a filter. Not that I know squid.conf files, but I would have thought there would be something tagged EBOX above the last, default deny all about filtering.

Anybody from eBox staff?

Thanks,

J1M.
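An added example of the lock-down asked for above, written by the editor and not taken from the posts or from eBox's own squid templates: a minimal Squid 2.x `http_access` block for an explicit proxy on port 55000 that lets clients reach only www.cobalt-tt3.biz (and other hosts under that domain) and denies everything else. The `SSL_ports`, `Safe_ports`, `CONNECT`, `manager`, `localhost` and `all` ACL names are the ones from the posted squid.conf; `allowed_sites` is an assumed name, and `Safe_ports` is deliberately narrowed to 80 and 443 instead of the long list in the generated file. Two caveats: eBox regenerates squid.conf from its templates when the module is saved, so lines hand-edited between the `<EBOX>` tags will be overwritten, and the "Access Denied" page quoted above was for `www.cobalt-tt3.biz:443`, i.e. a CONNECT request, which only gets through if the domain allow rule sits after the `deny CONNECT !SSL_ports` check and before the final `deny all`.

```conf
# Added example (not from the original post): explicit Squid proxy on
# TCP 55000 that only allows one destination domain.
http_port 55000

# Port and method ACLs, same names as the posted squid.conf but with
# Safe_ports narrowed to plain HTTP and HTTPS only.
acl localhost  src   127.0.0.0/8
acl all        src   0.0.0.0/0.0.0.0
acl manager    proto cache_object
acl SSL_ports  port  443
acl Safe_ports port  80
acl Safe_ports port  443
acl CONNECT    method CONNECT

# Assumed ACL name. The leading dot makes the ACL match the bare domain
# and every host under it, so www.cobalt-tt3.biz is covered.
acl allowed_sites dstdomain .cobalt-tt3.biz

# http_access is evaluated top to bottom; the first matching line wins.
http_access allow localhost
http_access deny  manager
http_access deny  !Safe_ports            # only 80 and 443 as target ports
http_access deny  CONNECT !SSL_ports     # tunnels (HTTPS) only to 443
http_access allow allowed_sites          # GET/POST and CONNECT to the one domain
http_access deny  all                    # every other site, including bare-IP URLs

http_reply_access allow all
```

Requests for any other domain, and requests written with an IP address instead of a name, fail to match `allowed_sites` and fall through to `deny all`, which is what the GUI's "Block not listed domains" and "Block sites specified only as IP" settings describe. Note that Squid 2 may reverse-resolve an IP-only URL before matching a `dstdomain` ACL, so an IP whose PTR record points into cobalt-tt3.biz would still be allowed; if that matters, add an explicit `dst` ACL for the site's addresses instead of relying on the domain name alone. Because the proxy is reachable from the whole internet on a.b.c.98:55000, the `deny all` line is also what stops the box from being an open proxy for anyone who finds the port.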

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #11 on: June 04, 2009, 04:36:31 pm »
Oops:

Code:
root@router-external:/var/log/squid# sudo /etc/init.d/dansguardian stop
 * Stopping DansGuardian dansguardian   [ OK ]
root@router-external:/var/log/squid# sudo /etc/init.d/dansguardian start
 * Starting DansGuardian dansguardian   [fail]

It's the same problem as this thread I think:

http://forum.ebox-platform.com/index.php?topic=1287

I'm going to go and post more information on my problem in that thread.

Regards,

J1M.

javi

  • Zen Hero
  • Posts: 1042
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #12 on: June 05, 2009, 12:55:33 am »
Please post the output of:

Code:
apt-cache policy ebox-squid
apt-cache policy dansguardian

RoboJ1M

  • Zen Monk
  • Posts: 51
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #13 on: June 05, 2009, 10:49:03 am »
Will do:
I've also posted in that other thread.

Code:
administrator@router-external:~$ apt-cache policy ebox-squid
ebox-squid:
  Installed: 1.0.1-0ubuntu1~ppa1~hardy2
  Candidate: 1.0.1-0ubuntu1~ppa1~hardy2
  Version table:
 *** 1.0.1-0ubuntu1~ppa1~hardy2 0
        500 http://ppa.launchpad.net hardy/main Packages
        100 /var/lib/dpkg/status
     0.11.99-0ubuntu3 0
        500 http://gb.archive.ubuntu.com hardy/universe Packages
administrator@router-external:~$ apt-cache policy dansguardian
dansguardian:
  Installed: 2.9.9.7-2~hardy2ebox
  Candidate: 2.9.9.7-2~hardy2ebox
  Version table:
 *** 2.9.9.7-2~hardy2ebox 0
        500 http://ppa.launchpad.net hardy/main Packages
        100 /var/lib/dpkg/status
     2.9.9.7-2~hardy2 0
        500 http://gb.archive.ubuntu.com hardy-updates/universe Packages
        500 http://security.ubuntu.com hardy-security/universe Packages
     2.8.0.6-antivirus-6.4.4.1-4build1 0
        500 http://gb.archive.ubuntu.com hardy/universe Packages
administrator@router-external:~$

Regards,

J1M.

javi

  • Zen Hero
  • Posts: 1042
  • Karma: +0/-0
Re: How do I configure squid and make it publically accessible?
« Reply #14 on: June 08, 2009, 04:41:42 pm »
Sorry for not getting back to you earlier.

We need to find out what's the problem with your dansguardian, please run:

Code:
sudo dansguardian

Check if it complains about anything...