Re: [squid-users] Dual homed squid under XP problems

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 25 Aug 2011 02:02:05 +1200

On 25/08/11 00:26, knapper wrote:
>
> ----- Original Message -----
> From: "Amos Jeffries"
<snip>
>>
>> FWIW; nothing you talk about below has anything to do with being
>> dual-homed (connected to _three_ networks, two being Internet links).
> Thanks.
>> What you are describing is a perfectly normal router setup with Squid on
>> the router, which happens to run Windows XP.
> Well in this case XP is NOT the router.
> That is handled by a separate router firewall.
>

So you have two routers. The squid box and the primary one.

Physical wiring:
  Clients->Router->Squid->Internet
or
  Clients->Squid->Router->Internet

Anyways, my point being this is normal standard config. :)

>>
>>> XP PRO with 2 nics. I need to set squid up to serve as a
>>> proxy server on one nic, and the other nic is the network
>>> interface.
>>> Nic A:
>>> 192.168.0.195 is the Dell server box and it points to 0.1
>>> for the internet gateway.
>>> I can browse the internet just fine without squid.
>>> Nic B is 192.168.9.195 is the second nic in the Dell box,
>>> and this is hooked to a WAP for the laptops in the small
>>> school.
>>> (not sure where to point its gateway, but I don't think
>>> pointing it to 0.195 is going
>>> to work).
>>>
>>> I want to configure squid to listen on the 9.x network, and
>>
>> http_port 192.168.9.195:3128
>>
>>> relay, and cache the traffic out the 0.x network. This way
>>
>> acl localnet src 192.168.0.0/24
>> http_access allow localnet
>
> I'm confused here. http access needs to be limited to the
> 9.x network I think.

Oops, yes you are right there.

> The local network will be the 9.x network, which are the
> schools laptops. They communicate
> over the wireless router (a D-Link) which is attached to a
> NIC, that has the address 192.168.9.195
>
> Ideally, the other nic will just attach to a DSL
> modem/gateway 192.168.0.1, and maybe the teachers laptop.
>
> The one wrinkle in that, is the possibility of having to use
> a Cellular "dongle" because DSL is not available at the
> school. Essentially, that is a USB device that acts as a
> modem, and installs as any
> other network card. In that case, the "dongle" will be
> attached to the box that squid wants to run on, and I'll
> have to configure squid to use *its* ip address.

That would be up to the OS. All Squid does is open connections. Possibly
with tcp_outgoing_address to force a particular IP address.

>
> o.k. some questions here, what is the tcp_outgoing_address
> config line for?
> I was trying to use it to force traffic out. 192.168.0.1

The "source" IP address on Squid->Internet TCP connections. Should be
completely optional.
  You could use it as an extra safety precaution to avoid firewall
issues with the strict firewall rules I assume you will be adding. It
can prevent things like the OS unexpectedly giving Squid a TCP
connection " 192.168.9.195 -> *.*.*.* " for Internet requests.
  You can set the firewall with certainty that IP X will be used by
squid outbound.

>
> The squid service is currently just hanging.
>
>> Ah students. That scenario is one I'm quite familiar with.
>
> PreK - 8th
>>
>>
>> When working with squid in school situations you will usually need to
>> set it up as a captive portal proxy to prevent a lot of trivial
>> bypassing.
>
> This is why I want the actual access to the internet to be
> on the 0.x network, and only allow the students access to it
> THROUGH the cache side of squid.

Of course.

I should mention, you won't be able to use any of the transparent
interception tricks due to Windows not having NAT support.

>
>> Look into blocking port 80 and other aliases of it getting to
>> the Internet. Adding WPAD protocol to the network and a PAC file doing
>> auto-configuration of browsers to use the proxy.
>
> I'm lost on this one, will have to go look these up.
>

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

>> The squid langpack bundles ship customizable error pages ERR_AGENT_*
>> that can be displayed in a captive-portal setup to instruct the users to
>> configure their browser properly for portals.
>>
>> At which point you don't need NetNanny for HTTP. Squid provides a full
>> array of URL and request controls. It passes traffic to other software
>> (via HTTP or in 3.1+ via ICAP/eCAP) for the complex jobs of handling
>> page content filtering.
>> NP: NetNanny is not one of those other software AFAIK.
>
> NetNanny is designed to run on one machine, and intercept
> browser traffic from that machine and
> filter it.
> I need to fake it into thinking it is protecting just one
> machine the "server", so it would be getting the
> requests out to 0.1 since it would be running with that as
> its gateway. It is a pretty comprehensive
> filtering package.
>
> I believe that by running squid on one side, using it to
> cache content, and then pass content to the 0.1 side, that
> NetNanny will work on the 0.1 side, block any proxy
> bypasses, but happily send data
> back to the squid side.

Interesting. Might work. Depends on exactly what that anti-proxy
functionality they were talking about does.

<snip>
>
> here is the config file that I tried to use. (I stripped all
> the comments out of this
> copy that I'm sending)
>
> Can you take a quick look and tell me what I need to change,
> and what I can delete.
>
<snip, ignoring okay bits>
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/24 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/16 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Those bits, like they say, are examples. Replace the localnet lines
above with the one for 192.168.9.0/24.

<snip, ignoring okay bits>
>
> # http_access deny all

Weird, but could cause you confusion later. You can erase that commented-out
line.

>
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>

There is "http_access allow localnet" missing right here.

>
> http_access deny all
>
> icp_access allow localnet
> icp_access deny all
>
> htcp_access allow localnet

ICP and HTCP are for proxy-to-proxy communications.
If you don't need it right now set them to just "deny all" and make sure
the matching icp_port/htcp_port are set to 0. Can be easily set up later.

>
> # Squid normally listens to port 3128
> #http_port 3128
> http_port 192.168.9.195:8080 no-connection-auth transparent
> http_port 192.168.9.195:3128 no-connection-auth transparent
> http_port 192.168.9.195:80 no-connection-auth transparent

This "transparent" could be part of the cause of your hang.

  ** Windows does not provide NAT.

Best you can do is use GPO policy and/or the WPAD protocol to do
"transparent configuration"/auto-configuration on the network.
The squid part of that is a regular proxy port like "http_port 3128".

>
> #internal nic 1
> #acl normal_service_net src 192.168.9.0/8

NP: definitely not /8. Parts outside of the 192.168.*.*/16 are allocated
to real organizations elsewhere.

>
> #second nic to internet appliance
> tcp_outgoing_address 192.168.0.1

This would be another part of the hang.

** Set to an IP on the Squid box facing the Internet. Or erase.

Otherwise it looks okay.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
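As an added illustration (not part of the thread, and not knapper's or Amos's own file), here is the posted squid.conf with every change from the reply applied in one place: localnet narrowed to the student WLAN, "transparent" dropped, the missing allow inserted in the right position, ICP/HTCP switched off, and tcp_outgoing_address moved to an address that actually belongs to the Squid box. It assumes the Squid box keeps 192.168.0.195 on the Internet-facing NIC and 192.168.9.195 on the WAP-facing NIC, and that the stock ACL definitions were among the comments knapper stripped.

```squid
# Constructed example: knapper's squid.conf with Amos's corrections applied.
# Assumes 192.168.0.195 = Internet-facing NIC, 192.168.9.195 = WAP-facing NIC.

# Stock ACL definitions from the default squid.conf (3.1-era syntax).
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Only the student WLAN is "local". The RFC1918 example lines
# (10.0.0.0/24, 172.16.0.0/16, 192.168.0.0/16) are gone, so nothing on
# the 0.x side can use the proxy.
acl localnet src 192.168.9.0/24

# Listen on the WAP-facing NIC only. No "transparent": Windows has no
# NAT, so interception cannot work; browsers learn the proxy via
# WPAD/PAC or GPO instead.
http_port 192.168.9.195:3128

# Order matters: the allow for localnet sits after the Safe_ports and
# CONNECT denies and before the final "deny all".
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# ICP/HTCP are proxy-to-proxy only; off until there is a peer.
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all

# Outbound source address must be an IP on this box, not the DSL
# gateway's 192.168.0.1. Erase this line when the cellular dongle is
# in use so the OS picks the dongle's address on its own.
tcp_outgoing_address 192.168.0.195
```

With the allow placed before "deny all", a laptop on 192.168.9.0/24 is admitted while a request arriving on the 0.x side never matches localnet and falls through to the deny.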
Received on Wed Aug 24 2011 - 14:03:38 MDT
