
Thread: Squid Proxy Problem

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    450

    Squid Proxy Problem

    Hi people, I am hoping someone can help me with a small problem I seem to be having with squid.

    I run a linux gateway to the internet running squid (transparent proxy), dansguardian and gshield firewall.

    OK, the problem is the kids found out that if they enter no port number (i.e. blank) in the browser proxy settings, they not only bypass dansguardian but connect directly to squid and can basically download to their hearts' content ... well, 1.1 GB in just over an hour yesterday, to be exact. I don't have any filtering rules in squid; it's a web-cache proxy and works with adzap to cull ads on web pages - so anyone connecting directly has the world at their feet, so to speak.

    Transparent proxy works and works well - there is no direct connection to the internet from the network at all.

    I thought it might be some quirky thing with IE on their XP boxes, but alas, Opera 7.5 on my linux workstation does the same thing when you take out the port number and just leave the IP of the squid box in the proxy settings.

    I googled and googled until the fingers bled .... and couldn't find an acceptable answer. Some suggested that there is another proxy running on the machine ... nope, not that I can see, stopped apache just in case - but no wasn't that ... netstat didn't throw up any clues either.

    I finally ended up setting up an acl in squid that stops my darling teenage sons getting access to the squid box without passing through dansguardian (which I use to block downloads - mp3, avi etc. - my RIAA/MPAA insurance, so to speak) - but this does not solve the mystery as to why they could connect to the proxy server in the first place without entering a port number in the browser settings.

    I am just wondering if anyone has experienced this or knows anything about it, and is prepared to shed a little light on the subject for me.

    Thanks in advance.

    PP

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I don't know much about squid and/or dansguardian but I can take a stab.

    I'm assuming the clients connect to the dansguardian which in turn connects to squid on the localhost. Am I right?

    If so make sure squid only listens on localhost instead of all ip addresses (probably a config option).

    normal:
    clients --server-->[dansguardian on port 8080]--localhost-->[squid on port 1080]-->outside

    bypassed:
    clients -----------------------------server---------------------------->[squid on port 1080]-->outside


    They're probably bypassing dansguardian by connecting to the server directly on port 1080. Since squid listens on all ip addresses it will accept the connection.

    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    May 2002
    Posts
    450
    SirDice

    Thanks for the reply (my post must have made a little sense - you're pretty much on the mark with the network setup). Clients >>> Dansguardian >>> Squid >>> WWW is spot on.

    I'll look into the localhost/squid issue - I thought I had tried that, but will revisit and check it out.

    Thanks again.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It was the only setup that made sense (including the bypassing).

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    How is your transparent proxying set up on the firewall? My bet is that it forwards port 80/443 traffic to squid's port (3128 by default) and not to dansguardian's port, so that when no proxy port is specified, it goes to squid instead of dansguardian.

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    ammo is right.
    If the user removes the proxy settings, frames will be sent directly to the firewall (router) and the firewall will redirect them to squid, as with Netfilter's REDIRECT.
    If ammo is correct, just create a rule on the squid box (activate netfilter there) and reject any frame that comes directly from a user PC.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Senior Member
    Join Date
    May 2002
    Posts
    450
    .... making sense now, especially ammo's comment.

    Looks like I have to go in and tweak the firewall settings; it's only a couple of machines that need to go through dansguardian, the rest (being the responsible, bill-paying owners of the account - read parents) just need to go through squid.

    A few lines in the firewall to specifically nail down the kids machines and leave the acl's in squid to deny them direct access should do the trick nicely.

    Thanks heaps, people. Day 2 without the cigarettes and I guess I wasn't thinking too clearly.
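
    The packet path that ammo, SirDice and the "reject frames direct from a user PC" suggestion describe, as an added example that is not code or configuration from anyone in this thread. It is a small Python model of the squid box: a connection entering the machine first passes the netfilter nat/PREROUTING chain (the `iptables -t nat -A PREROUTING ... -j REDIRECT --to-port N` rules a transparent proxy uses), is then delivered to whatever daemon is bound on the rewritten port and address (squid's `http_port` address), and, if that daemon is squid, is subject to `http_access`. It compares the original layout (everything on port 80 redirected to squid, squid bound on all addresses) with SirDice's localhost-only binding and with the per-machine redirect plus squid ACL that post #7 plans. All addresses, the kids' machines, port numbers, ACL names and the assumption that a blank proxy port makes the browser connect to the proxy host on port 80 are made up for the example.

```python
"""Toy model of the transparent-proxy gateway discussed in the thread.

Constructed example: every address, port and ACL name below is an assumption,
as is the idea that a blank proxy port in the browser means "connect on port 80".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

GATEWAY_LAN_IP = "192.168.1.1"                  # assumed LAN address of the squid box
KIDS = ["192.168.1.10/32", "192.168.1.11/32"]   # assumed addresses of the kids' PCs
SQUID_PORT = 3128                               # squid's default http_port
DG_PORT = 8080                                  # dansguardian's default filterport


def is_kid(addr: str) -> bool:
    return any(ip_address(addr) in ip_network(net) for net in KIDS)


@dataclass
class Redirect:
    """iptables -t nat -A PREROUTING [-s SRC] -p tcp --dport DPORT -j REDIRECT --to-port TO_PORT"""
    dport: int
    to_port: int
    src: Optional[str] = None                   # None = no -s match, so any source

    def matches(self, src: str, dport: int) -> bool:
        return dport == self.dport and (self.src is None or ip_address(src) in ip_network(self.src))


@dataclass
class Gateway:
    prerouting: List[Redirect]                  # nat/PREROUTING, first matching rule wins
    squid_bind: str = "0.0.0.0"                 # address part of squid.conf http_port
    deny_kids_direct: bool = False              # squid.conf: http_access deny kids

    def route(self, src: str, dst: str, dport: int) -> str:
        """Label the daemon a SYN from src to dst:dport finally reaches."""
        # 1. nat/PREROUTING sees every packet entering the box, whether it is addressed
        #    to the gateway itself or to a host beyond it.  REDIRECT rewrites the
        #    destination to the incoming interface's address and the target port.
        for rule in self.prerouting:
            if rule.matches(src, dport):
                dst, dport = GATEWAY_LAN_IP, rule.to_port
                break
        if dst != GATEWAY_LAN_IP:
            return "dropped by firewall"        # the thread says nothing goes out directly
        # 2. local delivery: which daemon is bound on that port?
        if dport == DG_PORT:
            # dansguardian filters, then opens its own connection to squid over loopback
            return self.squid(client="127.0.0.1", dst="127.0.0.1", via="dansguardian")
        if dport == SQUID_PORT:
            return self.squid(client=src, dst=dst, via="direct")
        return "refused"                        # nothing listening

    def squid(self, client: str, dst: str, via: str) -> str:
        if self.squid_bind not in ("0.0.0.0", dst):
            return "refused"                    # squid is not bound on that address
        if self.deny_kids_direct and is_kid(client):
            return "denied by squid acl"        # http_access deny kids, before the allow
        return "squid via " + via


# The setup in the original post: port 80 redirected to squid for everyone.
BROKEN = Gateway(prerouting=[Redirect(80, SQUID_PORT)])
# SirDice's suggestion on its own: squid bound to 127.0.0.1 only.
LOCALHOST_ONLY = Gateway(prerouting=[Redirect(80, SQUID_PORT)], squid_bind="127.0.0.1")
# Post #7's plan: kids' machines redirected to dansguardian, everyone else to squid,
# plus a squid ACL so the kids cannot walk up to port 3128 themselves.
FIXED = Gateway(
    prerouting=[Redirect(80, DG_PORT, src=k) for k in KIDS] + [Redirect(80, SQUID_PORT)],
    deny_kids_direct=True,
)


def demo(gw: Gateway) -> dict:
    kid, parent, www = "192.168.1.10", "192.168.1.20", "203.0.113.5"     # constructed
    return {
        "kid_blank_port": gw.route(kid, GATEWAY_LAN_IP, 80),          # proxy host, port left blank
        "kid_3128": gw.route(kid, GATEWAY_LAN_IP, SQUID_PORT),        # proxy host:3128 typed in
        "kid_8080": gw.route(kid, GATEWAY_LAN_IP, DG_PORT),           # the intended setting
        "kid_no_proxy": gw.route(kid, www, 80),                       # proxy settings removed
        "parent_transparent": gw.route(parent, www, 80),              # parents, no proxy set
    }


if __name__ == "__main__":
    for name, gw in (("BROKEN", BROKEN), ("LOCALHOST_ONLY", LOCALHOST_ONLY), ("FIXED", FIXED)):
        print(name)
        for case, result in demo(gw).items():
            print(f"  {case:20} -> {result}")
```

    Running it shows the three outcomes side by side: with the original rules a kid reaches squid directly whether the port is blank, 3128 or absent altogether, because the REDIRECT for port 80 fires on packets addressed to the gateway itself just as it does on forwarded ones. Binding squid to 127.0.0.1 alone closes that, but it also refuses the parents' transparently redirected traffic, since REDIRECT delivers to the LAN interface's address, not loopback, which is why a localhost-only squid does not fit a transparent setup. The per-source redirect plus the ACL keeps the transparent path for the parents while every route a kid can take ends at dansguardian or at a squid denial; in real squid.conf that is an `acl kids src ...` line and an `http_access deny kids` placed before the allow that lets localhost (dansguardian's side) through.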

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Congrats Phat on quitting smoking. I'm clear 6 years now.

    But I still want to start again.
