[strongSwan] Connect strongSwan and Squid on same server

Varun Singh varun.singh at gslab.com
Thu Jan 19 11:34:23 CET 2017


On Thu, Jan 19, 2017 at 4:01 PM, Moataz Elmasry
<moataz.elmasry2 at gmail.com> wrote:
> Hi Varun,
>
> No, this is a misunderstanding: the link you show states that the error is a
> 400 error:invalid-request, while you are getting a 403 TCP_DENIED, which
> means that the traffic passed through strongswan, was redirected to 3128
> unmangled, and that Squid was successfully able to read it and deny it.
> The squid conf you showed has a couple of issues: in squid, define everything
> you need explicitly instead of "allow all" for better reading; also,
> nowhere did you enable the intercept mode. Here's a minimum example that
> hopefully will work:
>
> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 443        # https
> #acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> #acl Safe_ports port 280        # http-mgmt
> #acl Safe_ports port 488        # gss-http
> #acl Safe_ports port 591        # filemaker
> #acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> http_access allow all
>
> http_port 3127
> http_port 3128 intercept
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache/squid
>
> Hope this helps.
>
> P.s. @admins Please don't shoot me for sharing a squid example on strongswan
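To make the 400-versus-403 distinction drawn above mechanical, here is an added Python example (not code from this thread or from the Squid project) that parses Squid's native access.log format and sorts entries into the two failure signatures; the VPN client subnet 10.99.1.0/24 and the constructed sample lines are assumptions modelled on the entries quoted further down.

```python
"""Sort Squid access.log entries into the failure signatures discussed above.

Added example; not code from this thread or from the Squid project.  It reads
Squid's native log format
    time elapsed client code/status bytes method url ident hier/peer type
and separates the two symptoms the replies distinguish:
  * TAG_NONE/400 with an origin-form URL ("GET /favicon.ico"): a redirected
    request reached an http_port without the `intercept` flag, so Squid could
    not rebuild the absolute URL;
  * TCP_DENIED/403: Squid parsed the request and http_access denied it.
Assumptions: the VPN client subnet (10.99.1.0/24 in the thread) and the
constructed sample lines below.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
1484738365.632      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.731      0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484739056.258      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739057.106      0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484742330.250      0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742335.479      0 10.99.1.2 TAG_NONE/400 4220 %E1%89%C5%01 - HIER_NONE/- text/html
1484744626.062      0 10.99.1.1 TCP_MEM_HIT/200 11731 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Map one parsed entry to a diagnostic category."""
    status = int(entry["status"])
    url = entry["url"]
    if status == 400 and url.startswith("/"):
        # Origin-form request line on a forward-proxy port: intercept missing.
        return "origin_form_on_forward_port"
    if status == 400 and (entry["method"] == "NONE" or url == "error:invalid-request"):
        # Squid could not parse a request line at all (e.g. non-HTTP bytes).
        return "unparseable_request"
    if entry["code"].startswith("TCP_DENIED"):
        return "denied_by_http_access"
    if status < 400:
        return "served"
    return "other_error"


def diagnose(log_text, vpn_subnet="10.99.1.0/24"):
    """Count categories, list non-VPN clients, and derive hints for the setup."""
    net = ipaddress.ip_network(vpn_subnet)
    counts = Counter()
    external = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            # Lines that do not carry the full field set (the thread shows such
            # entries for percent-encoded garbage) are counted, not dropped.
            counts["unparsed"] += 1
            continue
        counts[classify(entry)] += 1
        try:
            if ipaddress.ip_address(entry["client"]) not in net:
                external.add(entry["client"])
        except ValueError:  # hostname instead of an address: treat as non-VPN
            external.add(entry["client"])
    hints = []
    if counts["origin_form_on_forward_port"]:
        hints.append("redirected requests reached a plain http_port; "
                     "serve them from a separate 'http_port 3128 intercept'")
    if counts["denied_by_http_access"]:
        hints.append("Squid parsed these requests and http_access denied them; "
                     "check for a deny rule ordered before the allow")
    if external:
        hints.append("clients outside %s reached the proxy directly: %s"
                     % (vpn_subnet, ", ".join(sorted(external))))
    return {"counts": dict(counts), "external_clients": sorted(external),
            "hints": hints}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(key, value)
```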
>
> On 01/19/2017 06:49 AM, Varun Singh wrote:
>>
>> On Jan 18, 2017 11:34 PM, "Moataz Elmasry" <moataz.elmasry2 at gmail.com>
>> wrote:
>>
>> Ah, I just saw now the TCP_DENIED error in your squid access.log
>> Actually this means that your old iptable rule is working fine and
>> redirecting the traffic to squid. This is now definitely a squid
>> problem.
>> I assume somewhere in your squid config file there is a "http_access
>> deny all rule" rule defined before the "http_access allow all" which
>> is causing all your traffic to be denied.
>> But to really judge that, you should post your complete squid.conf
>> file on the squid mailing list
>>
>> Cheers,
>> Moataz
>>
>>
>> On 01/18/2017 06:50 PM, Varun Singh wrote:
>>>
>>> On Wed, Jan 18, 2017 at 10:28 PM, Moataz Elmasry
>>> <moataz.elmasry2 at gmail.com> wrote:
>>>>
>>>> Correct. No additional rules should be needed
>>>>
>>>>
>>>> On 01/18/2017 05:47 PM, Varun Singh wrote:
>>>>>
>>>>> On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry
>>>>> <moataz.elmasry2 at gmail.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I just had a similar problem, here's how I solved it:
>>>>>> - Assume strongswan is configured to hand out IPs from 10.3.0.0/16
>>>>>> Then:
>>>>>> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
>>>>>> iptables -t nat -I PREROUTING  -s 10.3.0.0/16 -p tcp --dport 80 -j
>>>>>> REDIRECT
>>>>>> --to-ports 3128
>>>>>>
>>>>>> The first rule will masquerade the traffic as usual from the private to
>>>>>> the public network. You need this anyway.
>>>>>> The second rule will redirect the traffic ONLY from your subnet to
>>>>>> squid.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 01/18/2017 05:33 PM, Varun Singh wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>>>>>>> 16.04 server and I am trying to connect both. By connect I mean, I am
>>>>>>> trying to achieve following:
>>>>>>>
>>>>>>> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
>>>>>>>
>>>>>>> My objective is to connect a VPN client to VPN server and use Squid
>>>>>>> for filtering out blocked Urls. strongSwan and Squid work fine on
>>>>>>> their own. I can access internet when connected to VPN server and
>>>>>>> also
>>>>>>> when configured HTTP Proxy without VPN.
>>>>>>>
>>>>>>> From what I understand, to achieve what I want, I am supposed to
>>>>>>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>>>>>>> enter the following IPTables rule:
>>>>>>>
>>>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>>>>>>> --to-port 3128
>>>>>>>
>>>>>>> Once I do this and try to access internet from a connected VPN
>>>>>>> client,
>>>>>>> I get error. Pasting a log of /var/log/squid/access.log
>>>>>>>
>>>>>>>
>>>>>>> 1484738365.632      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>>>>>>> api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
>>>>>>> 1484738365.642      0 114.143.194.190 TCP_DENIED/403 4870 GET
>>>>>>> http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484738365.643      0 114.143.194.190 TCP_DENIED/403 4852 GET
>>>>>>> http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484738365.731      0 114.143.194.190 TCP_DENIED/403 4753 GET
>>>>>>> http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
>>>>>>> 1484738365.760      0 114.143.194.190 TCP_DENIED/403 4817 GET
>>>>>>> http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484738367.798      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>>>>>>> init.itunes.apple.com:443 - HIER_NONE/- text/html
>>>>>>> 1484738367.922      0 114.143.194.190 TCP_DENIED/403 4334 GET
>>>>>>> http://www.apple.com/apple-touch-icon-76x76-precomposed.png -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484738367.963      0 114.143.194.190 TCP_DENIED/403 4025 CONNECT
>>>>>>> gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
>>>>>>> 1484738368.036      0 114.143.194.190 TCP_DENIED/403 4298 GET
>>>>>>> http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484738368.148      0 114.143.194.190 TCP_DENIED/403 4352 GET
>>>>>>> http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484738368.255      0 114.143.194.190 TCP_DENIED/403 4352 GET
>>>>>>> http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484738368.296      0 114.143.194.190 TCP_DENIED/403 4316 GET
>>>>>>> http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484738368.348      0 114.143.194.190 TCP_DENIED/403 4253 GET
>>>>>>> http://www.apple.com/favicon.ico - HIER_NONE/- text/html
>>>>>>> 1484738376.374      0 114.143.194.190 TCP_DENIED/403 4655 GET
>>>>>>> http://www.apple.com/ - HIER_NONE/- text/html
>>>>>>> 1484738376.456      0 114.143.194.190 TCP_DENIED/403 4711 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484738385.761      0 114.143.194.190 TCP_DENIED/403 4655 GET
>>>>>>> http://www.apple.com/ - HIER_NONE/- text/html
>>>>>>> 1484738385.828      0 114.143.194.190 TCP_DENIED/403 4747 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484738858.272      0 10.99.1.1 TAG_NONE/400 4154 GET
>>>>>>> /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484738858.990      0 10.99.1.1 TAG_NONE/400 4004 GET
>>>>>>> /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
>>>>>>> 1484738860.362      0 10.99.1.1 TAG_NONE/400 5350 GET
>>>>>>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484739056.258      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484739056.480      0 10.99.1.1 TCP_DENIED/403 4290 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484739057.106      0 10.99.1.1 TAG_NONE/400 3994 GET
>>>>>>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>>>>>>> 1484739057.166      0 10.99.1.1 TAG_NONE/400 3970 GET
>>>>>>> /apple-touch-icon-76x76.png - HIER_NONE/- text/html
>>>>>>> 1484739057.211      0 10.99.1.1 TAG_NONE/400 3958 GET
>>>>>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484739057.267      0 10.99.1.1 TAG_NONE/400 3958 GET
>>>>>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484739057.340      0 10.99.1.1 TAG_NONE/400 3982 GET
>>>>>>> /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>>>>>>> 1484739057.436      0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484739060.563      0 10.99.1.1 TAG_NONE/400 3924 GET /bag -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484739071.241      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484739071.439      0 10.99.1.1 TCP_DENIED/403 4290 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484739092.972      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484739093.151      0 10.99.1.1 TCP_DENIED/403 4621 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484739093.306      0 10.99.1.1 TAG_NONE/400 3994 GET
>>>>>>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>>>>>>> 1484739093.364      0 10.99.1.1 TAG_NONE/400 3970 GET
>>>>>>> /apple-touch-icon-76x76.png - HIER_NONE/- text/html
>>>>>>> 1484739093.427      0 10.99.1.1 TAG_NONE/400 3958 GET
>>>>>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484739093.480      0 10.99.1.1 TAG_NONE/400 3958 GET
>>>>>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484739093.529      0 10.99.1.1 TAG_NONE/400 3982 GET
>>>>>>> /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>>>>>>> 1484739093.578      0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484741172.545      0 123.240.104.249 TAG_NONE/400 3924 GET / -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484742330.250      0 10.99.1.2 TAG_NONE/400 4444 NONE
>>>>>>> error:invalid-request - HIER_NONE/- text/html
>>>>>>> 1484742335.479      0 10.99.1.2 TAG_NONE/400 4220
>>>>>>> %E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484742335.538      0 10.99.1.2 TAG_NONE/400 4234
>>>>>>> %BB%E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484742335.605      0 10.99.1.2 TAG_NONE/400 4444 NONE
>>>>>>> error:invalid-request - HIER_NONE/- text/html
>>>>>>> 1484742335.691      0 10.99.1.2 TAG_NONE/400 4444 NONE
>>>>>>> error:invalid-request - HIER_NONE/- text/html
>>>>>>> 1484742339.640      0 10.99.1.2 TAG_NONE/400 4022
>>>>>>> %C6%CF%91Pv%85%82l%DEbD%1F%E0 - HIER_NONE/- text/html
>>>>>>> 1484742339.697      0 10.99.1.2 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484742339.885      0 10.99.1.2 TCP_DENIED/403 4556 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484742340.105      0 10.99.1.2 TAG_NONE/400 3994 GET
>>>>>>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>>>>>>> 1484742340.195      0 10.99.1.2 TAG_NONE/400 3970 GET
>>>>>>> /apple-touch-icon-76x76.png - HIER_NONE/- text/html
>>>>>>> 1484742340.258      0 10.99.1.2 TAG_NONE/400 3958 GET
>>>>>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484742340.309      0 10.99.1.2 TAG_NONE/400 3958 GET
>>>>>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>>>>>> 1484742340.359      0 10.99.1.2 TAG_NONE/400 3982 GET
>>>>>>> /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>>>>>>> 1484742340.413      0 10.99.1.2 TAG_NONE/400 3940 GET /favicon.ico -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484742378.858      0 10.99.1.2 TAG_NONE/400 4444 NONE
>>>>>>> error:invalid-request - HIER_NONE/- text/html
>>>>>>> 1484742510.612      0 10.99.1.2 TAG_NONE/400 4444 NONE
>>>>>>> error:invalid-request - HIER_NONE/- text/html
>>>>>>> 1484742517.730      0 10.99.1.2 TAG_NONE/400 4444 NONE
>>>>>>> error:invalid-request - HIER_NONE/- text/html
>>>>>>> 1484744550.653      0 10.99.1.2 TAG_NONE/400 4174 GET
>>>>>>> /MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFHQkFGcGn%2FXgmD9ePhproGUqVBV1BBQBWavn3ToLWaZkY9bPIAdX1ZHnagIQBHT%2BRrNCtgO6lb6fVDjflA%3D%3D
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484744597.163      0 10.99.1.1 TAG_NONE/400 4022 GET
>>>>>>> /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484744597.361      0 10.99.1.1 TAG_NONE/400 4034 GET
>>>>>>> /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484744599.970      0 10.99.1.1 TAG_NONE/400 5352 GET
>>>>>>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s62860188740305?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A19%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=2&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484744606.878      0 10.99.1.1 TAG_NONE/400 4022 GET
>>>>>>> /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484744606.879      0 10.99.1.1 TAG_NONE/400 4034 GET
>>>>>>> /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484744608.852      0 10.99.1.1 TAG_NONE/400 5352 GET
>>>>>>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s68294376337435?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A28%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=3&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
>>>>>>> - HIER_NONE/- text/html
>>>>>>> 1484744615.457      0 10.99.1.1 TAG_NONE/400 4022 GET
>>>>>>> /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484744615.526      0 10.99.1.1 TAG_NONE/400 4008 GET
>>>>>>> /metrics/ac-analytics/1.1/scripts/auto-init.js - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484744615.587      0 10.99.1.1 TAG_NONE/400 4034 GET
>>>>>>> /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484744625.891      0 10.99.1.1 TAG_NONE/400 3952 GET
>>>>>>> /retail/geniusbar/ - HIER_NONE/- text/html
>>>>>>> 1484744626.062      0 10.99.1.1 TCP_MEM_HIT/200 11731 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- image/png
>>>>>>> 1484744643.114      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>>>>>> text/html
>>>>>>> 1484744643.268      0 10.99.1.1 TCP_MEM_HIT/200 11731 GET
>>>>>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>>>>>> HIER_NONE/- image/png
>>>>>>> 1484746410.764      0 108.189.96.202 TAG_NONE/400 3923 GET / -
>>>>>>> HIER_NONE/- text/html
>>>>>>> 1484751091.543      0 153.142.43.105 TAG_NONE/400 3923 GET / -
>>>>>>> HIER_NONE/- text/html
>>>>>>>
>>>>>>>
>>>>>>> My /etc/squid/squid.conf file has only one change and that is:
>>>>>>> http_access allow all
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Following is my /etc/ipsec.conf file:
>>>>>>> config setup
>>>>>>>      strictcrlpolicy=no
>>>>>>>      uniqueids = no
>>>>>>>
>>>>>>> conn %default
>>>>>>>      mobike=yes
>>>>>>>      dpdaction=clear
>>>>>>>      dpddelay=35s
>>>>>>>      dpdtimeout=200s
>>>>>>>      fragmentation=yes
>>>>>>>
>>>>>>> conn iOS-IKEV2
>>>>>>>      auto=add
>>>>>>>      keyexchange=ike
>>>>>>>      eap_identity=%any
>>>>>>>      left=%any
>>>>>>>      leftsubnet=0.0.0.0/0
>>>>>>>      rightsubnet=10.99.1.0/24
>>>>>>>      leftauth=psk
>>>>>>>      leftid=%any
>>>>>>>      right=%any
>>>>>>>      rightsourceip=10.99.1.0/24
>>>>>>>      rightauth=eap-mschapv2
>>>>>>>      rightid=%any
>>>>>>>
>>>>>>> Following are the NAT IPTables entries. I get this by entering sudo
>>>>>>> iptables -t nat -L
>>>>>>>
>>>>>>> Chain PREROUTING (policy ACCEPT)
>>>>>>> target     prot opt source               destination
>>>>>>> REDIRECT   tcp  --  anywhere             anywhere             tcp
>>>>>>> dpt:http redir ports 3128
>>>>>>>
>>>>>>> Chain INPUT (policy ACCEPT)
>>>>>>> target     prot opt source               destination
>>>>>>>
>>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>>> target     prot opt source               destination
>>>>>>>
>>>>>>> Chain POSTROUTING (policy ACCEPT)
>>>>>>> target     prot opt source               destination
>>>>>>> MASQUERADE  all  --  10.99.1.0/24  anywhere
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> If any of you have faced this problem before and were able to resolve
>>>>>>> it, can you please help me? Thanks.
>>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at lists.strongswan.org
>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>>
>>>>>
>>>>> Thanks. Did you use any other iptables rules for strongSwan? From what
>>>>> I understand:
>>>>>
>>>>> This is needed for strongSwan
>>>>> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
>>>>>
>>>>>
>>>>> And this will be needed to connect strongSwan with Squid
>>>>> iptables -t nat -I PREROUTING  -s 10.3.0.0/16 -p tcp --dport 80 -j
>>>>> REDIRECT
>>>>>
>>>>> is that correct?
>>>>
>>>>
>>>>
>>> I tried this solution. But got the same error. I added following two
>>> iptables rules:
>>>
>>> sudo iptables -t nat -A POSTROUTING -s 10.99.1.0/24 -o eth0 -j MASQUERADE
>>> sudo iptables -t nat -I PREROUTING  -s 10.99.1.0/24 -p tcp --dport 80
>>> -j REDIRECT --to-ports 3128
>>>
>>>
>>> 10.99.1.0/24 is the subnet of VPN clients. IPTables NAT looks like this:
>>>
>>> Chain PREROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> REDIRECT   tcp  --  ip-10-99-1-0.ap-south-1.compute.internal/24
>>> anywhere             tcp dpt:http redir ports 3128
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain POSTROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> MASQUERADE  all  --  ip-10-99-1-0.ap-south-1.compute.internal/24
>>> anywhere
>>>
>>>
>>> Attaching access.log content:
>>>
>>> 1484761431.693      0 10.99.1.1 TAG_NONE/400 4154 GET
>>> /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
>>> - HIER_NONE/- text/html
>>> 1484761435.383      0 10.99.1.1 TAG_NONE/400 4022 GET
>>> /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
>>> text/html
>>> 1484761435.383      0 10.99.1.1 TAG_NONE/400 4034 GET
>>> /ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css -
>>> HIER_NONE/- text/html
>>> 1484761435.383      0 10.99.1.1 TAG_NONE/400 4006 GET
>>> /ac/localnav/3.0/styles/ac-localnav.built.css - HIER_NONE/- text/html
>>> 1484761435.435      0 10.99.1.1 TAG_NONE/400 3998 GET
>>> /wss/fonts/?family=Myriad+Set+Pro&v=2 - HIER_NONE/- text/html
>>> 1484761435.435      0 10.99.1.1 TAG_NONE/400 4022 GET
>>> /ac/globalnav/2.0/en_US/scripts/ac-globalnav.built.js - HIER_NONE/-
>>> text/html
>>> 1484761435.436      0 10.99.1.1 TAG_NONE/400 3992 GET
>>> /wss/fonts/?family=Apple+Icons&v=1 - HIER_NONE/- text/html
>>> 1484761435.482      0 10.99.1.1 TAG_NONE/400 4034 GET
>>> /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
>>> HIER_NONE/- text/html
>>> 1484761435.489      0 10.99.1.1 TAG_NONE/400 4014 GET
>>> /metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/-
>>> text/html
>>> 1484761435.528      0 10.99.1.1 TAG_NONE/400 4008 GET
>>> /metrics/ac-analytics/1.1/scripts/auto-init.js - HIER_NONE/- text/html
>>> 1484761436.456      0 10.99.1.1 TAG_NONE/400 4028 GET
>>> /v/home/dc/images/gallery/macbookpro_portrait_medium.jpg - HIER_NONE/-
>>> text/html
>>> 1484761436.877      0 10.99.1.1 TAG_NONE/400 3994 GET
>>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>>> 1484761436.942      0 10.99.1.1 TAG_NONE/400 3970 GET
>>> /apple-touch-icon-76x76.png - HIER_NONE/- text/html
>>> 1484761437.024      0 10.99.1.1 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484761437.074      0 10.99.1.1 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484761437.125      0 10.99.1.1 TAG_NONE/400 3982 GET
>>> /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>>> 1484761437.176      0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
>>> HIER_NONE/- text/html
>>> 1484761443.337      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>> text/html
>>> 1484761504.632      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>> text/html
>>> 1484761504.909      0 10.99.1.1 TCP_MEM_HIT/200 11731 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- image/png
>>>
>> Making 'http_access allow all' is the only change I have made in
>> squid.conf. Rest of the settings are default.
>> Following is squid.conf content:
>>
>>
>> *******************************************************************************
>>
>> # WELCOME TO SQUID 3.5.12
>> # ----------------------------
>> #
>> # This is the documentation for the Squid configuration file.
>> # This documentation can also be found online at:
>> # http://www.squid-cache.org/Doc/config/
>> #
>> # You may wish to look at the Squid home page and wiki for the
>> # FAQ and other documentation:
>> # http://www.squid-cache.org/
>> # http://wiki.squid-cache.org/SquidFaq
>> # http://wiki.squid-cache.org/ConfigExamples
>> #
>> # This documentation shows what the defaults for various directives
>> # happen to be.  If you don't need to change the default, you should
>> # leave the line out of your squid.conf in most cases.
>> #
>> # In some cases "none" refers to no default setting at all,
>> # while in other cases it refers to the value of the option
>> # - the comments for that keyword indicate if this is the case.
>> #
>>
>> #  Configuration options can be included using the "include" directive.
>> #  Include takes a list of files to include. Quoting and wildcards are
>> #  supported.
>> #
>> #  For example,
>> #
>> #  include /path/to/included/file/squid.acl.config
>> #
>> #  Includes can be nested up to a hard-coded depth of 16 levels.
>> #  This arbitrary restriction is to prevent recursive include references
>> #  from causing Squid entering an infinite loop whilst trying to load
>> #  configuration files.
>> #
>> #  Values with byte units
>> #
>> # Squid accepts size units on some size related directives. All
>> # such directives are documented with a default value displaying
>> # a unit.
>> #
>> # Units accepted by Squid are:
>> # bytes - byte
>> # KB - Kilobyte (1024 bytes)
>> # MB - Megabyte
>> # GB - Gigabyte
>> #
>> #  Values with spaces, quotes, and other special characters
>> #
>> # Squid supports directive parameters with spaces, quotes, and other
>> # special characters. Surround such parameters with "double quotes". Use
>> # the configuration_includes_quoted_values directive to enable or
>> # disable that support.
>> #
>> # Squid supports reading configuration option parameters from external
>> # files using the syntax:
>> # parameters("/path/filename")
>> # For example:
>> # acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
>> #
>> #  Conditional configuration
>> #
>> # If-statements can be used to make configuration directives
>> # depend on conditions:
>> #
>> #    if <CONDITION>
>> #        ... regular configuration directives ...
>> #    [else
>> #        ... regular configuration directives ...]
>> #    endif
>> #
>> # The else part is optional. The keywords "if", "else", and "endif"
>> # must be typed on their own lines, as if they were regular
>> # configuration directives.
>> #
>> # NOTE: An else-if condition is not supported.
>> #
>> # These individual conditions types are supported:
>> #
>> #    true
>> # Always evaluates to true.
>> #    false
>> # Always evaluates to false.
>> #    <integer> = <integer>
>> #        Equality comparison of two integer numbers.
>> #
>> #
>> #  SMP-Related Macros
>> #
>> # The following SMP-related preprocessor macros can be used.
>> #
>> # ${process_name} expands to the current Squid process "name"
>> # (e.g., squid1, squid2, or cache1).
>> #
>> # ${process_number} expands to the current Squid process
>> # identifier, which is an integer number (e.g., 1, 2, 3) unique
>> # across all Squid processes of the current service instance.
>> #
>> # ${service_name} expands into the current Squid service instance
>> # name identifier which is provided by -n on the command line.
>> #
>>
>> #  TAG: broken_vary_encoding
>> # This option is not yet supported by Squid-3.
>> #Default:
>> # none
>>
>> #  TAG: cache_vary
>> # This option is not yet supported by Squid-3.
>> #Default:
>> # none
>>
>> #  TAG: error_map
>> # This option is not yet supported by Squid-3.
>> #Default:
>> # none
>>
>> #  TAG: external_refresh_check
>> # This option is not yet supported by Squid-3.
>> #Default:
>> # none
>>
>> #  TAG: location_rewrite_program
>> # This option is not yet supported by Squid-3.
>> #Default:
>> # none
>>
>> #  TAG: refresh_stale_hit
>> # This option is not yet supported by Squid-3.
>> #Default:
>> # none
>>
>> #  TAG: hierarchy_stoplist
>> # Remove this line. Use always_direct or cache_peer_access ACLs
>> # instead if you need to prevent cache_peer use.
>> #Default:
>> # none
>>
>> #  TAG: log_access
>> # Remove this line. Use acls with access_log directives to control
>> # access logging
>> #Default:
>> # none
>>
>> #  TAG: log_icap
>> # Remove this line. Use acls with icap_log directives to control icap
>> # logging
>> #Default:
>> # none
>>
>> #  TAG: ignore_ims_on_miss
>> # Remove this line. The HTTP/1.1 feature is now configured by
>> # 'cache_miss_revalidate'.
>> #Default:
>> # none
>>
>> #  TAG: chunked_request_body_max_size
>> # Remove this line. Squid is now HTTP/1.1 compliant.
>> #Default:
>> # none
>>
>> #  TAG: dns_v4_fallback
>> # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the
>> # 'fallback' algorithm is no longer relevant.
>> #Default:
>> # none
>>
>> #  TAG: emulate_httpd_log
>> # Replace this with an access_log directive using the format 'common'
>> # or 'combined'.
>> #Default:
>> # none
>>
>> #  TAG: forward_log
>> # Use a regular access.log with ACL limiting it to MISS events.
>> #Default:
>> # none
>>
>> #  TAG: ftp_list_width
>> # Remove this line. Configure FTP page display using the CSS controls
>> # in errorpages.css instead.
>> #Default:
>> # none
>>
>> #  TAG: ignore_expect_100
>> # Remove this line. The HTTP/1.1 feature is now fully supported by
>> # default.
>> #Default:
>> # none
>>
>> #  TAG: log_fqdn
>> # Remove this option from your config. To log FQDN use %>A in the log
>> # format.
>> #Default:
>> # none
>>
>> #  TAG: log_ip_on_direct
>> # Remove this option from your config. To log server or peer names use
>> # %<A in the log format.
>> #Default:
>> # none
>>
>> #  TAG: maximum_single_addr_tries
>> # Replaced by connect_retries. The behaviour has changed, please read
>> # the documentation before altering.
>> #Default:
>> # none
>>
>> #  TAG: referer_log
>> # Replace this with an access_log directive using the format 'referrer'.
>> #Default:
>> # none
>>
>> #  TAG: update_headers
>> # Remove this line. The feature is supported by default in storage
>> # types where update is implemented.
>> #Default:
>> # none
>>
>> #  TAG: url_rewrite_concurrency
>> # Remove this line. Set the 'concurrency=' option of
>> # url_rewrite_children instead.
>> #Default:
>> # none
>>
>> #  TAG: useragent_log
>> # Replace this with an access_log directive using the format 'useragent'.
>> #Default:
>> # none
>>
>> #  TAG: dns_testnames
>> # Remove this line. DNS is no longer tested on startup.
>> #Default:
>> # none
>>
>> #  TAG: extension_methods
>> # Remove this line. All valid methods for HTTP are accepted by default.
>> #Default:
>> # none
>>
>> #  TAG: zero_buffers
>> #Default:
>> # none
>>
>> #  TAG: incoming_rate
>> #Default:
>> # none
>>
>> #  TAG: server_http11
>> # Remove this line. HTTP/1.1 is supported by default.
>> #Default:
>> # none
>>
>> #  TAG: upgrade_http0.9
>> # Remove this line. ICY/1.0 streaming protocol is supported by default.
>> #Default:
>> # none
>>
>> #  TAG: zph_local
>> # Alter these entries. Use the qos_flows directive instead.
>> #Default:
>> # none
>>
>> #  TAG: header_access
>> # Since squid-3.0 replace with request_header_access or
>> # reply_header_access
>> # depending on whether you wish to match client requests or server
>> # replies.
>> #Default:
>> # none
>>
>> #  TAG: httpd_accel_no_pmtu_disc
>> # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port
>> # instead.
>> #Default:
>> # none
>>
>> #  TAG: wais_relay_host
>> # Replace this line with 'cache_peer' configuration.
>> #Default:
>> # none
>>
>> #  TAG: wais_relay_port
>> # Replace this line with 'cache_peer' configuration.
>> #Default:
>> # none
>>
>> # OPTIONS FOR SMP
>> # -----------------------------------------------------------------------------
>>
>> #  TAG: workers
>> # Number of main Squid processes or "workers" to fork and maintain.
>> # 0: "no daemon" mode, like running "squid -N ..."
>> # 1: "no SMP" mode, start one main Squid process daemon (default)
>> # N: start N main Squid process daemons (i.e., SMP mode)
>> #
>> # In SMP mode, each worker does nearly all what a single Squid daemon
>> # does (e.g., listen on http_port and forward HTTP requests).
>> #Default:
>> # SMP support disabled.
>>
>> #  TAG: cpu_affinity_map
>> # Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
>> #
>> # Sets 1:1 mapping between Squid processes and CPU cores. For example,
>> #
>> #    cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
>> #
>> # affects processes 1 through 4 only and places them on the first
>> # four even cores, starting with core #1.
>> #
>> # CPU cores are numbered starting from 1. Requires support for
>> # sched_getaffinity(2) and sched_setaffinity(2) system calls.
>> #
>> # Multiple cpu_affinity_map options are merged.
>> #
>> # See also: workers
>> #Default:
>> # Let operating system decide.
>>
>> # OPTIONS FOR AUTHENTICATION
>> # -----------------------------------------------------------------------------
>>
>> #  TAG: auth_param
>> # This is used to define parameters for the various authentication
>> # schemes supported by Squid.
>> #
>> # format: auth_param scheme parameter [setting]
>> #
>> # The order in which authentication schemes are presented to the client is
>> # dependent on the order the scheme first appears in config file. IE
>> # has a bug (it's not RFC 2617 compliant) in that it will use the basic
>> # scheme if basic is the first entry presented, even if more secure
>> # schemes are presented. For now use the order in the recommended
>> # settings section below. If other browsers have difficulties (don't
>> # recognize the schemes offered even if you are using basic) either
>> # put basic first, or disable the other schemes (by commenting out their
>> # program entry).
>> #
>> # Once an authentication scheme is fully configured, it can only be
>> # shutdown by shutting squid down and restarting. Changes can be made on
>> # the fly and activated with a reconfigure. I.E. You can change to a
>> # different helper, but not unconfigure the helper completely.
>> #
>> # Please note that while this directive defines how Squid processes
>> # authentication it does not automatically activate authentication.
>> # To use authentication you must in addition make use of ACLs based
>> # on login name in http_access (proxy_auth, proxy_auth_regex or
>> # external with %LOGIN used in the format tag). The browser will be
>> # challenged for authentication on the first such acl encountered
>> # in http_access processing and will also be re-challenged for new
>> # login credentials if the request is being denied by a proxy_auth
>> # type acl.
>> #
>> # WARNING: authentication can't be used in a transparently intercepting
>> # proxy as the client then thinks it is talking to an origin server and
>> # not the proxy. This is a limitation of bending the TCP/IP protocol to
>> # transparently intercepting port 80, not a limitation in Squid.
>> # Ports flagged 'transparent', 'intercept', or 'tproxy' have
>> # authentication disabled.
>> #
>> # === Parameters common to all schemes. ===
>> #
>> # "program" cmdline
>> # Specifies the command for the external authenticator.
>> #
>> # By default, each authentication scheme is not used unless a
>> # program is specified.
>> #
>> # See http://wiki.squid-cache.org/Features/AddonHelpers for
>> # more details on helper operations and creating your own.
>> #
>> # "key_extras" format
>> # Specifies a string to be appended to the request line format for
>> # the authentication helper. "Quoted" format values may contain
>> # spaces and logformat %macros. In theory, any logformat %macro
>> # can be used. In practice, a %macro expands as a dash (-) if
>> # the helper request is sent before the required macro
>> # information is available to Squid.
>> #
>> # By default, Squid uses request formats provided in
>> # scheme-specific examples below (search for %credentials).
>> #
>> # The expanded key_extras value is added to the Squid credentials
>> # cache and, hence, will affect authentication. It can be used to
>> # authenticate different users with identical user names (e.g.,
>> # when user authentication depends on http_port).
>> #
>> # Avoid adding frequently changing information to key_extras. For
>> # example, if you add user source IP, and it changes frequently
>> # in your environment, then max_user_ip ACL is going to treat
>> # every user+IP combination as a unique "user", breaking the ACL
>> # and wasting a lot of memory on those user records. It will also
>> # force users to authenticate from scratch whenever their IP
>> # changes.
>> #
>> # "realm" string
>> # Specifies the protection scope (aka realm name) which is to be
>> # reported to the client for the authentication scheme. It is
>> # commonly part of the text the user will see when prompted for
>> # their username and password.
>> #
>> # For Basic the default is "Squid proxy-caching web server".
>> # For Digest there is no default, this parameter is mandatory.
>> # For NTLM and Negotiate this parameter is ignored.
>> #
>> # "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
>> #
>> # The maximum number of authenticator processes to spawn. If
>> # you start too few Squid will have to wait for them to process
>> # a backlog of credential verifications, slowing it down. When
>> # password verifications are done via a (slow) network you are
>> # likely to need lots of authenticator processes.
>> #
>> # The startup= and idle= options permit some skew in the exact
>> # amount run. A minimum of startup=N will begin during startup
>> # and reconfigure. Squid will start more in groups of up to
>> # idle=N in an attempt to meet traffic needs and to keep idle=N
>> # free above those traffic needs up to the maximum.
>> #
>> # The concurrency= option sets the number of concurrent requests
>> # the helper can process.  The default of 0 is used for helpers
>> # that only support one request at a time. Setting this to a
>> # number greater than 0 changes the protocol used to include a
>> # channel ID field first on the request/response line, allowing
>> # multiple requests to be sent to the same helper in parallel
>> # without waiting for the response.
>> #
>> # Concurrency must not be set unless it's known the helper
>> # supports the input format with channel-ID fields.
>> #
>> # NOTE: NTLM and Negotiate schemes do not support concurrency
>> # in the Squid code module even though some helpers can.
>> #
>> #
>> #
>> # === Example Configuration ===
>> #
>> # This configuration displays the recommended authentication scheme
>> # order from most to least secure with recommended minimum configuration
>> # settings for each scheme:
>> #
>> ##auth_param negotiate program <uncomment and complete this line to activate>
>> ##auth_param negotiate children 20 startup=0 idle=1
>> ##auth_param negotiate keep_alive on
>> ##
>> ##auth_param digest program <uncomment and complete this line to activate>
>> ##auth_param digest children 20 startup=0 idle=1
>> ##auth_param digest realm Squid proxy-caching web server
>> ##auth_param digest nonce_garbage_interval 5 minutes
>> ##auth_param digest nonce_max_duration 30 minutes
>> ##auth_param digest nonce_max_count 50
>> ##
>> ##auth_param ntlm program <uncomment and complete this line to activate>
>> ##auth_param ntlm children 20 startup=0 idle=1
>> ##auth_param ntlm keep_alive on
>> ##
>> ##auth_param basic program <uncomment and complete this line>
>> ##auth_param basic children 5 startup=5 idle=1
>> ##auth_param basic realm Squid proxy-caching web server
>> ##auth_param basic credentialsttl 2 hours
>> #Default:
>> # none
>>
>> #  TAG: authenticate_cache_garbage_interval
>> # The time period between garbage collection across the username cache.
>> # This is a trade-off between memory utilization (long intervals - say
>> # 2 days) and CPU (short intervals - say 1 minute). Only change if you
>> # have good reason to.
>> #Default:
>> # authenticate_cache_garbage_interval 1 hour
>>
>> #  TAG: authenticate_ttl
>> # The time a user & their credentials stay in the logged in
>> # user cache since their last request. When the garbage
>> # interval passes, all user credentials that have passed their
>> # TTL are removed from memory.
>> #Default:
>> # authenticate_ttl 1 hour
>>
>> #  TAG: authenticate_ip_ttl
>> # If you use proxy authentication and the 'max_user_ip' ACL,
>> # this directive controls how long Squid remembers the IP
>> # addresses associated with each user.  Use a small value
>> # (e.g., 60 seconds) if your users might change addresses
>> # quickly, as is the case with dialup.   You might be safe
>> # using a larger value (e.g., 2 hours) in a corporate LAN
>> # environment with relatively static address assignments.
>> #Default:
>> # authenticate_ip_ttl 1 second
>>
>> # ACCESS CONTROLS
>> # -----------------------------------------------------------------------------
>>
>> #  TAG: external_acl_type
>> # This option defines external acl classes using a helper program
>> # to look up the status
>> #
>> #  external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
>> #
>> # Options:
>> #
>> #  ttl=n TTL in seconds for cached results (defaults to 3600
>> #   for 1 hour)
>> #
>> #  negative_ttl=n
>> #   TTL for cached negative lookups (default same
>> #   as ttl)
>> #
>> #  grace=n Percentage remaining of TTL where a refresh of a
>> # cached entry should be initiated without needing to
>> # wait for a new reply. (default is for no grace period)
>> #
>> #  cache=n Limit the result cache size, default is 262144.
>> # The expanded FORMAT value is used as the cache key, so
>> # if the details in FORMAT are highly variable a larger
>> # cache may be needed to produce reduction in helper load.
>> #
>> #  children-max=n
>> # Maximum number of acl helper processes spawned to service
>> # external acl lookups of this type. (default 20)
>> #
>> #  children-startup=n
>> # Minimum number of acl helper processes to spawn during
>> # startup and reconfigure to service external acl lookups
>> # of this type. (default 0)
>> #
>> #  children-idle=n
>> # Number of acl helper processes to keep ahead of traffic
>> # loads. Squid will spawn this many at once whenever load
>> # rises above the capabilities of existing processes.
>> # Up to the value of children-max. (default 1)
>> #
>> #  concurrency=n concurrency level per process. Only used with helpers
>> # capable of processing more than one query at a time.
>> #
>> #  protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
>> #
>> #  ipv4 / ipv6 IP protocol used to communicate with this helper.
>> # The default is to auto-detect IPv6 and use it when available.
>> #
>> #
>> # FORMAT specifications
>> #
>> #  %LOGIN Authenticated user login name
>> #  %un A user name. Expands to the first available name
>> #   from the following list of information sources:
>> # - authenticated user name, like %ul or %LOGIN
>> # - user name sent by an external ACL, like %EXT_USER
>> # - SSL client name, like %us in logformat
>> # - ident user name, like %ui in logformat
>> #  %EXT_USER Username from previous external acl
>> #  %EXT_LOG Log details from previous external acl
>> #  %EXT_TAG Tag from previous external acl
>> #  %IDENT Ident user name
>> #  %SRC Client IP
>> #  %SRCPORT Client source port
>> #  %URI Requested URI
>> #  %DST Requested host
>> #  %PROTO Requested URL scheme
>> #  %PORT Requested port
>> #  %PATH Requested URL path
>> #  %METHOD Request method
>> #  %MYADDR Squid interface address
>> #  %MYPORT Squid http_port number
>> #  %PATH Requested URL-path (including query-string if any)
>> #  %USER_CERT SSL User certificate in PEM format
>> #  %USER_CERTCHAIN SSL User certificate chain in PEM format
>> #  %USER_CERT_xx SSL User certificate subject attribute xx
>> #  %USER_CA_CERT_xx SSL User certificate issuer attribute xx
>> #  %ssl::>sni SSL client SNI sent to Squid
>> #  %ssl::<cert_subject SSL server certificate DN
>> #  %ssl::<cert_issuer SSL server certificate issuer DN
>> #
>> #  %>{Header} HTTP request header "Header"
>> #  %>{Hdr:member}
>> #   HTTP request header "Hdr" list member "member"
>> #  %>{Hdr:;member}
>> #   HTTP request header list member using ; as
>> #   list separator. ; can be any non-alphanumeric
>> # character.
>> #
>> #  %<{Header} HTTP reply header "Header"
>> #  %<{Hdr:member}
>> #   HTTP reply header "Hdr" list member "member"
>> #  %<{Hdr:;member}
>> #   HTTP reply header list member using ; as
>> #   list separator. ; can be any non-alphanumeric
>> # character.
>> #
>> #  %ACL The name of the ACL being tested.
>> #  %DATA The ACL arguments. If not used then any arguments
>> # are automatically added at the end of the line
>> # sent to the helper.
>> # NOTE: this will encode the arguments as one token,
>> # whereas the default will pass each separately.
>> #
>> #  %% The percent sign. Useful for helpers which need
>> # an unchanging input format.
>> #
>> #
>> # General request syntax:
>> #
>> #  [channel-ID] FORMAT-values [acl-values ...]
>> #
>> #
>> # FORMAT-values consists of transaction details expanded with
>> # whitespace separation per the config file FORMAT specification
>> # using the FORMAT macros listed above.
>> #
>> # acl-values consists of any string specified in the referencing
>> # config 'acl ... external' line. see the "acl external" directive.
>> #
>> # Request values sent to the helper are URL escaped to protect
>> # each value in requests against whitespaces.
>> #
>> # If using protocol=2.5 then the request sent to the helper is not
>> # URL escaped to protect against whitespace.
>> #
>> # NOTE: protocol=3.0 is deprecated as no longer necessary.
>> #
>> # When using the concurrency= option the protocol is changed by
>> # introducing a query channel tag in front of the request/response.
>> # The query channel tag is a number between 0 and concurrency-1.
>> # This value must be echoed back unchanged to Squid as the first part
>> # of the response relating to its request.
>> #
>> #
>> # The helper receives lines expanded per the above format specification
>> # and for each input line returns 1 line starting with OK/ERR/BH result
>> # code and optionally followed by additional keywords with more details.
>> #
>> #
>> # General result syntax:
>> #
>> #  [channel-ID] result keyword=value ...
>> #
>> # Result consists of one of the codes:
>> #
>> #  OK
>> # the ACL test produced a match.
>> #
>> #  ERR
>> # the ACL test does not produce a match.
>> #
>> #  BH
>> # An internal error occurred in the helper, preventing
>> # a result being identified.
>> #
>> # The meaning of 'a match' is determined by your squid.conf
>> # access control configuration. See the Squid wiki for details.
>> #
>> # Defined keywords:
>> #
>> #  user= The user's name (login)
>> #
>> #  password= The user's password (for login= cache_peer option)
>> #
>> #  message= Message describing the reason for this response.
>> # Available as %o in error pages.
>> # Useful on (ERR and BH results).
>> #
>> #  tag= Apply a tag to a request. Only sets a tag once,
>> # does not alter existing tags.
>> #
>> #  log= String to be logged in access.log. Available as
>> #   %ea in logformat specifications.
>> #
>> #    clt_conn_tag= Associates a TAG with the client TCP connection.
>> # Please see url_rewrite_program related documentation
>> # for this kv-pair.
>> #
>> # Any keywords may be sent on any response whether OK, ERR or BH.
>> #
>> # All response keyword values need to be a single token with URL
>> # escaping, or enclosed in double quotes (") and escaped using \ on
>> # any double quotes or \ characters within the value. The wrapping
>> # double quotes are removed before the value is interpreted by Squid.
>> # \r and \n are also replaced by CR and LF.
>> #
>> # Some example key values:
>> #
>> # user=John%20Smith
>> # user="John Smith"
>> # user="J. \"Bob\" Smith"
>> #Default:
>> # none
>>
>> #  TAG: acl
>> # Defining an Access List
>> #
>> # Every access list definition must begin with an aclname and acltype,
>> # followed by either type-specific arguments or a quoted filename that
>> # they are read from.
>> #
>> #   acl aclname acltype argument ...
>> #   acl aclname acltype "file" ...
>> #
>> # When using "file", the file should contain one item per line.
>> #
>> # Some acl types support options which change their default behaviour.
>> # The available options are:
>> #
>> # -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
>> # case-insensitive, use the -i option. To return case-sensitive
>> # use the +i option between patterns, or make a new ACL line
>> # without -i.
>> #
>> # -n Disable lookups and address type conversions.  If lookup or
>> # conversion is required because the parameter type (IP or
>> # domain name) does not match the message address type (domain
>> # name or IP), then the ACL would immediately declare a mismatch
>> # without any warnings or lookups.
>> #
>> # -- Used to stop processing all options, in the case the first acl
>> # value has '-' character as first character (for example the '-'
>> # is a valid domain name)
>> #
>> # Some acl types require suspending the current request in order
>> # to access some external data source.
>> # Those which do are marked with the tag [slow], those which
>> # don't are marked as [fast].
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl
>> # for further information
>> #
>> # ***** ACL TYPES AVAILABLE *****
>> #
>> # acl aclname src ip-address/mask ... # clients IP address [fast]
>> # acl aclname src addr1-addr2/mask ... # range of addresses [fast]
>> # acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
>> # acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
>> #
>> # acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
>> #  # [fast]
>> #  # The 'arp' ACL code is not portable to all operating systems.
>> #  # It works on Linux, Solaris, Windows, FreeBSD, and some other
>> #  # BSD variants.
>> #  #
>> #  # NOTE: Squid can only determine the MAC/EUI address for IPv4
>> #  # clients that are on the same subnet. If the client is on a
>> #  # different subnet, then Squid cannot find out its address.
>> #  #
>> #  # NOTE 2: IPv6 protocol does not contain ARP. MAC/EUI is either
>> #  # encoded directly in the IPv6 address or not available.
>> #
>> # acl aclname srcdomain   .foo.com ...
>> #  # reverse lookup, from client IP [slow]
>> # acl aclname dstdomain [-n] .foo.com ...
>> #  # Destination server from URL [fast]
>> # acl aclname srcdom_regex [-i] \.foo\.com ...
>> #  # regex matching client name [slow]
>> # acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
>> #  # regex matching server [fast]
>> #  #
>> #  # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
>> #  # based URL is used and no match is found. The name "none" is used
>> #  # if the reverse lookup fails.
>> #
>> # acl aclname src_as number ...
>> # acl aclname dst_as number ...
>> #  # [fast]
>> #  # Except for access control, AS numbers can be used for
>> #  # routing of requests to specific caches. Here's an
>> #  # example for routing all requests for AS#1241 and only
>> #  # those to mycache.mydomain.net:
>> #  # acl asexample dst_as 1241
>> #  # cache_peer_access mycache.mydomain.net allow asexample
>> #  # cache_peer_access mycache_mydomain.net deny all
>> #
>> # acl aclname peername myPeer ...
>> #  # [fast]
>> #  # match against a named cache_peer entry
>> #  # set unique name= on cache_peer lines for reliable use.
>> #
>> # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
>> #  # [fast]
>> #  #  day-abbrevs:
>> #  # S - Sunday
>> #  # M - Monday
>> #  # T - Tuesday
>> #  # W - Wednesday
>> #  # H - Thursday
>> #  # F - Friday
>> #  # A - Saturday
>> #  #  h1:m1 must be less than h2:m2
>> #
>> # acl aclname url_regex [-i] ^http:// ...
>> #  # regex matching on whole URL [fast]
>> # acl aclname urllogin [-i] [^a-zA-Z0-9] ...
>> #  # regex matching on URL login field
>> # acl aclname urlpath_regex [-i] \.gif$ ...
>> #  # regex matching on URL path [fast]
>> #
>> # acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
>> #                                      # ranges are allowed
>> # acl aclname localport 3128 ...      # TCP port the client connected to [fast]
>> #                                      # NP: for interception mode this is usually '80'
>> #
>> # acl aclname myportname 3128 ...       # *_port name [fast]
>> #
>> # acl aclname proto HTTP FTP ...        # request protocol [fast]
>> #
>> # acl aclname method GET POST ...       # HTTP request method [fast]
>> #
>> # acl aclname http_status 200 301 500- 400-403 ...
>> #  # status code in reply [fast]
>> #
>> # acl aclname browser [-i] regexp ...
>> #  # pattern match on User-Agent header (see also req_header below) [fast]
>> #
>> # acl aclname referer_regex [-i] regexp ...
>> #  # pattern match on Referer header [fast]
>> #  # Referer is highly unreliable, so use with care
>> #
>> # acl aclname ident username ...
>> # acl aclname ident_regex [-i] pattern ...
>> #  # string match on ident output [slow]
>> #  # use REQUIRED to accept any non-null ident.
>> #
>> # acl aclname proxy_auth [-i] username ...
>> # acl aclname proxy_auth_regex [-i] pattern ...
>> #  # perform http authentication challenge to the client and match against
>> #  # supplied credentials [slow]
>> #  #
>> #  # takes a list of allowed usernames.
>> #  # use REQUIRED to accept any valid username.
>> #  #
>> #  # Will use proxy authentication in forward-proxy scenarios, and plain
>> #  # http authentication in reverse-proxy scenarios
>> #  #
>> #  # NOTE: when a Proxy-Authentication header is sent but it is not
>> #  # needed during ACL checking the username is NOT logged
>> #  # in access.log.
>> #  #
>> #  # NOTE: proxy_auth requires an EXTERNAL authentication program
>> #  # to check username/password combinations (see
>> #  # auth_param directive).
>> #  #
>> #  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
>> #  # as the browser needs to be configured for using a proxy in order
>> #  # to respond to proxy authentication.
>> #
>> # acl aclname snmp_community string ...
>> #  # A community string to limit access to your SNMP Agent [fast]
>> #  # Example:
>> #  #
>> #  # acl snmppublic snmp_community public
>> #
>> # acl aclname maxconn number
>> #  # This will be matched when the client's IP address has
>> #  # more than <number> TCP connections established. [fast]
>> #  # NOTE: This only measures direct TCP links so X-Forwarded-For
>> #  # indirect clients are not counted.
>> #
>> # acl aclname max_user_ip [-s] number
>> #  # This will be matched when the user attempts to log in from more
>> #  # than <number> different ip addresses. The authenticate_ip_ttl
>> #  # parameter controls the timeout on the ip entries. [fast]
>> #  # If -s is specified the limit is strict, denying browsing
>> #  # from any further IP addresses until the ttl has expired. Without
>> #  # -s Squid will just annoy the user by "randomly" denying requests.
>> #  # (the counter is reset each time the limit is reached and a
>> #  # request is denied)
>> #  # NOTE: in acceleration mode or where there is mesh of child proxies,
>> #  # clients may appear to come from multiple addresses if they are
>> #  # going through proxy farms, so a limit of 1 may cause user problems.
>> #
>> # acl aclname random probability
>> #  # Pseudo-randomly match requests. Based on the probability given.
>> #  # Probability may be written as a decimal (0.333), fraction (1/3)
>> #  # or ratio of matches:non-matches (3:5).
>> #
>> # acl aclname req_mime_type [-i] mime-type ...
>> #  # regex match against the mime type of the request generated
>> #  # by the client. Can be used to detect file upload or some
>> #  # types HTTP tunneling requests [fast]
>> #  # NOTE: This does NOT match the reply. You cannot use this
>> #  # to match the returned file type.
>> #
>> # acl aclname req_header header-name [-i] any\.regex\.here
>> #  # regex match against any of the known request headers.  May be
>> #  # thought of as a superset of "browser", "referer" and "mime-type"
>> #  # ACL [fast]
>> #
>> # acl aclname rep_mime_type [-i] mime-type ...
>> #  # regex match against the mime type of the reply received by
>> #  # squid. Can be used to detect file download or some
>> #  # types HTTP tunneling requests. [fast]
>> #  # NOTE: This has no effect in http_access rules. It only has
>> #  # effect in rules that affect the reply data stream such as
>> #  # http_reply_access.
>> #
>> # acl aclname rep_header header-name [-i] any\.regex\.here
>> #  # regex match against any of the known reply headers. May be
>> #  # thought of as a superset of "browser", "referer" and "mime-type"
>> #  # ACLs [fast]
>> #
>> # acl aclname external class_name [arguments...]
>> #  # external ACL lookup via a helper class defined by the
>> #  # external_acl_type directive [slow]
>> #
>> # acl aclname user_cert attribute values...
>> #  # match against attributes in a user SSL certificate
>> #  # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
>> #
>> # acl aclname ca_cert attribute values...
>> #  # match against attributes of a user's issuing CA SSL certificate
>> #  # attribute is one of DN/C/O/CN/L/ST or a numerical OID  [fast]
>> #
>> # acl aclname ext_user username ...
>> # acl aclname ext_user_regex [-i] pattern ...
>> #  # string match on username returned by external acl helper [slow]
>> #  # use REQUIRED to accept any non-null user name.
>> #
>> # acl aclname tag tagvalue ...
>> #  # string match on tag returned by external acl helper [fast]
>> #  # DEPRECATED. Only the first tag will match with this ACL.
>> #  # Use the 'note' ACL instead for handling multiple tag values.
>> #
>> # acl aclname hier_code codename ...
>> #  # string match against squid hierarchy code(s); [fast]
>> #  #  e.g., DIRECT, PARENT_HIT, NONE, etc.
>> #  #
>> #  # NOTE: This has no effect in http_access rules. It only has
>> #  # effect in rules that affect the reply data stream such as
>> #  # http_reply_access.
>> #
>> # acl aclname note name [value ...]
>> #  # match transaction annotation [fast]
>> #  # Without values, matches any annotation with a given name.
>> #  # With value(s), matches any annotation with a given name that
>> #  # also has one of the given values.
>> #  # Names and values are compared using a string equality test.
>> #  # Annotation sources include note and adaptation_meta directives
>> #  # as well as helper and eCAP responses.
>> #
>> # acl aclname adaptation_service service ...
>> #  # Matches the name of any icap_service, ecap_service,
>> #  # adaptation_service_set, or adaptation_service_chain that Squid
>> #  # has used (or attempted to use) for the master transaction.
>> #  # This ACL must be defined after the corresponding adaptation
>> #  # service is named in squid.conf. This ACL is usable with
>> #  # adaptation_meta because it starts matching immediately after
>> #  # the service has been selected for adaptation.
>> #
>> # acl aclname any-of acl1 acl2 ...
>> #  # match any one of the acls [fast or slow]
>> #  # The first matching ACL stops further ACL evaluation.
>> #  #
>> #  # ACLs from multiple any-of lines with the same name are ORed.
>> #  # For example, A = (a1 or a2) or (a3 or a4) can be written as
>> #  #   acl A any-of a1 a2
>> #  #   acl A any-of a3 a4
>> #  #
>> #  # This group ACL is fast if all evaluated ACLs in the group are fast
>> #  # and slow otherwise.
>> #
>> # acl aclname all-of acl1 acl2 ...
>> #  # match all of the acls [fast or slow]
>> #  # The first mismatching ACL stops further ACL evaluation.
>> #  #
>> #  # ACLs from multiple all-of lines with the same name are ORed.
>> #  # For example, B = (b1 and b2) or (b3 and b4) can be written as
>> #  #   acl B all-of b1 b2
>> #  #   acl B all-of b3 b4
>> #  #
>> #  # This group ACL is fast if all evaluated ACLs in the group are fast
>> #  # and slow otherwise.
>> #
>> # Examples:
>> # acl macaddress arp 09:00:2b:23:45:67
>> # acl myexample dst_as 1241
>> # acl password proxy_auth REQUIRED
>> # acl fileupload req_mime_type -i ^multipart/form-data$
>> # acl javascript rep_mime_type -i ^application/x-javascript$
>> #
>> #Default:
>> # ACLs all, manager, localhost, and to_localhost are predefined.
>> #
>> #
>> # Recommended minimum configuration:
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> #acl localnet src fc00::/7       # RFC 4193 local private network range
>> #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> #  TAG: proxy_protocol_access
>> # Determine which client proxies can be trusted to provide correct
>> # information regarding real client IP address using PROXY protocol.
>> #
>> # Requests may pass through a chain of several other proxies
>> # before reaching us. The original source details may be sent in:
>> # * HTTP message Forwarded header, or
>> # * HTTP message X-Forwarded-For header, or
>> # * PROXY protocol connection header.
>> #
>> # This directive is solely for validating new PROXY protocol
>> # connections received from a port flagged with require-proxy-header.
>> # It is checked only once after TCP connection setup.
>> #
>> # A deny match results in TCP connection closure.
>> #
>> # An allow match is required for Squid to permit the corresponding
>> # TCP connection, before Squid even looks for HTTP request headers.
>> # If there is an allow match, Squid starts using PROXY header information
>> # to determine the source address of the connection for all future ACL
>> # checks, logging, etc.
>> #
>> # SECURITY CONSIDERATIONS:
>> #
>> # Any host from which we accept client IP details can place
>> # incorrect information in the relevant header, and Squid
>> # will use the incorrect information as if it were the
>> # source address of the request.  This may enable remote
>> # hosts to bypass any access control restrictions that are
>> # based on the client's source addresses.
>> #
>> # This clause only supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #Default:
>> # all TCP connections to ports with require-proxy-header will be denied
>>
>> #  TAG: follow_x_forwarded_for
>> # Determine which client proxies can be trusted to provide correct
>> # information regarding real client IP address.
>> #
>> # Requests may pass through a chain of several other proxies
>> # before reaching us. The original source details may be sent in:
>> # * HTTP message Forwarded header, or
>> # * HTTP message X-Forwarded-For header, or
>> # * PROXY protocol connection header.
>> #
>> # PROXY protocol connections are controlled by the proxy_protocol_access
>> # directive which is checked before this.
>> #
>> # If a request reaches us from a source that is allowed by this
>> # directive, then we trust the information it provides regarding
>> # the IP of the client it received from (if any).
>> #
>> # For the purpose of ACLs used in this directive the src ACL type always
>> # matches the address we are testing and srcdomain matches its rDNS.
>> #
>> # On each HTTP request Squid checks for X-Forwarded-For header fields.
>> # If found the header values are iterated in reverse order and an allow
>> # match is required for Squid to continue on to the next value.
>> # The verification ends when a value receives a deny match, cannot be
>> # tested, or there are no more values to test.
>> # NOTE: Squid does not yet follow the Forwarded HTTP header.
>> #
>> # The end result of this process is an IP address that we will
>> # refer to as the indirect client address.  This address may
>> # be treated as the client address for access control, ICAP, delay
>> # pools and logging, depending on the acl_uses_indirect_client,
>> # icap_uses_indirect_client, delay_pool_uses_indirect_client,
>> # log_uses_indirect_client and tproxy_uses_indirect_client options.
>> #
>> # This clause only supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #
>> # SECURITY CONSIDERATIONS:
>> #
>> # Any host from which we accept client IP details can place
>> # incorrect information in the relevant header, and Squid
>> # will use the incorrect information as if it were the
>> # source address of the request.  This may enable remote
>> # hosts to bypass any access control restrictions that are
>> # based on the client's source addresses.
>> #
>> # For example:
>> #
>> # acl localhost src 127.0.0.1
>> # acl my_other_proxy srcdomain .proxy.example.com
>> # follow_x_forwarded_for allow localhost
>> # follow_x_forwarded_for allow my_other_proxy
>> #Default:
>> # X-Forwarded-For header will be ignored.
>>
>> #  TAG: acl_uses_indirect_client on|off
>> # Controls whether the indirect client address
>> # (see follow_x_forwarded_for) is used instead of the
>> # direct client address in acl matching.
>> #
>> # NOTE: maxconn ACL considers direct TCP links and indirect
>> #      clients will always have zero. So no match.
>> #Default:
>> # acl_uses_indirect_client on
>>
>> #  TAG: delay_pool_uses_indirect_client on|off
>> # Controls whether the indirect client address
>> # (see follow_x_forwarded_for) is used instead of the
>> # direct client address in delay pools.
>> #Default:
>> # delay_pool_uses_indirect_client on
>>
>> #  TAG: log_uses_indirect_client on|off
>> # Controls whether the indirect client address
>> # (see follow_x_forwarded_for) is used instead of the
>> # direct client address in the access log.
>> #Default:
>> # log_uses_indirect_client on
>>
>> #  TAG: tproxy_uses_indirect_client on|off
>> # Controls whether the indirect client address
>> # (see follow_x_forwarded_for) is used instead of the
>> # direct client address when spoofing the outgoing client.
>> #
>> # This has no effect on requests arriving in non-tproxy
>> # mode ports.
>> #
>> # SECURITY WARNING: Usage of this option is dangerous
>> # and should not be used trivially. Correct configuration
>> # of follow_x_forwarded_for with a limited set of trusted
>> # sources is required to prevent abuse of your proxy.
>> #Default:
>> # tproxy_uses_indirect_client off
>>
>> #  TAG: spoof_client_ip
>> # Control client IP address spoofing of TPROXY traffic based on
>> # defined access lists.
>> #
>> # spoof_client_ip allow|deny [!]aclname ...
>> #
>> # If there are no "spoof_client_ip" lines present, the default
>> # is to "allow" spoofing of any suitable request.
>> #
>> # Note that the cache_peer "no-tproxy" option overrides this ACL.
>> #
>> # This clause supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #Default:
>> # Allow spoofing on all TPROXY traffic.
>>
>> #  TAG: http_access
>> # Allowing or Denying access based on defined access lists
>> #
>> # To allow or deny a message received on an HTTP, HTTPS, or FTP port:
>> # http_access allow|deny [!]aclname ...
>> #
>> # NOTE on default values:
>> #
>> # If there are no "access" lines present, the default is to deny
>> # the request.
>> #
>> # If none of the "access" lines cause a match, the default is the
>> # opposite of the last line in the list.  If the last line was
>> # deny, the default is allow.  Conversely, if the last line
>> # is allow, the default will be deny.  For these reasons, it is a
>> # good idea to have an "deny all" entry at the end of your access
>> # lists to avoid potential confusion.
>> #
>> # This clause supports both fast and slow acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #
>> #Default:
>> # Deny, unless rules exist in squid.conf.
>> #
>>
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> #http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> #http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> #http_access allow localnet
>> http_access allow localhost
>>
>> # And finally deny all other access to this proxy
>> http_access allow all
>>
>> #  TAG: adapted_http_access
>> # Allowing or Denying access based on defined access lists
>> #
>> # Essentially identical to http_access, but runs after redirectors
>> # and ICAP/eCAP adaptation. Allowing access control based on their
>> # output.
>> #
>> # If not set then only http_access is used.
>> #Default:
>> # Allow, unless rules exist in squid.conf.
>>
>> #  TAG: http_reply_access
>> # Allow replies to client requests. This is complementary to http_access.
>> #
>> # http_reply_access allow|deny [!] aclname ...
>> #
>> # NOTE: if there are no access lines present, the default is to allow
>> # all replies.
>> #
>> # If none of the access lines cause a match the opposite of the
>> # last line will apply. Thus it is good practice to end the rules
>> # with an "allow all" or "deny all" entry.
>> #
>> # This clause supports both fast and slow acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #Default:
>> # Allow, unless rules exist in squid.conf.
>>
>> #  TAG: icp_access
>> # Allowing or Denying access to the ICP port based on defined
>> # access lists
>> #
>> # icp_access  allow|deny [!]aclname ...
>> #
>> # NOTE: The default if no icp_access lines are present is to
>> # deny all traffic. This default may cause problems with peers
>> # using ICP.
>> #
>> # This clause only supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #
>> ## Allow ICP queries from local networks only
>> ##icp_access allow localnet
>> ##icp_access deny all
>> #Default:
>> # Deny, unless rules exist in squid.conf.
>>
>> #  TAG: htcp_access
>> # Allowing or Denying access to the HTCP port based on defined
>> # access lists
>> #
>> # htcp_access  allow|deny [!]aclname ...
>> #
>> # See also htcp_clr_access for details on access control for
>> # cache purge (CLR) HTCP messages.
>> #
>> # NOTE: The default if no htcp_access lines are present is to
>> # deny all traffic. This default may cause problems with peers
>> # using the htcp option.
>> #
>> # This clause only supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #
>> ## Allow HTCP queries from local networks only
>> ##htcp_access allow localnet
>> ##htcp_access deny all
>> #Default:
>> # Deny, unless rules exist in squid.conf.
>>
>> #  TAG: htcp_clr_access
>> # Allowing or Denying access to purge content using HTCP based
>> # on defined access lists.
>> # See htcp_access for details on general HTCP access control.
>> #
>> # htcp_clr_access  allow|deny [!]aclname ...
>> #
>> # This clause only supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #
>> ## Allow HTCP CLR requests from trusted peers
>> #acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
>> #htcp_clr_access allow htcp_clr_peer
>> #htcp_clr_access deny all
>> #Default:
>> # Deny, unless rules exist in squid.conf.
>>
>> #  TAG: miss_access
>> # Determines whether network access is permitted when satisfying a request.
>> #
>> # For example;
>> #    to force your neighbors to use you as a sibling instead of
>> #    a parent.
>> #
>> # acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
>> # miss_access deny  !localclients
>> # miss_access allow all
>> #
>> # This means only your local clients are allowed to fetch relayed/MISS
>> # replies from the network and all other clients can only fetch cached
>> # objects (HITs).
>> #
>> # The default for this setting allows all clients who passed the
>> # http_access rules to relay via this proxy.
>> #
>> # This clause only supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #Default:
>> # Allow, unless rules exist in squid.conf.
>>
>> #  TAG: ident_lookup_access
>> # A list of ACL elements which, if matched, cause an ident
>> # (RFC 931) lookup to be performed for this request.  For
>> # example, you might choose to always perform ident lookups
>> # for your main multi-user Unix boxes, but not for your Macs
>> # and PCs.  By default, ident lookups are not performed for
>> # any requests.
>> #
>> # To enable ident lookups for specific client addresses, you
>> # can follow this example:
>> #
>> # acl ident_aware_hosts src 198.168.1.0/24
>> # ident_lookup_access allow ident_aware_hosts
>> # ident_lookup_access deny all
>> #
>> # Only src type ACL checks are fully supported.  A srcdomain
>> # ACL might work at times, but it will not always provide
>> # the correct result.
>> #
>> # This clause only supports fast acl types.
>> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
>> #Default:
>> # Unless rules exist in squid.conf, IDENT is not fetched.
>>
>> #  TAG: reply_body_max_size size [acl acl...]
>> # This option specifies the maximum size of a reply body. It can be
>> # used to prevent users from downloading very large files, such as
>> # MP3's and movies. When the reply headers are received, the
>> # reply_body_max_size lines are processed, and the first line where
>> # all (if any) listed ACLs are true is used as the maximum body size
>> # for this reply.
>> #
>> # This size is checked twice. First when we get the reply headers,
>> # we check the content-length value.  If the content length value exists
>> # and is larger than the allowed size, the request is denied and the
>> # user receives an error message that says "the request or reply
>> # is too large." If there is no content-length, and the reply
>> # size exceeds this limit, the client's connection is just closed

Yes you are right. The main issue was not setting transparent mode. My
problem is resolved. But I will look into your other suggestions too.
Thanks.

-- 
Regards,
Varun
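The two rule semantics quoted in the squid.conf comments above (http_access falling back to the opposite of the last line when nothing matches, and follow_x_forwarded_for walking the X-Forwarded-For chain right to left) are easy to get wrong, and the posted rule list ends in "http_access allow all" under a comment that promises a deny. The following is an added example, not Squid's code and not the poster's configuration: a small Python simulator of those two semantics, with constructed configs and addresses, so the effect of a trailing "allow all" and of an over-broad follow_x_forwarded_for can be checked offline. Only "acl NAME src CIDR" ACLs and the built-in "all" ACL are modelled.

```python
"""Added example (not Squid code): simulate two Squid access-control semantics.

  * http_access: ACLs on one line are ANDed, the first matching line wins,
    and when NO line matches the result is the opposite of the LAST line.
    A trailing "http_access allow all" therefore makes an open proxy.
  * follow_x_forwarded_for: X-Forwarded-For values are walked right to left;
    each hop must be allowed before Squid trusts the next (earlier) value.
    With acl_uses_indirect_client on (the default) http_access is then
    matched against the resulting "indirect client" address.

Assumptions: only "acl NAME src CIDR..." and the built-in "all" ACL exist;
all configs, addresses and XFF values below are constructed for the demo.
"""
import ipaddress


def parse_config(text):
    """Parse a squid.conf subset. acls: name -> [networks];
    rules: directive -> [(allow: bool, [acl terms])]. Comments are stripped."""
    acls = {"all": []}
    rules = {"http_access": [], "follow_x_forwarded_for": []}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) > 3 and parts[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)  # same name => union
        elif parts[0] in rules and parts[1] in ("allow", "deny"):
            rules[parts[0]].append((parts[1] == "allow", parts[2:]))
    return acls, rules


def acl_matches(acls, term, ip):
    """One [!]aclname term against a client address ("all" always matches)."""
    name = term.lstrip("!")
    addr = ipaddress.ip_address(ip)  # v4 addr is never "in" a v6 net, and vice versa
    hit = name == "all" or any(addr in net for net in acls[name])
    return hit != term.startswith("!")


def evaluate(rules, acls, ip):
    """First matching line wins; no match -> opposite of the last line;
    an empty rule list denies."""
    if not rules:
        return False
    for allow, terms in rules:
        if all(acl_matches(acls, t, ip) for t in terms):
            return allow
    return not rules[-1][0]


def indirect_client(cfg, direct_ip, xff=""):
    """Start at the TCP peer; while the current address passes
    follow_x_forwarded_for, trust the next hop from the right.
    Stop on a deny, an untestable (unparsable) value, or exhaustion."""
    acls, rules = parse_config(cfg)
    current = direct_ip
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not evaluate(rules["follow_x_forwarded_for"], acls, current):
            break
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # cannot be tested: keep the last trusted address
        current = hop
    return current


def http_access_decision(cfg, direct_ip, xff=""):
    """acl_uses_indirect_client on: http_access sees the indirect client."""
    acls, rules = parse_config(cfg)
    return evaluate(rules["http_access"], acls, indirect_client(cfg, direct_ip, xff))


# Constructed config mirroring the tail of the posted rule list: the comment
# promises a deny but the rule says allow.
AS_POSTED = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl localhost src 127.0.0.1/32 ::1
http_access allow localhost
http_access allow all   # And finally deny all other access to this proxy
"""

# Constructed hardened config: explicit deny at the end, and XFF trusted only
# from localhost and one named front-end proxy (192.0.2.10 is hypothetical).
HARDENED = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl localhost src 127.0.0.1/32 ::1
acl frontend src 192.0.2.10/32
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow frontend
follow_x_forwarded_for deny all
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Same, but trusting XFF from anyone: a remote host that forges
# "X-Forwarded-For: 10.0.0.5" is treated as a localnet client.
TRUST_EVERYONE = HARDENED.replace("follow_x_forwarded_for deny all",
                                  "follow_x_forwarded_for allow all")

if __name__ == "__main__":
    print("posted, internet client:", http_access_decision(AS_POSTED, "203.0.113.5"))
    print("hardened, internet client:", http_access_decision(HARDENED, "203.0.113.5"))
    print("hardened, forged XFF:", http_access_decision(HARDENED, "203.0.113.5", "10.0.0.5"))
    print("trust-everyone, forged XFF:",
          http_access_decision(TRUST_EVERYONE, "203.0.113.5", "10.0.0.5"))
    print("indirect client via frontend:",
          indirect_client(HARDENED, "192.0.2.10", "203.0.113.7, 198.51.100.9"))
```

Running it shows the posted tail admitting an arbitrary Internet address, the hardened list refusing it even when the request carries a forged X-Forwarded-For, and the same forged header succeeding the moment follow_x_forwarded_for trusts every source. The indirect-client walk also shows that only one hop beyond a trusted front end is accepted: the value it reports is used, but that value itself is not trusted to vouch for anything further left unless it, too, matches an allow line.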

