[strongSwan] Connect strongSwan and Squid on same server
Moataz Elmasry
moataz.elmasry2 at gmail.com
Thu Jan 19 11:41:10 CET 2017
Hi Varun,
No, this is a misunderstanding. The link you show states that the error
is a 400 error: invalid-request, while you are getting a 403 TCP_DENIED,
which means that the traffic passed through strongswan, was redirected to
3128 unmangled, and that Squid was successfully able to read it and
deny it.

The squid conf you showed has a couple of issues. In squid, define
everything you need explicitly instead of "allow all" for better
reading; also, nowhere did you enable the intercept mode. Here's a
minimum example that hopefully will work:
```
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
#acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
#acl Safe_ports port 280        # http-mgmt
#acl Safe_ports port 488        # gss-http
#acl Safe_ports port 591        # filemaker
#acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
# http_access rules are evaluated top-down; the first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# "localhost" and "manager" are predefined ACLs in Squid 3.2 and later.
http_access allow localhost manager
http_access deny manager
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# Everything not explicitly allowed above is denied (no "allow all").
http_access deny all
# Plain forward-proxy port (clients configured to use the proxy).
http_port 3127
# Port that receives the traffic redirected by the firewall rule.
http_port 3128 intercept
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
```
Hope this helps.
P.s. @admins Please don't shoot me for sharing a squid example on
strongswan
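An added check, not part of the reply above and not Squid's own tooling, that lints a squid.conf for the two points the reply raises: an `http_port` without `intercept` (redirected traffic would not be handled as transparent), and a catch-all `http_access allow all` instead of a closing `deny all`. The two sample configs are constructed for the example.

```python
"""Lint a squid.conf for a missing 'intercept' port and an 'allow all' rule."""

# Constructed sample in the shape of the original poster's config.
SAMPLE_BAD = """\
http_port 3128
http_access allow all
"""

# Constructed sample in the shape of the corrected example config.
SAMPLE_GOOD = """\
acl localnet src 10.0.0.0/8
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
http_port 3127
http_port 3128 intercept
"""


def parse_squid_conf(text):
    """Return (http_port entries, http_access entries) with comments stripped."""
    ports, access = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "http_port" and len(parts) >= 2:
            ports.append((parts[1], parts[2:]))    # (port spec, mode flags)
        elif parts[0] == "http_access" and len(parts) >= 3:
            access.append((parts[1], parts[2:]))   # (allow|deny, acl names)
    return ports, access


def lint_squid_conf(text):
    """Return a list of findings; an empty list means all checks pass."""
    findings = []
    ports, access = parse_squid_conf(text)
    if not any("intercept" in flags for _, flags in ports):
        findings.append("no 'http_port ... intercept': redirected traffic "
                        "is not handled as a transparent proxy request")
    if any(act == "allow" and acls == ["all"] for act, acls in access):
        findings.append("'http_access allow all' present: replace it with "
                        "explicit allow rules followed by 'deny all'")
    # Rules are evaluated top-down, first match wins: the last rule should
    # be the catch-all deny so nothing unlisted slips through.
    if access and (access[-1][0] != "deny" or access[-1][1] != ["all"]):
        findings.append("last http_access rule is not 'deny all'")
    return findings
```

Run `lint_squid_conf(open("/etc/squid/squid.conf").read())` to check a deployed config; an empty list means both points from the reply are addressed.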