Re: [squid-users] Squid +XChat + Bitlbee

From: stephane lepain <penguindeb@dont-contact.us>
Date: Tue, 05 Feb 2008 13:37:20 +0100

Amos Jeffries wrote:
> stephane lepain wrote:
>> Hi,
>>
>> I have added an acl in order for me to connect to Xchat through my
>> proxy. It works fine. Now, I want to use bitlbee using XChat to try
>> to connect to msn and everything going through my proxy. Every time I
>> launch Bitlbee I get the error HTTP/1.0 503 Service Unavailable.
>> Proxy traversal failed. The way I connect to bitlbee through Xchat is
>> "/server 127.0.0.1" and then this is when I get the error mentioned
>> above.
>> I can't see the reason why I would be able to connect to XChat and
>> not bitlbee. When I check the access.log I do see a tcp_miss 503.
>> Thanks for your help
>
> That would be because your squid is not listening on 127.0.0.1.
>
> Let's go over your config and improve it a bit shall we?
>
>>
>> ### ACCESS CONTROLS
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 # https
>> acl SSL_ports port 563 # snews
>> acl SSL_ports port 873 # rsync
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 873 # rsync
>> acl Safe_ports port 901 # SWAT
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>> acl iguane src 192.168.1.8 127.0.0.1
>> acl heaven src 192.168.1.10
>> acl zongo src 192.168.1.5
>> acl margoullat src 192.168.1.6 192.168.1.7
>> acl livebox src 192.168.1.1
>> acl xchat port 6667 1863
>> http_access allow CONNECT xchat
>> http_access deny CONNECT xchat
>
> The allow line above lets anyone use xchat through you.
> Blocking it here or below has no effect.
>
>> http_access allow iguane
>> http_access allow heaven
>> http_access allow zongo### OPTIONS FOR X-FORWARDED-FOR
>> ### NETWORK OPTIONS
>
> That missing newline will be causing some problems I think.
>
>> http_access allow margoullat
>> http_access allow livebox
>
> You could be creating a single ACL which contains all those machines'
> IP addresses (like Safe_Ports is done) instead of a separate line
> each. That would help keep this and the ICP lines below sync'd up.
>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny to_localhost
>> http_access allow localhost
>
> Like I said to someone else recently. These safety controls (from the
> manager down) need to be at the top of the squid http_access lines to
> have any effect.
>
> NP: If "deny CONNECT !SSL_Ports" blocks your xchat just add " !xchat"
> at the end of it.
>
>> http_access deny all
>
>> icp_access allow iguane
>> icp_access allow heaven
>> icp_access allow zongo
>> icp_access allow margoullat
>> icp_access allow livebox
>
> Again combining these machines into a single ACL will let you use it
> here too in a nice and short way.
>
>> icp_access deny ALL
>
> Might be worth changing the case on that one ;-)
>
>> http_port 192.168.1.7:3128
>
> And here Squid is ONLY listening on the public IP address of its
> machine. If you only have one network card you can safely remove the
> IP address part of that line.
>
>> hierarchy_stoplist cgi-bin ?
>> access_log /var/log/squid/access.log squid
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> quick_abort_min 0 KB
>> quick_abort_max 0 KB
>> quick_abort_pct 95
>> negative_ttl 2 minutes
>> request_header_max_size 12 KB
>> request_header_max_size 12 KB
>> request_body_max_size 0 KB # 0=nolimit
>> via off
>> cache_vary off
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> refresh_stale_hit 5 seconds
>> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>> header_access From deny all
>> header_access Referer deny all
>> header_access Server deny all
>> header_access User-Agent deny all
>> header_access WWW-Authenticate deny all
>
> Huh? you never want to login anywhere external?
>
>> header_access Link deny all
>> forward_timeout 2 minutes
>> cache_mgr penguindeb@gmail.com
>> htcp_port 4827
>> cache_peer cache.orange.fr parent 3128 3130 default no-query
>> hosts_file /etc/hosts
>> append_domain .macitos.fr
>> memory_pools_limit 50 MB
>> forwarded_for off
>> client_db off
>> reload_into_ims on
>> coredump_dir /var/spool/squid
>>
>
> Amos
Hi Amos,

Thanks for the great advice. I have changed the conf:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
*acl locallan src 192.168.1.0/24*
*acl xchat port 6667*

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports *!xchat*
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
*http_access allow locallan*
http_access deny all
*icp_access allow locallan*

For the line "http_port 192.168.1.7:3128", I do have two NICs on that
server.

As far as connecting bitlbee on 127.0.0.1, I am changing it to one of
the squid server NICS. That way, I can see that squid is now filtering
and I think it is more secure (I have a lot more control).

On the same content, is SQUID capable of filtering BitTorrent? I am using
it to filter eMule, which works great, but last night, to my surprise, SQUID
didn't filter BitTorrent.

Could you please advise ?
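To check what the two rule orders in this thread actually decide, here is an added Python model of Squid's first-match http_access evaluation (not Squid's code and not from either poster), loaded with the src/port/method ACLs quoted above and two constructed client requests. It reproduces Amos's point that the first config admits a CONNECT to port 6667 from any address, and also shows that in the revised config the `!xchat` exception on the `!Safe_ports` line does not exempt IRC from `deny CONNECT !SSL_ports`, the line Amos actually named; the manager, purge and to_localhost lines are left out because they do not affect these requests.

```python
import ipaddress

# Added model (not Squid's code) of http_access evaluation: the first line whose
# ACL terms all match decides; a leading "!" negates a term. ACLs from the thread.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "locallan": ("src", ["192.168.1.0/24"]),
    "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", [(443, 443), (563, 563), (873, 873)]),
    "xchat": ("port", [(6667, 6667), (1863, 1863)]),
    "Safe_ports": ("port", [(p, p) for p in (80, 21, 443, 70, 210, 280, 488, 591,
                                               777, 631, 873, 901)] + [(1025, 65535)]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return req["method"] in values

def http_access(conf, req):
    # Walk the http_access lines in order; the first line whose terms all match wins.
    for line in conf.strip().splitlines():
        _, action, *terms = line.split()
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny"  # not reached here: both configs end with "deny all"

# Order from the first post: the CONNECT/xchat allow precedes every src check.
ORIGINAL = """
http_access allow CONNECT xchat
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""
# Order from the reply above, with "!xchat" on the !Safe_ports line.
REVISED = """
http_access deny !Safe_ports !xchat
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow locallan
http_access deny all
"""
OUTSIDER_IRC = {"src": "203.0.113.5", "method": "CONNECT", "port": 6667}  # constructed
LAN_IRC = {"src": "192.168.1.8", "method": "CONNECT", "port": 6667}      # constructed
```

Because 6667 already falls inside the 1025-65535 Safe_ports range, `!xchat` on the `!Safe_ports` line changes nothing; only `deny CONNECT !SSL_ports !xchat` would let the LAN's IRC tunnel through while still refusing it to outside addresses.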
Received on Tue Feb 05 2008 - 05:36:51 MST