Re: [squid-users] RE: Help Can't update computers using squid3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 17 Jan 2011 11:34:40 +1300

On 17/01/11 10:42, Shawn wrote:
> yes squid is running on my firewall which is debian lenny
>
>
> here is the rule for the web based traffic
>
> -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport
> --dports 80,21,443 -j ACCEPT
>
>
> here is the other rules
>
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,21,443 -j DNAT --to-destination 10.2.2.4:23654
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 80,21,443 -j DNAT --to-destination 10.2.2.3:56754

Ah, Squid is an HTTP proxy. It cannot intercept port 21 or 443.

For port 21 you need one of the following:
  * browsers configured to pass the proxy FTP URLs inside HTTP requests.
  * a dedicated FTP proxy, frox is the one I recommend to people.

For port 443 you simply can't intercept it. The browser *has* to be
configured to know about the proxy. Clients will get connection security
rejections otherwise.

What you need to do is set up WPAD/PAC on your network. This is also
called "transparent proxy" or browser auto-configuration. It will set
the client browsers to work properly with the proxy without having to
manually configure them all.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Sun Jan 16 2011 - 22:34:45 MST
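
Added example, not part of the message above and not Squid project code: a PAC file of the kind WPAD distributes, which sends http, https and ftp URLs to the proxy explicitly so that ports 21 and 443 need no interception. The proxy name and port `proxy.example.lan:3128` and the helper `isLocalAddress` are assumptions made for illustration.

```javascript
// PAC file, typically served as wpad.dat or proxy.pac.
// ASSUMPTION: proxy.example.lan:3128 is a placeholder for the Squid listener;
// it must be a normal forward-proxy port, not the interception port.
var SQUID = "PROXY proxy.example.lan:3128";

// Hypothetical helper: true for dotted-quad hosts in loopback or
// RFC 1918 space. Pure string checks, so no DNS lookups are triggered.
function isLocalAddress(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Hosts with no dot (unqualified names, and also IPv6 literals) and
  // internal addresses stay off the proxy.
  if (host === "localhost" || host.indexOf(".") === -1 || isLocalAddress(host)) {
    return "DIRECT";
  }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  switch (scheme) {
    case "http":   // ordinary HTTP request sent to the proxy
    case "https":  // browser issues CONNECT; TLS stays end to end
    case "ftp":    // browser passes the ftp:// URL inside an HTTP request
      return SQUID;
    default:
      return "DIRECT";
  }
}
```

The proxied schemes return no "; DIRECT" fallback, so clients fail closed rather than bypass the proxy when it is unreachable.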
