<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title><![CDATA[Chillispot Forum — Chillispot + Squid (transparent proxy) on same Ubuntu box]]></title>
		<link>http://www.chillispot.org/chilliforum/topic390-chillispot-squid-transparent-proxy-on-same-ubuntu-box.html</link>
		<atom:link href="http://www.chillispot.org/chilliforum/feed-rss-topic390.xml" rel="self" type="application/rss+xml" />
		<description><![CDATA[The most recent posts in Chillispot + Squid (transparent proxy) on same Ubuntu box.]]></description>
		<lastBuildDate>Sun, 04 Oct 2009 11:36:28 +0000</lastBuildDate>
		<generator>PunBB 1.4.4</generator>
		<item>
			<title><![CDATA[Re: Chillispot + Squid (transparent proxy) on same Ubuntu box]]></title>
			<link>http://www.chillispot.org/chilliforum/post1122.html#p1122</link>
			<description><![CDATA[<p>Hi dmkhn. </p><p>We are using Chillispot for public WiFi in trains. We expect up to 1000 users per train set. <br />Each train set has a computer with a special radio link which connects to the internet. This computer also runs chillispot and a squid proxy. <br />The squid proxy is there to reduce bandwidth requirements on the radio link. </p><p>To set up squid with chillispot, follow these instructions:</p><div class="codebox"><pre><code>Add this to IP tables to make it work:

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.182.0/24 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

------------------------
If you need more info about how IPTABLES works, then see the Squid tutorial on YouTube.
------------------------

The following is the squid.conf file that I use. (I know very little about squid)
Please remember to change cache_mgr, visible_hostname, acl YourNet
# ============================================== #
# NETWORK OPTIONS
# ============================================== #
http_port 3128 transparent
icp_port 0
# ============================================== #
# OPTIONS WHICH AFFECT THE NEIGHBOUR SELECTION ALGORITHM
# ============================================== #
dead_peer_timeout 30 seconds
mcast_icp_query_timeout 10
log_icp_queries on
connect_timeout 2 minutes
peer_connect_timeout 30 seconds
request_timeout 30 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# ============================================== #
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ============================================== #
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
# =============================================== #
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# =============================================== #
#cache_dir diskd /cache1 12600 29 256 Q1=64 Q2=72
#cache_dir diskd /cache2 12600 29 256 Q1=64 Q2=72
#cache_dir diskd /cache3 12600 29 256 Q1=64 Q2=72
#cache_dir diskd /cache4 12600 29 256 Q1=64 Q2=72
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /dev/null
#mime_table /usr/local/etc/squid/mime.conf
coredump_dir /var/spool/squid
# =============================================== #
# HTTPD-ACCELERATOR OPTIONS
# =============================================== #
log_ip_on_direct on
# dns_nameservers 192.168.168.4 194.239.134.83
# =============================================== #
# MISCELLANEOUS
# =============================================== #
logfile_rotate 7
digest_generation on
digest_bits_per_entry 10
digest_rebuild_period 30 minute
digest_rewrite_period 30 minute
digest_swapout_chunk_size 6000 bytes
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch on
store_dir_select_algorithm round-robin
nonhierarchical_direct off
prefer_direct off
# icp_access allow all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
# =============================================== #
# REFRESH PATTERN
# =============================================== #
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
#refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
#refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
# =============================================== #
# ADMINISTRATIVE PARAMETERS
# =============================================== #
cache_mgr thomas@etjam.dk
cache_effective_user proxy
cache_effective_group proxy
visible_hostname ubuntu_dev.etjam.dk
hosts_file /etc/hosts
# ============================================== #
# ACCESS CONTROLS
# ============================================== #
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl YourNet src 192.168.182.0/24
acl to_localhost dst 127.0.0.0/8
# ============================================== #
# ACL Different access
# ============================================== #
acl SSL_ports port 443 563 873
acl Safe_ports port 21 80 280 448 591 777 443 563 808 70 210 4190-65535
acl purge method PURGE
acl CONNECT method CONNECT
# ============================================== #
# Access Denied
# ============================================== #
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# ============================================== #
# Internet Access
# ============================================== #
http_access allow localhost
http_access allow YourNet
http_access deny all
# =============================================== #
--------

Use this command to check if Squid is working
tail -f /var/log/squid/access.log

When it works you will see TCP_MEM_HIT lines.</code></pre></div>]]></description>
			<author><![CDATA[null@example.com (thomas3d)]]></author>
			<pubDate>Sun, 04 Oct 2009 11:36:28 +0000</pubDate>
			<guid>http://www.chillispot.org/chilliforum/post1122.html#p1122</guid>
		</item>
		<item>
			<title><![CDATA[Re: Chillispot + Squid (transparent proxy) on same Ubuntu box]]></title>
			<link>http://www.chillispot.org/chilliforum/post1120.html#p1120</link>
			<description><![CDATA[<p>Bommer!</p><p>I got it working. <br />I had forgotten to run /etc/init.d/iptables to get my new settings activated. :-)</p><p>Now squid is running and access.log is filled. <br />I get access denied with the original squid config<br />and <br />it is working with a modified configuration from this post http://www.chillispot.info/chilliforum/viewtopic.php?id=189</p>]]></description>
			<author><![CDATA[null@example.com (thomas3d)]]></author>
			<pubDate>Sat, 03 Oct 2009 08:09:20 +0000</pubDate>
			<guid>http://www.chillispot.org/chilliforum/post1120.html#p1120</guid>
		</item>
		<item>
			<title><![CDATA[Chillispot + Squid (transparent proxy) on same Ubuntu box]]></title>
			<link>http://www.chillispot.org/chilliforum/post1118.html#p1118</link>
			<description><![CDATA[<p>Hi. </p><p>I have set up chillispot on Ubuntu and it is working great. <br />Now I want to add a Squid transparent proxy on the same machine. <br />I have installed Squid 2.6.STABLE18 without problems and it can run with the default squid.conf file. </p><p>Everything is still working, but there is nothing in the /var/log/squid/access.log <br />(I was told that squid is not functioning properly until I see messages in the above log)</p><p>I found these two posts on this forum<br />- chillispot on same server as squid proxy<br />- Squid drop Radius Upload rules</p><p>And I tried to apply the same IPTABLE rules in those posts. + keyword transparent to squid.conf<br />Still everything is running and working, but no entries in the access.log file. (so I assume the Squid is not doing any work)</p><p>What am I doing wrong?<br />Is there a better way to verify if Squid is actually caching anything? </p><p>/Thanks, Thomas</p>]]></description>
			<author><![CDATA[null@example.com (thomas3d)]]></author>
			<pubDate>Fri, 02 Oct 2009 21:12:40 +0000</pubDate>
			<guid>http://www.chillispot.org/chilliforum/post1118.html#p1118</guid>
		</item>
	</channel>
</rss>
