Setting up Squid/Dansguardian - I keep getting "Access Denied."
OK, I am trying to set up a simple unit to cache/save bandwidth and filter the kid's internet. I'm using Fedora. I downloaded the Squid source, compiled, make, installed. I changed the folder owner of the log/cache folders, and set the cache_effective_user. I set my http_access list to:
Code:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl cortiaus src 192.168.0.0/24
http_access allow cortiaus
# And finally deny all other access to this proxy
http_access deny all
Kind of a mix of my stuff and the default setting (still getting familiar with this). I installed Dansguardian and set it up. The guide I was following told me to set this iptables thing:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
According to the guide, I would point my computers at port 3128, and it would automatically forward them to 8080. So I go to a test machine, and set up the proxy. I point it to the IP. If I point it at port 3128, the internet runs fine but it doesn't block any pages (I have played with Dansguardian before and I know for sure it is configured correctly). If I point it at port 8080, I get this:
Code:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.hardocp.com/
The following error was encountered:
* Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.
Generated Tue, 09 May 2006 21:50:44 GMT by localhost.localdomain (squid/2.5.STABLE13)
It says it's coming from Squid, but isn't port 8080 the one that Dansguardian listens on? What's up here guys? I'm new to all this, and am still wet around the ears with Linux, but I'm starting to get the hang of it. Any help?
iptables rule for squid/dansguardian transparent proxy
Hi - you've probably already resolved your issue by now, but by changing a couple of settings you can use the squid/firewall machine as a transparent proxy, and you won't need to set a proxy server in your client machines' browsers.
The iptables rule looks like:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
and you would set "proxyport = 3128" and "proxyip = your.internal.ip.address" in your /etc/dansguardian/dansguardian.conf.
You'll probably also need to set the following to "on" in your squid.conf:
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Although those may just be necessary for me as I also serve webpages from Apache on this host as well :)
Now if you want to bypass dansguardian, you can set the proxy server in your client browser to your squid host's internal ip address, port 3128.
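An added example, not part of either post: a small first-match evaluator for the http_access list in the first post, useful for checking which source addresses that list admits before pointing a filter at Squid. Squid reads http_access lines top to bottom, and the first line whose ACLs all match decides the request. Only the cortiaus ACL is defined in the post; the other ACL definitions, the sample requests, and the idea that a filter on the same host reaches Squid from 127.0.0.1 are assumptions.

```python
import ipaddress

# http_access lines from the first post, in order; "!" negates an ACL.
RULES = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["to_localhost"]),
    ("allow", ["cortiaus"]),
    ("deny", ["all"]),
]

def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r["src"]) in net

# Only "cortiaus" is defined in the post. The rest are assumptions modeled
# on a stock squid.conf, since the post does not show those acl lines.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["url"].startswith("cache_object://"),
    "localhost": src_in("127.0.0.1/32"),
    "to_localhost": lambda r: r["dst"].startswith("127."),
    "Safe_ports": lambda r: r["port"] in (80, 21, 443) or r["port"] >= 1025,
    "SSL_ports": lambda r: r["port"] in (443, 563),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "cortiaus": src_in("192.168.0.0/24"),
}

def matches(term, req):
    # A leading "!" inverts the ACL result.
    return ACLS[term.lstrip("!")](req) != term.startswith("!")

def decide(req):
    """Return (action, line number) for the first line whose ACLs all match."""
    for n, (action, terms) in enumerate(RULES, 1):
        if all(matches(t, req) for t in terms):
            return action, n
    # No line matched: Squid applies the opposite of the last line.
    return ("allow" if RULES[-1][0] == "deny" else "deny"), None

def request(src, method="GET", port=80, dst="203.0.113.10",
            url="http://www.hardocp.com/"):
    # Constructed sample request; dst is a documentation address.
    return {"src": src, "method": method, "port": port, "dst": dst, "url": url}

if __name__ == "__main__":
    for src in ("192.168.0.25", "127.0.0.1"):
        print(src, decide(request(src)))
```

A LAN client in 192.168.0.0/24 is allowed by the cortiaus line, while a request arriving from 127.0.0.1 falls through to the final deny all, because no line in the list allows that source.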