Re-organize Squid document

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-09-08 08:08:16 -07:00
parent c13bdbd316
commit 0dd7ad7920


@ -139,7 +139,6 @@ httpd_accel_uses_host_header on</programlisting>
http://www.domain.tld:<emphasis role="bold">8080</emphasis>) then you http://www.domain.tld:<emphasis role="bold">8080</emphasis>) then you
must open those ports as well.</para> must open those ports as well.</para>
</caution> </caution>
</section>
<section id="Configurations"> <section id="Configurations">
<title>Configurations</title> <title>Configurations</title>
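Review bot: The `</section>` dropped just before `<section id="Configurations">` changes the document hierarchy, and the commit message "Re-organize Squid document" does not say so. With that close gone, Configurations becomes a child of the section that precedes it, so its heading level and table-of-contents depth change while its id stays the same. Name the new parent in the commit message, and note that the balancing `</section>` only arrives in the hunk at -284,6 +285,7, so the two hunks cannot be applied or reverted separately without leaving the XML unbalanced.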
@ -159,8 +158,8 @@ httpd_accel_uses_host_header on</programlisting>
<para>You want to redirect all local www connection requests EXCEPT <para>You want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will of proxy running on the firewall and listening on port 3128. Squid will
course require access to remote web servers.</para> of course require access to remote web servers.</para>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
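Review bot: The only change in this hunk is a re-wrap of the sentence "Squid will of course require access to remote web servers", and the hunks at -170,9, -181,12, -225,11 and -274,8 are the same kind of reflow with no change in wording. Mixing these with the section move makes the one structural edit hard to spot in review. Put the reflow in its own commit, or state in the message that the paragraph changes are whitespace only.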
@ -170,9 +169,10 @@ ACCEPT $FW net tcp www
REDIRECT loc 3128 tcp www - !206.124.146.177 REDIRECT loc 3128 tcp www - !206.124.146.177
</programlisting> </programlisting>
<para>There may be a requirement to exclude additional destination hosts <para>There may be a requirement to exclude additional destination
or networks from being redirected. For example, you might also want hosts or networks from being redirected. For example, you might also
requests destined for 130.252.100.0/24 to not be routed to Squid.</para> want requests destined for 130.252.100.0/24 to not be routed to
Squid.</para>
<para>If needed, you may just add the additional hosts/networks to the <para>If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule.</para> ORIGINAL DEST column in your REDIRECT rule.</para>
@ -181,12 +181,12 @@ REDIRECT loc 3128 tcp www - !206.124.146.
# PORT(S) DEST # PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para> REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<para>People frequently ask <emphasis>How can I exclude certain internal <para>People frequently ask <emphasis>How can I exclude certain
systems from using the proxy? I want to allow those systems to go internal systems from using the proxy? I want to allow those systems
directly to the net</emphasis>.</para> to go directly to the net</emphasis>.</para>
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 from <para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
the proxy. Your rules would then be:</para> from the proxy. Your rules would then be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST # PORT(S) DEST
@ -225,11 +225,11 @@ REDIRECT $FW 3128 tcp www - -
<section id="Local"> <section id="Local">
<title>Squid (transparent) Running in the local network</title> <title>Squid (transparent) Running in the local network</title>
<para>You want to redirect all local www connection requests to a Squid <para>You want to redirect all local www connection requests to a
transparent proxy running in your local zone at 192.168.1.3 and Squid transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be listening on port 3128. Your local interface is eth1. There may also
a web server running on 192.168.1.3. It is assumed that web access is be a web server running on 192.168.1.3. It is assumed that web access
already enabled from the local zone to the Internet.</para> is already enabled from the local zone to the Internet.</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -274,8 +274,9 @@ loc eth1 detect <emphasis role="bold">routeback</emphasis>
<section id="DMZ"> <section id="DMZ">
<title>Squid (transparent) Running in the DMZ</title> <title>Squid (transparent) Running in the DMZ</title>
<para>You have a single system in your DMZ with IP address 192.0.2.177. <para>You have a single system in your DMZ with IP address
You want to run both a web server and Squid on that system.</para> 192.0.2.177. You want to run both a web server and Squid on that
system.</para>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
@ -284,6 +285,7 @@ loc eth1 detect <emphasis role="bold">routeback</emphasis>
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting> DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
</section> </section>
</section> </section>
</section>
<section id="Manual"> <section id="Manual">
<title>Squid as a Manual Proxy</title> <title>Squid as a Manual Proxy</title>
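Review bot: The added `</section>` is the third close in a row after the DNAT listing, and nothing shows which section it ends. Its opening tag is outside this hunk, and the close it stands in for was removed at -139,7 +139,6, so a reader of the source has to count tags to see that `<section id="Manual">` now starts at the top level again. A short XML comment naming the section being closed would make that pairing checkable.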
@ -310,7 +312,7 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
</section> </section>
<section id="TPROXY"> <section id="TPROXY">
<title>Transparent with TPROXY</title> <title>Squid3 as a Transparent Proxy with TPROXY</title>
<para>Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from <para>Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from
REDIRECT in that it does not modify the IP header and requires Squid 3 or REDIRECT in that it does not modify the IP header and requires Squid 3 or
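Review bot: The new title spells the product "Squid3", while the paragraph directly under it says "Squid 3" and the neighbouring title is "Squid as a Manual Proxy"; pick one spelling and use it in both places. The sentence under the title continues past "requires Squid 3 or", so also check that the title does not state a narrower version requirement than the text it introduces.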