hotfloppy, posted February 2, 2011

Assalamualaikum and greetings.. I was given a project by my trainer (a.k.a. lecturer) to build a [b]Bridging Transparent Proxy[/b]..

[b]Internet (modem in the server room) --> PC1 (Bridge) --> PC2 (Client)[/b]

Making PC1 the bridge is already OK.. These are the commands I used..

[code]
brctl addbr mybridge
brctl addif mybridge eth0
brctl addif mybridge eth1
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig mybridge 10.1.1.30 netmask 255.255.0.0 up
route add default gw 10.1.0.4 dev mybridge
[/code]

And here is the ifconfig output

[code]
[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1C:F0:0C:41:4F
          inet6 addr: fe80::21c:f0ff:fe0c:414f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:136220 (133.0 KiB)  TX bytes:11312 (11.0 KiB)
          Interrupt:217

eth1      Link encap:Ethernet  HWaddr 00:24:81:1D:4C:76
          inet6 addr: fe80::224:81ff:fe1d:4c76/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:5712 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31865 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:669987 (654.2 KiB)  TX bytes:2881578 (2.7 MiB)
          Memory:f0500000-f0520000

mybridge  Link encap:Ethernet  HWaddr 00:1C:F0:0C:41:4F
          inet addr:10.1.1.30  Bcast:10.1.255.255  Mask:255.255.0.0
          inet6 addr: fe80::21c:f0ff:fe0c:414f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:5690 (5.5 KiB)
[/code]

Now, as far as I know, I need to run the Squid service..

Below is my [b]squid.conf[/b]:

[code]
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl blacklist_domain_contain url_regex -i "/etc/squid/blacklist_domains_contain.acl"
acl blacklist_domain dstdomain "/etc/squid/blacklist_domain.acl"
acl access_by_ip url_regex \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# ACL names are case-sensitive: the name must match the "acl CONNECT" line above
http_access deny CONNECT !SSL_ports
http_access deny blacklist_domain_contain
http_access deny blacklist_domain
http_access deny access_by_ip
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128 transparent
https_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid
[/code]

In the files [b]/etc/squid/blacklist_domain.acl[/b] and [b]/etc/squid/blacklist_domain_contains.acl[/b] I put just 1 URL:

[code]
www.facebook.com
[/code]

Then in Webmin.. Under [b]Squid Proxy Server > Ports and Networking[/b], I assigned port [b]3128[/b] and [b]set the option for the port to transparent[/b] for both Proxy & SSL.. Under [b]Squid Proxy Server > Access Control[/b], [b]Add Proxy Restrictions[/b], I ticked [b]Deny[/b], selected [b]blacklist_domain_contains[/b] and [b]blacklist_domain[/b] and clicked [b]Save[/b]..

When I try to run Squid, this error comes out:

[code]
[root@localhost ~]# service squid status
squid (pid 6793) is running...
2011/02/02 21:05:00| strtokFile: /etc/squid/blacklist_domain.acl not found
2011/02/02 21:05:00| aclParseAclLine: WARNING: empty ACL: acl blacklist_domain dstdomain "/etc/squid/blacklist_domain.acl"
2011/02/02 21:05:00| Failed to acquire SSL certificate '(null)': error:0200100E:system library:fopen:Bad address
[root@localhost ~]#
[/code]

I searched Google about this error, and many people said it is a permission problem.. So I set the permissions on the /etc/squid folder so that Squid can access it:

[code]
chown -R root:squid /etc/squid
[/code]

I tried running Squid and the earlier error was still not resolved.. Searched Google again.. This time I came across the [b]setfacl[/b] command.. I tried:

[code]
setfacl -m u:apache:r /etc/squid/blacklist_domain.acl
setfacl -m u:squid:r /etc/squid/blacklist_domain.acl
[/code]

The same error still comes out.. What else do I need to do??

p/s: Is there any information I haven't given? This is not a project with a deadline.. Just a side project.. Tomorrow is a holiday, so if there are replies after 4 o'clock, I will only be able to try them next week..
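A pre-flight check for a squid.conf like the one posted above, added here as an example and not code from the thread or from Squid itself: it parses the config and flags what Squid reported in this post (a quoted ACL list file that is missing or empty, an https_port with no cert= option, or one that reuses the http_port number) plus an http_access rule that names an ACL never declared, since ACL names are case-sensitive. The root parameter, the BUILTIN_ACLS set and the wording of the findings are my own choices.

```python
"""Pre-flight lint for a squid.conf (added example, not code from the thread or Squid)."""
import os
import re

# matches: acl NAME TYPE [-i] "/path/to/list"  -> captures NAME and the list path
ACL_FILE_RE = re.compile(r'^acl\s+(\S+)\s+\S+\s+(?:-i\s+)?"([^"]+)"')
# Squid 3.2+ predefines these three; older builds must declare them in the file.
BUILTIN_ACLS = {"all", "localhost", "manager"}


def file_has_entries(path):
    """True if the list file exists and holds at least one non-comment line."""
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return any(l.strip() and not l.lstrip().startswith("#") for l in fh)


def lint_squid_conf(text, root="/"):
    """Return a list of findings (strings) for the squid.conf text.

    root is prefixed to the quoted list paths so a test can point
    "/etc/squid/..." at a scratch directory instead of the live system.
    """
    findings, defined, http_ports = [], set(BUILTIN_ACLS), set()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop trailing comments
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 3:
            defined.add(words[1])               # ACL names are case-sensitive
            m = ACL_FILE_RE.match(raw.strip())
            if m and not file_has_entries(os.path.join(root, m.group(2).lstrip("/"))):
                findings.append(f"acl {m.group(1)}: {m.group(2)} missing or empty")
        elif words[0] in ("http_access", "http_reply_access") and len(words) >= 3:
            for name in (w.lstrip("!") for w in words[2:]):
                if name not in defined:         # 'Connect' does not match 'CONNECT'
                    findings.append(f"{words[0]}: ACL '{name}' not defined")
        elif words[0] in ("http_port", "https_port") and len(words) >= 2:
            port = words[1].rsplit(":", 1)[-1]  # accept "port" or "ip:port"
            if words[0] == "http_port":
                http_ports.add(port)
                continue
            if not any(w.startswith("cert=") for w in words[2:]):
                findings.append(f"https_port {port}: no cert= option, TLS cannot be served")
            if port in http_ports:
                findings.append(f"https_port {port}: same port as an http_port line")
    return findings
```

Run it as `lint_squid_conf(open("/etc/squid/squid.conf").read())` before `service squid start`; an empty list means none of these three mistakes is present.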
hotfloppy, posted February 4, 2011

For the [b]*.acl[/b] problem, I have solved it.. I checked using [b]Webmin[/b], and the file did show as empty even though it had content.. So I just filled in the information from Webmin and the warning is gone..

Now only the SSL certificate problem is left.. As a temporary solution, I have disabled [b]https_port 3128 transparent[/b] in [b]squid.conf[/b].. Now I am looking for a way to let Squid monitor https activities.. Any idea??

p/s: Can anyone suggest what I need to study to let Squid monitor https activities.. Any keywords?
TRUNASUCI, posted February 7, 2011

[quote name='hotfloppy' timestamp='1296824673' post='1061102']
For the [b]*.acl[/b] problem, I have solved it.. I checked using [b]Webmin[/b], and the file did show as empty even though it had content.. So I just filled in the information from Webmin and the warning is gone..

Now only the SSL certificate problem is left.. As a temporary solution, I have disabled [b]https_port 3128 transparent[/b] in [b]squid.conf[/b].. Now I am looking for a way to let Squid monitor https activities.. Any idea??

p/s: Can anyone suggest what I need to study to let Squid monitor https activities.. Any keywords?
[/quote]

hehe, I have never done https monitoring
hotfloppy, posted February 9, 2011

Maybe I need to study certificates first.. I will update later..

p/s: If anyone knows the solution, please do share..
FarEast TechNo, posted October 28, 2013

Sorry, maybe this thread is old.. just my question.. are you using 2 NICs or only 1?
umarzuki, posted October 29, 2013 (edited)

I once came across a set of steps that SNATs packets from one network to another, so no bridging is needed.

As for https, as far as I have seen it is only visible at the domain level, but you can drop connections per domain outright; the site will not open at all. Try searching for "https facebook squid" on google.com if you are interested :D

Just adding this for those who are searching.

Edited October 29, 2013 by umarzuki