Topic: Chillispot + Squid (transparent proxy) on same Ubuntu box

Hi.

I have set up chillispot on Ubuntu and it is working great.
Now I want to add a Squid transparent proxy on the same machine.
I have installed Squid 2.6.STABLE18 without problems and it can run with the default squid.conf file.

Everything is still working, but nothing appears in /var/log/squid/access.log
(I was told that squid is not functioning properly until I see messages in the above log)

I found these two posts on this forum
- chillispot on same server as squid proxy
- Squid drop Radius Upload rules

And I tried to apply the same IPTABLES rules from those posts, plus the keyword transparent in squid.conf.
Everything is still running and working, but there are no entries in the access.log file (so I assume Squid is not doing any work).

What am I doing wrong?
Is there a better way to verify if Squid is actually caching anything?

/Thanks, Thomas

Re: Chillispot + Squid (transparent proxy) on same Ubuntu box

Bommer!

I got it working.
I had forgotten to run /etc/init.d/iptables to get my new settings activated. :-)

Now squid is running and access.log is being filled.
I get access denied with the original squid config,
and
it is working with a modified configuration from this post http://www.chillispot.info/chilliforum/viewtopic.php?id=189

Re: Chillispot + Squid (transparent proxy) on same Ubuntu box

Hi dmkhn.

We are using Chillispot for public WiFi in trains. We expect up to 1000 users per train set.
Each train set has a computer with a special radio link which connects to the internet. This computer also runs chillispot and a squid proxy.
The squid proxy is there to reduce bandwidth requirements on the radio link.

To set up squid with chillispot, follow these instructions:

Add this to iptables to make it work:

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.182.0/24 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

------------------------
If you need more info about how IPTABLES work, then see Squid tutorial on YouTube.
------------------------

The following is the squid.conf file that I use. (I know very little about squid)
Please remember to change cache_mgr, visible_hostname and acl YourNet.
# ============================================== #
# NETWORK OPTIONS
# ============================================== #
http_port 3128 transparent
icp_port 0
# ============================================== #
# OPTIONS WHICH AFFECT THE NEIGHBOUR SELECTION ALGORITHM
# ============================================== #
dead_peer_timeout 30 seconds
mcast_icp_query_timeout 10
log_icp_queries on
connect_timeout 2 minutes
peer_connect_timeout 30 seconds
request_timeout 30 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# ============================================== #
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ============================================== #
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
# =============================================== #
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# =============================================== #
#cache_dir diskd /cache1 12600 29 256 Q1=64 Q2=72
#cache_dir diskd /cache2 12600 29 256 Q1=64 Q2=72
#cache_dir diskd /cache3 12600 29 256 Q1=64 Q2=72
#cache_dir diskd /cache4 12600 29 256 Q1=64 Q2=72
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /dev/null
#mime_table /usr/local/etc/squid/mime.conf
coredump_dir /var/spool/squid
# =============================================== #
# HTTPD-ACCELERATOR OPTIONS
# =============================================== #
log_ip_on_direct on
# dns_nameservers 192.168.168.4 194.239.134.83
# =============================================== #
# MISCELLANEOUS
# =============================================== #
logfile_rotate 7
digest_generation on
digest_bits_per_entry 10
digest_rebuild_period 30 minute
digest_rewrite_period 30 minute
digest_swapout_chunk_size 6000 bytes
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch on
store_dir_select_algorithm round-robin
nonhierarchical_direct off
prefer_direct off
# icp_access allow all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
# =============================================== #
# REFRESH PATTERN
# =============================================== #
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
#refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
#refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320
# =============================================== #
# ADMINISTRATIVE PARAMETERS
# =============================================== #
cache_mgr thomas@etjam.dk
cache_effective_user proxy
cache_effective_group proxy
visible_hostname ubuntu_dev.etjam.dk
hosts_file /etc/hosts
# ============================================== #
# ACCESS CONTROLS
# ============================================== #
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl YourNet src 192.168.182.0/24
acl to_localhost dst 127.0.0.0/8
# ============================================== #
# ACL Different access
# ============================================== #
acl SSL_ports port 443 563 873
acl Safe_ports port 21 80 280 448 591 777 443 563 808 70 210 4190-65535
acl purge method PURGE
acl CONNECT method CONNECT
# ============================================== #
# Access Denied
# ============================================== #
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# ============================================== #
# Internet Access
# ============================================== #
http_access allow localhost
http_access allow YourNet
http_access deny all
# =============================================== #
--------

Use this command to check if Squid is working:
tail -f /var/log/squid/access.log

When it works you will see TCP_MEM_HIT lines.
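The two checks this thread relies on (are the NAT rules actually loaded and in a usable order, and is anything reaching Squid's access.log with cache hits) can be made repeatable. The following is an added Python example, not code from the thread's author or from the Chillispot or Squid projects. It assumes the rule dump is `iptables-save -t nat` output (including that `--syn` is rendered as `--tcp-flags FIN,SYN,RST,ACK SYN`) and that access.log is in Squid's native "squid" format; both samples embedded below are constructed for the example, not captured from a real box.

```python
"""Added check for a Chillispot + Squid transparent proxy: verify that the
NAT rules from the post are actually loaded and in a usable order, then read
Squid's native access.log to see whether requests are hitting the cache."""
import re
from collections import Counter

# Constructed sample of `iptables-save -t nat` output for the rules in the
# post. Assumption: iptables-save renders `--syn` as the tcp-flags form shown.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PREROUTING -d 192.168.182.0/24 -i tun0 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
"""

# Constructed dump for the case where the rules were never activated
# (the "forgot to run /etc/init.d/iptables" situation from the earlier reply).
SAMPLE_NAT_RULES_UNLOADED = "*nat\n:PREROUTING ACCEPT [0:0]\nCOMMIT\n"


def _has_opt(tokens, opt, value):
    """True if the rule tokens contain the pair `opt value`, e.g. --dport 80."""
    return any(tokens[i] == opt and tokens[i + 1] == value
               for i in range(len(tokens) - 1))


def _find_rule(rules, *pairs):
    """Index of the first PREROUTING rule carrying all given option pairs."""
    for i, rule in enumerate(rules):
        tokens = rule.split()
        if all(_has_opt(tokens, opt, val) for opt, val in pairs):
            return i
    return None


def check_transparent_rules(save_text, iface="tun0", proxy_port="3128",
                            hotspot_net="192.168.182.0/24"):
    """Return a list of problems with the PREROUTING chain (empty = OK).

    Checks that port 80 from the hotspot interface is redirected to Squid,
    that traffic destined for the hotspot network itself is RETURNed before
    the redirect, and that clients cannot connect to the proxy port directly
    (otherwise Squid is reachable as an ordinary open proxy from tun0).
    """
    rules = [l for l in save_text.splitlines() if l.startswith("-A PREROUTING")]
    redirect = _find_rule(rules, ("-i", iface), ("--dport", "80"),
                          ("-j", "REDIRECT"), ("--to-ports", proxy_port))
    local = _find_rule(rules, ("-i", iface), ("-d", hotspot_net),
                       ("--dport", "80"), ("-j", "RETURN"))
    drop = _find_rule(rules, ("-i", iface), ("--dport", proxy_port),
                      ("-j", "DROP"))
    problems = []
    if redirect is None:
        problems.append("port 80 is not redirected to %s (rules not loaded?)" % proxy_port)
    if local is None:
        problems.append("no RETURN for traffic to %s itself" % hotspot_net)
    elif redirect is not None and local > redirect:
        problems.append("RETURN for %s sits after the REDIRECT and never matches" % hotspot_net)
    if drop is None:
        problems.append("direct client connections to port %s are not dropped" % proxy_port)
    return problems


# Constructed Squid native ("squid" format) access.log lines:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1213708800.123    345 192.168.182.10 TCP_MISS/200 15234 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1213708801.456      2 192.168.182.11 TCP_MEM_HIT/200 15234 GET http://www.example.com/ - NONE/- text/html
1213708802.789     12 192.168.182.12 TCP_HIT/200 4410 GET http://www.example.com/logo.png - NONE/- image/png
1213708803.001    120 192.168.182.10 TCP_MISS/200 820 GET http://www.example.com/cgi-bin/search?q=x - DIRECT/93.184.216.34 text/html
1213708804.500      0 192.168.182.13 TCP_DENIED/403 1450 GET http://www.example.com/ - NONE/- text/html
"""

LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
                    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
                    r"(?P<method>\S+)\s+(?P<url>\S+)")


def cache_summary(log_text):
    """Tally Squid result codes; hit_ratio is hits / (hits + misses).

    A log with only TCP_DENIED lines means the redirect works but http_access
    rejects the clients (check the YourNet acl); no lines at all usually means
    the NAT rules are not in place.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("code")] += 1
    hits = sum(n for code, n in counts.items() if "HIT" in code)
    misses = sum(n for code, n in counts.items() if "MISS" in code)
    served = hits + misses
    return {"counts": dict(counts), "hits": hits, "misses": misses,
            "denied": counts.get("TCP_DENIED", 0),
            "hit_ratio": hits / served if served else 0.0}


if __name__ == "__main__":
    print("rule problems:", check_transparent_rules(SAMPLE_NAT_RULES) or "none")
    print("cache summary:", cache_summary(SAMPLE_ACCESS_LOG))
```

On the train computer itself, feed the functions real data: the output of `iptables-save -t nat` and the last few hundred lines of /var/log/squid/access.log. An empty problem list together with TCP_HIT or TCP_MEM_HIT lines is the healthy state described above; a log made up only of TCP_DENIED lines is the "access denied with the original squid config" case from the earlier reply, which points at the http_access rules and the YourNet acl rather than at iptables.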