[K12OSN] squidGuard working but not as a separate/redirect server...?

Steve Hargadon steve.hargadon at gmail.com
Sat Oct 30 00:32:16 UTC 2004


I set up a separate K12LTSP (4.0.1) server to install squidGuard and
Dan's Guardian.  I've only installed the squidGuard so far.  If I surf
from that actual server, setting the proxy settings to "localhost,"
port 3128, it works just like it should.  But when I redirect outbound
traffic from my main K12LTSP (4.1.1) server to this proxy/filter
server, the main K12 server and its clients can only see secure
(https) sites.  Non-secure sites are denied.  Because https uses port
433, I believe that indicates that the port 80 regular traffic is
trying to use the proxy/filter server, and the port 433 traffic
bypasses that server.

So if the proxy/filter server uses squidGuard correctly on a local
level, there must be something I am missing when I try to send the
port 80 traffic to the proxy/filter server.

Anybody know what I've done?  My install steps are below... cobbled
together from other threads.

1.  Download squidGuard from
ftp://k12linux.mesd.k12.or.us/pub/squidGuard/ to proxy/filter server.
2.  Install squidGuard package.  Dependencies require yum install of "compat-db"
3.  Add the following lines to /etc/squid/squid.conf
redirect_program /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf
redirect_children 5
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy  on
httpd_accel_uses_host_header on
4.  Start squid service
5.  Run /usr/sbin/update_squidguard_blacklists to update blacklist files
6.  Run the following iptable line additions on *main* K12LTSP server:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
(changing the IP address to my proxy/filter server's IP)
7.  Restart the network service on *main* server.
  
One additional line for the squid.conf file I hadn't seen before but
which is in Michael William's setup instructions for squidGuard and
Dan's Guardian is "httpd_accel_single_host off".  Would that make a
difference?  It's not in squidGuard's instructions, or in the mesd
instructions...
Also, I am assuming that if I wanted to protect 433 traffic, I'd add
additional lines on the main server's iptables with those ports?

-- 
Steve Hargadon
916-652-8600 ext. 711
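
A way to confirm which ports the step 6 rules actually hand to the proxy, and that their target port agrees with the http_port line from step 3 (an added example, not part of the original post). The sample rules and squid.conf lines are constructed from the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample input mirroring steps 3 and 6 of the post.
SAMPLE_RULES='-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128'
SAMPLE_SQUID_CONF='redirect_program /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf
http_port 3128'

# redirected_ports: read iptables rule lines on stdin and print
# "<chain> <dport> <target>" for every DNAT rule found.
redirected_ports() {
    awk '{
        chain = ""; dport = ""; dest = ""; dnat = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
            if ($i == "--to-destination") dest = $(i + 1)
        }
        if (dnat && chain != "" && dport != "" && dest != "")
            print chain, dport, dest
    }'
}

# port_is_redirected PORT: succeed if any DNAT rule on stdin matches PORT.
port_is_redirected() {
    redirected_ports | awk -v p="$1" '$2 == p { hit = 1 } END { exit !hit }'
}

# squid_http_port: print the port from the first http_port line on stdin.
squid_http_port() {
    awk '$1 == "http_port" { n = split($2, a, ":"); print a[n]; exit }'
}

# dnat_matches_port PORT: succeed only if at least one DNAT rule is on
# stdin and every DNAT rule targets PORT on the proxy.
dnat_matches_port() {
    redirected_ports | awk -v p="$1" '
        { n = split($3, a, ":"); seen = 1; if (a[n] != p) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Report for the constructed sample: chain, matched port, proxy target.
printf '%s\n' "$SAMPLE_RULES" | redirected_ports
```

On the main server the same functions can read live rules, for example `iptables-save -t nat | redirected_ports`.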



