Есть прозрачный проксик на Ubuntu 10.04, но сквид не хочет вести лог доступа /var/log/access.log
Сам файл в наличии, но он пустой. Havp не проверяет входящий трафик на вирусы (никакой реакции при скачивании тестового файла eicar)
Что интересно: если squid остановить (/etc/init.d/squid stop), то доступ во внешнюю сеть не прерывается. Это так и должно быть?
Выкладываю сквидовский конфиг:
# squid.conf as posted. The bare "# TAG: ..." lines appear to be section
# headings kept from the distribution's default config; a TAG with no
# directive under it means the built-in default is in effect.
# TAG: auth_param
# TAG: authenticate_cache_garbage_interval
# TAG: authenticate_ttl
# TAG: authenticate_ip_ttl
# TAG: authenticate_ip_shortcircuit_ttl
# TAG: external_acl_type
# TAG: acl
# ACL definitions. "localnet" (192.168.0.0/24) is the only client network
# granted access in the http_access list below; the same prefix is used by
# the iptables DNAT rule that feeds this proxy.
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/24 # our internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# TAG: http_access
# http_access rules are evaluated top-down; the first match decides.
# NOTE(review): "allow localnet" is placed BEFORE "deny !Safe_ports" and
# "deny CONNECT !SSL_ports", so LAN clients are never subject to those port
# checks. If they are meant to apply, move this line below the CONNECT deny.
http_access allow localnet
# cachemgr and PURGE are restricted to the proxy host itself.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# Everything not matched above is refused.
http_access deny all
# TAG: http_access2
# TAG: http_reply_access
# TAG: icp_access
icp_access allow localnet
icp_access deny all
# TAG: htcp_access
# TAG: htcp_clr_access
# TAG: miss_access
# TAG: ident_lookup_access
# TAG: reply_body_max_size bytes allow|deny acl acl...
# TAG: authenticate_ip_shortcircuit_access
# TAG: follow_x_forwarded_for
# TAG: acl_uses_indirect_client on|off
# TAG: delay_pool_uses_indirect_client on|off
# TAG: log_uses_indirect_client on|off
# TAG: ssl_unclean_shutdown
# TAG: ssl_engine
# TAG: sslproxy_client_certificate
# TAG: sslproxy_client_key
# TAG: sslproxy_version
# TAG: sslproxy_options
# TAG: sslproxy_cipher
# TAG: sslproxy_cafile
# TAG: sslproxy_capath
# TAG: sslproxy_flags
# TAG: sslpassword_program
# TAG: http_port
# Intercept ("transparent") listener. The accompanying iptables script
# DNATs LAN port 80/8080 traffic to 192.168.0.100:3128, i.e. to this port.
# If web access keeps working while Squid is stopped, traffic is most likely
# not reaching this port at all (the DNAT rule is not in effect) rather than
# Squid silently passing it through.
http_port 3128 transparent
# TAG: https_port
# TAG: tcp_outgoing_tos
# TAG: tcp_outgoing_address
# TAG: zph_mode
# TAG: zph_local
# TAG: zph_sibling
# TAG: zph_parent
# TAG: zph_option
# TAG: cache_peer
# Upstream parent on 127.0.0.1:8080 — presumably the HAVP scanner (confirm
# HAVP's listen address/port in its own config). "default" only makes it the
# last-resort peer; with never_direct left unset (see further down) Squid
# is still free to fetch directly and bypass the scanner. To force every
# request through the parent add: never_direct allow all
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
# TAG: cache_peer_domain
# TAG: cache_peer_access
cache_peer_access 127.0.0.1 allow all
# TAG: neighbor_type_domain
# TAG: dead_peer_timeout (seconds)
# TAG: hierarchy_stoplist
# URLs containing these words are treated as non-hierarchical and fetched
# directly, not via the parent, unless never_direct forbids it.
hierarchy_stoplist cgi-bin ?
# TAG: cache_mem (bytes)
# TAG: maximum_object_size_in_memory (bytes)
# TAG: memory_replacement_policy
# TAG: cache_replacement_policy
# TAG: cache_dir
# On-disk cache: ufs store, 4096 MB, 32 first-level / 256 second-level dirs.
cache_dir ufs /var/spool/squid 4096 32 256
# TAG: store_dir_select_algorithm
# TAG: max_open_disk_fds
# TAG: minimum_object_size (bytes)
# TAG: maximum_object_size (bytes)
# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
# TAG: update_headers on|off
# TAG: logformat
# TAG: access_log
# The access log is written to /var/log/squid/access.log in the native
# "squid" format. Nothing in this configuration writes /var/log/access.log,
# so an empty file at that path is not evidence that logging is broken.
access_log /var/log/squid/access.log squid
# TAG: log_access allow|deny acl acl...
# TAG: logfile_daemon
# TAG: cache_log
# TAG: cache_store_log
# TAG: cache_swap_state
# TAG: logfile_rotate
# TAG: emulate_httpd_log on|off
# TAG: log_ip_on_direct on|off
# TAG: mime_table
# TAG: log_mime_hdrs on|off
# TAG: useragent_log
# TAG: referer_log
# TAG: pid_filename
# TAG: debug_options
# TAG: log_fqdn on|off
# TAG: client_netmask
# TAG: forward_log
# TAG: strip_query_terms
# TAG: buffered_logs on|off
# TAG: netdb_filename
# TAG: ftp_user
# TAG: ftp_list_width
# TAG: ftp_passive
# TAG: ftp_sanitycheck
# TAG: ftp_telnet_protocol
# TAG: diskd_program
# TAG: unlinkd_program
# TAG: pinger_program
# TAG: storeurl_rewrite_program
# TAG: storeurl_rewrite_children
# TAG: storeurl_rewrite_concurrency
# TAG: url_rewrite_program
# TAG: url_rewrite_children
# TAG: url_rewrite_concurrency
# TAG: url_rewrite_host_header
# TAG: url_rewrite_access
# TAG: storeurl_access
# TAG: redirector_bypass
# TAG: location_rewrite_program
# TAG: location_rewrite_children
# TAG: location_rewrite_concurrency
# TAG: location_rewrite_access
# TAG: cache
# TAG: max_stale time-units
# TAG: refresh_pattern
# Freshness rules (min minutes, percent of age, max minutes); the stock set.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# TAG: quick_abort_min (KB)
# TAG: quick_abort_max (KB)
# TAG: quick_abort_pct (percent)
# TAG: read_ahead_gap buffer-size
# TAG: negative_ttl time-units
# TAG: positive_dns_ttl time-units
# TAG: negative_dns_ttl time-units
# TAG: range_offset_limit (bytes)
# TAG: minimum_expiry_time (seconds)
# TAG: store_avg_object_size (kbytes)
# TAG: store_objects_per_bucket
# TAG: request_header_max_size (KB)
# TAG: reply_header_max_size (KB)
# TAG: request_body_max_size (KB)
# TAG: broken_posts
# TAG: upgrade_http0.9
# Do not upgrade SHOUTcast ("ICY ...") HTTP/0.9 replies.
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
# TAG: via on|off
# TAG: cache_vary
# TAG: broken_vary_encoding
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# TAG: collapsed_forwarding (on|off)
# TAG: refresh_stale_hit (time)
# TAG: ie_refresh on|off
# TAG: vary_ignore_expire on|off
# TAG: extension_methods
# Extra request methods accepted in addition to the standard ones.
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
# TAG: request_entities
# TAG: header_access
# TAG: header_replace
# TAG: relaxed_header_parser on|off|warn
# TAG: server_http11 on|off
# TAG: ignore_expect_100 on|off
# TAG: external_refresh_check
# TAG: forward_timeout time-units
# TAG: connect_timeout time-units
# TAG: peer_connect_timeout time-units
# TAG: read_timeout time-units
# TAG: request_timeout
# TAG: persistent_request_timeout
# TAG: client_lifetime time-units
# TAG: half_closed_clients
# TAG: pconn_timeout
# TAG: ident_timeout
# TAG: shutdown_lifetime time-units
# TAG: cache_mgr
# TAG: mail_from
# TAG: mail_program
# TAG: cache_effective_user
# TAG: cache_effective_group
# TAG: httpd_suppress_version_string on|off
# TAG: visible_hostname
# TAG: unique_hostname
# TAG: hostname_aliases
# TAG: umask
# TAG: announce_period
# TAG: announce_host
# TAG: announce_file
# TAG: announce_port
# TAG: httpd_accel_no_pmtu_disc on|off
# TAG: delay_pools
# TAG: delay_class
# TAG: delay_access
# TAG: delay_parameters
# TAG: delay_initial_bucket_level (percent, 0-100)
# TAG: wccp_router
# TAG: wccp2_router
# TAG: wccp_version
# TAG: wccp2_rebuild_wait
# TAG: wccp2_forwarding_method
# TAG: wccp2_return_method
# TAG: wccp2_assignment_method
# TAG: wccp2_service
# TAG: wccp2_service_info
# TAG: wccp2_weight
# TAG: wccp_address
# TAG: wccp2_address
# TAG: client_persistent_connections
# TAG: server_persistent_connections
# TAG: persistent_connection_after_error
# TAG: detect_broken_pconn
# TAG: digest_generation
# TAG: digest_bits_per_entry
# TAG: digest_rebuild_period (seconds)
# TAG: digest_rewrite_period (seconds)
# TAG: digest_swapout_chunk_size (bytes)
# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
# TAG: snmp_port
# TAG: snmp_access
# TAG: snmp_incoming_address
# TAG: snmp_outgoing_address
# TAG: icp_port
# TAG: htcp_port
# TAG: log_icp_queries on|off
# TAG: udp_incoming_address
# TAG: udp_outgoing_address
# TAG: icp_hit_stale on|off
# TAG: minimum_direct_hops
# TAG: minimum_direct_rtt
# TAG: netdb_low
# TAG: netdb_high
# TAG: netdb_ping_period
# TAG: query_icmp on|off
# TAG: test_reachability on|off
# TAG: icp_query_timeout (msec)
# TAG: maximum_icp_query_timeout (msec)
# TAG: minimum_icp_query_timeout (msec)
# TAG: mcast_groups
# TAG: mcast_miss_addr
# TAG: mcast_miss_ttl
# TAG: mcast_miss_port
# TAG: mcast_miss_encode_key
# TAG: mcast_icp_query_timeout (msec)
# TAG: icon_directory
# TAG: global_internal_static
# TAG: short_icon_urls
# TAG: error_directory
# Error pages in Russian (KOI8-R encoding).
error_directory /usr/share/squid/errors/Russian-koi8-r
# TAG: error_map
# TAG: err_html_text
# TAG: deny_info
# TAG: nonhierarchical_direct
# TAG: prefer_direct
# TAG: ignore_ims_on_miss on|off
# TAG: always_direct
# TAG: never_direct
# NOTE(review): never_direct is unset, so the cache_peer parent above is
# optional from Squid's point of view; "never_direct allow all" is what
# makes the parent mandatory.
# TAG: max_filedescriptors
# TAG: accept_filter
# TAG: tcp_recv_bufsize (bytes)
# TAG: incoming_rate
# TAG: check_hostnames
# TAG: allow_underscore
# TAG: cache_dns_program
# TAG: dns_children
# TAG: dns_retransmit_interval
# TAG: dns_timeout
# TAG: dns_defnames on|off
# TAG: dns_nameservers
# TAG: hosts_file
hosts_file /etc/hosts
# TAG: dns_testnames
# TAG: append_domain
# TAG: ignore_unknown_nameservers
# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# TAG: fqdncache_size (number of entries)
# TAG: memory_pools on|off
# TAG: memory_pools_limit (bytes)
memory_pools_limit 15 MB
# TAG: forwarded_for on|off
# TAG: cachemgr_passwd
# TAG: client_db on|off
# TAG: reload_into_ims on|off
# TAG: maximum_single_addr_tries
# TAG: retry_on_error
# TAG: as_whois_server
# TAG: offline_mode
# TAG: uri_whitespace
# TAG: coredump_dir
# Core dumps go into the cache directory.
coredump_dir /var/spool/squid
# TAG: chroot
# TAG: balance_on_multiple_ip
# TAG: pipeline_prefetch
# TAG: high_response_time_warning (msec)
# TAG: high_page_fault_warning
# TAG: high_memory_warning
# TAG: sleep_after_fork (microseconds)
# TAG: zero_buffers on|off
# TAG: windows_ipaddrchangemonitor on|off
Настройки файервола после поднятия сети (запуск через post-up в /etc/network/interfaces)
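#!/bin/sh
# Firewall / NAT setup for the transparent-proxy host, run from post-up in
# /etc/network/interfaces. Plain POSIX sh; no bashisms.
#
# Topology: LAN on $LAN1, Internet on $INET1. LAN traffic to TCP 80/8080 is
# DNATed to Squid's intercept port on this host ($PROXY); Squid then hands
# requests to its cache_peer (HAVP) per squid.conf — the DNAT target here is
# Squid, not HAVP.
#
# Individual iptables failures are not fatal (no "set -e"), so one bad rule
# does not stop the rest of the ruleset from loading; read post-up output.
set -u

IPT="/sbin/iptables"
# Internal network
LAN1="eth3"
# Internet-facing interface
#INET1="eth2"
INET1="ppp0"
# LAN prefix and the proxy listener (Squid http_port) to intercept into.
LAN_NET="192.168.0.0/24"
PROXY="192.168.0.100:3128"

# Flush filter, nat and mangle tables and reset policies to ACCEPT.
# NOTE(review): INPUT stays ACCEPT and no rule below drops traffic arriving
# on $INET1, so every service listening on this host is reachable from the
# Internet. A closing "$IPT -A INPUT -i $INET1 -j DROP" appended after the
# ESTABLISHED,RELATED rule would fix that; it is not added here so the
# change stays limited to repairing rules that were already intended.
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X
"$IPT" -t mangle -F
"$IPT" -t mangle -X
"$IPT" -P INPUT ACCEPT
"$IPT" -P FORWARD ACCEPT
"$IPT" -P OUTPUT ACCEPT

# Enable IPv4 forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Always accept traffic on the loopback interface.
"$IPT" -A INPUT -i lo -j ACCEPT

# Accept connections initiated from inside (on $LAN1) and their replies.
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -m state --state NEW -i "$LAN1" -j ACCEPT
# State name must be ESTABLISHED; "ESTABLISH" is rejected by iptables, so
# the rule would not load and return traffic only passed because FORWARD's
# policy is ACCEPT.
"$IPT" -A FORWARD -i "$INET1" -o "$LAN1" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the LAN out to the Internet.
"$IPT" -A FORWARD -i "$LAN1" -o "$INET1" -j ACCEPT

# Masquerade outgoing traffic.
"$IPT" -t nat -A POSTROUTING -o "$INET1" -j MASQUERADE

# Reject new forwarding from the Internet into the LAN. The chain is
# FORWARD (a misspelling such as "FORBARD" makes iptables drop the whole
# rule, leaving inbound forwarding open under the ACCEPT policy).
#"$IPT" -A FORWARD -i "$INET1" -o "$INET1" -j REJECT
"$IPT" -A FORWARD -i "$INET1" -o "$LAN1" -j REJECT

# Intercept LAN traffic to ports 80 and 8080 (except traffic staying in the
# LAN) and send it to Squid. Negation is written "! -d" (the "-d !" form is
# deprecated); multiport's option is --dports.
# If web access keeps working while Squid is stopped, this rule is probably
# not in effect: check "iptables -t nat -L PREROUTING -v -n" and that
# 192.168.0.100 is really this host's address on $LAN1.
"$IPT" -t nat -A PREROUTING -i "$LAN1" ! -d "$LAN_NET" -p tcp -m multiport --dports 80,8080 -j DNAT --to-destination "$PROXY"
#"$IPT" -t nat -A PREROUTING -i "$LAN1" -s "$LAN_NET" ! -d "$LAN_NET" -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 3128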
В конфиг havp никаких изменений не вносил, все по умолчанию.
Еще один интересный фактик: до краха винта и переустановки системы с этими конфигами все работало нормально.
Почему сквид, зараза, не хочет вести журнал? Куда копать?
ps. Номера интерфейсов такие странные из-за того, что систему ставил на другой машине, потом перенес винт на проксик, т.к. там нет видеокарты и ставить систему не представляется возможным.
На будущее: пользуемся тегами code, spoiler.