[Chilli] Squid transparent proxy on same server

Jason Allen jason at theallens.id.au
Fri Apr 16 01:02:57 UTC 2010


On Thu, Apr 15, 2010 at 19:32, Isidor Zeuner <chilli at quidecco.de> wrote:

> Hi Jason,
>
> >
> > How does it work? (I could not find any further details on coova's
> > website or wiki). Does chilli auto redirect the post-auth user received
> > packets to the defined proxy server? Is it only port 80 destination
> > traffic? Thus if squid is installed on the same box as coova (and
> > apache), then 127.0.0.1 and 3128 would be valid and correct entries?
> >
>
> Yes, the setting causes port 80 traffic to be routed through the
> supplied proxy server, plus port 443 traffic if the HS_REDIRSSL is
> set.
>
> I have used the "squid on the same box as chilli" scenario with squid
> listening on virtual IPs on the 10.0.0.0/8 block (because I had to
> have squid distinguish between different configurations based on these
> IPs), but I don't see why 127.0.0.1 shouldn't work, too.
>

Interesting. My concern is that if I have squid listening on the ethernet
adapter (or ip range) that the wireless clients are using, then wouldn't
they be able to bypass chilli and its authentication altogether by
assigning the squid server directly within their browser?

Scenario ... chilli, dhcp, squid is on the one box called
wireless.mydomain.com. If the authenticated wireless client configures their
browser to use a proxy on wireless.mydomain.com:3128, then would they be able
to bypass chilli (and authentication) altogether? That's why my thinking is
that I would only want squid listening on the localhost and not on the
ethernet or ip range that wireless clients are using?



> > I'm using Coova v1.2.1 and have set the config file proxy settings to
> > 127.0.0.1 3128 but am not seeing any client activity in squid's
> > access.log. I know squid is working properly, because if I define the
> > proxy in a client browser then squid's access.log is recording the
> > relevant entries.
> >
>
> Did you configure squid to run as a transparent proxy? This is most
> likely not what you would have if it is used in a browser proxy
> setting, but chilli's HS_POSTAUTH_PROXY setting expects a
> transparent proxy.
>

I have "http_port 3128 transparent" configured within squid, so I do not
think that is my issue.


> With debug logging enabled, chilli will log diagnostics like "rewriting
> packet for post-auth proxy..." when using the proxy setting, which
> might help to test your configuration.
>

I will give this a try and see what it reveals.

Thanks.

-- 
Cheers,
Jason
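
A check for the listening-address concern raised in this message, as an added example that is not part of the original post or of the coova/squid projects: it reads squid.conf text and reports every http_port listener that is not bound to a loopback address, plus loopback listeners that lack the transparent mode chilli's HS_POSTAUTH_PROXY expects. The sample configuration is constructed, and only the bind address is examined (firewall rules are out of scope).

```python
import ipaddress

# Constructed sample squid.conf (not from the original post).
SAMPLE_CONF = """\
# listener used by chilli's HS_POSTAUTH_PROXY redirect
http_port 127.0.0.1:3128 transparent
http_port 3128
http_port 10.1.0.1:8080 transparent
http_port [::1]:3129
"""

# "transparent" is the squid 2.6/3.0 keyword, "intercept" the 3.1+ one.
INTERCEPT_MODES = {"transparent", "intercept"}


def parse_http_ports(conf_text):
    """Yield (host, port, options) for each http_port directive."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        host, _, port = fields[1].rpartition(":")
        yield host.strip("[]"), int(port), set(fields[2:])


def is_loopback(host):
    """True only for a literal loopback address; no host means all interfaces."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname: cannot be resolved offline, treat as exposed


def audit(conf_text):
    """Return (host, port, reason) for listeners that need attention."""
    findings = []
    for host, port, opts in parse_http_ports(conf_text):
        if not is_loopback(host):
            findings.append((host or "*", port, "bound to a non-loopback address"))
        elif not (opts & INTERCEPT_MODES):
            findings.append((host, port, "loopback, but not transparent/intercept"))
    return findings


if __name__ == "__main__":
    for host, port, reason in audit(SAMPLE_CONF):
        print(f"{host}:{port}  {reason}")
```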