Captive portal + squid3-dev trouble
-
Hi!
I have a problem that I can't seem to be able to figure out on my own. I've been having lots of trouble with Captive portal combined with squid3/squid3-dev, I basically just want to run squid so that I can redirect all of the DNS requests to OpenDNS to control
what the users can access. I managed to get it working with squid3, but since it sporadically stopped working for some reason (after rebooting it would work sometimes and sometimes it wouldn't) I decided to give squid3-dev a go to see if it was more reliable in that regard.With the identical settings as I used with squid3 I can't get it to work at all. None of the requests are blocked when they're supposed to and every page resolves. The weird thing is that when I shut the squid3-dev service down it won't resolve any DNS addresses, so all of the DNS traffic is clearly using squid3-dev but for some reason it doesn't seem to use the correct DNS server to resolve the actual addresses. Here is my config:
# This file is automatically generated by pfSense # Do not edit manually ! http_port 10.0.60.1:3128 http_port 127.0.0.1:3128 intercept icp_port 7 dns_v4_first off pid_filename /var/run/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language en icon_directory /usr/pbi/squid-amd64/etc/squid/icons visible_hostname localhost cache_mgr admin@localhost access_log /dev/null cache_log /var/squid/logs/cache.log cache_store_log none logfile_rotate 0 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 10.0.60.0/24 uri_whitespace strip dns_nameservers 208.67.220.220 208.67.222.222 acl dynamic urlpath_regex cgi-bin \? cache deny dynamic cache_mem 1 MB maximum_object_size_in_memory 1 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA minimum_object_size 0 KB maximum_object_size 4 KB offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # No redirector configured #Remote proxies # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535 acl sslports port 443 563 # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections # From 3.2 further configuration cleanups have been done to make things easier and safer. # The manager, localhost, and to_localhost ACL definitions are now built-in. # http_access allow localhost quick_abort_min 0 KB quick_abort_max 0 KB request_body_max_size 10000 KB reply_body_max_size 10000 KB allsrc delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 # Throttle extensions matched in the url acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl" delay_access 1 allow throttle_exts delay_access 1 deny allsrc # Reverse Proxy settings # Custom options before auth # Setup allowed acls # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrcI have patched Captive portal as well as reinstalled squid3-dev and also reconfigured Captive portal several times to make sure that I've not made any mistakes. HTTPS/SSL interception is turned off, do I need to enable that?
Hope you guys can help me out, just ask me if you need any more info.
-
Check squid access.log and cache.log
-
If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.
Not sure if you are doing anything else with squid. If not, it would be a lot more simple to just use rules…
-
+1. Using squid to force usage of particular DNS servers? WTF.
-
If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.
Not sure if you are doing anything else with squid. If not, it would be a lot more simple to just use rules…
Thanks!
That is just what I wanted to achieve. I couldn't get it to resolve the Captive portal page at first, but then I forgot that I'd not allowed the OpenDNS addresses through… Before I figured that out I thought I'd go with squid3 to work around my (non existent really) problem.
-
You can also try to forward any dns request to a specific dns server using nat rules.
