Captive portal + squid3-dev trouble



  • Hi!

    I have a problem that I can't seem to be able to figure out on my own. I've been having lots of trouble with Captive portal combined with squid3/squid3-dev. I basically just want to run squid so that I can redirect all of the DNS requests to OpenDNS to control what the users can access. I managed to get it working with squid3, but since it sporadically stopped working for some reason (after rebooting it would work sometimes and sometimes it wouldn't) I decided to give squid3-dev a go to see if it was more reliable in that regard.

    With the identical settings as I used with squid3 I can't get it to work at all. None of the requests are blocked when they're supposed to and every page resolves. The weird thing is that when I shut the squid3-dev service down it won't resolve any DNS addresses, so all of the DNS traffic is clearly using squid3-dev but for some reason it doesn't seem to use the correct DNS server to resolve the actual addresses. Here is my config:

    
    # This file is automatically generated by pfSense
    # Do not edit manually !
    
    http_port 10.0.60.1:3128
    http_port 127.0.0.1:3128 intercept
    icp_port 7
    dns_v4_first off
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/pbi/squid-amd64/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /dev/null
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    
    logfile_rotate 0
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  10.0.60.0/24
    uri_whitespace strip
    dns_nameservers 208.67.220.220 208.67.222.222 
    acl dynamic urlpath_regex cgi-bin \?
    cache deny dynamic
    
    cache_mem 1 MB
    maximum_object_size_in_memory 1 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    
    minimum_object_size 0 KB
    maximum_object_size 4 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all
    
    # No redirector configured
    
    #Remote proxies
    
    # Setup some default acls
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    # acl localhost src 127.0.0.1/32
    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
    acl sslports port 443 563  
    
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    #acl manager proto cache_object
    
    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    # From 3.2 further configuration cleanups have been done to make things easier and safer. 
    # The manager, localhost, and to_localhost ACL definitions are now built-in.
    # http_access allow localhost
    
    quick_abort_min 0 KB
    quick_abort_max 0 KB
    request_body_max_size 10000 KB
    reply_body_max_size 10000 KB allsrc 
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    # Throttle extensions matched in the url
    acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"
    delay_access 1 allow throttle_exts
    delay_access 1 deny allsrc
    
    # Reverse Proxy settings
    
    # Custom options before auth
    
    # Setup allowed acls
    # Allow local network(s) on interface(s)
    http_access allow localnet
    # Default block all to be sure
    http_access deny allsrc
    
    

    I have patched Captive portal as well as reinstalled squid3-dev and also reconfigured Captive portal several times to make sure that I've not made any mistakes. HTTPS/SSL interception is turned off, do I need to enable that?

    Hope you guys can help me out, just ask me if you need any more info.



  • Check squid access.log and cache.log



  • If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.

    Not sure if you are doing anything else with squid. If not, it would be a lot simpler to just use rules…
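    As an added illustration (not part of this thread, and not generated by pfSense), this is what the rule set suggested above looks like in pf.conf syntax, the language pfSense compiles its GUI rules into. The interface name "em1" and the table name "opendns" are assumptions; the LAN subnet is the one from the posted squid config.

```pf
# Added example: pf.conf fragment equivalent to a LAN rule set that only lets
# clients reach the two OpenDNS resolvers on port 53.
# Assumptions: LAN interface "em1", LAN subnet 10.0.60.0/24 (taken from the
# squid config posted above); the table name "opendns" is made up here.
lan_if  = "em1"
lan_net = "10.0.60.0/24"
table <opendns> { 208.67.220.220, 208.67.222.222 }

# Let DNS to the two OpenDNS servers through. Match TCP as well as UDP:
# answers too large for UDP are retried over TCP.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to <opendns> port 53

# Drop every other port-53 destination from the LAN. "quick" makes the first
# matching rule final, so this block line must come after the pass line.
block in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53
```

    If the clients are handed the firewall itself (10.0.60.1) as their resolver, as a captive portal setup often does, that address has to be added to the table as well, otherwise the portal page stops resolving. Note that this only constrains classic DNS on port 53; it says nothing about DNS carried over other ports or protocols.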


  • +1. Using squid to force usage of particular DNS servers? WTF.



  • @rjcrowder:

    If you just want to force use of OpenDNS you can set their servers as the DNS servers and create a rule to block anyone from hitting another server on port 53.

    Not sure if you are doing anything else with squid. If not, it would be a lot simpler to just use rules…

    Thanks!

    That is just what I wanted to achieve. I couldn't get it to resolve the Captive portal page at first, but then I forgot that I'd not allowed the OpenDNS addresses through… Before I figured that out I thought I'd go with squid3 to work around my (non-existent, really) problem.



  • You can also try to forward any DNS request to a specific DNS server using NAT rules.
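    Added example (not from this thread, and not pfSense-generated output): the NAT variant suggested above as a pf.conf "rdr" rule, which transparently sends port-53 queries to OpenDNS instead of blocking them. Interface name "em1" is assumed; the subnet and the OpenDNS addresses are the ones from the thread.

```pf
# Added example: pf.conf redirect fragment for the NAT approach.
# Assumptions: LAN interface "em1", LAN subnet 10.0.60.0/24 (from the posted
# squid config); 10.0.60.1 is the firewall's own LAN address.
lan_if  = "em1"
lan_net = "10.0.60.0/24"
opendns = "208.67.220.220"

# Translation rules are first-match. Exempt queries that already go to OpenDNS,
# and queries to the firewall itself so the captive portal's own DNS keeps
# working, before redirecting everything else.
no rdr on $lan_if proto { tcp, udp } from $lan_net to { 208.67.220.220, 208.67.222.222, 10.0.60.1 } port 53
rdr on $lan_if proto { tcp, udp } from $lan_net to any port 53 -> $opendns port 53
```

    Compared with the block rule, this keeps clients with a hard-coded resolver working instead of failing, but it is only transparent for plain port-53 traffic; a client that validates DNSSEC answers or uses an encrypted resolver will notice or bypass the redirect. The rdr rule still needs a matching pass rule on the LAN interface for the redirected traffic.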

