Can't get web proxy to work

webfilter
proxy
v7

(StreetGuru) #1

NethServer Version: NethServer release 7.3.1611 (Final)
Module: squid, lightsquid

Hi all,

I’ve been trying to get web proxy and filter to work but have so far been unsuccessful.

I’ve configured NS with LDAP. Installed squid web proxy and web filter. Enabled web proxy in transparent mode. Also, nethserver is installed on a remote VPS and the only network interface is green (ens3).

When I go to web proxy stats I get the following error:

Error : report folder ‘/var/lightsquid’ not contain any valid data! Please run lightparser.pl (and check ‘report’ folder content)
Please check config file !
Variable value
$tplpatph /usr/share/lightsquid/tpl
$templatename nethesis
$langpatph /usr/share/lightsquid/lang
$langname eng
$reportpath /var/lightsquid
Access to ‘/var/lightsquid’ folder yes
$graphreport 1

When I run lightparser.pl from shell there is no output. Also, the /var/lightsquid folder is empty.

I’ve also run check-setup.pl from /etc/lightsquid/ and it gives me an error:

LightSquid Config Checker, © 2005-9 Sergey Erokhin GNU GPL
can’t access to /etc/lightsquid/lightsquid.cfg !!!

Even though lightsquid.cfg is present in /etc/lightsquid.

I’m trying to use a Windows 10 PC to use the proxy by going to Settings > Network & Internet > Proxy and enabling “manual proxy setup”; as proxy server I’m using the FQDN, i.e., nethesis.mydomain.co.uk, port 3128.

Output of config show dns and sssd:

[root@nethesis ~]# config show dns
dns=configuration
NameServers=8.8.8.8,8.8.4.4

[root@nethesis ~]# config show sssd
sssd=service
AdDns=
LdapURI=ldap://127.0.0.1
Provider=ldap
Realm=
Workgroup=
status=enabled

I’ve tried finding a solution in the manual and forum but can’t find any solution. Any help would be greatly appreciated.

Thanks.


(EnzoC) #2

Transparent mode works only if the proxy is your gateway.
You need to set proxy ip:3128 in your browser.

There is an error in lightsquid because it is empty; it has not logged anything yet.
Is nethesis.mydomain.co.uk resolved correctly at the command prompt?
ping nethesis.mydomain.co.uk
Can you load any page?


(StreetGuru) #3

Thanks for the help!

No, I can’t load any page when I activate the proxy.

I can ping the domain in cmd:

Pinging nethesis.mydomain.co.uk [185.196.32.26] with 32 bytes of data:
Request timed out.
Reply from 185.196.32.26: bytes=32 time=55ms TTL=51
Reply from 185.196.32.26: bytes=32 time=55ms TTL=51
Reply from 185.196.32.26: bytes=32 time=57ms TTL=51

Ping statistics for 185.196.32.26:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 55ms, Maximum = 57ms, Average = 55ms

I’ve tried both manual and transparent mode; neither seems to work.

I use Chrome as browser - changing proxy settings takes me to the Windows proxy configuration (Google Chrome is using your computer’s system proxy settings to connect to the network).

What about the error resulting from check-setup.pl stating that it can’t access /etc/lightsquid/lightsquid.cfg even though the file is present? May it be a permissions/ownership issue?

Thanks in advance for your help.


(EnzoC) #4

Stupid question … the vps sail?

Or maybe, being a public IP (which I would obscure with a bit of XXX in your place), the firewall does not accept connections?!
Try to check in the NS firewall and in the VPS panel (do you have a control panel?)


(StreetGuru) #5

Not sure what you mean by “VPS sail”?

I did edit the IP (just some made up numbers) and domain before posting, thanks. Firewall detects the only interface available and sets it as green (I think this needs to be done on a remote VPS? At least I think it was the case with NS 6). I checked the rules and squid is allowed. VPS is a KVM environment and there is no cp firewall.

Thanks.


(EnzoC) #6

Sorry for my translated English.
Does your VPS have a working internet connection with default gateway and DNS?
If you connect via ssh to the VPS and type nslookup google.co.uk, do you get a reply similar to this?

Server:         127.0.0.1
Address:        127.0.0.1#53
Non-authoritative answer:
Name:   google.co.uk
Address: 216.58.205.35

If yes, type netstat -plnt
(if you don’t have netstat: yum install net-tools)
and look for a listening port 3128, 3129 or 3130.


(StreetGuru) #7

Not a problem, thank you for your help!

Yes, VPS has a working connection and I’ve changed default DHCP settings to manual configuration - maybe this is the issue? I do believe I have all settings defined correctly but when I installed NS7 the VPS was configured in DHCP.

I also notice the RAM jumping from 40% to 80% when I turn on web proxy?

I’ve installed nethserver on a fresh minimal install of CentOS 7 using shell (as recommended):

yum localinstall -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm
nethserver-install

Using netstat, it seems squid is only listening on IPv6?

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 15519/master
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 14900/smbd
tcp 0 0 185.196.32.26:139 0.0.0.0:* LISTEN 14900/smbd
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 912/memcached
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 15396/dovecot
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 15396/dovecot
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 15519/master
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 15196/epmd
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 16713/dnsmasq
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 15519/master
tcp 0 0 0.0.0.0:2120 0.0.0.0:* LISTEN 922/sshd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 15651/slapd
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 14900/smbd
tcp 0 0 185.196.32.26:445 0.0.0.0:* LISTEN 14900/smbd
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 15396/dovecot
tcp 0 0 0.0.0.0:5280 0.0.0.0:* LISTEN 15198/beam.smp
tcp 0 0 127.0.0.1:20000 0.0.0.0:* LISTEN 14822/sogod
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 15396/dovecot
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 15396/dovecot
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 15651/slapd
tcp 0 0 0.0.0.0:5222 0.0.0.0:* LISTEN 15198/beam.smp
tcp 0 0 0.0.0.0:5223 0.0.0.0:* LISTEN 15198/beam.smp
tcp 0 0 0.0.0.0:42759 0.0.0.0:* LISTEN 15198/beam.smp
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 15337/amavisd (mast
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 15519/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1367/mysqld
tcp6 0 0 :::587 :::* LISTEN 15519/master
tcp6 0 0 :::11211 :::* LISTEN 912/memcached
tcp6 0 0 :::110 :::* LISTEN 15396/dovecot
tcp6 0 0 :::143 :::* LISTEN 15396/dovecot
tcp6 0 0 :::80 :::* LISTEN 15038/httpd
tcp6 0 0 :::465 :::* LISTEN 15519/master
tcp6 0 0 :::980 :::* LISTEN 903/httpd
tcp6 0 0 :::53 :::* LISTEN 16713/dnsmasq
tcp6 0 0 :::3128 :::* LISTEN 16780/(squid-1)
tcp6 0 0 :::25 :::* LISTEN 15519/master
tcp6 0 0 :::2120 :::* LISTEN 922/sshd
tcp6 0 0 :::443 :::* LISTEN 15038/httpd
tcp6 0 0 :::636 :::* LISTEN 15651/slapd
tcp6 0 0 :::4190 :::* LISTEN 15396/dovecot
tcp6 0 0 :::993 :::* LISTEN 15396/dovecot
tcp6 0 0 :::995 :::* LISTEN 15396/dovecot
tcp6 0 0 :::389 :::* LISTEN 15651/slapd
tcp6 0 0 ::1:10024 :::* LISTEN 15337/amavisd (mast

Thanks in advance for your help.


(EnzoC) #8

I think the problem is not nethserver!
I think the VPS will not allow connections to non-standard ports.

Try replicating nethserver installation on your pc with virtualbox.
Set the network card shared with your main interface in bridged mode.
At this point try the proxy in manual mode.

I’m sure you will not have problems, having the same solution at home.
GW 192.168.3.1
MyPC 192.168.3.10
NAS with NethServer in Virtualbox 192.168.3.100 (NAS) 192.168.3.242 (Proxy)

I also use it on android device by setting the proxy on home wifi connection 192.168.3.242:3128 with shalla list, block direct ip and custom blacklist.


(StreetGuru) #9

Nope, that ain’t it.
I have now installed nethserver on a dedicated server from OVH and I have the exact same problem.
Also, on both servers I am unable to request a letsencrypt certificate for the server - I always get an error.
I’m thinking it may be an issue with network configuration or something specific to net install - on both servers I’ve installed nethserver from rpm instead of using the distro.
Anyone else using nethserver on external VPS and facing this issue?


(EnzoC) #10

In Security->Trusted Network add your public ip address or your lan subnet.

Alternatively, create an OpenVPN server on nethserver.

Check the firewall log for info.


(StreetGuru) #11

Thanks for the continuous help @sharpec
In Trusted Networks there is already a pre-defined network that I’m unable to edit - if my IP address is 176.185.23.20 it shows up as 176.185.23.0 with a network mask of 255.255.255.0
If I try to add a new IP address (my VPS IP address with the same netmask) I get an “Invalid network address” error; if I add the IP address with a netmask of 255.255.255.255 I get a “Network already in Use” error.
Is there any way to define a “trusted IP address” without having to make the whole network trusted? Being in a hosted environment, having the entire network classified as trusted is problematic.
Is there any tutorial for setting this up through OpenVPN?
Thanks


(StreetGuru) #12

I’m now inclined to think this may be some issue with the firewall?
When I look into the /var/log/squid/access.log I can see the connections are being denied:

1497275428.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275430.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275432.679 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275433.678 0 176.185.23.20 TCP_DENIED/403 4087 CONNECT community.nethserver.org:443 - HIER_NONE/- text/html
1497275434.678 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275435.002 0 176.185.23.20 TCP_DENIED/403 4036 CONNECT 127.0.0.1:59243 - HIER_NONE/- text/html
1497275436.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275437.630 1 176.185.23.20 TCP_DENIED/403 5420 POST http://community.nethserver.org/message-bus/a9be173714d54eea8eac682eaecec493/poll? - HIER_NONE/- text/html
1497275438.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html
1497275440.680 0 176.185.23.20 TCP_DENIED/403 4063 CONNECT community.nethserver.org/t/cant-get-web-proxy-to-work/6890:443 - HIER_NONE/- text/html

Is there any specific firewall configuration required? The only network interface is set as green so I would imagine it would open all connections? Do I have to authorize specific IPs/workstations to connect to nethserver?

Thanks
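
A way to read the access.log excerpt in the post above, as an added example that is not part of the original thread: a `TCP_DENIED` result with `HIER_NONE` means the request reached Squid and was refused by Squid's own access rules, with no upstream server contacted. The log lines are a constructed sample modelled on the post, and the function names are hypothetical.

```python
from collections import Counter, namedtuple

# Constructed sample in Squid's native access.log format, modelled on the post.
SAMPLE_LOG = """\
1497275433.678 0 176.185.23.20 TCP_DENIED/403 4087 CONNECT community.nethserver.org:443 - HIER_NONE/- text/html
1497275435.002 0 176.185.23.20 TCP_DENIED/403 4036 CONNECT 127.0.0.1:59243 - HIER_NONE/- text/html
1497275437.630 1 176.185.23.20 TCP_DENIED/403 5420 POST http://community.nethserver.org/message-bus/poll? - HIER_NONE/- text/html
1497275439.100 212 192.0.2.10 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html
1497275440.680 0 176.185.23.20 TCP_DENIED/403
"""

Entry = namedtuple("Entry", "ts client result status method url hier")

def parse_line(line):
    """Parse one native-format line; return None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier = f[8].partition("/")[0]
    try:
        return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], hier)
    except ValueError:
        return None

def tally(text):
    """Count total and ACL-denied requests per client address."""
    stats = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        c = stats.setdefault(e.client, Counter())
        c["total"] += 1
        # Squid refused the request itself and never went upstream.
        if e.result == "TCP_DENIED" and e.hier == "HIER_NONE":
            c["denied"] += 1
    return stats

def diagnose(stats, client):
    c = stats.get(client)
    if c is None:
        return "not-seen"      # nothing logged: traffic never reached Squid
    if c["denied"] == c["total"]:
        return "acl-denied"    # reached Squid, refused by its access rules
    return "partly-denied" if c["denied"] else "allowed"

if __name__ == "__main__":
    stats = tally(SAMPLE_LOG)
    for ip in ("176.185.23.20", "192.0.2.10", "203.0.113.5"):
        print(ip, dict(stats.get(ip, {})), diagnose(stats, ip))
```

A client that shows up as `acl-denied` is getting through the host firewall on port 3128; the refusal comes from Squid's allowed-client rules.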


(EnzoC) #13

http://docs.nethserver.org/en/v7/vpn.html

In addition, from the created VPN user, download the ovpn profile.
Download OpenVPN for your client PC and install it. For Windows, copy the .ovpn file into c:\program files\openvpn\config
Run the OpenVPN GUI as administrator.
Double click on the systray icon of the OpenVPN GUI; if the connection is up, the icon is green.
If you set up the OpenVPN roadwarrior server as routed, you can try to ping 192.168.180.1. If good, set it as proxy IP.


(StreetGuru) #14

I also can’t get VPN to work…
I’m thinking this may be a network configuration issue.
I’ve created another topic here: