Configuration of proxy on new OpenWrt Router

I have not installed the proxy package. What does the default config look like?

Then study Google searching.
This is a must-have skill for a Linux user.

What @trendy said:

1 Like

# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

#
# Add any of your own refresh_pattern entries above these.
#

cache_effective_user squid

#
# Logs, best to use only for debugging as they can become very large
#

access_log none  # daemon:/tmp/squid_access.log
cache_log /dev/null  # /tmp/squid_cache.log
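
How the `http_access` lines in a config like the one above are evaluated, as an added example that is not part of the original post: a small Python evaluator (first matching line wins, terms on a line are ANDed, values of one ACL name are ORed). The config string is constructed and condensed from the post, one ACL line deliberately carries a misspelled name (`localhet`) to show how a typo silently drops a network from `allow localnet`, and the client addresses are made up.

```python
import ipaddress
# Constructed config, condensed from the post above. The 169.254.0.0/16 line
# deliberately carries a misspelled ACL name ("localhet") for the demo.
CONF = """
acl localhet src 169.254.0.0/16
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse(conf):
    # "all" and "localhost" are ACLs that Squid predefines.
    acls = {"all": [("src", "0.0.0.0/0"), ("src", "::/0")],
            "localhost": [("src", "127.0.0.0/8"), ("src", "::1/128")]}
    rules = []
    for line in conf.splitlines():
        f = line.split("#")[0].split()
        if f[:1] == ["acl"]:
            acls.setdefault(f[1], []).extend((f[2], v) for v in f[3:])
        elif f[:1] == ["http_access"]:
            rules.append((f[1], f[2:]))
    return acls, rules

def acl_matches(values, src, method, port):
    # Values collected under one ACL name are ORed together.
    for kind, val in values:
        lo, _, hi = val.partition("-")
        if ((kind == "src" and ipaddress.ip_address(src) in ipaddress.ip_network(val))
                or (kind == "method" and val == method)
                or (kind == "port" and int(lo) <= port <= int(hi or lo))):
            return True
    return False

def decide(conf, src, method, port):
    acls, rules = parse(conf)
    for action, terms in rules:  # first match wins; terms are ANDed, "!" negates
        if all(acl_matches(acls.get(t.lstrip("!"), []), src, method, port)
               != t.startswith("!") for t in terms):
            return action
    return "deny"  # not reached here: "deny all" matches every request
```

Calling `decide(CONF.replace("localhet", "localnet"), "169.254.10.5", "GET", 80)` shows the same link-local client being allowed once the ACL name is spelled consistently.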

Hello Sir,
I am already using LuCI for Squid but there are only two options:

  1. Basic, where we can write
    Port
    3128
    Visible Hostname
    OpenWrt
    Coredump files directory
    /tmp/squid

  2. Advanced: when I click on this, a notepad-type file opens in the same window (Basic Configuration file), but I don't know where to edit this file.

I am not using Squid (or any other proxy). I was just trying to help you with installing it as you requested.

Though, you may find this page useful

1 Like

You can try something like
cache_peer 192.168.5.22 parent 3128 7 proxy-only no-query login=abcde:1234567
http://squidconfiguration.com/config-manual-2-4/neighbour-selection-algorithm/cache_peer/

This is not what he wants. He needs to authenticate to parent proxy, in your link they are describing how to authenticate clients of the proxy.

1 Like

My bad! I misread it.

Hello Sir,
After this I got the following system logs:

Tue Feb 19 10:33:52 2019 daemon.notice squid[1145]: Created PID file (/var/run/squid.pid)
Tue Feb 19 10:33:52 2019 daemon.notice squid[1145]: Set Current Directory to /tmp/squid
Tue Feb 19 10:33:52 2019 daemon.warn squid[1145]: Starting Squid Cache version 4.4 for mipsel-openwrt-linux-gnu...
Tue Feb 19 10:33:52 2019 daemon.warn squid[1145]: Service Name: squid
Tue Feb 19 10:33:52 2019 daemon.notice squid[1145]: Process ID 1145
Tue Feb 19 10:33:52 2019 daemon.notice squid[1145]: Process Roles: master worker
Tue Feb 19 10:33:52 2019 daemon.notice squid[1145]: With 1024 file descriptors available
Tue Feb 19 10:33:52 2019 daemon.notice squid[1145]: Initializing IP Cache...
Tue Feb 19 10:33:53 2019 daemon.notice squid[1145]: DNS Socket created at [::], FD 3
Tue Feb 19 10:33:53 2019 daemon.notice squid[1145]: DNS Socket created at 0.0.0.0, FD 12
Tue Feb 19 10:33:53 2019 daemon.notice squid[1145]: Adding domain lan from /etc/resolv.conf
Tue Feb 19 10:33:53 2019 daemon.notice squid[1145]: Adding nameserver 127.0.0.1 from /etc/resolv.conf
Tue Feb 19 10:33:53 2019 user.notice ARIA2C: Starting aria2c service
Tue Feb 19 10:33:53 2019 daemon.info procd: - init complete -
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Store logging disabled
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Swap maxSize 0 + 262144 KB, estimated 20164 objects
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Target number of buckets: 1008
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Using 8192 Store buckets
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Max Mem  size: 262144 KB
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Max Swap size: 0 KB
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Using Least Load store dir selection
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Set Current Directory to /tmp/squid
Tue Feb 19 10:33:54 2019 daemon.notice squid[1145]: Finished loading MIME types and icons.
Tue Feb 19 10:33:55 2019 daemon.notice squid[1145]: HTCP Disabled.
Tue Feb 19 10:33:55 2019 daemon.notice squid[1145]: Configuring Parent 192.168.3.10/3128/7
Tue Feb 19 10:33:55 2019 daemon.notice squid[1145]: Squid plugin modules loaded: 0
Tue Feb 19 10:33:55 2019 daemon.notice squid[1145]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 13 flags=9
Tue Feb 19 10:33:55 2019 daemon.notice squid[1145]: storeLateRelease: released 0 objects

But no connection to Internet

Don't you have an IPv4 socket open?
What is the output of netstat -lnp | grep 3128 ?

Squid uses v4mapping, where ipv6 sockets can receive v4 traffic. If the OpenWrt kernel can't do this it's a problem for squid, but others are using squid so I'm guessing the kernel has it enabled.

Also if you set the proxy via hostname, the clients will connect on the ULA addresses OpenWrt uses by default. Use the ULA addresses in your ACLs and voila you have ipv6 working well for squid. Don't break it!

2 Likes

# netstat -lnp "|" grep 3128
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      720/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      962/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      698/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      720/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      962/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      698/dropbear
tcp        0      0 :::3128                 :::*                    LISTEN      904/squid
udp        0      0 0.0.0.0:59144           0.0.0.0:*                           904/squid
udp        0      0 0.0.0.0:53              0.0.0.0:*                           962/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           962/dnsmasq
udp        0      0 0.0.0.0:48052           0.0.0.0:*                           974/ntpd
udp        0      0 :::546                  :::*                                791/odhcp6c
udp        0      0 :::547                  :::*                                658/odhcpd
udp        0      0 :::53                   :::*                                962/dnsmasq
udp        0      0 :::49031                :::*                                904/squid
raw        0      0 ::%1:58                 ::%4443948:*            58          791/odhcp6c
raw        0      0 ::%1:58                 ::%4443948:*            58          658/odhcpd
raw        0      0 ::%1:58                 ::%4443948:*            58          658/odhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING        274 400/ubusd           /var/run/ubus.sock

Thank you @trendy. After this config and changing my system proxy to 192.168.1.1 port 3258 (defined by me), I am able to connect to the internet now without username and password. But I need one more help: I want to connect without setting up the proxy in System.

By System you mean the PCs and other hosts that connect on the LAN of the router and use the squid proxy?
You can continue this conversation in the other topic you have opened.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


1 Like

Sir, can I solve this with port forward / redirect? I mean, if I can direct all traffic coming from port 80 to port 3258.
If yes, then how?
I tried the wpad method but no luck.

Try this one:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3258

You can put squid into transparent mode listening on port 3258 and do the redirect thing @trendy suggested, but it will not work for HTTPS connections, which is about 75% of everything these days. So, if all you need it to do is download stuff via http from a software mirror site or something, then yes it can work, but basically you must tell the clients they need to CONNECT through a proxy if you want HTTPS to work properly. In other words, you must put your router explicitly as the proxy in every device, otherwise you will most likely break most of the internet.

3 Likes
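
What arrives on the proxy port in each case discussed above, as an added example that is not part of the original posts: a Python classifier for the first bytes of a client connection, plus a simplified model (an assumption of this example) of which request shapes a forward `http_port` and an `intercept` `http_port` are meant for. The sample byte strings are constructed.

```python
# Simplified model (assumption of this example): a forward http_port serves
# clients configured to use the proxy, an "intercept" http_port serves
# connections redirected to it by the firewall.
PORT_ACCEPTS = {
    "forward": {"proxy-absolute", "proxy-connect"},
    "intercept": {"origin-form"},
}

def classify(data: bytes) -> str:
    """Classify the first bytes a proxy port receives from a client."""
    if data[:2] == b"\x16\x03":
        return "tls-handshake"      # redirected port-443 traffic: not HTTP at all
    line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "not-http"
    method, target, _version = parts
    if method == "CONNECT":
        return "proxy-connect"      # client asks the proxy for a tunnel
    if target.startswith(("http://", "https://")):
        return "proxy-absolute"     # full URL: client knows it talks to a proxy
    if target.startswith("/"):
        return "origin-form"        # path only: client thinks it talks to the site
    return "not-http"

def accepted(port_mode: str, data: bytes) -> bool:
    return classify(data) in PORT_ACCEPTS[port_mode]

# Constructed samples of the four situations in the thread.
EXPLICIT_HTTP = b"GET http://example.org/index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
EXPLICIT_HTTPS = b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n"
REDIRECTED_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
REDIRECTED_HTTPS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # start of a TLS ClientHello

if __name__ == "__main__":
    for name in ("EXPLICIT_HTTP", "EXPLICIT_HTTPS", "REDIRECTED_HTTP", "REDIRECTED_HTTPS"):
        data = globals()[name]
        print(name, classify(data), accepted("forward", data), accepted("intercept", data))
```

Only a client that was told about the proxy sends `CONNECT`; a redirected HTTPS connection starts with a TLS handshake, which neither kind of plain HTTP port can parse.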

This didn't work in my case.
I also tried changing the port for the LuCI web interface and assigning port 80 to the squid server. Now my server is listening on 192.168.1.1:80, but the problem is that I still have to manually feed the proxy in the browser to connect. I think port 80 is the default port for web and this should work without proxy.
Thanking you,
looking for help.

Setup of transparent/intercepting squid is a bit sophisticated.
Best is, to do it on a full LINUX system first, and then to port it to openwrt.
For full LINUX, the "official" doc to be found here:
https://wiki.squid-cache.org/SquidFaq/InterceptionProxy
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
