 #0 11 © 11.01.08 09:51:13 - 18.01.08 20:17:23

Настройка передачи данных через порт 443 в Linux



Есть сервер под управлением Linux.
На нём установлен Squid.
В iptables разрешена передача через порт 443.
В Squid также передача разрешена.

#Recommended minimum configuration:
# ACL definitions (Squid 2.x). "all" matches every source address.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Destination ports a CONNECT tunnel may be opened to (https, snews).
acl SSL_ports port 443 563
# Destination ports plain requests may go to; 443 is also listed here.
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#Recommended minimum configuration:
# http_access lines are matched top to bottom; the first match wins.
# Nothing in this excerpt blocks CONNECT to 443 by itself: 443 is in both
# SSL_ports and Safe_ports.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# NOTE(review): no allow line follows in this excerpt. When no http_access
# line matches, Squid applies the opposite of the last listed rule, so the
# lines after this point in the real file decide whether 443 is allowed.
 


Где ещё смотреть? Где ещё может быть закрыт порт? Цитата

 #1 FonMax © 11.01.08 10:00:52

дай вывод cat /etc/sysconfig/iptables-config. дай нормальный обзор и версию squid.conf. покажи вывод route.
 #2 11 © 11.01.08 10:57:55

cat /etc/sysconfig/iptables-config
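# /etc/sysconfig/iptables-config -- sourced by the iptables init script.
# This file only tunes the init script; the firewall rules themselves live
# in /etc/sysconfig/iptables (see the SAVE_ON_* comments below), so it says
# nothing about whether port 443 is open.
# Three quoted values below carried a stray soft-hyphen (U+00AD) after the
# closing quote; the shell would have appended it to the value. Removed.

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"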


route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
ats730as2.te.ne *               255.255.255.255 UH    0      0        0 ppp0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         ats730as2.te.ne 0.0.0.0         UG    0      0        0 ppp0
 #3 11 © 11.01.08 11:04:47

squid/2.5.STABLE6

Правил squid.conf, данный по умолчанию;
здесь привёл лишь изменения и важные параметры.

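#    WELCOME TO SQUID 2
#    ------------------
# Excerpt of the changed / important squid.conf settings (Squid 2.5.STABLE6).

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
# Plain HTTP proxy listener. Browsers tunnel https:// sites through this
# port with CONNECT, so no separate TLS listener is needed for 443 traffic.
http_port 3128

#  TAG: https_port
#Default:
# https_port is a listener for clients that speak TLS *to the proxy*; it is
# not what lets HTTPS sites through. It was set to 3128, the same port as
# http_port, and one port cannot be bound by two listeners; in 2.5 the
# directive also expects cert=/key= options. Left disabled.
# https_port 3128

#  TAG: icp_port
icp_port 3130

#  TAG: udp_incoming_address
#  TAG: udp_outgoing_address
udp_incoming_address 0.0.0.0
# 255.255.255.255 is Squid's documented "same as udp_incoming_address" value.
udp_outgoing_address 255.255.255.255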

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

#  TAG: cache_peer
# Upstream (parent) proxy: HTTP on 3128, ICP on 3130; "default" marks it as
# the last-resort parent when no other peer is selected.
# NOTE(review): a CONNECT forwarded to this parent is subject to the parent's
# own access policy. If 443 fails only through this box, compare the
# hierarchy column of access.log (DIRECT vs. the parent) for those requests.
# No never_direct / prefer_direct line appears in this excerpt.
cache_peer proxy.te.net.ua parent 3128 3130 default

#  TAG: maximum_icp_query_timeout    (msec)
maximum_icp_query_timeout 2000

#  TAG: mcast_icp_query_timeout    (msec)
mcast_icp_query_timeout 2000

#  TAG: dead_peer_timeout    (seconds)
# A peer that has not answered ICP for this long is treated as dead.
dead_peer_timeout 10 seconds

#  TAG: hierarchy_stoplist
#We recommend you to use at least the following line.
# URLs containing these strings are fetched directly, not via peers.
hierarchy_stoplist cgi-bin ?

#  TAG: no_cache
# Dynamic content (cgi-bin, query strings) is never cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------

#  TAG: cache_mem    (bytes)
# Memory for in-transit and hot objects; not Squid's total memory footprint.
cache_mem 32 MB

#  TAG: cache_swap_low    (percent, 0-100)
#  TAG: cache_swap_high    (percent, 0-100)
# Disk-store fill levels: replacement starts at low, becomes aggressive at high.
cache_swap_low 80
cache_swap_high 85

#  TAG: maximum_object_size    (bytes)
# Objects larger than this are not stored on disk.
maximum_object_size 4096 KB

#  TAG: minimum_object_size    (bytes)
# 0 = no lower bound.
minimum_object_size 0 KB

#  TAG: maximum_object_size_in_memory    (bytes)
# Upper size for objects kept in cache_mem.
maximum_object_size_in_memory 200 KB

#  TAG: ipcache_size    (number of entries)
#  TAG: ipcache_low    (percent)
#  TAG: ipcache_high    (percent)
# Hostname -> IP cache size and its low/high watermarks.
ipcache_size 1024
ipcache_low 90
ipcache_high 95

#  TAG: fqdncache_size    (number of entries)
# IP -> hostname (reverse) cache size.
fqdncache_size 1024

#  TAG: cache_replacement_policy
# Eviction policy for the disk store.
cache_replacement_policy lru

#  TAG: memory_replacement_policy
# Eviction policy for cache_mem.
memory_replacement_policy lru


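# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

#  TAG: cache_dir
# ufs store of 200 MB with 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 200 16 256

#  TAG: cache_access_log
#Default:
# One line per request. First place to look for a failing CONNECT: the
# result code (e.g. TCP_DENIED) and the hierarchy column (DIRECT vs. peer).
cache_access_log /var/log/squid/access.log
#cache_access_log /dev/null

#  TAG: cache_log
#Default:
# Was pointed at /dev/null, which discards startup errors (e.g. a listener
# that fails to bind) and peer/DNS problems. Restored so that the daemon's
# own diagnostics are kept; rotate it with the other logs.
cache_log /var/log/squid/cache.log

#  TAG: cache_store_log
#Default:
# cache_store_log /var/log/squid/store.log
# Store transaction log disabled; it is not needed for troubleshooting access.
cache_store_log none

#  TAG: emulate_httpd_log    on|off
# Keep Squid's native log format (easier to parse for result/hierarchy codes).
emulate_httpd_log off

#  TAG: log_ip_on_direct    on|off
# Log the server IP instead of its hostname for DIRECT fetches.
log_ip_on_direct on

#  TAG: mime_table
mime_table /etc/squid/mime.conf

#  TAG: log_mime_hdrs    on|off
# Request/response headers are not logged (they may contain credentials).
log_mime_hdrs off

#  TAG: pid_filename
pid_filename /var/run/squid.pid

#  TAG: log_fqdn    on|off
# No reverse lookups of client addresses when logging.
log_fqdn off

#  TAG: client_netmask
# Full client address is logged (no anonymisation mask).
client_netmask 255.255.255.255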

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

#  TAG: auth_param
#Recommended minimum configuration:
# Basic-auth helper settings. NOTE(review): no "auth_param basic program"
# line and no proxy_auth ACL appear in this excerpt, so these values alone
# do not make the proxy require authentication.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

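# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

# TIMEOUTS
# -----------------------------------------------------------------------------

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: acl
#Examples:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Single host; defined but not referenced by any http_access line below.
acl lucifer src 192.168.2.128/255.255.255.255
acl to_localhost dst 127.0.0.0/8

# URL allow-/deny-lists read from files, one case-insensitive regex per line.
acl udenied url_regex -i "/etc/squid/urls.denied"
# The original path carried a stray soft-hyphen (U+00AD) before "txt";
# confirm the file name on disk matches this one.
acl squid_porn url_regex -i "/etc/squid/squidblock/porn.block.txt"
acl ucross url_regex -i "/etc/squid/urls.cross"

# Ports a CONNECT tunnel may target (https, snews).
acl SSL_ports port 443 563
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
#Default:
#http_access deny all

# http_access is evaluated top to bottom and the FIRST matching line wins.
# "http_access allow all" used to be the first line, so every rule below
# it was dead: cachemgr, unsafe ports, CONNECT to non-SSL ports, the
# to_localhost guard and the deny-lists were never consulted. Order fixed:
# protective rules first, site policy next, the catch-all allow last.

#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# Site policy: explicit allow-list first, then the two deny-lists.
# ("all" was redundant on these lines - it matches every request.)
http_access allow ucross
http_access deny udenied
http_access deny squid_porn

# Internet access for everyone (original: "v internet mozhno vsem").
# This allows any source address that can reach port 3128; restricting it
# to the local networks with an src acl instead of "all" is advisable.
http_access allow all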
 #4 11 © 12.01.08 23:32:42

А Zebra может участвовать в закрытии порта 443?
 #5 FonMax © 15.01.08 16:30:13

если это брандмауэр или какой-то из фронт-эндов к нему, то может. попробуй iptables stop
 #6 11 © 15.01.08 20:33:10

GNU Zebra is free software that manages TCP/IP based routing protocols.


> попробуй iptables stop


Это, типа, передать всё управление трафиком на Squid?
 #7 FonMax © 18.01.08 20:17:23

нет. это остановить файрвол.



