problem setting up web proxy

Hello everyone,

I’m trying to set up a web proxy on an IPFire.
However, when I set my configurations and try to connect my web browser (Firefox) with this service, I can’t access any internet search.

Below are the configurations I’ve set up.

I have enabled the following

  • Enabled on Green
  • Enabled on Blue
  • Transparent on Blue
  • Proxy Port 800
  • Transparent port 80

URL Filter enabled, Update accelerator enabled.
Log Enabled
Active cachemanager
Amount of filedescriptors 16384
Memory cache size (MB) 2048
Min object size (KB) 0
Number of level-1 subdirs 16
Memory replacement policy heap GDSF
Cache replacement policy heap LFUDA
Harddisk cache size (MB) 4096
Max obj size (KB) 4096
Do not cache these domains (…) list of local hosts

Destination ports
Allowed standard ports
80 # http
21 # ftp
443 # https
563 # snews
70 # gopher
210 # wais
1025-65535 # unregistered ports
280 # http-mgmt
488 # gss-http
591 # filemaker
777 # multiling http
800 # Squids port (for icons)

Allowed SSL ports
443 # https
563 # snews

Network based access control
Allowed subnets (local subnets)
Network address of my green network

Disable internal proxy access from Blue to other subnets
Authentication method
None

To set up the web browser, I tested with just the hostname of my IPFire and also added the ports, but once set up I can’t do any more searches.
Here’s what I set up on the browser side:
for HTTP: http://hostname:800/
and for HTTPS: http://hostname:800/

or

for the http :

If anyone could enlighten me on the subject.
Thank you in advance for your time.

FirePb

Have you tried with proxy greenIP:800?

@firepb
Set back your change of Transparent port 80 to the default 3128, then it should work.

Please note:
Transparent does not support http(s), just http.

To force use port 800 at Firefox :

BR
Trash


Hello @bbitsch ,

Thanks for your reply.

Yes of course I tried with the IP address of the green network but I still get the same error message from firefox saying “The timeout has expired”.

Hello @trash-trash ,

Thanks for your reply.

I followed your advice by setting the transparent port back to 3128 and I also did my configuration on firefox as you indicated on your second screen but still get the same error message when I do a firefox search afterwards which is “Timeout has expired”.

I remain available for any information.

This behavior only starts when the proxy is activated?
IPFire gateway and DNS and NTP are all configured right?

Please check if the Web Proxy Service is started:
IPFire UI Home/Status/Status information … Web Proxy RUNNING …

Relevant for the client communication are the settings under:

  • Client itself is set to DHCP for IP and DNS
  • DHCP server “green and blue”
  • Proxy setting (we already know this)
  • URL filter setting (if necessary “Network based access control” enter the computer IP for a test)
  • The firewall setting (in block mode ?) is not granted according to the port release “allowed” … Set for test FORWARD Allowed and the OUTGOING Allowed

BR
Trash

This behavior only starts when I connect my firefox browser to my proxy.

The gateway is well established and so is the DNS, which corresponds to the IP address of the IPFire.
As for the NTP server, these are IPFire’s “0.ipfire.pool.ntp.org” and “1.ipfire.pool.ntp.org” servers.

In the Web interface, the proxy is running.

Compared to the information given and your screens, the only thing I haven’t filled in is secondary DNS, primary NTP server and secondary NTP server for the green and blue network.

I was wondering whether I shouldn’t make a firewall rule so that the flow on port 800 is reachable?

Thanks again for your help.

Fire Pb

@firepb
At now for the work of Proxy and to find out the background, you need no firewall rules. Put “Default firewall behaviour” for FORWARD to Allowed and OUTGOING to Allowed. My last mail there the last screenshot.
Please note: Some action at settings needs to reboot IPFire.
So reboot it once for the case it was not done yet.

Anyway
I’m at the point where I would say, let’s start TeamViewer. But we are at forum, not at job :hugs:
I think it is your turn to send screenshots to all your settings done to IPFire.

BR
Trash

Okay, fine, I’ll put some screenshots of the configuration in place below.



Fire Pb

The matter you have, is not an issue of Proxy. Keep those settings for now and for further tests.

You had enabled IDS? IP Blocklist as Bogon??
Disable IDS for all 4 eth and any IP Blocklist for test.

Connect by SSH to IPFire, by CLI send ping to:
google.com
8.8.8.8
Eth red
Gateway
Your DNS resolver

Then do the same from computer where you are connected to IPFire.
Post the screenshots.

BR
Trash
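
An added example, not part of any post in this thread: alongside the ping checks above, a TCP-level probe of the proxy port shows whether a browser timeout comes from dropped packets, a missing listener, or the proxy rejecting the client. Port 800 is the proxy port from the first post; the host address in the usage comment is a placeholder, and the hint texts are this example's own wording.

```python
import socket
import sys

# Interpretation of each outcome (added here; wording is not from the thread).
HINTS = {
    "timeout": "packets dropped before the proxy: firewall rule, wrong IP or interface",
    "refused": "host reachable, nothing listening on that port",
    "unreachable": "no route to the host from this client",
    "no-reply": "port open, but no HTTP answer came back",
    "http-403": "proxy reached, its access control rejected this client",
}

def probe_proxy(host, port, url="http://example.com/", timeout=5.0):
    """Send one proxy-style GET and classify the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with sock:
        # A forward proxy expects the absolute URL in the request line.
        site = url.split("/")[2]
        request = f"GET {url} HTTP/1.1\r\nHost: {site}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(4096)
        except OSError:          # includes a read timeout
            return "no-reply"
    status_line = reply.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return "no-reply"
    return "http-" + status_line[1].decode("ascii", "replace")

def explain(result):
    """Map an outcome string to a short troubleshooting hint."""
    if result.startswith("http-5"):
        return "proxy reached, but it could not fetch the page upstream"
    return HINTS.get(result, "proxy answered; client-to-proxy path works")

if __name__ == "__main__":
    # Usage: python3 probe.py <green-ip-of-ipfire> 800   (address is a placeholder)
    outcome = probe_proxy(sys.argv[1], int(sys.argv[2]))
    print(outcome, "-", explain(outcome))
```
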

OK, that’s fine.

Yes, I had activated the IDS and some Blocklists, so I deactivated everything. See the screenshots below:


The SSH connection to my IPFire on the command line is extremely buggy, I very rarely manage to access it and I don’t know why…

However, here are the screenshots from my machine that you asked me for:
[screenshot: ping_dns_gateway]

[screenshot: ping_eth_red]

However, in my firewall rules I put this in as a precaution:
[screenshot: firewall_rules]

Thanks again for your help.

Fire Pb

OMG all blackened “soot”

IPFire eth red is connected?? :crystal_ball: Houdini says give it a try :innocent:

If yes: Throw the network cable in the trash and check settings at next switch or router … Permission IPFire have there and possible need.
Maybe there is an IP conflict.

BR
Trash

I’ve blocked it so that I only allow the feeds I want. Is this not a good configuration?

I didn’t understand what you meant. Sorry.

Fire Pb


@firepb Have you read the following pages?

BR