August 9, 2008 at 1:45 pm #41131
I run ZeroShell primarily for the Radius server so I can have a secure wireless network. Just last night, I updated from a very old beta to beta 10 and I’m interested in using the built-in proxy and its virus scanning feature.
But, in my environment, ZeroShell is just another machine on the network, not the gateway itself. Is there any way to configure my clients to communicate directly to the proxy server? Currently, I have another machine with Squid, so I’m simply pointing the clients to the squid IP, port 3128. When I tried the same thing against port 8080 on Zeroshell, I get an HAVP error page “The request is unknown: Invalid request”.
I’ve tried it both with and without capture rules in place, but get the same result. Is there something else to do to get HAVP to let me point directly to it?
Paul
August 9, 2008 at 5:41 pm #46754
try to comment the line
in the file
and then restart the proxy service.
Fulvio
August 9, 2008 at 7:22 pm #46755
Thanks! That worked great.
Are you planning to include a WebGUI switch for this in future versions? Generally, I expect most people would rather have the transparent feature enabled, but maybe there are enough oddballs like me out there that this would be a decent feature to include.
As it is, I expect this to stop working the next time I reboot ZeroShell, correct? (I’m running the VMware edition of beta 10)
Paul
August 10, 2008 at 8:05 am #46756
To make the change permanent you have to:
– copy your modified version of the file with
cp /root/kerbynet.cgi/template/havp.config /Database
– In the section [Setup][Startup] add the following line to the [Pre Boot] script:
cp /Database/havp.config /root/kerbynet.cgi/template
– Enable Pre Boot script by clicking on the [Enabled] flag.
I don’t like a network in which the users must change their browser configuration to use the proxy with the antivirus. I prefer the transparent mode in which any http request is automatically redirected to the proxy and the result scanned by ClamAV.
Fulvio
August 11, 2008 at 8:28 pm #46757
Thanks for the tip on how to make this change more permanent in my installation.
I agree with the idea of a transparent proxy, in theory. In practice, however, it hasn’t worked out that well for me. There were a few problems when I tried to use a transparent proxy back a year or so ago (with Squid running under pfSense). The only one that I can specifically recall is that iTunes sporadically had trouble with downloads of paid content. I could disable the transparent proxy and iTunes would immediately start working after having failed for hours before.
August 12, 2008 at 8:05 am #46758
If you use a proxy (transparent or not) all requests reach the web servers with the IP of the proxy. This can be a problem with some servers (probably iTunes is one of them) because if two users of your LAN make requests in the same time slot the server thinks it is a duplicate. For this reason Zeroshell has two types of capturing rules:
– “Capture” with which it is possible to define interfaces, clients and servers to be redirected to the proxy;
– “Do not capture” with which you can exclude the redirection and the http requests are directly forwarded.
You should just exclude the IP subnets of iTunes.