Re: [squid-users] Help with accelerated site
a...@gmail wrote:
> Hi All,
> I get this in my cache log, does anyone know what it means please?
>
> Unlinkd pipe opened on FD 13
>
> Every time I get this I know something is going pear shape again
> Thank you all
> Regards
> Adam

unlinkd (linux-style abbreviation for 'unlink daemon') is the name of the helper Squid used to erase disk files from cache. That link means it's working.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18
Re: [squid-users] Help with accelerated site
a...@gmail wrote:
> Hi Ron,
> Thanks for your reply and thanks for your time
> This is perhaps the 10th time I uninstalled it and reinstalled it
> And this is the very first time I could access my websites internally, externally nothing yet, I am still getting the error

This error:
  The following error was encountered while trying to retrieve the URL: /
... appearing in a reverse-proxy setup means Squid received a reverse-proxy/accelerated request intended for a web server on a port without accel flag configured.

Please read all my notes below right to the end of the email before changing anything. I'm commenting on each fine detail and what it means...

> My clients can all access the internet,
> Yes I am sure that there's a misconfiguration in my config file but I followed every tutorial trying desperately to get something up, after a while you're saturated and very tired, bouncing from one issue to another

... so, we need you to stop bouncing and concentrate on one issue at a time. When we are satisfied that you are understanding that one move on ...

> I checked and triple checked my iptables rules everything looks fine so far
> For instance, my backend server is listening right now on port 81, why did I put it on port 81 because I was getting Cannot bind to in the log file so I changed it to 81 and I am getting the same error, there's absolutely nothing else in my entire network that is using that port
> So why can't it bind to port 81?
> You see the type of things that can drive you through the wall
> at the moment I have only three machines
> A is Running the Proxy and the Router (IPTABLES)
> B is the back end server
> C is the DNS/DHCP servers
> And only the backend server that is currently listening on port 81 and before that it was listening on port 80
> no matter which port I put in my config I get the Cannot bind to in the log file

... from the below I'd guess you are changing both the Squid http_port and the apache listening Port entries at the same time in your tests.

> here is a bit of my config
> * http_port 192.168.1.3:81 accel parent vhost defaultsite=www.mysite.org

The tutorial and advice so far as I've seen has been to place Squid listening on http_port 80 accel vhost and apache listening on Port 81.

Okay stop here. Check that. Make it so. Restart both software if needed. If another bind error comes up during the restart let us know right now.

Continue reading...

> cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main

Those two lines are (or 'were' right?) a loop. Squid listening on 192.168.1.3 port 81 is to fetch requests from source server listening on 192.168.1.3 port 81.

What you should have after my suggested change above is: Squid listening on port 80 fetched from server on port 81.

Test this:

  fetch a request for http://192.168.1.3:81/
  EXPECTED: results in the apache it works, or your VirtualHost * site.

  fetch a request for http://192.168.1.3/
  EXPECTED: results in the apache it works, or your VirtualHost * site. Received through Squid.

(using wget, curl, or squidclient to display the response errors the second fetch there should contain a Via: header which is not present in the first fetch.)

IF (and only if) there was no bind error, and the headers check above fails to show a Via: header properly. We work on that in next email...

> acl dstdomain our_sites dstdomain www.mysite1.org www.mysite2.com www.mysite3.net
> http_allow_access main allow our_sites
> http_peer_access main deny all
>
> At the moment all of these sites are running on the same server (virtualhost)
> The only thing I am not sure of is probably the cache_peer directive
> cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
> If it's wrong then I don't know what to put in there

The IP address and port of your Apache server.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18
Re: [squid-users] Help with accelerated site
Hi Amos,
Thanks for your time

At the moment my config is as follows; it's working as far as the acceleration mode is concerned:

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main

acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net
http_access allow our_sites
cache_peer_access main allow our_sites
cache_peer_access deny all

I can access my 3 websites from inside my network and from the Internet no problems apart for it being a little slower than before, but it's working

The problem I have right now is None of clients can access the internet
The error as before
The requested URL could not be retrieved

here is the other part of config

acl manager proto cache object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8.0.0.0/32
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network 192.168.1.0/24

http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all
htcp_access allow localnet
htcp_access deny all
icp_access allow localnet
icp_access deny all

http_port 3128 vhost
(note: if I remove the vhost I won't access my websites; if I leave it I can't access the internet from my local network)

No Bind error at this time
I hope that would help see if there's anything wrong with the configuration

Regards
Adam
Re: [squid-users] Help with accelerated site
Are you trying to build an accelerator for your site or a proxy.
Pick one and get it to work.
The config that I sent you is an accelerator.

I would suggest to stick with the accelerator and let your inside guys hit your server on port 80.

1) Put your backend server back on port 80

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 80

whatever I had in my config should be fine once you change my 81 to 80.
I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem.

This way your inside guys are still hitting your backend the old fashioned way and your clients are coming through your front door with a caching proxy.

Get rid of the acl stuff until you get it going and then decide how to block people.
Check my acl settings but I do not recall doing anything to control access.

KISS

Good luck

Ron
Re: [squid-users] Help with accelerated site
Hi Again,

Well my local network can't access the Internet since I had to put the vhost option on the http_port 3128
They can access my sites internally not a problem, but the problem is they can no longer access the internet

I have kept the original config
The only thing I have changed was adding the acceleration mode for my backend server (sites) and add the vhost option after the http_port 3128, like this:

http_port 3128 vhost

I hope that makes more sense

Regards
Adam
Re: [squid-users] Help with accelerated site
Hi Adam,

Did you read the page:
http://www.squid-cache.org/Versions/v2/2.7/cfgman/http_port.html

Under vhost, it clearly says:
Accelerator mode using Host header for virtual domain support. Implies accel.

So, if you want Squid listener on 3128 to be acting as forward proxy, then don't use vhost. When your internal users are hitting squid for regular internet usage, every port 80 website is automatically proxied, including your internal ones. If it is not working, then there must be a relevant line in the access.log or cache.log which will tell you what happened to that request.

You are configuring the same box for both forward and reverse proxy, which can be tricky. If you are indeed a developer (and no, writing HTML does not count), then you need to use your programming hat a bit more when you're trying to even configure open source software.

Did you read:
http://wiki.squid-cache.org/SquidFaq/ReverseProxy

It explains a lot of concepts. Please go through them, and try to understand how all this is supposed to work.

Please do not bombard the list with email after email without getting a response first. Not nice.

Most irritating is when someone:
1. appears to not have read the manual with great care
2. appears to have not searched the internet for this problem
3. starts to blame the software because they can't make it work
4. starts to whine on the mailing list, and sends emails one after another without waiting for an acceptable time (at least 48 hours) for someone to respond

Regards
HASSAN
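The configuration faults discussed in this thread (the http_port/cache_peer loop in the accelerator reply above, and the "vhost implies accel" point from the http_port manual page quoted in the message above) can be checked mechanically. The Python below is an added example, not part of any message in this thread and not Squid project code; `lint`, the finding codes and the `FIXED_CONF` layout are assumptions for illustration, and the sample configurations are constructed from directives quoted in the thread.

```python
import re

# Constructed sample: directives as the original poster quotes them in this thread.
THREAD_CONF = """\
http_port 80 accel vhost defaultsite=www.mysite.org
http_port 3128 vhost
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network 192.168.1.0/24
http_access allow our_sites
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all
cache_peer_access main allow our_sites
cache_peer_access deny all
"""

# Constructed sample: the listener/peer pair described in the thread as a loop.
LOOP_CONF = """\
http_port 192.168.1.3:81 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
"""

# Assumed intent (not from the thread): accelerator on 80, forward proxy on 3128.
FIXED_CONF = """\
http_port 80 accel vhost defaultsite=www.mysite.org
http_port 3128
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl our_sites dstdomain www.mysite.org www.mysite.com www.mysite.net
acl our_network src 192.168.1.0/24
http_access allow our_sites
http_access allow our_network
http_access deny all
cache_peer_access main allow our_sites
cache_peer_access main deny all
"""

ADDRESS = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")

def lint(conf):
    """Return (line, code, message) findings for squid.conf text."""
    findings, listeners, peers, rules = [], [], {}, []
    acls = {"all"}  # assumption: "all" is predefined by Squid or its default config
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        name, args = tok[0], tok[1:]
        if name == "http_port":
            host, _, port = args[0].rpartition(":")
            listeners.append((n, host, port, {a.split("=")[0] for a in args[1:]}))
        elif name == "cache_peer" and len(args) >= 3:
            label = next((a[5:] for a in args if a.startswith("name=")), args[0])
            peers[label] = (args[0], args[2])
        elif name == "acl" and len(args) >= 2:
            if ADDRESS.match(args[1]):  # value sits where the type (src, dst, ...) belongs
                findings.append((n, "ACL_TYPE_MISSING", f"acl {args[0]} has no type"))
            else:
                acls.add(args[0])
        elif name in ("http_access", "cache_peer_access"):
            rules.append((n, name, args))

    for n, host, port, opts in listeners:
        if "vhost" in opts and "accel" not in opts:
            findings.append((n, "IMPLIED_ACCEL",
                             f"port {port}: vhost implies accel, not a forward-proxy port"))
        for peer_host, peer_port in peers.values():
            if (host, port) == (peer_host, peer_port):
                findings.append((n, "LOOP", f"http_port and cache_peer both {host}:{port}"))

    terminal = None  # line of the first "http_access deny all"; rules are first-match
    for n, name, args in rules:
        if name == "cache_peer_access":
            if args[0] not in peers:
                findings.append((n, "PEER_NAME_MISSING", f"'{args[0]}' is not a cache_peer"))
                continue
            args = args[1:]
        elif terminal is not None:
            findings.append((n, "UNREACHABLE", f"follows 'deny all' on line {terminal}"))
        if not args:
            continue
        action, refs = args[0], args[1:]
        for ref in refs:
            if ref.lstrip("!") not in acls:
                findings.append((n, "UNDEFINED_ACL", f"acl '{ref.lstrip('!')}' is not defined"))
        if name == "http_access" and terminal is None and (action, refs) == ("deny", ["all"]):
            terminal = n
    return findings

if __name__ == "__main__":
    for line, code, message in lint(THREAD_CONF):
        print(f"line {line}: {code}: {message}")
```

The check is static only: it does not replace the Via: header test with wget, curl or squidclient described earlier in the thread, which confirms what the running proxy actually does.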
Re: [squid-users] Help with accelerated site
You seemed to have missed my note quoted below.

<quote>
I would suggest to stick with the accelerator and let your inside guys hit your server on port 80.

1) Put your backend server back on port 80

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 80

whatever I had in my config should be fine once you change my 81 to 80.
I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem.
</quote>

This presumes that your inside guys are on the 192.168.3.x network. They do not need proxying to reach the 192.168.3.1 server since it is on the same subnet.
I assume that they do not need proxying to get outside since your router probably handles that for them.

I am not sure how the outside world reaches the Squid proxy but I assume that you have a NAT in the router that gets them from a public Internet address on the router to the Squid server on port 80.

Do you really need proxying for your inside guys or are they perfectly happy going out to the public Internet normally through your router and can directly address the back-end server without Squid if the backend httpd is on port 80?

The only case where you need to use port 81 is where squid and the httpd server are on the same machine and you want port 80 to belong to squid and squid needs to pass its requests to httpd on another port.

3128 is for proxying internal browsers on a non-routable network 192.168.x.x where you do not have a router that is NATing the inside guys for you. Squid will handle the mapping of outgoing requests and responses by giving the Internet a routable address. It requires that the inside browsers be configured to use a proxy and not try to bang on port 80 but use 3128 on the proxy for all requests.
It does not seem that you need this since your router likely does this for you.

I suspect that you only have to change the 2 lines in the out-of-the-box squid to get this going.

Ron
Re: [squid-users] Help with accelerated site
Hi Hassan,

> Did you read the page:
> http://www.squid-cache.org/Versions/v2/2.7/cfgman/http_port.html

Yes I did read it and I read a great deal more and I have been on many forums, and I have been through the mailing list and and...
Yes it says it clearly but what it doesn't say clearly is whether your clients can have access to the internet and let people access your websites via a proxy, that's what I was asking.

> Under vhost, it clearly says:
> Accelerator mode using Host header for virtual domain support. Implies accel.
>
> So, if you want Squid listener on 3128 to be acting as forward proxy, then don't use vhost. When your internal users are hitting squid for regular internet usage, every port 80 website is automatically proxied, including your internal ones. If it is not working, then there must be a relevant line in the access.log or cache.log which will tell you what happened to that request.
>
> You are configuring the same box for both forward and reverse proxy, which can be tricky. If you are indeed a developer (and no, writing HTML does not count), then you need to use your programming hat a bit more when you're trying to even configure open source software.
>
> Did you read:
> http://wiki.squid-cache.org/SquidFaq/ReverseProxy
>
> It explains a lot of concepts. Please go through them, and try to understand how all this is supposed to work.

Yes I have read this too

> Please do not bombard the list with email after email without getting a response first. Not nice.
>
> Most irritating is when someone:
> 1. appears to not have read the manual with great care
(read it)
> 2. appears to have not searched the internet for this problem
(Done it)
> 3. starts to blame the software because they can't make it work
(yes because some softwares are badly written)
> 4. starts to whine on the mailing list, and sends emails one after
(I thought that was where you can get help, No?)
> another without waiting for an acceptable time (at least 48 hours) for
(I only did it once, because I forgot something or I had something else to add)
> someone to respond
>
> Regards
> HASSAN

I don't understand why is it that you never help on this mailing list, the only time we see you is when somebody complains, then suddenly you pop up from somewhere. All the time you keep silent, you never help with solutions or suggestions.

Yes, Squid, whether you like it or not, is by far not the easiest piece of software to use or to configure. It doesn't mean it is brilliant.
It's difficult and I know it can be made to be a lot easier and user friendly without having to go a great length of time to understand its logic. Not because you used it for a long time or you are somehow involved that you think everybody should open the box and get it to work.
If that was the case, why then we have the mailing list?? If that was as simple as you're trying to make out.

Please, if the only time you show up is to tell me what I must and mustn't do, then spare me your moral lectures on how I should behave.
If this mailing list is yours and I am irritating you then say so, I will leave and leave you in peace.
Other than that please keep away from me.
This is the second time and it's once too many.

Regards
Adam
Re: [squid-users] Help with accelerated site
Subject: Re: [squid-users] Help with accelerated site

Are you trying to build an accelerator for your site or a proxy. Pick one and get it to work. The config that I sent you is an accelerator. I would suggest to stick with the accelerator and let your inside guys hit your server on port 80.

1) Put your backend server back on port 80

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 80 whatever I had in my config should be fine once you change my 81 to 80.

I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem. This way your inside guys are still hitting your backend the old fashioned way and your clients are coming through your front door with a caching proxy. Get rid of the acl stuff until you get it going and then decide how to block people. Check my acl settings but I do not recall doing anything to control access.

KISS
Good luck
Ron

a...@gmail wrote:

Hi Amos,
Thanks for your time at the moment my config is as follows it's working as far as the acceleration mode is concerned

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl out_sites dstdomain www.mysite.org www.mysite.com www.mysite.net
http_access allow our_sites
cache_peer_access main allow our_sites
cache_peer_access deny all

I can access my 3 websites from inside my network and from the Internet no problems apart for it being a little slower than before, but it's working The problem I have right now is None of clients can access the internet The error as before The requested URL could not be retrieved here is the other part of config

acl manager proto cache object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8.0.0.0/32
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all
htcp_access allow localnet
htcp_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 vhost

(note if I remove the vhost I won't access my websites) if I leave it I can't access the internet from my local network) No Bind error at this time I hope that would help see if there's anything wrong with the configuration
Regards
Adam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Sunday, March 28, 2010 8:06 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

Hi Ron, Thanks for your reply and thanks for your time This is perhaps the 10th time I uninstalled it and reinstalled it And this is the very first time I could access my websites internally, externally nothing yet, I am still getting the error This error: The following error was encountered while trying to retrieve the URL: /

... appearing in a reverse-proxy setup means Squid received a reverse-proxy/accelerated request intended for a web server on a port without accel flag configured.

Please read all my notes below right to the end of the email before changing anything. I'm commenting on each fine detail and what it means...

My clients can all access the internet, Yes I am sure that there's a misconfiguration in my config file but I followed every tutorial trying desperately to get something up, after a while you're saturated and very tired, bouncing from one issue to another

... so, we need you to stop bouncing and concentrate on one issue at a time. When we are satisfied that you are understanding that one move on ...

I checked and triple checked my iptables rules everything looks fine so far For instance, my backend server is listening right now on port 81, why did I put it on port 81 because I was getting Cannot bind to in the log file so I changed it to 81 and I am getting the same error, there's absolutely nothing else in my entire network that is using that port So why can't it bind to port 81? You see the type of things that can drive you through the wall at the moment I have only three machines

A is Running the Proxy and the Router (IPTABLES)
B is the back end server
C is the DNS/DHCP servers

And only the backend server that is currently listening on port 81 and before that it was listening on port 80 no matter which port I put in my config I get the Cannot bind to in the log file

... from the below I'd guess you are changing both the Squid http_port and the apache listening Port entries at the same time in your tests.

here is a bit of my config

* http_port 192.168.1.3:81 accel parent vhost defaultsite=www.mysite.org

The tutorial and advice so far as I've seen has been to place Squid
Re: [squid-users] Help with accelerated site
Hi Hassan,
If I had made a long email before is because somebody asked me to post some of my log files some of my config file, some of my iptables and explain what I was trying to achieve so they can see. There was one email where I tried to express my frustration it was not directed to anybody in particular.

Anyway, if you read my posts you'd see that I have tested this with and without the vhost If I use http_port 3128 vhost I can access my websites internally and externally right? If I use it without the vhost my network clients will have access to the internet through the proxy but nobody can access the websites from outside I get the error The requested URL could not be retrieved That's all I asked if there's a way around this or is it one or the other situation?

Regards
Adam

- Original Message -
From: Nyamul Hassan mnhas...@usa.net
To: Squid Users squid-users@squid-cache.org
Sent: Sunday, March 28, 2010 11:09 PM
Subject: Re: [squid-users] Help with accelerated site

See what happened? While you answered to the parts where I complained about your mailing-list behaviour, you failed to try out what was suggested, and report back with the logs. All the other criticisms that you make, is making the emails unnecessarily big. That's the main complaint from myself (and probably others too), so please stop all the other messages.

Did you make the change back to without vhost? Where are you stuck now? The way I see it, without using vhost, you have:

1. A reverse proxy where out-of-network requests are properly forwarded to your not-in-same-box Web Servers
2. A forward proxy, where all your internal network customers can access the Internet using Squid as their proxy.
3. However, the internal requests don't work for only domains hosted in your Web Servers as in #1.

Please mention if this is correct. Or specify where it is wrong.

Regards
HASSAN

On Mon, Mar 29, 2010 at 3:49 AM, a...@gmail adbas...@googlemail.com wrote:

Hi Hassan,

Did you read the page: http://www.squid-cache.org/Versions/v2/2.7/cfgman/http_port.html

Yes I did read it and I read a great deal more and I have been on many forums, and I have been through the mailing list and and... Yes it says it clearly but what it doesn't say clearly is whether your clients can have access to the internet and let people access your websites via a proxy that's what I was asking.

Under vhost, it clearly says: Accelerator mode using Host header for virtual domain support. Implies accel. So, if you want Squid listener on 3128 to be acting as forward proxy, then don't use vhost. When your internal users are hitting squid for regular internet usage, every port 80 website is automatically proxied, including your internal ones. If it is not working, then there must be a relevant line in the access.log or cache.log which will tell you what happened to that request.

You are configuring the same box for both forward and reverse proxy, which can be tricky. If you are indeed a developer (and no, writing HTML does not count), then you need to use your programming hat a bit more when you're trying to even configure open source software.

Did you read: http://wiki.squid-cache.org/SquidFaq/ReverseProxy It explains a lot of concepts. Please go through them, and try to understand how all this is supposed to work.

Yes I have read this too

Please do not bombard the list with email after email without getting a response first. Not nice. Most irritating is when someone:

1. appears to not have read the manual with great care (read it)
2. appears to have not searched the internet for this problem (Done it)
3. starts to blame the software because they can't make it work (yes because some softwares are badly written)
4. starts to whine on the mailing list, and sends emails one after (I thought that was where you can get help, No?) another without waiting for an acceptable time (at least 48 hours) for (I only did it once, because I forgot something or I had something else to add) someone to respond

Regards
HASSAN

I don't understand why is it that you never help on this mailing list the only time we see you is when somebody complains then suddenly you pop up from somewhere all the time you keep silent, you never help with solutions or suggestions.

Yes Squid whether you like it or not is by far not the easiest piece of software to use or to configure it doesn't mean it is brilliant It's difficult and I know it can be made to be a lot easier and user friendly without having to go a great length of time to understand its logic, not because you used it for a long time or you are somehow involved that you think everybody should open the box and get it to work If that was the case, why then we have the mailing list?? If that was as simple as you're trying to make out.

Please if you the only time you show up is to tell me what and I mustn't do then spare me your moral lectures on how I should behave. If this mailing list
Re: [squid-users] Help with accelerated site
Hi Ron thanks again for your reply
No I think you're a little confused here I have one network at the moment and is the 192.168.1.0 My Router and proxy are both on the same machine which is 192.168.1.4 My backend server is on 192.168.1.3 Two different machines but on the same network However if I use this

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 originserver name=whatever

But the problem is elsewhere because if I use http_port 3128 vhost I can access my website both from inside my network and from the internet If I use http_port 3128 without the vhost my network clients can access the Internet but I can't access my websites (backend server) This is the situation right now. I hope this slightly clearer
Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Cc: squid-users@squid-cache.org
Sent: Sunday, March 28, 2010 10:21 PM
Subject: Re: [squid-users] Help with accelerated site

You seemed to have missed my note quoted below.

quote
I would suggest to stick with the accelerator and let your inside guys hit your server on port 80.

1) Put your backend server back on port 80

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 80 whatever I had in my config should be fine once you change my 81 to 80.

I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem.
/quote

This presumes that your inside guys are on the 192.168.3.x network. They do not need proxying to reach the 192.168.3.1 server since it is on the same subnet. I assume that they do not need proxying to get outside since your router probably handles that for them. I am not sure how the outside world reaches the Squid proxy but I assume that you have a NAT in the router that gets them from a public Internet address on the router to the Squid server on port 80.

Do you really need proxying for your inside guys or are they perfectly happy going out to the public Internet normally through your router and can directly address the back-end server without Squid if the backend httpd is on port 80?

The only case where you need to use port 81 is where squid and the httpd server are on the same machine and you want port 80 to belong to squid and squid needs to pass its requests to httpd on another port.

3128 is for proxying internal browsers on a non-routable network 192.168.x.x where you do not have a router that is NATing the inside guys for you. Squid will handle the mapping of outgoing requests and responses by giving the Internet a routable address. It requires that the inside browsers be configured to use a proxy and not try to bang on port 80 but use 3128 on the proxy for all requests. It does not seem that you need this since your router likely does this for you.

I suspect that you only have to change the 2 lines in the out-of-the-box squid to get this going.

Ron

a...@gmail wrote:

Hi Again,
Well my local network can't access the Internet since I had to put the vhost option on the http_port 3128 They can access my sites internally not a problem, but the problem is they can no longer access the internet I have kept the original config The only thing I have changed was adding the acceleration mode for my backend server (sites) and add the vhost option after the http_port 3128 like this

http_port 3128 vhost

I hope that makes more sense
Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com; squid-users@squid-cache.org
Sent: Sunday, March 28, 2010 8:40 PM
Subject: Re: [squid-users] Help with accelerated site

Are you trying to build an accelerator for your site or a proxy. Pick one and get it to work. The config that I sent you is an accelerator. I would suggest to stick with the accelerator and let your inside guys hit your server on port 80.

1) Put your backend server back on port 80

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 80 whatever I had in my config should be fine once you change my 81 to 80.

I needed to use 81 since I had both apache and squid on the same machine. You do not have this problem. This way your inside guys are still hitting your backend the old fashioned way and your clients are coming through your front door with a caching proxy. Get rid of the acl stuff until you get it going and then decide how to block people. Check my acl settings but I do not recall doing anything to control access.

KISS
Good luck
Ron

a...@gmail wrote:

Hi Amos,
Thanks for your time at the moment my config is as follows it's working as far as the acceleration mode is concerned

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl out_sites dstdomain www.mysite.org www.mysite.com
Re: [squid-users] Help with accelerated site
On Sun, 28 Mar 2010 23:37:38 +0100, a...@gmail adbas...@googlemail.com wrote:

Hi Ron thanks again for your reply
No I think you're a little confused here I have one network at the moment and is the 192.168.1.0 My Router and proxy are both on the same machine which is 192.168.1.4 My backend server is on 192.168.1.3 Two different machines but on the same network However if I use this

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 originserver name=whatever

But the problem is elsewhere because if I use http_port 3128 vhost I can access my website both from inside my network and from the internet If I use http_port 3128 without the vhost my network clients can access the Internet but I can't access my websites (backend server) This is the situation right now.

Right. Okay. STOP touching the reverse-proxy parts of the config. You have them working.

http_port 3128 should stay with no other special flags.

In the config you posted earlier you had these lines:

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all

If you read them top to bottom the way Squid reads them you will clearly see that you have a deny all right in the middle. This does exactly what it says denies ALL access to things which are not permitted above it.

You need to remove the our_network ACL completely and adjust the localnet ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s).

Amos
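The top-to-bottom reading described in the message above, as an added example that is not part of the original message and is not Squid's own code: a small Python model of first-match http_access evaluation, run over the quoted rules. The client address 192.168.1.20, the `src` keyword added to the our_network line and the FIXED rule set are assumptions made for the illustration.

```python
import ipaddress

# Constructed from the lines quoted in the message above. The cache-manager
# rules are left out, and "src" is added to the our_network line (an
# assumption) so that it parses as an ACL definition.
POSTED = """
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network src 192.168.1.0/24
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all
"""

# Assumed corrected form: localnet narrowed to the LAN range named in the
# thread, followed by a single closing deny.
FIXED = """
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
"""


def parse(conf):
    """Return (acls, rules) for the src ACLs and http_access lines in conf."""
    # "all" matches every client address.
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network("::/0")]}
    rules = []
    for lineno, raw in enumerate(conf.strip().splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            if len(words) < 4 or words[2] != "src":
                raise ValueError(f"line {lineno}: only 'acl NAME src ADDR...' is modelled")
            nets = [ipaddress.ip_network(w, strict=False) for w in words[3:]]
            # Repeating an ACL name adds values; any one of them may match (OR).
            acls.setdefault(words[1], []).extend(nets)
        elif words[0] == "http_access":
            if len(words) < 3 or words[1] not in ("allow", "deny"):
                raise ValueError(f"line {lineno}: expected 'http_access allow|deny ACL...'")
            for name in words[2:]:
                if name.lstrip("!") not in acls:
                    raise ValueError(f"line {lineno}: undefined ACL {name!r}")
            rules.append((lineno, words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, client):
    """True if the (possibly '!'-negated) ACL name matches the client address."""
    negated = name.startswith("!")
    hit = any(client in net for net in acls[name.lstrip("!")])
    return hit != negated


def decide(conf, client_ip):
    """Return (action, line number of the deciding rule) for one client."""
    acls, rules = parse(conf)
    client = ipaddress.ip_address(client_ip)
    for lineno, action, names in rules:
        # All ACLs on one http_access line must match (AND); first match wins.
        if all(acl_matches(acls, n, client) for n in names):
            return action, lineno
    if not rules:
        return "deny", None  # no http_access lines at all: Squid denies
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][1] == "allow" else "allow"), None


def dead_rules(conf):
    """Line numbers of http_access rules placed below an unconditional 'all' rule."""
    _, rules = parse(conf)
    dead, closed = [], False
    for lineno, _action, names in rules:
        if closed:
            dead.append(lineno)
        elif names == ["all"]:
            closed = True
    return dead


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, decide(conf, "192.168.1.20"), "unreachable:", dead_rules(conf))
```

With the posted ordering a 192.168.1.x client is decided by the first `deny all`, and the `allow our_network` rule below it can never be reached.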
Re: [squid-users] Help with accelerated site
Hello Amos,
Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed our_network and the relevant http_access etc.. But couldn't access the internet

After that I did the following added and http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine I am not sure it's being wise to make squid listen on more than one port, I'll keep a closer eye on it and see what will happen in the next day or two.

Anyway this for the benefit of anybody who find themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e Internet) This is if your sites are on the same webserver on a virtual host you can use the following

http_port 3128 vhost
http_port 8080 or whatever you want to use for your clients and then simply configure your clients to use that port

I just want to thank everyone here who tried to help
Best regards
Adam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Monday, March 29, 2010 12:12 AM
Subject: Re: [squid-users] Help with accelerated site

On Sun, 28 Mar 2010 23:37:38 +0100, a...@gmail adbas...@googlemail.com wrote:

Hi Ron thanks again for your reply
No I think you're a little confused here I have one network at the moment and is the 192.168.1.0 My Router and proxy are both on the same machine which is 192.168.1.4 My backend server is on 192.168.1.3 Two different machines but on the same network However if I use this

http_port 80 accel vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 originserver name=whatever

But the problem is elsewhere because if I use http_port 3128 vhost I can access my website both from inside my network and from the internet If I use http_port 3128 without the vhost my network clients can access the Internet but I can't access my websites (backend server) This is the situation right now.

Right. Okay. STOP touching the reverse-proxy parts of the config. You have them working.

http_port 3128 should stay with no other special flags.

In the config you posted earlier you had these lines:

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl our_network 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
http_access allow our_network
http_access deny all

If you read them top to bottom the way Squid reads them you will clearly see that you have a deny all right in the middle. This does exactly what it says denies ALL access to things which are not permitted above it.

You need to remove the our_network ACL completely and adjust the localnet ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s).

Amos
Re: [squid-users] Help with accelerated site
On Mon, 29 Mar 2010 00:39:40 +0100, a...@gmail adbas...@googlemail.com wrote:

Hello Amos, Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed our_network and the relevant http_access etc.. But couldn't access the internet

Part #1 of my sentence (cleaning out config garbage) completed.

You need to remove the our_network ACL completely

Part #2 of my sentence (how to enable access) apparently ignored.

... and adjust the localnet ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s).

Instead you went on and made up your own approach which complicates your setup A LOT and now requires you to juggle many other software configurations as well to make them all match the fancy squid.conf ...

After that I did the following added and http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine

100% sure about that? What is your public website name?

I am not sure it's being wise to make squid listen on more than one port,

... not sure it's _wise_ ?! It's REQUIRED for safe security to run a different port for each type of input the proxy receives. When doing so firewall and squid.conf rules become very easy to understand and get correct without causing security breaches by accidental misconfiguration.

What we have been trying to get you to do is properly setup http_port 80 accel vhost to receive reverse-proxy mode traffic (public website) and http_port 3128 to receive forward-proxy mode traffic (your LAN).

I'll keep a closer eye on it and see what will happen in the next day or two. Anyway this for the benefit of anybody who find themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e Internet) This is if your sites are on the same webserver on a virtual host

Nobody is ever forced to do this by Squid. You are no exception.

Amos
Re: [squid-users] Help with accelerated site
At this point, the best suggestion that I can provide to Adam is to remove the existing config, and re-instate the default config that came with Squid. Then, start from there. No need to define make custom ACLs, make everything accessible at first. Just concentrate on making the FWD + REV configs working, then moving to ACLs.

Regards
HASSAN

On Mon, Mar 29, 2010 at 6:22 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On Mon, 29 Mar 2010 00:39:40 +0100, a...@gmail adbas...@googlemail.com wrote:

Hello Amos, Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed our_network and the relevant http_access etc.. But couldn't access the internet

Part #1 of my sentence (cleaning out config garbage) completed.

You need to remove the our_network ACL completely

Part #2 of my sentence (how to enable access) apparently ignored.

... and adjust the localnet ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s).

Instead you went on and made up your own approach which complicates your setup A LOT and now requires you to juggle many other software configurations as well to make them all match the fancy squid.conf ...

After that I did the following added and http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine

100% sure about that? What is your public website name?

I am not sure it's being wise to make squid listen on more than one port,

... not sure it's _wise_ ?! It's REQUIRED for safe security to run a different port for each type of input the proxy receives. When doing so firewall and squid.conf rules become very easy to understand and get correct without causing security breaches by accidental misconfiguration.

What we have been trying to get you to do is properly setup http_port 80 accel vhost to receive reverse-proxy mode traffic (public website) and http_port 3128 to receive forward-proxy mode traffic (your LAN).

I'll keep a closer eye on it and see what will happen in the next day or two. Anyway this for the benefit of anybody who find themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e Internet) This is if your sites are on the same webserver on a virtual host

Nobody is ever forced to do this by Squid. You are no exception.

Amos
Re: [squid-users] Help with accelerated site
Hi Amos,
Thanks again for your reply You asked me to remove the our_network Acl completely, I have done so I didn't even comment it, I removed it.

I have commented out the # acl localnet 172.0.0
I have commented out the # acl localnet 10.0.0.0/8
I have put my own localnet

acl localnet 192.168.1.0/32
http_access allow manager localhost
http_access deny manager
http_access allow localnet

right?

Now for 100% sure I will give it as I said a day or two and see how it goes for now everything seems to be working fine. I will email you my website I have done what you suggested now if there's something you think I haven't done please let me know

Thanks again
Regards
Adam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Monday, March 29, 2010 1:22 AM
Subject: Re: [squid-users] Help with accelerated site

On Mon, 29 Mar 2010 00:39:40 +0100, a...@gmail adbas...@googlemail.com wrote:

Hello Amos, Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed our_network and the relevant http_access etc.. But couldn't access the internet

Part #1 of my sentence (cleaning out config garbage) completed.

You need to remove the our_network ACL completely

Part #2 of my sentence (how to enable access) apparently ignored.

... and adjust the localnet ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s).

Instead you went on and made up your own approach which complicates your setup A LOT and now requires you to juggle many other software configurations as well to make them all match the fancy squid.conf ...

After that I did the following added and http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine

100% sure about that? What is your public website name?

I am not sure it's being wise to make squid listen on more than one port,

... not sure it's _wise_ ?! It's REQUIRED for safe security to run a different port for each type of input the proxy receives. When doing so firewall and squid.conf rules become very easy to understand and get correct without causing security breaches by accidental misconfiguration.

What we have been trying to get you to do is properly setup http_port 80 accel vhost to receive reverse-proxy mode traffic (public website) and http_port 3128 to receive forward-proxy mode traffic (your LAN).

I'll keep a closer eye on it and see what will happen in the next day or two. Anyway this for the benefit of anybody who find themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e Internet) This is if your sites are on the same webserver on a virtual host

Nobody is ever forced to do this by Squid. You are no exception.

Amos
Re: [squid-users] Help with accelerated site
Hi Hassan,
Thanks for your suggestion, I just did that about 10 times already lol I started from scratch, the one I have right now is basically a default config with few changes I can easily remove them, but with the default config there was no way I could access my sites the only thing it did allow was the access to the internet for network clients I will double check what Amos has suggested once again and see if I hadn't missed anything

Regards
Adam

- Original Message -
From: Nyamul Hassan mnhas...@usa.net
To: Squid Users squid-users@squid-cache.org
Sent: Monday, March 29, 2010 1:32 AM
Subject: Re: [squid-users] Help with accelerated site

At this point, the best suggestion that I can provide to Adam is to remove the existing config, and re-instate the default config that came with Squid. Then, start from there. No need to define make custom ACLs, make everything accessible at first. Just concentrate on making the FWD + REV configs working, then moving to ACLs.

Regards
HASSAN

On Mon, Mar 29, 2010 at 6:22 AM, Amos Jeffries squ...@treenet.co.nz wrote:

On Mon, 29 Mar 2010 00:39:40 +0100, a...@gmail adbas...@googlemail.com wrote:

Hello Amos, Thanks for your reply and suggestion I have just done what you suggested and I still couldn't access the internet from my local network I completely removed our_network and the relevant http_access etc.. But couldn't access the internet

Part #1 of my sentence (cleaning out config garbage) completed.

You need to remove the our_network ACL completely

Part #2 of my sentence (how to enable access) apparently ignored.

... and adjust the localnet ACL as per the default config instructions so that it only specifies your internal LAN IP address range(s).

Instead you went on and made up your own approach which complicates your setup A LOT and now requires you to juggle many other software configurations as well to make them all match the fancy squid.conf ...

After that I did the following added and http_port 8080 to the config and up my clients could access the internet and I can still access my backend server from the internet So normally everything is working fine

100% sure about that? What is your public website name?

I am not sure it's being wise to make squid listen on more than one port,

... not sure it's _wise_ ?! It's REQUIRED for safe security to run a different port for each type of input the proxy receives. When doing so firewall and squid.conf rules become very easy to understand and get correct without causing security breaches by accidental misconfiguration.

What we have been trying to get you to do is properly setup http_port 80 accel vhost to receive reverse-proxy mode traffic (public website) and http_port 3128 to receive forward-proxy mode traffic (your LAN).

I'll keep a closer eye on it and see what will happen in the next day or two. Anyway this for the benefit of anybody who find themselves in the same or similar situation if you're forced to use http_port 3128 vhost (in order to access your sites from outside i.e Internet) This is if your sites are on the same webserver on a virtual host

Nobody is ever forced to do this by Squid. You are no exception.

Amos
Re: [squid-users] Help with accelerated site
Hi Amos,
Yes I didn't copy paste it I just typed it and I forgot to mention it but it is in the actual config, because what I did basically I took a default config copy pasted everything that was uncommented to a file I then created another config file because to go through the amount of comments in the default everytime I need to do something is very tiring, so that way it's much clearer Yes I have the src and dst on one of them

Thank you again I hope I won't have more issues with other applications, such as Java applets and other things similar

Thanks again for your support and patience
Regards
Adam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Monday, March 29, 2010 2:59 AM
Subject: Re: [squid-users] Help with accelerated site

On Mon, 29 Mar 2010 02:39:24 +0100, a...@gmail adbas...@googlemail.com wrote:

Hi Amos, Thanks again for your reply You asked me to remove the our_network Acl completely, I have done so I didn't even comment it, I removed it.

I have commented out the # acl localnet 172.0.0
I have commented out the # acl localnet 10.0.0.0/8
I have put my own localnet

acl localnet 192.168.1.0/32
http_access allow manager localhost
http_access deny manager
http_access allow localnet

right?

Close. You don't have the word src in that config line you display for the ACL definition. I hope that is just a typo in the email text.

That is all at this point.

Amos
Re: [squid-users] Help with accelerated site
No one at all? No suggestions, no ideas?

Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Cc: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

Hello there,
Thanks for the reply Ron and Amos

Maybe my original e-mail wasn't clear a bit confusing I am sorry if I confused you

I have squid running on Machine A with let's say local ip 192.168.1.4 the backend server is running on machine B and ip address 192.168.1.3

Now, instead of getting the website that is located on Machine B 192.168.1.3 which is listening on port 81 not 80. I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4

And I do have the vhost in my configuration

Well there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81, logically (technically) speaking it should work, but for some reason it doesn't.

I hope it makes more sense to you what I am trying to describe here

Very helpful.

You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80.

You will very likely find a note in the squid logs that says something to the effect that squid can not bind to port 80.

If you shutdown apache on 192.168.1.4 and restart squid, your proxy will work (if the rest of the configuration is correct)

If you then try to start apache on 192.168.1.4 it will certainly complain loudly about port 80 not being free.

If you want to use Apache on both 192.168.1.4 and 192.168.1.3 you need to set the apache on 192.168.1.4 to listen on port 81 and set squid to proxy to the apache on 192.168.1.4 and use apache's proxy and vhost features to reach 192.168.1.5 which can be set to listen on port 80.

This will support
browser=Squid on 192.168.1.4 == Apache on 192.168.1.4:81 (vhost) ==Apache 192.168.1.3:80

That is a pretty common approach.

Ron

Thank you all for your help

Regards
Adam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thursday, March 25, 2010 1:01 AM
Subject: Re: [squid-users] Help with accelerated site

On Wed, 24 Mar 2010 19:48:27 -0400, Ron Wheeler rwhee...@artifact-software.com wrote:

What is squid proxying?

Usually the normal behaviour is exactly what you are getting since squid normally proxies Apache on 80.

Browser == Squid on 80==proxied to Apache on port 81.

If Squid is not proxying Apache, then it looks like you have Apache running on 80.

If you are trying to redirect port 80 to another program that is not Apache, then you need to get Apache off port 80. You can not have 2 programs listening to port 80.

If Apache is running and owns port 80, Squid will not start. If this is the case, You likely have errors in the logs to this effect.

Shut down Apache and restart Squid. Try to start Apache and now it should howl with anger (or log in anger) at not getting port 80.

Ron

a...@gmail wrote:

Hello All,

I have followed this configuration, but when I try and access the website from outside my network All I get is the default page of the apache on the machine where the Squid proxy is installed

Here is the link:
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

here is the configuration I followed

http_port 80 accel defaultsite=your.main.website.name
(changed my port to 81 my backend server listens on port 81)
I have
http_port 81 accel defaultsite=www.my.website.org vhost
and then used this
cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
cache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel
(myAccel I have put a name)
and then
acl our_sites dstdomain my.website.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

Anybody with any suggestions please?
Any help would be appreciated thank you

Regards
Adam

Sorry, took me a while to un-mangle that original email text.

You are missing the vhost option on https_port 80. All traffic Squid receives on port 80 will go to Apache's default virtual host.

Amos
Re: [squid-users] Help with accelerated site
Hello All.

I have to say since I started using Squid I get thrown from one problem to another, followed every suggestion and every tutorial and I could not get through to my backend server

This is ridiculous now, I honestly start to believe that this whole project is a joke or the software isn't at all mature to deal with what it is supposed to deal with, it's still in a teething stages, and I believe that we are the guinea pigs of this project where they made us believe that it works, I do not believe for one second that it actually works.

I have read so many questions regarding this particular issue and nobody could come up with a straight answer, are we the only people with this issue? are we the only people with no luck? The questions that was asked time and time again was never been answered, so please don't tell me that this thing works, I'd like to see it and don't tell me this whole site runs on a proxy Squid I'd like to see it as well.

I was getting this before:

ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: /
The following error was encountered:
* Invalid URL

And I followed a suggestion I read on the mailing list, that maybe I needed to add a vhost after the http_port 3128

Now I am getting this instead:

The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://www.mysite.org/
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is webmaster.

It's not actually working at all, all it does is taking you from one problem to another, and so forth it's a non-stop it's a bag of problems and nasty surprises, not to mention things you need to tweak on my system to make Mr Squid happier

I am sorry guys but this thing doesn't work and I believe it when I see it and even if I see it working it's still ridiculous to spend as much time to get one piece of software to work.

I have followed the tutorials to the letter and many suggestions, not to mention the amount of time I wasted on this thing never before in my life I have spent as much time on any programme, this is the first time and I am not willing to spend the rest of my life trying to figure out something that doesn't work.

Sorry guys but I am very very disappointed with this, I am just going to completely uninstall the whole thing And go back to the way it was before or perhaps look for an alternative for something that works.

Thanks to all of you who tried to help
Best of luck to anyone who's still trying to solve Squid's never ending issues.

Thank you.
Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Cc: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

Hello there,
Thanks for the reply Ron and Amos

Maybe my original e-mail wasn't clear a bit confusing I am sorry if I confused you

I have squid running on Machine A with let's say local ip 192.168.1.4 the backend server is running on machine B and ip address 192.168.1.3

Now, instead of getting the website that is located on Machine B 192.168.1.3 which is listening on port 81 not 80.
RE: [squid-users] Help with accelerated site
Hi Adam, a few recommendations:

1) There are a number of consultancy and support organizations that provide dedicated support for squid. If you can't find the answer here or yourself (via code or in docs), they might be an alternative you want to look into

2) The developers and people supporting squid on this list are all donating their time, they don't owe you, I, or anyone on here anything. Lambasting them isn't cool, and not appreciated by anyone on this list.

3) We all get frustrated with software, it's the nature of the business (I average a couple cycles of frustration a day myself). But lashing out in a public forum, against the very people that might be able to help you is like trying to catch flies with vinegar.

4) If you aren't getting the responses you need try refining your questions into smaller bites. There are a lot of emails in this forum and it's not always easy to digest a long email (again, the community support provided is free, if you need people to really dedicate time to your issue you should consider paying them for their time, e.g. refer back to suggestion #1).

I wish you the best of luck with your task, unfortunately I don't know the answer to your question myself or I would offer my own suggestions.

David

-Original Message-
From: a...@gmail [mailto:adbas...@googlemail.com]
Sent: Saturday, March 27, 2010 7:07 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Help with accelerated site

Hello All.

I have to say since I started using Squid I get thrown from one problem to another, followed every suggestion and every tutorial and I could not get through to my backend server

This is ridiculous now, I honestly start to believe that this whole project is a joke or the software isn't at all mature to deal with what it is supposed to deal with, it's still in a teething stages, and I believe that we are the guinea pigs of this project where they made us believe that it works, I do not believe for one second that it actually works.
Re: [squid-users] Help with accelerated site
Hi David,

I wasn't having a go at anyone in particular yes I am frustrated with this software I didn't start yesterday in this business I know there is always a certain level of frustration when dealing with machines.

But this particular software has NO logic whatsoever, You do something for instance it works, but not to what you want it, and then you add a directive to it either it gets worse or it changes then you undo what you just did, what would you expect normally? The previous result right? NO with squid it doesn't work that way it takes you from one error to another from one problem to another and so on...

Yes I am a developer myself, but I make sure what I do has a certain level of logic I am not saying we don't have issues but we also make sure that the documentation is straight forward for anybody to understand it. It's like a manufacturer who makes gadgets and give you a vague idea on how the thing works.

Besides I have followed all of the documentations, all of the examples which they are not easy to understand either and in the end no result it's been more than five weeks day in day out I couldn't even bring one of sites up, and every link forum I followed either it doesn't apply to my version or it is at least 2 years old.

I didn't say you owe me anything or anybody here all I am saying is a little common sense, if you make something it's imperative that you make sure people will understand its use.

And it's not just me, this particular issue has been asked for the last two or three years, are you going to tell me that after all this time nobody gave an answer to this? It strikes me maybe even the developers don't know the answer to this, all I have read so far is try this and try that and nothing works.

And I didn't attack anyone as far as I can see, and it's funny I posted three e-mails and nobody replied fair enough maybe they don't have an answer but no reply whatsoever but as soon as I say something against this whole project and the way it's been handled, I get a reply.

I wasn't disrespectful to anyone, but as a professional myself I do take it on the chin when I am criticised about what I do or the way I do it

Being honest I was saying how I feel about this software, if anyone feels hurt by what I said I am sorry it wasn't my intention, and they can prove me wrong then.

For instance up until now, I couldn't get my websites up, on my backend server, now I managed to access them locally, and guess what? All of the examples they gave in the tutorials were wrong, I had to reverse the process to be able to access them from my local network

But I still can't access them from outside my network, anyway it's my problem, one thing I will make sure is IF I ever manage to get them working I will write a tutorial to help people who might need it, because there's nothing out there for version 3.0

in less than an hour I installed a DHCP and DNS servers configured them and they were rolling, but Squid It's five weeks later and I am still struggling with it, and I mean five weeks, day in day out, morning and evening. and late nights too.

I didn't mean to offend anyone, but a bit of criticism is healthy in order to improve things in general.

Thanks for your offer
Good luck to all

Regards
Adam

- Original Message -
From: David Parks davidpark...@yahoo.com
To: 'a...@gmail' adbas...@googlemail.com; squid-users@squid-cache.org
Sent: Saturday, March 27, 2010 3:45 PM
Subject: RE: [squid-users] Help with accelerated site

Hi Adam, a few recommendations:

1) There are a number of consultancy and support organizations that provide dedicated support for squid.
Re: [squid-users] Help with accelerated site
It is a very stable piece of software that is used in production all the time.

You have made a small mistake somewhere in your setup. One of your errors in a previous e-mail seemed to indicate that you had programmed a loop into your setup.

You might try uninstalling and starting over with an out of the box configuration.

I would also start with only one way proxying and get that working. If you are trying to act as an accelerator for your website, just do that. That is a trivial setup.

You might also use Webmin to do the configuring since it gives you a gui and avoids fiddling with configuration file syntax.

In my case, I have the proxy running on the same machine as the apache webserver

accel defaultsite=www.artifact-software.com vhost

Squid listens on port 80 and tries to satisfy requests from its cache. If it can not, it passes the request to port 127.0.0.1:81 where Apache is listening with about 20 vhost sites including 2 proxies for Tomcats on other backend servers.

Works great so I would not be at all concerned that you will have problems after you get your little misconfiguring fixed.

Ron

a...@gmail wrote:

Hello All.

I have to say since I started using Squid I get thrown from one problem to another, followed every suggestion and every tutorial and I could not get through to my backend server

This is ridiculous now, I honestly start to believe that this whole project is a joke or the software isn't at all mature to deal with what it is supposed to deal with, it's still in a teething stages, and I believe that we are the guinea pigs of this project where they made us believe that it works, I do not believe for one second that it actually works.

I have read so many questions regarding this particular issue and nobody could come up with a straight answer, are we the only people with this issue? are we the only people with no luck?
Re: [squid-users] Help with accelerated site
Hi Ron,

Thanks for your reply and thanks for your time

This is perhaps the 10th time I uninstalled it and reinstalled it And this is the very first time I could access my websites internally, externally nothing yet, I am still getting the error

The following error was encountered while trying to retrieve the URL: /
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
a.. Missing or incorrect access protocol (should be http:// or similar)
b.. Missing hostname
c.. Illegal double-escape in the URL-Path
d.. Illegal character in hostname; underscores are not allowed.
Your cache administrator is webmaster.

My clients can all access the internet, Yes I am sure that there's a misconfiguration in my config file but I followed every tutorial trying desperately to get something up, after a while you're saturated and very tired, bouncing from one issue to another

I checked and triple checked my iptables rules everything looks fine so far

For instance, my backend server is listening right now on port 81, why did I put it on port 81 because I was getting Cannot bind to in the log file so I changed it to 81 and I am getting the same error, there's absolutely nothing else in my entire network that is using that port So why can't it bind to port 81?

You see the type of things that can drive you through the wall

at the moment I have only three machines
A is Running the Proxy and the Router (IPTABLES)
B is the back end server
C is the DNS/DHCP servers

And only the backend server that is currently listening on port 81 and before that it was listening on port 80 no matter which port I put in my config I get the Cannot bind to in the log file

here is a bit of my config

*
http_port 192.168.1.3:81 accel parent vhost defaultsite=www.mysite.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main
acl dstdomain our_sites dstdomain www.mysite1.orgwww.mysite2.com www.mysite3.net
http_allow_access main allow our_sites
http_peer_access main deny all

At the moment all of these sites are running on the same server (virtualhost)

The only thing I am not sure of is probably the cache_peer directive

cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main

If it's wrong then I don't know what to put in there

Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Cc: squid-users@squid-cache.org
Sent: Saturday, March 27, 2010 4:34 PM
Subject: Re: [squid-users] Help with accelerated site

It is a very stable piece of software that is used in production all the time.

You have made a small mistake somewhere in your setup. One of your errors in a previous e-mail seemed to indicate that you had programmed a loop into your setup.

You might try uninstalling and starting over with an out of the box configuration.

I would also start with only one way proxying and get that working. If you are trying to act as an accelerator for your website, just do that. That is a trivial setup.

You might also use Webmin to do the configuring since it gives you a gui and avoids fiddling with configuration file syntax.
Re: [squid-users] Help with accelerated site
Hi All,

I get this in my cache log, does anyone know what it means please?

Unlinkd pipe opened on FD 13

Every time I get this I know something is going pear shape again

Thank you all
Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Sent: Saturday, March 27, 2010 5:07 PM
Subject: Re: [squid-users] Help with accelerated site

I sent you my working config. My squid is proxying Apache on its own machine

http_port 192.168.1.3:81

is the port that squid is listening on it should just be 80 no host so it gets the incoming http requests.

http_port 80 accel vhost defaultsite=www.mysite.org

The host specification is why it can not bind.

a...@gmail wrote:

Hi Ron,

Thanks for your reply and thanks for your time

This is perhaps the 10th time I uninstalled it and reinstalled it And this is the very first time I could access my websites internally, externally nothing yet, I am still getting the error

The following error was encountered while trying to retrieve the URL: /
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
a.. Missing or incorrect access protocol (should be http:// or similar)
b.. Missing hostname
c.. Illegal double-escape in the URL-Path
d.. Illegal character in hostname; underscores are not allowed.
Your cache administrator is webmaster.
Re: [squid-users] Help with accelerated site
Hi Al, thanks for your reply, I don't acutally have a problem with the apache because the webserver is on another machine as the backend server switching off the apache running on the proxy machine doesn't bother me what I am having a problem with is that it doesn't pull the website from the backend server and right now it won't even allow me access from the local network I have commented out all of the deny accesses and yet it still won't allow any machine on my local network to access the internet. That's what I found very strange. My proxy server runs freely on a dedicated machine nothing else runs on that machine. Regards Adam - Original Message - From: Al - Image Hosting Services az...@zickswebventures.com To: a...@gmail adbas...@googlemail.com Cc: squid-users@squid-cache.org Sent: Friday, March 26, 2010 1:24 AM Subject: Re: [squid-users] Help with accelerated site Hi, Although you can't have apache and squid listening on port 80 on the same IP, you can have them both running on port 80 on the same machine. Just do this: Change your apache config to: Listen 127.0.0.1:80 Change your squid config to: cache_peer 127.0.0.1 parent 80 0 no-query originserver http_port 1.2.3.4:80 accel vhost Where 1.2.3.4 is, put your public IP. -Al On Thu, 25 Mar 2010, a...@gmail wrote: Date: Thu, 25 Mar 2010 16:30:33 - From: a...@gmail adbas...@googlemail.com To: Ron Wheeler rwhee...@artifact-software.com Cc: Amos Jeffries squ...@treenet.co.nz, squid-users@squid-cache.org Subject: Re: [squid-users] Help with accelerated site Hi All, Thank you guys for your help I have tried your suggestions, Yes Ron I know that two programmes can't both listen on the same port at the same time but I thought the Apache was essential for the Proxy server, so thanks for the suggestion, I am including bits of my config here, because now I am getting Access Denied even from a local network: Can you guys please take a look at it and see if you can spot what's causing the access denied. 
Re: [squid-users] Help with accelerated site
--out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
#iptables -A INPUT -j DROP
# modprobe ip_nat_ftp

If I type this http://localhost I get the default apache webpage "It Works". If I type 192.168.1.3 I get the same thing as above. I stopped the apache on the webserver, and I still get the same page as above. I stopped both apaches, the one on the proxy machine and the webserver, and I still get the default apache page "It Works" when I type 192.168.1.3.

I am running out of ideas. Where does this come from? I have cleared the browser's cache and I still get it; when I stop the proxy server, obviously I get connection refused.

I have one question: is Squid packaged with apache? That's the only thing I can think of.

Your help would be much appreciated.

Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Sent: Friday, March 26, 2010 5:14 PM
Subject: Re: [squid-users] Help with accelerated site

There are 2 uses for Squid:

1) To act as a proxy for browsers inside your network that want to get out to the Internet and you want to avoid 2 people downloading the same big file by having squid remember pages that it sees go by and giving the second requester the copy that is already in cache on its disk. In this case it is usually watching on port 3128 on the NIC attached to your internal LAN for requests that should be sent out on the public address.

2) To act as an accelerator for people outside who want pages from your web server. In this case it is watching for requests coming in on port 80 on the NIC that carries the public address and checking to see if the page that they are requesting is in its cache and if it is, it responds to the request without bothering the webserver.

Note in Case 2, it is not doing anything for your people on the inside since they do NOT come in through the ethernet interface that Squid is watching.

You have to be clear in your configuring and testing that you are testing with the right connections. If you are testing case 2, you need to be outside your network to test. If you come into port 80 on the ethernet NIC that is part of your internal LAN, your accelerator may not even see it. Make sure that your firewall setup matches what you are trying to do.

If you have got everything set up for whichever case you are testing, you might want to ask some of these questions to see what is happening.

What happens when you try to reference the proxy with a browser on port 80?
What is showing up in your squid log when you make the request?
What is showing up in your firewall log when you make the request?
What is showing up in the Apache log when you make the request?

Post some of these results when asking for help. The answer usually is in the logs.

Ron

a...@gmail wrote:

> Hi Al,
>
> Thanks for your reply. I don't actually have a problem with the apache, because the webserver is on another machine as the backend server; switching off the apache running on the proxy machine doesn't bother me. What I am having a problem with is that it doesn't pull the website from the backend server, and right now it won't even allow me access from the local network. I have commented out all of the deny accesses and yet it still won't allow any machine on my local network to access the internet.

You can do both with Apache but the configurations and problems are very different. What exactly are you trying to do? Try to get one working first and then go after the other.

> That's what I found very strange. My proxy server runs freely on a dedicated machine; nothing else runs on that machine.
>
> Regards
> Adam
>
> - Original Message -
> From: Al - Image Hosting Services az...@zickswebventures.com
> To: a...@gmail adbas...@googlemail.com
> Cc: squid-users@squid-cache.org
> Sent: Friday, March 26, 2010 1:24 AM
> Subject: Re: [squid-users] Help with accelerated site
>
> Hi,
>
> Although you can't have apache and squid listening on port 80 on the same IP, you can have them both running on port 80 on the same machine. Just do this:
>
> Change your apache config to:
>
> Listen 127.0.0.1:80
>
> Change your squid config to:
>
> cache_peer 127.0.0.1 parent 80 0 no-query originserver
> http_port 1.2.3.4:80 accel vhost
>
> Where 1.2.3.4 is, put your public IP.
>
> -Al
>
> On Thu, 25 Mar 2010, a...@gmail wrote:
>
> Date: Thu, 25 Mar 2010 16:30:33 -
> From: a...@gmail adbas...@googlemail.com
> To: Ron Wheeler rwhee...@artifact
Re: [squid-users] Help with accelerated site
Hello again,

Here are a few updates of my cache.log and access.log. Can anybody translate to me what that means? I have changed my real site to mysite.

Thank you all.

I tried www.mysite.org from a local machine which is 192.168.1.1; remember the router is actually on 192.168.1.4, which is also the Squid machine.

cache log report ***

2010/03/26 20:41:24| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.0
Host: www.mysite.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.18) Gecko/2010021501 Ubuntu/8.04 (hardy) Firefox/3.0.18
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Via: 1.1 proxy (squid/3.0.STABLE25)
X-Forwarded-For: 192.168.1.1
Cache-Control: max-age=259200
Connection: keep-alive

2010/03/26 20:47:02| WARNING: Forwarding loop detected for:
GET / HTTP/1.0
Host: www.mysite.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.18) Gecko/2010021501 Ubuntu/8.04 (hardy) Firefox/3.0.18
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: http://www.mysite.org
Via: 1.1 proxy (squid/3.0.STABLE25)
X-Forwarded-For: 192.168.1.1
Cache-Control: max-age=259200
Connection: keep-alive

## access.log

1269636041.546157 192.168.1.1 TCP_MISS/200 5178 GET http://www.google.com/ - DIRECT/66.102.9.104 text/html
1269636041.727163 192.168.1.1 TCP_MISS/200 9340 GET http://www.google.com/intl/fr_ALL/images/logo.gif - DIRECT/66.102.9.104 image/gif
1269636042.006168 192.168.1.1 TCP_MISS/200 21210 GET http://www.google.com/extern_js/f/CgJmciswCjheQB0sKzAOOAwsKzAWOBcsKzAXOAYsKzAYOAUsKzAZOBksKzAdOCUsKzAlOMqIASwrMCY4CSwrMCc4BCwrMCo4AywrMCs4CiwrMDw4AiwrMEA4DSwrMEQ4AiwrMEU4ASwrME44ASw/BYTXK9Z1bX4.js - DIRECT/66.102.9.104 text/javascript
1269636042.099 59 192.168.1.1 TCP_MISS/200 4144 GET http://www.google.com/extern_chrome/1ae1d100aea24288.js - DIRECT/66.102.9.104 text/html
1269636042.164113 192.168.1.1 TCP_MISS/204 239 GET http://clients1.google.com/generate_204 - DIRECT/209.85.227.101 text/html
1269636042.212 42 192.168.1.1 TCP_MISS/200 6059 GET http://www.google.com/images/nav_logo8.png - DIRECT/66.102.9.104 image/png
1269636042.298127 192.168.1.1 TCP_MISS/204 329 GET http://www.google.com/csi? - DIRECT/66.102.9.105 text/html
1269636054.744 0 192.168.1.1 TCP_HIT/200 456 GET http://192.168.1.3/ - NONE/- text/html
1269636054.865 6 192.168.1.1 TCP_MISS/404 665 GET http://192.168.1.3/favicon.ico - DIRECT/192.168.1.3 text/html
1269636057.864 0 192.168.1.1 TCP_NEGATIVE_HIT/404 674 GET http://192.168.1.3/favicon.ico - NONE/- text/html
1269636084.636 1 81.98.104.57 TCP_MISS/403 2263 GET http://www.mysite.org/ - NONE/- text/html
1269636084.637 92 192.168.1.1 TCP_MISS/403 2327 GET http://www.mysite.org/ - FIRST_UP_PARENT/main text/html
1269636084.667 1 81.98.104.57 TCP_MISS/403 2264 GET http://www.mysite.org/favicon.ico - NONE/- text/html
1269636084.668 2 192.168.1.1 TCP_MISS/403 2328 GET http://www.mysite.org/favicon.ico - FIRST_UP_PARENT/main text/html
1269636087.667 0 192.168.1.1 TCP_NEGATIVE_HIT/403 2335 GET http://www.mysite.org/favicon.ico - NONE/- text/html
1269636098.347 0 192.168.1.1 TCP_NEGATIVE_HIT/403 2335 GET http://www.mysite.org/ - NONE/- text/html
1269636422.015 1 81.98.104.57 TCP_MISS/403 2319 GET http://www.mysite.org/ - NONE/- text/html
1269636422.016105 192.168.1.1 TCP_MISS/403 2383 GET http://www.mysite.org/ - FIRST_UP_PARENT/main text/html

Your time and help will be much appreciated.

Thanking you in advance
Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Sent: Friday, March 26, 2010 5:14 PM
Subject: Re: [squid-users] Help with accelerated site

There are 2 uses for Squid:

1) To act as a proxy for browsers inside your network that want to get out to the Internet and you want to avoid 2 people downloading the same big file by having squid remember pages that it sees go by and giving the second requester the copy that is already in cache on its disk. In this case it is usually watching on port 3128 on the NIC attached to your internal LAN for requests that should be sent out on the public address.

2) To act as an accelerator for people outside who want pages from your web server. In this case it is watching for requests coming in on port 80 on the NIC that carries the public address and checking
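Reading the access.log above by machine, as an added example that is not part of the original thread: the Python below parses Squid's native log lines (copied from the message as they appear on this page, including the entries where the elapsed time is fused onto the timestamp) and lists requests that were forwarded to a parent peer while a second request for the same URL from another client ran inside them. That nesting check is a heuristic of this example for spotting traffic that re-enters the proxy; it is not how Squid itself detects forwarding loops (Squid looks for its own name in the Via header), and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

# access.log lines copied from the message above, exactly as shown on this page.
LOG_LINES = """\
1269636041.546157 192.168.1.1 TCP_MISS/200 5178 GET http://www.google.com/ - DIRECT/66.102.9.104 text/html
1269636054.744 0 192.168.1.1 TCP_HIT/200 456 GET http://192.168.1.3/ - NONE/- text/html
1269636084.636 1 81.98.104.57 TCP_MISS/403 2263 GET http://www.mysite.org/ - NONE/- text/html
1269636084.637 92 192.168.1.1 TCP_MISS/403 2327 GET http://www.mysite.org/ - FIRST_UP_PARENT/main text/html
1269636084.667 1 81.98.104.57 TCP_MISS/403 2264 GET http://www.mysite.org/favicon.ico - NONE/- text/html
1269636084.668 2 192.168.1.1 TCP_MISS/403 2328 GET http://www.mysite.org/favicon.ico - FIRST_UP_PARENT/main text/html
1269636087.667 0 192.168.1.1 TCP_NEGATIVE_HIT/403 2335 GET http://www.mysite.org/favicon.ico - NONE/- text/html
1269636098.347 0 192.168.1.1 TCP_NEGATIVE_HIT/403 2335 GET http://www.mysite.org/ - NONE/- text/html
1269636422.015 1 81.98.104.57 TCP_MISS/403 2319 GET http://www.mysite.org/ - NONE/- text/html
1269636422.016105 192.168.1.1 TCP_MISS/403 2383 GET http://www.mysite.org/ - FIRST_UP_PARENT/main text/html
"""


def parse_line(line):
    """Parse one native-format line: time elapsed client code/status bytes
    method URL ident hierarchy/peer content-type."""
    tok = line.split()
    secs, frac = tok[0].split(".")
    if len(frac) > 3:
        # Fused field: the timestamp always has 3 millisecond digits, so
        # "546157" is .546 s followed by an elapsed time of 157 ms.
        elapsed, rest = int(frac[3:]), tok[1:]
    else:
        elapsed, rest = int(tok[1]), tok[2:]
    client, result, size, method, url, _ident, hier, ctype = rest[:8]
    code, status = result.split("/")
    end_ms = int(secs) * 1000 + int(frac[:3])   # entry is logged at completion
    return {
        "end_ms": end_ms, "start_ms": end_ms - elapsed, "elapsed_ms": elapsed,
        "client": client, "code": code, "status": int(status),
        "bytes": int(size), "method": method, "url": url,
        "host": urlsplit(url).hostname, "hier": hier, "type": ctype,
    }


def summary(entries):
    """Count responses per (requested host, HTTP status)."""
    return Counter((e["host"], e["status"]) for e in entries)


def nested_requests(entries):
    """Return (outer, inner) pairs: outer went to a parent peer, inner is a
    request for the same URL from a different client that started and finished
    within the outer request's lifetime."""
    pairs = []
    for outer in entries:
        if "PARENT" not in outer["hier"]:
            continue
        for inner in entries:
            if (inner["url"] == outer["url"]
                    and inner["client"] != outer["client"]
                    and outer["start_ms"] <= inner["start_ms"]
                    and inner["end_ms"] <= outer["end_ms"]):
                pairs.append((outer, inner))
    return pairs


ENTRIES = [parse_line(l) for l in LOG_LINES.splitlines() if l.strip()]

if __name__ == "__main__":
    for (host, status), n in sorted(summary(ENTRIES).items()):
        print(f"{host:16} {status} x{n}")
    for outer, inner in nested_requests(ENTRIES):
        print(f"{outer['url']}: {outer['client']} -> {outer['hier']} "
              f"({outer['elapsed_ms']} ms) contains request from "
              f"{inner['client']} ({inner['code']}/{inner['status']})")
```
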
Re: [squid-users] Help with accelerated site
Hello guys,

I don't know if any of you had a chance to take a look at my previous two posts. Now when I try to access my site I get the following:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: /

Invalid URL

Some aspect of the requested URL is incorrect.

Some possible problems are:
a.. Missing or incorrect access protocol (should be http:// or similar)
b.. Missing hostname
c.. Illegal double-escape in the URL-Path
d.. Illegal character in hostname; underscores are not allowed.

Your cache administrator is webmaster.

Any idea of what needs to be done? None of the above possibilities apply to this situation. What can it be?

Thank you all
Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Cc: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

> Hello there,
>
> Thanks for the reply Ron and Amos. Maybe my original e-mail wasn't clear, a bit confusing; I am sorry if I confused you.
>
> I have squid running on Machine A with let's say local ip 192.168.1.4; the backend server is running on machine B and ip address 192.168.1.3.
>
> Now, instead of getting the website that is located on Machine B 192.168.1.3, which is listening on port 81 not 80, I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4. And I do have the vhost in my configuration.
>
> Well, there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81. Logically (technically) speaking it should work, but for some reason it doesn't.
>
> I hope it makes more sense to you what I am trying to describe here.

Very helpful.

You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80.
Re: [squid-users] Help with accelerated site
Hi All,

Thank you guys for your help. I have tried your suggestions. Yes Ron, I know that two programmes can't both listen on the same port at the same time, but I thought the Apache was essential for the Proxy server, so thanks for the suggestion. I am including bits of my config here, because now I am getting Access Denied even from a local network. Can you guys please take a look at it and see if you can spot what's causing the access denied?

Note I have tried to allow everything and removed all the deny directives and yet it still denies any access from my local network. That is why I get so confused with Squid, I don't understand its logic to be perfectly honest, and let me remind you that this config used to work just fine; at least it used to allow access to the internet to all the clients on my local network.

#
# Other Access Controls
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl our_networks dst 192.168.1.0/32
acl our_sites dstdomain www.mysite.org
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
# acl localnet src 192.168.0.0/32 # RFC1918 possible internal network
acl localnet src 192.168.1.0/32 #Local Network
acl myaccelport port 80
# acl FTP proto FTP
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
#http_access deny manager
# http_access deny !Safe_ports
http_access allow localnet
#http_access deny all
# http_access allow intranet
# http_access deny all
http_access allow our_networks
icp_access allow localnet
#icp_access deny all
htcp_access allow localnet
#htcp_access deny all
http_acceess allow CONNECT
#http_access deny all
hosts_file /etc/hosts
visible_hostname proxy
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_effective_user squid
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
pid_filename /usr/local/squid/var/logs/squid.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
icp_port 3130
htcp_port 4827
# allow_underscore on
coredump_dir /usr/local/squid/var/cache

Can anyone see what's wrong with this config and, if possible, point it out to me? Your help would be much appreciated.

Thanking you in advance
Regards
Adam

- Original Message -
From: Ron Wheeler rwhee...@artifact-software.com
To: a...@gmail adbas...@googlemail.com
Cc: Amos Jeffries squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thursday, March 25, 2010 1:58 AM
Subject: Re: [squid-users] Help with accelerated site

a...@gmail wrote:

> Hello there,
>
> Thanks for the reply Ron and Amos. Maybe my original e-mail wasn't clear, a bit confusing; I am sorry if I confused you.
>
> I have squid running on Machine A with let's say local ip 192.168.1.4; the backend server is running on machine B and ip address 192.168.1.3.
>
> Now, instead of getting the website that is located on Machine B 192.168.1.3, which is listening on port 81 not 80, I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4. And I do have the vhost in my configuration.
>
> Well, there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81. Logically (technically) speaking it should work, but for some reason it doesn't.
>
> I hope it makes more sense to you what I am trying to describe here.

Very helpful.

You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80. You will very likely find a note in the squid logs that says something to the effect that squid can not bind to port 80.

If you shutdown apache on 192.168.1.4 and restart squid, your proxy will work (if the rest of the configuration is correct). If you then try to start apache on 192.168.1.4 it will certainly complain loudly about port 80 not being free.

If you want to use Apache on both 192.168.1.4 and 192.168.1.3 you need to set the apache on 192.168.1.4 to listen on port 81 and set squid to proxy to the apache on 192.168.1.4 and use apache's proxy and vhost features to reach 192.168.1.5 which can be set to listen on port 80.

This will support browser=Squid on 192.168.1.4 == Apache on 192.168.1.4:81 (vhost) ==Apache 192.168.1.3:80

That is a pretty common approach.

Ron

> Thank you all for your help
> Regards
> Adam
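How Squid walks the http_access list in the configuration posted above can be traced in a few lines of Python. This is an added example, not part of the thread and not Squid's code: it applies Squid's documented rules (the first matching http_access line decides; if none matches, the result is the opposite of the last line) to an excerpt of the posted directives. Assumptions: FIXED widens localnet to 192.168.1.0/24, which the thread does not state; only src, dst, proto and method ACLs are modelled; the destination is given as an IP address; the misspelled http_acceess line is treated as adding no rule.

```python
import ipaddress

# Excerpt of the squid.conf from the message above, as posted: the deny lines
# are commented out and the misspelled "http_acceess" line is left untouched.
POSTED = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl our_networks dst 192.168.1.0/32
acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
acl localnet src 192.168.1.0/32  #Local Network
acl CONNECT method CONNECT
http_access allow manager localhost
#http_access deny manager
http_access allow localnet
#http_access deny all
http_access allow our_networks
http_acceess allow CONNECT
#http_access deny all
"""

# Assumption (not from the thread): the LAN is 192.168.1.0/24.
FIXED = POSTED.replace("acl localnet src 192.168.1.0/32",
                       "acl localnet src 192.168.1.0/24")


def parse(conf):
    """Return (acls, rules): acls maps name -> (type, [values]); rules is the
    ordered list of (action, [acl names]) taken from http_access lines only."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments
        if len(words) >= 4 and words[0] == "acl":
            # Repeated "acl NAME ..." lines add values to the same ACL (OR).
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
        # Any other directive, including the misspelled one, adds no rule here.
    return acls, rules


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind in ("src", "dst"):        # address ACLs: any listed network matches
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    return req.get(kind, "").lower() in [v.lower() for v in values]


def decide(conf, req):
    """First matching http_access line wins; with no match the result is the
    opposite of the last line (deny when there are no lines at all)."""
    acls, rules = parse(conf)
    for action, names in rules:
        # Every ACL on the line must match (AND); a leading "!" negates one.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action, "http_access " + action + " " + " ".join(names)
    if not rules or rules[-1][0] == "allow":
        return "deny", "no rule matched"
    return "allow", "no rule matched"


def browse(src, dst="66.102.9.104"):
    """A plain HTTP GET; the default dst is the address logged for
    www.google.com elsewhere on this page."""
    return {"src": src, "dst": dst, "proto": "http", "method": "GET"}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        for client in ("192.168.1.0", "192.168.1.1", "81.98.104.57"):
            print(label, client, *decide(conf, browse(client)))
```

With the posted lines a /32 matches exactly one address, so a client at 192.168.1.1 falls through every allow line and reaches the implicit default, which is deny because the last http_access line is an allow.
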
Re: [squid-users] Help with accelerated site
Hi,

Although you can't have apache and squid listening on port 80 on the same IP, you can have them both running on port 80 on the same machine. Just do this:

Change your apache config to:

Listen 127.0.0.1:80

Change your squid config to:

cache_peer 127.0.0.1 parent 80 0 no-query originserver
http_port 1.2.3.4:80 accel vhost

Where 1.2.3.4 is, put your public IP.

-Al

On Thu, 25 Mar 2010, a...@gmail wrote:

> Date: Thu, 25 Mar 2010 16:30:33 -
> From: a...@gmail adbas...@googlemail.com
> To: Ron Wheeler rwhee...@artifact-software.com
> Cc: Amos Jeffries squ...@treenet.co.nz, squid-users@squid-cache.org
> Subject: Re: [squid-users] Help with accelerated site
>
> Hi All,
>
> Thank you guys for your help. I have tried your suggestions. Yes Ron, I know that two programmes can't both listen on the same port at the same time, but I thought the Apache was essential for the Proxy server, so thanks for the suggestion. I am including bits of my config here, because now I am getting Access Denied even from a local network. Can you guys please take a look at it and see if you can spot what's causing the access denied?
>
> Note I have tried to allow everything and removed all the deny directives and yet it still denies any access from my local network. That is why I get so confused with Squid, I don't understand its logic to be perfectly honest, and let me remind you that this config used to work just fine; at least it used to allow access to the internet to all the clients on my local network.
[squid-users] Help with accelerated site
Hello All,

I have followed this configuration, but when I try and access the website from outside my network all I get is the default page of the apache on the machine where the Squid proxy is installed.

Here is the link: http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

Here is the configuration I followed:

http_port 80 accel defaultsite=your.main.website.name

(changed my port to 81, my backend server listens on port 81)

I have

http_port 81 accel defaultsite=www.my.website.org vhost

and then used this

cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
cache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel

(myAccel I have put a name)

and then

acl our_sites dstdomain my.website.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

Anybody with any suggestions please? Any help would be appreciated, thank you.

Regards
Adam
Re: [squid-users] Help with accelerated site
What is squid proxying?

Usually the normal behaviour is exactly what you are getting since squid normally proxies Apache on 80.

Browser == Squid on 80==proxied to Apache on port 81.

If Squid is not proxying Apache, then it looks like you have Apache running on 80. If you are trying to redirect port 80 to another program that is not Apache, then you need to get Apache off port 80. You can not have 2 programs listening to port 80.

If Apache is running and owns port 80, Squid will not start. If this is the case, you likely have errors in the logs to this effect.

Shut down Apache and restart Squid. Try to start Apache and now it should howl with anger (or log in anger) at not getting port 80.

Ron

a...@gmail wrote:

> Hello All,
>
> I have followed this configuration, but when I try and access the website from outside my network all I get is the default page of the apache on the machine where the Squid proxy is installed.
>
> Here is the link: http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>
> Here is the configuration I followed:
>
> http_port 80 accel defaultsite=your.main.website.name
>
> (changed my port to 81, my backend server listens on port 81)
>
> I have
>
> http_port 81 accel defaultsite=www.my.website.org vhost
>
> and then used this
>
> cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
> cache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel
>
> (myAccel I have put a name)
>
> and then
>
> acl our_sites dstdomain my.website.org
> http_access allow our_sites
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
>
> Anybody with any suggestions please? Any help would be appreciated, thank you.
>
> Regards
> Adam
Re: [squid-users] Help with accelerated site
On Wed, 24 Mar 2010 19:48:27 -0400, Ron Wheeler rwhee...@artifact-software.com wrote:

> What is squid proxying?
>
> Usually the normal behaviour is exactly what you are getting since squid normally proxies Apache on 80.
>
> Browser == Squid on 80==proxied to Apache on port 81.
>
> If Squid is not proxying Apache, then it looks like you have Apache running on 80. If you are trying to redirect port 80 to another program that is not Apache, then you need to get Apache off port 80. You can not have 2 programs listening to port 80.
>
> If Apache is running and owns port 80, Squid will not start. If this is the case, you likely have errors in the logs to this effect.
>
> Shut down Apache and restart Squid. Try to start Apache and now it should howl with anger (or log in anger) at not getting port 80.
>
> Ron
>
> a...@gmail wrote:
>
> > Hello All,
> >
> > I have followed this configuration, but when I try and access the website from outside my network all I get is the default page of the apache on the machine where the Squid proxy is installed.
> >
> > Here is the link: http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
> >
> > Here is the configuration I followed:
> >
> > http_port 80 accel defaultsite=your.main.website.name
> >
> > (changed my port to 81, my backend server listens on port 81)
> >
> > I have
> >
> > http_port 81 accel defaultsite=www.my.website.org vhost
> >
> > and then used this
> >
> > cache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccel
> > cache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel
> >
> > (myAccel I have put a name)
> >
> > and then
> >
> > acl our_sites dstdomain my.website.org
> > http_access allow our_sites
> > cache_peer_access myAccel allow our_sites
> > cache_peer_access myAccel deny all
> >
> > Anybody with any suggestions please? Any help would be appreciated, thank you.
> >
> > Regards
> > Adam

Sorry, took me a while to un-mangle that original email text.

You are missing the vhost option on https_port 80. All traffic Squid receives on port 80 will go to Apache's default virtual host.

Amos
Re: [squid-users] Help with accelerated site
Hello there,

Thanks for the reply Ron and Amos. Maybe my original e-mail wasn't clear, a bit confusing; I am sorry if I confused you.

I have squid running on Machine A with let's say local ip 192.168.1.4; the backend server is running on machine B and ip address 192.168.1.3.

Now, instead of getting the website that is located on Machine B 192.168.1.3, which is listening on port 81 not 80, I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4. And I do have the vhost in my configuration.

Well, there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81. Logically (technically) speaking it should work, but for some reason it doesn't.

I hope it makes more sense to you what I am trying to describe here.

Thank you all for your help
Regards
Adam

- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Thursday, March 25, 2010 1:01 AM
Subject: Re: [squid-users] Help with accelerated site

On Wed, 24 Mar 2010 19:48:27 -0400, Ron Wheeler rwhee...@artifact-software.com wrote:

> What is squid proxying?
>
> Usually the normal behaviour is exactly what you are getting since squid normally proxies Apache on 80.
>
> Browser == Squid on 80==proxied to Apache on port 81.
>
> If Squid is not proxying Apache, then it looks like you have Apache running on 80. If you are trying to redirect port 80 to another program that is not Apache, then you need to get Apache off port 80. You can not have 2 programs listening to port 80.
>
> If Apache is running and owns port 80, Squid will not start. If this is the case, you likely have errors in the logs to this effect.
>
> Shut down Apache and restart Squid. Try to start Apache and now it should howl with anger (or log in anger) at not getting port 80.
Ron a...@gmail wrote: Hello All, I have followed this configuration, but when I try and access the website from outside my network All I get is the default page of the apache on the machine where the Squid proxy is installed Here is the link: http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator here is the configuration I followed http_port 80 accel defaultsite=your.main.website.name(changed my port to 81 my backend server listens on port 81)I havehttp_port 81 accel defaultsite=www.my.website.org vhostand then used thiscache_peer ip.of.webserver parent 80 0 no-query originserver name=myAccelcache_peer 192.168.1.5 parent 81 0 no query originserver name=myAccel(myAccel I have put a name)and then acl our_sites dstdomain my.website.org http_access allow our_sites cache_peer_access myAccel allow our_sites cache_peer_access myAccel deny all Anybody with any suggestions please?Any help would be appreciated thank youRegardsAdam Sorry, took me a while to un-mangle that original email text. You are missing the vhost option on https_port 80. All traffic Squid receives on port 80 will go to Apache's default virtual host. Amos
Re: [squid-users] Help with accelerated site
a...@gmail wrote:

Hello there, Thanks for the reply Ron and Amos

Maybe my original e-mail wasn't clear a bit confusing I am sorry if I confused you

I have squid running on Machine A with let's say local ip 192.168.1.4 the backend server is running on machine B and ip address 192.168.1.3

Now, instead of getting the website that is located on Machine B 192.168.1.3 which is listening on port 81 not 80. I am getting the default Apache Page on the Proxy server Machine which is 192.168.1.4

And I do have the vhost in my configuration

Well there are two apaches running on the two machines, the proxy machine and the web-server machine, except the web-server apache listens on port 81, logically (technically) speaking it should work, but for some reason it doesn't.

I hope it makes more sense to you what I am trying to describe here

Very helpful.

You can not have apache listening for port 80 on 192.168.1.4 and Squid trying to do the same thing. Only one process can have port 80. You will very likely find a note in the squid logs that says something to the effect that squid can not bind to port 80.

If you shut down apache on 192.168.1.4 and restart squid, your proxy will work (if the rest of the configuration is correct). If you then try to start apache on 192.168.1.4 it will certainly complain loudly about port 80 not being free.

If you want to use Apache on both 192.168.1.4 and 192.168.1.3 you need to set the apache on 192.168.1.4 to listen on port 81 and set squid to proxy to the apache on 192.168.1.4 and use apache's proxy and vhost features to reach 192.168.1.5 which can be set to listen on port 80.

This will support browser == Squid on 192.168.1.4 == Apache on 192.168.1.4:81 (vhost) == Apache 192.168.1.3:80

That is a pretty common approach.

Ron

Thank you all for your help Regards Adam
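The three conditions raised in this thread (an http_port line without the accel flag, one without vhost, and a port already held by another process such as Apache) can be checked before starting Squid. The following Python sketch is an added example, not part of the original messages; `audit_accel`, `port_is_free` and the sample configuration are hypothetical names and constructed input.

```python
import errno
import socket

# Constructed sample, modelled on the directives quoted in the thread.
SAMPLE_CONF = """\
http_port 80 accel defaultsite=www.my.website.org
cache_peer 192.168.1.3 parent 81 0 no-query originserver name=myAccel
"""


def port_is_free(port, host="0.0.0.0"):
    """True if host:port can be bound now; False if another process holds it.

    Ports below 1024 need the same privileges Squid starts with.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False
            raise
    return True


def audit_accel(conf_text, probe=port_is_free):
    """Return findings for each http_port line of a reverse-proxy squid.conf."""
    findings = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "http_port":
            continue
        port = int(tokens[1].rsplit(":", 1)[-1])  # accepts "80" or "ip:80"
        options = tokens[2:]
        if "accel" not in options:
            findings.append(f"http_port {port}: no accel flag")
        if "vhost" not in options:
            findings.append(f"http_port {port}: no vhost option")
        if not probe(port):
            findings.append(f"http_port {port}: already bound by another process")
    return findings


if __name__ == "__main__":
    # Static checks only; drop the probe argument to also test the bind.
    for finding in audit_accel(SAMPLE_CONF, probe=lambda port: True):
        print(finding)
```

Run on the proxy machine with Apache still listening on the same port, the bind probe reports the conflict that Squid would otherwise log as a failure to bind.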