Re: [squid-users] Squid not working for me
Dave Coventry wrote:
> On Jan 8, 2008 11:59 AM, Indunil Jayasooriya wrote:
>> my dhcp server assigns both ip addresses and dns servers to clients.
>
> I have set my Ubuntu box 'Base' up as a DNS Server and tried to use squid with partial results.
>
> Firefox returns the following:
>
>   ERROR
>   The requested URL could not be retrieved
>
>   While trying to retrieve the URL: http://www.cricinfo.com/
>
>   The following error was encountered:
>   * Unable to forward this request at this time.
>
>   This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
>   * The cache administrator does not allow this cache to make direct connections to origin servers, and
>   * All configured parent caches are currently unreachable.
>
>   Your cache administrator is webmaster.
>   Generated Wed, 09 Jan 2008 10:47:36 GMT by Base (squid/2.6.STABLE14)
>
> /var/log/squid/cache.log has the following.
>
>   [EMAIL PROTECTED]:/home/dave# cat /var/log/squid/cache.log
>   2008/01/09 07:35:12| storeDirWriteCleanLogs: Starting...
>   2008/01/09 07:35:12|   Finished.  Wrote 56 entries.
>   2008/01/09 07:35:12|   Took 0.0 seconds (325581.4 entries/sec).
>   2008/01/09 07:35:12| logfileRotate: /var/log/squid/store.log
>   2008/01/09 07:35:12| logfileRotate: /var/log/squid/access.log
>   2008/01/09 12:44:04| Failed to select source for 'http://en-gb.start2.mozilla.com/firefox?client=firefox-arls=org.mozilla:en-GB:official'
>   2008/01/09 12:44:04|   always_direct = -1
>   2008/01/09 12:44:04|    never_direct = 1
>   2008/01/09 12:44:04|        timedout = 0

These requests are hitting squid but squid is configured to deny direct access outbound (never_direct is 1). Probably without any peers configured to handle non-direct access.

> However, I can no longer ssh into Base as the name won't reconcile, I now must access 192.168.60.254 (eth1) or 192.168.10.23 (eth0)

Hmm, windows (or the source box you are ssh'ing from) cannot locate the FQDN of Base or a local domain to generate a FQDN from for DNS.

I think it should be as simple as taking the space out of your config setting string:

  option domain-name domain.org;

I would expect the above to be attempting a DNS lookup of exactly "Base. domain.org" and failing.

> I feel I am getting close, but need to find out why 'Base' is no longer working (you will notice that the prompt is '[EMAIL PROTECTED]').
>
> Can you offer any suggestions?

Amos
--
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
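The diagnosis above comes from reading two logs together: the access.log result/hierarchy codes (503 with TCP_MISS:NONE, 504 with TCP_MISS:ANY_PARENT) and the cache.log "Failed to select source" blocks that report never_direct = 1, plus the "TCP connection to proxy.ua.pt/3128 failed" lines posted later in the thread. The script below is an added example, not code from this thread or from the Squid project: it parses those log lines in the form they appear in the thread (the archive stripped the quotes around the request field, so the parser accepts both), maps each 5xx request to its likeliest cause, and also flags a request from outside the LAN, since the 122.116.116.34 entry in Dave's later access.log shows an Internet host reaching the 0.0.0.0:3128 listener. The LAN prefix 192.168.60.0/24 is taken from the thread; the access.log sample lines are copied from it, and the cache.log sample is constructed from the message kinds that appear in it.

```python
"""Triage helper for the Squid logs posted in this thread (added example;
not code from the squid-users thread or from the Squid project)."""
import ipaddress
import re
from collections import Counter

# Squid "common" style line: client ident user [time] request status bytes RESULT:HIER
# The quotes around the request field are optional because the archive stripped them.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"? '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)
NO_SOURCE_RE = re.compile(r"Failed to select source for '(?P<url>[^']+)'")
NEVER_DIRECT_RE = re.compile(r"never_direct = (?P<val>-?\d+)")
PEER_FAIL_RE = re.compile(r"TCP connection to (?P<peer>\S+) failed")

CAUSES = {
    "exposed": "client outside the LAN reached the proxy and was not denied "
               "(no TCP_DENIED/403): the 0.0.0.0:3128 listener is reachable "
               "from outside; tighten http_access and the INPUT chain",
    "parent-unreachable": "a parent cache was selected (ANY_PARENT) but the "
                          "TCP connection to it failed (504)",
    "no-direct": "never_direct is forced on and no parent is usable: allow "
                 "direct fetches or fix cache_peer",
    "no-source": "squid could not pick any source for the request",
}

# Copied from the access.log Dave posted on 10 Jan 2008.
SAMPLE_ACCESS = """\
192.168.60.199 - - [10/Jan/2008:10:26:02 +0200] GET http://www.cricinfo.com/ HTTP/1.1 504 1408 TCP_MISS:ANY_PARENT
122.116.116.34 - - [10/Jan/2008:12:14:08 +0200] GET http://www.scanproxy.com/px_judge.php? HTTP/1.0 503 1622 TCP_MISS:NONE
192.168.60.199 - - [10/Jan/2008:14:55:03 +0200] GET http://www.google.com/search? HTTP/1.1 503 1597 TCP_MISS:NONE
"""

# Constructed from the two kinds of cache.log message that appear in the thread.
SAMPLE_CACHE = """\
2008/01/10 10:19:25| Configuring Parent proxy.ua.pt/3128/3130
2008/01/10 10:22:32| TCP connection to proxy.ua.pt/3128 failed
2008/01/10 10:23:02| TCP connection to proxy.ua.pt/3128 failed
2008/01/10 14:55:03| Failed to select source for 'http://www.google.com/search?'
2008/01/10 14:55:03|   always_direct = -1
2008/01/10 14:55:03|    never_direct = 1
2008/01/10 14:55:03|        timedout = 0
"""


def parse_access(text):
    """Return one dict per well-formed access.log line."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def parse_cache(text):
    """Collect URLs squid refused to fetch directly (never_direct = 1) and
    count failed parent connections per peer."""
    forced_no_direct, peer_failures = set(), Counter()
    pending_url = None  # URL of the last "Failed to select source" line
    for line in text.splitlines():
        msg = line.split("|", 1)[-1].strip()
        m = NO_SOURCE_RE.search(msg)
        if m:
            pending_url = m["url"]
            continue
        m = NEVER_DIRECT_RE.search(msg)
        if m:
            if pending_url and m["val"] == "1":
                forced_no_direct.add(pending_url)
            pending_url = None
            continue
        m = PEER_FAIL_RE.search(msg)
        if m:
            peer_failures[m["peer"]] += 1
    return forced_no_direct, peer_failures


def triage(access_text, cache_text, lan="192.168.60.0/24"):
    """Return ([(client, url, cause code)], failed-peer Counter) for every 5xx request."""
    lan_net = ipaddress.ip_network(lan)
    forced_no_direct, peer_failures = parse_cache(cache_text)
    findings = []
    for e in parse_access(access_text):
        if e["status"] < 500:
            continue
        if ipaddress.ip_address(e["client"]) not in lan_net:
            code = "exposed"
        elif e["status"] == 504 and e["hier"] == "ANY_PARENT":
            code = "parent-unreachable"
        elif e["hier"] == "NONE" and e["url"] in forced_no_direct:
            code = "no-direct"
        else:
            code = "no-source"
        findings.append((e["client"], e["url"], code))
    return findings, peer_failures


if __name__ == "__main__":
    findings, peers = triage(SAMPLE_ACCESS, SAMPLE_CACHE)
    for client, url, code in findings:
        print(f"{client} {url}\n    {code}: {CAUSES[code]}")
    for peer, n in peers.items():
        print(f"parent {peer}: {n} failed connection attempts")
```

Run against a real pair of logs, the "exposed" finding is the one to act on first: a proxy that answers requests from arbitrary Internet hosts is an open relay for whoever found it, and the scanproxy.com probe in the log is exactly that kind of discovery scan.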
Re: [squid-users] Squid not working for me
Dave Coventry wrote:
> Hi Amos.
>
> I feel I'm getting there, albeit slowly...
>
> I can ping www.google.com from the client Laptop, but I'm getting this error in Firefox:
>
>   ERROR
>   The requested URL could not be retrieved
>
>   While trying to retrieve the URL: http://www.google.com/search?
>
>   The following error was encountered:
>   * Unable to forward this request at this time.
>
>   This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
>   * The cache administrator does not allow this cache to make direct connections to origin servers, and

Did you read that error page carefully? or the first lines of my previous post?
squid.conf seems to have a line "never_direct deny all" or something to that effect for your laptop.

>   * All configured parent caches are currently unreachable.
>
>   Your cache administrator is webmaster.
>   Generated Thu, 10 Jan 2008 12:55:03 GMT by Base (squid/2.6.STABLE14)
>
> My /var/log/squid/access.log is as follows:
>
>   [EMAIL PROTECTED]:/home/dave# cat /var/log/squid/access.log
>   192.168.60.199 - - [10/Jan/2008:10:26:02 +0200] GET http://www.cricinfo.com/ HTTP/1.1 504 1408 TCP_MISS:ANY_PARENT
>   192.168.60.199 - - [10/Jan/2008:10:26:40 +0200] GET http://en-gb.start2.mozilla.com/firefox? HTTP/1.1 504 1440 TCP_MISS:ANY_PARENT
>   122.116.116.34 - - [10/Jan/2008:12:14:08 +0200] GET http://www.scanproxy.com/px_judge.php? HTTP/1.0 503 1622 TCP_MISS:NONE
>   192.168.60.199 - - [10/Jan/2008:14:51:17 +0200] GET http://content-rsa.cricinfo.com/wivzimsa/engine/current/match/298803.html? HTTP/1.1 503 1687 TCP_MISS:NONE
>   192.168.60.199 - - [10/Jan/2008:14:51:24 +0200] GET http://content-rsa.cricinfo.com/wivzimsa/engine/current/match/298803.html HTTP/1.1 503 1685 TCP_MISS:NONE
>   192.168.60.199 - - [10/Jan/2008:14:55:03 +0200] GET http://www.google.com/search? HTTP/1.1 503 1597 TCP_MISS:NONE
>   192.168.60.199 - - [10/Jan/2008:14:55:20 +0200] GET http://www.cricinfo.com/ HTTP/1.1 503 1587 TCP_MISS:NONE
>
> My /var/log/squid/cache.log is as follows:
>
>   2008/01/10 10:19:25| Starting Squid Cache version 2.6.STABLE14 for i386-debian-linux-gnu...
>   2008/01/10 10:19:25| Process ID 6652
>   2008/01/10 10:19:25| With 1024 file descriptors available
>   2008/01/10 10:19:25| Using epoll for the IO loop
>   2008/01/10 10:19:25| DNS Socket created at 0.0.0.0, port 32782, FD 6
>   2008/01/10 10:19:25| Adding domain linux.lan from /etc/resolv.conf
>   2008/01/10 10:19:25| Adding nameserver 192.168.60.254 from /etc/resolv.conf
>   2008/01/10 10:19:25| User-Agent logging is disabled.
>   2008/01/10 10:19:25| Referer logging is disabled.
>   2008/01/10 10:19:25| Unlinkd pipe opened on FD 11
>   2008/01/10 10:19:25| Swap maxSize 102400 KB, estimated 7876 objects
>   2008/01/10 10:19:25| Target number of buckets: 393
>   2008/01/10 10:19:25| Using 8192 Store buckets
>   2008/01/10 10:19:25| Max Mem  size: 8192 KB
>   2008/01/10 10:19:25| Max Swap size: 102400 KB
>   2008/01/10 10:19:25| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
>   2008/01/10 10:19:25| Rebuilding storage in /var/spool/squid (CLEAN)
>   2008/01/10 10:19:25| Using Least Load store dir selection
>   2008/01/10 10:19:25| Set Current Directory to /var/spool/squid
>   2008/01/10 10:19:25| Loaded Icons.
>   2008/01/10 10:19:25| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
>   2008/01/10 10:19:25| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
>   2008/01/10 10:19:25| HTCP Disabled.
>   2008/01/10 10:19:25| WCCP Disabled.
>   2008/01/10 10:19:25| Ready to serve requests.
>   2008/01/10 10:19:25| Done reading /var/spool/squid swaplog (56 entries)
>   2008/01/10 10:19:25| Finished rebuilding storage from disk.
>   2008/01/10 10:19:25|        56 Entries scanned
>   2008/01/10 10:19:25|         0 Invalid entries.
>   2008/01/10 10:19:25|         0 With invalid flags.
>   2008/01/10 10:19:25|        56 Objects loaded.
>   2008/01/10 10:19:25|         0 Objects expired.
>   2008/01/10 10:19:25|         0 Objects cancelled.
>   2008/01/10 10:19:25|         0 Duplicate URLs purged.
>   2008/01/10 10:19:25|         0 Swapfile clashes avoided.
>   2008/01/10 10:19:25|   Took 0.3 seconds ( 207.6 objects/sec).
>   2008/01/10 10:19:25| Beginning Validation Procedure
>   2008/01/10 10:19:25|   Completed Validation Procedure
>   2008/01/10 10:19:25|   Validated 56 Entries
>   2008/01/10 10:19:25|   store_swap_size = 1920k
>   2008/01/10 10:19:25| Configuring Parent proxy.ua.pt/3128/3130
>   2008/01/10 10:19:26| storeLateRelease: released 0 objects
>   2008/01/10 10:22:32| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:23:02| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:23:10| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:23:32| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:23:40| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:24:02| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:24:10| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:24:32| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:24:40| TCP connection to proxy.ua.pt/3128 failed
>   2008/01/10 10:25:02| TCP connection to
Re: [squid-users] Squid not working for me
On Jan 8, 2008 11:59 AM, Indunil Jayasooriya wrote:
> my dhcp server assigns both ip addresses and dns servers to clients.

I have set my Ubuntu box 'Base' up as a DNS Server and tried to use squid with partial results.

Firefox returns the following:

  ERROR
  The requested URL could not be retrieved

  While trying to retrieve the URL: http://www.cricinfo.com/

  The following error was encountered:
  * Unable to forward this request at this time.

  This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
  * The cache administrator does not allow this cache to make direct connections to origin servers, and
  * All configured parent caches are currently unreachable.

  Your cache administrator is webmaster.
  Generated Wed, 09 Jan 2008 10:47:36 GMT by Base (squid/2.6.STABLE14)

/var/log/squid/access.log contains the following:

  [EMAIL PROTECTED]:/home/dave# cat /var/log/squid/access.log
  192.168.60.199 - - [09/Jan/2008:12:44:04 +0200] GET http://en-gb.start2.mozilla.com/firefox? HTTP/1.1 503 1619 TCP_MISS:NONE
  192.168.60.199 - - [09/Jan/2008:12:46:44 +0200] GET http://en-gb.start2.mozilla.com/firefox? HTTP/1.1 503 1619 TCP_MISS:NONE
  192.168.60.199 - - [09/Jan/2008:12:47:29 +0200] GET http://google.com/ HTTP/1.1 503 1575 TCP_MISS:NONE
  192.168.60.199 - - [09/Jan/2008:12:47:29 +0200] GET http://google.com/favicon.ico HTTP/1.1 503 1597 TCP_MISS:NONE
  192.168.60.199 - - [09/Jan/2008:12:47:29 +0200] GET http://google.com/favicon.ico HTTP/1.1 503 1597 TCP_MISS:NONE
  192.168.60.199 - - [09/Jan/2008:12:47:36 +0200] GET http://www.cricinfo.com/ HTTP/1.1 503 1587 TCP_MISS:NONE

/var/log/squid/cache.log has the following.

  [EMAIL PROTECTED]:/home/dave# cat /var/log/squid/cache.log
  2008/01/09 07:35:12| storeDirWriteCleanLogs: Starting...
  2008/01/09 07:35:12|   Finished.  Wrote 56 entries.
  2008/01/09 07:35:12|   Took 0.0 seconds (325581.4 entries/sec).
  2008/01/09 07:35:12| logfileRotate: /var/log/squid/store.log
  2008/01/09 07:35:12| logfileRotate: /var/log/squid/access.log
  2008/01/09 12:44:04| Failed to select source for 'http://en-gb.start2.mozilla.com/firefox?client=firefox-arls=org.mozilla:en-GB:official'
  2008/01/09 12:44:04|   always_direct = -1
  2008/01/09 12:44:04|    never_direct = 1
  2008/01/09 12:44:04|        timedout = 0
  2008/01/09 12:46:44| Failed to select source for 'http://en-gb.start2.mozilla.com/firefox?client=firefox-arls=org.mozilla:en-GB:official'
  2008/01/09 12:46:44|   always_direct = -1
  2008/01/09 12:46:44|    never_direct = 1
  2008/01/09 12:46:44|        timedout = 0
  2008/01/09 12:47:29| Failed to select source for 'http://google.com/'
  2008/01/09 12:47:29|   always_direct = -1
  2008/01/09 12:47:29|    never_direct = 1
  2008/01/09 12:47:29|        timedout = 0
  2008/01/09 12:47:29| Failed to select source for 'http://google.com/favicon.ico'
  2008/01/09 12:47:29|   always_direct = -1
  2008/01/09 12:47:29|    never_direct = 1
  2008/01/09 12:47:29|        timedout = 0
  2008/01/09 12:47:29| Failed to select source for 'http://google.com/favicon.ico'
  2008/01/09 12:47:29|   always_direct = -1
  2008/01/09 12:47:29|    never_direct = 1
  2008/01/09 12:47:29|        timedout = 0
  2008/01/09 12:47:36| Failed to select source for 'http://www.cricinfo.com/'
  2008/01/09 12:47:36|   always_direct = -1
  2008/01/09 12:47:36|    never_direct = 1
  2008/01/09 12:47:36|        timedout = 0

However, I can no longer ssh into Base as the name won't reconcile, I now must access 192.168.60.254 (eth1) or 192.168.10.23 (eth0)

I feel I am getting close, but need to find out why 'Base' is no longer working (you will notice that the prompt is '[EMAIL PROTECTED]').

Can you offer any suggestions?
Re: [squid-users] Squid not working for me
I have found the following Kernel requirements:
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy )

  #
  # Code maturity level options
  #
  CONFIG_EXPERIMENTAL=y
  #
  # Networking options
  #
  CONFIG_FIREWALL=y
  # CONFIG_NET_ALIAS is not set
  CONFIG_INET=y
  CONFIG_IP_FORWARD=y
  # CONFIG_IP_MULTICAST is not set
  CONFIG_IP_FIREWALL=y
  # CONFIG_IP_FIREWALL_VERBOSE is not set
  CONFIG_IP_MASQUERADE=y
  CONFIG_IP_TRANSPARENT_PROXY=y
  CONFIG_IP_ALWAYS_DEFRAG=y
  # CONFIG_IP_ACCT is not set
  CONFIG_IP_ROUTER=y

My Configuration (kernel 2.6.22-14) has the following set:

  CONFIG_EXPERIMENTAL=y                    - check!
  CONFIG_FIREWALL=y
  CONFIG_IP_FIREWALL=y
  # CONFIG_IP_FIREWALL_VERBOSE is not set  - No options for FIREWALL.
  # CONFIG_NET_ALIAS is not set            - No options for NET_ALIAS
  CONFIG_INET=y                            - Check!
  CONFIG_IP_FORWARD=y                      - No Options for FORWARD
  # CONFIG_IP_MULTICAST is not set         - IP_MULTICAST IS SET
  CONFIG_IP_MASQUERADE=y                   - CONFIG_IP_NF_TARGET_MASQUERADE is set to m
  CONFIG_IP_TRANSPARENT_PROXY=y            - No Options for TRANSPARENT_PROXY
  CONFIG_IP_ALWAYS_DEFRAG=y                - No Options for DEFRAG
  # CONFIG_IP_ACCT is not set              - No Options for IP_ACCT
  CONFIG_IP_ROUTER=y                       - IP_ADVANCED_ROUTER=y

I'm planning on compiling kernel 2.6.23-12 with the following options:

  CONFIG_EXPERIMENTAL=y
  CONFIG_INET=y
  FORWARD
  # CONFIG_IP_MULTICAST is not set
  CONFIG_IP_NF_TARGET_MASQUERADE=y
  IP_ADVANCED_ROUTER=y

Any comments?
Re: [squid-users] Squid not working for me
On Jan 8, 2008 1:14 PM, Dave Coventry [EMAIL PROTECTED] wrote:
> Damn! Did it again. Sent the reply direct rather than to the list. Sorry.
>
> Indunil,
>
>> #For squid traffic to Accept
>> iptables -A INPUT -i eth1 -d 192.168.60.254 -p tcp -s 192.168.60.0/24 --dport 3128 -j ACCEPT
>
> I get this error message.
>
>   --dport not found.

command again, pls note this is one LINE.

  iptables -A INPUT -i eth1 -d 192.168.60.254 -p tcp -s 192.168.60.0/24 --dport 3128 -j ACCEPT

I just tried on my RedHat EL4 box. It worked.

> I'm thinking of recompiling my kernel, I can't think it will help, but it's worth a try...

The above command is VERY basic. So, I think no need to recompile.

--
Thank you
Indunil Jayasooriya
Re: [squid-users] Squid not working for me
On Jan 8, 2008 10:37 AM, Indunil Jayasooriya wrote:
> command again, pls note this is one LINE.
>
>   iptables -A INPUT -i eth1 -d 192.168.60.254 -p tcp -s 192.168.60.0/24 --dport 3128 -j ACCEPT
>
> I just tried on my RedHat EL4 box. It worked.

Sorry, yes that is what happened. It still doesn't help, though.

iptables are as follows:

  [EMAIL PROTECTED]:/home/dave# iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  ACCEPT     tcp  --  192.168.60.0/24      Base.local          tcp dpt:3128

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

and

  [EMAIL PROTECTED]:/home/dave# iptables -t nat -L
  Chain PREROUTING (policy ACCEPT)
  target     prot opt source               destination
  DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.60.254:3128
  DNAT       tcp  --  anywhere             anywhere            tcp dpt:3128 to:192.168.60.254:3128
  DNAT       tcp  --  anywhere             anywhere            tcp dpt:webcache to:192.168.60.254:3128

  Chain POSTROUTING (policy ACCEPT)
  target     prot opt source               destination
  MASQUERADE  0    --  192.168.60.0/24      anywhere

neither /var/log/squid/access.log nor /var/log/squid/cache.log show any activity, either through firefox which returns "Server not found" or telnet either to Base 3128 or to Base 80.
Re: [squid-users] Squid not working for me
> I have a laptop running XP (Home) connected to eth1 which reports the following in response to 'ipconfig'
>
>   IP Address . . . . . : 192.168.60.199
>   Default Gateway  . . : 192.168.60.254
>
> My Laptop cannot access the Internet, it just says "Server not found"

Hey,

Could you pls check DNS entries in your Windows XP PC. I think We will have to look in to it as well.

You have a DHCP server that assigns ips to clients. Does it also assign Dns to clients?

just try whether something similar given below are in your dhcpd.conf file in Ubuntu box.

  option domain-name "domain.org";
  option domain-name-servers 192.168.1.1,192.168.1.2;

here is my /etc/dhcpd.conf file on Centos 4.5. where squid 2.5 is running as transparent intercepting

  [EMAIL PROTECTED] ~]# cat /etc/dhcpd.conf
  ddns-update-style interim;
  ignore client-updates;

  subnet 192.168.101.0 netmask 255.255.255.0 {
          authoritative;

  # --- default gateway
          option routers                  192.168.101.254;
          option subnet-mask              255.255.255.0;
          option broadcast-address        192.168.101.255;

  #       option nis-domain               "domain.org";
          option domain-name              "domain.org";
  #       option domain-name-servers      192.168.1.1;
          option domain-name-servers      192.168.100.124, 192.168.100.127;

          option time-offset              -18000; # Eastern Standard Time
  #       option ntp-servers              192.168.1.1;
  #       option netbios-name-servers     192.168.1.1;
  # --- Selects point-to-point node (default is hybrid). Don't change this unless
  # -- you understand Netbios very well
  #       option netbios-node-type 2;

          range dynamic-bootp 192.168.101.225 192.168.101.230;
          default-lease-time 21600;
          max-lease-time 43200;

          # Don't forward DHCP requests from this
          # NIC interface to any other NIC
          # interfaces
          option ip-forwarding off;

          # we want the nameserver to appear at a fixed address
  #       host ns {
  #               next-server marvin.redhat.com;
  #               hardware ethernet 12:34:56:78:AB:CD;
  #               fixed-address 207.175.42.254;
  #       }
  }

  #
  # List an unused interface here
  #
  subnet 192.168.100.0 netmask 255.255.255.0 {
  }

my dhcp server assigns both ip addresses and dns servers to clients.

> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> There are serious security advisories out on all earlier releases.

YES of course.

--
Thank you
Indunil Jayasooriya
Re: [squid-users] Squid not working for me
Dave Coventry wrote:
> I cannot get squid to work on Ubuntu 7.10.
>
> I have a DHCP server (IP 192.168.60.254, named 'Base') set up on the Ubuntu box which is correctly allocating IPs in the range 192.168.60.100-192.168.60.199 on eth1.
>
> I have eth0 connecting to my router/ADSL Modem and acquiring an IP through DHCP.
>
> I have a laptop running XP (Home) connected to eth1 which reports the following in response to 'ipconfig'
>
>   IP Address . . . . . : 192.168.60.199
>   Default Gateway  . . : 192.168.60.254
>
> My Squid /etc/squid/squid.conf is as follows:
>
> ### squid.conf #
> http_port 3128 transparent

To operate transparent you need:
 - squid built with --enable-linux-netfilter on ubuntu
 - iptables setup with REDIRECT or DNAT properly

> http_port 192.168.60:80 vhost vport=8080

So this is a webserver accelerator too?
Think about adding defaultsite= option to cope with the many broken web clients that may be accessing your server.

This port is also the cause of your problem. You are running squid as a non-privileged user. To access a special port < 1024 you MUST run squid as root and let it drop down to unprivileged by itself at the right times.

> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp:     1440  20%  10080
> refresh_pattern ^gopher:  1440   0%   1440
> refresh_pattern .            0  20%   4320
> acl all src 0.0.0.0/0.0.0.0
> acl IQNetwork src 192.168.60.0/255.255.255.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443          # https
> acl SSL_ports port 563          # snews
> acl SSL_ports port 873          # rsync
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 631         # cups
> acl Safe_ports port 873         # rsync
> acl Safe_ports port 901         # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow IQNetwork

This might be better after some initial CONNECT etc. protection.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname Base
> # end of squid.conf ##
>
> My /var/log/squid/cache.log looks like this:
>
> ## cache.log ##
> 2008/01/04 20:13:48| Starting Squid Cache version 2.6.STABLE14 for i386-debian-linux-gnu...
> 2008/01/04 20:13:48| Process ID 8698
> 2008/01/04 20:13:48| With 1024 file descriptors available
> 2008/01/04 20:13:48| Using epoll for the IO loop
> 2008/01/04 20:13:48| DNS Socket created at 0.0.0.0, port 32868, FD 6
> 2008/01/04 20:13:48| Adding nameserver 192.168.1.254 from /etc/resolv.conf
> 2008/01/04 20:13:48| User-Agent logging is disabled.
> 2008/01/04 20:13:48| Referer logging is disabled.
> 2008/01/04 20:13:48| Unlinkd pipe opened on FD 11
> 2008/01/04 20:13:48| Swap maxSize 102400 KB, estimated 7876 objects
> 2008/01/04 20:13:48| Target number of buckets: 393
> 2008/01/04 20:13:48| Using 8192 Store buckets
> 2008/01/04 20:13:48| Max Mem  size: 8192 KB
> 2008/01/04 20:13:48| Max Swap size: 102400 KB
> 2008/01/04 20:13:48| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> 2008/01/04 20:13:48| Rebuilding storage in /var/spool/squid (CLEAN)
> 2008/01/04 20:13:48| Using Least Load store dir selection
> 2008/01/04 20:13:48| Current Directory is /
> 2008/01/04 20:13:48| Loaded Icons.
> 2008/01/04 20:13:48| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
> 2008/01/04 20:13:48| commBind: Cannot bind socket FD 14 to 192.168.0.60:80: (99) Cannot assign requested address
> 2008/01/04 20:13:48| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
> 2008/01/04 20:13:48| HTCP Disabled.
> 2008/01/04 20:13:48| WCCP Disabled.
> 2008/01/04 20:13:48| Ready to serve requests.
> 2008/01/04 20:13:48| Done reading /var/spool/squid swaplog (0 entries)
> 2008/01/04 20:13:48| Finished rebuilding storage from disk.
> 2008/01/04 20:13:48|         0 Entries scanned
> 2008/01/04 20:13:48|         0 Invalid entries.
> 2008/01/04 20:13:48|         0 With invalid flags.
> 2008/01/04 20:13:48|         0 Objects loaded.
> 2008/01/04 20:13:48|         0 Objects expired.
> 2008/01/04 20:13:48|         0 Objects cancelled.
> 2008/01/04 20:13:48|         0 Duplicate URLs purged.
> 2008/01/04 20:13:48|         0 Swapfile clashes avoided.
> 2008/01/04 20:13:48|   Took 0.3 seconds (   0.0 objects/sec).
> 2008/01/04 20:13:48| Beginning Validation Procedure
> 2008/01/04 20:13:48|
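Amos's remark about the position of "http_access allow IQNetwork" rests on how Squid evaluates http_access: the lines are tried in order, every ACL on a line must match (a leading "!" negates one), the first line that matches decides, and when nothing matches the verdict is the opposite of the last line's action. With the allow placed first, a LAN client is allowed before the Safe_ports and CONNECT checks ever run, so the CONNECT !SSL_ports protection never applies to the LAN. The evaluator below is an added example, not code from this thread or from the Squid project. It models only the ACL types the posted http_access lines use (src, port, method, proto), takes the acl and http_access lines exactly as posted above, and compares the posted order with the order Amos suggests; the two request tuples are constructed.

```python
"""First-match evaluator for the http_access section of the squid.conf posted
above (added example; not code from the squid-users thread or from Squid)."""
import ipaddress

# acl and http_access lines as posted, in the posted order. Lines that no
# http_access rule references (to_localhost, QUERY, apache) are left out.
POSTED = """\
acl all src 0.0.0.0/0.0.0.0
acl IQNetwork src 192.168.60.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow IQNetwork
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""


def parse(text):
    """Return ({acl name: (type, [values])}, [(action, [(negated, acl name)])])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (kind, []))
            if entry[0] != kind:
                raise ValueError(f"acl {name} redefined as {kind}")
            entry[1].extend(values)  # repeated acl lines accumulate values
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """Does the named ACL match the request dict (src, port, method, proto)?"""
    kind, values = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single ports and lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "proto":
        return req["proto"].lower() in {v.lower() for v in values}
    raise ValueError(f"acl type {kind} not modelled")


def decide(conf_text, req):
    """Return (action, matching http_access line) or (default action, 'default')."""
    acls, rules = parse(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != neg for neg, name in terms):
            shown = " ".join(("!" if neg else "") + name for neg, name in terms)
            return action, f"http_access {action} {shown}"
    last = rules[-1][0]  # no line matched: opposite of the last action
    return ("deny" if last == "allow" else "allow"), "default"


def move_lan_allow_after_protections(conf_text):
    """Amos's suggestion: allow the LAN only after the Safe_ports/CONNECT checks."""
    lines = conf_text.splitlines()
    lines.remove("http_access allow IQNetwork")
    lines.insert(lines.index("http_access allow localhost"), "http_access allow IQNetwork")
    return "\n".join(lines) + "\n"


# Constructed requests: a LAN client tunnelling to an SMTP port, and a LAN
# client fetching an ordinary page.
CONNECT_SMTP = {"src": "192.168.60.199", "port": 25, "method": "CONNECT", "proto": "http"}
PLAIN_GET = {"src": "192.168.60.199", "port": 80, "method": "GET", "proto": "http"}

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("reordered", move_lan_allow_after_protections(POSTED))):
        for req in (CONNECT_SMTP, PLAIN_GET):
            print(label, req["method"], req["port"], "->", decide(conf, req))
```

With the posted order the CONNECT to port 25 is allowed by the first line; after the reordering it is stopped by "deny !Safe_ports" while the ordinary GET is still allowed, which is the difference Amos is pointing at. The same evaluator can be fed any request tuple to check what a given client can reach before the config goes live.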
Re: [squid-users] Squid not working for me
AAaaargh! Sorry, I meant to reply to the list, but that doesn't seem to be the default. Sorry.

Amos,

Many thanks for the reply; I had almost given up!

On Jan 7, 2008 12:52 PM, Amos Jeffries [EMAIL PROTECTED] wrote:
> So this is a webserver accelerator too?
> Think about adding defaultsite= option to cope with the many broken web clients that may be accessing your server.

The main requirement is for some kind of control over the user's browsing habits.

> This port is also the cause of your problem. You are running squid as a non-privileged user. To access a special port < 1024 you MUST run squid as root and let it drop down to unprivileged by itself at the right times.

Yes it is being started as root with /etc/init.d/squid restart, or by the boot sequence.

The line http_port 192.168.60:80 vhost vport=8080 has a typo, which I have since corrected.

In fact I have been researching this quite extensively and have tried a number of different configurations of squid.conf without success so far.

My squid.conf now looks like this:

  visible_hostname Base
  acl IQNetwork src 192.168.60.0/24
  acl all src 0.0.0.0/0.0.0.0
  http_access allow IQNetwork
  http_port 3128 transparent
  hierarchy_stoplist cgi-bin ?
  access_log /var/log/squid/access.log squid
  refresh_pattern ^ftp:     1440  20%  10080
  refresh_pattern ^gopher:  1440   0%   1440
  refresh_pattern .            0  20%   4320

> Please use Squid 2.6STABLE17 or 3.0STABLE1.
> There are serious security advisories out on all earlier releases.

I have downloaded and recompiled Squid2.6.STABLE17 as part of the ongoing effort to get it working, but still no joy.

My iptables look like this:

  [EMAIL PROTECTED]:/home/dave# iptables -t nat -L
  Chain PREROUTING (policy ACCEPT)
  target     prot opt source               destination
  DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.60.254:3128
  DNAT       tcp  --  anywhere             anywhere            tcp dpt:https to:192.168.60.254:3128
  DNAT       tcp  --  anywhere             anywhere            tcp dpt:3128 to:192.168.60.254:3128
  DNAT       tcp  --  anywhere             anywhere            tcp dpt:webcache to:192.168.60.254:3128

  Chain POSTROUTING (policy ACCEPT)
  target     prot opt source               destination
  MASQUERADE  0    --  192.168.60.0/24      anywhere

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

But still no joy
Re: [squid-users] Squid not working for me
Dave Coventry wrote:
> AAaaargh! Sorry, I meant to reply to the list, but that doesn't seem to be the default. Sorry.
>
> Amos,
>
> Many thanks for the reply; I had almost given up!
>
> On Jan 7, 2008 12:52 PM, Amos Jeffries [EMAIL PROTECTED] wrote:
>> So this is a webserver accelerator too?
>> Think about adding defaultsite= option to cope with the many broken web clients that may be accessing your server.
>
> The main requirement is for some kind of control over the user's browsing habits.
>
>> This port is also the cause of your problem. You are running squid as a non-privileged user. To access a special port < 1024 you MUST run squid as root and let it drop down to unprivileged by itself at the right times.
>
> Yes it is being started as root with /etc/init.d/squid restart, or by the boot sequence.
>
> The line http_port 192.168.60:80 vhost vport=8080 has a typo, which I have since corrected.
>
> In fact I have been researching this quite extensively and have tried a number of different configurations of squid.conf without success so far.
>
> My squid.conf now looks like this:
>
>   visible_hostname Base
>   acl IQNetwork src 192.168.60.0/24
>   acl all src 0.0.0.0/0.0.0.0
>   http_access allow IQNetwork
>   http_port 3128 transparent
>   hierarchy_stoplist cgi-bin ?
>   access_log /var/log/squid/access.log squid
>   refresh_pattern ^ftp:     1440  20%  10080
>   refresh_pattern ^gopher:  1440   0%   1440
>   refresh_pattern .            0  20%   4320
>
>> Please use Squid 2.6STABLE17 or 3.0STABLE1.
>> There are serious security advisories out on all earlier releases.
>
> I have downloaded and recompiled Squid2.6.STABLE17 as part of the ongoing effort to get it working, but still no joy.
>
> My iptables look like this:
>
>   [EMAIL PROTECTED]:/home/dave# iptables -t nat -L
>   Chain PREROUTING (policy ACCEPT)
>   target     prot opt source               destination
>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.60.254:3128
>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:https to:192.168.60.254:3128

The current releases of squid do not support HTTPS transparently.
There is only an experimental patch waiting for 3.1 called SSLBump which is supposed to handle that sort of thing.

>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:3128 to:192.168.60.254:3128
>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:webcache to:192.168.60.254:3128
>
>   Chain POSTROUTING (policy ACCEPT)
>   target     prot opt source               destination
>   MASQUERADE  0    --  192.168.60.0/24      anywhere
>
>   Chain OUTPUT (policy ACCEPT)
>   target     prot opt source               destination
>
> But still no joy

Does squid have port 80 outbound without going through the redirect?
what does cache.log say? (usually .../logs/cache.log)

Amos
--
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
Re: [squid-users] Squid not working for me
On Jan 7, 2008 4:32 PM, Amos Jeffries wrote:
> The current releases of squid do not support HTTPS transparently.
> There is only an experimental patch waiting for 3.1 called SSLBump which is supposed to handle that sort of thing.

Yes, I understand that. Obviously ssl cannot go through a man-in-the-middle. I'll remove the iptable rule.

>>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:3128 to:192.168.60.254:3128
>>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:webcache to:192.168.60.254:3128
>>
>>   Chain POSTROUTING (policy ACCEPT)
>>   target     prot opt source               destination
>>   MASQUERADE  0    --  192.168.60.0/24      anywhere
>>
>>   Chain OUTPUT (policy ACCEPT)
>>   target     prot opt source               destination
>>
>> But still no joy
>
> Does squid have port 80 outbound without going through the redirect?
> what does cache.log say? (usually .../logs/cache.log)

Yes, I think it does. I can use firefox on the machine and there is no corresponding entry in /var/log/squid/cache.log

Here is the contents of /var/log/squid/cache.log

  2008/01/07 13:44:55| Starting Squid Cache version 2.6.STABLE14 for i386-debian-linux-gnu...
  2008/01/07 13:44:55| Process ID 5934
  2008/01/07 13:44:55| With 1024 file descriptors available
  2008/01/07 13:44:55| Using epoll for the IO loop
  2008/01/07 13:44:55| DNS Socket created at 0.0.0.0, port 32775, FD 6
  2008/01/07 13:44:55| Adding nameserver 192.168.10.213 from /etc/resolv.conf
  2008/01/07 13:44:55| User-Agent logging is disabled.
  2008/01/07 13:44:55| Referer logging is disabled.
  2008/01/07 13:44:55| Unlinkd pipe opened on FD 11
  2008/01/07 13:44:55| Swap maxSize 102400 KB, estimated 7876 objects
  2008/01/07 13:44:55| Target number of buckets: 393
  2008/01/07 13:44:55| Using 8192 Store buckets
  2008/01/07 13:44:55| Max Mem  size: 8192 KB
  2008/01/07 13:44:55| Max Swap size: 102400 KB
  2008/01/07 13:44:55| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
  2008/01/07 13:44:55| Rebuilding storage in /var/spool/squid (CLEAN)
  2008/01/07 13:44:55| Using Least Load store dir selection
  2008/01/07 13:44:55| Set Current Directory to /var/spool/squid
  2008/01/07 13:44:55| Loaded Icons.
  2008/01/07 13:44:55| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
  2008/01/07 13:44:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
  2008/01/07 13:44:55| HTCP Disabled.
  2008/01/07 13:44:55| WCCP Disabled.
  2008/01/07 13:44:55| Ready to serve requests.
  2008/01/07 13:44:55| Done reading /var/spool/squid swaplog (56 entries)
  2008/01/07 13:44:55| Finished rebuilding storage from disk.
  2008/01/07 13:44:55|        56 Entries scanned
  2008/01/07 13:44:55|         0 Invalid entries.
  2008/01/07 13:44:55|         0 With invalid flags.
  2008/01/07 13:44:55|        56 Objects loaded.
  2008/01/07 13:44:55|         0 Objects expired.
  2008/01/07 13:44:55|         0 Objects cancelled.
  2008/01/07 13:44:55|         0 Duplicate URLs purged.
  2008/01/07 13:44:55|         0 Swapfile clashes avoided.
  2008/01/07 13:44:55|   Took 0.4 seconds ( 136.4 objects/sec).
  2008/01/07 13:44:55| Beginning Validation Procedure
  2008/01/07 13:44:55|   Completed Validation Procedure
  2008/01/07 13:44:55|   Validated 56 Entries
  2008/01/07 13:44:55|   store_swap_size = 1920k
  2008/01/07 13:44:55| Configuring Parent proxy.ua.pt/3128/3130
  2008/01/07 13:44:56| storeLateRelease: released 0 objects

I'm going to recompile my kernel next and see if that's not the problem.

Anything else I could try?
Re: [squid-users] Squid not working for me
> My iptables look like this:
>
>   [EMAIL PROTECTED]:/home/dave# iptables -t nat -L
>   Chain PREROUTING (policy ACCEPT)
>   target     prot opt source               destination
>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.60.254:3128
>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:https to:192.168.60.254:3128
>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:3128 to:192.168.60.254:3128
>   DNAT       tcp  --  anywhere             anywhere            tcp dpt:webcache to:192.168.60.254:3128
>
>   Chain POSTROUTING (policy ACCEPT)
>   target     prot opt source               destination
>   MASQUERADE  0    --  192.168.60.0/24      anywhere
>
>   Chain OUTPUT (policy ACCEPT)
>   target     prot opt source               destination
>
> But still no joy

What about iptables' INPUT chain. try to add below.

  #For squid traffic to Accept
  iptables -A INPUT -i eth1 -d 192.168.60.254 -p tcp -s 192.168.60.0/24 --dport 3128 -j ACCEPT

I assume eth1 is the interface connected to LAN.

--
Thank you
Indunil Jayasooriya
Re: [squid-users] Squid not working for me
Damn! Did it again. Sent the reply direct rather than to the list. Sorry.

Indunil,

Thanks very much for your assistance.

On Jan 8, 2008 4:57 AM, Indunil Jayasooriya wrote:
> What about iptables' INPUT chain. try to add below.
>
>   #For squid traffic to Accept
>   iptables -A INPUT -i eth1 -d 192.168.60.254 -p tcp -s 192.168.60.0/24 --dport 3128 -j ACCEPT

I get this error message.

  --dport not found.

I'm thinking of recompiling my kernel, I can't think it will help, but it's worth a try...

> I assume eth1 is the interface connected to LAN.

Yes, eth1 is on the LAN.