Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2013-01-14 Thread Amos Jeffries

On 15/01/2013 5:00 a.m., Leslie Jensen wrote:



2013-01-14 16:05, Eliezer Croitoru wrote:

On 1/14/2013 1:48 PM, Leslie Jensen wrote:


I've now upgraded squid to 3.2 and rewritten the firewall rule that
resulted in a forwarding loop.

Unfortunately I've got no access now and I can't see where I've made the
error.

The browser says squid is rejecting the requests:
Access control configuration prevents your request from being allowed at
this time.


1358162295.975  0 172.18.0.1 TCP_MISS/403 4052 GET
http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET
http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110  0 172.18.0.1 TCP_MISS/403 4166 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1
text/html
1358162296.219  0 172.18.0.1 TCP_MISS/403 4058 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.219  1 172.18.0.102 TCP_MISS/403 4143 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 
text/html

1358162296.239  0 172.18.0.1 TCP_MISS/403 4090 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.240  1 172.18.0.102 TCP_MISS/403 4175 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 
text/html




Look closely.. it's not squid.
If it was squid you would have seen TCP_DENIED.
You get a TCP_MISS, which squid is OK with, but a remote server DENIES you
with a 403 response.


Looking even closer there is a HIER_NONE showing the first TCP_MISS is
from Squid.


I think there are two bugs here:
1) the Host verification logic is resulting in TCP_MISS being logged 
instead of TCP_DENIED on its 403 rejection.


2) his firewall intercept rules are catching Squid outbound traffic and 
redirecting it to Squid.




I would say it looks pretty bad since every request seems to go into
squid from two IP addresses, which is like a loop.. but one which squid
cannot recognize for an unknown reason.


172.18.0.1 is Squids own IP.





What have you done in the firewall to prevent the forwarding loop?

By the way, did you try to have a rule that allows all web requests
from the local machine of the proxy to not be intercepted?

Regards,
Eliezer


I've tried two things.

First I disabled the rule that redirects the web traffic so that it 
goes directly to the Internet.


It works.

Then with the above rule still disabled I made the browser aware of 
the proxy by setting it manually in the browser settings.


Then I get the same behaviour.

I'm aware that tcp_miss should not be squid but with the redirecting 
rule disabled I do not quite understand where it goes wrong.


I'll look into your suggestion and see if it helps.

Thanks :-)

/Leslie
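The checks Eliezer and Amos make by eye on the access.log above can be written down. The following Python is an added example, not code from the thread or from the Squid project: it parses native-format access.log lines, classifies each 403 (TCP_DENIED means Squid's own http_access rules; a peer field of HIER_DIRECT/<the proxy's own IP> means Squid fetched the URL from itself; a HIER_NONE line whose client is the proxy's own IP is the re-intercepted inner request), and pairs the inner and outer lines of a forwarding loop. The proxy address 172.18.0.1 and the sample lines are taken from the thread; the function names, the pairing window and the classification labels are my own.

```python
import re

# Squid native ("squid") access.log format, one request per line:
#   time elapsed client action/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# The proxy's own address, as Amos states in the thread.
PROXY_IP = "172.18.0.1"

# Four of the access.log lines Leslie posted, re-joined onto single lines.
SAMPLE_LOG = """\
1358162295.975      0 172.18.0.1 TCP_MISS/403 4052 GET http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976     11 172.18.0.102 TCP_MISS/403 4137 GET http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110      0 172.18.0.1 TCP_MISS/403 4166 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110     99 172.18.0.102 TCP_MISS/403 4251 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1 text/html
"""


def parse_log(text):
    """Parse native-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def classify_403(entry, proxy_ip=PROXY_IP):
    """Say who produced a 403, following the reasoning in the thread.

    acl-denied        -> TCP_DENIED: Squid's own http_access rules rejected it.
    forwarded-to-self -> peer is the proxy's own IP: the "origin server" that
                         sent the 403 was Squid itself (its outbound connection
                         was caught by the intercept rule).
    local-reply       -> HIER_NONE: answered without contacting any server;
                         here it is the inner request Squid refused, logged as
                         TCP_MISS instead of TCP_DENIED (the logging bug Amos notes).
    """
    if entry["action"] == "TCP_DENIED":
        return "acl-denied"
    if entry["peer"] == proxy_ip:
        return "forwarded-to-self"
    if entry["hier"] == "HIER_NONE":
        return "local-reply"
    return "origin-reply"


def find_loops(entries, proxy_ip=PROXY_IP, window=1.0):
    """Pair each request Squid made to itself with the client request behind it.

    A loop shows up as two lines for the same URL within `window` seconds:
    the outer one from a real client with peer == proxy_ip, and the inner one
    whose *client* is proxy_ip (Squid's own outbound connection re-intercepted).
    """
    loops = []
    inner = [e for e in entries if e["client"] == proxy_ip]
    for i in inner:
        for o in entries:
            if (o["client"] != proxy_ip and o["peer"] == proxy_ip
                    and o["url"] == i["url"] and abs(o["ts"] - i["ts"]) <= window):
                loops.append({"url": i["url"], "client": o["client"],
                              "inner_status": i["status"], "outer_status": o["status"]})
    return loops


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e['client']:>14} {e['action']}/{e['status']} {e['url']}: {classify_403(e)}")
    for loop in find_loops(entries):
        print("forwarding loop:", loop)
```

On the sample, both client requests pair with an inner request from 172.18.0.1, which is the signature Amos describes: the firewall's intercept rule is catching Squid's own outbound traffic. A rule that exempts the proxy host's own source address from redirection removes the inner lines; any remaining 403s then classify as acl-denied or origin-reply.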







Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2013-01-14 Thread Leslie Jensen



2013-01-14 16:05, Eliezer Croitoru wrote:

On 1/14/2013 1:48 PM, Leslie Jensen wrote:


I've now upgraded squid to 3.2 and rewritten the firewall rule that
resulted in a forwarding loop.

Unfortunately I've got no access now and I can't see where I've made the
error.

The browser says squid is rejecting the requests:
Access control configuration prevents your request from being allowed at
this time.


1358162295.975  0 172.18.0.1 TCP_MISS/403 4052 GET
http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET
http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110  0 172.18.0.1 TCP_MISS/403 4166 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1
text/html
1358162296.219  0 172.18.0.1 TCP_MISS/403 4058 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.219  1 172.18.0.102 TCP_MISS/403 4143 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html
1358162296.239  0 172.18.0.1 TCP_MISS/403 4090 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.240  1 172.18.0.102 TCP_MISS/403 4175 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html



Look closely.. it's not squid.
If it was squid you would have seen TCP_DENIED.
You get a TCP_MISS, which squid is OK with, but a remote server DENIES you
with a 403 response.

I would say it looks pretty bad since every request seems to go into
squid from two IP addresses, which is like a loop.. but one which squid
cannot recognize for an unknown reason.

What have you done in the firewall to prevent the forwarding loop?

By the way, did you try to have a rule that allows all web requests
from the local machine of the proxy to not be intercepted?

Regards,
Eliezer


I've tried two things.

First I disabled the rule that redirects the web traffic so that it goes 
directly to the Internet.


It works.

Then with the above rule still disabled I made the browser aware of the 
proxy by setting it manually in the browser settings.


Then I get the same behaviour.

I'm aware that tcp_miss should not be squid but with the redirecting 
rule disabled I do not quite understand where it goes wrong.


I'll look into your suggestion and see if it helps.

Thanks :-)

/Leslie





Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2013-01-14 Thread Eliezer Croitoru

On 1/14/2013 1:48 PM, Leslie Jensen wrote:


I've now upgraded squid to 3.2 and rewritten the firewall rule that
resulted in a forwarding loop.

Unfortunately I've got no access now and I can't see where I've made the
error.

The browser says squid is rejecting the requests:
Access control configuration prevents your request from being allowed at
this time.


1358162295.975  0 172.18.0.1 TCP_MISS/403 4052 GET
http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET
http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110  0 172.18.0.1 TCP_MISS/403 4166 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1
text/html
1358162296.219  0 172.18.0.1 TCP_MISS/403 4058 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.219  1 172.18.0.102 TCP_MISS/403 4143 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html
1358162296.239  0 172.18.0.1 TCP_MISS/403 4090 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.240  1 172.18.0.102 TCP_MISS/403 4175 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html



Look closely.. it's not squid.
If it was squid you would have seen TCP_DENIED.
You get a TCP_MISS, which squid is OK with, but a remote server DENIES you
with a 403 response.


I would say it looks pretty bad since every request seems to go into
squid from two IP addresses, which is like a loop.. but one which squid
cannot recognize for an unknown reason.


What have you done in the firewall to prevent the forwarding loop?

By the way, did you try to have a rule that allows all web requests
from the local machine of the proxy to not be intercepted?


Regards,
Eliezer


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2013-01-14 Thread Leslie Jensen


I've now upgraded squid to 3.2 and rewritten the firewall rule that 
resulted in a forwarding loop.


Unfortunately I've got no access now and I can't see where I've made the 
error.


The browser says squid is rejecting the requests:
Access control configuration prevents your request from being allowed at 
this time.



1358162295.975  0 172.18.0.1 TCP_MISS/403 4052 GET 
http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET 
http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110  0 172.18.0.1 TCP_MISS/403 4166 GET 
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET 
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1 text/html
1358162296.219  0 172.18.0.1 TCP_MISS/403 4058 GET 
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.219  1 172.18.0.102 TCP_MISS/403 4143 GET 
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html
1358162296.239  0 172.18.0.1 TCP_MISS/403 4090 GET 
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.240  1 172.18.0.102 TCP_MISS/403 4175 GET 
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html



My squid.conf

---
http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080
cache_mem 32 MB
maximum_object_size 100 MB
cache_dir ufs /usr/local/squid/cache 1024 16 256
cache_store_log none
access_log /usr/local/squid/logs/access.log squid
logfile_rotate 2
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (cgi-bin|\?) 0       0%      0
refresh_pattern .               0       20%     4320
acl localnet src 172.18.0.1-172.18.0.254
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 591 # filemaker
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
visible_hostname machine01.no-ip.org
cache_mgr mym...@domain.se
buffered_logs on
coredump_dir /usr/local/squid/cache
---


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-27 Thread Eliezer Croitoru



On 11/22/2012 12:14 PM, Leslie Jensen wrote:
<>

At the moment I've reverted back to 3.1 but I would like to make a
successful upgrade :-)


Thanks

/Leslie


It seems to me like there is a problem in your NAT settings in PF,
but I didn't test it.
I have been using this:
##start
ext_if=em0
int_if=em1
rede="{192.168.11.0/24}"


nat on $ext_if from $rede to any -> ($ext_if)

#rdr on $ext_if inet proto tcp to port 22 -> 192.168.1.102 22
#set skip on $int_if << These lines commented out
#set skip on $wi_if

# redirect only IPv4 web traffic to squid
rdr pass inet proto tcp from 192.168.11.0/24 to any port 80 -> 127.0.0.1 port 3129


#block in
pass in quick on $int_if
pass in quick on $ext_if
pass out keep state
##end

with: squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_effective_user squid
##end

and it seems to work fine.

I compiled squid with basic
./configure --enable-pf-transparent

nothing more.

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-24 Thread Eliezer Croitoru

Ho,

This is another story.
It seems to me like you configured something wrong in your IPFW.
It might be connected to squid but not directly.

Take a look at this Example and make sure what your settings are:
http://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw

What the problem can be is the lack of a definition restricting
interception to the SRC\CLIENTS interface only.


Hope it will help you.
If you can share your IPFW rules\script it will be helpful to others.

Regards,
Eliezer

On 11/24/2012 3:18 PM, Leslie Jensen wrote:



I've rebuilt and installed version 3.2

The message below comes with every site I try to connect to.
I understand that a forwarding loop is not good but I fail to see the
cause.



2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1^M
Host: www.squid-cache.org^M
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2^M
Accept: image/png,image/*;q=0.8,*/*;q=0.5^M
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3^M
Accept-Encoding: gzip, deflate^M
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7^M
Referer: http://www.aftonbladet.se/^M
Via: 1.1 dentista01.no-ip.org (squid/3.2.3)^M
X-Forwarded-For: 172.18.0.100^M
Cache-Control: max-age=259200^M
Connection: keep-alive^M


Thanks

/Leslie


--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-24 Thread Leslie Jensen



Eliezer Croitoru wrote 2012-11-23 09:13:



On 11/23/2012 10:00 AM, Leslie Jensen wrote:

I'm not really sure that I understand the meaning or effect of the
above. We do not have browsers configured with proxy. When I set this up
a few years back the whole idea was that the users should not have to
make any configuration of the browser.

Maybe that's why we got the error with 3.2?

So if I understand correctly this is what I should do


 http_port 127.0.0.1:8080 intercept
 http_port 172.18.0.1:8080 intercept
 http_port 127.0.0.1:8080
 http_port 172.18.0.1:8080


The above settings cannot exist!
This is since you are using one port paired with an IP for intercept.
Squid must have one http_port XXX whatever, whether you will use it or not.
If you have one port used for either intercept or regular forward proxy
you can't use it for another use, whatever you want, so:

http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080

should be what you need.

Also I don't know why you should have a 127.0.0.1:8080 with intercept on
the same line.

I have never seen a use for that in the real world unless you are
intercepting the local outgoing connections, which I doubt is good.
But it's your needs.

Regards,
Eliezer








I've rebuilt and installed version 3.2

The message below comes with every site I try to connect to.
I understand that a forwarding loop is not good but I fail to see the cause.



2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1^M
Host: www.squid-cache.org^M
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2^M
Accept: image/png,image/*;q=0.8,*/*;q=0.5^M
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3^M
Accept-Encoding: gzip, deflate^M
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7^M
Referer: http://www.aftonbladet.se/^M
Via: 1.1 dentista01.no-ip.org (squid/3.2.3)^M
X-Forwarded-For: 172.18.0.100^M
Cache-Control: max-age=259200^M
Connection: keep-alive^M


Thanks

/Leslie



Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-23 Thread Leslie Jensen



Eliezer Croitoru wrote 2012-11-23 09:13:







The above settings cannot exist!
This is since you are using one port paired with an IP for intercept.
Squid must have one http_port XXX whatever, whether you will use it or not.
If you have one port used for either intercept or regular forward proxy
you can't use it for another use, whatever you want, so:

http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080

should be what you need.

Also I don't know why you should have a 127.0.0.1:8080 with intercept on
the same line.

I have never seen a use for that in the real world unless you are
intercepting the local outgoing connections, which I doubt is good.
But it's your needs.

Regards,
Eliezer



Thank you!

I've made the change.

When I first set up this machine it was with squid version 2.6 or 2.7 if 
I remember correctly. It is set up with pf so that all outgoing http 
traffic should go through squid.


I followed instructions on the pf website and I also got advice from
this list.


The configuration file has been along all the time and I might not have
been totally observant of changes that were introduced in the various
squid versions. As long as it has been working I've been happy.


With squid running so well I've not had to bother with configuration and
therefore I'm sure I've forgotten why I did certain configurations. That's
why I comment a lot in the config file.


I really appreciate your help and I'm very open to suggestions that
optimize what I already have.


/Leslie



Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-23 Thread Eliezer Croitoru



On 11/23/2012 10:00 AM, Leslie Jensen wrote:

I'm not really sure that I understand the meaning or effect of the
above. We do not have browsers configured with proxy. When I set this up
a few years back the whole idea was that the users should not have to
make any configuration of the browser.

Maybe that's why we got the error with 3.2?

So if I understand correctly this is what I should do


 http_port 127.0.0.1:8080 intercept
 http_port 172.18.0.1:8080 intercept
 http_port 127.0.0.1:8080
 http_port 172.18.0.1:8080


The above settings cannot exist!
This is since you are using one port paired with an IP for intercept.
Squid must have one http_port XXX whatever, whether you will use it or not.
If you have one port used for either intercept or regular forward proxy
you can't use it for another use, whatever you want, so:

http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080

should be what you need.

Also I don't know why you should have a 127.0.0.1:8080 with intercept on
the same line.

I have never seen a use for that in the real world unless you are
intercepting the local outgoing connections, which I doubt is good.

But it's your needs.

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngt...@sip2sip.info
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-23 Thread Leslie Jensen



Amos Jeffries wrote 2012-11-23 03:14:



+ 3.2 intercept port receiving forward-proxy requests will reject them
due to NAT failure/lies.

+ 3.2 Host header validation *will* reject if forward traffic is
validated as being intercepted.


** you need at minimum to add a http_port line without "intercept" on it
for the Squid icons and configured browsers to fetch from.




I'm not really sure that I understand the meaning or effect of the 
above. We do not have browsers configured with proxy. When I set this up 
a few years back the whole idea was that the users should not have to 
make any configuration of the browser.


Maybe that's why we got the error with 3.2?

So if I understand correctly this is what I should do


http_port 127.0.0.1:8080 intercept
http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080
http_port 172.18.0.1:8080


Thanks

/Leslie





Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Leslie Jensen



Amos Jeffries wrote 2012-11-23 03:14:

On 23/11/2012 11:45 a.m., Eliezer Croitoru wrote:

The basic thing is to know the IP address of the client since you are
allowing only a specific number of IP addresses to use the proxy.
You can send it to me on my private mail and just the relevant
"denied" lines are what I need.

Regards,
Eliezer

On 11/22/2012 4:41 PM, Leslie Jensen wrote:



Eliezer Croitoru wrote 2012-11-22 15:19:

Next time just clean the file first to make it more readable:
use the command cat squid.conf|sed 's/^[ \t]*//'|sed 's/^#.*//'|sed '/^$/d'

##start



##end

It seems to me like a forward proxy, and the only reason I can think of for it
not to work is:
missing credentials-related settings.
With the current config file squid only allows users with specific SRC
IPs, which are only localhost\127.0.0.1/8 and a range of 172.18.0.0/24.
Also you didn't post the access.log output for the request, but it seems
like you have one missing ACL.


+ 3.2 intercept port receiving forward-proxy requests will reject them
due to NAT failure/lies.

+ 3.2 Host header validation *will* reject if forward traffic is
validated as being intercepted.


** you need at minimum to add a http_port line without "intercept" on it
for the Squid icons and configured browsers to fetch from.


Also, on checking the config file there are some minor annoyances which
will be adding extra warnings into your cache.log:

* the "QUERY" ACL is now deprecated. You should remove it from your
config along with the "no_cache" (obsolete by itself) directive that
uses it.

* the hierarchy_stoplist is also deprecated and causes slightly more
harm than good. Can be removed.

* default refresh pattern is outdated. The current CGI pattern is
"refresh_pattern -i (/cgi-bin/|\?) 0 0% 0"

* remove localhost ACL re-definition. Using the old definition will
cause existing Squid to not even start. Fix for that has yet to be
published.

* remove localhost ACL re-definition

* remove to_localhost ACL re-definition


Amos


Thank you for all the good advice.

I couldn't find any denied lines in the log!

I'll run another test with 3.2 in the weekend using Amos's suggestions and
report back from that.


/Leslie



Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Amos Jeffries

On 23/11/2012 11:45 a.m., Eliezer Croitoru wrote:
The basic thing is to know the IP address of the client since you are
allowing only a specific number of IP addresses to use the proxy.
You can send it to me on my private mail and just the relevant
"denied" lines are what I need.


Regards,
Eliezer

On 11/22/2012 4:41 PM, Leslie Jensen wrote:



Eliezer Croitoru wrote 2012-11-22 15:19:

Next time just clean the file first to make it more readable:
use the command cat squid.conf|sed 's/^[ \t]*//'|sed 's/^#.*//'|sed '/^$/d'

##start



##end

It seems to me like a forward proxy, and the only reason I can think of for it
not to work is:
missing credentials-related settings.
With the current config file squid only allows users with specific SRC
IPs, which are only localhost\127.0.0.1/8 and a range of 172.18.0.0/24.
Also you didn't post the access.log output for the request, but it seems
like you have one missing ACL.


+ 3.2 intercept port receiving forward-proxy requests will reject them 
due to NAT failure/lies.


+ 3.2 Host header validation *will* reject if forward traffic is 
validated as being intercepted.



** you need at minimum to add a http_port line without "intercept" on it 
for the Squid icons and configured browsers to fetch from.



Also, on checking the config file there are some minor annoyances which
will be adding extra warnings into your cache.log:


* the "QUERY" ACL is now deprecated. You should remove it from your
config along with the "no_cache" (obsolete by itself) directive that
uses it.


* the hierarchy_stoplist is also deprecated and causes slightly more
harm than good. Can be removed.


* default refresh pattern is outdated. The current CGI pattern is
"refresh_pattern -i (/cgi-bin/|\?) 0 0% 0"


* remove localhost ACL re-definition. Using the old definition will 
cause existing Squid to not even start. Fix for that has yet to be 
published.


* remove localhost ACL re-definition

* remove to_localhost ACL re-definition


Amos
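The two rules stated in this thread, Eliezer's (one address:port cannot be both an intercept and a forward-proxy http_port, and there must be at least one http_port without "intercept") and Amos's list of deprecated directives and re-defined built-in ACLs, can be checked mechanically before squid -k parse is ever run. The following Python is an added example, not a Squid tool and not code from the thread: it first cleans the file the way Eliezer's sed pipeline does, then lints the result. The sample inputs are trimmed from the squid.conf Leslie posted and from the four-line http_port block Leslie proposed; the finding codes and messages are my own.

```python
# Directives Amos lists as deprecated/obsolete in 3.2, with the advice given.
DEPRECATED = {
    "no_cache": "obsolete; remove it together with the QUERY acl it uses",
    "hierarchy_stoplist": "deprecated and does more harm than good; remove it",
}
# ACLs predefined by Squid 3.2; re-defining them is what broke startup here.
BUILTIN_ACLS = {"manager", "localhost", "to_localhost", "all"}
CURRENT_CGI_PATTERN = r"refresh_pattern -i (/cgi-bin/|\?) 0 0% 0"

# Trimmed from the squid.conf Leslie posted (a comment and a blank line left in).
LESLIE_CONF = """\
http_port 127.0.0.1:8080 intercept
http_port 172.18.0.1:8080 intercept
hierarchy_stoplist cgi-bin ? php asp
acl QUERY urlpath_regex cgi-bin \\?
no_cache deny QUERY
   # indented comment, dropped by clean_conf
refresh_pattern (cgi-bin|\\?) 0 0% 0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.18.0.0/24

http_access allow localnet
http_access deny all
"""

# The four-line http_port block Leslie proposed later in the thread.
PROPOSED_PORTS = """\
http_port 127.0.0.1:8080 intercept
http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080
http_port 172.18.0.1:8080
"""


def clean_conf(text):
    """Same effect as Eliezer's sed pipeline: strip leading whitespace,
    drop comment lines and blank lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.lstrip()
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def lint(text):
    """Return (code, message) findings for the problems discussed in the thread."""
    findings = []
    ports = {}  # "addr:port" -> "intercept" | "forward"
    for line in clean_conf(text):
        parts = line.split()
        directive, args = parts[0], parts[1:]
        if directive == "http_port" and args:
            addr = args[0]
            mode = "intercept" if "intercept" in args[1:] else "forward"
            if addr in ports:
                findings.append(("dup_port",
                    f"http_port {addr} is listed twice ({ports[addr]} and {mode}); "
                    "one address:port cannot serve both modes"))
            ports[addr] = mode
        elif directive in DEPRECATED:
            findings.append(("deprecated_directive", f"{directive}: {DEPRECATED[directive]}"))
        elif directive == "acl" and args:
            if args[0] in BUILTIN_ACLS:
                findings.append(("builtin_acl",
                    f"acl {args[0]} is predefined in Squid 3.2; remove the re-definition"))
            elif args[0] == "QUERY":
                findings.append(("query_acl", "the QUERY acl is deprecated; remove it with no_cache"))
        elif directive == "refresh_pattern" and "cgi-bin" in line and "/cgi-bin/" not in line:
            findings.append(("old_cgi_pattern", f"outdated CGI refresh_pattern; use: {CURRENT_CGI_PATTERN}"))
    if ports and "forward" not in ports.values():
        findings.append(("no_forward_port",
            "every http_port is 'intercept'; add one without it for configured "
            "browsers and the Squid icons"))
    return findings


if __name__ == "__main__":
    for name, conf in (("leslie", LESLIE_CONF), ("proposed ports", PROPOSED_PORTS)):
        print(f"== {name}")
        for code, msg in lint(conf):
            print(f"  [{code}] {msg}")
```

Run on Leslie's original file the linter reports the three re-defined built-in ACLs, both deprecated directives, the QUERY acl, the old CGI pattern, and the missing non-intercept port; run on the proposed four-line block it reports the two duplicated address:port pairs, which is exactly Eliezer's objection.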


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Eliezer Croitoru
The basic thing is to know the IP address of the client since you are
allowing only a specific number of IP addresses to use the proxy.
You can send it to me on my private mail and just the relevant "denied"
lines are what I need.


Regards,
Eliezer

On 11/22/2012 4:41 PM, Leslie Jensen wrote:



Eliezer Croitoru wrote 2012-11-22 15:19:

Next time just clean the file first to make it more readable:
use the command cat squid.conf|sed 's/^[ \t]*//'|sed 's/^#.*//'|sed '/^$/d'

##start



##end

It seems to me like a forward proxy, and the only reason I can think of for it
not to work is:
missing credentials-related settings.
With the current config file squid only allows users with specific SRC
IPs, which are only localhost\127.0.0.1/8 and a range of 172.18.0.0/24.
Also you didn't post the access.log output for the request, but it seems
like you have one missing ACL.

What are the IPFW rules for interception?

Eliezer



I'll remember to clean the file next time.

I've got the access.log. It's quite a large file and there are no
timestamps so that I could clean it and post the relevant information.

How should I do it?

Thanks

/Leslie




--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Leslie Jensen



Eliezer Croitoru wrote 2012-11-22 15:19:

Next time just clean the file first to make it more readable:
use the command cat squid.conf|sed 's/^[ \t]*//'|sed 's/^#.*//'|sed '/^$/d'

##start
http_port 127.0.0.1:8080 intercept
http_port 172.18.0.1:8080 intercept
hierarchy_stoplist cgi-bin ? php asp
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
maximum_object_size 100 MB
cache_dir ufs /usr/local/squid/cache 1024 16 256
cache_store_log none
access_log /usr/local/squid/logs/access.log squid
logfile_rotate 2
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl localnet src 172.18.0.1-172.18.0.254
#try to change this into
acl localnet src 172.18.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 591 # filemaker
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
#remove these if you want to remove something
visible_hostname 
cache_mgr YYY
buffered_logs on
coredump_dir /usr/local/squid/cache
##end

It seems to me like a forward proxy, and the only reason I can think of for it
not to work is:
missing credentials-related settings.
With the current config file squid only allows users with specific SRC
IPs, which are only localhost\127.0.0.1/8 and a range of 172.18.0.0/24.
Also you didn't post the access.log output for the request, but it seems
like you have one missing ACL.

What are the IPFW rules for interception?

Eliezer



I'll remember to clean the file next time.

I've got the access.log. It's quite a large file and there are no 
timestamps so that I could clean it and post the relevant information.


How should I do it?

Thanks

/Leslie




Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Eliezer Croitoru

Next time just clean the file first to make it more readable:
use the command cat squid.conf|sed 's/^[ \t]*//'|sed 's/^#.*//'|sed '/^$/d'

##start
http_port 127.0.0.1:8080 intercept
http_port 172.18.0.1:8080 intercept
hierarchy_stoplist cgi-bin ? php asp
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
maximum_object_size 100 MB
cache_dir ufs /usr/local/squid/cache 1024 16 256
cache_store_log none
access_log /usr/local/squid/logs/access.log squid
logfile_rotate 2
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#acl localnet src 172.18.0.1-172.18.0.254
#try to change this into
acl localnet src 172.18.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 591 # filemaker
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
#remove these if you want to remove something
visible_hostname 
cache_mgr YYY
buffered_logs on
coredump_dir /usr/local/squid/cache
##end

It seems to me like a forward proxy, and the only reason I can think of for it
not to work is:

missing credentials-related settings.
With the current config file squid only allows users with specific SRC
IPs, which are only localhost\127.0.0.1/8 and a range of 172.18.0.0/24.
Also you didn't post the access.log output for the request, but it seems
like you have one missing ACL.


What are the IPFW rules for interception?

Eliezer

On 11/22/2012 3:39 PM, Leslie Jensen wrote:



Amos Jeffries wrote 2012-11-22 13:24:

On 23/11/2012 12:28 a.m., Leslie Jensen wrote:



Pavel Bychykhin wrote 2012-11-22 12:15:



22.11.2012 12:14, Leslie Jensen wrote:

Hi list.

I just upgraded Squid from 3.1 to 3.2 on my Freebsd version 8.3

In my squid.conf I had the following lines that I got complaints from
when starting squid after the upgrade.

---
  Define access control lists
#   acl all is defined by default in version 3.0 STABLE

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8



You should remove all 3 entries from squid.conf, as they are all
predefined in squid 3.2



As I wrote, I did so but the users now get the error I described.



ACCESS_DENIED is an explicit ACL rejection. Your configuration details,
as well as that domain name and client IP you elided are important to
track this down.

Also, are you using a forward proxy?
   interception proxy? (how?)
   reverse proxy?
or a mixture of the above?

Amos



Sorry about that. With squid working with my conf file at version 3.1
but not 3.2 I didn't realise that the domain name would be important.

Here's my config file attached and the complete error message.


CacheHost: dentista01.no-ip.org
ErrPage: ERR_ACCESS_DENIED
Err: [none]
TimeStamp: Wed, 21 Nov 2012 07:47:59 GMT

ClientIP: 172.18.0.1

HTTP Request:
GET / HTTP/1.1
Host: www.praktikertjanst.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: CP=null*; Vizzit=pn1180RxoESjRcHErLVI3Q==:1328713777
Via: 1.1 dentista01.no-ip.org (squid/3.2.3)
X-Forwarded-For: 172.18.0.101
Cache-Control: max-age=259200
Connection: keep-alive

Thanks

/Leslie




--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il
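
A triage script for the error-page dump quoted above, added here as an example; it is not code from anyone in this thread and not Squid's own. It parses the CacheHost/ClientIP metadata and the request headers, lists the signs that the request has already been through this same proxy (own hostname among the Via hops, ClientIP equal to the proxy's own address, the original client carried in X-Forwarded-For), and runs the src-based http_access lines from the posted squid.conf against the client address to show whether the source ACLs would deny it at all. The proxy's own addresses (127.0.0.1 and 172.18.0.1, the two http_port addresses in the squid.conf Leslie attached further down) are an assumption; the sample dump is a constructed copy of the one posted, with the wrapped User-Agent header rejoined and a few headers left out.

```python
"""Triage of a Squid ERR_ACCESS_DENIED error-page dump.

Added example for this thread, not code from the posters or from Squid.
It checks (1) whether the request has already been through this same
proxy (own hostname among the Via hops, ClientIP equal to one of the
proxy's own addresses, the real client pushed into X-Forwarded-For) and
(2) what the src-based http_access lines of the posted squid.conf decide
for that client.  A plain GET to port 80 is not stopped by the Safe_ports
or CONNECT lines, so the src lines are the ones that matter.
"""
import ipaddress
import re

# Constructed copy of the dump posted in the thread (wrapped User-Agent
# line rejoined, Accept-* and Cookie headers left out).
ERROR_DUMP = """\
CacheHost: dentista01.no-ip.org
ErrPage: ERR_ACCESS_DENIED
TimeStamp: Wed, 21 Nov 2012 07:47:59 GMT

ClientIP: 172.18.0.1

HTTP Request:
GET / HTTP/1.1
Host: www.praktikertjanst.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Via: 1.1 dentista01.no-ip.org (squid/3.2.3)
X-Forwarded-For: 172.18.0.101
"""

# Assumption: the proxy's own addresses, taken from the http_port lines.
PROXY_ADDRS = {"127.0.0.1", "172.18.0.1"}

# src ACLs and the src-based http_access lines from the posted squid.conf.
SRC_ACLS = {"localhost": ["127.0.0.1/32"], "localnet": ["172.18.0.0/24"],
            "all": ["0.0.0.0/0"]}
HTTP_ACCESS = [("allow", "localhost"), ("allow", "localnet"), ("deny", "all")]


def _fields(lines, lower=False):
    """'Key: value' lines -> dict; keys lower-cased for HTTP headers."""
    out = {}
    for line in lines:
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip().lower() if lower else key.strip()] = value.strip()
    return out


def parse_dump(text):
    """Return (squid metadata, request line, header dict)."""
    meta_part, _, http_part = text.partition("HTTP Request:\n")
    lines = http_part.splitlines()
    return (_fields(meta_part.splitlines()), lines[0] if lines else "",
            _fields(lines[1:], lower=True))


def via_hops(via_value):
    """Received-by hosts of a Via header: '1.1 a (c), 1.0 b' -> ['a', 'b']."""
    hops = []
    for entry in via_value.split(","):
        parts = re.sub(r"\(.*?\)", "", entry).split()
        if len(parts) >= 2:
            hops.append(parts[1])
    return hops


def loop_evidence(meta, headers):
    """Signs that the request has already passed through this proxy."""
    findings = []
    own = meta.get("CacheHost", "")
    if own and own in via_hops(headers.get("via", "")):
        findings.append("own hostname %s listed in Via" % own)
    if meta.get("ClientIP") in PROXY_ADDRS:
        findings.append("ClientIP %s is the proxy itself" % meta["ClientIP"])
    if "x-forwarded-for" in headers:
        findings.append("original client pushed into X-Forwarded-For: %s"
                        % headers["x-forwarded-for"])
    return findings


def http_access_decision(client_ip):
    """First matching line wins, as in Squid; if no line matches, the
    default is the opposite of the last line's action."""
    ip = ipaddress.ip_address(client_ip)
    for action, acl in HTTP_ACCESS:
        if any(ip in ipaddress.ip_network(net) for net in SRC_ACLS[acl]):
            return action, acl
    return ("deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"), "(default)"


def triage(text):
    """Both checks in one verdict dict for the dump."""
    meta, request_line, headers = parse_dump(text)
    client = meta.get("ClientIP", "")
    action, rule = http_access_decision(client)
    return {"request": request_line, "client": client,
            "real_client": headers.get("x-forwarded-for", client),
            "src_decision": "%s %s" % (action, rule),
            "loop": loop_evidence(meta, headers)}
```

Calling triage(ERROR_DUMP) on the posted dump gives three loop findings and "allow localnet" for 172.18.0.1, so the source ACLs cannot be what produced the 403: the request that was refused is one Squid had already stamped with its own Via and sent out, only to receive it back on its own listening address. Squid's built-in loop check is the same comparison of the Via header against its own hostname and reports it in cache.log as a "Forwarding loop detected" warning, so that is the first thing to grep for. X-Forwarded-For is used here only to recover the original client for the report; since clients can set that header themselves, it is not something to base an access decision on.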


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Leslie Jensen



Amos Jeffries skrev 2012-11-22 13:24:

On 23/11/2012 12:28 a.m., Leslie Jensen wrote:



Pavel Bychykhin skrev 2012-11-22 12:15:



22.11.2012 12:14, Leslie Jensen пишет:

Hi list.

I just upgraded Squid from 3.1 to 3.2 on my Freebsd version 8.3

In my squid.conf I had the following lines that I got complaints from
when starting squid after the upgrade.

---
#  Define access control lists
#   acl all is defined by default in version 3.0 STABLE

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8



You should remove all 3 entries from squid.conf, as they are all
predefined in squid 3.2



As I wrote, I did so but the users now get the error I described.



ACCESS_DENIED is an explicit ACL rejection. Your configuration details,
as well as that domain name and client IP you elided are important to
track this down.

Also, are you using a forward proxy?
   interception proxy? (how?)
   reverse proxy?
or a mixture of the above?

Amos



Sorry about that. With squid working with my conf file at version 3.1 
but not 3.2 I didn't realise that the domain name would be important.


Here's my config file attached and the complete error message.


CacheHost: dentista01.no-ip.org
ErrPage: ERR_ACCESS_DENIED
Err: [none]
TimeStamp: Wed, 21 Nov 2012 07:47:59 GMT

ClientIP: 172.18.0.1

HTTP Request:
GET / HTTP/1.1
Host: www.praktikertjanst.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: CP=null*; Vizzit=pn1180RxoESjRcHErLVI3Q==:1328713777
Via: 1.1 dentista01.no-ip.org (squid/3.2.3)
X-Forwarded-For: 172.18.0.101
Cache-Control: max-age=259200
Connection: keep-alive

Thanks

/Leslie


#   Squid listens on the loopback and on
#   the internal interface (8080 port)

#   If you run Squid on a dual-homed machine with an internal
#   and an external interface we recommend you to specify the
#   internal address:port in http_port.
#   This way Squid will only be visible on the internal address.
#   transparent to work with PF

# In Squid 3.1+ the transparent option has been split.
# Use 'intercept' to catch PF packets.
#
#   http_port 127.0.0.1:8080 transparent
http_port 127.0.0.1:8080 intercept
#   http_port 172.18.0.1:8080 transparent
http_port 172.18.0.1:8080 intercept

#   Words defined in this tag when matched in the URLs,
#   directs squid not to query caches.
#   For example dynamic content - php or asp pages.

hierarchy_stoplist cgi-bin ? php asp
acl QUERY urlpath_regex cgi-bin \?
# no_cache is the older name, still accepted as an alias of the 'cache' directive
no_cache deny QUERY

#   Specify the amount of RAM, to be used for caching the
#   so called: In-Transit objects, Hot Objects,
#   Negative-Cached objects.

cache_mem 32 MB

#   If a file size is less than - 100 MB,
#   squid will place it in cache

maximum_object_size 100 MB

#   Define the path to cache directory where all objects
#   which are to be cached are stored:
#   1024 - is the amount of disk space (MB)
#   to use under /usr/local/squid/cache directory
#   16 - is the number of first-level subdirectories
#   which will be created under the
#   /usr/local/squid/cache directory
#   256 - is the number of second-level
#   subdirectories which will be created under
#   each first-level directory

Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Amos Jeffries

On 23/11/2012 12:28 a.m., Leslie Jensen wrote:



Pavel Bychykhin skrev 2012-11-22 12:15:



22.11.2012 12:14, Leslie Jensen пишет:

Hi list.

I just upgraded Squid from 3.1 to 3.2 on my Freebsd version 8.3

In my squid.conf I had the following lines that I got complaints from
when starting squid after the upgrade.

---
#  Define access control lists
#   acl all is defined by default in version 3.0 STABLE

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8



You should remove all 3 entries from squid.conf, as they are all
predefined in squid 3.2



As I wrote, I did so but the users now get the error I described.



ACCESS_DENIED is an explicit ACL rejection. Your configuration details, 
as well as that domain name and client IP you elided are important to 
track this down.


Also, are you using a forward proxy?
  interception proxy? (how?)
  reverse proxy?
or a mixture of the above?

Amos


Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Leslie Jensen



Pavel Bychykhin skrev 2012-11-22 12:15:



22.11.2012 12:14, Leslie Jensen пишет:

Hi list.

I just upgraded Squid from 3.1 to 3.2 on my Freebsd version 8.3

In my squid.conf I had the following lines that I got complaints from
when starting squid after the upgrade.

---
#  Define access control lists
#   acl all is defined by default in version 3.0 STABLE

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8



You should remove all 3 entries from squid.conf, as they are all
predefined in squid 3.2



As I wrote, I did so but the users now get the error I described.



Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

2012-11-22 Thread Pavel Bychykhin



22.11.2012 12:14, Leslie Jensen пишет:

Hi list.

I just upgraded Squid from 3.1 to 3.2 on my Freebsd version 8.3

In my squid.conf I had the following lines that I got complaints from when 
starting squid after the upgrade.

---
#  Define access control lists
#   acl all is defined by default in version 3.0 STABLE

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8



You should remove all 3 entries from squid.conf, as they are all predefined 
in squid 3.2

--
Best regards,
Pavel