-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


13.03.15 21:58, Monah Baki пишет:
> Hi All,
> 
> Installed squid on CentOS 6.6 and it's working, but mY access.log
> shows all TCP_MISS and no TCP_HIT. The following config:
> 
> squid.conf # Squid normally listens to port 3128 http_port 3128 
> http_port 3129 intercept

And that's all????

> 
> 
> 
> iptables
> 
> # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015 
> *nat :PREROUTING ACCEPT [10:2031] :POSTROUTING ACCEPT [0:0] :OUTPUT
> ACCEPT [0:0] -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp
> --dport 80 -j ACCEPT -A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp
> --dport 80 -j ACCEPT -A PREROUTING -s 147.245.252.13/32 -p tcp -m
> tcp --dport 80 -j ACCEPT -A PREROUTING -p tcp -m tcp --dport 80 -j
> REDIRECT --to-ports 3129 -A POSTROUTING -j MASQUERADE COMMIT #
> Completed on Fri Mar 13 16:04:02 2015 # Generated by iptables-save
> v1.4.7 on Fri Mar 13 16:04:02 2015 *filter :INPUT ACCEPT [0:0] 
> :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1818:649971] -A INPUT -m
> state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j
> REJECT --reject-with icmp-port-unreachable -A INPUT -i lo -j
> ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
> ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state
> --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp
> --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -j
> REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT
> --reject-with icmp-host-prohibited COMMIT # Completed on Fri Mar 13
> 16:04:02 2015 # Generated by iptables-save v1.4.7 on Fri Mar 13
> 16:04:02 2015 *mangle :PREROUTING ACCEPT [68:6199] :INPUT ACCEPT
> [68:6199] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [26:3064] 
> :POSTROUTING ACCEPT [26:3064] -A PREROUTING -p tcp -m tcp --dport
> 3129 -j DROP COMMIT # Completed on Fri Mar 13 16:04:02 2015
> 
> 
> Accessing sites, shows the IP address of the proxy 147.245.252.13.
> 
> Am I missing something in IPTables that it is not caching?
> 
> 
> Thanks Monah
> 
> On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries
> <squ...@treenet.co.nz> wrote:
> 
>> On 6/03/2015 1:19 a.m., Monah Baki wrote:
>>> Hi all, can anyone verify if this is correct, need to make ure
>>> that users will be able to access the internet via the squid.
>>> 
>>> Running FreeBSD with a single interface with Squid-3.5.2
>>> 
>>> Policy based routing on Cisco with the following:
>>> 
>>> 
>>> interface GigabitEthernet0/0/1.1
>>> 
>>> encapsulation dot1Q 1 native
>>> 
>>> ip address 10.0.0.9 255.255.255.0
>>> 
>>> no ip redirects
>>> 
>>> no ip unreachables
>>> 
>>> ip nat inside
>>> 
>>> standby 1 ip 10.0.0.10
>>> 
>>> standby 1 priority 120
>>> 
>>> standby 1 preempt
>>> 
>>> standby 1 name HSRP
>>> 
>>> ip policy route-map CFLOW
>>> 
>>> 
>>> 
>>> ip access-list extended REDIRECT
>>> 
>>> deny   tcp host 10.0.0.24 any eq www
>>> 
>>> permit tcp host 10.0.0.23 any eq www
>>> 
>>> 
>>> 
>>> route-map CFLOW permit 10
>>> 
>>> match ip address REDIRECT set ip next-hop 10.0.0.24
>>> 
>>> In my /etc/pf.conf rdr pass inet proto tcp from 10.0.0.0/8 to
>>> any port 80 -> 10.0.0.24 port 3129
>>> 
>>> # block in pass in log quick on bge0 pass out log quick on
>>> bge0 pass out keep state
>>> 
>>> and finally in my squid.conf: http_port 3128 http_port 3129
>>> intercept
>>> 
>>> 
>>> 
>>> And for testing purposes from the squid server: ./squidclient
>>> -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>> 
>>> If I replace -p 3128 with -p 80, I get a access denied, and if
>>> I omit the -p 3128 completely, I can access the websites.
>> 
>> If you omit the -p entirely squidclient assumes "-p 3128" (the
>> proxy default listening port), so it works exactly the same as if
>> you had used -p 3128 explicitly.
>> 
>> If you use -p 80 you also need to change the pther parameters so
>> they generate port-80 syntax message: - the -h with IP or
>> hostname of the remote web server, and - the URL parameters being
>> a relative URL, and - the -j parameter with Host: header domain
>> name of the server ... eg. squidclient -h www.freebsd.org -j
>> www.freebsd.org -p 80 /
>> 
>> NP: if your squidclient is too old to support -j, use this
>> instead: -H 'Host: www.freebsd.org\n'
>> 
>> ** this test should work from the squid box without having gone
>> through the proxy. Only from the client machine should it work
>> *with* NAT passing it through the proxy.
>> 
>> 
>> 
>> Using a proxy syntax message sent directly to the proxy receiving
>> port, or with the proxy as receiving IP on port 80 (NAT'ed to
>> Squid) is a guaranted forwarding loop failure.
>> 
>> 
>> That doesn't fix your clients issue, but hopefully makes it clear
>> that the above desribed test is broken enough to prevent you
>> identifying when the client issue is fixed if that happens on
>> some change.
>> 
>> Amos _______________________________________________ squid-users
>> mailing list squid-users@lists.squid-cache.org 
>> http://lists.squid-cache.org/listinfo/squid-users
>> 
> 
> 
> 
> _______________________________________________ squid-users mailing
> list squid-users@lists.squid-cache.org 
> http://lists.squid-cache.org/listinfo/squid-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJVAw3gAAoJENNXIZxhPexGk4EH/2YErYeV3IcEOyngCUHZJbyk
5sY2bMrA+0kpxTa9YQsVzC9QuULvh7NLbT/1J1Tx7k0CYkM+9T1qTjx6WPmHHE4x
GrsrW6qBVM2t0zgHcd4d5BQqDqs03F5fNkEINgufdMaBAkazr7YMWNciaX6j/36Y
BWFKFPB8BJNRbbamEqTrtL0r0qntNRXrBQjlP52PzXpqnnREn8n/mwLPn3wlTQl5
17HbvXBhgliyypIoitNGGWbM2SNdJSkrR0DqrM5SNfjPX9Ffm6FBRM2obA+TNl/q
j3elyeu/QHZhbxfJJmZYsJB+B2Q7dQXVvm37LVpRc2wHF6nUNEgmsjcG9Y98xqc=
=Dg4r
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to