-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

13.03.15 21:58, Monah Baki writes:
> Hi All,
>
> Installed squid on CentOS 6.6 and it's working, but my access.log
> shows all TCP_MISS and no TCP_HIT. The following config:
>
> squid.conf
> # Squid normally listens to port 3128
> http_port 3128
> http_port 3129 intercept

And that's all????

> iptables
>
> # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> *nat
> :PREROUTING ACCEPT [10:2031]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> -A POSTROUTING -j MASQUERADE
> COMMIT
> # Completed on Fri Mar 13 16:04:02 2015
> # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1818:649971]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Fri Mar 13 16:04:02 2015
> # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
> *mangle
> :PREROUTING ACCEPT [68:6199]
> :INPUT ACCEPT [68:6199]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [26:3064]
> :POSTROUTING ACCEPT [26:3064]
> -A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
> COMMIT
> # Completed on Fri Mar 13 16:04:02 2015
>
> Accessing sites, shows the IP address of the proxy 147.245.252.13.
>
> Am I missing something in IPTables that it is not caching?
>
> Thanks
> Monah
>
> On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
>> On 6/03/2015 1:19 a.m., Monah Baki wrote:
>>> Hi all, can anyone verify if this is correct, need to make sure
>>> that users will be able to access the internet via the squid.
>>>
>>> Running FreeBSD with a single interface with Squid-3.5.2
>>>
>>> Policy based routing on Cisco with the following:
>>>
>>> interface GigabitEthernet0/0/1.1
>>> encapsulation dot1Q 1 native
>>> ip address 10.0.0.9 255.255.255.0
>>> no ip redirects
>>> no ip unreachables
>>> ip nat inside
>>> standby 1 ip 10.0.0.10
>>> standby 1 priority 120
>>> standby 1 preempt
>>> standby 1 name HSRP
>>> ip policy route-map CFLOW
>>>
>>> ip access-list extended REDIRECT
>>> deny tcp host 10.0.0.24 any eq www
>>> permit tcp host 10.0.0.23 any eq www
>>>
>>> route-map CFLOW permit 10
>>> match ip address REDIRECT
>>> set ip next-hop 10.0.0.24
>>>
>>> In my /etc/pf.conf
>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>
>>> # block in
>>> pass in log quick on bge0
>>> pass out log quick on bge0
>>> pass out keep state
>>>
>>> and finally in my squid.conf:
>>> http_port 3128
>>> http_port 3129 intercept
>>>
>>> And for testing purposes from the squid server:
>>> ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>
>>> If I replace -p 3128 with -p 80, I get an access denied, and if
>>> I omit the -p 3128 completely, I can access the websites.
>>
>> If you omit the -p entirely squidclient assumes "-p 3128" (the
>> proxy default listening port), so it works exactly the same as if
>> you had used -p 3128 explicitly.
>>
>> If you use -p 80 you also need to change the other parameters so
>> they generate a port-80 syntax message:
>> - the -h with IP or hostname of the remote web server, and
>> - the URL parameter being a relative URL, and
>> - the -j parameter with Host: header domain name of the server
>> ... eg.
>>   squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /
>>
>> NP: if your squidclient is too old to support -j, use this instead:
>>   -H 'Host: www.freebsd.org\n'
>>
>> ** this test should work from the squid box without having gone
>> through the proxy. Only from the client machine should it work
>> *with* NAT passing it through the proxy.
>>
>> Using a proxy syntax message sent directly to the proxy receiving
>> port, or with the proxy as receiving IP on port 80 (NAT'ed to
>> Squid) is a guaranteed forwarding loop failure.
>>
>> That doesn't fix your clients' issue, but hopefully makes it clear
>> that the above described test is broken enough to prevent you
>> identifying when the client issue is fixed if that happens on
>> some change.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJVAw3gAAoJENNXIZxhPexGk4EH/2YErYeV3IcEOyngCUHZJbyk
5sY2bMrA+0kpxTa9YQsVzC9QuULvh7NLbT/1J1Tx7k0CYkM+9T1qTjx6WPmHHE4x
GrsrW6qBVM2t0zgHcd4d5BQqDqs03F5fNkEINgufdMaBAkazr7YMWNciaX6j/36Y
BWFKFPB8BJNRbbamEqTrtL0r0qntNRXrBQjlP52PzXpqnnREn8n/mwLPn3wlTQl5
17HbvXBhgliyypIoitNGGWbM2SNdJSkrR0DqrM5SNfjPX9Ffm6FBRM2obA+TNl/q
j3elyeu/QHZhbxfJJmZYsJB+B2Q7dQXVvm37LVpRc2wHF6nUNEgmsjcG9Y98xqc=
=Dg4r
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
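The thread turns on an access.log that shows only TCP_MISS and never TCP_HIT. Below is an added example, written for this page and not taken from the thread or from the Squid project, that parses lines in Squid's stock native (`squid`) logformat, tallies result codes per client, computes the object hit ratio, and reports findings such as "no hits at all" or "requests denied by http_access". The log lines embedded in it are constructed samples; the only assumption is that the log uses the default field order (timestamp, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, content type).

```python
import re
from collections import Counter

# Constructed sample access.log lines in Squid's default "squid" logformat
# (made up for this example, not taken from the thread). Field order:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1426284000.101    245 10.0.0.23 TCP_MISS/200 5423 GET http://www.freebsd.org/ - HIER_DIRECT/8.8.178.110 text/html
1426284001.202     12 10.0.0.23 TCP_HIT/200 5423 GET http://www.freebsd.org/ - HIER_NONE/- text/html
1426284002.303    310 10.0.0.25 TCP_MISS/200 81234 GET http://www.freebsd.org/layout/images/logo.png - HIER_DIRECT/8.8.178.110 image/png
1426284003.404      0 10.0.0.25 TCP_DENIED/403 3456 GET http://www.freebsd.org/ - HIER_NONE/- text/html
1426284004.505     55 10.0.0.26 TCP_MEM_HIT/200 81234 GET http://www.freebsd.org/layout/images/logo.png - HIER_NONE/- image/png
1426284005.606    120 10.0.0.26 TCP_MISS/200 14000 GET http://example.com/dynamic?x=1 - HIER_DIRECT/93.184.216.34 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
    r"(?:\s+(?P<ctype>\S+))?\s*$"
)


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if the
    line does not match (a different logformat, a truncated write, noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(code):
    """Map a Squid result code to hit / miss / denied / other."""
    if "DENIED" in code:
        return "denied"
    if "HIT" in code:          # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
        return "hit"
    if "MISS" in code:         # TCP_MISS, TCP_CLIENT_REFRESH_MISS, ...
        return "miss"
    return "other"


def summarize(text):
    """Tally result codes over a whole log and compute the object hit ratio."""
    by_code = Counter()
    by_client = Counter()
    counts = Counter()
    direct_bytes = 0   # bytes fetched from origin servers (HIER_DIRECT)
    skipped = 0        # lines that did not parse
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_code[rec["code"]] += 1
        by_client[rec["client"]] += 1
        counts[classify(rec["code"])] += 1
        if rec["hier"] == "HIER_DIRECT":
            direct_bytes += rec["bytes"]
    served = counts["hit"] + counts["miss"]
    return {
        "by_code": by_code,
        "by_client": by_client,
        "hits": counts["hit"],
        "misses": counts["miss"],
        "denied": counts["denied"],
        "skipped": skipped,
        "direct_bytes": direct_bytes,
        "hit_ratio": counts["hit"] / served if served else 0.0,
    }


def diagnose(summary):
    """Plain-language findings a proxy admin would act on."""
    findings = []
    if summary["hits"] + summary["misses"] and summary["hits"] == 0:
        findings.append("No TCP_HIT at all: nothing is served from cache; "
                        "check that squid.conf actually enables caching.")
    if summary["denied"]:
        findings.append(f"{summary['denied']} request(s) were TCP_DENIED by http_access rules.")
    if summary["skipped"]:
        findings.append(f"{summary['skipped']} line(s) did not match the native logformat.")
    if not findings:
        findings.append(f"Hit ratio {summary['hit_ratio']:.0%} over "
                        f"{summary['hits'] + summary['misses']} served requests.")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for code, n in s["by_code"].most_common():
        print(f"{code:16} {n}")
    for f in diagnose(s):
        print("-", f)
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of `/var/log/squid/access.log`; a log where every served request classifies as a miss produces the "No TCP_HIT at all" finding, which is the symptom the original poster describes.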