On 01.03.2012 21:00, Mustafa Raji wrote:
Hi,
I have some problem with the Squid cache server. The problem is that the requests are looped inside the access.log file when I activate the Squid server. The server was working normally in the last days; this day I noticed slow performance in web browsing. When I checked the cache.log, no error or any warning is logged, only a few queue congestion warnings, which is normal because it's a test server and the cache dir is on the same SATA hard drive. But checking the access.log file, it logs so many repeated requests, as shown:

1330586819.008      0 192.168.40.1 TCP_HIT/302 972 GET http://o-o.preferred.fra02s05.v24.lscache1.c.youtube.com/videoplayback? - NONE/- text/html
<snip>

This is just a sample of the access.log file; these requests are infinite. Now, when I activate the cache server, these requests increase abnormally. The server is configured in intercept mode. When I connect to the server using manual configuration in the web browser (intercept mode disabled), the cache server works normally, so I think it's an iptables rules problem. My iptables rules are:
first rule, for destination NAT to convert traffic to port 3128:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.40.2:3128
and the second rule is for preventing forwarding loops in the mangle table:
iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

This does not prevent forwarding loops like you think. It prevents machines contacting your intercept port directly (ie for the nasty URL http://192.168.40.2:3128/).

To prevent forwarding loops in squid.conf you have "via on" (the default is "on"). And in iptables you add:
  iptables -t nat -A PREROUTING -p tcp -s XX --dport 80 -j ACCEPT
...
where "XX" is the outgoing IP your Squid uses (192.168.40.2? or 192.168.40.1?), and you place this rule *in front* of the DNAT rule.




I have one interface to the internet and to the clients using mikrotik dnat rule, so I don't need MASQUERADE,

MASQUERADE is there to make the NAT changes symmetrical. DNAT is only changing the destination IP:port on packets from the client. The ones from Squid to the client need SNAT performed to "undo" the change. MASQUERADE takes care of that automatically without having to set up a SNAT rule for every unique destination IP:port you change with DNAT.


client --- DNAT -----> Squid <--->Internet
      <--MASQUERADE ---/



Also you said "using mikrotik dnat rule". Does that mean your NAT is being done by the Mikrotik instead of the Squid box? That is bad. Use policy routing or WCCP to push the packets unchanged to the Squid box instead.

Amos
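The rule ordering Amos describes (the ACCEPT for Squid's own outgoing IP placed in front of the DNAT, plus MASQUERADE for the return path), as an added example that is not part of this thread. It assumes the Squid box is itself the gateway performing the NAT; the IP, port and subnet values are placeholders taken from the thread, and DRY_RUN=1 only prints the rules.

```shell
#!/bin/sh
# Added example: emit the iptables rules for a Squid intercept gateway in the
# order that avoids forwarding loops. Values below are assumptions to adjust.
SQUID_IP="${SQUID_IP:-192.168.40.2}"     # Squid's own outgoing IP (the "XX")
SQUID_PORT="${SQUID_PORT:-3128}"         # intercept port
LAN_NET="${LAN_NET:-192.168.40.0/24}"    # client subnet (assumed)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print rules only, 0 = apply

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# squid_intercept_rules: ACCEPT for Squid's IP must precede the DNAT so
# Squid's own outbound port-80 fetches are never redirected back into it.
squid_intercept_rules() {
    # 1. Loop prevention: let Squid's outgoing traffic bypass the redirect.
    run iptables -t nat -A PREROUTING -p tcp -s "$SQUID_IP" --dport 80 -j ACCEPT
    # 2. Redirect everyone else's port-80 traffic into the intercept port.
    run iptables -t nat -A PREROUTING -p tcp -s "$LAN_NET" --dport 80 -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    # 3. Make the NAT symmetric so replies to clients are rewritten back.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -j MASQUERADE
    # 4. Block clients from contacting the intercept port directly (this is
    #    what the original mangle DROP rule actually does).
    run iptables -t mangle -A PREROUTING -p tcp --dport "$SQUID_PORT" -j DROP
}

# accept_before_dnat: succeeds (exit 0) only if the ACCEPT for the Squid IP
# comes before the DNAT rule in the emitted list; this is the ordering check.
accept_before_dnat() {
    rules=$(DRY_RUN=1 squid_intercept_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-s $SQUID_IP --dport 80 -j ACCEPT" | head -n1 | cut -d: -f1)
    dnat_line=$(printf '%s\n' "$rules" | grep -n -- '-j DNAT' | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$dnat_line" ] && [ "$accept_line" -lt "$dnat_line" ]
}

squid_intercept_rules
```

Run with DRY_RUN=0 as root to apply the rules; `iptables -t nat -L PREROUTING --line-numbers` then shows the ACCEPT at position 1 and the DNAT after it.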
