Re: [squid-users] TPROXY Problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 24 Aug 2009 18:05:04 +1200

Farhad Ibragimov wrote:
> Hi squid guru
>
> My server was configured with the following instruction
> http://wiki.squid-cache.org/Features/Tproxy4
> but not working. Please help me to resolve my problem
>
> Squid version 3.1.0.13
> iptables 1.4.3
> 2.6.30.5-second #1 SMP Sun Aug 23 03:36:29 AZST 2009 x86_64 x86_64 x86_64 GNU/Linu
>
> my squid configuration
<snip defaults>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow all

I hope that was only for testing. 'allow all' makes your squid a wide
open proxy.
TPROXY retains the correct concepts internally of Squid for which IP
ranges are clients and which destinations. 'allow localnet' should have
been sufficient to let your clients out to the web with minimal
restrictions.

> http_port 3128
> http_port 3129 tproxy
<snip defaults>
>
> ACCESS LOGS
> 1250983412.365 132598 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/uk/2009/08/090822_uk_cars_scrappagescheme.shtml - DIRECT/www.bbc.co.uk -
> 1250983461.913 181020 85.132.47.219 TCP_MISS/504 4136 GET http://ru.fxfeeds.mozilla.com/ru/firefox/headlines.xml - DIRECT/63.245.209.93 text/html
> 1250983545.928 60793 85.132.47.219 TCP_MISS/503 0 CONNECT sb-ssl.google.com:443 - DIRECT/216.239.59.136 -
> 1250983596.266 110348 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/russia/2009/08/090822_russia_nationalflag_denisov.shtml - DIRECT/www.bbc.co.uk -
<snip>

Hmm, what those access lines show is that Squid is receiving a set of
HTTP requests and passing them to some external web servers.

The ones saying MISS/000 to bbc etc are where Squid has sent the whole
HTTP request outward to the server. But the TCP link is closed by the
far end before anything comes back.
The 5xx seems to be Squid timing out past its maximum allowed wait
before anything comes back.

The two things to look at closely with TPROXY when this happens are:

  1) the firewall rules. Both on the Squid box doing TPROXY and on any
machines between Squid and the Internet.

  2) the routing rules. How are these requests reaching Squid and what
is happening to the passed-on request.
      Secondly on routing what happens to replies coming back from the
web server to the client IP and why do they not arrive at Squid?

Also, are you sure libcap support was built into Squid and is also
available on the box it's currently running on? Tproxy support will turn
itself off inside Squid if libcap fails.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
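The diagnosis above reads the access.log pattern (MISS/000 with 0 bytes where the far end closed before replying, 5xx where Squid gave up waiting) by eye. As an added example that is not part of the original thread or of Squid itself, this script parses Squid's native access.log format and counts those two outcomes per upstream peer, so the same check can be run over a full log; the sample lines are the four quoted in the message.

```python
"""Classify Squid native access.log entries for the TPROXY failure pattern
discussed in the thread. Added example, not Squid code."""
import re
from collections import Counter

# Native format: time elapsed client code/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Sample input: the four lines quoted in the message above.
SAMPLE_LOG = [
    "1250983412.365 132598 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/uk/2009/08/090822_uk_cars_scrappagescheme.shtml - DIRECT/www.bbc.co.uk -",
    "1250983461.913 181020 85.132.47.219 TCP_MISS/504 4136 GET http://ru.fxfeeds.mozilla.com/ru/firefox/headlines.xml - DIRECT/63.245.209.93 text/html",
    "1250983545.928 60793 85.132.47.219 TCP_MISS/503 0 CONNECT sb-ssl.google.com:443 - DIRECT/216.239.59.136 -",
    "1250983596.266 110348 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/russia/2009/08/090822_russia_nationalflag_denisov.shtml - DIRECT/www.bbc.co.uk -",
]

def parse_line(line):
    """Return a dict of fields for one native-format line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry

def classify(entry):
    """Label one request: the request went out but the TCP link closed with no
    reply (status 000, 0 bytes), Squid timed out and served an error (5xx), or ok."""
    if entry["status"] == 0 and entry["bytes"] == 0:
        return "closed_before_reply"
    if 500 <= entry["status"] < 600:
        return "squid_timeout"
    return "ok"

def summarise(lines):
    """Count outcomes, the peers involved in failures and the longest wait seen."""
    outcomes, failing_peers, max_elapsed = Counter(), Counter(), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines in another log format
        label = classify(entry)
        outcomes[label] += 1
        if label != "ok":
            failing_peers[entry["peer"]] += 1
            max_elapsed = max(max_elapsed, entry["elapsed"])
    return {"outcomes": dict(outcomes), "failing_peers": dict(failing_peers),
            "max_elapsed_ms": max_elapsed}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

A result where every failure is a DIRECT peer and nothing ever returns points at the firewall and routing checks listed above rather than at the origin servers.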
Received on Mon Aug 24 2009 - 06:05:15 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 27 2009 - 12:00:04 MDT