[squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
Hi All,

As an addition to my yesterday's issue,

Running tail -f cache.log, I am getting the following:

015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
Accept: image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/40.0.2214.115 Safari/537.36
Referer: http://www.openbsd.org/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ar;q=0.6
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Cache-Control: max-age=0
Connection: keep-alive


2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: www.openbsd.org
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/40.0.2214.115 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ar;q=0.6
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Cache-Control: max-age=259200
Connection: keep-alive

Any ideas?

-- Forwarded message --
From: Monah Baki 
Date: Thu, Mar 5, 2015 at 7:19 AM
Subject: squid intercept config
To: Squid Users 


Hi all, can anyone verify if this is correct? I need to make sure that users
will be able to access the internet via the squid.

Running FreeBSD with a single interface with Squid-3.5.2

Policy based routing on Cisco with the following:


interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.9 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 standby 1 ip 10.0.0.10
 standby 1 priority 120
 standby 1 preempt
 standby 1 name HSRP
 ip policy route-map CFLOW

ip access-list extended REDIRECT
 deny   tcp host 10.0.0.24 any eq www
 permit tcp host 10.0.0.23 any eq www

route-map CFLOW permit 10
 match ip address REDIRECT
 set ip next-hop 10.0.0.24

In my /etc/pf.conf:
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state

and finally in my squid.conf:
http_port 3128
http_port 3129 intercept



And for testing purposes from the squid server:
 ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

If I replace -p 3128 with -p 80, I get an access denied, and if I omit the
-p 3128 completely, I can access the websites.

tcpdump with (-p 3128)

13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags
[.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr
1054387720], length 0
13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags
[.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720
ecr 985588501], length 1448
13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags
[.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720
ecr 985588501], length 1448



Did I miss anything?

Thanks
Monah
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
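The warning blocks in the message above can be read mechanically. As an added example that is not part of the thread or of Squid itself: Squid logs "Forwarding loop detected" when a request arriving at it already carries the proxy's own name in the Via header, that is, a request it forwarded has come back to it. The parser below runs over a constructed copy of the excerpt above (the second block is given a two-hop Via to show hop ordering), extracts the request line, the Via hops and X-Forwarded-For, and counts how often the local proxy name (ISN-PHC-CACHE, as in the log) already appears.

```python
"""Parse Squid cache.log 'Forwarding loop detected' warnings (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the excerpt in the thread (not the real log).
SAMPLE_LOG = """\
2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Connection: keep-alive

2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: www.openbsd.org
Via: 1.1 other-proxy (squid/3.4.0), 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Connection: keep-alive
"""

WARNING_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| WARNING: Forwarding loop detected for:$")
# One Via element: protocol-version, then the received-by pseudonym, optional comment.
VIA_HOP_RE = re.compile(r"^\s*(?:HTTP/)?[\d.]+\s+([^\s(,]+)")


@dataclass
class LoopWarning:
    timestamp: str
    request_line: str
    headers: dict  # lower-cased header name -> value

    @property
    def via_hops(self):
        """Proxy pseudonyms from Via, in the order the request traversed them."""
        hops = []
        for element in self.headers.get("via", "").split(","):
            m = VIA_HOP_RE.match(element)
            if m:
                hops.append(m.group(1))
        return hops

    def hops_through(self, my_name):
        """How many times this proxy's own name already appears in Via."""
        return sum(1 for h in self.via_hops if h.lower() == my_name.lower())


def parse_loop_warnings(text):
    """Split cache.log text into one LoopWarning per WARNING block."""
    warnings, current = [], None
    for line in text.splitlines():
        m = WARNING_RE.match(line)
        if m:
            current = {"ts": m.group(1), "req": None, "headers": {}}
            warnings.append(current)
            continue
        if current is None:
            continue
        if not line.strip():            # blank line ends the dumped request
            current = None
        elif current["req"] is None:    # first line after the warning is the request line
            current["req"] = line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return [LoopWarning(w["ts"], w["req"], w["headers"]) for w in warnings]


def summarize(text, my_name):
    """One dict per warning: what looped, from which client, through which proxies."""
    return [{
        "time": w.timestamp,
        "request": w.request_line,
        "host": w.headers.get("host", ""),
        "client": w.headers.get("x-forwarded-for", "?"),
        "via": w.via_hops,
        "self_hops": w.hops_through(my_name),
    } for w in parse_loop_warnings(text)]


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG, "ISN-PHC-CACHE"):
        print(f'{s["time"]} {s["request"]} host={s["host"]} client={s["client"]} '
              f'via={" -> ".join(s["via"])} (already through this proxy {s["self_hops"]}x)')
```

The X-Forwarded-For value tells you which client started the looping request, and the Via hop list tells you whether the loop closes directly on this proxy or goes through another hop first, which is the distinction to make before looking at the NAT or routing side.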


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Antony Stone
On Friday 06 March 2015 at 14:03:28 (EU time), Monah Baki wrote:

> Hi All,
> 
> As an addition to my yesterday's issue,
> 
> Tail -f cache.log, I am getting the following:
> 
> 015/03/06 13:54:02| WARNING: Forwarding loop detected for:

> Any ideas?

Is your NAT rule catching the HTTP requests from the proxy itself (as well as 
the requests from the clients) and sending *everything* to the proxy 
(including the requests the proxy is trying to make out to the Internet)?

I'm not an expert on Cisco or BSD, but it does strike me that your rule:

rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

looks like it will match requests from the proxy's address 10.0.0.24 as well 
as all the clients...

Try adding an exception in before the NAT rule, saying "traffic from 10.0.0.24 
should not be NATted".


Regards,


Antony.

-- 
"Once you have a panic, things tend to become rather undefined."

 - murble

Please reply to the list; please *don't* CC me.
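Antony's suggestion, as an added model (not part of the thread and not pf code): pf evaluates nat/rdr rules first-match, so an exception placed before the rdr line wins for the proxy's own traffic. The two rule sets below are the rdr line from the post and the same line preceded by an exception for 10.0.0.24, which pf.conf expresses as a `no rdr` rule (assumed to be the right form; check pf.conf(5) for your FreeBSD release). The model covers only the rule-matching order, not which interface or direction pf applies rdr to, and the web server 198.51.100.10 is a placeholder.

```python
"""First-match model of pf translation rules for the thread's rdr line (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class RdrRule:
    """One translation rule; redirect=None models a 'no rdr' exception."""
    src_net: str
    dport: int
    redirect: tuple = None      # (address, port), or None for 'no rdr'
    proto: str = "tcp"

    def matches(self, flow):
        return (flow.proto == self.proto
                and flow.dport == self.dport
                and ip_address(flow.src) in ip_network(self.src_net))


def apply_rdr(rules, flow):
    """The first matching translation rule decides (pf semantics for nat/rdr/binat)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.redirect    # None here means an explicit exception matched
    return None                     # nothing matched: not redirected either


# Original line from the post: everything from 10/8 to port 80 -> proxy:3129
ORIGINAL = [
    RdrRule("10.0.0.0/8", 80, ("10.0.0.24", 3129)),
]

# Exception first: the proxy's own outbound port-80 connections are left alone,
# clients are still redirected to the intercept port.
#   no rdr inet proto tcp from 10.0.0.24 to any port 80        (assumed pf.conf form)
#   rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
WITH_EXCEPTION = [
    RdrRule("10.0.0.24/32", 80, None),
    RdrRule("10.0.0.0/8", 80, ("10.0.0.24", 3129)),
]

# Constructed flows; 198.51.100.10 is a placeholder web server.
CLIENT_HTTP = Flow("10.0.0.23", "198.51.100.10", 80)
PROXY_HTTP = Flow("10.0.0.24", "198.51.100.10", 80)
CLIENT_HTTPS = Flow("10.0.0.23", "198.51.100.10", 443)


def compare(flow):
    """Return (result under ORIGINAL, result under WITH_EXCEPTION) for one flow."""
    return apply_rdr(ORIGINAL, flow), apply_rdr(WITH_EXCEPTION, flow)


if __name__ == "__main__":
    for name, flow in [("client->web:80", CLIENT_HTTP),
                       ("proxy->web:80", PROXY_HTTP),
                       ("client->web:443", CLIENT_HTTPS)]:
        print(f"{name:16} original={compare(flow)[0]}  with exception={compare(flow)[1]}")
```

The proxy's own port-80 flow is the only one whose outcome changes between the two rule sets; the `ipaddress` subnet test means the same model can be reused for whatever source network the rdr line names.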


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
I went and changed the 10.0.0.0/8 to 10.0.0.23, which is the client station
we are testing on, same results. Forward loop detected

Thanks

On Fri, Mar 6, 2015 at 8:14 AM, Antony Stone <
antony.st...@squid.open.source.it> wrote:

> Is your NAT rule catching the HTTP requests from the proxy itself (as well
> as
> the requests from the clients) and sending *everything* to the proxy
> (including the requests the proxy is trying to make out to the Internet)?
>
> I'm not an expert on Cisco or BSD, but it does strike me that your rule:
>
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port
> 3129
>
> looks like it will match requests from the proxy's address 10.0.0.24 as
> well
> as all the clients...
>
> Try adding an exception in before the NAT rule, saying "traffic from
> 10.0.0.24
> should not be NATted".


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Yuri Voinov

Do you have another process listening on port 80 on your proxy box?

I.e., a web server?

06.03.15 19:26, Monah Baki wrote:
I went and changed the 10.0.0.0/8 to 10.0.0.23, which is the client station
we are testing on, same results. Forward loop detected


Thanks



Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
No other process on 80 is on the server. I also confirmed from the client
side if he runs "telnet www.openbsd.org 80" on his desktop, he gets a
response.

Thanks

On Fri, Mar 6, 2015 at 8:28 AM, Yuri Voinov  wrote:

> Do you have another process listening on port 80 on your proxy box?
>
> I.e., a web server?
>
> 06.03.15 19:26, Monah Baki пишет:
>
>  I went and changed the 10.0.0.0/8 to 10.0.0.23, which is the client
> station we are testing on, same results. Forward loop detected
>
>  Thanks
>
> On Fri, Mar 6, 2015 at 8:14 AM, Antony Stone <
> antony.st...@squid.open.source.it> wrote:
>
>> On Friday 06 March 2015 at 14:03:28 (EU time), Monah Baki wrote:
>>
>> > Hi All,
>> >
>> > As an addition to my yesterday's issue,
>> >
>> > Tail -f cache.log, I am getting the following:
>> >
>> > 015/03/06 13:54:02| WARNING: Forwarding loop detected for:
>>
>> > Any ideas?
>>
>> Is your NAT rule catching the HTTP requests from the proxy itself (as
>> well as
>> the requests from the clients) and sending *everything* to the proxy
>> (including the requests the proxy is trying to make out to the Internet)?
>>
>> I'm not an expert on Cisco or BSD, but it does strike me that your rule:
>>
>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port
>> 3129
>>
>> looks like it will match requests from the proxy's address 10.0.0.24 as
>> well
>> as all the clients...
>>
>> Try adding an exception in before the NAT rule, saying "traffic from
>> 10.0.0.24
>> should not be NATted".
>>
>>
>> Regards,
>>
>>
>> Antony.
>>
>> --
>> "Once you have a panic, things tend to become rather undefined."
>>
>>  - murble
>>
>>Please reply to the
>> list;
>>  please *don't*
>> CC me.
>>  ___
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>
> ___
> squid-users mailing 
> listsquid-users@lists.squid-cache.orghttp://lists.squid-cache.org/listinfo/squid-users
>
>
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Yuri Voinov

Ok.

In this case this is NAT misconfiguration.

You need to check it carefully.

06.03.15 19:43, Monah Baki wrote:
No other process on 80 is on the server. I also confirmed from the
client side if he runs "telnet www.openbsd.org 80" on his desktop, he gets a response.


Thanks



Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread monahbaki
From squid or router? Thanks

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.

From: Yuri Voinov
Sent: Friday, March 6, 2015 8:44 AM
To: Monah Baki
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Fwd: squid intercept config

Ok.

In this case this is NAT misconfiguration.

You need to check it carefully.


  

Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Yuri Voinov

On proxy box.

06.03.15 19:47, monahb...@gmail.com wrote:

From squid or router?

Thanks

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE 
network.

*From: *Yuri Voinov
*Sent: *Friday, March 6, 2015 8:44 AM
*To: *Monah Baki
*Cc: *squid-users@lists.squid-cache.org
*Subject: *Re: [squid-users] Fwd: squid intercept config


Ok.

In this case this is NAT misconfiguration.

You need to check it carefully.



Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf

So something else is missing?

On Fri, Mar 6, 2015 at 8:47 AM, Yuri Voinov  wrote:

>  On proxy box.


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Antony Stone
On Friday 06 March 2015 at 14:50:50 (EU time), Monah Baki wrote:

> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
> 
> So something else is missing?

Can you run a packet sniffer on the proxy, to see what packets come in (noting 
the MAC address of the previous hop), what packets go out (to what 
address/es), and whether they then seem to come back in again (and if so, from 
which MAC address)?

That might give you a clue as to where the forwarding loop is being created.


Regards,


Antony.

-- 
How I want a drink, alcoholic of course, after the heavy chapters involving 
quantum mechanics.

 - mnemonic for 3.14159265358979

Please reply to the list; please *don't* CC me.


Re: [squid-users] Fwd: squid intercept config

2015-03-06 Thread Monah Baki
Windows Client - 10.0.0.23 MAC (9d:3a:96)

root@ISN-PHC-CACHE:/home/support # arp -a
 (10.0.0.9) at 00:00:0c:07:ac:01 on bge0 THIS IS THE PHYSICAL INTERFACE ON
THE ROUTER
 (10.0.0.10) at 88:5a:92:63:77:81 on bge0  THIS IS THE GATEWAY IP ON THE
DESKTOP AND SQUID SERVER
 (10.0.0.24) at a0:d3:c1:06:a5:c4 on bge0 THIS IS THE SQUID SERVER


User was trying to access www.espn.com

Frame 8 and 9 is where I get my access denied.

No.  Time      Source          Destination  Protocol  Length  Info
  7  0.508041  68.71.212.158   10.0.0.23    TCP       3902    80→42794 [PSH, ACK] Seq=412 Ack=401 Win=65664 Len=1460

Frame 7: 3902 bytes on wire (31216 bits), 1500 bytes captured (12000 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar  6, 2015 09:41:41.453922000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652901.453922000 seconds
[Time delta from previous captured frame: 0.000118000 seconds]
[Time delta from previous displayed frame: 0.000118000 seconds]
[Time since reference or first frame: 0.508041000 seconds]
Frame Number: 7
Frame Length: 3902 bytes (31216 bits)
Capture Length: 1500 bytes (12000 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:http]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4), Dst:
CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Destination: CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Source: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 68.71.212.158 (68.71.212.158), Dst:
10.0.0.23 (10.0.0.23)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
Total Length: 1500
Identification: 0x (8738)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x [validation disabled]
Source: 68.71.212.158 (68.71.212.158)
Destination: 10.0.0.23 (10.0.0.23)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 42794 (42794),
Seq: 412, Ack: 401, Len: 1460

No.  Time      Source          Destination  Protocol  Length  Info
  8  0.508073  68.71.212.158   10.0.0.23    TCP       170     [TCP Previous segment not captured] [TCP segment of a reassembled PDU]

Frame 8: 170 bytes on wire (1360 bits), 170 bytes captured (1360 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar  6, 2015 09:41:41.453954000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652901.453954000 seconds
[Time delta from previous captured frame: 0.32000 seconds]
[Time delta from previous displayed frame: 0.32000 seconds]
[Time since reference or first frame: 0.508073000 seconds]
Frame Number: 8
Frame Length: 170 bytes (1360 bits)
Capture Length: 170 bytes (1360 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags &&
!tcp.analysis.window_update]
Ethernet II, Src: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4), Dst:
CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Destination: CompalIn_9d:3a:96 (20:89:84:9d:3a:96)
Source: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 68.71.212.158 (68.71.212.158), Dst:
10.0.0.23 (10.0.0.23)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
Not-ECT (Not ECN-Capable Transport))
Total Length: 156
Identification: 0x2223 (8739)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x [validation disabled]
Source: 68.71.212.158 (68.71.212.158)
Destination: 10.0.0.23 (10.0.0.23)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 42794 (42794),
Seq: 4260, Ack: 401, Len: 116

No.  Time      Source          Destination    Protocol  Length  Info
  9  0.508835  10.0.0.23       68.71.212.158  TCP       60      [TCP ACKed unseen segment] 42794→80 [ACK] Seq=401 Ack=3332 Win=65536 Len=0

Frame 9: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar  6, 2015 09:41:41.454716000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652901.454716000 seconds
[Time delta from previous captured frame: 0.000762000 seconds]
[Time delta from previous displayed frame: 0.000762000 seconds]
[Time since reference or first frame: 0.
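Antony's packet-sniffer check, as an added example that is not part of the thread: on the proxy, note which MAC inbound frames come from, which MAC the proxy's own outbound frames go to, and whether the same flow then shows up inbound again. The frames below are constructed (they are not from Monah's capture); the MAC addresses are taken from the arp table above (proxy a0:d3:c1:06:a5:c4, 10.0.0.9 at 00:00:0c:07:ac:01, gateway 10.0.0.10 at 88:5a:92:63:77:81), the web servers 198.51.100.10 and 198.51.100.11 are placeholders, and which device actually returns a frame in Monah's network is not something this example claims.

```python
"""Find flows the proxy sent out that came back in, and from which MAC (added example)."""
from collections import namedtuple

Frame = namedtuple("Frame", "ts src_mac dst_mac src_ip sport dst_ip dport flags")

PROXY_MAC = "a0:d3:c1:06:a5:c4"     # 10.0.0.24, from the arp table in the thread
PROXY_IP = "10.0.0.24"
ROUTER_MAC = "00:00:0c:07:ac:01"    # 10.0.0.9, from the arp table
GATEWAY_MAC = "88:5a:92:63:77:81"   # 10.0.0.10, the default gateway, from the arp table

# Constructed capture as it might be seen on the proxy's bge0 (not Monah's data).
SAMPLE_FRAMES = [
    # 1. client SYN to a web server, delivered to the proxy by the router's PBR
    Frame(0.000, ROUTER_MAC, PROXY_MAC, "10.0.0.23", 42794, "198.51.100.10", 80, "S"),
    # 2. proxy opens its own upstream connection via the gateway
    Frame(0.001, PROXY_MAC, GATEWAY_MAC, PROXY_IP, 44017, "198.51.100.10", 80, "S"),
    # 3. the identical SYN arrives back inbound: something forwarded it to us again
    Frame(0.002, ROUTER_MAC, PROXY_MAC, PROXY_IP, 44017, "198.51.100.10", 80, "S"),
    # 4. an unrelated outbound flow that does not come back
    Frame(0.003, PROXY_MAC, GATEWAY_MAC, PROXY_IP, 44018, "198.51.100.11", 443, "S"),
    # 5. its normal reply from the far end
    Frame(0.004, GATEWAY_MAC, PROXY_MAC, "198.51.100.11", 443, PROXY_IP, 44018, "SA"),
]


def flow_key(f):
    return (f.src_ip, f.sport, f.dst_ip, f.dport)


def inbound_sources(frames, my_mac):
    """Inbound frame count per previous-hop MAC: the first thing Antony asks to note."""
    counts = {}
    for f in frames:
        if f.dst_mac == my_mac:
            counts[f.src_mac] = counts.get(f.src_mac, 0) + 1
    return counts


def find_bounced_flows(frames, my_mac, my_ip):
    """Return [(flow, sent_to_mac, returned_by_mac)] for SYNs we sent that reappeared inbound.

    A SYN with our own source IP that we transmitted (src_mac is ours) and later
    received again with the same 4-tuple (dst_mac is ours) was forwarded back to us
    by the device whose MAC it now carries as source: that is where the loop closes.
    """
    sent, bounced = {}, []
    for f in sorted(frames, key=lambda x: x.ts):
        if "S" not in f.flags or f.src_ip != my_ip:
            continue
        key = flow_key(f)
        if f.src_mac == my_mac:
            sent[key] = f.dst_mac
        elif f.dst_mac == my_mac and key in sent:
            bounced.append((key, sent[key], f.src_mac))
    return bounced


if __name__ == "__main__":
    print("inbound frames by previous hop:", inbound_sources(SAMPLE_FRAMES, PROXY_MAC))
    for key, out_to, back_from in find_bounced_flows(SAMPLE_FRAMES, PROXY_MAC, PROXY_IP):
        print(f"flow {key} left towards {out_to} and came back from {back_from}")
```

On a real box the frames would come from tcpdump -e (which prints the link-layer addresses) rather than a constructed list; the matching logic is the same, and a non-empty result names the hop that is policy-routing the proxy's own traffic back at it.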

Re: [squid-users] squid intercept config

2015-03-06 Thread Amos Jeffries
On 6/03/2015 1:19 a.m., Monah Baki wrote:
> Hi all, can anyone verify if this is correct? I need to make sure that users
> will be able to access the internet via the squid.
> 
> Running FreeBSD with a single interface with Squid-3.5.2
> 
> Policy based routing on Cisco with the following:
> 
> 
> interface GigabitEthernet0/0/1.1
>  encapsulation dot1Q 1 native
>  ip address 10.0.0.9 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  ip nat inside
>  standby 1 ip 10.0.0.10
>  standby 1 priority 120
>  standby 1 preempt
>  standby 1 name HSRP
>  ip policy route-map CFLOW
> 
> ip access-list extended REDIRECT
>  deny   tcp host 10.0.0.24 any eq www
>  permit tcp host 10.0.0.23 any eq www
> 
> route-map CFLOW permit 10
>  match ip address REDIRECT
>  set ip next-hop 10.0.0.24
> 
> In my /etc/pf.conf
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> 
> # block in
> pass in log quick on bge0
> pass out log quick on bge0
> pass out keep state
> 
> and finally in my squid.conf:
> http_port 3128
> http_port 3129 intercept
> 
> 
> 
> And for testing purposes from the squid server:
>  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
> 
> If I replace -p 3128 with -p 80, I get an access denied, and if I omit the
> -p 3128 completely, I can access the websites.

If you omit the -p entirely squidclient assumes "-p 3128" (the proxy
default listening port), so it works exactly the same as if you had used
-p 3128 explicitly.

If you use -p 80 you also need to change the other parameters so they
generate a port-80 syntax message:
 - the -h with IP or hostname of the remote web server, and
 - the URL parameters being a relative URL, and
 - the -j parameter with Host: header domain name of the server
...
 eg.
 squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /

NP: if your squidclient is too old to support -j, use this instead:
  -H 'Host: www.freebsd.org\n'

 ** this test should work from the squid box without having gone through
the proxy. Only from the client machine should it work *with* NAT
passing it through the proxy.



Using a proxy syntax message sent directly to the proxy receiving port,
or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a
guaranteed forwarding loop failure.


That doesn't fix your client's issue, but hopefully makes it clear that
the above described test is broken enough to prevent you identifying when
the client issue is fixed if that happens on some change.

Amos
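The difference between the two request syntaxes Amos describes, as an added example that is not part of the thread or of the Squid project: a request aimed at a proxy port carries the full URL in the request line (absolute-form), while a request aimed at an origin server on port 80 carries only the path and names the server in the Host header (origin-form). `squidclient_request()` builds the bytes the invocations from the thread would produce, modelled on the -h, -p, -j and URL options Amos lists (the HTTP version string is an assumption, not what a given squidclient build emits), and `classify_request()` says which form a captured request is in and why it would not work where it was sent.

```python
"""Proxy-form vs origin-form HTTP requests, after Amos's squidclient note (added example)."""
from urllib.parse import urlsplit


def squidclient_request(host, port, target, host_header=None, version="HTTP/1.1"):
    """Return ((host, port), request_bytes) for `squidclient -h HOST -p PORT [-j HOSTHDR] TARGET`.

    An absolute URL as target gives proxy syntax (absolute-form); a relative
    path gives origin syntax (origin-form). This models the options, it is not
    a reimplementation of squidclient.
    """
    lines = [f"GET {target} {version}"]
    if host_header:                                        # -j: explicit Host header
        lines.append(f"Host: {host_header}")
    elif target.startswith("http://"):                     # absolute-form: Host from the URL
        lines.append(f"Host: {urlsplit(target).netloc}")
    lines.append("Connection: close")
    return (host, port), ("\r\n".join(lines) + "\r\n\r\n").encode()


def classify_request(raw, is_proxy_port):
    """Return (form, problems) for a raw request delivered to a proxy port (True) or to port 80 (False)."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = "absolute" if "://" in target else "origin"
    problems = []
    if form == "absolute" and not is_proxy_port:
        # proxy syntax arriving on port 80 and NAT'ed into the intercept port
        problems.append("absolute-form request line sent to an origin or intercept port")
    if form == "origin" and is_proxy_port:
        problems.append("origin-form request line sent to a proxy port")
    if version == "HTTP/1.1" and "host" not in headers:
        problems.append("HTTP/1.1 request without Host header")
    if (form == "absolute" and "host" in headers
            and urlsplit(target).hostname != headers["host"].split(":")[0].lower()):
        problems.append("Host header disagrees with the URL host")
    return form, problems


if __name__ == "__main__":
    cases = [
        # the three invocations discussed in the thread
        ("-h 10.0.0.24 -p 3128 http://www.freebsd.org/",
         ("10.0.0.24", 3128, "http://www.freebsd.org/", None), True),
        ("-h 10.0.0.24 -p 80 http://www.freebsd.org/",
         ("10.0.0.24", 80, "http://www.freebsd.org/", None), False),
        ("-h www.freebsd.org -j www.freebsd.org -p 80 /",
         ("www.freebsd.org", 80, "/", "www.freebsd.org"), False),
    ]
    for label, (h, p, t, j), proxy in cases:
        _, raw = squidclient_request(h, p, t, host_header=j)
        print(label, "->", raw.split(b"\r\n")[0].decode(), classify_request(raw, proxy))
```

The second case is the one Amos calls a guaranteed forwarding loop: proxy syntax sent to the proxy's own port 80, which the rdr rule hands to the intercept port. The third is his corrected test, which only proves something when run from the client side rather than from the squid box.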


[squid-users] Fwd: Squid 3.5.2 Compile Error

2015-03-06 Thread Michel Peterson
Hi friends,

I'm trying to compile squid 3.5.2 on debian wheezy and I am getting
the following error after running the command "make all":

Making all in compat
make[1]: Entrando no diretório `/root/squid-3.5.2/compat'
depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/bash ../libtool  --tag=CXX   --mode=compile g++
-DHAVE_CONFIG_H   -I.. -I../include -I../lib -I../src -I../include
-Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror
-pipe -D_REENTRANT -m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64  -g
-O2 -march=native -std=c++11 -MT assert.lo -MD -MP -MF $depbase.Tpo -c
-o assert.lo assert.cc &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib
-I../src -I../include -Wall -Wpointer-arith -Wwrite-strings -Wcomments
-Wshadow -Werror -pipe -D_REENTRANT -m32 -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -g -O2 -march=native -std=c++11 -MT assert.lo
-MD -MP -MF .deps/assert.Tpo -c assert.cc  -fPIC -DPIC -o
.libs/assert.o
In file included from ../include/squid.h:43:0,
 from assert.cc:9:
../compat/compat.h:49:57: error: operator '&&' has no right operand
make[1]: ** [assert.lo] Erro 1
make[1]: Saindo do diretório `/root/squid-3.5.2/compat'
make: ** [all-recursive] Erro 1



Help me plz.