[squid-users] PAC file on a squid proxy
Hi all,

Our upstream proxy (cloud based) requires a PAC file to be deployed on each workstation. Is there a way to have a PAC file on the squid servers and then have users use the local squid servers instead?

Thanks,
Monah

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Squid 3.4.9 on OpenBSD 5.6 on Sparc64
Hi all,

./configure '--prefix=/usr/local/squid' '--enable-pf-transparent' '--enable-follow-x-forwarded-for' '--with-large-files' '--enable-ssl' '--disable-ipv6' '--enable-esi' '--enable-kill-parent-hack' '--enable-snmp' '--with-pthreads' '--with-filedescriptors=65535'

$ make
Making all in compat
/bin/sh ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I../libltdl -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -g -O2 -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c -o assert.lo assert.cc
libtool: compile: g++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I../libltdl -Wall -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Werror -pipe -D_REENTRANT -g -O2 -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc -fPIC -DPIC -o .libs/assert.o
In file included from ../compat/compat.h:98,
                 from ../include/squid.h:66,
                 from assert.cc:32:
../include/squid_endian.h:129:1: error: "le16toh" redefined
In file included from /usr/include/sys/types.h:45,
                 from ../compat/types.h:59,
                 from ../compat/compat.h:51,
                 from ../include/squid.h:66,
                 from assert.cc:32:
/usr/include/sys/endian.h:63:1: error: this is the location of the previous definition
In file included from ../compat/compat.h:98,
                 from ../include/squid.h:66,
                 from assert.cc:32:
../include/squid_endian.h:130:1: error: "le32toh" redefined
In file included from /usr/include/sys/types.h:45,
                 from ../compat/types.h:59,
                 from ../compat/compat.h:51,
                 from ../include/squid.h:66,
                 from assert.cc:32:
/usr/include/sys/endian.h:64:1: error: this is the location of the previous definition
*** Error 1 in compat (Makefile:898 'assert.lo')
*** Error 1 in /home/mbaki/squid-3.4.9 (Makefile:587 'all-recursive')

Any help will be appreciated.

Thanks,
Monah
[squid-users] Question
Hi All,

How can I have 2 servers (parent/sibling) separated geographically, where the parent does not cache requests, but the sibling does? Certain sites will block the sibling due to its origin country, but I do not want the server in the U.S. (parent) to cache anything.

Thanks,
Monah
[squid-users] squid 3.5.2 and MRTG
Hi all,

I need to monitor squid 3.5.2 using MRTG and can't seem to find any examples on how to do that. I found the following, but nothing happens. Clueless on how to do this.

Thanks

Target[proxy-hit]: cacheHttpHits&cacheServerRequests:pub...@proxy.sg.private:3401
# If you are using Squid 2.6 or later, uncomment the following line
#RouterName[proxy-hit]: cacheUniqName
MaxBytes[proxy-hit]: 10
Title[proxy-hit]: HTTP Hits
PageTop[proxy-hit]: proxy Cache Statistics: HTTP Hits/Requests
 System: proxy.sg.private
 Maintainer: Serassio Guido
 Description: Squid Proxy server
Suppress[proxy-hit]: y
LegendI[proxy-hit]: HTTP hits
LegendO[proxy-hit]: HTTP requests
Legend1[proxy-hit]: HTTP hits
Legend2[proxy-hit]: HTTP requests
YLegend[proxy-hit]: per minute
ShortLegend[proxy-hit]: req/min
Options[proxy-hit]: nopercent, perminute, dorelpercent, unknaszero
[squid-users] Squid in transparent
Hi all,

I have a client who has his policy-based routing configured as:

interface GigabitEthernet0/0/1.1   (route policy on the LAN interface)
 ip policy route-map CFLOW

ip access-list extended REDIRECT   (redirect of my IP, www)
 deny tcp host 10.0.0.24 any eq www
 permit tcp host 10.0.0.23 any eq www

route-map CFLOW permit 10   (route map)
 match ip address REDIRECT
 set ip next-hop 10.0.0.24

10.0.0.24 is my FreeBSD 10.1 box running squid 3.5, with one interface; 10.0.0.23 is his laptop. The IP address of the Cisco is 10.0.0.9.

I configured squid as:

./configure --prefix=/cache/squid --enable-follow-x-forwarded-for --with-large-files --enable-ssl --disable-ipv6 --enable-esi --enable-kill-parent-hack --enable-snmp --with-pthreads --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname --enable-storeio=ufs,aufs,diskd,rock --enable-ipfw-transparent --enable-pf-transparent

My squid.conf has the following:

# Squid normally listens to port 3128
http_port 3128 intercept
http_port 80 intercept
snmp_port 3401

If I remove the intercept and point a client browser at the squid, it works. If I add the intercept, it does not work, and I do not see any logs in my access.log file.

Any help will be highly appreciated.

Thanks,
Monah
[squid-users] squid intercept config
Hi all,

Can anyone verify if this is correct? I need to make sure that users will be able to access the internet via the squid.

Running FreeBSD with a single interface with Squid-3.5.2.

Policy based routing on Cisco with the following:

interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.9 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 standby 1 ip 10.0.0.10
 standby 1 priority 120
 standby 1 preempt
 standby 1 name HSRP
 ip policy route-map CFLOW

ip access-list extended REDIRECT
 deny tcp host 10.0.0.24 any eq www
 permit tcp host 10.0.0.23 any eq www

route-map CFLOW permit 10
 match ip address REDIRECT
 set ip next-hop 10.0.0.24

In my /etc/pf.conf:

rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state

and finally in my squid.conf:

http_port 3128
http_port 3129 intercept

And for testing purposes from the squid server:

./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

If I replace -p 3128 with -p 80, I get an access denied, and if I omit the -p 3128 completely, I can access the websites.

tcpdump with (-p 3128):

13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448

Did I miss anything?

Thanks,
Monah
Re: [squid-users] squid intercept config
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state

Thanks

On Thu, Mar 5, 2015 at 8:50 AM, Yuri Voinov wrote:
> Show complete pf.conf, please.
>
> 05.03.15 19:45, Monah Baki wrote:
> > In my squid.conf
> >
> > http_port 3128
> > http_port 3129 intercept
> >
> > Thanks
> >
> > On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov wrote:
> > > Squid access denied?
> > >
> > > Look at this:
> > >
> > > > In my /etc/pf.conf
> > > > rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> > >
> > > Which port is configured in Squid as intercept?
> > >
> > > 3129?
> > >
> > > and 3128 is forwarding?
> > >
> > > 05.03.15 19:36, monahb...@gmail.com wrote:
> > > > Yes, that's what I followed, and the user is getting an "access denied" from the squid when he tries www.cnn.com
> > > >
> > > > Original Message
> > > > From: Yuri Voinov
> > > > Sent: Thursday, March 5, 2015 8:22 AM
> > > > To: squid-users@lists.squid-cache.org
> > > > Subject: Re: [squid-users] squid intercept config
> > > >
> > > > http://wiki.squid-cache.org/ConfigExamples/Intercept/Cisco2501PolicyRoute
> > > >
> > > > http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
Re: [squid-users] squid intercept config
In my squid.conf

http_port 3128
http_port 3129 intercept

Thanks

On Thu, Mar 5, 2015 at 8:44 AM, Yuri Voinov wrote:
> Squid access denied?
>
> Look at this:
>
> > In my /etc/pf.conf
> > rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>
> Which port is configured in Squid as intercept?
>
> 3129?
>
> and 3128 is forwarding?
Re: [squid-users] squid intercept config
Sure, here it is, very simple:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl snmpcheck snmp_community public

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
snmp_access allow snmpcheck localhost

# And finally deny all other access to this proxy
http_access deny all
snmp_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
snmp_port 3401

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /cache/squid/var/cache/squid 35 16 256

# Leave coredumps in the first cache dir
coredump_dir /cache/squid/var/cache/squid

strip_query_terms off

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
reload_into_ims on
memory_pools off
cache_mem 4096 MB
memory_cache_shared on
minimum_object_size 0 bytes
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
pipeline_prefetch on
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30

On Thu, Mar 5, 2015 at 8:54 AM, Yuri Voinov wrote:
> Looking good.
>
> Can I take a look at your squid.conf? Without comment lines and
> sensitive info?
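Note the bare `http_access allow manager` line in the squid.conf above: Squid takes the first http_access rule whose ACLs all match, so that rule grants cache-manager access to any client before `http_access deny manager` is ever reached. The Python below is an added example (not Squid's code and not from this thread) that models that first-match evaluation for src, port, method and the built-in manager/localhost/all ACLs, runs it over a constructed excerpt of the posted rules, and shows the same request denied once the unrestricted line is removed; the posted url_regex redefinition of `manager` is left out and the built-in `manager` ACL is assumed instead.

```python
"""Model of Squid's first-match http_access evaluation (added example, not
Squid's code): rules are walked top-down and the first rule whose ACLs all
match wins.  ACL types handled: src, port, method and the built-ins all,
localhost and manager.  POSTED_RULES is a constructed excerpt of the thread's
squid.conf; its url_regex 'manager' line is omitted (built-in ACL assumed)."""
import ipaddress
from urllib.parse import urlsplit

POSTED_RULES = """
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access allow manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
"""
# The fix: drop the unrestricted "allow manager" line so that only the
# "allow manager localhost" rule can grant cache-manager access.
FIXED_RULES = POSTED_RULES.replace("http_access allow manager\n", "")


def parse(text):
    """Return ({acl_name: (type, [values])}, [(action, [terms])])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def request(src, url, method="GET"):
    """A client request as http_access sees it: source IP, URL and method."""
    return {"src": src, "url": url, "method": method}


def match_acl(name, acls, req):
    """True if the named ACL matches the request."""
    url = urlsplit(req["url"])
    if name == "all":
        return True
    if name == "localhost":
        return ipaddress.ip_address(req["src"]).is_loopback
    if name == "manager":  # built-in: cache_object: URLs or /squid-internal-mgr/
        return url.scheme == "cache_object" or url.path.startswith("/squid-internal-mgr/")
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # port of the requested URL; single values or ranges
        port = url.port or (443 if url.scheme == "https" else 80)
        return any(int(v.partition("-")[0]) <= port <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req["method"] in values
    raise ValueError("unsupported acl type: " + kind)


def evaluate(text, req):
    """Return 'allow' or 'deny' for req under the given rules."""
    acls, rules = parse(text)
    for action, terms in rules:
        # Every term must match; a leading '!' negates a term as in squid.conf.
        if all(match_acl(t.lstrip("!"), acls, req) != t.startswith("!") for t in terms):
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


def unrestricted_allows(text, acl="manager"):
    """Audit check: allow rules whose only ACL is the given one, i.e. no restriction."""
    _, rules = parse(text)
    return [f"http_access allow {acl}" for action, terms in rules
            if action == "allow" and terms == [acl]]


if __name__ == "__main__":
    mgr = request("10.0.0.23", "http://10.0.0.24:3128/squid-internal-mgr/info")
    print("posted:", evaluate(POSTED_RULES, mgr), unrestricted_allows(POSTED_RULES))
    print("fixed: ", evaluate(FIXED_RULES, mgr), unrestricted_allows(FIXED_RULES))
```

The same check applies to any `allow` rule whose only ACL is a broad one; a LAN client such as 10.0.0.23 reaches the cache manager under the posted order and is stopped by `deny manager` once the extra line is gone.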
Re: [squid-users] squid intercept config
'--prefix=/cache/squid' '--enable-follow-x-forwarded-for' '--with-large-files' '--enable-ssl' '--disable-ipv6' '--enable-esi' '--enable-kill-parent-hack' '--enable-snmp' '--with-pthreads' '--with-filedescriptors=65535' '--enable-cachemgr-hostname=hostname' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' --enable-ltdl-convenience

On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov wrote:
> This is looking good too.
>
> Stupid question:
>
> With which interception option was squid built?
>
> I.e., squid -v?
Re: [squid-users] squid intercept config
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Cisco IOS telnetd
MAC Address: 88:5A:92:63:77:81 (Cisco)
Device type: router
Running: Cisco IOS 12.X
OS CPE: cpe:/h:cisco:7600_router cpe:/o:cisco:ios:12.2
OS details: Cisco 7600 router (IOS 12.2)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: switch; CPE: cpe:/o:cisco:ios

On Thu, Mar 5, 2015 at 9:31 AM, Yuri Voinov wrote:
> What is the Cisco model and IOS version?
>
> 05.03.15 20:25, Monah Baki wrote:
> > Yes, correct
> >
> > On Thu, Mar 5, 2015 at 9:23 AM, Yuri Voinov wrote:
> > > 10.0.0.23 is your host? And 10.0.0.24 is the proxy box?
Re: [squid-users] squid intercept config
Not sure why the client is running old hardware/software; could it be because of the hardware? Is FreeBSD an issue, should I switch to linux?

On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov wrote:
> Wow, 7600!
>
> But why such an antique IOS?! Current is 15.4
Re: [squid-users] squid intercept config
root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
capability mode sandbox enabled
00:00:00.00 rule 0..16777216/0(match): pass in on bge0: 10.0.0.106.5678 > 255.255.255.255.5678: UDP, length 88
00:00:08.342860 rule 0..16777216/0(match): pass in on bge0: 10.0.0.14.54264 > 10.0.0.24.22: Flags [S], seq 3823043622, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov wrote:
> Hm. No.
>
> We have not checked only the OS.
>
> Does your BSD really load the PF module?
Re: [squid-users] squid intercept config
How can I confirm? I have access only to the BSD box.

Thanks

On Thu, Mar 5, 2015 at 11:12 AM, Yuri Voinov wrote:
> Does port 80 listen outside the BSD box?
>
> 05.03.15 21:25, Monah Baki wrote:
> > root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e -ttt -i pflog0
> > tcpdump: WARNING: pflog0: no IPv4 address assigned
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> > capability mode sandbox enabled
> > 00:00:00.00 rule 0..16777216/0(match): pass in on bge0: 10.0.0.106.5678 > 255.255.255.255.5678: UDP, length 88
> > 00:00:08.342860 rule 0..16777216/0(match): pass in on bge0: 10.0.0.14.54264 > 10.0.0.24.22: Flags [S], seq 3823043622, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> >
> > On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov wrote:
> > > Hm. No.
> > >
> > > We not checked only OS.
> > >
> > > Does your BSD really load the PF module?
> > > [...]
Re: [squid-users] squid intercept config
Ok let me ask the client tomorrow to run telnet 10.0.0.24 80 from a workstation

Thanks for the help Yuri

On Thu, Mar 5, 2015 at 1:02 PM, Yuri Voinov wrote:
> Sorry, I'm wrong. Netstat on host can't show redirected listeners.
>
> Need to check it externally.
>
> 05.03.15 23:59, Monah Baki wrote:
> > On 10.0.0.24
> >
> > root@ISN-PHC-CACHE:/home/support # netstat -an
> > Active Internet connections (including servers)
> > Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > tcp4       0     52  10.0.0.24.22           96.255.8.226.50911     ESTABLISHED
> > tcp4       0      0  *.3129                 *.*                    LISTEN
> > tcp4       0      0  *.3128                 *.*                    LISTEN
> > tcp4       0      0  *.81                   *.*                    LISTEN
> > tcp6       0      0  *.81                   *.*                    LISTEN
> > tcp4       0      0  *.22                   *.*                    LISTEN
> > tcp6       0      0  *.22                   *.*                    LISTEN
> > tcp6       0      0  ::1.562                ::1.40066              ESTABLISHED
> > tcp6       0      0  ::1.40066              ::1.562                ESTABLISHED
> > tcp6       0      0  *.561                  *.*                    LISTEN
> > tcp6       0      0  *.562                  *.*                    LISTEN
> > tcp4       0      0  *.199                  *.*                    LISTEN
> > tcp4       0      0  *.1                    *.*                    LISTEN
> > udp4       0      0  *.3401                 *.*
> > udp4       0      0  *.34985                *.*
> > udp4       0      0  *.*                    *.*
> > udp4       0      0  *.161                  *.*
> > udp4       0      0  *.162                  *.*
> > udp4       0      0  *.1                    *.*
> > udp4       0      0  127.0.0.1.123          *.*
> > udp6       0      0  fe80::1%lo0.123        *.*
> > udp6       0      0  ::1.123                *.*
> > udp4       0      0  10.0.0.24.123          *.*
> > udp6       0      0  *.123                  *.*
> > udp4       0      0  *.123                  *.*
> > udp4       0      0  *.514                  *.*
> > udp6       0      0  *.514                  *.*
> >
> > On Thu, Mar 5, 2015 at 12:12 PM, Yuri Voinov wrote:
> > > From your PC run telnet 10.0.0.24 80. You'll see if the TCP socket opens.
Re: [squid-users] squid intercept config
root@ISN-PHC-CACHE:/home/support # pfctl -s nat
No ALTQ support in kernel
ALTQ related functions disabled
rdr pass inet proto tcp from 10.0.0.0/8 to any port = http -> 10.0.0.24 port 3129

On Thu, Mar 5, 2015 at 1:08 PM, Yuri Voinov wrote:
> Can you run pfctl -s nat state on the proxy box?
>
> 06.03.15 0:05, Monah Baki wrote:
> > Ok let me ask the client tomorrow to run telnet 10.0.0.24 80 from
> > a workstation
> >
> > Thanks for the help Yuri
> >
> > On Thu, Mar 5, 2015 at 1:02 PM, Yuri Voinov wrote:
> > > Sorry, I'm wrong. Netstat on host can't show redirected
> > > listeners.
> > >
> > > Need to check it externally.
> > > [...]
Re: [squid-users] squid intercept config
So from my proxy server, everything looks good?

On Thu, Mar 5, 2015 at 1:12 PM, Yuri Voinov wrote:
> Looks good too.
>
> Damn.
>
> Will think.
>
> Need to run some external checks.
>
> 06.03.15 0:10, Monah Baki wrote:
> > root@ISN-PHC-CACHE:/home/support # pfctl -s nat
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > rdr pass inet proto tcp from 10.0.0.0/8 to any port = http -> 10.0.0.24 port 3129
> >
> > On Thu, Mar 5, 2015 at 1:08 PM, Yuri Voinov wrote:
> > > Can you run pfctl -s nat state on the proxy box?
> > > [...]
[squid-users] Fwd: squid intercept config
Hi All,

As an addition to my yesterday's issue,

Tail -f cache.log, I am getting the following:

2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
Accept: image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Referer: http://www.openbsd.org/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ar;q=0.6
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Cache-Control: max-age=0
Connection: keep-alive

2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: www.openbsd.org
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ar;q=0.6
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Cache-Control: max-age=259200
Connection: keep-alive

Any ideas?

-- Forwarded message --
From: Monah Baki
Date: Thu, Mar 5, 2015 at 7:19 AM
Subject: squid intercept config
To: Squid Users

Hi all, can anyone verify if this is correct, need to make sure that users will be able to access the internet via the squid.

Running FreeBSD with a single interface with Squid-3.5.2

Policy based routing on Cisco with the following:

interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.9 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 standby 1 ip 10.0.0.10
 standby 1 priority 120
 standby 1 preempt
 standby 1 name HSRP
 ip policy route-map CFLOW

ip access-list extended REDIRECT
 deny tcp host 10.0.0.24 any eq www
 permit tcp host 10.0.0.23 any eq www

route-map CFLOW permit 10
 match ip address REDIRECT
 set ip next-hop 10.0.0.24

In my /etc/pf.conf
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state

and finally in my squid.conf:
http_port 3128
http_port 3129 intercept

And for testing purposes from the squid server:
./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/

If I replace -p 3128 with -p 80, I get an access denied, and if I omit the -p 3128 completely, I can access the websites.

tcpdump with (-p 3128)
13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448

Did I miss anything?

Thanks
Monah
Re: [squid-users] Fwd: squid intercept config
I went and changed the 10.0.0.0/8 to 10.0.0.23, which is the client station we are testing on, same results. Forward loop detected

Thanks

On Fri, Mar 6, 2015 at 8:14 AM, Antony Stone <antony.st...@squid.open.source.it> wrote:
> On Friday 06 March 2015 at 14:03:28 (EU time), Monah Baki wrote:
>
> > Hi All,
> >
> > As an addition to my yesterday's issue,
> >
> > Tail -f cache.log, I am getting the following:
> >
> > 2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
>
> > Any ideas?
>
> Is your NAT rule catching the HTTP requests from the proxy itself (as well as
> the requests from the clients) and sending *everything* to the proxy
> (including the requests the proxy is trying to make out to the Internet)?
>
> I'm not an expert on Cisco or BSD, but it does strike me that your rule:
>
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>
> looks like it will match requests from the proxy's address 10.0.0.24 as well
> as all the clients...
>
> Try adding an exception in before the NAT rule, saying "traffic from 10.0.0.24
> should not be NATted".
>
>
> Regards,
>
>
> Antony.
>
> --
> "Once you have a panic, things tend to become rather undefined."
>
> - murble
>
> Please reply to the list;
> please *don't* CC me.
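Two things in this exchange can be checked mechanically rather than by eye: what a "Forwarding loop detected" warning in cache.log actually carries (the Via header already lists this proxy's own hostname as a hop, and X-Forwarded-For names the client the request came from), and whether the source range of a pf rdr rule also covers the proxy's own address, which is the question Antony raises. The Python below is an added example, not code from this thread or from the Squid project. Its cache.log lines are constructed to match the warnings Monah posted (the second one adds a second Via hop that is not in the thread), the FIXED_RULES ruleset is a constructed rendering of Antony's suggested exception, and the rdr matcher is a deliberately simplified model of pf translation rules (source address and destination port only, first matching rule wins, a matching "no rdr" rule means no translation), not an implementation of pf.

```python
"""Triage helpers for Squid "Forwarding loop detected" warnings (added example).

Not code from the mailing-list thread or the Squid project. Parses cache.log
loop warnings, lists the proxy hops already recorded in Via and the client
chain in X-Forwarded-For, and evaluates which pf-style rdr rule a TCP packet
would match, honouring a leading "no rdr" exception.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the warnings quoted in the thread; the
# second entry adds a second Via hop to show how a chain of proxies appears.
SAMPLE_CACHE_LOG = """\
2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
Accept: image/webp,*/*;q=0.8
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)
X-Forwarded-For: 10.0.0.23
Cache-Control: max-age=0
Connection: keep-alive
2015/03/06 13:54:02| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: www.openbsd.org
Via: 1.1 ISN-PHC-CACHE (squid/3.5.2), 1.1 upstream-cache (squid/3.5.2)
X-Forwarded-For: 10.0.0.23, 10.0.0.24
Connection: keep-alive
"""

WARNING_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| WARNING: Forwarding loop detected for:$"
)


def parse_loop_warnings(log_text: str) -> List[Dict]:
    """One record per warning: time, request line, headers, Via hops, clients."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for line in log_text.splitlines():
        m = WARNING_RE.match(line)
        if m:
            current = {"time": m.group(1), "request": None, "headers": {}}
            records.append(current)
        elif current is None or not line.strip():
            continue
        elif current["request"] is None:
            current["request"] = line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    for rec in records:
        # Each Via element is "<version> <received-by> [(comment)]"; the
        # received-by token is the hostname Squid looks for to detect itself.
        via_elems = [e.split() for e in rec["headers"].get("via", "").split(",")]
        rec["via_hops"] = [e[1] for e in via_elems if len(e) >= 2]
        xff = rec["headers"].get("x-forwarded-for", "")
        rec["clients"] = [ip.strip() for ip in xff.split(",") if ip.strip()]
    return records


def already_via(record: Dict, my_hostname: str) -> bool:
    """True when this proxy's own name is in Via: a request it forwarded has
    come back in through its own listening port, which is the loop."""
    return my_hostname in record["via_hops"]


# Simplified rdr grammar: optional "no", optional "pass", source, destination,
# port (pfctl prints "port = http"), optional "-> target port N".
RDR_RE = re.compile(
    r"^(?P<no>no\s+)?rdr(?:\s+pass)?\s+inet\s+proto\s+tcp\s+from\s+(?P<src>\S+)"
    r"\s+to\s+\S+\s+port\s+(?:=\s+)?(?P<port>\S+)"
    r"(?:\s+->\s+(?P<to>\S+)\s+port\s+(?P<toport>\d+))?$"
)
PORT_NAMES = {"http": 80, "https": 443}


def redirect_target(rules: List[str], src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """First-match evaluation for a TCP packet from src_ip to dst_port.
    Returns (target_ip, target_port), or None when nothing matches or the
    first matching rule is a "no rdr" exception."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        m = RDR_RE.match(rule.strip())
        if not m:
            raise ValueError(f"unparsed rule: {rule!r}")
        port_text = m.group("port")
        port = int(port_text) if port_text.isdigit() else PORT_NAMES[port_text]
        if port != dst_port:
            continue
        src_spec = m.group("src")
        if src_spec != "any" and src not in ipaddress.ip_network(src_spec, strict=False):
            continue
        if m.group("no"):
            return None
        return (m.group("to"), int(m.group("toport")))
    return None


# The rule as printed by "pfctl -s nat" in the thread, and a constructed
# variant with the exception Antony Stone suggested placed in front of it.
ORIGINAL_RULES = [
    "rdr pass inet proto tcp from 10.0.0.0/8 to any port = http -> 10.0.0.24 port 3129",
]
FIXED_RULES = [
    "no rdr inet proto tcp from 10.0.0.24 to any port 80",
    "rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129",
]

if __name__ == "__main__":
    for rec in parse_loop_warnings(SAMPLE_CACHE_LOG):
        print(rec["time"], rec["request"], "via", rec["via_hops"], "clients", rec["clients"],
              "(self-loop)" if already_via(rec, "ISN-PHC-CACHE") else "")
    for label, rules in (("original", ORIGINAL_RULES), ("with exception", FIXED_RULES)):
        print(label, "| proxy 10.0.0.24 ->", redirect_target(rules, "10.0.0.24", 80),
              "| client 10.0.0.23 ->", redirect_target(rules, "10.0.0.23", 80))
```

With the original rule, a packet from 10.0.0.24 to port 80 matches just as a client's does; with the exception in front, the proxy's own address falls through untouched while 10.0.0.23 is still redirected to 3129. Whether pf applies rdr to the proxy's locally originated connections on this interface is a separate question the matcher does not model; the check only tells you whether the rule text would cover that address if it were evaluated.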
Re: [squid-users] Fwd: squid intercept config
No other process on 80 is on the server. I also confirmed from the client side: if he runs "telnet www.openbsd.org 80" on his desktop, he gets a response.

Thanks

On Fri, Mar 6, 2015 at 8:28 AM, Yuri Voinov wrote:
> Do you have another listening process on port 80 on your proxy box?
>
> I.e., a web server?
>
> 06.03.15 19:26, Monah Baki wrote:
> > I went and changed the 10.0.0.0/8 to 10.0.0.23, which is the client
> > station we are testing on, same results. Forward loop detected
> >
> > Thanks
> >
> > On Fri, Mar 6, 2015 at 8:14 AM, Antony Stone <antony.st...@squid.open.source.it> wrote:
> > > [...]
> > > Try adding an exception in before the NAT rule, saying "traffic from
> > > 10.0.0.24 should not be NATted".
> > > [...]
Re: [squid-users] Fwd: squid intercept config
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf

So something else is missing?

On Fri, Mar 6, 2015 at 8:47 AM, Yuri Voinov wrote:
> On proxy box.
>
> 06.03.15 19:47, monahb...@gmail.com wrote:
> > From squid or router?
> >
> > Thanks
> >
> > Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
> >
> > From: Yuri Voinov
> > Sent: Friday, March 6, 2015 8:44 AM
> > To: Monah Baki
> > Cc: squid-users@lists.squid-cache.org
> > Subject: Re: [squid-users] Fwd: squid intercept config
> >
> > Ok.
> >
> > In this case this is a NAT misconfiguration.
> >
> > You need to check it carefully.
> >
> > 06.03.15 19:43, Monah Baki wrote:
> > > No other process on 80 is on the server. I also confirmed from the
> > > client side: if he runs "telnet www.openbsd.org 80" on his desktop, he
> > > gets a response.
> > >
> > > Thanks
> > > [...]
Re: [squid-users] Fwd: squid intercept config
nce or first frame: 0.508835000 seconds]
Frame Number: 9
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: Cisco_63:77:81 (88:5a:92:63:77:81), Dst: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
    Destination: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
    Source: Cisco_63:77:81 (88:5a:92:63:77:81)
    Type: IP (0x0800)
    Padding:
Internet Protocol Version 4, Src: 10.0.0.23 (10.0.0.23), Dst: 68.71.212.158 (68.71.212.158)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 40
    Identification: 0x572a (22314)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (6)
    Header checksum: 0x81a9 [validation disabled]
    Source: 10.0.0.23 (10.0.0.23)
    Destination: 68.71.212.158 (68.71.212.158)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 42794 (42794), Dst Port: 80 (80), Seq: 401, Ack: 3332, Len: 0

On Fri, Mar 6, 2015 at 8:57 AM, Antony Stone <antony.st...@squid.open.source.it> wrote:
> On Friday 06 March 2015 at 14:50:50 (EU time), Monah Baki wrote:
>
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
> >
> > So something else is missing?
>
> Can you run a packet sniffer on the proxy, to see what packets come in (noting
> the MAC address of the previous hop), what packets go out (to what
> address/es), and whether they then seem to come back in again (and if so, from
> which MAC address)?
>
> That might give you a clue as to where the forwarding loop is being created.
>
>
> Regards,
>
>
> Antony.
>
> --
> How I want a drink, alcoholic of course, after the heavy chapters involving
> quantum mechanics.
>
> - mnemonic for 3.14159265358979
>
> Please reply to the list;
> please *don't* CC me.
Re: [squid-users] squid intercept config
Hi Amos,

Thanks for the assist. So basically from my end, the squid proxy which I am responsible for, I shouldn't concentrate on changing any of its configuration, but instead tell them to try to solve it on their end? If yes, what are we looking at, their router setup?

Thanks

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries wrote:
> On 6/03/2015 1:19 a.m., Monah Baki wrote:
> > Hi all, can anyone verify if this is correct, need to make sure that users
> > will be able to access the internet via the squid.
> >
> > Running FreeBSD with a single interface with Squid-3.5.2
> >
> > Policy based routing on Cisco with the following:
> > [...]
> >
> > In my /etc/pf.conf
> > rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> >
> > # block in
> > pass in log quick on bge0
> > pass out log quick on bge0
> > pass out keep state
> >
> > and finally in my squid.conf:
> > http_port 3128
> > http_port 3129 intercept
> >
> > And for testing purposes from the squid server:
> > ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
> >
> > If I replace -p 3128 with -p 80, I get an access denied, and if I omit the
> > -p 3128 completely, I can access the websites.
>
> If you omit the -p entirely squidclient assumes "-p 3128" (the proxy
> default listening port), so it works exactly the same as if you had used
> -p 3128 explicitly.
>
> If you use -p 80 you also need to change the other parameters so they
> generate a port-80 syntax message:
> - the -h with IP or hostname of the remote web server, and
> - the URL parameters being a relative URL, and
> - the -j parameter with Host: header domain name of the server
> ...
> eg.
> squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /
>
> NP: if your squidclient is too old to support -j, use this instead:
> -H 'Host: www.freebsd.org\n'
>
> ** this test should work from the squid box without having gone through
> the proxy. Only from the client machine should it work *with* NAT
> passing it through the proxy.
>
>
> Using a proxy syntax message sent directly to the proxy receiving port,
> or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a
> guaranteed forwarding loop failure.
>
>
> That doesn't fix your clients' issue, but hopefully makes it clear that
> the above described test is broken enough to prevent you identifying when
> the client issue is fixed if that happens on some change.
>
> Amos
Re: [squid-users] squid intercept config
Forgot to paste my test.

Basically from my squid server:
root@ISN-PHC-CACHE:/cache/squid/bin # ./squidclient -h www.cnn.com -H 'Host: www.cnn.com\n' -p 80
HTTP/1.1 302 Found
Server: Varnish
Retry-After: 0
Content-Length: 0
Location: http://edition.cnn.com80
Accept-Ranges: bytes
Date: Sat, 07 Mar 2015 12:08:21 GMT
Via: 1.1 varnish
Connection: close
X-Served-By: cache-lhr6328-LHR
X-Cache: MISS
X-Cache-Hits: 0

Thanks
Monah

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries wrote:
> [...]
> NP: if your squidclient is too old to support -j, use this instead:
> -H 'Host: www.freebsd.org\n'
>
> ** this test should work from the squid box without having gone through
> the proxy. Only from the client machine should it work *with* NAT
> passing it through the proxy.
> [...]
Re: [squid-users] squid intercept config
Thanks Amos and everyone who helped me. Will revert to the client to check his Cisco device; I have been banging my head for days now troubleshooting the proxy. He's running old Cisco hardware and IOS too.

On Sat, Mar 7, 2015 at 8:24 AM, Amos Jeffries wrote:
> On 8/03/2015 1:09 a.m., Monah Baki wrote:
> > Forgot to paste my test.
> >
> > Basically from my squid server:
> > root@ISN-PHC-CACHE:/cache/squid/bin # ./squidclient -h www.cnn.com -H
> > 'Host: www.cnn.com\n' -p 80
> > HTTP/1.1 302 Found
> > Server: Varnish
> > Retry-After: 0
> > Content-Length: 0
> > Location: http://edition.cnn.com80
>
> Um, that redirect URL is invalid. This Varnish is outputting garbage.
>
>
> However, this test result does prove that output traffic from your Squid
> should be fine. The test connecting to your port 3128 should confirm
> that by getting the same or very similar result for normal traffic.
>
>
> So the problem is on the input. It could still be at the client end, or
> in the NAT redirection.
>
> One thing I've not seen clarified in the discussion is which machine the
> NAT rules have been placed on (Squid box? or router?). Sorry if I missed that.
> The NAT operation MUST be done on the Squid box or the local machine's
> NAT system tells it the client was connecting to connect to
> itself/Squid:3129 (which is the forwarding loop).
>
> The router looks like a Cisco device, so it must do L2 routing
> redirection or WCCP to deliver packets to the Squid machine without
> having altered their IP:port details in any way.
>
> Amos
Re: [squid-users] squid intercept config
I forgot to paste my pf.conf

# rdr pass inet proto tcp from 10.0.0.9/32 to any port 80 -> 10.0.0.24 port 3128
# nat on bge0 inet from any to port 80 -> bge0
rdr pass inet proto tcp from 10.0.0.23 to any port 80 -> 10.0.0.24 port 3129
# pass on bge0 inet proto tcp from bge0 to bge0 port 3128
# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state

On Sat, Mar 7, 2015 at 8:24 AM, Amos Jeffries wrote:
> [...]
> So the problem is on the input. It could still be at the client end, or
> in the NAT redirection.
>
> One thing I've not seen clarified in the discussion is which machine the
> NAT rules have been placed on (Squid box? or router?). Sorry if I missed that.
> The NAT operation MUST be done on the Squid box or the local machine's
> NAT system tells it the client was connecting to connect to
> itself/Squid:3129 (which is the forwarding loop).
>
> The router looks like a Cisco device, so it must do L2 routing
> redirection or WCCP to deliver packets to the Squid machine without
> having altered their IP:port details in any way.
>
> Amos
Re: [squid-users] squid intercept config
Hi All,

Installed squid on CentOS 6.6 and it's working, but my access.log shows all TCP_MISS and no TCP_HIT.

The following config:

squid.conf
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept

iptables
# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*nat
:PREROUTING ACCEPT [10:2031]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Mar 13 16:04:02 2015
# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1818:649971]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 13 16:04:02 2015
# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*mangle
:PREROUTING ACCEPT [68:6199]
:INPUT ACCEPT [68:6199]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3064]
:POSTROUTING ACCEPT [26:3064]
-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
COMMIT
# Completed on Fri Mar 13 16:04:02 2015

Accessing sites shows the IP address of the proxy, 147.245.252.13. Am I missing something in iptables that it is not caching?
Thanks
Monah

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries wrote:
> On 6/03/2015 1:19 a.m., Monah Baki wrote:
> > Hi all, can anyone verify if this is correct, need to make sure that users will be able to access the internet via the squid.
> >
> > Running FreeBSD with a single interface with Squid-3.5.2
> >
> > Policy based routing on Cisco with the following:
> >
> > interface GigabitEthernet0/0/1.1
> > encapsulation dot1Q 1 native
> > ip address 10.0.0.9 255.255.255.0
> > no ip redirects
> > no ip unreachables
> > ip nat inside
> > standby 1 ip 10.0.0.10
> > standby 1 priority 120
> > standby 1 preempt
> > standby 1 name HSRP
> > ip policy route-map CFLOW
> >
> > ip access-list extended REDIRECT
> > deny tcp host 10.0.0.24 any eq www
> > permit tcp host 10.0.0.23 any eq www
> >
> > route-map CFLOW permit 10
> > match ip address REDIRECT
> > set ip next-hop 10.0.0.24
> >
> > In my /etc/pf.conf
> > rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> >
> > # block in
> > pass in log quick on bge0
> > pass out log quick on bge0
> > pass out keep state
> >
> > and finally in my squid.conf:
> > http_port 3128
> > http_port 3129 intercept
> >
> > And for testing purposes from the squid server:
> > ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
> >
> > If I replace -p 3128 with -p 80, I get an access denied, and if I omit the -p 3128 completely, I can access the websites.
>
> If you omit the -p entirely squidclient assumes "-p 3128" (the proxy default listening port), so it works exactly the same as if you had used -p 3128 explicitly.
>
> If you use -p 80 you also need to change the other parameters so they generate a port-80 syntax message:
> - the -h with IP or hostname of the remote web server, and
> - the URL parameter being a relative URL, and
> - the -j parameter with Host: header domain name of the server
> ...
> eg.
> squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /
>
> NP: if your squidclient is too old to support -j, use this instead:
> -H 'Host: www.freebsd.org\n'
>
> ** this test should work from the squid box without having gone through the proxy. Only from the client machine should it work *with* NAT passing it through the proxy.
>
> Using a proxy syntax message sent directly to the proxy receiving port, or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a guaranteed forwarding loop failure.
>
> That doesn't fix your client's issue, but hopefully makes it clear that the above described test is broken enough to prevent you identifying when the client issue is fixed if that happens on some change.
>
> Amos
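As an added illustration of Amos's point about where the NAT must live (example code written for this page, not Squid's own code): a small model of the two placements. It assumes the addresses from the thread (client 10.0.0.23, Squid box 10.0.0.24, ports 3128 and 3129) plus a constructed web-server address, and the NAT-table lookup is modelled rather than the real pf/conntrack call.

```python
from dataclasses import dataclass

# Addresses from the thread; the web server address is constructed for the example.
CLIENT_IP = "10.0.0.23"
PROXY_IP = "10.0.0.24"
PROXY_PORT = 3128              # http_port 3128
INTERCEPT_PORT = 3129          # http_port 3129 intercept
WEB_SERVER = ("203.0.113.80", 80)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def router_forward(pkt: Packet, router_rewrites_dst: bool) -> Packet:
    """Router hop. Policy routing / WCCP (router_rewrites_dst=False) hands the
    packet to the Squid box with its IP:port untouched. Router-side NAT
    (router_rewrites_dst=True) rewrites the destination to proxy:3129 before
    the packet ever reaches the Squid box."""
    if router_rewrites_dst:
        return Packet(pkt.src, PROXY_IP, INTERCEPT_PORT)
    return pkt


def squid_box_rdr(pkt: Packet):
    """NAT on the Squid box ('rdr ... to any port 80 -> 10.0.0.24 port 3129').
    Only a port-80 packet that is not already addressed to the proxy is
    rewritten (cf. the ACL/iptables exceptions for the proxy's own address),
    and the NAT table keeps the pre-NAT destination so Squid can read it back.
    Returns (packet as delivered to the socket, NAT entry or None)."""
    if pkt.dport == 80 and pkt.dst != PROXY_IP:
        return Packet(pkt.src, PROXY_IP, INTERCEPT_PORT), (pkt.dst, pkt.dport)
    return pkt, None


def original_dst_seen_by_squid(delivered: Packet, nat_entry):
    """What the intercept port learns from the local NAT table: the recorded
    original destination if there is an entry, otherwise nothing better than
    the address the socket itself was connected to."""
    return nat_entry if nat_entry is not None else (delivered.dst, delivered.dport)


OWN_SOCKETS = {(PROXY_IP, PROXY_PORT), (PROXY_IP, INTERCEPT_PORT)}


def classify_intercepted(original_dst) -> str:
    """The sanity check an intercepting proxy must make: if the 'original'
    destination is one of its own listening sockets, forwarding the request
    would connect the proxy to itself (the forwarding loop in the thread)."""
    return "forwarding loop" if original_dst in OWN_SOCKETS else "ok"


def simulate(router_rewrites_dst: bool) -> str:
    """Run one client packet through router -> Squid box NAT -> intercept check."""
    pkt = Packet(CLIENT_IP, *WEB_SERVER)
    at_squid_box = router_forward(pkt, router_rewrites_dst)
    delivered, nat_entry = squid_box_rdr(at_squid_box)
    return classify_intercepted(original_dst_seen_by_squid(delivered, nat_entry))


if __name__ == "__main__":
    print("PBR/WCCP + rdr on the Squid box:", simulate(False))  # ok
    print("NAT done on the router:         ", simulate(True))   # forwarding loop
```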
Re: [squid-users] squid intercept config
On Fri, Mar 13, 2015 at 12:18 PM, Yuri Voinov wrote:
> 13.03.15 21:58, Monah Baki wrote:
> > Hi All,
> >
> > Installed squid on CentOS 6.6 and it's working, but my access.log shows all TCP_MISS and no TCP_HIT.
> > The following config:
> >
> > squid.conf
> > # Squid normally listens to port 3128
> > http_port 3128
> > http_port 3129 intercept
>
> And that's all
Re: [squid-users] squid intercept config
It's working now, all I did is rem'd the following:

# half_closed_clients off
# quick_abort_min 0 KB
# quick_abort_max 0 KB
# vary_ignore_expire on
# reload_into_ims on
# memory_pools off
# cache_mem 4096 MB
# # memory_cache_shared on
visible_hostname isn-phc-cache
minimum_object_size 0 bytes
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
# ipcache_low 90
# ipcache_high 95
cache_swap_low 98
cache_swap_high 100
# fqdncache_size 16384
# retry_on_error on
# offline_mode off
logfile_rotate 10
dns_nameservers 8.8.8.8 41.78.211.30

I can see tcp_hits. Note to self: something I do not know, don't add it.

On Fri, Mar 13, 2015 at 1:23 PM, Amos Jeffries wrote:
> On 14/03/2015 6:15 a.m., Antony Stone wrote:
> > On Friday 13 March 2015 at 17:47:44 (EU time), Monah Baki wrote:
> >>
> >> http_access allow localhost manager
> >> http_access deny manager
> >>
> >> #http_access deny to_localhost
> >>
> >> http_access allow localnet
> >> http_access allow localhost
> >
> > You've got the standard references here (and above, for cache manager access) for localhost, and yet I don't see it defined anywhere - have you deliberately removed it?
>
> Current Squid versions define those ACLs automatically.
>
> Amos
[squid-users] How to run squidclient
Hi all,

I am running CentOS 6.6 64 bit, and need to get some information from the command line.

Compiled squid as:
./configure --prefix=/home/cache --enable-follow-x-forwarded-for --with-large-files --enable-ssl --disable-ipv6 --enable-esi --enable-kill-parent-hack --enable-snmp --with-pthreads --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname --enable-storeio=ufs,aufs,diskd,rock

[root@ISN-PHC-Cache bin]# ./squidclient mgr:info
HTTP/1.1 403 Forbidden
Server: squid/3.5.2
Mime-Version: 1.0
Date: Fri, 20 Mar 2015 02:29:53 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3552
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from isn-phc-cache
Via: 1.1 isn-phc-cache (squid/3.5.2)
Connection: close

#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_reply_access allow all
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
cache_dir ufs /home/cache/var/cache/squid 35 16 256
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:             1440   20%    10080
refresh_pattern ^gopher:          1440   0%     1440
refresh_pattern -i (/cgi-bin/|\?) 0      0%     0
refresh_pattern .                 0      20%    4320

Thanks
Re: [squid-users] How to run squidclient
Hi Amos,

[root@ISN-PHC-Cache bin]# ./squidclient -V
Version: 3.5.2

[root@ISN-PHC-Cache bin]# ./squidclient -vv mgr:info
verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: localhost
User-Agent: squidclient/3.5.2
Accept: */*
Connection: close

.
Transport detected: IPv4-only
Resolving localhost ...
Connecting... localhost (127.0.0.1:3128)
Connected to: localhost (127.0.0.1:3128)
Sending HTTP request ... done.
HTTP/1.1 403 Forbidden
Server: squid/3.5.2
Mime-Version: 1.0
Date: Fri, 20 Mar 2015 17:29:54 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3549
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from isn-phc-cache
Via: 1.1 isn-phc-cache (squid/3.5.2)
Connection: close

ERROR: The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: cache_object://localhost/info

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.

Generated Fri, 20 Mar 2015 17:29:54 GMT by isn-phc-cache (squid/3.5.2)
Re: [squid-users] How to run squidclient
Regarding DNS lookup, if I type nslookup 10.0.0.24 or nslookup isn-phc-cache, our nameservers in /etc/resolv.conf are Google's name servers. Do I need to resolve first to use squidclient???

[root@ISN-PHC-Cache bin]# ./squidclient -vv -j isn-phc-cache mgr:info
verbosity level set to 2
Request:
GET cache_object://localhost/info HTTP/1.0
Host: isn-phc-cache
User-Agent: squidclient/3.5.2
Accept: */*
Connection: close

.
Transport detected: IPv4-only
Resolving localhost ...
Connecting... localhost (127.0.0.1:3128)
Connected to: localhost (127.0.0.1:3128)
Sending HTTP request ... done.
HTTP/1.1 403 Forbidden
Server: squid/3.5.2
Mime-Version: 1.0
Date: Fri, 20 Mar 2015 18:11:21 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3553
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from isn-phc-cache
Via: 1.1 isn-phc-cache (squid/3.5.2)
Connection: close

ERROR: The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: cache_object://localhost/info

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.

Generated Fri, 20 Mar 2015 18:11:21 GMT by isn-phc-cache (squid/3.5.2)

On Fri, Mar 20, 2015 at 1:00 PM, Amos Jeffries wrote:
> Interesting.
>
> I wonder if your Squid is resolving the "localhost" domain name as ::1 and rejecting it because IPv6 is disabled, therefore not permitted. Or if it's the domain name not matching the proxy name.
>
> Try adding "-j isn-phc-cache" which sets the Host: header to match what the cache thinks its public domain name is.
>
> Amos
Re: [squid-users] How to run squidclient
ERROR: The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://isn-phc-cache/squid-internal-mgr/info

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.

Generated Fri, 20 Mar 2015 19:48:05 GMT by isn-phc-cache (squid/3.5.2)

On Fri, Mar 20, 2015 at 2:25 PM, Amos Jeffries wrote:
> On 21/03/2015 6:15 a.m., Monah Baki wrote:
> > Regarding DNS lookup, if I type nslookup 10.0.0.24 or nslookup isn-phc-cache,
> > Our nameservers in /etc/resolv.conf are google's name server
> >
> > Do I need to resolve first to use squidclient???
>
> No, the squidclient resolving is done as you saw in its output and gets the right IPv4-only and 127.0.0.1.
>
> The problem will appear later when you view error messages or directory listings generated by Squid. All the icons and generated URLs will be using that "isn-phc-cache" as their domain.
>
> I'm not exactly sure what the problem is. Your config is pretty much default and I don't hit this on my test proxies.
>
> Please try these (mind the wrap):
>
> squidclient -j isn-phc-cache:3128 cache_object://isn-phc-cache:3128/info
>
> squidclient -j isn-phc-cache:3128 http://isn-phc-cache:3128/squid-internal-mgr/info
>
> squidclient -j isn-phc-cache:3128 http://isn-phc-cache/squid-internal-mgr/info
>
> Amos
[squid-users] I am seeing the following in my cache.log
Running squid 3.5.2 on CentOS 6.6

./configure --prefix=/home/cache --enable-follow-x-forwarded-for --with-large-files --enable-ssl --disable-ipv6 --enable-esi --enable-kill-parent-hack --enable-snmp --with-pthreads --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname --enable-storeio=ufs,aufs,diskd,rock

We have around 50 users. I am seeing hundreds of thousands of the following:

2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 (local IP does not match any domain IP)

Then after 2 hours, I get the message in my cache.log:

2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:42.478| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches
2015/03/24 16:41:42.478| Could not parse headers from on disk object
2015/03/24 16:41:42.478| BUG 3279: HTTP reply without Date:
2015/03/24 16:41:42.478| StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC
2015/03/24 16:41:42.478| StoreEntry->next: 0
2015/03/24 16:41:42.478| StoreEntry->mem_obj: 0x1d56470
2015/03/24 16:41:42.478| StoreEntry->timestamp: -1
2015/03/24 16:41:42.478| StoreEntry->lastref: 1427211702
2015/03/24 16:41:42.478| StoreEntry->expires: -1
2015/03/24 16:41:42.478| StoreEntry->lastmod: -1
2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0
2015/03/24 16:41:42.478| StoreEntry->refcount: 1
2015/03/24 16:41:42.478| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/03/24 16:41:42.478| StoreEntry->swap_dirn: -1
2015/03/24 16:41:42.478| StoreEntry->swap_filen: -1
2015/03/24 16:41:42.478| StoreEntry->lock_count: 2
2015/03/24 16:41:42.478| StoreEntry->mem_status: 0
2015/03/24 16:41:42.478| StoreEntry->ping_status: 2
2015/03/24 16:41:42.478| StoreEntry->store_status: 1
2015/03/24 16:41:42.478| StoreEntry->swap_status: 0
2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()"

Then I get a message "running out of file descriptors"; for that I did the following:
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog

In my /etc/security/limits.conf, added the following:
* - nofile 65535

My squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
acl blockeddomain dstdomain "/home/cache/etc/blocked.domain.acl"
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591
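Reading the cache.log above by hand does not scale to "hundreds of thousands" of alerts. The following is an added example (not Squid code) that groups the three-line SECURITY ALERT records per client so the machine producing them can be found, and restates the check Squid applies on an intercept port: the Host header's name must resolve to the IP the client actually connected to. The sample log lines and the DNS answers are constructed for the example; the client address 10.0.0.23 in the third record is added to show the grouping.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the shape of the cache.log excerpt above: each forgery
# alert is a "detected" line followed by "By user agent" and "on URL" lines
# carrying the same timestamp. Unrelated lines (the assertion) are ignored.
SAMPLE_CACHE_LOG = """\
2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
2015/03/24 16:41:42.800| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13505 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.800| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:42.800| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=10.0.0.23:40001 FD 31 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 16:41:43.115| assertion failed: store.cc:1885: "isEmpty()"
"""

DETECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) .*\((?P<reason>[^)]*)\)")
AGENT_RE = re.compile(r"^(?P<ts>\S+ \S+)\| SECURITY ALERT: By user agent: (?P<ua>.*)$")
URL_RE = re.compile(r"^(?P<ts>\S+ \S+)\| SECURITY ALERT: on URL: (?P<url>\S+)$")


def split_hostport(value):
    """'85.115.52.158:80' -> ('85.115.52.158', 80)."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def parse_forgery_alerts(text):
    """Return one dict per alert: endpoints, reason, and the user-agent and
    URL lines that belong to it (attached only when the timestamp matches)."""
    records = []
    for line in text.splitlines():
        m = DETECTED_RE.match(line)
        if m:
            local_ip, local_port = split_hostport(m.group("local"))
            remote_ip, remote_port = split_hostport(m.group("remote"))
            records.append({"ts": m.group("ts"), "local_ip": local_ip,
                            "local_port": local_port, "remote_ip": remote_ip,
                            "remote_port": remote_port, "reason": m.group("reason"),
                            "user_agent": None, "url": None})
            continue
        if not records:
            continue
        current = records[-1]
        m = AGENT_RE.match(line)
        if m and m.group("ts") == current["ts"]:
            current["user_agent"] = m.group("ua")
            continue
        m = URL_RE.match(line)
        if m and m.group("ts") == current["ts"]:
            current["url"] = m.group("url")
    return records


def summarize_by_client(records):
    """Per client IP: alert count, distinct Host values, distinct user agents.
    A single client producing most of the volume is the machine to look at."""
    summary = defaultdict(lambda: {"alerts": 0, "hosts": set(), "agents": set()})
    for r in records:
        entry = summary[r["remote_ip"]]
        entry["alerts"] += 1
        if r["url"]:
            entry["hosts"].add(r["url"])
        if r["user_agent"]:
            entry["agents"].add(r["user_agent"])
    return dict(summary)


# Constructed DNS answers standing in for the lookup Squid performs.
CONSTRUCTED_DNS = {"www.example.test": ["203.0.113.10", "203.0.113.11"]}


def resolve(name):
    return CONSTRUCTED_DNS.get(name, [])


def host_matches_original_dst(host_header, original_dst_ip, resolver=resolve):
    """Squid's intercept-mode check in miniature: strip any :port from the Host
    header (IPv6 literals not handled here), resolve the name, and require the
    IP the client really connected to (the 'local=' address in the log) to be
    among the answers. A miss is what the log calls 'local IP does not match
    any domain IP'."""
    name, _, _ = host_header.partition(":")
    answers = {ip_address(a) for a in resolver(name)}
    return ip_address(original_dst_ip) in answers


if __name__ == "__main__":
    for client, info in summarize_by_client(parse_forgery_alerts(SAMPLE_CACHE_LOG)).items():
        print(client, info["alerts"], sorted(info["hosts"]))
```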
Re: [squid-users] I am seeing the following in my cache.log
Thanks Yuri for the URL. The company is a small ISP using policy based routing, so using WPAD or GPO isn't feasible.

If the cause of the server running out of file descriptors and giving the "assertion failed: store.cc:1885: "isEmpty()" error, I prefer to inform the end user to fix his computer.

Thanks
Monah

On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov wrote:
> Feel free to look at this:
>
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
Re: [squid-users] I am seeing the following in my cache.log
I compiled it with --with-filedescriptors=65535, anything else that can help?

Thanks

On Tue, Mar 24, 2015 at 4:07 PM, Yuri Voinov wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Running out of file descriptors is another problem. You probably can
> re-build your squid with a higher value of the corresponding parameter.
>
>
> 25.03.15 2:05, Monah Baki wrote:
>> Thanks Yuri for the URL. The company is a small ISP using policy
>> based routing, so using WPAD or GPO isn't feasible.
>>
>> If the cause of the server running out of file descriptors and
>> giving the "assertion failed: store.cc:1885: "isEmpty()" error, I
>> prefer to inform the end user to fix his computer.
>>
>> Thanks
>> Monah
>>
>>
>> On Tue, Mar 24, 2015 at 3:24 PM, Yuri Voinov wrote:
>>> Feel free to look at this:
>>>
>>> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>>>
>>>
>>> 25.03.15 1:18, Monah Baki wrote:
>>>> Running squid 3.5.2 on Centos 6.6
>>>>
>>>> ./configure --prefix=/home/cache
>>>> --enable-follow-x-forwarded-for --with-large-files
>>>> --enable-ssl --disable-ipv6 --enable-esi
>>>> --enable-kill-parent-hack --enable-snmp --with-pthreads
>>>> --with-filedescriptors=65535
>>>> --enable-cachemgr-hostname=hostname
>>>> --enable-storeio=ufs,aufs,diskd,rock
>>>>
>>>> We have around 50 users. I am seeing hundreds of thousands of the following:
>>>>
>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>> 2015/03/24 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443
>>>> 2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 (local IP does not match any domain IP)
>>>>
>>>> Then after 2 hours, I get the message in my cache.log:
>>>>
>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
>>>> 2015/03/24 16:41:42.478| SECURITY ALERT: on URL: www.facebook.com:443
>>>> 2015/03/24 16:41:42.478| WARNING: 1 swapin MD5 mismatches
>>>> 2015/03/24 16:41:42.478| Could not parse headers from on disk object
>>>> 2015/03/24 16:41:42.478| BUG 3279: HTTP reply without Date:
>>>> 2015/03/24 16:41:42.478| StoreEntry->key: 23F0D6046AB8FE86440CAD447524FCBC
>>>> 2015/03/24 16:41:42.478| StoreEntry->next: 0
>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_obj: 0x1d56470
>>>> 2015/03/24 16:41:42.478| StoreEntry->timestamp: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->lastref: 1427211702
>>>> 2015/03/24 16:41:42.478| StoreEntry->expires: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->lastmod: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_file_sz: 0
>>>> 2015/03/24 16:41:42.478| StoreEntry->refcount: 1
>>>> 2015/03/24 16:41:42.478| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_dirn: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_filen: -1
>>>> 2015/03/24 16:41:42.478| StoreEntry->lock_count: 2
>>>> 2015/03/24 16:41:42.478| StoreEntry->mem_status: 0
>>>> 2015/03/24 16:41:42.478| StoreEntry->ping_status: 2
>>>> 2015/03/24 16:41:42.478| StoreEntry->store_status: 1
>>>> 2015/03/24 16:41:42.478| StoreEntry->swap_status: 0
>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
>>>> 2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
>>>> 2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20
Re: [squid-users] I am seeing the following in my cache.log
Thanks Amos,

My problem is I only have control over the squid server. I can only tell the ISP to take the client offline and run some AntiVirus or better reimage the device.

Within 2 hours my cache.log grew to 50MB in size and it was repeating the error mentioned over and over again till my squid server started complaining about running out of file descriptors, and stopped working.

Thanks

On Tue, Mar 24, 2015 at 8:58 PM, Amos Jeffries wrote:
> On 25/03/2015 9:05 a.m., Monah Baki wrote:
>> Thanks Yuri for the URL. The company is a small ISP using policy based
>> routing, so using WPAD or GPO isn't feasible.
>
>
> Did you start reading with the problem explanation?
> The bit about what Squid's testing for and how to interpret the log lines?
>
> Your log is saying that there is a client sending requests on port 80
> which claim to be requests *on port 443*. Even if the IP matches
> facebook the port doesn't.
>
> Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
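Monah wants one thing out of this log: the address of the client to take offline. Amos's point is that the rejected requests arrive on port 80 while naming a :443 target. The script below is an added example, not code from the thread or from the Squid project. It parses the three-line SECURITY ALERT groups that Squid 3.5 writes to cache.log, attributes each one to the remote (client) address, and counts how often the port in the requested URL differs from the port the connection actually arrived on. The sample lines are constructed from the ones quoted above; the assumptions that the three lines of one alert are adjacent (in either order) and that addresses are IPv4 (this build uses --disable-ipv6) are mine.

```python
"""Summarise Squid 'Host header forgery' alerts per client (added example).

For an intercepted connection Squid logs 'local=' as the original destination
and 'remote=' as the client, so grouping by 'remote' names the offending host.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, modelled on the cache.log lines quoted in the thread.
SAMPLE_LOG = """\
2015/03/24 14:57:34.910| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 14:57:34.910| SECURITY ALERT: on URL: www.facebook.com:443
2015/03/24 14:57:34.946| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=196.245.252.34:36732 FD 49 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44348 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.747| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.747| SECURITY ALERT: on URL: us-mg5.mail.yahoo.com:443
2015/03/24 16:41:42.772| SECURITY ALERT: Host header forgery detected on local=85.115.52.158:80 remote=197.255.252.34:44349 FD 20 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:42.772| SECURITY ALERT: By user agent: WNetCore/0.1.1.1
2015/03/24 16:41:42.772| SECURITY ALERT: on URL: csync.flickr.com:443
2015/03/24 16:41:43.115| SECURITY ALERT: Host header forgery detected on local=85.115.33.158:80 remote=197.255.252.34:13506 FD 31 flags=33 (local IP does not match any domain IP)
2015/03/24 16:41:43.115| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
2015/03/24 16:41:43.115| SECURITY ALERT: on URL: www.facebook.com:443
"""

TS = r"^(?P<ts>\S+ \S+)\| SECURITY ALERT: "
PATTERNS = (
    # IPv4 only (assumption): an IPv6 local/remote would be written as [addr]:port
    ("detected", re.compile(TS + r"Host header forgery detected on "
                            r"local=(?P<lip>[^:\s]+):(?P<lport>\d+) "
                            r"remote=(?P<rip>[^:\s]+):(?P<rport>\d+)")),
    ("ua", re.compile(TS + r"By user agent: (?P<ua>.*)$")),
    ("url", re.compile(TS + r"on URL: (?P<url>\S+)$")),
)


def parse_alerts(text):
    """Group adjacent SECURITY ALERT lines into one dict per alert, in any order."""
    events, cur = [], {}
    for line in text.splitlines():
        for key, rx in PATTERNS:
            m = rx.search(line)
            if m:
                break
        else:
            continue                      # not an alert line
        if key in cur:                    # field repeated: previous group was short
            events.append(cur)
            cur = {}
        if key == "detected":
            cur.update(m.groupdict())     # ts, lip, lport, rip, rport
            cur["detected"] = True
        else:
            cur[key] = m.group(key)
        if {"detected", "ua", "url"} <= cur.keys():
            events.append(cur)
            cur = {}
    if cur:
        events.append(cur)
    return events


def url_target(url):
    """(host, port) from the 'on URL:' field: CONNECT authority 'host:port' or an absolute URL."""
    if "://" in url:
        p = urlsplit(url)
        return p.hostname, p.port or (443 if p.scheme == "https" else 80)
    host, _, port = url.rpartition(":")
    return host, int(port)


def summarize(events):
    """Per client: alert count, URL-port vs connection-port mismatches, hosts, agents."""
    per_client = defaultdict(lambda: {"alerts": 0, "port_mismatch": 0,
                                      "hosts": set(), "agents": set()})
    for ev in events:
        if not ev.get("detected"):        # no 'detected' line, so no client address
            continue
        c = per_client[ev["rip"]]
        c["alerts"] += 1
        if "url" in ev:
            host, port = url_target(ev["url"])
            c["hosts"].add(host)
            if port != int(ev["lport"]):  # e.g. 'host:443' arriving on port 80
                c["port_mismatch"] += 1
        if "ua" in ev:
            c["agents"].add(ev["ua"])
    return dict(per_client)


def worst_offenders(summary, n=5):
    """Clients ordered by alert count; the first entry is the one to take offline."""
    return sorted(summary.items(), key=lambda kv: kv[1]["alerts"], reverse=True)[:n]


if __name__ == "__main__":
    for ip, c in worst_offenders(summarize(parse_alerts(SAMPLE_LOG))):
        print(ip, c["alerts"], "alerts,", c["port_mismatch"], "port mismatches,", sorted(c["hosts"]))
```

Run it against a real cache.log by replacing SAMPLE_LOG with the file contents; a client that shows up with every alert carrying a port mismatch matches Amos's reading of the log, and its remote address is the one to hand to the ISP.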
Re: [squid-users] squid intercept config
On 10.0.0.24

root@ISN-PHC-CACHE:/home/support # netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     52  10.0.0.24.22           96.255.8.226.50911     ESTABLISHED
tcp4       0      0  *.3129                 *.*                    LISTEN
tcp4       0      0  *.3128                 *.*                    LISTEN
tcp4       0      0  *.81                   *.*                    LISTEN
tcp6       0      0  *.81                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  ::1.562                ::1.40066              ESTABLISHED
tcp6       0      0  ::1.40066              ::1.562                ESTABLISHED
tcp6       0      0  *.561                  *.*                    LISTEN
tcp6       0      0  *.562                  *.*                    LISTEN
tcp4       0      0  *.199                  *.*                    LISTEN
tcp4       0      0  *.1                    *.*                    LISTEN
udp4       0      0  *.3401                 *.*
udp4       0      0  *.34985                *.*
udp4       0      0  *.*                    *.*
udp4       0      0  *.161                  *.*
udp4       0      0  *.162                  *.*
udp4       0      0  *.1                    *.*
udp4       0      0  127.0.0.1.123          *.*
udp6       0      0  fe80::1%lo0.123        *.*
udp6       0      0  ::1.123                *.*
udp4       0      0  10.0.0.24.123          *.*
udp6       0      0  *.123                  *.*
udp4       0      0  *.123                  *.*
udp4       0      0  *.514                  *.*
udp6       0      0  *.514                  *.*

On Thu, Mar 5, 2015 at 12:12 PM, Yuri Voinov wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> From your PC run telnet 10.0.0.24 80. You'll see if the TCP socket opens.
>
> 05.03.15 23:10, Monah Baki wrote:
>> How can I confirm, I have access only to the BSD box
>>
>> Thanks
>>
>> On Thu, Mar 5, 2015 at 11:12 AM, Yuri Voinov wrote:
>>> Does port 80 outside the BSD box listen?
>>>
>>> 05.03.15 21:25, Monah Baki wrote:
>>>> root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e -ttt -i pflog0
>>>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
>>>> capability mode sandbox enabled
>>>> 00:00:00.00 rule 0..16777216/0(match): pass in on bge0: 10.0.0.106.5678 > 255.255.255.255.5678: UDP, length 88
>>>> 00:00:08.342860 rule 0..16777216/0(match): pass in on bge0: 10.0.0.14.54264 > 10.0.0.24.22: Flags [S], seq 3823043622, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
>>>>
>>>>
>>>> On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov wrote:
>>>>> Hm. No.
>>>>>
>>>>> We checked everything except the OS.
>>>>>
>>>>> Does your BSD really load the PF module?
>>>>>
>>>>> 05.03.15 21:16, Monah Baki wrote:
>>>>>> Not sure why the client is running old hard/software, could it be because of the hardware? Is FreeBSD an issue, should I switch to linux?
>>>>>>
>>>>>> On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov wrote:
>>>>>>> Wow, 7600!
>>>>>>>
>>>>>>> But why such an antique IOS?! Current is 15.4
>>>>>>>
>>>>>>> 05.03.15 21:09, Monah Baki wrote:
>>>>>>>> PORT   STATE SERVICE VERSION
>>>>>>>> 23/tcp open  telnet  Cisco IOS telnetd
>>>>>>>> MAC Address: 88:5A:92:63:77:81 (Cisco)
>>>>>>>> Device type: router
>>>>>>>> Running: Cisco IOS 12.X
>>>>>>>> OS CPE: cpe:/h:cisco:7600_router cpe:/o:cisco:ios:12.2
>>>>>>>> OS details: Cisco 7600 router (IOS 12.2)
>>>>>>>> Network Distance: 1 hop
>>>>>>>> TCP Sequence Prediction: Difficulty=258 (Good luck!)
>
Re: [squid-users] Fwd: squid intercept config
Frame Number: 9
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: Cisco_63:77:81 (88:5a:92:63:77:81), Dst: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
    Destination: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
    Source: Cisco_63:77:81 (88:5a:92:63:77:81)
    Type: IP (0x0800)
    Padding:
Internet Protocol Version 4, Src: 10.0.0.23 (10.0.0.23), Dst: 68.71.212.158 (68.71.212.158)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 40
    Identification: 0x572a (22314)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (6)
    Header checksum: 0x81a9 [validation disabled]
    Source: 10.0.0.23 (10.0.0.23)
    Destination: 68.71.212.158 (68.71.212.158)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 42794 (42794), Dst Port: 80 (80), Seq: 401, Ack: 3332, Len: 0

On Fri, Mar 6, 2015 at 8:57 AM, Antony Stone <antony.st...@squid.open.source.it> wrote:
> On Friday 06 March 2015 at 14:50:50 (EU time), Monah Baki wrote:
>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>
>> So something else is missing?
>
> Can you run a packet sniffer on the proxy, to see what packets come in (noting
> the MAC address of the previous hop), what packets go out (to what
> address/es), and whether they then seem to come back in again (and if so, from
> which MAC address)?
>
> That might give you a clue as to where the forwarding loop is being created.
>
>
> Regards,
>
>
> Antony.
>
> --
> How I want a drink, alcoholic of course, after the heavy chapters involving
> quantum mechanics.
>
> - mnemonic for 3.14159265358979
>
> Please reply to the list; please *don't* CC me.

No.  Time  Source         Destination    Protocol  Length  Info
1    0.00  10.0.0.23      68.71.212.158  TCP       66      42794→80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar 6, 2015 09:41:40.945881000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652900.945881000 seconds
[Time delta from previous captured frame: 0.0 seconds]
[Time delta from previous displayed frame: 0.0 seconds]
[Time since reference or first frame: 0.0 seconds]
Frame Number: 1
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: Cisco_63:77:81 (88:5a:92:63:77:81), Dst: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
    Destination: HewlettP_06:a5:c4 (a0:d3:c1:06:a5:c4)
    Source: Cisco_63:77:81 (88:5a:92:63:77:81)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.0.0.23 (10.0.0.23), Dst: 68.71.212.158 (68.71.212.158)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 52
    Identification: 0x5725 (22309)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (6)
    Header checksum: 0x81a2 [validation disabled]
    Source: 10.0.0.23 (10.0.0.23)
    Destination: 68.71.212.158 (68.71.212.158)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 42794 (42794), Dst Port: 80 (80), Seq: 0, Len: 0

No.  Time  Source         Destination    Protocol  Length  Info
2    0.33  68.71.212.158  10.0.0.23      TCP       66      80→42794 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=64 SACK_PERM=1

Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar 6, 2015 09:41:40.945914000 Eastern Standard Time
[Time shift for this packet: 0.0 seconds]
Epoch Time: 1425652900.945914000 seconds
[Time delta from previous captured frame: 0.00
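Antony's method is to sniff on the proxy and note, per flow, which MAC delivered each packet and whether packets the proxy itself sends come back in. The script below is an added example, not code from the thread or from the Squid project, that applies that method to a list of decoded frames. A looped packet is the proxy's own datagram returning through the router: same IP 5-tuple and same IP Identification field, arriving from another MAC with a lower TTL. A client packet the router forwards to the proxy (TTL 127 in the capture above, a Windows default of 128 minus one hop) never matches, because the proxy never sent it. The frames are constructed; the MAC and IP addresses mirror the capture in this thread, while the proxy's upstream source port 51000 and the IP IDs 0x0000/0x1a2b are assumptions.

```python
"""Find a forwarding loop in a capture taken on the intercepting proxy (added example)."""
from collections import defaultdict
from dataclasses import dataclass

PROXY_MAC = "a0:d3:c1:06:a5:c4"   # HewlettP_06:a5:c4 in the thread's capture
ROUTER_MAC = "88:5a:92:63:77:81"  # Cisco_63:77:81, the previous hop


@dataclass(frozen=True)
class Frame:
    t: float        # seconds since capture start
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    ip_id: int      # IPv4 Identification field
    ttl: int


# Constructed capture. Frames 1-2: the client's SYN forwarded by the router and the
# proxy answering as the server (intercept mode). Frames 3-4: the proxy's own upstream
# SYN (assumed source port 51000, assumed IP ID 0x1a2b) leaving towards the router and
# the same datagram coming back from the router one hop later.
SAMPLE_FRAMES = [
    Frame(0.000000, ROUTER_MAC, PROXY_MAC, "10.0.0.23", "68.71.212.158", 42794, 80, 0x5725, 127),
    Frame(0.000033, PROXY_MAC, ROUTER_MAC, "68.71.212.158", "10.0.0.23", 80, 42794, 0x0000, 64),
    Frame(0.000200, PROXY_MAC, ROUTER_MAC, "10.0.0.24", "68.71.212.158", 51000, 80, 0x1a2b, 64),
    Frame(0.000450, ROUTER_MAC, PROXY_MAC, "10.0.0.24", "68.71.212.158", 51000, 80, 0x1a2b, 63),
]


def flow_key(f):
    return (f.src_ip, f.dst_ip, f.sport, f.dport)


def previous_hops(frames, proxy_mac=PROXY_MAC):
    """Map each flow delivered to the proxy to the set of MACs that delivered it."""
    hops = defaultdict(set)
    for f in frames:
        if f.dst_mac == proxy_mac:
            hops[flow_key(f)].add(f.src_mac)
    return dict(hops)


def find_loops(frames, proxy_mac=PROXY_MAC):
    """Pair each frame the proxy emitted with a later copy of the same datagram
    (same 5-tuple and IP ID) that re-entered from another MAC with a lower TTL."""
    sent, loops = {}, []
    for f in sorted(frames, key=lambda x: x.t):
        k = flow_key(f) + (f.ip_id,)
        if f.src_mac == proxy_mac:
            sent[k] = f                       # remember what left the proxy
        elif k in sent and f.ttl < sent[k].ttl:
            loops.append((sent[k], f))        # our own packet came back
            del sent[k]
    return loops


def report(frames, proxy_mac=PROXY_MAC):
    """Human-readable line per looped packet, naming the MAC that sent it back."""
    lines = []
    for out, back in find_loops(frames, proxy_mac):
        lines.append(
            f"loop: {out.src_ip}:{out.sport} -> {out.dst_ip}:{out.dport} "
            f"id=0x{out.ip_id:04x} left via {out.dst_mac} ttl={out.ttl}, "
            f"returned from {back.src_mac} ttl={back.ttl}")
    return lines


if __name__ == "__main__":
    for flow, macs in previous_hops(SAMPLE_FRAMES).items():
        print("inbound", flow, "from", sorted(macs))
    for line in report(SAMPLE_FRAMES):
        print(line)
```

On a real box the Frame values come from `tcpdump -e -n -v -i bge0` (the `-e` prints the MAC pair, `-v` the id and ttl fields). If the returned copy arrives from the router's MAC, the router is re-applying its redirect to the proxy's own outbound traffic; the usual remedy is to exempt the proxy's source address from that policy route, which is general practice rather than something this thread has verified for Monah's setup.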
[squid-users] BUG 3279: HTTP reply without Date:
Hi all,

Compiled squid 3.5.2 on CentOS 6.6 as follows:

$ ./configure --prefix=/home/cache --enable-follow-x-forwarded-for --with-large-files --enable-ssl --disable-ipv6 --enable-esi --enable-kill-parent-hack --enable-snmp --with-pthreads --with-filedescriptors=65535 --enable-cachemgr-hostname=hostname --enable-storeio=ufs,aufs,diskd,rock

After approx 24 hours I am seeing this error on my squid 3.5.2 with one user connected for testing:

2015/04/11 15:02:58| Logfile: closing log daemon:/home/cache/var/logs/access.log
2015/04/11 15:02:58| Logfile Daemon: closing log daemon:/home/cache/var/logs/access.log
2015/04/11 15:02:58| Open FD UNSTARTED 0 stdin
2015/04/11 15:02:58| Open FD UNSTARTED 1 stdout
2015/04/11 15:02:58| Open FD UNSTARTED 2 stderr
2015/04/11 15:02:58| Open FD UNSTARTED 8 DNS Socket IPv4
2015/04/11 15:02:58| Open FD UNSTARTED 9 IPC UNIX STREAM Parent
2015/04/11 15:02:58| Squid Cache (Version 3.5.2): Exiting normally.
2015/04/11 15:06:52| Set Current Directory to /usr/local/squid/var/cache/squid
2015/04/11 15:06:52| Starting Squid Cache version 3.5.2 for x86_64-unknown-linux-gnu...
2015/04/11 15:06:52| Service Name: squid
2015/04/11 15:06:52| Process ID 2005
2015/04/11 15:06:52| Process Roles: master worker
2015/04/11 15:06:52| With 65536 file descriptors available
2015/04/11 15:06:52| Initializing IP Cache...
2015/04/11 15:06:52| DNS Socket created at 0.0.0.0, FD 8
2015/04/11 15:06:52| Adding nameserver 8.8.8.8 from squid.conf
2015/04/11 15:06:52| Adding nameserver 41.78.211.30 from squid.conf
2015/04/11 15:06:52| Logfile: opening log daemon:/home/cache/var/logs/access.log
2015/04/11 15:06:52| Logfile Daemon: opening log /home/cache/var/logs/access.log
2015/04/11 15:06:52| Store logging disabled
2015/04/11 15:06:52| Swap maxSize 35840 + 9437184 KB, estimated 28295168 objects
2015/04/11 15:06:52| Target number of buckets: 1414758
2015/04/11 15:06:52| Using 2097152 Store buckets
2015/04/11 15:06:52| Max Mem size: 9437184 KB
2015/04/11 15:06:52| Max Swap size: 35840 KB
2015/04/11 15:06:52| Rebuilding storage in /home/cache/var/cache/squid (clean log)
2015/04/11 15:06:52| Using Least Load store dir selection
2015/04/11 15:06:52| Set Current Directory to /usr/local/squid/var/cache/squid
2015/04/11 15:06:52| Finished loading MIME types and icons.
2015/04/11 15:06:52| HTCP Disabled.
2015/04/11 15:06:52| Sending SNMP messages from 0.0.0.0:3401
2015/04/11 15:06:52| Squid plugin modules loaded: 0
2015/04/11 15:06:52| Adaptation support is off.
2015/04/11 15:06:52| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 13 flags=9
2015/04/11 15:06:52| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 14 flags=41
2015/04/11 15:06:52| Accepting SNMP messages on 0.0.0.0:3401
2015/04/11 15:06:52| Done reading /home/cache/var/cache/squid swaplog (94 entries)
2015/04/11 15:06:52| Finished rebuilding storage from disk.
2015/04/11 15:06:52|        94 Entries scanned
2015/04/11 15:06:52|         0 Invalid entries.
2015/04/11 15:06:52|         0 With invalid flags.
2015/04/11 15:06:52|        94 Objects loaded.
2015/04/11 15:06:52|         0 Objects expired.
2015/04/11 15:06:52|         0 Objects cancelled.
2015/04/11 15:06:52|         0 Duplicate URLs purged.
2015/04/11 15:06:52|         0 Swapfile clashes avoided.
2015/04/11 15:06:52|   Took 0.05 seconds (2036.97 objects/sec).
2015/04/11 15:06:52| Beginning Validation Procedure
2015/04/11 15:06:52|   Completed Validation Procedure
2015/04/11 15:06:52|   Validated 94 Entries
2015/04/11 15:06:52|   store_swap_size = 2000.00 KB
2015/04/11 15:06:53| storeLateRelease: released 0 objects
2015/04/11 15:48:51| WARNING: 1 swapin MD5 mismatches
2015/04/11 15:48:51| Could not parse headers from on disk object
2015/04/11 15:48:51| BUG 3279: HTTP reply without Date:
2015/04/11 15:48:51| StoreEntry->key: 039CA6C6725D0A9F31B498354995DE50
2015/04/11 15:48:51| StoreEntry->next: 0
2015/04/11 15:48:51| StoreEntry->mem_obj: 0x21ecd40
2015/04/11 15:48:51| StoreEntry->timestamp: -1
2015/04/11 15:48:51| StoreEntry->lastref: 1428763731
2015/04/11 15:48:51| StoreEntry->expires: -1
2015/04/11 15:48:51| StoreEntry->lastmod: -1
2015/04/11 15:48:51| StoreEntry->swap_file_sz: 0
2015/04/11 15:48:51| StoreEntry->refcount: 1
2015/04/11 15:48:51| StoreEntry->flags: PRIVATE,FWD_HDR_WAIT,VALIDATED
2015/04/11 15:48:51| StoreEntry->swap_dirn: -1
2015/04/11 15:48:51| StoreEntry->swap_filen: -1
2015/04/11 15:48:51| StoreEntry->lock_count: 2
2015/04/11 15:48:51| StoreEntry->mem_status: 0
2015/04/11 15:48:51| StoreEntry->ping_status: 2
2015/04/11 15:48:51| StoreEntry->store_status: 1
2015/04/11 15:48:51| StoreEntry->swap_status: 0
2015/04/11 15:49:55| Could not parse headers from on disk object
2015/04/11 20:10:06| BUG 3279: HTTP reply without Date:
2015/04/11 20:10:06| StoreEntry->key: 8749EF6C14DB515AA7E09A4ED2019298
2015/04/11 20:10:06| StoreEntry->next: 0
2015/04/11 20:10:06| StoreEntry->mem_obj: 0x224f3f0
2015/04/11 20