[squid-users] Squid - Can't visit (government site and Banking Site) - Please help
I am having a problem with my Squid proxy. The settings are allow all, but I can't visit sites like bancnetonline, rcbc, philhealth (govt and bank sites). Sometimes they can be visited, sometimes not... (weird???) Please help, thank you.

Here is my squid.conf...

max_filedesc 4096
request_header_access X-Forwarded-For allow all
via off
httpd_suppress_version_string on
http_port
icp_port 3535
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 32 MB
maximum_object_size 5480 KB
cache_dir ufs /home/squidcache 6000 16 256
#cache_dir ufs /home/squidcache2 6000 16 256
cache_access_log /home/squidcache/access.log
cache_log /dev/null
cache_store_log none
ftp_user sq...@mds.com.sg
dns_defnames on
request_body_max_size 1 MB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
negative_ttl 1 minute
negative_dns_ttl 5 minute
connect_timeout 60 minute
read_timeout 5 minute
request_timeout 60 second
client_lifetime 4 hour
half_closed_clients off
pconn_timeout 240 second
shutdown_lifetime 5 second
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method purge
acl manager proto cache_object
acl apache src 10.20.0.245
acl QUERY urlpath_regex -i owa
acl QUERY2 urlpath_regex cgi-bin \?
acl QUERY3 urlpath_regex -i php
acl dontcache dstdomain "/etc/squid/dontcache"
no_cache deny QUERY
no_cache deny QUERY2
no_cache deny QUERY3
always_direct allow dontcache
#allowed sites
acl blockedsites dstdomain "/etc/squid/blockedsites"
acl allowedsites dstdomain "/etc/squid/authorizedsites"
acl tahiti src 172.16.20.254/32
acl elmo src 10.20.0.254/32
acl mnlnet2 src "/etc/squid/authorized"
http_access allow dontcache
http_access allow manager apache
http_access allow all
http_access allow elmo
#http_access allow localhost
#http_access allow purge localhost
#http_access allow manager localhost
http_access allow mnlnet2
http_access allow tahiti
http_access deny !Safe_ports
#http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny purge
http_access deny blockedsites
#icp_access allow localhost
icp_access allow all
icp_access allow elmo
icp_access allow tahiti
icp_access allow mnlnet2
miss_access allow all
cache_mgr xx
cache_effective_user squid
cache_effective_group squid
visible_hostname xx
append_domain .globalsources.com
memory_pools off
log_icp_queries off
client_db off
check_hostnames off

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Hi, upon checking, I am using Squid version 3.1 on CentOS 6.10.
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Okay, will try to upgrade...

Our goal is to have a Squid proxy that will allow all websites (without any restriction).

Reason: I only need the Squid proxy to monitor the website visits of the users via sqstat and SARG (squid analyze report generator).

Problem: all websites are okay; only government sites and banking sites are having a problem... Upon checking the access.log, (HTTP 200 0 Connect) is the result for the website when I can't connect to it.

Weird problem: sometimes the website can be visited and sometimes not.
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
I made a new config and upgraded to CentOS 8.1xxx and Squid 4.4.

STILL CAN'T VISIT THE WEBSITE (GOVT SITE AND BANKING SITES)

This is my squid.conf:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow all
http_access allow localhost manager
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access deny all

http_port

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /home/squidcache 100 16 256
cache_access_log /home/squidcache/access.log

# Leave coredumps in the first cache dir
coredump_dir /home/squidcache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Hi again... Sorry, I was not shouting, just making the message capitalized.

The message in my logs is...

TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 - HIER_DIRECT/203.131.77.194 -

but still I can't visit the site...

Weird problem: sometimes the website can be visited, but that rarely happens; most of the time it can't.. Upon pinging the server, I can't ping the said server..

Also (www.rcbc.com): I can't visit the said site but I can ping the website, weird right?

Note: we don't have any configuration on the browser (just the default only).
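The log entry quoted above, as an added example (not code from the thread or from the Squid project): Squid answers a successful CONNECT with the 39-byte string held in `CONNECT_REPLY`, so a tunnel logged with 39 bytes or fewer carried no server data back to the client. It assumes the logged size counts bytes sent to the client; timestamps, client addresses, the example.org lines and the rcbc peer address are constructed.

```python
import re
from collections import Counter

# What Squid sends to the client once the upstream TCP connection is open.
CONNECT_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
STALL_BYTES = len(CONNECT_REPLY)  # 39, the size seen in the thread's log line

# Native access.log: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+(?P<hier>\w+)/(?P<peer>\S+)\s+\S+$"
)

def stalled_tunnels(lines):
    """Yield (client, url, peer, elapsed_ms) for CONNECTs that relayed no server data."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "CONNECT" or m["status"] != "200":
            continue
        # 0 covers the Squid 3.1 "200 0 CONNECT" form, 39 the Squid 4 TCP_TUNNEL form.
        if int(m["bytes"]) <= STALL_BYTES:
            yield m["client"], m["url"], m["peer"], int(m["elapsed"])

def summarize(lines):
    """Count stalled tunnels per destination host:port."""
    return Counter(url for _, url, _, _ in stalled_tunnels(lines))

# Constructed sample; only the TCP_TUNNEL/200 39 fields come from the thread.
SAMPLE_LOG = """\
1584000000.123  60012 10.20.0.50 TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 - HIER_DIRECT/203.131.77.194 -
1584000010.456   2310 10.20.0.50 TCP_TUNNEL/200 48211 CONNECT www.example.org:443 - HIER_DIRECT/192.0.2.10 -
1584000020.789  60003 10.20.0.51 TCP_TUNNEL/200 39 CONNECT www.bancnetonline.com:443 - HIER_DIRECT/203.131.77.194 -
1584000030.001    120 10.20.0.51 TCP_MISS/200 5120 GET http://www.example.org/ - HIER_DIRECT/192.0.2.10 text/html
1584000040.500  59980 10.20.0.51 TCP_MISS/200 0 CONNECT www.rcbc.com:443 - DIRECT/198.51.100.7 -
"""

if __name__ == "__main__":
    for host, count in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:3d} stalled tunnel(s) to {host}")
```

A destination that appears here repeatedly while other HTTPS sites move normal byte counts points at the path to that server rather than at the proxy's access rules.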
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Hi again... Sorry, the browser has a configuration; we already set the browser statically to our server 10.20.X.X to port

About the error message (the browser error):

This site can’t be reached
www.bancnetonline.com took too long to respond.
Try:
Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_TIMED_OUT

Note: sometimes it can be visited and sometimes not.
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Hi again sir, what you said about TLS, handshake and TCP connection is kind of deep to absorb. Will try to research about this and trace it using a TCP packet dump, Wireshark or the cache.log of Squid.
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Hi again, as per checking using Wireshark on my client PC, these are my error messages:

Client PC - Proxy Server TCP 54 [TCP Retransmission] 49804 -> [FIN, ACK] Seq=1 Ack=2 Win=1020 Len=0
Client PC - Proxy Server TCP 55 [TCP Keep-Alive] 49847 -> [ACK] Seq=0 Ack=1 Win=65536 Len=1
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Hi, I already resolved my problem. My problem is with path MTU discovery: my eth0 is set to have an MTU = 1500, and I read on another forum that he set the MTU to 1400.. and it works...

Thank you all for the comments, advice and suggestions, really helpful.
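One way to measure the path MTU instead of guessing a value, as an added example that is not part of the original post: binary-search the largest packet that gets through with the Don't Fragment bit set. `ping_df` assumes Linux iputils `ping` and a target that answers ICMP echo; `simulated_path` is a constructed stand-in so the search can be checked offline.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def ping_df(host, payload):
    """True if one echo of `payload` bytes with DF set is answered (iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest IPv4 packet size for which probe(payload) succeeds.

    `probe` takes the ICMP payload size. Returns None when even `low` fails,
    which means the host filters ICMP or is unreachable, not a small MTU.
    """
    if not probe(low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid - IP_ICMP_OVERHEAD):
            low = mid
        else:
            high = mid - 1
    return low

def simulated_path(path_mtu):
    """Constructed path that silently drops packets larger than path_mtu."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu

if __name__ == "__main__":
    # Usage: python3 pmtu.py <host reachable by ICMP on the same path>
    target = sys.argv[1]
    print(find_path_mtu(lambda size: ping_df(target, size)))
```

A result below the interface MTU of 1500 while large transfers stall means full-size packets are being dropped without the sender learning about it; lowering the interface MTU to at most the measured value matches the fix described in the post.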
Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help
Hi, actually I didn't understand the problem, but I will take a look into it and study about that. IP encapsulation layers somewhere in the network(s). Probably 4-in-4 or 6-in-4 tunnels.