On 23 January 2015 at 17:33, Amos Jeffries <squ...@treenet.co.nz> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
> > On 23 January 2015 at 16:53, Amos Jeffries <squ...@treenet.co.nz> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
> >>> On 23 January 2015 at 16:40, Amos Jeffries <squ...@treenet.co.nz> wrote:
> >>>
> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>> Hash: SHA1
> >>>>
> >>>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
> >>>>> On 23 January 2015 at 16:07, Amos Jeffries <squ...@treenet.co.nz> wrote:
> >>>>>
> >>>>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>>> Hash: SHA1
> >>>>>>
> >>>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> >>>>>>>
> >>>>>>> Once more. You CANNOT have a web server nor any other service listening on port 80 on the same host as a transparent Squid proxy. This is the one and only reason you have looping.
> >>>>>>>
> >>>>>>
> >>>>>> That is not correct. It can be done, but depends on how the firewall operates and what ruleset is used.
> >>>>>>
> >>>>>> One has to intercept traffic transiting the machine, but ignore traffic destined *to* or *from* the local machine's running processes.
> >>>>>>
> >>>>>>> Look. On my transparent 3.4.11 (which was early 2.7) IPFilter redirects port 80 to the proxy. My web server on the same host listens only on ports 8080, 8088 and 8888. No service except NAT is using port 80.
> >>>>>>>
> >>>>>>> And finally I have had no looping for 4 years.
> >>>>>>>
> >>>>>>> Obvious, isn't it?
> >>>>>>>
> >>>>>>
> >>>>>> Maybe there was, maybe there wasn't.
> >>>>>>
> >>>>>> Squid-2.7 ignored a lot of NAT related errors and even silently did some Very Bad Things(tm) - none of which Squid-3.2+ will allow to happen anymore.
> >>>>>>
> >>>>>>
> >>>>>> Odhiambo: I suspect it might be related to your use of "rdr" firewall rules.
> >>>>>> In OpenBSD PF at least rdr rules do not work properly and divert-to rules need to be used instead (divert-to can be used for either TPROXY or NAT Squid listening ports on BSD).
> >>>>>>
> >>>>>
> >>>>>
> >>>>> I am thinking Squid-3.2+ is evil :-)
> >>>>>
> >>>>> Anyway, my PF rules are here: http://pastebin.com/pKv1jN2v
> >>>>> And my IPFilter rules are here: http://pastebin.com/JQ77X01H
> >>>>>
> >>>>> I need to figure out why squid is DENYing all access ..
> >>>>>
> >>>>
> >>>> Can you update me on what the squid -v output is from the Squid build you are having issues with please?
> >>>>
> >>>> Amos
> >>>>
> >>>
> >>> root@mail:/usr/src # /opt/squid35/sbin/squid -v
> >>> Squid Cache: Version 3.5.1-20150120-r13736
> >>> Service Name: squid
> >>> configure options:  '--prefix=/opt/squid35' '--enable-removal-policies=lru heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI' '--enable-external-acl-helpers=session unix_group file_userip' '--enable-auth-negotiate=kerberos' '--with-pthreads' '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools' '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db' '--enable-cache-digests' '--enable-wccpv2' '--enable-follow-x-forwarded-for' '--with-large-files' '--enable-large-cache-files' '--enable-esi' '--enable-kqueue' '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos' '--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++' --enable-ltdl-convenience
> >>>
> >>
> >> Okay. Can you explicitly add --disable-ipf-transparent --disable-ipfw-transparent and see if that helps.
> >>
> >> Also in squid.conf adding debugs_options ALL,1 89,9 will show just the NAT lookup results where things are going wrong.
> >>
> >
> > So, before I recompile, we can look at the debug output:
> >
> > 2015/01/23 17:07:45| storeLateRelease: released 0 objects
> > 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
> > 2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
> >
>
> Arggg.. Add --with-nat-devpf to your build options in FreeBSD.
>
> http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4
>
> Amos

Done that and now, debug shows:

2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541
2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58542
2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58542 FD 37 flags=33
2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58543
2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58543 FD 39 flags=33
2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58544
2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=196.0.3.114:80 remote=192.168.2.2:58544 FD 51 flags=33
2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58545
2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58545 FD 52 flags=33
2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58546
2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58546 FD 53 flags=33
2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58547
2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58547 FD 54 flags=33
2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58548
2015/01/23 18:15:48.035| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58548 FD 55 flags=33
2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58549

And the good news is that squid-3.5.1 is now allowing client PCs to browse. Thank you for that.
I still have issues to raise (though my small brain is now so saturated):

Here is what I use:

./configure --prefix=/opt/squid35 \
  --enable-removal-policies="lru heap" \
  --disable-epoll \
  --enable-auth \
  --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI" \
  --enable-external-acl-helpers="session unix_group file_userip" \
  --enable-auth-negotiate="kerberos" \
  --with-pthreads \
  --enable-storeio="ufs diskd rock aufs" \
  --enable-delay-pools \
  --enable-snmp \
  --with-openssl=/usr \
  --enable-forw-via-db \
  --enable-cache-digests \
  --enable-wccpv2 \
  --enable-follow-x-forwarded-for \
  --with-large-files \
  --enable-large-cache-files \
  --enable-esi \
  --enable-kqueue \
  --enable-icap-client \
  --enable-kill-parent-hack \
  --enable-ssl \
  --enable-leakfinder \
  --enable-ssl-crtd \
  --enable-url-rewrite-helpers \
  --enable-xmalloc-statistics \
  --enable-stacktraces \
  --enable-zph-qos \
  --enable-eui \
  --with-nat-devpf \
  --enable-pf-transparent \
  --enable-ipf-transparent

It seems I have to remove --enable-ipf-transparent, otherwise the build fails. I was thinking I could have both --enable-ipf-transparent and --enable-ipf-transparent so that I can use either PF or IPFilter - whichever I want. Are those two mutually exclusive?

When I have the two, the build fails with:

root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736 # gmake
Making all in compat
gmake[1]: Entering directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
/bin/sh ../libtool --tag=CXX --mode=compile clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc  -fPIC -DPIC -o .libs/assert.o
In file included from assert.cc:9:
In file included from ../include/squid.h:43:
../compat/compat.h:49:57: error: expected value in expression
#if IPF_TRANSPARENT && USE_SOLARIS_IPFILTER_MINOR_T_HACK
                                                        ^
1 error generated.
Makefile:921: recipe for target 'assert.lo' failed
gmake[1]: *** [assert.lo] Error 1
gmake[1]: Leaving directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
Makefile:567: recipe for target 'all-recursive' failed
gmake: *** [all-recursive] Error 1
root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736 #

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
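An added example, not part of the thread or of Squid: a small Python checker for the 89,9 debug lines quoted above, which pairs each Lookup line with its PfInterception result and flags lookups whose local address is still the proxy's own listening socket (the signature of the failing trace before --with-nat-devpf). The sample lines are constructed from the thread's output; the proxy socket 192.168.2.254:13128 is taken from it.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the thread's "ALL,1 89,9" debug output: the first
# pair is the failing lookup (local == the proxy's own socket), the second pair is
# a working one after --with-nat-devpf (local == the real origin server).
SAMPLE_LOG = """\
2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541
2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
"""

LOOKUP_RE = re.compile(
    r"Lookup: address BEGIN: me/client= (\S+), destination/me= (\S+)")
RESULT_RE = re.compile(
    r"PfInterception: address NAT(?: (divert-to))?: local=(\S+) remote=(\S+) FD (\d+)")


def analyse_intercept_log(text: str) -> List[Dict[str, object]]:
    """Pair every Lookup line with its PfInterception result (keyed by the client
    socket) and flag results whose 'local' is still the proxy's own listening
    socket: the original destination was not recovered, so Squid has no origin
    address to connect to and ends up talking to itself (the looping above)."""
    listener: Dict[str, str] = {}  # client socket -> proxy socket it arrived on
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            listener[m.group(2)] = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        mode, local, remote, fd = m.groups()
        findings.append({
            "fd": int(fd),
            "client": remote,
            "origin": local,
            "mode": mode or "nat-lookup",
            "loop_risk": local == listener.get(remote),
        })
    return findings


if __name__ == "__main__":
    for f in analyse_intercept_log(SAMPLE_LOG):
        status = "LOOP RISK" if f["loop_risk"] else "ok"
        print(f"FD {f['fd']}: {f['client']} -> {f['origin']} ({f['mode']}) {status}")
```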
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users