Hi All,

Installed squid on CentOS 6.6 and it's working, but my access.log shows all TCP_MISS and no TCP_HIT. The following config:
squid.conf:

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept

iptables:

# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*nat
:PREROUTING ACCEPT [10:2031]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Mar 13 16:04:02 2015
# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1818:649971]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 13 16:04:02 2015
# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*mangle
:PREROUTING ACCEPT [68:6199]
:INPUT ACCEPT [68:6199]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3064]
:POSTROUTING ACCEPT [26:3064]
-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
COMMIT
# Completed on Fri Mar 13 16:04:02 2015

Accessing sites shows the IP address of the proxy, 147.245.252.13. Am I missing something in iptables, that it is not caching?

Thanks
Monah

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 6/03/2015 1:19 a.m., Monah Baki wrote:
> > Hi all, can anyone verify if this is correct, need to make sure that users
> > will be able to access the internet via the squid.
> >
> > Running FreeBSD with a single interface with Squid-3.5.2
> >
> > Policy based routing on Cisco with the following:
> >
> > interface GigabitEthernet0/0/1.1
> >  encapsulation dot1Q 1 native
> >  ip address 10.0.0.9 255.255.255.0
> >  no ip redirects
> >  no ip unreachables
> >  ip nat inside
> >  standby 1 ip 10.0.0.10
> >  standby 1 priority 120
> >  standby 1 preempt
> >  standby 1 name HSRP
> >  ip policy route-map CFLOW
> >
> > ip access-list extended REDIRECT
> >  deny tcp host 10.0.0.24 any eq www
> >  permit tcp host 10.0.0.23 any eq www
> >
> > route-map CFLOW permit 10
> >  match ip address REDIRECT
> >  set ip next-hop 10.0.0.24
> >
> > In my /etc/pf.conf
> > rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> >
> > # block in
> > pass in log quick on bge0
> > pass out log quick on bge0
> > pass out keep state
> >
> > and finally in my squid.conf:
> > http_port 3128
> > http_port 3129 intercept
> >
> > And for testing purposes from the squid server:
> > ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
> >
> > If I replace -p 3128 with -p 80, I get an access denied, and if I omit the
> > -p 3128 completely, I can access the websites.
>
> If you omit the -p entirely squidclient assumes "-p 3128" (the proxy
> default listening port), so it works exactly the same as if you had used
> -p 3128 explicitly.
>
> If you use -p 80 you also need to change the other parameters so they
> generate a port-80 syntax message:
> - the -h with IP or hostname of the remote web server, and
> - the URL parameters being a relative URL, and
> - the -j parameter with Host: header domain name of the server
> ...
> eg.
> squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /
>
> NP: if your squidclient is too old to support -j, use this instead:
> -H 'Host: www.freebsd.org\n'
>
> ** this test should work from the squid box without having gone through
> the proxy. Only from the client machine should it work *with* NAT
> passing it through the proxy.
>
> Using a proxy syntax message sent directly to the proxy receiving port,
> or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a
> guaranteed forwarding loop failure.
>
> That doesn't fix your client's issue, but hopefully makes it clear that
> the above described test is broken enough to prevent you identifying when
> the client issue is fixed if that happens on some change.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
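As an added example (not from this thread or from the Squid project), a small Python tally of Squid's native access.log format: it reports requests per result code and the cache hit ratio, and lists URLs that were fetched more than once without ever being served from cache, which is the first thing to look at when every entry reads TCP_MISS. The log lines are constructed for the example, with the client and peer addresses made up.

```python
import re
from collections import Counter, defaultdict
# Native squid access.log ("logformat squid"), one request per line:
# timestamp elapsed_ms client result/status bytes method url user hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$")
# Result codes that mean the response was served from cache.
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_NEGATIVE_HIT",
             "TCP_REFRESH_HIT", "TCP_REFRESH_UNMODIFIED", "TCP_OFFLINE_HIT"}
# Constructed sample lines in the shape of the thread's access.log (not real traffic).
SAMPLE_LOG = """\
1426262400.123    245 10.0.0.23 TCP_MISS/200 15342 GET http://www.freebsd.org/ - HIER_DIRECT/192.0.2.10 text/html
1426262405.456    231 10.0.0.23 TCP_MISS/200 15342 GET http://www.freebsd.org/ - HIER_DIRECT/192.0.2.10 text/html
1426262410.789    118 10.0.0.23 TCP_MISS/200 2048 GET http://www.freebsd.org/logo.png - HIER_DIRECT/192.0.2.10 image/png
1426262411.000      3 10.0.0.23 TCP_MEM_HIT/200 2048 GET http://www.freebsd.org/logo.png - HIER_NONE/- image/png
this line is deliberately malformed
"""
def parse_line(line):
    # Return the fields of one native-format line, or None if it does not parse.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(elapsed=int(rec["elapsed"]), status=int(rec["status"]), bytes=int(rec["bytes"]))
    return rec

def summarize(text):
    # Tally result codes and the cache hit ratio; unparseable lines are counted, not dropped.
    by_result, hits, total = Counter(), 0, 0
    for rec in map(parse_line, text.splitlines()):
        if rec is None:
            by_result["UNPARSED"] += 1
            continue
        total += 1
        by_result[rec["result"]] += 1
        hits += rec["result"] in HIT_CODES
    return {"total": total, "hits": hits,
            "hit_ratio": hits / total if total else 0.0, "by_result": dict(by_result)}

def never_hit_urls(text):
    # URLs fetched more than once that were never served from cache: check their
    # response headers (Cache-Control, Vary, Expires) and refresh_pattern first.
    seen = defaultdict(lambda: [0, 0])  # url -> [requests, hits]
    for rec in filter(None, map(parse_line, text.splitlines())):
        seen[rec["url"]][0] += 1
        seen[rec["url"]][1] += rec["result"] in HIT_CODES
    return sorted(u for u, (n, h) in seen.items() if n > 1 and h == 0)
```

Run it against a real /var/log/squid/access.log by passing the file contents to summarize() and never_hit_urls(); a hit ratio of 0.0 with repeated URLs in the second list means the objects are reaching Squid but not being stored.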