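# squid.conf as posted, restored to one directive per line. In the collapsed
# form everything after the first '#' on a line is a comment, so it is not
# usable as written. Directive values are unchanged; lines marked
# NOTE(review) are reviewer annotations, not part of the poster's file.

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): these ranges cover all RFC1918 space; narrow them to the
# client subnets that really sit behind this proxy, since "localnet" is what
# the http_access allow rule below trusts.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): still commented out here. With it disabled, a client allowed
# by "localnet" can ask the proxy to fetch from loopback-bound services on the
# proxy host itself; enabling it is the safer default.
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
# NOTE(review): an intercept port should only ever see NAT-redirected traffic.
# The mangle-table DROP on --dport 3129 in the iptables dump quoted later in
# this message is what enforces that; keep the two in sync.
http_port 3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 350000 16 256

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# NOTE(review): URLs containing '?' get zero heuristic freshness from this
# rule; most requests in the access.log excerpt below end in '?'.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

half_closed_clients off
quick_abort_min 0 KB
quick_abort_max 0 KB
vary_ignore_expire on
reload_into_ims on
memory_pools off
cache_mem 4096 MB
visible_hostname isn-phc-cache
minimum_object_size 0 bytes
# NOTE(review): maximum_object_size is set twice; the later line wins, so the
# effective limit is 512 KB, not 512 MB. Both lines also come after cache_dir;
# in Squid 3.x the order of these two directives is reported to matter, so
# confirm which limit the disk cache actually uses.
maximum_object_size 512 MB
maximum_object_size 512 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_swap_low 98
cache_swap_high 100
fqdncache_size 16384
retry_on_error on
offline_mode off
logfile_rotate 10
# NOTE(review): on an intercept port Squid validates the request's Host header
# against the destination IP using its own DNS lookups. If clients resolve
# names through different resolvers than the two listed here, that check can
# fail; as far as I know such responses are relayed to the original
# destination and not cached. Verify by looking for Host-header warnings in
# cache.log, and point clients and proxy at the same resolver.
dns_nameservers 8.8.8.8 41.78.211.30

# ---- end of squid.conf; the poster's access.log excerpt follows ----
access.log:
1426267535.210 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.211 198 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.223 301 10.0.0.23 TCP_MISS/200 222 GET http://rma-api.gravity.com/v1/beacons/log? - ORIGINAL_DST/80.239.148.18 text/html
1426267535.244 195 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.333 423 10.0.0.23 TCP_MISS/200 1420 GET http://hpr.outbrain.com/utils/get? - ORIGINAL_DST/50.31.185.42 text/x-json
1426267535.345 412 10.0.0.23 TCP_MISS/200 11179 GET http://p.visualrevenue.com/? - ORIGINAL_DST/50.31.185.40 text/javascript
1426267535.346 411 10.0.0.23 TCP_MISS/200 423 GET http://t1.visualrevenue.com/? - ORIGINAL_DST/64.74.232.44 image/gif
1426267535.363 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/js/vendor/jquery.ba-bbq.js - ORIGINAL_DST/80.239.152.153 application/x-javascript
1426267535.381 193 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif
1426267535.406 189 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? 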
- ORIGINAL_DST/54.225.133.227 image/gif 1426267535.408 190 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif 1426267535.408 191 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif 1426267535.418 200 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif 1426267535.437 188 10.0.0.23 TCP_MISS/200 431 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif 1426267535.464 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/player/CNNAPIVideoPlayer.js - ORIGINAL_DST/80.239.152.153 application/x-javascript 1426267535.494 128 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 327 GET http://z.cdn.turner.com/cnn/.element/widget/video/videoapi/api/1.3.4/js/legacy/CNNVideoPlayer.js - ORIGINAL_DST/80.239.152.153 application/x-javascript 1426267535.604 217 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif 1426267535.609 256 10.0.0.23 TCP_REFRESH_UNMODIFIED/200 41017 GET http://cdn.gigya.com/js/gigya.js? - ORIGINAL_DST/80.239.148.17 text/javascript 1426267535.619 206 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif 1426267535.622 208 10.0.0.23 TCP_MISS/200 412 GET http://jadserve.postrelease.com/trk.gif? - ORIGINAL_DST/54.225.133.227 image/gif 1426267535.696 129 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 312 GET http://z.cdn.turner.com/cnn/.element/img/3.0/video/cnn_embedDefault.png - ORIGINAL_DST/80.239.152.153 image/png 1426267536.071 656 10.0.0.23 TCP_MISS/302 849 GET http://metrics.cnn.com/b/ss/cnn-adbp-domestic/1/H.26.1/s11300422861240? - ORIGINAL_DST/66.235.141.144 text/plain 1426267536.075 257 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 348 GET http://cdn.gigya.com/js/gigya.services.plugins.base.min.js? 
- ORIGINAL_DST/ 80.239.148.17 text/javascript 1426267536.203 128 10.0.0.23 TCP_MISS/200 381 GET http://b.scorecardresearch.com/r? - ORIGINAL_DST/80.239.148.16 image/gif 1426267536.570 393 10.0.0.23 TCP_MISS/304 338 GET http://cdn3.gigya.com/js/gigya.services.socialize.plugins.simpleshare.min.js - ORIGINAL_DST/80.239.148.32 text/javascript 1426267536.746 125 10.0.0.23 TCP_MISS/304 340 GET http://static.chartbeat.com/js/chartbeat.js - ORIGINAL_DST/23.67.1.243 application/x-javascript 1426267536.819 199 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 233 GET http://data.cnn.com/jsonp/video/nowPlayingSchedule.json? - ORIGINAL_DST/ 157.166.238.237 - 1426267536.942 260 10.0.0.23 TCP_MISS/200 677 GET http://beacon.krxd.net/optout_check? - ORIGINAL_DST/176.34.190.30 text/javascript 1426267537.027 236 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif 1426267537.146 362 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif 1426267537.171 388 10.0.0.23 TCP_MISS/200 758 GET http://t.co/i/adsct? - ORIGINAL_DST/199.16.156.11 image/gif 1426267537.230 432 10.0.0.23 TCP_MISS/302 481 GET http://apiservices.krxd.net/um? - ORIGINAL_DST/54.243.83.18 text/html 1426267537.603 173 10.0.0.23 TCP_MISS/204 676 GET http://beacon.krxd.net/pixel.gif? - ORIGINAL_DST/176.34.190.30 image/gif 1426267537.618 247 10.0.0.23 TCP_MISS/200 322 GET http://ping.chartbeat.net/ping? - ORIGINAL_DST/54.235.85.218 image/gif 1426267537.892 388 10.0.0.23 TCP_MISS/200 68649 GET http://z.cdn.turner.com/xslo/cvp/core/base/0/CVPBase.swf? 
- ORIGINAL_DST/ 80.239.152.153 application/x-shockwave-flash 1426267538.024 130 10.0.0.23 TCP_REFRESH_UNMODIFIED/304 329 GET http://js.moatads.com/turner763610601596/moatad.js - ORIGINAL_DST/ 80.239.148.9 application/x-javascript On Fri, Mar 13, 2015 at 12:18 PM, Yuri Voinov <yvoi...@gmail.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > 13.03.15 21:58, Monah Baki пишет: > > Hi All, > > > > Installed squid on CentOS 6.6 and it's working, but mY access.log > > shows all TCP_MISS and no TCP_HIT. The following config: > > > > squid.conf # Squid normally listens to port 3128 http_port 3128 > > http_port 3129 intercept > > And that's all???? > > > > > > > > > iptables > > > > # Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015 > > *nat :PREROUTING ACCEPT [10:2031] :POSTROUTING ACCEPT [0:0] :OUTPUT > > ACCEPT [0:0] -A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp > > --dport 80 -j ACCEPT -A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp > > --dport 80 -j ACCEPT -A PREROUTING -s 147.245.252.13/32 -p tcp -m > > tcp --dport 80 -j ACCEPT -A PREROUTING -p tcp -m tcp --dport 80 -j > > REDIRECT --to-ports 3129 -A POSTROUTING -j MASQUERADE COMMIT # > > Completed on Fri Mar 13 16:04:02 2015 # Generated by iptables-save > > v1.4.7 on Fri Mar 13 16:04:02 2015 *filter :INPUT ACCEPT [0:0] > > :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1818:649971] -A INPUT -m > > state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j > > REJECT --reject-with icmp-port-unreachable -A INPUT -i lo -j > > ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j > > ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state > > --state NEW,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp > > --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -A INPUT -j > > REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT > > --reject-with icmp-host-prohibited COMMIT # Completed on Fri Mar 13 > > 16:04:02 2015 # Generated by iptables-save v1.4.7 on Fri Mar 13 > 
> 16:04:02 2015 *mangle :PREROUTING ACCEPT [68:6199] :INPUT ACCEPT > > [68:6199] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [26:3064] > > :POSTROUTING ACCEPT [26:3064] -A PREROUTING -p tcp -m tcp --dport > > 3129 -j DROP COMMIT # Completed on Fri Mar 13 16:04:02 2015 > > > > > > Accessing sites, shows the IP address of the proxy 147.245.252.13. > > > > Am I missing something in IPTables that it is not caching? > > > > > > Thanks Monah > > >