Re: [squid-users] Trying to combine two 50K GPRS connections with Squid on a Windows LAN for an Internet Cafe in Ghana

2009-02-08 Thread Amos Jeffries

DEMETRIO MARTINEZ wrote:

 Hello
 I'm an Italian engineer working in the North of Ghana setting up small
 Internet points.
 I would like to combine two 50Kbps GPRS connections on an Internet point LAN
 using a Squid hierarchy.
 I have set up the two connections separately on two WinXP SP3 PCs (let's call
 them PC1 and PC2) on my LAN, and on each one a Squid server is running. Both
 PC1 and PC2 now work great as separate forward proxies for themselves or for
 the other machines on the LAN. But I would like to use both Internet
 connections at the same time from any machine.
 I have also installed a Squid server on a third machine (PCkid) on the
 network. This machine is not connected directly to the Internet but uses its
 Squid as a kid server to its parents in order to forward web page requests in
 a round-robin fashion.

 cache_peer  PC1.mshome.net parent 3228 3230 no-query round-robin
 cache_peer  PC2.mshome.net parent 3328 3330 no-query round-robin
 ...
 never_direct allow all

You do realize, I hope, that mshome.net is a domain owned by Microsoft.
You should not be using it in your configurations.

 The parents have a sibling relationship between them and their ACLs are set
 up so that they accept requests from PC3.
 It looks like it is working when, on any PC on the LAN, I use PC3 as a forward
 proxy server, but it is still much slower than if I just used one of the
 parents directly as a forward proxy server.
 Is there still something I can do to make it work better?

Enable ICP? (i.e. remove the no-query option)

Not much can be offered without seeing anything you might have tried
optimizing already, on all three Squids.

 Squid has difficulty recognizing DNS names inside the network, so most of the
 time I use IP addresses to redefine the parents: may it be part of the problem?

If you need to use DNS and Squid is unable to easily resolve DNS names,
then yes, you can expect slowness to happen.

You have two problems then. One is that Squid is depending on DNS. For a
simple child-parent gateway link it should not be needed. As you said,
IPs can/should be configured directly into squid.conf and bypass any
issues there.
The other is DNS being flaky. It may be causing issues for other things
than Squid. It should be checked and fixed as well.

 The LAN is just set up as a Windows workgroup sharing a landline Internet
 connection that is not working.

If your link to the Internet is not working, that can also lead to
slowness bordering on non-service.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


[squid-users] squid + wccp

2009-02-08 Thread Ramzi Abdallah
I am trying, with no luck, to set up Squid version 3.0.STABLE10 (Fedora Core 9)
with wccp2. The configuration seems to be OK, at least this is what the debug
logs are showing; however, Squid does not receive any traffic. I tested Squid
by pointing the browser to its IP and it works fine.

GRE tunnel and iptables configuration:
--
ip tunnel add wccp0 mode gre remote 192.168.114.250 local 192.168.114.15 dev eth0
ip addr add 192.168.114.15/32 dev wccp0
ip link set wccp0 up

iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128


for some reason iptables -L is not showing anything

[r...@mail ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


squid configuration:
---
http_port 192.168.114.15:3128 transparent
wccp2_router 192.168.114.250
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0


GRE tunnel on the squid server
---
wccp0 Link encap:UNSPEC  HWaddr
C0-A8-72-0F-62-00-F4-3F-00-00-00-00-00-00-00-00
  inet addr:192.168.114.15  P-t-P:192.168.114.15
Mask:255.255.255.255
  UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
  RX packets:898 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:36632 (35.7 KiB)  TX bytes:0 (0.0 b)

tcpdump output
--
[r...@mail ~]# tcpdump -i wccp0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
12:55:08.548572 IP 192.168.114.24.58324 > 216.239.59.99.http: S 1289957374:1289957374(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:11.528111 IP 192.168.114.24.58324 > 216.239.59.99.http: S 1289957374:1289957374(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:17.530878 IP 192.168.114.24.58324 > 216.239.59.99.http: S 1289957374:1289957374(0) win 8192 <mss 1460,nop,nop,sackOK>
12:55:29.537282 IP 192.168.114.24.58325 > 216.239.59.103.http: S 3738044508:3738044508(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:32.530428 IP 192.168.114.24.58325 > 216.239.59.103.http: S 3738044508:3738044508(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:38.535350 IP 192.168.114.24.58325 > 216.239.59.103.http: S 3738044508:3738044508(0) win 8192 <mss 1460,nop,nop,sackOK>
12:55:50.547796 IP 192.168.114.24.58326 > 216.239.59.104.http: S 1946578578:1946578578(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:53.558196 IP 192.168.114.24.58326 > 216.239.59.104.http: S 1946578578:1946578578(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:59.580059 IP 192.168.114.24.58326 > 216.239.59.104.http: S 1946578578:1946578578(0) win 8192 <mss 1460,nop,nop,sackOK>
12:56:11.576625 IP 192.168.114.24.58334 > gv-in-f147.google.com.http: S 2444367043:2444367043(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:56:14.587049 IP 192.168.114.24.58334 > gv-in-f147.google.com.http: S 2444367043:2444367043(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>

Cisco Router configuration
--
gatekeeper#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE
SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Wed 15-Mar-06 14:16 by dchih
Image text-base: 0x80008098, data-base: 0x81A0888C

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE SOFTWARE
(fc3)

gatekeeper uptime is 10 hours, 43 minutes
System returned to ROM by reload at 02:43:47 GMT Sun Feb 8 2009
System restarted at 02:46:30 GMT Sun Feb 8 2009
System image file is flash:c2600-ik9o3s3-mz.123-18.bin


interface FastEthernet0/0
 description Office LAN
 ip address 192.168.114.250 255.255.255.0
 ip wccp web-cache redirect in
 ip nat inside
 ip nbar protocol-discovery
 ip route-cache flow
 duplex auto
 speed auto


gatekeeper#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   192.168.114.250
Protocol Version:2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:30
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0



Re: [squid-users] squid + wccp

2009-02-08 Thread Amos Jeffries

Ramzi Abdallah wrote:

I am trying with no luck to setup squid Version 3.0.STABLE10 (Fedora core 9)
with wccp2. The configuration seems to be ok at least this is what the debug
logs are showing however squid does not receive any traffic. I tested squid
by pointing the browser to its IP and it works fine.

GRE tunnel and iptables configuration:
--
ip tunnel add wccp0 mode gre remote 192.168.114.250 local 192.168.114.15 dev eth0
ip addr add 192.168.114.15/32 dev wccp0
ip link set wccp0 up

iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128


for some reason iptables -L is not showing anything


iptables by default shows -t filter

try: iptables -t nat -L




squid configuration:
---
http_port 192.168.114.15:3128 transparent
wccp2_router 192.168.114.250
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0


GRE tunnel on the squid server
---
wccp0 Link encap:UNSPEC  HWaddr
C0-A8-72-0F-62-00-F4-3F-00-00-00-00-00-00-00-00
  inet addr:192.168.114.15  P-t-P:192.168.114.15
Mask:255.255.255.255
  UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
  RX packets:898 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:36632 (35.7 KiB)  TX bytes:0 (0.0 b)

tcpdump output
--
[r...@mail ~]# tcpdump -i wccp0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
12:55:08.548572 IP 192.168.114.24.58324 > 216.239.59.99.http: S 1289957374:1289957374(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:11.528111 IP 192.168.114.24.58324 > 216.239.59.99.http: S 1289957374:1289957374(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:17.530878 IP 192.168.114.24.58324 > 216.239.59.99.http: S 1289957374:1289957374(0) win 8192 <mss 1460,nop,nop,sackOK>
12:55:29.537282 IP 192.168.114.24.58325 > 216.239.59.103.http: S 3738044508:3738044508(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:32.530428 IP 192.168.114.24.58325 > 216.239.59.103.http: S 3738044508:3738044508(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:38.535350 IP 192.168.114.24.58325 > 216.239.59.103.http: S 3738044508:3738044508(0) win 8192 <mss 1460,nop,nop,sackOK>
12:55:50.547796 IP 192.168.114.24.58326 > 216.239.59.104.http: S 1946578578:1946578578(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:53.558196 IP 192.168.114.24.58326 > 216.239.59.104.http: S 1946578578:1946578578(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:55:59.580059 IP 192.168.114.24.58326 > 216.239.59.104.http: S 1946578578:1946578578(0) win 8192 <mss 1460,nop,nop,sackOK>
12:56:11.576625 IP 192.168.114.24.58334 > gv-in-f147.google.com.http: S 2444367043:2444367043(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
12:56:14.587049 IP 192.168.114.24.58334 > gv-in-f147.google.com.http: S 2444367043:2444367043(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>

Cisco Router configuration
--
gatekeeper#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE
SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Wed 15-Mar-06 14:16 by dchih
Image text-base: 0x80008098, data-base: 0x81A0888C

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE SOFTWARE
(fc3)

gatekeeper uptime is 10 hours, 43 minutes
System returned to ROM by reload at 02:43:47 GMT Sun Feb 8 2009
System restarted at 02:46:30 GMT Sun Feb 8 2009
System image file is flash:c2600-ik9o3s3-mz.123-18.bin


interface FastEthernet0/0
 description Office LAN
 ip address 192.168.114.250 255.255.255.0
 ip wccp web-cache redirect in
 ip nat inside
 ip nbar protocol-discovery
 ip route-cache flow
 duplex auto
 speed auto


gatekeeper#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   192.168.114.250
Protocol Version:2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:30
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0


gatekeeper#sh ip wccp web-cache detail
WCCP Cache-Engine information:
Web Cache ID:  192.168.114.15
Protocol Version:  2.0
State: Usable

Re: [squid-users] squid + wccp

2009-02-08 Thread David Rodríguez Fernández
Try this:
iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j
DNAT --to-destination


RE: [squid-users] squid + wccp

2009-02-08 Thread Ramzi Abdallah
Thank you for your reply. iptables -t nat -L now shows the entry

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128

Cache.log is showing wccp2 configured properly

2009/02/08 09:10:00| Accepting transparently proxied HTTP connections at 192.168.114.15, port 3128, FD 14.
2009/02/08 09:10:00| HTCP Disabled.
2009/02/08 09:10:00| Accepting WCCPv2 messages on port 2048, FD 15.
2009/02/08 09:10:00| Initialising all WCCPv2 lists
2009/02/08 09:10:00| Ready to serve requests.


Regards,

Ramzi



RE: [squid-users] squid + wccp

2009-02-08 Thread Ramzi Abdallah
Thanks David, still no luck.

From: David Rodríguez Fernández [mailto:davi...@gmail.com] 
Sent: Sunday, February 08, 2009 3:17 PM
To: Amos Jeffries
Cc: rabdal...@pobox.com; squid-users@squid-cache.org
Subject: Re: [squid-users] squid + wccp

Try this:
iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 127.0.0.1:3128


RE: [squid-users] forward and reverse through one system

2009-02-08 Thread Alan Lehman
Amos,
See responses to your questions below.
Thanks.


  I have one instance of squid configured for forward web proxy and
  accelerator for OWA (per the wiki). In order for users to avoid changing
  their proxy settings, I need the forward proxy to be able to access OWA
  going out and back in as follows:

  Host on internal net - forward proxy - accelerator - OWA server on
  internal net

  It seems like this should work. When I try to access OWA from an
  internal host, the browser hangs and the following eventually appears in
  access.log:

  1233516965.141  12567 [internal host IP] TCP_MISS/000 0 CONNECT owa.domain.com:443 - FIRST_UP_PARENT/[owa server IP] -

  Any ideas would be most appreciated.

  Thanks,
  Alan

 (Assuming you have squid-2.6 or later)

3.1.0.3

 The basic config:

 You can multi-mode squid. Ensure that the reverse-proxy settings are all
 at the top of the squid.conf and any forward-proxy settings are following
 at the bottom.
 Also, the http_access deny all detailed to finish the reverse-proxy
 config gets removed so that on non-reversed requests squid can drop
 through and run the forward-proxy settings.

Yup. That's the way it is. My complete config is posted on bug 2572.

 Specific to your loop-back problem:

 You need to adjust your reverse-proxy configuration to block the CONNECT
 method being used to access the peers.

Sorry, but can you elaborate on this?

 Then check that the domain IP Squid resolves owa.domain.com to is its own
 listening https_port.

It does: a.b.c.96

 Amos
 






[squid-users] Build patch fails to apply on Squid 2.7 stable6

2009-02-08 Thread Ragheb Rustom
Hi,

 

I have been trying to compile Squid 2.7-stable6 on a Fedora Core 9 x86-64
system. I have already made all the changes I need in the spec file in order
to create my system RPMs, but I noticed that when rpmbuild tries to build
the RPM, it fails when it tries to apply the squid2.6Stable2 build patch, with
the following errors. I have even tried to do the compile process manually,
but the same error appears when I manually try to apply the same patch.
All other patches have been installed successfully; only the build patch
fails to apply. Below are the error messages I get from the build patching
process:

+ echo 'Patch #201 (squid-2.5.STABLE11-config.patch):'
Patch #201 (squid-2.5.STABLE11-config.patch):
+ patch -p1 -b --suffix .config -s
+ echo 'Patch #202 (squid-2.5.STABLE4-location.patch):'
Patch #202 (squid-2.5.STABLE4-location.patch):
+ patch -p1 -b --suffix .location -s
+ echo 'Patch #203 (squid-2.6.STABLE2-build.patch):'
Patch #203 (squid-2.6.STABLE2-build.patch):
+ patch -p1 -b --suffix .build -s
1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.93888 (%prep)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.93888 (%prep)
D: May free Score board((nil))

Now these are the errors I get from the manual application of the build
patch:

patching file errors/Makefile.in
Hunk #1 succeeded at 235 with fuzz 1 (offset 14 lines).
Hunk #2 succeeded at 417 (offset 4 lines).
Hunk #3 succeeded at 450 (offset 14 lines).
patching file icons/Makefile.in
Hunk #1 succeeded at 272 (offset 14 lines).
patching file src/Makefile.in
Hunk #1 FAILED at 586.
Hunk #2 succeeded at 926 (offset 84 lines).
1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.in.rej

Here are the contents of the src/Makefile.in.rej:

 

***

*** 586,603 

  DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf

  DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf

  DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed
'$(transform);s/$$/$(EXEEXT)/'`

- DEFAULT_LOG_PREFIX = $(localstatedir)/logs

  DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log

  DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log

  DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log

- DEFAULT_PID_FILE = $(DEFAULT_LOG_PREFIX)/squid.pid

- DEFAULT_SWAP_DIR = $(localstatedir)/cache

  DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed
'$(transform);s/$$/$(EXEEXT)/'`

  DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed
'$(transform);s/$$/$(EXEEXT)/'`

  DEFAULT_DISKD = $(libexecdir)/`echo diskd-daemon | sed
'$(transform);s/$$/$(EXEEXT)/'`

- DEFAULT_ICON_DIR = $(datadir)/icons

- DEFAULT_ERROR_DIR = $(datadir)/errors/@ERR_DEFAULT_LANGUAGE@

- DEFAULT_MIB_PATH = $(datadir)/mib.txt

  DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@

 

  # Don't automatically uninstall config files

--- 586,603 

  DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf

  DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf

  DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed
'$(transform);s/$$/$(EXEEXT)/'`

+ DEFAULT_LOG_PREFIX = $(localstatedir)/log/squid

  DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log

  DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log

  DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log

+ DEFAULT_PID_FILE = $(localstatedir)/run/squid.pid

+ DEFAULT_SWAP_DIR = $(localstatedir)/spool/squid

  DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed
'$(transform);s/$$/$(EXEEXT)/'`

  DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed
'$(transform);s/$$/$(EXEEXT)/'`

  DEFAULT_DISKD = $(libexecdir)/`echo diskd-daemon | sed
'$(transform);s/$$/$(EXEEXT)/'`

+ DEFAULT_ICON_DIR = $(pkgdatadir)/icons

+ DEFAULT_ERROR_DIR = $(pkgdatadir)/errors/@ERR_DEFAULT_LANGUAGE@

+ DEFAULT_MIB_PATH = $(sysconfdir)/mib.txt

  DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@

 

  # Don't automatically uninstall config files
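
Review bot: this hunk is written against the generated src/Makefile.in and uses the whole DEFAULT_* block at 586,603 as context, so it rejects as soon as that file is regenerated with a different layout (Hunk #1 FAILED at 586, while the second hunk only applied at an offset of 84 lines). Carry the path changes in the automake input that Makefile.in is generated from (src/Makefile.am) and regenerate, or rebase the hunk on the Makefile.in shipped with this release, rather than relying on offsets and fuzz.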

 

From what I could see, the above changes are not being done to the
src/Makefile.in but I cannot understand why this is happening. I would
really appreciate your help guys on this.

 

Sincerely,

Ragheb Rustom




RE: [squid-users] squid + wccp

2009-02-08 Thread Amos Jeffries
 Thanks david still no luck

 From: David Rodríguez Fernández [mailto:davi...@gmail.com]
 Sent: Sunday, February 08, 2009 3:17 PM
 To: Amos Jeffries
 Cc: rabdal...@pobox.com; squid-users@squid-cache.org
 Subject: Re: [squid-users] squid + wccp

 Try this:
 iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128

Using 127.0.0.1 is not such a good idea here.
It uses NAT to break the kernel security layer around localhost preventing
public packets on localhost IP. Configuration assumptions that public
packets don't flow through localhost can cause a security breach.

Amos


 On Sun, Feb 8, 2009 at 1:39 PM, Amos Jeffries squ...@treenet.co.nz
 wrote:
 Ramzi Abdallah wrote:
 I am trying with no luck to set up squid Version 3.0.STABLE10 (Fedora core 9)
 with wccp2. The configuration seems to be ok, at least this is what the debug
 logs are showing, however squid does not receive any traffic. I tested squid
 by pointing the browser to its IP and it works fine.

 GRE tunnel and iptables configuration:
 --
 ip tunnel add wccp0 mode gre remote 192.168.114.250 local 192.168.114.15 dev eth0
 ip addr add 192.168.114.15/32 dev wccp0
 ip link set wccp0 up

 iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128


 for some reason iptables -L is not showing anything

 iptables by default shows -t filter

 try: iptables -t nat -L



 squid configuration:
 ---
 http_port 192.168.114.15:3128 transparent
 wccp2_router 192.168.114.250
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_service standard 0


 GRE tunnel on the squid server
 ---
 wccp0 Link encap:UNSPEC  HWaddr C0-A8-72-0F-62-00-F4-3F-00-00-00-00-00-00-00-00
  inet addr:192.168.114.15  P-t-P:192.168.114.15  Mask:255.255.255.255
  UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
  RX packets:898 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:36632 (35.7 KiB)  TX bytes:0 (0.0 b)

 tcpdump output
 --
 [r...@mail ~]# tcpdump -i wccp0
 tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to
 cooked socket
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96
 bytes
 12:55:08.548572 IP 192.168.114.24.58324  216.239.59.99.http: S
 1289957374:1289957374(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK
 12:55:11.528111 IP 192.168.114.24.58324  216.239.59.99.http: S
 1289957374:1289957374(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK
 12:55:17.530878 IP 192.168.114.24.58324  216.239.59.99.http: S
 1289957374:1289957374(0) win 8192 mss 1460,nop,nop,sackOK
 12:55:29.537282 IP 192.168.114.24.58325  216.239.59.103.http: S
 3738044508:3738044508(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK
 12:55:32.530428 IP 192.168.114.24.58325  216.239.59.103.http: S
 3738044508:3738044508(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK
 12:55:38.535350 IP 192.168.114.24.58325  216.239.59.103.http: S
 3738044508:3738044508(0) win 8192 mss 1460,nop,nop,sackOK
 12:55:50.547796 IP 192.168.114.24.58326  216.239.59.104.http: S
 1946578578:1946578578(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK
 12:55:53.558196 IP 192.168.114.24.58326  216.239.59.104.http: S
 1946578578:1946578578(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK
 12:55:59.580059 IP 192.168.114.24.58326  216.239.59.104.http: S
 1946578578:1946578578(0) win 8192 mss 1460,nop,nop,sackOK
 12:56:11.576625 IP 192.168.114.24.58334  gv-in-f147.google.com.http: S
 2444367043:2444367043(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK
 12:56:14.587049 IP 192.168.114.24.58334  gv-in-f147.google.com.http: S
 2444367043:2444367043(0) win 8192 mss 1460,nop,wscale 2,nop,nop,sackOK

 Cisco Router configuration
 --
 gatekeeper#sh ver
 Cisco Internetwork Operating System Software
 IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE
 SOFTWARE (fc3)
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2006 by cisco Systems, Inc.
 Compiled Wed 15-Mar-06 14:16 by dchih
 Image text-base: 0x80008098, data-base: 0x81A0888C

 ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
 ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE SOFTWARE
 (fc3)

 gatekeeper uptime is 10 hours, 43 minutes
 System returned to ROM by reload at 02:43:47 GMT Sun Feb 8 2009
 System restarted at 02:46:30 GMT Sun Feb 8 2009
 System image file is flash:c2600-ik9o3s3-mz.123-18.bin


 interface FastEthernet0/0
  description Office LAN
  ip address 192.168.114.250 255.255.255.0
  ip wccp web-cache redirect in
  ip nat inside
  ip nbar protocol-discovery
  ip route-cache flow
  duplex auto
  speed auto


 gatekeeper#sh ip wccp
 Global WCCP information:
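
The concern raised in the reply above (DNAT of intercepted traffic to 127.0.0.1), turned into a check. This is an added example, not code from the thread or from Squid: it scans `iptables-save` output for nat rules that DNAT network traffic to a loopback address and proposes the REDIRECT form the original poster used. The sample ruleset and all function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed iptables-save output. Rule 1 is the DNAT form suggested in the
# thread, rule 2 the REDIRECT form from the original poster's setup.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128
-A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.114.15:3128
COMMIT
"""


def nat_rules(save_text):
    """Yield (chain, tokens) for each -A line inside the *nat table."""
    table = None
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A "):
            tokens = shlex.split(line)
            yield tokens[1], tokens


def split_destination(value):
    """Split a --to-destination value into ([addresses], port or None)."""
    port = None
    if value.startswith("["):                 # [v6addr]:port
        host, _, rest = value[1:].partition("]")
        if rest.startswith(":"):
            port = rest[1:]
    elif value.count(":") == 1:               # v4addr[-v4addr]:port
        host, port = value.split(":")
    else:                                     # bare address or address range
        host = value
    return host.split("-"), port


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_loopback_dnat(save_text):
    """Report DNAT rules that send network traffic to a loopback address."""
    rules = list(nat_rules(save_text))
    present = {" ".join(tokens) for _, tokens in rules}
    findings = []
    for chain, tokens in rules:
        if chain == "OUTPUT":                 # locally generated traffic only
            continue
        if "-j" not in tokens or "--to-destination" not in tokens:
            continue
        j = tokens.index("-j")
        d = tokens.index("--to-destination")
        if j + 1 >= len(tokens) or d + 1 >= len(tokens):
            continue
        if tokens[j + 1] != "DNAT":
            continue
        hosts, port = split_destination(tokens[d + 1])
        if not any(is_loopback(h) for h in hosts):
            continue
        # Keep the match part of the rule, swap the target for REDIRECT.
        fix = tokens[:j] + ["-j", "REDIRECT"]
        if port:
            fix += ["--to-ports", port]
        suggestion = " ".join(fix)
        findings.append({
            "rule": " ".join(tokens),
            "suggestion": suggestion,
            "already_present": suggestion in present,
        })
    return findings


if __name__ == "__main__":
    for f in find_loopback_dnat(SAMPLE_SAVE):
        print("loopback DNAT :", f["rule"])
        print("  replace with:", f["suggestion"],
              "(already in ruleset)" if f["already_present"] else "")
```

REDIRECT rewrites the destination to the primary address of the interface the packet arrived on, so Squid's http_port has to listen on that address (192.168.114.15 on wccp0 in the configuration quoted above) or on the wildcard address.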

Re: [squid-users] Build patch fails to apply on Squid 2.7 stable6

2009-02-08 Thread Amos Jeffries
 Hi,



 I have been trying to compile squid 2.7-stable6 on Fedora Core 9 x86-64
 system. I have already done all the changes I need in the spec file in order
 to create my system rpms but I noticed that when the rpmbuild tries to build
 the rpm it fails when it tries to apply the squid2.6Stable2 build patch with
 the following errors. I have even tried to do the compile process manually
 but also the same error appears when I manually try to apply the same patch.
 All other patches have been installed successfully, only the build patch
 fails to apply. Below are the error messages I get from the build patching
 process


 + echo 'Patch #201 (squid-2.5.STABLE11-config.patch):'

 Patch #201 (squid-2.5.STABLE11-config.patch):

 + patch -p1 -b --suffix .config -s

 + echo 'Patch #202 (squid-2.5.STABLE4-location.patch):'

 Patch #202 (squid-2.5.STABLE4-location.patch):

 + patch -p1 -b --suffix .location -s

 + echo 'Patch #203 (squid-2.6.STABLE2-build.patch):'

 Patch #203 (squid-2.6.STABLE2-build.patch):

 + patch -p1 -b --suffix .build -s

 1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.in.rej

 error: Bad exit status from /var/tmp/rpm-tmp.93888 (%prep)





 RPM build errors:

 Bad exit status from /var/tmp/rpm-tmp.93888 (%prep)

 D: May free Score board((nil))



 Now these are the errors I get from the manual application of the build patch



 patching file errors/Makefile.in

 Hunk #1 succeeded at 235 with fuzz 1 (offset 14 lines).

 Hunk #2 succeeded at 417 (offset 4 lines).

 Hunk #3 succeeded at 450 (offset 14 lines).

 patching file icons/Makefile.in

 Hunk #1 succeeded at 272 (offset 14 lines).

 patching file src/Makefile.in

 Hunk #1 FAILED at 586.

 Hunk #2 succeeded at 926 (offset 84 lines).

 1 out of 2 hunks FAILED -- saving rejects to file src/Makefile.in.rej



 Here are the contents of the src/Makefile.in.rej



 ***

 *** 586,603 

   DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf

   DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf

   DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed
 '$(transform);s/$$/$(EXEEXT)/'`

 - DEFAULT_LOG_PREFIX = $(localstatedir)/logs

   DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log

   DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log

   DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log

 - DEFAULT_PID_FILE = $(DEFAULT_LOG_PREFIX)/squid.pid

 - DEFAULT_SWAP_DIR = $(localstatedir)/cache

   DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed
 '$(transform);s/$$/$(EXEEXT)/'`

   DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed
 '$(transform);s/$$/$(EXEEXT)/'`

   DEFAULT_DISKD = $(libexecdir)/`echo diskd-daemon | sed
 '$(transform);s/$$/$(EXEEXT)/'`

 - DEFAULT_ICON_DIR = $(datadir)/icons

 - DEFAULT_ERROR_DIR = $(datadir)/errors/@ERR_DEFAULT_LANGUAGE@

 - DEFAULT_MIB_PATH = $(datadir)/mib.txt

   DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@



   # Don't automatically uninstall config files

 --- 586,603 

   DEFAULT_CONFIG_FILE = $(sysconfdir)/squid.conf

   DEFAULT_MIME_TABLE = $(sysconfdir)/mime.conf

   DEFAULT_DNSSERVER = $(libexecdir)/`echo dnsserver | sed
 '$(transform);s/$$/$(EXEEXT)/'`

 + DEFAULT_LOG_PREFIX = $(localstatedir)/log/squid

   DEFAULT_CACHE_LOG = $(DEFAULT_LOG_PREFIX)/cache.log

   DEFAULT_ACCESS_LOG = $(DEFAULT_LOG_PREFIX)/access.log

   DEFAULT_STORE_LOG = $(DEFAULT_LOG_PREFIX)/store.log

 + DEFAULT_PID_FILE = $(localstatedir)/run/squid.pid

 + DEFAULT_SWAP_DIR = $(localstatedir)/spool/squid

   DEFAULT_PINGER = $(libexecdir)/`echo pinger | sed
 '$(transform);s/$$/$(EXEEXT)/'`

   DEFAULT_UNLINKD = $(libexecdir)/`echo unlinkd | sed
 '$(transform);s/$$/$(EXEEXT)/'`

   DEFAULT_DISKD = $(libexecdir)/`echo diskd-daemon | sed
 '$(transform);s/$$/$(EXEEXT)/'`

 + DEFAULT_ICON_DIR = $(pkgdatadir)/icons

 + DEFAULT_ERROR_DIR = $(pkgdatadir)/errors/@ERR_DEFAULT_LANGUAGE@

 + DEFAULT_MIB_PATH = $(sysconfdir)/mib.txt

   DEFAULT_HOSTS = @OPT_DEFAULT_HOSTS@



   # Don't automatically uninstall config files
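
Review bot: DEFAULT_MIB_PATH is moved to $(sysconfdir)/mib.txt while the other read-only data in the same hunk (DEFAULT_ICON_DIR, DEFAULT_ERROR_DIR) goes to $(pkgdatadir); mib.txt is not a file an administrator edits, so $(pkgdatadir)/mib.txt would be the consistent choice. DEFAULT_PID_FILE and DEFAULT_SWAP_DIR now point at $(localstatedir)/run and $(localstatedir)/spool/squid, so the packaging also has to create those directories with ownership that lets the Squid run user write there; nothing in the visible hunk does that.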



 From what I could see, the above changes are not being done to the
 src/Makefile.in but I cannot understand why this is happening. I would
 really appreciate your help guys on this.


We have recently upgraded the autoconf toolchain used to generate
Makefile.in and configure scripts. The Makefile.in files are quite
different.

If you are the maintainer you will need to regenerate the patches.

If you are just trying to build the prepared package, then please contact
the maintainer to get the package updated.

Amos




RE: [squid-users] forward and reverse through one system

2009-02-08 Thread Amos Jeffries
 Amos,
 See responses to your questions below.
 Thanks.


  I have one instance of squid configured for forward web proxy and
  accelerator for OWA (per the wiki). In order for users to avoid changing
  their proxy settings, I need the forward proxy to be able to access OWA
  going out and back in as follows:
 
  Host on internal net - forward proxy - accelerator - OWA server on
  internal net
 
  It seems like this should work. When I try to access OWA from an
  internal host, the browser hangs and the following eventually appears in
  access.log:
 
  1233516965.141  12567 [internal host IP] TCP_MISS/000 0 CONNECT
  owa.domain.com:443 - FIRST_UP_PARENT/[owa server IP] -
 
  Any ideas would be most appreciated.
 
  Thanks,
  Alan
 

 (Assuming you have squid-2.6 or later)

 3.1.0.3

 The basic config:

 You can multi-mode squid. Ensure that the reverse-proxy settings are all
 at the top of the squid.conf and any forward-proxy settings are following
 at the bottom.
 Also, the http_access deny all detailed to finish the reverse-proxy
 config gets removed so that on non-reversed requests squid can drop
 through and run the forward-proxy settings.

 Yup. That's the way it is. My complete config is posted on bug 2572.

 Specific to your loop-back problem:

 You need to adjust your reverse-proxy configuration to block the CONNECT
 method being used to access the peers.

 Sorry, but can you elaborate on this?


The internal net - forward proxy step of the chain uses a CONNECT request.

  cache_peer BLAH deny CONNECT

is needed to force internal net - forward proxy - accelerator(self)

Otherwise requests like CONNECT owa:443 will be optimized as internal
net - accelerator - OWA . Even though OWA does not handle CONNECT.

Blocking CONNECT to peer, forces config down to the forward-proxy config
which _is_ allowed to do the looping back bit and de-tunneling the CONNECT.


 Then check that the domain IP Squid resolves owa.domain.com to is its own
 listening https_port.

 It does: a.b.c.96

 Amos






[squid-users] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

2009-02-08 Thread Hamid Hashemi

Hi, 



Here is my situation : 


* CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this patch : http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 )
* iptables v1.4.3-rc1 ( ftp://ftp.netfilter.org/pub/iptables/snapshot/iptables-20090206.tar.bz2 )
* squid 3.1.0.5 RC ( http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.0.5.tar.bz2 ) and compiled with these options :
'--enable-poll' '--enable-storeio=aufs,diskd,ufs' '--with-pthreads'
'--enable-removal-policies=heap,lru' '--enable-linux-netfilter'
'--enable-useragent-log' '--enable-referer-log' '--enable-underscores'
'--disable-dependency-tracking' '--disable-ident-lookups' '--with-large-files'
'--enable-follow-x-forwarded-for' '--enable-cache-digests' '--enable-delay-pools'
'--enable-truncate' '--prefix=/usr' '--localstatedir=/var' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
'--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--with-filedescriptors=8192' --with-squid=/usr/src/squid-3.1.0.5
--enable-ltdl-convenience\
* with following iptables rules : 
[r...@cache1 squid-3.1.0.5]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target prot opt source   destination

Chain FORWARD (policy ACCEPT)
num  target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
num  target prot opt source   destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target prot opt source   destination
1    DIVERT tcp  --  0.0.0.0/0    0.0.0.0/0    socket
2    TPROXY tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
num  target prot opt source   destination

Chain FORWARD (policy ACCEPT)
num  target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
num  target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
num  target prot opt source   destination

Chain DIVERT (1 references)
num  target prot opt source   destination
1    MARK   all  --  0.0.0.0/0    0.0.0.0/0    MARK xset 0x1/0x
2    ACCEPT all  --  0.0.0.0/0    0.0.0.0/0

[r...@cache1 squid-3.1.0.5]# 
* With following iproute2 rules :
[r...@cache1 squid-3.1.0.5]# ip ru list
0:  from all lookup 255 
32765:  from all fwmark 0x1 lookup 100 
32766:  from all lookup main 
32767:  from all lookup default 
[r...@cache1 squid-3.1.0.5]# ip ro list table 100
local default dev lo  scope host 
[r...@cache1 squid-3.1.0.5]# 

* with following http_port line in squid : http_port 3129 tproxy

Everything seems to be working and squid runs with these messages in cache.log :
2009/02/07 22:22:43| Accepting  spoofing HTTP connections at 0.0.0.0:3129, FD 16.

My requests seem to be redirected to port 3129 as I expected and the
pages are loading properly. But the problem is that when I go to the site
http://myipaddress.co.uk/ it gives me the cache IP address instead of my own
client IP address. Here is the tethereal output for one of my requests :

[r...@cache1 ~]# tethereal host 213.171.218.15 -n  

Running as user root and group root. This could be dangerous.
Capturing on eth1
  0.00 85.247.162.18 - 213.171.218.15 HTTP GET / HTTP/1.1 
  0.04 213.171.218.15 - 85.247.162.18 TCP 80  39571 [ACK] Seq=1 Ack=386 
Win=62 Len=0 TSV=11294071 TSER=2135261
  0.06 85.247.162.2 - 213.171.218.15 TCP 35330  80 [SYN] Seq=0 Win=5840 
Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
  0.199523 213.171.218.15 - 85.247.162.2 TCP 80  35330 [SYN, ACK] Seq=0 Ack=1 
Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
  0.199533 85.247.162.2 - 213.171.218.15 TCP 35330  80 [ACK] Seq=1 Ack=1 
Win=5888 Len=0 TSV=11294268 TSER=0
  0.199603 85.247.162.2 - 213.171.218.15 HTTP GET / HTTP/1.0 
  0.504191 213.171.218.15 - 85.247.162.2 TCP [TCP segment of a reassembled PDU]
  0.504199 85.247.162.2 - 213.171.218.15 TCP 35330  80 [ACK] Seq=451 Ack=1449 
Win=8832 Len=0 TSV=11294570 TSER=52303830
  0.504241 213.171.218.15 - 85.247.162.2 HTTP HTTP/1.1 200 OK  (text/html)
  0.504246 85.247.162.2 - 213.171.218.15 TCP 35330  80 [ACK] Seq=451 Ack=2083 
Win=11648 Len=0 TSV=11294570 TSER=52303830
  0.504359 213.171.218.15 - 85.247.162.18 HTTP HTTP/1.0 200 OK  (text/html)
  0.504364 213.171.218.15 - 85.247.162.18 HTTP Continuation or non-HTTP traffic
  0.504402 213.171.218.15 - 85.247.162.18 HTTP Continuation or non-HTTP traffic
  0.514428 85.247.162.18 - 213.171.218.15 TCP 39571  80 [ACK] Seq=386 
Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
  0.514577 85.247.162.18 - 213.171.218.15 TCP 39571  80 [ACK] Seq=386 
Ack=1579 Win=3386 Len=0 TSV=2135390 TSER=11294570
  0.517022 

Re: [squid-users] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

2009-02-08 Thread Amos Jeffries

 Hi,



 Here is my situation :


 * CentOS 5.2 ( my own built kernel 2.6.25.11-TProxy-ReiserFS with this patch : http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2 )
 * iptables v1.4.3-rc1 ( ftp://ftp.netfilter.org/pub/iptables/snapshot/iptables-20090206.tar.bz2 )
 * squid 3.1.0.5 RC ( http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.0.5.tar.bz2 ) and compiled with these options :
 '--enable-poll' '--enable-storeio=aufs,diskd,ufs' '--with-pthreads'
 '--enable-removal-policies=heap,lru' '--enable-linux-netfilter'
 '--enable-useragent-log' '--enable-referer-log' '--enable-underscores'
 '--disable-dependency-tracking' '--disable-ident-lookups' '--with-large-files'
 '--enable-follow-x-forwarded-for' '--enable-cache-digests' '--enable-delay-pools'
 '--enable-truncate' '--prefix=/usr' '--localstatedir=/var' '--sysconfdir=/etc/squid'
 '--with-logdir=/var/log/squid' '--enable-wccpv2' '--enable-wccp'
 '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
 '--with-filedescriptors=8192' --with-squid=/usr/src/squid-3.1.0.5
 --enable-ltdl-convenience\
 * with following iptables rules :
 [r...@cache1 squid-3.1.0.5]# service iptables status
 Table: filter
 Chain INPUT (policy ACCEPT)
 num  target prot opt source   destination

 Chain FORWARD (policy ACCEPT)
 num  target prot opt source   destination

 Chain OUTPUT (policy ACCEPT)
 num  target prot opt source   destination

 Table: mangle
 Chain PREROUTING (policy ACCEPT)
 num  target prot opt source   destination
 1    DIVERT tcp  --  0.0.0.0/0    0.0.0.0/0    socket
 2    TPROXY tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

 Chain INPUT (policy ACCEPT)
 num  target prot opt source   destination

 Chain FORWARD (policy ACCEPT)
 num  target prot opt source   destination

 Chain OUTPUT (policy ACCEPT)
 num  target prot opt source   destination

 Chain POSTROUTING (policy ACCEPT)
 num  target prot opt source   destination

 Chain DIVERT (1 references)
 num  target prot opt source   destination
 1    MARK   all  --  0.0.0.0/0    0.0.0.0/0    MARK xset 0x1/0x

I'm suspecting the mark of 0x1/0x originally in the tutorial was
a typo.
Does it work any better when you change that to 0x1/0x1 ?

Amos

 2    ACCEPT all  --  0.0.0.0/0    0.0.0.0/0

 [r...@cache1 squid-3.1.0.5]#
 * With following iproute2 rules :
 [r...@cache1 squid-3.1.0.5]# ip ru list
 0:  from all lookup 255
 32765:  from all fwmark 0x1 lookup 100
 32766:  from all lookup main
 32767:  from all lookup default
 [r...@cache1 squid-3.1.0.5]# ip ro list table 100
 local default dev lo  scope host
 [r...@cache1 squid-3.1.0.5]#

 * with following http_port line in squid : http_port 3129 tproxy

 Everything seems to be working and squid runs with these messages
 in cache.log :
 2009/02/07 22:22:43| Accepting  spoofing HTTP connections at 0.0.0.0:3129, FD 16.

 My requests seem to be redirected to port 3129 as I expected and the
 pages are loading properly. But the problem is that when I go to the site
 http://myipaddress.co.uk/ it gives me the cache IP address instead of my
 own client IP address. Here is the tethereal output for one of my requests :

 [r...@cache1 ~]# tethereal host 213.171.218.15 -n

 Running as user root and group root. This could be dangerous.
 Capturing on eth1
   0.00 85.247.162.18 - 213.171.218.15 HTTP GET / HTTP/1.1
   0.04 213.171.218.15 - 85.247.162.18 TCP 80  39571 [ACK] Seq=1
 Ack=386 Win=62 Len=0 TSV=11294071 TSER=2135261
   0.06 85.247.162.2 - 213.171.218.15 TCP 35330  80 [SYN] Seq=0
 Win=5840 Len=0 MSS=1460 TSV=11294071 TSER=0 WS=7
   0.199523 213.171.218.15 - 85.247.162.2 TCP 80  35330 [SYN, ACK] Seq=0
 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
   0.199533 85.247.162.2 - 213.171.218.15 TCP 35330  80 [ACK] Seq=1 Ack=1
 Win=5888 Len=0 TSV=11294268 TSER=0
   0.199603 85.247.162.2 - 213.171.218.15 HTTP GET / HTTP/1.0
   0.504191 213.171.218.15 - 85.247.162.2 TCP [TCP segment of a
 reassembled PDU]
   0.504199 85.247.162.2 - 213.171.218.15 TCP 35330  80 [ACK] Seq=451
 Ack=1449 Win=8832 Len=0 TSV=11294570 TSER=52303830
   0.504241 213.171.218.15 - 85.247.162.2 HTTP HTTP/1.1 200 OK
 (text/html)
   0.504246 85.247.162.2 - 213.171.218.15 TCP 35330  80 [ACK] Seq=451
 Ack=2083 Win=11648 Len=0 TSV=11294570 TSER=52303830
   0.504359 213.171.218.15 - 85.247.162.18 HTTP HTTP/1.0 200 OK
 (text/html)
   0.504364 213.171.218.15 - 85.247.162.18 HTTP Continuation or non-HTTP
 traffic
   0.504402 213.171.218.15 - 85.247.162.18 HTTP Continuation or non-HTTP
 traffic
   0.514428 85.247.162.18 - 213.171.218.15 TCP 39571  80 [ACK] Seq=386
 Ack=1449 Win=3386 Len=0 TSV=2135390 TSER=11294570
   0.514577 

[squid-users] Squid-2.7-STABLE6 dns.median_svc_time is always 0

2009-02-08 Thread Quin Guin

Hello,

  I am currently in the process of moving from 2.6 to 2.7
and I am seeing an issue on 2 of the servers that I just installed
2.7-STABLE6 on. The dns.median_svc_time = 0.00 seconds is always 0
no matter what, and squid is processing requests just fine.

I am
running Linux 2.6.9 kernel and did not have this issue on 2.6-STABLE22
and I am using squid's internal DNS without any issues. I just want to
make sure that I don't have any issue before rolling out 2.7 to the
rest of my squid servers.

Here is an example from one of the 2.7-STABLE6 servers:

Median Service Times (seconds)  5 min    60 min:
HTTP Requests (All):   0.03066  0.03241
Cache Misses:          0.10857  0.10857
Cache Hits:            0.0      0.0
Near Hits:             0.06286  0.06286
Not-Modified Replies:  0.0      0.0
DNS Lookups:           0.0      0.0
ICP Queries:           0.0      0.0


Regards,

Q


  



[squid-users] Squid SSL problem with OWA

2009-02-08 Thread Rakesh Jha
Hi,

I have squid V3 PRE5 running RHL for 2 years without any problem for
https access to OWA. As the ssl certificate was expiring we received a
new ssl certificate and since then I have problem. I have installed a
new box with Squid3.0.STABLE12.

When I start squid with -DYNCD3 option I can do https to OWA but squid
aborts after some time. 

And when I start squid without any option, I can not access OWA and get
page cannot be displayed and cache.log registers following error when
I do first time: https://owa

 

2009/02/08 16:52:27| httpsAccept: Error allocating handle:
error:0906A068:PEM routines:PEM_do_header:bad password read

2009/02/08 16:52:27| httpsAccept: Error allocating handle:
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib 

On refreshing the screen -

2009/02/08 16:52:37| httpsAccept: Error allocating handle:
error:140BA0C3:SSL routines:SSL_new:null ssl ctx

2009/02/08 16:52:37| httpsAccept: Error allocating handle:
error:140BA0C3:SSL routines:SSL_new:null ssl ctx

What could be the problem? Please help.

Thanks,

Rakesh


[squid-users] Squid 3.0 STABLE7 -- deny all ??

2009-02-08 Thread Arun Shrimali
Dear All,

Recently I have installed FC9 and squid 3.0 STABLE 2.0 (Which has
installed along with that). I was trying using NCSA authentication.
After a day long try I was unable to setup NCSA auth. At the end
through googling I found that STABLE 2 has the bug in auth.

I updated squid to 3.0 STABLE 7
Authentication is working fine, deny all is not working. When I add
acl all src 0.0.0.0/0.0.0.0 it gives following error

2009/02/10 11:35:21| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2009/02/10 11:35:21| WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of
'0.0.0.0/0.0.0.0'
2009/02/10 11:35:21| WARNING: because of this '0.0.0.0/0.0.0.0' is
ignored to keep splay tree searching predictable
2009/02/10 11:35:21| WARNING: You should probably remove
'0.0.0.0/0.0.0.0' from the ACL named 'all'
2009/02/10 11:35:21| Initializing https proxy context

through google I found that src all is now inbuilt, but I could not
restrict the users from surfing some sites through conditions.

Can somebody help me?

Arun


Re: [squid-users] Squid 3.0 STABLE7 -- deny all ??

2009-02-08 Thread Amos Jeffries

Arun Shrimali wrote:

Dear All,

Recently I have installed FC9 and squid 3.0 STABLE 2.0 (Which has
installed along with that). I was trying using NCSA authentication.
After a day long try I was unable to setup NCSA auth. At the end
through googling I found that STABLE 2 has the bug in auth.

I updated squid to 3.0 STABLE 7
Authentication is working fine, deny all is not working. When I add
acl all src 0.0.0.0/0.0.0.0 it gives following error

2009/02/10 11:35:21| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2009/02/10 11:35:21| WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of
'0.0.0.0/0.0.0.0'
2009/02/10 11:35:21| WARNING: because of this '0.0.0.0/0.0.0.0' is
ignored to keep splay tree searching predictable
2009/02/10 11:35:21| WARNING: You should probably remove
'0.0.0.0/0.0.0.0' from the ACL named 'all'
2009/02/10 11:35:21| Initializing https proxy context

through google I found that src all is now inbuilt, but I could not
restrict the users from surfing some sites through conditions.

Can somebody help me?

Arun


Probably.  deny all does work. Please display your configured access 
lines and we'll audit them.


PS: please also be aware of:
  http://www.squid-cache.org/Advisories/SQUID-2009_1.txt

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


Re: [squid-users] Squid SSL problem with OWA

2009-02-08 Thread Amos Jeffries

Rakesh Jha wrote:

Hi,

I have squid V3 PRE5 running RHL for 2 years without any problem for
https access to OWA. As the ssl certificate was expiring we received a
new ssl certificate and since then I have problem. I have installed a
new box with Squid3.0.STABLE12.

When I start squid with -DYNCD3 option I can do https to OWA but squid
aborts after some time. 


And when I start squid without any option, I can not access OWA and get
page cannot be displayed and cache.log registers following error when
I do first time: https://owa

 


2009/02/08 16:52:27| httpsAccept: Error allocating handle:
error:0906A068:PEM routines:PEM_do_header:bad password read

2009/02/08 16:52:27| httpsAccept: Error allocating handle:
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib 


On refreshing the screen -

2009/02/08 16:52:37| httpsAccept: Error allocating handle:
error:140BA0C3:SSL routines:SSL_new:null ssl ctx

2009/02/08 16:52:37| httpsAccept: Error allocating handle:
error:140BA0C3:SSL routines:SSL_new:null ssl ctx

What could be the problem? Please help.



Squid by default runs in daemon mode, setting up a parent process that 
monitors several child processes to make sure the service is never down 
for long in the event of a fatal crash.


When started like that (no special options) there may be no way for the 
child process or recovered process to ask for the certificate password.


You have two options:
 * ALWAYS do the manual start with options preventing daemon and 
recovery mode.

 * use a PEM certificate that is signed but not password encrypted.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5
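
A pre-start check for the situation described in the reply above, as an added example that is not code from the thread or from Squid: it reports whether a PEM private key is passphrase-protected (the case behind the `PEM_do_header:bad password read` lines) and, for an unencrypted key, whether the file is readable by anyone other than its owner. The key texts are constructed placeholders, not real keys, and the function names are hypothetical.

```python
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples: the base64 body is a placeholder, not key material.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBLRVk=
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBLRVk=
-----END RSA PRIVATE KEY-----
"""


def private_key_blocks(pem_text):
    """Return [(label, is_encrypted)] for each private-key block in PEM text."""
    found = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue                          # certificates, parameters, ...
        if label == "ENCRYPTED PRIVATE KEY":
            found.append((label, True))       # PKCS#8 encrypted container
        else:
            # Traditional OpenSSL keys flag encryption in a Proc-Type header.
            flagged = re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED", body, re.M)
            found.append((label, bool(flagged)))
    return found


def audit_key_file(path):
    """Return a list of problems for an unattended (daemon) start."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        blocks = private_key_blocks(fh.read())
    problems = []
    if not blocks:
        problems.append("no private key block found")
    for label, encrypted in blocks:
        if encrypted:
            problems.append(
                f"{label}: passphrase-protected, a daemon cannot prompt for it")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    has_plain_key = any(not encrypted for _, encrypted in blocks)
    if has_plain_key and mode & 0o077:
        problems.append(
            f"unencrypted key readable beyond its owner (mode {mode:04o})")
    return problems


def audit_samples():
    """Write the constructed samples to a temp directory and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text, mode in (("encrypted.pem", ENCRYPTED_KEY, 0o600),
                                 ("plain-open.pem", PLAIN_KEY, 0o644),
                                 ("plain-tight.pem", PLAIN_KEY, 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="ascii") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = audit_key_file(path)
    return results


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(name, "->", problems or "ok for unattended start")
```

Removing the passphrase shifts the key's protection entirely onto file ownership and mode, which is why the second check is there.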