Re: [squid-users] squid 3.2 intercept and upstream proxy not working

2012-08-13 Thread Davide Alberani
On Thu, Aug 9, 2012 at 9:36 PM, Davide Alberani
davide.alber...@gmail.com wrote:

>> Maybe we have a bug in FIRSTUP_PARENT selection not checking the
>> cache_peer_access properly.
>
> I'll do some tests in the next few days, and let you know the results.

After a test with squid-3.2.0.19-20120813-r11646, I can confirm that
the problem is no longer present for HTTP traffic, thank you very much!

Now, I have a different issue: HTTP is passed to the upstream proxy,
but - after I've enabled ssl-bump - HTTPS is not (it's handled directly
by squid itself).
Is this expected?


Thank you again!


-- 
Davide Alberani davide.alber...@gmail.com  [PGP KeyID: 0x465BFD47]
http://www.mimante.net/


Re: [squid-users] squid 3.2 intercept and upstream proxy not working

2012-08-09 Thread Davide Alberani
On Thu, Aug 9, 2012 at 1:16 AM, Amos Jeffries squ...@treenet.co.nz wrote:

>> I'm trying squid 3.2 (since I'll need some of the new features), but I'm
>> having trouble using it in intercept mode, when used along with an
>> upstream proxy.
>
> Which 3.2 release number please? That matters a LOT.

Pardon; it was a 3.2.0.18; I'll try with the latest version as soon
as possible and I'll post the results.

> BUT, ... checking your config file there is a bigger problem, and a
> relatively large amount of useless ACL checks ...

Thank you very much for all the hints about the configuration!

> In 3.2 the default action when no cache_peer_access at all is configured, is
> to attempt to use the peer.

I see.

> Maybe we have a bug in FIRSTUP_PARENT selection not checking the
> cache_peer_access properly.

I'll do some tests in the next few days, and let you know the results.
What are the best debug_options to use, to analyze the FIRSTUP_PARENT
selection?

Thank you again.


-- 
Davide Alberani davide.alber...@gmail.com  [PGP KeyID: 0x465BFD47]
http://www.mimante.net/


[squid-users] squid 3.2 intercept and upstream proxy not working

2012-08-08 Thread Davide Alberani
Hi,
I'm trying squid 3.2 (since I'll need some of the new features), but I'm
having trouble using it in intercept mode, when used along with an upstream
proxy.

Requests are forwarded to squid, but never sent to the upstream proxy;
using squid directly (setting it into the browser), the requests are forwarded
to the upstream.
Notice that I'm sure enough that my iptables rules are correct, and that
the upstream proxy is correctly configured (simply, there's no traffic to it,
when squid is used in transparent mode).
Using the same configuration with squid 3.1, the requests handled
in intercept mode are also forwarded to the upstream.

Any idea?  Thanks!


These are the more meaningful parts of the configuration:

==
http_port 172.30.0.16:18080 intercept
http_port 0.0.0.0:8080

server_persistent_connections off
half_closed_clients off

forwarded_for on

acl from_all src all
acl to_all dst all
acl from_localhost src 127.0.0.1/32
acl CONNECT method CONNECT
acl to_http_port port 80
acl to_proxy_port port 8080
acl to_internal_network dst 172.30.0.16

cache deny from_localhost
cache deny CONNECT
cache allow from_all

http_access allow from_localhost
http_access deny to_internal_network to_proxy_port
http_access deny from_all

http_reply_access allow from_localhost
http_reply_access deny from_all

visible_hostname off

# Dansguardian or an upstream proxy.
cache_peer 127.0.0.1 parent  0 no-query no-digest no-netdb-exchange name=default login=*:password
cache_peer_access default deny from_localhost
cache_peer_access default deny from_all

never_direct deny from_localhost
never_direct allow from_all
==


When used in intercept mode, squid handles the request by itself:
== /var/log/squid/cache.log ==
2012/08/06 13:01:46.477 kid1| forward.cc(273) fwdStart: 'http://www.cnn.com/'
2012/08/06 13:01:46.477 kid1| forward.cc(101) FwdState: Forwarding client request local=157.166.255.18:80 remote=172.30.0.252:44700 FD 68 flags=33, url=http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| forward.cc(160) selectPeerForIntercepted: opening a new conn: local=0.0.0.0 remote=157.166.255.18:80 flags=1
2012/08/06 13:01:46.478 kid1| forward.cc(317) startConnectionOrFail: http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| fwdConnectStart: http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| fwdConnectStart: got outgoing addr 0.0.0.0, tos 0, netfilter mark 0
2012/08/06 13:01:46.478 kid1| The AsyncCall fwdConnectDoneWrapper constructed, this=0xb81354a8 [call5533]


On the other hand, when set in the browser, the upstream is also used:
Aug  6 13:04:25 myname (squid-1): 1344251065.036    301 172.30.0.252 TCP_MISS/200 2565 GET http://www.cnn.com/ - FIRSTUP_PARENT/127.0.0.1 text/html



-- 
Davide Alberani davide.alber...@gmail.com  [PGP KeyID: 0x465BFD47]
http://www.mimante.net/
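
An added example, not part of the original thread and not Squid project code: when the parent is a content filter such as Dansguardian, requests that skip it can be found in access.log by their hierarchy code, which is how the two cases in the post above differ. It assumes Squid's native log format; the function names are hypothetical and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Squid native access.log fields; search() skips a syslog prefix like the post's.
NATIVE = re.compile(
    r"(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)

# Hierarchy codes meaning Squid contacted the origin itself, not a cache_peer.
# DIRECT is the pre-3.2 spelling; HIER_DIRECT and ORIGINAL_DST are logged by 3.2+.
DIRECT_CODES = {"DIRECT", "HIER_DIRECT", "ORIGINAL_DST"}

def parse(line):
    """Return the native-format fields of one log line, or None if it does not match."""
    m = NATIVE.search(line)
    return m.groupdict() if m else None

def bypassed_parent(lines):
    """Entries that were forwarded without going through the parent proxy."""
    entries = (parse(line) for line in lines)
    return [e for e in entries if e and e["hier"] in DIRECT_CODES]

def summarize(entries):
    """Count bypasses per (client, method, hierarchy code)."""
    return Counter((e["client"], e["method"], e["hier"]) for e in entries)

# Sample input. Line 1 is the access.log line from the post; the rest are constructed.
SAMPLE = [
    "Aug  6 13:04:25 myname (squid-1): 1344251065.036    301 172.30.0.252 "
    "TCP_MISS/200 2565 GET http://www.cnn.com/ - FIRSTUP_PARENT/127.0.0.1 text/html",
    "1344251106.478    212 172.30.0.252 TCP_MISS/200 2565 GET http://www.cnn.com/ "
    "- ORIGINAL_DST/157.166.255.18 text/html",
    "1344855000.120    450 172.30.0.252 TCP_MISS/200 3120 CONNECT "
    "example.org:443 - HIER_DIRECT/192.0.2.10 -",
    "1344855001.002      0 172.30.0.252 TCP_MEM_HIT/200 2570 GET "
    "http://www.cnn.com/ - HIER_NONE/- text/html",
    "2012/08/06 13:01:46.477 kid1| forward.cc(273) fwdStart: 'http://www.cnn.com/'",
]

if __name__ == "__main__":
    for (client, method, hier), n in sorted(summarize(bypassed_parent(SAMPLE)).items()):
        print(f"{client} {method} via {hier}: {n} request(s) did not use the parent")
```

Cache hits (HIER_NONE) are not counted, since nothing was forwarded for them; cache.log lines are skipped because they do not match the native format.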