Henrik Nordstrom said in the last message:
> Sat 2007-01-20 at 01:11 -0200, Michel Santos wrote:
>
>> > Then post
>> >
>> > * iptables ruleset
>> > * http_port + cache_peer + visible_hostname settings of each Squid
>> > * cache.log output of ALL,1 (no extra debugging enabled) from each
>> > Squid.
>>
>>
>> it is FreeBSD and IPFW
>
> Then post your ipfw rules instead of iptables.
>

oook, here it is

fwd 127.0.0.1,8080 tcp from _IP_ to any dst-port 80 in via WIP1
allow ip from any to any

for not looking any more on the wrong side:

# ping -S 127.0.0.3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) from 127.0.0.3: 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.051 ms

# ping -S 127.0.0.2 127.0.0.1
PING 127.0.0.1 (127.0.0.1) from 127.0.0.2: 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.048 ms

# ping -S 127.0.0.2 127.0.0.3
PING 127.0.0.3 (127.0.0.3) from 127.0.0.2: 56 data bytes
64 bytes from 127.0.0.3: icmp_seq=0 ttl=64 time=0.045 ms

# ping -S 127.0.0.3 127.0.0.2
PING 127.0.0.2 (127.0.0.2) from 127.0.0.3: 56 data bytes
64 bytes from 127.0.0.2: icmp_seq=0 ttl=64 time=0.049 ms

# ping -S 127.0.0.1 127.0.0.2
PING 127.0.0.2 (127.0.0.2) from 127.0.0.1: 56 data bytes
64 bytes from 127.0.0.2: icmp_seq=0 ttl=64 time=0.047 ms

and any other possible combination is equally true.
also, to complete this part:

tcp4 0 0 200.152.81.2.50859 12.160.37.9.80 TIME_WAIT
tcp4 0 0 200.152.81.2.59209 12.160.37.9.80 ESTABLISHED
tcp4 0 0 127.0.0.3.3133 127.0.0.3.64240 ESTABLISHED
tcp4 0 0 127.0.0.3.64240 127.0.0.3.3133 ESTABLISHED
tcp4 0 0 127.0.0.2.3132 127.0.0.2.54063 ESTABLISHED
tcp4 0 0 127.0.0.2.54063 127.0.0.2.3132 ESTABLISHED
tcp4 0 0 12.160.37.9.80 200.152.83.36.53674 ESTABLISHED
tcp4 0 0 200.152.81.2.53863 12.160.37.9.80 ESTABLISHED
tcp4 0 0 127.0.0.3.3133 127.0.0.3.62291 ESTABLISHED
tcp4 0 0 127.0.0.3.62291 127.0.0.3.3133 ESTABLISHED
tcp4 0 0 200.152.81.2.57554 12.160.37.9.80 TIME_WAIT
tcp4 0 0 127.0.0.2.3132 127.0.0.2.51591 ESTABLISHED
tcp4 0 0 127.0.0.2.51591 127.0.0.2.3132 ESTABLISHED
tcp4 0 0 12.160.37.9.80 200.152.83.36.60380 ESTABLISHED
tcp4 0 0 200.152.81.2.61884 12.160.37.9.80 ESTABLISHED
tcp4 0 0 127.0.0.3.3133 127.0.0.3.49361 ESTABLISHED
tcp4 0 0 127.0.0.3.49361 127.0.0.3.3133 ESTABLISHED
tcp4 0 0 12.160.37.9.80 200.152.83.36.63253 ESTABLISHED
tcp4 0 0 127.0.0.2.3132 127.0.0.2.57914 TIME_WAIT
tcp4 0 0 12.160.37.9.80 200.152.83.36.52915 TIME_WAIT

where .83.36 is my IP, .81.2 squid's external IP address, the dest IP is
squid.nlanr.net

>> but it seems you have overseen some important things, I write it again
>
> Maybe, maybe not.
>
>> squid0 is the transparent proxy and it *IS* forwarding correctly because
>> the access denied is coming from squid1 or squid2
>
> Then you probably either have an access control problem on squid1/2, or
> unique_hostname isn't set proper. Which one can be seen from the error
> and/or access.log.
>

ok, like I answered before, each instance has its unique name set in its
squid.conf, to be more specific

cachemaster (squid0)
squid1 (squid1)
squid2 (squid2)

also, remember please, I said in a former email I set

acl all 0.0.0.0
acl peers 0.0.0.0

I guess there is nothing to add since there is no wider expression for IPv4
and saying "pass all through", so certainly there is nothing to deny at all
- but squid1|2 denies ...

>> for me it seems that there is something wrong in 2.6 that when it gets
>> xforwarded packets from clients from peer 127.0.0.1 it does not
>> understand
>> it
>
> Are you using the x-forwarded-for stuff? Or what are you trying to say
> here?

sure not

squid when running transparent mode is marking "x-forwarded request-IP,
my-outgoing-IP" isn't it?

so it seems that squid1 or squid2, when running on 127*, do NOT understand
when my-outgoing-IP is 127.0.0.1 but do when it is any other

or is it possible that squid assumes getting just forwarded packages by the
OS when running on 127* but not already forwarded packages from a peer?

>
>> because I tried with one instance on the local machine and another 2.6
>> parent on another machine and it works as it should
>
> To Squid it's the exact same thing.
>
>> also please remember that this scenario works perfect with 2.5, I do not
>> change anything else but the squid version (and of course the different
>> transparent configs for 2.6 on squid0 instance)
>
> Maybe, maybe not. Squid-2.5 hides some configuration errors in peering
> relations by falling back on direct on error. This is not done by
> default in 2.6.
>

no no, here is no maybe. 2.5 works perfect and gets its stuff perfectly from
either squid1 or squid2 like you saw above.
squid0 does *NOT* go direct since I have

never_direct allow all
always_direct deny all

set, that means, if either squid1 or squid2 is down or denying access I would
get the cannot select parent error and no http access would be possible

>> in order getting you the cache.logs I need to wait for an early hour on
>> a
>> workday to set it up, actually - if interested - I can send you them
>> from
>> the working 2.5 setup but please tell me what you need from them, the
>> startup? because else there is only this kind of stuff in what probably
>> does not help anything here:
>
> Only if there is any messages logged at the time you see the error about
> the request which errors. Other messages can be ignored.
>

ok, I will do it these days, but maybe you would like to look meanwhile at
where squid gets confused here because you said this should be the same on
all squid versions. Since there are no extra configurations for this case in
2.6, my 2.5 config should work I guess.

thanks

Michel

...

****************************************************
Datacenter Matik http://datacenter.matik.com.br
E-Mail and Data Hosting Service for Professionals.
****************************************************
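Added example, not part of the thread: a small Python parser for BSD-style `netstat -n` lines like the ones posted above, grouping each socket by the hop of the squid0 -> squid1/squid2 -> origin chain it belongs to, so that a reader can see at a glance that the loopback peer connections are up at the TCP level and the "access denied" must be an HTTP-level decision. The port-to-role mapping (3132 = squid1, 3133 = squid2, port 80 = origin, or the intercepted client when it is the local port) is an assumption taken from the ports that appear in the thread; the sample lines are constructed in the shape of the quoted output.

```python
from collections import defaultdict

# Constructed sample in the shape of the netstat -n output quoted in the thread.
NETSTAT_SAMPLE = """\
tcp4 0 0 200.152.81.2.50859 12.160.37.9.80 TIME_WAIT
tcp4 0 0 200.152.81.2.59209 12.160.37.9.80 ESTABLISHED
tcp4 0 0 127.0.0.3.3133 127.0.0.3.64240 ESTABLISHED
tcp4 0 0 127.0.0.3.64240 127.0.0.3.3133 ESTABLISHED
tcp4 0 0 127.0.0.2.3132 127.0.0.2.54063 ESTABLISHED
tcp4 0 0 127.0.0.2.54063 127.0.0.2.3132 ESTABLISHED
tcp4 0 0 12.160.37.9.80 200.152.83.36.53674 ESTABLISHED
"""

# Assumed mapping of the loopback listener ports to the Squid instances named in the thread.
PEERS = {3132: "squid1", 3133: "squid2"}


def split_bsd_addr(token):
    """BSD netstat prints IPv4 endpoints as a.b.c.d.port; split on the last dot."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_netstat(text):
    """Return (local, remote, state) tuples for every tcp line in the dump."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        rows.append((split_bsd_addr(parts[3]), split_bsd_addr(parts[4]), parts[5]))
    return rows


def role(local, remote):
    """Name the hop a socket belongs to, judged from which side holds a known port."""
    lport, rport = local[1], remote[1]
    if lport == 80:          # ipfw fwd keeps the original destination as the local address
        return "intercepted client -> squid0"
    if rport == 80:          # outgoing fetch from the origin server
        return "squid -> origin"
    if lport in PEERS:       # server side of a loopback peer connection
        return "accepted by " + PEERS[lport]
    if rport in PEERS:       # client side of the same loopback peer connection
        return "to " + PEERS[rport]
    return "other"


def summarize(rows):
    """Count sockets per (hop, TCP state)."""
    summary = defaultdict(lambda: defaultdict(int))
    for local, remote, state in rows:
        summary[role(local, remote)][state] += 1
    return {hop: dict(states) for hop, states in summary.items()}
```

Every loopback peer socket appears twice (once per side), so "accepted by squid1" and "to squid1" counts should match; a hop that shows only TIME_WAIT or nothing at all is the one to look at.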