> Hi Amos,
>
> Thanks for your reply. I'll try to explain better what I'm trying to do
> here.
>
> | You don't appear to have a:
> | Squid1->DG->Squid2 setup
> |
> | you do appear to have a:
> | Squid1 -> Internet or DG -> Squid1 -> Internet setup.
> |
> | Is there any particular reason you need to have two squid?
> | The current feedback config appears to be needlessly complicated for any
> | use I can think of right now for having two instances of squid running.
>
> In the scenario DG(port 8081) --> Squid(port 3128)
> Clients are using the proxy on proxy_ip:8081
>
> Since Dansguardian can't handle NTLM auth, if I don't use 2 Squid instances
> then it will show on the DG access log only the IP of the client and not the
> username.
>
> DG access log will look like this (only IP is logged):
> 2009.2.4 15:12:01 - 192.168.20.11 http://adimgs.sapo.pt/2009/odisseias/massagem.jpg *SCANNED* GET 1956
>
> and on the Squid access log it will always show the localhost since the
> connection comes from DG:
> 1233760323.286 8 127.0.0.1 TCP_MISS/200 1597 GET http://h.s.sl.pt/pub/botao.html?rand=&tile=36871 - DIRECT/213.13.146.180 text/html
>
> This would prevent me from doing reports on users' usage and, I think,
> from using delay pools.

I would have thought Squid->DG->Internet would be sufficient to meet those
needs. With the front squid doing cache+auth of stuff that gets past the DG
filtering. (and DG doing less work on cacheable things it's already scanned
once).

Oh well. Let's get rid of your loop anyway.

> In the scenario Squid1(port 3128 for ntlm_auth) -> DG(port 8081) --> Squid2(port 8080 for cache)
> Clients are using the proxy on proxy_ip:3128
>
> DG access log will look like this (now user and IP are logged):
> 2009.2.4 16:01:12 rnuno 192.168.20.11 http://imgs.sapo.pt/images/footer/pt.gif *SCANNED* GET 804
>
> and on the Squid access log:
> 1233763558.911 0 192.168.20.11 TCP_DENIED/407 2169 GET http://cache02.stormap.sapo.pt/vidstore02/thumbnais/66/91/02/15666_eDQus.jpg - NONE/- text/html
> 1233763558.917 21 127.0.0.1 TCP_MISS/200 2860 GET http://cache01.stormap.sapo.pt/vidstore02/thumbnais/05/64/67/ma_swing.jpg - DIRECT/212.55.154.131 image/jpeg
>
> So basically this setup is working in a way that allows me to do my
> reports and use delay pools, but the error keeps appearing in my log. I
> thought that I was doing something wrong on the cache_peer line.
>
> 2009/02/04 16:09:15| WARNING: Forwarding loop detected for:
> Client: 127.0.0.1 http_port: 127.0.0.1:8080
> GET http://cache03.stormap.sapo.pt/vidstore03/thumbnais/57/ed/03/731347_L4An1.jpg HTTP/1.0
> Accept: */*
> Referer: http://videos.sapo.pt/
> Accept-Language: en-US
> UA-CPU: x86
> Accept-Encoding: identity,gzip,deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
> Host: cache03.stormap.sapo.pt
> Cookie: _swa_v=158287575757761020; _swa_uv=3752565023748371500
> Via: 1.1 squid-ntml:8080 (squid/2.7.STABLE3)
> X-Forwarded-For: 192.168.20.11
> Proxy-Authorization: Basic cm51bm86bm9wYXNzd29yZA==
> Cache-Control: max-age=259200
> X-Forwarded-For: 192.168.20.11
>
> I made some changes according to your advice but I still get the error. Do
> you have any suggestion on how to fix it, or maybe another way to do what I
> want?
>
> Below are the conf files I'm using now.
>
> Thank you once more.
>
> regards,
> -- Ricardo
>
>
> My changes in dansguardian.conf:
> filterip = 127.0.0.1
> filterport = 8081
> proxyip = 127.0.0.1
> proxyport = 8080
> usernameidmethodproxyauth = on

Great. DG goes (DG):8081 -> (Squid2):8080

> # SQUID.CONF
> #
> -----------------------------------------------------------------------------
> unique_hostname squid-cache
> http_port 8080

This is Squid2 then?

> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> cache_mem 1024 MB
> maximum_object_size 8096 KB
>
> cache_dir ufs /cache/squid 20000 16 256
> access_log /var/log/squid/access.log squid
>
> cache_peer 127.0.0.1 parent 8081 0 no-digest no-netdb-exchange name=squid-cache no-query login=*:nopassword
>
> acl localhost src 127.0.0.1
> #cache_peer_access squid-cache deny localhost

NP: Squid2 in your setup must NOT do any peering. Remember this is the EXIT.
All access is direct to the Internet. Its one and only client is DG.

> include /etc/squid/squid-ntml.conf

Don't include any unique stuff into both configs.

If you need usernames logged at Squid2 at all, use the fakeauth helper and
the LoggingOnly setup on that squid:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly

> #Suggested default:
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl NTLMUsers proxy_auth REQUIRED
> acl rede_interna src 192.168.20.0/24
> acl h_trabalho time MTWHF 08:00-18:00
> acl downloads url_regex -i .exe .mp3 .vqf .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .iso
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost
> http_access allow NTLMUsers
>
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> coredump_dir /var/spool/squid
>
>
> # SQUID-NTML.CONF
> #
> -----------------------------------------------------------------------------
>
> unique_hostname squid-ntml
> http_port 3128

This is Squid1 right?

_this_ is the config which needs to contain the cache_peer settings pointing
at DG as a parent, using "never_direct allow all", and the local network
ranges that are allowed as clients etc.

The INPUT acts like a funnel, taking everything and forcing it down to a
single stream through to DG.

> cache_dir null /dev/null
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Moonlight Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> pid_filename /var/run/squid-ntml.pid
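For readers landing on this thread, the layout Amos is describing can be written out as two separate, non-overlapping config files. The following is an added example, not a config from this thread nor from the Squid or DansGuardian projects. It keeps Ricardo's ACL names, helper commands and DG settings (filterip = 127.0.0.1, proxyport = 8080) and assumes the rest: the two file names, the log and pid paths, the delay-pool numbers, and the path /usr/local/libexec/basic_accept_all for an accept-everything basic helper (a script that reads "user password" lines on stdin and answers OK to each; it stands in for the fakeauth/LoggingOnly recipe Amos links). The `downloads` regex is also anchored to the end of the URL, rather than the bare `.exe .mp3 ...` patterns above, which as regexes match any character followed by those letters anywhere in the URL.

```conf
# ===== /etc/squid/squid-ntml.conf : Squid1, the INPUT funnel =====
# Added example (not from the thread). Paths and pool numbers are assumptions.
unique_hostname squid-ntml             # must differ from Squid2's for Via-based loop detection
http_port 3128
pid_filename /var/run/squid-ntml.pid
access_log /var/log/squid/access-ntml.log squid   # real client IP + username land here
cache_dir null /dev/null               # Squid 2.x null store: the funnel does not cache

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Moonlight Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# The ONLY parent is DG, and never_direct means nothing leaves this instance
# unfiltered. login=*:nopassword forwards the authenticated username with a
# dummy password so DG (usernameidmethodproxyauth = on) can log it.
cache_peer 127.0.0.1 parent 8081 0 no-query no-digest no-netdb-exchange name=dg login=*:nopassword
never_direct allow all

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 70 210 280 488 591 777 631 873 901 1025-65535
acl CONNECT method CONNECT
acl rede_interna src 192.168.20.0/24
acl NTLMUsers proxy_auth REQUIRED
acl downloads url_regex -i \.(exe|mp3|vqf|zip|rar|avi|mpeg|mpe|mpg|qt|ram|rm|iso|raw|wav|mov)$

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow rede_interna NTLMUsers   # LAN only, and only once authenticated
http_access deny all

# Delay pools belong on this hop: it is the one that knows the client IP and user.
# Class 2 = one aggregate bucket plus one bucket per client IP (rate/size in bytes).
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 32000/64000
delay_access 1 allow downloads
delay_access 1 deny all

# ===== /etc/squid/squid.conf : Squid2, the EXIT cache =====
unique_hostname squid-cache
http_port 127.0.0.1:8080               # loopback only: clients cannot skip auth + DG via 8080
pid_filename /var/run/squid-cache.pid
access_log /var/log/squid/access.log squid

cache_mem 1024 MB
maximum_object_size 8096 KB
cache_dir ufs /cache/squid 20000 16 256
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# NO cache_peer and NO include of squid-ntml.conf here. A cache_peer back to
# 127.0.0.1:8081 on this instance is exactly what produced the forwarding loop.

# Logging-only auth: the helper path is an assumption and must be an
# accept-everything basic helper. Squid2 then records the username DG passed
# on without authenticating anyone; Squid1 already did that.
auth_param basic program /usr/local/libexec/basic_accept_all
auth_param basic children 2
auth_param basic realm log-only
acl logged_user proxy_auth REQUIRED

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 70 210 280 488 591 777 631 873 901 1025-65535
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost logged_user   # only DG on 127.0.0.1 may use the exit
http_access deny all
```

Two checks worth making after splitting the files: `ps` should show two squid processes, one per pid file, and the Via header in any future loop warning should name only one of the two unique_hostname values. The `Via: 1.1 squid-ntml:8080` line in the warning above is consistent with a single process that had both http_port lines and the squid-ntml hostname merged in through the include, then peered back into DG. With Squid2 bound to 127.0.0.1 and DG's filterip also 127.0.0.1, port 3128 is the only entry point reachable from the LAN, so the authentication and filtering cannot be bypassed by pointing a browser at the inner ports.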