Hello Amos,

> Also, are you sure libcap support was built into Squid and is also
> available on the box it's currently running on? Tproxy support will turn
> itself off inside Squid if libcap fails

How can I build libcap support into Squid?
Did you test http://wiki.squid-cache.org/Features/Tproxy4 with CentOS 5.3?

Best regards

Monday, August 24, 2009, 11:05:04 AM, you wrote:

> Farhad Ibragimov wrote:
>> Hi squid guru
>>
>> My server was configured with the following instruction
>> http://wiki.squid-cache.org/Features/Tproxy4
>> but not working. Please help me to resolve my problem
>>
>> Squid version 3.1.0.13
>> iptables 1.4.3
>> 2.6.30.5-second #1 SMP Sun Aug 23 03:36:29 AZST 2009 x86_64 x86_64 x86_64 GNU/Linu
>>
>> my squid configuration

> <snip defaults>

>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access allow localhost
>> http_access allow all

> I hope that was only for testing. 'allow all' makes your squid a wide
> open proxy.

> TPROXY retains the correct concepts Internally of Squid for which IP
> ranges are clients and which destinations. 'allow localnet' should have
> been sufficient to let your clients out to the web with minimal
> restrictions.

>> http_port 3128
>> http_port 3129 tproxy

> <snip defaults>

>>
>> ACCESS LOGS
>> 1250983412.365 132598 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/uk/2009/08/090822_uk_cars_scrappagescheme.shtml - DIRECT/www.bbc.co.uk -
>> 1250983461.913 181020 85.132.47.219 TCP_MISS/504 4136 GET http://ru.fxfeeds.mozilla.com/ru/firefox/headlines.xml - DIRECT/63.245.209.93 text/html
>> 1250983545.928 60793 85.132.47.219 TCP_MISS/503 0 CONNECT sb-ssl.google.com:443 - DIRECT/216.239.59.136 -
>> 1250983596.266 110348 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/russia/2009/08/090822_russia_nationalflag_denisov.shtml - DIRECT/www.bbc.co.uk -

> <snip>

> Hmm, what those access lines show is that Squid is receiving a set of
> HTTP requests and passing them to some external web servers.

> The ones saying MISS/000 to bbc etc are where Squid has sent the whole
> HTTP request outward to the server. But the TCP link is closed by the
> far end before anything comes back.

> The 5xx seems to be Squid timing out past its maximum allowed wait
> before anything comes back.

> The two things to look at closely with TPROXY when this happens are:

> 1) the firewall rules. Both on the Squid box doing TPROXY and on any
> machines between Squid and the Internet.

> 2) the routing rules. How are these requests reaching Squid and what
> is happening to the passed-on request.
> Secondly on routing what happens to replies coming back from the
> web server to the client IP and why do they not arrive at Squid?

> Also, are you sure libcap support was built into Squid and is also
> available on the box it's currently running on? Tproxy support will turn
> itself off inside Squid if libcap fails.

> Amos

--
Best regards,
Farhad mailto:inara.ibragimova@xxxxxxxxx
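
The reading of the access log given in the quoted reply above can be automated. This is an added example, not part of the original thread or of Squid itself: it parses Squid's native access.log format and counts entries with status 000 and zero bytes (request sent, nothing came back) and 5xx entries. The function names and the "suspect" rule (no successful entry at all) are assumptions made for illustration; the sample input is the four log lines from the thread.

```python
import re
from collections import Counter

# Squid native access.log: time elapsed client code/status bytes method URL ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# The four access.log lines quoted in the thread above.
SAMPLE = """\
1250983412.365 132598 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/uk/2009/08/090822_uk_cars_scrappagescheme.shtml - DIRECT/www.bbc.co.uk -
1250983461.913 181020 85.132.47.219 TCP_MISS/504 4136 GET http://ru.fxfeeds.mozilla.com/ru/firefox/headlines.xml - DIRECT/63.245.209.93 text/html
1250983545.928 60793 85.132.47.219 TCP_MISS/503 0 CONNECT sb-ssl.google.com:443 - DIRECT/216.239.59.136 -
1250983596.266 110348 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/russia/2009/08/090822_russia_nationalflag_denisov.shtml - DIRECT/www.bbc.co.uk -
"""

def classify(m):
    """Map one parsed entry to the symptom classes discussed in the thread."""
    status = int(m["status"])
    if status == 0 and int(m["bytes"]) == 0:
        return "no_reply"        # request went out, no reply reached Squid
    if status >= 500:
        return "gateway_error"   # Squid gave up waiting or could not connect
    return "ok"

def triage(log_text):
    """Count symptom classes; flag the log when no request got a reply."""
    counts = Counter()
    slowest_ms = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            counts["unparsed"] += 1
            continue
        counts[classify(m)] += 1
        slowest_ms = max(slowest_ms, int(m["elapsed_ms"]))
    parsed = counts["no_reply"] + counts["gateway_error"] + counts["ok"]
    # Assumption: "suspect" means replies never arrive, so check firewall and routing.
    suspect = parsed > 0 and counts["ok"] == 0
    return {"counts": dict(counts), "slowest_ms": slowest_ms, "suspect": suspect}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
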