
Re: Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED


 



RicardoCh wrote:
When I try, from the internal LAN, to load any page of my website running on
server (Debian Lenny iptables-apache2-Squid2.7-samba3, ALL ON SAME SERVER),
Squid shows some of these 3 error pages:
1) Unable to forward this request at this time
2) (111) Connection refused
3) Access denied

In Squid.conf I have these lines:
http_port 192.168.000.1:3128 transparent
http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

cache_peer_access mysite.com allow MyWeb
cache_peer_access mysite.com deny all

Where the acl "MyWeb" is:
acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
(The sites are all on the same Apache, Virtual directory)

In iptables I have only these lines to the webserver:
# WWW
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128

Any idea? Thanks in advance

Wow... You are intercepting ALL port 80 traffic and passing it to Squid on port 3128. You have Squid in accelerator mode passing traffic to itself. Finally, you have a cache_peer_access setup that doesn't match any peers.

First, I would advise not redirecting traffic destined for the accelerated site. Assuming mysite.com (and its variants) resolves to 192.168.0.1, replace your iptables redirection rule with...

  $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -d !192.168.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Next, don't have Squid listen on localhost port 80. That's where Apache should be listening. Instead have Squid listen to the "publicly" accessible IP address...

  http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost

Finally, the first argument to cache_peer_access should match SOMETHING about the defined cache_peer. With the peer defined as...

  cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

...use either the IP...

  cache_peer_access 127.0.0.1 allow MyWeb

...or the name...

  cache_peer_access Ricardo allow MyWeb

...in the cache_peer_access definition.

Chris
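
The two Squid-side mistakes named in the reply (an accelerator `http_port` on the same address and port as its own origin peer, and `cache_peer_access` lines that name no defined peer) can be checked mechanically. This is an added example, not part of the original message or of Squid itself; the function name `lint_squid_conf`, the finding codes and the sample text are constructed for illustration, and, following the reply, it accepts either the peer's address or its `name=` value and compares listener addresses as exact strings.

```python
# Added example (not from the thread): lint a squid.conf for the two
# reverse-proxy mistakes described in the reply.

# Constructed input: the directives quoted in the original question.
SAMPLE_CONF = """\
http_port 192.168.000.1:3128 transparent
http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
cache_peer_access mysite.com allow MyWeb
cache_peer_access mysite.com deny all
"""


def lint_squid_conf(text):
    """Return sorted (line_number, code) findings for a squid.conf string."""
    peer_ids = set()   # what cache_peer_access may reference (host or name=)
    origins = {}       # (host, port) of originserver peers -> line number
    accel = []         # (line number, host, port) of accel listeners
    access = []        # (line number, referenced peer)
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "cache_peer" and len(tok) >= 4:
            # cache_peer <host> <type> <http-port> <icp-port> [options]
            peer_ids.add(tok[1])
            peer_ids.update(o[5:] for o in tok[5:] if o.startswith("name="))
            if "originserver" in tok[5:]:
                origins[(tok[1], tok[3])] = lineno
        elif tok[0] == "http_port" and "accel" in tok[2:]:
            host, _, port = tok[1].rpartition(":")
            accel.append((lineno, host, port))
        elif tok[0] == "cache_peer_access" and len(tok) >= 2:
            access.append((lineno, tok[1]))
    findings = []
    for lineno, host, port in accel:
        # Squid would forward accelerated requests back to its own listener.
        if (host, port) in origins:
            findings.append((lineno, "ACCEL_LOOP"))
    for lineno, peer in access:
        # The first argument must identify a peer that was actually defined.
        if peer not in peer_ids:
            findings.append((lineno, "UNKNOWN_PEER"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code in lint_squid_conf(SAMPLE_CONF):
        print(f"line {lineno}: {code}")
```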


