Re: Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Ricardo A wrote:
>  
> Yes, you're right, you told me. But there is one detail that I did not comment then, to not lengthen the thing (and because I figured it did not matter): the public IP is dynamic and is routed using a script to ZoneEdit. 
> Then, because Amos told me to leave http_port 80 bind to all... 

Right, back when you were only speaking of Squid alone. That method is 
used with dynamic IPs to make Squid listen to every single IP the box 
has now and ever.
Adding apache on the same box means either the IP has to be pre-known or 
apache listening on a strange port.

> About this, do you have any trick to set the dynamic IP in this Squid sentence? 
> I have a small script, "Ipofif", inserted between variables in iptables, and when running shows the IP of the NIC... Could I "embedded" in some way in this line of http_port to display the IP?
>  
> Any solution? Or, if the problem is caused by dynamic IP in accelerator mode, will I have to remove it?

You could make a script that gets called whenever the IP changes (I'm 
not sure jhow, maybe an ifupdown hook) generate a file, say 
/etc/squid/ports containing the http_port lines (only). And call 
reconfigure on squid whenever the IP changes.

You would also need to have "include /etc/squid/ports" set in squid.conf 
to load the generated ports file.

Amos


> ----------------------------------------
> > Date: Thu, 3 Sep 2009 11:39:27 -0800
> > From: crobertson@xxxxxxx
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: Re:  Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED
> >
> > Ricardo A wrote:
> > > Dear Chris and Henrik,
> > > I'm sorry, but now cannot access webpages from outside...
> > > Yes I can from LAN...
> > >
> > > I repeat that is a debian Lenny webserver-fileserver-firewall (iptables-Squid 2.7-Samba 3-Apache 2, all in the same machine).
> > >
> > > The setting:
> > >
> > > Squid 2.7
> > >
> > > http_port 192.168.000.1:3128 transparent
> > > http_port 80 accel defaultsite=mysite.com vhost
> > As I stated in my first email, this line should be...
> >
> > http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost
> >
> > ...because just using the port tells Squid to bind to all interfaces.
> > You need to limit it to the public interface so Apache can bind to the
> > loopback.
> >
> > > cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
> > > cache_peer_access Ricardo mysite.com allow MyWeb
> > > cache_peer_access Ricardo mysite.com deny all
> > >
> > > Where the acl "MyWeb" is:> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
> > >
> > > (The sites are all on the same Apache, Virtual directory)
> > >
> > > Iptables:
> > >
> > > $IPTABLES -A tcp_packets -p TCP -s 0/0 -dport 80 -j allowed
> > >
> > > $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -p tcp -dport 80 -j REDIRECT> -to-ports 3128
> > >
> > > Apache 2:
> > >
> > > port.conf
> > >
> > > LISTEN 127.0.0.1:80
> > > ------------
> > > With these settings, Apache 2 again warn:
> > >
> > > apache2(98)Address already in use: make_sock: could not> bind to address [::]:80> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80> no listening sockets available, shutting down> Unable to open logs
> > >
> > > Thanks in advance...
> > > Ricardo
> > Chris
> _________________________________________________________________
> Learn how to add other email accounts to Hotmail in 3 easy steps.
> http://clk.atdmt.com/UKM/go/167688463/direct/01/


--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13