Search squid archive

Re: Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ricardo A wrote:
Yes, you're right, you told me. But there is one detail that I did not comment then, to not lengthen the thing (and because I figured it did not matter): the public IP is dynamic and is routed using a script to ZoneEdit. Then, because Amos told me to leave http_port 80 bind to all...

Right, back when you were only speaking of Squid alone. That method is used with dynamic IPs to make Squid listen to every single IP the box has now and ever. Adding apache on the same box means either the IP has to be pre-known or apache listening on a strange port.


About this, do you have any trick to set the dynamic IP in this Squid sentence? I have a small script, "Ipofif", inserted between variables in iptables, and when running shows the IP of the NIC... Could I "embedded" in some way in this line of http_port to display the IP? Any solution? Or, if the problem is caused by dynamic IP in accelerator mode, will I have to remove it?

You could make a script that gets called whenever the IP changes (I'm not sure jhow, maybe an ifupdown hook) generate a file, say /etc/squid/ports containing the http_port lines (only). And call reconfigure on squid whenever the IP changes.

You would also need to have "include /etc/squid/ports" set in squid.conf to load the generated ports file.

Amos


----------------------------------------
Date: Thu, 3 Sep 2009 11:39:27 -0800
From: crobertson@xxxxxxx
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

Ricardo A wrote:
Dear Chris and Henrik,
I'm sorry, but now cannot access webpages from outside...
Yes I can from LAN...

I repeat that is a debian Lenny webserver-fileserver-firewall (iptables-Squid 2.7-Samba 3-Apache 2, all in the same machine).

The setting:

Squid 2.7

http_port 192.168.000.1:3128 transparent
http_port 80 accel defaultsite=mysite.com vhost

As I stated in my first email, this line should be...

http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost

...because just using the port tells Squid to bind to all interfaces.
You need to limit it to the public interface so Apache can bind to the
loopback.

cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
cache_peer_access Ricardo mysite.com allow MyWeb
cache_peer_access Ricardo mysite.com deny all

Where the acl "MyWeb" is:> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar

(The sites are all on the same Apache, Virtual directory)

Iptables:

$IPTABLES -A tcp_packets -p TCP -s 0/0 -dport 80 -j allowed

$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -p tcp -dport 80 -j REDIRECT> -to-ports 3128

Apache 2:

port.conf

LISTEN 127.0.0.1:80
------------
With these settings, Apache 2 again warn:

apache2(98)Address already in use: make_sock: could not> bind to address [::]:80> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80> no listening sockets available, shutting down> Unable to open logs

Thanks in advance...
Ricardo

Chris

_________________________________________________________________
Learn how to add other email accounts to Hotmail in 3 easy steps.
http://clk.atdmt.com/UKM/go/167688463/direct/01/


--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux