On Mon, 7 Sep 2009 12:19:19 -0300, "RicardoCh" <racham@xxxxxxxxxxx> wrote:
> Oh... Sorry, I yesterday send this message to Amos, but I mistakenly, in
> the original pasted below, I thanked to Henrik... My apologies, I thank
> you all, but that message was for you, Amos... There goes back as it
> should be :-)
>
> Hi Amos,
>
> thanks for your help. All right now.
>
> I have done as you suggested: a bash script, which first captures the
> dynamic IP with "ipofif", it saving in a log and in a file (which contains
> the "include" with the http_port). Then, from time to time (configured in
> crontab), again the script take the IP, compared with the previous one and
> if equal, nothing, but if is different rebuild the include, so every 15
> minutes (cron).
>
> Now I have a weird problem.
> I can only access some domains (run on the same server where Squid and
> Apache2). That is, YES I can access mydomain.com, but NOT I can not
> www.mydomain.com.
>
> In Squid I have a line acl myweb dstdomain "/usr/squid/domain".
> Where "domain" save a list:
>
> *.mydomain.com
> www.mydomain.com
> *.otherdomain.com
> www.otherdomain.com
>
> In Apache2 each virtualhost is setting: *. midominio.com www.midominio.com
> etc ...
>
> I have seen in other forums of years ago that had problems with Squid acl
> dstdomain When you add multiple URLs to the same ...
> Any ideas?

Remove the '*'. Wildcards are done with just a dot at the start of the
domain name.
http://www.squid-cache.org/Doc/config/acl/

Squid thinks it's a full FQDN text " *.mydomain.com " which will never match
since * is never sent by the browser.

Amos

> Regards
> Ricardo
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Friday, 04 September 2009 01:12 a.m.
> To: Ricardo A
> CC: crobertson@xxxxxxx; squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Squid 2.7: Request from LAN UNABLE to FORWARD or
> CONNECTION REFUSED or ACCESS DENIED
>
> Ricardo A wrote:
>>
>> Yes, you're right, you told me. But there is one detail that I did not
>> comment then, to not lengthen the thing (and because I figured it did not
>> matter): the public IP is dynamic and is routed using a script to ZoneEdit.
>
>> Then, because Amos told me to leave http_port 80 bind to all...
>
> Right, back when you were only speaking of Squid alone. That method is
> used with dynamic IPs to make Squid listen to every single IP the box
> has now and ever.
> Adding apache on the same box means either the IP has to be pre-known or
> apache listening on a strange port.
>
>>
>> About this, do you have any trick to set the dynamic IP in this Squid
>> sentence?
>> I have a small script, "Ipofif", inserted between variables in iptables,
>> and when running shows the IP of the NIC... Could I "embedded" in some way
>> in this line of http_port to display the IP?
>>
>> Any solution? Or, if the problem is caused by dynamic IP in accelerator
>> mode, will I have to remove it?
>
> You could make a script that gets called whenever the IP changes (I'm
> not sure how, maybe an ifupdown hook) generate a file, say
> /etc/squid/ports containing the http_port lines (only). And call
> reconfigure on squid whenever the IP changes.
>
> You would also need to have "include /etc/squid/ports" set in squid.conf
> to load the generated ports file.
>
> Amos
>
>
>> ----------------------------------------
>>> Date: Thu, 3 Sep 2009 11:39:27 -0800
>>> From: crobertson@xxxxxxx
>>> To: squid-users@xxxxxxxxxxxxxxx
>>> Subject: Re: Squid 2.7: Request from LAN UNABLE to FORWARD
>>> or CONNECTION REFUSED or ACCESS DENIED
>>>
>>> Ricardo A wrote:
>>>> Dear Chris and Henrik,
>>>> I'm sorry, but now cannot access webpages from outside...
>>>> Yes I can from LAN...
>>>>
>>>> I repeat that is a debian Lenny webserver-fileserver-firewall
>>>> (iptables-Squid 2.7-Samba 3-Apache 2, all in the same machine).
>>>>
>>>> The setting:
>>>>
>>>> Squid 2.7
>>>>
>>>> http_port 192.168.000.1:3128 transparent
>>>> http_port 80 accel defaultsite=mysite.com vhost
>>>>
>>> As I stated in my first email, this line should be...
>>>
>>> http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost
>>>
>>> ...because just using the port tells Squid to bind to all interfaces.
>>> You need to limit it to the public interface so Apache can bind to the
>>> loopback.
>>>
>>>> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
>>>> cache_peer_access Ricardo mysite.com allow MyWeb
>>>> cache_peer_access Ricardo mysite.com deny all
>>>>
>>>> Where the acl "MyWeb" is:
>>>> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
>>>>
>>>> (The sites are all on the same Apache, Virtual directory)
>>>>
>>>> Iptables:
>>>>
>>>> $IPTABLES -A tcp_packets -p TCP -s 0/0 -dport 80 -j allowed
>>>>
>>>> $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -p tcp -dport 80 -j REDIRECT -to-ports 3128
>>>>
>>>> Apache 2:
>>>>
>>>> port.conf
>>>>
>>>> LISTEN 127.0.0.1:80
>>>> ------------
>>>> With these settings, Apache 2 again warn:
>>>>
>>>> apache2(98)Address already in use: make_sock: could not bind to address [::]:80
>>>> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
>>>> no listening sockets available, shutting down
>>>> Unable to open logs
>>>>
>>>> Thanks in advance...
>>>> Ricardo
>>>>
>>> Chris
>>>
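
The dstdomain matching rule from the reply at the top of this thread, as an added shell example that is not part of the original messages: dstdomain_match models how a list entry is compared with a requested host name, and fix_dstdomain_list rewrites a list file such as the one quoted above. Both function names are hypothetical, and the sample input is the list from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): models the dstdomain rule described above.

# dstdomain_match ENTRY HOST: exit status 0 if the ACL entry would match HOST.
dstdomain_match() {
    entry=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$entry" in
        .*) # leading dot: the domain itself and every subdomain
            base=${entry#.}
            case "$host" in
                "$base"|*".$base") return 0 ;;
            esac
            return 1 ;;
        *)  # no leading dot: exact name only; '*' is an ordinary character
            [ "$host" = "$entry" ] ;;
    esac
}

# fix_dstdomain_list: read a dstdomain list file on stdin, print a corrected one.
# Rewrites "*.example.com" to ".example.com" and drops entries that a
# leading-dot entry already covers (for example www.example.com).
fix_dstdomain_list() {
    tmp=$(mktemp) || return 1
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e 's/^\*\././' | tr 'A-Z' 'a-z' | LC_ALL=C sort -u > "$tmp"
    while read -r e; do
        covered=0
        while read -r w; do
            case "$w" in .*) ;; *) continue ;; esac   # only dotted entries cover others
            if [ "$w" = "$e" ]; then continue; fi
            if dstdomain_match "$w" "${e#.}"; then covered=1; break; fi
        done < "$tmp"
        if [ "$covered" -eq 0 ]; then printf '%s\n' "$e"; fi
    done < "$tmp"
    rm -f "$tmp"
}

# Constructed input: the list quoted in the thread.
printf '%s\n' '*.mydomain.com' 'www.mydomain.com' \
              '*.otherdomain.com' 'www.otherdomain.com' | fix_dstdomain_list
```

Run against an access list before reloading Squid, this shows which entries could never match and leaves one leading-dot entry per domain.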