Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:
>
>I'm trying to remember how we debugged these issues previously.
> * It sounds a lot like rp_filter deleting the packets in its
>anti-spoofing security. A cache.log trace with debug_options 5,9 89,9
>should show the connections arriving at Squid.

I've used the following commands to disable rp_filter:

echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

When I use the debug_options 5,9 89,9 I get nothing but this in my
cache.log:

2010/09/14 13:42:51| comm_call_handlers(): got fd=14 read_event=8 write_event=8 F->read_handler=0x80d9f40 F->write_handler=(nil)
2010/09/14 13:42:51| comm_call_handlers(): Calling read handler on fd=14
2010/09/14 13:42:51| commSetSelect: FD 14 type 1
2010/09/14 13:42:51| commSetEvents(fd=14)
2010/09/14 13:42:51| comm_select: timeout 423
2010/09/14 13:42:51| comm_select: time out
2010/09/14 13:42:51| comm_select: timeout 389
2010/09/14 13:42:52| comm_select: time out
2010/09/14 13:42:52| comm_select: timeout 1000
2010/09/14 13:42:52| comm_select: time out
2010/09/14 13:42:52| comm_select: timeout 392
2010/09/14 13:42:53| comm_select: time out
2010/09/14 13:42:53| comm_select: timeout 1000
2010/09/14 13:42:53| comm_select: time out
2010/09/14 13:42:53| comm_select: timeout 392
2010/09/14 13:42:54| comm_select: time out
2010/09/14 13:42:54| comm_select: timeout 1
2010/09/14 13:42:54| comm_select: time out
2010/09/14 13:42:54| comm_select: timeout 1000
2010/09/14 13:42:54| comm_select: time out
2010/09/14 13:42:54| comm_select: timeout 396
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 588
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 1
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 409
2010/09/14 13:42:55| comm_select: time out
2010/09/14 13:42:55| comm_select: timeout 397
2010/09/14 13:42:56| comm_select: time out
2010/09/14 13:42:56| comm_select: timeout 1000
2010/09/14 13:42:56| comm_select: time out
2010/09/14 13:42:56| comm_select: timeout 401
2010/09/14 13:42:57| comm_select: time out
2010/09/14 13:42:57| comm_select: timeout 1000
2010/09/14 13:42:57| comm_select: time out
2010/09/14 13:42:57| comm_select: timeout 405
2010/09/14 13:42:58| comm_select: time out
2010/09/14 13:42:58| comm_select: timeout 1000
2010/09/14 13:42:58| comm_select: time out
2010/09/14 13:42:58| comm_select: timeout 409
2010/09/14 13:42:59| comm_select: time out
2010/09/14 13:42:59| comm_select: timeout 1000
2010/09/14 13:42:59| comm_select: time out
2010/09/14 13:42:59| comm_select: timeout 413
2010/09/14 13:43:00| comm_select: time out
2010/09/14 13:43:00| comm_select: timeout 585
2010/09/14 13:43:00| comm_select: time out
2010/09/14 13:43:00| comm_select: timeout 1
2010/09/14 13:43:00| comm_select: time out
2010/09/14 13:43:00| comm_select: timeout 412
2010/09/14 13:43:01| comm_select: time out
2010/09/14 13:43:01| comm_select: timeout 548
2010/09/14 13:43:01| comm_select: time out
2010/09/14 13:43:01| comm_select: timeout 452

>
>
> * Sometimes it's also due to the wrong libcap version being used, Squid
>requires libcap2.09 or later to set the socket spoofing privileges. The
>latest libcap2.x you can get your hands on anyway would be good.

Libcap looks good:

ii  libcap1  1:1.10-14  support for getting/setting POSIX.1e capabilities
ii  libcap2  2.11-2     support for getting/setting POSIX.1e capabilities

>
>
> * I don't think so but there is a chance that any other NAT rules or
>mangle tables rules might be doing things? either before TPROXY matches, or
>to the return packets setting up the connection?

I literally don't have any iptables rules on the proxy server except the
ones in the tutorial on the squid wiki. The proxy server hangs directly
off of the cisco 2811 router.
The router sits behind a sonicwall connected to our isp with a firewall
and NAT rules in place, but that shouldn't matter should it?

Not sure if this means anything, but I'm not able to use the proxy when I
specify it in my browser's preferences anymore. I used to be able to fine
before I followed the squid tutorial, but now I get an Access Denied page
from squid.

>
>
>Amos

Thanks for the help thus far. I'm gonna keep looking into it. Do you have
any other ideas?

-Chris
___________________________
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY 12303
518-836-2341
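
A check for the rp_filter settings discussed in this message, as an added example that is not part of the original post: the kernel applies the larger of conf/all/rp_filter and conf/<interface>/rp_filter, so the script reports the effective value per interface. The function names and the optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# For source validation the kernel uses max(conf/all/rp_filter,
# conf/<iface>/rp_filter), so an interface is only unfiltered when both are 0.

# effective_rp_filter CONF_DIR IFACE
# Prints the value the kernel would apply on IFACE. A missing file counts as 0.
effective_rp_filter() {
    conf_dir=$1
    iface=$2
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$conf_dir/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# rp_filter_report [CONF_DIR]
# Prints one line per interface; returns 1 if any interface is still filtered.
# CONF_DIR defaults to the live tree; a constructed tree can be passed instead.
rp_filter_report() {
    report_dir=${1:-/proc/sys/net/ipv4/conf}
    status=0
    for d in "$report_dir"/*/; do
        name=$(basename "$d")
        # "all" and "default" are templates, not real interfaces.
        case $name in
            all|default) continue ;;
        esac
        eff=$(effective_rp_filter "$report_dir" "$name")
        if [ "$eff" -eq 0 ]; then
            echo "$name: rp_filter off"
        else
            echo "$name: rp_filter effective=$eff (still filtering)"
            status=1
        fi
    done
    return $status
}
```

Calling rp_filter_report with no argument reads /proc/sys/net/ipv4/conf on the running system.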