On Tue, 14 Sep 2010 14:09:52 -0400, "Chris Abel" <cabel@xxxxxxxxxxxx> wrote:
> Amos Jeffries <squid3@xxxxxxxxxxxxx> writes:
>>
>> I'm trying to remember how we debugged these issues previously.
>> * It sounds a lot like rp_filter deleting the packets in its
>> anti-spoofing security. A cache.log trace with debug_options 5,9 89,9
>> should show the connections arriving at Squid.
> I've used the following commands to disable rp_filter:
> echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

K. Good for testing. And IIRC you said ipv4 "ip_forward" was set to 1 too.

>
> When I use the debug_options 5,9 89,9 I get nothing but this in my
> cache.log:
> 2010/09/14 13:42:51| comm_call_handlers(): got fd=14 read_event=8
> write_event=8 F->read_handler=0x80d9f40 F->write_handler=(nil)
> 2010/09/14 13:42:51| comm_call_handlers(): Calling read handler on fd=14
> 2010/09/14 13:42:51| commSetSelect: FD 14 type 1
> 2010/09/14 13:42:51| commSetEvents(fd=14)
> 2010/09/14 13:42:51| comm_select: timeout 423
<snip>

Hmm, okay opening the port but no packets arriving. This means the problem is
down in the OS iptables area somewhere.

In the wiki our example sets routing table 100 only on "lo". Does changing
that to "eth0" or "wccp0" make any difference? You can test by creating a
table 100 on all of them individually.

>>
>> * Sometimes it's also due to the wrong libcap version being used, Squid
>> requires libcap2.09 or later to set the socket spoofing privileges. The
>> latest libcap2.x you can get your hands on anyway would be good.
>
> Libcap looks good:
> ii libcap1 1:1.10-14 support for getting/setting POSIX.1e capabilities
> ii libcap2 2.11-2 support for getting/setting POSIX.1e capabilities

That looks fine, assuming that 1.x is still there for other software and
that Squid was built against the 2.x.
>>
>>
>> * I don't think so but there is a chance that any other NAT rules or
>> mangle tables rules might be doing things? either before TPROXY matches,
>> or to the return packets setting up the connection?
> I literally don't have any iptables rules on the proxy server except the
> ones in the tutorial on the squid wiki. The proxy server hangs directly

Good.

> off of the cisco 2811 router. The router sits behind a sonicwall connected
> to our isp with a firewall and NAT rules in place, but that shouldn't
> matter should it?

As long as the sonicwall is on the "outside" away from Squid it should be a
non-issue.

>
> Not sure if this means anything, but I'm not able to use the proxy when I
> specify it in my browser's preferences anymore. I used to be able to fine
> before I followed the squid tutorial, but now I get an Access Denied page
> from squid.

That's good in its own way. Means Squid still received the request. You can
configure two http_port, with one doing the tproxy the other for regular
proxied connections.

Amos
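As an added example, not part of the thread above and not code from the Squid project: a POSIX shell pre-flight check for the kernel-side items Amos walks through (rp_filter on every interface, ip_forward, and the fwmark/table-100 routing the wiki example attaches to "lo"). It takes the root of a /proc tree as a parameter so it can be run against a copied tree as well as the live box, and it prints rather than applies the mangle/route commands so they can be tried per interface (lo, eth0, wccp0) one at a time, as suggested. The function names, the TPROXY_ROOT and TPROXY_DEV variables, and the fake /proc tree used for testing are my own assumptions; the iptables and ip commands are the ones the Squid wiki TPROXY page uses.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): pre-flight checks
# for the kernel-side TPROXY prerequisites discussed above. All names here are
# assumptions of this example. "$root" is a directory holding a /proc tree;
# pass "" for the live system.

# List every interface whose rp_filter is still on. Returns 1 if any is found,
# since rp_filter drops the spoofed-source packets TPROXY relies on. The kernel
# applies the higher of conf/all and the interface's own value, so every entry
# is checked instead of trusting conf/all alone.
check_rp_filter() {
    root="$1"
    bad=0
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "rp_filter=$val on $(basename "$(dirname "$f")")"
            bad=1
        fi
    done
    return $bad
}

# ip_forward must be 1 or intercepted packets are never routed to the socket.
check_ip_forward() {
    f="$1/proc/sys/net/ipv4/ip_forward"
    [ -r "$f" ] || { echo "missing $f"; return 1; }
    [ "$(cat "$f")" = "1" ] || { echo "ip_forward=$(cat "$f")"; return 1; }
}

# Emit, rather than run, the squid wiki mangle/routing setup for one device,
# so each candidate (lo, eth0, wccp0) can be reviewed and tried in turn.
# Port 3129 is assumed to be the tproxy http_port; adjust to your squid.conf.
tproxy_rules() {
    dev="$1"
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev $dev table 100
EOF
}

# Run every check against a /proc root; returns non-zero on any failure.
tproxy_preflight() {
    root="$1"
    rc=0
    check_rp_filter "$root" || rc=1
    check_ip_forward "$root" || rc=1
    return $rc
}

# Stand-alone usage: check the live box, then print the rules for one device.
tproxy_preflight "${TPROXY_ROOT:-}" && echo "kernel prerequisites OK"
tproxy_rules "${TPROXY_DEV:-eth0}"
```

Run it as root on the proxy (or with TPROXY_ROOT pointing at a copied tree) before enabling the tproxy http_port; a clean run plus the debug_options 5,9 89,9 trace still showing no accepted connections narrows the fault to the mangle rules or the return path, which is where the thread leaves it.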