Seems like Amos gave you many things to see the result in...
Eliezer
On 04/06/2011 12:08, Amos Jeffries wrote:
On 04/06/11 09:16, MrNicholsB wrote:
Ok, I've had squid3 running rock solid for months. I recently migrated
from Ubuntu 9 to 10.04 and now Squid is clearly not caching, but traffic
IS passing through it. My conf is the same as it was before but now I'm
getting an error on cache.log every time squid gets a request. Any help
would be great, I'm sure it's something simple I'm just not seeing... THANK
YOU!!
ERRORs from cache.log
==============================
2011/06/03 13:57:32| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST)
failed: (92) Protocol not available
You have a http_port configured with "transparent" or "intercept".
Telling Squid to lookup NAT for the IP details.
It is being sent traffic which apparently never went through NAT.
Your access.log will contain lies about what client IP was making the
request. *THIS IS BAD*. Your squid.conf is making you vulnerable to
security attack CVE-2009-0801
Solution:
* pick a random port number for the NAT-to-Squid packet arrival. Use
a second port for regular proxy requests.
* follow the config details for iptables "mangle" table:
http://wiki.squid-cache.org/ConfigExamples/LinuxDnat
=======================
#squid.conf
visible_hostname central.server
http_port 3128 transparent
icp_port 0
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 127.0.0.1
cache_swap_low 95
cache_swap_high 98
access_log /var/log/squid3/access.log
cache_mem 2048 MB
memory_pools on
maximum_object_size_in_memory 50 MB
log_icp_queries off
cache_mgr Admin@xxxxxxxxxxxx
cache_dir ufs /var/spool/squid3 20000 32 256
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl our_networks src 10.10.1.0/24
acl localnet src 127.0.0.1/255.255.255.255
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl SSL_ports port 443
acl Safe_ports port 21 # ftp
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
http_access allow our_networks
http_access allow localnet
"our_networks" and "localnet" both mean "LAN" in Squid terminology.
They are the same, one is the Squid-2 default ACL name, one is the
Squid-3 default naming.
Though you have configured "localnet" to mean IPv4-only localhost.
You could alter the localhost definition to mean that.
http_access allow CONNECT wuCONNECT our_networks
http_access allow windowsupdate our_networks
The windows update config is only necessary when you have enabled
features such as authentication which Windows update cannot handle.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access allow all
"allow all" in a proxy which intercepts traffic is amazingly unsafe.
Since I'm tired of repeating myself day after day about what these
default ACL actually mean and why breaking the defaults is BAD...
Please read http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls
In short:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
Notice how this is almost exactly the upstream default configuration.
The only change you have needed is to define the LAN IP range ACL.
Amos
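As an added illustration, not code from the thread or from Squid itself, the following Python models Squid's first-match http_access evaluation over the ruleset as posted and over Amos's recommended ordering, using the ACL definitions from the posted squid.conf and a few constructed requests. It shows that the order of the lines, not only the final allow/deny, decides who gets through: with "allow our_networks" first, LAN clients reach the cache manager and CONNECT to any port, and with "allow all" last, anything that is not from the LAN is let in.

```python
import ipaddress
# ACL definitions from the posted squid.conf, limited to the ACL types it uses.
ACLS = {
    "all": ("all", []),  # Squid's built-in match-anything ACL
    "localhost": ("src", ["127.0.0.1/32"]),
    "localnet": ("src", ["127.0.0.1/32"]),  # as posted: really just localhost
    "our_networks": ("src", ["10.10.1.0/24"]),
    "manager": ("proto", ["cache_object"]),
    "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(21, 21), (80, 80), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "wuCONNECT": ("dstdomain", ["www.update.microsoft.com"]),
    "windowsupdate": ("dstdomain", ["windowsupdate.microsoft.com", ".update.microsoft.com"]),
}
# The http_access lines as posted and as Amos recommends, each as (action, terms).
POSTED = [("allow", ["our_networks"]), ("allow", ["localnet"]),
          ("allow", ["CONNECT", "wuCONNECT", "our_networks"]), ("allow", ["windowsupdate", "our_networks"]),
          ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localhost"]),
          ("allow", ["manager", "localhost"]), ("deny", ["manager"]), ("allow", ["all"])]
RECOMMENDED = [("allow", ["manager", "localhost"]), ("deny", ["manager"]), ("deny", ["!Safe_ports"]),
               ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["our_networks"]), ("allow", ["localhost"]),
               ("deny", ["all"])]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and all its subdomains
        return any(req["host"] == v or v.startswith(".") and req["host"].endswith(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return kind == "all" or req[kind] in values  # "all", "method", "proto"

def http_access(rules, req):
    # First-match semantics: a line matches when every term matches ("!" negates a term)
    # and the first matching line decides; with no match, the opposite of the last action.
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed requests: a client outside the LAN; a LAN client asking for the cache manager; LAN CONNECT to port 22.
SAMPLES = {
    "outsider GET": {"src": "203.0.113.9", "host": "example.org", "port": 80, "method": "GET", "proto": "http"},
    "LAN cache_object": {"src": "10.10.1.25", "host": "example.org", "port": 80, "method": "GET", "proto": "cache_object"},
    "LAN CONNECT :22": {"src": "10.10.1.25", "host": "example.org", "port": 22, "method": "CONNECT", "proto": "http"},
}
if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:17} posted={http_access(POSTED, req):5} recommended={http_access(RECOMMENDED, req)}")
```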