Search squid archive

Re: Fwd: New to FreeBSD, Squid experiencing request loops

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 25/08/2014 12:37 p.m., orientalsniper wrote:
> Hello all, I'm having the same problem as this guy:
> 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-transparent-proxy-with-one-nic-access-denied-problem-td4664881.html
> 
> When I try to access a website I get a Access Denied by Squid message
> and in the access.log I see I'm getting a forwarding loop error.
> 
> But we have different network setup and he's using Ubuntu. I'm running Squid 3.4
> 
> I'm running 2 VM's: 1 for pfSense and the other for FreeBSD (nginx + squid)
> 
> I have the following network:
> WAN1 + WAN2 in pfSense
> 10.0.0.1/24 (LAN1 in pfSense)
> 10.1.0.1/24 (LAN2 in pfSense)
> 10.2.0.1/24 (LAN3 in pfSense) ----> (connecting to nginx+squid[10.2.0.2] VM)
> 

What is nginx in the mix for?
 and what is pfSense doing?
 where are the NATs happening? **


** you must have at least three layers of NAT for that described setup
to work:
  clients-->10.2.0.2 (for delivery to nginx)
  10.2.0.2:80 -> 10.2.0.2:3128 (nginx outgoing MITM capture to Squid)
  127.0.0.1 -> 10.2.0.2
  10.2.0.2 -> Internet

> My squid.conf:

(elided the comments for you so we can read it easier.)

> 
> acl whatismyip dstdomain whatismyip.cc
> http_access allow whatismyip
> 
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl WORK-PC srcdomain 10.1.0.3

10.1.0.3 is not a domain name. It is an IP address. Use src ACL type.

> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> 
> http_access allow localnet
> http_access allow localhost
> 
> http_port 10.2.0.2:3128 intercept
> 
> cache_dir ufs /var/squid/cache/squid 100 16 256
> coredump_dir /var/squid/cache/squid
> 
> refresh_pattern ^ftp:      1440   20%   10080
> refresh_pattern ^gopher:   1440   0%   1440
> refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
> refresh_pattern .      0   20%   4320
> cache_effective_user squid
> cache_effective_group squid
> check_hostnames off
> unique_hostname squidcache
> dns_nameservers 8.8.8.8
> tcp_outgoing_address   127.0.0.1
> 

127.0.0.1 is not a globally routable IP address. Nor can it be NAT'ed to
one. Outgoing traffic from Squid to any other host is guaranteed to fail
delivery.


Amos




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux