Search squid archive

Re: Squid versions and FreeBSD-10.1 headache

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 16:53, Amos Jeffries <squid3@xxxxxxxxxxxxx>
> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
>>> On 23 January 2015 at 16:40, Amos Jeffries
>>> <squid3@xxxxxxxxxxxxx> wrote:
>>> 
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>> 
>>>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
>>>>> On 23 January 2015 at 16:07, Amos Jeffries 
>>>>> <squid3@xxxxxxxxxxxxx> wrote:
>>>>> 
>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>> 
>>>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>>>>>>> 
>>>>>>> Once more. You CANNOT have neither web-server nor
>>>>>>> other service with listening port 80 on the same host
>>>>>>> as transparent Squid proxy. This is one and only reason
>>>>>>> you have looping.
>>>>>>> 
>>>>>> 
>>>>>> That is not correct. It can be done, but depends on how
>>>>>> the firewall operates and what ruleset is used.
>>>>>> 
>>>>>> One has to intercept traffic transiting the machine, but 
>>>>>> ignore traffic destined *to* or *from* the local
>>>>>> machines running processes.
>>>>>> 
>>>>>>> Look. On my transparent 3.4.11 (which was early 2.7) 
>>>>>>> IPFilter redirects 80 port to proxy. My web server on
>>>>>>> the same host listens only 8080, 8088 and 8888 ports.
>>>>>>> No one service except NAT is using 80 port.
>>>>>>> 
>>>>>>> And finally I have no looping 4 years.
>>>>>>> 
>>>>>>> Obvious, is it?
>>>>>>> 
>>>>>> 
>>>>>> Maybe there was, maybe there wasn't.
>>>>>> 
>>>>>> Squid-2.7 ignored a lot of NAT related errors and even 
>>>>>> silently did some Very Bad Things(tm) - none of which 
>>>>>> Squid-3.2+ will allow to happen anymore.
>>>>>> 
>>>>>> 
>>>>>> Odhiambo: I suspect it might be related to your use of
>>>>>> "rdr" firewall rules. In OpenBSD PF at least rdr rules do
>>>>>> not work properly and divert-to rules needs to be used
>>>>>> instead (divert-to can be used for either TPROXY or NAT
>>>>>> Squid listening ports on BSD).
>>>>>> 
>>>>> 
>>>>> 
>>>>> I am thinking Squid-3.2+ is evil :-)
>>>>> 
>>>>> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v
>>>>> And my IPFilter rules are here:
>>>>> http://pastebin.com/JQ77X01H
>>>>> 
>>>>> I need to figure out why squid is DENYing all access ..
>>>>> 
>>>> 
>>>> Can you update me on what the squid -v output is from the
>>>> Squid build you are having issues with pleae?
>>>> 
>>>> Amos
>>>> 
>>> 
>>> root@mail:/usr/src # /opt/squid35/sbin/squid -v Squid Cache: 
>>> Version 3.5.1-20150120-r13736 Service Name: squid configure 
>>> options:  '--prefix=/opt/squid35'
>>> '--enable-removal-policies=lru heap' '--disable-epoll'
>>> '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
>>> '--enable-external-acl-helpers=session unix_group file_userip'
>>> '--enable-auth-negotiate=kerberos' '--with-pthreads'
>>> '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
>>> '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
>>> '--enable-cache-digests' '--enable-wccpv2' 
>>> '--enable-follow-x-forwarded-for' '--with-large-files' 
>>> '--enable-large-cache-files' '--enable-esi' '--enable-kqueue' 
>>> '--enable-icap-client' '--enable-kill-parent-hack'
>>> '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd' 
>>> '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics' 
>>> '--enable-stacktraces' '--enable-zph-qos' '--enable-eui' 
>>> '--enable-pf-transparent' 'CC=clang' 'CXX=clang++' 
>>> --enable-ltdl-convenience
>>> 
>> 
>> Okay. Can you explicitly add --disable-ipf-transparent -
>> --disable-ipfw-transparent and see if that helps.
>> 
>> Also in squid.conf adding debugs_options ALL,1 89,9  will show
>> just the NAT lookup results where things are going wrong.
>> 
> 
> So, before I recompile, we can look at the debug output:
> 
> 2015/01/23 17:07:45| storeLateRelease: released 0 objects 
> 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: 
> me/client= 192.168.2.254:13128, destination/me=
> 192.168.2.115:58632 2015/01/23 17:07:46.959| Intercept.cc(293)
> PfInterception: address NAT divert-to: local=192.168.2.254:13128
> remote=192.168.2.115:58632 FD 14 flag s=33


Arggg..   Add --with-nat-devpf to your build options in FreeBSD.

http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUwlu0AAoJELJo5wb/XPRjUnIH/3Y60zIs+2VCRy5SBONGopQa
lYn+c735DrbL8bgeyNiWHzRL+Uo6djE8ou9tqBeAaoJ0mrNJ7znONPib65Y9gcSD
fv3apNi59GL+U5/lUK7dSF3zBYwx9CVVg0CFeVzb9hbrHGFPMtt8qtKK553861kL
BWTXWVt3zHJo9RIsrPdyZxvPu0QcW3l+IM5zMDpPX6jTesCZjtEfr6x30j5VPDzF
CWSj1OA1gYX2j9O+aoQwMc2X72J55XbZNtBhtRJNEFVO71NDKd2h2mGHbp0e3qaf
BI8Ki0GEEofWHizk40Bw3obCVwLwjGn6+UdoxAZqzn4AcXDTT75dzCQBfTdqFgs=
=nKS1
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux