Yep, they are mutually exclusive.

23.01.2015 21:29, Odhiambo Washington writes:
>
> On 23 January 2015 at 17:33, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> > On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
> > > On 23 January 2015 at 16:53, Amos Jeffries <squid3@xxxxxxxxxxxxx>
> > > wrote:
> > >
> > >> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
> > >>> On 23 January 2015 at 16:40, Amos Jeffries
> > >>> <squid3@xxxxxxxxxxxxx> wrote:
> > >>>
> > >>>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
> > >>>>> On 23 January 2015 at 16:07, Amos Jeffries
> > >>>>> <squid3@xxxxxxxxxxxxx> wrote:
> > >>>>>
> > >>>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> > >>>>>>>
> > >>>>>>> Once more. You CANNOT have a web-server or any other
> > >>>>>>> service listening on port 80 on the same host as a
> > >>>>>>> transparent Squid proxy. This is the one and only reason
> > >>>>>>> you have looping.
> > >>>>>>>
> > >>>>>>
> > >>>>>> That is not correct. It can be done, but depends on how
> > >>>>>> the firewall operates and what ruleset is used.
> > >>>>>>
> > >>>>>> One has to intercept traffic transiting the machine, but
> > >>>>>> ignore traffic destined *to* or *from* the local
> > >>>>>> machine's running processes.
> > >>>>>>
> > >>>>>>> Look. On my transparent 3.4.11 (which was early 2.7)
> > >>>>>>> IPFilter redirects port 80 to the proxy. My web server on
> > >>>>>>> the same host listens only on ports 8080, 8088 and 8888.
> > >>>>>>> No service except NAT is using port 80.
> > >>>>>>>
> > >>>>>>> And finally I have had no looping for 4 years.
> > >>>>>>>
> > >>>>>>> Obvious, is it?
> > >>>>>>>
> > >>>>>>
> > >>>>>> Maybe there was, maybe there wasn't.
> > >>>>>>
> > >>>>>> Squid-2.7 ignored a lot of NAT related errors and even
> > >>>>>> silently did some Very Bad Things(tm) - none of which
> > >>>>>> Squid-3.2+ will allow to happen anymore.
> > >>>>>>
> > >>>>>>
> > >>>>>> Odhiambo: I suspect it might be related to your use of
> > >>>>>> "rdr" firewall rules. In OpenBSD PF at least rdr rules do
> > >>>>>> not work properly and divert-to rules need to be used
> > >>>>>> instead (divert-to can be used for either TPROXY or NAT
> > >>>>>> Squid listening ports on BSD).
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>> I am thinking Squid-3.2+ is evil :-)
> > >>>>>
> > >>>>> Anyway, my PF rules are here: http://pastebin.com/pKv1jN2v
> > >>>>> And my IPFilter rules are here:
> > >>>>> http://pastebin.com/JQ77X01H
> > >>>>>
> > >>>>> I need to figure out why squid is DENYing all access ..
> > >>>>>
> > >>>>
> > >>>> Can you update me on what the squid -v output is from the
> > >>>> Squid build you are having issues with please?
> > >>>>
> > >>>> Amos
> > >>>>
> > >>>
> > >>> root@mail:/usr/src # /opt/squid35/sbin/squid -v
> > >>> Squid Cache: Version 3.5.1-20150120-r13736
> > >>> Service Name: squid
> > >>> configure options: '--prefix=/opt/squid35'
> > >>> '--enable-removal-policies=lru heap' '--disable-epoll'
> > >>> '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
> > >>> '--enable-external-acl-helpers=session unix_group file_userip'
> > >>> '--enable-auth-negotiate=kerberos' '--with-pthreads'
> > >>> '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
> > >>> '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
> > >>> '--enable-cache-digests' '--enable-wccpv2'
> > >>> '--enable-follow-x-forwarded-for' '--with-large-files'
> > >>> '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
> > >>> '--enable-icap-client' '--enable-kill-parent-hack'
> > >>> '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd'
> > >>> '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
> > >>> '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
> > >>> '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
> > >>> --enable-ltdl-convenience
> > >>>
> > >>
> > >> Okay. Can you explicitly add --disable-ipf-transparent
> > >> --disable-ipfw-transparent and see if that helps.
> > >>
> > >> Also in squid.conf adding debug_options ALL,1 89,9 will show
> > >> just the NAT lookup results where things are going wrong.
> > >>
> > >
> > > So, before I recompile, we can look at the debug output:
> > >
> > > 2015/01/23 17:07:45| storeLateRelease: released 0 objects
> > > 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
> > > 2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
> > >
> > Arggg.. Add --with-nat-devpf to your build options in FreeBSD.
> >
> > http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4
> >
> > Amos
>
>
> Done that and now, debug shows:
>
> 2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541
> 2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
> 2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58542
> 2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58542 FD 37 flags=33
> 2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58543
> 2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58543 FD 39 flags=33
> 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58544
> 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=196.0.3.114:80 remote=192.168.2.2:58544 FD 51 flags=33
> 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58545
> 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58545 FD 52 flags=33
> 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58546
> 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58546 FD 53 flags=33
> 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58547
> 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58547 FD 54 flags=33
> 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58548
> 2015/01/23 18:15:48.035| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58548 FD 55 flags=33
> 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58549
>
> And the good news is that squid-3.5.1 is now allowing client PCs to browse. Thank you for that.
>
> I still have issues to raise (though my small brain is now so saturated):
>
> Here is what I use:
>
> ./configure --prefix=/opt/squid35 \
> --enable-removal-policies="lru heap" \
> --disable-epoll \
> --enable-auth \
> --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI" \
> --enable-external-acl-helpers="session unix_group file_userip" \
> --enable-auth-negotiate="kerberos" \
> --with-pthreads \
> --enable-storeio="ufs diskd rock aufs" \
> --enable-delay-pools \
> --enable-snmp \
> --with-openssl=/usr \
> --enable-forw-via-db \
> --enable-cache-digests \
> --enable-wccpv2 \
> --enable-follow-x-forwarded-for \
> --with-large-files \
> --enable-large-cache-files \
> --enable-esi \
> --enable-kqueue \
> --enable-icap-client \
> --enable-kill-parent-hack \
> --enable-ssl \
> --enable-leakfinder \
> --enable-ssl-crtd \
> --enable-url-rewrite-helpers \
> --enable-xmalloc-statistics \
> --enable-stacktraces \
> --enable-zph-qos \
> --enable-eui \
> --with-nat-devpf \
> --enable-pf-transparent \
> --enable-ipf-transparent
>
> It seems I have to remove --enable-ipf-transparent otherwise the build fails. I was thinking I could have both --enable-ipf-transparent and --enable-ipf-transparent so that I can be able to use either PF or IPFilter - whichever I want.
>
> Are those two mutually exclusive? When I have the two, the build fails with:
>
> root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736 # gmake
> Making all in compat
> gmake[1]: Entering directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
> depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
> /bin/sh ../libtool --tag=CXX --mode=compile clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc &&\
> mv -f $depbase.Tpo $depbase.Plo
> libtool: compile: clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc -fPIC -DPIC -o .libs/assert.o
> In file included from assert.cc:9:
> In file included from ../include/squid.h:43:
> ../compat/compat.h:49:57: error: expected value in expression
> #if IPF_TRANSPARENT && USE_SOLARIS_IPFILTER_MINOR_T_HACK
>                                                         ^
> 1 error generated.
> Makefile:921: recipe for target 'assert.lo' failed
> gmake[1]: *** [assert.lo] Error 1
> gmake[1]: Leaving directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
> Makefile:567: recipe for target 'all-recursive' failed
> gmake: *** [all-recursive] Error 1
> root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi, KE
> +254733744121/+254722743223
> "I can't hear you -- I'm using the scrambler."
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
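The thread turns on reading the `Intercept.cc` NAT-lookup lines that `debug_options ALL,1 89,9` produces: before `--with-nat-devpf` the `PfInterception` line reported the proxy's own listening socket (`local=192.168.2.254:13128`) instead of the client's real destination, and afterwards it reported the real origin servers on port 80. The following parser, an added example that is not part of the mailing-list thread or of Squid itself, audits a cache.log excerpt for that condition and also for the looping case Amos describes (a recovered destination that points back at the proxy host). The sample log lines are constructed, modelled on the format quoted in the thread; the listener address, the set of proxy host IPs, and the verdict names are assumptions of this example.

```python
"""Audit Squid 'PfInterception' NAT-lookup debug lines for unresolved and
self-directed destinations.  Example code, not part of Squid."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Matches the "Intercept.cc(NNN) PfInterception: address NAT..." lines that
# Squid emits with debug_options 89,9.  The optional " divert-to" marker is
# what the thread's pre---with-nat-devpf log showed.
_PF_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\| Intercept\.cc\(\d+\) PfInterception: address NAT"
    r"(?P<mode>(?: divert-to)?): local=(?P<lip>[0-9.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[0-9.]+):(?P<rport>\d+) FD (?P<fd>\d+) flags=(?P<flags>\d+)"
)


@dataclass
class NatLookup:
    ts: str
    mode: str        # "" or "divert-to"
    local: str       # destination recovered by the NAT lookup
    lport: int
    remote: str      # intercepted client
    rport: int
    fd: int
    verdict: str     # "ok", "unresolved" or "self-directed" (names assumed here)


def parse_line(line: str, listener: str, proxy_ips: Set[str]) -> Optional[NatLookup]:
    """Parse one cache.log line; return None for lines that are not NAT lookups.

    listener  - the intercept port Squid listens on, e.g. "192.168.2.254:13128"
    proxy_ips - every address owned by the proxy host
    """
    m = _PF_LINE.match(line.strip())
    if not m:
        return None
    local, lport = m["lip"], int(m["lport"])
    if f"{local}:{lport}" == listener:
        # The lookup handed back Squid's own socket: the original destination
        # was NOT recovered (the state the thread fixed with --with-nat-devpf).
        verdict = "unresolved"
    elif local in proxy_ips:
        # Destination is another service on the proxy host: the firewall is
        # intercepting traffic meant for local processes, which loops.
        verdict = "self-directed"
    else:
        verdict = "ok"
    return NatLookup(m["ts"], m["mode"].strip(), local, lport,
                     m["rip"], int(m["rport"]), int(m["fd"]), verdict)


def audit(lines: Iterable[str], listener: str, proxy_ips: Set[str]) -> List[NatLookup]:
    """Return every parsed NAT lookup in order, skipping unrelated lines."""
    return [r for r in (parse_line(l, listener, proxy_ips) for l in lines) if r]


def summarize(results: Iterable[NatLookup]) -> dict:
    counts = {"ok": 0, "unresolved": 0, "self-directed": 0}
    for r in results:
        counts[r.verdict] += 1
    return counts


# Constructed sample, modelled on the lines quoted in the thread.  The last
# entry (a destination of 192.168.2.254:8080) is invented to show the
# same-host web-server case.
SAMPLE_LOG = [
    "2015/01/23 17:07:45| storeLateRelease: released 0 objects",
    "2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: "
    "local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33",
    "2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: "
    "local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33",
    "2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: "
    "local=196.0.3.114:80 remote=192.168.2.2:58544 FD 51 flags=33",
    "2015/01/23 18:15:49.000| Intercept.cc(337) PfInterception: address NAT: "
    "local=192.168.2.254:8080 remote=192.168.2.2:58550 FD 60 flags=33",
]

if __name__ == "__main__":
    found = audit(SAMPLE_LOG, "192.168.2.254:13128", {"192.168.2.254"})
    for r in found:
        print(f"{r.ts} {r.remote}:{r.rport} -> {r.local}:{r.lport} [{r.verdict}]")
    print(summarize(found))
```

Run it against a real excerpt by replacing `SAMPLE_LOG` with the lines of `cache.log`; any `unresolved` verdict means the build or PF ruleset is not giving Squid the original destination, and any `self-directed` verdict means the interception rule is catching traffic addressed to the proxy host itself, which the firewall rule should exclude.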