
Re: squid intercept config

Hi All,

Installed squid on CentOS 6.6 and it's working, but my access.log shows all TCP_MISS and no TCP_HIT. The following config:

squid.conf
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept



iptables

# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*nat
:PREROUTING ACCEPT [10:2031]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 147.245.252.13/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Mar 13 16:04:02 2015
# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1818:649971]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3129 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar 13 16:04:02 2015
# Generated by iptables-save v1.4.7 on Fri Mar 13 16:04:02 2015
*mangle
:PREROUTING ACCEPT [68:6199]
:INPUT ACCEPT [68:6199]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3064]
:POSTROUTING ACCEPT [26:3064]
-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
COMMIT
# Completed on Fri Mar 13 16:04:02 2015

 
Accessing sites, shows the IP address of the proxy 147.245.252.13.

Am I missing something in IPTables that it is not caching?


Thanks
Monah
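Added example, not part of the list post: a small Python helper that summarises Squid's native access.log result tags. TCP_MISS and TCP_HIT describe caching (whether Squid served the body from its store or fetched it from the origin), so the fact that the requests appear in access.log at all already shows they are reaching Squid; the cache-hit question has to be answered from the log, not from iptables. The log lines below are constructed samples, and every function name is hypothetical.

```python
"""Added example (not from the list post): summarise Squid native access.log
result codes to separate a caching question from an interception question."""
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log format (not real traffic):
#   timestamp elapsed client result/status bytes method URL user hier/peer type
SAMPLE_LOG = """\
1426262400.123    210 10.0.0.23 TCP_MISS/200 5321 GET http://www.example.org/ - HIER_DIRECT/192.0.2.10 text/html
1426262401.456     12 10.0.0.23 TCP_HIT/200 5321 GET http://www.example.org/logo.png - HIER_NONE/- image/png
1426262402.789    330 10.0.0.23 TCP_MISS/200 812 GET http://www.example.org/api?t=1 - HIER_DIRECT/192.0.2.10 application/json
1426262403.000      1 10.0.0.23 TCP_MEM_HIT/200 5321 GET http://www.example.org/logo.png - HIER_NONE/- image/png
1426262404.111    340 10.0.0.23 TCP_MISS/200 812 GET http://www.example.org/api?t=1 - HIER_DIRECT/192.0.2.10 application/json
1426262405.222     95 10.0.0.23 TCP_REFRESH_UNMODIFIED/200 5321 GET http://www.example.org/ - HIER_DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; returns None for short/garbled lines."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "result": result, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "hier": hier, "peer": peer, "type": f[9]}


def classify(result):
    """hit: body served from cache; revalidated: cached copy confirmed with the
    origin (TCP_REFRESH_*); miss: fetched from the origin. This is a caching
    property and says nothing about how the request reached Squid."""
    if "HIT" in result:
        return "hit"
    if result.startswith("TCP_REFRESH"):
        return "revalidated"
    return "miss"


def summarize(log_text):
    """Count result classes and hierarchy codes (HIER_NONE = answered locally,
    HIER_DIRECT = fetched straight from the origin server)."""
    by_class = Counter()
    by_hier = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_class[classify(rec["result"])] += 1
        by_hier[rec["hier"]] += 1
    total = sum(by_class.values())
    return {"total": total, "by_class": dict(by_class), "by_hier": dict(by_hier),
            "hit_ratio": (by_class["hit"] / total) if total else 0.0}


def repeat_misses(log_text):
    """URLs requested more than once that never produced a hit: the first place
    to look for uncacheable responses (query strings, Cache-Control: no-store)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec["url"]].append(classify(rec["result"]))
    return sorted(u for u, kinds in seen.items()
                  if len(kinds) > 1 and all(k == "miss" for k in kinds))


def diagnose(log_text):
    """Plain-language reading of the summary."""
    s = summarize(log_text)
    notes = []
    if s["total"] and s["by_class"].get("hit", 0) == 0 and s["by_class"].get("revalidated", 0) == 0:
        notes.append("requests reach Squid but nothing is served from cache: "
                     "check cache_dir/cache_mem and response cacheability, not iptables")
    for url in repeat_misses(log_text):
        notes.append(f"repeatedly fetched, never cached: {url}")
    return notes


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for n in diagnose(SAMPLE_LOG):
        print("-", n)
```

Run it against a real access.log with `summarize(open("/var/log/squid/access.log").read())`; a log that is nothing but TCP_MISS with HIER_DIRECT on every line points at cache configuration or uncacheable responses, while the NAT path is already proven by the presence of the client's requests in the log.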

On Fri, Mar 6, 2015 at 11:26 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 6/03/2015 1:19 a.m., Monah Baki wrote:
> Hi all, can anyone verify if this is correct, need to make sure that users
> will be able to access the internet via the squid.
>
> Running FreeBSD with a single interface with Squid-3.5.2
>
> Policy based routing on Cisco with the following:
>
>
> interface GigabitEthernet0/0/1.1
>
> encapsulation dot1Q 1 native
>
> ip address 10.0.0.9 255.255.255.0
>
> no ip redirects
>
> no ip unreachables
>
> ip nat inside
>
> standby 1 ip 10.0.0.10
>
> standby 1 priority 120
>
> standby 1 preempt
>
> standby 1 name HSRP
>
> ip policy route-map CFLOW
>
>
>
> ip access-list extended REDIRECT
>
> deny   tcp host 10.0.0.24 any eq www
>
> permit tcp host 10.0.0.23 any eq www
>
>
>
> route-map CFLOW permit 10
>
> match ip address REDIRECT
> set ip next-hop 10.0.0.24
>
> In my /etc/pf.conf
> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port
> 3129
>
> # block in
> pass in log quick on bge0
> pass out log quick on bge0
> pass out keep state
>
> and finally in my squid.conf:
> http_port 3128
> http_port 3129 intercept
>
>
>
> And for testing purposes from the squid server:
>  ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>
> If I replace -p 3128 with -p 80, I get a access denied, and if I omit the
> -p 3128 completely, I can access the websites.

If you omit the -p entirely squidclient assumes "-p 3128" (the proxy
default listening port), so it works exactly the same as if you had used
-p 3128 explicitly.

If you use -p 80 you also need to change the other parameters so they
generate a port-80 syntax message:
 - the -h with IP or hostname of the remote web server, and
 - the URL parameters being a relative URL, and
 - the -j parameter with Host: header domain name of the server
...
 eg.
 squidclient -h www.freebsd.org -j www.freebsd.org -p 80 /

NP: if your squidclient is too old to support -j, use this instead:
  -H 'Host: www.freebsd.org\n'

 ** this test should work from the squid box without having gone through
the proxy. Only from the client machine should it work *with* NAT
passing it through the proxy.



Using a proxy syntax message sent directly to the proxy receiving port,
or with the proxy as receiving IP on port 80 (NAT'ed to Squid) is a
guaranteed forwarding loop failure.


That doesn't fix your client's issue, but hopefully makes it clear that
the above described test is broken enough to prevent you identifying when
the client issue is fixed if that happens on some change.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
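Added example, not from the thread and not Squid's or squidclient's code: the two request shapes Amos contrasts above (proxy syntax with an absolute URI for `-p 3128`, origin form with a `Host:` header for `-p 80` with `-j`), plus a check for the forwarding loop he warns about, modelled on the Via header that Squid appends to forwarded requests. Function names, the `port_role` labels and the sample hostname `proxy1` are assumptions made for the example.

```python
"""Added example (not from the thread, not Squid's code): the two request shapes
squidclient can send, and a Via-header forwarding-loop check. Hypothetical names."""
from urllib.parse import urlsplit


def build_request(url, proxy_syntax, host_header=None, extra_headers=None):
    """Raw HTTP/1.1 GET in one of two shapes.

    proxy_syntax=True  : absolute-URI request line "GET http://host/path HTTP/1.1",
                         what squidclient -p 3128 sends to the explicit proxy port.
    proxy_syntax=False : origin-form line "GET /path HTTP/1.1" plus a Host: header,
                         what a browser sends to port 80 (squidclient -p 80 -j host /)
                         and what the intercept port expects after NAT.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    target = url if proxy_syntax else path
    headers = {"Host": host_header or parts.netloc,
               "User-Agent": "squidclient-test", "Connection": "close"}
    headers.update(extra_headers or {})
    lines = [f"GET {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def request_shape(raw):
    """'proxy' for an absolute-URI request target, 'origin' for a path-only one."""
    target = raw.split("\r\n", 1)[0].split(" ")[1]
    return "proxy" if "://" in target else "origin"


def header_values(raw, name):
    """All values of a header (case-insensitive name), in order of appearance."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:
        k, _, v = line.partition(":")
        if k.strip().lower() == name.lower():
            out.append(v.strip())
    return out


def via_loop(raw, my_hostname):
    """True when our own hostname is already a received-by entry in Via:.
    Squid adds "Via: 1.1 <unique_hostname> (squid/...)" to what it forwards; a
    request that arrives carrying that entry has been through us before."""
    for value in header_values(raw, "Via"):
        for hop in value.split(","):
            toks = hop.split()          # ["1.1", "host[:port]", "(comment)"]
            if len(toks) >= 2 and toks[1].split(":")[0].lower() == my_hostname.lower():
                return True
    return False


def verdict(raw, port_role, my_hostname):
    """port_role is 'explicit' (e.g. 3128) or 'intercept' (e.g. 3129 behind NAT)."""
    if via_loop(raw, my_hostname):
        return "forwarding loop: request already carries our own Via entry"
    shape = request_shape(raw)
    if port_role == "explicit" and shape == "origin":
        return "origin-form request on the explicit proxy port: send an absolute URI"
    if port_role == "intercept" and shape == "proxy":
        return ("proxy-syntax request on the intercept port: the test was aimed at "
                "the proxy itself and NAT'ed back into it, which loops")
    return "ok"


if __name__ == "__main__":
    good = build_request("http://www.freebsd.org/", proxy_syntax=False,
                         host_header="www.freebsd.org")
    print(good, verdict(good, "intercept", "proxy1"))
```

The origin-form request built here is the one Amos says should succeed from the Squid box itself without touching the proxy (locally generated traffic is not redirected by a PREROUTING rule), and only pass through Squid when sent from a client whose port-80 traffic is NAT'ed.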
