Antony, thank you very much for your answer. I reinstalled Ubuntu and Squid, and I removed the SSL bump configuration, but the problem is not solved. I wrote my answers below. Can you help me?

Antony Stone wrote:
> On Sunday 21 February 2016 at 12:56:03, secoonder wrote:
>
>> My Firewall eth0: 192.168.1.180
>> eth1:192.168.2.180
>
> I'm guessing that eth0 is your route to the Internet, and eth1 points towards
> the clients trying to use Squid?
>
>> ip_forwarding enable and more /proc/sys/net/ipv4/ip_forward =1
>> iptables -t nat -A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth0 -j MASQUERADE
>
> So, there's at least one more router (connecting 192.168.2.180 to
> 192.168.5.0/24) between the clients and Squid...?

/// I'm so sorry. I wrote this part wrong.
iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth1 -j MASQUERADE

>> This is no problem above it. The clients could connect to the Internet.
>
> You mean, they can connect directly without using Squid at all. Okay, so
> network routing is working, at least.

/// Yes.

>> And then i install squid 3.2.11.
>
> Why? That's nearly 3 years old - it dates from April 2013.

// I reinstalled Ubuntu 14.04. I reinstalled Squid 3.3.8.

>> i added iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>> --to-ports 3128 and save it.
>
> Okay, so you are correctly doing the NAT on the machine running Squid.

/// Yes

> Just out of interest, which distribution of Linux are you running on this
> machine, and which version of it?

VERSION="14.04.4 LTS, Trusty Tahr"

>> i redirect successfully 80 port. i see it at tailf
>> /var/log/squid3/access.log
>
> Please show us what gets logged in access.log when a client tries to connect,
> and make sure you tell us what they were trying to connect to.

1456309556.564 196 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
1456309562.527 35947 192.168.80.4 TCP_MISS/200 73551 GET http://www.hurriyet.com.tr/trafik-sigortasinda-yasanan-kaosun-sonuna-gelindi-40059215? - HIER_DIRECT/83.66.162.3 text/html
1456309586.928 514 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
1456309598.768 45 192.168.80.4 TCP_MISS/200 5407 GET http://www.hurriyet.com.tr/_includes/HurriyetTVWidgetEmbedVideoStart.html - HIER_DIRECT/83.66.162.3 text/html
1456309604.236 3997 192.168.80.4 NONE_ABORTED/000 0 OPTIONS http://clicks.hurriyet.com.tr/request - HIER_NONE/- -
1456309616.975 513 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
1456309636.461 37994 192.168.80.4 TCP_MISS/200 1881 GET http://simg.hurriyet.com.tr/img/16/feq/profile_40.jpg? - HIER_DIRECT/83.66.162.127 image/jpeg
1456309636.473 38005 192.168.80.4 TCP_MISS/200 2023 GET http://simg.hurriyet.com.tr/img/ll/3p/profile_40.jpg? - HIER_DIRECT/83.66.162.127 image/jpeg
1456309646.877 204 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
1456309676.578 195 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.177 application/octet-stream
1456309706.928 591 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -

> Also, it would be a good idea to make sure that Squid itself is working before
> trying to add the interception - configure one client to explicitly use the
> proxy on IP 192.168.2.180, and make some requests from that client and make
> sure both that they work, and they show up in Squid's access.log.
>
>> But clients can not internet .
>> My squid3 -k parse...
>
> Please show us your squid.conf file without comments or blank lines.

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localhost
acl sec src 192.168.80.0/24
http_access allow sec
# And finally deny all other access to this proxy
http_access deny all
http_port 3128 intercept
cache_dir ufs /var/spool/squid3 10000 16 256

>> 2016/02/21 14:20:56| Processing: http_port 3128 intercept ssl-bump
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
>
> I strongly recommend that you keep things simple and avoid any SSL bumping
> until the basics are working. Let's get HTTP intercept working first, and then
> you can think about SSL later (oh, and by the way, I saw no NAT rule to
> intercept SSL traffic on port 443 earlier, so I strongly suspect there's nothing
> to get bumped anyway, unless you have explicit proxy configuration in your
> clients).

/// I removed SSL bumping, but the problem was not solved.
cache.log is:

2016/02/24 12:27:16| ERROR: No forward-proxy ports configured.
2016/02/24 12:27:26| ERROR: No forward-proxy ports configured.
2016/02/24 12:27:56| ERROR: No forward-proxy ports configured.
2016/02/24 12:28:29| Logfile: opening log stdio:/var/log/squid3/netdb.state
2016/02/24 12:28:29| Logfile: closing log stdio:/var/log/squid3/netdb.state
2016/02/24 12:28:29| NETDB state saved; 0 entries, 0 msec
2016/02/24 12:29:26| ERROR: No forward-proxy ports configured.
2016/02/24 12:29:56| ERROR: No forward-proxy ports configured.
2016/02/24 12:31:56| ERROR: No forward-proxy ports configured.
2016/02/24 12:33:26| ERROR: No forward-proxy ports configured.
2016/02/24 12:33:56| ERROR: No forward-proxy ports configured.

> Regards,
>
>
> Antony.
>
> --
> "In fact I wanted to be John Cleese and it took me some time to realise that
> the job was already taken."
>
>  - Douglas Adams
>
> Please reply to the list;
> please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Quoted from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-None-Aborted-problem-tp4675901p4676090.html

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-None-Aborted-problem-tp4675901p4676167.html
Sent from the Squid - Users mailing list archive at Nabble.com.
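
An added example (not part of the original message and not Squid project code): a short Python script that parses native-format access.log lines like those posted above, then lists which requests were logged as NONE_ABORTED/000 and which completed requests took longest. The sample is a subset of the poster's excerpt re-joined onto single lines; the function names and the 30-second threshold are assumptions.

```python
from collections import defaultdict

# Subset of the access.log excerpt posted above, re-joined onto single lines.
SAMPLE = """\
1456309556.564 196 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
1456309562.527 35947 192.168.80.4 TCP_MISS/200 73551 GET http://www.hurriyet.com.tr/trafik-sigortasinda-yasanan-kaosun-sonuna-gelindi-40059215? - HIER_DIRECT/83.66.162.3 text/html
1456309586.928 514 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
1456309604.236 3997 192.168.80.4 NONE_ABORTED/000 0 OPTIONS http://clicks.hurriyet.com.tr/request - HIER_NONE/- -
1456309616.975 513 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
1456309636.461 37994 192.168.80.4 TCP_MISS/200 1881 GET http://simg.hurriyet.com.tr/img/16/feq/profile_40.jpg? - HIER_DIRECT/83.66.162.127 image/jpeg
1456309646.877 204 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
"""

def parse(line):
    """Split one native-format access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, status = f[3].split("/", 1)
    return {"elapsed_ms": int(f[1]), "client": f[2], "result": result,
            "status": status, "method": f[5], "url": f[6],
            "hier": f[8].split("/", 1)[0]}

def summarize(text, slow_ms=30000):
    """Return (requests seen as NONE_ABORTED/000, slow completed requests)."""
    outcomes = defaultdict(lambda: defaultdict(int))
    slow = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["method"], rec["url"])
        outcomes[key][f'{rec["result"]}/{rec["status"]}'] += 1
        # Status 000: no HTTP status was sent to the client, so skip those here.
        if rec["status"] != "000" and rec["elapsed_ms"] >= slow_ms:
            slow.append((rec["elapsed_ms"], rec["url"]))
    aborted = {k: dict(v) for k, v in outcomes.items()
               if "NONE_ABORTED/000" in v}
    return aborted, sorted(slow, reverse=True)

if __name__ == "__main__":
    aborted, slow = summarize(SAMPLE)
    for (method, url), counts in aborted.items():
        print(method, url, counts)
    for ms, url in slow:
        print(f"{ms} ms  {url}")
```

On this sample the same POST URL appears both as TCP_MISS/200 and as NONE_ABORTED/000, and two completed GETs took over 30 seconds.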