Hi.
Yes, you are sure. Squid was build with parameter '--disable-ipv6'. Below you could see the full list of compile options:
# squid -v
Squid Cache: Version 3.5.21
Service Name: squid
configure options: '--prefix=/usr' '--with-logdir=/var/log/squid/' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-default-user=squid' '--disable-ipv6' '--with-filedescriptors=32768' '--enable-default-err-language=Russian' '--enable-err-languages=Russian' '--enable-delay-pools' --enable-ltdl-convenience
Also you could see my hosts-file and configuration file (Thanks Antony Stone for interesting command!):
# more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.177.98 uis-proxy-rop.office.***.corp uis-proxy-rop UIS-PROXY-ROP
# grep ^[^#] /etc/squid/squid.conf
visible_hostname uis-proxy-rop.office.***.corp
httpd_suppress_version_string on
cache_mgr admins@usk.***.ru
error_directory /usr/share/errors/ru
max_filedesc 32768
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
http_port 3128
cache deny all
coredump_dir /var/cache/squid
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=OFFICE --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/uis-proxy-rop.office.***.corp@OFFICE.***.CORP
auth_param negotiate children 500 startup=250 idle=50
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=OFFICE
auth_param ntlm children 80 startup=55 idle=25
auth_param ntlm keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -D squidreader@office.***.corp -w *** -b "DC=office,DC=***,DC=corp" -f "sAMAccountName=%s" -H ldap://UISDC3.office.***.corp -Z -d
auth_param basic children 40 startup=15 idle=10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
external_acl_type memberof children-max=500 children-startup=250 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -K -b "dc=office,dc=***,dc=corp" -D squidreader@office.***.corp -w Qq123456 -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=internet,ou=Универсальные_группы,ou=groups,ou=lpk,dc=office,dc=***,dc=corp))" -H ldap://UISDC3.office.***.corp -Z
acl auth proxy_auth REQUIRED
acl FullAccess external memberof Proxy-access-enable-full
acl SupportAccess external memberof Proxy-access-enable-support
acl UsersAccess external memberof Proxy-access-enable-users
acl JobSearchAccess external memberof Proxy-access-enable-job-search
acl MailAccess external memberof Proxy-access-enable-mail
acl PRMAccess external memberof Proxy-access-enable-PRM
acl unauthorized-elite src "/etc/squid/unauthorized-elite.list"
acl unauthorized src "/etc/squid/unauthorized.list"
acl local_domains dstdomain "/etc/squid/local_domains.list"
acl local_network dst 10.0.0.0/8 # RFC1918 possible internal network
acl local_network dst 172.16.0.0/12 # RFC1918 possible internal network
acl local_network dst 192.168.0.0/16 # RFC1918 possible internal network
acl servers_network src 192.168.177.0/24 192.168.180.0/24
deny_info Error_Terminal.html servers_network
acl Passport_quality url_regex 82.200.22.53/*
acl SKAUT_ADDR dst 193.33.232.232 217.148.217.170
acl SKAUT_PORT port 22424-22436 81
acl VED-declarant_DOMAIN dstdomain .ed2inteh.ctm.ru .nposapfir.ru
acl AutoGraph_DOMAIN dstdomain .m.tk-chel.ru
acl UIS-AUDITMODERN_ADDR src 192.168.177.40
acl clicksys_ru_ADDR dstdomain clicksys.ru
acl miflib_ru_DOMAIN dstdomain .***.miflib.ru
acl education_PRM_DOMAIN dstdomain .***.ispringonline.com
acl webmail_domains dstdomain "/etc/squid/banlist/webmail_domains.list"
acl webmail_urls url_regex "/etc/squid/banlist/webmail_urls.list"
acl mail_domains dstdomain "/etc/squid/banlist/mail_domains.list"
acl mail_urls url_regex "/etc/squid/banlist/mail_urls.list"
deny_info Error_Webmail.html webmail_domains webmail_urls mail_domains mail_urls
acl jobsearch_domains dstdomain "/etc/squid/banlist/jobsearch_domains.list"
deny_info Error_Job.html jobsearch_domains
acl remote dstdomain "/etc/squid/banlist/remote.list"
deny_info Error_Remote.html remote
acl vari dstdomain "/etc/squid/banlist/vari.list"
deny_info Error_Vari.html vari
acl porno dstdomain "/etc/squid/banlist/porno.list"
deny_info Error_Vari.html porno
deny_info Error_Users.html all
http_access allow localhost manager
http_access deny manager
http_access allow local_domains
http_access allow local_network
http_access allow unauthorized-elite
http_access allow Passport_quality
http_access allow SKAUT_ADDR SKAUT_PORT
http_access allow VED-declarant_DOMAIN
http_access allow AutoGraph_DOMAIN
http_access allow UIS-AUDITMODERN_ADDR clicksys_ru_ADDR
http_access allow miflib_ru_DOMAIN
http_access deny unauthorized webmail_domains
http_access deny unauthorized webmail_urls
http_access deny unauthorized mail_domains
http_access deny unauthorized mail_urls
http_access deny unauthorized jobsearch_domains
http_access deny unauthorized remote
http_access deny unauthorized vari
http_access deny unauthorized porno
http_access allow unauthorized
http_access deny servers_network
http_access deny !auth
http_access allow FullAccess
http_access allow MailAccess webmail_domains
http_access allow MailAccess webmail_urls
http_access allow MailAccess mail_domains
http_access allow MailAccess mail_urls
http_access deny all webmail_domains
http_access deny all webmail_urls
http_access deny all mail_domains
http_access deny all mail_urls
http_access allow JobSearchAccess jobsearch_domains
http_access deny all jobsearch_domains
http_access allow SupportAccess vari
http_access deny all vari
http_access allow PRMAccess education_PRM_DOMAIN
http_access deny all remote
http_access deny all porno
http_access allow UsersAccess
http_access deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
I don't use IPv6 on my server and localhost resolve normally.
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:5d:b1:d9:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.177.98/25 brd 192.168.177.127 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:feb1:d900/64 scope link
valid_lft forever preferred_lft forever
# nslookup localhost
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: localhost
Address: 127.0.0.1
# ping -c 1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.051 ms
--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.051/0.051/0.051/0.000 ms
And I tried to execute squidclient without specifying localhost. But I got a mistake again:
# squidclient mgr:info
stub time| WARNING: BCP 177 violation. IPv6 transport forced OFF by build parameters.
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Thu, 13 Oct 2016 02:09:02 GMT
....
Best regards, Misha.
11.10.2016, 14:59, "Amos Jeffries" <squid3@xxxxxxxxxxxxx>:
On 11/10/2016 4:54 p.m., Михаил wrote:
I check version of squid 3.5.21 with my configuration and I faced with a
problem. Early I used in version 3.5.12 this line for connect localhost, but now
it doesn't work.
Order is important. Where you place the rules in squid.conf matters a
lot with regards to whether they are actually useful and do what you
want, or not.
# squid.conf
...
http_access allow localhost manager
http_access deny manager
...
# squidclient -p 3128 -h localhost mgr:info
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Tue, 11 Oct 2016 03:42:54 GMT
...
If I set a full access I could connect to localhost.
# squid.conf
...
http_access allow all
http_access deny manager
...
So what IP address(es) does 'localhost' resolve to?
# squidclient -p 3128 -h localhost mgr:info
stub time| WARNING: BCP 177 violation. IPv6 transport forced OFF by build
parameters.
I know you said in a followup to ignore this. But it may be important.
It shows that squidclient was built with --disable-ipv6, and yet your
system is IPv6-enabled.
The name "localhost" for IPv6-enabled systems is ::1.
A squid binary that is built with --disable-ipv6 will not permit ::1
since it is non-IP4. But it will be recognized as part of "all" IP space.
HTTP/1.1 200 OK
Server: squid
Mime-Version: 1.0
Date: Tue, 11 Oct 2016 03:47:36 GMT
...
What is happend? And what is the right way to connect to cache_management from
localhost?
squidclient defaults to localhost and port 3128 for management access to
Squid. Just use:
squidclient mgr:info
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
