Hello, I have been looking for a solution to my problem but I can't find one. I have a Squid + dansguardian installation running as a transparent proxy, and something must be wrong in this configuration. The machine runs Debian 7 and works as a router in the local network (local addresses 10.0.0.4 and 10.99.0.1). In the dansguardian log file I see the correct client IP address, but in the squid log file the client address is equal to the router address (10.0.0.4). # tailf /var/log/dansguardian/access.log 2016.11.25 13:52:16 - 10.99.0.98 http://businessclick.b... 10.99.0.98 is the real client address. ~# tailf /var/log/squid/access.log 25/Nov/2016:13:34:08 +0100 1480077248.293 170 10.0.0.4 10.0.0.4 TCP_MISS/200 1004 POST http://ocsp.digic... 10.0.0.4 is not the real client address; it looks like the dansguardian IP. The second address is the '%>a' parameter; I also tried '%>A'. I tried changing the squid and dansguardian listen addresses to 0.0.0.0, but this did not help. I don't know what the reason is. I have the same, older installation on Debian 6 and there it works fine. My client networks are: 10.0.0.0/24 10.99.0.0/24 # squid -v Squid Cache: Version 2.7.STABLE9 configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--with-pthreads' '--enable-async-io' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-carp' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu' # dansguardian -v DansGuardian 2.10.1.1 Built with: '--prefix=/usr' '--enable-clamav=yes' '--enable-clamd=yes' 
'--with-proxyuser=dansguardian' '--with-proxygroup=dansguardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' ~# netstat -ntlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name ... tcp 0 0 10.99.0.1:8080 0.0.0.0:* LISTEN 8478/dansguardian tcp 0 0 10.0.0.4:8080 0.0.0.0:* LISTEN 8478/dansguardian ... tcp 0 0 10.99.0.1:3128 0.0.0.0:* LISTEN 9952/(squid) tcp 0 0 10.0.0.4:3128 0.0.0.0:* LISTEN 9952/(squid) ... # grep -v '^$\|^\s*\#' /etc/squid/squid.conf acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl LAN src 10.0.0.0/24 acl LAN2 src 10.99.0.0/24 acl SSL_ports port 443 # https acl Safe_ports port 80 # http acl purge method PURGE acl CONNECT method CONNECT http_access allow LAN http_access allow LAN2 http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access allow localhost http_access deny all icp_access deny all follow_x_forwarded_for allow localhost http_port 10.0.0.4:3128 transparent http_port 10.99.0.1:3128 transparent tcp_outgoing_address 79.188.96.14 hierarchy_stoplist cgi-bin ? cache_mem 64 MB cache_dir ufs /tmp/squid 100 16 256 logformat squid %tl %ts.%03tu %6tr %la %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt "%{User-Agent}>h" access_log /var/log/squid/access.log squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 
0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320 acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] upgrade_http0.9 deny shoutcast acl apache rep_header Server ^Apache broken_vary_encoding allow apache extension_methods REPORT MERGE MKACTIVITY CHECKOUT hosts_file /etc/hosts coredump_dir /tmp/squid # grep -v '^$\|^\s*\#' /etc/dansguardian/dansguardian.conf reportinglevel = 3 languagedir = '/etc/dansguardian/languages' language = 'polish' loglevel = 2 logexceptionhits = 2 logfileformat = 1 filterip = 10.0.0.4 filterip = 10.99.0.1 filterport = 8080 proxyip = 10.0.0.4 proxyip = 10.99.0.1 proxyport = 3128 accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl' nonstandarddelimiter = on usecustombannedimage = on custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif' filtergroups = 1 filtergroupslist = '/etc/dansguardian/lists/filtergroupslist' bannediplist = '/etc/dansguardian/lists/bannediplist' exceptioniplist = '/etc/dansguardian/lists/exceptioniplist' showweightedfound = on weightedphrasemode = 2 urlcachenumber = 1000 urlcacheage = 900 scancleancache = on phrasefiltermode = 2 preservecase = 0 hexdecodecontent = off forcequicksearch = off reverseaddresslookups = off reverseclientiplookups = off logclienthostnames = off createlistcachefiles = on maxuploadsize = -1 maxcontentfiltersize = 256 maxcontentramcachescansize = 2000 maxcontentfilecachescansize = 20000 filecachedir = '/tmp' deletedownloadedtempfiles = on initialtrickledelay = 20 trickledelay = 10 downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf' downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf' contentscannertimeout = 60 contentscanexceptions = off recheckreplacedurls = off forwardedfor = off usexforwardedfor = off logconnectionhandlingerrors = on logchildprocesshandling = off maxchildren = 120 minchildren = 8 minsparechildren = 4 preforkchildren = 6 maxsparechildren = 32 maxagechildren = 500 maxips 
= 0 ipcfilename = '/tmp/.dguardianipc' urlipcfilename = '/tmp/.dguardianurlipc' ipipcfilename = '/tmp/.dguardianipipc' nodaemon = off nologger = off logadblocks = off loguseragent = off softrestart = off mailer = '/usr/sbin/sendmail -t' # iptables -L -nv -t nat Chain PREROUTING (policy ACCEPT 51435 packets, 3996K bytes) pkts bytes target prot opt in out source destination 11951 590K REDIRECT tcp -- * * 10.0.0.0/24 0.0.0.0/0 tcp dpt:80flags: 0x17/0x02 state NEW redir ports 8080 8453 425K REDIRECT tcp -- * * 10.99.0.0/24 0.0.0.0/0 tcp dpt:80flags: 0x17/0x02 state NEW redir ports 8080 Chain INPUT (policy ACCEPT 57817 packets, 3748K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 54832 packets, 3473K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 21292 packets, 1338K bytes) pkts bytes target prot opt in out source destination 11M 990M MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 Thanks for any help -- Grzegorz Kuczyński |