Using intercept mode with port 3129:

[root@prd-rbs-squid01-poa squid]# cat /etc/squid/squid.conf | egrep -v "^#|^$"
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
…
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_port 3128
http_port 3129 intercept
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
[root@prd-rbs-squid01-poa squid]#

[root@prd-rbs-squid01-poa ~]# systemctl restart squid
[root@prd-rbs-squid01-poa squid]# systemctl start squid
[root@prd-rbs-squid01-poa squid]# cat cache.log
2017/05/18 15:22:29 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:22:29 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2017/05/18 15:22:29 kid1| Service Name: squid
2017/05/18 15:22:29 kid1| Process ID 6592
2017/05/18 15:22:29 kid1| Process Roles: worker
2017/05/18 15:22:29 kid1| With 16384 file descriptors available
2017/05/18 15:22:29 kid1| Initializing IP Cache...
2017/05/18 15:22:29 kid1| DNS Socket created at [::], FD 6
2017/05/18 15:22:29 kid1| DNS Socket created at 0.0.0.0, FD 8
2017/05/18 15:22:29 kid1| Adding domain RBS.NET from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Adding domain rbs.com.br from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Adding nameserver 10.236.68.62 from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Adding nameserver 10.1.1.40 from /etc/resolv.conf
2017/05/18 15:22:29 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/05/18 15:22:29 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/05/18 15:22:29 kid1| Unlinkd pipe opened on FD 14
2017/05/18 15:22:29 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/05/18 15:22:29 kid1| Store logging disabled
2017/05/18 15:22:29 kid1| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2017/05/18 15:22:29 kid1| Target number of buckets: 1402
2017/05/18 15:22:29 kid1| Using 8192 Store buckets
2017/05/18 15:22:29 kid1| Max Mem size: 262144 KB
2017/05/18 15:22:29 kid1| Max Swap size: 102400 KB
2017/05/18 15:22:29 kid1| Rebuilding storage in /var/spool/squid (dirty log)
2017/05/18 15:22:29 kid1| Using Least Load store dir selection
2017/05/18 15:22:29 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:22:29 kid1| Finished loading MIME types and icons.
2017/05/18 15:22:29 kid1| HTCP Disabled.
2017/05/18 15:22:29 kid1| Squid plugin modules loaded: 0
2017/05/18 15:22:29 kid1| Adaptation support is off.
2017/05/18 15:22:29 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 17 flags=9
2017/05/18 15:22:29 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 18 flags=41
2017/05/18 15:22:29 kid1| Done reading /var/spool/squid swaplog (3 entries)
2017/05/18 15:22:29 kid1| Finished rebuilding storage from disk.
2017/05/18 15:22:29 kid1| 2 Entries scanned
2017/05/18 15:22:29 kid1| 0 Invalid entries.
2017/05/18 15:22:29 kid1| 0 With invalid flags.
2017/05/18 15:22:29 kid1| 1 Objects loaded.
2017/05/18 15:22:29 kid1| 0 Objects expired.
2017/05/18 15:22:29 kid1| 0 Objects cancelled.
2017/05/18 15:22:29 kid1| 0 Duplicate URLs purged.
2017/05/18 15:22:29 kid1| 1 Swapfile clashes avoided.
2017/05/18 15:22:29 kid1| Took 0.01 seconds ( 91.36 objects/sec).
2017/05/18 15:22:29 kid1| Beginning Validation Procedure
2017/05/18 15:22:29 kid1| Completed Validation Procedure
2017/05/18 15:22:29 kid1| Validated 1 Entries
2017/05/18 15:22:29 kid1| store_swap_size = 12.00 KB
2017/05/18 15:22:30 kid1| storeLateRelease: released 0 objects
[root@prd-rbs-squid01-poa squid]# netstat -nap | grep -i squid
tcp6 0 0 :::3128 :::* LISTEN 6592/(squid-1)
tcp6 0 0 :::3129 :::* LISTEN 6592/(squid-1)
udp 0 0 0.0.0.0:50868 0.0.0.0:* 6592/(squid-1)
udp6 0 0 :::55754 :::* 6592/(squid-1)
unix 3 [ ] STREAM CONNECTED 73819 6592/(squid-1)
unix 2 [ ] DGRAM 72824 6590/squid
[root@prd-rbs-squid01-poa squid]#

[root@prd-rbs-squid02-poa ~]# /mnt/bin/Linux/proxy3520_3129.sh
…
[root@prd-rbs-squid02-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 27 packets, 1754 bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4 packets, 240 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
Chain PROXYSQUID (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 189.76.144.0/20
0 0 RETURN all -- * * 0.0.0.0/0 189.76.156.190
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.240.64.11:3129
[root@prd-rbs-squid02-poa ~]# rm zabbix-release-3.0-1.el7.noarch.rpm*
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm’? y
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm.1’? y
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm.2’? y
rm: remove regular file ‘zabbix-release-3.0-1.el7.noarch.rpm.3’? y
…
[root@prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm -e use_proxy=yes -e http_proxy=10.240.64.11:3128
--2017-05-18 15:23:57-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Connecting to 10.240.64.11:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 11416 (11K) [application/x-redhat-package-manager]
Saving to: ‘zabbix-release-3.0-1.el7.noarch.rpm’

100%[=======================================================================================================================================>] 11,416 --.-K/s in 0s

2017-05-18 15:23:58 (194 MB/s) - ‘zabbix-release-3.0-1.el7.noarch.rpm’ saved [11416/11416]
…
[root@prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
--2017-05-18 15:24:16-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Resolving repo.zabbix.com (repo.zabbix.com)... 162.243.159.138
Connecting to repo.zabbix.com (repo.zabbix.com)|162.243.159.138|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-05-18 15:24:16 ERROR 403: Forbidden.
…
[root@prd-rbs-squid02-poa ~]# curl -v http://www.google.com
* About to connect() to www.google.com port 80 (#0)
* Trying 216.58.222.68...
* Connected to www.google.com (216.58.222.68) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.5.20
< Mime-Version: 1.0
< Date: Thu, 18 May 2017 18:24:23 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3707
< X-Squid-Error: ERR_ACCESS_DENIED 0
…
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from prd-rbs-squid01-poa.rbs.com.br
< X-Cache-Lookup: MISS from prd-rbs-squid01-poa.rbs.com.br:3128
< X-Cache: MISS from prd-rbs-squid01-poa.rbs.com.br
< X-Cache-Lookup: MISS from prd-rbs-squid01-poa.rbs.com.br:3128
< Via: 1.1 prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20), 1.1 prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)
< Connection: keep-alive
…
</head><body id=ERR_ACCESS_DENIED>
…
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://www.google.com/">http://www.google.com/</a></p>
<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>
<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
<p>Your cache administrator is <a href="mailto:root?subject=CacheErrorInfo%20-%20ERR_ACCESS_DENIED&body=CacheHost%3A%20prd-rbs-squid01-poa.rbs.com.br%0D%0AErrPage%3A%20ERR_ACCESS_DENIED%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Thu,%2018%20May%202017%2018%3A24%3A23%20GMT%0D%0A%0D%0AClientIP%3A%2010.240.64.11%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.29.0%0D%0AAccept%3A%20*%2F*%0D%0AVia%3A%201.1%20prd-rbs-squid01-poa.rbs.com.br%20(squid%2F3.5.20)%0D%0AX-Forwarded-For%3A%2010.240.64.12%0D%0ACache-Control%3A%20max-age%3D259200%0D%0AConnection%3A%20keep-alive%0D%0AHost%3A%20www.google.com%0D%0A%0D%0A%0D%0A">root</a>.</p>
…
<br>
</div>
<hr>
<div id="footer">
<p>Generated Thu, 18 May 2017 18:24:23 GMT by prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>
…
* Connection #0 to host www.google.com left intact
[root@prd-rbs-squid02-poa ~]#
…
[root@prd-rbs-squid02-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 238 packets, 21830 bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 48 packets, 4956 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 257 bytes)
…
pkts bytes target prot opt in out source destination
2 120 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
…
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain POSTROUTING (policy ACCEPT 6 packets, 377 bytes)
…
pkts bytes target prot opt in out source destination
Chain PROXYSQUID (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 189.76.144.0/20
0 0 RETURN all -- * * 0.0.0.0/0 189.76.156.190
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
2 120 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.240.64.11:3129
[root@prd-rbs-squid02-poa ~]#

[root@prd-rbs-squid01-poa squid]# tail -f /var/log/squid/access.log
1495131838.333 470 10.240.64.12 TCP_SWAPFAIL_MISS/200 11868 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_DIRECT/162.243.159.138 application/x-redhat-package-manager
1495131856.340 0 10.240.64.11 TCP_MISS/403 4352 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_NONE/- text/html
1495131856.340 0 10.240.64.12 TCP_MISS/403 4517 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - ORIGINAL_DST/10.240.64.11 text/html
1495131863.177 0 10.240.64.11 TCP_MISS/403 4147 GET http://www.google.com/ - HIER_NONE/- text/html
1495131863.177 3 10.240.64.12 TCP_MISS/403 4312 GET http://www.google.com/ - ORIGINAL_DST/10.240.64.11 text/html

When I add iptables NAT rules on the Squid server I get Service Unavailable / ERR_CONNECT_FAIL 111.

[root@prd-rbs-squid01-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 11682 packets, 1002K bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2631 packets, 243K bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 150 packets, 11353 bytes)
…
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 150 packets, 11353 bytes)
…
pkts bytes target prot opt in out source destination
[root@prd-rbs-squid01-poa ~]# cat /root/squid.sh
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
iptables -F -t nat
iptables -X -t nat
# your proxy IP
SQUIDIP=10.240.64.11
# your proxy listening port
SQUIDPORT=3129
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
[root@prd-rbs-squid01-poa ~]# /root/squid.sh
[root@prd-rbs-squid01-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 13 packets, 1777 bytes)
…
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.240.64.11 0.0.0.0/0 tcp dpt:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.240.64.11:3129
Chain INPUT (policy ACCEPT 6 packets, 885 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
[root@prd-rbs-squid01-poa ~]# netstat -nap | grep -i squid
tcp6 0 0 :::3128 :::* LISTEN 6592/(squid-1)
tcp6 0 0 :::3129 :::* LISTEN 6592/(squid-1)
udp 0 0 0.0.0.0:50868 0.0.0.0:* 6592/(squid-1)
udp6 0 0 :::55754 :::* 6592/(squid-1)
unix 3 [ ] STREAM CONNECTED 73819 6592/(squid-1)
unix 2 [ ] DGRAM 72824 6590/squid
[root@prd-rbs-squid01-poa ~]# systemctl stop squid
[root@prd-rbs-squid01-poa ~]# rm /var/log/squid/* -f
…
[root@prd-rbs-squid01-poa ~]# systemctl start squid
[root@prd-rbs-squid01-poa ~]# cat /var/log/squid/cache.log
2017/05/18 15:34:48 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:34:48 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2017/05/18 15:34:48 kid1| Service Name: squid
2017/05/18 15:34:48 kid1| Process ID 8435
2017/05/18 15:34:48 kid1| Process Roles: worker
2017/05/18 15:34:48 kid1| With 16384 file descriptors available
2017/05/18 15:34:48 kid1| Initializing IP Cache...
2017/05/18 15:34:48 kid1| DNS Socket created at [::], FD 6
2017/05/18 15:34:48 kid1| DNS Socket created at 0.0.0.0, FD 8
2017/05/18 15:34:48 kid1| Adding domain RBS.NET from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Adding domain rbs.com.br from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Adding nameserver 10.236.68.62 from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Adding nameserver 10.1.1.40 from /etc/resolv.conf
2017/05/18 15:34:48 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2017/05/18 15:34:48 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2017/05/18 15:34:48 kid1| Unlinkd pipe opened on FD 14
2017/05/18 15:34:48 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/05/18 15:34:48 kid1| Store logging disabled
2017/05/18 15:34:48 kid1| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2017/05/18 15:34:48 kid1| Target number of buckets: 1402
2017/05/18 15:34:48 kid1| Using 8192 Store buckets
2017/05/18 15:34:48 kid1| Max Mem size: 262144 KB
2017/05/18 15:34:48 kid1| Max Swap size: 102400 KB
2017/05/18 15:34:48 kid1| Rebuilding storage in /var/spool/squid (dirty log)
2017/05/18 15:34:48 kid1| Using Least Load store dir selection
2017/05/18 15:34:48 kid1| Set Current Directory to /var/spool/squid
2017/05/18 15:34:48 kid1| Finished loading MIME types and icons.
2017/05/18 15:34:48 kid1| HTCP Disabled.
2017/05/18 15:34:48 kid1| Squid plugin modules loaded: 0
2017/05/18 15:34:48 kid1| Adaptation support is off.
2017/05/18 15:34:48 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 17 flags=9
2017/05/18 15:34:48 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 18 flags=41
2017/05/18 15:34:48 kid1| Done reading /var/spool/squid swaplog (4 entries)
2017/05/18 15:34:48 kid1| Finished rebuilding storage from disk.
2017/05/18 15:34:48 kid1| 2 Entries scanned
2017/05/18 15:34:48 kid1| 0 Invalid entries.
2017/05/18 15:34:48 kid1| 0 With invalid flags.
2017/05/18 15:34:48 kid1| 1 Objects loaded.
2017/05/18 15:34:48 kid1| 0 Objects expired.
2017/05/18 15:34:48 kid1| 0 Objects cancelled.
2017/05/18 15:34:48 kid1| 0 Duplicate URLs purged.
2017/05/18 15:34:48 kid1| 1 Swapfile clashes avoided.
2017/05/18 15:34:48 kid1| Took 0.01 seconds ( 91.74 objects/sec).
2017/05/18 15:34:48 kid1| Beginning Validation Procedure
2017/05/18 15:34:48 kid1| Completed Validation Procedure
2017/05/18 15:34:48 kid1| Validated 1 Entries
2017/05/18 15:34:48 kid1| store_swap_size = 12.00 KB
2017/05/18 15:34:49 kid1| storeLateRelease: released 0 objects

[root@prd-rbs-squid02-poa ~]# /mnt/bin/Linux/proxy3520_80.sh
…
[root@prd-rbs-squid02-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 8 packets, 594 bytes)
…
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
…
pkts bytes target prot opt in out source destination
Chain PROXYSQUID (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 RETURN all -- * * 0.0.0.0/0 189.76.144.0/20
0 0 RETURN all -- * * 0.0.0.0/0 189.76.156.190
0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.240.64.11:80
…
[root@prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm -e use_proxy=yes -e http_proxy=10.240.64.11:3128
--2017-05-18 15:35:16-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Connecting to 10.240.64.11:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 11416 (11K) [application/x-redhat-package-manager]
Saving to: ‘zabbix-release-3.0-1.el7.noarch.rpm.1’
…
100%[=======================================================================================================================================>] 11,416 --.-K/s in 0s

2017-05-18 15:35:16 (193 MB/s) - ‘zabbix-release-3.0-1.el7.noarch.rpm.1’ saved [11416/11416]
…
[root@prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
--2017-05-18 15:35:25-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
…
Resolving repo.zabbix.com (repo.zabbix.com)... 162.243.159.138
Connecting to repo.zabbix.com (repo.zabbix.com)|162.243.159.138|:80... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2017-05-18 15:35:25 ERROR 503: Service Unavailable.
…
[root@prd-rbs-squid02-poa ~]# curl -v http://www.google.com
* About to connect() to www.google.com port 80 (#0)
* Trying 216.58.222.68...
* Connected to www.google.com (216.58.222.68) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< Server: squid/3.5.20
< Mime-Version: 1.0
< Date: Thu, 18 May 2017 18:35:42 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3586
< X-Squid-Error: ERR_CONNECT_FAIL 111
…
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from prd-rbs-squid01-poa.rbs.com.br
< X-Cache-Lookup: MISS from prd-rbs-squid01-poa.rbs.com.br:3128
< Via: 1.1 prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)
< Connection: keep-alive
…
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2016 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
…
</head><body id=ERR_CONNECT_FAIL>
…
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://www.google.com/">http://www.google.com/</a></p>
<blockquote id="error">
<p><b>Connection to 10.240.64.11 failed.</b></p>
</blockquote>
<p id="sysmsg">The system returned: <i>(111) Connection refused</i></p>
<p>The remote host or network may be down. Please try the request again.</p>
<p>Your cache administrator is <a href="mailto:root?subject=CacheErrorInfo%20-%20ERR_CONNECT_FAIL&body=CacheHost%3A%20prd-rbs-squid01-poa.rbs.com.br%0D%0AErrPage%3A%20ERR_CONNECT_FAIL%0D%0AErr%3A%20(111)%20Connection%20refused%0D%0ATimeStamp%3A%20Thu,%2018%20May%202017%2018%3A35%3A42%20GMT%0D%0A%0D%0AClientIP%3A%2010.240.64.12%0D%0AServerIP%3A%20www.google.com%0D%0A%0D%0AHTTP%20Request%3A%0D%0AGET%20%2F%20HTTP%2F1.1%0AUser-Agent%3A%20curl%2F7.29.0%0D%0AAccept%3A%20*%2F*%0D%0AHost%3A%20www.google.com%0D%0A%0D%0A%0D%0A">root</a>.</p>
…
<br>
</div>
<hr>
<div id="footer">
<p>Generated Thu, 18 May 2017 18:35:42 GMT by prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)</p>
<!-- ERR_CONNECT_FAIL -->
</div>
</body></html>
…
* Connection #0 to host www.google.com left intact

[root@prd-rbs-squid02-poa ~]# telnet 10.240.64.11 80
Trying 10.240.64.11...
Connected to 10.240.64.11.
Escape character is '^]'.
www.google.com.br
…
HTTP/1.1 400 Bad Request
Server: squid/3.5.20
Mime-Version: 1.0
Date: Thu, 18 May 2017 18:36:12 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 4083
X-Squid-Error: ERR_INVALID_REQ 0
…
</head><body id=ERR_INVALID_REQ>
…
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p><b>Invalid Request</b> error was encountered while trying to process the request:</p>
<blockquote id="data">
<pre>www.google.com.br
</pre>
</blockquote>
…
<p>Some possible problems are:</p>
<ul>
<li id="missing-method"><p>Missing or unknown request method.</p></li>
<li id="missing-url"><p>Missing URL.</p></li>
<li id="missing-protocol"><p>Missing HTTP Identifier (HTTP/1.0).</p></li>
<li><p>Request is too large.</p></li>
<li><p>Content-Length missing for POST or PUT requests.</p></li>
…
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
<li><p>HTTP/1.1 <q>Expect:</q> feature is being asked from an HTTP/1.0 software.</p></li>
</ul>
<p>Your cache administrator is <a
href="mailto:root?subject=CacheErrorInfo%20-%20ERR_INVALID_REQ&body=CacheHost%3A%20prd-rbs-squid01-poa.rbs.com.br%0D%0AErrPage%3A%20ERR_INVALID_REQ%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Thu,%2018%20May%202017%2018%3A36%3A12%20GMT%0D%0A%0D%0AClientIP%3A%2010.240.64.12%0D%0A%0D%0AHTTP%20Request%3A%0D%0A%0D%0A%0D%0A">root</a>.</p>
<br>
</div>
<script language="javascript">
if ('[unknown method]' != '[unknown method]') document.getElementById('missing-method').style.display = 'none';
if ('error:invalid-request' != '[no URL]') document.getElementById('missing-url').style.display = 'none';
if ('[unknown protocol]' != '[unknown protocol]') document.getElementById('missing-protocol').style.display = 'none';
</script>
<hr>
<div id="footer">
<p>Generated Thu, 18 May 2017 18:36:12 GMT by prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)</p>
<!-- ERR_INVALID_REQ -->
</div>
</body></html>
Connection closed by foreign host.
…
[root@prd-rbs-squid02-poa ~]#

[root@prd-rbs-squid01-poa ~]# tail -f /var/log/squid/access.log
1495132516.589 414 10.240.64.12 TCP_SWAPFAIL_MISS/200 11868 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_DIRECT/162.243.159.138 application/x-redhat-package-manager
1495132525.592 1 10.240.64.12 TCP_MISS/503 4275 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - ORIGINAL_DST/10.240.64.11 text/html
1495132542.412 4 10.240.64.12 TCP_MISS/503 4037 GET http://www.google.com/ - ORIGINAL_DST/10.240.64.11 text/html
1495132572.097 0 10.240.64.12 TAG_NONE/400 4518 NONE error:invalid-request - HIER_NONE/- text/html
^C
[root@prd-rbs-squid01-poa ~]#
[root@prd-rbs-squid01-poa ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 1302 packets, 114K bytes)
…
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.240.64.11 0.0.0.0/0 tcp dpt:80
3 180 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.240.64.11:3129
Chain INPUT (policy ACCEPT 300 packets, 26683 bytes)
…
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 14 packets, 983 bytes)
…
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
…
pkts bytes target prot opt in out source destination
14 983 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
[root@prd-rbs-squid01-poa ~]#
[root@prd-rbs-squid01-poa ~]# curl -v http://www.google.com
…
* About to connect() to www.google.com port 80 (#0)
* Trying 172.217.30.4...
* Connected to www.google.com (172.217.30.4) port 80 (#0)
…
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: http://www.google.com.br/?gws_rd=cr&ei=wuodWZinJcmZwgTciKb4Bg
…
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Date: Thu, 18 May 2017 18:41:06 GMT
…
< Server: gws
< Content-Length: 262
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=103=WzsmeICIbXNm_Pvj9tvsdijmqA-NgEXXDYt9Oiso971cJhOyXiM3GEjVwZNUxKs4QorVs9P_07jwWkPk6LhbODbhNPdchdTiTpMXh_ZIFpRKDPERbxD3w46bOVl_CngR; expires=Fri, 17-Nov-2017 18:41:06 GMT; path=/; domain=.google.com; HttpOnly
…
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com.br/?gws_rd=cr&ei=wuodWZinJcmZwgTciKb4Bg">here</A>.
…

I am missing something here... Please help!!! Thanks.
Rogério Ceni Coelho
Infrastructure Engineer
IT and Telecom Directorate - Grupo RBS
Phone: +55 (51) 3218-6983
Mobile: +55 (51) 8186-2933 Claro
Mobile: +55 (51) 8050-4225 Vivo
rogerio.coelho@xxxxxxxxxxxxxxx
http://www.gruporbs.com.br

-----Original Message-----
From: Rogerio Coelho
Sent: Wednesday, 24 May 2017 17:11
To: 'squid-users@xxxxxxxxxxxxxxxxxxxxx' <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept

On my new Squid server running 3.5.20 on CentOS 7 I tried to use it in many different ways. When I use wget or Firefox with the http_proxy configuration, web access works fine. But when I try to access the web using an iptables redirect from the Linux server I get Bad Request / Invalid URL. When I use http_port 3329 intercept mode I get Forbidden.
[root@prd-rbs-squid01-poa ~]# yum install squid -y
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
epel/x86_64/metalink | 38 kB 00:00:00
epel | 4.3 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
zabbix | 951 B 00:00:00
zabbix-non-supported | 951 B 00:00:00
(1/2): epel/x86_64/updateinfo | 798 kB 00:00:05
(2/2): epel/x86_64/primary_db | 4.7 MB 00:00:25
Loading mirror speeds from cached hostfile
* base: centos.brnet.net.br
* epel: mirror.globo.com
* extras: centos.brnet.net.br
* updates: centos.xpg.com.br
Resolving Dependencies
--> Running transaction check
---> Package squid.x86_64 7:3.5.20-2.el7_3.3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
squid x86_64 7:3.5.20-2.el7_3.3 updates 3.1 M

Transaction Summary
================================================================================
Install 1 Package

Total download size: 3.1 M
Installed size: 10 M
Downloading packages:
squid-3.5.20-2.el7_3.3.x86_64.rpm | 3.1 MB 00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 7:squid-3.5.20-2.el7_3.3.x86_64 1/1
Verifying : 7:squid-3.5.20-2.el7_3.3.x86_64 1/1

Installed:
squid.x86_64 7:3.5.20-2.el7_3.3

Complete!
[root@prd-rbs-squid01-poa ~]# systemctl enable squid
Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
[root@prd-rbs-squid01-poa ~]# systemctl start squid [root@prd-rbs-squid01-poa ~]# cat /var/log/squid/cache.log 2017/05/18 14:59:57 kid1| Set Current Directory to /var/spool/squid 2017/05/18 14:59:57 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu... 2017/05/18 14:59:57 kid1| Service Name: squid 2017/05/18 14:59:57 kid1| Process ID 3051 2017/05/18 14:59:57 kid1| Process Roles: worker 2017/05/18 14:59:57 kid1| With 16384 file descriptors available 2017/05/18 14:59:57 kid1| Initializing IP Cache... 2017/05/18 14:59:57 kid1| DNS Socket created at [::], FD 6 2017/05/18 14:59:57 kid1| DNS Socket created at 0.0.0.0, FD 8 2017/05/18 14:59:57 kid1| Adding domain RBS.NET from /etc/resolv.conf 2017/05/18 14:59:57 kid1| Adding domain rbs.com.br from /etc/resolv.conf 2017/05/18 14:59:57 kid1| Adding nameserver 10.236.68.62 from /etc/resolv.conf 2017/05/18 14:59:57 kid1| Adding nameserver 10.1.1.40 from /etc/resolv.conf 2017/05/18 14:59:57 kid1| Logfile: opening log daemon:/var/log/squid/access.log 2017/05/18 14:59:57 kid1| Logfile Daemon: opening log /var/log/squid/access.log 2017/05/18 14:59:57 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec 2017/05/18 14:59:57 kid1| Store logging disabled 2017/05/18 14:59:57 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects 2017/05/18 14:59:57 kid1| Target number of buckets: 1008 2017/05/18 14:59:57 kid1| Using 8192 Store buckets 2017/05/18 14:59:57 kid1| Max Mem size: 262144 KB 2017/05/18 14:59:57 kid1| Max Swap size: 0 KB 2017/05/18 14:59:57 kid1| Using Least Load store dir selection 2017/05/18 14:59:57 kid1| Set Current Directory to /var/spool/squid 2017/05/18 14:59:57 kid1| Finished loading MIME types and icons. 2017/05/18 14:59:57 kid1| HTCP Disabled. 2017/05/18 14:59:57 kid1| Squid plugin modules loaded: 0 2017/05/18 14:59:57 kid1| Adaptation support is off. 
2017/05/18 14:59:57 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 11 flags=9 2017/05/18 14:59:58 kid1| storeLateRelease: released 0 objects Linux Server Client ( Centos 7 ) ( Same Network of Squid Server ) : [root@prd-rbs-squid02-poa ~]# /mnt/bin/Linux/proxy3520.sh [root@prd-rbs-squid02-poa ~]# iptables -L -n -v -t nat Chain PREROUTING (policy ACCEPT 32 packets, 2146 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 7 packets, 528 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0 0 PROXYSQUID tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain PROXYSQUID (2 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/16 0 0 RETURN all -- * * 0.0.0.0/0 189.76.144.0/20 0 0 RETURN all -- * * 0.0.0.0/0 189.76.156.190 0 0 RETURN all -- * * 0.0.0.0/0 172.16.0.0/12 0 0 RETURN all -- * * 0.0.0.0/0 10.0.0.0/8 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 to:10.240.64.11:3128 [root@prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm -e use_proxy=yes -e http_proxy=10.240.64.11:3128 --2017-05-18 15:03:18-- http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm Connecting to 10.240.64.11:3128... connected. Proxy request sent, awaiting response... 
200 OK
Length: 11416 (11K) [application/x-redhat-package-manager]
Saving to: 'zabbix-release-3.0-1.el7.noarch.rpm'

100%[==========================================>] 11,416      --.-K/s   in 0s

2017-05-18 15:03:18 (297 MB/s) - 'zabbix-release-3.0-1.el7.noarch.rpm' saved [11416/11416]

[root@prd-rbs-squid02-poa ~]# wget http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
--2017-05-18 15:03:27--  http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
Resolving repo.zabbix.com (repo.zabbix.com)... 162.243.159.138
Connecting to repo.zabbix.com (repo.zabbix.com)|162.243.159.138|:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2017-05-18 15:03:27 ERROR 400: Bad Request.

[root@prd-rbs-squid02-poa ~]# curl -v http://www.google.com
* About to connect() to www.google.com port 80 (#0)
*   Trying 216.58.222.68...
* Connected to www.google.com (216.58.222.68) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: squid/3.5.20
< Mime-Version: 1.0
< Date: Thu, 18 May 2017 18:03:37 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3556
< X-Squid-Error: ERR_INVALID_URL 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from prd-rbs-squid01-poa.rbs.com.br
< X-Cache-Lookup: NONE from prd-rbs-squid01-poa.rbs.com.br:3128
< Via: 1.1 prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)
< Connection: close
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2016 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!--
/*
 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
/*
 Stylesheet for Squid Error pages
 Adapted from design by Free CSS Templates
 http://www.freecsstemplates.org
 Released for free under a Creative Commons Attribution 2.5 License
*/
/* Page basics */
* { font-family: verdana, sans-serif; }
html body { margin: 0; padding: 0; background: #efefef; font-size: 12px; color: #1e1e1e; }
/* Page displayed title area */
#titles { margin-left: 15px; padding: 10px; padding-left: 100px; background: url('/squid-internal-static/icons/SN.png') no-repeat left; }
/* initial title */
#titles h1 { color: #000000; }
#titles h2 { color: #000000; }
/* special event: FTP success page titles */
#titles ftpsuccess { background-color:#00ff00; width:100%; }
/* Page displayed body content area */
#content { padding: 10px; background: #ffffff; }
/* General text */
p { }
/* error brief description */
#error p { }
/* some data which may have caused the problem */
#data { }
/* the error message received from the system or other software */
#sysmsg { }
pre { font-family:sans-serif; }
/* special event: FTP / Gopher directory listing */
#dirmsg { font-family: courier; color: black; font-size: 10pt; }
#dirlisting { margin-left: 2%; margin-right: 2%; }
#dirlisting tr.entry td.icon,td.filename,td.size,td.date { border-bottom: groove; }
#dirlisting td.size { width: 50px; text-align: right; padding-right: 5px; }
/* horizontal lines */
hr { margin: 0; }
/* page displayed footer area */
#footer { font-size: 9px; padding-left: 10px; }
body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
:lang(he) { direction: rtl; }
--></style>
</head><body id=ERR_INVALID_URL>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="/">/</a></p>
<blockquote id="error">
<p><b>Invalid URL</b></p>
</blockquote>
<p>Some aspect of the requested URL is incorrect.</p>
<p>Some possible problems are:</p>
<ul>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or similar)</p></li>
<li><p>Missing hostname</p></li>
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
</ul>
<p>Your cache administrator is <a href="mailto:root?subject=CacheErrorInfo%20-%20ERR_INVALID_URL&body=CacheHost%3A%20prd-rbs-squid01-poa.rbs.com.br%0D%0AErrPage%3A%20ERR_INVALID_URL%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Thu,%2018%20May%202017%2018%3A03%3A37%20GMT%0D%0A%0D%0AClientIP%3A%2010.240.64.12%0D%0A%0D%0AHTTP%20Request%3A%0D%0A%0D%0A%0D%0A">root</a>.</p>
<br>
</div>
<hr>
<div id="footer">
<p>Generated Thu, 18 May 2017 18:03:37 GMT by prd-rbs-squid01-poa.rbs.com.br (squid/3.5.20)</p>
<!-- ERR_INVALID_URL -->
</div>
</body></html>
* Closing connection 0
[root@prd-rbs-squid02-poa ~]#

[root@prd-rbs-squid01-poa ~]# tail -f /var/log/squid/access.log
1495130446.581    439 10.240.64.12 TCP_MISS/200 11869 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_DIRECT/162.243.159.138 application/x-redhat-package-manager
1495130598.008      0 10.240.64.12 TCP_MEM_HIT/200 11877 GET http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_NONE/- application/x-redhat-package-manager
1495130607.437      0 10.240.64.12 TAG_NONE/400 4111 GET /zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm - HIER_NONE/- text/html
1495130617.581      0 10.240.64.12 TAG_NONE/400 3991 GET / - HIER_NONE/- text/html

I will send more in a reply to this email because of the size of this email.
Rogério Ceni Coelho
Engenheiro de Infraestrutura – Infrastructure Engineer
Diretoria de TI e Telecom - Grupo RBS
Phone: +55 (51) 3218-6983
Mobile: +55 (51) 8186-2933 Claro
Mobile: +55 (51) 8050-4225 Vivo
rogerio.coelho@xxxxxxxxxxxxxxx
http://www.gruporbs.com.br

This message and any attachments are exclusively for the use of the addressee and may contain privileged and confidential information. If the reader of this message is not the addressee, nor an authorized representative of the addressee, you are hereby notified that any disclosure of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

-----Original Message-----
From: Rogerio Coelho
Sent: Wednesday, May 24, 2017 17:03
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept

Hi Squid Jedis,

I am just a little stuck trying to replace an old Squid 3.1.23 server on CentOS 6 that I use to redirect local web access on port 80 from Linux servers to the Squid server.
On my Squid 3.1.23 server on CentOS 6 I use http_port 3128 in transparent mode, and on my Linux server clients I use iptables to redirect web traffic as below (this config works):

Squid Server 3.1.23:

[root@leli squid]# cat squid.conf | egrep -v "^#|^$"
acl default_ip req_header x-forward -i "/ipt/SQUID/default/ip"
acl default_url dstdom_regex -i "/ipt/SQUID/default/url"
acl default_ip2 srcdom_regex -i "/ipt/SQUID/default/ip"
http_access allow default_ip default_url
acl endereco req_header x-forward -i "/ipt/SQUID/libera/ip"
http_access allow endereco
acl all_ip req_header x-forward -i "/ipt/SQUID/all/ip"
acl all_url dstdom_regex -i "/ipt/SQUID/all/url"
acl all_ip2 srcdom_regex -i "/ipt/SQUID/all/ip"
http_access allow all_url
acl all src all
acl manager proto cache_object
acl from_localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl GIT_PORT port 9418 # git
acl CONNECT method CONNECT
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21 # ftp
acl GIT_PORT2 port 9418 # git
http_access allow manager from_localhost
http_access deny manager
http_access allow GIT_PORT2
http_access deny !Safe_ports
http_access allow CONNECT GIT_PORT
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow from_localhost
http_access deny all
http_port 3128 transparent
https_port 3129 transparent intercept cert=/ipt/SQUID/https/squid.crt key=/ipt/SQUID/https/squid.key
hierarchy_stoplist cgi-bin ?
emulate_httpd_log on
logformat squid %tg %6tr %>a %{x-forward}>h %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
access_log syslog:local0.info squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
acl QUERY urlpath_regex .*
cache deny QUERY
acl apache rep_header Server ^Apache
acl FS_TESTE srcdom_regex -i "/ipt/SQUID/puppet/ip2"
cache_mgr tecnologiaseguranca@xxxxxxxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/spool/squid
maximum_object_size 0 KB
minimum_object_size 0 KB
no_cache deny all
deny_info 172.20.63.73 webapp_ip

[root@leli ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 46M packets, 3068M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@leli ~]#

Linux server clients (CentOS 5, 6 and 7):

[root@montana rules]# cat proxy2.sh
#!/bin/bash
IPTBIN=$(which iptables)
$IPTBIN -t nat -F
$IPTBIN -t nat -X
#SQUID
$IPTBIN -A OUTPUT -s 10.240.68.68 -p tcp --sport 3128 -j ACCEPT
#PROXY
$IPTBIN -t nat -N PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 80 -j PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 443 -j PROXYSQUID
$IPTBIN -t nat -A PROXYSQUID -d 192.168.0.0/16 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.144.0/20 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.156.190 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 172.16.0.0/12 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 10.0.0.0/8 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -p tcp -j DNAT --to-destination=10.240.68.68:3128

[root@montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:10.240.68.68:3128

[root@montana rules]# curl -v www.google.com
* About to connect() to www.google.com port 80
*   Trying 216.58.222.68... * connected
* Connected to www.google.com (216.58.222.68) port 80
> GET / HTTP/1.1
User-Agent: curl/7.12.1 (i686-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: www.google.com
Pragma: no-cache
Accept: */*

< HTTP/1.0 302 Moved Temporarily
< Location: http://www.google.com.br/?gws_rd=cr&ei=FtwdWdaDMYm0wQSWwZ24Ag
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Date: Thu, 18 May 2017 17:38:30 GMT
< Server: gws
< Content-Length: 262
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=103=Vdks002SayhLjRhSWr_ETgZR2-0Hngh7ci-McE8fBhw6vDhAENt6JxWkTKtPKWen7HL-KYjiSNg9lwXnjSCejhv1va4yIUhPpMDYZ-mK4uDb9FQldR1zp3Y1RiOwx4jX; expires=Fri, 17-Nov-2017 17:38:30 GMT; path=/; domain=.google.com; HttpOnly
< X-Cache: MISS from leli.rbs.com.br
< X-Cache-Lookup: MISS from leli.rbs.com.br:3128
< Via: 1.0 leli.rbs.com.br (squid/3.1.23)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com.br/?gws_rd=cr&ei=FtwdWdaDMYm0wQSWwZ24Ag">here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
* Closing connection #0

[root@montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:10.240.68.68:3128
[root@montana rules]#

On my new Squid server running 3.5.20 on CentOS 7 I have tried many different ways but had no success. I will send my steps in a new reply email in a few minutes because of the email size. Sorry about all this log information.

Rogério Ceni Coelho
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
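Editor's added example, not code from the thread or from the Squid project. In the logs above, the client hosts DNAT outbound port-80 connections to 10.240.64.11:3128, which the new server only declares as a plain forward-proxy port. An intercepted connection carries an origin-form request line ("GET / HTTP/1.1") rather than an absolute URL, and a Squid 3.5 forward-proxy port rejects that with ERR_INVALID_URL, which is exactly the "TAG_NONE/400 GET /" entries in access.log. Intercepted traffic must land on an http_port declared with the intercept flag. The script below prints the client-side nat rules pointed at such a listener, checks a squid.conf for that flag on the target port, and counts the bare-path requests that reveal interception hitting the wrong port. The proxy address and port 3129 are taken from the thread; the squid.conf fragment and log lines are constructed sample data. One caveat from the Squid documentation that this script does not fix: an intercept port recovers the original destination from the Squid host's own NAT table, so Squid expects the DNAT or REDIRECT to be done on the Squid box itself; when the rewrite happens on a remote client, as here, that lookup fails and Squid has to fall back to the Host header.

```shell
#!/usr/bin/env bash
# Added example (editor's, not from the thread). Helpers for checking that
# DNAT'd client traffic is sent to a Squid *intercept* listener, plus a
# detector for the failure mode seen in the thread (bare-path requests
# logged as TAG_NONE/400 on a forward-proxy port).
# 10.240.64.11 and port 3129 come from the thread; all sample data is constructed.

# Print (do not apply) the nat rules a client host needs. Only port 80 is
# redirected: an http_port ... intercept listener speaks plain HTTP, so
# port 443 must not be sent to it (that needs an https_port intercept
# listener with SSL bump configured, as the old 3.1 setup had).
gen_redirect_rules() {
    proxy_ip="$1"; proxy_port="$2"
    shift 2                      # remaining args: destination CIDRs to bypass
    echo "iptables -t nat -N PROXYSQUID"
    # Traffic to the proxy itself must never be rewritten, otherwise the
    # DNAT'd connection would match this chain again on the proxy host.
    echo "iptables -t nat -A PROXYSQUID -d $proxy_ip -j RETURN"
    for net in "$@"; do
        echo "iptables -t nat -A PROXYSQUID -d $net -j RETURN"
    done
    echo "iptables -t nat -A PROXYSQUID -p tcp -j DNAT --to-destination $proxy_ip:$proxy_port"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j PROXYSQUID"
}

# Read squid.conf on stdin; succeed only if port $1 is declared as an
# intercept http_port. Run it against the port used in the DNAT rule.
port_is_intercept() {
    port="$1"
    grep -Eq "^http_port[[:space:]]+([^[:space:]]*:)?${port}[[:space:]]+(.*[[:space:]])?intercept([[:space:]]|$)"
}

# Read Squid native-format access.log lines on stdin and count requests
# whose URL field (7th column) is a bare path. A DNAT'd request arriving
# on a non-intercept port has no absolute URL Squid can reconstruct, so it
# is logged as e.g. "GET / ..." with TAG_NONE/400, as in the thread.
count_misdirected() {
    awk '$7 ~ /^\// { n++ } END { print n + 0 }'
}

# Constructed sample data modeled on the thread's output (not real logs).
SAMPLE_CONF='http_port 3128
http_port 3129 intercept'

SAMPLE_LOG='1495130446.581 439 10.240.64.12 TCP_MISS/200 11869 GET http://repo.example/pkg.rpm - HIER_DIRECT/203.0.113.10 application/x-rpm
1495130607.437 0 10.240.64.12 TAG_NONE/400 4111 GET /pkg.rpm - HIER_NONE/- text/html
1495130617.581 0 10.240.64.12 TAG_NONE/400 3991 GET / - HIER_NONE/- text/html
1495130650.100 12 10.240.64.12 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.20 -'

main() {
    echo "# client-side rules (apply on the Linux clients, not on the Squid host):"
    gen_redirect_rules 10.240.64.11 3129 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    if printf '%s\n' "$SAMPLE_CONF" | port_is_intercept 3129; then
        echo "# port 3129 is an intercept listener: OK to DNAT to it"
    fi
    if ! printf '%s\n' "$SAMPLE_CONF" | port_is_intercept 3128; then
        echo "# port 3128 is a forward-proxy port: do not DNAT to it"
    fi
    echo "# bare-path (misdirected) requests in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_misdirected)"
}

main
```

Feed the real files in place of the samples: `port_is_intercept 3129 < /etc/squid/squid.conf` on the proxy, and `count_misdirected < /var/log/squid/access.log` to see how many intercepted requests are still arriving on the wrong port after the client rules are changed.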