Re: [squid-users] Squid not working for me

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 08 Jan 2008 03:32:43 +1300

Dave Coventry wrote:
> AAaaargh! Sorry, I meant to reply to the list, but that doesn't seem
> to be the default. Sorry.
>
>
> Amos,
>
> Many thanks for the reply; I had almost given up!
>
> On Jan 7, 2008 12:52 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>> So this is a webserver accelerator too?
>> Think about adding defaultsite= option to cope with the many broken web
>> clients that may be accessing your server.
>
> The main requirement is for some kind of control over the user's
> browsing habits.
>
>> This port is also the cause of your problem. You are running squid as a
>> non-privileged user. To access a special port <1024 you MUST run squid
>> as root and let it drop down to unprivileged by itself at the right times.
>
> Yes it is being started as root with /etc/init.d/squid restart, or by
> the boot sequence.
>
>
> The line http_port 192.168.60:80 vhost vport=8080 has a typo, which I
> have since corrected.
>
> In fact I have been researching this quite extensively and have tried
> a number of different configurations of squid.conf without success so
> far.
>
> My squid.conf now looks like this:
>
> visible_hostname Base
> acl IQNetwork src 192.168.60.0/24
> acl all src 0.0.0.0/0.0.0.0
> http_access allow IQNetwork
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
>> Please use Squid 2.6STABLE17 or 3.0STABLE1.
>> There are serious security advisories out on all earlier releases.
>
> I have downloaded and recompiled Squid2.6.STABLE17 as part of the
> ongoing effort to get it working, but still no joy.
>
> My iptables look like this:
>
> root@Base:/home/dave# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere anywhere tcp
> dpt:www to:192.168.60.254:3128

> DNAT tcp -- anywhere anywhere tcp
> dpt:https to:192.168.60.254:3128

The current releases of squid do not support HTTPS transparently.
There is only an experimental patch waiting for 3.1 called SSLBump which
is supposed to handle that sort of thing.

> DNAT tcp -- anywhere anywhere tcp
> dpt:3128 to:192.168.60.254:3128
> DNAT tcp -- anywhere anywhere tcp
> dpt:webcache to:192.168.60.254:3128
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE 0 -- 192.168.60.0/24 anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> But still no joy....

Does squid have port 80 outbound without going through the redirect?
what does cache.log say? (usually .../logs/cache.log)

Amos

-- 
Please use Squid 2.6STABLE17 or 3.0STABLE1.
There are serious security advisories out on all earlier releases.
Received on Mon Jan 07 2008 - 07:32:29 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:04 MST