Re: [squid-users] problem with squid 3.3.1 in transparent mode

From: Antony Stone <Antony.Stone_at_squid.open.source.it>
Date: Thu, 12 Jun 2014 16:30:09 +0200

On Thursday 12 June 2014 at 16:26:19, Дмитрий Шиленко wrote:

> in /var/log/squid/cache.log I find: "kid1| WARNING: Forwarding loop
> detected for:"

That was probably due to my suggestion of redirecting to 192.168.0.97 instead
of 127.0.0.1.

You may as well put that back to what it was, and at least get rid of the new
problem :)

> help me out guys =(

Has anyone else got more experience than me of transparent interception, and
can see what might be the problem here?

> Дмитрий Шиленко wrote 12.06.2014 16:56:
> > you guessed it right)))))))
> > I tried using 192.168.0.97 instead of 127.0.0.1 - the same problem: Access
> > Denied =(
> >
> > Antony Stone wrote 12.06.2014 16:16:
> >> On Thursday 12 June 2014 at 14:59:24, Дмитрий Шиленко wrote:
> >>> my network 192.168.0.0/24
> >>
> >> I was looking for rather more detail than that :)
> >>
> >> Let me guess - do I have the following correct?
> >>
> >> You have a single network range 192.168.0.0/24.
> >>
> >> All clients, plus the Squid proxy, are on that network.
> >>
> >> The Squid proxy has two interfaces.
> >>
> >> Its internal interface has address 192.168.0.97
> >>
> >> It has an external interface connected to, and able to reach, the
> >> Internet.
> >>
> >> There is no other router or firewall on your network.
> >>
> >> The default gateway address for all the clients is 192.168.0.97
> >>
> >> Tell us whether the above is correct or not.
> >>
> >>> requests are getting transparently sent to the proxy via a rule in "ipnat" ->
> >>> rdr bge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3129
> >>> To switch to transparent mode I add the "http_port 127.0.0.1:3129" string
> >>> in squid.conf
> >>
> >> Try using the address of the interface (which I believe to be
> >> 192.168.0.97) instead of 127.0.0.1.
> >>
> >>> Antony Stone wrote 12.06.2014 15:52:
> >>> > On Thursday 12 June 2014 at 14:43:33, Дмитрий Шиленко wrote:
> >>> >> When I switch squid to transparent proxy mode - it blocks access to all
> >>> >> sites:
> >>> >>
> >>> >> "When you receive a URL http://putty.org/ following error occurred
> >>> >> Access denied.
> >>> >> Access control system does not allow to fulfill your request now.
> >>> >> Contact your administrator.
> >>> >> Your cache administrator: webmaster. "
> >>> >>
> >>> >> switch to normal mode - everything works fine.
> >>> >
> >>> > What's your networking setup? How are the requests getting
> >>> > transparently sent
> >>> > to the proxy?
> >>> >
> >>> > What are you doing to switch between normal and transparent mode:
> >>> > - on the proxy server
> >>> > - on any firewall / router
> >>> > - on the client/s
> >>> > - anywhere else
> >>> >
> >>> >> SQUID 3,3,11
> >>> >> config here:
> >>> >> acl localnet src 192.168.0.0/24 # RFC1918 possible internal network #
> >>> >> acl SSL_ports port 443
> >>> >> acl Safe_ports port 80 # http
> >>> >> acl Safe_ports port 21 # ftp
> >>> >> acl Safe_ports port 443 # https
> >>> >> acl Safe_ports port 70 # gopher
> >>> >> acl Safe_ports port 210 # wais
> >>> >> acl Safe_ports port 1025-65535 # unregistered ports
> >>> >> acl Safe_ports port 280 # http-mgmt
> >>> >> acl Safe_ports port 488 # gss-http
> >>> >> acl Safe_ports port 591 # filemaker
> >>> >> acl Safe_ports port 777 # multiling http
> >>> >> acl CONNECT method CONNECT
> >>> >>
> >>> >> acl AdminsIP src "/usr/local/etc/squid/AccessLists/AdminsIP.txt"
> >>> >> acl RestrictedDomains dstdomain "/usr/local/etc/squid/AccessLists/RestrictedDomains.txt"
> >>> >> acl ad_group_rassh urlpath_regex -i "/usr/local/etc/squid/AccessLists/rasshirenie.txt"
> >>> >>
> >>> >> http_access allow localhost
> >>> >> http_access deny !Safe_ports
> >>> >> # Deny CONNECT to other than SSL ports
> >>> >> http_access deny CONNECT !SSL_ports
> >>> >>
> >>> >> http_access allow localhost
> >>> >> http_access allow AdminsIP
> >>> >> http_access deny RestrictedDomains
> >>> >> http_access deny ad_group_rassh
> >>> >> http_access allow localnet
> >>> >> http_access deny all
> >>> >> icp_access allow localnet
> >>> >> icp_access deny all
> >>> >> htcp_access allow localnet
> >>> >> htcp_access deny all
> >>> >>
> >>> >> http_port 192.168.0.97:3128
> >>> >> http_port 127.0.0.1:3129 intercept
> >>> >> cache deny all
> >>> >> access_log /var/log/squid/access.log squid
> >>> >>
> >>> >> In access.log I found "TCP_MISS"
> >>> >
> >>> > Regards,
> >>> >
> >>> >
> >>> > Antony.

-- 
"A person lives in the UK, but commutes to France daily for work.
He belongs in the UK."
 - From UK Revenue & Customs notice 741, page 13, paragraph 3.5.1
 - http://tinyurl.com/o7gnm4
                                                     Please reply to the list;
                                                           please don't CC me.
Received on Thu Jun 12 2014 - 14:30:18 MDT
