
Thread: Problems With SQUID Proxy

  1. #1
    Member
    Join Date
    Jun 2006
    Location
    Aveiro, Portugal
    Posts
    37
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Default Problems With SQUID Proxy

    Hi All.
    I'm a researcher at a telecom institute on our university campus, being served internet through our university proxy.
    What I need to do is to set up our own internal proxy to forward all our port 80 connections to port 3128, making it a transparent proxy.
    I've been on tldp and on other posts from nixcraft and they all talk about direct connections, not proxy to proxy connections.

    This is my current squid.conf output:
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    hosts_file /etc/hosts
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    acl lan src 192.168.7.0/255.255.255.0
    http_access allow localhost
    http_access allow lan
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    visible_hostname hng.av.it.pt
    coredump_dir /var/spool/squid
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    acl lan src 192.168.1.1 192.168.2.0/24
    http_access allow localhost
    http_access allow lan


    Thanks, just don't know what to do anymore
    Rick

  2. #2
    Senior Member monk's Avatar
    Join Date
    Jan 2005
    Location
    Tibet
    Posts
    643
    Thanks
    5
    Thanked 43 Times in 38 Posts
    Rep Power
    15

    Default

    It seems that you want to use a nearby proxy (ISP proxy) to save bandwidth or to improve speed. If so, then you need to set up a cache peer for a hierarchy configuration.
    For example, consider the following option (squid.conf):

    Code:
    cache_peer cache.isp.cache.com parent 3128 3130 default
    Where,
    cache.isp.cache.com ISP cache
    parent (see url for more info http://squid.visolve.com/squid/squid24s1/neighbour.htm)
    3128 Proxy port
    3130 ICMP port
    proxy-only (options can be found at above url or in squid.conf)

    But your ISP must provide access to ICMP port 3130 (or whatever is used on that squid proxy).

    If you have more questions reply back.

  3. #3
    Is that all you got? rockdalinux's Avatar
    Join Date
    May 2005
    Location
    Planet Vegeta
    Posts
    987
    Thanks
    27
    Thanked 71 Times in 62 Posts
    Rep Power
    20

    Default

    Hi there,

    My original article's topic was only a single proxy server. Nevertheless, setting up peering is not a big issue.

    Assuming that:
    a) Your Linux Squid proxy1 hostname is proxy1.av.it.pt
    b) Your Linux Squid proxy2 hostname is proxy2.av.it.pt

    Open squid.conf on proxy1.av.it.pt and type (append) the following:
    Code:
    icp_access allow all
    cache_peer proxy2.av.it.pt sibling 3128 3130
    Save the file, then open squid.conf on proxy2.av.it.pt and type (append) the following:
    Code:
    icp_access allow all
    cache_peer proxy1.av.it.pt sibling 3128 3130
    Adjust port 3128 (if you changed it) for your setup.

    Restart both proxies and the servers should start checking each other's caches before connecting to the Internet/ISP network. Please note that if you want to access the ISP squid proxy, then you need to ask them for ports and settings (maybe a username and password too).
    Rocky Jr.
    What's wrong? I hope I am not making you uncomfortable...

    Never send a boy to do a mans job.

  4. #4
    Member

    Default problems

    Hi, thanks for the reply,
    my major problem here is that nothing will show in access.log.
    No access at all, I could only get some entries in store.log and cache.log.
    Don't know what the problem is.

  5. #5
    Senior Member monk's Avatar

    Default

    If you are not getting anything in the log file, it means either squid is not running at all or, if you are using a transparent Linux Squid, your iptables rules are not correct.

    Find out if squid is running or not:
    Code:
    netstat  -vat
    Look for port 3128 in the open state.

    Paste your iptables rules here so that we can verify your rules.

  6. #6
    Member

    Default

    root@stan:/var/log/squid# netstat -vat
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 *:smux *:* LISTEN
    tcp 0 0 localhost.localdo:zebra *:* LISTEN
    tcp 0 0 localhost.localdom:ripd *:* LISTEN
    tcp 0 0 *:3128 *:* LISTEN
    tcp6 0 0 ip6-localhost:ripngd *:* LISTEN
    tcp6 0 0 *:ssh *:* LISTEN
    tcp6 0 0 stan-eth1-8f:ssh piper-eth0-70:4512 ESTABLISHED
    root@stan:/var/log/squid#


    and my iptables:
    root@stan:/var/log/squid# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- itav113.av.it.pt anywhere tcp dpt:www to:10.10.1.1:3128
    (this line is so I don't disturb other users on the network while proxy testing, it only affects my laptop)
    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- 10.0.0.0/8 anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

  7. #7
    Contributors
    Join Date
    Jun 2005
    Location
    London, UK
    Posts
    208
    Thanks
    0
    Thanked 1 Time in 1 Post
    Rep Power
    10

    Default

    Are you sure the firewall is not blocking your access?

    Type the following command at the squid-proxy server shell prompt to verify the problem:
    tail -f /var/log/messages

    Go to the laptop and try to connect and see what error you get. Also, can you telnet from the laptop to port 3128 or 80 (if redirecting)?
    Code:
    telnet  squid-server-ip 3128
    OR
    Code:
    telnet  squid-server-ip 80

  8. #8
    Member

    Default

    piper is my laptop, and it seems it can't get to the squid server,
    although I can ping it.
    root@piper:~# telnet 10.10.1.1 3128
    Trying 10.10.1.1...

    root@piper:~# telnet 10.10.1.1 80
    Trying 10.10.1.1...


    And here is the messages log:
    root@stan:/var/log/squid# tail –f /var/log/messages
    tail: cannot open `–f' for reading: No such file or directory
    ==> /var/log/messages <==
    Jun 16 15:45:32 localhost -- MARK --
    Jun 16 16:03:27 localhost kernel: [345347.793942] ip_conntrack: table full, dropping packet.
    Jun 16 16:03:36 localhost kernel: [345356.900819] ip_conntrack: table full, dropping packet.
    Jun 16 16:03:37 localhost kernel: [345357.637898] ip_conntrack: table full, dropping packet.
    Jun 16 16:03:38 localhost kernel: [345358.388780] ip_conntrack: table full, dropping packet.
    Jun 16 16:20:11 localhost squid[16069]: Squid Parent: child process 16071 exited with status 0
    Jun 16 16:20:12 localhost squid[16222]: Squid Parent: child process 16224 started
    Jun 16 16:45:33 localhost -- MARK --
    Jun 16 17:03:28 localhost kernel: [348948.681508] ip_conntrack: table full, dropping packet.
    Jun 16 17:03:29 localhost kernel: [348949.431507] ip_conntrack: table full, dropping packet.


  9. #9
    Member

    Default sorry last message

    Well, sorry for the last message, one of the problems was pure stupidity on my part. I was bound to a public IP and not a network IP, so that's why it wouldn't connect. This is the latest I get:

    root@piper:~# telnet 10.10.1.1 3128
    Trying 10.10.1.1...
    Connected to 10.10.1.1.
    Escape character is '^]'.
    ^X
    Connection closed by foreign host.
    root@piper:~#

    root@piper:~# telnet 10.10.1.1 80
    Trying 10.10.1.1...
    telnet: Unable to connect to remote host: Connection refused
    root@piper:~#

    and the message log:
    daidalos@stan:~$ tail /var/log/messages
    Jun 16 15:45:32 localhost -- MARK --
    Jun 16 16:03:27 localhost kernel: [345347.793942] ip_conntrack: table full, dropping packet.
    Jun 16 16:03:36 localhost kernel: [345356.900819] ip_conntrack: table full, dropping packet.
    Jun 16 16:03:37 localhost kernel: [345357.637898] ip_conntrack: table full, dropping packet.
    Jun 16 16:03:38 localhost kernel: [345358.388780] ip_conntrack: table full, dropping packet.
    Jun 16 16:20:11 localhost squid[16069]: Squid Parent: child process 16071 exited with status 0
    Jun 16 16:20:12 localhost squid[16222]: Squid Parent: child process 16224 started
    Jun 16 16:45:33 localhost -- MARK --
    Jun 16 17:03:28 localhost kernel: [348948.681508] ip_conntrack: table full, dropping packet.
    Jun 16 17:03:29 localhost kernel: [348949.431507] ip_conntrack: table full, dropping packet.
    daidalos@stan:~$

  10. #10
    Member

    Default LATEST !!!

    OK, so after I changed my proxy definitions to my squid proxy server, I could now see data in my access.log file.

    It seems to be working fine.

    My last problem is that I don't want to need to configure the proxy on my browser to access the web.

    Here goes my latest squid.conf file:
    http_port 3128
    cache_peer proxy.ua.pt parent 3128 3130 proxy-only no-netdb-exchange default no-query no-digest
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_access_log /var/log/squid/access.log
    emulate_httpd_log on
    log_fqdn on
    hosts_file /etc/hosts
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl ruilaa src 193.136.82.194/255.255.255.255
    acl tux src 193.137.86.170/255.255.255.255
    acl it src 193.136.92.0/255.255.255.0
    acl it1 src 193.136.93.0/255.255.255.0
    acl vpn src 192.168.140.0/255.255.255.0
    acl vpn1 src 192.168.120.0/255.255.255.0
    acl vpn2 src 192.168.1.0/255.255.255.0
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563 873 1863 5222 # https, snews
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl Safe_ports port 1863 # MSN
    acl MSN port 1863 # MSN
    acl JABBER port 5222 # Jabber / Google Talk
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow all
    http_access allow localhost
    http_access allow localhost
    http_access allow it
    http_access allow it1
    http_access allow vpn
    http_access allow vpn1
    http_access allow vpn2
    http_access allow ruilaa
    http_access allow tux
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    visible_hostname hng.av.it.pt
    always_direct allow MSN
    always_direct allow JABBER
    never_direct deny MSN
    never_direct deny JABBER
    never_direct allow all
    coredump_dir /var/spool/squid
    client_persistent_connections on
    server_persistent_connections on
    pipeline_prefetch on
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
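
Squid evaluates `http_access` lines top to bottom and stops at the first one that matches, so a rule built only from a match-everything ACL decides every request that reaches it. The following added example (not part of any post in this thread) audits that ordering on a constructed excerpt of the squid.conf in post #10; the function name `audit_http_access` and the finding labels are assumptions made for illustration.

```python
# Constructed excerpt: a subset of the acl/http_access lines from post #10, same relative order.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl it src 193.136.92.0/255.255.255.0
acl vpn src 192.168.140.0/255.255.255.0
acl SSL_ports port 443 563 873 1863 5222 # https, snews
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access allow localhost
http_access allow it
http_access allow vpn
http_access deny all
"""

# src values that match every IPv4 client address
CATCH_ALL_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0"}

def audit_http_access(conf_text):
    """Return [(line_no, kind, rule_text)] for rules that open or shadow the chain."""
    catch_all, rules = set(), []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "src":
            if any(value in CATCH_ALL_SRC for value in tokens[3:]):
                catch_all.add(tokens[1])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            rules.append((line_no, tokens[1], tokens[2:]))

    findings, terminal = [], None
    for line_no, action, acls in rules:
        text = action + " " + " ".join(acls)
        if terminal is not None:
            # An earlier rule already matches every request; this one is never evaluated.
            findings.append((line_no, "unreachable", text))
        elif all(name in catch_all for name in acls):
            # Every ACL on the line matches every client, so evaluation always stops here.
            terminal = line_no
            if action == "allow":
                findings.append((line_no, "open-allow", text))
    return findings

if __name__ == "__main__":
    for line_no, kind, text in audit_http_access(SAMPLE_CONF):
        print(f"line {line_no}: {kind}: http_access {text}")
```

On the excerpt, the per-network allow lines and the final `deny all` are reported as unreachable because `allow all` precedes them; the port and CONNECT restrictions above it still apply.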
