[squid-users] ISSUE accessing content

Mike mcsnv96 at afo.net
Fri Jul 24 18:57:20 UTC 2015


I see a few issues.

1. The report from the log shows a 192.168.*.* address, common LAN IP

Then in the squid.conf:
2. You have wvdial destination as 10.1.*.* addresses, which is a 
completely different internal network.
Typically there will be no internal routing or communication from a 
192.168.*.* address to/from a 10.*.*.* address without a custom routing 
server with 2 network connections, one from each IP set and to act as 
the DNS intermediary for routing. Otherwise for network/internet 
connections, the computer/browser sees its own IP as local network, and 
everything else including 10.*.*.* as an external address out on the 
internet. I would suggest getting both the browsing computer and the 
server on the same IP subset, as in 192.168.122.x or 10.1.4.x, otherwise 
these issues are likely to continue.

3. Next in the squid.conf is http_port which should be port number only, 
no IP address, especially 0.0.0.0 which can cause conflicts with squid 
3.x versions. Best bet is use just port only, as in: "http_port 3128" or 
in your case "http_port 8080", which is the port (with server IP found 
in ifconfig) the browser will use to connect through the squid server.

4. The bypass local network means any IP connection attempt to a local 
network IP will not use the proxy. This goes back to the 2 different IP 
subsets. One option is to enter a proxy exception as 10.*.*.* (if the 
websense server is using 10.x.x.x IP address).


Mike


On 7/24/2015 10:35 AM, Jagannath Naidu wrote:
> Dear List,
>
> I have been working on this for the last two weeks, but never got it 
> resolved.
>
> We have an application server (SERVER) in our local network and a 
> desktop application (CLIENT). The application picks proxy settings 
> from IE. And we also have a websense proxy server
>
> case 1: when there is no proxy set
> application works. No logs in squid server access.log
>
> case 2: when proxy ip address set and checked "bypass local network"
> application works. No logs in squid server access.log
>
> case 3: when proxy ip address is set to websense proxy server. 
> UNCHECKED "bypass local network"
> application works. We don't have access to websense server and hence we 
> cannot check logs
>
>
> case 4: when proxy ip address is set to proxy server ip address. 
> UNCHECKED "bypass local network"
> application does not work :-(. Below are the logs.
>
>
> 1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
> 1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
> 1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
> 1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
> 1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html
>
> squid -v
> Squid Cache: Version 3.3.8
> configure options:  '--build=x86_64-redhat-linux-gnu' 
> '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
> '--infodir=/usr/share/info' '--disable-strict-error-checking' 
> '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' 
> '--localstatedir=/var' '--datadir=/usr/share/squid' 
> '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' 
> '--with-pidfile=$(localstatedir)/run/squid.pid' 
> '--disable-dependency-tracking' '--enable-eui' 
> '--enable-follow-x-forwarded-for' '--enable-auth' 
> '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' 
> '--enable-auth-ntlm=smb_lm,fake' 
> '--enable-auth-digest=file,LDAP,eDirectory' 
> '--enable-auth-negotiate=kerberos' 
> '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' 
> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
> '--enable-ident-lookups' '--enable-linux-netfilter' 
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' 
> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' 
> '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' 
> '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' 
> '--with-openssl' '--with-pthreads' 
> 'build_alias=x86_64-redhat-linux-gnu' 
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong 
> --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic 
> -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 
> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
> -fstack-protector-strong --param=ssp-buffer-size=4 
> -grecord-gcc-switches   -m64 -mtune=generic -fpie' 
> 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>
>
> squid.conf
>
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 8180
> acl CONNECT method CONNECT
> acl wvdial dst 10.1.4.45 10.1.4.50 10.1.4.53 10.1.4.48 10.1.4.54 10.1.4.46 10.1.4.51 10.1.4.47 10.1.4.55 10.1.4.49 10.1.4.52 10.1.2.4
> http_access allow wvdial
> acl dialer dstdomain .htmedia.net
> http_access allow dialer
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> visible_hostname = NOIDAPROXY01.MYDOMAIN.NET
> append_domain  .mydomain.net
> ignore_expect_100 on
> dns_v4_first on
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=HTMEDIA.NET
> auth_param ntlm children 1000
> auth_param ntlm keep_alive off
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 100
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> acl auth proxy_auth REQUIRED
> http_access allow all auth
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 0.0.0.0:8080
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
>
> It was the same behavior with squid-3.1.10-19. I thought upgrading to 
> squid 3.3 would help. Please help me resolve this mystery.
>
>
> -- 
> Thanks & Regards
>
> Jagannath Naidu
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
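
An added example, not part of the original thread: a small parser that splits the five quoted access.log entries into Squid's native log fields and groups them by result code, HTTP status and hierarchy field. The triage labels and function names are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: the five access.log entries quoted in the thread, one per
# line, with the mail archive's "<http://...>" autolink residue removed.
SAMPLE_LOG = """\
1437751240.149      7 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/UADPresentationLayer.application - HIER_DIRECT/10.1.4.46 text/html
1437751240.992     94 192.168.122.1 TCP_DENIED/407 3757 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751240.996      0 192.168.122.1 TCP_DENIED/407 4059 CONNECT 0.client-channel.google.com:443 - HIER_NONE/- text/html
1437751242.327      5 192.168.122.1 TCP_MISS/404 579 GET http://dlwvdialce.htmedia.net/UADInstall/uadprop.htm - HIER_DIRECT/10.1.4.46 text/html
1437751244.777      1 192.168.122.1 TCP_MISS/503 4048 POST http://cs-711-core.htmedia.net:8180/ConcertoAgentPortal/services/ConcertoAgentPortal - HIER_NONE/- text/html
"""

# Squid native format: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Return a dict of fields, or None for a blank or malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(e):
    """Hypothetical triage labels based on result code, status and hierarchy."""
    if e["result"] == "TCP_DENIED" and e["status"] == "407":
        return "proxy-auth-required"      # Squid answered with an auth challenge
    if e["hier"] == "HIER_NONE" and e["status"][0] == "5":
        return "squid-error-no-upstream"  # no upstream server recorded
    if e["hier"] == "HIER_DIRECT" and e["status"][0] in "45":
        return "origin-error"             # error status came back from e["peer"]
    return "other"

def summarize(text):
    """Count triage labels per destination (peer address, or URL if none)."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            counts[("unparsed", "-")] += 1
            continue
        dest = e["peer"] if e["peer"] != "-" else e["url"]
        counts[(classify(e), dest)] += 1
    return counts

if __name__ == "__main__":
    for (label, dest), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n}  {label:24} {dest}")
```
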
