[squid-users] Squid versions and FreeBSD-10.1 headache
Odhiambo Washington
odhiambo at gmail.com
Fri Jan 23 13:47:07 UTC 2015
On 23 January 2015 at 16:40, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
> > On 23 January 2015 at 16:07, Amos Jeffries <squid3 at treenet.co.nz>
> > wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>
> >> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> >>>
> >>> Once more. You CANNOT have neither web-server nor other
> >>> service with listening port 80 on the same host as transparent
> >>> Squid proxy. This is one and only reason you have looping.
> >>>
> >>
> >> That is not correct. It can be done, but depends on how the
> >> firewall operates and what ruleset is used.
> >>
> >> One has to intercept traffic transiting the machine, but ignore
> >> traffic destined *to* or *from* the local machines running
> >> processes.
> >>
> >>> Look. On my transparent 3.4.11 (which was early 2.7) IPFilter
> >>> redirects 80 port to proxy. My web server on the same host
> >>> listens only 8080, 8088 and 8888 ports. No one service except
> >>> NAT is using 80 port.
> >>>
> >>> And finally I have no looping 4 years.
> >>>
> >>> Obvious, is it?
> >>>
> >>
> >> Maybe there was, maybe there wasn't.
> >>
> >> Squid-2.7 ignored a lot of NAT related errors and even silently
> >> did some Very Bad Things(tm) - none of which Squid-3.2+ will
> >> allow to happen anymore.
> >>
> >>
> >> Odhiambo: I suspect it might be related to your use of "rdr"
> >> firewall rules. In OpenBSD PF at least rdr rules do not work
> >> properly and divert-to rules needs to be used instead (divert-to
> >> can be used for either TPROXY or NAT Squid listening ports on
> >> BSD).
> >>
> >
> >
> > I am thinking Squid-3.2+ is evil :-)
> >
> > Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And my
> > IPFilter rules are here: http://pastebin.com/JQ77X01H
> >
> > I need to figure out why squid is DENYing all access ..
> >
>
> Can you update me on what the squid -v output is from the Squid build
> you are having issues with pleae?
>
> Amos
>
root at mail:/usr/src # /opt/squid35/sbin/squid -v
Squid Cache: Version 3.5.1-20150120-r13736
Service Name: squid
configure options: '--prefix=/opt/squid35' '--enable-removal-policies=lru
heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM
PAM POP3 SSPI' '--enable-external-acl-helpers=session unix_group
file_userip' '--enable-auth-negotiate=kerberos' '--with-pthreads'
'--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
'--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
'--enable-cache-digests' '--enable-wccpv2'
'--enable-follow-x-forwarded-for' '--with-large-files'
'--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
'--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl'
'--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers'
'--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos'
'--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
--enable-ltdl-convenience
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150123/2623cb85/attachment-0001.html>
More information about the squid-users
mailing list