[squid-users] Squid versions and FreeBSD-10.1 headache

Yuri Voinov yvoinov at gmail.com
Fri Jan 23 15:42:32 UTC 2015


Yep, they are mutually exclusive.
23.01.2015 21:29, Odhiambo Washington wrote:
>
>
> On 23 January 2015 at 17:33, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>
>     On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
>     > On 23 January 2015 at 16:53, Amos Jeffries <squid3 at treenet.co.nz>
>     > wrote:
>     >
>     >>
>     >> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
>     >>> On 23 January 2015 at 16:40, Amos Jeffries
>     >>> <squid3 at treenet.co.nz> wrote:
>     >>>
>     >>>>
>     >>>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
>     >>>>> On 23 January 2015 at 16:07, Amos Jeffries
>     >>>>> <squid3 at treenet.co.nz> wrote:
>     >>>>>
>     >>>>>>
>     >>>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>     >>>>>>>
>     >>>>>>> Once more. You CANNOT have either a web server or any
>     >>>>>>> other service listening on port 80 on the same host
>     >>>>>>> as a transparent Squid proxy. This is the one and only reason
>     >>>>>>> you have looping.
>     >>>>>>>
>     >>>>>>
>     >>>>>> That is not correct. It can be done, but depends on how
>     >>>>>> the firewall operates and what ruleset is used.
>     >>>>>>
>     >>>>>> One has to intercept traffic transiting the machine, but
>     >>>>>> ignore traffic destined *to* or *from* the local
>     >>>>>> machine's own running processes.
>     >>>>>>
>     >>>>>>> Look. On my transparent 3.4.11 (which was earlier 2.7)
>     >>>>>>> IPFilter redirects port 80 to the proxy. My web server on
>     >>>>>>> the same host listens only on ports 8080, 8088 and 8888.
>     >>>>>>> No service except NAT is using port 80.
>     >>>>>>>
>     >>>>>>> And I have had no looping for 4 years.
>     >>>>>>>
>     >>>>>>> Obvious, isn't it?
>     >>>>>>>
>     >>>>>>
>     >>>>>> Maybe there was, maybe there wasn't.
>     >>>>>>
>     >>>>>> Squid-2.7 ignored a lot of NAT related errors and even
>     >>>>>> silently did some Very Bad Things(tm) - none of which
>     >>>>>> Squid-3.2+ will allow to happen anymore.
>     >>>>>>
>     >>>>>>
>     >>>>>> Odhiambo: I suspect it might be related to your use of
>     >>>>>> "rdr" firewall rules. In OpenBSD PF at least, rdr rules do
>     >>>>>> not work properly and divert-to rules need to be used
>     >>>>>> instead (divert-to can be used for either TPROXY or NAT
>     >>>>>> Squid listening ports on BSD).
>     >>>>>>
>     >>>>>
>     >>>>>
>     >>>>> I am thinking Squid-3.2+ is evil :-)
>     >>>>>
>     >>>>> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v
>     >>>>> And my IPFilter rules are here:
>     >>>>> http://pastebin.com/JQ77X01H
>     >>>>>
>     >>>>> I need to figure out why squid is DENYing all access ..
>     >>>>>
>     >>>>
>     >>>> Can you update me on what the squid -v output is from the
>     >>>> Squid build you are having issues with please?
>     >>>>
>     >>>> Amos
>     >>>>
>     >>>
>     >>> root at mail:/usr/src # /opt/squid35/sbin/squid -v
>     >>> Squid Cache: Version 3.5.1-20150120-r13736
>     >>> Service Name: squid
>     >>> configure options:  '--prefix=/opt/squid35'
>     >>> '--enable-removal-policies=lru heap' '--disable-epoll'
>     >>> '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
>     >>> '--enable-external-acl-helpers=session unix_group file_userip'
>     >>> '--enable-auth-negotiate=kerberos' '--with-pthreads'
>     >>> '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
>     >>> '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
>     >>> '--enable-cache-digests' '--enable-wccpv2'
>     >>> '--enable-follow-x-forwarded-for' '--with-large-files'
>     >>> '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
>     >>> '--enable-icap-client' '--enable-kill-parent-hack'
>     >>> '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd'
>     >>> '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
>     >>> '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
>     >>> '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
>     >>> --enable-ltdl-convenience
>     >>>
>     >>
>     >> Okay. Can you explicitly add --disable-ipf-transparent
>     >> --disable-ipfw-transparent and see if that helps.
>     >>
>     >> Also in squid.conf, adding debug_options ALL,1 89,9 will show
>     >> just the NAT lookup results where things are going wrong.
>     >>
>     >
>     > So, before I recompile, we can look at the debug output:
>     >
>     > 2015/01/23 17:07:45| storeLateRelease: released 0 objects
>     > 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
>     > 2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
>
>
>     Arggg..   Add --with-nat-devpf to your build options in FreeBSD.
>
>     http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4
>
>     Amos
>
>
>
> Done that and now, debug shows:
>
> 2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541
> 2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
> 2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58542
> 2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58542 FD 37 flags=33
> 2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58543
> 2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58543 FD 39 flags=33
> 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58544
> 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=196.0.3.114:80 remote=192.168.2.2:58544 FD 51 flags=33
> 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58545
> 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58545 FD 52 flags=33
> 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58546
> 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58546 FD 53 flags=33
> 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58547
> 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58547 FD 54 flags=33
> 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58548
> 2015/01/23 18:15:48.035| Intercept.cc(337) PfInterception: address NAT: local=108.168.145.227:80 remote=192.168.2.2:58548 FD 55 flags=33
> 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58549
>
> And the good news is that squid-3.5.1 is now allowing client PCs to
> browse. Thank you for that.
>
> I still have issues to raise (though my small brain is now so saturated):
>
>
> Here is what I use:
>
> ./configure --prefix=/opt/squid35 \
>         --enable-removal-policies="lru heap" \
>         --disable-epoll \
>         --enable-auth \
>         --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI" \
>         --enable-external-acl-helpers="session unix_group file_userip" \
>         --enable-auth-negotiate="kerberos" \
>         --with-pthreads \
>         --enable-storeio="ufs diskd rock aufs" \
>         --enable-delay-pools \
>         --enable-snmp  \
>         --with-openssl=/usr \
>         --enable-forw-via-db \
>         --enable-cache-digests \
>         --enable-wccpv2 \
>         --enable-follow-x-forwarded-for \
>         --with-large-files \
>         --enable-large-cache-files \
>         --enable-esi \
>         --enable-kqueue \
>         --enable-icap-client \
>         --enable-kill-parent-hack \
>         --enable-ssl \
>         --enable-leakfinder \
>         --enable-ssl-crtd \
>         --enable-url-rewrite-helpers \
>         --enable-xmalloc-statistics \
>         --enable-stacktraces \
>         --enable-zph-qos \
>         --enable-eui \
>         --with-nat-devpf \
>         --enable-pf-transparent \
>         --enable-ipf-transparent
>
>
> It seems I have to remove --enable-ipf-transparent, otherwise the build
> fails. I was thinking I could have both --enable-pf-transparent and
> --enable-ipf-transparent so that I would be able to use either PF or
> IPFilter, whichever I want.
>
>
> Are those two mutually exclusive? When I have the two, the build fails
> with:
>
> root at mail:/usr/home/wash/squid-3.5.1-20150120-r13736 # gmake
> Making all in compat
> gmake[1]: Entering directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
> depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
> /bin/sh ../libtool  --tag=CXX   --mode=compile clang++ -DHAVE_CONFIG_H   -I.. -I../include -I../lib -I../src -I../include -I/usr/include  -I/usr/include  -I../libltdl -I/usr/include -I/usr/local/include/libxml2  -I/usr/local/include/libxml2  -Werror -Qunused-arguments  -D_REENTRANT -g -O2  -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc &&\
> mv -f $depbase.Tpo $depbase.Plo
> libtool: compile:  clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc  -fPIC -DPIC -o .libs/assert.o
> In file included from assert.cc:9:
> In file included from ../include/squid.h:43:
> ../compat/compat.h:49:57: error: expected value in expression
> #if IPF_TRANSPARENT && USE_SOLARIS_IPFILTER_MINOR_T_HACK
>                                                         ^
> 1 error generated.
> Makefile:921: recipe for target 'assert.lo' failed
> gmake[1]: *** [assert.lo] Error 1
> gmake[1]: Leaving directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
> Makefile:567: recipe for target 'all-recursive' failed
> gmake: *** [all-recursive] Error 1
> root at mail:/usr/home/wash/squid-3.5.1-20150120-r13736
>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> "I can't hear you -- I'm using the scrambler."
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
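Added here as a diagnostic aid, not code from the thread or from the Squid project: a small Python checker for the Intercept.cc lines that `debug_options ALL,1 89,9` produces. It pairs each Lookup with its PfInterception result and flags lookups whose recovered destination is still Squid's own listening socket (192.168.2.254:13128), which is what the first debug excerpt shows before --with-nat-devpf was added. The sample lines are constructed from the excerpts quoted above; the function and regex names are my own.

```python
import re
from typing import Dict, List, Tuple

# Shapes of the two Intercept.cc messages seen at debug level 89,9 in Squid 3.5.
LOOKUP_RE = re.compile(
    r"Lookup: address BEGIN: me/client= (?P<me>\S+), destination/me= (?P<dst>\S+)")
NAT_RE = re.compile(
    r"PfInterception: address NAT(?P<mode> divert-to)?: "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+)")

# Constructed sample, modelled on the two excerpts quoted in this thread: a
# divert-to lookup that hands back the proxy's own socket, then a /dev/pf NAT
# lookup that recovers the real origin server.
SAMPLE_LOG = [
    "2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: "
    "me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632",
    "2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT "
    "divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33",
    "2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN: "
    "me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541",
    "2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: "
    "local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33",
]

def check_intercept_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, mode, recovered_destination, verdict) per NAT lookup.
    'me/client' in a Lookup line is Squid's listening socket, 'destination/me'
    the client; PfInterception then reports the recovered origin as 'local'.
    A 'local' still equal to the listening socket means nothing was recovered."""
    listen_for_client: Dict[str, str] = {}
    results: List[Tuple[str, str, str, str]] = []
    for line in lines:
        m = LOOKUP_RE.search(line)
        if m:
            listen_for_client[m.group("dst")] = m.group("me")
            continue
        m = NAT_RE.search(line)
        if not m:
            continue
        client, local = m.group("remote"), m.group("local")
        mode = "divert-to" if m.group("mode") else "nat"
        verdict = "unrecovered" if local == listen_for_client.get(client) else "ok"
        results.append((client, mode, local, verdict))
    return results

if __name__ == "__main__":
    for client, mode, dest, verdict in check_intercept_log(SAMPLE_LOG):
        print(f"{client:>22} via {mode:<9} -> {dest:<22} {verdict}")
```

Feed it a real cache.log captured with the debug level above to see which client connections never had their origin server recovered.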
