[squid-users] Squid None Aborted problem

Antony Stone Antony.Stone at squid.open.source.it
Sun Feb 21 12:47:00 UTC 2016


On Sunday 21 February 2016 at 12:56:03, secoonder wrote:

> My Firewall eth0: 192.168.1.180
>                   eth1:192.168.2.180

I'm guessing that eth0 is your route to the Internet, and eth1 points towards 
the clients trying to use Squid?

> ip_forwarding enable and more /proc/sys/net/ipv4/ip_forward =1
> iptables -t nat -A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth0 -j
> MASQUERADE

So, there's at least one more router (connecting 192.168.2.180 to 
192.168.5.0/24) between the clients and Squid...?

> This is no problem above it. The clients could connect internet.

You mean, they can connect directly without using Squid at all.  Okay, so 
network routing is working, at least.

> And then i install squid 3.2.11.

Why?  That's nearly 3 years old - it dates from April 2013.

> i added iptables -t nat -A PREROUTING -i eth1-p tcp --dport 80 -j REDIRECT
> --to-ports 3128 and save it.

Okay, so you are correctly doing the NAT on the machine running Squid.

Just out of interest, which distribution of Linux are you running on this 
machine, and which version of it?

> i redirect successfully 80 port. i see it at tailf /var/log/squid3/access.log

Please show us what gets logged in access.log when a client tries to connect, 
and make sure you tell us what they were trying to connect to.

Also, it would be a good idea to make sure that Squid itself is working before 
trying to add the interception - configure one client to explicitly use the 
proxy on IP 192.168.2.180, and make some requests from that client and make 
sure both that they work, and they show up in Squid's access.log.

> But clients can not internet .
> My squid3 -k parse...

Please show us your squid.conf file without comments or blank lines.

> 2016/02/21 14:20:56| Processing: http_port 3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem

I strongly recommend that you keep things simple and avoid any SSL bumping 
until the basics are working.  Let's get HTTP intercept working first, and then 
you can think about SSL later (oh, and by the way, I saw no NAT rule to 
intercept SSL traffic on port 443 earlier, so I strongly suspect there's nothing 
to get bumped anyway, unless you have explicit proxy configuration in your 
clients).


Regards,


Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams

                                                   Please reply to the list;
                                                         please *don't* CC me.
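
Added example, not part of the original message and not Squid project code: a small consistency check between the NAT REDIRECT rules and the http_port line of the kind quoted in the thread, which reports the mismatch pointed out above (ssl-bump configured, but no rule intercepting port 443). The function names and sample inputs are constructed for illustration; the rules are assumed to be in `iptables-save` form, and only `http_port` lines are parsed.

```python
import shlex

# Constructed sample inputs, modelled on the rules and http_port line quoted in the thread.
SAMPLE_RULES = """\
-A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth0 -j MASQUERADE
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
"""
SAMPLE_CONF = """\
# constructed squid.conf fragment
http_port 3128 intercept ssl-bump generate-host-certificates=on
"""

def redirects(rules):
    """Map destination port -> local port for each REDIRECT rule."""
    out = {}
    for line in rules.splitlines():
        tok = shlex.split(line)
        if "REDIRECT" in tok and "--dport" in tok and "--to-ports" in tok:
            dport = int(tok[tok.index("--dport") + 1])
            out[dport] = int(tok[tok.index("--to-ports") + 1])
    return out

def http_ports(conf):
    """Map listening port -> set of option names from http_port lines."""
    out = {}
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "http_port":
            port = int(tok[1].rsplit(":", 1)[-1])  # accepts "3128" or "ip:3128"
            out[port] = {t.split("=", 1)[0] for t in tok[2:]}
    return out

def check(rules, conf):
    """Return a list of human-readable mismatches between NAT rules and squid.conf."""
    findings = []
    redir, ports = redirects(rules), http_ports(conf)
    for dport, local in redir.items():
        # Traffic redirected by NAT must land on a port Squid treats as intercepted.
        if "intercept" not in ports.get(local, set()):
            findings.append(f"dport {dport} redirected to {local}, but no 'http_port {local} intercept'")
    for port, opts in ports.items():
        # ssl-bump has nothing to act on if port 443 is never redirected to the proxy.
        if "ssl-bump" in opts and 443 not in redir:
            findings.append(f"ssl-bump on port {port}, but no REDIRECT rule for dport 443")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE_RULES, SAMPLE_CONF):
        print(finding)
```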

