[squid-users] Squid None Aborted problem
secoonder
secoonder at mynet.com
Wed Feb 24 10:10:26 UTC 2016
Antony, thank you very much for your answer. I reinstalled Ubuntu and Squid, and I
removed the ssl bump configuration, but the problem is not solved.
I wrote my answers below. Can you help me?
Antony Stone wrote
> On Sunday 21 February 2016 at 12:56:03, secoonder wrote:
>
>> My Firewall eth0: 192.168.1.180
>> eth1:192.168.2.180
>
> I'm guessing that eth0 is your route to the Internet, and eth1 points towards
> the clients trying to use Squid?
>
>> ip_forwarding enable and more /proc/sys/net/ipv4/ip_forward =1
>> iptables -t nat -A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth0 -j
>> MASQUERADE
>
> So, there's at least one more router (connecting 192.168.2.180 to
> 192.168.5.0/24) between the clients and Squid...? /// I'm so sorry, I wrote
> this part wrong.
> iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth1 -j MASQUERADE
>
>> There is no problem with the above. The clients could connect to the internet.
>
> You mean, they can connect directly without using Squid at all. Okay, so
> network routing is working, at least. ///Yes.
>
>> And then i install squid 3.2.11.
>
> Why? That's nearly 3 years old - it dates from April 2013. // I reinstalled
> Ubuntu 14.04 and reinstalled Squid 3.3.8.
>
>> I added iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>> --to-ports 3128 and saved it.
>
> Okay, so you are correctly doing the NAT on the machine running Squid.
> ///Yes
>
> Just out of interest, which distribution of Linux are you running on this
> machine, and which version of it?
> VERSION="14.04.4 LTS, Trusty Tahr"
>
>
>> I redirect port 80 successfully. I see it with tailf
>> /var/log/squid3/access.log
>
> Please show us what gets logged in access.log when a client tries to connect,
> and make sure you tell us what they were trying to connect to.
>
> 1456309556.564 196 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
> 1456309562.527 35947 192.168.80.4 TCP_MISS/200 73551 GET http://www.hurriyet.com.tr/trafik-sigortasinda-yasanan-kaosun-sonuna-gelindi-40059215? - HIER_DIRECT/83.66.162.3 text/html
> 1456309586.928 514 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
> 1456309598.768 45 192.168.80.4 TCP_MISS/200 5407 GET http://www.hurriyet.com.tr/_includes/HurriyetTVWidgetEmbedVideoStart.html - HIER_DIRECT/83.66.162.3 text/html
> 1456309604.236 3997 192.168.80.4 NONE_ABORTED/000 0 OPTIONS http://clicks.hurriyet.com.tr/request - HIER_NONE/- -
> 1456309616.975 513 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
> 1456309636.461 37994 192.168.80.4 TCP_MISS/200 1881 GET http://simg.hurriyet.com.tr/img/16/feq/profile_40.jpg? - HIER_DIRECT/83.66.162.127 image/jpeg
> 1456309636.473 38005 192.168.80.4 TCP_MISS/200 2023 GET http://simg.hurriyet.com.tr/img/ll/3p/profile_40.jpg? - HIER_DIRECT/83.66.162.127 image/jpeg
> 1456309646.877 204 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
> 1456309676.578 195 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.177 application/octet-stream
> 1456309706.928 591 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
>
>
> Also, it would be a good idea to make sure that Squid itself is working before
> trying to add the interception - configure one client to explicitly use the
> proxy on IP 192.168.2.180, and make some requests from that client and make
> sure both that they work, and they show up in Squid's access.log.
>
>> But the clients cannot access the internet.
>> My squid3 -k parse...
>
> Please show us your squid.conf file without comments or blank lines.
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localhost
> acl sec src 192.168.80.0/24
> http_access allow sec
> # And finally deny all other access to this proxy
> http_access deny all
> http_port 3128 intercept
> cache_dir ufs /var/spool/squid3 10000 16 256
>
>
>
>> 2016/02/21 14:20:56| Processing: http_port 3128 intercept ssl-bump
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
>
> I strongly recommend that you keep things simple and avoid any SSL bumping
> until the basics are working. Let's get HTTP intercept working first, and then
> you can think about SSL later (oh, and by the way, I saw no NAT rule to
> intercept SSL traffic on port 443 earlier, so I strongly suspect there's nothing
> to get bumped anyway, unless you have explicit proxy configuration in your
> clients).
>
> /// I removed SSL bumping, but the problem was not solved.
> cache.log is:
>
> 2016/02/24 12:27:16| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:27:26| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:27:56| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:28:29| Logfile: opening log stdio:/var/log/squid3/netdb.state
> 2016/02/24 12:28:29| Logfile: closing log stdio:/var/log/squid3/netdb.state
> 2016/02/24 12:28:29| NETDB state saved; 0 entries, 0 msec
> 2016/02/24 12:29:26| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:29:56| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:31:56| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:33:26| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:33:56| ERROR: No forward-proxy ports configured.
>
> Regards,
>
>
> Antony.
>
> --
> "In fact I wanted to be John Cleese and it took me some time to realise that
> the job was already taken."
>
> - Douglas Adams
>
> Please reply to the list;
> please *don't* CC me.
Quoted from:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-None-Aborted-problem-tp4675901p4676090.html
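Added example, not part of the original post and not Squid project code: a small checker that relates the posted `http_port 3128 intercept` line and the NAT REDIRECT rule to the `ERROR: No forward-proxy ports configured.` lines in cache.log. Squid logs that error when every `http_port` is an interception port. The flag set is a simplified model of that check, and port 3129 and the "split" layout are assumptions chosen for illustration.

```python
import re

# Flags that make an http_port an interception port (simplified model).
INTERCEPT_FLAGS = {"intercept", "transparent", "tproxy"}

def parse_http_ports(conf_text):
    """Return [(port, is_interception)] for each http_port directive."""
    ports = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0] == "http_port":
            port = int(tokens[1].rsplit(":", 1)[-1])  # accepts "3128" or "addr:3128"
            ports.append((port, bool(INTERCEPT_FLAGS & set(tokens[2:]))))
    return ports

def redirect_ports(rules_text):
    """Ports named by --to-ports in iptables REDIRECT rules."""
    return [int(p) for p in re.findall(r"-j\s+REDIRECT\s+--to-ports\s+(\d+)", rules_text)]

def check(conf_text, rules_text=""):
    """Return a list of findings; an empty list means the layout is consistent."""
    ports = parse_http_ports(conf_text)
    intercept = {p for p, is_int in ports if is_int}
    forward = {p for p, is_int in ports if not is_int}
    findings = []
    if intercept and not forward:
        findings.append("only interception ports: cache.log will show "
                        "'ERROR: No forward-proxy ports configured.'")
    for port in redirect_ports(rules_text):
        if port not in intercept:
            findings.append("REDIRECT --to-ports %d is not an intercept http_port" % port)
    return findings

# http_port line and NAT rule as posted in the thread (wrapping and spacing normalised).
POSTED_CONF = "http_access deny all\nhttp_port 3128 intercept\n"
POSTED_RULES = ("iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 "
                "-j REDIRECT --to-ports 3128")
# Assumed alternative layout: 3128 for explicit proxy clients, 3129 (arbitrary) for NAT.
SPLIT_CONF = "http_port 3128\nhttp_port 3129 intercept\n"
SPLIT_RULES = POSTED_RULES.replace("--to-ports 3128", "--to-ports 3129")

if __name__ == "__main__":
    for name, conf, rules in [("posted", POSTED_CONF, POSTED_RULES),
                              ("split, old NAT rule", SPLIT_CONF, POSTED_RULES),
                              ("split, new NAT rule", SPLIT_CONF, SPLIT_RULES)]:
        print(name, "->", check(conf, rules) or "ok")
```

The middle case shows the follow-on mistake to watch for: once the intercept port moves, a REDIRECT rule still pointing at the forward-proxy port sends NAT'd traffic to a port that does not expect it.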