[squid-users] Squid None Aborted problem

secoonder secoonder at mynet.com
Wed Feb 24 10:10:26 UTC 2016


Antony, thank you very much for your answer. I reinstalled Ubuntu and Squid,
and I removed the SSL bump configuration, but the problem is not solved.
I have written my answers below. Can you help me?



Antony Stone wrote
> On Sunday 21 February 2016 at 12:56:03, secoonder wrote:
> 
>> My Firewall eth0: 192.168.1.180
>>                   eth1:192.168.2.180
> 
> I'm guessing that eth0 is your route to the Internet, and eth1 points towards
> the clients trying to use Squid?
> 
>> ip_forwarding enable and more /proc/sys/net/ipv4/ip_forward =1
>> iptables -t nat -A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth0 -j MASQUERADE
> 
> So, there's at least one more router (connecting 192.168.2.180 to
> 192.168.5.0/24) between the clients and Squid...?
> /// I'm so sorry, I wrote this part wrong.
> iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth1 -j MASQUERADE
> 
>> There is no problem with the above. The clients could connect to the internet.
> 
> You mean, they can connect directly without using Squid at all.  Okay, so
> network routing is working, at least.
> /// Yes.
> 
>> And then i install squid 3.2.11.
> 
> Why?  That's nearly 3 years old - it dates from April 2013.
> /// I reinstalled Ubuntu 14.04 and reinstalled Squid 3.3.8.
> 
>> I added iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
>> and saved it.
> 
> Okay, so you are correctly doing the NAT on the machine running Squid.
> /// Yes.
> 
> Just out of interest, which distribution of Linux are you running on this 
> machine, and which version of it?
> VERSION="14.04.4 LTS, Trusty Tahr"
> 
> 
>> I redirect port 80 successfully. I see it with tailf /var/log/squid3/access.log
> 
> Please show us what gets logged in access.log when a client tries to connect,
> and make sure you tell us what they were trying to connect to.
> 
> 1456309556.564    196 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
> 1456309562.527  35947 192.168.80.4 TCP_MISS/200 73551 GET http://www.hurriyet.com.tr/trafik-sigortasinda-yasanan-kaosun-sonuna-gelindi-40059215? - HIER_DIRECT/83.66.162.3 text/html
> 1456309586.928    514 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
> 1456309598.768     45 192.168.80.4 TCP_MISS/200 5407 GET http://www.hurriyet.com.tr/_includes/HurriyetTVWidgetEmbedVideoStart.html - HIER_DIRECT/83.66.162.3 text/html
> 1456309604.236   3997 192.168.80.4 NONE_ABORTED/000 0 OPTIONS http://clicks.hurriyet.com.tr/request - HIER_NONE/- -
> 1456309616.975    513 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
> 1456309636.461  37994 192.168.80.4 TCP_MISS/200 1881 GET http://simg.hurriyet.com.tr/img/16/feq/profile_40.jpg? - HIER_DIRECT/83.66.162.127 image/jpeg
> 1456309636.473  38005 192.168.80.4 TCP_MISS/200 2023 GET http://simg.hurriyet.com.tr/img/ll/3p/profile_40.jpg? - HIER_DIRECT/83.66.162.127 image/jpeg
> 1456309646.877    204 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
> 1456309676.578    195 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.177 application/octet-stream
> 1456309706.928    591 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
> 
> 
> Also, it would be a good idea to make sure that Squid itself is working before
> trying to add the interception - configure one client to explicitly use the
> proxy on IP 192.168.2.180, and make some requests from that client and make
> sure both that they work, and they show up in Squid's access.log.
> 
>> But clients cannot reach the internet.
>> My squid3 -k parse...
> 
> Please show us your squid.conf file without comments or blank lines.
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> http_access allow localhost
> acl sec src 192.168.80.0/24
> http_access allow sec
> # And finally deny all other access to this proxy
> http_access deny all
> http_port 3128 intercept
> cache_dir ufs /var/spool/squid3 10000 16 256
> 
> 
> 
>> 2016/02/21 14:20:56| Processing: http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem
> 
> I strongly recommend that you keep things simple and avoid any SSL bumping
> until the basics are working.  Let's get HTTP intercept working first, and then
> you can think about SSL later (oh, and by the way, I saw no NAT rule to
> intercept SSL traffic on port 443 earlier, so I strongly suspect there's nothing
> to get bumped anyway, unless you have explicit proxy configuration in your
> clients).
> 
> /// I removed SSL bumping, but the problem was not solved.
> cache.log is:
> 
> 2016/02/24 12:27:16| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:27:26| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:27:56| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:28:29| Logfile: opening log stdio:/var/log/squid3/netdb.state
> 2016/02/24 12:28:29| Logfile: closing log stdio:/var/log/squid3/netdb.state
> 2016/02/24 12:28:29| NETDB state saved; 0 entries, 0 msec
> 2016/02/24 12:29:26| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:29:56| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:31:56| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:33:26| ERROR: No forward-proxy ports configured.
> 2016/02/24 12:33:56| ERROR: No forward-proxy ports configured.
> 
> Regards,
> 
> 
> Antony.
> 
> -- 
> "In fact I wanted to be John Cleese and it took me some time to realise that
> the job was already taken."
> 
>  - Douglas Adams
> 
>                                    Please reply to the list;
>                                    please *don't* CC me.
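
An added example, not part of the original message: a small Python triage of Squid's native access.log format that separates destinations whose requests are only sometimes aborted without a reply from those that always are. It uses five entries copied from the log quoted above (rejoined one per line); the function names and the ok / intermittent / always-aborted labels are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log fields, in order:
# time elapsed_ms client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Five entries copied from the log in the message above, one per line.
SAMPLE = """\
1456309556.564    196 192.168.80.4 TCP_MISS/200 299 POST http://vl.ff.avast.com/v1/touch - HIER_DIRECT/5.45.58.178 application/octet-stream
1456309586.928    514 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
1456309598.768     45 192.168.80.4 TCP_MISS/200 5407 GET http://www.hurriyet.com.tr/_includes/HurriyetTVWidgetEmbedVideoStart.html - HIER_DIRECT/83.66.162.3 text/html
1456309604.236   3997 192.168.80.4 NONE_ABORTED/000 0 OPTIONS http://clicks.hurriyet.com.tr/request - HIER_NONE/- -
1456309616.975    513 192.168.80.4 NONE_ABORTED/000 0 POST http://vl.ff.avast.com/v1/touch - HIER_NONE/- -
"""

def parse_line(line):
    """Return the fields of one native-format line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(text):
    """Per (method, host): transactions that got a reply vs. aborted with none."""
    stats = defaultdict(lambda: {"ok": 0, "aborted": 0, "abort_ms": []})
    for rec in filter(None, map(parse_line, text.splitlines())):
        entry = stats[(rec["method"], urlsplit(rec["url"]).hostname)]
        # *_ABORTED with status 000 and HIER_NONE: the connection closed with no
        # reply logged and no peer or origin server recorded for the request.
        if rec["code"].endswith("_ABORTED") and (rec["status"], rec["hier"]) == ("000", "HIER_NONE"):
            entry["aborted"] += 1
            entry["abort_ms"].append(int(rec["elapsed"]))
        else:
            entry["ok"] += 1
    return dict(stats)

def classify(entry):
    """Label a destination by how consistently its requests are aborted."""
    if entry["aborted"] == 0:
        return "ok"
    return "intermittent" if entry["ok"] else "always-aborted"

if __name__ == "__main__":
    print({key: classify(entry) for key, entry in triage(SAMPLE).items()})
```
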