[squid-users] intercept vs. accel vhost allow-direct
sknz
sakibnizam at gmail.com
Thu Sep 12 08:43:20 UTC 2019
I'm running a hotspot (CoovaChilli, FreeRADIUS, etc.) server where
Squid-3.4.8 (SSL enabled) is used for caching and logging. My machine is
running Debian 8.1.1 with 2 NIC cards: one for WAN and another for LAN to
manage hotspot AP(s).
ERROR
The requested URL could not be retrieved
The configuration below throws the above error page:
http_port 3128
http_port 3127 intercept
Instead, I have to use this:
http_port 3128 accel vhost allow-direct
Now it works! Squid is not throwing any error log in either case. Why
is INTERCEPT not working?
I've attached my iptables rules below for a deeper look.
====================
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 ! -o eth0 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP
====================
Chain INPUT (policy ACCEPT 693 packets, 123K bytes)
 pkts bytes target  prot opt in    out    source    destination
  652 80697 DROP    all  --  eth1  any    anywhere  anywhere
    2   702 ACCEPT  icmp --  tun0  any    anywhere  10.1.0.1
   95  6428 ACCEPT  udp  --  tun0  any    anywhere  10.1.0.1         udp dpt:domain
    0     0 ACCEPT  udp  --  tun0  any    anywhere  10.1.0.1         udp dpts:bootps:bootpc
    0     0 ACCEPT  udp  --  tun0  any    anywhere  255.255.255.255  udp dpts:bootps:bootpc
  191 29716 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:3128
  200 22838 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:3990
    0     0 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:domain
    0     0 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:2812
    0     0 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:ssh
    0     0 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:https
  239 25386 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:http
    0     0 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:4990
    0     0 ACCEPT  tcp  --  tun0  any    anywhere  10.1.0.1         tcp dpt:3990
    0     0 DROP    all  --  tun0  any    anywhere  10.1.0.1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out    source    destination
 1259  191K ACCEPT  all  --  tun0  eth0   anywhere  anywhere
    0     0 DROP    all  --  tun0  !eth0  anywhere  anywhere
  274 16408 TCPMSS  tcp  --  any   any    anywhere  anywhere         tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 1127 1186K ACCEPT  all  --  any   tun0   anywhere  anywhere
    0     0 ACCEPT  all  --  tun0  any    anywhere  anywhere
    0     0 DROP    all  --  any   eth1   anywhere  anywhere
 1503  228K DROP    all  --  eth1  any    anywhere  anywhere
Chain OUTPUT (policy ACCEPT 1192 packets, 490K bytes)
 pkts bytes target  prot opt in    out    source    destination
====================
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
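
Added example, not part of the original post: a first-match walk over the filter-table INPUT rules listed above, showing which rule decides a connection arriving on tun0 for 10.1.0.1 on port 3128 versus the intercept port 3127. It models only the match options that appear in this listing (-i, -d, -p, --dport); the names parse, matches and verdict are made up for this sketch, and the post shows no nat-table rules, so none are modelled.

```python
import ipaddress

# INPUT chain of the filter table, copied from the rules in the post.
INPUT_RULES = """
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
""".strip().splitlines()

def parse(rule):
    """Map each option of one '-A INPUT ...' line to its value ('-m' is kept but unused)."""
    tok = rule.split()[2:]
    return dict(zip(tok[0::2], tok[1::2]))

def matches(o, iface, dst, proto, dport):
    if "-i" in o and o["-i"] != iface:
        return False
    if "-d" in o and ipaddress.ip_address(dst) not in ipaddress.ip_network(o["-d"]):
        return False
    if "-p" in o and o["-p"] != proto:
        return False
    if "--dport" in o:  # single port or lo:hi range
        lo, _, hi = o["--dport"].partition(":")
        return int(lo) <= dport <= int(hi or lo)
    return True

def verdict(iface, dst, proto, dport, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy (-P INPUT ACCEPT) applies."""
    for n, rule in enumerate(INPUT_RULES, 1):
        opts = parse(rule)
        if matches(opts, iface, dst, proto, dport):
            return opts["-j"], n
    return policy, None

if __name__ == "__main__":
    for port in (3128, 3127):
        print(port, verdict("tun0", "10.1.0.1", "tcp", port))
```

With the rules as posted, a TCP connection to 10.1.0.1:3128 on tun0 is accepted by rule 6, while one to 10.1.0.1:3127 matches no ACCEPT and is decided by the final DROP (rule 15).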