Re: [squid-users] peer problem with 2.6

From: Michel Santos <michel@dont-contact.us>
Date: Sat, 20 Jan 2007 06:50:16 -0200 (BRST)

Henrik Nordstrom said in the last message:
> Sat 2007-01-20 at 01:11 -0200 Michel Santos wrote:
>
>> > Then post
>> >
>> > * iptables ruleset
>> > * http_port + cache_peer + visible_hostname settings of each Squid
>> > * cache.log output of ALL,1 (no extra debugging enabled) from each
>> > Squid.
>>
>>
>> it is FreeBSD and IPFW
>
> Then post your ipfw rules instead of iptables.
>

oook, here it is

fwd 127.0.0.1,8080 tcp from _IP_ to any dst-port 80 in via WIP1
allow ip from any to any

so that we are not looking on the wrong side any more:

# ping -S 127.0.0.3 127.0.0.1
PING 127.0.0.1 (127.0.0.1) from 127.0.0.3: 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.051 ms

# ping -S 127.0.0.2 127.0.0.1
PING 127.0.0.1 (127.0.0.1) from 127.0.0.2: 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.048 ms

# ping -S 127.0.0.2 127.0.0.3
PING 127.0.0.3 (127.0.0.3) from 127.0.0.2: 56 data bytes
64 bytes from 127.0.0.3: icmp_seq=0 ttl=64 time=0.045 ms

# ping -S 127.0.0.3 127.0.0.2
PING 127.0.0.2 (127.0.0.2) from 127.0.0.3: 56 data bytes
64 bytes from 127.0.0.2: icmp_seq=0 ttl=64 time=0.049 ms

# ping -S 127.0.0.1 127.0.0.2
PING 127.0.0.2 (127.0.0.2) from 127.0.0.1: 56 data bytes
64 bytes from 127.0.0.2: icmp_seq=0 ttl=64 time=0.047 ms

and any other possible combination is equally true.

also, to complete this part:

tcp4 0 0 200.152.81.2.50859 12.160.37.9.80 TIME_WAIT
tcp4 0 0 200.152.81.2.59209 12.160.37.9.80 ESTABLISHED
tcp4 0 0 127.0.0.3.3133 127.0.0.3.64240 ESTABLISHED
tcp4 0 0 127.0.0.3.64240 127.0.0.3.3133 ESTABLISHED
tcp4 0 0 127.0.0.2.3132 127.0.0.2.54063 ESTABLISHED
tcp4 0 0 127.0.0.2.54063 127.0.0.2.3132 ESTABLISHED
tcp4 0 0 12.160.37.9.80 200.152.83.36.53674 ESTABLISHED
tcp4 0 0 200.152.81.2.53863 12.160.37.9.80 ESTABLISHED
tcp4 0 0 127.0.0.3.3133 127.0.0.3.62291 ESTABLISHED
tcp4 0 0 127.0.0.3.62291 127.0.0.3.3133 ESTABLISHED
tcp4 0 0 200.152.81.2.57554 12.160.37.9.80 TIME_WAIT
tcp4 0 0 127.0.0.2.3132 127.0.0.2.51591 ESTABLISHED
tcp4 0 0 127.0.0.2.51591 127.0.0.2.3132 ESTABLISHED
tcp4 0 0 12.160.37.9.80 200.152.83.36.60380 ESTABLISHED
tcp4 0 0 200.152.81.2.61884 12.160.37.9.80 ESTABLISHED
tcp4 0 0 127.0.0.3.3133 127.0.0.3.49361 ESTABLISHED
tcp4 0 0 127.0.0.3.49361 127.0.0.3.3133 ESTABLISHED
tcp4 0 0 12.160.37.9.80 200.152.83.36.63253 ESTABLISHED
tcp4 0 0 127.0.0.2.3132 127.0.0.2.57914 TIME_WAIT
tcp4 0 0 12.160.37.9.80 200.152.83.36.52915 TIME_WAIT

where .83.36 is my IP, .81.2 is squid's external IP address, and the destination IP is
squid.nlanr.net

>> but it seems you have overlooked some important things, I write it again
>
> Maybe, maybe not.
>
>> squid0 is the transparent proxy and it *IS* forwarding correctly because
>> the access denied is coming from squid1 or squid2
>
> Then you probably either have an access control problem on squid1/2, or
> unique_hostname isn't set properly. Which one can be seen from the error
> and/or access.log.
>

ok, like I answered before, each instance has its unique name set in its
squid.conf, to be more specific

cachemaster (squid0)
squid1 (squid1)
squid2 (squid2)

also, please remember, I said in a former email I set

acl all 0.0.0.0
acl peers 0.0.0.0

I guess there is nothing to add since there is no wider expression for
IPv4 to say "pass all through", so certainly there is nothing to deny
at all - but squid1|2 denies ...

>> for me it seems that there is something wrong in 2.6 that when it gets
>> xforwarded packets from clients from peer 127.0.0.1 it does not
>> understand it
>
> Are you using the x-forwarded-for stuff? Or what are you trying to say
> here?

sure not

squid, when running in transparent mode, is marking "x-forwarded request-IP,
my-outgoing-IP", isn't it?

so it seems that squid1 or squid2, when running on 127*, does NOT understand
when my-outgoing-IP is 127.0.0.1 but does when it is any other

or is it possible that squid assumes it is getting just forwarded packets from
the OS when running on 127* but not already forwarded packets from a
peer?

>
>> because I tried with one instance on the local machine and another 2.6
>> parent on another machine and it works as it should
>
> To Squid it's the exact same thing.
>

>> also please remember that this scenario works perfect with 2.5, I do not
>> change anything else but the squid version (and of course the different
>> transparent configs for 2.6 on squid0 instance)
>
> Maybe, maybe not. Squid-2.5 hides some configuration errors in peering
> relations by falling back on direct on error. This is not done by
> default in 2.6.
>

no no, there is no maybe.

2.5 works perfectly and gets its stuff perfectly from either squid1 or
squid2 like you saw above.

squid0 does *NOT* go direct since I have

never_direct allow all
always_direct deny all

set; that means, if either squid1 or squid2 is down or denying access I
would get the "cannot select parent" error and no HTTP access would be
possible

>> in order to get you the cache.logs I need to wait for an early hour on a
>> workday to set it up, actually - if interested - I can send you them from
>> the working 2.5 setup but please tell me what you need from them, the
>> startup? because else there is only this kind of stuff in what probably
>> does not help anything here:
>
> Only if there are any messages logged at the time you see the error about
> the request which errors. Other messages can be ignored.
>

ok, I will do it these days, but maybe you would like to look meanwhile at where
squid gets confused here, because you said this should be the same on all
squid versions. Since there are no extra configurations for this case in
2.6, my 2.5 config should work I guess.

thanks
Michel

...

****************************************************
Datacenter Matik http://datacenter.matik.com.br
E-Mail e Data Hosting Service para Profissionais.
****************************************************
Received on Sat Jan 20 2007 - 01:50:31 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST
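An added check for the kind of three-instance peering setup discussed in this thread (example code written for this page, not Squid's own tooling and not the poster's files): it lints squid.conf fragments for ACL lines that lack a type in Squid's `acl <name> <type> <value>` syntax, peers that share a hostname (the name Squid puts in Via to detect forwarding loops), and instances with no http_access rule at all. The configuration fragments, ports and hostnames below are constructed assumptions modelled on the thread.

```python
# Constructed squid.conf fragments modelled on the thread's three instances (assumptions, not the poster's files).
SAMPLE_CONFS = {
    "squid0": """
http_port 127.0.0.1:8080 transparent
visible_hostname cachemaster
cache_peer 127.0.0.2 parent 3132 0 no-query
cache_peer 127.0.0.3 parent 3133 0 no-query
acl all 0.0.0.0
acl peers 0.0.0.0
http_access allow all
never_direct allow all
""",
    "squid1": """
http_port 127.0.0.2:3132
visible_hostname squid1
acl all src 0.0.0.0/0
http_access allow all
""",
    "squid2": """
http_port 127.0.0.3:3133
visible_hostname squid1
acl all src 0.0.0.0/0
""",
}
# Common ACL types; Squid expects "acl <name> <type> <value...>", so a second token outside this set means the type was omitted.
ACL_TYPES = {"src", "dst", "srcdomain", "dstdomain", "port", "proto", "method", "myip", "myport", "url_regex"}

def lint(confs):
    """Return (instance, message) findings for a set of peered Squid configs."""
    findings = []
    hostnames = {}  # hostname -> instances that announce it
    for name, text in confs.items():
        has_http_access = False
        for line in text.splitlines():
            tok = line.split()
            if not tok or tok[0].startswith("#"):
                continue
            if tok[0] == "acl" and (len(tok) < 4 or tok[2] not in ACL_TYPES):
                findings.append((name, f"acl '{tok[1]}' lacks a valid type: {line.strip()}"))
            elif tok[0] in ("visible_hostname", "unique_hostname"):
                hostnames.setdefault(tok[1], []).append(name)
            elif tok[0] == "http_access":
                has_http_access = True
        if not has_http_access:
            findings.append((name, "no http_access rules; Squid denies every request by default"))
    for host, users in hostnames.items():  # a reused name makes peers see each other's requests as a loop
        if len(users) > 1:
            findings.append(("/".join(users), f"hostname '{host}' reused by peers"))
    return findings
```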