Re: [squid-users] Transparent proxy. router + dedicated server

From: Rafal Ramocki <rafal.ramocki@dont-contact.us>
Date: Mon, 10 Mar 2008 16:20:49 +0100

Amos Jeffries pisze:
> Rafal Ramocki wrote:
>> Amos Jeffries wrote:
>>>> Hello,
>>>>
>>>> I have a problem with my squid setup. For quite a long time I've been
>>>> using Squid 2.6 STABLE-17. I decided to switch to squid 3.0 but there
>>>> is a problem.
>>>>
>>>> My configuration is:
>>>>
>>>> large network -> nat router (linux) -> router (hardware ATM) ->
>>>> internet
>>>> \ /
>>>> squid
>>>>
>>>> Most of the traffic is NAT'ed on the nat router, and forwarded to the
>>>> border hardware ATM router. HTTP traffic (port 80) is DNAT'ed to the
>>>> machine with squid. And that setup worked fine until now. But after
>>>> switching to 3.0 I have the following error message:
>>>>
>>>> ERROR
>>>> The requested URL could not be retrieved
>>>>
>>>> While trying to retrieve the URL: /
>>>>
>>>> The following error was encountered:
>>>>
>>>> * Invalid URL
>>>>
>>>> Here are a few directives from my configuration file.
>>>>
>>>> http_port 80 transparent
>>>> icp_port 0
>>>> htcp_port 0
>>>> tcp_outgoing_address X.X.X.X
>>>> dns_nameservers X.X.X.X
>>>>
>>>>
>>>> I have been working on it for quite a long time. I have been googling
>>>> but I have only found information about single-server setups. Even in
>>>> the squid FAQ there is only that configuration.
>>>>
>>>> Please help ;)
>>>
>>> What you have is in no way transparent. As long as DNAT was used it
>>> never has been.
>>
>> That setup worked for me for something about 4 years. Transparent for
>> me means with no configuration in browsers.
>>
>>> Transparent interception is done with REDIRECT (netfilter) or TPROXY-2
>>> when squid sits on the NAT box with the full NAT tables available to it.
>>
>> It is not possible in my case. My network is 3000+ nodes. Both
>> machines are under heavy load. And I just can't place squid, filtering
>> and traffic control on one single machine. I also don't want to place
>> squid after the router as long as that setup is less fail-proof.
>>
>>> Using DNAT to another box isolates squid from the information it
>>> needs to work transparently,
>>
>> Funny is that squid never needed that information ;)
>>
>>> but it can still be faked with a semi-open proxy
>>> config.
>>>
>>> You need the following for starters:
>>>
>>> # cope with standard web requests ...
>>> http_port 80 vhost
>>> # SECURE the access!!!!
>>> acl localnet src 10.0.0.0/8
>>> http_access deny !localnet
>>>
>>> ** alter the ACL to contain the IP ranges you are intercepting.
>>
>> I've already tried that similar configuration. And I've tried once
>> more. The result is:
>>
>> ERROR
>> The requested URL could not be retrieved
>>
>> While trying to retrieve the URL: http://www.debian.org/
>>
>> The following error was encountered:
>>
>> * Unable to forward this request at this time.
>>
>> This request could not be forwarded to the origin server or to any
>> parent caches. The most likely cause for this error is that:
>>
>> * The cache administrator does not allow this cache to make direct
>> connections to origin servers, and
>> * All configured parent caches are currently unreachable.
>>
>> In cache.log I have:
>>
>> 2008/03/10 09:16:53| Failed to select source for 'http://www.debian.org/'
>> 2008/03/10 09:16:53| always_direct = 0
>> 2008/03/10 09:16:53| never_direct = 0
>> 2008/03/10 09:16:53| timedout = 0
>>
>>
>> I think in that setup the cache_peer* directives are mandatory. But I
>> can't define the whole internet in that way ;)
>
> No, not mandatory. The semi-open-proxy config should be letting internal
> requests out in your setup.
>
>>
>>> NP: broken non-HTTP-compliant client software will still get that error
>>> page, but compliant software like most browsers will get through okay.
>>
>> That is OK for me. I also want to ensure that only HTTP traffic is
>> transmitted on port 80, and not for example p2p.
>>
>> Any ideas? Because I'm running out. :)
>
> This second problem you are now hitting (Unable to forward) shows a
> problem making general web requests.
>
> - check that the squid box is able to make outbound port-80 requests.
> (particularly without looping back through itself!)

Yes it can. When I configure the proxy in the browser it works fine. I have a
similar test environment. In the same configuration, when I'm redirecting
it works fine, and when I'm configuring the browser to use squid it works fine.
It doesn't work when I'm DNATing from the other machine.

> - check that the squid box can resolve the domain its fetching

The squid box can resolve DNS. Squid itself should resolve too.
The configuration is the same as in the squid I'm currently using (2.6 STABLE-17).

--
Rafal Ramocki
Received on Mon Mar 10 2008 - 09:21:15 MDT
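The "SECURE the access!!!!" remark above is the security-relevant point of the semi-open-proxy config: an `http_port ... vhost` listener will relay any request whose Host header names a reachable site, so without a source ACL it is an open proxy. As an added example (not code from the thread or from Squid), here is a small Python checker that applies Squid's first-match `http_access` semantics to a squid.conf fragment and reports interception ports that would serve requests from an address outside every `src` ACL. It models only `src` ACLs and the built-in `all`; the two config fragments and the probe address 198.51.100.7 are constructed.

```python
import ipaddress

# Constructed squid.conf fragments: OPEN_CONF leaves the vhost listener open to
# any source, SECURED_CONF is the locked-down form suggested in the thread.
OPEN_CONF = """
http_port 80 vhost
http_access allow all
"""
SECURED_CONF = """
http_port 80 vhost
acl localnet src 10.0.0.0/8
http_access deny !localnet
http_access allow localnet
"""

def parse_conf(text):
    """Return interception ports, src ACLs {name: [networks]} and http_access rules."""
    ports, rules = [], []
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # Squid's built-in ACL
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not parts:
            continue
        if parts[0] == "http_port" and set(parts[2:]) & {"vhost", "transparent", "intercept"}:
            ports.append(parts[1])
        elif parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(ipaddress.ip_network(n, strict=False) for n in parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return ports, acls, rules

def client_allowed(rules, acls, client_ip):
    """First-match http_access evaluation for a request from client_ip (src ACLs only)."""
    ip = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        matched = True
        for term in terms:  # all terms on one line are ANDed together
            negated = term.startswith("!")
            hit = any(ip in net for net in acls.get(term.lstrip("!"), []))  # unknown ACL: no match
            if hit == negated:  # a negated hit or a plain miss breaks the AND
                matched = False
                break
        if matched:
            return action == "allow"
    # No line matched: Squid does the opposite of the last line (deny if there are none).
    return bool(rules) and rules[-1][0] != "allow"

def open_proxy_ports(conf_text, probe_ip="198.51.100.7"):
    # Interception ports that would relay a request from an address outside every ACL.
    ports, acls, rules = parse_conf(conf_text)
    return ports if client_allowed(rules, acls, probe_ip) else []
```

Note that Amos's single `http_access deny !localnet` line is sufficient on its own: an internal client matches no line, and the implicit default is then the opposite of that last `deny`.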

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT