Re: [squid-users] TProxy Issues

From: Jamie Orzechowski <admin_at_ripnet.com>
Date: Wed, 11 Mar 2009 19:31:45 -0400

Here is the config ... it does work fine in "transparent" mode, just not in tproxy mode.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 66.78.96.0/19
acl localnet src 64.235.192.0/19
acl localnet src 72.0.192.0/19
acl localnet src 192.168.1.0/24
acl localnet src 192.168.254.0/24

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

hierarchy_stoplist cgi-bin ?

acl directurls url_regex -i "/etc/squid3/direct-urls"
cache deny directurls
cache deny localnet
always_direct allow directurls
always_direct allow localnet

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
htcp_access allow localnet
icp_access deny all
htcp_access deny all
htcp_clr_access deny all
ident_lookup_access deny all

http_port 66.78.102.2:3128
http_port 66.78.102.2:3129 tproxy

cache_mgr support_at_ripnet.com

acl snmp snmp_community s64hf2
snmp_access allow snmp all

snmp_port 3401
snmp_incoming_address 192.168.1.8
snmp_outgoing_address 192.168.1.8

shutdown_lifetime 10 seconds
pid_filename /var/run/squid3.pid
mime_table /usr/share/squid3/mime.conf
icon_directory /usr/share/squid3/icons
error_directory /usr/share/squid3/errors/en
cache_effective_user proxy
ignore_unknown_nameservers on
dns_nameservers 66.78.99.4 66.78.99.5

max_open_disk_fds 0
cache_mem 1024 MB
minimum_object_size 0 KB
maximum_object_size 4 GB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95

quick_abort_min -1 KB
quick_abort_max 16 KB
quick_abort_pct 95

access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log none

log_fqdn off
half_closed_clients off
server_persistent_connections on
client_persistent_connections on

ipcache_size 16384
ipcache_low 90
ipcache_high 95

fqdncache_size 8192
client_db off
pipeline_prefetch on
forwarded_for on

store_dir_select_algorithm least-load

cache_dir aufs /cache0/cache0 10000 16 256
cache_dir aufs /cache0/cache1 10000 16 256
cache_dir aufs /cache0/cache2 10000 16 256
cache_dir aufs /cache0/cache3 10000 16 256
cache_dir aufs /cache0/cache4 10000 16 256
cache_dir aufs /cache0/cache5 10000 16 256
cache_dir aufs /cache0/cache6 10000 16 256
cache_dir aufs /cache0/cache7 10000 16 256
cache_dir aufs /cache0/cache8 10000 16 256
cache_dir aufs /cache0/cache9 10000 16 256
cache_dir aufs /cache0/cache10 10000 16 256

cache_dir aufs /cache1/cache0 10000 16 256
cache_dir aufs /cache1/cache1 10000 16 256
cache_dir aufs /cache1/cache2 10000 16 256
cache_dir aufs /cache1/cache3 10000 16 256
cache_dir aufs /cache1/cache4 10000 16 256
cache_dir aufs /cache1/cache5 10000 16 256
cache_dir aufs /cache1/cache6 10000 16 256
cache_dir aufs /cache1/cache7 10000 16 256
cache_dir aufs /cache1/cache8 10000 16 256
cache_dir aufs /cache1/cache9 10000 16 256
cache_dir aufs /cache1/cache10 10000 16 256

cache_dir aufs /cache2/cache0 10000 16 256
cache_dir aufs /cache2/cache1 10000 16 256
cache_dir aufs /cache2/cache2 10000 16 256
cache_dir aufs /cache2/cache3 10000 16 256
cache_dir aufs /cache2/cache4 10000 16 256
cache_dir aufs /cache2/cache5 10000 16 256
cache_dir aufs /cache2/cache6 10000 16 256
cache_dir aufs /cache2/cache7 10000 16 256
cache_dir aufs /cache2/cache8 10000 16 256
cache_dir aufs /cache2/cache9 10000 16 256
cache_dir aufs /cache2/cache10 10000 16 256

cache_dir aufs /cache3/cache0 20000 16 256
cache_dir aufs /cache3/cache1 20000 16 256
cache_dir aufs /cache3/cache2 20000 16 256
cache_dir aufs /cache3/cache3 20000 16 256
cache_dir aufs /cache3/cache4 20000 16 256
cache_dir aufs /cache3/cache5 20000 16 256
cache_dir aufs /cache3/cache6 20000 16 256
cache_dir aufs /cache3/cache7 20000 16 256
cache_dir aufs /cache3/cache8 20000 16 256
cache_dir aufs /cache3/cache9 20000 16 256
cache_dir aufs /cache3/cache10 20000 16 256
cache_dir aufs /cache3/cache11 20000 16 256
cache_dir aufs /cache3/cache12 20000 16 256
cache_dir aufs /cache3/cache13 20000 16 256
cache_dir aufs /cache3/cache14 20000 16 256
cache_dir aufs /cache3/cache15 20000 16 256
cache_dir aufs /cache3/cache16 20000 16 256
cache_dir aufs /cache3/cache17 20000 16 256
cache_dir aufs /cache3/cache18 20000 16 256
cache_dir aufs /cache3/cache19 20000 16 256
cache_dir aufs /cache3/cache20 20000 16 256
cache_dir aufs /cache3/cache21 20000 16 256

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|img|avi|wav|mp3|mp4|mpg|mpeg|swf|flv|x-flv|wma|wmv)$ 43200 90% 432000 override-expire ignore-no-cache ign
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 40% 40320

Amos Jeffries wrote:
>> I am using squid 3.1.0.6
>>
>> If I check the disk free while the cache is running I do not see any of
>> my cache directories incrementing at all.
>>
>> Any ideas?
>>
>
> Okay, so much for the easy answer. We will have to see your config to tell
> why it's not caching.
>
> Amos
>
>
>> Amos Jeffries wrote:
>>
>>> Jamie Orzechowski wrote:
>>>
>>>> Hi,
>>>>
>>>> My post does not seem to be going to the list. Wondering if you have
>>>> any ideas?
>>>>
>>>> I think I have TPROXY working but running into some issues.
>>>> Checking my logs, all my traffic shows up as TCP_MISS
>>>>
>>> Squid 3.1.0.3? It has a storage problem that can show like this.
>>>
>>>
>>>
>>>> 1236698452.579 79 66.78.98.194 TCP_MISS/200 542 GET
>>>> http://l1.zedo.com//log/p.gif? - DIRECT/72.247.244.10 image/gif
>>>> 1236698452.634 293 66.78.98.194 TCP_MISS/200 4972 GET
>>>> http://blstb.msn.com/i/9B/DDD13A38CB8B34F4DFA3F7BFFF71.jpg -
>>>> DIRECT/192.221.114.124 image/jpeg
>>>> 1236698452.878 100 66.78.98.194 TCP_MISS/200 1076 GET
>>>> http://h.foxsports.com/HG? - DIRECT/64.154.81.231 image/gif
>>>> 1236698453.367 252 66.78.98.194 TCP_MISS/200 1368 GET
>>>> http://www.myinternetservices.com/live/visitor/index.php? -
>>>> DIRECT/72.232.167.111 image/gif
>>>> 1236698454.087 13 66.78.98.194 TCP_MISS/200 812 GET
>>>> http://weyedata.pelmorex.com/WeatherEye/ObsData/CAON0090.xml -
>>>> DIRECT/207.96.160.37 text/xml
>>>> 1236698455.251 116 66.78.98.194 TCP_MISS/200 1368 GET
>>>> http://www.myinternetservices.com/live/visitor/index.php? -
>>>> DIRECT/72.232.167.111 image/gif
>>>> 1236698456.570 6451 66.78.98.194 TCP_MISS/200 45898 GET
>>>> http://www.facebook.com/profile.php? - DIRECT/69.63.176.140 text/html
>>>> 1236698456.876 77 66.78.98.194 TCP_MISS/200 2765 GET
>>>> http://profile.ak.facebook.com/v227/2005/50/q638320646_36.jpg -
>>>> DIRECT/209.170.91.178 image/jpeg
>>>>
>>>> My iptables is the following
>>>>
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> /sbin/iptables -t mangle -N DIVERT
>>>> /sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> /sbin/iptables -t mangle -A DIVERT -j ACCEPT
>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>>>> --tproxy-mark 0x1/0x1 --on-port 3129
>>>> //
>>>> any idea why I am not getting any TCP_HITS? ...
>>>>
>>>>
>>> Amos
>>>
>> --
>> =-=-=-=-=-=-=-=-=-=-=-=-=
>> Jamie Orzechowski - CCNA
>> RipNET Ltd. System/Network Administrator
>> Tel.: 613-342-3946 x294
>>
>>
>> THIS MESSAGE IS INTENDED ONLY FOR THE ADDRESSEE,
>> IT MAY CONTAIN PRIVILEGED OR CONFIDENTIAL INFORMATION.
>> ANY UNAUTHORIZED DISCLOSURE IS STRICTLY PROHIBITED.
>> IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR,
>> PLEASE NOTIFY ME IMMEDIATELY SO THAT I MAY CORRECT MY
>> INTERNAL RECORDS. PLEASE THEN DELETE THE ORIGINAL MESSAGE.
>> =-=-=-=-=-=-=-=-=-=-=-=-=
>>
>>
>>
>
>
>
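As an added diagnostic (not code from this thread or from Squid itself), the script below counts the result codes in squid native-format access.log lines and reports which `cache deny` ACLs from the posted squid.conf match each request. It models only `src` and `urlpath_regex` ACLs, and both the log sample and the config excerpt are constructed from the lines quoted in this thread.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit
# Constructed sample: two lines in the shape of the access.log excerpt in this thread.
SAMPLE_LOG = """\
1236698452.579 79 66.78.98.194 TCP_MISS/200 542 GET http://l1.zedo.com//log/p.gif? - DIRECT/72.247.244.10 image/gif
1236698456.876 77 66.78.98.194 TCP_MISS/200 2765 GET http://profile.ak.facebook.com/v227/2005/50/q638320646_36.jpg - DIRECT/209.170.91.178 image/jpeg
"""

# Constructed excerpt of the posted squid.conf: only the ACL and cache lines that decide storage.
SAMPLE_CONF = """\
acl localnet src 66.78.96.0/19
acl QUERY urlpath_regex cgi-bin \\?
cache deny QUERY
cache deny localnet
"""

def result_counts(log_text):
    """Count cache result codes (TCP_MISS, TCP_HIT, ...) in squid native-format lines."""
    fields = [line.split() for line in log_text.splitlines()]
    return Counter(f[3].split("/")[0] for f in fields if len(f) >= 7)

def parse_acls(conf):
    """Map ACL name -> (type, values); only 'src' and 'urlpath_regex' ACLs are modelled."""
    acls = {}
    for line in conf.splitlines():
        p = line.split()
        if len(p) >= 4 and p[0] == "acl" and p[2] in ("src", "urlpath_regex"):
            acls.setdefault(p[1], (p[2], []))[1].extend(p[3:])
    return acls

def acl_matches(acl, client_ip, url):
    """Evaluate one ACL against a request: src by network, urlpath_regex by regex."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    u = urlsplit(url)                 # urlpath_regex is tested against path plus '?query'
    path = u.path + ("?" + u.query if "?" in url else "")
    return any(re.search(v, path) for v in values)

def cache_denied_by(conf, client_ip, url):
    """Names of 'cache deny' ACLs matching this request; any match means nothing is stored."""
    acls = parse_acls(conf)
    denies = [l.split()[2] for l in conf.splitlines() if l.startswith("cache deny ")]
    return [n for n in denies if n in acls and acl_matches(acls[n], client_ip, url)]
```

Run against the quoted log, the client 66.78.98.194 falls inside `acl localnet src 66.78.96.0/19`, so `cache deny localnet` matches every request, and the URLs ending in `?` additionally match `QUERY`. Such requests are never stored, which is consistent with a log showing only TCP_MISS and cache directories that never grow.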
Received on Wed Mar 11 2009 - 23:31:47 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 12 2009 - 12:00:02 MDT