Re: [squid-users] TProxy Issues

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Mar 2009 14:29:04 +1300 (NZDT)

> Try define tcp_outgoing_address.
> AFAIK I'm using squid 2.7 should define tcp_outgoing for tproxy
> working properly.

This is not 2.7. This is 3.1.0.x.
Tproxy works very, very differently in 3.1.

Amos

>
> Johan
>
> On Thu, Mar 12, 2009 at 6:31 AM, Jamie Orzechowski <admin_at_ripnet.com>
> wrote:
>> Here is the config ... it does work fine in "transparent" mode just not
>> tproxy mode
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>>
>> acl localnet src 66.78.96.0/19
>> acl localnet src 64.235.192.0/19
>> acl localnet src 72.0.192.0/19
>> acl localnet src 192.168.1.0/24
>> acl localnet src 192.168.254.0/24
>>
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>>
>> hierarchy_stoplist cgi-bin ?
>>
>> acl directurls url_regex -i "/etc/squid3/direct-urls"
>> cache deny directurls
>> cache deny localnet
>> always_direct allow directurls
>> always_direct allow localnet
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny to_localhost
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> icp_access allow localnet
>> htcp_access allow localnet
>> icp_access deny all
>> htcp_access deny all
>> htcp_clr_access deny all
>> ident_lookup_access deny all
>>
>> http_port 66.78.102.2:3128
>> http_port 66.78.102.2:3129 tproxy
>>
>> cache_mgr support_at_ripnet.com
>>
>> acl snmp snmp_community s64hf2
>> snmp_access allow snmp all
>>
>> snmp_port 3401
>> snmp_incoming_address 192.168.1.8
>> snmp_outgoing_address 192.168.1.8
>>
>> shutdown_lifetime 10 seconds
>> pid_filename /var/run/squid3.pid
>> mime_table /usr/share/squid3/mime.conf
>> icon_directory /usr/share/squid3/icons
>> error_directory /usr/share/squid3/errors/en
>> cache_effective_user proxy
>> ignore_unknown_nameservers on
>> dns_nameservers 66.78.99.4 66.78.99.5
>>
>> max_open_disk_fds 0
>> cache_mem 1024 MB
>> minimum_object_size 0 KB
>> maximum_object_size 4 GB
>> maximum_object_size_in_memory 512 KB
>> memory_replacement_policy heap LFUDA
>> cache_replacement_policy heap LFUDA
>> cache_swap_low 90
>> cache_swap_high 95
>>
>> quick_abort_min -1 KB
>> quick_abort_max 16 KB
>> quick_abort_pct 95
>> access_log /var/log/squid3/access.log squid
>> cache_log /var/log/squid3/cache.log
>> cache_store_log none
>>
>> log_fqdn off
>> half_closed_clients off
>> server_persistent_connections on
>> client_persistent_connections on
>>
>> ipcache_size 16384
>> ipcache_low 90
>> ipcache_high 95
>>
>> fqdncache_size 8192
>> client_db off
>> pipeline_prefetch on
>> forwarded_for on
>>
>> store_dir_select_algorithm least-load
>>
>> cache_dir aufs /cache0/cache0 10000 16 256
>> cache_dir aufs /cache0/cache1 10000 16 256
>> cache_dir aufs /cache0/cache2 10000 16 256
>> cache_dir aufs /cache0/cache3 10000 16 256
>> cache_dir aufs /cache0/cache4 10000 16 256
>> cache_dir aufs /cache0/cache5 10000 16 256
>> cache_dir aufs /cache0/cache6 10000 16 256
>> cache_dir aufs /cache0/cache7 10000 16 256
>> cache_dir aufs /cache0/cache8 10000 16 256
>> cache_dir aufs /cache0/cache9 10000 16 256
>> cache_dir aufs /cache0/cache10 10000 16 256
>>
>> cache_dir aufs /cache1/cache0 10000 16 256
>> cache_dir aufs /cache1/cache1 10000 16 256
>> cache_dir aufs /cache1/cache2 10000 16 256
>> cache_dir aufs /cache1/cache3 10000 16 256
>> cache_dir aufs /cache1/cache4 10000 16 256
>> cache_dir aufs /cache1/cache5 10000 16 256
>> cache_dir aufs /cache1/cache6 10000 16 256
>> cache_dir aufs /cache1/cache7 10000 16 256
>> cache_dir aufs /cache1/cache8 10000 16 256
>> cache_dir aufs /cache1/cache9 10000 16 256
>> cache_dir aufs /cache1/cache10 10000 16 256
>>
>> cache_dir aufs /cache2/cache0 10000 16 256
>> cache_dir aufs /cache2/cache1 10000 16 256
>> cache_dir aufs /cache2/cache2 10000 16 256
>> cache_dir aufs /cache2/cache3 10000 16 256
>> cache_dir aufs /cache2/cache4 10000 16 256
>> cache_dir aufs /cache2/cache5 10000 16 256
>> cache_dir aufs /cache2/cache6 10000 16 256
>> cache_dir aufs /cache2/cache7 10000 16 256
>> cache_dir aufs /cache2/cache8 10000 16 256
>> cache_dir aufs /cache2/cache9 10000 16 256
>> cache_dir aufs /cache2/cache10 10000 16 256
>>
>> cache_dir aufs /cache3/cache0 20000 16 256
>> cache_dir aufs /cache3/cache1 20000 16 256
>> cache_dir aufs /cache3/cache2 20000 16 256
>> cache_dir aufs /cache3/cache3 20000 16 256
>> cache_dir aufs /cache3/cache4 20000 16 256
>> cache_dir aufs /cache3/cache5 20000 16 256
>> cache_dir aufs /cache3/cache6 20000 16 256
>> cache_dir aufs /cache3/cache7 20000 16 256
>> cache_dir aufs /cache3/cache8 20000 16 256
>> cache_dir aufs /cache3/cache9 20000 16 256
>> cache_dir aufs /cache3/cache10 20000 16 256
>> cache_dir aufs /cache3/cache11 20000 16 256
>> cache_dir aufs /cache3/cache12 20000 16 256
>> cache_dir aufs /cache3/cache13 20000 16 256
>> cache_dir aufs /cache3/cache14 20000 16 256
>> cache_dir aufs /cache3/cache15 20000 16 256
>> cache_dir aufs /cache3/cache16 20000 16 256
>> cache_dir aufs /cache3/cache17 20000 16 256
>> cache_dir aufs /cache3/cache18 20000 16 256
>> cache_dir aufs /cache3/cache19 20000 16 256
>> cache_dir aufs /cache3/cache20 20000 16 256
>> cache_dir aufs /cache3/cache21 20000 16 256
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
>> refresh_pattern -i \.(iso|img|avi|wav|mp3|mp4|mpg|mpeg|swf|flv|x-flv|wma|wmv)$ 43200 90% 432000 override-expire ignore-no-cache ign
>> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore
>> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
>> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 40% 40320
>>
>>
>>
>> Amos Jeffries wrote:
>>>>
>>>> I am using squid 3.1.0.6
>>>>
>>>> If I check the disk free while the cache is running I do not see any of
>>>> my cache directories incrementing at all.
>>>>
>>>> Any ideas?
>>>>
>>>
>>> Okay, so much for the easy answer. We will have to see your config to tell
>>> why it's not caching.
>>>
>>> Amos
>>>
>>>
>>>>
>>>> Amos Jeffries wrote:
>>>>
>>>>>
>>>>> Jamie Orzechowski wrote:
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> My post does not seem to be going to the list. Wondering if you have
>>>>>> any ideas?
>>>>>>
>>>>>> I think I have TPROXY working but running into some issues.
>>>>>> Checking my logs all my traffic shows up as a TCP_MISS
>>>>>>
>>>>>
>>>>> Squid 3.1.0.3? it has a storage problem that can show like this.
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> 1236698452.579 79 66.78.98.194 TCP_MISS/200 542 GET http://l1.zedo.com//log/p.gif? - DIRECT/72.247.244.10 image/gif
>>>>>> 1236698452.634 293 66.78.98.194 TCP_MISS/200 4972 GET http://blstb.msn.com/i/9B/DDD13A38CB8B34F4DFA3F7BFFF71.jpg - DIRECT/192.221.114.124 image/jpeg
>>>>>> 1236698452.878 100 66.78.98.194 TCP_MISS/200 1076 GET http://h.foxsports.com/HG? - DIRECT/64.154.81.231 image/gif
>>>>>> 1236698453.367 252 66.78.98.194 TCP_MISS/200 1368 GET http://www.myinternetservices.com/live/visitor/index.php? - DIRECT/72.232.167.111 image/gif
>>>>>> 1236698454.087 13 66.78.98.194 TCP_MISS/200 812 GET http://weyedata.pelmorex.com/WeatherEye/ObsData/CAON0090.xml - DIRECT/207.96.160.37 text/xml
>>>>>> 1236698455.251 116 66.78.98.194 TCP_MISS/200 1368 GET http://www.myinternetservices.com/live/visitor/index.php? - DIRECT/72.232.167.111 image/gif
>>>>>> 1236698456.570 6451 66.78.98.194 TCP_MISS/200 45898 GET http://www.facebook.com/profile.php? - DIRECT/69.63.176.140 text/html
>>>>>> 1236698456.876 77 66.78.98.194 TCP_MISS/200 2765 GET http://profile.ak.facebook.com/v227/2005/50/q638320646_36.jpg - DIRECT/209.170.91.178 image/jpeg
>>>>>>
>>>>>> My iptables is the following
>>>>>>
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>> /sbin/iptables -t mangle -N DIVERT
>>>>>> /sbin/iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> /sbin/iptables -t mangle -A DIVERT -j ACCEPT
>>>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>> /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>>>
>>>>>> any idea why I am not getting any TCP_HITS? ...
>>>>>>
>>>>>>
>>>>>
>>>>> Amos
>>>>>
>>>>
>>>> --
>>>> =-=-=-=-=-=-=-=-=-=-=-=-=
>>>> Jamie Orzechowski - CCNA
>>>> RipNET Ltd. System/Network Administrator
>>>> Tel.: 613-342-3946 x294
>>>>
>>>>
>>>> =-=-=-=-=-=-=-=-=-=-=-=-=
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
Received on Thu Mar 12 2009 - 01:29:09 MDT
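
Added example, not part of the thread and not Squid code: it applies the `cache` rules from the quoted config to the quoted access.log lines and reports the first rule each request matches. Squid does not store responses for requests that match a `cache deny` rule. The function names are hypothetical, and only `src` and `urlpath_regex` ACLs are modelled (an assumption of this example).

```python
from ipaddress import ip_address, ip_network
import re
# Constructed sample: directives and access.log lines excerpted from the thread.
SQUID_CONF = r"""
acl localnet src 66.78.96.0/19
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache deny localnet
"""
ACCESS_LOG = """\
1236698452.878 100 66.78.98.194 TCP_MISS/200 1076 GET http://h.foxsports.com/HG? - DIRECT/64.154.81.231 image/gif
1236698456.876 77 66.78.98.194 TCP_MISS/200 2765 GET http://profile.ak.facebook.com/v227/2005/50/q638320646_36.jpg - DIRECT/209.170.91.178 image/jpeg
"""

def parse_conf(text):
    """Collect src/urlpath_regex ACLs and the ordered cache rules (-i is skipped)."""
    acls, rules = {}, []
    for tok in map(str.split, text.splitlines()):
        if len(tok) > 3 and tok[0] == "acl" and tok[2] in ("src", "urlpath_regex"):
            acls.setdefault(tok[1], []).extend((tok[2], v) for v in tok[3:] if v != "-i")
        elif len(tok) > 2 and tok[0] == "cache":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(name, acls, ip, url):
    """Values of one ACL are ORed; ACL types not modelled here never match."""
    path = re.sub(r"^\w+://[^/]*", "", url)  # URL path plus query string
    return any(
        (kind == "src" and ip_address(ip) in ip_network(value, strict=False))
        or (kind == "urlpath_regex" and re.search(value, path))
        for kind, value in acls.get(name, []))

def first_cache_rule(acls, rules, ip, url):
    """First `cache` rule whose ACLs all match (ACLs on one line are ANDed)."""
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), acls, ip, url) != n.startswith("!")
               for n in names):
            return action, " ".join(names)
    return None

def audit(conf, log):
    """(client, url, first matching cache rule) for each access.log line."""
    acls, rules = parse_conf(conf)
    rows = [l.split() for l in log.splitlines() if len(l.split()) >= 7]
    return [(f[2], f[6], first_cache_rule(acls, rules, f[2], f[6])) for f in rows]

if __name__ == "__main__":
    for row in audit(SQUID_CONF, ACCESS_LOG):
        print(row)
```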
