Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 02 Sep 2009 12:11:00 -0800

RicardoCh wrote:
> When I try, from the internal LAN, to load any page of my website running on
> server (Debian Lenny iptables-apache2-Squid2.7-samba3, ALL ON SAME SERVER),
> Squid returns one of these 3 error pages:
>
> 1) Unable to forward this request at this time
> 2) (111) Connection refused
> 3) Access denied
>
> In Squid.conf I have these lines:
>
> http_port 192.168.000.1:3128 transparent
> http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
>
> cache_peer_access mysite.com allow MyWeb
> cache_peer_access mysite.com deny all
>
> Where the acl "MyWeb" is:
> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
> (The sites are all on the same Apache, Virtual directory)
>
> In iptables I have only these lines to the webserver:
>
> # WWW
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>
> $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128
>
>
> Any idea?
> Thanks in advance
>

Wow... You are intercepting ALL port 80 traffic and passing it to Squid
on port 3128. You have Squid in accelerator mode passing traffic to
itself. Finally, you have a cache_peer_access setup that doesn't match
any peers.

First, I would advise not redirecting traffic destined for the
accelerated site. Assuming mysite.com (and its variants) resolves to
192.168.0.1, replace your iptables redirection rule with...

   $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE ! -d 192.168.0.1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Next, don't have Squid listen on localhost port 80. That's where Apache
should be listening. Instead have Squid listen to the "publicly"
accessible IP address...

   http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost

Finally, the first argument to cache_peer_access should match SOMETHING
about the defined cache_peer. With the peer defined as...

   cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

...use either the IP...

   cache_peer_access 127.0.0.1 allow MyWeb

...or the name...

   cache_peer_access Ricardo allow MyWeb

...in the cache_peer_access definition.

Chris
Received on Wed Sep 02 2009 - 20:11:22 MDT
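The two squid.conf mistakes Chris points out (a cache_peer_access whose first argument names no defined peer, and an accel http_port that listens on the very host:port its originserver peer forwards to) are both mechanical enough to lint for before restarting Squid. The script below is an added example, not code from the thread or from the Squid project; the check functions, the "broken" sample mirroring the original post and the "fixed" sample mirroring the suggested corrections are all constructed here, and the parsing assumes the plain single-line forms of http_port, cache_peer and cache_peer_access shown above (no includes, no line continuations). The iptables exclusion rule is not checked by it.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Squid 2.7 accelerator config for
# the two misconfigurations discussed above. Assumes single-line directives.

# Every identifier a cache_peer_access line may legally use for a peer:
# the peer's host, plus any name=... tag on the same cache_peer line.
peer_ids() {
    awk '$1 == "cache_peer" {
            print $2
            for (i = 3; i <= NF; i++)
                if ($i ~ /^name=/) print substr($i, 6)
         }' "$1"
}

# Returns 0 if every cache_peer_access refers to a defined peer, 1 otherwise.
check_peer_refs() {
    conf="$1"; rc=0
    ids=$(peer_ids "$conf")
    for ref in $(awk '$1 == "cache_peer_access" {print $2}' "$conf"); do
        found=0
        for id in $ids; do
            [ "$id" = "$ref" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$conf: cache_peer_access '$ref' matches no cache_peer (defined: $(echo $ids))" >&2
            rc=1
        fi
    done
    return $rc
}

# Returns 0 if no accel http_port listens on the same host:port that an
# originserver peer points at (Squid forwarding to itself), 1 otherwise.
check_accel_loop() {
    conf="$1"; rc=0
    for listen in $(awk '$1 == "http_port" && /accel/ {print $2}' "$conf"); do
        for peer in $(awk '$1 == "cache_peer" && /originserver/ {print $2 ":" $4}' "$conf"); do
            if [ "$listen" = "$peer" ]; then
                echo "$conf: http_port $listen accel forwards to cache_peer $peer, i.e. to itself" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Runs both checks; 0 only if both pass.
check_squid_conf() {
    check_peer_refs "$1"; a=$?
    check_accel_loop "$1"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
}

# Constructed sample: the configuration from the original post.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
http_port 192.168.0.1:3128 transparent
http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
acl MyWeb dstdomain mysite.com mysite1.com mysite2.com.ar
cache_peer_access mysite.com allow MyWeb
cache_peer_access mysite.com deny all
EOF

# Constructed sample: the same config after the corrections suggested above.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
http_port 192.168.0.1:3128 transparent
http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
acl MyWeb dstdomain mysite.com mysite1.com mysite2.com.ar
cache_peer_access Ricardo allow MyWeb
cache_peer_access Ricardo deny all
EOF
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT

check_squid_conf "$BROKEN_CONF" || echo "broken config: problems found (as expected)"
check_squid_conf "$FIXED_CONF" && echo "fixed config: clean"
```

Run it as `sh lint_squid.sh`; to lint a real file, call `check_squid_conf /etc/squid/squid.conf` and act on a non-zero exit. The accel-loop check compares the literal host:port strings, so it will not catch the loop if one side is written as a hostname and the other as an address; `squid -k parse` will not catch either mistake, since both configs are syntactically valid.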

This archive was generated by hypermail 2.2.0 : Thu Sep 03 2009 - 12:00:02 MDT