RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

From: RicardoCh <racham_at_hotmail.com>
Date: Thu, 3 Sep 2009 00:32:41 -0300

Hi Chris, thanks for your support... I did everything you recommended, but
when I make a request to the website (running on the same server), this
error now appears in the browser:

•Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent
caches. The most likely cause for this error is that:

•The cache administrator does not allow this cache to make direct
connections to origin servers, and
•All configured parent caches are currently unreachable.

And the Apache2 webserver (I repeat: ON THE SAME SERVER AS SQUID 2.7)
launches this error:

Starting web server: apache2(98)Address already in use: make_sock: could not
bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
 failed!

But if I comment the line in the squid.conf, both errors (the browser and
Apache2) disappear completely ...

http_port 80 accel defaultsite=mysite.com vhost

Besides, I can access the site from the internal network and from outside,
but clearly only without accelerator mode ...

Ricardo

-----Original Message-----
From: Chris Robertson [mailto:crobertson_at_gci.net]
Sent: Wednesday, 02 September 2009 05:11 p.m.
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or
CONNECTION REFUSED or ACCESS DENIED

RicardoCh wrote:
> When I try, from the internal LAN, to load any page of my website running
> on the server (Debian Lenny iptables-apache2-Squid2.7-samba3, ALL ON THE
> SAME SERVER), Squid shows one of these 3 error pages:
>
> 1) Unable to forward this request at this time
> 2) (111) Connection refused
> 3) Access denied
>
> In Squid.conf I have these lines:
>
> http_port 192.168.000.1:3128 transparent
> http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
>
> cache_peer_access mysite.com allow MyWeb
> cache_peer_access mysite.com deny all
>
> Where the acl "MyWeb" is:
> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
> (The sites are all on the same Apache, Virtual directory)
>
> In iptables I have only these lines to the webserver:
>
> # WWW
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>
> $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT
> --to-ports 3128
>
>
> Any idea?
> Thanks in advance
>

Wow... You are intercepting ALL port 80 traffic and passing it to Squid
on port 3128. You have Squid in accelerator mode passing traffic to
itself. Finally, you have a cache_peer_access setup that doesn't match
any peers.

First, I would advise not redirecting traffic destined for the
accelerated site. Assuming mysite.com (and its variants) resolves to
192.168.0.1, replace your iptables redirection rule with...

   $IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE ! -d 192.168.0.1 -p
tcp --dport 80 -j REDIRECT --to-ports 3128

Next, don't have Squid listen on localhost port 80. That's where Apache
should be listening. Instead have Squid listen to the "publicly"
accessible IP address...

   http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost

Finally, the first argument to cache_peer_access should match SOMETHING
about the defined cache_peer. With the peer defined as...

   cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo

...use either the IP...

   cache_peer_access 127.0.0.1 allow MyWeb

...or the name...

   cache_peer_access Ricardo allow MyWeb

...in the cache_peer_access definition.

Chris
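The three mismatches Chris points out can be checked mechanically before restarting Squid. As an added example (not code from this thread or from the Squid project), the following Python script parses the squid.conf lines from the original question, constructed here as sample input, and reports a cache_peer_access whose first argument matches neither a peer's host nor its name= option, and an http_port that is the same host:port as a cache_peer target, i.e. Squid forwarding to itself.

```python
# Constructed sample: the squid.conf lines from the original question.
SAMPLE_CONF = """\
http_port 192.168.000.1:3128 transparent
http_port 127.0.0.1:80 accel defaultsite=mysite.com vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
cache_peer_access mysite.com allow MyWeb
cache_peer_access mysite.com deny all
acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
"""


def parse(conf):
    """Collect http_port listeners, cache_peer definitions and cache_peer_access targets."""
    ports, peers, access = [], [], []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "http_port":
            # "host:port" or a bare port; a bare port leaves host empty (all addresses)
            host, _, port = parts[1].rpartition(":")
            ports.append((host, int(port)))
        elif parts[0] == "cache_peer":
            # cache_peer <host> <type> <http_port> <icp_port> [options such as name=...]
            name = next((p[5:] for p in parts[5:] if p.startswith("name=")), parts[1])
            peers.append((parts[1], int(parts[3]), name))
        elif parts[0] == "cache_peer_access":
            access.append(parts[1])
    return ports, peers, access


def lint(conf):
    """Return the misconfigurations Chris describes, one string each."""
    ports, peers, access = parse(conf)
    problems = []
    # cache_peer_access must refer to a peer by its host or by its name= option
    known = {host for host, _, _ in peers} | {name for _, _, name in peers}
    for ref in sorted(set(access)):
        if ref not in known:
            problems.append(f"cache_peer_access '{ref}' matches no cache_peer host or name")
    # an http_port equal to a cache_peer's host:port makes Squid forward to itself
    for host, port in ports:
        for phost, pport, _ in peers:
            if host == phost and port == pport:
                problems.append(f"http_port {host}:{port} is also the cache_peer target")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONF):
        print(problem)
```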
Received on Thu Sep 03 2009 - 03:32:50 MDT
