RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

From: RicardoCh <racham_at_hotmail.com>
Date: Sun, 6 Sep 2009 16:56:41 -0300

Hi Henrik, thanks for your help. All right now.
I have done as you suggested: a bash script, which first captures the
dynamic IP with "ipofif", saving it in a log and in a file (which contains
the "include" with the http_port). Then, from time to time (configured in
crontab), the script takes the IP again, compares it with the previous one and
if equal does nothing, but if it is different rebuilds the include, so every 15
minutes (cron).

Now I have a weird problem.
I can only access some domains (running on the same server where Squid and
Apache2 are). That is, YES, I can access mydomain.com, but NO, I cannot access
www.mydomain.com.

In Squid I have a line acl myweb dstdomain "/usr/squid/domain".
Where "domain" holds a list:

*.mydomain.com
www.mydomain.com
*.otherdomain.com
www.otherdomain.com

In Apache2 each virtualhost is set: *.midominio.com www.midominio.com
etc ...

I have seen in other forums from years ago that there were problems with the Squid acl
dstdomain when you add multiple URLs to the same ...
Any ideas?
Regards
Ricardo

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Friday, 04 September 2009 01:12 a.m.
To: Ricardo A
CC: crobertson_at_gci.net; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or
CONNECTION REFUSED or ACCESS DENIED

Ricardo A wrote:
>
> Yes, you're right, you told me. But there is one detail that I did not
mention then, so as not to lengthen things (and because I figured it did not
matter): the public IP is dynamic and is routed using a script to ZoneEdit.
> Then, because Amos told me to leave http_port 80 bind to all...

Right, back when you were only speaking of Squid alone. That method is
used with dynamic IPs to make Squid listen to every single IP the box
has now and ever.
Adding apache on the same box means either the IP has to be pre-known or
apache listening on a strange port.

>
> About this, do you have any trick to set the dynamic IP in this Squid
sentence?
> I have a small script, "Ipofif", inserted between variables in iptables,
and when run it shows the IP of the NIC... Could I "embed" it in some way
in this line of http_port to supply the IP?
>
> Any solution? Or, if the problem is caused by the dynamic IP in accelerator
mode, will I have to remove it?

You could make a script that gets called whenever the IP changes (I'm
not sure how, maybe an ifupdown hook) generate a file, say
/etc/squid/ports containing the http_port lines (only). And call
reconfigure on squid whenever the IP changes.

You would also need to have "include /etc/squid/ports" set in squid.conf
to load the generated ports file.

Amos

> ----------------------------------------
>> Date: Thu, 3 Sep 2009 11:39:27 -0800
>> From: crobertson_at_gci.net
>> To: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD
or CONNECTION REFUSED or ACCESS DENIED
>>
>> Ricardo A wrote:
>>> Dear Chris and Henrik,
>>> I'm sorry, but now I cannot access webpages from outside...
>>> Yes I can from LAN...
>>>
>>> I repeat that it is a Debian Lenny webserver-fileserver-firewall
(iptables-Squid 2.7-Samba 3-Apache 2, all in the same machine).
>>>
>>> The setting:
>>>
>>> Squid 2.7
>>>
>>> http_port 192.168.000.1:3128 transparent
>>> http_port 80 accel defaultsite=mysite.com vhost
>>>
>> As I stated in my first email, this line should be...
>>
>> http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost
>>
>> ...because just using the port tells Squid to bind to all interfaces.
>> You need to limit it to the public interface so Apache can bind to the
>> loopback.
>>
>>> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
>>> cache_peer_access Ricardo mysite.com allow MyWeb
>>> cache_peer_access Ricardo mysite.com deny all
>>>
>>> Where the acl "MyWeb" is:
>>> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
>>>
>>> (The sites are all on the same Apache, Virtual directory)
>>>
>>> Iptables:
>>>
>>> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>>>
>>> $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128
>>>
>>> Apache 2:
>>>
>>> port.conf
>>>
>>> LISTEN 127.0.0.1:80
>>> ------------
>>> With these settings, Apache 2 again warns:
>>>
>>> apache2: (98)Address already in use: make_sock: could not bind to address [::]:80
>>> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
>>> no listening sockets available, shutting down
>>> Unable to open logs
>>>
>>> Thanks in advance...
>>> Ricardo
>>>
>> Chris
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Sun Sep 06 2009 - 19:56:51 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 07 2009 - 12:00:02 MDT
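The IP-change script Amos outlines and Ricardo says he implemented (capture the public IP, compare it with the last one, rebuild the http_port include only on change, then reconfigure Squid), written out as an added example; it is not code from the thread or from the Squid project. It substitutes `ip -4 addr` for Ricardo's "ipofif" helper, and the interface name, state-file path, LAN address and defaultsite value are assumed placeholders. The rendered lines follow Chris's advice above: the accelerator binds only to the public address so Apache can keep 127.0.0.1:80.

```shell
#!/bin/sh
# squid-ports.sh: rebuild Squid's http_port include when the public IP changes.
# Added example; the names and paths below are assumptions, not from the thread.

WAN_IFACE="${WAN_IFACE:-eth0}"                    # interface carrying the dynamic public IP
STATE="${STATE:-/var/lib/squid/last_public_ip}"   # last IP a ports file was generated for
PORTS="${PORTS:-/etc/squid/ports}"                # loaded by "include /etc/squid/ports" in squid.conf
LAN_IP="${LAN_IP:-192.168.0.1}"                   # LAN side, transparent interception port
DEFAULT_SITE="${DEFAULT_SITE:-mysite.com}"        # defaultsite= for the accelerator port
SQUID_BIN="${SQUID_BIN:-squid}"

# Stand-in for the thread's "ipofif" script: first IPv4 address on WAN_IFACE.
current_ip() {
    ip -4 -o addr show dev "$WAN_IFACE" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# The address is written into squid.conf, so accept nothing but a dotted quad
# (no shell metacharacters, no extra tokens that would become Squid options).
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs="$IFS"; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"
    [ "$n" -eq 4 ]
}

# http_port lines for a given public IP. The accelerator binds only to the
# public address, leaving 127.0.0.1:80 free for Apache.
render_ports() {
    printf 'http_port %s:3128 transparent\n' "$LAN_IP"
    printf 'http_port %s:80 accel defaultsite=%s vhost\n' "$1" "$DEFAULT_SITE"
}

# Compare against the stored IP; only on change rewrite the include (via a
# temp file and mv, so a reconfigure never reads a half-written file) and
# reconfigure Squid. Prints "changed" or "unchanged"; returns 2 on a bad address.
update_ports() {
    new="$1"
    if ! valid_ipv4 "$new"; then
        echo "squid-ports: refusing to use '$new' as public IP" >&2
        return 2
    fi
    old=""
    [ -r "$STATE" ] && old=$(cat "$STATE")
    if [ "$new" = "$old" ] && [ -s "$PORTS" ]; then
        echo unchanged
        return 0
    fi
    tmp="$PORTS.tmp.$$"
    render_ports "$new" > "$tmp" && mv "$tmp" "$PORTS"
    echo "$new" > "$STATE"
    "$SQUID_BIN" -k reconfigure || echo "squid-ports: reconfigure failed" >&2
    echo changed
}

# Cron entry point, e.g. every 15 minutes:  */15 * * * * /usr/local/sbin/squid-ports.sh run
if [ "${1:-}" = "run" ]; then
    update_ports "$(current_ip)"
fi
```

The validation step is the part worth keeping even if the rest is adapted: whatever produces the address (ifupdown hook, DHCP client hook, or a helper like "ipofif") ends up as text in squid.conf, and an empty or malformed value would otherwise silently turn into a bad `http_port` line or an extra option at the next reconfigure. Running it from cron rather than an interface hook, as Ricardo does, just means the ports file lags the address change by up to one cron interval.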