RE: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD or CONNECTION REFUSED or ACCESS DENIED

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Sep 2009 10:42:00 +1200

On Mon, 7 Sep 2009 12:19:19 -0300, "RicardoCh" <racham_at_hotmail.com> wrote:
> Oh... Sorry, I sent this message to Amos yesterday, but by mistake, in the
> original pasted below, I thanked Henrik... My apologies, I thank you all,
> but that message was for you, Amos... Here it is again as it should be :-)
>
> Hi Amos,
>
> thanks for your help. All right now.
>
>
> I have done as you suggested: a bash script which first captures the
> dynamic IP with "ipofif", saving it in a log and in a file (which contains
> the "include" with the http_port). Then, from time to time (configured in
> crontab), the script takes the IP again and compares it with the previous
> one; if equal, nothing, but if it is different it rebuilds the include. So
> this runs every 15 minutes (cron).
>
> Now I have a weird problem.
> I can only access some domains (running on the same server as Squid and
> Apache2). That is, YES I can access mydomain.com, but NO, I cannot access
> www.mydomain.com.
>
> In Squid I have a line acl myweb dstdomain "/usr/squid/domain",
> where "domain" holds a list:
>
> *.mydomain.com
> www.mydomain.com
> *.otherdomain.com
> www.otherdomain.com
>
> In Apache2 each virtualhost is set to: *.midominio.com
> www.midominio.com
> etc ...
>
> I have seen in other forums from years ago that there were problems with
> the Squid dstdomain acl when you add multiple URLs to the same one ...
> Any ideas?

Remove the '*'. Wildcards are done with just a dot at the start of the
domain name.
http://www.squid-cache.org/Doc/config/acl/

Squid thinks it's a full FQDN text " *.mydomain.com " which will never match,
since * is never sent by the browser.

Amos

> Regards
> Ricardo
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Friday, 04 September 2009 01:12 a.m.
> To: Ricardo A
> CC: crobertson_at_gci.net; squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD
> or CONNECTION REFUSED or ACCESS DENIED
>
> Ricardo A wrote:
>>
>> Yes, you're right, you told me. But there is one detail that I did not
>> comment on then, to not lengthen the thing (and because I figured it did
>> not matter): the public IP is dynamic and is routed using a script to
>> ZoneEdit.
>
>> Then, because Amos told me to leave http_port 80 bind to all...
>
> Right, back when you were only speaking of Squid alone. That method is
> used with dynamic IPs to make Squid listen to every single IP the box
> has now and ever.
> Adding apache on the same box means either the IP has to be pre-known or
> apache listening on a strange port.
>
>>
>> About this, do you have any trick to set the dynamic IP in this Squid
>> sentence?
>> I have a small script, "Ipofif", inserted between variables in iptables,
>> and when run it shows the IP of the NIC... Could I "embed" it in some
>> way in this http_port line to supply the IP?
>>
>> Any solution? Or, if the problem is caused by the dynamic IP in
>> accelerator mode, will I have to remove it?
>
> You could make a script that gets called whenever the IP changes (I'm
> not sure how, maybe an ifupdown hook) generate a file, say
> /etc/squid/ports containing the http_port lines (only). And call
> reconfigure on squid whenever the IP changes.
>
> You would also need to have "include /etc/squid/ports" set in squid.conf
> to load the generated ports file.
>
> Amos
>
>
>> ----------------------------------------
>>> Date: Thu, 3 Sep 2009 11:39:27 -0800
>>> From: crobertson_at_gci.net
>>> To: squid-users_at_squid-cache.org
>>> Subject: Re: [squid-users] Squid 2.7: Request from LAN UNABLE to FORWARD
>>> or CONNECTION REFUSED or ACCESS DENIED
>>>
>>> Ricardo A wrote:
>>>> Dear Chris and Henrik,
>>>> I'm sorry, but now cannot access webpages from outside...
>>>> Yes I can from LAN...
>>>>
>>>> I repeat that this is a Debian Lenny webserver-fileserver-firewall
>>>> (iptables, Squid 2.7, Samba 3, Apache 2, all on the same machine).
>>>>
>>>> The setting:
>>>>
>>>> Squid 2.7
>>>>
>>>> http_port 192.168.000.1:3128 transparent
>>>> http_port 80 accel defaultsite=mysite.com vhost
>>>>
>>> As I stated in my first email, this line should be...
>>>
>>> http_port 192.168.0.1:80 accel defaultsite=mysite.com vhost
>>>
>>> ...because just using the port tells Squid to bind to all interfaces.
>>> You need to limit it to the public interface so Apache can bind to the
>>> loopback.
>>>
>>>> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Ricardo
>>>> cache_peer_access Ricardo mysite.com allow MyWeb
>>>> cache_peer_access Ricardo mysite.com deny all
>>>>
>>>> Where the acl "MyWeb" is:
>>>> acl myweb dstdomain mysite.com mysite1.com mysite2.com.ar
>>>>
>>>> (The sites are all on the same Apache, Virtual directory)
>>>>
>>>> Iptables:
>>>>
>>>> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>>>>
>>>> $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-ports 3128
>>>>
>>>> Apache 2:
>>>>
>>>> port.conf
>>>>
>>>> LISTEN 127.0.0.1:80
>>>> ------------
>>>> With these settings, Apache 2 again warns:
>>>>
>>>> apache2: (98)Address already in use: make_sock: could not bind to address [::]:80
>>>> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
>>>> no listening sockets available, shutting down
>>>> Unable to open logs
>>>>
>>>> Thanks in advance...
>>>> Ricardo
>>>>
>>> Chris
>>>
Received on Mon Sep 07 2009 - 22:42:07 MDT
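Amos's point about the leading dot, as an added example that is not part of the thread and not Squid's own code: a POSIX sh implementation of the documented dstdomain matching rule (a bare name matches only that host; ".mydomain.com" matches mydomain.com and everything under it; "*.mydomain.com" is a literal string that no browser ever sends), plus a cleaner for a domain list file of the kind Ricardo posted. The file contents in the test are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Squid's documented dstdomain rule (http://www.squid-cache.org/Doc/config/acl/):
#   example.com    matches only the host "example.com"
#   .example.com   matches "example.com" and every host under it
#   *.example.com  is just a literal string; no browser puts '*' in a Host
#                  header, so it never matches anything

# dstdomain_match PATTERN HOST: exit 0 if PATTERN would match HOST, else 1.
dstdomain_match() {
    pattern=$1
    host=$2
    case "$pattern" in
        .*)
            # leading dot: the bare domain itself, or anything ending in ".domain"
            [ "$host" = "${pattern#.}" ] && return 0
            case "$host" in
                *"$pattern") return 0 ;;
            esac
            return 1
            ;;
        *)
            # no leading dot: exact hostname only
            [ "$host" = "$pattern" ]
            ;;
    esac
}

# fix_dstdomain_list FILE: print a corrected list for use with
#   acl myweb dstdomain "/usr/squid/domain"
# "*.d" becomes ".d"; blanks, comments and case differences are normalised;
# entries already covered by a broader ".d" entry are dropped, because Squid
# itself warns that such an entry "is a subdomain of" the other and ignores it.
fix_dstdomain_list() {
    set -f   # entries are used unquoted below; never let a stray '*' glob-expand
    entries=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                  -e '/^$/d' -e '/^#/d' -e 's/^\*\./\./' "$1" \
              | tr 'A-Z' 'a-z' | LC_ALL=C sort -u)
    for entry in $entries; do
        covered=0
        for other in $entries; do
            [ "$other" = "$entry" ] && continue
            case "$other" in
                .*) dstdomain_match "$other" "${entry#.}" && covered=1 ;;
            esac
        done
        [ "$covered" -eq 0 ] && printf '%s\n' "$entry"
    done
    set +f
}
```

Running fix_dstdomain_list over Ricardo's four-line file yields just ".mydomain.com" and ".otherdomain.com"; the "www." lines are redundant once the leading-dot forms are in place, and keeping them only produces Squid's subdomain warnings at startup.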
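The ports-include approach Amos suggests, which Ricardo implemented with a cron job and which Chris's advice (bind the accelerator port to the public address so Apache can keep 127.0.0.1:80) depends on, written out as an added example; this is my script, not the one from the thread. Assumptions that are mine rather than the thread's: the public interface name is passed as the first argument, the address is read with iproute2's "ip" instead of Ricardo's "ipofif", the include file is /etc/squid/ports (squid.conf must carry "include /etc/squid/ports"), the LAN intercept address is 192.168.0.1, and the default site is mysite.com. Squid is only reconfigured when the address actually changes.

```shell
#!/bin/sh
# Added example, not the script from the thread. Keeps the accelerator
# http_port bound to the current public address, rewrites an included ports
# file only when that address changes, and reconfigures Squid only then.
# Assumed (not from the thread): interface name in $1, "ip" from iproute2,
# /etc/squid/ports as the include, 192.168.0.1 as the LAN address.
# Everything is overridable from the environment so cron, an
# /etc/network/if-up.d/ hook, and offline tests can all use the same file.

PORTS_FILE=${PORTS_FILE:-/etc/squid/ports}
STATE_FILE=${STATE_FILE:-/var/run/squid-public-ip}
LAN_ADDR=${LAN_ADDR:-192.168.0.1}
DEFAULT_SITE=${DEFAULT_SITE:-mysite.com}
# run after a change; set RECONFIGURE=true when testing without a Squid install
RECONFIGURE=${RECONFIGURE:-"squid -k reconfigure"}

# current_ip IFACE: print the first IPv4 address on IFACE, exit 1 if none
current_ip() {
    addr=$(ip -4 -o addr show dev "$1" 2>/dev/null \
           | awk '{ sub("/.*", "", $4); print $4; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# render_ports IP: the complete contents of the include file for this address.
# Only the accelerator port follows the public IP; the LAN intercept port
# stays on the fixed LAN address.
render_ports() {
    printf '# generated by squid-ports.sh, do not edit by hand\n'
    printf 'http_port %s:3128 transparent\n' "$LAN_ADDR"
    printf 'http_port %s:80 accel defaultsite=%s vhost\n' "$1" "$DEFAULT_SITE"
}

# update_ports IP: rewrite PORTS_FILE and reconfigure Squid when IP differs
# from the address recorded in STATE_FILE.
# Exit 0 = rewritten, 3 = unchanged (nothing done), 2 = rejected address.
update_ports() {
    new=$1
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$new" = "$old" ] && [ -s "$PORTS_FILE" ] && return 3
    # never let anything but a dotted quad reach squid.conf
    case "$new" in
        ''|*[!0-9.]*) echo "update_ports: rejecting address '$new'" >&2; return 2 ;;
    esac
    tmp="$PORTS_FILE.tmp.$$"
    render_ports "$new" > "$tmp" && mv "$tmp" "$PORTS_FILE"   # atomic replace
    printf '%s\n' "$new" > "$STATE_FILE"
    logger -t squid-ports "public IP '${old:-none}' -> '$new'" 2>/dev/null || true
    sh -c "$RECONFIGURE"
}

main() {
    iface=${1:?usage: $0 IFACE}
    addr=$(current_ip "$iface") || { echo "no IPv4 address on $iface" >&2; exit 1; }
    update_ports "$addr"
    rc=$?
    [ "$rc" -eq 3 ] && exit 0   # unchanged is the normal cron outcome
    exit "$rc"
}

# With no arguments the file only defines functions, so it can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Installed as, say, /usr/local/sbin/squid-ports.sh (path assumed), it can run from cron every 15 minutes as Ricardo does ("*/15 * * * * root /usr/local/sbin/squid-ports.sh eth0", interface name assumed), or from a wrapper in /etc/network/if-up.d/ that calls it with the IFACE variable ifupdown exports, which catches the change immediately instead of up to 15 minutes later. Between the address change and the reconfigure the accelerator listener is bound to the old address, so the accelerated sites are unreachable for that window; that is inherent in binding to a specific IP and is the cost of letting Apache keep loopback port 80.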

This archive was generated by hypermail 2.2.0 : Tue Sep 08 2009 - 12:00:02 MDT