Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

From: Leslie Jensen <leslie_at_eskk.nu>
Date: Mon, 14 Jan 2013 17:00:01 +0100

2013-01-14 16:05, Eliezer Croitoru wrote:
> On 1/14/2013 1:48 PM, Leslie Jensen wrote:
>>
>> I've now upgraded squid to 3.2 and rewritten the firewall rule that
>> resulted in a forwarding loop.
>>
>> Unfortunately I've got no access now and I can't see where I've made the
>> error.
>>
>> The browser says squid is rejecting the requests:
>> Access control configuration prevents your request from being allowed at
>> this time.
>>
>>
>> 1358162295.975 0 172.18.0.1 TCP_MISS/403 4052 GET
>> http://www.skatteverket.se/ - HIER_NONE/- text/html
>> 1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET
>> http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
>> 1358162296.110 0 172.18.0.1 TCP_MISS/403 4166 GET
>> http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
>> 1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET
>> http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1
>> text/html
>> 1358162296.219 0 172.18.0.1 TCP_MISS/403 4058 GET
>> http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
>> 1358162296.219 1 172.18.0.102 TCP_MISS/403 4143 GET
>> http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html
>> 1358162296.239 0 172.18.0.1 TCP_MISS/403 4090 GET
>> http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
>> 1358162296.240 1 172.18.0.102 TCP_MISS/403 4175 GET
>> http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1 text/html
>>
>
> Look closely.. it's not squid.
> if it was squid you would have seen TCP_DENIED.
> you get a TCP_MISS which squid is ok with but a remote server DENIES you
> with a 403 response.
>
> I would say it looks pretty bad since every request seems to go into
> squid from two IP addresses which is like a loop.. but one which squid
> cannot recognize for an unknown reason.
>
> What have you done in the firewall to prevent the forwarding loop?
>
> By the way did you try to have a rule that allows all web requests
> from the local machine of the proxy to not be intercepted?
>
> Regards,
> Eliezer

I've tried two things.

First I disabled the rule that redirects the web traffic so that it goes
directly to the Internet.

It works.

Then with the above rule still disabled I made the browser aware of the
proxy by setting it manually in the browser settings.

Then I get the same behaviour.

I'm aware that tcp_miss should not be squid but with the redirecting
rule disabled I do not quite understand where it goes wrong.

I'll look into your suggestion and see if it helps.

Thanks :-)

/Leslie
Received on Mon Jan 14 2013 - 16:00:29 MST
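
The two log-reading checks discussed in this thread, as an added example that is not part of the original messages: it separates a 403 issued by Squid's own ACLs (TCP_DENIED) from a 403 relayed on a TCP_MISS, and flags requests whose "direct" destination address also appears as the client for the same URL within a second. The one-second window and the function names are assumptions; the sample entries are the ones quoted above with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Squid native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Entries from the log quoted in this thread, with wrapped lines rejoined.
SAMPLE = """\
1358162295.975 0 172.18.0.1 TCP_MISS/403 4052 GET http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110 0 172.18.0.1 TCP_MISS/403 4166 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1 text/html
"""

def parse(text):
    """Return one dict per well-formed access.log line; skip anything else."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def classify(entry):
    """Say who produced a 403: Squid's own ACLs or whatever answered upstream."""
    if "DENIED" in entry["result"]:
        return "squid-acl"
    return "upstream-403" if entry["status"] == "403" else "other"

def find_loops(entries, window=1.0):
    """Pair each request sent 'direct' to an address with a request for the
    same URL logged as coming *from* that address within `window` seconds."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[(e["client"], e["url"])].append(float(e["ts"]))
    loops = []
    for e in entries:
        if e["hier"] != "HIER_DIRECT":
            continue
        inner = by_client.get((e["peer"], e["url"]), [])
        if any(abs(float(e["ts"]) - t) <= window for t in inner):
            loops.append((e["client"], e["peer"], e["url"]))
    return loops

if __name__ == "__main__":
    for client, peer, url in find_loops(parse(SAMPLE)):
        print(f"{client} -> {peer} -> logged again as client: {url}")
```
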

This archive was generated by hypermail 2.2.0 : Tue Jan 15 2013 - 12:00:04 MST