webserver behind firewall and squid

ultraav · 06-17-2004, 04:25 AM

i have a webserver behind firewall and squid, but i cannot access it from the computers in the lan. (the webserver is accesible from the outside)

what can i do to make it accesible from local computers?

tk u

tanmaya · 06-17-2004, 06:02 AM

hi,

please make the position of webserver clear.
is it on the local LAN or it is connected to local LAN via the squid pc?

If on local LAN then check if u can ping the server.

Tanmay

ultraav · 06-17-2004, 06:50 AM

The gateway is doing firewall+nat+proxy(squid) for the local network. It has a routable IP associated with a domain from no-ip.org. Incoming traffic from the internet to port 80 on my gateway is directed via iptables to the webserver inside the local network. (this works just fine)
The webserver runs on a computer within LAN :192.168.0.x
It responds to queries like "http://192.168.0.x" from computers within LAN (but only if the browsers are configured to "bypass proxy for local addresses")

My problem is that squid running on the gateway is blocking queries like "http://xxxxxx.no-ip.org" from the computers within LAN.

Is there any solution to this problem other than configuring each browser to bypass proxy for domain xxxxxx.no-ip.org and running a nameserver for the lan?

linuxxed · 06-17-2004, 07:45 AM

Quote:

Originally posted by ultraav
The gateway is doing firewall+nat+proxy(squid) for the local network. It has a routable IP associated with a domain from no-ip.org. Incoming traffic from the internet to port 80 on my gateway is directed via iptables to the webserver inside the local network. (this works just fine)
The webserver runs on a computer within LAN :192.168.0.x
It responds to queries like "http://192.168.0.x" from computers within LAN (but only if the browsers are configured to "bypass proxy for local addresses")

My problem is that squid running on the gateway is blocking queries like "http://xxxxxx.no-ip.org" from the computers within LAN.

Is there any solution to this problem other than configuring each browser to bypass proxy for domain xxxxxx.no-ip.org and running a nameserver for the lan?

have you looked at the ACLs in squid.conf? You can do almost anything there .. even regular expressions are allowed.

BTW are you sure it is the squid blocking it? Can you see it in the logs? Have you increased the squid logging to check (squid -k debug)? Can you ping your gateway?

It may be that www.no-ip.org is resolving to the external address and your internal machines cannot ping that address.

ultraav · 06-17-2004, 08:10 AM

i have no experience working with squid, but the browser says
"
The following error was encountered:

* Connection Failed

The system returned:

(111) Connection refused

The remote host or network may be down. Please try the request again.

Your cache administrator is root. "

so....

tibby · 06-17-2004, 08:40 AM

You can't go from the private LAN, out through Squid, then back in through Squid to the webserver, infact I know no proxy/firewall that allows this. What you do is create a stub zone in your internal DNS and reference www.no-ip.org with the local IP. This will tell your internal clients to go directly to the machine.

HTH,
Tibby

peter_robb · 06-17-2004, 05:08 PM

You've got a classic routing loop..

A lan client resolves http://xxx.no-ip.org to your external address
Packets go from the client to the external interface which forwards by iptables rules to the www server in the LAN, however the source address is still a local client...
so the www server replies locally to the client , from it's local address.
The client expects replies from the resolved external address and ignores the local replies...

Install a lightweight dns proxy eg dnsmasq on the gateway, and create an entry resolving www.xxx.no-ip.org to the internal ip of the www server.
It's the same problem as browsing a dmz with internal numbers..
(Make the dns proxy listen on only the internal LAN interface)