Problem in working of Squid Proxy server with apache websever
Hi,
I'm trying to set up a Squid proxy server for my client in order to achieve caching functionality, but I could not make it work. Please find my topology and configuration details below.

Topology
____________
         eth0      eth0       eth1              eth1
10.1.1.1 ---- 10.1.1.2 ------ 20.1.1.2 ---------- 20.1.1.1

10.1.1.1 ----> Client
10.1.1.2 and 20.1.1.2 -----> PC running Squid proxy server on port 3128
20.1.1.1 ------> Webserver

Initially I had not started squid and tried connecting to the webserver from my client using http://20.1.1.1; I could connect and see the HTTP request and response on my client. Then I configured squid and redirected my HTTP traffic to the squid port. The client is not getting a response from the webserver after squid has been configured. I have shared my squid and webserver configurations below for reference. I need experts' help to make this happen.

iptables rule in squid server
______________________________
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

tcpdump in webserver during problem scenario
____________________________________________
14:23:19:034008 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:034008 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:034452 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:034558 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:034842 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:034921 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:035100 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:035272 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:0365 ARP, Request who-has 20.1.1.1 tell 20.1.1.2, length 46
14:23:19:0365 ARP, Reply 20.1.1. is-at 00:13:95:27:38:49 (oui unknown), length 28

What kind of packets are these? What happened to the TCP packets coming from my client?
squid.conf
____________
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow PURGE localhost
http_access deny PURGE
http_access allow manager localhost
http_access deny manager
http_access allow all
http_access allow localhost
icp_access allow all
http_port 3128
tcp_outgoing_address 20.1.1.2
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

webserver configuration and resolv.conf
__________________________________________
<VirtualHost *:80>
ServerAdmin root@localhost
ServerName localhost
ServerAlias /acpu2
DocumentRoot /home/sample/acpu2
ErrorLog /home/sample/acpu2/logs/error.log
CustomLog /home/sample/acpu2/logs/access.log combined
</VirtualHost>

resolv.conf
____________
search testserver.com
nameserver 8.8.8.8
nameserver 172.16.0.173

Please help me
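The http_access section of that squid.conf can be checked mechanically for ordering mistakes. This is an added example, not part of the post or of Squid itself: it reads the http_access rules in file order, applies Squid's first-match evaluation, and reports whether an "http_access allow all" line is reached and which rules after it can never fire. The config text is a constructed copy of the post's rules.

```python
# Constructed copy of the http_access section from the squid.conf in the post.
SQUID_CONF = """\
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
http_access allow PURGE localhost
http_access deny PURGE
http_access allow manager localhost
http_access deny manager
http_access allow all
http_access allow localhost
icp_access allow all
http_port 3128
"""


def http_access_rules(conf):
    """Return the http_access rules as (action, [acl names]) in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def audit_http_access(conf):
    """Squid walks http_access lines top-down and stops at the first line whose
    ACLs all match. Returns (open_to_all, unreachable): open_to_all is True
    when an 'allow all' line is reached, i.e. any client that can reach the
    port is served; unreachable lists the rules after it that can never fire."""
    rules = http_access_rules(conf)
    for i, (action, acls) in enumerate(rules):
        if action == "allow" and acls == ["all"]:
            dead = [f"{a} {' '.join(n)}" for a, n in rules[i + 1:]]
            return True, dead
    return False, []


if __name__ == "__main__":
    open_to_all, dead = audit_http_access(SQUID_CONF)
    print("allow all reached:", open_to_all)
    for rule in dead:
        print("unreachable:", rule)
```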
Well, I am unaware of this error;
Quote:
You didn't add a rule to ACCEPT the traffic coming from squid (3128) to destination port 80, did you? Unless you open the connections being accepted for port 3128, the redirect will happen but be refused from squid. If I am correct from the above, you can try something like this; Code:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
Now I can see the packets being logged in "access.log" of squid with the configurations below. But I have some issues and doubts about the configurations below, even though it's working.

Why do we need the IP rule configurations below?

IP rules
_________
# IPv4-only
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100

Iptables Rules
______________________
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

My other concern is that even though it's working, the browser takes a long time to respond. I can see packets coming continuously on port 80 and the count is increasing in the iptables rules. I really don't know what is happening and why it's taking so long to respond. I have pasted the tcpdump and squid access log below for your reference. I think the packets are looping. Please provide your expert views on this.

tail -f /var/log/squid3/access.log
1376315965.142 182774 172.30.11.122 TCP_REFRESH_FAIL/200 676 GET http://172.30.11.124/logs/sample.txt - DIRECT/172.30.11.124 text/plain [Host: 172.30.11.124\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20130109 Firefox/10.0.12\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nIf-Modified-Since: Fri, 26 Jul 2013 12:28:28 GMT\r\nIf-None-Match: "100007-32-4e26947a4e855"\r\n] [HTTP/1.1 200 OK\r\nDate: Fri, 02 Aug 2013 10:57:24 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nLast-Modified: Fri, 26 Jul 2013 12:28:28 GMT\r\nETag: "100007-32-4e26947a4e855"\r\nAccept-Ranges: bytes\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 63\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/plain\r\n\r]

root@debian:~# tcpdump -i eth0 "port 80"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:26:22.368227 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [S], seq 440858109, win 14600, options [mss 1460,sackOK,TS val 1116309460 ecr 0,nop,wscale 6], length 0
19:26:22.368272 IP 172.30.11.124.http > 172.30.11.122.44827: Flags [S.], seq 840821239, ack 440858110, win 14480, options [mss 1460,sackOK,TS val 2951944 ecr 1116309460,nop,wscale 5], length 0
19:26:22.368393 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1116309461 ecr 2951944], length 0
19:26:22.368525 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [P.], seq 1:395, ack 1, win 229, options [nop,nop,TS val 1116309461 ecr 2951944], length 394
19:26:22.368547 IP 172.30.11.124.http > 172.30.11.122.44827: Flags [.], ack 395, win 486, options [nop,nop,TS val 2951944 ecr 1116309461], length 0
19:26:22.369129 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2465572647, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2951944 ecr 2951944,nop,wscale 5], length 0
19:26:22.369250 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:23.365767 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2481145134, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2952194 ecr 2952194,nop,wscale 5], length 0
19:26:23.365883 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:25.369769 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2512457658, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2952695 ecr 2952695,nop,wscale 5], length 0
19:26:25.369887 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:29.373765 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2575020098, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2953696 ecr 2953696,nop,wscale 5], length 0
19:26:29.373888 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:37.389769 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2700270130, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2955700 ecr 2955700,nop,wscale 5], length 0
19:26:37.389889 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:53.437773 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2951020205, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2959712 ecr 2959712,nop,wscale 5], length 0
19:26:53.437893 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:27:23.954235 IP 172.30.11.124.http > 172.30.11.122.34517: Flags [S.], seq 4191664604, ack 1175097171, win 14480, options [mss 1460,sackOK,TS val 2967341 ecr 2967341,nop,wscale 5], length 0
19:27:23.954360 IP 172.30.11.122.34517 > 172.30.11.124.http: Flags [R], seq 1175097171, win 0, length 0
19:27:24.953761 IP 172.30.11.124.http > 172.30.11.122.34517: Flags [S.], seq 4207282257, ack 1175097171, win 14480, options [mss 1460,sackOK,TS val 2967591 ecr 2967591,nop,wscale 5], length 0
19:27:24.953880 IP 172.30.11.122.34517 > 172.30.11.124.http: Flags [R], seq 1175097171, win 0, length 0
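The SYN-ACK/RST pattern in that capture can be pulled out of the tcpdump text mechanically, which helps when deciding whether the "looping" is one retried handshake or many. This is an added example, not from the thread or from Squid: it parses lines in tcpdump's default TCP format and reports client ports that receive SYN-ACKs without ever having sent a SYN, which the client then answers with RST. The sample lines are a constructed subset of the capture above with the TCP options trimmed.

```python
import re
from collections import defaultdict

# Constructed subset of the tcpdump output from the post (options trimmed).
SAMPLE = """\
19:26:22.368227 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [S], seq 440858109, win 14600, length 0
19:26:22.368272 IP 172.30.11.124.http > 172.30.11.122.44827: Flags [S.], seq 840821239, ack 440858110, win 14480, length 0
19:26:22.368393 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [.], ack 1, win 229, length 0
19:26:22.369129 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2465572647, ack 1855512778, win 14480, length 0
19:26:22.369250 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:23.365767 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2481145134, ack 1855512778, win 14480, length 0
19:26:23.365883 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
"""

# tcpdump's default TCP line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"^(\S+) IP (\S+)\.(\w+) > (\S+)\.(\w+): Flags \[([^\]]*)\]")


def parse(text):
    """Yield (time, src, sport, dst, dport, flags) for each TCP line that matches."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.groups()


def find_orphan_synacks(text):
    """Map (client, port) -> (syn_acks, rsts) for flows where the client never
    sent a SYN yet receives SYN-ACKs and answers each one with a RST.
    Repeated hits on one port are the server side retrying the same handshake."""
    seen_syn = set()
    orphans = defaultdict(lambda: [0, 0])
    for _ts, src, sport, dst, dport, flags in parse(text):
        if flags == "S":
            seen_syn.add((src, sport, dst, dport))
        elif flags == "S." and (dst, dport, src, sport) not in seen_syn:
            orphans[(dst, dport)][0] += 1
        elif "R" in flags and (src, sport) in orphans:
            orphans[(src, sport)][1] += 1
    return {k: tuple(v) for k, v in orphans.items()}


if __name__ == "__main__":
    for (host, port), (synacks, rsts) in find_orphan_synacks(SAMPLE).items():
        print(f"{host}:{port} got {synacks} unsolicited SYN-ACK(s), sent {rsts} RST(s)")
```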