LinuxQuestions.org


ajitup 08-10-2009 11:43 PM

Problem with configuration of Squid server behind a squid
 
Problem with configuration of Squid-1 server that has an "authenticated Squid-2 parent".

Squid-2 parent's Proxy detail: 10.31.31.10 port-3128 + userid/passwd

Squid-1 server IP :
eth0 -- 10.126.2.101 (connected to Squid-2)
eth1 -- 192.168.1.1 (connected to LAN through an ethernet switch, DHCP configured, LAN PCs take IPs from 192.168.1.2 - 192.168.1.254)

I am trying to access internet on LAN PCs, but all efforts have gone in vain.
OS: SuSE 11.0 64 bit
--------------------------
The detail of squid.conf is listed below:

cache_peer 10.31.31.10 parent 3128 3130 no-query
prefer_direct off
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.1.1
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Saf_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl purge method PURGE
acl CONNECT method CONNECT
access_log /var/log/squid/access.log
acl plasma_net src 192.168.1.2
acl plasma_net src 192.168.1.3
acl plasma_net src 192.168.1.4
acl plasma_net src 192.168.1.5
http_access allow plasma_net
acl lan src 10.126.2.101 192.168.1.1
http_access allow localhost
http_access allow lan
http_access allow all
http_access allow localnet
http_access deny all
acl ftp proto FTP
http_access allow ftp
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all
icp_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 192.168.1.1:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
ftp_passive on
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern (cgi-bin|\?) 0 0 0
refresh_pattern . 0 20 4320
always_direct allow all
connect_timeout 2 minutes
client_lifetime 1 days
cache_mgr webmaster
visible_hostname plasma1
icp_port 3130
error_directory /usr/share/squid/errors/English
coredump_dir /var/cache/squid
cache_swap_high 95


When any LAN PC tries to use the internet, I get the following error in my access.log:

1249380237.766 294 192.168.1.4 TCP_MISS/503 2419 GET ........
1249380328.894 290 192.168.1.4 TCP_MISS/503 2468 GET ........

and the user gets the following error:

while trying to retrieve the URL.............. The following error was encountered: Connection to 69.147.76.15 Failed. The system returned: (101) Network is unreachable

[whereas I am able to access the above URL/IP from the server at the same time]

Also, I have disabled the firewall for now (my ISP is highly secure / protected).

PLEASE, HELP me resolve this issue.

chitambira 08-11-2009 03:00 AM

Your squid.conf is not sane at all, and I guess you need to do a great deal of studying of Squid access controls, but I will not go into that now. I just wanted to point out that while you are requesting help with parenting, you still need a great deal of help with the whole of Squid.

Well, that being said, you need to supply the username and password for the parent. You also need to make sure that you can reach port 3128 of the parent from this child.
Try;
Quote:

cache_peer 10.31.31.10 parent 3128 3130 no-query no-digest login=userid:passwd
never_direct allow all

ajitup 08-11-2009 04:12 AM

Quote:

Originally Posted by chitambira (Post 3638858)
Your squid.conf is not sane at all, and I guess you need to do a great deal of studying of Squid access controls, but I will not go into that now. I just wanted to point out that while you are requesting help with parenting, you still need a great deal of help with the whole of Squid.

Well, that being said, you need to supply the username and password for the parent. You also need to make sure that you can reach port 3128 of the parent from this child.
Try;


Thanks for your reply!

I agree that I am a Linux newbie and have a lot to learn regarding Squid. I did change the squid.conf as suggested, but the problem remains the same. I again get the same errors in access.log.

thanks again.

chitambira 08-11-2009 05:55 AM

You have other directives which are working against your goal, e.g.
Quote:

always_direct allow all
so it's better to sanitise your conf first. I suggest you start with a clean, minimalist config file. Remove all unnecessary directives and ACLs, post that conf file here, and then we can help you from the bottom up.

ajitup 08-11-2009 11:49 PM

Thanks for your reply. I changed squid.conf and now on the LAN PCs (with proxy set to 192.168.1.1:3128) I get the authentication window with the following caption:

------------------------------------------
The proxy 192.168.1.1:3128 is requesting a username and password. The site says: "RRCAT proxy-caching web server"
------------------------------------------


Once I fill in the userid/passwd, it gives the same error. I get a similar caption when I connect to the internet from my server. The difference is that it gives the IP address 10.31.31.10 instead of 192....; and after giving the uid/passwd I get to the internet from the server.


Now my squid.conf is as:
---------------
cache_peer 10.31.31.10 parent 3128 3130 no-query no-digest login=userid:passwd
never_direct allow all
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
acl lan src 10.126.2.101 192.168.1.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname plasma1
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
http_port 3128 transparent
cache_mem 8 MB

coredump_dir /var/spool/squid
cache_mem 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 100 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
cache_swap_low 90
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
ftp_passive on
connect_timeout 2 minutes
client_lifetime 1 days
cache_mgr webmaster
visible_hostname plasma1
icp_port 3130
error_directory /usr/share/squid/errors/English
coredump_dir /var/cache/squid
cache_swap_high 95
---------------------

Thanks again.

Previously the access.log was showing this:
--------------------------------------
1249981609.704 288 192.168.1.4 TCP_MISS/503 2455 GET http://www.google.com/ - DIRECT/209.85.231.147 text/html
1249981679.435 282 192.168.1.4 TCP_MISS/503 2468 GET http://www.google.com/ - DIRECT/209.85.231.147 text/html
----------------------------------------
but I did some changes and now the access log shows:
----------------------------------------
1250052501.170 23 192.168.1.4 TCP_MISS/407 1840 GET http://www.google.com/ - FIRST_UP_PARENT/10.31.31.10 text/html
1250052669.096 11 192.168.1.4 TCP_MISS/407 1840 GET http://www.google.com/ - FIRST_UP_PARENT/10.31.31.10 text/html
1250052678.326 12 192.168.1.4 TCP_MISS/407 1840 GET http://www.google.com/ - FIRST_UP_PARENT/10.31.31.10 text/html
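
The two access.log excerpts above already say where each request failed. Squid's native log format is: timestamp, elapsed milliseconds, client IP, result/HTTP-status, bytes, method, URL, ident, hierarchy/peer, content type. The DIRECT/503 lines show the child ignoring the parent and trying the origin itself (hence "Network is unreachable"), while FIRST_UP_PARENT/407 shows the request did reach the parent, which answered with a proxy-authentication challenge. The script below is an added example, not code from this thread or from Squid: its log lines are constructed from the fields shown above (the final 200 line is invented to show a healthy entry), and the remedy text for each class reflects what was suggested in this thread.

```python
"""Triage Squid access.log lines by where the request was routed.

Added example for this thread; it is not the poster's code nor part of Squid.
The log lines below are constructed from the fields the thread shows (native
'squid' log format); the final 200 line is invented to show a healthy entry.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed sample: two DIRECT/503 lines (before never_direct was set),
# two FIRST_UP_PARENT/407 lines (parent demanding credentials), one success.
SAMPLE_LOG = """\
1249981609.704    288 192.168.1.4 TCP_MISS/503 2455 GET http://www.google.com/ - DIRECT/209.85.231.147 text/html
1249981679.435    282 192.168.1.4 TCP_MISS/503 2468 GET http://www.google.com/ - DIRECT/209.85.231.147 text/html
1250052501.170     23 192.168.1.4 TCP_MISS/407 1840 GET http://www.google.com/ - FIRST_UP_PARENT/10.31.31.10 text/html
1250052669.096     11 192.168.1.4 TCP_MISS/407 1840 GET http://www.google.com/ - FIRST_UP_PARENT/10.31.31.10 text/html
1250052800.000    150 192.168.1.4 TCP_MISS/200 6012 GET http://www.google.com/ - FIRST_UP_PARENT/10.31.31.10 text/html
"""

# What each failure class meant in this thread's setup and what fixed it.
REMEDY = {
    "direct-unreachable": "squid went DIRECT and the origin is unroutable from the child: "
                          "remove 'always_direct allow all' and force the parent with "
                          "'never_direct allow all' (define 'acl all' before it)",
    "parent-auth-required": "the parent answered 407: the cache_peer login= option is "
                            "missing or still holds placeholder text",
    "parent-unreachable": "the parent answered 503: check that port 3128 on the "
                          "parent is reachable from the child",
}


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # Squid result code, e.g. TCP_MISS
    status: int      # HTTP status returned to the client
    size: int
    method: str
    url: str
    ident: str
    hierarchy: str   # DIRECT, FIRST_UP_PARENT, NONE, ...
    peer: str        # host squid forwarded to, or '-'
    content_type: str


def parse_access_line(line: str) -> AccessEntry:
    """Split one native-format access.log line into its ten fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native squid access.log line: {line!r}")
    result, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    return AccessEntry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                       f[5], f[6], f[7], hierarchy, peer or "-", f[9])


def triage(e: AccessEntry) -> str:
    """Classify an entry by its status and by the hierarchy code squid chose."""
    if e.status < 400:
        return "ok"
    via_parent = e.hierarchy.endswith("PARENT")   # FIRST_UP_PARENT, DEFAULT_PARENT, ...
    if e.hierarchy == "DIRECT" and e.status == 503:
        return "direct-unreachable"
    if via_parent and e.status == 407:
        return "parent-auth-required"
    if via_parent and e.status == 503:
        return "parent-unreachable"
    return "other-error"


def summarize(log_text: str) -> Dict[str, int]:
    """Count failure classes over a log excerpt."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        if line.strip():
            cat = triage(parse_access_line(line))
            counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for cat, n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d} {cat:22s} {REMEDY.get(cat, '')}")
```

Run it as is to print the counts with the remedy for each class, or call summarize() on a slice of a real access.log. The point of keying on the hierarchy field rather than only the status is that a 503 via DIRECT and a 503 via the parent call for different fixes.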

ajitup 08-12-2009 01:40 AM

Quote:

"but I did some changes and now the access log shows:"
I installed "gadmin-squid-0.1.1.tar.gz" thinking that it might help me in configuration but since it did not help I removed it.

Now, even that userid/passwd window is not appearing on the LAN PCs, and the access.log has changed as per the previous post.

chitambira 08-12-2009 03:37 AM

You have shambled things up and it's hard for me to tell, since I don't know what exactly you did. You also need to know fully what installing gadmin-squid-0.1.1.tar.gz did to the Squid install.
Quote:

1250052501.170 23 192.168.1.4 TCP_MISS/407 1840 GET http://www.google.com/ - FIRST_UP_PARENT/10.31.31.10 text/html
You were on track, but I guess there wasn't any auth configured on this parent proxy.
Quote:

cache_peer 10.31.31.10 parent 3128 3130 no-query no-digest login=username:password
Are you substituting username and password with your real credentials here? If you are, you should not be prompted for these.
Quote:

never_direct allow all
Another note: any ACLs in squid.conf must be defined before where they are used; you needed to define acl "all" before this directive.
Quote:

acl lan src 10.126.2.101 192.168.1.0/24
Was this a mistake or what? The syntax is wrong.

ajitup 08-12-2009 05:44 AM

Quote:

Originally Posted by chitambira (Post 3640169)
you have shambled up things and its hard for me to tell since i dont know what exactly you did. You also need to know fully what installing gadmin-squid-0.1.1.tar.gz did to the squid install.

I have uninstalled gadmin-squid. Also, my firewall is disabled.

Quote:

You were on track, but I guess there wasn't any auth configured on this parent proxy.

Are you substituting username and password with your real credentials here? If you are, you should not be prompted for these.
No, I am not substituting username and password.

Quote:

Another note: any ACLs in squid.conf must be defined before where they are used, you needed to define acl "all" before this directive.

was this a mistake or what? the syntax is wrong.
I have taken the hints from
What is the right syntax?

Thanks for your replies and guidance.

chitambira 08-12-2009 06:39 AM

Quote:

Originally Posted by ajitup (Post 3640301)
no I am not substituting username and password.

You were meant to put your actual username and password which have access to the parent proxy, e.g. login=ajitup:yoPasswd123
Quote:

What is the right syntax?
acl lan src 192.168.1.0/24 is adequate

Correct all errors I have indicated and post the updated conf here; let's see.
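
Why the browser prompt shows the parent's realm but the child's address, and why typing the credentials into it does not help while login= still holds a placeholder: the parent's 407 and its Proxy-Authenticate header are relayed to the client unchanged, and whatever the client then sends back is replaced by the fixed login= value on the hop to the parent. The model below is an added example, not code from this thread or from Squid. The parent, its user database and the credentials are constructed; the realm string is the one the poster's browser displayed; and the child's three behaviours follow Squid's documented cache_peer login= semantics (no option: the client's Proxy-Authorization is dropped; login=PASS: it is relayed; login=user:pass: fixed credentials are sent), which the model takes as an assumption.

```python
"""Model the Proxy-Authorization exchange behind the 407 in this thread.

Added example, not code from the thread or from Squid. It simulates an
authenticating parent proxy and a child proxy configured with cache_peer's
login= option. The realm is the one the poster's browser displayed; the
user database below is constructed; 'userid:passwd' is the thread's
placeholder, not a real credential.
"""
import base64
from typing import Dict, Optional, Tuple

PARENT_REALM = "RRCAT proxy-caching web server"
PARENT_USERS = {"ajitup": "yoPasswd123"}   # constructed; stands in for the ISP's user database


def basic_header(userpass: str) -> str:
    """Proxy-Authorization value for user:pass (base64 encoding, not encryption)."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()


def parent_handle(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Simulated parent: 200 if a valid Basic credential is present, else 407."""
    scheme, _, token = headers.get("Proxy-Authorization", "").partition(" ")
    if scheme == "Basic":
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except ValueError:          # binascii.Error and UnicodeDecodeError both derive from it
            user = password = ""
        if user in PARENT_USERS and PARENT_USERS[user] == password:
            return 200, {}
    return 407, {"Proxy-Authenticate": f'Basic realm="{PARENT_REALM}"'}


def child_forward(login: Optional[str], client_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Simulated child squid forwarding one request to the parent.

    login=None   : no login= option; the client's Proxy-Authorization is dropped
    login='PASS' : relay the client's own Proxy-Authorization to the parent
    login='u:p'  : send fixed credentials, replacing whatever the client sent
    (Assumed to mirror Squid's documented cache_peer login= behaviour.)
    """
    upstream = {k: v for k, v in client_headers.items() if k != "Proxy-Authorization"}
    if login == "PASS":
        if "Proxy-Authorization" in client_headers:
            upstream["Proxy-Authorization"] = client_headers["Proxy-Authorization"]
    elif login:
        upstream["Proxy-Authorization"] = basic_header(login)
    # The parent's 407 (with its realm) is relayed to the client unchanged, so the
    # browser shows the parent's realm but names the child's address.
    return parent_handle(upstream)


def browser_prompt_then_retry(login: Optional[str], typed_userpass: str) -> int:
    """First request without credentials; on a 407 the browser prompts and retries."""
    status, _ = child_forward(login, {})
    if status == 407:
        status, _ = child_forward(login, {"Proxy-Authorization": basic_header(typed_userpass)})
    return status


if __name__ == "__main__":
    for login in (None, "userid:passwd", "ajitup:yoPasswd123", "PASS"):
        print(f"login={login!s:20s} -> {browser_prompt_then_retry(login, 'ajitup:yoPasswd123')}")
```

Two caveats for anyone copying the final config: login=user:pass puts the parent credential in squid.conf in cleartext, so restrict the file (owned by root, readable only by the Squid group), and Basic sends that same credential base64-encoded, not encrypted, on every request to the parent. If each LAN user has their own parent account, login=PASS relays the browser's own credentials instead of sharing one.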

chitambira 08-12-2009 07:01 AM

Try a minimalist config like:
Quote:

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mem 16 MB
fqdncache_size 1024
cache_mgr webmaster
visible_hostname plasma1
cache_peer 10.31.31.10 parent 3128 3130 no-query no-digest login=ajitup:yoPass123

cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

acl all src 0.0.0.0/0.0.0.0
acl ftpdr proto FTP
acl localhost src 127.0.0.1/32
acl lan src 192.168.1.0/24

never_direct allow all
always_direct allow ftpdr # we dont want to cache ftp
http_access allow localhost
http_access allow lan
http_access deny all

ie_refresh on # this is needed because IE doesn't recognise transparent proxies properly
The rest are just defaults; it's not necessary to put them here.

ajitup 08-12-2009 07:11 AM

Thanks Chitambira !! for your kind help and guidance.

After removing gadmin-squid completely, I changed squid.conf as per your post and rebooted the system. Restarted squid and now my LAN PCs are able to access internet.

I ran the following edited script from the post mentioned in the quote:
Quote:

#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-...uid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="10.126.2.101"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"


The final squid.conf is listed below for reference of others:

Quote:

cache_peer 10.31.31.10 parent 3128 3130 no-query no-digest login=userid:passwd

# here I gave actual username and password

never_direct allow all
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl lan src 10.126.2.101 192.168.1.1/24
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname plasma1
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128 transparent
icp_port 3130
visible_hostname plasma1

coredump_dir /var/spool/squid
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
error_directory /usr/share/squid/errors/English

cache_mgr webmaster

chitambira 08-12-2009 08:41 AM

Quote:

Originally Posted by ajitup (Post 3640380)
Thanks Chitambira !! for your kind help and guidance.
The final squid.conf is listed below for reference of others:

Glad to have helped :)
However, I must point out that whilst your server is now working, its config is still not cleaned up. It has ghosts and bugs.
Like I mentioned earlier on, squid.conf respects order (which is greatly lacking in your conf).
A good example will be what I said about never_direct allow all. This access directive is defined before the acl "all" is defined. [REMEMBER: "all" is NOT an inbuilt phrase] so it is meaningless unless/until it meets an acl "acl all src 0.0.0.0/0.0.0.0".
So in your config that never_direct line is not being used (a dummy). This might surprise you later, when you realise some websites won't be served from the parent (your child proxy will attempt to query directly).

That being said, I had put up a squid.conf to guide you on how to separate and order the various sections. If you look at that post, you will realise how orderly the different directives have been arranged, like globals, performance, logging, ACLs, access directives, etc. You can put most of these where you want, but ACLs and access directives have to be ordered right. [REMEMBER: (rule of thumb) anything with "allow" or "deny" is an access directive and has to come AFTER its ACL has been defined]
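
The ordering rule above, and the rule shadowing in the first squid.conf of this thread (http_access allow all placed above the deny lines, which makes the child an open proxy for anyone who can reach port 3128), can be checked mechanically before squid is restarted. The linter below is an added example, not code from this thread or from Squid. SAMPLE_CONF is a constructed excerpt modelled on the first squid.conf posted here, and CLEAN_CONF mirrors the minimalist config posted above. Squid 2.x predefines no ACLs, so "all" must be declared before any rule uses it; newer Squid releases predefine "all" and a few other names, which is what the builtin_acls parameter is for.

```python
"""Lint a squid.conf for the ACL-ordering and rule-shadowing mistakes discussed above.

Added example, not the poster's or Squid's own code. SAMPLE_CONF is a
constructed excerpt modelled on the first squid.conf in this thread; CLEAN_CONF
mirrors the minimalist config suggested later. The directive list covers the
access-type directives the thread uses.
"""
from typing import Dict, List, Set

# Directives whose arguments are allow/deny followed by ACL names.
ACCESS_DIRECTIVES = {
    "http_access", "http_reply_access", "icp_access", "htcp_access",
    "always_direct", "never_direct", "no_cache", "cache",
}

SAMPLE_CONF = """\
acl localhost src 127.0.0.1/32
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443
acl Saf_ports port 70
acl CONNECT method CONNECT
acl SSL_ports port 443
http_access allow localhost
http_access allow all
http_access allow localnet
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
never_direct allow all
acl all src 0.0.0.0/0.0.0.0
"""

CLEAN_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl ftpdr proto FTP
acl localhost src 127.0.0.1/32
acl lan src 192.168.1.0/24
never_direct allow all
always_direct allow ftpdr
http_access allow localhost
http_access allow lan
http_access deny all
"""


def lint_squid_conf(text: str, builtin_acls: Set[str] = frozenset()) -> List[str]:
    """Return one finding per problem, in config order.

    builtin_acls: ACL names the Squid version predefines. Squid 2.x predefines
    none, so 'all' must be declared before any rule that uses it.
    """
    defined: Set[str] = set(builtin_acls)
    referenced: Set[str] = set()
    terminal: Dict[str, int] = {}     # directive -> first line that decides every request
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive == "acl" and len(args) >= 2:
            defined.add(args[0])
            continue
        if directive not in ACCESS_DIRECTIVES:
            continue
        if directive in terminal:
            findings.append(f"line {lineno}: {directive} rule can never match; "
                            f"line {terminal[directive]} already decides every request")
        if len(args) < 2 or args[0] not in ("allow", "deny"):
            findings.append(f"line {lineno}: malformed {directive} rule")
            continue
        acls = [a.lstrip("!") for a in args[1:]]      # '!name' negates but still references name
        for name in acls:
            referenced.add(name)
            if name not in defined:
                findings.append(f"line {lineno}: {directive} uses ACL '{name}' before it is defined")
        if acls == ["all"]:
            terminal.setdefault(directive, lineno)
            if directive == "http_access" and args[0] == "allow":
                findings.append(f"line {lineno}: 'http_access allow all' makes this an open proxy")
    for name in sorted(defined - referenced - set(builtin_acls)):
        findings.append(f"ACL '{name}' is defined but never used")
    return findings


if __name__ == "__main__":
    for finding in lint_squid_conf(SAMPLE_CONF):
        print(finding)
    print("clean config findings:", lint_squid_conf(CLEAN_CONF))
```

Run on SAMPLE_CONF it reports the undefined "all", the open-proxy allow, the four rules that can never match behind it, and the Saf_ports ACL that is declared but never referenced (the typo from the first config). The linter checks names and order only; it does not validate ACL values, so pair it with squid -k parse before restarting.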

ajitup 08-12-2009 10:55 PM

Thanks again for your guidance. In fact I looked at your post when I had success in accessing internet from LAN PCs. I have incorporated changes suggested by you i.e. the squid.conf has been edited as per your suggestion.

Thanks again.

