LinuxQuestions.org
Old 11-06-2014, 07:30 PM   #1
igoryonya
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Rep: Reputation: Disabled
squid drops connections to ip addresses, but allows connections to domain names


When some program tries to connect to some address by using an IP instead of a domain name, it gives me this in the log file:

Code:
1414709903.045      0 192.168.0.82 TCP_MISS/500 4429 GET http://213.59.3.178/xmlzone/release/1000/windows/versions.xml - HIER_NONE/- text/html "-"
1414709927.237      0 192.168.0.144 TCP_MISS/500 4565 GET http://192.168.24.1:2869/upnphost/udhisapi.dll? - HIER_NONE/- text/html "-"
When it connects by using a domain name, everything is working fine. When I get HIER_NONE, it doesn't even try to download anything, just drops. How can I solve this problem?
 
Old 11-06-2014, 09:41 PM   #2
ember1205
Member
 
Registered: Oct 2014
Posts: 176

Rep: Reputation: 16
The "MISS" entry seems to imply that Squid sees that the content is not in the cache and that it should be retrieved. Are you using a secondary filter like squidGuard? Or do you have ACLs that are specifically designed to block URLs composed with an IP Address instead of a host name?

Post your Squid config file.
 
Old 11-06-2014, 10:23 PM   #3
igoryonya
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
Rep: Reputation: Disabled
Exactly, the miss should start downloading it from the internet, but instead, it says HIER_NONE.
No, I don't have any external filters and no IP blocking in the squid conf, unless I am missing something.
I disabled direct access and everything goes through parent proxies.

squid.conf
Code:
acl all_IPs dst 195.239.111.0/24	#I've tried to explicitly enable access to certain ip addresses, when I noticed the problem, but it didn't help
acl Reroute_filtered_sites dstdomain .adesk.com .download.virtualbox.org .ubuntuforums.org .rusnoc.ru
acl Slow_sites dstdomain .mail.ru .imgsmail.ru
acl Slow_sites_problem dstdomain .dnevnik.ru
acl Load_ballance_sites dstdomain .chukotnet.ru
acl Deny_sites url_regex -i \bblob\.core\.windows\.net\b|\bmc\.yandex\.ru(/(metrika|clmap|watch|webvisor)|\:443)\b|bar-navig\.yandex\.ru\:443|ocsp\.comodoca\.com|(autoupdate|sitecheck)\.opera\.com

acl LAN src 192.168.0.0/24
acl LAN_servers src 192.168.254.0/24
acl LAN_3_214 src 192.168.24.0/24
acl LAN_1_203 src 192.168.23.0/24
acl LAN_1_205 src 192.168.25.0/24
acl LAN_1_303 src 192.168.33.0/24

acl dLAN dst 192.168.0.0/24

acl SSL_ports port 443
acl SSL_ports port 8443         # acquiring.platbox.com - card payments
acl SSL_ports port 2096         # cPanel webmail
acl SSL_ports port 6665         # IRC channel
acl SSL_ports port 6667         # IRC channel
acl SSL_ports port 7000         # IRC channel
acl SSL_ports port 7779         # rusfinance.ru
acl SSL_ports port 8001         # IRC channel

acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

acl CONNECT method CONNECT

acl U_vip arp 20:cf:30:b4:90:62 bc:5f:f4:3a:8b:a7 10:78:D2:DA:71:BF 10:78:D2:DA:71:1A 00:15:58:8c:56:80 00:25:22:c7:7d:fb bc:5f:f4:53:ab:68
acl U_vip arp 10:78:d2:da:71:35	#Паксюткина

http_access deny Deny_sites
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow LAN
http_access allow LAN_servers
http_access allow LAN_3_214
http_access allow LAN_1_203
http_access allow LAN_1_205
http_access allow LAN_1_303
http_access allow localhost
http_access allow all_IPs
http_access allow all_IPs CONNECT
http_access deny all

icp_access allow LAN_servers
icp_access allow localhost
icp_access deny all

http_port 192.168.0.237:8080
http_port 192.168.23.254:8080
http_port 192.168.24.254:8080
http_port 192.168.25.254:8080
http_port 192.168.33.254:8080
http_port 192.168.254.253:8080

cache_peer 192.168.0.15 parent 8080 0 login=admin:obslujivanie no-query round-robin
cache_peer 192.168.254.254 parent 3128 3130 round-robin

cache_peer_access 192.168.0.15 deny Reroute_filtered_sites
cache_peer_access 192.168.0.15 deny Slow_sites
cache_peer_access 192.168.0.15 allow Slow_sites_problem
cache_peer_access 192.168.0.15 allow Load_ballance_sites
cache_peer_access 192.168.0.15 deny U_vip
cache_peer_access 192.168.0.15 allow LAN_servers
cache_peer_access 192.168.0.15 allow LAN
cache_peer_access 192.168.0.15 allow LAN_3_214
cache_peer_access 192.168.0.15 allow LAN_1_203
cache_peer_access 192.168.0.15 allow LAN_1_205
cache_peer_access 192.168.0.15 allow LAN_1_303
cache_peer_access 192.168.0.15 deny all

cache_peer_access 192.168.254.254 allow Reroute_filtered_sites
cache_peer_access 192.168.254.254 allow Slow_sites
cache_peer_access 192.168.254.254 allow Slow_sites_problem
cache_peer_access 192.168.254.254 allow Load_ballance_sites
cache_peer_access 192.168.254.254 allow U_vip
cache_peer_access 192.168.254.254 allow LAN_servers
cache_peer_access 192.168.254.254 deny LAN
cache_peer_access 192.168.254.254 deny LAN_3_214
cache_peer_access 192.168.254.254 deny LAN_1_203
cache_peer_access 192.168.254.254 deny LAN_1_205
cache_peer_access 192.168.254.254 deny LAN_1_303
cache_peer_access 192.168.254.254 deny all

never_direct deny dLAN
never_direct allow all

cache_dir ufs /var/spool/squid3 40000 16 256
logformat squid-referrer	%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "%{Referer}>h"
access_log daemon:/var/log/squid3/access.log squid-referrer
coredump_dir /var/spool/squid3

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .		0	20%	4320

icp_port 3130
log_icp_queries off

always_direct allow dLAN
always_direct deny all

dns_v4_first on
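
A small triage script for the access.log lines in the first post, parsed according to the squid-referrer logformat in the config above. It is an added example, not part of the original posts; the last two sample lines (www.example.com, ROUNDROBIN_PARENT) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Regex for the thread's "squid-referrer" logformat:
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt "%{Referer}>h"
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d{3})\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+'
    r'(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s+"(?P<referer>[^"]*)"$'
)

def host_kind(url):
    """Return 'ip' if the request target is an IP literal, else 'name'."""
    # CONNECT entries log "host:port" without a scheme; give urlsplit a netloc.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"

def triage(lines):
    """Tally (host kind, hierarchy code); collect requests Squid never forwarded."""
    tally, unrouted = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the squid-referrer format
        kind = host_kind(m["url"])
        tally[(kind, m["hier"])] += 1
        # HIER_NONE is normal on cache hits; with a 5xx status it means the
        # error page was generated locally and no peer or origin was contacted.
        if m["hier"] == "HIER_NONE" and int(m["status"]) >= 500:
            unrouted.append((m["client"], kind, m["url"]))
    return tally, unrouted

SAMPLE = [  # first two lines are from the post; the last two are constructed
    '1414709903.045      0 192.168.0.82 TCP_MISS/500 4429 GET http://213.59.3.178/xmlzone/release/1000/windows/versions.xml - HIER_NONE/- text/html "-"',
    '1414709927.237      0 192.168.0.144 TCP_MISS/500 4565 GET http://192.168.24.1:2869/upnphost/udhisapi.dll? - HIER_NONE/- text/html "-"',
    '1414709950.112    184 192.168.0.82 TCP_MISS/200 5120 GET http://www.example.com/ - ROUNDROBIN_PARENT/192.168.0.15 text/html "-"',
    '1414709951.300     95 192.168.0.144 TCP_MISS/200 3300 CONNECT www.example.com:443 - ROUNDROBIN_PARENT/192.168.0.15 - "-"',
]

if __name__ == "__main__":
    tally, unrouted = triage(SAMPLE)
    for key, n in sorted(tally.items()):
        print(key, n)
    for client, kind, url in unrouted:
        print("not forwarded:", client, kind, url)
```

Running it over the real access.log shows whether the HIER_NONE failures are confined to IP-literal targets, as the original poster describes.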
 
Old 11-07-2014, 09:52 AM   #4
ember1205
Member
 
Registered: Oct 2014
Posts: 176

Rep: Reputation: 16
Have you checked the logs on the peers to see if it is being handed off but blocked there?
 
Old 11-07-2014, 05:10 PM   #5
igoryonya
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
Rep: Reputation: Disabled
As far as I remember, I did check for traversal, but since I've tried so much, I don't remember for sure. I've already been trying to figure this problem out for over a month now. I will test to make sure and post a followup.
 
  



Tags
squid3, squidconf, squidproxy

