I'm implementing Squid on CentOS 5.3, and the problem I'm getting is that when I set up the proxy in the local machine's browser it works fine, but remote machines display the error message "proxy server refused connection", and when I consult tcpdump for traffic between the remote machine and the Squid server it shows:
15:36:44.629415 IP 10.10.10.5.dzdaemon > 10.10.10.6.squid: S 3132289525:3132289525(0) win 65535 <mss 1460,nop,nop,sackOK>
15:36:44.629498 IP 10.10.10.6 > 10.10.10.5: ICMP host 10.10.10.6 unreachable - admin prohibited, length 56
15:36:44.629503 IP 10.10.10.6 > 10.10.10.5: ICMP host 10.10.10.6 unreachable - admin prohibited, length 56
After seeing that tcpdump output I turned on 'httpd_accel_no_pmtu_disc on'.
What configuration could be missing in squid.conf? I did add an access list to allow our_network and localhost, and deny all.
The minimum ACLs are OK, I've defined them. Can it be the auth_param settings? It is the first configuration option in squid.conf, and I left all settings for auth_param commented. I think I have to change some configuration either in OPTIONS FOR AUTHENTICATION or in ACCESS CONTROL. I'm perusing those options to find possible settings to change, but if you have an idea where the problem might be, please advise.
Cheers,
Stefano
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shutdown by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.E. You can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
# === Parameters for the basic scheme follow. ===
.
.
.
.
.
.
.
.
#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour
# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in user cache
# since their last request. When the garbage interval passes, all user
# credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour
# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL, this
# directive controls how long Squid remembers the IP addresses
# associated with each user. Use a small value (e.g., 60 seconds) if
# your users might change addresses quickly, as is the case with
# dialups. You might be safe using a larger value (e.g., 2 hours) in a
# corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds
Are you sure squid listens on its public interface and not only on 127.0.0.1?
What do you have in the "http_port" line in squid.conf and what is the output of:
Code:
netstat -tanpl|grep squid
If it listens on every interface, then it's probably a firewall issue.
# Squid normally listens to port 3128
http_port 3128
How do I verify whether it's listening on all interfaces? I flushed my firewall, but client PCs still couldn't connect. I couldn't see any configuration in squid.conf which explains which interfaces to listen on... maybe it's listening only on loopback?
The output "0 0.0.0.0:3128" means that squid is listening on all available interfaces.
Review the ACLs in squid.conf and check the logs to see why squid denies access. Since you're running CentOS, make sure it's not a SELinux problem.
Also you can check connectivity between your clients and the box running squid, either using ping or by telnetting to port 3128.
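The two checks discussed in this thread (which address Squid is bound to, and what the tcpdump reply means) can be scripted. This is an added example, not part of any post above: `listen_scope` and `refusal_layer` are hypothetical helper names, the netstat sample is constructed, and the tcpdump sample reuses the lines from the first post.

```shell
#!/bin/sh
# Added example: helper names and the netstat sample are constructed.

# Where is <port> bound? Reads `netstat -tanpl` output on stdin.
# Prints: all-interfaces | loopback-only | specific:<addr> | not-listening
listen_scope() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")              # last ":" field is the port
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::") r = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1") { if (r == "") r = "loopback-only" }
            else if (r == "" || r == "loopback-only") r = "specific:" addr
        }
        END { print (r == "" ? "not-listening" : r) }'
}

# Which layer refused the client? Reads tcpdump text output on stdin.
# Prints: host-firewall-reject | tcp-reset | no-refusal-seen
refusal_layer() {
    awk '
        /ICMP/ && /admin prohibited/ { fw = 1 }    # ICMP reject sent by a packet filter
        /: R / || /Flags \[R/        { rst = 1 }   # RST: closed port or tcp-reset reject
        END {
            if (fw)       print "host-firewall-reject"
            else if (rst) print "tcp-reset"
            else          print "no-refusal-seen"
        }'
}

# Constructed netstat sample; the PIDs are placeholders.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:3128      0.0.0.0:*      LISTEN      1234/(squid)
tcp        0      0 127.0.0.1:25      0.0.0.0:*      LISTEN      1200/sendmail'

# tcpdump lines as posted in the thread.
SAMPLE_TCPDUMP='15:36:44.629415 IP 10.10.10.5.dzdaemon > 10.10.10.6.squid: S 3132289525:3132289525(0) win 65535 <mss 1460,nop,nop,sackOK>
15:36:44.629498 IP 10.10.10.6 > 10.10.10.5: ICMP host 10.10.10.6 unreachable - admin prohibited, length 56'

echo "listener: $(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 3128)"
echo "refusal:  $(printf '%s\n' "$SAMPLE_TCPDUMP" | refusal_layer)"
```

An ICMP "admin prohibited" reply to the SYN is sent by a packet filter on the proxy host (on CentOS, typically an iptables REJECT rule), so the connection never reaches Squid. A Squid ACL denial would instead arrive as an HTTP error over an established connection and be recorded in access.log.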