LinuxQuestions.org
Old 06-23-2009, 08:33 AM   #1
stefanolima
Member
 
Registered: Jul 2008
Location: Dar-es-Salaam
Distribution: Fedora,CentOS,Ubuntu
Posts: 60

Rep: Reputation: 15
squid accepts connections only from localhost


Hi!

I'm implementing squid on CentOS 5.3 and the problem I'm getting is that when I set up the proxy in the local machine's browser it works fine, but remote machines display the error message "proxy server refused connection", and when I consult tcpdump for traffic between the remote machine and the squid server it shows that
Code:
15:36:44.629415 IP 10.10.10.5.dzdaemon > 10.10.10.6.squid: S 3132289525:3132289525(0) win 65535 <mss 1460,nop,nop,sackOK>
15:36:44.629498 IP 10.10.10.6 > 10.10.10.5: ICMP host 10.10.10.6 unreachable - admin prohibited, length 56
15:36:44.629503 IP 10.10.10.6 > 10.10.10.5: ICMP host 10.10.10.6 unreachable - admin prohibited, length 56

After seeing that tcpdump output I turned on 'httpd_accel_no_pmtu_disc on'.

What configuration could be missing in squid.conf? I added access lists to allow our_network and localhost and deny all.

Stefano
 
Old 06-23-2009, 03:46 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
You need at least the following acls and rules:
Code:
acl localnet src 10.10.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
...
http_access allow localnet
http_access allow localhost
http_access deny all
You might need to change the netmask 10.10.0.0/255.255.255.0 to suit your network settings.

Regards
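To see concretely why the netmask warning in the reply above matters, here is an added example (my own Python, not Squid's code and not posted in this thread) that models how Squid walks `acl ... src` definitions and `http_access` lines: the first line whose ACLs all match decides, and when nothing matches the default is the opposite of the last line. Evaluated for the client address seen in the first post's tcpdump, the `localnet` ACL exactly as posted (10.10.0.0/255.255.255.0, i.e. a /24) does not contain 10.10.10.5, while a /24 that actually covers the client does. The two config strings are constructed for this example; `acl all src 0.0.0.0/0.0.0.0` is how the Squid 2.x default squid.conf defines `all`, and `check_client` is a helper name of my own.

```python
import ipaddress

# Constructed sample configs for the example (not the original poster's squid.conf).
# POSTED_ACLS mirrors the reply above; FIXED_ACLS uses a /24 that contains 10.10.10.5.
# "acl all src 0.0.0.0/0.0.0.0" is how the Squid 2.x default squid.conf defines "all".
POSTED_ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.10.0.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localnet
http_access allow localhost
http_access deny all
"""
FIXED_ACLS = POSTED_ACLS.replace("10.10.0.0/255.255.255.0", "10.10.10.0/255.255.255.0")


def parse_squid_acls(config_text):
    """Collect 'acl NAME src NET...' definitions and 'http_access allow|deny NAME...' rules.

    Only src ACLs are modelled; other ACL types in a real squid.conf are ignored here.
    """
    acls = {}
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            for spec in parts[3:]:
                # Squid accepts both CIDR and dotted-netmask forms; ipaddress does too.
                nets.append(ipaddress.ip_network(spec, strict=False))
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def _acl_matches(acls, name, ip):
    """A leading '!' negates the ACL, as in Squid; unknown names never match."""
    negate = name.startswith("!")
    hit = any(ip in net for net in acls.get(name.lstrip("!"), []))
    return hit != negate


def squid_decision(acls, rules, client_ip):
    """First http_access line whose ACLs all match decides; with no match,
    Squid's default is the opposite of the last line's action."""
    ip = ipaddress.ip_address(client_ip)
    for allow, names in rules:
        if all(_acl_matches(acls, n, ip) for n in names):
            return "allow" if allow else "deny"
    if rules:
        return "deny" if rules[-1][0] else "allow"
    return "deny"   # no http_access lines at all: Squid denies everything


def check_client(config_text, client_ip):
    """Hypothetical helper: parse a config fragment and decide for one client."""
    acls, rules = parse_squid_acls(config_text)
    return squid_decision(acls, rules, client_ip)


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_ACLS), ("/24 covering the client", FIXED_ACLS)):
        print("%-26s 10.10.10.5 -> %s" % (label, check_client(cfg, "10.10.10.5")))
```

The order of the `http_access` lines is as important as the netmasks: a `deny all` placed before the `allow localnet` line would refuse every client, and the same evaluator shows that by simply reordering the rules in the config string.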
 
Old 06-24-2009, 02:53 AM   #3
stefanolima
Member
 
Registered: Jul 2008
Location: Dar-es-Salaam
Distribution: Fedora,CentOS,Ubuntu
Posts: 60

Original Poster
Rep: Reputation: 15
The minimum acls are ok, I've defined them. Can it be auth_param settings? The first configuration option in squid.conf, I left all settings for auth_param commented. I think I have to change some configurations either in OPTIONS FOR AUTHENTICATION or ACCESS CONTROL; I'm perusing those options to find possible settings to be done, but if you may have an idea where the problem might be, please advise.

Cheers,
Stefano

Code:
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shutdown by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.E. You can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.

# === Parameters for the basic scheme follow. ===
.
.
.
.
.
.
.
.
#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour

# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in user cache
# since their last request. When the garbage interval passes, all user
# credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour

# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL, this
# directive controls how long Squid remembers the IP addresses
# associated with each user. Use a small value (e.g., 60 seconds) if
# your users might change addresses quickly, as is the case with
# dialups. You might be safe using a larger value (e.g., 2 hours) in a
# corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds
 
Old 06-24-2009, 04:49 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Are you sure squid listens on its public interface and not only on 127.0.0.1?
What do you have in the "http_port" line in squid.conf and what is the output of:
Code:
netstat -tanpl|grep squid
If it listens on every interface, then it's probably a firewall issue.
 
Old 06-26-2009, 12:52 AM   #5
stefanolima
Member
 
Registered: Jul 2008
Location: Dar-es-Salaam
Distribution: Fedora,CentOS,Ubuntu
Posts: 60

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bathory View Post
Are you sure squid listens on its public interface and not only on 127.0.0.1?
What do you have in the "http_port" line in squid.conf and what is the output of:
Code:
netstat -tanpl|grep squid
If it listens on every interface, then it's probably a firewall issue.
Ok, the outputs are:

Code:
[root@monserveur squid]# netstat -tanpl |grep squid
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 28511/(squid)

and

Code:
# Squid normally listens to port 3128
http_port 3128


How do I verify if it's listening on all interfaces? I flushed my firewall, but client PCs still couldn't connect, and I couldn't see any configuration in squid.conf which says which interfaces to listen on... maybe it's listening only on loopback??...
 
Old 06-26-2009, 02:33 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
The output "0 0.0.0.0:3128" means that squid is listening on all available interfaces.
Review the ACLs in squid.conf and check the logs to see why squid denies access. Since you're running CentOS, make sure it's not a SELinux problem.
Also you can check connectivity between your clients and the box running squid, either using ping or by telnetting to port 3128.
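The thread leaves three separate pieces of evidence that point at three different layers, and it helps to check them in order. The tcpdump in the first post shows 10.10.10.6 answering the client's SYN with ICMP "host unreachable - admin prohibited": that reply is generated by a packet filter REJECT rule before the connection ever reaches Squid, which is what the "firewall issue" suggestion in post #4 is about. The netstat line in post #5 shows the bind address, and the access.log that the last reply asks to check records TCP_DENIED when Squid's own ACLs refuse a client. The following is an added triage script of my own, not from this thread or from Squid; the tcpdump and netstat lines are copied from the posts above, the access.log lines are constructed in Squid's native log format, and `triage` and the other function names are my own.

```python
import re

# Sample inputs for the example. The tcpdump and netstat lines are the ones
# posted in this thread; the access.log lines are constructed (native Squid
# format: time elapsed client action/status bytes method URL user hierarchy type).
TCPDUMP = """\
15:36:44.629415 IP 10.10.10.5.dzdaemon > 10.10.10.6.squid: S 3132289525:3132289525(0) win 65535 <mss 1460,nop,nop,sackOK>
15:36:44.629498 IP 10.10.10.6 > 10.10.10.5: ICMP host 10.10.10.6 unreachable - admin prohibited, length 56
"""
NETSTAT = "tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 28511/(squid)"
ACCESS_LOG = """\
1245765404.629      0 10.10.10.5 TCP_DENIED/403 1715 GET http://www.example.com/ - NONE/- text/html
1245765410.113    212 10.10.10.7 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""


def firewall_rejects(tcpdump_text, server_ip):
    """True if the server answered with ICMP 'admin prohibited'.

    That message is produced by a packet-filter REJECT rule (the CentOS
    default iptables policy ends with one), so the SYN never reached Squid.
    """
    pattern = re.compile(r"IP %s > \S+: ICMP host %s unreachable - admin prohibited"
                         % (re.escape(server_ip), re.escape(server_ip)))
    return any(pattern.search(line) for line in tcpdump_text.splitlines())


def listen_scope(netstat_text, port=3128):
    """Classify the bind address of the proxy port from 'netstat -tanpl' output."""
    scope = "not listening"
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        addr, _, p = fields[3].rpartition(":")   # handles "0.0.0.0:3128" and ":::3128"
        if p != str(port):
            continue
        if addr in ("0.0.0.0", "::", "*"):
            return "all interfaces"
        if addr.startswith("127.") or addr == "::1":
            scope = "loopback only"
        else:
            scope = "single interface " + addr
    return scope


def denied_clients(access_log_text):
    """Client IPs that Squid itself refused: an ACL problem, not a network one."""
    denied = set()
    for line in access_log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3].startswith("TCP_DENIED"):
            denied.add(fields[2])
    return sorted(denied)


def triage(tcpdump_text, netstat_text, access_log_text, server_ip, port=3128):
    """Return findings in the order a defender should fix them: network, bind, ACL."""
    findings = []
    if firewall_rejects(tcpdump_text, server_ip):
        findings.append("host firewall REJECTs the SYN before Squid sees it; "
                        "open tcp/%d for the client network" % port)
    scope = listen_scope(netstat_text, port)
    if scope != "all interfaces":
        findings.append("squid is bound to %s; adjust http_port" % scope)
    for ip in denied_clients(access_log_text):
        findings.append("squid ACLs deny %s; review acl src and http_access order" % ip)
    return findings


if __name__ == "__main__":
    for finding in triage(TCPDUMP, NETSTAT, ACCESS_LOG, "10.10.10.6"):
        print("-", finding)
```

Feeding it the outputs collected in this thread yields a firewall finding first and an ACL finding for 10.10.10.5 second, while the netstat line produces nothing because the proxy is already bound to 0.0.0.0. A host that listened only on 127.0.0.1:3128 would instead be reported as "loopback only", which is the symptom the original poster suspected.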
 