LinuxQuestions.org
Old 09-22-2007, 05:13 PM   #1
davimint
Member
 
Registered: Jan 2006
Distribution: Slackware Current
Posts: 272

Rep: Reputation: 33
cache not working in squid


I was trying to set up squid (transparent) to learn and later on set up dansguardian. My PC is hardwired to a router (Linksys) and the Linksys is connected to a cable modem. I understand that I can only cache stuff on this computer and not the entire LAN due to the way I have it wired.

I don't get any errors in the cache.log, but there's no address listed after "accepting transparently proxied http connections", which concerns me.

Code:
2007/09/22 16:43:35| Starting Squid Cache version 2.6.STABLE14 for i486-slackware-linux-gnu...
2007/09/22 16:43:35| Process ID 18017
2007/09/22 16:43:35| With 1024 file descriptors available
2007/09/22 16:43:35| Using epoll for the IO loop
2007/09/22 16:43:35| Performing DNS Tests...
2007/09/22 16:43:35| Successful DNS name lookup tests...
2007/09/22 16:43:35| DNS Socket created at 0.0.0.0, port 32872, FD 5
2007/09/22 16:43:35| Adding domain hsd1.ms.comcast.net. from /etc/resolv.conf
2007/09/22 16:43:35| Adding nameserver 68.87.68.162 from /etc/resolv.conf
2007/09/22 16:43:35| Adding nameserver 68.87.74.162 from /etc/resolv.conf
2007/09/22 16:43:35| Unlinkd pipe opened on FD 10
2007/09/22 16:43:35| Swap maxSize 102400 KB, estimated 7876 objects
2007/09/22 16:43:35| Target number of buckets: 393
2007/09/22 16:43:35| Using 8192 Store buckets
2007/09/22 16:43:35| Max Mem  size: 8192 KB
2007/09/22 16:43:35| Max Swap size: 102400 KB
2007/09/22 16:43:35| Rebuilding storage in /var/log/squid/cache (CLEAN)
2007/09/22 16:43:35| Using Least Load store dir selection
2007/09/22 16:43:35| Set Current Directory to /var/log/squid/cache
2007/09/22 16:43:35| Loaded Icons.
2007/09/22 16:43:35| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.
2007/09/22 16:43:35| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2007/09/22 16:43:35| Accepting SNMP messages on port 3401, FD 14.
2007/09/22 16:43:35| WCCP Disabled.
2007/09/22 16:43:35| Ready to serve requests.
2007/09/22 16:43:35| Done reading /var/log/squid/cache swaplog (0 entries)
2007/09/22 16:43:35| Finished rebuilding storage from disk.
2007/09/22 16:43:35|         0 Entries scanned
2007/09/22 16:43:35|         0 Invalid entries.
2007/09/22 16:43:35|         0 With invalid flags.
2007/09/22 16:43:35|         0 Objects loaded.
2007/09/22 16:43:35|         0 Objects expired.
2007/09/22 16:43:35|         0 Objects cancelled.
2007/09/22 16:43:35|         0 Duplicate URLs purged.
2007/09/22 16:43:35|         0 Swapfile clashes avoided.
2007/09/22 16:43:35|   Took 0.3 seconds (   0.0 objects/sec).
2007/09/22 16:43:35| Beginning Validation Procedure
2007/09/22 16:43:35|   Completed Validation Procedure
2007/09/22 16:43:35|   Validated 0 Entries
2007/09/22 16:43:35|   store_swap_size = 0k
2007/09/22 16:43:36| storeLateRelease: released 0 objects
2007/09/22 16:54:33| Preparing for shutdown after 0 requests
2007/09/22 16:54:33| Waiting 0 seconds for active connections to finish
2007/09/22 16:54:33| FD 12 Closing HTTP connection
2007/09/22 16:54:33| Shutting down...
2007/09/22 16:54:33| FD 13 Closing ICP connection
2007/09/22 16:54:33| FD 14 Closing SNMP socket
2007/09/22 16:54:33| Closing unlinkd pipe on FD 10
2007/09/22 16:54:33| storeDirWriteCleanLogs: Starting...
2007/09/22 16:54:33|   Finished.  Wrote 0 entries.
2007/09/22 16:54:33|   Took 0.0 seconds (   0.0 entries/sec).
CPU Usage: 0.012 seconds = 0.008 user + 0.004 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    2124 KB
        Ordinary blocks:         1991 KB      5 blks
        Small blocks:               0 KB      5 blks
        Holding blocks:           232 KB      1 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:     132 KB
        Total in use:            2223 KB 94%
        Total free:               132 KB 6%
2007/09/22 16:54:33| Squid Cache (Version 2.6.STABLE14): Exiting normally.

I set up the squid.conf the best I could but don't understand this file very much.

Code:
bash-3.1# cat squid.conf
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /var/log/squid/cache 100 16 256
access_log /var/log/squid/logs/access.log squid
cache_log /var/log/squid/logs/cache.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl My_Network src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow My_Network
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/log/squid/cache

I added this rule to rc.firewall to redirect TCP port 80 to 3128, which is what I told squid to listen to.

Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Now, I start the firewall, then start squid. I open a terminal and tail -f the access.log. As I understand things, I should be able to open a web page in my browser and see it listed in the access.log, but I don't get anything.

So, if there's someone willing to read through this and point me in the right direction, it would be greatly appreciated.

Thanks in advance for any help.

Last edited by davimint; 09-22-2007 at 05:14 PM.
 
Old 09-22-2007, 10:25 PM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
You just using the browser on the same machine is not going to cache anything because the source port is not 80, so it will never proxy or cache anything on that machine in transparent mode. While in transparent mode you can still use it as an explicit proxy. Normally you have an L4 switch or a Cisco switch on which you can redirect traffic based on port numbers, or on Cisco using WCCP. Unless you have the network hardware to support a transparent proxy, I would only use it as an explicit proxy.
 
Old 09-23-2007, 08:40 AM   #3
davimint
Member
 
Registered: Jan 2006
Distribution: Slackware Current
Posts: 272

Original Poster
Rep: Reputation: 33
slimm609,
I did as you suggested and set squid up as a normal proxy and it worked just like it was supposed to. Of course, since this is a learning exercise, I'm not done yet. You totally lost me with the "explicit proxy", so now I've got to try to understand proxy types.
I was under the impression that if I used iptables correctly to redirect port 80 to 3128, which is the squid port, that it would work in transparent mode. Any ideas on if that is possible?

Thanks again.
 
Old 09-23-2007, 12:50 PM   #4
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
An explicit proxy is when you configure the browser to use that as a proxy. For a transparent proxy you need somewhere to get the user's traffic to the proxy server.
 
Old 10-06-2007, 05:55 PM   #5
mbmx
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by davimint
slimm609,
I was under the impression that if I used iptables correctly to redirect port 80 to 3128 which is the squid port that it would work in transparent mode. Any ideas on if that is possible?
Thanks again.

Sorry, my English is not good, but I'll try.

You are using iptables to redirect traffic to squid, but this command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

will not redirect local traffic (generated by a local process) to squid, because squid is a local process too. The PREROUTING chain is placed after the network interface, but before local processes. But you need to redirect traffic from a local process (the browser) to a local process (squid). You can do this by setting the proxy settings in your browser. Or you can try to redirect the traffic with this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

All requests on port 80 will go to port 3128 on the local machine. But that is not all. If you do so, all requests from squid to port 80 will go back to squid on port 3128. And it will be a cycle.

You will need to think about the ports that squid uses to send requests. If the browser, for example, sends requests from local ports 1000-2000, but squid uses another range of ports for this, let it be, for example, 5000-10000, you can use this to split the requests like this:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m multiport --sports 1000:2000 -j REDIRECT --to-port 3128

I'm not sure that the browser and squid use different ports to send requests, but you can try.

In short, your trouble is in iptables.

For complete information on iptables you'd better go here: http://iptables-tutorial.frozentux.net/

Hope I was useful.

Last edited by mbmx; 10-06-2007 at 06:09 PM.
 
Old 10-06-2007, 06:07 PM   #6
mbmx
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Rep: Reputation: 0
And some more... In your squid cache.log there is a string:

Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.

This tells you that squid is listening on all interfaces available in your system. For security reasons you'll need to change the IP on which squid is listening for connections. If it is 0.0.0.0, squid is listening on all interfaces!!! If your machine is on the internet, all users from the internet can access squid and use it for their own needs. I've already made this mistake - 180Mb of my own traffic (I'm paying by megabytes to my provider) was used by somebody from Cali. They were using my squid as an anonymous proxy to hide their IP or something like that. So change the listen address to your private network, for example 192.168.0.1 or something like this.
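
An added example (not written by any poster in this thread): a shell check that reports which Squid listeners are bound to the wildcard address, working from squid.conf and from cache.log lines like the one quoted above. The function names and the 127.0.0.1 replacement line are assumptions made here; loopback is used because the iptables REDIRECT target maps locally generated packets to 127.0.0.1, so a proxy that serves only this PC does not need to listen anywhere else.

```shell
#!/bin/sh
# Added example (not from the thread): report Squid listeners bound to 0.0.0.0.

# stdin: squid.conf. Prints the port of each http_port line that has no bind
# address (or an explicit 0.0.0.0), i.e. that listens on every interface.
wildcard_http_ports() {
    awk '$1 == "http_port" {
        spec = $2
        if (spec !~ /:/ || spec ~ /^0\.0\.0\.0:/) {
            sub(/^.*:/, "", spec)
            print spec
        }
    }'
}

# stdin: cache.log. Prints "port service" for each "Accepting ... at 0.0.0.0" line.
wildcard_log_listeners() {
    sed -n 's/^.*| Accepting \(.*\) at 0\.0\.0\.0, port \([0-9][0-9]*\),.*$/\2 \1/p'
}

# Constructed samples: directives and log lines quoted in this thread, plus a
# hypothetical loopback-only http_port line for comparison.
conf_as_posted() { printf '%s\n' 'http_port 3128 transparent' 'icp_access allow all'; }
conf_loopback()  { printf '%s\n' 'http_port 127.0.0.1:3128 transparent'; }
log_as_posted() {
    cat <<'EOF'
2007/09/22 16:43:35| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.
2007/09/22 16:43:35| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2007/09/22 16:43:35| Accepting SNMP messages on port 3401, FD 14.
EOF
}

echo "as posted, wildcard http_port: $(conf_as_posted | wildcard_http_ports)"
echo "loopback only, wildcard http_port: $(conf_loopback | wildcard_http_ports)"
echo "cache.log wildcard listeners:"
log_as_posted | wildcard_log_listeners
```

After changing http_port and restarting Squid, the "Accepting" line in cache.log should show the chosen address instead of 0.0.0.0.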
 
Old 10-16-2007, 12:05 AM   #7
davimint
Member
 
Registered: Jan 2006
Distribution: Slackware Current
Posts: 272

Original Poster
Rep: Reputation: 33
mbmx:
Thanks for your reply, I was reading over some old posts when I saw it. I did manage to get squid working with the following iptables rules.

Code:
iptables -t nat -A OUTPUT -p TCP --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p TCP --dport 80 -j REDIRECT --to-ports 3128

Reading your post helped me better understand, not to mention I've spent some time learning more about iptables.
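
An added example (not written by any poster in this thread): a shell lint for the rule ordering that posts #5 and #7 turn on. The proxy account's own port-80 traffic has to be accepted in nat OUTPUT before the REDIRECT is reached, otherwise Squid's outbound requests are sent back to Squid. The function name and the sample rule lists are constructed here from the commands quoted in the thread; match options other than the ones named in the comments are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): lint nat OUTPUT rules for a proxy loop.

# stdin: rules in "-A CHAIN ..." form, with or without a leading "iptables -t nat".
# $1: proxy account name or uid as written in the rules, $2: proxy port.
# Prints "ok" if an owner-match ACCEPT for the proxy account precedes the first
# REDIRECT of port 80 to the proxy port, "loop" if the REDIRECT comes first,
# and "no-redirect" if OUTPUT has no such REDIRECT (local traffic is untouched).
check_output_redirect() {
    awk -v owner="$1" -v port="$2" '
    function has(flag, val,   i) {
        for (i = 1; i < NF; i++) if ($i == flag && $(i + 1) == val) return 1
        return 0
    }
    { sub(/^iptables +(-t +nat +)?/, "") }
    $1 == "-A" && $2 == "OUTPUT" && has("--dport", "80") {
        if (has("--uid-owner", owner) && has("-j", "ACCEPT")) {
            exempt = 1
        } else if (has("-j", "REDIRECT") &&
                   (has("--to-ports", port) || has("--to-port", port))) {
            print (exempt ? "ok" : "loop")
            done = 1
            exit
        }
    }
    END { if (!done) print "no-redirect" }'
}

# Constructed samples: the rules quoted in posts #1, #5 and #7.
rules_post1() { echo 'iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128'; }
rules_post5() { echo 'iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128'; }
rules_post7() {
    cat <<'EOF'
iptables -t nat -A OUTPUT -p TCP --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p TCP --dport 80 -j REDIRECT --to-ports 3128
EOF
}

echo "post #1 rule:  $(rules_post1 | check_output_redirect squid 3128)"
echo "post #5 rule:  $(rules_post5 | check_output_redirect squid 3128)"
echo "post #7 rules: $(rules_post7 | check_output_redirect squid 3128)"
```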
 
  

