On Tue, 25 Apr 2000, Russell Mosemann wrote:
> Is it possible for Squid running as a transparent proxy to connect to
> Apache running on the same machine? No one on the squid-users group has
> responded to this question. Since you guys know about the guts of Squid,
> you should be able to tell me if this is at least conceptually possible.
>
> We use squidGuard with Squid. When a site is blocked and the user is
> redirected to a "Not Available" web page, we would like it to be served by
> Apache running on the same machine instead of going out to the network.
> What we have
>
> Linux 2.2.14 with ipchains
> Squid 2.4.DEVEL2
> squidGuard 1.1.4
> Apache 1.3.x
>
> Squid is set up as a transparent proxy according to the FAQ. It is
> accelerating port 80 and listening on port 3128. Apache is running on
> port 80. Squid and squidGuard work wonderfully when connecting to some
> place on the Internet. Apache works wonderfully when connecting directly
> to the Linux machine. Squid times out when trying to talk to Apache.
>
> A Cabletron SmartSwitch router redirects all traffic to the Internet
> headed for port 80 to the Linux machine. Ipchains redirects the packets
> to port 3128 for Squid. Squid sends the packet to squidGuard, squidGuard
> redirects it to the same machine (supposedly to Apache running on port
> 80), Squid tries to make the connection, but it eventually times out.
>
> I have tried moving Apache to various ports and to the internal loopback
> interface. I have tried various incantations of ipchains. The problem
> is, I can't tell what Squid is actually trying to connect to when it is
> redirected. So, I don't know if this is a Squid problem or not, but I
> suspect it is.
>
> Some people have mentioned that Squid has code in it to prevent it from
> connecting to itself. If that is the case and the code is over zealous,
> it could be preventing all connections back to the same machine instead of
> just preventing connections to port 3128 on the same machine. Any
> thoughts or ideas? Thanks.
I bet it is more likely that the ipchains rules are preventing
Squid's packets from reaching the apache server. I would try
telling Squid to connect to localhost, port 80, and then add
an IP chains rule that specifically allows it.
/sbin/ipchains -A input -p tcp -s 127.0.0.1 -d 127.0.0.1 80 -j ACCEPT
?
You can test it yourself. If you can telnet to port 80, then
squid should certainly be able to connect to apache as well.
Duane W.
Received on Tue Apr 25 2000 - 19:26:27 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:24 MST