RE: [squid-users] whitelisted IP problem

From: Vijay <vijay_at_reactmedia.com>
Date: Tue, 20 Mar 2012 11:23:54 +0530

Hi Everyone

Thanks for your help, I got it working now. But now a new problem has come
up: when I use squidclient it works perfectly, whereas when I try using
PHP it does not.

If anybody can help me decode the below cache.log, it will be of great help.

2012/03/20 10:14:23.889| aclCheckFast: list: 0x175c860
2012/03/20 10:14:23.889| ACLChecklist::preCheck: 0xbfccd8b4 checking
'ident_lookup_access deny all'
2012/03/20 10:14:23.889| ACLList::matches: checking all
2012/03/20 10:14:23.889| ACL::checklistMatches: checking 'all'
2012/03/20 10:14:23.889| aclIpAddrNetworkCompare: compare:
122.166.1.184:48347/[::] ([::]:48347) vs [::]-[::]/[::]
2012/03/20 10:14:23.890| aclIpMatchIp: '122.166.1.184:48347' found
2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'all' is 1
2012/03/20 10:14:23.890| ACLList::matches: result is true
2012/03/20 10:14:23.890| aclmatchAclList: 0xbfccd8b4 returning true (AND
list satisfied)
2012/03/20 10:14:23.890| ACLChecklist::markFinished: 0xbfccd8b4 checklist
processing finished
2012/03/20 10:14:23.890| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfccd8b4
2012/03/20 10:14:23.890| ACLChecklist::~ACLChecklist: destroyed 0xbfccd8b4
2012/03/20 10:14:23.890| ACLChecklist::preCheck: 0x19f0128 checking
'http_access allow manager localhost server'
2012/03/20 10:14:23.890| ACLList::matches: checking manager
2012/03/20 10:14:23.890| ACL::checklistMatches: checking 'manager'
2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'manager' is 0
2012/03/20 10:14:23.890| ACLList::matches: result is false
2012/03/20 10:14:23.890| aclmatchAclList: 0x19f0128 returning false (AND
list entry failed to match)
2012/03/20 10:14:23.890| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2012/03/20 10:14:23.890| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny manager'
2012/03/20 10:14:23.890| ACLList::matches: checking manager
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'manager'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'manager' is 0
2012/03/20 10:14:23.891| ACLList::matches: result is false
2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND
list entry failed to match)
2012/03/20 10:14:23.891| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny !Safe_ports'
2012/03/20 10:14:23.891| ACLList::matches: checking !Safe_ports
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'Safe_ports'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2012/03/20 10:14:23.891| ACLList::matches: result is false
2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND
list entry failed to match)
2012/03/20 10:14:23.891| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny CONNECT !SSL_ports'
2012/03/20 10:14:23.891| ACLList::matches: checking CONNECT
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'CONNECT'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'CONNECT' is 1
2012/03/20 10:14:23.891| ACLList::matches: result is true
2012/03/20 10:14:23.891| ACLList::matches: checking !SSL_ports
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'SSL_ports'
2012/03/20 10:14:23.892| ACL::ChecklistMatches: result for 'SSL_ports' is 0
2012/03/20 10:14:23.892| ACLList::matches: result is true
2012/03/20 10:14:23.892| aclmatchAclList: 0x19f0128 returning true (AND list
satisfied)
2012/03/20 10:14:23.892| ACLChecklist::markFinished: 0x19f0128 checklist
processing finished
2012/03/20 10:14:23.892| ACLChecklist::check: 0x19f0128 match found, calling
back with 0
2012/03/20 10:14:23.892| ACLFilledChecklist::checkCallback: 0x19f0128
answer=0
2012/03/20 10:14:23.892| ACLChecklist::checkCallback: 0x19f0128 answer=0
2012/03/20 10:14:23.892| aclIsProxyAuth: called for SSL_ports
2012/03/20 10:14:23.892| ACL::FindByName 'SSL_ports'
2012/03/20 10:14:23.892| aclIsProxyAuth: returning 0
2012/03/20 10:14:23.892| Gadgets.cc(57) aclGetDenyInfoPage: got called for
SSL_ports
2012/03/20 10:14:23.892| aclGetDenyInfoPage: no match
2012/03/20 10:14:23.892| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x19f0128
2012/03/20 10:14:23.892| ACLChecklist::~ACLChecklist: destroyed 0x19f0128
2012/03/20 10:14:23.893| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x19f0128
2012/03/20 10:14:23.893| ACLChecklist::~ACLChecklist: destroyed 0x19f0128
2012/03/20 10:14:23.893| ConnStateData::swanSong: FD 11

Thanks & Regards
Vijay

-----Original Message-----
From: Vishal Agarwal [mailto:vishal_at_norpknit.com]
Sent: Tuesday, March 20, 2012 10:14 AM
To: 'Vijay S'; namasenda_at_gmail.com
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] whitelisted IP problem

The LAN network should be 192.168.1.0/24 , not /32.

Thanks/regards,
Vishal Agarwal

-----Original Message-----
From: Vijay S [mailto:vijay_at_reactmedia.com]
Sent: Tuesday, March 20, 2012 12:02 AM
To: namasenda_at_gmail.com
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] whitelisted IP problem

I have mentioned my LAN network as 192.168.1.0/32. Was that not enough? Am I
missing something in the configuration below?

On Mon, Mar 19, 2012 at 11:28 PM, Edmonds Namasenda <namasenda_at_gmail.com>
wrote:
> You might need a firewall of sorts.
> And, you need to specify your LAN's network (s) in Squid conf.
>
> I.P.N Edmonds
> Systems | Networks | ICTs
> UgM: +256 71 227 3374 | TzM: +255 68 422 1561 # 22249, Kampala Uganda.
>
> -----Original Message-----
> From: Vijay S <vijay_at_reactmedia.com>
> Date: Mon, 19 Mar 2012 23:22:30
> To: <namasenda_at_gmail.com>; <squid-users_at_squid-cache.org>
> Subject: Re: [squid-users] whitelisted IP problem
>
> Do I have to do any IP tables configurations for this as well?
>
> On Mon, Mar 19, 2012 at 10:57 PM, Vijay <vijay_at_reactmedia.com> wrote:
>> I am still a beginner. I googled some site and found this
>> configuration. Initially it was this:
>>
>>
>> #
>> # Recommended minimum configuration:
>> #
>> acl manager proto cache_object
>> acl server src 192.168.1.10
>> acl localhost src 192.168.1.0/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>>
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow manager localhost server
>> http_access deny manager
>>
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> http_access allow localnet
>> http_access allow localhost server
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>>
>> # We recommend you to use at least the following line.
>> hierarchy_stoplist cgi-bin ?
>>
>> # Uncomment and adjust the following to add a disk cache directory.
>> #cache_dir ufs /var/spool/squid 100 16 256
>>
>> # Leave coredumps in the first cache dir
>> coredump_dir /var/spool/squid
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>>
>>
>> visible_hostname reactmedia.com
>>
>> debug_options ALL,1 33,2 28,9
>>
>> tcp_outgoing_address 122.166.1.184
>>
>>
>>
>> Thanks & Regards
>> Vijay
>>
>>
>> -----Original Message-----
>> From: Edmonds Namasenda [mailto:namasenda_at_gmail.com]
>> Sent: Monday, March 19, 2012 10:33 PM
>> To: Vijay S; squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] whitelisted IP problem
>>
>> Vijay,
>> Just a quick look has shown me you did not specify your network and
>> there are a few typo errors.
>> Re-adjust, test, and fill us in some more.
>>
>> I.P.N Edmonds
>> Systems | Networks | ICTs
>> UgM: +256 71 227 3374 | TzM: +255 68 422 1561 # 22249, Kampala Uganda.
>>
>> -----Original Message-----
>> From: Vijay S <vijay_at_reactmedia.com>
>> Date: Mon, 19 Mar 2012 22:28:03
>> To: <squid-users_at_squid-cache.org>
>> Subject: [squid-users] whitelisted IP problem
>>
>> Hi
>>
>> I have my server box hosting Apache and Squid on a CentOS machine.
>> When I send my request for clients' feeds it works, as they have whitelisted
>> my IP address, and when I make the call via Squid it gives me invalid IP.
>> I checked the access log for more information and found out that instead of
>> sending my IP address it's sending the localhost IP address (127.0.0.1).
>>
>> I googled a little and found that using the tcp_outgoing_address directive I
>> can control the outgoing IP address, and to my bad luck this didn't work.
>>
>> My configuration file is as follows
>>
>> acl all src all
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/32
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> http_access allow localhost
>> http_access deny all
>>
>> icp_access allow all
>>
>> http_port 3128
>>
>> visible_hostname loclahost
>> debug_options ALL,1 33,2 28,9
>> tcp_outgoing_address 122.166.1.184
>>
>> Can somebody help me with configuration for my servers? It will
>> be of great help.
>>
>> Thanks & Regards
>> Vijay
>>
Received on Tue Mar 20 2012 - 05:59:03 MDT
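
Added example, not part of the original thread: a small Python parser for the `debug_options ... 28,9` ACL trace posted in the message above. It rejoins the records the mail client wrapped and reports the first `http_access` rule whose ACL list matched. The function and variable names are this example's own, and the sample is an excerpt of the posted log.

```python
import re

# Patterns for Squid debug section 28 (ACL) records, as they appear in the log above.
TS = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\| ")
RULE = re.compile(r"ACLChecklist::preCheck: (0x[0-9a-f]+) checking '(.+)'")
ACL = re.compile(r"ACL::ChecklistMatches: result for '(\S+)' is (\d)")
DONE = re.compile(r"aclmatchAclList: (0x[0-9a-f]+) returning (true|false)")

# Excerpt of the cache.log from the message, with the mail client's line wraps kept.
SAMPLE = """\
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny !Safe_ports'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND
list entry failed to match)
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny CONNECT !SSL_ports'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'CONNECT' is 1
2012/03/20 10:14:23.892| ACL::ChecklistMatches: result for 'SSL_ports' is 0
2012/03/20 10:14:23.892| aclmatchAclList: 0x19f0128 returning true (AND list
satisfied)
"""

def unwrap(text):
    """Rejoin records whose tail was wrapped onto a line with no timestamp."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(TS.sub("", line))
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def trace_rules(text):
    """One dict per rule line evaluated: its text, ACL results, and whether it matched."""
    rules = []
    for rec in unwrap(text):
        if m := RULE.search(rec):
            rules.append({"id": m[1], "rule": m[2], "acls": {}, "matched": False})
        elif rules and (m := ACL.search(rec)):
            rules[-1]["acls"][m[1]] = int(m[2])
        elif rules and (m := DONE.search(rec)) and m[1] == rules[-1]["id"]:
            rules[-1]["matched"] = m[2] == "true"
    return rules

def deciding_rule(text, directive="http_access"):
    """First matching rule of the directive; Squid stops there and applies its action."""
    return next((r for r in trace_rules(text)
                 if r["rule"].startswith(directive + " ") and r["matched"]), None)
```

On the excerpt, `deciding_rule(SAMPLE)` returns the `http_access deny CONNECT !SSL_ports` rule with `CONNECT` = 1 and `SSL_ports` = 0, that is, a CONNECT request to a port outside `SSL_ports`.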

This archive was generated by hypermail 2.2.0 : Tue Mar 20 2012 - 12:00:04 MDT