Hi
I am trying to get Squid working on FreeBSD 11.
I have two NICs: internal INT_IF and external EXT_IF.
My NAT is working, but I am not sure if this is a redirection issue or squid.conf.
--- /etc/pf.conf
Code:
nat on $EXT_IF from !($EXT_IF)->($EXT_IF:0)
rdr on $INT_IF inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $INT_IF inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $EXT_IF inet proto tcp from any to any port www keep state
pass in quick on { lo0 $INT_IF } all
pass out quick on $EXT_IF inet proto {tcp,udp} from any to any keep state
pass out quick on $EXT_IF inet proto { tcp,udp,icmp} all
---
pfctl -s s
---
Code:
nat on em0 from ! (em0) to any -> (em0:0)
rdr on bge0 inet proto tcp from any to any port = http -> 127.0.0.1 port 3128
pass in on bge0 inet proto tcp from any to 127.0.0.1 port = 3128 flags S/SA keep state
pass out on em0 inet proto tcp from any to any port = http flags S/SA keep state
pass out quick on em0 inet proto tcp all flags S/SA keep state
pass out quick on em0 inet proto udp all keep state
pass out quick on em0 inet proto icmp all keep state
pass in quick on lo0 all flags S/SA keep state
pass in quick on bge0 all flags S/SA keep state
-- squid.conf---
Code:
maximum_object_size 30000 KB
maximum_object_size_in_memory 40 KB
acl localnet src 10.1.0.0/24
acl localnet src 172.16.15.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
cache_peer 172.16.15.15 parent 3128 3130 no-netdb-exchange
cache_mem 1000 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/squid/cache 45000 16 256
coredump_dir /var/squid/cache
access_log stdio:/var/log/squid/access.log squid
cache_log stdio:/var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
logfile_rotate 0
debug_options ALL,2
log_mime_hdrs on
strip_query_terms off
visible_hostname www.imservicesgroup.internal.com
---
tail -f /var/log/squid/access.log
---
Code:
1488305300.734 1 10.1.0.5 TCP_MISS/403 4361 GET http://wwordpress.com/ - HIER_NONE/- text/html [Accept: text/html, application/xhtml+xml, image/jxr, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nAccept-Encoding: gzip, deflate\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nX-Forwarded-For: 10.1.0.100\r\nCache-Control: max-age=259200\r\nConnection: keep-alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3915\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en-us\r\n\r]
1488305300.734 3 10.1.0.100 TCP_MISS/403 4529 GET http://wwordpress.com/ - ORIGINAL_DST/10.1.0.5 text/html [Accept: text/html, application/xhtml+xml, image/jxr, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3915\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en-us\r\nX-Cache: MISS from www.imservicesgroup.internal.com\r\nX-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nConnection: keep-alive\r\n\r]
1488305300.741 1 10.1.0.100 TCP_DENIED/403 4432 GET http://www.imservicesgroup.internal.com:0/squid-internal-static/icons/SN.png - HIER_NONE/- text/html [Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5\r\nReferer: http://wwordpress.com/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3986\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en-us\r\n\r]
1488305300.744 1 10.1.0.5 TCP_MISS/403 4406 GET http://wwordpress.com/favicon.ico - HIER_NONE/- text/html [Accept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nDNT: 1\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nX-Forwarded-For: 10.1.0.100\r\nCache-Control: max-age=259200\r\nConnection: keep-alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3963\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en\r\n\r]
1488305300.745 2 10.1.0.100 TCP_MISS/403 4574 GET http://wwordpress.com/favicon.ico - ORIGINAL_DST/10.1.0.5 text/html [Accept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nDNT: 1\r\nConnection: Keep-Alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3963\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en\r\nX-Cache: MISS from www.imservicesgroup.internal.com\r\nX-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nConnection: keep-alive\r\n\r]
---
tail cache.log
-----
Code:
</head><body id="ERR_ACCESS_DENIED">
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://wwordpress.com/">http://wwordpress.com/</a></p>
<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>
<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
<hr>
<div id="footer">
<p>Generated Tue, 28 Feb 2017 18:12:43 GMT by www.imservicesgroup.internal.com (squid/3.5.24)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>
----------
2017/02/28 12:12:43.460 kid1| ctx: exit level 0
2017/02/28 12:12:43.460 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.460 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.460 kid1| ERROR: No forward-proxy ports configured.
2017/02/28 12:12:43.460 kid1| 88,2| client_side_reply.cc(2067) processReplyAccessResult: The reply for GET http://wwordpress.com/ is ALLOWED, because it matched (access_log stdio:/var/log/squid/access.log line)
2017/02/28 12:12:43.460 kid1| 11,2| client_side.cc(1408) sendStartOfMessage: HTTP Client local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33
2017/02/28 12:12:43.460 kid1| 11,2| client_side.cc(1409) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.5.24
Mime-Version: 1.0
Date: Tue, 28 Feb 2017 18:12:43 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3915
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
X-Cache: MISS from www.imservicesgroup.internal.com
X-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0
X-Cache: MISS from www.imservicesgroup.internal.com
X-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24), 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
Connection: keep-alive
----------
2017/02/28 12:12:43.461 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.461 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.461 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.467 kid1| 11,2| client_side.cc(2364) parseHttpRequest: HTTP Client local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33
2017/02/28 12:12:43.467 kid1| 11,2| client_side.cc(2365) parseHttpRequest: HTTP Client REQUEST:
---------
GET /squid-internal-static/icons/SN.png HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://wwordpress.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Accept-Encoding: gzip, deflate
Host: wwordpress.com
Connection: Keep-Alive
----------
2017/02/28 12:12:43.467 kid1| 33,2| client_side.cc(2741) clientProcessRequest: internal URL found: http://wwordpress.com:80 (global_internal_static on)
2017/02/28 12:12:43.467 kid1| ERROR: No forward-proxy ports configured.
2017/02/28 12:12:43.467 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET http://wwordpress.com/squid-internal-static/icons/SN.png is DENIED; last ACL checked: Safe_ports
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.468 kid1| ERROR: No forward-proxy ports configured.
2017/02/28 12:12:43.468 kid1| 88,2| client_side_reply.cc(2067) processReplyAccessResult: The reply for GET http://www.imservicesgroup.internal.com:0/squid-internal-static/icons/SN.png is ALLOWED, because it matched Safe_ports
2017/02/28 12:12:43.468 kid1| 11,2| client_side.cc(1408) sendStartOfMessage: HTTP Client local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33
2017/02/28 12:12:43.468 kid1| 11,2| client_side.cc(1409) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.5.24
Mime-Version: 1.0
Date: Tue, 28 Feb 2017 18:12:43 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3986
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
X-Cache: MISS from www.imservicesgroup.internal.com
X-Cache-Lookup: NONE from www.imservicesgroup.internal.com:0
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
Connection: keep-alive
----------
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.490 kid1| 33,2| client_side.cc(3345) clientReadRequest: local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33: got flag -1; (54) Connection reset by peer
2017/02/28 12:12:43.490 kid1| 33,2| client_side.cc(832) swanSong: local=10.1.0.5:3128 remote=10.1.0.102:61124 flags=33
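
The access.log entries above can be read mechanically. The following is an added example, not part of the original post: it parses Squid's native log format as written with `log_mime_hdrs on` and flags requests that arrive already carrying the proxy's own `Via` token, plus requests the proxy forwarded to the address those came from. `PROXY_NAME` is the `visible_hostname` from the post; the function names and the third sample line are assumptions of this example.

```python
import re

# Assumption: the visible_hostname value from the squid.conf in the post.
PROXY_NAME = "www.imservicesgroup.internal.com"

# time elapsed client code/status bytes method URL user hier/peer type [req] [reply]
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\w+)/(?P<status>\d{3})\s+"
    r"\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\w+)/(?P<peer>\S+)\s+"
    r"\S+\s+\[(?P<req>.*?)\]\s+\[(?P<rep>.*)\]\s*$"
)

def parse_headers(blob):
    """Split the logged header blob on the literal \\r\\n escapes Squid writes."""
    headers = {}
    for item in blob.split("\\r\\n"):
        name, sep, value = item.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def find_self_forwarding(lines, proxy_name=PROXY_NAME):
    """Return (looped_in, sent_to_self): requests that arrived already carrying
    this proxy's Via token, and requests forwarded to the address they came from."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["req"] = parse_headers(e["req"])
            entries.append(e)
    looped_in = [e for e in entries
                 if any(proxy_name in v for v in e["req"].get("via", []))]
    own_addrs = {e["client"] for e in looped_in}
    sent_to_self = [e for e in entries
                    if e["hier"] == "ORIGINAL_DST" and e["peer"] in own_addrs]
    return looped_in, sent_to_self

# Constructed sample: the first two lines are abbreviated from the post's
# access.log; the third is a made-up healthy request for contrast.
SAMPLE = [
    r"1488305300.734 1 10.1.0.5 TCP_MISS/403 4361 GET http://wwordpress.com/ - HIER_NONE/- text/html [Accept: text/html\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nX-Forwarded-For: 10.1.0.100\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r]",
    r"1488305300.734 3 10.1.0.100 TCP_MISS/403 4529 GET http://wwordpress.com/ - ORIGINAL_DST/10.1.0.5 text/html [Accept: text/html\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\n\r]",
    r"1488305301.100 42 10.1.0.101 TCP_MISS/200 1500 GET http://example.com/ - ORIGINAL_DST/192.0.2.10 text/html [Host: example.com\r\n] [HTTP/1.1 200 OK\r\n\r]",
]
```

On the sample, the first entry is reported as having already passed through the proxy (its `X-Forwarded-For` names 10.1.0.100), and the second as forwarded to 10.1.0.5, the address the first one came from.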