Здравствуйте, я к Вам с очередным бояном! Сквид не обрабатывает отправленный на 3128 порт трафик, соответственно не открываются http ресурсы.
Раньше на дебиане стоял squid3.Х, все работало отлично. Сейчас беру свой старый конфиг:
# Recommended minimum configuration:
#
acl managers proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl LocalNet src 192.168.111.0/24
acl MAC arp "/etc/squid3/mac_allow"
acl PARK arp "/etc/squid3/mac_park"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 666 # RDP Moscow
acl Safe_ports port 1723 # VPN
acl Safe_ports port 2004 # MyChat
acl CONNECT method CONNECT
# Полный доступ
acl admin arp "/etc/squid3/mac_vip"
acl exe_torrent arp "/etc/squid3/mac_vip_exe_torrent"
# Блокируем скачку файлов
acl media urlpath_regex -i \.mp3$ \.wav$ \.avi$ \.mpeg$ \.aiff$ \.ape$ \.ogg$ \.flv$ \.3g2$ \.3gp$ \.divx$ \.flc$ \.mkv$ \.mov$ \.mp4$ \.swf$ \.wmv$ \.avi$
acl exe urlpath_regex -i \.exe$ \.dll$
acl torrent urlpath_regex -i \.torrent$
acl torrent_mime rep_mime_type -i ^application/x-bittorrent$
acl torrent_mime rep_mime_type -i application/x-bittorrent
acl youtube rep_mime_type -i video/mp4
acl youtube2 req_mime_type -i video/mp4
acl youtube rep_mime_type -i ^video\*
acl youtube rep_mime_type -i ^audio\*
acl youtube rep_mime_type -i ^audio/mp4$
acl youtube rep_mime_type -i ^video/mp4$
acl youtube rep_mime_type -i ^audio/swf$
acl youtube rep_mime_type -i ^video/swf$
acl youtube rep_mime_type -i ^video/x-swf$
acl youtube rep_mime_type -i ^video/x-f4f$
acl youtube rep_mime_type -i ^audio/mp3$
acl youtube rep_mime_type -i ^audio/wav$
acl youtube rep_mime_type -i ^audio/ogg$
acl youtube rep_mime_type Content-Type video
acl youtube rep_mime_type Content-Type audio
acl youtube rep_mime_type ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv$
acl youtube2 req_mime_type ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv$
acl youtube2 req_mime_type -i ^video/x-ms-asf$
acl youtube2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl youtube2 req_mime_type -i ^application/x-mms-framed$
acl youtube rep_mime_type -i ^video/x-ms-asf$
acl youtube rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl youtube rep_mime_type -i ^application/x-mms-framed$
acl youtube3 browser Windows-Media-Player/*
acl inetradio_rep rep_mime_type ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv$
acl inetradio_req req_mime_type ^application/x-mms-framed$ ^application/vnd.ms.wms-hdr.asfv$
acl StreamMedia rep_mime_type ^.*video.*
acl StreamMedia rep_mime_type ^.*audio.*
acl media2 rep_mime_type -i ^audio/.*$
acl media2 rep_mime_type -i ^video/.*$
acl media2 rep_mime_type -i ^video/x-flv$
acl media2 rep_mime_type -i ^application/x-shockwave-flash$
acl media2 rep_mime_type -i ^application/octet-stream$
http_reply_access deny torrent_mime !exe_torrent
http_reply_access deny youtube !admin
http_reply_access deny youtube2 !admin
http_reply_access deny youtube3 !admin
http_reply_access deny media2 !admin
http_access deny youtube2 !admin
http_access deny youtube3 !admin
http_access deny torrent !exe_torrent
http_access deny exe !exe_torrent
http_access deny media !admin
http_access deny inetradio_req !admin
http_reply_access deny inetradio_rep !admin
http_reply_access deny StreamMedia !admin
# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
http_access allow managers localhost
http_access deny managers
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# from where browsing should be allowed
http_access allow localhost
# Доступ для локальной сети
http_access allow LocalNet !PARK
# Ведра
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/10000000
delay_access 1 allow LocalNet !MAC
delay_access 1 deny all
# Резалка контента
redirector_bypass on
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_children 1
# Доступ только по MAC адресу
# acl MAC arp "/etc/squid3/mac_allow"
# http_access allow all MAC
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 192.168.111.1:3128 intercept
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
При запуске получаю ругань на ACL manager, src локалхоста, мол это дубли. Думаю, ок, наверно в новой версии эти переменные заложены по дефолту. Пишу простейший конфиг такого вида:
acl LocalNet src 192.168.111.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 8080
acl Safe_ports port 20
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow LocalNet
http_port 192.168.111.1:3128 intercept
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
Далее:
service squid3 stop
squid3 -z
service squid3 start
Сквид запускается без каких либо ошибок:
/usr/sbin/squid3 -N -YC -f /etc/squid3/squid.confПроброс http трафика в iptables присутствует, но не одна страница на 80 порту не открывается.
iptables-save прилагаю:
# Generated by iptables-save v1.4.21 on Fri Feb 20 10:32:25 2015
*mangle
:PREROUTING ACCEPT [144:22546]
:INPUT ACCEPT [27:2228]
:FORWARD ACCEPT [117:20318]
:OUTPUT ACCEPT [15:1576]
:POSTROUTING ACCEPT [132:21894]
COMMIT
# Completed on Fri Feb 20 10:32:25 2015
# Generated by iptables-save v1.4.21 on Fri Feb 20 10:32:25 2015
*nat
:PREROUTING ACCEPT [21:1347]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.111.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.111.0/24 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.111.2:3389
-A PREROUTING -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.111.2:1723
-A POSTROUTING -s 192.168.111.0/24 ! -d 192.168.111.0/24 -j SNAT --to-source INET_IP
COMMIT
# Completed on Fri Feb 20 10:32:25 2015
# Generated by iptables-save v1.4.21 on Fri Feb 20 10:32:25 2015
*filter
:INPUT DROP [8:572]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [23:2808]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.111.1/32 -j ACCEPT
-A INPUT -s 192.168.111.0/24 -i eth1 -p tcp -m multiport --dports 53 -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.111.0/24 -i eth1 -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -s 192.168.111.0/24 -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name radiator --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 60 --hitcount 3 --name radiator --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -j ULOG
-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m multiport --dports 20,21,25,80,110,123,465,515 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 20,21,25,80,110,123,465,515 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m multiport --dports 631,666,993,995,443,5222,5223,8080 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 631,666,993,995,443,5222,5223,8080 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m multiport --dports 53,123,137,138,465,995 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp -m multiport --dports 53,123,137,138,465,995 -j ACCEPT
-A FORWARD -s 192.168.111.101/32 -o eth0 -j ACCEPT
-A FORWARD -s 192.168.111.101/32 -o eth0 -j ACCEPT
-A FORWARD -j ULOG
COMMIT
# Completed on Fri Feb 20 10:32:25 2015
Не могли бы Вы подсказать какие еще инструменты диагностики можно применить для выявления причины данной проблемы?
Тема: Проблема с прозрачным squid3 (Прочитано 1186 раз)
