Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Sat Aug 11, 2012 10:52 pm Post subject: [solved] squid: some addresses are unreachable
Hey there,
I have been running squid as a transparent proxy for some months. This morning, I tried to set up squidclamav, but after a while I realized that some addresses like www.google.de were unreachable. So I revoked all changes, but all attempts to reach www.google.de with my browser led to timeouts. Nevertheless, the address is resolved, as I found out with various pings. Additionally, everything works fine when I disable squid completely and let all HTTP traffic reach the internet directly.
My conclusion:
- dns works
- browsers work
This is my squid.conf:
Code: | http_port 10.0.0.1:3128 transparent
cache_dir aufs /var/cache/squid/ 10000 1 1
cache_mem 128 MB
minimum_object_size 0 KB
maximum_object_size 0 KB
maximum_object_size_in_memory 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
shutdown_lifetime 3 seconds
access_log /var/log/squid/access.log
emulate_httpd_log on
acl Safe_ports port 80
acl purge method PURGE
acl clients src 10.0.0.1-10.0.0.50
acl wlanap src 10.0.0.100
acl url_ads url_regex -i "/etc/squid/banner-ads.acl"
http_access allow clients !url_ads
http_access allow wlanap
http_access deny all |
I use squid-3.1.19. This setup worked well for a few months, but now I just can't find the reason for this behavior. Any help would be really appreciated.
Best regards,
Jimini
Solution: reinstalled squid without ipv6-support.
_________________ "The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
Last edited by Jimini on Sun Aug 12, 2012 10:13 am; edited 1 time in total
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Sun Aug 12, 2012 3:20 am Post subject:
- check cache.log & access.log
- check with and without explicit proxy settings in your browser
- if you need help, then help us help you (give some logs and everything related you can think of)
_________________ The End of the Internet!
Last edited by truc on Sun Aug 12, 2012 9:42 am; edited 1 time in total
Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Sun Aug 12, 2012 6:41 am Post subject:
Thank you for your reply.
Now I reactivated the following iptables rule:
Code: | iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128 |
cache.log when I stop squid:
Code: | 2012/08/12 07:57:26| basic/auth_basic.cc(97) done: Basic authentication Shutdown.
CPU Usage: 0.120 seconds = 0.090 user + 0.030 sys
Maximum Resident Size: 33440 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena: 2538 KB
Ordinary blocks: 2442 KB 8 blks
Small blocks: 0 KB 6 blks
Holding blocks: 820 KB 3 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 95 KB
Total in use: 3262 KB 129%
Total free: 96 KB 4% |
cache.log when I start squid:
Code: | 2012/08/12 07:57:32| Starting Squid Cache version 3.1.19 for i686-pc-linux-gnu... |
access.log when I access www.gentoo.org:
Code: | 10.0.0.4 - - [12/Aug/2012:08:04:20 +0200] "GET http://www.gentoo.org/ HTTP/1.1" 200 10759 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/css/main.css HTTP/1.1" 200 2893 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/gtop-www.jpg HTTP/1.1" 200 5068 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/gentoo-new.gif HTTP/1.1" 200 5305 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/gridtest.gif HTTP/1.1" 200 3714 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/icon-gentoo.png HTTP/1.1" 200 10876 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/icon-clock.png HTTP/1.1" 200 14232 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/G-Earth.png HTTP/1.1" 200 20100 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/favicon.ico HTTP/1.1" 200 5370 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://www.gentoo.org/images/icon-cow.png HTTP/1.1" 200 11074 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:21 +0200] "GET http://images.paypal.com/images/x-click-but21.gif HTTP/1.1" 200 951 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:28 +0200] "GET http://sidebar.gentoo.org/ HTTP/1.1" 200 3200 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:29 +0200] "GET http://www.gentoo.org/images/osuosl.png HTTP/1.1" 200 9099 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:32 +0200] "GET http://images.paypal.com/images/x-click-but21.gif HTTP/1.1" 200 946 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:32 +0200] "GET http://www.gentoo.org/images/G-Earth.png HTTP/1.1" 200 4474 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:32 +0200] "GET http://www.gentoo.org/images/gentoo-new.gif HTTP/1.1" 200 4474 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/gridtest.gif HTTP/1.1" 200 3709 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/gtop-www.jpg HTTP/1.1" 200 5041 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/icon-clock.png HTTP/1.1" 200 5674 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/icon-cow.png HTTP/1.1" 200 5674 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:04:33 +0200] "GET http://www.gentoo.org/images/icon-gentoo.png HTTP/1.1" 200 5674 TCP_MISS:DIRECT
10.0.0.4 - - [12/Aug/2012:08:05:41 +0200] "GET http://www.gentoo.org/images/osuosl.png HTTP/1.1" 200 5673 TCP_MISS:DIRECT |
When I want to access www.google.de, nothing is logged, until I get a timeout after ~2 minutes and the following appears in access.log:
Code: | 10.0.0.4 - - [12/Aug/2012:08:07:07 +0200] "GET http://www.google.de/ HTTP/1.1" 504 4618 TCP_MISS:DIRECT |
I also get the following error in my browser:
Code: | The following error was encountered while trying to retrieve the URL: http://www.google.de/
Connection to 2a00:1450:4016:801::101f failed.
The system returned: (110) Connection timed out
The remote host or network may be down. Please try the request again.
Your cache administrator is root. |
With or without explicit proxy settings in Firefox - it makes no difference. Google is always unreachable.
If you need additional information, please let me know.
Best regards,
Jimini
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sun Aug 12, 2012 8:24 am Post subject:
Jimini wrote: | Connection to 2a00:1450:4016:801::101f failed. |
this is an ipv6 address. something in the chain, be it client, or proxy, is missing ipv6 support. _________________ Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash |
Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Sun Aug 12, 2012 8:45 am Post subject:
I have absolutely no idea why this should all of a sudden be a problem. I use exactly the same config as two days ago, when everything went fine. I have not set up any support for ipv6 yet - and I hope I am not forced to change this by now.
Best regards,
Jimini
Edit: I rebuilt squid without ipv6-support - it seems as if everything works again.
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Sun Aug 12, 2012 9:52 am Post subject:
Jimini wrote: | I have absolutely no idea why this should all of a sudden be a problem. I use exactly the same config as two days ago, when everything went fine. I have not set up any support for ipv6 yet - and I hope, I am not forced to change this by now.
Best regards,
Jimini
Edit: I rebuilt squid without ipv6-support - seems, as if everything works again. |
Damn! I should have bet on an IPv6 problem! I was almost sure :)
You're certainly not forced to enable IPv6 but you definitely should.
You can still do transparent proxy with IPv6 using TPROXY, it's really not that hard.
Please do what you have to! The more we are using IPv6, the better it is for everybody
Jimini l33t
Joined: 31 Oct 2006 Posts: 605 Location: Germany
Posted: Sun Aug 12, 2012 10:12 am Post subject:
truc wrote: | You're certainly not forced to enable Ipv6 but you definitely should.
You can still do transparent proxy with IPv6 using TPROXY, it's really not that hard.
Please do what you have to! The more we are using IPv6, the better it is for everybody :D |
You are absolutely right. I've got that point on my to-do-list since many many months, but at the moment, I simply do not have enough free time to reconfigure my network (5 clients, 1 server, 1 router, traffic-shaping- and iptables-scripts and so on...) - this project will be done this winter - I promise ;)
Best regards and thanks for your (and cach0rr0, too!) help,
Jimini
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Mon Aug 13, 2012 5:11 am Post subject:
Jimini wrote: | I have absolutely no idea why this should all of a sudden be a problem. I use exactly the same config as two days ago, when everything went fine. I have not set up any support for ipv6 yet - and I hope, I am not forced to change this by now.
Best regards,
Jimini
Edit: I rebuilt squid without ipv6-support - seems, as if everything works again. |
looks like the ebuilds for Squid 3 enable ipv6 by default
Code: |
# grep IUSE.*ipv6 /usr/portage/net-proxy/squid/squid-3*.ebuild
/usr/portage/net-proxy/squid/squid-3.1.15.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.16.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.18.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.19.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
/usr/portage/net-proxy/squid/squid-3.1.20.ebuild:IUSE="caps ipv6 pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test
|
so unless you explicitly disable ipv6 in make.conf or package.use, it would be enabled. Dunno when your last Squid update was, or when this might have been enabled by default, though.
I've just had USE="-ipv6" in make.conf for a while for precisely this reason; I have 5 static IPv4 addresses, and will not be able to get IPv6 addresses without paying extra money. I have no intention of using a tunnel broker either, so for now this avoids the sort of annoying IPv6 problems that seem to pop up everywhere unexpectedly.