[CentOS-es] Squid Upgrade 3.3.8
Federico Don
federico.don13 en gmail.com
Mar Ago 13 15:40:51 UTC 2013
Buenas,
Necesito su ayuda.
Tengo funcionando un Squid Version 2.6.STABLE21 en un CentOS release 5.5
(Final)
La configuracion de mi squid es la siguiente:
[root en eze1-proxy02 ~]# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
visible_hostname eze1-proxy02
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
acl sp-download-grant src 172.17.193.25/32 #NOC-14473#
acl sp-download-grant src 172.17.196.7/32 #NOC-14473#
acl sp-download-grant src 172.17.196.30/32 #NOC-?????#
acl sp-download-grant src 172.17.196.55/32 #Pablo Resniski#
acl sp-download-grant src 172.17.196.136/32 #Damian Ferrai
acl sp-download-grant src 172.17.193.218/32 #NOC-14473#
acl sp-download-grant src 172.17.193.171/32 #adrian_bosi#
acl sp-download-grant src 172.17.197.148/32 #
acl sp-download-grant src 172.17.198.94/32 #Monitores-NOC
acl sp-download-grant src 172.17.201.63/32 #Fede_git
acl sp-download-grant src 172.17.193.38/32 #request for it-team
acl sp-download-grant src 172.17.193.197/32 #request for it-team
acl sp-download-grant src 172.17.193.6/32 #request for it-team
acl sp-download-grant src 172.17.193.5/32 #request for it-team
acl sp-download-grant src 172.17.193.4/32 #request for it-team
acl sp-download-grant src 172.17.193.7/32 #request for it-team
acl sp-download-grant src 172.17.193.85/32 #request for Mauro
acl sp-download-grant src 172.17.195.42/32 #request for it-team
acl sp-download-grant src 172.17.195.200/32 #request for it-team
acl sp-download-grant src 172.17.195.37/32 #request for it-team
acl sp-download-grant src 172.17.195.38/32 #request for it-team
acl sp-download-grant src 172.17.195.112/32 #request for it-team
acl sp-download-grant src 172.17.195.122/32 #fede for it-team
acl sp-download-grant src 172.17.195.240/32 #request for it-team
acl sp-download-grant src 172.17.195.242/32 #request for it-team
acl sp-download-grant src 172.17.195.67/32 #request for it-team
acl sp-download-grant src 172.17.195.208/32 #request for it-team
acl sp-download-grant src 172.17.193.175/32 #request for damian ferrai
acl sp-download-grant src 172.17.193.230/32 #request for Juan Ferraris
acl sp-download-grant src 172.17.196.26/32 #request for Juan Ferraris
acl sp-download-grant src 172.17.196.25/32 #request for gaston pereyra
acl sp-download-grant src 172.17.201.59/32 #request for fededon
acl sp-download-grant src 172.17.195.24/32 #request for fededon
acl sp-download-grant src 172.17.195.144/32 #request for fededon
acl sp-download-grant src 172.17.195.59/32 #request for fededon
reply_body_max_size 0 allow sp-download-grant
acl downloadhours time D 9:00-18:00
reply_body_max_size 504900000 allow downloadhours all
acl allow_url dstdomain "/etc/squid/allow_url"
http_access allow all allow_url
acl facebook_list src "/etc/squid/facebook_allow.squid"
acl facebook dstdomain .facebook.com
http_access allow facebook facebook_list
acl WorkingHours time D 09:00-13:00
acl WorkingHours2 time D 14:00-18:00
acl youtube_list src "/etc/squid/youtube_allow.squid"
acl youtube dstdomain .youtube.com
http_access allow youtube youtube_list
http_access deny youtube WorkingHours all
http_access deny youtube WorkingHours2 all
http_access allow youtube all
acl taringa_list src "/etc/squid/taringa_allow.squid"
acl taringa dstdomain .taringa.net
http_access allow taringa taringa_list
acl WorkingHours time D 09:00-13:00
acl WorkingHours2 time D 14:00-18:00
acl vimeo_list src "/etc/squid/vimeo_allow.squid"
acl vimeo dstdomain .vimeo.com
http_access allow vimeo vimeo_list
http_access deny vimeo WorkingHours all
http_access deny vimeo WorkingHours2 all
http_access allow vimeo all
http_access allow all
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange
default
max_filedesc 4096
Ahora bien, quiero pasar a la version Squid Cache: Version 3.3.8 en un
CentOS release 6.4 (Final).
Realize una instalacion nueva en otro host y la configuracion en squid.con
es la siguiente:
[root en eze1-proxy3 ~]# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
visible_hostname eze1-proxy03
acl localnet src 17.17.192.0/20
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
icp_access allow all
http_port 3128 intercept
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
acl sp-download-grant src 172.17.193.25/32 #NOC-14473#
acl sp-download-grant src 172.17.196.7/32 #NOC-14473#
acl sp-download-grant src 172.17.196.30/32 #NOC-?????#
acl sp-download-grant src 172.17.196.55/32 #Pablo Resniski#
acl sp-download-grant src 172.17.196.136/32 #Damian Ferrai
acl sp-download-grant src 172.17.193.218/32 #NOC-14473#
acl sp-download-grant src 172.17.193.171/32 #adrian_bosi#
acl sp-download-grant src 172.17.197.148/32 #
acl sp-download-grant src 172.17.198.94/32 #Monitores-NOC
acl sp-download-grant src 172.17.201.63/32 #Fede_git
acl sp-download-grant src 172.17.193.38/32 #request for it-team
acl sp-download-grant src 172.17.193.197/32 #request for it-team
acl sp-download-grant src 172.17.193.6/32 #request for it-team
acl sp-download-grant src 172.17.193.5/32 #request for it-team
acl sp-download-grant src 172.17.193.4/32 #request for it-team
acl sp-download-grant src 172.17.193.7/32 #request for it-team
acl sp-download-grant src 172.17.193.85/32 #request for Mauro
acl sp-download-grant src 172.17.195.42/32 #request for it-team
acl sp-download-grant src 172.17.195.200/32 #request for it-team
acl sp-download-grant src 172.17.195.37/32 #request for it-team
acl sp-download-grant src 172.17.195.38/32 #request for it-team
acl sp-download-grant src 172.17.195.112/32 #request for it-team
acl sp-download-grant src 172.17.195.122/32 #fede for it-team
acl sp-download-grant src 172.17.195.240/32 #request for it-team
acl sp-download-grant src 172.17.195.242/32 #request for it-team
acl sp-download-grant src 172.17.195.67/32 #request for it-team
acl sp-download-grant src 172.17.195.208/32 #request for it-team
acl sp-download-grant src 172.17.193.175/32 #request for damian ferrai
acl sp-download-grant src 172.17.193.230/32 #request for Juan Ferraris
acl sp-download-grant src 172.17.196.26/32 #request for Juan Ferraris
acl sp-download-grant src 172.17.196.25/32 #request for gaston pereyra
acl sp-download-grant src 172.17.201.59/32 #request for fededon
acl sp-download-grant src 172.17.195.24/32 #request for fededon
acl sp-download-grant src 172.17.195.144/32 #request for fededon
acl sp-download-grant src 172.17.195.59/32 #request for fededon
reply_body_max_size 1000 MB sp-download-grant
acl downloadhours time D 9:00-18:00
reply_body_max_size 500 MB downloadhours all
acl allow_url dstdomain "/etc/squid/allow_url"
http_access allow all allow_url
acl facebook_list src "/etc/squid/facebook_allow.squid"
acl facebook dstdomain .facebook.com
http_access allow facebook facebook_list
acl WorkingHours time D 09:00-13:00
acl WorkingHours2 time D 14:00-18:00
acl youtube_list src "/etc/squid/youtube_allow.squid"
acl youtube dstdomain .youtube.com
http_access allow youtube youtube_list
http_access deny youtube WorkingHours all
http_access deny youtube WorkingHours2 all
http_access allow youtube all
acl taringa_list src "/etc/squid/taringa_allow.squid"
acl taringa dstdomain .taringa.net
http_access allow taringa taringa_list
acl WorkingHours time D 09:00-13:00
acl WorkingHours2 time D 14:00-18:00
acl vimeo_list src "/etc/squid/vimeo_allow.squid"
acl vimeo dstdomain .vimeo.com
http_access allow vimeo vimeo_list
http_access deny vimeo WorkingHours all
http_access deny vimeo WorkingHours2 all
http_access allow vimeo all
http_access allow all
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange
default
max_filedesc 4096
Tengo la misma configuracion de firewall en los dos servidores, las mismas
rutas, Per no puedo navegar por ninguna web en el browser, me hace un deny
a todo!
Estos son los logs:
[root en eze1-proxy3 ~]# service squid start
Starting squid: . [ OK ]
[root en eze1-proxy3 ~]# tail -f /var/log/squid/squid.out
2013/08/13 09:07:32| WARNING: You should probably remove '::/0' from the
ACL named 'all'
2013/08/13 09:07:32| WARNING: (B) '127.0.0.1' is a subnetwork of (A)
'127.0.0.1'
2013/08/13 09:07:32| WARNING: because of this '127.0.0.1' is ignored to
keep splay tree searching predictable
2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.1' from
the ACL named 'localhost'
2013/08/13 09:07:32| WARNING: (B) '127.0.0.1' is a subnetwork of (A)
'127.0.0.1'
2013/08/13 09:07:32| WARNING: because of this '127.0.0.1' is ignored to
keep splay tree searching predictable
2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.1' from
the ACL named 'localhost'
2013/08/13 09:07:32| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '
127.0.0.0/8'
2013/08/13 09:07:32| WARNING: because of this '127.0.0.0/8' is ignored to
keep splay tree searching predictable
2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.0/8' from
the ACL named 'to_localhost'
^C
[root en eze1-proxy3 ~]# tail -f /var/log/squid/access.log
1376395692.119 0 172.17.195.6 TCP_MISS/403 4386 GET
http://www.infobae.com/ - HIER_NONE/- text/html
1376395692.120 5004 172.17.193.7 TCP_MISS/403 4493 GET
http://www.infobae.com/ - HIER_DIRECT/172.17.195.6 text/html
1376395692.358 0 172.17.195.6 TCP_MISS/403 3985 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1376395692.359 148 172.17.193.7 TCP_MISS/403 4092 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.17.195.6text/html
Pueden ayudarme a encontrar la falla....ya no busque por todos lados y
realize cambios como se puede ver en los dos archivos de squid.conf, pero
ya no se que hacer...
Agradesco mucho su tiempo!!
Saludos,
Más información sobre la lista de distribución CentOS-es