[CentOS-es] Squid Upgrade 3.3.8
César C.
arvegas21 en hotmail.com
Mar Ago 13 16:58:27 UTC 2013
hola
a mi me pasó esto pero con la version 3.1
lo solucioné colocalndo esto,
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
pruebas y nos comentas.
saludos
> Date: Tue, 13 Aug 2013 12:40:51 -0300
> From: federico.don13 en gmail.com
> To: centos-es en centos.org
> Subject: [CentOS-es] Squid Upgrade 3.3.8
>
> Buenas,
>
> Necesito su ayuda.
>
> Tengo funcionando un Squid Version 2.6.STABLE21 en un CentOS release 5.5
> (Final)
>
> La configuracion de mi squid es la siguiente:
>
> [root en eze1-proxy02 ~]# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
> visible_hostname eze1-proxy02
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> icp_access allow all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> acl sp-download-grant src 172.17.193.25/32 #NOC-14473#
> acl sp-download-grant src 172.17.196.7/32 #NOC-14473#
> acl sp-download-grant src 172.17.196.30/32 #NOC-?????#
> acl sp-download-grant src 172.17.196.55/32 #Pablo Resniski#
> acl sp-download-grant src 172.17.196.136/32 #Damian Ferrai
> acl sp-download-grant src 172.17.193.218/32 #NOC-14473#
> acl sp-download-grant src 172.17.193.171/32 #adrian_bosi#
> acl sp-download-grant src 172.17.197.148/32 #
> acl sp-download-grant src 172.17.198.94/32 #Monitores-NOC
> acl sp-download-grant src 172.17.201.63/32 #Fede_git
> acl sp-download-grant src 172.17.193.38/32 #request for it-team
> acl sp-download-grant src 172.17.193.197/32 #request for it-team
> acl sp-download-grant src 172.17.193.6/32 #request for it-team
> acl sp-download-grant src 172.17.193.5/32 #request for it-team
> acl sp-download-grant src 172.17.193.4/32 #request for it-team
> acl sp-download-grant src 172.17.193.7/32 #request for it-team
> acl sp-download-grant src 172.17.193.85/32 #request for Mauro
> acl sp-download-grant src 172.17.195.42/32 #request for it-team
> acl sp-download-grant src 172.17.195.200/32 #request for it-team
> acl sp-download-grant src 172.17.195.37/32 #request for it-team
> acl sp-download-grant src 172.17.195.38/32 #request for it-team
> acl sp-download-grant src 172.17.195.112/32 #request for it-team
> acl sp-download-grant src 172.17.195.122/32 #fede for it-team
> acl sp-download-grant src 172.17.195.240/32 #request for it-team
> acl sp-download-grant src 172.17.195.242/32 #request for it-team
> acl sp-download-grant src 172.17.195.67/32 #request for it-team
> acl sp-download-grant src 172.17.195.208/32 #request for it-team
> acl sp-download-grant src 172.17.193.175/32 #request for damian ferrai
> acl sp-download-grant src 172.17.193.230/32 #request for Juan Ferraris
> acl sp-download-grant src 172.17.196.26/32 #request for Juan Ferraris
> acl sp-download-grant src 172.17.196.25/32 #request for gaston pereyra
> acl sp-download-grant src 172.17.201.59/32 #request for fededon
> acl sp-download-grant src 172.17.195.24/32 #request for fededon
> acl sp-download-grant src 172.17.195.144/32 #request for fededon
> acl sp-download-grant src 172.17.195.59/32 #request for fededon
> reply_body_max_size 0 allow sp-download-grant
> acl downloadhours time D 9:00-18:00
> reply_body_max_size 504900000 allow downloadhours all
> acl allow_url dstdomain "/etc/squid/allow_url"
> http_access allow all allow_url
> acl facebook_list src "/etc/squid/facebook_allow.squid"
> acl facebook dstdomain .facebook.com
> http_access allow facebook facebook_list
> acl WorkingHours time D 09:00-13:00
> acl WorkingHours2 time D 14:00-18:00
> acl youtube_list src "/etc/squid/youtube_allow.squid"
> acl youtube dstdomain .youtube.com
> http_access allow youtube youtube_list
> http_access deny youtube WorkingHours all
> http_access deny youtube WorkingHours2 all
> http_access allow youtube all
> acl taringa_list src "/etc/squid/taringa_allow.squid"
> acl taringa dstdomain .taringa.net
> http_access allow taringa taringa_list
> acl WorkingHours time D 09:00-13:00
> acl WorkingHours2 time D 14:00-18:00
> acl vimeo_list src "/etc/squid/vimeo_allow.squid"
> acl vimeo dstdomain .vimeo.com
> http_access allow vimeo vimeo_list
> http_access deny vimeo WorkingHours all
> http_access deny vimeo WorkingHours2 all
> http_access allow vimeo all
> http_access allow all
> cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange
> default
> max_filedesc 4096
>
> Ahora bien, quiero pasar a la version Squid Cache: Version 3.3.8 en un
> CentOS release 6.4 (Final).
>
> Realize una instalacion nueva en otro host y la configuracion en squid.con
> es la siguiente:
>
> [root en eze1-proxy3 ~]# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
> visible_hostname eze1-proxy03
> acl localnet src 17.17.192.0/20
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost localnet
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> icp_access allow all
> http_port 3128 intercept
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> acl sp-download-grant src 172.17.193.25/32 #NOC-14473#
> acl sp-download-grant src 172.17.196.7/32 #NOC-14473#
> acl sp-download-grant src 172.17.196.30/32 #NOC-?????#
> acl sp-download-grant src 172.17.196.55/32 #Pablo Resniski#
> acl sp-download-grant src 172.17.196.136/32 #Damian Ferrai
> acl sp-download-grant src 172.17.193.218/32 #NOC-14473#
> acl sp-download-grant src 172.17.193.171/32 #adrian_bosi#
> acl sp-download-grant src 172.17.197.148/32 #
> acl sp-download-grant src 172.17.198.94/32 #Monitores-NOC
> acl sp-download-grant src 172.17.201.63/32 #Fede_git
> acl sp-download-grant src 172.17.193.38/32 #request for it-team
> acl sp-download-grant src 172.17.193.197/32 #request for it-team
> acl sp-download-grant src 172.17.193.6/32 #request for it-team
> acl sp-download-grant src 172.17.193.5/32 #request for it-team
> acl sp-download-grant src 172.17.193.4/32 #request for it-team
> acl sp-download-grant src 172.17.193.7/32 #request for it-team
> acl sp-download-grant src 172.17.193.85/32 #request for Mauro
> acl sp-download-grant src 172.17.195.42/32 #request for it-team
> acl sp-download-grant src 172.17.195.200/32 #request for it-team
> acl sp-download-grant src 172.17.195.37/32 #request for it-team
> acl sp-download-grant src 172.17.195.38/32 #request for it-team
> acl sp-download-grant src 172.17.195.112/32 #request for it-team
> acl sp-download-grant src 172.17.195.122/32 #fede for it-team
> acl sp-download-grant src 172.17.195.240/32 #request for it-team
> acl sp-download-grant src 172.17.195.242/32 #request for it-team
> acl sp-download-grant src 172.17.195.67/32 #request for it-team
> acl sp-download-grant src 172.17.195.208/32 #request for it-team
> acl sp-download-grant src 172.17.193.175/32 #request for damian ferrai
> acl sp-download-grant src 172.17.193.230/32 #request for Juan Ferraris
> acl sp-download-grant src 172.17.196.26/32 #request for Juan Ferraris
> acl sp-download-grant src 172.17.196.25/32 #request for gaston pereyra
> acl sp-download-grant src 172.17.201.59/32 #request for fededon
> acl sp-download-grant src 172.17.195.24/32 #request for fededon
> acl sp-download-grant src 172.17.195.144/32 #request for fededon
> acl sp-download-grant src 172.17.195.59/32 #request for fededon
> reply_body_max_size 1000 MB sp-download-grant
> acl downloadhours time D 9:00-18:00
> reply_body_max_size 500 MB downloadhours all
> acl allow_url dstdomain "/etc/squid/allow_url"
> http_access allow all allow_url
> acl facebook_list src "/etc/squid/facebook_allow.squid"
> acl facebook dstdomain .facebook.com
> http_access allow facebook facebook_list
> acl WorkingHours time D 09:00-13:00
> acl WorkingHours2 time D 14:00-18:00
> acl youtube_list src "/etc/squid/youtube_allow.squid"
> acl youtube dstdomain .youtube.com
> http_access allow youtube youtube_list
> http_access deny youtube WorkingHours all
> http_access deny youtube WorkingHours2 all
> http_access allow youtube all
> acl taringa_list src "/etc/squid/taringa_allow.squid"
> acl taringa dstdomain .taringa.net
> http_access allow taringa taringa_list
> acl WorkingHours time D 09:00-13:00
> acl WorkingHours2 time D 14:00-18:00
> acl vimeo_list src "/etc/squid/vimeo_allow.squid"
> acl vimeo dstdomain .vimeo.com
> http_access allow vimeo vimeo_list
> http_access deny vimeo WorkingHours all
> http_access deny vimeo WorkingHours2 all
> http_access allow vimeo all
> http_access allow all
> cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange
> default
> max_filedesc 4096
>
> Tengo la misma configuracion de firewall en los dos servidores, las mismas
> rutas, Per no puedo navegar por ninguna web en el browser, me hace un deny
> a todo!
>
> Estos son los logs:
>
> [root en eze1-proxy3 ~]# service squid start
> Starting squid: . [ OK ]
> [root en eze1-proxy3 ~]# tail -f /var/log/squid/squid.out
> 2013/08/13 09:07:32| WARNING: You should probably remove '::/0' from the
> ACL named 'all'
> 2013/08/13 09:07:32| WARNING: (B) '127.0.0.1' is a subnetwork of (A)
> '127.0.0.1'
> 2013/08/13 09:07:32| WARNING: because of this '127.0.0.1' is ignored to
> keep splay tree searching predictable
> 2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.1' from
> the ACL named 'localhost'
> 2013/08/13 09:07:32| WARNING: (B) '127.0.0.1' is a subnetwork of (A)
> '127.0.0.1'
> 2013/08/13 09:07:32| WARNING: because of this '127.0.0.1' is ignored to
> keep splay tree searching predictable
> 2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.1' from
> the ACL named 'localhost'
> 2013/08/13 09:07:32| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '
> 127.0.0.0/8'
> 2013/08/13 09:07:32| WARNING: because of this '127.0.0.0/8' is ignored to
> keep splay tree searching predictable
> 2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.0/8' from
> the ACL named 'to_localhost'
> ^C
> [root en eze1-proxy3 ~]# tail -f /var/log/squid/access.log
>
> 1376395692.119 0 172.17.195.6 TCP_MISS/403 4386 GET
> http://www.infobae.com/ - HIER_NONE/- text/html
> 1376395692.120 5004 172.17.193.7 TCP_MISS/403 4493 GET
> http://www.infobae.com/ - HIER_DIRECT/172.17.195.6 text/html
> 1376395692.358 0 172.17.195.6 TCP_MISS/403 3985 GET
> http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
> 1376395692.359 148 172.17.193.7 TCP_MISS/403 4092 GET
> http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.17.195.6text/html
>
>
> Pueden ayudarme a encontrar la falla....ya no busque por todos lados y
> realize cambios como se puede ver en los dos archivos de squid.conf, pero
> ya no se que hacer...
>
> Agradesco mucho su tiempo!!
>
> Saludos,
> _______________________________________________
> CentOS-es mailing list
> CentOS-es en centos.org
> http://lists.centos.org/mailman/listinfo/centos-es
Más información sobre la lista de distribución CentOS-es