[CentOS-es] Squid Upgrade 3.3.8
David González Romero
dgrvedado en gmail.com
Mie Ago 14 12:35:29 UTC 2013
SeLinux?
2013/8/13 César C. <arvegas21 en hotmail.com>
> hola
>
> a mi me pasó esto pero con la version 3.1
>
> lo solucioné colocalndo esto,
>
>
>
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
>
>
> pruebas y nos comentas.
>
>
>
>
>
> saludos
>
>
> > Date: Tue, 13 Aug 2013 12:40:51 -0300
> > From: federico.don13 en gmail.com
> > To: centos-es en centos.org
> > Subject: [CentOS-es] Squid Upgrade 3.3.8
> >
> > Buenas,
> >
> > Necesito su ayuda.
> >
> > Tengo funcionando un Squid Version 2.6.STABLE21 en un CentOS release 5.5
> > (Final)
> >
> > La configuracion de mi squid es la siguiente:
> >
> > [root en eze1-proxy02 ~]# grep -v "^#" /etc/squid/squid.conf | sed -e
> '/^$/d'
> > visible_hostname eze1-proxy02
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > icp_access allow all
> > http_port 3128 transparent
> > hierarchy_stoplist cgi-bin ?
> > access_log /var/log/squid/access.log squid
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> > acl sp-download-grant src 172.17.193.25/32 #NOC-14473#
> > acl sp-download-grant src 172.17.196.7/32 #NOC-14473#
> > acl sp-download-grant src 172.17.196.30/32 #NOC-?????#
> > acl sp-download-grant src 172.17.196.55/32 #Pablo Resniski#
> > acl sp-download-grant src 172.17.196.136/32 #Damian Ferrai
> > acl sp-download-grant src 172.17.193.218/32 #NOC-14473#
> > acl sp-download-grant src 172.17.193.171/32 #adrian_bosi#
> > acl sp-download-grant src 172.17.197.148/32 #
> > acl sp-download-grant src 172.17.198.94/32 #Monitores-NOC
> > acl sp-download-grant src 172.17.201.63/32 #Fede_git
> > acl sp-download-grant src 172.17.193.38/32 #request for it-team
> > acl sp-download-grant src 172.17.193.197/32 #request for it-team
> > acl sp-download-grant src 172.17.193.6/32 #request for it-team
> > acl sp-download-grant src 172.17.193.5/32 #request for it-team
> > acl sp-download-grant src 172.17.193.4/32 #request for it-team
> > acl sp-download-grant src 172.17.193.7/32 #request for it-team
> > acl sp-download-grant src 172.17.193.85/32 #request for Mauro
> > acl sp-download-grant src 172.17.195.42/32 #request for it-team
> > acl sp-download-grant src 172.17.195.200/32 #request for it-team
> > acl sp-download-grant src 172.17.195.37/32 #request for it-team
> > acl sp-download-grant src 172.17.195.38/32 #request for it-team
> > acl sp-download-grant src 172.17.195.112/32 #request for it-team
> > acl sp-download-grant src 172.17.195.122/32 #fede for it-team
> > acl sp-download-grant src 172.17.195.240/32 #request for it-team
> > acl sp-download-grant src 172.17.195.242/32 #request for it-team
> > acl sp-download-grant src 172.17.195.67/32 #request for it-team
> > acl sp-download-grant src 172.17.195.208/32 #request for it-team
> > acl sp-download-grant src 172.17.193.175/32 #request for damian ferrai
> > acl sp-download-grant src 172.17.193.230/32 #request for Juan Ferraris
> > acl sp-download-grant src 172.17.196.26/32 #request for Juan Ferraris
> > acl sp-download-grant src 172.17.196.25/32 #request for gaston pereyra
> > acl sp-download-grant src 172.17.201.59/32 #request for fededon
> > acl sp-download-grant src 172.17.195.24/32 #request for fededon
> > acl sp-download-grant src 172.17.195.144/32 #request for fededon
> > acl sp-download-grant src 172.17.195.59/32 #request for fededon
> > reply_body_max_size 0 allow sp-download-grant
> > acl downloadhours time D 9:00-18:00
> > reply_body_max_size 504900000 allow downloadhours all
> > acl allow_url dstdomain "/etc/squid/allow_url"
> > http_access allow all allow_url
> > acl facebook_list src "/etc/squid/facebook_allow.squid"
> > acl facebook dstdomain .facebook.com
> > http_access allow facebook facebook_list
> > acl WorkingHours time D 09:00-13:00
> > acl WorkingHours2 time D 14:00-18:00
> > acl youtube_list src "/etc/squid/youtube_allow.squid"
> > acl youtube dstdomain .youtube.com
> > http_access allow youtube youtube_list
> > http_access deny youtube WorkingHours all
> > http_access deny youtube WorkingHours2 all
> > http_access allow youtube all
> > acl taringa_list src "/etc/squid/taringa_allow.squid"
> > acl taringa dstdomain .taringa.net
> > http_access allow taringa taringa_list
> > acl WorkingHours time D 09:00-13:00
> > acl WorkingHours2 time D 14:00-18:00
> > acl vimeo_list src "/etc/squid/vimeo_allow.squid"
> > acl vimeo dstdomain .vimeo.com
> > http_access allow vimeo vimeo_list
> > http_access deny vimeo WorkingHours all
> > http_access deny vimeo WorkingHours2 all
> > http_access allow vimeo all
> > http_access allow all
> > cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange
> > default
> > max_filedesc 4096
> >
> > Ahora bien, quiero pasar a la version Squid Cache: Version 3.3.8 en un
> > CentOS release 6.4 (Final).
> >
> > Realize una instalacion nueva en otro host y la configuracion en
> squid.con
> > es la siguiente:
> >
> > [root en eze1-proxy3 ~]# grep -v "^#" /etc/squid/squid.conf | sed -e
> '/^$/d'
> > visible_hostname eze1-proxy03
> > acl localnet src 17.17.192.0/20
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > http_access allow manager localhost localnet
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > icp_access allow all
> > http_port 3128 intercept
> > hierarchy_stoplist cgi-bin ?
> > access_log /var/log/squid/access.log squid
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl apache rep_header Server ^Apache
> > acl sp-download-grant src 172.17.193.25/32 #NOC-14473#
> > acl sp-download-grant src 172.17.196.7/32 #NOC-14473#
> > acl sp-download-grant src 172.17.196.30/32 #NOC-?????#
> > acl sp-download-grant src 172.17.196.55/32 #Pablo Resniski#
> > acl sp-download-grant src 172.17.196.136/32 #Damian Ferrai
> > acl sp-download-grant src 172.17.193.218/32 #NOC-14473#
> > acl sp-download-grant src 172.17.193.171/32 #adrian_bosi#
> > acl sp-download-grant src 172.17.197.148/32 #
> > acl sp-download-grant src 172.17.198.94/32 #Monitores-NOC
> > acl sp-download-grant src 172.17.201.63/32 #Fede_git
> > acl sp-download-grant src 172.17.193.38/32 #request for it-team
> > acl sp-download-grant src 172.17.193.197/32 #request for it-team
> > acl sp-download-grant src 172.17.193.6/32 #request for it-team
> > acl sp-download-grant src 172.17.193.5/32 #request for it-team
> > acl sp-download-grant src 172.17.193.4/32 #request for it-team
> > acl sp-download-grant src 172.17.193.7/32 #request for it-team
> > acl sp-download-grant src 172.17.193.85/32 #request for Mauro
> > acl sp-download-grant src 172.17.195.42/32 #request for it-team
> > acl sp-download-grant src 172.17.195.200/32 #request for it-team
> > acl sp-download-grant src 172.17.195.37/32 #request for it-team
> > acl sp-download-grant src 172.17.195.38/32 #request for it-team
> > acl sp-download-grant src 172.17.195.112/32 #request for it-team
> > acl sp-download-grant src 172.17.195.122/32 #fede for it-team
> > acl sp-download-grant src 172.17.195.240/32 #request for it-team
> > acl sp-download-grant src 172.17.195.242/32 #request for it-team
> > acl sp-download-grant src 172.17.195.67/32 #request for it-team
> > acl sp-download-grant src 172.17.195.208/32 #request for it-team
> > acl sp-download-grant src 172.17.193.175/32 #request for damian ferrai
> > acl sp-download-grant src 172.17.193.230/32 #request for Juan Ferraris
> > acl sp-download-grant src 172.17.196.26/32 #request for Juan Ferraris
> > acl sp-download-grant src 172.17.196.25/32 #request for gaston pereyra
> > acl sp-download-grant src 172.17.201.59/32 #request for fededon
> > acl sp-download-grant src 172.17.195.24/32 #request for fededon
> > acl sp-download-grant src 172.17.195.144/32 #request for fededon
> > acl sp-download-grant src 172.17.195.59/32 #request for fededon
> > reply_body_max_size 1000 MB sp-download-grant
> > acl downloadhours time D 9:00-18:00
> > reply_body_max_size 500 MB downloadhours all
> > acl allow_url dstdomain "/etc/squid/allow_url"
> > http_access allow all allow_url
> > acl facebook_list src "/etc/squid/facebook_allow.squid"
> > acl facebook dstdomain .facebook.com
> > http_access allow facebook facebook_list
> > acl WorkingHours time D 09:00-13:00
> > acl WorkingHours2 time D 14:00-18:00
> > acl youtube_list src "/etc/squid/youtube_allow.squid"
> > acl youtube dstdomain .youtube.com
> > http_access allow youtube youtube_list
> > http_access deny youtube WorkingHours all
> > http_access deny youtube WorkingHours2 all
> > http_access allow youtube all
> > acl taringa_list src "/etc/squid/taringa_allow.squid"
> > acl taringa dstdomain .taringa.net
> > http_access allow taringa taringa_list
> > acl WorkingHours time D 09:00-13:00
> > acl WorkingHours2 time D 14:00-18:00
> > acl vimeo_list src "/etc/squid/vimeo_allow.squid"
> > acl vimeo dstdomain .vimeo.com
> > http_access allow vimeo vimeo_list
> > http_access deny vimeo WorkingHours all
> > http_access deny vimeo WorkingHours2 all
> > http_access allow vimeo all
> > http_access allow all
> > cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange
> > default
> > max_filedesc 4096
> >
> > Tengo la misma configuracion de firewall en los dos servidores, las
> mismas
> > rutas, Per no puedo navegar por ninguna web en el browser, me hace un
> deny
> > a todo!
> >
> > Estos son los logs:
> >
> > [root en eze1-proxy3 ~]# service squid start
> > Starting squid: . [ OK ]
> > [root en eze1-proxy3 ~]# tail -f /var/log/squid/squid.out
> > 2013/08/13 09:07:32| WARNING: You should probably remove '::/0' from the
> > ACL named 'all'
> > 2013/08/13 09:07:32| WARNING: (B) '127.0.0.1' is a subnetwork of (A)
> > '127.0.0.1'
> > 2013/08/13 09:07:32| WARNING: because of this '127.0.0.1' is ignored to
> > keep splay tree searching predictable
> > 2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.1' from
> > the ACL named 'localhost'
> > 2013/08/13 09:07:32| WARNING: (B) '127.0.0.1' is a subnetwork of (A)
> > '127.0.0.1'
> > 2013/08/13 09:07:32| WARNING: because of this '127.0.0.1' is ignored to
> > keep splay tree searching predictable
> > 2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.1' from
> > the ACL named 'localhost'
> > 2013/08/13 09:07:32| WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '
> > 127.0.0.0/8'
> > 2013/08/13 09:07:32| WARNING: because of this '127.0.0.0/8' is ignored
> to
> > keep splay tree searching predictable
> > 2013/08/13 09:07:32| WARNING: You should probably remove '127.0.0.0/8'
> from
> > the ACL named 'to_localhost'
> > ^C
> > [root en eze1-proxy3 ~]# tail -f /var/log/squid/access.log
> >
> > 1376395692.119 0 172.17.195.6 TCP_MISS/403 4386 GET
> > http://www.infobae.com/ - HIER_NONE/- text/html
> > 1376395692.120 5004 172.17.193.7 TCP_MISS/403 4493 GET
> > http://www.infobae.com/ - HIER_DIRECT/172.17.195.6 text/html
> > 1376395692.358 0 172.17.195.6 TCP_MISS/403 3985 GET
> > http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
> > 1376395692.359 148 172.17.193.7 TCP_MISS/403 4092 GET
> > http://www.squid-cache.org/Artwork/SN.png -
> HIER_DIRECT/172.17.195.6text/html
> >
> >
> > Pueden ayudarme a encontrar la falla....ya no busque por todos lados y
> > realize cambios como se puede ver en los dos archivos de squid.conf, pero
> > ya no se que hacer...
> >
> > Agradesco mucho su tiempo!!
> >
> > Saludos,
> > _______________________________________________
> > CentOS-es mailing list
> > CentOS-es en centos.org
> > http://lists.centos.org/mailman/listinfo/centos-es
>
> _______________________________________________
> CentOS-es mailing list
> CentOS-es en centos.org
> http://lists.centos.org/mailman/listinfo/centos-es
>
Más información sobre la lista de distribución CentOS-es