0.4.2 + Apache = Good, but + Squid = Bad?

Support section for FREESCO v0.4.x

Postby Kalist Shawxo » Thu Dec 03, 2009 6:03 am

I swear I am almost done, I am 2/3rds of the way there!

ok... I got 0.4.2 and Apache working perfectly on port 1080. (yay!)

I add in Squid and it stops the Apache... it says it loads and runs, but does not display the page anymore.

Code:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://10.0.0.1/

The following error was encountered:

    * Access Denied.

      Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.


So I uninstall Squid a few times trying to configure it as a transparent proxy.... no luck.

I change Apache and Freesco to port 80, install Squid and the web is working normally. I put in the commands to make the transparent proxy, and it kills off the website again.

Apache Status:
Code:
                   Apache Server Status for APU.Springfield
                                       
   Server Version: Apache/1.3.27 (Unix) mod_perl/1.27 PHP/4.3.1
   mod_ssl/2.8.12 OpenSSL/0.9.6b mod_mp3/0.39
   Server Built: Apr 13 2003 12:43:15
     _________________________________________________________________
   
   Current Time: Thursday, 03-Dec-2009 05:58:37 EST
   Restart Time: Saturday, 03-Dec-1994 00:48:13 EST
   Parent Server Generation: 0
   Server uptime: 5479 days 5 hours 10 minutes 24 seconds
   Total accesses: 0 - Total Traffic: 0 kB
   CPU Usage: u0 s0 cu0 cs0
   0 requests/sec - 0 B/second -
   1 requests currently being processed, 4 idle servers
W____...........................................................
................................................................
................................................................
................................................................

   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "L" Logging, "G" Gracefully finishing, "." Open slot with no current
   process




Squid status
Code:
Running squid
  3170    S   1      squid   /usr/local/squid/sbin/squid-sD
  3175    S   3170      squid   (squid)-sD



Squid config
Code:
http_port 127.0.0.1:3128
http_port 10.0.0.1:3128
ssl_unclean_shutdown off
icp_port 3130
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
icp_query_timeout 0
maximum_icp_query_timeout 2000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin
hierarchy_stoplist ?
hierarchy_stoplist cgi
hierarchy_stoplist ?
no_cache Deny QUERY
cache_mem 8388608 bytes
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4194304 bytes
minimum_object_size 0 bytes
maximum_object_size_in_memory 8192 bytes
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/local/squid/etc/mime.conf
log_mime_hdrs off
pid_filename /usr/local/squid/var/logs/squid.pid
debug_options ALL,1
log_fqdn off
client_netmask 255.255.255.0
ftp_user Squid@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
dns_retransmit_interval 5 seconds
dns_timeout 120 seconds
dns_nameservers 10.0.0.1
dns_nameservers #
dns_nameservers none
hosts_file /etc/hosts
diskd_program /usr/local/squid/libexec/diskd
unlinkd_program /usr/local/squid/libexec/unlinkd
pinger_program /usr/local/squid/libexec/pinger
redirect_children 5
redirect_rewrites_host_header on
authenticate_cache_garbage_interval 3600 seconds
authenticate_ttl 3600 seconds
authenticate_ip_ttl 0 seconds
wais_relay_port 0
request_header_max_size 20480 bytes
request_body_max_size 0 bytes
refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 4320

quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 300 seconds
positive_dns_ttl 21600 seconds
negative_dns_ttl 60 seconds
range_offset_limit 0 bytes
forward_timeout 240 seconds
connect_timeout 60 seconds
peer_connect_timeout 30 seconds
read_timeout 900 seconds
request_timeout 300 seconds
persistent_request_timeout 60 seconds
client_lifetime 86400 seconds
half_closed_clients on
pconn_timeout 120 seconds
ident_timeout 10 seconds
shutdown_lifetime 30 seconds
acl QUERY urlpath_regex cgi-bin
acl QUERY urlpath_regex \?
acl QUERY urlpath_regex cgi
acl QUERY urlpath_regex \?
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/255.0.0.0
acl SSL_ports port 443
acl SSL_ports port 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl freesco_networks src 10.0.0.0/255.255.255.0
http_access Allow all
http_access Allow manager localhost
http_access Deny manager
http_access Deny !Safe_ports
http_access Deny CONNECT !SSL_ports
http_access Allow freesco_networks
http_access Deny all
http_reply_access Allow all
icp_access Allow all
ident_lookup_access Deny all
reply_header_max_size 20480 bytes
reply_body_max_size 0 Allow all
cache_mgr squid@bulletandphantom.net
mail_program mail
cache_effective_user nobody
visible_hostname APU.Springfield
announce_period 31536000 seconds
announce_host tracker.ircache.net
announce_port 3131
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_no_pmtu_disc off
dns_testnames netscape.com
dns_testnames internic.net
dns_testnames nlanr.net
dns_testnames microsoft.com
logfile_rotate 10
tcp_recv_bufsize 0 bytes
err_html_text
memory_pools on
memory_pools_limit 5242880 bytes
forwarded_for on
log_icp_queries on
icp_hit_stale off
minimum_direct_hops 4
minimum_direct_rtt 400
cachemgr_passwd XXXXXXXXXX all
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 900
netdb_high 1000
netdb_ping_period 300 seconds
query_icmp off
test_reachability off
buffered_logs off
reload_into_ims off
icon_directory /usr/local/squid/share/icons
global_internal_static on
short_icon_urls off
error_directory /usr/local/squid/share/errors/English
maximum_single_addr_tries 1
retry_on_error off
as_whois_server whois.ra.net
wccp_router 0.0.0.0
wccp_version 4
wccp_incoming_address 0.0.0.0
wccp_outgoing_address 255.255.255.255
delay_pools 0
delay_initial_bucket_level 50
incoming_icp_average 6
incoming_http_average 4
incoming_dns_average 4
min_icp_poll_cnt 8
min_dns_poll_cnt 8
min_http_poll_cnt 8
max_open_disk_fds 0
offline_mode off
uri_whitespace strip
nonhierarchical_direct on
prefer_direct off
strip_query_terms on
coredump_dir /usr/local/squid/var/cache
redirector_bypass off
ignore_unknown_nameservers on
client_persistent_connections on
server_persistent_connections on
detect_broken_pconn off
balance_on_multiple_ip on
pipeline_prefetch off
request_entities off
high_response_time_warning 0
high_page_fault_warning 0
high_memory_warning 0 bytes
store_dir_select_algorithm least-load
ie_refresh off
vary_ignore_expire off
sleep_after_fork 0
relaxed_header_parser on


I swear that if I can get this done, I am done with modifying the router. I just want the transparent proxy to work with the webserver.
Thanks in advance!
Kalist Shawxo
Junior Member
 
Posts: 25
Joined: Sun Nov 22, 2009 3:17 am

Re: 0.4.2 + Apache = Good, but + Squid = Bad?

Postby phillipsjk256 » Thu Dec 03, 2009 3:27 pm

I think your squid configuration needs cleaning up. (I have never used it)
Code:
http_access Allow all
http_access Allow manager localhost
http_access Deny manager
http_access Deny !Safe_ports
http_access Deny CONNECT !SSL_ports
http_access Allow freesco_networks
http_access Deny all
http_reply_access Allow all
icp_access Allow all


First you say "Allow all", then you add a more specific "Allow manager localhost". In the next line you seem to change your mind about allowing manager. After that, you block any "weird" ports like 1080 and require SSL ports for doing a "CONNECT". You then allow freesco_networks (set to: "10.0.0.0/255.255.255.0"). You then pull a 180 from your opening statement and "Deny all". I have not read the squid documentation, but I assume later directives override earlier ones.
phillipsjk256
Junior Member
 
Posts: 40
Joined: Tue Mar 01, 2005 3:55 am
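
Squid checks http_access lines from top to bottom and stops at the first line that matches, so the order of the lines quoted in the post above decides the outcome. The following is an added example, not code from the thread or from Squid: a small Python model of that evaluation run over the thread's ACL lines. The shortened Safe_ports list, the request fields and the FIXED variant are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: ACL and http_access lines from the posted config (Safe_ports shortened).
CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl freesco_networks src 10.0.0.0/255.255.255.0
http_access Allow all
http_access Allow manager localhost
http_access Deny manager
http_access Deny !Safe_ports
http_access Deny CONNECT !SSL_ports
http_access Allow freesco_networks
http_access Deny all
"""
FIXED = CONF.replace("http_access Allow all\n", "")  # assumed variant without the leading rule

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        f = line.split()
        if f[:1] == ["acl"]:          # repeated names accumulate values (OR within one ACL)
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif f[:1] == ["http_access"]:
            rules.append((f[1].lower(), f[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    return req[kind] in values        # "method" and "proto" ACLs compare literally

def decide(conf, req):
    """Return (action, rule_number) for the first http_access line that matches."""
    acls, rules = parse(conf)
    for n, (action, terms) in enumerate(rules, 1):
        # Every ACL on a line must match (AND); a leading "!" negates that one ACL.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, n
    return ("deny" if rules[-1][0] == "allow" else "allow"), None  # opposite of last rule
```

With the posted order, every request is decided by line 1 and the port, CONNECT and network checks below it are never consulted; in FIXED the same requests fall through to the rules that were written for them.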

Re: 0.4.2 + Apache = Good, but + Squid = Bad?

Postby Kalist Shawxo » Thu Dec 03, 2009 6:31 pm

Yeah... that's a problem... problem is the defaults for Squid are supposed to work "out the box" for the pkg install... and it does, it just doesn't do anything that I can see. When I try to follow the instructions to make it a transparent proxy is where I get the errors.
Kalist Shawxo
Junior Member
 
Posts: 25
Joined: Sun Nov 22, 2009 3:17 am

Re: 0.4.2 + Apache = Good, but + Squid = Bad?

Postby Lightning » Thu Dec 03, 2009 9:27 pm

The default rule set is fine and should NOT be changed unless you really know what you are doing.
The problem you are having is in the port assignment and the way you are configuring the proxy. To start with, you will be much better off not configuring anything different for either Apache or Squid and leaving all of the standard ports and settings. Then make one change in the /pkg/rc/rc_squid file, which is to change the upper paragraph for your network to enable the transparent proxy with firewall rules instead of any configuration changes in the programs themselves. What this does on the router is redirect internally anything on port 80 to the squid port 3128. If you are using all of the standard network ranges for your network then I recommend adding TWO rules into the rc_squid file even though it just shows one:
Code:
 ipfwadm -I -a accept -P tcp -S 192.168.1.0/24 -D 192.168.1.1 80
 ipfwadm -I -a accept -P tcp -S 192.168.1.0/24 -D 0/0 80 -r 3128


What this type of configuration does for you is it makes disabling or changing things in the future very easy and it makes each configuration much simpler. It also keeps all external traffic off of your proxy. However, I will say this as ONLY a recommendation and an opinion. I suspect that you may not be completely satisfied with the system's performance running these two applications on a 486 even though it is a fast 486, and you should consider putting a LOT of memory in this system as well because it can make a huge difference in how well Squid runs even on a faster machine.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12079
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: 0.4.2 + Apache = Good, but + Squid = Bad?

Postby Kalist Shawxo » Fri Dec 04, 2009 3:16 am

well, currently... all the settings are default. Freesco web, Apache Web, and Squid. the only change I was making really is the port change to 1080 instead of 80.

so, I will make the following changes, and I should be good for transparent proxy ?
ipfwadm -I -a accept -P tcp -S 10.0.0.0/24 -D 10.0.0.1 80
ipfwadm -I -a accept -P tcp -S 10.0.0.0/24 -D 0/0 80 -r 3128


should there be any UDP rules added as well as the TCP rules?

*** update *** I did the above changes, now I can not access any websites with ports.. (like my email uses port 2095) and I can't even access the control panel on 10.0.0.1.

Oh, and I reset my wireless to use only access point and enabled the DHCP in Freesco to handle the laptop IPs... per your suggestion. working good!

I am looking at the various spare memory I have, I already upgraded the box from 32M to 64M... and looking to see if I can up it any higher. The board only has 2 memory slots.
Kalist Shawxo
Junior Member
 
Posts: 25
Joined: Sun Nov 22, 2009 3:17 am

Re: 0.4.2 + Apache = Good, but + Squid = Bad?

Postby Lightning » Fri Dec 04, 2009 5:55 pm

*** update *** I did the above changes, now I can not access any websites with ports.. (like my email uses port 2095) and I can't even access the control panel on 10.0.0.1.

The above changes will only affect web traffic on port 80, so if the control panel, mail, or FTP or anything else is not working it has nothing to do with the servers themselves. Also if web traffic stops when the above change is enabled then it is a problem with the squid install and it would be good to make sure that it is running. You should also double check all of the various log files to make sure everything is configured correctly. I strongly suggest installing the "mc-4.6.0-lightning.pkg" for checking and modifying the server configuration files along with changing the default editor in the main setup to /usr/bin/mcedit after the mc package is installed.
If the above suggestions are not enough help then please post your full configuration files to us to look at and find where the problem is.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12079
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: 0.4.2 + Apache = Good, but + Squid = Bad?

Postby Kalist Shawxo » Fri Dec 04, 2009 10:23 pm

well, after I made the changes to the squid file, (which was a fresh reinstall), and I could not access my webmail or the freesco control panel, I went back into the squid conf and commented out those two lines, and everything went back to normal.

I rechecked the apache conf, and I did not have anything changed in it.... but I am going to uninstall squid and apache, reboot, re-install apache and squid with all defaults, add in the routes you defined and then see what happens.

if that does not work, I will get all of the config files posted.
Kalist Shawxo
Junior Member
 
Posts: 25
Joined: Sun Nov 22, 2009 3:17 am

Re: 0.4.2 + Apache = Good, but + Squid = Bad?

Postby Lightning » Sat Dec 05, 2009 3:42 am

If the main system is now working as it should and the problems are now just related to the apache and Squid packages then this thread should be stopped and a new thread created in "Third party package support for v0.4.x".
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12079
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

