Folks, I need HELP!
I have FreeBSD 6.1 and SQUID 2.5.STABLE14
Please help! :) There is something I don't quite understand about how to set up Internet access
Physically I dial up to the Internet through SkyLink and the IP is dynamic (ppp, etc.)
If needed I can post the ipfw config

In short, Squid does not let me out to the Internet :) The browser (configured for 192.168.0.14 3128 (that is where squid runs)) shows
ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://mail.ru/
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is test@mail.ru.
--------------------------------------------------------------------------------
Generated Mon, 04 Dec 2006 11:53:29 GMT by XZ.LOCAL (squid/2.5.STABLE14)

The config is as follows
http_port 3128
icp_port 0
hierarchy_stoplist cqi-bin ?
#acl QUERY urlpath_reqex cqi-bin /?
#no_cache deny QUERY
cache_mem 128 MB
maximum_object_size 8092KB
maximum_object_size_in_memory 512 KB
cache_dir ufs /usr/local/squid/cache 2048 64 256
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_mgr test@mail.ru
visible_hostname XZ.LOCAL
#tcp_outgoing_address 212.129.112.33
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^qopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
redirect_program /usr/local/etc/squid/redirector.pl
redirect_children 10
acl all src 0.0.0.0/0.0.0.0
acl allowed_sites dstdomain "/usr/local/etc/squid/allowed_sites.conf"
acl limited_IP src "/usr/local/etc/squid/limited_IP.conf"
acl localhost src 127.0.0.0/8
acl LocalNet src 192.168.0.0/24
#acl denied_sites dstdomain "/usr/local/etc/squid/denied_ext.conf"
#http_access deny denied_sites
http_access allow allowed_sites
http_access deny limited_IP
http_access allow LocalNet
http_access allow localhost
#http_access deny all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
coredump_dir /usr/local/squid/cache
pid_filename /usr/local/squid/logs/squid.pid
================
In allowed_sites.conf
www.mail.ru
http://www.rambler.ru
www.yandex.ru

In limited_IP.conf
192.168.0.1
192.168.0.14
================
access.log shows
1165227449.990 0 192.168.0.1 TCP_DENIED/403 1356 GET http://www.rambler.ru/ - NONE/- text/html
1165227451.494 0 192.168.0.1 TCP_DENIED/403 1350 GET http://www.mail.ru/ - NONE/- text/html
1165227453.001 0 192.168.0.1 TCP_DENIED/403 1392 GET http://www.thg.ru/howto/index/index.html - NONE/- text/html
1165228196.323 0 192.168.0.1 TCP_DENIED/403 1350 GET http://www.mail.ru/ - NONE/- text/html
1165228198.459 0 192.168.0.1 TCP_DENIED/403 1356 GET http://www.rambler.ru/ - NONE/- text/html
1165228869.050 0 192.168.0.1 TCP_DENIED/403 1356 GET http://www.rambler.ru/ - NONE/- text/html

In store.log
1165229847.436 RELEASE -1 FFFFFFFF CAF10E944A31768ECA3E59E0B5BF1687 403 1165229847 0 1165229847 text/html 1079/1312 GET http://www.funcow.ru/page/14/
1165229849.159 RELEASE -1 FFFFFFFF 66E0928590934BBB6A242149C5069A13 403 1165229849 0 1165229849 text/html 1059/1292 GET http://www.mail.ru/
1165229849.918 RELEASE -1 FFFFFFFF A0B25915D87D115AF065B481A464DCEB 403 1165229849 0 1165229849 text/html 1059/1292 GET http://www.mail.ru/
1165230002.788 RELEASE -1 FFFFFFFF DA701AE080689D0238DCDB8EF7EEDC5F 403 1165230002 0 1165230002 text/html 1059/1292 GET http://www.mail.ru/
1165230005.214 RELEASE -1 FFFFFFFF 28C19C503C05CAF1E60EB12B7312764B 403 1165230005 0 1165230005 text/html 1065/1298 GET http://www.rambler.ru/
1165231102.075 RELEASE -1 FFFFFFFF 1BD67213959E5D7EFC8DC31658AE95CE 403 1165231102 0 1165231102 text/html 1051/1284 GET http://mail.ru/
1165231106.645 RELEASE -1 FFFFFFFF 69A4A806873D518ACDD047F894E278A5 403 1165231106 0 1165231106 text/html 1051/1284 GET http://mail.ru/

In cache.log
2006/12/04 14:20:39| Accepting HTTP connections at 0.0.0.0, port 3128, FD 9.
2006/12/04 14:20:39| WCCP Disabled.
2006/12/04 14:20:39| Loaded Icons.
2006/12/04 14:20:39| eventCleanup
2006/12/04 14:20:39| Ready to serve requests.
2006/12/04 14:21:00| clientAccessCheck: proxy request denied in accel_only mode
2006/12/04 14:21:02| clientAccessCheck: proxy request denied in accel_only mode
2006/12/04 14:21:05| clientAccessCheck: proxy request denied in accel_only mode
2006/12/04 14:21:06| clientAccessCheck: proxy request denied in accel_only mode

The question is what to do and how to proceed :(
httpd_accel_with_proxy on
add this
http_access deny limited_IP !allowed_sites
http_access allow LocalNet
http_access allow localhost
http_access deny all
httpd_accel_with_proxy on #added

I typed http://87.242.103.18/
ERROR
The requested URL could not be retrieved
--------------------------------------------------------------------------------
While trying to retrieve the URL: http://87.242.103.18/
The following error was encountered:
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Your cache administrator is xxx@mail.ru.
--------------------------------------------------------------------------------
Generated Mon, 04 Dec 2006 12:54:16 GMT by xxx.LOCAL (squid/2.5.STABLE14)
And silence :?
>http_access deny limited_IP !allowed_sites

In limited_IP.conf
192.168.0.1
192.168.0.14
================
access.log shows
1165227449.990 0 192.168.0.1 TCP_DENIED/403 1356 GET http://www.rambler.ru/ - NONE/- text/html

And what is surprising about that? No need to test my attentiveness.
I wrote
http_access allow localhost
http_access allow mynetwork
and everything started working
>acl allowed_sites dstdomain "/usr/local/etc/squid/allowed_sites.conf"
>================
>In allowed_sites.conf
>www.mail.ru
>http://www.rambler.ru
>www.yandex.ru
>
This is incorrect!
dstdomain has a completely different syntax!
acl allowed_sites dstdomain mail.ru. yandex.ru. rambler.ru.

proxy on - remove it entirely and check the order of the ACLs for deny and for allow!
>>acl allowed_sites dstdomain "/usr/local/etc/squid/allowed_sites.conf"
In allowed_sites.conf I put
mail.ru
rambler.ru
yandex.ru
>proxy on
removed
>check the order of the ACLs for deny and for allow!

In limited_IP.conf
192.168.0.12
192.168.0.16
for example

and again denied :(
I'd be happy if it worked from any IP at all
>>proxy on
>removed

ipmanyak is an authoritative person, his opinion is worth listening to.
But if cache.log again shows
2006/12/04 14:21:06| clientAccessCheck: proxy request denied in accel_only mode
then maybe httpd_accel_with_proxy on after all?

And in general you need to read the logs: cache.log and access.log with debug_options set
>httpd_accel_host virtual
>httpd_accel_port 80
>httpd_accel_uses_host_header on
These options and httpd_accel_with_proxy on are needed for transparent mode! Is that exactly the mode you want? If so, have you redirected the traffic to the Squid port on the firewall? First get Squid working without transparency! Use these rules:

acl all src 0.0.0.0/0.0.0.0
acl LocalNet src 192.168.0.0/24
http_access allow LocalNet
http_access deny all

and check that Squid works; after that you can change/add rules
Everything works :P
Here is the config + logs. Could you tell me how to make Squid dial out to the Internet itself via ppp etc. on a request (when the object is not in the cache), and can anything in the config be improved?
==========
squid.conf
http_port 192.168.0.14:3128
icp_port 0
hierarchy_stoplist cqi-bin ?
cache_mem 128 MB
maximum_object_size 8092 KB
maximum_object_size_in_memory 512 KB
cache_dir ufs /usr/local/squid/cache 2048 64 256
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_mgr xxx@mail.ru
visible_hostname xx.LOCAL
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^qopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl allowed_sites dstdomain "/usr/local/etc/squid/allowed_sites.conf"
acl limited_IP src "/usr/local/etc/squid/limited_IP.conf"
acl localhost src 127.0.0.0/8
acl LocalNet src 192.168.0.0/24
#acl denied_sites dstdomain "/usr/local/etc/squid/denied_ext.conf"
#http_access deny denied_sites
http_access allow allowed_sites
http_access deny limited_IP !allowed_sites
http_access allow LocalNet
http_access allow localhost
http_access deny all
coredump_dir /usr/local/squid/cache
pid_filename /usr/local/squid/logs/squid.pid
=====================
cache.log
2006/12/05 10:50:51| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
2006/12/05 10:50:51| Process ID 1343
2006/12/05 10:50:51| With 7296 file descriptors available
2006/12/05 10:50:51| DNS Socket created at 0.0.0.0, port 51156, FD 5
2006/12/05 10:50:51| Adding nameserver 212.129.96.13 from /etc/resolv.conf
2006/12/05 10:50:51| Adding nameserver 212.129.101.1 from /etc/resolv.conf
2006/12/05 10:50:51| Unlinkd pipe opened on FD 10
2006/12/05 10:50:51| Swap maxSize 2097152 KB, estimated 161319 objects
2006/12/05 10:50:51| Target number of buckets: 8065
2006/12/05 10:50:51| Using 8192 Store buckets
2006/12/05 10:50:51| Max Mem size: 131072 KB
2006/12/05 10:50:51| Max Swap size: 2097152 KB
2006/12/05 10:50:51| Rebuilding storage in /usr/local/squid/cache (CLEAN)
2006/12/05 10:50:51| Using Least Load store dir selection
2006/12/05 10:50:51| Set Current Directory to /usr/local/squid/cache
2006/12/05 10:50:51| Loaded Icons.
2006/12/05 10:50:51| Accepting HTTP connections at 192.168.0.14, port 3128, FD 12.
2006/12/05 10:50:51| WCCP Disabled.
2006/12/05 10:50:51| Ready to serve requests.
2006/12/05 10:50:52| Done reading /usr/local/squid/cache swaplog (265 entries)
2006/12/05 10:50:52| Finished rebuilding storage from disk.
2006/12/05 10:50:52| 265 Entries scanned
2006/12/05 10:50:52| 0 Invalid entries.
2006/12/05 10:50:52| 0 With invalid flags.
2006/12/05 10:50:52| 265 Objects loaded.
2006/12/05 10:50:52| 0 Objects expired.
2006/12/05 10:50:52| 0 Objects cancelled.
2006/12/05 10:50:52| 0 Duplicate URLs purged.
2006/12/05 10:50:52| 0 Swapfile clashes avoided.
2006/12/05 10:50:52| Took 0.3 seconds ( 948.2 objects/sec).
2006/12/05 10:50:52| Beginning Validation Procedure
2006/12/05 10:50:52| Completed Validation Procedure
2006/12/05 10:50:52| Validated 265 Entries
2006/12/05 10:50:52| store_swap_size = 2074k
2006/12/05 10:50:52| storeLateRelease: released 0 objects

access.log
1165305075.456 2831 192.168.0.1 TCP_MISS/200 228 GET http://counter.rambler.ru/top100.cnt? - DIRECT/81.19.66.19 image/gif
1165305076.984 7706 192.168.0.1 TCP_MISS/200 68085 GET http://www.rambler.ru/ - DIRECT/81.19.70.1 text/html
1165305077.000 4342 192.168.0.1 TCP_MISS/302 237 GET http://top.list.ru/counter? - DIRECT/194.67.45.123 -
1165305077.048 4383 192.168.0.1 TCP_MISS/200 899 GET http://engine.awaps.net/8/144/728090.? - DIRECT/213.59.0.100 text/plain
1165305077.786 0 192.168.0.1 TCP_IMS_HIT/304 211 GET http://www.rambler.ru/news/images/photobanner/2006/12/04/116... - NONE/- image/jpeg
1165305077.809 23 192.168.0.1 TCP_IMS_HIT/304 211 GET http://www.rambler.ru/news/images/photobanner/2006/12/03/116... - NONE/- image/jpeg
1165305079.305 2282 192.168.0.1 TCP_MISS/200 288 GET http://top3.list.ru/counter? - DIRECT/194.67.45.129 image/gif
1165305081.466 4417 192.168.0.1 TCP_MISS/200 16279 GET http://engine.awaps.net/0/144/07280090.gif? - DIRECT/213.59.0.100 image/gif

store.log
1165305075.456 RELEASE -1 FFFFFFFF 2CA660F63A8F42E9339A5DCF37E72D74 200 1165304628 -1 1 image/gif -1/49 GET http://counter.rambler.ru/top100.cnt?
1165305076.984 RELEASE -1 FFFFFFFF 25863F64183C2C3BB86BD0B710AA2642 200 1165304624 -1 1165304924 text/html -1/67847 GET http://www.rambler.ru/
1165305077.000 RELEASE -1 FFFFFFFF 51BA96E53E1315A7E15BBCDF9CBEB74F 302 1165304630 -1 -1 unknown -1/0 GET http://top.list.ru/counter?
1165305077.048 RELEASE -1 FFFFFFFF C371B43C2A1A69FD260191102EF16318 200 -1 -1 1165305077 text/plain 382/382 GET http://engine.awaps.net/8/144/728090.?
1165305077.786 RELEASE -1 FFFFFFFF C8C42935278846DC8C1F1D5B23764643 304 1165303520 1165241020 -1 image/jpeg -1/0 GET http://www.rambler.ru/news/images/photobanner/2006/12/04/116...
1165305077.809 RELEASE -1 FFFFFFFF 5AD7F391C491989BEEB9D18BD568C624 304 1165303521 1165171002 -1 image/jpeg -1/0 GET http://www.rambler.ru/news/images/photobanner/2006/12/03/116...
1165305079.305 RELEASE -1 FFFFFFFF F98B93F83D49F704E3398C615B8D8F52 200 1165304632 -1 -1 image/gif 43/43 GET http://top3.list.ru/counter?
1165305081.466 RELEASE -1 FFFFFFFF 6D83A2D11892CA1EA554E244698262C4 200 -1 -1 1165305078 image/gif 15736/15736 GET http://engine.awaps.net/0/144/07280090.gif?
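
Added example, not part of the thread and not Squid's own code: a small Python model of how Squid walks http_access lines (first match wins, ACL names on one line are ANDed) and of dstdomain matching, run over the two rule sets posted above. It models the ACL layer only, not the accel_only refusal seen in cache.log; decide(), make_acls() and the other names are made up here, and the leading-dot entry ".mail.ru" used in the test comes from Squid's dstdomain syntax, not from the thread.

```python
import ipaddress

def dstdomain_match(host, entries):
    """Squid dstdomain: 'mail.ru' matches only that host, '.mail.ru' also matches subdomains."""
    host = host.lower().rstrip(".")
    for e in (x.lower() for x in entries):
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:          # an entry such as 'http://www.rambler.ru' can never equal a hostname
            return True
    return False

def src_match(client, nets):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def decide(rules, acls, client, host):
    """Return 'allow' or 'deny' for one request, evaluating rules top to bottom."""
    def hit(name):
        kind, values = acls[name.lstrip("!")]
        m = dstdomain_match(host, values) if kind == "dstdomain" else src_match(client, values)
        return m != name.startswith("!")      # a leading '!' negates the ACL
    for action, names in rules:
        if all(hit(n) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def make_acls(sites, limited):
    # ACL definitions as posted; file contents are passed in as lists.
    return {"all": ("src", ["0.0.0.0/0"]),
            "allowed_sites": ("dstdomain", sites),
            "limited_IP": ("src", limited),
            "localhost": ("src", ["127.0.0.0/8"]),
            "LocalNet": ("src", ["192.168.0.0/24"])}

# Rule order and file contents from the first post.
FIRST_RULES = [("allow", ["allowed_sites"]), ("deny", ["limited_IP"]),
               ("allow", ["LocalNet"]), ("allow", ["localhost"])]
FIRST_ACLS = make_acls(["www.mail.ru", "http://www.rambler.ru", "www.yandex.ru"],
                       ["192.168.0.1", "192.168.0.14"])

# Rule order from the last post, with the file contents from the later reply.
FINAL_RULES = [("allow", ["allowed_sites"]), ("deny", ["limited_IP", "!allowed_sites"]),
               ("allow", ["LocalNet"]), ("allow", ["localhost"]), ("deny", ["all"])]
FINAL_ACLS = make_acls(["mail.ru", "rambler.ru", "yandex.ru"],
                       ["192.168.0.12", "192.168.0.16"])
```

In this model "http_access allow allowed_sites" carries no src condition, so a listed site is allowed for any client address that can reach the port; putting LocalNet on the same line would restrict it to the LAN.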