Squid has gone kaput - Mandriva
-
Squid has gone kaput
Here's an odd thing: I ran updates on my server after a rather lengthy
period of not updating -- I hate it when the lying bastage mirrors stop
working, but anyway...
After this lengthy upgrade, Squid stopped working. The process was
still up, but when I configured the browser to use the proxy, it claimed
it couldn't find the proxy I had configured.
I looked at the config files and everything seemed okay. I checked the
logs and it looked like there was a failure related to how it was
resolving http. I'd like to be more articulate about that error, but I
punted and uninstalled/reinstalled squid and squidGuard from the
main_update repositories.
The reinstall went okay, but now I'm getting these in the cache.log:
2007/04/04 16:33:08| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
2007/04/04 16:33:08| Accepting HTCP messages on port 4827, FD 20.
2007/04/04 16:33:08| Accepting SNMP messages on port 3401, FD 21.
2007/04/04 16:33:08| WCCP Disabled.
2007/04/04 16:33:08| Pinger socket opened on FD 22
2007/04/04 16:33:08| Ready to serve requests.
2007/04/04 16:33:08| WARNING: url_rewriter #5 (FD 10) exited
2007/04/04 16:33:08| WARNING: url_rewriter #4 (FD 9) exited
2007/04/04 16:33:08| WARNING: url_rewriter #3 (FD 8) exited
2007/04/04 16:33:08| Too few url_rewriter processes are running
FATAL: The url_rewriter helpers are crashing too rapidly, need help!
Squid Cache (Version 2.6.STABLE1): Terminated abnormally.
I think I've seen that before, but I can't for the life of me find it in
Google.
Anybody remember what this is about?
Thanks.
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
perl < /dev/bdsm
you have a /dev/bdsm?
sure, it's a pseudosadomasochistic random number generator
--
Posted via a free Usenet account from http://www.teranews.com
-
Re: Squid has gone kaput
Mark Adams wrote:
> Here's an odd thing: I ran updates on my server after a rather lengthy
> period of not updating -- I hate it when the lying bastage mirrors stop
> working, but anyway...
>
> After this lengthy upgrade, Squid stopped working. The process was
> still up, but when I configured the browser to use the proxy, it claimed
> it couldn't find the proxy I had configured.
>
> I looked at the config files and everything seemed okay. I checked the
> logs and it looked like there was a failure related to how it was
> resolving http. I'd like to be more articulate about that error, but I
> punted and uninstalled/reinstalled squid and squidGuard from the
> main_update repositories.
>
> The reinstall went okay, but now I'm getting these in the cache.log:
>
> 2007/04/04 16:33:08| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
> 2007/04/04 16:33:08| Accepting HTCP messages on port 4827, FD 20.
> 2007/04/04 16:33:08| Accepting SNMP messages on port 3401, FD 21.
> 2007/04/04 16:33:08| WCCP Disabled.
> 2007/04/04 16:33:08| Pinger socket opened on FD 22
> 2007/04/04 16:33:08| Ready to serve requests.
> 2007/04/04 16:33:08| WARNING: url_rewriter #5 (FD 10) exited
> 2007/04/04 16:33:08| WARNING: url_rewriter #4 (FD 9) exited
> 2007/04/04 16:33:08| WARNING: url_rewriter #3 (FD 8) exited
> 2007/04/04 16:33:08| Too few url_rewriter processes are running
> FATAL: The url_rewriter helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 2.6.STABLE1): Terminated abnormally.
Your url_rewrite_program is failing.
Comment out url_rewrite_program and maybe url_rewrite_children
and see if squid works.
Looks like squidGuard is broken.
What does 'squidGuard -d -c /path/to/your/squidguard.conf' show ?
Anything interesting in /var/log/squidGuard/squidGuard.{error,log} ?
-
Re: Squid has gone kaput
Mark Adams wrote:
> Here's an odd thing: I ran updates on my server after a rather lengthy
> period of not updating -- I hate it when the lying bastage mirrors stop
> working, but anyway...
>
> After this lengthy upgrade, Squid stopped working. The process was
> still up, but when I configured the browser to use the proxy, it claimed
> it couldn't find the proxy I had configured.
>
> I looked at the config files and everything seemed okay. I checked the
> logs and it looked like there was a failure related to how it was
> resolving http. I'd like to be more articulate about that error, but I
> punted and uninstalled/reinstalled squid and squidGuard from the
> main_update repositories.
>
> The reinstall went okay, but now I'm getting these in the cache.log:
>
> 2007/04/04 16:33:08| Accepting ICP messages at 0.0.0.0, port 3130, FD 19.
> 2007/04/04 16:33:08| Accepting HTCP messages on port 4827, FD 20.
> 2007/04/04 16:33:08| Accepting SNMP messages on port 3401, FD 21.
> 2007/04/04 16:33:08| WCCP Disabled.
> 2007/04/04 16:33:08| Pinger socket opened on FD 22
> 2007/04/04 16:33:08| Ready to serve requests.
> 2007/04/04 16:33:08| WARNING: url_rewriter #5 (FD 10) exited
> 2007/04/04 16:33:08| WARNING: url_rewriter #4 (FD 9) exited
> 2007/04/04 16:33:08| WARNING: url_rewriter #3 (FD 8) exited
> 2007/04/04 16:33:08| Too few url_rewriter processes are running
> FATAL: The url_rewriter helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 2.6.STABLE1): Terminated abnormally.
>
> I think I've seen that before, but I can't for the life of me find it in
> Google.
>
> Anybody remember what this is about?
>
> Thanks.
>
Okay, I've overcome the above problem and squid/squidGuard are now up
and running. Problem is, the proxy isn't working.
There's nothing in any of the logs concerning the problem, it just sits
there and the web page you are trying to browse times out instead of
loading.
And oh joy, the new 2.6 version of Squid is not compatible with Webmin.
There is no gui to help configure this mess.
Aye carumba.
Any ideas?
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
You humans are all alike.
-
Re: Squid has gone kaput
Mark Adams wrote:
>
> Okay, I've overcome the above problem and squid/squidGuard are now up
> and running. Problem is, the proxy isn't working.
>
> There's nothing in any of the logs concerning the problem, it just sits
> there and the web page you are trying to browse times out instead of
> loading.
>
> And oh joy, the new 2.6 version of Squid is not compatible with Webmin.
> There is no gui to help configure this mess.
I find 'gvim' is a nice GUI for setting up text files.
>
> Aye carumba.
>
> Any ideas?
Are you using your old squid.conf (with the redirect_program /
url_rewrite_program change) or did you modify the new squid.conf
to suit your purposes ?
As you probably know, out of the box squid only allows access
to localhost.
What does the following show ?
sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' /etc/squid/squid.conf
Anything interesting in /var/log/squid/... logs ?
-
Re: Squid has gone kaput
foo wrote:
> Mark Adams wrote:
>>
>> Okay, I've overcome the above problem and squid/squidGuard are now up
>> and running. Problem is, the proxy isn't working.
>>
>> There's nothing in any of the logs concerning the problem, it just
>> sits there and the web page you are trying to browse times out instead
>> of loading.
>>
>> And oh joy, the new 2.6 version of Squid is not compatible with
>> Webmin. There is no gui to help configure this mess.
>
> I find 'gvim' is a nice GUI for setting up text files.
>
I can use vi to edit text just fine, but Webmin makes it much easier to
see what you actually have going on.
>>
>> Aye carumba.
>>
>> Any ideas?
>
> Are you using your old squid.conf (with the redirect_program /
> url_rewrite_program change) or did you modify the new squid.conf
> to suit your purposes ?
I'm modifying the new config file.
>
> As you probably know, out of the box squid only allows access
> to localhost.
I think I've covered all that in the new config file. The only glaring
discrepancy I found was the change in nomenclature for
"url_rewrite_program".
>
> What does the following show ?
>
> sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' /etc/squid/squid.conf
http_port 3128
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl Apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
url_rewrite_program /usr/bin/squidGuard -d -c /etc/squid/squidGuard.conf
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl mynetwork src 192.168.1.0/255.255.255.0
acl alexa src "/etc/squid/bad_1s"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mynetwork
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname shuttle.adams-lan.local
deny_info ERR_CUSTOM_ACCESS_DENIED mynetwork
coredump_dir /var/spool/squid
See anything obvious in there?
> Anything interesting in /var/log/squid/... logs ?
>
# tail cache.log
2007-04-05 03:03:13 [23521] init urllist
/usr/share/squidGuard-1.2.0/db/custom/local-block/urls
2007-04-05 03:03:13 [23521] loading dbfile
/usr/share/squidGuard-1.2.0/db/custom/local-block/urls.db
2007-04-05 03:03:13 [23521] squidGuard 1.2.0 started (1175763793.731)
2007-04-05 03:03:13 [23521] squidGuard ready for requests (1175763793.765)
2007/04/05 03:31:33| NETDB state saved; 0 entries, 0 msec
2007/04/05 04:47:43| NETDB state saved; 0 entries, 0 msec
2007/04/05 05:45:24| NETDB state saved; 0 entries, 0 msec
2007/04/05 06:26:32| icmpSend: send: (111) Connection refused
2007/04/05 06:26:32| Closing Pinger socket on FD 21
2007/04/05 06:52:13| NETDB state saved; 0 entries, 0 msec
# tail store.log
1175775995.543 RELEASE -1 FFFFFFFF 3EEAC5A822E56A486957BB03BC0F6DA2 302
1175775995 -1 -1 unknown 0/0 GET
http://global.msads.net/ads/pronws/im.png
1175775995.543 RELEASE -1 FFFFFFFF 0AE2D19C3E79685A94C9C78972303A9B 302
1175775995 -1 -1 unknown 0/0 GET
http://rad.msn.com/ADSAdClient31.dll?
1175775995.564 RELEASE -1 FFFFFFFF 5B42B5E049715ABC82CFA2E7EFC275B4 302
1175775995 -1 -1 unknown 0/0 GET
http://rad.msn.com/ADSAdClient31.dll?
1175775995.593 RELEASE -1 FFFFFFFF 47C61FB2132D4855E30060028FAC4CFA 302
1175775995 -1 -1 unknown 0/0 GET
http://rad.msn.com/ADSAdClient31.dll?
1175775995.685 RELEASE -1 FFFFFFFF D415BA7F91C798E138358EA85C1AF776 503
1175775995 0 1175775995 text/html 1084/1084 GET
http://192.168.1.105/ads.shtml
1175775995.690 RELEASE -1 FFFFFFFF 968B40EB890C97906B7C8A56C68ABB34 503
1175775995 0 1175775995 text/html 1084/1084 GET
http://192.168.1.105/ads.shtml
1175775995.690 RELEASE -1 FFFFFFFF F10D73891891C14F796EBB8917859637 503
1175775995 0 1175775995 text/html 1084/1084 GET
http://192.168.1.105/ads.shtml
1175775995.718 RELEASE -1 FFFFFFFF 769A5181BCD7D349375F223163220CB9 503
1175775995 0 1175775995 text/html 1084/1084 GET
http://192.168.1.105/ads.shtml
1175775995.805 RELEASE -1 FFFFFFFF 91744EBBC427014DBD8F7B2E6C91BF8C 503
1175775995 0 1175775995 text/html 1084/1084 GET
http://192.168.1.105/ads.shtml
1175775996.333 RELEASE -1 FFFFFFFF CCA984DF1BE2C638982283B955CB19A4 200
1175775995 -1 1175775995 text/xml 4995/4995 POST
http://storage.msn.com/storageservic...izedstore.asmx
# tail access.log
1175775995.543 7 192.168.1.101 TCP_MISS/302 159 GET
http://global.msads.net/ads/pronws/im.png - NONE/- -
1175775995.543 0 192.168.1.101 TCP_MISS/302 159 GET
http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
1175775995.564 6 192.168.1.101 TCP_MISS/302 159 GET
http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
1175775995.593 3 192.168.1.101 TCP_MISS/302 159 GET
http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
1175775995.685 110 192.168.1.101 TCP_MISS/503 1436 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
1175775995.690 109 192.168.1.101 TCP_MISS/503 1436 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
1175775995.690 105 192.168.1.101 TCP_MISS/503 1436 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
1175775995.718 107 192.168.1.101 TCP_MISS/503 1436 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
1175775995.805 112 192.168.1.101 TCP_MISS/503 1436 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
1175775996.333 630 192.168.1.101 TCP_MISS/200 5441 POST
http://storage.msn.com/storageservic...izedstore.asmx -
DIRECT/207.46.219.35 text/xml
I'm no expert on this, but I don't see anything in any log (I checked
syslog too) that indicates a problem -- the proxy just isn't accepting
connections.
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
Many a wife thinks her husband is the world's greatest lover.
But she can never catch him at it.
-
Re: Squid has gone kaput
Mark Adams wrote:
>>
>> sed '/^[[:space:]]*#/d;/^[[:space:]]*$/d' /etc/squid/squid.conf
>
> http_port 3128
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl Apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> url_rewrite_program /usr/bin/squidGuard -d -c /etc/squid/squidGuard.conf
The '-d' should be removed so errors go to log files instead of stderr.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl mynetwork src 192.168.1.0/255.255.255.0
> acl alexa src "/etc/squid/bad_1s"
The alexa acl is not used.
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow mynetwork
> acl our_networks src 192.168.1.0/24
> http_access allow our_networks
2 acl's for the same subnet, mynetwork and our_networks.
> http_access allow localhost
> http_reply_access allow all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname shuttle.adams-lan.local
> deny_info ERR_CUSTOM_ACCESS_DENIED mynetwork
> coredump_dir /var/spool/squid
>
> See anything obvious in there?
Nothing real obvious.
Try removing the acl and access for the duplicate
our_networks and alexa.
Comment out url_rewrite_program.
When squid is working, add squidGuard and you'll know
if squidGuard or squid is the problem.
I have a vague memory of squidGuard causing me problems
in the distant past and it being not obvious to fix.
>
>> Anything interesting in /var/log/squid/... logs ?
>>
>
> # tail access.log
> 1175775995.543 7 192.168.1.101 TCP_MISS/302 159 GET
> http://global.msads.net/ads/pronws/im.png - NONE/- -
> 1175775995.543 0 192.168.1.101 TCP_MISS/302 159 GET
> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
> 1175775995.564 6 192.168.1.101 TCP_MISS/302 159 GET
> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
> 1175775995.593 3 192.168.1.101 TCP_MISS/302 159 GET
> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
> 1175775995.685 110 192.168.1.101 TCP_MISS/503 1436 GET
> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
> 1175775995.690 109 192.168.1.101 TCP_MISS/503 1436 GET
> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
> 1175775995.690 105 192.168.1.101 TCP_MISS/503 1436 GET
> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
> 1175775995.718 107 192.168.1.101 TCP_MISS/503 1436 GET
> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
> 1175775995.805 112 192.168.1.101 TCP_MISS/503 1436 GET
> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
> 1175775996.333 630 192.168.1.101 TCP_MISS/200 5441 POST
> http://storage.msn.com/storageservic...izedstore.asmx -
> DIRECT/207.46.219.35 text/xml
I wonder if this is new or old log entries, try 'tail -f access.log'
when using the proxy.
Does "ads.shtml" work OK on your local web server ?
-
Re: Squid has gone kaput
foo wrote:
> Mark Adams wrote:
>>>
snip!
Before we get started, I tinkered with the config enough to get the
proxy to work from the server -- I can configure Firefox to use the
proxy and browse as expected. Here are the lines I inserted/altered to
get it to work:
http_access allow manager localhost
http_access allow Safe_ports
######http_access deny manager <<<<<<< commented out
# Deny requests to unknown ports
######http_access deny !Safe_ports
http_access allow !Safe_ports <<<<<<<<< Changed it to allow
# Deny CONNECT to other than SSL ports
######http_access deny CONNECT !SSL_ports
http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
http_access allow mynetwork
Still can't browse through the proxy from the client.
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl mynetwork src 192.168.1.0/255.255.255.0
>> acl alexa src "/etc/squid/bad_1s"
>
> The alexa acl is not used.
>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow mynetwork
>> acl our_networks src 192.168.1.0/24
>> http_access allow our_networks
>
> 2 acl's for the same subnet, mynetwork and our_networks.
>
>> http_access allow localhost
>> http_reply_access allow all
>> icp_access allow all
>> cache_effective_user squid
>> cache_effective_group squid
>> visible_hostname shuttle.adams-lan.local
>> deny_info ERR_CUSTOM_ACCESS_DENIED mynetwork
>> coredump_dir /var/spool/squid
>>
>> See anything obvious in there?
>
> Nothing real obvious.
>
> Try removing the acl and access for the duplicate
> our_networks and alexa.
>
Done. It made no difference.
> Comment out url_rewrite_program.
> When squid is working, add squidGuard and you'll know
> if squidGuard or squid is the problem.
>
> I have a vague memory of squidGuard causing me problems
> in the distant past and it being not obvious to fix.
I've had it commented out all day.
>
>>
>>> Anything interesting in /var/log/squid/... logs ?
>>>
>>
>> # tail access.log
>> 1175775995.543 7 192.168.1.101 TCP_MISS/302 159 GET
>> http://global.msads.net/ads/pronws/im.png - NONE/- -
>> 1175775995.543 0 192.168.1.101 TCP_MISS/302 159 GET
>> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
>> 1175775995.564 6 192.168.1.101 TCP_MISS/302 159 GET
>> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
>> 1175775995.593 3 192.168.1.101 TCP_MISS/302 159 GET
>> http://rad.msn.com/ADSAdClient31.dll? - NONE/- -
>> 1175775995.685 110 192.168.1.101 TCP_MISS/503 1436 GET
>> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
>> 1175775995.690 109 192.168.1.101 TCP_MISS/503 1436 GET
>> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
>> 1175775995.690 105 192.168.1.101 TCP_MISS/503 1436 GET
>> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
>> 1175775995.718 107 192.168.1.101 TCP_MISS/503 1436 GET
>> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
>> 1175775995.805 112 192.168.1.101 TCP_MISS/503 1436 GET
>> http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
>> 1175775996.333 630 192.168.1.101 TCP_MISS/200 5441 POST
>> http://storage.msn.com/storageservic...izedstore.asmx -
>> DIRECT/207.46.219.35 text/xml
>
> I wonder if this is new or old log entries, try 'tail -f access.log'
> when using the proxy.
It doesn't change -- doesn't register anything new when I attempt to go
to Google on a client machine configured to use the proxy. I'm pretty
sure that means it's an old log, but it's stamped
-rw-r----- 1 squid squid 533009 Apr 5 20:00 access.log
Looks to me as if it's logging browsing activity on the server, but not
the client.
Currently says:
# tail -f access.log
1175823733.255 0 192.168.1.105 TCP_MISS/503 1581 GET
http://www.shuttle.adams-lan.local/favicon.ico -
DIRECT/www.shuttle.adams-lan.local text/html
1175823757.060 105 192.168.1.105 TCP_MISS/503 1436 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
1175823837.594 120419 192.168.1.105 TCP_MISS/503 1428 GET
http://www.localhost.com/ - DIRECT/10.11.12.13 text/html
1175824274.609 105 192.168.1.105 TCP_MISS/503 1428 GET
http://192.168.1.105/10000 - DIRECT/192.168.1.105 text/html
1175824553.666 0 192.168.1.105 TCP_MISS/503 0 CONNECT
192.168.1.105:443 - DIRECT/192.168.1.105 -
1175824553.835 0 192.168.1.105 TCP_MISS/503 0 CONNECT
192.168.1.105:443 - DIRECT/192.168.1.105 -
1175824569.617 0 192.168.1.105 TCP_MISS/503 0 CONNECT
192.168.1.105:443 - DIRECT/192.168.1.105 -
1175824841.419 146 192.168.1.105 TCP_MISS/503 1547 GET
http://www.192.168.1.105/ads.shtml - DIRECT/www.192.168.1.105 text/html
1175824841.507 0 192.168.1.105 TCP_MISS/503 1551 GET
http://www.192.168.1.105/favicon.ico - DIRECT/www.192.168.1.105 text/html
1175824854.021 50 192.168.1.105 TCP_MISS/200 1298 GET
http://192.168.1.105/ads.shtml - DIRECT/192.168.1.105 text/html
Notice the reference to ads.shtml.
BTW, it looks as if the client is getting into the proxy, then the proxy
is reporting back that the website is taking too long to respond. Now,
does that mean that the proxy just isn't allowing information back into
the client? I'm getting really confused here.
> Does "ads.shtml" work OK on your local web server ?
Browsing to 192.168.1.105/ads.shtml from a browser on the server gets me
my custom blocked page. From the client, it times out.
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
Remember to say hello to your bank teller.
-
Re: Squid has gone kaput
Mark Adams wrote:
> foo wrote:
>> Mark Adams wrote:
>>>>
> snip!
>
> Before we get started, I tinkered with the config enough to get the
> proxy to work from the server -- I can configure Firefox to use the
> proxy and browse as expected. Here are the lines I inserted/altered to
> get it to work:
>
> http_access allow manager localhost
> http_access allow Safe_ports
> ######http_access deny manager <<<<<<< commented out
Weird, I wonder if everyone agrees on who localhost is.
> # Deny requests to unknown ports
> ######http_access deny !Safe_ports
> http_access allow !Safe_ports <<<<<<<<< Changed it to allow
Your Safe_ports looked OK, I would think "deny !Safe_ports" is correct.
> # Deny CONNECT to other than SSL ports
> ######http_access deny CONNECT !SSL_ports
> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
Again, I would think "deny CONNECT !SSL_ports" is correct.
> BTW, it looks as if the client is getting into the proxy, then the proxy
> is reporting back that the website is taking too long to respond. Now,
> does that mean that the proxy just isn't allowing information back into
> the client? I'm getting really confused here.
>
>> Does "ads.shtml" work OK on your local web server ?
>
> Browsing to 192.168.1.105/ads.shtml from a browser on the server gets me
> my custom blocked page. From the client, it times out.
So a browser on the same system as squid works, but browsers on external
systems do not contact squid at all.
Are you using explicit proxy settings in the external browsers
or are you redirecting port 80 to 3128 (or 8080) via iptables
on your internal interface.
(redirecting via iptables makes it a transparent proxy).
If your old config used the httpd_accel.... settings, this has
also changed. You now use the "transparent" option on http_port.
You may need also "httpd_accel_no_pmtu_disc on"
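foo's review points in this thread (the unused alexa ACL, the two ACLs for the same subnet, and that the two deny rules should stay deny) can be checked mechanically. The following is an added example, not code from any poster or from the Squid project: a small model of how Squid walks http_access top to bottom and stops at the first rule whose ACLs all match, handling only the src, port, method and proto ACL types. It assumes ACL names compare case-insensitively; the request addresses and port 25 are constructed test values.

```python
import ipaddress

# Constructed sample: ACL and access lines from the squid.conf posted in this
# thread (abridged; Safe_ports shortened, unrelated directives left out).
POSTED = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl mynetwork src 192.168.1.0/255.255.255.0
acl alexa src "/etc/squid/bad_1s"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mynetwork
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_reply_access allow all
icp_access allow all
"""

# The same file with the three edits described in the thread.
ALTERED = (POSTED
           .replace("http_access deny manager", "http_access allow Safe_ports")
           .replace("http_access deny !Safe_ports", "http_access allow !Safe_ports")
           .replace("http_access deny CONNECT", "http_access allow CONNECT"))


def parse(conf):
    """Return (acls, http_access rules, ACL names referenced by any directive)."""
    acls, rules, refs = {}, [], set()
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop trailing comments
        if not tok:
            continue
        if tok[0] == "acl":                     # repeated names accumulate values
            acls.setdefault(tok[1].lower(), (tok[2], []))[1].extend(tok[3:])
        else:
            refs.update(t.lstrip("!").lower() for t in tok[2:])
            if tok[0] == "http_access":
                rules.append((tok[1], tok[2:]))
    return acls, rules, refs


def networks(values):
    """src values as networks; quoted file references cannot be resolved here."""
    return {ipaddress.ip_network(v, strict=False)
            for v in values if not v.startswith('"')}


def acl_matches(acls, name, req):
    kind, values = acls[name.lower()]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in n for n in networks(values))
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind in ("method", "proto"):
        return req[kind] in values
    return False                                # ACL types not modelled here


def decide(conf, req):
    """First http_access rule whose terms all match decides the request."""
    acls, rules, _ = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action, " ".join(terms)
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(default)"


def lint(conf):
    """Return (ACLs never referenced, pairs of src ACLs covering the same nets)."""
    acls, _, refs = parse(conf)
    unused = sorted(n for n in acls if n not in refs)
    seen, dupes = {}, []
    for name, (kind, values) in acls.items():
        key = frozenset(networks(values)) if kind == "src" else None
        if key:
            if key in seen:
                dupes.append((seen[key], name))
            seen.setdefault(key, name)
    return unused, dupes


if __name__ == "__main__":
    outside = {"src": "203.0.113.9", "port": 80, "method": "GET", "proto": "http"}
    odd = {"src": "192.168.1.101", "port": 25, "method": "CONNECT", "proto": "http"}
    print("lint:", lint(POSTED))
    for label, conf in (("posted", POSTED), ("altered", ALTERED)):
        print(label, "non-LAN source:", decide(conf, outside))
        print(label, "CONNECT to port 25:", decide(conf, odd))
```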
-
Re: Squid has gone kaput
Mark Adams wrote:
> foo wrote:
>> Mark Adams wrote:
>>>>
> snip!
>
> Before we get started, I tinkered with the config enough to get the
> proxy to work from the server -- I can configure Firefox to use the
> proxy and browse as expected. Here are the lines I inserted/altered to
> get it to work:
>
> http_access allow manager localhost
> http_access allow Safe_ports
> ######http_access deny manager <<<<<<< commented out
> # Deny requests to unknown ports
> ######http_access deny !Safe_ports
> http_access allow !Safe_ports <<<<<<<<< Changed it to allow
> # Deny CONNECT to other than SSL ports
> ######http_access deny CONNECT !SSL_ports
> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
> http_access allow mynetwork
>
> Still can't browse through the proxy from the client.
>
One more thing, try "always_direct allow all".
I forgot about that one.
-
Re: Squid has gone kaput
foo wrote:
> Mark Adams wrote:
>> foo wrote:
>>> Mark Adams wrote:
>>>>>
>> snip!
>>
>> Before we get started, I tinkered with the config enough to get the
>> proxy to work from the server -- I can configure Firefox to use the
>> proxy and browse as expected. Here are the lines I inserted/altered
>> to get it to work:
>>
>> http_access allow manager localhost
>> http_access allow Safe_ports
>> ######http_access deny manager <<<<<<< commented out
>
> Weird, I wonder if everyone agrees on who localhost is.
>
Is there a test? The hosts file on the server includes this line:
127.0.0.1 shuttle.adams-lan.local shuttle localhost
Pinging localhost looks good:
# ping localhost
PING shuttle.adams-lan.local (127.0.0.1) 56(84) bytes of data.
64 bytes from shuttle.adams-lan.local (127.0.0.1): icmp_seq=1 ttl=64
time=0.058 ms
>> # Deny requests to unknown ports
>> ######http_access deny !Safe_ports
>> http_access allow !Safe_ports <<<<<<<<< Changed it to allow
>
> Your Safe_ports looked OK, I would think "deny !Safe_ports" is correct.
>
>> # Deny CONNECT to other than SSL ports
>> ######http_access deny CONNECT !SSL_ports
>> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
>
> Again, I would think "deny CONNECT !SSL_ports" is correct.
Okay, on a whim I went back in and changed those two lines back to their
defaults (deny). After "squid -k reconfigure" it seems the browser on
the server still works as it is supposed to. So disregard this --
denying those ports has no effect on the proxy's functioning. Needless
to say, the client machine still can't get through the proxy.
>
>> BTW, it looks as if the client is getting into the proxy, then the
>> proxy is reporting back that the website is taking too long to
>> respond. Now, does that mean that the proxy just isn't allowing
>> information back into the client? I'm getting really confused here.
>>
>>> Does "ads.shtml" work OK on your local web server ?
>>
>> Browsing to 192.168.1.105/ads.shtml from a browser on the server gets
>> me my custom blocked page. From the client, it times out.
>
> So a browser on the same system as squid works, but browsers on external
> systems do not contact squid at all.
That is correct -- clients receive a time out.
>
> Are you using explicit proxy settings in the external browsers
> or are you redirecting port 80 to 3128 (or 8080) via iptables
> on your internal interface.
> (redirecting via iptables makes it a transparent proxy).
I am configuring the connection settings in the browser to connect to
the proxy on port 8080. I am identifying the proxy server by IP address.
I've tried it by hostname and that hostname does appear in the
client's hosts file, but it makes no difference. I'm sticking with IP
just because I have a wee bit more faith in it.
>
> If your old config used the httpd_accel.... settings, this has
The httpd_accel option was set to off in the old config and is currently
off by default in the new config.
> also changed. You now use the "transparent" option on http_port.
>
> You may need also "httpd_accel_no_pmtu_disc on"
I just tried that. It made no difference.
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
The cost of living is going up, and the chance of living is going down.
-
Re: Squid has gone kaput
Mark Adams wrote:
>>
>> So a browser on the same system as squid works, but browsers on external
>> systems do not contact squid at all.
>
> That is correct -- clients receive a time out.
>
>>
>> Are you using explicit proxy settings in the external browsers
>> or are you redirecting port 80 to 3128 (or 8080) via iptables
>> on your internal interface.
>> (redirecting via iptables makes it a transparent proxy).
>
> I am configuring the connection settings in the browser to connect to
> the proxy on port 8080. I am identifying the proxy server by IP address.
> I've tried it by hostname and that hostname does appear in the client's
> hosts file, but it makes no difference. I'm sticking with IP just
> because I have a wee bit more faith in it.
Does 'netstat -an | grep -i listen | grep 8080' show your squid
listening on the correct IP address.
If not, you should use ip:port for http_port (instead of just port).
-
Re: Squid has gone kaput
foo wrote:
> Mark Adams wrote:
>> foo wrote:
>>> Mark Adams wrote:
>>>>>
>> snip!
>>
>> Before we get started, I tinkered with the config enough to get the
>> proxy to work from the server -- I can configure Firefox to use the
>> proxy and browse as expected. Here are the lines I inserted/altered
>> to get it to work:
>>
>> http_access allow manager localhost
>> http_access allow Safe_ports
>> ######http_access deny manager <<<<<<< commented out
>> # Deny requests to unknown ports
>> ######http_access deny !Safe_ports
>> http_access allow !Safe_ports <<<<<<<<< Changed it to allow
>> # Deny CONNECT to other than SSL ports
>> ######http_access deny CONNECT !SSL_ports
>> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
>> http_access allow mynetwork
>>
>> Still can't browse through the proxy from the client.
>>
>
> One more thing, try "always_direct allow all".
> I forgot about that one.
Okay, hold the phone:
In an effort to do SOMETHING on my end, I exported the proxy into my
environment (export http_proxy="http://192.168.1.105:8080") on the
client and fired up Lynx just to see what would happen.
Guess what -- Lynx had no problem browsing the Internet.
Given this, I suspected Firefox as the culprit. I fired up Mozilla
Seamonkey and configured the proxy connection in it. Surely the fact
that these are both built around the Gecko engine (at least I think they
still are) will tell the tale. It worked just fine. Grrr.
Same thing with Konqueror. Grrr, grrr.
Back to Firefox. I disabled Foxyproxy -- and lo, the angels did smile
and it worketh like the most slippery of owl mucus.
So what we appear to have here is a bug in a Firefox add-on. I'm
tempted to complain somewhere, but I'm too tired. I've fought this thing
all day and I'm just done.
Foo, thanks for holding my hand through this. I appreciate your
patience. The suggestions you made were good ones. It's been more than a
year since I set Squid/squidGuard up and I learned a little by
revisiting them today. Bottom line: Squid is caching and squidGuard is
redirect... er rewriting urls.
Have a good one, and thanks again.
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
The biggest difference between time and space is that you can't reuse time.
-- Merrick Furst
--
Posted via a free Usenet account from http://www.teranews.com
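An added example, not part of the original posts: a small Python check that flags `http_access allow` rules of the kind quoted above, which either open ports outside `Safe_ports`/`SSL_ports` or are not tied to a client source ACL. The `acl` definitions, the `mynetwork` range and the function name `audit_http_access` are assumptions constructed for the sample.

```python
# Constructed sample. The acl definitions are assumed (Squid 2.6-style defaults
# plus a made-up "mynetwork" range); the http_access lines follow the ones
# quoted in the thread, minus the poster's "<<<<" markers.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl mynetwork src 192.168.1.0/255.255.255.0
http_access allow manager localhost
http_access allow Safe_ports
######http_access deny manager
# Deny requests to unknown ports
######http_access deny !Safe_ports
http_access allow !Safe_ports
# Deny CONNECT to other than SSL ports
######http_access deny CONNECT !SSL_ports
http_access allow CONNECT !SSL_ports
http_access allow mynetwork
"""


def audit_http_access(conf_text):
    """Return (line_no, rule, reason) for each risky 'http_access allow' rule."""
    acl_type = {}  # ACL name -> type (src, port, method, ...)
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == "acl":
            acl_type.setdefault(fields[1], fields[2])
        elif len(fields) >= 3 and fields[:2] == ["http_access", "allow"]:
            rule, acls = " ".join(fields), fields[2:]
            # A negated port ACL in an allow rule opens every port NOT listed.
            for name in acls:
                if name.startswith("!") and acl_type.get(name[1:]) == "port":
                    findings.append((line_no, rule, f"allows ports outside {name[1:]}"))
            # Heuristic: without a positive src ACL (other than "all") the rule
            # matches whatever address the client connects from.
            if not any(acl_type.get(a) == "src" and a != "all" for a in acls):
                findings.append((line_no, rule, "not limited to a client source"))
    return findings


if __name__ == "__main__":
    for line_no, rule, reason in audit_http_access(SAMPLE_CONF):
        print(f"line {line_no}: {rule}  <- {reason}")
```

Squid evaluates `http_access` rules in order and stops at the first match, so a flagged `allow` placed ahead of `http_access allow mynetwork` applies before the source restriction is ever consulted.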
-
Re: Squid has gone kaput
foo wrote:
> Mark Adams wrote:
>>>
>>> So a browser on the same system as squid works, but browsers on external
>>> systems do not contact squid at all.
>>
>> That is correct -- clients receive a time out.
>>
>>>
>>> Are you using explicit proxy settings in the external browsers
>>> or are you redirecting port 80 to 3128 (or 8080) via iptables
>>> on your internal interface.
>>> (redirecting via iptables makes it a transparent proxy).
>>
>> I am configuring the connection settings in the browser to connect to
>> the proxy on port 8080. I am identifying the proxy server by IP
>> address. I've tried it by hostname and that hostname does appear in
>> the client's hosts file, but it makes no difference. I'm sticking
>> with IP just because I have a wee bit more faith in it.
>
> Does 'netstat -an | grep -i listen | grep 8080' show your squid
> listening on the correct IP address.
>
> If not, you should use ip:port for http_port (instead of just port).
>
No, I checked that earlier -- squid is listening on 8080.
BTW, it's resolved. See my other message.
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
"I don't mind going nowhere as long as it's an interesting path."
-- Ronald Mabbitt
-
RESOLVED: Re: Squid has gone kaput
This is just a bump because I forgot to put "RESOLVED" in the subject.
Sorry to waste the space.
Mark Adams wrote:
> foo wrote:
>> Mark Adams wrote:
>>> foo wrote:
>>>> Mark Adams wrote:
>>>>>>
>>> snip!
>>>
>>> Before we get started, I tinkered with the config enough to get the
>>> proxy to work from the server -- I can configure Firefox to use the
>>> proxy and browse as expected. Here are the lines I inserted/altered
>>> to get it to work:
>>>
>>> http_access allow manager localhost
>>> http_access allow Safe_ports
>>> ######http_access deny manager <<<<<<< commented out
>>> # Deny requests to unknown ports
>>> ######http_access deny !Safe_ports
>>> http_access allow !Safe_ports <<<<<<<<< Changed it to allow
>>> # Deny CONNECT to other than SSL ports
>>> ######http_access deny CONNECT !SSL_ports
>>> http_access allow CONNECT !SSL_ports <<<<<<<<< Changed it to allow
>>> http_access allow mynetwork
>>>
>>> Still can't browse through the proxy from the client.
>>>
>>
>> One more thing, try "always_direct allow all".
>> I forgot about that one.
>
> Okay, hold the phone:
>
> In an effort to do SOMETHING on my end, I exported the proxy into my
> environment (export http_proxy="http://192.168.1.105:8080") on the
> client and fired up Lynx just to see what would happen.
>
> Guess what -- Lynx had no problem browsing the Internet.
>
> Given this, I suspected Firefox as the culprit. I fired up Mozilla
> Seamonkey and configured the proxy connection in it. Surely the fact
> that these are both built around the Gecko engine (at least I think they
> still are) will tell the tale. It worked just fine. Grrr.
>
> Same thing with Konqueror. Grrr, grrr.
>
> Back to Firefox. I disabled Foxyproxy -- and lo, the angels did smile
> and it worketh like the most slippery of owl mucus.
>
> So what we appear to have here is a bug in a Firefox add-on. I'm
> tempted to complain somewhere, but I'm too tired. I've fought this thing
> all day and I'm just done.
>
> Foo, thanks for holding my hand through this. I appreciate your
> patience. The suggestions you made were good ones. It's been more than a
> year since I set Squid/squidGuard up and I learned a little by
> revisiting them today. Bottom line: Squid is caching and squidGuard is
> redirect... er rewriting urls.
>
> Have a good one, and thanks again.
>
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
My life is a patio of fun!
-
Re: Squid has gone kaput
Mark Adams wrote:
> # squidGuard -d -c /etc/squid/squidGuard.conf
> 2007-04-04 21:18:07 [13163] init iplist
> /usr/share/squidGuard-1.2.0/db/privilegedsource/ips
> 2007-04-04 21:18:07 [13163] init domainlist
> /usr/share/squidGuard-1.2.0/db/ads/domains
> 2007-04-04 21:18:07 [13163] loading dbfile
> /usr/share/squidGuard-1.2.0/db/ads/domains.db
> 2007-04-04 21:18:07 [13163] init urllist
> /usr/share/squidGuard-1.2.0/db/ads/urls
> 2007-04-04 21:18:07 [13163] loading dbfile
> /usr/share/squidGuard-1.2.0/db/ads/urls.db
> 2007-04-04 21:18:07 [13163] init domainlist
> /usr/share/squidGuard-1.2.0/db/aggressive/domains
> 2007-04-04 21:18:07 [13163] loading dbfile
> /usr/share/squidGuard-1.2.0/db/aggressive/domains.db
It looks like you are using the blacklist from
These haven't been updated since 2005-11-19, so may not be much use any
more! I've changed over to
Mark Atherton
-
Re: Squid has gone kaput
Mark Atherton wrote:
> Mark Adams wrote:
>> # squidGuard -d -c /etc/squid/squidGuard.conf
>> 2007-04-04 21:18:07 [13163] init iplist
>> /usr/share/squidGuard-1.2.0/db/privilegedsource/ips
>> 2007-04-04 21:18:07 [13163] init domainlist
>> /usr/share/squidGuard-1.2.0/db/ads/domains
>> 2007-04-04 21:18:07 [13163] loading dbfile
>> /usr/share/squidGuard-1.2.0/db/ads/domains.db
>> 2007-04-04 21:18:07 [13163] init urllist
>> /usr/share/squidGuard-1.2.0/db/ads/urls
>> 2007-04-04 21:18:07 [13163] loading dbfile
>> /usr/share/squidGuard-1.2.0/db/ads/urls.db
>> 2007-04-04 21:18:07 [13163] init domainlist
>> /usr/share/squidGuard-1.2.0/db/aggressive/domains
>> 2007-04-04 21:18:07 [13163] loading dbfile
>> /usr/share/squidGuard-1.2.0/db/aggressive/domains.db
>
> It looks like you are using the blacklist from
>
>
>
>
> These haven't been updated since 2005-11-19, so may not be much use any
> more! I've changed over to
>
>
>
> Mark Atherton
Ah, thanks for the tip. I have made that change in my script.
--
Mark E. Adams, 2004 -- drop the "dot" to email me.
http://adamslan.shyper.com -*- Mandriva User# 263042
CONSIDER: ===========---------,,,,,,,,,............. . . . . .
A man does not look behind the door unless he has stood there himself.
-- Du Bois