Squid: Does not accept external connections

2

Clients in the 172.16.0.0/12 network cannot use the SQUID proxy. Any idea what could be causing this?

$ curl --proxy 172.20.0.20:3128 www.google.com -I
curl: (56) Recv failure: Connection reset by peer

The same command run from the Squid server itself works fine.

root@SQUID-SRV01:# curl --proxy 172.20.0.20:3128 www.google.com -I
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8

Configuration:

acl localhost src 127.0.0.1/32 ::1
acl localnet src 172.16.0.0/12
acl Safe_ports port 80
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access allow localhost
http_access allow localnet
http_access deny all

http_port 172.20.0.20:3128

access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

Tcpdump and netstat:

root@SQUID-SRV01:# netstat -naop | grep :3128
tcp        0      0 172.20.0.20:3128       0.0.0.0:*               LISTEN      17454/(squid-1)  off (0.00/0/0)

root@SQUID-SRV01:# tcpdump port 3128 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
14:30:53.463935 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [S], seq 2612553964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:30:53.464031 IP SQUID-SRV01.3128 > 172.26.0.11.58301: Flags [S.], seq 4099169320, ack 2612553965, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:30:53.464453 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [.], ack 1, win 256, length 0
14:30:53.465041 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [R.], seq 1, ack 1, win 256, length 0

Cache log:

2016/08/15 14:23:56 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2016/08/15 14:23:56 kid1| Service Name: squid
2016/08/15 14:23:56 kid1| Process ID 17454
2016/08/15 14:23:56 kid1| Process Roles: worker
2016/08/15 14:23:56 kid1| With 65535 file descriptors available
2016/08/15 14:23:56 kid1| Initializing IP Cache...
2016/08/15 14:23:56 kid1| DNS Socket created at [::], FD 6
2016/08/15 14:23:56 kid1| DNS Socket created at 0.0.0.0, FD 8
2016/08/15 14:23:56 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2016/08/15 14:23:56 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2016/08/15 14:23:56 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2016/08/15 14:23:56 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2016/08/15 14:23:56 kid1| Store logging disabled
2016/08/15 14:23:56 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2016/08/15 14:23:56 kid1| Target number of buckets: 1008
2016/08/15 14:23:56 kid1| Using 8192 Store buckets
2016/08/15 14:23:56 kid1| Max Mem  size: 262144 KB
2016/08/15 14:23:56 kid1| Max Swap size: 0 KB
2016/08/15 14:23:56 kid1| Using Least Load store dir selection
2016/08/15 14:23:56 kid1| Current Directory is /
2016/08/15 14:23:56 kid1| Finished loading MIME types and icons.
2016/08/15 14:23:56 kid1| HTCP Disabled.
2016/08/15 14:23:56 kid1| Pinger socket opened on FD 13
2016/08/15 14:23:56 kid1| Squid plugin modules loaded: 0
2016/08/15 14:23:56 kid1| Adaptation support is off.
2016/08/15 14:23:56 kid1| Accepting HTTP Socket connections at local=172.20.0.20:3128 remote=[::] FD 11 flags=9
2016/08/15 14:23:56| pinger: Initialising ICMP pinger ...
2016/08/15 14:23:56| pinger: ICMP socket opened.
2016/08/15 14:23:56| pinger: ICMPv6 socket opened
2016/08/15 14:23:57 kid1| storeLateRelease: released 0 objects

access.log contains no entries for the clients.

Eplox

Answers:

0

Answer: A layer 7 IPS firewall between the client and the SQUID server was resetting the connections, because web browsing was not associated with TCP port 3128 by default. Fixed the problem by changing the application filter.

Eplox
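As an added example (not code from the original post or from Squid), the following Python script applies the reasoning behind the capture and the answer above: it parses tcpdump lines in the format shown in the question and flags flows where the three-way handshake completes but a RST arrives before a single request byte, which is how an inline IPS tearing the session down looks from the server and why access.log stays empty, as opposed to a RST answering the SYN (nothing listening) or a reset after data. The sample input is the question's four packets plus one constructed flow; the verdict strings are this example's own.

```python
import re
from collections import defaultdict

# Matches the default tcpdump line format shown in the question.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
                     r"Flags \[(?P<flags>[^\]]+)\].*length (?P<len>\d+)$")

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def classify_flows(lines):
    """Return {(endpoint_a, endpoint_b): verdict} for every TCP flow in the dump."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            key = tuple(sorted((m["src"], m["dst"])))
            flows[key].append((_seconds(m["ts"]), m["flags"], int(m["len"])))
    verdicts = {}
    for key, pkts in flows.items():
        pkts.sort()
        flags = [f for _, f, _ in pkts]
        payload = sum(n for _, _, n in pkts)
        handshake = "S" in flags and "S." in flags and "." in flags
        rst_at = next((t for t, f, _ in pkts if "R" in f), None)
        if rst_at is None:
            verdicts[key] = "ok: data exchanged" if payload else "ok: no reset seen"
        elif not handshake:
            verdicts[key] = "refused: RST answered the SYN (nothing listening)"
        elif payload == 0:
            # Handshake completed, then a RST before any request byte: Squid
            # never saw a request (hence the empty access.log). A reset this
            # early, carrying the client's address, points at an inline device.
            delay_ms = (rst_at - pkts[0][0]) * 1000
            verdicts[key] = f"reset {delay_ms:.1f} ms after SYN, no payload: suspect inline device"
        else:
            verdicts[key] = "reset after data: application-level close"
    return verdicts

# Constructed sample: the question's four packets plus a made-up flow that carried a request.
SAMPLE = """\
14:30:53.463935 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [S], seq 2612553964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:30:53.464031 IP SQUID-SRV01.3128 > 172.26.0.11.58301: Flags [S.], seq 4099169320, ack 2612553965, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:30:53.464453 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [.], ack 1, win 256, length 0
14:30:53.465041 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [R.], seq 1, ack 1, win 256, length 0
14:31:02.100000 IP 172.20.0.20.40000 > SQUID-SRV01.3128: Flags [S], seq 1, win 8192, length 0
14:31:02.100100 IP SQUID-SRV01.3128 > 172.20.0.20.40000: Flags [S.], seq 2, ack 2, win 29200, length 0
14:31:02.100200 IP 172.20.0.20.40000 > SQUID-SRV01.3128: Flags [P.], seq 1:80, ack 1, win 256, length 79
""".splitlines()
```

Run it as `for flow, v in classify_flows(SAMPLE).items(): print(flow, v)` against a real `tcpdump -n port 3128` capture to separate resets injected in the path from plain connection refusals.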