Squid parando [RESOLVIDO]

1. Squid parando [RESOLVIDO]

Vinicius Mathias
viniciusmathias

(usa CentOS)

Enviado em 12/08/2013 - 17:16h

Boa tarde, estou tendo problema com meu squid aqui na empresa apos um tempo ele para de trafegar as informações isso é o estado dele aparece como ativo mas da erro na internet como se ele parasse, só voltando ao executar o dar um restart no serviço, não sei oque está acontecendo começou na semana passada
já troquei de pc para testar mas está acontecendo a mesma coisas depois de um tempo ele para.

Quando parou e deu um service squid status isso é oque apareceu :

linux:/scripts # service squid status
squid.service - Squid caching proxy
Loaded: loaded (/lib/systemd/system/squid.service; enabled)
Active: active (running) since Mon, 12 Aug 2013 16:36:33 -0300; 27min ago
Process: 16116 ExecStop=/usr/sbin/squid -F -N -k shutdown -f /etc/squid/squid.conf (code=exited, status=0/SUCCESS)
Process: 1918 ExecReload=/usr/sbin/squid -F -N $SQUID_START_OPTIONS -k reconfigure -f /etc/squid/squid.conf (code=exited, status=0/SUCCESS)
Process: 16119 ExecStartPre=/usr/sbin/squid_cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 16126 (squid)
CGroup: name=systemd:/system/squid.service
â 16126 /usr/sbin/squid -F -N -sY -f /etc/squid/squid.conf
â 16127 (unlinkd)

Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:24 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 20: (2) No such file or directory


Abaixo o meu squid config:

http_port 3128 intercept
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl redelocal src 192.168.6.0/24
acl supervisor src "/etc/squid/acessototal"
acl acessoyoutube src "/etc/squid/acessoyoutube"
acl acessorestrito src "/etc/squid/acessorestrito"
acl acessonegado src "/etc/squid/acessodeny"
acl youtube dstdom_regex -i "/etc/squid/youtube.urlregex"
acl excessoes dstdom_regex -i "/etc/squid/excessoes.urlregex"
acl proibirsempre dstdom_regex -i "/etc/squid/proibirsempre.urlregex"
acl proibirexpediente dstdom_regex -i "/etc/squid/proibirexpediente.urlregex"
acl negadownload urlpath_regex -i "/etc/squid/negadownload.urlregex"
acl conectividade src "/etc/squid/conectividade"
acl conectividade1 dstdomain "/etc/squid/conectividade1"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl expediente time MTWHF 7:42-17:30
acl turno2 time MTWHF 18:00-22:00
acl almoco time MTWHF 12:30-13:40
acl CONNECT method CONNECT
http_access deny acessonegado
http_access allow supervisor
http_access allow excessoes
http_access allow youtube acessoyoutube
#Horarios
http_access allow proibirexpediente almoco
http_access deny proibirexpediente expediente
http_access deny proibirexpediente turno2
http_access allow acessorestrito turno2
#---
http_access deny proibirsempre
http_access deny negadownload
http_access allow acessorestrito almoco
http_access deny acessorestrito expediente
http_access allow conectividade
http_access allow conectividade1
http_access allow manager localhost
http_access allow redelocal
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

cache_dir aufs /squid 1024 16 256

coredump_dir /squid
#-------------------------------------------------
# tamanho de objetos em memoria e disco

maximum_object_size_in_memory 512 KB
maximum_object_size 64 MB
minimum_object_size 0 KB

# quais o rate para objetos devem serem swapados
cache_swap_low 90
cache_swap_high 95

# Ajuste Memoria otimizacao
memory_pools on
memory_pools_limit 64 MB

memory_replacement_policy heap GDSF

cache_replacement_policy heap LFUDA

error_directory /etc/squid/errors/
cache_mgr [email protected]
visible_hostname serv-spo-fwl.agristar.com.br
access_log /etc/squid/log/access.log

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320




  


2. Re: Squid parando [RESOLVIDO]

Takahashi
signout

(usa Slackware)

Enviado em 12/08/2013 - 19:41h

Boas....
Achei isto na net...

>> getsockopt(SO_ORIGINAL_DST) failed on FD 12: (2) No such file or
>> directory


This is a major problem. Either your NAT system is broken or the
connection did not traverse the NAT system at all (direct use of port
3128 as forward proxy port).

When you move up to the next Squid versions with Host: security
supported this will reject every one of these connections instead of
just warning.

The current Squid 3.1 and older _assume_ that the IPs given by the OS
connection setup were real and a forward-proxy connection made. This
could be filling your logs with garbage IP addresses.

Particularly, the incoming packets can be seen by Squid as coming
from the box the NAT was performed on. I suspect this is why you are
placing "http_access allow proxy" at the top of your config. Essentially
allowing a blanket free access to anyone who can figure out how to avoid
your NAT and contact the proxy directly.
(NP: the "allow localhost" rule should also go down next to "allow
clientes_registrados" if you actually need it after fixing the NAT).

The recommended config is to have two http_port entries, one for
forward-proxy requests (3128) and another (secret random port) for NAT
intercepted connections. The NAT receiving port should be firewalled
such that nothing coming from outside the firewall software can reach it
(iptables mangle table DROP).
See the recently updated config at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Segue o link da discussão. espero que ajude.

http://squid-web-proxy-cache.1019090.n4.nabble.com/Facebook-page-very-slow-to-respond-td3885728.html


3. Re: Squid parando [RESOLVIDO]

Buckminster
Buckminster

(usa Debian)

Enviado em 12/08/2013 - 20:45h

Execute squid -v (para ver a versão do Squid) e posta aqui a saída desse comando.


4. Re: Squid parando [RESOLVIDO]

André Canhadas
andrecanhadas

(usa Debian)

Enviado em 12/08/2013 - 20:52h

Buckminster escreveu:

Execute squid -v (para ver a versão do Squid) e posta aqui a saída desse comando.


Aparentemente ele não esta usando o squid3 e o parametro intercept é apenas usado no squid3

se estiver usando o squid 2.xxx troque #http_port 3128 intercept por http_port 3128 transparent


5. Re: Squid parando [RESOLVIDO]

Buckminster
Buckminster

(usa Debian)

Enviado em 12/08/2013 - 23:56h

andrecanhadas escreveu:

Buckminster escreveu:

Execute squid -v (para ver a versão do Squid) e posta aqui a saída desse comando.


Aparentemente ele não esta usando o squid3 e o parametro intercept é apenas usado no squid3

se estiver usando o squid 2.xxx troque #http_port 3128 intercept por http_port 3128 transparent


Não.

No Squid 3.0 ainda é transparent, a partir do Squid 3.1 é intercept.


6. Re: Squid parando [RESOLVIDO]

Vinicius Mathias
viniciusmathias

(usa CentOS)

Enviado em 14/08/2013 - 15:08h

Boa tarde desculpe a demora, sim é Squid 3 eu usava o intercept mas para teste coloquei o transparente, mas acreditem ou não o erro estava dando por causa do bloqueio no firewall do Facebook onde tinha a porta 80 tbem eu deixei apenas o 443 e parou de me apresentar problema, abaixo a linhas:

hora=`/bin/date +%H%M`
if `[ "$hora" -gt "0759" ] && [ "$hora" -lt "1229" ] || [ "$hora" -gt "1359" ] && [ "$hora" -lt "1729" ] || [ "$hora" -gt "1800" ] && [ "$hora" -lt "2200" ] `;then
op=1;
else
op=2;
fi

sucesso && printf "Sites HTTPS...."
permitidos=$(egrep -v "(^#|^$)" /etc/squid/acessototal)
permface=$(egrep -v "(^#|^$)" /etc/squid/acessoface)
permitidos="$permitidos $permface"

##BLOQUEIO DO FACEBOOK
FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"
iptables -N FACEBOOK
## FACEBOOK DENY
for face in $FACEBOOK_IP_RANGE; do
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 443 -j FACEBOOK
#iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 80 -j FACEBOOK
done
FACEBOOK_ALLOW="$permitidos" #MSR_LIBERADO
for MSR_LIBERADO in $FACEBOOK_ALLOW; do
iptables -I FACEBOOK -s $MSR_LIBERADO -j ACCEPT
done

if [ $op -eq "1" ];then
echo "Bloqueando"
iptables -A FACEBOOK -j REJECT
fi

if [ $op -eq "2" ];then
echo "Liberando"
iptables -A FACEBOOK -j ACCEPT


fi

Observem que deixei comentado o 80 agora.


7. Re: Squid parando [RESOLVIDO]

André Canhadas
andrecanhadas

(usa Debian)

Enviado em 14/08/2013 - 20:52h

Resolveu ok marque como resolvido para ajudar que procura por uma solução para o mesmo problema






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner
Linux banner
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts