Squid stopping [SOLVED]

1. Squid stopping [SOLVED]

Vinicius Mathias
viniciusmathias

(uses CentOS)

Sent on 12/08/2013 - 17:16h

Good afternoon. I'm having a problem with my Squid here at the company: after a while it stops passing traffic. Its status shows as active, but the internet gives errors as if it had stopped, and it only comes back when I restart the service. I don't know what is going on; it started last week.
I've already switched PCs to test, but the same thing happens: after a while it stops.

When it stopped and I ran service squid status, this is what appeared:

linux:/scripts # service squid status
squid.service - Squid caching proxy
Loaded: loaded (/lib/systemd/system/squid.service; enabled)
Active: active (running) since Mon, 12 Aug 2013 16:36:33 -0300; 27min ago
Process: 16116 ExecStop=/usr/sbin/squid -F -N -k shutdown -f /etc/squid/squid.conf (code=exited, status=0/SUCCESS)
Process: 1918 ExecReload=/usr/sbin/squid -F -N $SQUID_START_OPTIONS -k reconfigure -f /etc/squid/squid.conf (code=exited, status=0/SUCCESS)
Process: 16119 ExecStartPre=/usr/sbin/squid_cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 16126 (squid)
CGroup: name=systemd:/system/squid.service
├─ 16126 /usr/sbin/squid -F -N -sY -f /etc/squid/squid.conf
└─ 16127 (unlinkd)

Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 32: (2) No such file or directory
Aug 12 17:04:20 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 33: (2) No such file or directory
Aug 12 17:04:24 linux squid[16126]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 20: (2) No such file or directory


Below is my squid config:

http_port 3128 intercept
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl redelocal src 192.168.6.0/24
acl supervisor src "/etc/squid/acessototal"
acl acessoyoutube src "/etc/squid/acessoyoutube"
acl acessorestrito src "/etc/squid/acessorestrito"
acl acessonegado src "/etc/squid/acessodeny"
acl youtube dstdom_regex -i "/etc/squid/youtube.urlregex"
acl excessoes dstdom_regex -i "/etc/squid/excessoes.urlregex"
acl proibirsempre dstdom_regex -i "/etc/squid/proibirsempre.urlregex"
acl proibirexpediente dstdom_regex -i "/etc/squid/proibirexpediente.urlregex"
acl negadownload urlpath_regex -i "/etc/squid/negadownload.urlregex"
acl conectividade src "/etc/squid/conectividade"
acl conectividade1 dstdomain "/etc/squid/conectividade1"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl expediente time MTWHF 7:42-17:30
acl turno2 time MTWHF 18:00-22:00
acl almoco time MTWHF 12:30-13:40
acl CONNECT method CONNECT
http_access deny acessonegado
http_access allow supervisor
http_access allow excessoes
http_access allow youtube acessoyoutube
#Horarios
http_access allow proibirexpediente almoco
http_access deny proibirexpediente expediente
http_access deny proibirexpediente turno2
http_access allow acessorestrito turno2
#---
http_access deny proibirsempre
http_access deny negadownload
http_access allow acessorestrito almoco
http_access deny acessorestrito expediente
http_access allow conectividade
http_access allow conectividade1
http_access allow manager localhost
http_access allow redelocal
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

cache_dir aufs /squid 1024 16 256

coredump_dir /squid
#-------------------------------------------------
# object size limits in memory and on disk

maximum_object_size_in_memory 512 KB
maximum_object_size 64 MB
minimum_object_size 0 KB

# fill levels (percent) at which objects start being swapped out of the cache
cache_swap_low 90
cache_swap_high 95

# Memory tuning
memory_pools on
memory_pools_limit 64 MB

memory_replacement_policy heap GDSF

cache_replacement_policy heap LFUDA

error_directory /etc/squid/errors/
cache_mgr ti@agristar.com.br
visible_hostname serv-spo-fwl.agristar.com.br
access_log /etc/squid/log/access.log

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320




  


2. Re: Squid stopping [SOLVED]

Takahashi
signout

(uses Slackware)

Sent on 12/08/2013 - 19:41h

Hi....
I found this on the net...

>> getsockopt(SO_ORIGINAL_DST) failed on FD 12: (2) No such file or
>> directory


This is a major problem. Either your NAT system is broken or the
connection did not traverse the NAT system at all (direct use of port
3128 as forward proxy port).

When you move up to the next Squid versions with Host: security
supported this will reject every one of these connections instead of
just warning.

The current Squid 3.1 and older _assume_ that the IPs given by the OS
connection setup were real and a forward-proxy connection made. This
could be filling your logs with garbage IP addresses.

Particularly, the incoming packets can be seen by Squid as coming
from the box the NAT was performed on. I suspect this is why you are
placing "http_access allow proxy" at the top of your config. Essentially
allowing a blanket free access to anyone who can figure out how to avoid
your NAT and contact the proxy directly.
(NP: the "allow localhost" rule should also go down next to "allow
clientes_registrados" if you actually need it after fixing the NAT).

The recommended config is to have two http_port entries, one for
forward-proxy requests (3128) and another (secret random port) for NAT
intercepted connections. The NAT receiving port should be firewalled
such that nothing coming from outside the firewall software can reach it
(iptables mangle table DROP).
See the recently updated config at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Here is the link to the discussion. I hope it helps.

http://squid-web-proxy-cache.1019090.n4.nabble.com/Facebook-page-very-slow-to-respond-td3885728.html
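The quoted reply recommends two http_port entries with the NAT intercept port firewalled so that only NATed traffic reaches it, and the config in the first post also has a separate ordering problem: `http_access allow redelocal` (and `allow supervisor`) come before `deny !Safe_ports` and `deny CONNECT !SSL_ports`, so the port checks never apply to the local network. The script below is an added example, not code from this thread or from the Squid project. It prints a squid.conf skeleton with both ports and the denies in Squid's default order, prints the matching iptables rules (the DROP on the intercept port lives in the mangle table, as the reply suggests), and audits an http_access list for the ordering problem. The LAN 192.168.6.0/24 and port 3128 are taken from the posted config; the proxy address 192.168.6.1 and the intercept port 3129 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the proxy's LAN address is
# 192.168.6.1 and the intercept port is 3129; LAN and port 3128 come from the post.
LAN="${LAN:-192.168.6.0/24}"
PROXY_IP="${PROXY_IP:-192.168.6.1}"
FWD_PORT="${FWD_PORT:-3128}"
NAT_PORT="${NAT_PORT:-3129}"

# squid.conf skeleton: a normal forward-proxy port for browsers configured to
# use the proxy, and a separate intercept port bound to the LAN address that
# only NATed traffic should reach. The port-safety denies precede every broad allow.
squid_ports_conf() {
cat <<EOF
http_port ${FWD_PORT}
http_port ${PROXY_IP}:${NAT_PORT} intercept
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
acl localhost src 127.0.0.1/32 ::1
acl redelocal src ${LAN}
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow redelocal
http_access deny all
EOF
}

# iptables commands for the DNAT side. The proxy's own port-80 traffic is
# excluded so it is never redirected back into Squid. mangle PREROUTING runs
# before nat PREROUTING, so a client packet that will be redirected still shows
# dport 80 there and passes, while a packet sent straight to NAT_PORT (bypassing
# the NAT, which is what produces the SO_ORIGINAL_DST warning) is dropped.
iptables_rules() {
cat <<EOF
iptables -t nat -A PREROUTING -s ${PROXY_IP} -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -s ${LAN} -p tcp --dport 80 -j DNAT --to-destination ${PROXY_IP}:${NAT_PORT}
iptables -t mangle -A PREROUTING -p tcp --dport ${NAT_PORT} -j DROP
EOF
}

# Audit http_access ordering read from stdin: exit 1 if 'deny !Safe_ports' or
# 'deny CONNECT !SSL_ports' is missing or comes after an allow line
# (the manager allow is ignored, as in Squid's default config).
audit_http_access() {
awk '
/^[ \t]*http_access[ \t]+allow/ && $3 != "manager" && !first_allow { first_allow = NR }
/^[ \t]*http_access[ \t]+deny[ \t]+!Safe_ports/ { safe = NR }
/^[ \t]*http_access[ \t]+deny[ \t]+CONNECT[ \t]+!SSL_ports/ { ssl = NR }
END {
    bad = 0
    if (!safe || (first_allow && first_allow < safe)) { print "deny !Safe_ports missing or after an allow"; bad = 1 }
    if (!ssl  || (first_allow && first_allow < ssl))  { print "deny CONNECT !SSL_ports missing or after an allow"; bad = 1 }
    exit bad
}'
}

# Constructed sample: the relevant http_access order from the posted config.
POSTED_ORDER='http_access allow supervisor
http_access allow redelocal
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all'

if [ "${1:-}" = "--apply" ]; then
    iptables_rules | sh -e          # run as root on the proxy itself
else
    squid_ports_conf; echo; iptables_rules; echo
    printf '%s\n' "$POSTED_ORDER" | audit_http_access || echo "posted order: port checks are bypassed"
    squid_ports_conf | audit_http_access && echo "generated order: ok"
fi
```

Run without arguments it only prints; `--apply` pipes the rules into a shell. The audit treats any non-manager allow that precedes the two port denies as a bypass, which is exactly the case in the posted config: a supervisor or any host on the local network could CONNECT to arbitrary ports through the proxy.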


3. Re: Squid stopping [SOLVED]

Buckminster
Buckminster

(uses Debian)

Sent on 12/08/2013 - 20:45h

Run squid -v (to see the Squid version) and post the output of that command here.


4. Re: Squid stopping [SOLVED]

André Canhadas
andrecanhadas

(uses Debian)

Sent on 12/08/2013 - 20:52h

Buckminster wrote:

Run squid -v (to see the Squid version) and post the output of that command here.


Apparently he is not using squid3, and the intercept parameter is only used in squid3.

If you are using squid 2.xxx, change #http_port 3128 intercept to http_port 3128 transparent.


5. Re: Squid stopping [SOLVED]

Buckminster
Buckminster

(uses Debian)

Sent on 12/08/2013 - 23:56h

andrecanhadas wrote:

Buckminster wrote:

Run squid -v (to see the Squid version) and post the output of that command here.


Apparently he is not using squid3, and the intercept parameter is only used in squid3.

If you are using squid 2.xxx, change #http_port 3128 intercept to http_port 3128 transparent.


No.

In Squid 3.0 it is still transparent; from Squid 3.1 on it is intercept.


6. Re: Squid stopping [SOLVED]

Vinicius Mathias
viniciusmathias

(uses CentOS)

Sent on 14/08/2013 - 15:08h

Good afternoon, sorry for the delay. Yes, it is Squid 3. I was using intercept, but for testing I switched to transparent. Believe it or not, though, the error was being caused by the Facebook block in the firewall, which also covered port 80. I left only 443 and it stopped giving me problems. The lines are below:

hora=`/bin/date +%H%M`
# op=1 (block) inside the working-hour windows, op=2 (allow) outside them.
# Each window is grouped so that && does not bind across the || boundaries.
if { [ "$hora" -gt "0759" ] && [ "$hora" -lt "1229" ]; } || \
   { [ "$hora" -gt "1359" ] && [ "$hora" -lt "1729" ]; } || \
   { [ "$hora" -gt "1800" ] && [ "$hora" -lt "2200" ]; }; then
op=1
else
op=2
fi

sucesso && printf "HTTPS sites...."   # sucesso: helper defined elsewhere in the full firewall script
# source addresses that may always reach Facebook (same lists the Squid ACLs use)
permitidos=$(egrep -v "(^#|^$)" /etc/squid/acessototal)
permface=$(egrep -v "(^#|^$)" /etc/squid/acessoface)
permitidos="$permitidos $permface"

##FACEBOOK BLOCK
FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"
iptables -N FACEBOOK 2>/dev/null   # the chain may already exist when the script is re-run
## FACEBOOK DENY: send forwarded HTTPS traffic to Facebook's ranges through the FACEBOOK chain
for face in $FACEBOOK_IP_RANGE; do
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 443 -j FACEBOOK
# port 80 left commented out: matching it here was what caused the Squid errors
#iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 80 -j FACEBOOK
done
FACEBOOK_ALLOW="$permitidos" #MSR_LIBERADO
for MSR_LIBERADO in $FACEBOOK_ALLOW; do
iptables -I FACEBOOK -s "$MSR_LIBERADO" -j ACCEPT
done

if [ "$op" -eq 1 ]; then
echo "Blocking"
iptables -A FACEBOOK -j REJECT
fi

if [ "$op" -eq 2 ]; then
echo "Allowing"
iptables -A FACEBOOK -j ACCEPT
fi

Note that I have now left port 80 commented out.


7. Re: Squid stopping [SOLVED]

André Canhadas
andrecanhadas

(uses Debian)

Sent on 14/08/2013 - 20:52h

Solved, OK. Mark it as solved to help whoever is looking for a solution to the same problem.





