Проблема с прозрачным прокси.

[profil]

Здравствуйте уважаемые.
У меня возникла одна проблема с прокси сервером squid
Решил я настроит SAMS+SQUID вроде настроил но вот не как не хочет работать прозрачность
вот конфиги
pf.conf

Код: Выделить всё

int_if="xl0"
ext_tun="tun0"
 
set skip on lo0
set skip on $int_if
set block-policy return
scrub in all
 
nat on $ext_tun from !($ext_tun) -> ($ext_tun:0)
rdr on $int_if inet proto tcp from any to any port 80 -> 192.168.30.1 port 8081
 
block all
pass out inet keep state

pass quick on $int_if keep state
antispoof quick for { lo $int_if }
 
pass in on $ext_tun proto tcp to ($ext_tun) port ssh
pass in on $ext_tun proto tcp to ($ext_tun) port ftp
pass out log on $ext_tun proto tcp from ($ext_tun) to port smtp

squid.conf

Код: Выделить всё

acl _sams_default src "/usr/local/etc/squid/default.sams"
acl _sams_default_time time MTWHFAS 00:00-23:00
acl _sams_4f151dff393de src "/usr/local/etc/squid/4f151dff393de.sams"
acl _sams_4f151dff393de_time time MTWHFAS 00:00-23:59
acl _sams_4f1519230b5b6 urlpath_regex -i "/usr/local/etc/squid/4f1519230b5b6.sams"
acl _sams_chat url_regex "/usr/local/etc/squid/chat.sams"
acl _sams_porno url_regex "/usr/local/etc/squid/porno.sams"
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow _sams_default  !_sams_4f1519230b5b6 !_sams_chat !_sams_porno _sams_default_time
http_access allow _sams_4f151dff393de  _sams_4f151dff393de_time
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access deny all

icp_access allow localnet
icp_access deny all

http_port 8081 transparent

hierarchy_stoplist cgi-bin ?

access_log /var/squid/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

delay_pools 2
delay_class 1 2
delay_class 2 2
delay_access 1 allow _sams_4f151dff393de
delay_access 1 deny all
delay_parameters 1 2097152/2097152 1048576/1048576
delay_access 2 allow _sams_default
delay_access 2 deny all
delay_parameters 2 1048576/1048576 512000/512000

coredump_dir /var/squid/cache

sams.conf

Код: Выделить всё

[client]
SQUID_DB=squidlog
SAMS_DB=squidctrl
MYSQLHOSTNAME=127.0.0.1
MYSQLUSER=sams
MYSQLPASSWORD=qwerty
MYSQLVERSION=5.1
SQUIDCACHEFILE=access.log
SQUIDROOTDIR=/usr/local/etc/squid
SQUIDLOGDIR=/var/squid/logs
SQUIDCACHEDIR=/var/squid/cache
SAMSPATH=/usr/local
SQUIDPATH=/usr/local/sbin
#SQUIDGUARDLOGPATH=/var/log
#SQUIDGUARDDBPATH=/var/db/squidGuard
RECODECOMMAND=iconv -f KOI8-R -t 866 %finp > %fout.
#LDAPSERVER=servername_or_ipadress
#LDAPBASEDN=your.domain
#LDAPUSER=DomainAdministrator
#LDAPUSERPASSWD=passwd
#LDAPUSERSGROUP=Users
REJIKPATH=/usr/local/rejik
SHUTDOWNCOMMAND=/sbin/shutdown -h now
CACHENUM=0

логи squid

cache.log

Код: Выделить всё

CPU Usage: 0.064 seconds = 0.021 user + 0.042 sys
Maximum Resident Size: 4700 KB
Page faults with physical i/o: 0
2012/01/19 16:48:47| logfileClose: closing log /var/squid/logs/store.log
2012/01/19 16:48:47| logfileClose: closing log /var/squid/logs/access.log
2012/01/19 16:48:47| Squid Cache (Version 2.7.STABLE9): Exiting normally.
2012/01/19 16:48:47| Starting Squid Cache version 2.7.STABLE9 for i386-portbld-freebsd8.2...
2012/01/19 16:48:47| Process ID 23991
2012/01/19 16:48:47| With 11095 file descriptors available
2012/01/19 16:48:47| Using kqueue for the IO loop
2012/01/19 16:48:47| DNS Socket created at 0.0.0.0, port 23781, FD 6
2012/01/19 16:48:47| Adding domain rbs.loc from /etc/resolv.conf
2012/01/19 16:48:47| Adding nameserver xxx.xxx.xxx.1 from /etc/resolv.conf
2012/01/19 16:48:47| Adding nameserver xxx.xxx.xxx.3 from /etc/resolv.conf
2012/01/19 16:48:47| Adding nameserver xx.xx.xx.xx from /etc/resolv.conf
2012/01/19 16:48:47| logfileOpen: opening log /var/squid/logs/access.log
2012/01/19 16:48:47| Unlinkd pipe opened on FD 11
2012/01/19 16:48:47| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2012/01/19 16:48:47| Target number of buckets: 425
2012/01/19 16:48:47| Using 8192 Store buckets
2012/01/19 16:48:47| Max Mem  size: 8192 KB
2012/01/19 16:48:47| Max Swap size: 102400 KB
2012/01/19 16:48:47| logfileOpen: opening log /var/squid/logs/store.log
2012/01/19 16:48:47| Rebuilding storage in /var/squid/cache (CLEAN)
2012/01/19 16:48:47| Using Least Load store dir selection
2012/01/19 16:48:47| Set Current Directory to /var/squid/cache
2012/01/19 16:48:47| Loaded Icons.
2012/01/19 16:48:48| Accepting transparently proxied HTTP connections at 0.0.0.0, port 8081, FD 13.
2012/01/19 16:48:48| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2012/01/19 16:48:48| WCCP Disabled.
2012/01/19 16:48:48| Ready to serve requests.
2012/01/19 16:48:48| Done reading /var/squid/cache swaplog (26 entries)
2012/01/19 16:48:48| Finished rebuilding storage from disk.
2012/01/19 16:48:48|        26 Entries scanned
2012/01/19 16:48:48|         0 Invalid entries.
2012/01/19 16:48:48|         0 With invalid flags.
2012/01/19 16:48:48|        26 Objects loaded.
2012/01/19 16:48:48|         0 Objects expired.
2012/01/19 16:48:48|         0 Objects cancelled.
2012/01/19 16:48:48|         0 Duplicate URLs purged.
2012/01/19 16:48:48|         0 Swapfile clashes avoided.
2012/01/19 16:48:48|   Took 0.3 seconds (  77.8 objects/sec).
2012/01/19 16:48:48| Beginning Validation Procedure
2012/01/19 16:48:48|   Completed Validation Procedure
2012/01/19 16:48:48|   Validated 26 Entries
2012/01/19 16:48:48|   store_swap_size = 224k
2012/01/19 16:48:48| storeLateRelease: released 0 objects

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[skeletor]

а с чего взяли, что не работает? cache.log - вообще смысла приводить нету, нужно access.log, да и заодно
pfct -sn

[profil]

а с чего взяли, что не работает

Нет SQUID Работает если в ручную указать а вот прозрачным не хочет
access.log

Код: Выделить всё

1326965122.356    742 192.168.30.9 TCP_MISS/200 11280 GET http://r2.mail.ru/b14463253.png - DIRECT/94.100.191.214 image/png
1326965124.431   2171 192.168.30.9 TCP_MISS/200 581 GET http://rs.mail.ru/un? - DIRECT/94.100.187.191 image/gif
1326965124.446   1922 192.168.30.9 TCP_MISS/200 348 GET http://rs.mail.ru/d523187.gif - DIRECT/94.100.187.191 image/gif
1326965125.378   4357 192.168.30.9 TCP_MISS/200 392 GET http://mail.radar.imgsmail.ru/update? - DIRECT/217.69.129.191 image/gif
1326965125.380   2858 192.168.30.9 TCP_MISS/200 392 GET http://mail.radar.imgsmail.ru/update? - DIRECT/217.69.129.191 image/gif
1326965125.400   3643 192.168.30.9 TCP_MISS/200 392 GET http://mail.radar.imgsmail.ru/update? - DIRECT/217.69.129.191 image/gif
1326965125.414   4287 192.168.30.9 TCP_MISS/200 383 GET http://counter.yadro.ru/hit;mail-splash? - DIRECT/88.212.196.101 image/gif
1326965125.454   4351 192.168.30.9 TCP_MISS/200 692 GET http://swa.mail.ru/cgi-bin/counters? - DIRECT/94.100.187.70 application/x-javascript
1326965130.588      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/ - DIRECT/192.168.30.1 -
1326965130.826    178 192.168.30.9 TCP_MISS/200 1438 GET http://192.168.30.1:8080/sams/main.php? - DIRECT/192.168.30.1 text/html
1326965130.826     66 192.168.30.9 TCP_MISS/200 2827 GET http://192.168.30.1:8080/sams/tray.php? - DIRECT/192.168.30.1 text/html
1326965130.826    186 192.168.30.9 TCP_MISS/200 48229 GET http://192.168.30.1:8080/sams/lframe.php - DIRECT/192.168.30.1 text/html
1326965130.828      2 192.168.30.9 TCP_MISS/304 339 GET http://192.168.30.1:8080/sams/icon/classic/sams.gif - DIRECT/192.168.30.1 -
1326965130.828      2 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/tree.css - DIRECT/192.168.30.1 -
1326965131.020      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/user.jpg - DIRECT/192.168.30.1 -
1326965131.022      1 192.168.30.9 TCP_MISS/304 339 GET http://192.168.30.1:8080/sams/icon/classic/lframe.jpg - DIRECT/192.168.30.1 -
1326965131.023      2 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/usergroup_32.jpg - DIRECT/192.168.30.1 -
1326965131.024      2 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/user_32.jpg - DIRECT/192.168.30.1 -
1326965131.024      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/userpasswd_32.jpg - DIRECT/192.168.30.1 -
1326965131.029      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/trash_32.jpg - DIRECT/192.168.30.1 -
1326965131.035      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/logoff_32.jpg - DIRECT/192.168.30.1 -
1326965131.124      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2vertline.gif - DIRECT/192.168.30.1 -
1326965131.127      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2mlastnode.gif - DIRECT/192.168.30.1 -
1326965131.154      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2mnode.gif - DIRECT/192.168.30.1 -
1326965131.164      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2plastnode.gif - DIRECT/192.168.30.1 -
1326965131.214      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2pnode.gif - DIRECT/192.168.30.1 -
1326965131.214      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2blank.gif - DIRECT/192.168.30.1 -
1326965131.251      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2lastnode.gif - DIRECT/192.168.30.1 -
1326965131.252      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2node.gif - DIRECT/192.168.30.1 -
1326965131.253      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2folderclosed.gif - DIRECT/192.168.30.1 -
1326965131.257      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2folderopen.gif - DIRECT/192.168.30.1 -
1326965131.266      0 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/ftv2doc.gif - DIRECT/192.168.30.1 -
1326965131.270      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/earth.gif - DIRECT/192.168.30.1 -
1326965131.271      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/paddressbook.gif - DIRECT/192.168.30.1 -
1326965131.272      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/proxy.gif - DIRECT/192.168.30.1 -
1326965131.273      1 192.168.30.9 TCP_MISS/304 337 GET http://192.168.30.1:8080/sams/icon/classic/webinterface.gif - DIRECT/192.168.30.1 -
1326965131.296      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/ident.gif - DIRECT/192.168.30.1 -
1326965131.302      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/logoff_20.gif - DIRECT/192.168.30.1 -
1326965131.305      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/help.jpg - DIRECT/192.168.30.1 -
1326965131.308      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/floppy.gif - DIRECT/192.168.30.1 -
1326965131.308      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/log.gif - DIRECT/192.168.30.1 -
1326965131.309      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/monit.gif - DIRECT/192.168.30.1 -
1326965131.373      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/pfile.gif - DIRECT/192.168.30.1 -
1326965131.389      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/adir.gif - DIRECT/192.168.30.1 -
1326965131.389      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/stop.gif - DIRECT/192.168.30.1 -
1326965131.414      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/redirect.gif - DIRECT/192.168.30.1 -
1326965131.415      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/db.gif - DIRECT/192.168.30.1 -
1326965131.416      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/pobject.gif - DIRECT/192.168.30.1 -
1326965131.416      1 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/config_20.jpg - DIRECT/192.168.30.1 -
1326965131.419      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/pgroup.gif - DIRECT/192.168.30.1 -
1326965131.420      0 192.168.30.9 TCP_MISS/304 338 GET http://192.168.30.1:8080/sams/icon/classic/puser.gif - DIRECT/192.168.30.1 -

На этой машине прокси указан в ручную.
pfctl -sn

Код: Выделить всё

nat on tun0 inet from 192.168.30.1 to any -> (tun0) round-robin
rdr on xl0 inet proto tcp from any to any port = http -> 192.168.30.1 port 8081

[skeletor]

А что если заменить правило

Код: Выделить всё

rdr on $int_if inet proto tcp from any to any port 80 -> 192.168.30.1 port 8081

на такое

Код: Выделить всё

rdr on $int_if inet proto tcp from 192.168.0.0/24 to any port 80 -> 127.0.0.1 port 8081

[profil]

Я и так попробовал не в какую короче не знаю что и ковырять

[profil]

Проблема решилась тогда когда я убрал секцию

Код: Выделить всё

set skip on $int_if

Я как то не думал что если убрать проверку на внутреннем интерфейсе будет такое.

[noname]

TCP_MISS/304

>TCP_MISS/304 means is that it isn't in the Squid cache, but it
>is in your browser's cache. Your browser will submit a If-Modified-Since
>request to Squid, which will forward it on to the origin
>server. If the object hasn't been modified, it'll get a 304,
>which Squid will pass on to your browser. However, Squid doesn't
>have a copy itself, therefore TCP_MISS.