Answer: A Layer 7 IPS firewall between the client and the SQUID server was resetting the connections because web browsing was not associated with TCP port 3128 by default. Fixed the problem by changing the application filter.
Clients on the 172.16.0.0/12 network cannot use the SQUID proxy. Any idea what could be causing this?
$ curl --proxy 172.20.0.20:3128 www.google.com -I
curl: (56) Recv failure: Connection reset by peer
The same command from the squid server works fine.
root@SQUID-SRV01:# curl --proxy 172.20.0.20:3128 www.google.com -I
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Configuration:
acl localhost src 127.0.0.1/32 ::1
acl localnet src 172.16.0.0/12
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 172.20.0.20:3128
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
TCP dump & Netstat:
root@SQUID-SRV01:# netstat -naop | grep :3128
tcp 0 0 172.20.0.20:3128 0.0.0.0:* LISTEN 17454/(squid-1) off (0.00/0/0)
root@SQUID-SRV01:# tcpdump port 3128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
14:30:53.463935 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [S], seq 2612553964, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:30:53.464031 IP SQUID-SRV01.3128 > 172.26.0.11.58301: Flags [S.], seq 4099169320, ack 2612553965, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:30:53.464453 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [.], ack 1, win 256, length 0
14:30:53.465041 IP 172.26.0.11.58301 > SQUID-SRV01.3128: Flags [R.], seq 1, ack 1, win 256, length 0
Cache log:
2016/08/15 14:23:56 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2016/08/15 14:23:56 kid1| Service Name: squid
2016/08/15 14:23:56 kid1| Process ID 17454
2016/08/15 14:23:56 kid1| Process Roles: worker
2016/08/15 14:23:56 kid1| With 65535 file descriptors available
2016/08/15 14:23:56 kid1| Initializing IP Cache...
2016/08/15 14:23:56 kid1| DNS Socket created at [::], FD 6
2016/08/15 14:23:56 kid1| DNS Socket created at 0.0.0.0, FD 8
2016/08/15 14:23:56 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2016/08/15 14:23:56 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2016/08/15 14:23:56 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2016/08/15 14:23:56 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2016/08/15 14:23:56 kid1| Store logging disabled
2016/08/15 14:23:56 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2016/08/15 14:23:56 kid1| Target number of buckets: 1008
2016/08/15 14:23:56 kid1| Using 8192 Store buckets
2016/08/15 14:23:56 kid1| Max Mem size: 262144 KB
2016/08/15 14:23:56 kid1| Max Swap size: 0 KB
2016/08/15 14:23:56 kid1| Using Least Load store dir selection
2016/08/15 14:23:56 kid1| Current Directory is /
2016/08/15 14:23:56 kid1| Finished loading MIME types and icons.
2016/08/15 14:23:56 kid1| HTCP Disabled.
2016/08/15 14:23:56 kid1| Pinger socket opened on FD 13
2016/08/15 14:23:56 kid1| Squid plugin modules loaded: 0
2016/08/15 14:23:56 kid1| Adaptation support is off.
2016/08/15 14:23:56 kid1| Accepting HTTP Socket connections at local=172.20.0.20:3128 remote=[::] FD 11 flags=9
2016/08/15 14:23:56| pinger: Initialising ICMP pinger ...
2016/08/15 14:23:56| pinger: ICMP socket opened.
2016/08/15 14:23:56| pinger: ICMPv6 socket opened
2016/08/15 14:23:57 kid1| storeLateRelease: released 0 objects
access.log has no information about the clients.
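The pattern in the tcpdump above is the one worth detecting: SYN, SYN-ACK, ACK, then a RST with seq 1 arriving from the client's address before any HTTP byte is exchanged, while the client itself reports "Connection reset by peer". Neither endpoint sent that RST, which points to a device in the path. The following Python script is added here and is not part of the original thread; it parses tcpdump's default text output (the sample is constructed from the question's capture, with the server name replaced by its IP) and reports flows that were reset right after the handshake with no payload.

```python
import re

# Constructed sample in tcpdump's default output format, mirroring the capture in
# the question: the three-way handshake completes, then a RST arrives from the
# client's address before a single byte of HTTP is exchanged.
SAMPLE = """\
14:30:53.463935 IP 172.26.0.11.58301 > 172.20.0.20.3128: Flags [S], seq 2612553964, win 8192, length 0
14:30:53.464031 IP 172.20.0.20.3128 > 172.26.0.11.58301: Flags [S.], seq 4099169320, ack 2612553965, win 29200, length 0
14:30:53.464453 IP 172.26.0.11.58301 > 172.20.0.20.3128: Flags [.], ack 1, win 256, length 0
14:30:53.465041 IP 172.26.0.11.58301 > 172.20.0.20.3128: Flags [R.], seq 1, ack 1, win 256, length 0
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].* length (?P<len>\d+)"
)

def _usec(ts):  # HH:MM:SS.ffffff -> integer microseconds since midnight
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000 + int(frac)

def find_resets_without_data(capture):
    """Report flows reset after a completed handshake that never carried data."""
    flows, findings = {}, []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f, t = m.group("flags"), _usec(m.group("ts"))
        a, b = (m["src"], m["sport"]), (m["dst"], m["dport"])
        if "S" in f and "." not in f:  # bare SYN from the client opens a flow
            flows[(a, b)] = {"state": "syn", "data": 0}
            continue
        # Flows are keyed from the client's side; decide which end this line is from.
        key, origin = ((a, b), "client") if (a, b) in flows else ((b, a), "server")
        st = flows.get(key)
        if st is None:
            continue
        if f == "S." and st["state"] == "syn":
            st["state"] = "synack"
        elif f == "." and st["state"] == "synack" and origin == "client":
            st["state"], st["opened"] = "open", t  # third ACK: handshake done
        st["data"] += int(m["len"])
        if "R" in f and st["state"] == "open" and st["data"] == 0:
            findings.append({"client": key[0][0], "server": key[1][0],
                             "rst_from": origin, "delay_us": t - st["opened"]})
    return findings
```

Capturing with `tcpdump -nnv port 3128` adds TTL and IP ID to each line, which gives a second check: a RST injected by a device in the path normally carries a TTL that does not match the client's own SYN.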