Hi everybody!
I have Squid 3.1 running on Debian 7 from the Wheezy repos.
Users can authenticate and requests are sent, but pages are not displayed in the browser, which sits on a white screen loading forever. :(
My log file gives:
Stackoverflow won't let me post this because it thinks I'm posting links, and I lack reputation points.
And my config is:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 8443 563 22 # https, snews, ssh
acl SSL_ports port 4443 # rsync
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 81 82 800 8119 # http
acl Safe_ports port 4443 873 # rsync
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl purge method PURGE
acl CONNECT method CONNECT
auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/passwords
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow manager localhost
http_access allow authenticated
http_access deny manager
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128 transparent
forwarded_for delete
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
I removed the denys for ports for testing:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Maybe this has something to do with IPv6 resolution, because my DNS will resolve IPv6 addresses, but ping won't ping!
In the Squid log file: DIRECT/2a01:111:f400:9814::6
And a failing IPv6 ping.
# ping6 -n ipv6.google.com
PING ipv6.google.com(2607:f8b0:4005:802::1000) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
I'd be so grateful if somebody just gave me some help?
Kind regards,
Sophie
The problem was that DNS resolves an IPv6 address but my VPS server did not have an IPv6 address, so Squid uses IPv6 and won't fall back to IPv4.
IPv4 can be forced by adding this to my squid.conf:
tcp_outgoing_address 123.123.123.123
where 123.123.123.123 is the outgoing IPv4 address you would like to use.
Squid now works.
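The condition the answer describes (AAAA records exist, but the host has no usable IPv6 route, so a proxy that prefers IPv6 stalls) can be checked from the shell before touching squid.conf. The script below is an added example, not part of the original post or of Squid; it resolves a name, asks the kernel routing table whether any returned IPv6 address is reachable at all (a UDP connect() sends nothing), and classifies the result. The hostname ipv6.google.com is taken from the question; everything else is an assumption of the example.

```python
import socket


def resolve(host, port=80):
    """Resolve host with getaddrinfo and split the answers into IPv4 and IPv6 lists."""
    v4, v6 = [], []
    try:
        answers = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return v4, v6
    for family, _type, _proto, _canon, sockaddr in answers:
        if family == socket.AF_INET:
            v4.append(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.append(sockaddr[0])
    return v4, v6


def kernel_has_route(addr, family):
    """Ask the kernel to pick a route/source address toward addr.

    connect() on a UDP socket transmits nothing; it only consults the routing
    table, so this works offline and needs no privileges. ENETUNREACH or
    EADDRNOTAVAIL means the host cannot reach that address family at all,
    which is exactly the VPS-without-IPv6 situation from the question.
    """
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((addr, 9))  # port 9 (discard); no datagram is sent
            return True
    except OSError:
        return False


def classify(v4, v6, v6_routable):
    """Decision logic kept free of I/O so it can be tested without a network.

    'ipv6-blackhole' is the case from the post: AAAA records exist, the host
    has no usable IPv6 route, and A records exist that would have worked.
    """
    if not v4 and not v6:
        return "unresolvable"
    if v6 and not v6_routable:
        return "ipv6-blackhole" if v4 else "ipv6-only-unreachable"
    return "ok"


def check_host(host):
    """Classify a real hostname (needs DNS; the pure logic is in classify())."""
    v4, v6 = resolve(host)
    v6_routable = any(kernel_has_route(a, socket.AF_INET6) for a in v6)
    return classify(v4, v6, v6_routable)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["ipv6.google.com"]:
        print(name, check_host(name))
```

A result of ipv6-blackhole on the proxy host is the signal to pin the outgoing family (tcp_outgoing_address, as in the answer) or to give the host working IPv6; the script only diagnoses, it changes nothing.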
I have a droplet on DigitalOcean with IPv4 and IPv6 enabled. The droplet is behind a digital ocean network firewall with the following rules:
Inbound:
SSH TCP 22 All IPv4, All IPv6
HTTP TCP 80 All IPv4, All IPv6
HTTP TCP 443 All IPv4, All IPv6
Outbound:
ICMP ICMP All IPv4 All IPv6
All TCP TCP All ports All IPv4 All IPv6
All UDP UDP All ports All IPv4
My understanding and expectation is that this will block all SSH attempts on ports other than port 22. However, when checking the sshd unit in the systemd journal, I see the following entries:
2022-12-29 03:00:32 Disconnected from invalid user antonio 43.153.179.44 port 45614 [preauth]
2022-12-29 03:00:32 Received disconnect from 43.153.179.44 port 45614:11: Bye Bye [preauth]
2022-12-29 03:00:31 Invalid user antonio from 43.153.179.44 port 45614
2022-12-29 02:58:37 Disconnected from invalid user desliga 190.129.122.3 port 1199 [preauth]
2022-12-29 02:58:37 Received disconnect from 190.129.122.3 port 1199:11: Bye Bye [preauth]
2022-12-29 02:58:37 Invalid user desliga from 190.129.122.3 port 1199
and many more of these lines, which means the firewall is not blocking ssh connections on ports other than 22.
The following graph shows the number of SSH connections to ports other than 22 in the last hour. The connections are reduced by enabling the Network Filter, but they have not disappeared.
Could it be that the Network Firewall of DigitalOcean is broken?
What am I missing?
Is anyone seeing the same situation on their infrastructure?
The ports being shown in the log are the remote ports that the connections are coming from on the remote IPs, and not indicating that those ports are listening on your server or through the firewall. The firewall is configured from your description to allow for any remote IP and port to connect to your droplet on local ports 22, 80, and 443.
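To make the answer's point concrete: every sshd message names the peer as "<ip> port <port>", and that pair is the client's socket (source address plus ephemeral source port), so the three lines of one attempt share one port. The parser below is an added example, not part of the question or answer; it groups the six journal lines quoted above by that pair and extracts the invalid-user attempts per source IP, which is the kind of summary a fail2ban-style blocklist is built from. The regexes and function names are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# The six journal lines quoted in the question above.
SAMPLE = """\
2022-12-29 03:00:32 Disconnected from invalid user antonio 43.153.179.44 port 45614 [preauth]
2022-12-29 03:00:32 Received disconnect from 43.153.179.44 port 45614:11: Bye Bye [preauth]
2022-12-29 03:00:31 Invalid user antonio from 43.153.179.44 port 45614
2022-12-29 02:58:37 Disconnected from invalid user desliga 190.129.122.3 port 1199 [preauth]
2022-12-29 02:58:37 Received disconnect from 190.129.122.3 port 1199:11: Bye Bye [preauth]
2022-12-29 02:58:37 Invalid user desliga from 190.129.122.3 port 1199
"""

# "<ip> port <port>" identifies the remote socket of one TCP connection to sshd
# (which itself still only listens on local port 22).
PEER = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")
INVALID = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)$")


def connections(text):
    """Group all lines by (source ip, source port): one connection, several messages."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            groups[(m["ip"], int(m["port"]))].append(line)
    return dict(groups)


def invalid_user_attempts(text):
    """One record per 'Invalid user' line: who was tried, from which source socket."""
    out = []
    for line in text.splitlines():
        m = INVALID.search(line)
        if m:
            out.append({"user": m["user"], "src_ip": m["ip"], "src_port": int(m["port"])})
    return out


def noisy_sources(text, threshold):
    """Source IPs with at least `threshold` invalid-user attempts, sorted, as blocklist input."""
    counts = Counter(a["src_ip"] for a in invalid_user_attempts(text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for (ip, port), lines in connections(SAMPLE).items():
        print(f"{ip}:{port} -> {len(lines)} messages for one connection")
    print("sources with >= 1 invalid user:", noisy_sources(SAMPLE, 1))
```

With the real journal as input (journalctl -u ssh --no-pager, for instance), the port column never needs a firewall rule; the threshold on noisy_sources is where a rate-limit or blocklist decision belongs.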
I want the HAProxy server to do the following:
when a client sends a request to the server on port 8080, the HAProxy server redirects it to the IP of the same HAProxy server on port 2095.
I use the following code but it doesn't work.
Please guide me.
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout server 500s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen http80new
bind *:8080
mode http
acl path_check1 path
server webserver1 ip:2095
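"Redirect" can mean two different things in HAProxy, and the listen section above (an unfinished acl line and a server line with the literal host "ip") does neither. The fragment below is an added example, not the asker's config or an HAProxy project file: it shows both readings, with the proxy form active and the HTTP-redirect form commented out. It assumes the port 2095 service runs on the same host as HAProxy (hence 127.0.0.1) and that clients send a Host header without a bracketed IPv6 literal.

```haproxy
listen http8080
    bind *:8080
    mode http
    # Reading 1 (active): HAProxy accepts on 8080 and proxies the request to the
    # service on port 2095 of this same host; the client never sees port 2095.
    server local2095 127.0.0.1:2095 check

    # Reading 2 (instead of the server line): answer with an HTTP 302 so the
    # client itself reconnects to the same hostname on port 2095, keeping the
    # requested path and query. field(1,:) strips any ":8080" from the Host header.
    # http-request redirect location http://%[req.hdr(host),field(1,:)]:2095%[capture.req.uri] code 302
```

Reading 1 keeps port 2095 reachable only from HAProxy (it can stay firewalled from the outside, as in the question about the DigitalOcean firewall above); reading 2 exposes 2095 directly to clients and needs its own firewall rule and TLS handling.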
I am running my node server on ubuntu with sudo node index.js
Running curl http://localhost/health-check gives a response, but if I use the public IP it does not get any response.
Running sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 59739/node
Running nmap -A -T4 myDomainName
Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-22 12:32 UTC
Nmap scan report for myDomainName (IP address)
Host is up (0.0011s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
...
80/tcp closed http
443/tcp closed https
Running nmap localhost
Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-22 12:28 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000062s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Lastly sudo ufw status
To Action From
-- ------ ----
22 ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
80/tcp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Port 80 is open on localhost but not open on the domain name / public IP.
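The symptom in this question (reachable on localhost, "closed" from outside, ufw allowing the port) is the classic signature of a service bound only to 127.0.0.1, which no firewall rule can fix. The script below is an added example, not the asker's code or output; it parses netstat -ntlp style lines and flags ports whose only listeners are loopback-bound. The sample lines are constructed for the example (the question's own netstat output is incomplete), and the "node on 127.0.0.1:80" line is an assumption, not a fact from the page.

```python
import ipaddress
import re

# Constructed sample in `netstat -ntlp` layout; not the output from the question.
SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1018/sshd
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      59739/node
tcp6       0      0 :::443                  :::*                    LISTEN      2201/nginx
"""

LINE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)"
)


def split_hostport(s):
    """'127.0.0.1:80' -> ('127.0.0.1', 80); ':::443' -> ('::', 443)."""
    host, _, port = s.rpartition(":")
    return host, int(port)


def bind_scope(host):
    """'all' for wildcard binds, 'loopback' for 127.x / ::1, 'specific' otherwise."""
    if host in ("0.0.0.0", "::", "*"):
        return "all"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "specific"


def listeners(text):
    """Parse listening sockets into dicts: port, bind address, scope, program."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        host, port = split_hostport(m["local"])
        out.append({"port": port, "addr": host, "scope": bind_scope(host), "program": m["prog"]})
    return out


def unreachable_from_outside(text, port):
    """True when `port` has listeners but every one of them is loopback-bound."""
    on_port = [l for l in listeners(text) if l["port"] == port]
    return bool(on_port) and all(l["scope"] == "loopback" for l in on_port)


if __name__ == "__main__":
    for l in listeners(SAMPLE):
        print(f"{l['port']:>5} {l['addr']:<12} {l['scope']:<9} {l['program']}")
    print("port 80 loopback-only:", unreachable_from_outside(SAMPLE, 80))
```

A loopback-only result points at the application's own bind address (the host argument it passes to listen) rather than at ufw; conversely, a deliberately internal service should show loopback here, which is the cheaper control compared with a firewall rule.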
I'm using a Linux VM (Ubuntu 15.10) to spin up a Postgres Database, and as far as I can tell, everything should be configured right.
My firewall is disabled:
user#UBUNTUMACHINE:~$ sudo ufw status numbered
Status: inactive
But it's only listening on port 22.
user#UBUNTUMACHINE:~$ netstat -an | grep "LISTEN "
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
If I enable the firewall, and tell it to listen to 5432, it shows up in the rules:
user#UBUNTUMACHINE:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN Anywhere
22/tcp ALLOW IN Anywhere
5432/tcp ALLOW IN Anywhere
5432 ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
22/tcp (v6) ALLOW IN Anywhere (v6)
5432/tcp (v6) ALLOW IN Anywhere (v6)
5432 (v6) ALLOW IN Anywhere (v6)
But I get the same results as above for netstat.
As far as I can tell from researching the issue, I have the correct values in my postgresql.conf file:
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
and I've tried both IP ranges and specific IPs as trusted in the pg_hba.conf file.
# Database administrative login by Unix domain socket
local all postgres ident sameuser
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5
host all all 10.0.0.0/255 trust
host all all 10.11.0.0/255 trust
host all all 0.0.0.0/0 trust
Lastly, Postgres is running, per
user#UBUNTUMACHINE:~$ sudo service postgresql status
● postgresql.service - PostgreSQL RDBMS
Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2017-03-08 11:09:57 CST; 57min ago
Process: 787 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 787 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/postgresql.service
Mar 08 11:09:57 UBUNTUMACHINEsystemd[1]: Starting PostgreSQL RDBMS...
Mar 08 11:09:57 UBUNTUMACHINEsystemd[1]: Started PostgreSQL RDBMS.
Mar 08 11:32:21 UBUNTUMACHINEsystemd[1]: Started PostgreSQL RDBMS.
Mar 08 11:32:26 UBUNTUMACHINEsystemd[1]: Started PostgreSQL RDBMS.
The log is telling me: invalid CIDR mask in address 10.0.0.0/255 :: 255 might be larger than 32
Postgres refuses to start, because it refuses the netmask /255, which is larger than the possible number of bits in the (32-bit) IP address. You could consider this to be a bit picky for the .hba parser, but it could also be considered a configuration error.
In any case: replace the /255 with something sensible, like /24 (or /16, since you have two of these entries). And replace the trust with something safer once it appears to work.
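Both points of the answer (the /255 mask that stops the server from starting, and trust on a wide range) can be caught before a restart. The checker below is an added example, not part of the question, the answer or PostgreSQL; it runs the pg_hba.conf lines quoted above through the standard ipaddress module, which rejects /255 the same way the server does, and flags trust entries that are not loopback. The line-format handling (keywords such as samehost are skipped) and the severity names are the example's assumptions.

```python
import ipaddress

# pg_hba.conf lines taken from the question above (comment lines included).
SAMPLE = """\
# TYPE DATABASE USER ADDRESS METHOD
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 10.0.0.0/255 trust
host all all 10.11.0.0/255 trust
host all all 0.0.0.0/0 trust
"""

# ADDRESS keywords that are not CIDR networks and are left alone here.
KEYWORDS = {"all", "samehost", "samenet"}


def check_pg_hba(text):
    """Return (line_no, severity, message) tuples for the problems found."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" or len(fields) < 5:
            continue                           # Unix sockets carry no ADDRESS column
        if fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        addr, method = fields[3], fields[4]
        if addr in KEYWORDS:
            continue
        try:
            # strict=False tolerates host bits set; the mask itself must still be valid,
            # so '10.0.0.0/255' raises here just as it does in the PostgreSQL log.
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError as exc:
            findings.append((n, "error", f"invalid address/mask {addr!r}: {exc}"))
            continue
        if method == "trust" and not net.is_loopback:
            findings.append((n, "warning",
                             f"trust for {net} grants password-less access to every user"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in check_pg_hba(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```

Errors are what keep the server from starting; warnings are the trust lines the answer asks to replace with md5 (or scram-sha-256 on newer releases) once connectivity is confirmed.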
I have a HAProxy + NodeJS + Rails Setup, I use the NodeJS Server for file upload purposes.
The problem I'm facing is that if I'm uploading through haproxy to nodejs and a "TCP (Fast) Retransmission" occurs because of a lost packet the TX rate on the client drops to zero for about 5-10 secs and gets flooded with TCP Retransmissions.
This does not occur if I upload to NodeJS directly (TCP Retransmission happens too but it doesn't get stuck with dozens of retransmission attempts).
My test setup is a simple HTML4 FORM (method POST) with a single file input field.
The NodeJS Server only reads the incoming data and does nothing else.
I've tested this on multiple machines, networks, browsers, always the same issue.
Here's a TCP Traffic Dump from the client while uploading a file:
.....
TCP 1506 [TCP segment of a reassembled PDU]
>> everything is uploading fine until:
TCP 1506 [TCP Fast Retransmission] [TCP segment of a reassembled PDU]
TCP 66 [TCP Dup ACK 7392#1] 63265 > http [ACK] Seq=4844161 Ack=1 Win=524280 Len=0 TSval=657047088 TSecr=79373730
TCP 1506 [TCP Retransmission] [TCP segment of a reassembled PDU]
>> the last message is repeated about 50 times for >>5-10 secs<< (TX drops to 0 on client, RX drops to 0 on server)
TCP 1506 [TCP segment of a reassembled PDU]
>> upload continues until the next TCP Fast Retransmission and the same thing happens again
The haproxy.conf (haproxy v1.4.18 stable) is the following:
global
log 127.0.0.1 local1 debug
maxconn 4096 # Total Max Connections. This is dependent on ulimit
nbproc 2
defaults
log global
mode http
option httplog
option tcplog
frontend http-in
bind *:80
timeout client 6000
acl is_websocket path_beg /node/
use_backend node_backend if is_websocket
default_backend app_backend
# Rails Server (via nginx+passenger)
backend app_backend
option httpclose
option forwardfor
timeout server 30000
timeout connect 4000
server app1 127.0.0.1:3000
# node.js
backend node_backend
reqrep ^([^\ ]*)\ /node/(.*) \1\ /\2
option httpclose
option forwardfor
timeout queue 5000
timeout server 6000
timeout connect 5000
server node1 127.0.0.1:3200 weight 1 maxconn 4096
Thanks for reading! :)
Simon
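The stall described in the question shows up in a capture as a run of retransmissions with growing gaps between them: after a loss, TCP backs off its retransmission timer exponentially, so a handful of retries can easily cover several seconds with zero throughput. The script below is an added example, not Simon's dump or anything from HAProxy; it takes tshark-style summary lines (relative time, then info) and reports each retransmission run with its duration and the intervals between retries. The sample lines are constructed with invented timestamps, because the dump in the question has none; the thresholds and field names are the example's assumptions.

```python
import re

# Constructed tshark-style lines (relative time, protocol, length, info).
# Not the dump from the question; timestamps are invented to show the analysis.
SAMPLE = """\
0.000 TCP 1506 [TCP segment of a reassembled PDU]
0.010 TCP 1506 [TCP Fast Retransmission] [TCP segment of a reassembled PDU]
0.011 TCP 66 [TCP Dup ACK 7392#1] 63265 > http [ACK]
0.210 TCP 1506 [TCP Retransmission] [TCP segment of a reassembled PDU]
0.610 TCP 1506 [TCP Retransmission] [TCP segment of a reassembled PDU]
1.410 TCP 1506 [TCP Retransmission] [TCP segment of a reassembled PDU]
3.010 TCP 1506 [TCP Retransmission] [TCP segment of a reassembled PDU]
6.210 TCP 1506 [TCP segment of a reassembled PDU]
"""

LINE = re.compile(r"^(?P<t>\d+\.\d+)\s+TCP\s+\d+\s+(?P<info>.*)$")


def parse(text):
    """(time, info) pairs for every line that looks like a tshark summary line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((float(m["t"]), m["info"]))
    return events


def retransmission_stalls(text, min_retries=3):
    """Find runs of consecutive (fast) retransmissions of data segments.

    Dup ACKs are ignored: they are the receiver's replies, not the sender
    giving up. A run ends at the next ordinary data segment. Each stall
    records how many retransmits it took, how long the transfer was stuck
    (first retransmit until the next fresh segment) and the gaps between
    retries; doubling gaps are the retransmission timer backing off.
    A run still open when the trace ends is not reported.
    """
    stalls = []
    run = []
    for t, info in parse(text):
        if "Dup ACK" in info:
            continue
        if "Retransmission" in info:
            run.append(t)
            continue
        if len(run) >= min_retries:
            stalls.append({
                "first_retransmit": run[0],
                "retries": len(run),
                "duration": t - run[0],
                "intervals": [round(b - a, 3) for a, b in zip(run, run[1:])],
            })
        run = []
    return stalls


if __name__ == "__main__":
    for s in retransmission_stalls(SAMPLE):
        print(f"stall at t={s['first_retransmit']}s: {s['retries']} retransmits, "
              f"{s['duration']:.2f}s stuck, gaps {s['intervals']}")
```

Feed it the output of something like tshark -r upload.pcap -T fields -e frame.time_relative -e _ws.col.Protocol -e frame.len -e _ws.col.Info (joined with spaces) and compare the direct-to-Node and via-HAProxy captures: a long run of retries in one but not the other narrows the problem to the hop where the retransmitted segments are being dropped, which is the question the two answers below leave open.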
Try setting "timeout http-request" to 6 seconds globally. It can typically be too low to pick up retransmits, and while it won't explain the cause it might solve your problem.
Try using https://github.com/nodejitsu/node-http-proxy. I am not sure if it will fit in your overall architecture requirement but it would be worth a try.