Squid configuration not working to set up connection between local and remote hosts

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Squid configuration not working to set up connection between local and remote hosts

tappdint
This post was updated on .
For some context I have a squid proxy  container
<https://hub.docker.com/r/datadog/squid/>   running on my local computer as
well as my app. There is another "app" (Selenium) on another host that runs
test on my local app and needs to be on the same network to access the app.
This is what I use squid for, to have both the remote an local apps on the
same docker network.

With my current default configuration, the remote app starts up a chrome
browser to run the tests but then gives a ERR_PROXY_CONNECTION_FAILED error
message when trying to access the app host. This leads me to believe that my
squid proxy's configuration is not set up correctly. The docker hub states
that /"the configuration available with the container is set for local
access, you may need to tweak it if your network scenario is different."/.
I'm not sure exactly what I should be looking into to tweak the config. When
I had the external app running in a vm locally the proxy was able to set up
the connection between the two properly but this remote host does not have
the same results.

Here is my configuration, its just the basic config provided with the image
with all the extra clutter/comments removed.
/
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Recommended minimum Access Permission configuration:
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access deny to_localhost

http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all


# Squid normally listens to port 3128
http_port 3128

debug_options rotate=1 ALL,2/

Any ideas what I should look at for more information? Thanks!

EDIT: I think this might be important, when I was running the second app on the VM locally, it was accessed using HTTP. Now the app on the remote host uses HTTPS

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid configuration not working to set up connection between local and remote hosts

Amos Jeffries
Administrator
On 19/12/17 08:26, tappdint wrote:

> For some context I have a squid proxy  container
> <https://hub.docker.com/r/datadog/squid/>   running on my local computer as
> well as my app. There is another "app" (Selenium) on another host that runs
> test on my local app and needs to be on the same network to access the app.
> This is what I use squid for, to have both the remote an local apps on the
> same docker network.
>
> With my current default configuration, the remote app starts up a chrome
> browser to run the tests but then gives a ERR_PROXY_CONNECTION_FAILED error
> message when trying to access the app host. This leads me to believe that my
> squid proxy's configuration is not set up correctly. The docker hub states
> that /"the configuration available with the container is set for local
> access, you may need to tweak it if your network scenario is different."/.
> I'm not sure exactly what I should be looking into to tweak the config. When
> I had the external app running in a vm locally the proxy was able to set up
> the connection between the two properly but this remote host does not have
> the same results.
>
> Here is my configuration, its just the basic config provided with the image
> with all the extra clutter/comments removed.
> /
...
>
> http_access allow localnet
> http_access allow localhost

^^ localnet and localhost are permitted, nothing else.

You need to find out what other access Selenium requires and how it can
reliably be identified. Then add http_access rules here to allow it.


> # And finally deny all other access to this proxy
> http_access deny all
>
>
> # Squid normally listens to port 3128
> http_port 3128
>
> debug_options rotate=1 ALL,2/
>
> Any ideas what I should look at for more information? Thanks!
>


The access.log records the connection details for the failed requests.
You should usually be able to find most of the details necessary there.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid configuration not working to set up connection between local and remote hosts

tappdint
Amos Jeffries wrote

> ^^ localnet and localhost are permitted, nothing else.
>
> You need to find out what other access Selenium requires and how it can
> reliably be identified. Then add http_access rules here to allow it.
>
>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>>
>> debug_options rotate=1 ALL,2/
>>
>> Any ideas what I should look at for more information? Thanks!
>>
>
>
> The access.log records the connection details for the failed requests.
> You should usually be able to find most of the details necessary there.

Sorry could you clarify what is meant by /what other access Selenium
requires and how it can
reliably be identified/? In order for Selenium to run the tests I have to
set up the proxy address in the java code that creates the driver.  In that
code I use my inet address that I get from ifconfig. So the proxy address is
"INET_IP:3128". The script that runs the test requires the host and port
where Selenium is located (external_host_address with port 443 since it is
https). As for the logs, I tried to look at the access logs after the tests
failed to run but unfortunately access.log was empty.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid configuration not working to set up connection between local and remote hosts

Amos Jeffries
Administrator
On 19/12/17 09:45, tappdint wrote:

> Amos Jeffries wrote
>> ^^ localnet and localhost are permitted, nothing else.
>>
>> You need to find out what other access Selenium requires and how it can
>> reliably be identified. Then add http_access rules here to allow it.
>>
>>
>>> # And finally deny all other access to this proxy
>>> http_access deny all
>>>
>>>
>>> # Squid normally listens to port 3128
>>> http_port 3128
>>>
>>> debug_options rotate=1 ALL,2/
>>>
>>> Any ideas what I should look at for more information? Thanks!
>>>
>>
>>
>> The access.log records the connection details for the failed requests.
>> You should usually be able to find most of the details necessary there.
>
> Sorry could you clarify what is meant by /what other access Selenium
> requires and how it can
> reliably be identified/?

To let something through the proxy, you need to know what that thing is
and either what its TCP connections or HTTP messages look like when it
contacts the proxy.

Whatever those details are is what you need to find out before you can
make any meaningful squid.conf changes.

(I don't know that test system to be any more specific.)


> In order for Selenium to run the tests I have to
> set up the proxy address in the java code that creates the driver.  In that
> code I use my inet address that I get from ifconfig. So the proxy address is
> "INET_IP:3128". The script that runs the test requires the host and port
> where Selenium is located (external_host_address with port 443 since it is
> https). As for the logs, I tried to look at the access logs after the tests
> failed to run but unfortunately access.log was empty.

Empty access.log means it is not going through the proxy. Or maybe using
a CONNECT tunnel which is still open when you checked.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid configuration not working to set up connection between local and remote hosts

Yuri Voinov
Most probably firewall issues. ALso not fact virtualized invironments
permit TCP exchange between apps/instances without special settings.


19.12.2017 04:28, Amos Jeffries пишет:

> On 19/12/17 09:45, tappdint wrote:
>> Amos Jeffries wrote
>>> ^^ localnet and localhost are permitted, nothing else.
>>>
>>> You need to find out what other access Selenium requires and how it can
>>> reliably be identified. Then add http_access rules here to allow it.
>>>
>>>
>>>> # And finally deny all other access to this proxy
>>>> http_access deny all
>>>>
>>>>
>>>> # Squid normally listens to port 3128
>>>> http_port 3128
>>>>
>>>> debug_options rotate=1 ALL,2/
>>>>
>>>> Any ideas what I should look at for more information? Thanks!
>>>>
>>>
>>>
>>> The access.log records the connection details for the failed requests.
>>> You should usually be able to find most of the details necessary there.
>>
>> Sorry could you clarify what is meant by /what other access Selenium
>> requires and how it can
>> reliably be identified/?
>
> To let something through the proxy, you need to know what that thing
> is and either what its TCP connections or HTTP messages look like when
> it contacts the proxy.
>
> Whatever those details are is what you need to find out before you can
> make any meaningful squid.conf changes.
>
> (I don't know that test system to be any more specific.)
>
>
>> In order for Selenium to run the tests I have to
>> set up the proxy address in the java code that creates the driver. 
>> In that
>> code I use my inet address that I get from ifconfig. So the proxy
>> address is
>> "INET_IP:3128". The script that runs the test requires the host and port
>> where Selenium is located (external_host_address with port 443 since
>> it is
>> https). As for the logs, I tried to look at the access logs after the
>> tests
>> failed to run but unfortunately access.log was empty.
>
> Empty access.log means it is not going through the proxy. Or maybe
> using a CONNECT tunnel which is still open when you checked.
>
> Amos
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

signature.asc (673 bytes) Download Attachment