部分解决方案
事实证明,端口 3128 上的流量在前往我的 VPS 的途中丢失了。我不确定这是因为 Linode 阻止了这个端口,还是两者之间有什么关系。(我在其他云上使用过同样的代理,而且成功了。)
将端口改为 53128 就可以了。
但是,我该如何探测端口 3128 来检查数据包被丢弃到哪里?这肯定是在它们到达我的 VPS 之前。
问题
我在运行 CentOS 6.7 的 VPS 中设置了 squid 代理,以便允许我跨多个集群节点共享 Web 会话。
该代理在云中工作,当所有节点都在同一个私有网络内时,192.168.0.0/24一切都正常运行。
本周我在家里部署了几台服务器来执行一些非常长的批处理作业,我需要通过代理进行连接。但是,Squid 在我的公共接口上超时了。
我squid.conf几乎允许每个传入连接,因为我通过 进行了限制iptables。但是,即使防火墙已停止,我也无法通过 Internet 连接到我的代理。
测试来自 VPS 集群的连接
注意:故意省略了公共 IP 和主机名。
$ curl --proxy PUBLIC_HOSTNAME:3128 -v google.com.br
* About to connect() to proxy PUBLIC_HOSTNAME port 3128 (#0)
* Trying PUBLIC_IP... connected
* Connected to PUBLIC_HOSTNAME (PUBLIC_IP) port 3128 (#0)
[ OUTPUT OMITTED ]
* Connection #0 to host PUBLIC_HOSTNAME left intact
* Closing connection #0
$ curl --proxy PRIVATE_HOSTNAME:3128 -v google.com.br
* About to connect() to proxy PRIVATE_HOSTNAME port 3128 (#0)
* Trying PRIVATE_IP... connected
* Connected to PRIVATE_HOSTNAME (PRIVATE_IP) port 3128 (#0)
[ OUTPUT OMITTED ]
* Connection #0 to host PRIVATE_HOSTNAME left intact
* Closing connection #0
从家里测试连接(互联网)
注意:故意省略了公共 IP 和主机名。
端口 3128 上的数据包确实超时。端口 53128 上的数据包确实可以工作。
$ curl --proxy HOSTNAME:3128 -v google.com.br
* About to connect() to proxy HOSTNAME port 3128 (#0)
* Trying PUBLIC_IP... Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
$ curl --proxy PUBLIC_HOSTNAME:53128 -v google.com.br
* About to connect() to proxy PUBLIC_HOSTNAME port 53128 (#0)
* Trying PUBLIC_IP... connected
* Connected to PUBLIC_HOSTNAME (PUBLIC_IP) port 53128 (#0)
[ OUTPUT OMITTED ]
* Connection #0 to host PUBLIC_HOSTNAME left intact
* Closing connection #0
顺便说一句,正如您从上面的输出中看到的,即使在云内部也可以通过公共接口建立连接。
我的 VPS 托管在 Linode 上,他们的私有网络是通过虚拟接口建立的,所有流量都通过公共接口路由。无论如何,我不认为这是问题所在。
squid配置文件
Squid 正在监听其默认端口。
$ sudo netstat -ntlp | grep 3128
tcp 0 0 :::53128 :::* LISTEN 19282/(squid)
tcp 0 0 :::3128 :::* LISTEN 19282/(squid)
我的配置文件非常标准,最后添加了一个斗篷。
Squid 是通过安装的yum,这是适用于 CentOS 6.7 的软件包。
$ sudo cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
visible_hostname cluster.proxy
dns_nameservers 8.8.8.8 8.8.4.4
#hosts_file none
hosts_file /etc/hosts
# quick_abort_min 0 KB
# quick_abort_max 0 KB
strip_query_terms off
log_icp_queries off
client_db off
buffered_logs on
# half_closed_clients off
connect_timeout 30 seconds
forward_timeout 60 seconds
request_timeout 60 seconds
dns_timeout 30 seconds
# positive_dns_ttl 8 hours
# negative_dns_ttl 30 seconds
acl localnet src all # Intentionally left open. Not sure if this is valid.
acl ghome src OMITTED.ddns.net # Dynamic DNS for my home address
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow ghome # Tried this rule for my home
# And finally deny all other access to this proxy
#http_access deny all
http_access allow all # Tried this rule for world
# Squid normally listens to port 3128
http_port 3128
http_port 53128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
cache deny all
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Hide Proxy from destination server
# Needed to share sessions
via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
有没有办法检查我的连接是否到达 VPS?
我没有找到超出其范围的鱿鱼日志access.log,这与我的家庭连接无关;
答案1
事实证明这是 Linode 数据中心的问题。
traceroute指出数据包在抵达 Linode 亚特兰大数据中心时被丢弃。
注意:服务器公共 IP 和主机名故意省略
$ sudo traceroute -p 3128 HOSTNAME --tcp
traceroute to HOSTNAME (PUBLIC_IP), 30 hops max, 60 byte packets
1 192.168.0.254 (192.168.0.254) 0.922 ms 1.337 ms 2.016 ms
2 200.150.94.3 (200.150.94.3) 11.970 ms 12.337 ms 12.699 ms
3 trunk11-src1km3a-src1cos.copel.net (200.150.92.107) 11.980 ms 12.928 ms 12.962 ms
4 177.84.164.33 (177.84.164.33) 14.230 ms 15.943 ms 16.306 ms
5 149.3.181.42 (149.3.181.42) 17.045 ms 17.889 ms 18.127 ms
6 xe-7-2-1.ashburn2.ash.seabone.net (195.22.199.187) 171.647 ms xe-0-1-2.ashburn2.ash.seabone.net (89.221.40.3) 163.118 ms 161.458 ms
7 xe-7-0-1.ashburn2.ash.seabone.net (195.22.199.189) 163.412 ms xe-2-2-2.ashburn2.ash.seabone.net (195.22.199.183) 159.763 ms xe-7-0-1.ashburn2.ash.seabone.net (195.22.199.189) 162.821 ms
8 ae13.er2.iad10.us.zip.zayo.com (64.125.12.1) 161.005 ms 160.879 ms 161.481 ms
9 ae7.er1.iad10.us.zip.zayo.com (64.125.25.49) 146.142 ms 144.668 ms 146.361 ms
10 ae6.cr1.dca2.us.zip.zayo.com (64.125.20.117) 147.399 ms 147.831 ms 148.792 ms
11 ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46) 150.200 ms ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197) 144.751 ms ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46) 146.808 ms
12 ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197) 143.534 ms 143.451 ms 146.218 ms
13 * * *
...
30 * * *
如前所述,它在端口 53128 上通过。
$ sudo traceroute -p 53128 HOSTNAME --tcp
traceroute to HOSTNAME (PUBLIC_IP), 30 hops max, 60 byte packets
1 192.168.0.254 (192.168.0.254) 0.931 ms 1.458 ms 1.968 ms
2 200.150.94.3 (200.150.94.3) 12.079 ms 12.222 ms 12.362 ms
3 trunk11-src1km3a-src1cos.copel.net (200.150.92.107) 51.764 ms 52.274 ms 52.466 ms
4 177.84.164.33 (177.84.164.33) 14.533 ms 14.910 ms 15.449 ms
5 149.3.181.42 (149.3.181.42) 16.408 ms 17.265 ms 17.720 ms
6 xe-2-2-2.ashburn2.ash.seabone.net (195.22.199.183) 171.688 ms xe-7-2-1.ashburn2.ash.seabone.net (195.22.199.187) 161.815 ms xe-0-1-2.ashburn2.ash.seabone.net (89.221.40.3) 162.661 ms
7 xe-2-3-1.ashburn2.ash.seabone.net (195.22.199.181) 163.044 ms xe-2-2-2.ashburn2.ash.seabone.net (195.22.199.183) 160.476 ms xe-7-0-2.ashburn2.ash.seabone.net (195.22.199.185) 161.247 ms
8 ae13.er2.iad10.us.zip.zayo.com (64.125.12.1) 162.917 ms 162.569 ms 164.899 ms
9 ae7.er1.iad10.us.zip.zayo.com (64.125.25.49) 149.290 ms 147.938 ms ae6.cr1.dca2.us.zip.zayo.com (64.125.20.117) 150.054 ms
10 ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46) 150.416 ms ae6.cr1.dca2.us.zip.zayo.com (64.125.20.117) 145.685 ms 146.062 ms
11 ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197) 145.271 ms ae2.mpr4.atl6.us.zip.zayo.com (64.125.25.46) 146.286 ms ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197) 143.456 ms
12 128.177.104.134.IPYX-092136-ZYO.zip.zayo.com (128.177.104.134) 143.646 ms ae4.mpr3.atl6.us.zip.zayo.com (64.125.31.197) 145.377 ms 143.066 ms
13 128.177.104.134.IPYX-092136-ZYO.zip.zayo.com (128.177.104.134) 147.494 ms 148.962 ms 148.619 ms
14 router1-atl.linode.com (64.22.106.10) 148.807 ms 146.101 ms PRIVATE_HOSTNAME.members.linode.com (PUBLIC_IP) 145.706 ms
这样我就可以打开支持单并得到肯定的答复。我很高兴这不是我的服务器的问题。
你好呀,
我们进行了进一步调查,结果发现这实际上是我们亚特兰大数据中心的一个持续存在的问题,因此我们很抱歉没能尽快给您答复。目前我们正在努力解除此端口的阻塞,但我们无法给出时间估计。
与此同时,那个不同的端口对你有用吗?如果你愿意,我还可以将你迁移到其他数据中心,使用 3128 端口工作——也许是加利福尼亚州弗里蒙特或新泽西州纽瓦克?:
https://www.linode.com/speedtest让我们知道。
问候,Roland Linode 支持团队