Re: Transparent Proxy

On Fri, 16 Oct 1998, George Ellenburg wrote:

> I have two Squid servers, both running Squid-2.0.PATCH2, one on a
> dedicated FreeBSD 2.2.6 machine, the other sibling on a Sparc20 (Solaris
> 2.6). I can't upgrade my Cisco AGS+ router to 11.1 (never could get the
> loaded, new, image to be saved to NVRAM) but hey, it's been working just
> fine for years now so I'm not too worried.

[snip]

> <FAQ> 1. Getting the packets to your cache machine. If your proxy machine
> is already in the path of the packets (i.e. it is routing between your
> dialup users and the Internet) then you don't have to worry about this
> step.</FAQ>
>
> My dial-up users all use 3Com and Livingston Network Access Devices, which
> have the ability to specify a default gateway. Am I correct in my
> assumption that I would simply need to change the default gateway to
> specify my Squid server?

Currently they will most likely be pointing to your router. You will need
to either selectively redirect the web requests (tcp port 80) to the
transparent proxy from your router. Or, setup your transparent proxy
between the access servers and the router so that all traffic is routed by
it.

I currently do the first method, using policy routing on a 4500. Depending
on how much traffic you are talking and how much grunt your router has
this is a pretty tidy setup. But the second method should work just as
well, with the down side being that you introduce another point of failure
into your network.

In theory you shouldn't need two ethernet cards in the FreeBSD machine if
you move the router is on a seperate subnet to the rest of your net. Once
you have your FreeBSD machine running as a router between your access
servers and your router (forget the proxy stuff at first) your set.

After that you just need to enable the redirect rules in ip-filter to
capture the web requests and let it pass the rest through untouched.

And in an emergency, should your machine die for whatever reason, all you
need to do is move its ether address onto the router, add a few routes and
traffic will continue to flow. (Well that's the theory) :)

> safe than sorry. I'm specifically concerned about the line in FreeBSD's
> /etc/rc.conf 'gateway_enable'. Currently this variable is set to "NO" and
> my initial assumptions are to set this to "YES", but since I can't find

If you are configuring your machine as a router then set to YES, if you
use policy routing you won't need it.

> mention of it in the FAQ, I'm a little apprehensive. The rc.conf variable
> 'router_enable' is also set to "NO", too.

This just enables 'routed' which is only useful if your using RIP on your
routers to publish route tables.

> Also, how does this affect sibling caches? Currently my users are
> connecting to squid.sundial.net, which has a round-robin DNS entry
> specifying both of my cache servers. Will I then have to revert back to a
> single cache?

If they are already using a cache then it will just pass through as normal
(assuming the cache doesn't use port 80). Your only interested in any
tcp/80 packets.

>
> <FAQ> 3.Finally, you have to configure Squid to recognize the hijacked
> connections and discern the destination addresses. For linux this seems to
> work automatically. For FreeBSD you probably have to configure squid with
> the --enable-ipf-transparent option.</FAQ>
>
> No problem, I've had to do numerous recompiles the past couple of days,
> what with ASYNC I/O failing to compile, and CARP causing assertion
> errors... how stable is this code, however?

Async io is only useful if you have kernel threads, ala Linux. FreeBSD 2.2
doesn't have kernel threads, although I think 3.0-RELEASE might. (Which
was just release BTW)

> Also, Section 17.1 of the FAQ mentions the ipnat.rules file which I'm also
> a little unclear (ok, very unclear):
>
> <FAQ>Put these lines in /etc/ipnat.rules:
>
> # Redirect direct web traffic to local web server.
> rdr de0 1.2.3.4/32 port 80 -> 127.0.0.1 port 80 tcp
>
> # Redirect everything else to squid on port 8080
> rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
> </FAQ>
>
> I guess I should mention that my dial-ups share several different subnets:
> 204.181.151.0, 207.43.116.0, 207.43.117.0, 207.43.118.0, 207.43.119.0, and
> that I only want to transparently proxy WWW requests (port 80) everything
> else go direct (or go through squid if their browser's are configured).
>
> Those lines above make little sense to me. What would be the
> configuration to only proxy port 80, and redirect everything else to my
> Cisco Router?

You don't need to "redirect everything else", it should be routed there by
the machine as normal. These rules get applied before routing is done,
that way you can redirect or rewrite things before passing them on. The
whole point of the above 'rdr' rules is to hijack the web requests.

> Finally, has anyone succeeded in actually getting this to work on a
> similar setup as mine? I'd appreciate hearing any suggestions, traps,
> horror stories which you went through - and possibly maybe seeing a copy of
> your /etc/rc.conf, your ipnat rules, etc. for diff'ing? I could always
> just switch to LiNUX I guess, but gosh-darnit, I *like* FreeBSD too much to
> want to switch. ;-)

Get your FreeBSD machine running as a router with a single ethernet on two
subnets first. If you want to use two ethernet cards the setup is exactly
the same just cabled differently.

It should look something like this

  Subnet A Subnet B
  -------------- -----------
  Access Servers Router
  FreeBSD addr 1 FreeBSD addr 2

Seeya...Q

               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                        
                          _____ / Quinton Dolan - q@fan.net.au
  __ __/ / / __/ / / Systems Administrator
     / __ / _/ / / Fast Access Network
  __/ __/ __/ ____/ / - / Gold Coast, QLD, Australia
                    _______ / Ph: +61 7 5574 1050
                           \_\ SAGE-AU Member
Received on Fri Oct 16 1998 - 19:52:13 MDT