[squid-users] squid, iptables and virtual server addresses

From: Robin Stevens <robin.stevens@dont-contact.us>
Date: Mon, 18 Jun 2001 16:51:47 +0100

One little problem has emerged while setting up two squid boxes on Linux
2.4 kernels using iptables. Squid version is 2.3 with netfilter config
option enabled.

Our cache farm sits behind a layer 4 switch, and is primarily used as a
purely "transparent" proxy. However, some clients use our "virtual server"
address of wwwcache.ox.ac.uk. This is hosted on the L4 switch, which
forwards traffic into one of the cache machines. We support both ports 80
and 8080 on the virtual server. The former is simple, as it is merely
caught by the port 80 intercept at our router. The latter is maintained
for historical reasons and still used by a handful of clients.

Requests to wwwcache.ox.ac.uk 8080 are handled fine by our existing Solaris
8/ipfilter and Linux 2.2/ipchains servers. However, under Linux 2.4 they
don't work, although intercepted traffic is working fine. Running tcpdump
on both client and server reveals why:

As seen by server:

client 15635 > server 8080 SYN
server 8080 > client 15635 SYN,ACK
client 15635 > server 8080 RST
client 15365 > server 8080 SYN [retries conversation]

Looks reasonable at first, but why is the client resetting? A look at the
client end reveals why (where wwwcache is the _virtual_ server's IP):

client 3762 > wwwcache 8080 SYN
server 8080 > client 15635 SYN,ACK
client 15635 > server 8080 RST
client 3762 > wwwcache 8080 SYN [retries conversation]

Evidently something's up with the network address translation when the
server sends its SYN,ACK to the client: the client should receive a packet
to client 3762 from source wwwcache 8080, but doesn't.

The server is configured for interception caching as described at
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.4 but I'm guessing
that some additional rule is needed. Unfortunately I'm no iptables expert:
can anyone suggest a fix?

Thanks,
        Robin

-- 
--------------- Robin Stevens  <robin.stevens@oucs.ox.ac.uk> -----------------
Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
------- (+44)(0)1865: 273212 (work) 273275 (fax)  Mobile: 07776 235326 -------
Received on Mon Jun 18 2001 - 09:51:49 MDT
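The symptom described above (the SYN,ACK coming back from the real server address and a different port instead of the virtual server address the client dialled) can be spotted mechanically by pairing each client SYN with the reply it provokes. The script below is an added example, not part of the original post or of Squid; it parses the simplified trace notation used in the post (both traces are transcribed from the message) and flags any SYN,ACK whose source endpoint is not the destination of the client's outstanding SYN, which is the mismatch that makes the client's TCP stack answer with a RST. The `Packet` type and the finding dictionary keys are this example's own names.

```python
"""Pair TCP handshakes in a simplified tcpdump-style trace and flag replies
whose endpoints do not match the client's original SYN.

Added example for the squid-users thread on virtual-server NAT; the trace
notation and the two sample traces come from the post itself."""
import re
from dataclasses import dataclass

# One line of the post's notation: "<src> <sport> > <dst> <dport> <FLAGS>"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+>\s+(\S+)\s+(\d+)\s+([A-Z,]+)")

# Transcribed from the post: the handshake as seen on the server.
SERVER_VIEW = """
client 15635 > server 8080 SYN
server 8080 > client 15635 SYN,ACK
client 15635 > server 8080 RST
client 15365 > server 8080 SYN [retries conversation]
"""

# Transcribed from the post: the same handshake as seen on the client,
# where "wwwcache" is the L4 switch's virtual server address.
CLIENT_VIEW = """
client 3762 > wwwcache 8080 SYN
server 8080 > client 15635 SYN,ACK
client 15635 > server 8080 RST
client 3762 > wwwcache 8080 SYN [retries conversation]
"""


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse(trace):
    """Turn trace lines into Packet records; trailing annotations are ignored."""
    pkts = []
    for line in trace.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        pkts.append(Packet(src, int(sport), dst, int(dport),
                           frozenset(flags.split(","))))
    return pkts


def analyze(trace):
    """Return a list of findings: untranslated replies, unsolicited SYN,ACKs
    and resets, in the order they occur in the trace."""
    findings = []
    pending = {}  # client SYNs awaiting a SYN,ACK, keyed by (src host, sport)
    for p in parse(trace):
        if p.flags == {"SYN"}:
            pending[(p.src, p.sport)] = p
        elif p.flags == {"SYN", "ACK"}:
            exact = pending.get((p.dst, p.dport))
            if exact is not None and (exact.dst, exact.dport) == (p.src, p.sport):
                # Reply source is exactly what the client dialled: healthy.
                del pending[(p.dst, p.dport)]
                continue
            # No outstanding SYN has these endpoints. Relate the reply to the
            # client's most recent SYN so the mismatch can be described.
            syns = [s for s in pending.values() if s.src == p.dst]
            if not syns:
                findings.append({"kind": "unsolicited_synack",
                                 "reply_from": f"{p.src}:{p.sport}"})
                continue
            syn = syns[-1]
            findings.append({
                "kind": "untranslated_reply",
                "client_sent_to": f"{syn.dst}:{syn.dport}",
                "reply_from": f"{p.src}:{p.sport}",
                "client_port": syn.sport,
                "reply_to_port": p.dport,
            })
        elif "RST" in p.flags:
            findings.append({"kind": "reset",
                             "from": f"{p.src}:{p.sport}",
                             "to": f"{p.dst}:{p.dport}"})
    return findings


if __name__ == "__main__":
    for name, trace in (("server view", SERVER_VIEW), ("client view", CLIENT_VIEW)):
        print(name)
        for f in analyze(trace):
            print("  ", f)
```

Run against the server-side capture it reports only the reset, matching the observation that the trace "looks reasonable" from that vantage point; the client-side capture additionally yields an `untranslated_reply` finding showing that the client sent to `wwwcache:8080` from port 3762 but the SYN,ACK arrived from `server:8080` addressed to port 15635, so the client's stack has no connection to attach it to.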
