Re: [squid-users] Re: [squid-users] HTTPS & transparent proxy

From: James Steele <james9s@dont-contact.us>
Date: Thu, 30 Mar 2006 06:27:42 -0800 (PST)

I'm still looking for advice on how to get Transparent
working.
I'm using a brand new install of Fedora Core 5 on a
formatted HDD. I think of it as a "vanilla" install. I
picked "development" as the server type, selected no
to the Firewall, and hard coded the single ethernet
NIC. I then let YUM update my system.

I fired up the default Squid (which YUM had updated to
squid-2.5.STABLE13-1.FC5) with the normal squid lines
of:
  http_port 3128
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

My router was configured too and it is seeing the
cache and sending GRE to it.

Fedora was configured with:
/etc/sysctl.conf:
   net.ipv4.ip_forward = 1
   net.ipv4.conf.default.rp_filter = 0
   net.ipv4.conf.default.accept_source_route = 0
   kernel.sysrq = 0
   kernel.core_uses_pid = 1
   net.ipv4.tcp_syncookies = 1

and:
  ip tunnel add wccp mode gre remote <my router> dev eth0
  ifconfig wccp 127.0.0.2 up
  iptables -t nat -F
  iptables -t nat -A PREROUTING -i wccp -p tcp --dport 80 -j REDIRECT --to-ports 3128

tcpdump -vvi any -n ip <-- shows the UDP chatter plus
a GRE packet from the router, followed by the apparent
decode of the GRE packet (showing the browser source
and webserver destination)

However, nothing else occurs. I am expecting to see a
SYN-ACK back to the workstation and either Squid
fetching the target or serving it up from cache.
Nothing. Just the two packets, the GRE and the decode
of it (SYN)

The workstation/browser tries 6 times before giving up
and I see the 6 GRE packets, the 6 decodes and the UDP
chatter.

iptables -vnt nat -L <-- shows 6 REDIRECTs, but
log/squid/access.log shows no entries.
iptables -t nat -A PREROUTING -i wccp -p tcp --dport 80 -j LOG <-- add this and
log/messages shows the REDIRECT'd traffic:
Mar 30 06:14:35 squidsrv kernel: IN=wccp OUT=
MAC=45:00:00:48:01:70:00:00:ff:2f:36:94:c0:a8:01:0a:c0:a8:01:28:00:00:88:3e:45:00:00:30:a7:85:40:00:7f:06:7e:9e:c0:a8
SRC=172.16.1.133 DST=72.14.203.104 LEN=48 TOS=0x00
PREC=0x00 TTL=127 ID=42885 DF PROTO=TCP SPT=3831
DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

Any advice on where to look? Any way to see what
happens with the redirected packet?

Received on Thu Mar 30 2006 - 07:27:48 MST
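To check what that LOG rule actually captured, here is an added example (not from the thread or from Squid): it parses the quoted kernel log line and decodes the MAC= field, which on a GRE tunnel device holds the outer IPv4 header and GRE header rather than a MAC address, then cross-checks the decapsulated SYN against the fields netfilter printed. It assumes the log line exactly as quoted in the post; the only constant it adds is GRE protocol type 0x883E (WCCP).

```python
import struct
from ipaddress import IPv4Address
# Constructed sample: the kernel LOG entry quoted in the post, re-joined onto one line.
SAMPLE_LOG = (
    "Mar 30 06:14:35 squidsrv kernel: IN=wccp OUT= "
    "MAC=45:00:00:48:01:70:00:00:ff:2f:36:94:c0:a8:01:0a:c0:a8:01:28:00:00:88:3e:"
    "45:00:00:30:a7:85:40:00:7f:06:7e:9e:c0:a8 "
    "SRC=172.16.1.133 DST=72.14.203.104 LEN=48 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=42885 DF PROTO=TCP SPT=3831 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0"
)

def parse_log_line(line):
    """Split a netfilter LOG entry into KEY=VALUE fields and bare flags (DF, SYN, ...)."""
    fields, flags = {}, set()
    for token in line.split("kernel: ", 1)[1].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            flags.add(token)
    return fields, flags

def decode_tunnel_header(mac_field):
    """On a GRE tunnel device MAC= is the outer IPv4 header + GRE header + start of inner IP."""
    raw = bytes.fromhex(mac_field.replace(":", ""))
    ihl = (raw[0] & 0x0F) * 4
    _, _, olen, _, _, ottl, oproto, _, osrc, odst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    outer = {"ihl": ihl, "len": olen, "ttl": ottl, "proto": oproto,
             "src": str(IPv4Address(osrc)), "dst": str(IPv4Address(odst))}
    _, gre_proto = struct.unpack("!HH", raw[ihl:ihl + 4])   # GRE flags/version, protocol type
    inner_raw = raw[ihl + 4:]   # truncated: LOG prints only the device's link-layer prefix
    inner = {}
    if len(inner_raw) >= 10:
        ilen, iid, ifrag, ittl, iproto = struct.unpack("!HHHBB", inner_raw[2:10])
        inner = {"len": ilen, "id": iid, "df": bool(ifrag & 0x4000), "ttl": ittl, "proto": iproto}
    return outer, gre_proto, inner

def check_consistency(fields, flags, outer, gre_proto, inner):
    """Cross-check decoded headers against the fields netfilter printed for the decapsulated
    packet; an empty list means the logged SYN really is the WCCP-encapsulated client SYN."""
    problems = []
    if outer["proto"] != 47 or gre_proto != 0x883E:   # 47 = GRE, 0x883E = WCCP in GRE
        problems.append("outer packet is not WCCP-over-GRE")
    if outer["len"] != outer["ihl"] + 4 + int(fields["LEN"]):
        problems.append("outer length != outer IP + GRE + inner LEN")
    expected = {"len": int(fields["LEN"]), "id": int(fields["ID"]), "ttl": int(fields["TTL"]),
                "df": "DF" in flags, "proto": 6 if fields["PROTO"] == "TCP" else None}
    problems += [f"inner {k} mismatch" for k, v in expected.items() if inner.get(k) != v]
    return problems
```

An empty result from check_consistency confirms the tunnel and the router-side redirect are delivering the client's SYN intact to the nat PREROUTING hook, so the missing SYN-ACK has to be lost later, in routing or local delivery, rather than on the GRE path.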
