Re: [squid-users] Transparent proxy. router + dedicated server

Rafal Ramocki wrote:
> Amos Jeffries pisze:
>> Rafal Ramocki wrote:
>>> Amos Jeffries wrote:
>>>>> Hello,
>>>>>
>>>>> I have problem with my squid setup. For quite long time I've been
>>>>> using
>>>>> Squid 2.6 STABLE-17. I decidet to switch to squid 3.0 but there is
>>>>> problem.
>>>>>
>>>>> My configuration is:
>>>>>
>>>>> large network -> nat router (linux) -> router (hardware ATM) ->
>>>>> internet
>>>>> \ /
>>>>> squid
>>>>>
>>>>> Most of traffic is nat'ed on nat router, and forwarded to border
>>>>> hardware atm router. HTTP traffic (port 80) is DNAT'ed to machine with
>>>>> squid. And that setup worked fine for now. But after switching to
>>>>> 3.0 I
>>>>> have following error message:
>>>>>
>>>>> ERROR
>>>>> The requested URL could not be retrieved
>>>>>
>>>>> While trying to retrieve the URL: /
>>>>>
>>>>> The following error was encountered:
>>>>>
>>>>> * Invalid URL
>>>>>
>>>>> Here are few directives from my configuration file.
>>>>>
>>>>> http_port 80 transparent
>>>>> icp_port 0
>>>>> htcp_port 0
>>>>> tcp_outgoing_address X.X.X.X
>>>>> dns_nameservers X.X.X.X
>>>>>
>>>>>
>>>>> I have been working on it for a quite long time. I have been googling
>>>>> but i have found information about one server setups. Even in squid
>>>>> faq
>>>>> there is only that configuration.
>>>>>
>>>>> Please help ;)
>>>>
>>>> What you have is in no way transparent. As long as DNAT was used
>>>> never has
>>>> been.
>>>
>>> That setup worked for me for something about 4 years. Transparent for
>>> me menas with no configuration in browsers.
>>>
>>>> Transparent interception is done with REDIRECT (netfilter) or TPROXY-2
>>>> when squid sits on the NAT box with the full NAT tables available to
>>>> it.
>>>
>>> It is not possilble in my case. My network is 3000+ nodes. Both
>>> machines are under heavy load. And i just cant place squid, filtering
>>> and traffic controll on one single machine. I also don't want to
>>> place squid after router as long as that setup is less fail proof.
>>>
>>>> Using DNAT to another box isolates squid from the information it
>>>> needs to
>>>> work transparently,
>>>
>>> Funny is that squid never needed that information ;)
>>>
>>>> but it can still be faked with an semi-open proxy
>>>> config.
>>> >
>>>> You need the following for starters:
>>>>
>>>> # cope with standard web requests ...
>>>> http_port 80 vhost
>>>> # SECURE the access!!!!
>>>> acl localnet src 10.0.0.0/8
>>>> http_access deny !localnet
>>>>
>>>> ** alter the ACL to contain the IP ranges you are intercepting.
>>>
>>> I've already tried that similar configuration. And I've tried once
>>> more. The reslt is:
>>>
>>> ERROR
>>> The requested URL could not be retrieved
>>>
>>> While trying to retrieve the URL: http://www.debian.org/
>>>
>>> The following error was encountered:
>>>
>>> * Unable to forward this request at this time.
>>>
>>> This request could not be forwarded to the origin server or to any
>>> parent caches. The most likely cause for this error is that:
>>>
>>> * The cache administrator does not allow this cache to make
>>> direct connections to origin servers, and
>>> * All configured parent caches are currently unreachable.
>>>
>>> In cache.log I have:
>>>
>>> 2008/03/10 09:16:53| Failed to select source for
>>> 'http://www.debian.org/'
>>> 2008/03/10 09:16:53| always_direct = 0
>>> 2008/03/10 09:16:53| never_direct = 0
>>> 2008/03/10 09:16:53| timedout = 0
>>>
>>>
>>> I think in that setup directives cache_peer* are mandatory. But I
>>> cant't define in that way whole internet ;)
>>
>> No not mandatory. The semi-open-proxy config should be lettign
>> internal requests out in your setup.
>>
>>>
>>>> NP: broken non-HTTP-compliant client software will still get that error
>>>> page, but compliant software like most browsers will get through okay.
>>>
>>> That is OK for me. I also want to ensure that by port 80 is
>>> transmited only http traffic and not for example p2p.
>>>
>>> Any ideas? Because I'm running out. :)
>>
>> This second problem you are now hitting (Unable to forward) shows a
>> problem making general web requests.
>>
>> - check that the squid box is able to make outbound port-80 requests.
>> (particularly without looping back through itself!)
>
> Yes it can. When i configure proxy in browser it works fine. I have
> similar test environment. In the same configuration when I'm redirecting
> it works fine, when I'm configuring browser to use squid it works fine.
> It doesn't work when I'm dnating from other machine.
>
>> - check that the squid box can resolve the domain its fetching
>
> Squid box can resolve DNS. Squid it self should resolbe to.
> Configuration is the same like in squid i'm currently using (2.6 Stable
> 17).
>

In which case it looks like either something else in the config blocking
that request or a transport-layer problem.

If you set: debug_options ALL,5

What shows up as the preceeding 150 or so cache.log lines to the "Failed
to select source for" entry?

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.