Re: [squid-users] Squid-3 + Tproxy4 clarification

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 06 Nov 2008 00:39:36 +1300

Arun Srinivasan wrote:
> Thanks for the response.
>
> " - does the client IP have access to use the hidden peer proxy?"
> Yes. To ensure this I tried it out with an 'nc' utility instead of peer proxy.
>
> "- do the connections between peers go over lo interface? I'm not sure
> what the special kernel behavior with public IPs on localhost
> interface would be."
> Yes. I could see the connections go over lo interface. However, it is
> not getting handled by the stack.

Aha, there is the problem then.
Henrik's other post described the problem clearly, so I won't repeat.

To get this to work you will likely need to try having both squid
instances listening on different ports of the machine's public IP.
You will still lose the spoofing ability within the second-hop proxy,
but the traffic should at least flow properly.

Amos

>
> 2008/11/4 Amos Jeffries <squid3_at_treenet.co.nz>:
>> Arun Srinivasan wrote:
>>> Hi List,
>>>
>>> Has anyone successfully used cache_peer support with tproxy4 enabled?
>> Not that I'm aware of at this point.
>>
>>> The scenario is running Squid proxy with tproxy4 enabled and another
>>> http proxy (no tproxy4) on the same box.
>>>
>>> First Squid would receive the request from the user, then connects to
>>> its cache_peer which is the other http proxy.
>>>
>>> With tproxy enabled, am not able to establish connection between Squid
>>> and the other proxy. However, in interception mode, am able to do
>>> this.
>>>
>>> Please advise if I am missing out anything.
>>>
>>> Following are the packages and its versions used:
>>> Kernel version: 2.6.26
>>> Tproxy version: tproxy4-2.6.26-200809262032
>>> iptables version: tproxy-iptables-1.4.0-20080521-113954-1211362794
>>> Squid version: squid-3.HEAD-20081021
>> The new TPROXY/Squid interaction is that it natively spoofs the client IP on
>> all outbound links made newly for that request.
>>
>> Two things to check are:
>> - does the client IP have access to use the hidden peer proxy?
>>
>> - do the connections between peers go over lo interface? I'm not sure what
>> the special kernel behavior with public IPs on localhost interface would be.
>>
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
>> Current Beta Squid 3.1.0.1
>>
>
>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.1
Received on Wed Nov 05 2008 - 11:39:41 MST
