Re: [squid-users] Tproxy

From: Nyamul Hassan <mnhassan_at_usa.net>
Date: Mon, 2 Mar 2009 01:28:55 +0600

I think you cannot have both the following lines:

http_port 3128
http_port 8080 tproxy

Which version of Squid are you using?

Just as a test, can you browse from your clients if you set manual proxy
settings?

Regards
HASSAN

----- Original Message -----
From: "vivian t" <vivijant_at_gmail.com>
To: <squid-users_at_squid-cache.org>
Sent: Sunday, March 01, 2009 17:42
Subject: [squid-users] Tproxy

Hello,

[root_at_squid ~]# dmesg |grep TPROXY
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

kernel is 2.6.28
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m

my squid.conf is

cache_dir aufs /var/spool/squid 20000 130 256
cache_mem 128 MB
maximum_object_size 5 MB
maximum_object_size_in_memory 32 kb
cache_swap_low 98%
cache_swap_high 99%
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
high_memory_warning 1500 MB
ipcache_high 99
ipcache_low 98
ipcache_size 4096
cache_store_log none
logfile_rotate 7
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl 1 src "/usr/local/squid/etc/net"

http_access allow 1
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all

http_port 3128
http_port 8080 tproxy
coredump_dir /var/spool/squid
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
cache_effective_user squid
cache_effective_group squid
visible_hostname squid

half_closed_clients off
memory_pools off
shutdown_lifetime 10 seconds
store_dir_select_algorithm round-robin

[root_at_squid ~]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DIVERT tcp -- 0.0.0.0/0 0.0.0.0/0 socket
2 TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination

Chain DIVERT (1 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

The Squid server is running; I can browse sites from it,
but the users couldn't surf anything.
E.g.:
when trying to open www.google.com,
he got (110) connection timed out.
In my access.log:
1235902268.931 180883 172.25.10.110 TCP_MISS/504 3929 GET http://www.google.com/ - DIRECT/64.233.183.99 text/html

Note: I don't use bridge or WCCP.

What is wrong?
Received on Sun Mar 01 2009 - 19:33:37 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 02 2009 - 12:00:01 MST