Re: [squid-users] TPROXY general problems because...I just don't know...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Jul 2009 23:10:15 +1200

Thing to note before starting:
  none of your text below has anything to do with the TPROXY feature.
Current Ubuntu official releases are not even TPROXYv2 or TPROXYv4 enabled.

  You are discussing a NAT interception proxy (aka transparent proxy to
some people).

hardin369 wrote:
> Been through lots of guides and I did manage to set up a proxy web caching
> server. But when I activate it everything goes to hell. First problem I have
> is that when I start it it says "unrockognized....vhost"! Ok, but my main

Hmm, one thing to check here. I've heard of a firewall (SonicForge or
something like that) which does interception and can send traffic to
Squid. Uses a proxy of its own which attempts to get around
CVE-2009-0801 interception flaw by adding the destination IP address as
the Host: header entry. This screws up many virtual hosted web servers.

> problem is that I have NAT device connected to computer on which proxy is
> installed. I'm running ubuntu latest, squid3. NAT device is actually
> security gateway for wifi network. In NAT I enter proxy address
> 192.168.1.99: 3128 and that's all.

For interception to log accurate visitor IP addresses with Squid the NAT
needs to be happening on the Squid box. That is an absolute requirement.

DNAT is possible to seem operating properly on a different box, but you
lose all hope of accurate IP information about requests.

Two things you need to check are that the requests leaving the Squid box are
NOT, absolutely NOT, being caught by the NAT rules again and sent back to
Squid.

> All settings in my squid.conf are
> configured through internet guides. It is simply slow, very slow, my
> computer is not fast but this is for 20 users max. So that should not be any
> problem...

  * Check the above looping problem.
  * Check that the Squid box has fast DNS access.
  * check that enough memory is available (NOTE: cache_mem is the amount
of RAM allocated for storage of recently used objects. Thus the
_minimum_ Squid will need. Indexes and in-transit stuff need a lot more
on top)
  * check that NAT functionality is loaded and running on the Squid box.
Even if unused, it will prevent the OS timing out trying to locate NAT
data on every request.

>
> http_access allow localnet
> http_access allow localhost
> http_access allow all

This "allow all" is severely dangerous.

> acl localnet src 192.168.1.0 192.168.1.99/32

The two IP addresses 192.168.1.0/32 and 192.168.1.99/32 are the only two
computers on the network? I think you mean 192.168.1.0/24.

Which makes it work without needing "allow all", which is downright
dangerous. "all" means exactly that: 'all the entire Internet' has
access through your Squid box if they can get there.

> http_port 192.168.1.99:3128 transparent
> (these lines up are not in this order)

Order is important in squid.conf:
   acl must come before http_access,
   order of specific http_access determines which of the individual
lines has privilege and is used.

   other default settings may or may not affect this depending on where
they are above or below these.

>
> Everything else is default! I want web caching server that everybody from
> 192.168.1.0/99 network can access. Idea is to get Internet to work faster!

/99 ?? Please look up the meaning of the technical term CIDR.

To do that change your ACL line to this:
   acl localnet src 192.168.1.0/24

To conclude:
   The best guide you will find for Ubuntu Squid-3 interception proxy
setup is this one:
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

It contains everything different from the default system settings that
needs changing to operate interception. All you need do is add your
internal network ranges to the squid.conf localnet ACL, and

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
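An added example (not from this thread or the Squid project) that models the ordering and CIDR points made above: it reads acl/http_access lines in file order, treats a bare address such as 192.168.1.0 as one host (/32), refuses an http_access line that names an acl not yet defined, and decides a client IP the way Squid does (first http_access line whose ACLs all match wins; if none match, the opposite of the last line applies). The parsed squid.conf subset and both configurations are constructed for illustration.

```python
import ipaddress

def parse_access_config(conf):
    """Read 'acl NAME src ...' and 'http_access allow|deny NAME...' lines in file order
    (only the squid.conf subset this thread uses; 'all' and 'localhost' are Squid built-ins)."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")],
            "localhost": [ipaddress.ip_network("127.0.0.1/32")]}
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) > 3 and words[2] == "src":
            # A bare address such as 192.168.1.0 is a single host (/32), not a network.
            acls.setdefault(words[1], []).extend(
                ipaddress.ip_network(a, strict=False) for a in words[3:])
        elif words[0] == "http_access" and len(words) > 2:
            action, names = words[1], words[2:]
            missing = [n for n in names if n not in acls]
            if missing:  # Squid refuses to start: acl lines must come before http_access
                raise ValueError(f"http_access uses undefined acl(s): {missing}")
            rules.append((action == "allow", names))
    return acls, rules

def is_allowed(conf, client_ip):
    """First http_access line whose ACLs all match decides; if none match,
    Squid applies the opposite of the last line's action."""
    acls, rules = parse_access_config(conf)
    ip = ipaddress.ip_address(client_ip)
    for allow, names in rules:
        if all(any(ip in net for net in acls[n]) for n in names):
            return allow
    return not rules[-1][0] if rules else False

# Constructed configs: the posted ACL and rule set, and the corrected version.
POSTED_CONF = """
acl localnet src 192.168.1.0 192.168.1.99/32
http_access allow localnet
http_access allow localhost
http_access allow all
"""
FIXED_CONF = """
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access allow localhost
http_access deny all
"""
```

With the posted configuration an address outside the LAN (203.0.113.5 below is a documentation address) is admitted only by "allow all"; with the corrected one it is denied while the whole 192.168.1.0/24 range is served.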
Received on Fri Jul 17 2009 - 11:10:22 MDT