Re: [squid-users] TPROXY general problems because...I just don't know...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 18 Jul 2009 02:30:16 +1200

ivan zivkovic wrote:
> This is what I got from *access.log.1*
>
> 1247569933.948 2355 192.168.1.0 TCP_MISS/200 6541 GET http://www.google.hr/ - DIRECT/74.125.87.99 text/html
> 1247569938.386 4309 192.168.1.0 TCP_MISS/200 17592 GET http://www.google.hr/extern_js/f/CgJlbhICaHIrMAo4GywrMA44BSwrMBY4DiwrMBc4AywrMBg4BCwrMBk4BCwrMCU4yYgBLCswJjgFLCswJzgCLA/n2_RYniADdU.js - DIRECT/74.125.87.104 text/javascript
> 1247569940.604 2189 192.168.1.0 TCP_MISS/204 267 GET http://clients1.google.hr/generate_204 - DIRECT/74.125.87.101 text/html
> 1247569942.311 1697 192.168.1.0 TCP_MISS/204 357 GET http://www.google.hr/csi? - DIRECT/74.125.87.103 text/html
> 1247569951.263 1684 192.168.1.0 TCP_MISS/200 6541 GET http://www.google.hr/ - DIRECT/74.125.87.147 text/html
> 1247569951.396 0 192.168.1.0 TCP_NEGATIVE_HIT/204 274 GET http://clients1.google.hr/generate_204 - NONE/- text/html
> 1247569953.001 1603 192.168.1.0 TCP_MISS/204 357 GET http://www.google.hr/csi? - DIRECT/74.125.87.99 text/html
>
>
> Ok, sorry for TPROXY... But one thing I don't understand - /NAT needs to
> be happening on the Squid box/. I have NAT (AirLive Security Gateway
> MW2000-S) which controls access to the network, but to configure NAT on my
> PC. If I got you correctly here is the problem I think.

I think so too. If you notice the NAT lines in the tutorial I pointed
your way, there are two of them. The first prevents packets from Squid
box being NATed. The second does the NAT for everything else.

Make sure the AirLive is able to do that and some of the problems will
disappear. If not you will have to find some other way to bypass it for
the Squid box outbound messages.

If you have access to the AirLive routing and enough control to policy
route just the port-80 packets at Squid, that would be the best
solution. I'm not sure if it's possible though. Most plug-n-play consumer
boxes don't allow enough control.

Good luck with it. Sorry I can't be of more or detailed help.

> And I did change acl localnet src to 192.168.1.0/24!
>
> Everything else is default! I want web caching server that everybody from
> 192.168.1.0/99 network can access. Idea is to get Internet to work faster!
>
> What I meant here is all from 192.168.1.0 - 192.168.1.99! Sorry...
>

Ah, okay. For odd start/end numbers like this it's just the first-last range:

   acl localnet src 192.168.1.0-192.168.1.99

> I have shorewall firewall. Holy shit I have so much to learn but it is
> interesting! Oh, I have Squid 3.0 stable 8

Okay. I can't provide much help there I'm afraid. I found shorewall too
tricky and limited when I tried it. So I have an idea how it's
configured, but the details you need are unknown to me.

IIRC there is a nat table file somewhere. You need to figure out which
order to write the columns. But the details to enter in are the same as
those seen in the iptables NAT lines of the tutorial.

>
> On Fri, Jul 17, 2009 at 1:10 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> Thing to note before starting:
> none of your text below has anything to do with the TPROXY feature.
> Current Ubuntu official releases are not even TPROXYv2 or TPROXYv4
> enabled.
>
> You are discussing a NAT interception proxy (aka transparent proxy
> to some people).
>
> hardin369 wrote:
>
> > Been through lots of guides and I did manage to set up a proxy
> > web caching server. But when I activate it everything goes to hell.
> > First problem I have is that when I start it it says
> > "unrockognized....vhost"! Ok, but my main
>
> Hmm, one thing to check here. I've heard of a firewall (SonicForge
> or something like that) which does interception and can send traffic
> to Squid. Uses a proxy of its own which attempts to get around
> CVE-2009-0801 interception flaw by adding the destination IP address
> as the Host: header entry. This screws up many virtual hosted web
> servers.
>
> > problem is that I have NAT device connected to computer on which
> > proxy is installed. I'm running ubuntu latest, squid3. NAT device is
> > actually security gateway for wifi network. In NAT I enter proxy
> > address 192.168.1.99:3128 and that's all.
>
> For interception to log accurate visitor IP addresses with Squid the
> NAT needs to be happening on the Squid box. That is an absolute
> requirement.
>
> DNAT may appear to operate properly on a different box, but
> you lose all hope of accurate IP information about requests.
>
> Two things you need to check is that the requests leaving squid box
> are NOT. Absolutely NOT being caught by the NAT rules again and sent
> back at Squid.
>
> > All settings in my squid.conf are configured through internet guides.
> > It is simply slow, very slow, my computer is not fast but this is for
> > 20 users max. So that should not be any problem...
>
> * Check the above looping problem.
> * Check that the Squid box has fast DNS access.
> * check that enough memory is available (NOTE: cache_mem is the
> amount of RAM allocated for storage of recently used objects. Thus
> the _minimum_ Squid will need. Indexes and in-transit stuff needs a
> lot more on top)
> * check that NAT functionality is loaded and running on the Squid
> box. Even if unused, it will prevent the OS timing out trying to
> locate NAT data on every request.
>
> > http_access allow localnet
> > http_access allow localhost
> > http_access allow all
>
> This "allow all" is severely dangerous.
>
> > acl localnet src 192.168.1.0 192.168.1.99/32
>
> The two IP addresses 192.168.1.0/32 and 192.168.1.99/32 are the only
> two computers on the network? I think you mean 192.168.1.0/24.
>
> Which makes it work without needing "allow all", which is downright
> dangerous. "all" means exactly that: 'all the entire Internet' has
> access through your Squid box if they can get there.
>
> > http_port 192.168.1.99:3128 transparent
> > (these lines up are not in this order)
>
> Order is important in squid.conf:
> acl must come before http_access,
> order of specific http_access determines which of the individual
> lines has privilege and is used.
>
> other default settings may or may not affect this depending on
> where they are above or below these.
>
> > Everything else is default! I want web caching server that
> > everybody from 192.168.1.0/99 network can access. Idea is to get
> > Internet to work faster!
>
> /99 ?? Please look up the meaning of the technical term CIDR.
>
> To do that change your ACL line to this:
>
> acl localnet src 192.168.1.0/24
>
> To conclude:
> The best guide you will find for Ubuntu Squid-3 interception proxy
> setup is this one:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> It contains everything different from the default system settings
> that needs changing to operate interception. All you need do is add
> your internal network ranges to the squid.conf localnet ACL, and
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
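The "two NAT lines" point from the reply above, worked as an added example that is neither part of the thread nor taken from the LinuxDnat wiki page it links: a first-match simulation of the nat PREROUTING chain. The two rules are my reconstruction of the pattern Amos describes (exempt the Squid box's own port-80 traffic first, DNAT everything else second); the address 192.168.1.99:3128 is the proxy address from the thread, and the LAN client address is constructed. The simulation shows the loop that appears when the exemption is missing: Squid's own upstream fetch is redirected straight back into Squid. One caveat for readers running the NAT on the Squid box itself: packets that box generates locally traverse the nat OUTPUT chain, not PREROUTING, so the exemption matters when Squid's traffic passes through a NATting device on the path (the AirLive in this thread), or when it is written against the OUTPUT chain instead.

```python
"""Added example (not from the thread or the Squid project): a first-match
simulation of the nat PREROUTING chain, used to show why the interception
NAT needs two lines.  The rule text is a reconstruction of the pattern
described in the thread, not a copy of the wiki page it links."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SQUID_IP = "192.168.1.99"   # proxy address from the thread
SQUID_PORT = 3128           # http_port from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One nat PREROUTING rule: optional -s / --dport match, ACCEPT or DNAT."""
    target: str
    dport: Optional[int] = None
    src: Optional[str] = None
    to: Optional[Tuple[str, int]] = None   # DNAT --to-destination

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        return True

    def as_iptables(self) -> str:
        """Render the rule as the iptables command that would install it."""
        parts = ["iptables -t nat -A PREROUTING"]
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.dport is not None:
            parts.append(f"-p tcp --dport {self.dport}")
        if self.target == "DNAT":
            parts.append(f"-j DNAT --to-destination {self.to[0]}:{self.to[1]}")
        else:
            parts.append(f"-j {self.target}")
        return " ".join(parts)


def apply_chain(rules: List[Rule], pkt: Packet) -> Packet:
    """Walk the chain; the first matching rule terminates it (netfilter
    semantics for ACCEPT and DNAT).  ACCEPT leaves the packet alone,
    DNAT rewrites its destination.  Chain policy is ACCEPT."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "DNAT":
                return Packet(pkt.src, rule.to[0], rule.to[1])
            return pkt
    return pkt


def would_loop(rules: List[Rule], pkt: Packet) -> bool:
    """True when a request the Squid box itself sends out is steered back
    into Squid: the 'caught by the NAT rules again' case from the thread."""
    out = apply_chain(rules, pkt)
    return pkt.src == SQUID_IP and (out.dst, out.dport) == (SQUID_IP, SQUID_PORT)


# Rule 1: the Squid box's own outbound port-80 traffic is left alone.
EXEMPT_SQUID = Rule("ACCEPT", dport=80, src=SQUID_IP)
# Rule 2: every other port-80 request is redirected to Squid's http_port.
INTERCEPT = Rule("DNAT", dport=80, to=(SQUID_IP, SQUID_PORT))

GOOD_CHAIN = [EXEMPT_SQUID, INTERCEPT]
BAD_CHAIN = [INTERCEPT]            # rule 1 forgotten


if __name__ == "__main__":
    for r in GOOD_CHAIN:
        print(r.as_iptables())
    client = Packet("192.168.1.10", "74.125.87.99", 80)   # constructed LAN client
    squid = Packet(SQUID_IP, "74.125.87.99", 80)          # Squid fetching upstream
    print("client ->", apply_chain(GOOD_CHAIN, client))
    print("loop with both rules:", would_loop(GOOD_CHAIN, squid))
    print("loop with rule 1 missing:", would_loop(BAD_CHAIN, squid))
```

Rule order is the whole point: swap the two lines and the DNAT matches first, so the exemption never fires and the Squid box's fetches loop just as if it were missing.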
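The squid.conf points in the quoted reply (acl must come before http_access, the first matching http_access line wins, "allow all" is dangerous, "/99" is not CIDR) as an added example, not part of the thread and not Squid's own parser: a small checker that reads only `acl NAME src ...` and `http_access allow|deny ...` lines and reports those mistakes, plus a `decide()` that walks the http_access list the way Squid does, including Squid's documented fallback of applying the opposite of the last line when nothing matches. The two sample configs are constructed to mirror the thread: the corrected first-last range Amos gives, and the original ordering mistakes; the built-in `all` ACL is assumed, `localhost` is defined in the sample as in a 3.0 default config.

```python
"""Added example, not part of the thread or of Squid itself: a minimal
checker for the squid.conf mistakes discussed above.  It understands only
'acl NAME src ...' and 'http_access allow|deny ACL...' lines, enough to
show (1) an acl referenced before it is defined, (2) a bad src value such
as 192.168.1.0/99, (3) 'http_access allow all', and (4) which http_access
line actually wins for a given client address."""
import ipaddress
from typing import Callable, Dict, List, Tuple

Pred = Callable[[ipaddress.IPv4Address], bool]


def parse_src_value(value: str) -> Pred:
    """One 'src' value: CIDR (prefix <= 32), a bare address, or a
    first-last range such as 192.168.1.0-192.168.1.99."""
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p) for p in value.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after its end: {value}")
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(value, strict=False)   # raises on /99
    return lambda ip: ip in net


def lint_and_parse(conf_text: str):
    """Return (acls, rules, problems) for the access-control lines of a config."""
    acls: Dict[str, List[Pred]] = {"all": [lambda ip: True]}   # built-in 'all'
    rules: List[Tuple[str, List[Tuple[bool, str]]]] = []
    problems: List[str] = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 4 and words[2] == "src":
            preds = acls.setdefault(words[1], [])
            for value in words[3:]:
                try:
                    preds.append(parse_src_value(value))
                except ValueError as err:
                    problems.append(f"line {lineno}: bad src value {value!r} ({err})")
        elif words[0] == "http_access" and len(words) >= 3:
            action, terms = words[1], []
            for term in words[2:]:
                negated, name = term.startswith("!"), term.lstrip("!")
                if name not in acls:   # acl must come before http_access
                    problems.append(f"line {lineno}: acl {name!r} used before it is defined")
                terms.append((negated, name))
            if action == "allow" and terms == [(False, "all")]:
                problems.append(f"line {lineno}: 'http_access allow all' lets any client "
                                "that can reach the proxy use it")
            rules.append((action, terms))
    return acls, rules, problems


def decide(acls, rules, client_ip: str) -> str:
    """First http_access line whose terms all match decides.  When no line
    matches, Squid applies the opposite of the last line's action."""
    ip = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        if all(any(p(ip) for p in acls.get(name, [])) != negated
               for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed configs mirroring the thread: the corrected ACL with the
# first-last range Amos suggested, and the original ordering mistakes.
GOOD_CONF = """\
acl localnet src 192.168.1.0-192.168.1.99
acl localhost src 127.0.0.1/32
http_access allow localnet
http_access allow localhost
http_access deny all
"""
BAD_CONF = """\
http_access allow localnet
acl localnet src 192.168.1.0/99
http_access allow all
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        acls, rules, problems = lint_and_parse(conf)
        print(label, "problems:", problems or "none")
        for ip in ("192.168.1.50", "192.168.1.150", "8.8.8.8"):
            print(f"  {ip}: {decide(acls, rules, ip)}")
```

Running the original `acl localnet src 192.168.1.0 192.168.1.99/32` through it shows what Amos meant: the two values parse as two /32 hosts, so a client at 192.168.1.50 matches nothing and only the later `allow all` lets it through.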
Received on Fri Jul 17 2009 - 14:30:24 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 17 2009 - 12:00:03 MDT