Re: [squid-users] Problem with Squid + Tproxy and Rapidshare

From: Carlos Botejara <cbotejara_at_gmail.com>
Date: Wed, 12 Aug 2009 21:59:27 -0300

Problem solved.
In squid.conf:
x_forwarded deny localhost ;)

Regards

2009/8/12 Carlos Botejara <cbotejara_at_gmail.com>:
> The problem is the HTTP header.
> I checked the traffic and saw that the x_forwarded header has the following format:
> x_forwarded: client-ip, ip-proxy1, ip-proxy2.
> In my header, the client IP is there, but there is also the IP of the squid.
> The question is: how do I only see the IP of the client and remove the
> IP of the squid from the header?
>
> 2009/8/10 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On Mon, 10 Aug 2009 20:30:05 -0300, Carlos Botejara <cbotejara_at_gmail.com>
>> wrote:
>>> OK.
>>>
>>> Ok. I did what you told me and modified the rule, but nothing happened...
>>> everything remains the same.
>>> Amended rule:
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
>>> 0x1/0x1 --on-port 3129
>>
>> Hm, okay. Then you need to find out exactly how the clients are connecting
>> to that site and why it's not working.
>>
>> Amos
>>
>>>
>>> 2009/8/9 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>> On Sun, 9 Aug 2009 10:58:23 -0300, Carlos Botejara <cbotejara_at_gmail.com>
>>>> wrote:
>>>>> hi, this is my first post here.
>>>>> I have a problem, but first I describe the scenario
>>>>> I have clients with public IP
>>>>> Mikrotik router redirecting traffic to SQUID
>>>>> Squid 3.1 with support for TPROXY
>>>>> Iptables 1.4.4 with support for TPROXY
>>>>> Debian Lenny / Kernel 2.6.28 with support for TPROXY
>>>>>
>>>>> Well.
>>>>> The proxy works well, and when I tested with some whatismyip pages,
>>>>> they show that the IP is the CLIENT's.
>>>>> However, I cannot get my clients with public IP addresses to
>>>>> download simultaneously from RapidShare / Megaupload etc. The error
>>>>> shown on these pages is the typical "already downloading from
>>>>> that IP", so it is as if RapidShare sees the SQUID IP in reality and not the
>>>>> client's. How do I fix this?
>>>>>
>>>>> the configuration file of squid in the harbor is well
>>>>>
>>>>> http_port 81 tproxy
>>>>>
>>>>> Iptables:
>>>>>
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j TPROXY
>>>>> --tproxy-mark 0x1/0x1 --on-port 81
>>>>
>>>> You have this rule ass-backwards.
>>>>
>>>> TPROXY is intended to intercept port 80 traffic, not port 3128 traffic.
>>>> When the client is NOT configured to use the proxy. The HTTP request
>>>> formats are noticeably different. It's trivially easy to detect those
>>>> differences and probably what rapidshare is doing.
>>>>
>>>> Please go back and use the http://wiki.squid-cache.org/Features/Tproxy4
>>>> documentation and configuration example.
>>>>
>>>>>
>>>>> ip rule add fwmark 1 lookup 100
>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>
>>>>>
>>>>> Mikrotik:
>>>>> I have a rule in the firewall to redirect all port 80 traffic to the
>>>>> IP of the SQUID, port 3128
>>>>>
>>>>> All clients create PPPoE sessions on the Mikrotik router
>>>>>
>>>>> Can you help?
>>>>>
>>>>> Regards
>>>>
>>>> Amos
>>>>
>>
>
>
>
> --
> Carlos Botejara
> Systems Department
> cbotejara_at_gmail.com
> NEUQUEN - ARGENTINA
> C: 0299-154060127
> MSN:carlos.botejara_at_hotmail.com
> http://www.linkedin.com/in/carlosbotejara
>
> This email is intended solely for the person or entity named as the
> recipient and may contain confidential and/or privileged
> information.
> Copying, forwarding, or distribution of this message by persons or
> entities other than the recipient is prohibited.
> If you have received this email in error, please contact the
> sender immediately and delete the material from any computer.
> This email may be monitored in compliance with this policy.
>

-- 
Carlos Botejara
Systems Department
cbotejara_at_gmail.com
NEUQUEN - ARGENTINA
C: 0299-154060127
MSN:carlos.botejara_at_hotmail.com
http://www.linkedin.com/in/carlosbotejara
This email is intended solely for the person or entity named as the
recipient and may contain confidential and/or privileged
information.
Copying, forwarding, or distribution of this message by persons or
entities other than the recipient is prohibited.
If you have received this email in error, please contact the
sender immediately and delete the material from any computer.
This email may be monitored in compliance with this policy.
Received on Thu Aug 13 2009 - 00:59:36 MDT
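
Added example (not part of the original thread and not Squid code): a small Python check that takes a raw HTTP request captured on either side of the proxy and lists the markers this thread discusses as revealing a proxy, namely a proxy-style absolute-URI request line and the X-Forwarded-For / Via headers. The function names, sample requests and addresses (documentation ranges) are constructed for illustration.

```python
"""List the markers in a raw HTTP request that reveal a proxy in the path."""

# Headers a forwarding proxy commonly adds or passes through.
PROXY_HEADERS = ("x-forwarded-for", "via", "proxy-connection")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; ignore it
        key, value = name.strip().lower(), value.strip()
        # Repeated headers are equivalent to one comma-joined value.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return method, target, headers


def proxy_markers(raw: bytes):
    """Return human-readable findings; an empty list means nothing leaked."""
    _method, target, headers = parse_request(raw)
    findings = []
    if target.lower().startswith(("http://", "https://")):
        findings.append("absolute-URI request line (proxy-style request)")
    for name in PROXY_HEADERS:
        if name in headers:
            findings.append(f"{name}: {headers[name]}")
    return findings


def forwarded_chain(raw: bytes):
    """X-Forwarded-For as a list: first entry is the client, the rest proxies."""
    value = parse_request(raw)[2].get("x-forwarded-for", "")
    return [hop.strip() for hop in value.split(",") if hop.strip()]


# Constructed samples (addresses from documentation ranges).
LEAKY = (b"GET http://example.com/file HTTP/1.1\r\nHost: example.com\r\n"
         b"X-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n"
         b"Via: 1.1 proxy.example (squid)\r\n\r\n")
CLEAN = b"GET /file HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, proxy_markers(req), forwarded_chain(req))
```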
