Re[2]: [squid-users] TPROXY Problem

From: Farhad Ibragimov <inara.ibragimova_at_gmail.com>
Date: Thu, 27 Aug 2009 14:10:51 +0500

Hello Amos,
Thanks for your response. I think that the problem is with my
IPTABLES. My squid configuration is as follows:

Squid with a single interface and a single global IP address (not behind
NAT). Maybe I need to reconfigure the IPTABLES rules? What would you
recommend to me?

Monday, August 24, 2009, 11:05:04 AM, you wrote:

> Farhad Ibragimov wrote:
>> Hi squid guru
>>
>> My server was configured with the following instruction
>> http://wiki.squid-cache.org/Features/Tproxy4
>> but not working. Please help me to resolve my problem
>>
>> Squid version 3.1.0.13
>> iptables 1.4.3
>> 2.6.30.5-second #1 SMP Sun Aug 23 03:36:29 AZST 2009 x86_64 x86_64 x86_64 GNU/Linu
>>
>> my squid configuration
> <snip defaults>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access allow localhost
>> http_access allow all

> I hope that was only for testing. 'allow all' makes your squid a wide
> open proxy.
> TPROXY retains the correct concepts internally of Squid for which IP
> ranges are clients and which destinations. 'allow localnet' should have
> been sufficient to let your clients out to the web with minimal
> restrictions.

>> http_port 3128
>> http_port 3129 tproxy
> <snip defaults>
>>
>> ACCESS LOGS
>> 1250983412.365 132598 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/uk/2009/08/090822_uk_cars_scrappagescheme.shtml - DIRECT/www.bbc.co.uk -
>> 1250983461.913 181020 85.132.47.219 TCP_MISS/504 4136 GET http://ru.fxfeeds.mozilla.com/ru/firefox/headlines.xml - DIRECT/63.245.209.93 text/html
>> 1250983545.928 60793 85.132.47.219 TCP_MISS/503 0 CONNECT sb-ssl.google.com:443 - DIRECT/216.239.59.136 -
>> 1250983596.266 110348 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/russia/2009/08/090822_russia_nationalflag_denisov.shtml - DIRECT/www.bbc.co.uk -
> <snip>

> Hmm, what those access lines show is that Squid is receiving a set of
> HTTP requests and passing them to some external web servers.

> The ones saying MISS/000 to bbc etc are where Squid has sent the whole
> HTTP request outward to the server. But the TCP link is closed by the
> far end before anything comes back.
> The 5xx seems to be Squid timing out past its maximum allowed wait
> before anything comes back.

> The two things to look at closely with TPROXY when this happens are:

> 1) the firewall rules. Both on the Squid box doing TPROXY and on any
> machines between Squid and the Internet.

> 2) the routing rules. How are these requests reaching Squid and what
> is happening to the passed-on request.
> Secondly on routing what happens to replies coming back from the
> web server to the client IP and why do they not arrive at Squid?

> Also, are you sure libcap support was built into Squid and is also
> available on the box it's currently running on? Tproxy support will turn
> itself off inside Squid if libcap fails.

> Amos

-- 
Best regards,
 Farhad                            mailto:inara.ibragimova_at_gmail.com
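Since the question above asks which iptables rules to use and the quoted reply lists firewall rules, routing rules and libcap as the things to check, here is an added example (not from the thread or from the Squid project) that puts the rule set described on the linked Tproxy4 wiki page into a reviewable shell script together with those checks. The tproxy listener on port 3129 is from the post; fwmark 1, routing table 100 and the path to the squid binary are assumptions.

```shell
#!/bin/sh
# Added example: TPROXY rules for a Squid box with one interface and a
# public IP, as shell functions so they can be reviewed before applying.
# Assumed values: tproxy listener 3129 (from the post), fwmark 1, table 100.
TPROXY_PORT=3129
FWMARK=1
MARK_TABLE=100

# Print the rule commands without running them (the Tproxy4 wiki rule set):
# packets for existing sockets are marked and accepted; new port-80 flows
# are diverted to Squid's tproxy port; marked packets are routed locally.
tproxy_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark ${FWMARK}
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x${FWMARK}/0x${FWMARK} --on-port ${TPROXY_PORT}
ip rule add fwmark ${FWMARK} lookup ${MARK_TABLE}
ip route add local 0.0.0.0/0 dev lo table ${MARK_TABLE}
EOF
}

# Kernel settings TPROXY depends on: forwarding on, and reverse-path
# filtering off on lo, otherwise replies to the spoofed client IP are dropped.
tproxy_sysctls() {
    cat <<EOF
net.ipv4.ip_forward=1
net.ipv4.conf.lo.rp_filter=0
EOF
}

# Returns 0 when the squid binary is linked against libcap; without it
# Squid silently disables TPROXY. $1 is the path to the binary (assumed).
squid_has_libcap() {
    ldd "$1" 2>/dev/null | grep -q 'libcap'
}

# Number of rules that point at the tproxy listener (sanity check of the set).
count_tproxy_rules() {
    tproxy_rules | grep -c -- "--on-port ${TPROXY_PORT}"
}

# Apply rules and sysctls; only meaningful as root on the Squid box itself.
apply_tproxy() {
    tproxy_rules | while IFS= read -r cmd; do $cmd || exit 1; done || return 1
    tproxy_sysctls | while IFS= read -r kv; do sysctl -w "$kv" || exit 1; done
}
```

Run `tproxy_rules` and `tproxy_sysctls` first to inspect the output, then `squid_has_libcap /usr/local/squid/sbin/squid` (adjust the path) before `apply_tproxy`; any machine between Squid and the Internet still needs to pass packets whose source is the client's IP.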
Received on Thu Aug 27 2009 - 09:11:04 MDT