Re[2]: [squid-users] Problem with Squid + Tproxy and Rapdishare

From: Farhad Ibragimov <inara.ibragimova_at_gmail.com>
Date: Fri, 28 Aug 2009 23:54:42 +0500

Hello Carlos,

Could you help me to configure Squid+TPROXY?

Thursday, August 13, 2009, 5:59:27 AM, you wrote:

> problem solved.
> in squid.conf
> x_forwarded deny localhost ;)

> regards

> 2009/8/12 Carlos Botejara <cbotejara_at_gmail.com>:
>> The problem is the http header.
>> check the traffic and saw that x_forwarded header has the following format:
>> x_forwarded: client-ip, ip-proxy1, ip-proxy2.
>> In my header, the client ip is there, but there is also the ip of the squid.
>> the question is: How do I only see the ip of the client and remove the
>> ip of the squid from header?
>>
>> 2009/8/10 Amos Jeffries <squid3_at_treenet.co.nz>:
>>> On Mon, 10 Aug 2009 20:30:05 -0300, Carlos Botejara <cbotejara_at_gmail.com>
>>> wrote:
>>>> OK.
>>>>
>>>> Ok. I did what you told me, modify the rule, but nothing happened ..
>>>> everything remains the same
>>>> Rule amended
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
>>>> 0x1/0x1 --on-port 3129
>>>
>>> Hm, okay. Then you need to find out exactly how the clients are connecting
>>> to that site and why it's not working.
>>>
>>> Amos
>>>
>>>>
>>>> 2009/8/9 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>> On Sun, 9 Aug 2009 10:58:23 -0300, Carlos Botejara <cbotejara_at_gmail.com>
>>>>> wrote:
>>>>>> hi, this is my first post here.
>>>>>> I have a problem, but first I describe the scenario
>>>>>> I have clients with public IP
>>>>>> Mikrotik router redirecting traffic to SQUID
>>>>>> Squid 3.1 with support for TPROXY
>>>>>> Iptables 1.4.4 with support for TPROXY
>>>>>> Debian Lenny / Kernel 2.6.28 with support for TPROXY
>>>>>>
>>>>>> well.
>>>>>> The proxy works as well, and when I made some test pages whatismyip,
>>>>>> shows that the ip is the CLIENT.
>>>>>> However. I can not get my clients with public IP address
>>>>>> simultaneously downloading from RapidShare / Megaupload ETC. The error
>>>>>> shown within these pages is the typical already are downloading from
>>>>>> that ip, so if viewing RapidShare IP SQUID in reality and not the
>>>>>> client. How fix this?
>>>>>>
>>>>>> the configuration file of squid in the harbor is well
>>>>>>
>>>>>> http_port 81 tproxy
>>>>>>
>>>>>> Iptables:
>>>>>>
>>>>>> iptables -t mangle -N DIVERT
>>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j TPROXY
>>>>>> --tproxy-mark 0x1/0x1 --on-port 81
>>>>>
>>>>> You have this rule ass-backwards.
>>>>>
>>>>> TPROXY is intended to intercept port 80 traffic, not port 3128 traffic.
>>>>> When the client is NOT configured to use the proxy. The HTTP request
>>>>> formats are noticeably different. It's trivially easy to detect those
>>>>> differences and probably what rapidshare is doing.
>>>>>
>>>>> Please go back and use the http://wiki.squid-cache.org/Features/Tproxy4
>>>>> documentation and configuration example.
>>>>>
>>>>>>
>>>>>> ip rule add fwmark 1 lookup 100
>>>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>>>>
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>>
>>>>>>
>>>>>> Mikrotik:
>>>>>> Have a rule in the firewall to redirect all traffic to port 80 of the
>>>>>> SQUID to the IP, port 3128
>>>>>>
>>>>>> All clients create sessions PPPOE in Router Mikrotik
>>>>>>
>>>>>> May help?
>>>>>>
>>>>>> Regards
>>>>>
>>>>> Amos
>>>>>
>>>
>>
>>
>>
>> --
>> Carlos Botejara
>> Area Sistemas
>> cbotejara_at_gmail.com
>> NEUQUEN - ARGENTINA
>> C: 0299-154060127
>> MSN:carlos.botejara_at_hotmail.com
>> http://www.linkedin.com/in/carlosbotejara
>>
>> This email is intended solely for the person or entity named as the
>> recipient and may contain confidential and/or privileged information.
>> Copying, forwarding, or distributing this message by persons or
>> entities other than the recipient is prohibited.
>> If you have received this email in error, please contact the sender
>> immediately and delete the material from any computer.
>> This email may be monitored in compliance with this policy.
>>

-- 
Best regards,
 Farhad                            mailto:inara.ibragimova_at_gmail.com
Received on Fri Aug 28 2009 - 18:54:57 MDT
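
The mismatch Amos points out in the quoted rules (TPROXY matching port 3128 instead of intercepted port 80) can be checked mechanically. The following is an added example, not part of the original thread or of Squid; the function names are hypothetical and the iptables-save and squid.conf samples are constructed from the rules quoted above.

```python
import shlex

# Constructed samples modelled on the rules quoted in the thread.
IPTABLES_SAVE = """\
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 3128 -j TPROXY --on-port 81 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
"""
SQUID_CONF = """\
http_port 3128
http_port 81 tproxy
"""

def tproxy_ports(squid_conf):
    """Ports of http_port lines that carry the tproxy option."""
    ports = set()
    for line in squid_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_port" and "tproxy" in fields[2:]:
            # Accept both "81" and "addr:81" forms.
            ports.add(int(fields[1].rsplit(":", 1)[-1]))
    return ports

def option(rule, name):
    """Value following an option token in a split rule, or None."""
    return rule[rule.index(name) + 1] if name in rule else None

def audit(iptables_save, squid_conf, intercept_port=80):
    """Return findings for the TPROXY rules in an iptables-save dump."""
    findings = []
    listeners = tproxy_ports(squid_conf)
    rules = [r for r in map(shlex.split, iptables_save.splitlines()) if "TPROXY" in r]
    if not rules:
        findings.append("no TPROXY rule present")
    for rule in rules:
        dport, on_port = option(rule, "--dport"), option(rule, "--on-port")
        # Interception must match the clients' real destination port.
        if dport != str(intercept_port):
            findings.append(f"TPROXY matches dport {dport}, expected {intercept_port}")
        # The redirect target must be a Squid listener flagged tproxy.
        if on_port is None or int(on_port) not in listeners:
            findings.append(f"--on-port {on_port} is not an 'http_port ... tproxy' listener")
    return findings

if __name__ == "__main__":
    for finding in audit(IPTABLES_SAVE, SQUID_CONF):
        print(finding)
```
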
