RE: [squid-users] Squid + WCCP + TProxy

From: Roth, Joe <jroth_at_binghamton.edu>
Date: Mon, 2 Nov 2009 09:23:15 -0500

I compiled 3.1.0.14 with the --enable-linux-netfilter option and
installed.

Everything starts and it is listening on 3129; however, still nothing
arrives.

Is there any way for me to check that squid is properly enabling the
kernel option?

Thanks,

--Joe

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Sunday, November 01, 2009 5:33 PM
To: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Squid + WCCP + TProxy

On Sun, 1 Nov 2009 17:02:52 -0500, "Roth, Joe" <jroth_at_binghamton.edu>
wrote:
> Ahhhh... I will upgrade on Mon.
>
> But will that also make a difference in the box itself seeing the
> connections coming in on 3129? i.e. when I do a "netstat -an | grep 3129",
> I see the box listening on 3129 but I do not see any connections on the
> port.

It makes a difference. The old TPROXYv2 used a kernel lookup similar to
the way NAT does to figure out what the client and destination IPs were
and use them. The new TPROXYv4 kernels send the IPs directly on the
accept()'d connection without being asked. The IPs arrive in reverse order
to usual (local 'me' == real client IP, and remote 'client' == real client
destination IP) and can cause unsuspecting software to go badly.

The new Squid has to configure a special kernel option to indicate it can
handle this type of warped IP operations safely before the kernel will
permit connections to arrive.

Amos

>
> Thanks for the response!
>
> --Joe
>
> ________________________________
>
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Sun 11/1/2009 4:37 PM
> To: Roth, Joe
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid + WCCP + TProxy
>
>
>
> On Sun, 1 Nov 2009 08:09:52 -0500, "Roth, Joe" <jroth_at_binghamton.edu>
> wrote:
>> I followed the guide here to set up squid to do transparent caching using
>> wccpv2, and it works quite well. So I took the next step to use tproxy.
>>
>> I followed this page to introduce tproxy into the mix:
>>
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>>
>> The kernel is compiled with tproxy, as is iptables and squid 2.7Stable7.
>>
>> I have set up iptables, the ip rule and ip route according to the guide.
>>
>> I'm running Ubuntu with kernel 2.6.28, iptables 1.4.3, squid 2.7.Stable7.
>>
>> For some reason the traffic never makes it to port 3129. Do I need to
>> leave the iptables nat config for 3128 even though I am using tproxy? Am I
>> missing something here?
>
> The native TPROXY that comes in kernel 2.6.28 is TPROXYv4.
> Support for that version of TPROXY is only in Squid-3.1 and later.
>
> Amos
Received on Mon Nov 02 2009 - 14:25:06 MST
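Added example, not code from this thread or from Squid: a small C probe for the "special kernel option" Amos describes and for the check Joe asks about. On Linux that option is the IP_TRANSPARENT socket option; a TPROXYv4 listener has to set it before the kernel will hand it intercepted connections, and setting it is also what permits bind() to an address the host does not own. The probe reports whether the running kernel knows the option at all, whether the caller may set it (CAP_NET_ADMIN is required), and, when run as root, whether a foreign bind succeeds. It also names the reversed address order Amos mentions: on an accept()'d TPROXY connection getsockname() holds the real client and getpeername() the real destination. Port 3129 is taken from the thread; the addresses 192.0.2.1, 10.1.1.5 and 198.51.100.7 are constructed documentation/private values, not anything from the original post.

```c
/* tproxy_probe.c -- added example, not code from the thread or from Squid.
 * Checks whether this kernel knows the IP_TRANSPARENT socket option (the
 * option a TPROXYv4 listener must set before the kernel delivers intercepted
 * connections) and models the reversed address order such connections show.
 * Build: gcc -Wall -o tproxy_probe tproxy_probe.c   (run as root for the bind test)
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from <linux/in.h>; old libc headers omit it */
#endif

/* 1 if IP_TRANSPARENT is set on fd, 0 if clear, -1 if the kernel or libc does
 * not know the option at all (errno is left as getsockopt set it). */
int socket_is_transparent(int fd)
{
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &val, &len) < 0)
        return -1;
    return val ? 1 : 0;
}

/* Enable IP_TRANSPARENT on fd.  0 on success; -1 with errno == EPERM when the
 * caller lacks CAP_NET_ADMIN, ENOPROTOOPT when the kernel has no TPROXYv4. */
int set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one));
}

/* Unprivileged probe: open a TCP socket and report socket_is_transparent() on
 * it.  0 means the kernel knows the option (it is never set by default),
 * -1 means it does not, -2 means socket() itself failed. */
int probe_fresh_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -2;
    int r = socket_is_transparent(fd);
    close(fd);
    return r;
}

/* On a connection accept()'d through TPROXY the kernel presents the addresses
 * in the reverse of the usual order: getsockname() is the real client and
 * getpeername() is the real destination.  Name them so the rest of a program
 * does not have to remember the swap. */
struct tproxy_ends {
    struct sockaddr_in client;   /* who really opened the connection */
    struct sockaddr_in dest;     /* where the client was really going */
};

void tproxy_endpoints(const struct sockaddr_in *sockname,
                      const struct sockaddr_in *peername,
                      struct tproxy_ends *out)
{
    out->client = *sockname;
    out->dest = *peername;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }

    printf("fresh socket IP_TRANSPARENT: %d\n", socket_is_transparent(fd));

    if (set_transparent(fd) < 0) {
        printf("setsockopt(IP_TRANSPARENT) failed: %s%s\n", strerror(errno),
               errno == EPERM ? " (needs root / CAP_NET_ADMIN)" :
               errno == ENOPROTOOPT ? " (kernel lacks TPROXYv4)" : "");
        close(fd);
        return 1;
    }

    /* With the option set, binding to an address this host does not own is
     * allowed.  192.0.2.1 is an RFC 5737 documentation address, used here only
     * as a constructed foreign IP; 3129 is the port from the thread. */
    struct sockaddr_in foreign;
    memset(&foreign, 0, sizeof(foreign));
    foreign.sin_family = AF_INET;
    foreign.sin_port = htons(3129);
    inet_pton(AF_INET, "192.0.2.1", &foreign.sin_addr);
    if (bind(fd, (struct sockaddr *)&foreign, sizeof(foreign)) < 0)
        printf("bind to foreign 192.0.2.1:3129 failed: %s\n", strerror(errno));
    else
        printf("bind to foreign 192.0.2.1:3129 ok: TPROXYv4 usable from userland\n");

    close(fd);
    return 0;
}
```

This only proves the kernel and the caller's privileges are in order; it says nothing about whether Squid's own listener set the option. To check that directly, start Squid in the foreground under strace and look for the option on the socket that is later bound to 3129: `strace -f -e trace=setsockopt,bind squid -N`. In Squid 3.1 the option is only set on an http_port that carries the `tproxy` flag (`http_port 3129 tproxy`), so a port configured without it will show up in the trace with the bind but without the IP_TRANSPARENT setsockopt.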

This archive was generated by hypermail 2.2.0 : Tue Nov 03 2009 - 12:00:02 MST