Re: [squid-users] Re: Client timing out when using squid as tproxy from Amos Jeffries on 2011-03-03 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 04 Mar 2011 05:20:10 +1300

On 04/03/11 04:58, mbruell wrote:
>
> Amos Jeffries-2 wrote:
>>
>> On Wed, 2 Mar 2011 14:29:01 -0800 (PST), mbruell wrote:
>>
>>> Firewall policy grabs traffic from the client based on IP address,
>>> and
>>> forces it to our proxy through the wccp tunnel.
>>
>> "based on IP address" is very bad. Working TPROXY traffic coming out of
>> squid will have the client IP address.
>>
>> Manipulation of the traffic MUST use measures other than IP to
>> filter/route the traffic if both streams are possibly handled. The
>> easiest ways are to use interface name or machine MAC/EUI address on the
>> firewall and router. Packet MARKs, TOS or VPN marks are also available,
>> but more complex to handle.
>>
>>
>
> Okay - though I thought our wccp tunnel was taking care of that. The
> firewall rule that grabs the machine's IP traffic only does so on the
> interface facing the client. Once it's been grabbed, it's getting sent down
> the gre tunnel.

Okay. Good.

>
>> The following error crops up after about a minute of launching squid,
>> and
>> repeats every 10 sec:
>> Unknown record type in WCCPv2 Packet (6)
>
> Is this error meaningful?
>

Nope. There is a patch to silence it here:
http://bugs.squid-cache.org/show_bug.cgi?id=3122

>
> Amos Jeffries-2 wrote:
>>
>>
>> This is NAT interception, not TPROXY interception.
>>
>> The two are not compatible. NAT being obsoleted by TPROXY. Remove this
>> rule.
>>
>>
>
> Okay - I removed the rule, but there are still some other issues (it's still
> not working).
>
> So are the ip rules in mangle table all that is needed here?
>

Yes.

>
> Amos Jeffries-2 wrote:
>>
>> Since you have a mixup with NAT/TPROXY earlier also check that your
>> http_port 3129 line only has the "tproxy" flag on it.
>>
>
> Double checked this - it was not misconfigured.
>
> Should we be seeing traffic on the lo interface when it's all working
> correctly? The packet count on lo is very low, and doesn't change when
> trying to proxy the traffic.
>

Okay, try adding the special route table to eth0 as well. If that still
fails try adding it to wccp0.
I'd like to know the results here. It works on lo for some but seems
not everyone, though I have not yet had concrete confirmation that it
matters.

> Also - it looks like the tunnel is sending the traffic to the computer
> running squid (wccp rx = 3.7 KB, but tx = o), but it's not getting anything
> back from it to send to the client.
>

looks that way yes.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5

Received on Thu Mar 03 2011 - 16:20:16 MST

This archive was generated by hypermail 2.2.0 : Thu Mar 03 2011 - 12:00:02 MST