Re: [squid-users] Squid TProxy Problem

From: Ali Majdzadeh <ali.majdzadeh_at_gmail.com>
Date: Mon, 6 Jun 2011 15:08:29 +0430

Amos,
Hi
The packet counter on -j TPROXY does not increment. So, why are clients
able to surf the web?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadeh <ali.majdzadeh_at_gmail.com>
>
> Amos,
> Hi
> Thanks for your reply. Regarding the documentation, I have inserted
> the following routing rules:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> Now, access.log is populated with proper logs, but clients cannot
> surf the web, I mean the proxy server is unable to forward http
> responses to clients' browsers. When the client enters for example
> www.google.com, the connection to the http server is established but
> the process halts at Waiting for www.google.com and after a while
> Squid reports the inability to retrieve the requested URL.
> By the way, we have disabled selinux.
> Any ideas?
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
> 2011/6/6 Amos Jeffries <squid3_at_treenet.co.nz>:
> > On 06/06/11 06:32, Ali Majdzadeh wrote:
> >>
> >> Hello All,
> >> I have setup the following configuration:
> >> Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
> >> configure option)
> >> Kernel (2.6.38.3)
> >> iptables (1.4.11)
> >>
> >> I have added the following two directives in squid.conf:
> >> http_port 3128
> >> http_port 3129 tproxy
> >>
> >> Also, I have configured iptables with the following rules:
> >> iptables -t mangle -N DIVERT
> >> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> >> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> >> iptables -t mangle -A DIVERT -j ACCEPT
> >> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> >> --tproxy-mark 0x1/0x1 --on-port 3129
> >>
> >> Everything works as expected, I mean, the users can surf the web and
> >> the proxy server is transparent. The problem is that actually there is
> >> no caching. I mean, both cache.log and access.log files are empty. On
> >
> > That would be transparency to the point of not going through the proxy.
> > access.log should have entries for each request.
> >
> >> the other hand, if I manually set the proxy configuration in clients'
> >> browsers (the IP address of the squid server and port number 3128)
> >> everything is OK; the log files are incremented and objects are
> >> cached.
> >>
> >> Has anyone faced the same issue?
> >
> > Some. It's usually boiled down to some omitted details: building
> > against libcap2 or routing packets to the squid box, for example.
> >
> > Are the packet counters on that -j TPROXY rule showing captures?
> >
> > Did you follow the rest of the feature config?
> >  i.e. the special sub-routing table? OS packet filtering toggles? selinux
> > updated to allow tproxy?
> >
> > Is this box even routing or bridging port 80 traffic for the network?
> >
> > Amos
> > --
> > Please be using
> >  Current Stable Squid 2.7.STABLE9 or 3.1.12
> >  Beta testers wanted for 3.2.0.8 and 3.1.12.2
> >
Received on Mon Jun 06 2011 - 10:38:35 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 06 2011 - 12:00:02 MDT
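The checks Amos asks for in this thread (is the -j TPROXY counter moving, are the fwmark rule and the local route in table 100 present) can be scripted. The script below is an added example, not code from the thread or from the Squid project: the iptables and ip commands in apply_tproxy_rules are the ones posted above, the command outputs it parses are constructed samples in the column layout of `iptables -t mangle -L PREROUTING -v -n -x`, `ip rule show` and `ip route show table 100`, and the verdict strings are this script's own convention.

```shell
#!/bin/sh
# Added example: sanity checks for a Squid TPROXY setup like the one in
# this thread. Sample outputs below are constructed; verdicts are ours.

# Rules exactly as posted in the thread. Defined but not called here:
# applying them needs root and a live netfilter stack.
apply_tproxy_rules() {
    iptables -t mangle -N DIVERT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark 0x1/0x1 --on-port 3129
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
}

# Sum of the pkts column over every TPROXY target in the given
# `iptables -t mangle -L PREROUTING -v -n -x` output. Zero here while
# clients still browse means port 80 never reaches this rule.
tproxy_pkts() {
    printf '%s\n' "$1" | awk '$3 == "TPROXY" { n += $1 } END { print n + 0 }'
}

# True if `ip rule show` output contains the fwmark -> table 100 rule.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq 'fwmark (0x)?1 lookup 100'
}

# True if `ip route show table 100` output has the local catch-all on lo.
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo'
}

# One verdict from the three outputs. A TPROXY rule that never matches
# is checked first, because nothing downstream matters until it does.
diagnose_tproxy() {
    ipt_out=$1; rule_out=$2; route_out=$3
    if [ "$(tproxy_pkts "$ipt_out")" -eq 0 ]; then
        echo "not-capturing"
    elif ! has_fwmark_rule "$rule_out"; then
        echo "no-fwmark-rule"
    elif ! has_local_route "$route_out"; then
        echo "no-local-route"
    else
        echo "ok"
    fi
}

# Constructed sample outputs.
IPT_IDLE='Chain PREROUTING (policy ACCEPT 8812 packets, 6123440 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
       0        0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
IPT_BUSY='Chain PREROUTING (policy ACCEPT 8812 packets, 6123440 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4210   287650 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
     153    12240 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
ROUTE100='local default dev lo scope host'

# The situation in this thread: counter stuck at zero although browsing works.
echo "idle counters:   $(diagnose_tproxy "$IPT_IDLE" "$RULES" "$ROUTE100")"
# Captures happening but the fwmark rule missing.
echo "no fwmark rule:  $(diagnose_tproxy "$IPT_BUSY" "" "$ROUTE100")"
# Everything in place.
echo "all present:     $(diagnose_tproxy "$IPT_BUSY" "$RULES" "$ROUTE100")"
```

On a live box, feed the functions the real command outputs, e.g. `diagnose_tproxy "$(iptables -t mangle -L PREROUTING -v -n -x)" "$(ip rule show)" "$(ip route show table 100)"`. A "not-capturing" verdict while clients still browse is exactly the symptom reported in this thread: port 80 traffic is not passing through the PREROUTING chain of this host at all, which points at the routing or bridging question rather than at Squid.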