Re: [squid-users] Squid + Tproxy + Bridge mode + squidguard

From: Francisco André Barbosa Neto <fneto_at_networkexplorer.com.br>
Date: Fri, 01 Jul 2011 00:05:01 -0300

Hi Amos!

I will verify whether squidguard is returning the 3xx status tomorrow for
sure, but about TCP port 90, I've tried it on port 80 too and the
problem persists.

Is it the same behavior in this case?

Thanks!
------------------------------------------------------
Francisco André Barbosa Neto
fneto_at_getsmart.com.br
Get Smart IT Solutions
http://www.getsmart.com.br
Fone: 55-11-4655-2232
------------------------------------------------------

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 01 Jul 2011 13:26:10 +1200
To: <squid-users_at_squid-cache.org>
Subject: Re: [squid-users] Squid + Tproxy + Bridge mode + squidguard

>On 01/07/11 05:57, Francisco André Barbosa Neto wrote:
>>Hi all, I'm new to the list and I decided to write here because I'm in
>>big trouble!
>>
>>I have installed a squid in bridge mode with tproxy support.
>>
>>Everything is working ok, but on the same squid proxy I'm using
>>squidguard as a redirector.
>>
>>The problem is when the client tries to access a URL that is blocked: squid
>>can't receive the redirect header and the page stays loading for a long time
>>until squid returns an error telling that it is impossible to access the site
>>http://<ip of my bridge interface>/negado.html
>>
>>If I click on the link the page opens normally!!
>>
>>Does anybody have any clue about this problem???
>
>Yes. Think about what TPROXY does....
>
> It makes outgoing requests from Squid have the IP of the remote client
>which connected inwards.
>
>When you "redirect" to http://192.168.10.61:90/negado.html with a 3xx
>HTTP status the client makes a new request. Retrieving the URL directly
>(port 90 not caught into Squid).
>
> When you "rewrite", AKA send Squid a URL without an HTTP status, Squid
>will contact the new URL's server without informing the client.
>
> The server at 192.168.10.61:90 sees a connection coming from the
>client (faked by Squid) and sends its TCP SYNACK messages back to the
>client. Squid never gets them. The client sees unexpected TCP packets
>from a strange source and drops them for security reasons. Everything
>hangs.
>
>Run SquidGuard on the command line and ensure it is producing 3xx status
>on redirected URLs.
>
>Amos
>
>>
>>Below is my server information:
>>
>>CentOS 5.6
>>Kernel 2.6.31-14 with all the Tproxy support enabled and ok!
>>Iptables 1.4.10 with iptables support
>>Libcap 2.19 installed
>>Squid 3.1.8 with Tproxy support ok!
>>
>>Routes.sh script (called from /etc/rc.d/rc.local)
>>#!/bin/sh
>>
>>ip route flush table 100
>>ip rule del fwmark 1 lookup 100
>>ip rule add fwmark 1 lookup 100
>>ip -f inet route add local 0.0.0.0/0 dev lo table 100
>>
>>iptables -t mangle -F
>>iptables -t mangle -X DIVERT
>>iptables -t mangle -N DIVERT
>>iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>iptables -t mangle -A DIVERT -j ACCEPT
>>iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>
>>#!/bin/sh
>>CLIENT_IFACE="eth0"
>>INET_IFACE="eth1"
>>
>>ebtables -t broute -F
>>ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>>ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>>
>>cd /proc/sys/net/bridge/
>>
>># disable every bridge-nf-call-* sysctl so bridged frames are not run through the IP filter hooks twice
>>for i in *
>>do
>>    echo 0 > $i
>>done
>>unset i
>>
>>
>>Changes in /etc/sysctl.conf
>>
>>net.ipv4.ip_forward = 1
>>net.netfilter.nf_conntrack_acct = 1
>>net.ipv4.conf.lo.rp_filter = 0
>>
>>
>>Squidguard.conf
>>dbhome /var/lib/squidguard
>>logdir /var/log/squidguard
>>
>>src admin {
>> ip 192.168.10.96
>>}
>>
>>dest negados {
>> domainlist negados
>>}
>>
>>acl {
>> admin {
>> pass !negados all
>> redirect http://192.168.10.61:90/negado.html
>> }
>>
>> default {
>> pass none
>> redirect http://192.168.10.61:90/negado.html
>> }
>>}
>>
>>
>>Apache is listening on port 90, I've already tried in port 80 without
>>success too
>>
>>Squid.conf (relevant part only)
>>http_port 3128
>>http_port 3129 tproxy
>>tcp_outgoing_address 192.168.10.61
>>icp_port 3130
>>
>>url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
>>url_rewrite_children 5
>>
>>
>>acl manager proto cache_object
>>acl localhost src 127.0.0.1
>>acl to_localhost dst 127.0.0.1
>>acl SSL_ports port 443 563
>>acl Safe_ports port 80 21 443 563 1025-65535 8083 88 90
>>acl CONNECT method CONNECT
>>#acl msn url_regex -i /gateway/gateway.dll
>>#acl autenticado proxy_auth REQUIRED
>>http_access allow manager localhost
>>http_access deny manager
>>http_access deny !Safe_ports
>>http_access deny CONNECT !SSL_ports
>>#acl liberados src 192.168.0.71 192.168.0.99
>>acl our_networks src 192.168.10.0/24
>>#http_access allow liberados
>>#http_access deny msn
>>#http_access allow autenticado
>>http_access allow our_networks
>>http_access deny all
>>http_reply_access allow our_networks
>>icp_access allow all
>>miss_access allow all
>>
>>
>>Thanks!!
>>
>>
>>
>>
>>
>
>
>--
>Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.12
> Beta testers wanted for 3.2.0.9 and 3.1.12.3
>
>
>
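Amos's advice above is to run the helper by hand and check whether it answers with a 3xx status rather than a bare URL. As an added example that is not from this thread or from the squidGuard project, here is a small Python checker that classifies a url_rewrite_program reply line under the Squid 3.1 helper protocol (empty line = unchanged, `3xx:URL` = redirect, bare URL = rewrite) and spells out what a TPROXY Squid does with each kind; `query_helper` and the request-line layout it assumes (`URL ip/fqdn ident method`) are my assumptions, and the sample URL is the one from the squidguard.conf quoted above.

```python
import re
import subprocess
from typing import NamedTuple, Optional


class HelperReply(NamedTuple):
    kind: str               # "unchanged", "rewrite" or "redirect"
    status: Optional[int]   # 3xx code for a redirect, else None
    url: Optional[str]


# "3xx:URL" is the redirect form of a Squid 3.1 url_rewrite_program reply
_REDIRECT_RE = re.compile(r"^(30[1237]):(\S+)$")


def parse_helper_reply(line: str) -> HelperReply:
    """Classify one reply line from a url_rewrite_program helper."""
    line = line.strip()
    if not line:                       # empty reply: leave the request alone
        return HelperReply("unchanged", None, None)
    m = _REDIRECT_RE.match(line)
    if m:                              # Squid answers the client with an HTTP redirect
        return HelperReply("redirect", int(m.group(1)), m.group(2))
    return HelperReply("rewrite", None, line)  # Squid fetches this URL itself


def tproxy_outcome(reply: HelperReply) -> str:
    """What a TPROXY Squid (spoofing the client's source IP) does with the reply."""
    if reply.kind == "redirect":
        return ("client gets HTTP %d and opens its own connection to %s"
                % (reply.status, reply.url))
    if reply.kind == "rewrite":
        return ("squid connects to %s with the client's IP; the server's SYN/ACK "
                "goes to the client, never to Squid, so the request hangs" % reply.url)
    return "request passes through unchanged"


def query_helper(helper_cmd, url, client_ip, method="GET") -> HelperReply:
    """Feed one request line to a real helper (e.g. squidguard -c conf) and
    classify its first reply line.  Assumed Squid 3.1 request-line layout:
    URL <ip>/<fqdn> <ident> <method>  (fqdn and ident unknown: "-")."""
    request = "%s %s/- - %s\n" % (url, client_ip, method)
    proc = subprocess.run(helper_cmd, input=request, capture_output=True,
                          text=True, check=True)
    first = proc.stdout.splitlines()[0] if proc.stdout else ""
    return parse_helper_reply(first)


if __name__ == "__main__":
    # Constructed replies for the block URL from the squidguard.conf in the thread.
    for sample in ("http://192.168.10.61:90/negado.html",
                   "302:http://192.168.10.61:90/negado.html", ""):
        r = parse_helper_reply(sample)
        print("%-45r -> %s: %s" % (sample, r.kind, tproxy_outcome(r)))
```

Against the real helper, `query_helper(["/usr/bin/squidguard", "-c", "/etc/squid/squidguard.conf"], "http://blocked.example/", "192.168.10.96")` returning `rewrite` is the case that produces the hang described above; writing the target in squidguard.conf as `redirect 302:http://...` is the usual way to make squidGuard emit the `3xx:` form instead.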
Received on Fri Jul 01 2011 - 03:05:13 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 12:00:03 MDT