[squid-users] Re: squid tproxy problem

From: Benjamin <benjo11111_at_gmail.com>
Date: Thu, 18 Aug 2011 16:21:38 +0530

  I tested interception in bridge mode with the current setup. That is
working fine, but when I configure tproxy, it is not working. Please
guide me for that.

Thanks,
Benjo
> Hi,
>
> Any suggestions please.
>
> My Current Network Setup:
>
> WAN ROUTER(114.30.XX.1 --- public ip)
> |
> |
> |
> SWITCH
> |
> |
> |
> SQUID BOX (114.30.XX.19 gw: 114.30.XX.1) ( bridge mode)
> |
> |
> |
> BANDWIDTH MGMT. LINUX BOX ( 114.30.XX.10 gw: 114.30.XX.1)
> |
> |
> |
> END USERS ( mix with private ips and public ips )
>
>
> at squid box : eth0 -----> internet (cable from switch)
> eth1 -----> cable connected to BANDWIDTH MGMT. LINUX BOX
>
> I am using CentOS 6 and the squid version is 3.1.10
>
> I can see traffic in tproxy iptables rules but i can not get any
> request to access.log
>
> Kindly guide me to solve this problem.
>
> Regards,
> Benjamin
>
> On Wed, Aug 17, 2011 at 7:15 PM, benjamin fernandis
> <benjo11111_at_gmail.com> wrote:
>> Hi,
>>
>> I configured squid for tproxy feature in my network with bridge mode.
>>
>> I follow http://wiki.squid-cache.org/Features/Tproxy4
>>
>> But I'm not getting requests in access.log of squid.
>>
>> My configuration:
>>
>> cat /etc/squid/squid.conf
>>
>> #
>> # Recommended minimum configuration:
>> #
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl localhost src ::1/128
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
>> acl to_localhost dst ::1/128
>>
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl mynetwork src '/etc/squid/mynetwork'
>> acl cache_deny dst '/etc/squid/deny1'
>>
>>
>> cache deny cache_deny
>> #
>> cache_mem 1024 MB
>>
>>
>> # Recommended minimum Access Permission configuration:
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow manager localhost
>> http_access deny manager
>>
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>>
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>>
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>>
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> http_access allow mynetwork
>> http_access allow localhost
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>> http_port 3129 tproxy
>>
>> # We recommend you to use at least the following line.
>> hierarchy_stoplist cgi-bin ?
>>
>> # Uncomment and adjust the following to add a disk cache directory.
>> cache_dir aufs /cache/squid 25600 32 512
>>
>> # Leave coredumps in the first cache dir
>> coredump_dir /cache/squid
>> httpd_suppress_version_string on
>>
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> ip rule list
>> 0: from all lookup local
>> 32765: from all fwmark 0x1 lookup 100
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>> iptables -L -nvx -t mangle
>> Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>    10993     689414 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
>>    16765    1000259 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>
>> Chain INPUT (policy ACCEPT 15122 packets, 1149717 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain FORWARD (policy ACCEPT 959996 packets, 79295677 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 28272 packets, 10090599 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain POSTROUTING (policy ACCEPT 988265 packets, 89386044 bytes)
>>     pkts      bytes target     prot opt in     out     source               destination
>>
>> Chain DIVERT (1 references)
>>     pkts      bytes target     prot opt in     out     source               destination
>>    10993     689414 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
>>    10993     689414 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>>
>> ebtables -t broute --list
>> Bridge table: broute
>>
>> Bridge chain: BROUTING, entries: 2, policy: ACCEPT
>> -p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
>> -p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect
>>
>> OS CENTOS 6 64 bit
>> squid : 3.1.4
>> KERNEL : 2.6.32-71.29.1.el6.x86_64
>>
>>
>> Please guide me.
>>
>> Thanks,
>> Benjamin
>>
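Added example, not code from this thread or from the Squid project: a small Python checker that compares pasted `ip rule list`, `ip route show table 100`, `iptables -L -nvx -t mangle` and `ebtables -t broute --list` output against the pieces the Features/Tproxy4 wiki recipe installs (the fwmark rule, the `local 0.0.0.0/0 dev lo` route in table 100, the DIVERT/TPROXY mangle rules, and BROUTING redirect rules with `--redirect-target DROP`, which in the broute table means "route this frame" rather than bridge it). The sample listings are constructed: three mirror the output quoted in the thread, re-flowed to one rule per line, and the table-100 listings are made up, since the thread never shows that table. All function names and finding strings are my own.

```python
"""Compare pasted Linux bridge/TPROXY state with the Squid Features/Tproxy4 recipe.

Added example, not code from the squid-users thread or from Squid itself.
Sample listings are constructed: three mirror what was pasted in the thread
(one rule per line), the `ip route show table 100` ones are made up because
the thread never shows that table. All names are my own.
"""
import re

FWMARK = "0x1"        # mark set by the DIVERT chain and matched by the ip rule
RT_TABLE = "100"      # policy-routing table the fwmark rule points at
TPROXY_PORT = "3129"  # squid's `http_port 3129 tproxy`

# --- constructed sample listings ---------------------------------------------
POSTED_IP_RULE = """\
0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
"""

POSTED_MANGLE = """\
Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   10993     689414 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
   16765    1000259 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain DIVERT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   10993     689414 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
   10993     689414 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

POSTED_EBTABLES = """\
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect
"""
# Constructed: the same two rules as the wiki recipe installs them.
RECIPE_EBTABLES = POSTED_EBTABLES.replace("-j redirect", "-j redirect --redirect-target DROP")

EMPTY_TABLE_100 = ""  # constructed: nothing in routing table 100
# Constructed `ip route show table 100` output after
# `ip route add local 0.0.0.0/0 dev lo table 100`.
RECIPE_TABLE_100 = "local default dev lo  scope host\n"


def has_fwmark_rule(ip_rule_text):
    """True if a policy rule sends packets marked FWMARK to RT_TABLE."""
    return re.search(rf"fwmark {FWMARK}\b.*lookup {RT_TABLE}\b", ip_rule_text) is not None


def has_local_route(table_text):
    """True if the table holds the local catch-all route that delivers marked packets to lo."""
    return re.search(r"^local (default|0\.0\.0\.0/0) dev lo\b", table_text, re.M) is not None


def mangle_rules(mangle_text):
    """Which of the three recipe rules appear in the mangle table listing.
    `\\s+` tolerates a mail client wrapping the TPROXY line after `mark`."""
    return {
        "divert": re.search(r"DIVERT\s+tcp.*\bsocket\b", mangle_text) is not None,
        "tproxy": re.search(rf"TPROXY redirect \S*:{TPROXY_PORT}\s+mark\s+{FWMARK}/{FWMARK}",
                            mangle_text) is not None,
        "mark_set": re.search(rf"MARK set {FWMARK}\b", mangle_text) is not None,
    }


def broute_rules(ebtables_text):
    """(number of BROUTING redirect rules, how many of them route the frame via DROP)."""
    rules = [line for line in ebtables_text.splitlines() if "-j redirect" in line]
    routed = sum("--redirect-target DROP" in line for line in rules)
    return len(rules), routed


def diagnose(ip_rule, table_100, mangle, ebtables):
    """Return the recipe pieces the four listings do not show, in a fixed order."""
    findings = []
    if not has_fwmark_rule(ip_rule):
        findings.append(f"ip rule: no 'fwmark {FWMARK} lookup {RT_TABLE}' entry")
    if not has_local_route(table_100):
        findings.append(f"table {RT_TABLE}: no 'local default dev lo' route")
    for name, ok in mangle_rules(mangle).items():
        if not ok:
            findings.append(f"mangle: {name} rule not found")
    total, routed = broute_rules(ebtables)
    if total == 0:
        findings.append("ebtables: no BROUTING redirect rules")
    elif routed < total:
        findings.append(f"ebtables: {total - routed} of {total} redirect rules lack "
                        "--redirect-target DROP (broute's 'route this frame' action)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(POSTED_IP_RULE, EMPTY_TABLE_100, POSTED_MANGLE, POSTED_EBTABLES):
        print("missing:", finding)
```

Run against the listings modeled on the thread it reports two gaps (nothing shown for table 100, and no `--redirect-target DROP` on the two BROUTING rules); against the recipe-shaped listings it reports none. On a real box, feed it the output of the four commands instead of the constants.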
Received on Thu Aug 18 2011 - 10:51:46 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 18 2011 - 12:00:04 MDT