Re: [squid-users] ./configure with TProxy from Amos Jeffries on 2012-02-28 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Feb 2012 00:59:16 +1300

On 28/02/2012 11:53 p.m., parashuram wrote:
> On 2/28/2012 3:47 PM, cc wrote:
>> Hi,
>>
>> I'm getting:
>>
>> configure:26480: WARNING: Missing needed capabilities (libcap or
>> libcap2) for TPROXY
>> configure:26482: WARNING: Linux Transparent Proxy support WILL NOT be
>> enabled
>> configure:26484: WARNING: Reduced support to Interception Proxy
> Even i had got these WARNING but I ignored warnings and got compiled
> correctly( dont know whether good practice). all u need to do is
> change squid.conf http_port 3128 directive to http_port 3128
> transparent, with this setup my transparent proxy running fine.

parashuram, the many meanings of the word "transparent" has got up and
bit you.

The port flags which used to be called "transparent" is still accepted
by current Squid for backward compatibility as an alias of "intercept"
(full name "Interception proxy"). "intercept" is the current option
which should be used on NAT interception ports. Some people used to call
those ports "transparent interception proxy", and others wrongly
abbreviate it to "transparent proxy" resulting in bad confusion.

"TPROXY" feature (full name "Transparent Proxy") has a different port
option, "tproxy", for receiving diverted packets. This works only if you
have the security library to get spoofing access to send the packets
back with spoofed IP (for transparent proxy/relay at the TCP/IP level).
Both of you seem to not have that library, so transparent proxy is not
working.

The differences?
  - intercept is only invisible to the client. Server can see full
details about the proxy IPs.
  - tproxy spoofs the client IP address. Server cannot tell TCP
connections from real client and proxy apart.
    * websites such as hotmail or WindowsLive logins doing tricks with
alternative secure TCP connections will work through TPROXY but not NAT.

- intercept uses NAT to alter the packets so they reach Squid. IPv4-only.
- tproxy uses kernel packet delivery functions. IPv4 and IPv6 support.

Amos
Received on Tue Feb 28 2012 - 11:59:22 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 28 2012 - 12:00:11 MST