Re: [squid-users] SQUID TPROXY option does not work when URL is on the same machine as SQUID

From: Eliezer Croitoru <eliezer_at_ec.hadorhabaac.com>
Date: Wed, 07 Mar 2012 17:33:46 +0200

You need to add the first rule, such as:
ip6tables -t mangle -A PREROUTING -p tcp -d (IP of the machine) --dport 80 -j ACCEPT
= here all the other iptables rules =

Regards
Eliezer

On 05/03/2012 20:09, Vignesh Ramamurthy wrote:
> Hello,
>
> We are using squid to transparently proxy the traffic to a captive
> portal that is residing on the same machine as the squid server. The
> solution was working based on a NAT REDIRECT. We are moving the
> solution to TPROXY based now as part of migration to IPv6. The TPROXY
> works fine in intercepting traffic and is also successfully able to allow
> / deny traffic to IPv6 sites. We are facing a strange issue when we
> try to access a URL on the same machine that hosts the squid server.
> The access hangs and squid is not able to connect to the URL. We are
> using the AOL webserver to host the webpage.
>
> All the configurations as recommended by the squid sites are done.
> -> Firewall rules with TPROXY and DIVERT chain have been set up as below
>
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
> ip6tables -t mangle -A DIVERT -j ACCEPT
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT
> ip6tables -t mangle -A PREROUTING -i eth0.20 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8085
> ip6tables -t mangle -A PREROUTING -j ACCEPT
>
> -> Policy routing to route proxied traffic to the local box is also
> done as recommended
> 16383: from all fwmark 0x1 lookup 100
> 16390: from all lookup local
> 32766: from all lookup main
>
> ip -6 route show table 100
> local default dev lo metric 1024
> local default dev eth0.20 metric 1024
>
>
> The Squid configuration used is standard, and I have provided below a
> snapshot of cache.log, running squid at full debug level with max
> logging. I have provided the final set of logs for this transaction.
> The URL accessed in the test is
> http://[2001:4b8:1::549]/sample_page.adp.
>
> Appreciate any assistance / pointers to solve this. Please do let me
> know if any additional information is required.
>
> 2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST:
> ---------
> GET /sample_page.adp HTTP/1.1
> User-Agent: w3m/0.5.2
> Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/*
> Accept-Encoding: gzip, compress, bzip, bzip2, deflate
> Accept-Language: en;q=1.0
> Host: [2001:4b8:1::549]
> Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519)
> X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc
> Cache-Control: max-age=259200
> Connection: keep-alive
>
>
> ----------
> 2012/03/05 04:29:26.320 kid1| Write.cc(21) Write:
> local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673
> remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall
> 0x871f6e8*1
> 2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13,
> type=2, handler=1, client_data=0x84df560, timeout=0
> 2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7]
> 2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start()
> 2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents
> 2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace
> constructed, this=0x871ff48 [call204]
> 2012/03/05 04:29:26.321 kid1| event.cc(261) will call
> MaintainSwapSpace() [call204]
> 2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace()
> 2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call
> MaintainSwapSpace [call204]
> 2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding
> 'MaintainSwapSpace', in 1.00 seconds
> 2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace()
> 2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents
> 2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools
> constructed, this=0x871ff48 [call205]
> 2012/03/05 04:29:27.149 kid1| event.cc(261) will call
> memPoolCleanIdlePools() [call205]
> 2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools()
> 2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call
> memPoolCleanIdlePools [call205]
> 2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding
> 'memPoolCleanIdlePools', in 15.00 seconds
> 2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools()
> 2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents
> 2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru
> constructed, this=0x871ff48 [call206]
> 2012/03/05 04:29:27.165 kid1| event.cc(261) will call
> fqdncache_purgelru() [call206]
> 2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru()
> 2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call
> fqdncache_purgelru [call206]
> 2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding
> 'fqdncache_purgelru', in 10.00 seconds
> 2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru()
Received on Wed Mar 07 2012 - 15:33:54 MST
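The fix proposed in the reply depends entirely on rule order: a plain ACCEPT for traffic addressed to the box's own IPv6 address has to sit in the mangle PREROUTING chain before the `-m socket -j DIVERT` and TPROXY rules, otherwise Squid's own connection to the local web server is marked and intercepted again, which is the hang described in the original post. The script below is an added example written for this page, not something posted in the thread. It emits the complete ruleset (the thread's DIVERT chain, TPROXY rule and fwmark policy route) with the local-destination ACCEPT placed first, and it includes a small checker that reads `ip6tables -S` style output and confirms the ACCEPT precedes the first TPROXY rule. The address `2001:db8::1`, interface `eth0.20` and port `8085` are constructed placeholders; override them with environment variables for a real box.

```shell
#!/bin/sh
# Added example: generate and sanity-check a Squid TPROXY ip6tables ruleset
# that exempts traffic to the local web server from interception.
# LOCAL_IP is a constructed documentation address; set it to the real address
# of the machine running Squid and the captive portal.
LOCAL_IP="${LOCAL_IP:-2001:db8::1}"
IFACE="${IFACE:-eth0.20}"
TPROXY_PORT="${TPROXY_PORT:-8085}"

# Emit the commands in the order they must be applied, one per line.
# The local-destination ACCEPT is the first PREROUTING rule on purpose:
# anything matching it never reaches the socket/TPROXY rules below it.
tproxy_rules() {
  cat <<EOF
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -d $LOCAL_IP --dport 80 -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $IFACE -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port $TPROXY_PORT
ip6tables -t mangle -A PREROUTING -j ACCEPT
ip -6 rule add fwmark 0x1 lookup 100
ip -6 route add local default dev lo table 100
EOF
}

# Read rule lines on stdin (e.g. "ip6tables -t mangle -S PREROUTING") and
# return 0 if an ACCEPT for the local address appears before the first
# TPROXY rule, 1 if TPROXY comes first, 2 if no TPROXY rule is present.
check_order() {
  seen_local=0
  while IFS= read -r line; do
    case "$line" in
      *"-d $LOCAL_IP"*"-j ACCEPT"*) seen_local=1 ;;
      *"-j TPROXY"*)
        [ "$seen_local" -eq 1 ] && return 0
        echo "WARN: TPROXY rule precedes the ACCEPT for $LOCAL_IP; local port 80 will be intercepted" >&2
        return 1 ;;
    esac
  done
  echo "WARN: no TPROXY rule found in input" >&2
  return 2
}

# Constructed samples in the format "ip6tables -S" prints, for offline testing.
# GOOD_RULES has the ACCEPT first; BAD_RULES reproduces the order from the
# original post, where the local-destination exemption is missing entirely.
GOOD_RULES="-P PREROUTING ACCEPT
-A PREROUTING -d $LOCAL_IP/128 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i $IFACE -p tcp -m tcp --dport 80 -j TPROXY --on-port $TPROXY_PORT --on-ip :: --tproxy-mark 0x1/0x1
-A PREROUTING -j ACCEPT"

BAD_RULES="-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -m tos --tos 0x20 -j ACCEPT
-A PREROUTING -i $IFACE -p tcp -m tcp --dport 80 -j TPROXY --on-port $TPROXY_PORT --on-ip :: --tproxy-mark 0x1/0x1
-A PREROUTING -j ACCEPT"

# Usage: no argument prints the ruleset; --apply runs it (needs root);
# --check validates rule order read from stdin.
case "${1:-}" in
  --apply) tproxy_rules | while IFS= read -r cmd; do $cmd; done ;;
  --check) check_order ;;
  *) tproxy_rules ;;
esac
```

To audit a running box, feed the live chain to the checker: `ip6tables -t mangle -S PREROUTING | LOCAL_IP=<your address> sh tproxy-rules.sh --check`. The checker matches on substrings, so it accepts both the `-S` output (with the `/128` suffix) and the raw commands the script generates.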