[squid-users] Re: transparent (intercepting?) without wccp, options?

From: Ezequiel Birman <stormwatch_at_espiga4.com.ar>
Date: Thu, 05 Jul 2012 23:16:08 -0300

>>>>> "Eliezer" == Eliezer Croitoru <eliezer_at_ngtech.co.il> writes:

> On 7/5/2012 4:48 AM, Ezequiel Birman wrote:
>>>>>>> "Amos" == Amos Jeffries <squid3_at_treenet.co.nz> writes:
>> > On 04.07.2012 15:54, Ezequiel Birman wrote: >>>>>>> "Eliezer"
>> == Eliezer Croitoru <eliezer_at_ngtech.co.il> writes: >> > <snip>
>> >>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting
>> >> >> > this is a good way to start but it wont be a transparent
>> >> proxy but > a "nat" proxy but it can be good for your needs as
>> >> anyway you have > nat in the RV042. >> >> Are you sure? The
>> only mention to nat in is in order to redirect >> port 80 to 3128
>> on squid box. This is the intro: >> ...
>> > Yes. There are 4 protocol layers involved. ebtables - rules
>> stops > it being a bridge "transparent relay/proxy" and makes it
>> routed > traffic. iptables - rules use NAT (interception proxy)
>> instead of > TPROXY (transparent proxy). squid - config file
>> uses > URL-rewriters to prevent Squid being a HTTP protocol
>> "transparent > proxy" (HTTP definition of "transparent proxy" is
>> the Squid > default behaviour).
>> > There is a lot of people confused by the meaning of the word >
>> "transparent". With good reason, it has been used out of context
>> > so much.
>> Where should I start then? Could yo point me to some doc,
>> tutorial or config example to implement what Eliezer suggested? I
>> mean beside the books which I didn't buy yet.
>> Regards
> dont worry! i dont know anyone that masters linux and got it all
> from books he didnt bout :)

XD I meant, of course, the two squid books, Begginer's Guide and
advanced. Anyway, if i get this right maybe I'll write a tutorial

> it's pretty simple to implement as long you do understand the
> concepts. you will just need to practice and see how all of it
> actually fits together as a puzzle.

> start with a bridge interface and bridge tools. it depends on
> what linux distro you are using. debian is a nice and simple one.
> you need to install the bridge tools + ebtables and configure the
> bridge interface for two Ethernet interfaces. the next step is to
> add the bridge interface ip address and default route. all the
> above can be done in the /etc/...somewhere this link:
> http://wiki.debian.org/BridgeNetworkConnections#Libvirt_and_bridging
> can help you a bit.

> on debian it will work just like that.. config.. apply
> settings.. connect one cable .. connect second cable ...done.

> after that you can install\compile squid3.1 will be here to help
> if you need something.

> Eliezer

> -- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for
> Nonprofit organizations eliezer <at> ngtech.co.il

I am using CentOS 6.2, for no better reason that I use fedora at home.

Bridge is working, then installed squid via yum.


$ squid -v
Squid Cache: Version 3.1.10
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid'
'--localstatedir=/var' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid'
'--disable-dependency-tracking' '--enable-arp-acl'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-referer-log' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs'
'--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl'
'--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.10

What now? If I understand correctly, I need to set up rules in ebtables
to drop (deviate) http packets. Then set iptables in order to redirect
to port 3129 (tproxy), and that's it? Am I right?

In http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration I
see rules applied to eth0, should i rewrite br0 in place of eth0?

Should i copy the setup from
without changes?

Already did: "setsebol -P squid_connect_any=1 squid_use_tproxy=1". By
the way, i think setsebol variables don't accept "yes" as a value.

Anything else?

Thanks for your time

Ezequiel Birman
Received on Fri Jul 06 2012 - 02:08:47 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 06 2012 - 12:00:01 MDT