On 23/10/2012 10:21 p.m., alberto.desi wrote:
> Hello guys,
> I'm becoming crazy!
> I am a student and I am working with Squid for a project about content
> delivery networks.
> Setting up the system (all in IPv6) I have found out some issues.
>
> To set up it I followed http://wiki.squid-cache.org/Features/Tproxy4 because
> I need a trasparent proxy and for IPv6 this the way. The problem is that
> passing through I have to start a rewrite_url_program, written in perl. All
> is working, I pass, the perl file is started and so on. But I have to
> rewrite the url or to a machine called origin or to the local machine, where
> I have installed Squid. If I rewrite the url to go to the origin, is ok.
> When I rewrite the link to go to the local cache it seems like blocked. I am
> using this iptables rules:
Sounds familiar. Did you get my response to your earlier request ~10
days ago?
Some questions:
* a machine *called* "origin" or an "origin server" ?
* a machine called "localhost" or the "local machine" ?
The difference in these things is rather important.
A copy of the perl re-writer would be helpful in identifying what it does.
Also, a copy of the cache.log output when squid is run with
"debug_options 11,2". The line containing "HTTP Server REQUEST", the one
above it, and the headers below which are generated when sending your
re-written request would also be very useful.
Amos
>
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
> ip6tables -t mangle -A DIVERT -j ACCEPT
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
> 0x1/0x1 --on-port 3129
>
> and I set up also
>
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev eth0 table 100 <= changed dev with
> arriving interface (for me eth2)
>
> It seems that the packets redirected to the cache of the machine with squid
> are in an internal loop.
> Can you help me to understand why, and maybe how to find a solution?
> This mechanism was working with the IPv4 rules for the trasparent proxy
> (with nat chain), but here with IPv6 the things are different!!!
>
> Thanks a lot
>
> P.S.
> all the machines are running
> - Linux Ubuntu, kernel 2.6.39
> - iptables v. 1.4.16.2
> - Squid 3.2.2
>
>
> *[squid.conf]* file
> #
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
> machines
> acl localnet src 3001::/64
> acl localnet src 5001::/64
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> # And finally deny all other access to this proxy
> #http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 3129 tproxy
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> visible_hostname machine1
> url_rewrite_program /home/alberto/rewriteurl.pl
>
Received on Tue Oct 23 2012 - 09:48:18 MDT
This archive was generated by hypermail 2.2.0 : Tue Oct 23 2012 - 12:00:04 MDT