[squid-users] ISP-style Transparent Proxy

From: Nick Bright <nick.bright_at_valnet.net>
Date: Wed, 07 Nov 2012 16:08:05 -0600

Greetings,

We're working to attempt to get a completely transparent proxy up and
running. By completely transparent I mean:

1) The web server should see the clients' actual IP (not the proxy)
2) The client should see the response coming back from the IP of the web
server.

We're trying to implement this with WCCPv2 Interception on a
7204vxr/NPE-G1 with IOS 12.3.15a.

The configuration guide has been explicitly followed at:
   http://wiki.squid-cache.org/Features/Tproxy4

The machine is running CentOS 6. I've tried with the stock kernel, and
with 3.6.5 installed from elrepo.org. SELinux is disabled. Using the
non-tproxy port in squid by explicitly configuring the proxy,
successfully proxies & caches traffic (proxy server ip reported by web
server).

Squid version is 3.1.10-9.el6_3 from CentOS6 repository.

All commands successfully complete, but the proxy isn't working.

I've observed that:

1) The Cisco router sees the web cache as reported by "sh ip wccp" (see
attached sh_ip_wccp.txt).
2) tcpdump -i tun0 reports packets arriving from the Cisco router.
3) tcpdump -i eth2 reports packets leaving the cache server bound for
the destination web server
4) The destination web server shows no hits in the access_log file
5) tcpdump on the web server shows packets arriving from the client IP
address on port 80.
6) tcpdump on the web server shows packets leaving bound for the client IP
7) The client browser times out, receiving an HTML error from Squid
reporting "Connection to <server ip> failed."
8) When the timeout occurs, the squid access log reports "TCP_MISS/504
4123 GET http://myip.valnet.net/ - DIRECT/64.254.32.23 text/html"

I've attached numerous files containing statuses of various things that
need to be set, such as rp_filter sysctl values, output of "show ip
wccp", the squid.conf file, the Cisco configuration, and the contents of
iptables.

Any advice appreciated.

Thanks,

-- 
-----------------------------------------------
-  Nick Bright                                -
-  Vice President of Technology               -
-  Valnet -=- We Connect You -=-              -
-  Tel 888-332-1616 x 315 / Fax 620-331-0789  -
-  Web http://www.valnet.net/                 -
-----------------------------------------------
- Are your files safe?                        -
- Valnet Vault - Secure Cloud Backup          -
- More information & 30 day free trial at     -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------
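The items the post mentions having to set on the Linux side (rp_filter, the policy-routing rule and table for marked packets, and the iptables TPROXY rule) are easy to get subtly wrong and silently break interception. The following audit script is an added example, not code from the post, the attachments or the Squid project. It reads saved or live command output on stdin so it can be run against exactly the kind of files the poster attached. The mark value 0x1, routing table 100 and TPROXY port used in the constructed sample are assumptions taken from the common layout on the Tproxy4 wiki, not from the poster's configuration.

```shell
#!/bin/sh
# Added example (not from the original post or the Squid project): audit the
# Linux-side prerequisites of TPROXY interception from sysctl/ip/iptables
# output. Each check reads stdin so it works on saved attachments or live
# output. Interface names, mark 0x1, table 100 and port 3129 are assumptions.

# rp_filter must be 0 on every interface involved: with reverse-path
# filtering on, the kernel discards intercepted packets whose source address
# is a client that "should" have arrived on another interface, and nothing is
# logged. Prints "iface=value" for every non-zero entry; empty output is good.
check_rp_filter() {
    awk -F'[ =]+' '/^net\.ipv4\.conf\.[^.]+\.rp_filter/ {
        split($1, f, ".")
        if ($2 != 0) printf "%s=%s\n", f[4], $2
    }'
}

# Policy rule: packets carrying the TPROXY mark must be looked up in a table
# that delivers them locally. Reads "ip rule show", prints "mark table".
check_fwmark_rule() {
    awk '/fwmark/ {
        m = ""; t = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "fwmark") m = $(i + 1)
            if ($i == "lookup") t = $(i + 1)
        }
        print m, t
    }'
}

# The table named by that rule needs a "local" route via lo so the marked
# packets reach the listening socket instead of being forwarded.
# Reads "ip route show table N"; exit status 0 when the route is present.
check_local_route() {
    grep -q '^local .*dev lo'
}

# mangle-table rule that hands port-80 traffic to squid's TPROXY port and
# sets the mark the policy rule keys on. Reads "iptables-save" output and
# prints "port mark" for every TPROXY rule found.
check_tproxy_rule() {
    awk '/-j TPROXY/ {
        p = ""; m = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--on-port") p = $(i + 1)
            if ($i == "--tproxy-mark") m = $(i + 1)
        }
        print p, m
    }'
}

# Live audit of the current host (needs root for iptables-save).
tproxy_audit() {
    echo "rp_filter non-zero on:"; sysctl -a 2>/dev/null | check_rp_filter
    echo "fwmark rules:";          ip rule show | check_fwmark_rule
    echo "TPROXY rules:";          iptables-save 2>/dev/null | check_tproxy_rule
}

# Constructed sample mirroring a typical misconfiguration: the TPROXY rule
# and policy rule exist, but rp_filter is still on for eth2.
demo() {
    printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.lo.rp_filter = 0\nnet.ipv4.conf.eth2.rp_filter = 1\n' \
        | check_rp_filter
    printf '0:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n' \
        | check_fwmark_rule
    printf -- '-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1\n' \
        | check_tproxy_rule
}

if [ "${1:-}" = "--live" ]; then tproxy_audit; else demo; fi
```

Run it with `--live` on the cache box, or feed the saved outputs to the individual functions (for example `sh -c '. ./audit.sh; check_rp_filter' < rp_filter.txt`). An interface listed by `check_rp_filter`, a missing `fwmark` rule, or a `check_local_route` failure on the table that rule names each means the kernel, not squid, is dropping the intercepted traffic.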
Received on Wed Nov 07 2012 - 22:08:12 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 08 2012 - 12:00:03 MST