Re: [squid-users] ISP-style Transparent Proxy

From: Amos Jeffries <>
Date: Thu, 08 Nov 2012 11:24:20 +1300

On 08.11.2012 11:08, Nick Bright wrote:
> Greetings,
> We're working to attempt to get a completely transparent proxy up and
> running. By completely transparent I mean:
> 1) The web server should see the clients' actual IP (not the proxy)
> 2) The client should see the response coming back from the IP of the
> web server.
> We're trying to implement this with WCCPv2 Interception on a
> 7204vxr/NPE-G1 with IOS 12.3.15a.
> The configuration guide has been explicitly followed at:
> The machine is running CentOS 6. I've tried with the stock kernel,
> and with 3.6.5 installed from selinux is disabled. Using
> the non-tproxy port in squid by explicitly configuring the proxy,
> successfully proxies & caches traffic (proxy server ip reported by
> web
> server).
> Squid version is 3.1.10-9.el6_3 from CentOS6 repository.
> All commands successfully complete, but the proxy isn't working.
> I've observed that:
> 1) The Cisco router sees the web cache as reported by "sh ip wccp"
> (see attached sh_ip_wccp.txt).
> 2) tcpdump -i tun0 reports packets arriving from the Cisco router.
> 3) tcpdump -i eth2 reports packets leaving the cache server bound for
> the destination web server
> 4) The destination web server shows no hits in the access_log file
> 5) tcpdump on the web server shows packets arriving from the client
> IP address on port 80.
> 6) tcpdump on the web server shows packets leaving bound for the
> client IP

... and yet #4 ?

What *type* of packets? ICMP packet-too-large messages have a way of
disappearing silently on some networks, and in some versions of TPROXY

> 7) The client browser times out, receiving an HTML error from Squid
> reporting "Connection to <server ip> failed."
> 8) When the timeout occurs, the squid access log reports
> "TCP_MISS/504 4123 GET - DIRECT/
> text/html"

Just once or many times? the most common issue with TPROXY is
forwarding loops.

The other thing to look for is whether there is packet-level symmetry
in the network. Catching every single server->client packet at the WCCP
router and sending to Squid is critical.

> I've attached numerous files containing statuses of various things
> that need to be set, such as rp_filter sysctl values, output of "show
> ip wccp", the squid.conf file, the cisco configuration, and the
> contents of iptables.
> Any advice appreciated.
> Thanks,

Please update to squid-3.2 series if possible. There are some major
security vulnerabilities in transparent and intercepted traffic for
older versions. The latest releases will also help catch forwarding
loops better on intercepted traffic.

Received on Wed Nov 07 2012 - 22:24:23 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 08 2012 - 12:00:03 MST