Re: [squid-users] tproxy configuration

On Thu, Feb 21, 2013 at 6:10 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
>>
>> Please, find below the network topology, squid.conf and rc.local
>> configuration files. It appears that the squid is not routing the
>> http requests. I am not sure what I am doing wrong here
>> Please note, the same squid.conf works on transparent proxy (non
>> tproxy), for the exception of tproxy keyword and service changes.
>> Thanks in advance,
>>
>> WAN
>> ||
>> ||
>> wccp/gre tunnel ||
>> squid==============================Fortigate FW/RT Int ip 1 192.168.8.1
>> 3.3 || Int ip 2 192.168.11.1
>> ip: 192.168.8.21 || Ext ip XX.XX.XXX.24
>> ||
>> ||
>> WLAN Router Int. ip
>> 192.168.11.32 Ext. ip 192.168.7.1
>> ||
>> ||
>> ||
>> Client Workstation 192.168.7.110
>>
>>
>> #!/bin/sh -e
>> #
>> # rc.local
>> #
>> # This script is executed at the end of each multiuser runlevel.
>> # Make sure that the script will "exit 0" on success or any other
>> # value on error.
>> #
>> # In order to enable or disable this script just change the execution
>> # bits.
>> #
>> # By default this script does nothing.
>> # GRE Tunnel :
>> echo "Loading modules.."
>> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>>
>> LOCALIP="192.168.8.21"
>> FORTIDIRIP="192.168.8.1"
>> FORTIIPID="XX.XX.XXX.254"
>> echo "changing routing and reverse path stuff.."
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>
>
> What about rp_filter on eth0 where the traffic is actually exiting the Squid
> box?

Could you elaborate on this..

>
>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> echo "creating tunnel..."
>> iptunnel add wccp0 mode gre remote $FORTIIPID local $LOCALIP dev eth0
>> ifconfig wccp0 127.0.1.1/32 up
>> echo "creating routing table for tproxy..."
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>
>
> You may need this to be dev eth0 instead of dev lo. Experiment to find out
> which.
>
>
>> echo "creating iptables tproxy rules..."
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>> iptables -A FORWARD -i lo -j ACCEPT
>
>
> What about forwarding of non-localhost traffic? such as the TPROXY spoofed
> client IPs.
>

Could you elaborate on this, as well.

>
>> iptables -A INPUT -s $FORTIDIRIP -p udp -m udp --dport 2048 -j ACCEPT
>> iptables -A INPUT -i wccp0 -j ACCEPT
>> iptables -A INPUT -p gre -j ACCEPT
>> iptables -t mangle -F
>> iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 3228
>> iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 3229
>> exit 0
>>
>> squid.conf
>> ---------------
>> #debug_options ALL,1 33,2
>> #debug_options ALL,1 33,2 28,9
>> hierarchy_stoplist cgi-bin
>> acl QUERY urlpath_regex cgi-bin
>> #cache_effective_user squid
>> shutdown_lifetime 1 second
>> visible_hostname server
>> httpd_suppress_version_string on
>> forwarded_for off
>> #1GB disk cache
>> cache_dir ufs /usr/local/var/cache/squid 1024 16 256
>>
>> maximum_object_size 5 MB
>> cache_mem 1024 MB
>> cache_swap_low 90
>> cache_swap_high 95
>> maximum_object_size_in_memory 512 KB
>> request_header_access Referer deny all
>> reply_header_access Referer deny all
>> http_port 80 accel
>> acl site1 dstdomain site1.domain.com
>> acl site2 dstdomain site2.domain.com
>> acl site3 dstdomain site3.domain.com
>> acl site4 dstdomain site4.domain.com
>> acl site5 dstdomain site5.domain.com
>> acl site6 dstdomain site6.domain.com
>> acl site7 dstdomain site7.domain.com
>> https_port 443 cert=/etc/ssl/certs/domain_sites.crt
>> key=/etc/ssl/private/domain.key accel vport
>> # never_direct allow site1
>> always_direct allow site1
>> http_access allow site1
>> http_access deny site1
>> always_direct allow site2
>> http_access allow site2
>> http_access deny site2
>> always_direct allow site3
>> http_access allow site3
>> http_access deny site3
>> always_direct allow site4
>> http_access allow site4
>> http_access deny site4
>> always_direct allow site5
>> http_access allow site5
>> http_access deny site5
>> always_direct allow site6
>> http_access allow site6
>> http_access deny site6
>> always_direct allow site7
>> http_access allow site7
>> http_access deny site7
>> #
>> # Recommended minimum configuration:
>> #
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src {WAN Network} # RFC1918 possible internal network
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly
>> plugged) machines
>> acl SSL_ports port 443
>> acl SSL_ports port 4435
>> acl SSL_ports port 8443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 8080 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl pictures url_regex -i .*\.jpg$
>> http_access allow pictures
>> #
>> # Recommended minimum Access Permission configuration:
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>> # Deny requests to certain unsafe ports
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than secure SSL ports
>> http_access deny CONNECT !SSL_ports
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>> #
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> http_access allow localnet
>> http_access allow localhost
>> # And finally deny all other access to this proxy
>> http_access deny all
>> # Squid normally listens to port 3128
>> http_port 3228 tproxy
>> https_port 3229 tproxy ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt
>> key=/etc/ssl/private/domain.key
>> http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt
>> key=/etc/ssl/private/domain.key
>> always_direct allow all
>> ssl_bump server-first all
>> #ssl_bump allow all
>> # the following two options are unsafe and not always necessary:
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/local/libexec/ssl_crtd -s
>> /usr/local/var/lib/squid/ssl_db -M 4MB
>> sslcrtd_children 5
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_encode off
>> icap_client_username_header X-Authenticated-User
>> icap_preview_enable on
>> icap_preview_size 1024
>> icap_service_failure_limit -1
>> icap_service_revival_delay 30
>> icap_service qlproxy1 reqmod_precache bypass=0
>> icap://127.0.0.1:1344/reqmod
>> icap_service qlproxy2 respmod_precache bypass=0
>> icap://127.0.0.1:1344/respmod
>> icap_service squidclamav1 reqmod_precache bypass=0
>> icap://127.0.0.1:1345/squidclamav
>> icap_service squidclamav2 respmod_precache bypass=0
>> icap://127.0.0.1:1345/squidclamav
>> adaptation_service_chain svcRequest squidclamav1 qlproxy1
>> adaptation_service_chain svcResponse squidclamav2 qlproxy2
>> adaptation_access svcRequest allow all
>> adaptation_access svcResponse allow all
>> # FortiGate interface of wccp
>> wccp2_router 192.168.8.1
>> # wccp version 2 configuration for standard service HTTP on tcp port
>> 80 (service 0) with authentication password 'fortinet'
>> wccp2_service dynamic 90
>> wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240
>> ports=80,443
>> wccp2_service dynamic 95
>> wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source
>> priority=240 ports=80,443
>> # tunneling method GRE for forward traffic
>> wccp2_forwarding_method 1
>> # tunneling method GRE for return traffic
>> wccp2_return_method 1
>> # Assignemment method (default), only relevant if multiple caches used
>> wccp2_assignment_method 1
>> # wccp weight (default) ,only relevant if multiple caches used
>> wccp2_weight 10000
>> # which interface to use for WCCP (0.0.0.0 determines the interface
>> from routing)
>> wccp2_address 0.0.0.0
>>
>> # Uncomment and adjust the following to add a disk cache directory.
>> #cache_dir ufs /usr/local/var/cache/squid 100 16 256
>> # Leave coredumps in the first cache dir
>> coredump_dir /usr/local/var/cache/squid
>> # Add any of your own refresh_pattern entries above these.
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>
>
Received on Fri Feb 22 2013 - 04:07:25 MST