Re: [squid-users] not working tproxy in squid 3.2

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 19 Mar 2013 20:49:25 +0200

Hey Oleg,

I want to understand a couple of things about the situation.
What is the problem? A memory leak?
How do you see the memory leak, and where?
Is the memory leak you are talking about only in the case of tproxy usage?

What is the load of the proxy cache?
Do you use it for filtering or just as a plain cache?
In what environment?
The more details you can give on the scenario, and the more precisely you point
your finger at the problem, the happier I will be to assist in finding the culprit.

What linux distro are you using?

Regards,
Eliezer

On 3/19/2013 1:41 PM, Oleg wrote:
> Hi, all.
>
> After squid 3.1 ate all of my memory, I installed squid 3.2 (which also ate
> all of my memory, but that is another story). It seems that in squid 3.2 tproxy
> does not work right. Squid replies to my request, but the count of packets is too
> small for a normal workflow. If I connect directly to squid (in normal mode, on
> port 3128), all works fine.
>
> How can i debug this problem?
>
> My config (3.2.8):
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> http_port 3128
> http_port 3129 tproxy
> access_log none
> coredump_dir /usr/local/var/cache/squid
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 30 startup=5 idle=10 concurrency=0
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> cache_effective_user proxy
>
> iptables-save:
>
> # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013
> *raw
> :PREROUTING ACCEPT [7824875024:8401335411812]
> :OUTPUT ACCEPT [3675157306:6129226492352]
> COMMIT
> # Completed on Wed Mar 6 15:41:59 2013
> # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013
> *mangle
> :PREROUTING ACCEPT [6770135987:6702261415787]
> :INPUT ACCEPT [4838725878:6108754481433]
> :FORWARD ACCEPT [2985099037:2292524666165]
> :OUTPUT ACCEPT [3675156676:6129226454540]
> :POSTROUTING ACCEPT [6660255713:8421751120705]
> :tproxied - [0:0]
> -A PREROUTING -p tcp -m socket --transparent -j tproxied
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0xffffffff
> -A tproxied -j MARK --set-xmark 0x1/0xffffffff
> -A tproxied -j ACCEPT
> COMMIT
> # Completed on Wed Mar 6 15:41:59 2013
> # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013
> *nat
> :PREROUTING ACCEPT [166764142:12594892291]
> :INPUT ACCEPT [88382392:5321491245]
> :OUTPUT ACCEPT [54669707:3295422034]
> :POSTROUTING ACCEPT [132896164:10559090386]
> COMMIT
> # Completed on Wed Mar 6 15:41:59 2013
> # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013
> *filter
> :INPUT ACCEPT [14588788:12990241586]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [12967278:12836984550]
> :block_ip - [0:0]
> :fail2ban-ssh - [0:0]
> -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
> -A INPUT -s 10.232.0.0/16 -p tcp -m tcp --dport 3128 -j ACCEPT
> -A INPUT -s 10.232.0.0/16 -p tcp -m tcp --dport 3129 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 3129 -j DROP
> -A FORWARD -o eth0 -j block_ip
> -A fail2ban-ssh -j RETURN
> COMMIT
> # Completed on Wed Mar 6 15:41:59 2013
>
> ip rule:
> 0: from all lookup local
> 30000: from all fwmark 0x1 lookup tproxy
> 32766: from all lookup main
> 32767: from all lookup default
>
> ip rou show table tproxy:
> local default dev lo scope host
>
> This configuration works fine with squid 3.1.
>

-- 
Eliezer Croitoru
http://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
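Oleg asks how to debug the setup. One thing worth doing before touching Squid itself is to confirm that the four pieces of a TPROXY configuration agree with each other: the `http_port ... tproxy` line in squid.conf, the mangle rules in iptables, the `ip rule` fwmark entry, and the local route in the policy table. The script below is an added example and is not part of this thread or of Squid; the function names (`check_tproxy`, `squid_tproxy_ports`, `mangle_rules`) are my own, and the sample inputs are constructed from the configuration quoted above (port 3129, mark 0x1, table `tproxy`). On a real host you would feed it the output of `iptables-save`, `ip rule` and `ip route show table <name>`.

```python
"""Cross-check a Squid TPROXY setup for consistency (added example)."""
import re

# Constructed sample inputs, copied from the configuration quoted in the thread.
SQUID_CONF = "http_port 3128\nhttp_port 3129 tproxy\n"
IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:tproxied - [0:0]
-A PREROUTING -p tcp -m socket --transparent -j tproxied
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0xffffffff
-A tproxied -j MARK --set-xmark 0x1/0xffffffff
-A tproxied -j ACCEPT
COMMIT
"""
IP_RULE = "0: from all lookup local\n30000: from all fwmark 0x1 lookup tproxy\n32766: from all lookup main\n"
IP_ROUTE_TPROXY = "local default dev lo scope host\n"


def squid_tproxy_ports(conf):
    """Ports declared with the tproxy option in squid.conf (host:port form accepted)."""
    ports = set()
    for line in conf.splitlines():
        m = re.match(r"\s*http_port\s+(?:\S*:)?(\d+)(?:\s+(.*))?$", line)
        if m and "tproxy" in (m.group(2) or "").split():
            ports.add(int(m.group(1)))
    return ports


def mangle_rules(dump):
    """'-A ...' rules of the *mangle table in an iptables-save dump, as token lists."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "mangle" and line.startswith("-A "):
            rules.append(line.split())
    return rules


def opt(tokens, name):
    """Value following option `name` in a rule, or None if absent."""
    if name in tokens and tokens.index(name) + 1 < len(tokens):
        return tokens[tokens.index(name) + 1]
    return None


def parse_mark(value):
    """Mark as int from '0x1/0xffffffff', '0x1' or '1' (mask is ignored)."""
    return int(value.split("/")[0], 0)


def check_tproxy(squid_conf, iptables_dump, ip_rule, route_table):
    """Return a list of inconsistencies; an empty list means the pieces agree."""
    problems = []
    ports = squid_tproxy_ports(squid_conf)
    if not ports:
        problems.append("squid.conf has no 'http_port ... tproxy' line")
    rules = mangle_rules(iptables_dump)

    # The TPROXY target must divert to a port Squid actually listens on in tproxy
    # mode, and it must set the mark the policy route keys on.
    marks = set()
    tproxy_rules = [r for r in rules if r[1] == "PREROUTING" and opt(r, "-j") == "TPROXY"]
    if not tproxy_rules:
        problems.append("no '-j TPROXY' rule in mangle PREROUTING")
    for r in tproxy_rules:
        port = opt(r, "--on-port")
        if port is None or int(port) not in ports:
            problems.append(f"TPROXY --on-port {port} does not match a squid tproxy port {sorted(ports)}")
        mark = opt(r, "--tproxy-mark")
        if mark is None:
            problems.append("TPROXY rule sets no --tproxy-mark, so the policy route cannot match it")
        else:
            marks.add(parse_mark(mark))

    # Packets for an existing transparent socket are caught by '-m socket --transparent';
    # whatever that rule jumps to must set the same mark, or they miss the local route.
    socket_rules = [r for r in rules if r[1] == "PREROUTING" and "--transparent" in r]
    if not socket_rules:
        problems.append("no '-m socket --transparent' rule in mangle PREROUTING")
    for r in socket_rules:
        target = opt(r, "-j")
        chain = [r] if target == "MARK" else [c for c in rules if c[1] == target]
        mark_rules = [c for c in chain if opt(c, "-j") == "MARK"]
        if not mark_rules:
            problems.append(f"socket match jumps to {target} but nothing there sets a MARK")
        for c in mark_rules:
            value = opt(c, "--set-xmark") or opt(c, "--set-mark")
            if value is None or parse_mark(value) not in marks:
                problems.append(f"MARK {value} differs from --tproxy-mark {sorted(marks)}")

    # The mark must select a policy table whose default route is local on lo.
    tables = {m.group(2) for m in (re.search(r"fwmark\s+(\S+)\s+lookup\s+(\S+)", l)
                                   for l in ip_rule.splitlines()) if m and parse_mark(m.group(1)) in marks}
    if not tables:
        problems.append(f"no 'ip rule' entry with fwmark {sorted(marks)}")
    if not any(re.match(r"local\s+(default|0\.0\.0\.0/0)\s+dev\s+lo", l) for l in route_table.splitlines()):
        problems.append("policy table has no 'local default dev lo' route")
    return problems


if __name__ == "__main__":
    found = check_tproxy(SQUID_CONF, IPTABLES_SAVE, IP_RULE, IP_ROUTE_TPROXY)
    print("\n".join(found) if found else "TPROXY pieces are consistent")
```

Run against the quoted configuration the checker reports no inconsistency, which is consistent with Oleg's remark that the same setup works under 3.1. Note what it cannot see: kernel sysctls such as `rp_filter` and `ip_forward` are not in any of these dumps, and Squid's own debugging (`debug_options` on the relevant sections in cache.log) is still the way to confirm that the diverted connections actually reach the 3129 listener.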
Received on Tue Mar 19 2013 - 18:50:02 MDT