Re: [squid-users] Re: TPROXY

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 28 May 2013 22:45:14 +1200

On 28/05/2013 8:11 p.m., Amm wrote:
> ________________________________
>> From: alvarogp <alvarix.gp_at_gmail.com>
>> To: squid-users_at_squid-cache.org
>> Sent: Tuesday, 28 May 2013 1:28 PM
>> Subject: [squid-users] Re: TPROXY
>>
>>
>> alvarogp wrote
>>> Hello,
>>>
>>> I have the next configuration:
>>> - Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
>>> - IPtables 1.4.12
>>> - Squid 3.3.4 with Tproxy
>>>
>>> With Iptables I have configured the proxy to forward the traffic from the
>>> local LAN (eth0) to the outside world (eth1). The configuration is:
>>>
>>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>> iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED
>>> -j ACCEPT
>>> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> To configure and install Tproxy I have followed the tutorial described in
>>> the wiki:
>>>
>>> ./configure --enable-linux-netfilter
>>>
>>> net.ipv4.ip_forward = 1
>>> net.ipv4.conf.default.rp_filter = 0
>>> net.ipv4.conf.all.rp_filter = 0
>>> net.ipv4.conf.eth0.rp_filter = 0
>>>
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>>> --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> For squid.conf, I have maintained the configuration by default, adding to
>>> it:
>>>
>>> http_port 3128
>>> http_port 3129 tproxy
>>>
>>> If Squid is running, the packets from the local LAN are routed correctly
>>> and the web pages are shown perfectly. The problem I have is that these
>>> accesses are not reflected in the access.log and cache.log, so could it be
>>> possible that squid is not caching any cacheable content?
> I have had the exact same problem when I was trying TPROXY with a similar
> configuration.
>
> Squid would route packets but not LOG anything in access log.
>
> If I stop squid then clients can't access any website. (This indicates that
> packets are indeed routing through squid.)

access.log would indicate that none of them are actually making it to
the Squid process.

Perhaps the Ubuntu kernel version has a bug which makes the packets
work when *some* process is listening on the required port, but the
packets are actually not getting there.

Or perhaps TCP packets are sending the HTTP request through Squid and
Squid relaying it, but the response is not going back to Squid (direct back
to the client). In that event Squid would wait for some time (read/write
timeouts are 15 minutes long) before logging the failed HTTP
transaction. That could be caused by some bad configuration on a router
outside of the Squid machine.

Amos
Received on Tue May 28 2013 - 10:45:21 MDT
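An added diagnostic script, not from the thread or the Squid project, that checks the Linux side of a Squid TPROXY setup against captured command output: the sysctls and mangle rules quoted in the original post, plus (an assumption on my part, taken from the Squid wiki TPROXY instructions) the policy route for the fwmark, `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100`, without which the kernel marks the packets but never delivers them to the local Squid socket. The constructed sample reproduces the poster's configuration, which shows no such route.

```shell
#!/bin/sh
# Each check_* reads command output on stdin and prints one "missing: ..."
# line per absent item (nothing when everything expected is present).

check_sysctl() {          # stdin: "key = value" lines from sysctl
    awk '/^net\.ipv4\.ip_forward = 1$/ {f=1}
         /^net\.ipv4\.conf\.all\.rp_filter = 0$/ {a=1}
         /^net\.ipv4\.conf\.default\.rp_filter = 0$/ {d=1}
         END { if (!f) print "missing: net.ipv4.ip_forward = 1"
               if (!a) print "missing: net.ipv4.conf.all.rp_filter = 0"
               if (!d) print "missing: net.ipv4.conf.default.rp_filter = 0" }'
}

check_mangle() {          # stdin: iptables-save -t mangle output
    awk '/^-A DIVERT .*-j MARK / {m=1}
         /^-A PREROUTING .*-m socket .*-j DIVERT/ {s=1}
         /^-A PREROUTING .*-j TPROXY .*--on-port 3129/ {t=1}
         END { if (!m) print "missing: DIVERT -j MARK --set-mark 1"
               if (!s) print "missing: PREROUTING -m socket -j DIVERT"
               if (!t) print "missing: PREROUTING TPROXY --on-port 3129" }'
}

check_policy_route() {    # stdin: ip rule show, then ip route show table 100
    awk '/fwmark 0x1 lookup 100/ {r=1}
         /^local default dev lo/ {l=1}
         END { if (!r) print "missing: ip rule fwmark 0x1 lookup 100"
               if (!l) print "missing: ip route local default dev lo table 100" }'
}

# Constructed sample (assumption): the state the original post describes,
# rendered as iptables-save / ip would print it, with no policy route.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0'
SAMPLE_MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'
SAMPLE_ROUTE='0: from all lookup local
32766: from all lookup main'

check_sample() {          # all three checks over the constructed sample
    printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctl
    printf '%s\n' "$SAMPLE_MANGLE" | check_mangle
    printf '%s\n' "$SAMPLE_ROUTE"  | check_policy_route
}

check_live() {            # same checks against the running host (run as root)
    sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter | check_sysctl
    iptables-save -t mangle | check_mangle
    { ip rule show; ip route show table 100; } | check_policy_route
}

if [ "$1" = live ]; then check_live; else check_sample; fi
```

Run with `live` on the proxy host to check the real configuration; with no argument it reports what the sample configuration lacks.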
