[squid-users] Dansguardian + squid

From: Kai Meyer <kai_at_gnukai.com>
Date: Thu, 11 Jul 2013 21:09:12 -0600

Sorry for the long post, but I like to error on the side of verbosity
when I'm grasping at straws.

I've been happily running Dansguardian(2.10.1.1-4.el6.x86_64) +
squid(3.1.10-9.el6_3.x86_64) on CentOS 6 for a while.

Recently, I've been dealing with an HTTP 1.1 error by disabling the
proxy temporarily. I finally decided to fix it for real and it looks
like squid 3.3 will solve my problem. So I hacked the squid 3.3 source
into the CentOS 3.1 source rpm, and produced a package you can find
here:
http://kai.gnukai.com/repo/

I was using a "close-to-stock" squid 3.1 configuration that was
working:
---snip---
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
follow_x_forwarded_for deny all
http_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname CENSORED
---snip---

I dropped in squid 3.3, and it complained about line one. So I dropped
line 1, and had some more issues. So I decided to start with the stock
3.3 squid configuration, and simply "add" the peices I thought I needed.
I ended up with this:
---snip---
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
follow_x_forwarded_for deny all
visible_hostname CENSORED
always_direct allow all
http_port 3129 transparent
---snip---

You may notice I "added" port 3129 instead of replacing the 3128. I did
that just to avoid the "kid1| ERROR: No forward-proxy ports configured."
error. I've updated my dansguardian config accordingly.

For reference, here's my iptables config. ppp0 is my internet
connection, br0 is my local network connection, and tun+ interfaces are
any OpenVPN

---snip---
*nat
:PREROUTING ACCEPT [10:812]
:POSTROUTING ACCEPT [3:236]
:OUTPUT ACCEPT [6:469]
:whitelist - [0:0]
-A PREROUTING -j whitelist
-A PREROUTING -s 10.9.8.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.9.8.0/24 -i br0 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.9.8.1:8080
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [34:8038]
:OUTPUT ACCEPT [5:337]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m
recent --set --name DEFAULT --rsource
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m
recent --rcheck --seconds 600 --hitcount 3 --name DEFAULT --rsource -j
LOG --log-prefix "SSH DROP: " --log-level 6
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m
recent --update --seconds 600 --hitcount 3 --name DEFAULT --rsource -j
DROP
-A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 80 -j
ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 443 -j
ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [109:23590]
:INPUT ACCEPT [50:3853]
:FORWARD ACCEPT [59:19737]
:OUTPUT ACCEPT [29:2882]
:POSTROUTING ACCEPT [88:22619]
COMMIT
---snip---

So, with the DNAT rule enabled, every http page (ie:
http://kai.gnukai.com/ip.php) comes back in my browser with the error
---snip---
      Access Denied.

    Access control configuration prevents your request from being
allowed at
    this time. Please contact your service provider if you feel this is
    incorrect.
---snip---

If I http decode the mailto: link to root, I get this:
---snip---
mailto:root?subject=CacheErrorInfo - ERR_ACCESS_DENIED&body=CacheHost:
shuttle.gamer.gnukai.com
ErrPage: ERR_ACCESS_DENIED
Err: [none]
TimeStamp: Fri, 12 Jul 2013 01:08:40 GMT

ClientIP: 10.9.8.1

HTTP Request:
GET /ip.php HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: shuttle
Accept: */*
Via: 1.0 CENSORED (squid/3.3.6)
X-Forwarded-For: 10.9.8.104, 10.9.8.1
Cache-Control: max-age=259200
Connection: keep-alive
---snip---

10.9.8.104 is my browser. If I use curl to get the headers back, they
look like this:

---snip---
HTTP/1.1 403 Forbidden
Server: squid/3.3.6
Mime-Version: 1.0
Date: Fri, 12 Jul 2013 02:53:39 GMT
Content-Type: text/html
Content-Length: 3447
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from CENSORED
X-Cache-Lookup: MISS from CENSORED:3128
X-Cache: MISS from CENSORED
X-Cache-Lookup: MISS from CENSORED:3128
Via: 1.1 CENSORED (squid/3.3.6), 1.1 CENSORED (squid/3.3.6)
Connection: keep-alive
---snip---

I'm confused that it says 3128, when it's clearly talking 3129 on the
lo device:
   0.000000 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [SYN] Seq=0
Win=32792 Len=0 MSS=16396 TSV=211693779 TSER=0 WS=7
   0.000012 10.9.8.1 -> 10.9.8.1 TCP 3129 > 35160 [SYN, ACK]
Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 TSV=211693779 TSER=211693779 WS=7
   0.000021 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [ACK] Seq=1
Ack=1 Win=32896 Len=0 TSV=211693779 TSER=211693779
   0.000869 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [PSH, ACK]
Seq=1 Ack=1 Win=32896 Len=44 TSV=211693780 TSER=211693779
....

I get the feeling this is an ACL issue, but I can't find it. What's
really confusing me is that if I change the iptables DNAT rule to
redirect straight to squid (port 3129), I don't run into this issue.

Any ideas?
Received on Fri Jul 12 2013 - 03:09:17 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 12 2013 - 12:00:12 MDT