Re: [squid-users] transparent proxy on remote box issue

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sat, 26 Oct 2013 07:27:06 +0300

Hey,

I was wondering to myself:
Why do you intercept traffic using Amazon?
You should host your proxy close enough to have good response time which
is ok if Amazon is close enough.

In order to perform your goal you will need to use the right interfaces
rules in IPTABLES.

What are you using on the client machine?
And also, do you expect the squid box to use its own IP as the src or the
client IP?
If you have an example on the IP level I might be able to compose an
example that should work for you.

Eliezer

On 10/23/2013 09:46 PM, WorkingMan wrote:
> Setup: VPN <--> SQUID (both in Amazon EC2 classic instances, not VPC)
>
> 1) SQUID works fine by itself when I tried by configuring the browser (and
> before setting SQUID as transparent proxy).
> 2) VPN (strongswan) works fine by itself as well.
>
> Now I added a few iptables rules to route traffic to SQUID and back.
>
> //used these guides (applied all rules from the first link, and the loop back rule
> from the second link, in the sec box of the page):
>
> http://www.linuxdocs.org/HOWTOs/mini/TransparentProxy-6.html
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>
> Behavior (iphone connect to VPN and browse the net; same behavior if
> connected directly to proxy):
> 1) when I set it to intercept mode, I see the whole URL and I get access denied. In
> access.log:
> <VPN IP> TCP_MISS/403 4424 GET http://www.cnn.com/ - HIER_NONE/- text/html
> <VPN IP> TCP_MISS/403 4515 GET http://www.cnn.com/ - HIER_DIRECT/<SQUID IP> text/html
>
> cache.log:
> Referer: http://www.cnn.com/
> Accept-Encoding: gzip, deflate
> Accept: */*
> Accept-Language: en-us
> User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_2 like Mac OS X)
> AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A501
> Safari/9537.53
> Via: 1.1 ip-<SQUID IP> (squid/3.3.9-20131010-r12634)
> Cache-Control: max-age=0
> Connection: keep-alive
>
>
> 2) when I set it to default mode (just port info), I get invalid URL. The hostname
> information is missing.
> access.log - <VPN IP> NONE/400 3544 GET / - HIER_NONE/- text/html
> cache.log - <empty>
>
> //squid.conf
> forwarded_for transparent
> cache_effective_user proxy
> http_port 3130 intercept
> http_port 3128
> debug_options ALL,1
> forward_max_tries 25
>
>
> I have no idea where the problem is.
>
> Thanks
>
Received on Sat Oct 26 2013 - 04:27:22 MDT
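An added example, not code from Eliezer or from the original poster, of the interface-specific iptables rules Eliezer refers to, written for the two-box layout in the original post: the VPN box routes the clients' traffic and a separate squid box listens with the posted "http_port 3130 intercept". The interface name tun0, the VPN client subnet 10.8.0.0/24, the squid address 10.0.0.5, the router address 10.0.0.4 and the acl name are assumptions for illustration. The script prints the rules instead of applying them so they can be reviewed first and then piped to sh; the MODE argument is the choice Eliezer asks about, whether squid sees its own side's router address or the client IP as the source.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the iptables rules for a VPN
# (router) box that forwards VPN clients' port-80 traffic to a separate squid
# box listening with "http_port 3130 intercept".
# Assumed values: tun0 (VPN interface), 10.8.0.0/24 (VPN clients),
# 10.0.0.5 (squid box), 10.0.0.4 (router address as seen by the squid box).

# router_rules VPN_IF VPN_NET SQUID_IP SQUID_PORT MODE
#   MODE=snat: squid sees the router's address as the client; replies return
#              to the router by themselves, no policy routing needed.
#   MODE=keep: squid sees the real client IP; the squid box must then route
#              the VPN subnet back via the router (see squid_box_route).
router_rules() {
    vpn_if=$1; vpn_net=$2; squid_ip=$3; squid_port=$4; mode=${5:-snat}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# leave traffic addressed to the squid box itself alone so nothing loops
iptables -t nat -A PREROUTING -i $vpn_if -s $vpn_net -d $squid_ip -p tcp --dport 80 -j ACCEPT
# every other port-80 request from VPN clients goes to the intercept port
iptables -t nat -A PREROUTING -i $vpn_if -s $vpn_net -p tcp --dport 80 -j DNAT --to-destination $squid_ip:$squid_port
iptables -A FORWARD -i $vpn_if -s $vpn_net -d $squid_ip -p tcp --dport $squid_port -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$mode" = snat ]; then
        # rewrite the source so squid answers the router, not the client
        echo "iptables -t nat -A POSTROUTING -d $squid_ip -p tcp --dport $squid_port -j MASQUERADE"
    fi
}

# squid_box_route VPN_NET ROUTER_IP: run on the squid box, keep mode only,
# so replies to client IPs go back through the VPN box instead of the
# default gateway.
squid_box_route() {
    echo "ip route add $1 via $2"
}

# squid_conf CLIENT_SRC SQUID_PORT: the intercept listener plus the
# http_access lines the posted squid.conf fragment does not show; with no
# http_access rule at all squid denies every request.
squid_conf() {
    client_src=$1; squid_port=$2
    cat <<EOF
http_port $squid_port intercept
http_port 3128
acl vpn_clients src $client_src
http_access allow vpn_clients
http_access deny all
EOF
}

case "${1:-show}" in
    apply) router_rules tun0 10.8.0.0/24 10.0.0.5 3130 snat | sh -e ;;
    show)
        router_rules tun0 10.8.0.0/24 10.0.0.5 3130 snat
        echo "# squid.conf on 10.0.0.5 (snat mode: clients appear as the router, 10.0.0.4):"
        squid_conf 10.0.0.4 3130 ;;
esac
```

Run it without arguments to see the rules, or with "apply" on the VPN box to load them. In snat mode the src acl on the squid box must name the router's address rather than the client subnet, because that is the source squid now sees; in keep mode the acl names the client subnet, but the squid box then needs the route printed by squid_box_route or its replies to client addresses take the default gateway and never reach the VPN. In both modes the redirected connections must arrive on the port marked intercept, since squid cannot reconstruct a request URL from the bare path on an ordinary forward-proxy port.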

This archive was generated by hypermail 2.2.0 : Tue Oct 29 2013 - 12:00:06 MDT