Re: [squid-users] Re: Three questions about Squid configuration

From: Nicolás <nicolas_at_devels.es>
Date: Fri, 18 Jul 2014 08:51:52 +0100

Hi Amos,

On 18/07/2014 5:21, Amos Jeffries wrote:
> On 18/07/2014 7:25 a.m., Nicolás wrote:
>> Ok, I'll try to explain the scenario again and in more detail (I note
>> that I'm using this guide, which states that it should work for public IP
>> addresses: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource):
>>
>> Client side: Has public IP address A.B.C.D
>> Server side: Has public IP address E.F.G.H
>>
>> On the client side, I added the following iptables rule:
>>
>> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
>> E.F.G.H:3128
> Okay. The situation seems clear now. This rule is capturing both the
> client UA output traffic and Squid output traffic.
>
> You need the rule omitting Squid from being captured. The config example
> should have mentioned it, I have added that now.
>
> iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport
> 80 -j ACCEPT
>
> Note the one you tried earlier and failed was in PREROUTING, not OUTPUT.
> This should be the correct one.
>

Unfortunately, this one doesn't seem to make a difference either. On the squid
box, the squid daemon is run by user proxy, so I got the UID and replaced
it in the rule you provided:

     # id proxy
     uid=13(proxy) gid=13(proxy) groups=13(proxy)

So on the client box:

     iptables -t nat -A OUTPUT --match owner --uid-owner 13 -p tcp --dport 80 -j ACCEPT

Then I appended the DNAT rule.

However, I should have (re)mentioned it: in addition to having different
public IP addresses, the client box and the squid box are on
different networks (basically the squid box is located in a different
country than the client box). Should that make a difference?
Also, UID 13 is the one from the squid box; should that work
even if on the client box UID 13 corresponds to a different user?

Also if you wish, I can run squid with the -N -d options and send you
the output log, so you probably will rapidly know what else could be
happening there.

Regards,

Nicolás

>
> NP: you could also use REDIRECT instead of DNAT if you want to avoid
> figuring out the server/client "side" IP address issues. But try the
> above iptables rule in your existing config first to confirm if it works
> before moving on to that change.
>
>
> <snip>
>> access.log:
>>
>> 1405623902.957 0 A.B.C.D TCP_MISS/403 4300 GET
>> http://google.es/ - HIER_NONE/- text/html
>> 1405623902.958 1 A.B.C.D TCP_MISS/403 4419 GET
>> http://google.es/ - HIER_DIRECT/E.F.G.H text/html
>>
> Note that these are in order of completion rather than order of
> initiation. The second line is the first request (client->server
> intercepted into Squid); the first line is the squid->server looped request.
>
> Amos
Received on Fri Jul 18 2014 - 07:52:09 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 18 2014 - 12:00:04 MDT
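The loop Amos reads out of the two access.log lines above can be checked mechanically. The following Python script is an added example and is not part of the thread or of Squid: it parses native-format access.log lines, re-orders them by initiation time (Squid logs the time a transaction completed, so start = timestamp minus duration), and flags the pattern described in the reply: a request Squid sent HIER_DIRECT to its own address which encloses a copy of the same URL that Squid then refused (TCP_MISS/403, HIER_NONE). The sample log is constructed from the two quoted lines plus one ordinary request; A.B.C.D and E.F.G.H are the thread's placeholders, and PROXY_IP (the Squid box's own address) is an assumption you would set to your proxy's real IP.

```python
"""Spot Squid forwarding loops in native-format access.log lines.

Added example; not code from the squid-users thread or the Squid project.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the two lines quoted in the thread (both completed in
# the same millisecond) plus one unrelated request that was served normally.
SAMPLE_LOG = """\
1405623902.957      0 A.B.C.D TCP_MISS/403 4300 GET http://google.es/ - HIER_NONE/- text/html
1405623902.958      1 A.B.C.D TCP_MISS/403 4419 GET http://google.es/ - HIER_DIRECT/E.F.G.H text/html
1405623905.120     40 A.B.C.D TCP_MISS/200 5120 GET http://example.net/ - HIER_DIRECT/203.0.113.10 text/html
"""

# Assumption: the Squid box's own public address (placeholder from the thread).
PROXY_IP = "E.F.G.H"


@dataclass
class Entry:
    end_ms: int        # Squid's timestamp is the moment the transaction completed
    duration_ms: int   # elapsed time field, in milliseconds
    client: str
    code: str          # e.g. TCP_MISS
    status: int        # e.g. 403
    method: str
    url: str
    hierarchy: str     # e.g. HIER_DIRECT / HIER_NONE
    peer: str          # next-hop address, or "-" when none was used

    @property
    def start_ms(self) -> int:
        return self.end_ms - self.duration_ms


def parse_line(line: str) -> Entry:
    """Parse one native-format access.log line (whitespace separated fields)."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected field count in {line!r}")
    sec, _, frac = f[0].partition(".")
    end_ms = int(sec) * 1000 + int(frac.ljust(3, "0")[:3])
    code, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    return Entry(end_ms, int(f[1]), f[2], code, int(status), f[5], f[6], hierarchy, peer)


def parse_log(text: str) -> list[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_initiation_order(entries: list[Entry]) -> list[Entry]:
    """Re-sort by start time; the log itself is in order of completion.

    At millisecond resolution two nested transactions can share a start
    time, so on a tie the one that finished later (the enclosing one) goes
    first.
    """
    return sorted(entries, key=lambda e: (e.start_ms, -e.end_ms))


def find_loops(entries: list[Entry], proxy_ip: str) -> list[tuple[Entry, Entry]]:
    """Return (original, looped_copy) pairs.

    The original is a request Squid forwarded HIER_DIRECT to its own
    address; the looped copy is a request for the same URL, refused with
    403 and no next hop, whose lifetime lies inside the original's.  The
    client column is deliberately not compared: in the quoted log both
    lines carry the same client address.
    """
    ordered = in_initiation_order(entries)
    loops: list[tuple[Entry, Entry]] = []
    for orig in ordered:
        if orig.hierarchy != "HIER_DIRECT" or orig.peer != proxy_ip:
            continue
        for cand in ordered:
            if cand is orig or cand.url != orig.url:
                continue
            if (cand.hierarchy == "HIER_NONE" and cand.status == 403
                    and orig.start_ms <= cand.start_ms <= cand.end_ms <= orig.end_ms):
                loops.append((orig, cand))
                break
    return loops


if __name__ == "__main__":
    for orig, copy in find_loops(parse_log(SAMPLE_LOG), PROXY_IP):
        print(f"loop: {orig.method} {orig.url} forwarded to {orig.peer} "
              f"at {orig.start_ms}, refused copy completed at {copy.end_ms}")
```

One caveat worth keeping in mind when applying the exemption rule from the thread: the iptables `owner` match only ever tests the UID of the process that generated the packet on the machine where the rule is loaded, so a `--uid-owner` exemption for Squid's own outbound traffic has an effect only in the OUTPUT chain of the box Squid runs on, using that box's Squid UID.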