Re: [squid-users] Intercept @ Squid-3.4.6

From: Nicolás <nicolas_at_devels.es>
Date: Wed, 23 Jul 2014 21:15:48 +0100

Hi Roberto,

On 23/07/2014 20:54, Roberto O. Fernández Crisial wrote:
> Hi guys,
>
> I hope you're doing fine. I'm trying to intercept HTTP requests on
> Squid 3.4.6 but I'm going crazy. Is there any http_port parameter
> change between 3.1.10 and 3.4.6?
>
> I have 3.1.10 working fine, here are the examples:
>
> IPTABLES CONFIGURATION (Global config)
> -A PREROUTING -s 10.1.0.0/16 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination SQUIDIP:3129
>
>
> With Squid 3.1.10
>
> SQUID CONF
> http_port 3128 transparent
> http_port 3129 intercept
>
> START SQUID 3.1.10
> 2014/07/23 16:06:38| Accepting intercepted HTTP connections at
> 0.0.0.0:3128, FD 12.
> 2014/07/23 16:06:38| Accepting intercepted HTTP connections at
> 0.0.0.0:3129, FD 13.
>
> CURL
> curl http://www.ciudad.com.ar -x http://SQUIDIP:80
>
> STRACE
> accept(13, {sa_family=AF_INET, sin_port=htons(34330),
> sin_addr=inet_addr("10.1.100.158")}, [16]) = 9
> getsockname(9, {sa_family=AF_INET, sin_port=htons(3129),
> sin_addr=inet_addr("SQUIDIP")}, [16]) = 0
> connect(15, {sa_family=AF_INET6, sin6_port=htons(80),
> inet_pton(AF_INET6, "::ffff:200.42.143.77", &sin6_addr),
> sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now
> in progress)
>
> STOP SQUID 3.1.10
>
>
> Now with Squid 3.4.6
>
> SQUID CONF
> http_port 3128
> http_port 3129 intercept
>
> START SQUID 3.4.6
> 2014/07/23 16:06:05| Accepting HTTP Socket connections at
> local=[::]:3128 remote=[::] FD 19 flags=9
> 2014/07/23 16:06:05| Accepting NAT intercepted HTTP Socket connections
> at local=[::]:3129 remote=[::] FD 20 flags=41
>
> CURL
> curl http://www.ciudad.com.ar -x http://SQUIDIP:80
>
> STRACE
> accept(20, {sa_family=AF_INET6, sin6_port=htons(34428),
> inet_pton(AF_INET6, "::ffff:10.1.100.158", &sin6_addr),
> sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 8
> getsockname(8, {sa_family=AF_INET6, sin6_port=htons(3129),
> inet_pton(AF_INET6, "::ffff:SQUIDIP", &sin6_addr), sin6_flowinfo=0,
> sin6_scope_id=0}, [28]) = 0
> connect(10, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("SQUIDIP")}, 16) = -1 EINPROGRESS (Operation now in
> progress)
>
> STOP SQUID 3.4.6
>
>
> I see in Squid 3.4.6 the squid process tries to connect to itself on
> port 80. With Squid 3.1.10 it works fine (connects to remote server). Any
> ideas?
>
> Thank you all in advance.
>
> Best,

In my case I'm running v. 3.3.8, but I'm having the same issue as you.
The packets are correctly DNATed from the client to the squid box, but
once there, squid3 seems to try to connect to itself several times and
keeps adding its 'visible_hostname' to the Via header, causing a
forwarding loop.

I've followed these instructions to achieve it:
http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource

Recently, the document got updated, adding a new iptables OUTPUT rule;
you could try it and see if it works for you (it didn't work for me, though).

Regards,

Nicolás
Received on Wed Jul 23 2014 - 20:15:53 MDT
