[squid-users] Re: How to make Squid 3.3.8 a transparent proxy?
Problem is here:

> HIER_DIRECT/127.0.0.1 ...

Strange enough, squid forwards the request to 127.0.0.1

I am not sure, whether you need 2 ports to be specified:

http_port 3129
http_port 3128 intercept

In your setup, you need special firewall rules, to avoid a loop:
DG forwards to port 80, squid intercepts, forwards to port 80, NO INTERCEPT THEN (hopefully)
So you should post firewall rules, as well.

Otherwise: I always did it the other way:

client --- (transparent) squid --- DG --- web

because
1) client does not need to specify proxy explicitly (in your setup, a MUST)
2) no need to cache content, later on blocked by DG
3) Not sure any more, whether DG supports parent proxy

Then my setup matched the rules in
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Only the line
cache_peer 127.0.0.1 parent DG-port 0 no-query no-digest no-netdb-exchange
to be added to squid.conf

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/How-to-make-Squid-3-3-8-a-transparent-proxy-tp4665624p4665633.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: How to make Squid 3.3.8 a transparent proxy?
On 04/18/2014 10:20 PM, Tobias Krais wrote:
> Here what /var/log/squid3/access.log tells when I try to access a website:
> -%-
> 1397848529.466   1029 127.0.0.1 TCP_MISS/503 4320 GET http://www.design-to-use.de/index.php? - HIER_DIRECT/127.0.0.1 text/html
> 1397848530.502    999 127.0.0.1 TCP_MISS/503 4099 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/127.0.0.1 text/html
> -%-

it's not a denial by squid but probably from other sites.
try two things:
First use only squid no DG.
Then see if it works.
After this add DG as a parent proxy.

Eliezer
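The two access.log entries quoted above carry the loop signature discussed later in the thread: the client is the loopback address and Squid's hierarchy decision is HIER_DIRECT to 127.0.0.1, i.e. it is forwarding to itself rather than to the origin server. The following parser for Squid's native access.log format flags that pattern; it is an added example, not code from the thread or from the Squid project, and the third log line (client 192.168.1.20, peer 203.0.113.10) is a constructed healthy entry for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in Squid's native access.log format: the two entries
# quoted in the thread plus one healthy entry (constructed) for contrast.
SAMPLE_LOG = """\
1397848529.466   1029 127.0.0.1 TCP_MISS/503 4320 GET http://www.design-to-use.de/index.php? - HIER_DIRECT/127.0.0.1 text/html
1397848530.502    999 127.0.0.1 TCP_MISS/503 4099 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/127.0.0.1 text/html
1397848531.100     45 192.168.1.20 TCP_MISS/200 5120 GET http://www.squid-cache.org/ - HIER_DIRECT/203.0.113.10 text/html
"""

# Native format: time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Entry:
    ts: float
    client: str
    code: str
    status: int
    url: str
    hier: str
    peer: str


def parse_line(line):
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["code"], int(m["status"]),
                 m["url"], m["hier"], m["peer"])


def is_self_forward(e):
    """Squid chose to go DIRECT, but the 'origin' it picked is the proxy host itself."""
    return e.hier == "HIER_DIRECT" and e.peer in LOOPBACK


def find_loops(text):
    """Return the URLs of all entries that show the self-forwarding symptom."""
    return [e.url for e in map(parse_line, text.splitlines())
            if e is not None and is_self_forward(e)]
```

Run `find_loops` over a live access.log; any hit means the NAT rules are steering Squid's own outbound connections back into the proxy, which is the loop the thread goes on to diagnose.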
Re: [squid-users] Re: How to make Squid 3.3.8 a transparent proxy?
Hi babajaga,

> HIER_DIRECT/127.0.0.1 ...
> Strange enough, squid forwards the request to 127.0.0.1

Is there a possibility to tell squid stop forwarding.

> I am not sure, whether you need 2 ports to be specified:
> http_port 3129
> http_port 3128 intercept

I tried it, but it still does not work. Same error. Here my current squid.conf:
-%-
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# http_access deny !Safe_ports
# http_access deny CONNECT !SSL_ports
# http_access allow localhost manager
# http_access deny manager
# http_access allow localhost
# http_access deny all
http_access allow all
http_port 3127
http_port 3128 intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
-%-

> In your setup, you need special firewall rules, to avoid a loop:
> DG forwards to port 80, squid intercepts, forwards to port 80, NO INTERCEPT THEN (hopefully)
> So you should post firewall rules, as well.
Here it is:
-%-
# First: forbid direct connections to the proxies
iptables -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner dansguardian -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j REJECT
iptables -A OUTPUT -p tcp --dport 8100 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8100 -j REJECT

# No proxy is needed for the following networks
iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A OUTPUT -d 127.0.0.1 -j ACCEPT

# Aqbanking does not support Proxys: allow some HBCI IPs
iptables -A OUTPUT -d 193.110.133.32 -j ACCEPT
iptables -A OUTPUT -d 195.140.47.194 -j ACCEPT
iptables -A OUTPUT -d 195.145.106.77 -j ACCEPT
iptables -A OUTPUT -d 195.145.106.98 -j ACCEPT
iptables -A OUTPUT -d 212.184.124.125 -j ACCEPT
iptables -A OUTPUT -d 213.95.18.77 -j ACCEPT
iptables -A OUTPUT -d 213.95.18.98 -j ACCEPT
iptables -A OUTPUT -d 213.95.70.61 -j ACCEPT
iptables -A OUTPUT -d 217.115.75.100 -j ACCEPT

# Rules to Reject HTTPS without Dansguardian
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner proxy -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -m owner --uid-owner proxy -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j REJECT
iptables -A OUTPUT -p udp --dport 443 -j REJECT

# Automatically route port 80 traffic to Dansguardian
# Accept traffic from root
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
# ... redirect all other users to port 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p udp --dport 80 -j REDIRECT --to-port 8080
-%-

But even without flushing all rules and setting the proxy manually - same error...
> Otherwise: I always did it the other way:
>
> client --- (transparent) squid --- DG --- web
>
> because
> 1) client does not need to specify proxy explicitly (in your setup, a MUST)
> 2) no need to cache content, later on blocked by DG
> 3) Not sure any more, whether DG supports parent proxy

With squid 3.1.20 it works perfectly. Thus I think it should work with squid 3.3.8, too. Here the relevant part of my dansguardian.conf:
-%-
# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128
-%-

Dansguardian forwards correctly to squid. The dansguardian part works (and blocks) perfectly.

> Then my setup matched the rules in
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

I read this link also. That is why I made the change from transparent to intercept. My scenario is a bit different from that on the link: client and server are the same machine.

> Only the line
> cache_peer 127.0.0.1 parent DG-port 0 no-query no-digest no-netdb-exchange
> to be added to squid.conf

Now I added this line at the end of the squid.conf file. But still no change.

Do you have any other ideas?

Greetings,
Tobi
Re: [squid-users] Re: How to make Squid 3.3.8 a transparent proxy?
Hi Eliezer

> it's not a denial by squid but probably from other sites.

which site do you think?

> try two things:
> First use only squid no DG.

Still same error. Here is the complete error message in my browser:
-%-
ERROR
The requested URL could not be retrieved

Der folgende Fehler wurde beim Versuch die URL http://www.tagesschau.de/ zu holen festgestellt:

Zugriff verweigert.

Die Anfrage wurde aufgrund mangelnder Zugriffsrechte verweigert. Bitte kontaktieren Sie Ihren Dienstanbieter falls sie denken, dass dies ein Fehler ist.

Ihr Cache Administrator ist webmaster.

Erzeugt am Sat, 19 Apr 2014 19:32:06 GMT von Ubuntu-XPS (squid/3.3.8)
-%-

Last line says: generated by squid. The message text above says: Access denied ... because of insufficient access privileges.

> Then see if it works.
> After this add DG as a parent proxy.

Does not work either.

Thanks for your ideas!

Greetings,
Tobias
Re: [squid-users] Re: How to make Squid 3.3.8 a transparent proxy?
On 20/04/2014 7:35 a.m., Tobias Krais wrote:
> Hi babajaga,
>
>> HIER_DIRECT/127.0.0.1 ...
>> Strange enough, squid forwards the request to 127.0.0.1
>
> Is there a possibility to tell squid stop forwarding.

With an http_access deny line. The results will not be what you want though.

Your setup expectations seem to be based on a misunderstanding of how transparency and interception work together.

To begin with NAT intercept is *not* fully transparent. The server is always completely aware of the proxy's existence. Only the client is kept unaware that it is talking to a proxy and not directly to the origin server.

I hope the details below will help clarify why that is a critical fact...
(If you want to skip the reasons for things I have a short summary at the end of this mail.)

>> I am not sure, whether you need 2 ports to be specified:
>> http_port 3129
>> http_port 3128 intercept
>
> I tried it, but it still does not work. Same error. Here my current squid.conf:
> -%-
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> # http_access deny !Safe_ports
> # http_access deny CONNECT !SSL_ports
> # http_access allow localhost manager
> # http_access deny manager
> # http_access allow localhost
> # http_access deny all
> http_access allow all
> http_port 3127
> http_port 3128 intercept
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> refresh_pattern .               0       20%     4320
> -%-
>
>> In your setup, you need special firewall rules, to avoid a loop:
>> DG forwards to port 80, squid intercepts, forwards to port 80, NO INTERCEPT THEN (hopefully)
>> So you should post firewall rules, as well.
>
> Here it is:
> -%-
snip
> # No proxy is needed for the following networks
> iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
> iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
> iptables -t nat -A OUTPUT -d 127.0.0.1 -j ACCEPT
snip
> # Automatically route port 80 traffic to Dansguardian
> # Accept traffic from root
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
> # ... redirect all other users to port 8080
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080
> iptables -t nat -A OUTPUT -p udp --dport 80 -j REDIRECT --to-port 8080

NOTE: HTTP does not travel over UDP.

> -%-
>
> But even without flushing all rules and setting the proxy manually - same error...

Your nat rules are not catching traffic on arrival. They are catching traffic as it leaves the entire machine. Both DG outbound, and Squid outbound, and client outbound all mixed up and hitting the same rules.

If I am reading that properly you have configured the following:

  client---(NAT) \
                  DG -- (NAT , OUTPUT ACCEPT) - Internet
  Squid [ doing nothing ]

or possibly:

  client---(NAT) \
                  Squid -- (NAT, OUTPUT ACCEPT 'proxy') - Internet
                    |
                   DG receiving nothing

>> Otherwise: I always did it the other way:
>>
>> client --- (transparent) squid --- DG --- web
>>
>> because

NOTE: This is the way a transparent interception proxy is setup. You can choose _either_ Squid or DG to be the front one with (transparent) on it, but not both.

It is setup this way because as I said at the beginning, NAT intercept is not fully transparent.
* the second proxy in the chain is fully aware of the first proxy's existence.
There is no reason to hide the second one from the first. Doing so will only cause problems - one of which is the looping problem you are hitting.

>> 1) client does not need to specify proxy explicitly (in your setup, a MUST)
>> 2) no need to cache content, later on blocked by DG
>> 3) Not sure any more, whether DG supports parent proxy
>
> With squid 3.1.20 it works perfectly.

*No it does not*. Squid 3.1 and older just hid the problems it was causing.

I see below that this is all internal to one machine - if this is a situation like the proxies being installed on an end-user device then the extra layers of NAT are useless. If this is a VM server with lots of internal clients, then treat it as a network and the entire machine has been vulnerable to CVE-2009-0801.

> Thus I think it should work with squid 3.3.8, too. Here the relevant part of my dansguardian.conf:
> -%-
> # the port that DansGuardian listens to.