Re: [squid-users] Squid-3 + Tproxy4 clarification

2008-11-05 Thread Henrik Nordstrom
On Tue, 2008-11-04 at 22:37 +0530, Arun Srinivasan wrote:

 Yes. I could see the connections go over lo interface. However, it is
 not getting handled by the stack.

Public addresses cannot talk to loopback addresses (127.X). This is an
intentional security restriction in the TCP/IP stack.

Also I don't think using TPROXY internally on the same server is even
intended to work. Its intended use is on traffic being routed by the
proxy to some other servers (i.e. the Internet).

Regards
Henrik



Re: [squid-users] Squid-3 + Tproxy4 clarification

2008-11-05 Thread Amos Jeffries

Arun Srinivasan wrote:

Thanks for the response.

 - does the client IP have access to use the hidden peer proxy?
Yes. To ensure this I tried it out with an 'nc' utility instead of peer proxy.

- do the connections between peers go over lo interface? I'm not sure
what the special kernel behavior with public IPs on localhost
interface would be.
Yes. I could see the connections go over lo interface. However, it is
not getting handled by the stack.


Aha, there is the problem then.
Henrik's other post described the problem clearly, so I won't repeat.

To get this to work you will likely need to try having both squid 
instances listening on different ports of the machine's public IP.
You will still lose the spoofing ability within the second-hop proxy, 
but the traffic should at least flow properly.


Amos

--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.1
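The two checks raised in this thread, Henrik's point that a TPROXY-spoofed peer connection cannot terminate on a loopback address and Amos's suggestion of two instances on different ports of the public IP plus his question of whether the client IP is even allowed to use the hidden peer, can be applied to a squid.conf before restarting anything. The following is an added example written for this page, not code from the thread or from Squid itself: a small linter over constructed squid.conf fragments. It assumes 192.0.2.10 as the box's public address and 198.51.100.0/24 as the client network (RFC 5737 documentation addresses), understands only `http_port`, `cache_peer`, src-type `acl` lines and `http_access`, and ignores acl negation with `!`.

```python
import ipaddress

# Constructed squid.conf fragments for illustration; not from the original
# thread and not Squid's own code. 192.0.2.10 (the box's public address) and
# 198.51.100.0/24 (the client network) are assumed documentation addresses.

# The layout described in the thread: TPROXY Squid with a cache_peer on the
# loopback address of the same box.
LOOPBACK_PEER_CONF = """\
http_port 3129 tproxy
cache_peer 127.0.0.1 parent 8080 0 no-query default
never_direct allow all
"""

# The layout Amos suggests: both instances on the public address, different ports.
PUBLIC_PEER_CONF = """\
http_port 192.0.2.10:3129 tproxy
cache_peer 192.0.2.10 parent 3128 0 no-query default
never_direct allow all
"""

# Access rules of the hidden peer. With TPROXY it sees the real client address
# as the connection source, not the first Squid's address, so that is what the
# acls must allow.
PEER_ACL_CONF = """\
acl localnet src 198.51.100.0/24
acl localhost src 127.0.0.1/32 ::1
http_access allow localhost
http_access allow localnet
http_access deny all
"""


def _fields(line):
    """Tokens of one squid.conf line with any trailing comment removed."""
    return line.split("#", 1)[0].split()


def _is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host == "localhost"


def parse_http_ports(conf):
    """[(address or None, port, {options})] for each http_port line."""
    ports = []
    for line in conf.splitlines():
        f = _fields(line)
        if len(f) >= 2 and f[0] == "http_port":
            addr, _, port = f[1].rpartition(":")  # "3129" or "192.0.2.10:3129"
            ports.append((addr.strip("[]") or None, int(port), set(f[2:])))
    return ports


def parse_cache_peers(conf):
    """[(host, type, http_port, {options})] per cache_peer line
    (syntax: cache_peer hostname type http-port icp-port [options])."""
    peers = []
    for line in conf.splitlines():
        f = _fields(line)
        if len(f) >= 5 and f[0] == "cache_peer":
            peers.append((f[1].strip("[]"), f[2], int(f[3]), set(f[5:])))
    return peers


def check_tproxy_peers(conf, local_addresses):
    """Problems for cache_peers that cannot coexist with a tproxy http_port on
    this box (local_addresses: the box's own addresses). Empty list = nothing flagged."""
    tproxy = [(a, p) for a, p, o in parse_http_ports(conf) if "tproxy" in o]
    problems = []
    if not tproxy:
        return problems
    for host, _ptype, port, _opts in parse_cache_peers(conf):
        if _is_loopback(host):
            problems.append(
                f"cache_peer {host}:{port}: tproxy spoofs the client's public address "
                f"on the peer connection and the kernel will not deliver that to a "
                f"loopback destination; use the box's public address instead")
        on_this_box = host in local_addresses or _is_loopback(host)
        for addr, tport in tproxy:
            if on_this_box and port == tport and addr in (None, host):
                problems.append(
                    f"cache_peer {host}:{port} lands on the tproxy http_port {tport}; "
                    f"the two instances need different ports")
    return problems


def peer_allows_client(peer_conf, client_ip):
    """First-match evaluation of src acls and http_access lines, as Squid does;
    when no line matches, the opposite of the last line's action applies."""
    ip = ipaddress.ip_address(client_ip)
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    last = None
    for line in peer_conf.splitlines():
        f = _fields(line)
        if len(f) >= 4 and f[0] == "acl" and f[2] == "src":
            for n in f[3:]:
                nets = acls["all"] if n == "all" else [ipaddress.ip_network(n, strict=False)]
                acls.setdefault(f[1], []).extend(nets)
        elif len(f) >= 3 and f[0] == "http_access":
            last = f[1]
            if all(any(ip in n for n in acls.get(name, [])) for name in f[2:]):
                return last == "allow"
    return last is not None and last != "allow"


if __name__ == "__main__":
    for label, conf in (("loopback peer", LOOPBACK_PEER_CONF), ("public peer", PUBLIC_PEER_CONF)):
        print(label, check_tproxy_peers(conf, {"192.0.2.10"}) or "ok")
    print("client 198.51.100.7 allowed:", peer_allows_client(PEER_ACL_CONF, "198.51.100.7"))
```

Point `check_tproxy_peers` at the first (tproxy) instance's configuration and `peer_allows_client` at the hidden peer's configuration with a real client address; the peer-side check matters precisely because, as Amos notes, the spoofed source means the peer's `http_access` rules are evaluated against the client's address, not against the first Squid's.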


Re: [squid-users] Squid-3 + Tproxy4 clarification

2008-11-04 Thread Arun Srinivasan
Thanks for the response.

 - does the client IP have access to use the hidden peer proxy?
Yes. To ensure this I tried it out with an 'nc' utility instead of peer proxy.

- do the connections between peers go over lo interface? I'm not sure
what the special kernel behavior with public IPs on localhost
interface would be.
Yes. I could see the connections go over lo interface. However, it is
not getting handled by the stack.

-- 
Regards,
Arun S.


Re: [squid-users] Squid-3 + Tproxy4 clarification

2008-11-04 Thread Amos Jeffries

Arun Srinivasan wrote:

Hi List,

Has anyone successfully used cache_peer support with tproxy4 enabled?


Not that I'm aware of at this point.



The scenario is running Squid proxy with tproxy4 enabled and another
http proxy (no tproxy4) on the same box.

First Squid would receive the request from the user, then connects to
its cache_peer which is the other http proxy.

With tproxy enabled, I am not able to establish a connection between Squid
and the other proxy. However, in interception mode, I am able to do
this.

Please advise if I am missing out anything.

Following are the packages and their versions used:
Kernel version: 2.6.26
Tproxy version: tproxy4-2.6.26-200809262032
iptables version: tproxy-iptables-1.4.0-20080521-113954-1211362794
Squid version: squid-3.HEAD-20081021


The new TPROXY/Squid interaction is that it natively spoofs the client 
IP on all outbound links made newly for that request.


Two things to check are:
 - does the client IP have access to use the hidden peer proxy?

 - do the connections between peers go over lo interface? I'm not sure 
what the special kernel behavior with public IPs on localhost interface 
would be.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.1