Someone claims that it is possible to do tproxy between 2 local processes.
I wonder if anyone has tested with squid. Maybe testing seems to fail ..
- Forwarded Message -
From: Balazs Scheidler ba...@balabit.hu
To: Karol Piłat cu...@vitresoft.com
Cc: Ming-Ching Tiew mct
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org
Cc:
Sent: Saturday, July 28, 2012 10:53 AM
Subject: Re: [squid-users] tproxy can't connect to target url after url rewrite
program to different host
On 07/28/2012 02:55 AM, Ming-Ching Tiew wrote:
Tested
From: Eliezer Croitoru elie...@ngtech.co.il
To: squid-users@squid-cache.org
now that you remind me.
i have seen this kind of problem!!!
it was nasty on squid 3.1.
you can see in iptables connection tracking that squid is opening the
socket but it sends the first SYN and won't get the
Tested this with Squid Version 3.1.20-20120710-r10457,
After a simple url_rewrite_program changing from url to
a different host, the communication will not succeed
( using linux bridge with ebtables/iptables for this tproxy
communication ).
The nat intercept mode could succeed.
- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
The HTTP Host: header contains a domain name which does not match the IP
address the TCP connection is being
made to. http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery covers
- Original Message -
From: Ming-Ching Tiew mct...@yahoo.com
To: squid-users@squid-cache.org squid-users@squid-cache.org
The test is very repeated, ie when I 'make install' from squid-3.2.0.12 it
works but not
squid-3.2.018.
I meant the tests were very repeatable, squid-3.2.0.12
- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
One big change in 3.2.0.14 related to TPROXY traffic handling. A bug in
host_strict_verify was fixed, making the validation bypass properly when
the (default) non-strict was configured.
- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
i would say that the result can show some really nasty issue you are
having in the network level and ebtables+switch is the basic thing to check.
i will try to dump the tcp sessions on the interfaces using:
tcpdump -i
OK I could see the same problem with just fedora 15. The client side I use a
Windows XP machine loaded with Firefox and Internet Explorer. What I experience
with this set up is that it is impossible to log on to Yahoo mail using Firefox.
But in other occasions, from home internet, I have
- Original Message -
From: Ming-Ching Tiew mct...@yahoo.com
rc.local attached.
Attachment rejected so re-post inline below :-
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do
- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
so what you just need for ebtables is two rules:
all packets that are destined to the web on port 80.. route them into the
machine... later will be intercepted by tproxy so:
ebtables -t broute -A BROUTING -i eth0 -p
Thank you for the input. I will do that sometime later and report back
when I have new info.
- Original Message -
From: Eliezer Croitoru elie...@ngtech.co.il
they indeed are not supposed to fail your setup but it's not supposed to
be symmetric with tproxy.
the idea of the bridge is
, 2012 8:08 PM
Subject: Re: [squid-users] yahoo mail problem with tproxy (squid 3.1.19, kernel
3.2.21)
On 7/18/2012 11:35 AM, Felix Leimbach wrote:
Hi,
On 07/18/2012 04:28 AM, Ming-Ching Tiew wrote:
When logging out from yahoo mail, it's very slow and eventually there
is any error.
I'm
When logging out from yahoo mail, it's very slow and eventually there is any
error.
Don't get that when configured to use nat mode.
attachment: zero_size_reply.jpg
squid 3.1.20 is supposed to be compiled with eCap 0.0.3, not ecap 0.2.0.
squid 3.2 can be compiled with ecap 0.2.0.
Sorry I am offering no help but I am interested to know how you set up a
stress test environment.
I suppose it's automatic script-based stress tests?
- Original Message -
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 2 > $i
done
Really strange. I have never been able to get tproxy to work unless I switch the
rp_filter to 0.
When rp_filter is 2, I could sniff the traffic, but somehow squid is not able
to see it.
--- On Fri, 7/6/12, Ezequiel Birman stormwa...@espiga4.com.ar wrote:
In http://wiki.squid-cache.org/Features/Tproxy4#Routing_configuration
I
see rules applied to eth0, should i rewrite br0 in place of
eth0?
I think it should rather be lo.
I did not follow the rp_filter thingie
--- On Mon, 7/2/12, Ming-Ching Tiew mct...@yahoo.com wrote:
No your symptom and mine are totally different. With the
limited testing, I don't see any problem with any OSes, any
sites. I only see problem when visiting yahoo mail. Meaning
when I use Windows XP, firefox, IE, Linux
--- On Mon, 7/2/12, Eliezer Croitoru elie...@ngtech.co.il wrote:
it works slowly for all clients or just windows 7 ? other clients?
i have seen a problem when applying tproxy on a router with win7 client.
for an unknown reason using standard routing and intercept everything
works fine
:10:29.915| The reply for GET http://mail.yahoo.com/ is ALLOWED,
because it matched 'all'
--- On Thu, 6/28/12, Ming-Ching Tiew mct...@yahoo.com wrote:
From: Ming-Ching Tiew mct...@yahoo.com
Subject: [squid-users] yahoo
--- On Mon, 7/2/12, Ming-Ching Tiew mct...@yahoo.com wrote:
Attached please find the 'squid -X -N -d2 2>&1' output
log when connecting to yahoo mail. When connecting to http://mail.yahoo.com,
I get a 'No object data received'. When connecting to https, the bridge is not
setup to intercept
I have set up a bridge according to instruction here :-
http://wiki.squid-cache.org/Features/Tproxy4
with squid 3.1.19 and kernel 3.2.21.
The configuration is working with most of the sites, except for
yahoo mail. It's extremely slow with yahoo mail, can hardly log in
I have a configuration where if I start squid with -N, it works. But if I run
it without that, I will get child started, child exited a few times and
eventually the parent process will die too. Because there is nothing in between
the 'started' and 'exited' of the child process, I have no clues
If you use the
http://www.openbsd.org/faq/pf/pools.html#outgoing
method as I use now then even though the outgoing address will be
changed for 50% of the packets those same packets will be routed out
through the default interface only :-(
First of all I don't know anything about OpenBSD
From: Siju George [EMAIL PROTECTED]
But not something I would recommend. Many sites dislike clients coming
from more than one IP during the same session. The client IP is often
embedded in session cookies etc, making the session fail if the IP
changes.
Yes Henrik.
Such sites are
From: Siju George [EMAIL PROTECTED]
I have a System with two Internet connections.
Is it possible to configure squid to load balance out going internet
traffic through those two Internet Connections?
This is assuming that you are running Linux :-
Just set up multiple routing and weight
From: Ming-Ching Tiew [EMAIL PROTECTED]
This is assuming that you are running Linux :-
Just set up multiple routing and weight assignment.
You might have to turn off kernel option which
caches multiple routing.
I meant MULTI PATH routing
From: Siju George [EMAIL PROTECTED]
Is there any option to do it in the squid.conf file?
I know there is a tcp_outgoing_address option.
just wondering if it is possible to make it use all outgoing IP
address in a round-robin manner :-)
As far as I know, you could do split access
From: Ming-Ching Tiew [EMAIL PROTECTED]
But the fact is that as soon as I turn on squid directive,
http_port 3128 tproxy transparent
I will get private IP belonging to the original http web requestor
appearing
in the internet line - EVEN THOUGH - I do have
I have a unique situation where I have a multi-homed
machine running squid where I will need to do some
kind of load balancing for outbound squid traffic.
Well, if both the outgoing interfaces are nat-ed, things will
be relatively easier, I will just do transparent proxy
(without tproxy ). Since
From: Amos Jeffries [EMAIL PROTECTED]
Thanks for the quick response :-
Most common failure like this requires 'you need to patch the kernel', but
it sounds like that's been done.
Yupe this has been done.
Next step is seeing what tcpdump shows about the two types of traffic.
And
From: Amos Jeffries [EMAIL PROTECTED]
No not useless. The NAT should be symmetrically unmangling any mangled
destination on incoming traffic. As far as NAT is concerned the client is
the real requestor. You just need to be careful that the unmangling
happens BEFORE the tproxy return
How to create an acl source IP which matches nothing ?
acl link1 src xx
What is the xx which I need to put so that it will not match
anything ?
I tried doing xx = ! 0/0. But squid complains that it's not valid.
Reason I want to do this is that I am keeping the acl parameters
in
From: Adrian Chadd [EMAIL PROTECTED]
Did you try COSS?
Commercial units have had a lot more attention. Chances are you've
not gotten someone with Squid expertise to set any of your stuff up
or do any deep analysis of the problems; what did you expect
would happen?
Is there anyone who
From: Henrik Nordstrom [EMAIL PROTECTED]
avg-cpu: %user %nice %system %iowait %steal %idle
         0.92  0.00  1.09    6.16    0.00   91.83
It's not much blocking on disk I/O either, only 6.16%. 91.83% of the
time your server is doing absolutely
From: Henrik Nordstrom [EMAIL PROTECTED]
Shouldn't have much effect on Squid as Squid is using direct POSIX I/O,
and not C stdio I/O, bypassing almost all of the C library.
That's why I asked the question, what will be the test which I can
run to verify the performance of IO needed by squid.
What is the price to pay for increasing the file descriptor ?
Has anyone compiled squid with 50,000 file descriptor ?
I am using it on a machine with 2 G RAM and SCSI Harddisk.
Regards.
I wonder if anyone has a good I/O test which will sort of represent
the way squid needed the I/O to perform. Basically I need one program
which I can use to check the influence of various components of the
system ( OS, parameters, harddisk, library version ) on the I/O for
maximizing squid
Anyone has experienced peculiar things with Squid and PPPoE ?
I have a setup where Squid is doing transparent tproxy for PPPoE
and non-PPPoE users, however the experience is that when
squid is serving the cached files for PPPoE users, it's slower
than a commercial product.
Is it possible that
First of all the good news. After much struggle, I finally managed to
get Squid 2.6 stable 13 to work with Foundry ServerIron XL with this
config :-
http_port 3128 tproxy transparent
http_port 80 vhost
It seems the second line is a must for whatever reasons.
And iptables :-
Believe it or not, I got problem understanding the basics.
What's the difference between forward and reverse proxy.
When I read the article,
http://jayant7k.blogspot.com/2006/10/reverse-proxy-using-squid.html
When I read paragraphs 3, 4, 5, I think what is said about
reverse proxy is equally
From: Michel Santos [EMAIL PROTECTED]
anyway, level 3 switch/bridge understand up to OSI Layer4 and layer 4
switch/bridge understand up to OSI layer 7 as I said already before
so you can google for OSI Layer definition and see what that is, those
are the different network layers from
From: Henrik Nordstrom [EMAIL PROTECTED]
Can I simulate a level 4 switch behaviour using Linux ? If yes,
any insight to the necessary ebtables/iptables rules ?
Linux policy routing is an example of layer 4.
I am wondering if this setup shall be a reasonable representation of a so-called
level 4
From: Michel Santos [EMAIL PROTECTED]
aren't you mixing things here? *layer* 4 and *level* 4 are different
things and policy routing eventually is still another
I know you are the expert but your answers are not helping at all.
I don't need to be told that you are the expert but I will be
Anyone has experience with level 4 switch ? What is the working
principle of a level 4 in respect to redirecting web traffic to a cache
engine ? Does it do dst IP address rewrite ( iptables DNAT ) or
does it do dst MAC address rewrite ( ebtables dnat ) when redirecting
traffic to the cache
From: Adrian Chadd [EMAIL PROTECTED]
On Tue, Jul 17, 2007, Ming-Ching Tiew wrote:
Anyone has experience with level 4 switch ? What is the working
principle of a level 4 in respect to redirecting web traffic to a cache
engine ? Does it do dst IP address rewrite ( iptables DNAT
From: Henrik Nordstrom [EMAIL PROTECTED]
Can I simulate a level 4 switch behaviour using Linux ? If yes,
any insight to the necessary ebtables/iptables rules ?
Linux policy routing is an example of layer 4.
For load balancing see Linux Virtual Server / IPVS. Part of the linux
kernel, and
#!/bin/sh
/mnt/squid/libexec/cachemgr.cgi | sed -e '1,8d'
Everything works perfectly after this.
Odd.. what kind of web server are you using?
I use busybox httpd. Do you mean the extra text is expected
and it should be handled by the web server ? Then it might
then be the web server
From: Ming-Ching Tiew [EMAIL PROTECTED]
it (correctly) displays the formatted html text asking
me for name and password, but when I click
continue it displayed this text on the browser rather than
formatted html, it looks to me there are extra text in front
of the output which confuses
I am using squid2.6 stable13, kernel 2.6.18 and tproxy and
uclibc 0.9.28.
I am using httpd from busybox 1.4.2, running at port 8080
since squid's http port is 80.
The problem I have is that when I run cachemgr.cgi,
http://192.168.128.20:8080/cgi-bin/cachemgr.cgi
it (correctly)
From: Ming-Ching Tiew [EMAIL PROTECTED]
I am using squid in a Linux box setting up as a bridge, and have
set up ebtables and iptables following the documentation
available on the Net :-
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect
I think I fixed the issue by changing the ebtables rule to :-
ebtables -t broute -A BROUTING --logical-in br0 -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target DROP
Note the subtle changes. With that I don't need to add routes and other
shits.
I would
From: Ming-Ching Tiew [EMAIL PROTECTED]
It seems then to me that the http reply ( source port 80 ) has also been
directed ***INTO*** the Bridge/Squid S. Why is that so ? Why didn't the
Bridge/Squid forward the reply packet to the other side of the
interface ?
I am looking for something more
From: Henrik Nordstrom [EMAIL PROTECTED]
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
-i eth0 --ip-source your.lan.network/mask \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
If you look at the http://ebtables.sourceforge.net/examples.html#easy,
it says when
From: Henrik Nordstrom [EMAIL PROTECTED]
I lost you, what do you mean by bridge-netfilter integration. Any URL ?
It's a kernel option.
Did you mean
CONFIG_BRIDGE_NETFILTER=y
and all these :-
#
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_BROUTE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
This is long; I appreciate your patience.
First of all the good news. I have gotten squid to work in bridge mode
and tproxy on kernel 2.6.18, squid 2.6 stable13 and uclibc 0.9.28.
And I managed to use ebtables/iptables to transparently provide
web caching.
But now the bad news, I could not get it to work using wccp, as soon as
I
From: Ming-Ching Tiew [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Sent: Wednesday, July 04, 2007 3:38 PM
Subject: [squid-users] squid 2.6 stable13, tproxy and wccp
But now the bad news, I could not get it to work using wccp, as soon as
I configure wccp_router xx.xx.xx.xx