Re: [squid-users] NAT/TPROXY lookup failed to locate original IPs

2016-01-06 Thread Ben Barker
Thanks Amos - good points - thanks. Both now fixed - though I still seem
to be getting errors...sorry to be a bit inept here!

squid -v
Squid Cache: Version 3.5.12
Service Name: squid
configure options:
 '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
'--datadir=/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--enable-icap-client' '--enable-linux-netfilter' '--enable-ssl-crtd'
'--with-default-user=squid' '--with-openssl'

cctv@bridgebox ~/squid-3.5.12 $ 2016/01/06 11:56:58 kid1| Current Directory
is /home/cctv/squid-3.5.12
2016/01/06 11:56:58 kid1| Starting Squid Cache version 3.5.12 for
i686-pc-linux-gnu...
2016/01/06 11:56:58 kid1| Service Name: squid
2016/01/06 11:56:58 kid1| Process ID 1721
2016/01/06 11:56:58 kid1| Process Roles: worker
2016/01/06 11:56:58 kid1| With 1024 file descriptors available
2016/01/06 11:56:58 kid1| Initializing IP Cache...
2016/01/06 11:56:58 kid1| DNS Socket created at [::], FD 6
2016/01/06 11:56:58 kid1| DNS Socket created at 0.0.0.0, FD 7
2016/01/06 11:56:58 kid1| Adding nameserver 208.67.222.222 from
/etc/resolv.conf
2016/01/06 11:56:58 kid1| Adding nameserver 208.67.220.220 from
/etc/resolv.conf
2016/01/06 11:56:58 kid1| helperOpenServers: Starting 5/5 'ssl_crtd'
processes
2016/01/06 11:56:58 kid1| helperOpenServers: Starting 0/20
'basic_ncsa_auth' processes
2016/01/06 11:56:58 kid1| helperOpenServers: No 'basic_ncsa_auth' processes
needed.
2016/01/06 11:56:58 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2016/01/06 11:56:58 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2016/01/06 11:56:58 kid1| Store logging disabled
2016/01/06 11:56:58 kid1| Swap maxSize 0 + 262144 KB, estimated 20164
objects
2016/01/06 11:56:58 kid1| Target number of buckets: 1008
2016/01/06 11:56:58 kid1| Using 8192 Store buckets
2016/01/06 11:56:58 kid1| Max Mem  size: 262144 KB
2016/01/06 11:56:58 kid1| Max Swap size: 0 KB
2016/01/06 11:56:58 kid1| Using Least Load store dir selection
2016/01/06 11:56:58 kid1| Current Directory is /home/cctv/squid-3.5.12
2016/01/06 11:56:58 kid1| Finished loading MIME types and icons.
2016/01/06 11:56:58 kid1| HTCP Disabled.
2016/01/06 11:56:58 kid1| Squid plugin modules loaded: 0
2016/01/06 11:56:58 kid1| Adaptation support is off.
2016/01/06 11:56:58 kid1| Accepting HTTP Socket connections at
local=[::]:13128 remote=[::] FD 22 flags=9
2016/01/06 11:56:58 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket
connections at local=[::]:13129 remote=[::] FD 23 flags=41
2016/01/06 11:56:59 kid1| storeLateRelease: released 0 objects
squid2016/01/06 11:57:24 kid1| Starting new basicauthenticator helpers...
2016/01/06 11:57:24 kid1| helperOpenServers: Starting 1/20
'basic_ncsa_auth' processes
2016/01/06 11:58:57 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=10.163.17.250:13129 remote=x:48616 FD 16 flags=33: (92) Protocol
not available
2016/01/06 11:58:57 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=x:13129 remote=x:48616 FD 16 flags=33
2016/01/06 11:58:58 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=x:13129 remote=10.163.45.115:48617 FD 16 flags=33: (92) Protocol
not available




On Wed, Jan 6, 2016 at 11:43 AM, Amos Jeffries  wrote:

> On 6/01/2016 10:50 p.m., dbrb2 wrote:
> > Squid version and config options:
> >
> > Squid Cache: Version 3.5.12
> > Service Name: squid
> > configure options:  '--prefix=/usr' '--localstatedir=/var'
> > '--libexecdir=/lib/squid' '--datadir=/share/squid'
> > '--sysconfdir=/etc/squid' '--with-default-user=proxy'
> > '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
> > '--enable-icap-client' '--enable-ssl' '--enable-ssl-crtd'
> > '--with-default-user=squid' '--with-openssl'
>
> You have --with-default-user=X listed twice with two different account
> names. Pick one.
>
> Also --enable-ssl does not exist in 3.5. Remove.
>
> You are missing the --enable-linux-netfilter option that enables NAT
> interception on Linux.
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] NAT/TPROXY lookup failed to locate original IPs

2016-01-06 Thread dbrb2
Squid version and config options:

Squid Cache: Version 3.5.12
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--datadir=/share/squid'
'--sysconfdir=/etc/squid' '--with-default-user=proxy'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--enable-icap-client' '--enable-ssl' '--enable-ssl-crtd'
'--with-default-user=squid' '--with-openssl'


Squid.conf:

auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/users
auth_param basic realm cctv

acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_port 13128
https_port 13129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
ssl_bump none localhost
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

On Wed, Jan 6, 2016 at 9:41 AM, Antony Stone wrote:

> On Wednesday 06 January 2016 at 10:36:20, dbrb2 wrote:
>
> > I am trying to build squid on Mint 17.3
> > kernel 3.19.0-32 generic
> > Squid 3.5.12
>
> > when I try to proxy an SSL connection, the squid logs show:
> >
> > ERROR: NAT/TPROXY lookup failed to locate original IPs on local=
> > remote=yyy
> >
> > I'm not having much luck deciphering this...any ideas?
>
> Show us your squid.conf without comments or blank lines?
>
>
> Antony.
>
> --
> Behind the counter a boy with a shaven head stared vacantly into space,
> a dozen spikes of microsoft protruding from the socket behind his ear.
>
>  - William Gibson, Neuromancer (1984)
>
> Please reply to the list; please *don't* CC me.


Re: [squid-users] NAT/TPROXY lookup failed to locate original IPs

2016-01-06 Thread Amos Jeffries
On 6/01/2016 10:50 p.m., dbrb2 wrote:
> Squid version and config options:
> 
> Squid Cache: Version 3.5.12
> Service Name: squid
> configure options:  '--prefix=/usr' '--localstatedir=/var'
> '--libexecdir=/lib/squid' '--datadir=/share/squid'
> '--sysconfdir=/etc/squid' '--with-default-user=proxy'
> '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
> '--enable-icap-client' '--enable-ssl' '--enable-ssl-crtd'
> '--with-default-user=squid' '--with-openssl'

You have --with-default-user=X listed twice with two different account
names. Pick one.

Also --enable-ssl does not exist in 3.5. Remove.

You are missing the --enable-linux-netfilter option that enables NAT
interception on Linux.

Amos



Re: [squid-users] NAT/TPROXY lookup failed to locate original IPs

2016-01-06 Thread Amos Jeffries
On 7/01/2016 1:08 a.m., Ben Barker wrote:
> Thanks Amos - good points - thanks. Both now fixed - though I still seem
> to be getting errors...sorry to be a bit inept here!
> 
> squid -v
> Squid Cache: Version 3.5.12
> Service Name: squid
> configure options:
>  '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
> '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
> '--enable-icap-client' '--enable-linux-netfilter' '--enable-ssl-crtd'
> '--with-default-user=squid' '--with-openssl'
> 
> cctv@bridgebox ~/squid-3.5.12 $ 2016/01/06 11:56:58 kid1| Current Directory
> is /home/cctv/squid-3.5.12
> 2016/01/06 11:56:58 kid1| Starting Squid Cache version 3.5.12 for
> i686-pc-linux-gnu...

> 2016/01/06 11:58:57 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
> local=10.163.17.250:13129 remote=x:48616 FD 16 flags=33: (92) Protocol
> not available

The first error means the kernel NAT tables do not have any record of
the connection that arrived on the Squid intercept port.

* Do not make test connections directly to the intercept port. Test it
*exactly* as if you are a client going straight to the Internet.

* Do not perform the NAT on any other machine.

Compare your NAT rules with these to ensure you have them all right
(notice how there are 4 rules):
 

Amos

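What the failing call in Ben's log actually does, as an added example (my own code, not Squid's and not from the wiki page Amos links): the program accepts one connection on an intercept-style port and asks the kernel for the pre-NAT destination with getsockopt(SO_ORIGINAL_DST), which is the call behind the "NF getsockopt(ORIGINAL_DST) failed" line above. The port number, the listener itself and the diagnosis strings are my choices; ENOPROTOOPT is errno 92, the "(92) Protocol not available" in the log, and the diagnosis attached to it follows Amos's reading of that error.

```c
/* Added illustration, not Squid's own code: the lookup behind the
 * "NF getsockopt(ORIGINAL_DST) failed ... (92) Protocol not available"
 * log line. An intercepting proxy asks the kernel NAT table for the
 * destination the client originally dialled. If no REDIRECT/DNAT rule on
 * this host created a NAT record for the connection, the kernel has
 * nothing to answer with. Linux only.
 * Build: cc -Wall -o origdst origdst.c     Run: ./origdst 13129
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* Linux value, fallback if the header is absent */
#endif
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif

/* Ask the kernel for the pre-NAT destination of an accepted TCP socket.
 * Returns 0 and fills *orig on success, otherwise the positive errno. */
int lookup_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len) < 0)
        return errno;
    return 0;
}

/* Map the errno to an operator-facing diagnosis. ENOPROTOOPT (92) is the
 * case in this thread: the kernel NAT table has no record of the
 * connection, i.e. the client reached the intercept port without going
 * through a REDIRECT/DNAT rule on this machine (direct test connection,
 * or NAT performed on another box). The wording is mine. */
const char *explain_origdst_error(int err)
{
    switch (err) {
    case 0:
        return "ok: NAT record found";
    case ENOPROTOOPT:
        return "no NAT record for this connection: client connected to the "
               "intercept port directly, or the NAT is done on another host";
    default:
        return "unexpected error from getsockopt(SO_ORIGINAL_DST)";
    }
}

/* Minimal intercept-style listener: accept one connection, report where the
 * client was really going, then close. Returns the lookup's errno (0 = ok).
 * Listens on IPv4 only; Squid's [::] listener also takes v4-mapped clients. */
int serve_once(unsigned short port)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return errno;
    int one = 1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(lfd, 8) < 0) {
        int e = errno;
        close(lfd);
        return e;
    }
    int cfd = accept(lfd, NULL, NULL);
    if (cfd < 0) {
        int e = errno;
        close(lfd);
        return e;
    }

    struct sockaddr_in orig;
    int err = lookup_original_dst(cfd, &orig);
    if (err == 0) {
        char buf[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &orig.sin_addr, buf, sizeof(buf));
        printf("original destination: %s:%u\n", buf, ntohs(orig.sin_port));
    } else {
        printf("getsockopt(SO_ORIGINAL_DST): (%d) %s -> %s\n",
               err, strerror(err), explain_origdst_error(err));
    }
    close(cfd);
    close(lfd);
    return err;
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 13129;
    return serve_once(port) == 0 ? 0 : 1;
}
```

Run it on the proxy host in place of Squid, with the REDIRECT/DNAT rule pointing at its port, and make the test request the way a normal client would (to a real website, not to the intercept port). A connection redirected on this host reports the client's original destination; a connection that bypasses the NAT on this host has no record for the kernel to return, which is the situation Amos describes for the (92) error.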