Re: [squid-users] SQUID TPROXY not working when URL is hosted on the same machine running SQUID
Hi Amos, Thanks a lot for your help. Your suggestion of redirecting using cache-peering worked. I did cache-peering with the same squid instance (on a different port) and from then on sent to our captive portal. That way, didnt have to change any URL rewriting logic. Best Regards, Vignesh On Wed, Mar 7, 2012 at 4:43 PM, Amos Jeffries squ...@treenet.co.nz wrote: On 6/03/2012 6:50 a.m., Vignesh Ramamurthy wrote: Hello, We are using squid to transparently proxy the traffic to a captive portal that is residing on the same machine as the squid server. The solution was working based on a NAT REDIRECT . We are moving the solution to TPROXY based now as part of migration to IPv6. The TPROXY works fine in intercepting traffic and also successfully able to allow / deny traffic to IPv6 sites. We are facing a strange issue when we try to access a URL in the same machine that hosts the squid server. The acces hangs and squid is not able to connect to the URL. We are having AOL webserver to host the webpage. As a workaround you can use the cache_peer no-tproxy option to get Squid to use its own IP when contacting that local server. It can still use the X-Forwarded-For header to get the client IP. I'm not too clear on the details, but I think it has something to do with the packets not actually going through routing or some layers of the handling TPROXY needs when shifting between processes on the same machine. If you want to learn the details and get it going please contact the netfilter people to find out whats happening to the packets once they leave Squid. Amos
[squid-users] SQUID TPROXY not working when URL is hosted on the same machine running SQUID
Hello, We are using squid to transparently proxy the traffic to a captive portal that is residing on the same machine as the squid server. The solution was working based on a NAT REDIRECT . We are moving the solution to TPROXY based now as part of migration to IPv6. The TPROXY works fine in intercepting traffic and also successfully able to allow / deny traffic to IPv6 sites. We are facing a strange issue when we try to access a URL in the same machine that hosts the squid server. The acces hangs and squid is not able to connect to the URL. We are having AOL webserver to host the webpage. All the configurations as recommended by the squid sites are done. - Firewall rules with TPROXY and DIVERT chian has been setup as below ip6tables -t mangle -N DIVERT ip6tables -t mangle -A DIVERT -j MARK --set-mark 1 ip6tables -t mangle -A DIVERT -j ACCEPT ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT ip6tables -t mangle -A PREROUTING -i eth0.20 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8085 ip6tables -t mangle -A PREROUTING -j ACCEPT - Policy routing to route proxied traffic to the local box is also done as recommended 16383: from all fwmark 0x1 lookup 100 16390: from all lookup local 32766: from all lookup main ip -6 route show table 100 local default dev lo metric 1024 local default dev eth0.20 metric 1024 Squid configuration used is standard and have provided below a snapshot of cache.log. Running squid in full debug level with max logging. I have provided the final set of logs for this transaction. The URL accessed in the test is http://[2001:4b8:1::549]/sample_page.adp. Appreciate any assistance / pointers to solve this. Please do let me know if any additional information is required. -- cache.log- 2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST: - GET /sample_page.adp HTTP/1.1 User-Agent: w3m/0.5.2 Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/* Accept-Encoding: gzip, compress, bzip, bzip2, deflate Accept-Language: en;q=1.0 Host: [2001:4b8:1::549] Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519) X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc Cache-Control: max-age=259200 Connection: keep-alive -- 2012/03/05 04:29:26.320 kid1| Write.cc(21) Write: local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673 remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall 0x871f6e8*1 2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13, type=2, handler=1, client_data=0x84df560, timeout=0 2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7] 2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start() 2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents 2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace constructed, this=0x871ff48 [call204] 2012/03/05 04:29:26.321 kid1| event.cc(261) will call MaintainSwapSpace() [call204] 2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace() 2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call MaintainSwapSpace [call204] 2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding 'MaintainSwapSpace', in 1.00 seconds 2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace() 2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents 2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools constructed, this=0x871ff48 [call205] 2012/03/05 04:29:27.149 kid1| event.cc(261) will call memPoolCleanIdlePools() [call205] 2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools() 2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call memPoolCleanIdlePools [call205] 2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding 'memPoolCleanIdlePools', in 15.00 seconds 2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools() 2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents 2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru constructed, this=0x871ff48 [call206] 2012/03/05 04:29:27.165 kid1| event.cc(261) will call fqdncache_purgelru() [call206] 2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru() 2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call fqdncache_purgelru [call206] 2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding 'fqdncache_purgelru', in 10.00 seconds 2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru() Best Regards, Vignesh
[squid-users] SQUID TPROXY option does not work when URL is on the same machine as SQUID
Hello, We are using squid to transparently proxy the traffic to a captive portal that is residing on the same machine as the squid server. The solution was working based on a NAT REDIRECT . We are moving the solution to TPROXY based now as part of migration to IPv6. The TPROXY works fine in intercepting traffic and also successfully able to allow / deny traffic to IPv6 sites. We are facing a strange issue when we try to access a URL in the same machine that hosts the squid server. The acces hangs and squid is not able to connect to the URL. We are having AOL webserver to host the webpage. All the configurations as recommended by the squid sites are done. - Firewall rules with TPROXY and DIVERT chian has been setup as below ip6tables -t mangle -N DIVERT ip6tables -t mangle -A DIVERT -j MARK --set-mark 1 ip6tables -t mangle -A DIVERT -j ACCEPT ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT ip6tables -t mangle -A PREROUTING -i eth0.20 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8085 ip6tables -t mangle -A PREROUTING -j ACCEPT - Policy routing to route proxied traffic to the local box is also done as recommended 16383: from all fwmark 0x1 lookup 100 16390: from all lookup local 32766: from all lookup main ip -6 route show table 100 local default dev lo metric 1024 local default dev eth0.20 metric 1024 Squid configuration used is standard and have provided below a snapshot of cache.log. Running squid in full debug level with max logging. I have provided the final set of logs for this transaction. The URL accessed in the test is http://[2001:4b8:1::549]/sample_page.adp. Appreciate any assistance / pointers to solve this. Please do let me know if any additional information is required. 2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST: - GET /sample_page.adp HTTP/1.1 User-Agent: w3m/0.5.2 Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/* Accept-Encoding: gzip, compress, bzip, bzip2, deflate Accept-Language: en;q=1.0 Host: [2001:4b8:1::549] Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519) X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc Cache-Control: max-age=259200 Connection: keep-alive -- 2012/03/05 04:29:26.320 kid1| Write.cc(21) Write: local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673 remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall 0x871f6e8*1 2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13, type=2, handler=1, client_data=0x84df560, timeout=0 2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7] 2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start() 2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents 2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace constructed, this=0x871ff48 [call204] 2012/03/05 04:29:26.321 kid1| event.cc(261) will call MaintainSwapSpace() [call204] 2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace() 2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call MaintainSwapSpace [call204] 2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding 'MaintainSwapSpace', in 1.00 seconds 2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace() 2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents 2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools constructed, this=0x871ff48 [call205] 2012/03/05 04:29:27.149 kid1| event.cc(261) will call memPoolCleanIdlePools() [call205] 2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools() 2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call memPoolCleanIdlePools [call205] 2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding 'memPoolCleanIdlePools', in 15.00 seconds 2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools() 2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents 2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru constructed, this=0x871ff48 [call206] 2012/03/05 04:29:27.165 kid1| event.cc(261) will call fqdncache_purgelru() [call206] 2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru() 2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call fqdncache_purgelru [call206] 2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding 'fqdncache_purgelru', in 10.00 seconds 2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru()
