Re: [squid-users] wiki ConfigExamples/Intercept/LinuxDnat does not work
is there anything you can get using these settings? have you tried using the squid machine in non-transparent mode?

On 17/02/2011 17:07, Harald Dunkel wrote:
> Hi Jeff,
>
> On 02/17/11 14:24, jeffrey j donovan wrote:
>> greetings
>> I'm assuming you're using ipfw on BSD, what does your redirect statement look like?
>
> OpenBSD comes with Packet Filter instead of ipfw. Here is the pf code:
>
> :
> match out on $ext_if inet nat-to ($ext_if:0)
> pass in quick on internal proto tcp from $int_squid_host to !$lan port $http_port tag LAN_INET
> pass in quick on internal proto tcp from $lan to !$lan port $http_port route-to ( $int_if $int_squid_host ) tag HTTP_SQUID
> :
> pass out on external tagged LAN_INET
> pass out on internal tagged HTTP_SQUID
> :
>
> Surely much more code than in your ipfw example.
>
> Regards
> Harri
Re: [squid-users] wiki ConfigExamples/Intercept/LinuxDnat does not work
Hi Jeff,

On 02/17/11 14:24, jeffrey j donovan wrote:
>
> greetings
> I'm assuming you're using ipfw on BSD, what does your redirect statement look like?

OpenBSD comes with Packet Filter instead of ipfw. Here is the pf code:

:
match out on $ext_if inet nat-to ($ext_if:0)
pass in quick on internal proto tcp from $int_squid_host to !$lan port $http_port tag LAN_INET
pass in quick on internal proto tcp from $lan to !$lan port $http_port route-to ( $int_if $int_squid_host ) tag HTTP_SQUID
:
pass out on external tagged LAN_INET
pass out on internal tagged HTTP_SQUID
:

Surely much more code than in your ipfw example.

Regards
Harri
Re: [squid-users] wiki ConfigExamples/Intercept/LinuxDnat does not work
Hi Amos,

On 02/17/11 12:52, Amos Jeffries wrote:
>
> The problem could be clam. AFAIK it requires the full object to do its scan.
> Which means downloading the full thing then scanning before the user gets to
> see the byte one of response. I'm not sure if the various authors have
> updated clamav or squidclamav to handle tickle-scanning yet. If they have
> check your version supports it.
>

If I switch off c-icap in squid.conf, then clamav is not involved anymore, and yet I get the same problem.

Using "wget -Ncv" I also see the progress bar moving while the download is not complete yet. After 35 secs wget responds "connection reset by peer" and continues where the previous download was interrupted. If squid/clamav would wait for the full thing then wget's progress bar would not move.

I would say that we can ignore clamav here.

Regards
Harri
Re: [squid-users] wiki ConfigExamples/Intercept/LinuxDnat does not work
On Feb 17, 2011, at 2:46 AM, Harald Dunkel wrote:

> Hi Jeff,
>
> On 02/16/11 16:40, jeffrey j donovan wrote:
>>
>> is squid configured as intercept ( aka transparent ) or as proxy?
>>
>> post squid.conf and we can see whats up.
>
> Sorry, I knew I had forgotten something. Here it is:
>
> # cat /etc/squid3/squid.conf | egrep -v ^\#\|^\$
> http_access allow all
> http_port 3128
> http_port 3129 intercept disable-pmtu-discovery=transparent
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /var/spool/squid3 4096 16 256
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icap_enable on
> icap_preview_enable on
> icap_preview_size 128
> icap_send_client_ip on
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> adaptation_access service_resp allow all
> dns_defnames on
>
>
> Squid is version 3.1.9.
>
> (I will fix the acl today, big promise.)
>
>
> Regards
>
> Harri

greetings
I'm assuming you're using ipfw on BSD, what does your redirect statement look like?
it should look something like:

fwd 10.0.2.3,3128 tcp from 10.104.0.0/16 to any dst-port 80 in recv en1

-j
Re: [squid-users] wiki ConfigExamples/Intercept/LinuxDnat does not work
On 17/02/11 20:46, Harald Dunkel wrote:
> Hi Jeff,
>
> On 02/16/11 16:40, jeffrey j donovan wrote:
>>
>> is squid configured as intercept ( aka transparent ) or as proxy?
>>
>> post squid.conf and we can see whats up.
>
> Sorry, I knew I had forgotten something. Here it is:
>
> # cat /etc/squid3/squid.conf | egrep -v ^\#\|^\$
> http_access allow all
> http_port 3128
> http_port 3129 intercept disable-pmtu-discovery=transparent
> hierarchy_stoplist cgi-bin ?
> cache_dir aufs /var/spool/squid3 4096 16 256
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icap_enable on
> icap_preview_enable on
> icap_preview_size 128
> icap_send_client_ip on
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
> adaptation_access service_resp allow all
> dns_defnames on

The problem could be clam. AFAIK it requires the full object to do its scan.
Which means downloading the full thing then scanning before the user gets to
see the byte one of response. I'm not sure if the various authors have
updated clamav or squidclamav to handle tickle-scanning yet. If they have
check your version supports it.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
Re: [squid-users] wiki ConfigExamples/Intercept/LinuxDnat does not work
Hi Jeff,

On 02/16/11 16:40, jeffrey j donovan wrote:
>
> is squid configured as intercept ( aka transparent ) or as proxy?
>
> post squid.conf and we can see whats up.

Sorry, I knew I had forgotten something. Here it is:

# cat /etc/squid3/squid.conf | egrep -v ^\#\|^\$
http_access allow all
http_port 3128
http_port 3129 intercept disable-pmtu-discovery=transparent
hierarchy_stoplist cgi-bin ?
cache_dir aufs /var/spool/squid3 4096 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all
dns_defnames on

Squid is version 3.1.9.

(I will fix the acl today, big promise.)

Regards
Harri
Re: [squid-users] wiki ConfigExamples/Intercept/LinuxDnat does not work
On Feb 16, 2011, at 10:29 AM, Harald Dunkel wrote:

> Hi folks,
>
> I would like to route HTTP traffic from my OpenBSD gateway
> to a dedicated host running squid 3.1 on Linux for interception.
> Here is a picture:
>
>                  /|\ 87.189.95.69
>                   |
>                   |
>               em0 |
>         +-----------------+
>         | OpenBSD Gateway |
>         +-----------------+
>               em1 | 172.99.96.4
>                   |
>                   | 172.99.96.50
>                   |   +-------------------+
>                   +---| Linux Squid Proxy |
>                   |   +-------------------+
>                   |
>                   |   +-------------+
>                   +---| HTTP Client |
>      172.99.96.156    +-------------+
>
> The iptables code on
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> was very helpful for small files, but for a large download
> on a slow line the http client prints "connection reset by
> peer" after 30+ secs, and terminates.
>
> The state information on the OpenBSD gateway shows
>
> em1 tcp 87.189.95.69:80 <- 172.99.96.156:45848 CLOSED:SYN_SENT
> em1 tcp 87.189.95.69:80 <- 172.99.96.50:51229 ESTABLISHED:ESTABLISHED
> em0 tcp 80.149.209.55:64755 (172.99.96.50:51229) -> 87.189.95.69:80 ESTABLISHED:ESTABLISHED
>
> immediately after the connection has been opened.
> The line with "CLOSED:SYN_SENT" goes away when the
> client gets the ECONNRESET.
>
> 30 seconds is the default timeout for removing entries
> from OpenBSD's stateful inspection table. Is it possible
> that the squid proxy did not complete the TCP handshake
> via the gateway, but by using the direct connection to the
> client?

is squid configured as intercept ( aka transparent ) or as proxy?

post squid.conf and we can see whats up.

-j

>
> Any helpful comment would be highly appreciated.
>
> Regards
>
> Harri
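The state table at the end of Harald's post, and his question whether the proxy completed the handshake with the client directly instead of back through the gateway, is the first thing to check on any route-to interception setup: if the gateway only ever sees one side of the handshake, its state for that flow never leaves SYN_SENT and is purged on timeout. The script below is an added example, not from the thread or from the Squid project. It parses pf state lines in the `pfctl -ss` shape quoted above and flags intercepted client flows on the internal interface that are stuck in CLOSED:SYN_SENT, noting whether the proxy itself holds an ESTABLISHED flow to the same server. The interface name em1, proxy address 172.99.96.50 and port 80 are taken from the post; the sample lines are constructed to match the three quoted ones, and the exact line shape (interface, protocol, endpoint, optional pre-NAT endpoint in parentheses, direction, endpoint, state) is an assumption based on those lines.

```python
"""Flag intercepted HTTP flows of which the pf gateway has seen only one side.

Added example: parses state lines in the shape `pfctl -ss` printed in the
thread and reports flows showing the symptom described there.
"""
import re
import sys

# Constructed sample, same shape as the three state lines quoted in the thread.
SAMPLE_STATES = """\
em1 tcp 87.189.95.69:80 <- 172.99.96.156:45848 CLOSED:SYN_SENT
em1 tcp 87.189.95.69:80 <- 172.99.96.50:51229 ESTABLISHED:ESTABLISHED
em0 tcp 80.149.209.55:64755 (172.99.96.50:51229) -> 87.189.95.69:80 ESTABLISHED:ESTABLISHED
"""

# Assumed line shape: iface proto endpoint [(pre-NAT endpoint)] <-|-> endpoint state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+"
    r"(?:\((?P<nat>[^)]+)\)\s+)?(?P<dir><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)


def parse_state_line(line):
    """Return a dict with the original source and destination, or None."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m["dir"] == "<-":
        # Inbound state: pf prints "dst <- src".
        src, dst = m["right"], m["left"]
    else:
        # Outbound state: pf prints "src (pre-NAT src) -> dst"; the
        # parenthesised address is the host behind the gateway's NAT.
        src, dst = m["nat"] or m["left"], m["right"]
    return {"iface": m["iface"], "proto": m["proto"], "dir": m["dir"],
            "src": src, "dst": dst, "state": m["state"]}


def parse_states(text):
    """Parse every recognisable state line, silently skipping the rest."""
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def _host(endpoint):
    return endpoint.rsplit(":", 1)[0]


def _port(endpoint):
    return endpoint.rsplit(":", 1)[1]


def find_half_open_intercepts(states, int_if, proxy_host, http_ports=("80",)):
    """Report client HTTP flows entering int_if that never left SYN_SENT.

    A CLOSED:SYN_SENT state means the gateway saw one side of the handshake
    only. For an intercepted flow that is the symptom of the proxy answering
    the client directly rather than back through the gateway. Each finding
    also records whether the proxy holds an ESTABLISHED flow to the same
    server, which is what the thread's state table shows.
    """
    proxy_established = {
        s["dst"] for s in states
        if s["proto"] == "tcp" and _host(s["src"]) == proxy_host
        and s["state"] == "ESTABLISHED:ESTABLISHED"
    }
    findings = []
    for s in states:
        if s["iface"] != int_if or s["proto"] != "tcp" or s["dir"] != "<-":
            continue
        if _port(s["dst"]) not in http_ports or _host(s["src"]) == proxy_host:
            continue
        if s["state"] != "CLOSED:SYN_SENT":
            continue
        findings.append({
            "client": s["src"],
            "server": s["dst"],
            "proxy_has_established_flow": s["dst"] in proxy_established,
        })
    return findings


if __name__ == "__main__":
    # Pipe `pfctl -ss` output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    for f in find_half_open_intercepts(parse_states(text), "em1", "172.99.96.50"):
        print("half-open intercept: {client} -> {server} "
              "(proxy established to same server: {proxy_has_established_flow})".format(**f))
```

Run it on the gateway as `pfctl -ss | python3 pfstates.py` (the file name is arbitrary). A hit for a client that is not the proxy, next to an ESTABLISHED flow from the proxy to the same server, is exactly the pattern in the post and isolates the symptom; it does not by itself say where the reply path went, only that it did not pass the gateway.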