Re: [squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

2016-10-26 Thread Jens Offenbach
@Amos
Thank you very much for improving the Squid configuration. I am currently in 
the setup phase and "opened" everything, in order not to run into permission 
problems. I have added and removed your suggestions, respectively. The 
configuration looks much better now.

I was able to solve my Tproxy problem. The routing table was missing. The 
following commands fixed it:
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

Regards,
Jens
 

Sent: Wednesday, 26 October 2016 at 13:12
From: "Amos Jeffries" <squ...@treenet.co.nz>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)
On 26/10/2016 7:42 p.m., Jens Offenbach wrote:
> Hi,
> I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 
> 16.04.1, but I cannot get it working. When a client tries to connect to the 
> web, the connection always times out.
>
> Hopefully, someone has an idea what's going on.
>
> uname -r:
> 4.4.0-45-generic
>
> sysctl:
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
>
> squid.conf:
> # ACCESS CONTROLS
> # -
> acl localnet src 139.2.0.0/16
> acl localnet src 193.96.112.0/21
> acl localnet src 192.109.216.0/24
> acl localnet src 100.1.4.0/22
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl to_localnet dst 139.2.0.0/16
> acl to_localnet dst 193.96.112.0/21
> acl to_localnet dst 192.109.216.0/24
> acl to_localnet dst 100.1.4.0/22
> acl to_localnet dst 10.0.0.0/8
> acl to_localnet dst 172.16.0.0/12
> acl to_localnet dst 192.168.0.0/16
>

Missing basic security controls to prevent this being an abused open proxy.
http_access deny !Safe_Ports
http_access deny CONNECT !SSL_Ports


> http_access allow manager localhost
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow to_localnet

Permits external visitors uncontrolled access to your LAN IP spaces.
Particularly when combined with the "always_direct allow to_localnet" below.
Really want that?

> http_access deny all
>
> # NETWORK OPTIONS
> # -
> http_port 10.30.200.99:3128
> http_port 10.30.216.254:3128
> http_port 10.30.216.254:3129 tproxy
>
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # -
> cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
> cache_peer roxy.mycompany.com parent 8080 0 no-query no-digest

I suspect the peers are sending TCP SYN+ACK responses directly back to
the client IP which Squid is spoofing.

Add the option "no-tproxy" to these peer lines to avoid that.

>
> # MEMORY CACHE OPTIONS
> # -
> maximum_object_size_in_memory 8 MB
> memory_replacement_policy heap LFUDA
> cache_mem 256 MB
>
> # DISK CACHE OPTIONS
> # -
> maximum_object_size 10 GB
> cache_replacement_policy heap GDSF
> cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240
>
> # LOGFILE OPTIONS
> # -
> access_log daemon:/var/log/squid/access.log squid
> cache_store_log daemon:/var/log/squid/store.log
>

store.log is very rarely needed. You might consider removing it for some
extra speed out of the proxy.


> # OPTIONS FOR TROUBLESHOOTING
> # -
> cache_log /var/log/squid/cache.log
> coredump_dir /var/log/squid
>
> # OPTIONS FOR TUNING THE CACHE
> # -
> cache allow all

Unnecessary default value configured.

>
> # ADMINISTRATIVE PARAMETERS
> # -
> visible_hostname my-proxy.mycompany.com
>
> # ICP OPTIONS
> # -
> icp_port 0
>

Unnecessary default value configured.

> # OPTIONS INFLUENCING REQUEST FORWARDING
> # -
> always_direct allow to_localnet
> always_direct allow to_localhost
> never_direct allow all
>

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
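The complete kernel-side setup, as an added example that is not code from the thread: it combines the iptables rules from the original post further down with the two ip commands Jens found missing, in the order they have to be applied. Assumed values: Squid's tproxy listener 10.30.216.254:3129 and mark 0x1 from the post, table 100 from Jens's fix, and eth2 as the ingress interface (taken from the LOG line). The rp_filter line for eth2 is an addition: the kernel applies the larger of conf/all and conf/<interface>, so clearing "all" alone is not enough when the interface value is 1. Nothing here survives a reboot; once it works, move it into the distribution's network hooks or a systemd unit.

```shell
#!/bin/sh
# Added example, not code from the thread: the kernel-side TPROXY setup
# that the original config was missing, in the order it has to be applied.
# Assumed values: Squid listener 10.30.216.254:3129 and mark 0x1 from the
# post, routing table 100 from Jens's fix, eth2 from the syslog LOG line.
# Run as root:  ./tproxy-setup.sh --apply   (--dry-run only prints, --check verifies)

SQUID_IP=${SQUID_IP:-10.30.216.254}
SQUID_PORT=${SQUID_PORT:-3129}
FWMARK=${FWMARK:-0x1}
TABLE=${TABLE:-100}
IFACE=${IFACE:-eth2}

# run: execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

tproxy_setup() {
    # 1. sysctls. Linux uses the MAX of conf/all and conf/<iface> for
    #    rp_filter, so the ingress interface must be cleared as well as "all".
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.default.rp_filter=0
    run sysctl -w "net.ipv4.conf.$IFACE.rp_filter=0"
    # 2. Policy routing: a marked packet is treated as local and delivered to
    #    the IP_TRANSPARENT socket Squid bound, instead of being forwarded.
    #    Without these two lines the TPROXY rule fires (its counter moves)
    #    but the SYN never reaches Squid: no access.log entry, client times out.
    run ip rule add fwmark "$FWMARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    # 3. mangle rules: re-mark packets of flows that already belong to a
    #    transparent socket (-m socket), then divert new port-80 flows.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$FWMARK/$FWMARK" --on-ip "$SQUID_IP" --on-port "$SQUID_PORT"
}

# tproxy_route_ok RULES ROUTES: given the output of `ip rule show` and
# `ip route show table $TABLE`, succeed only if both halves of the policy
# route exist. This is the check that would have located Jens's problem.
tproxy_route_ok() {
    printf '%s\n' "$1" | grep -q "fwmark $FWMARK lookup $TABLE" || return 1
    printf '%s\n' "$2" | grep -Eq "^local (default|0\.0\.0\.0/0) dev lo" || return 1
}

case "${1:-}" in
    --apply)   tproxy_setup ;;
    --dry-run) DRY_RUN=1; tproxy_setup ;;
    --check)   if tproxy_route_ok "$(ip rule show)" "$(ip route show table "$TABLE")"; then
                   echo "policy route present"
               else
                   echo "policy route MISSING"; exit 1
               fi ;;
esac
```

Run `--check` before `--apply`: `ip rule add` is not idempotent (a second run adds a duplicate rule) and `ip route add` fails when the route already exists. The `-m socket` rule ahead of the TPROXY rule puts packets of flows that already have a transparent socket onto the same mark, so they take the same local-delivery path as the initial SYN.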


Re: [squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

2016-10-26 Thread Amos Jeffries
On 26/10/2016 7:42 p.m., Jens Offenbach wrote:
> Hi,
> I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 
> 16.04.1, but I cannot get it working. When a client tries to connect to the 
> web, the connection always times out.
> 
> Hopefully, someone has an idea what's going on.
> 
> uname -r:
> 4.4.0-45-generic
> 
> sysctl:
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> 
> squid.conf:
> # ACCESS CONTROLS
> # -
>   acl localnet src 139.2.0.0/16
>   acl localnet src 193.96.112.0/21
>   acl localnet src 192.109.216.0/24
>   acl localnet src 100.1.4.0/22
>   acl localnet src 10.0.0.0/8
>   acl localnet src 172.16.0.0/12
>   acl localnet src 192.168.0.0/16
>   acl to_localnet dst 139.2.0.0/16
>   acl to_localnet dst 193.96.112.0/21
>   acl to_localnet dst 192.109.216.0/24
>   acl to_localnet dst 100.1.4.0/22
>   acl to_localnet dst 10.0.0.0/8
>   acl to_localnet dst 172.16.0.0/12
>   acl to_localnet dst 192.168.0.0/16
> 

Missing basic security controls to prevent this being an abused open proxy.
 http_access deny !Safe_Ports
 http_access deny CONNECT !SSL_Ports


>   http_access allow manager localhost
>   http_access deny  manager
>   http_access allow localnet
>   http_access allow localhost
>   http_access allow to_localnet

Permits external visitors uncontrolled access to your LAN IP spaces.
Particularly when combined with the "always_direct allow to_localnet" below.
Really want that?

>   http_access deny all
> 
> # NETWORK OPTIONS
> # -
>   http_port 10.30.200.99:3128
>   http_port 10.30.216.254:3128
>   http_port 10.30.216.254:3129 tproxy
> 
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # -
>   cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
>   cache_peer  roxy.mycompany.com parent 8080 0 no-query no-digest

I suspect the peers are sending TCP SYN+ACK responses directly back to
the client IP which Squid is spoofing.

Add the option "no-tproxy" to these peer lines to avoid that.

> 
> # MEMORY CACHE OPTIONS
> # -
>   maximum_object_size_in_memory 8 MB
>   memory_replacement_policy heap LFUDA
>   cache_mem 256 MB
> 
> # DISK CACHE OPTIONS
> # -
>   maximum_object_size 10 GB
>   cache_replacement_policy heap GDSF
>   cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240
> 
> # LOGFILE OPTIONS
> # -
>   access_log daemon:/var/log/squid/access.log squid
>   cache_store_log daemon:/var/log/squid/store.log
> 

store.log is very rarely needed. You might consider removing it for some
extra speed out of the proxy.


> # OPTIONS FOR TROUBLESHOOTING
> # -
>   cache_log /var/log/squid/cache.log
>   coredump_dir /var/log/squid
>   
> # OPTIONS FOR TUNING THE CACHE
> # -
>   cache allow all

Unnecessary default value configured.

>   
> # ADMINISTRATIVE PARAMETERS
> # -
>   visible_hostname my-proxy.mycompany.com
> 
> # ICP OPTIONS
> # -
>   icp_port 0
> 

Unnecessary default value configured.

> # OPTIONS INFLUENCING REQUEST FORWARDING 
> # -
>   always_direct allow to_localnet
>   always_direct allow to_localhost
>   never_direct  allow all
> 

Amos

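The access-control fragment Amos asked for, together with a lint for the points he raised, as an added example that is not part of the thread. The Safe_ports and SSL_ports lists are the Squid 3.5 squid.conf defaults; the rest of the http_access lines are the poster's, minus `http_access allow to_localnet`, which is dropped rather than fixed because a dst-only ACL on an allow line admits any source address. The lint reads a squid.conf on stdin; its dst-only check generalises Amos's remark to every allow line of that shape, and it also flags `cache_peer` lines without `no-tproxy` whenever a tproxy `http_port` is present (his SYN+ACK point). The ordering check is an assumption about what a reviewer would want: `deny !Safe_ports` placed after an allow line protects nothing that the allow already let through.

```shell
#!/bin/sh
# Added example, not code from the thread: the access-control block Amos asked
# for, plus a lint that flags the problems he pointed out in a squid.conf read
# from stdin. Port lists are the Squid 3.5 squid.conf defaults.
# Usage:  squid_acl_lint < /etc/squid/squid.conf

# hardened_access_controls: prints the http_access section in the order Squid
# needs. http_access is evaluated top-down and the first match wins, so the two
# deny lines must precede every allow line.
hardened_access_controls() {
cat <<'EOF'
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
EOF
}

# squid_acl_lint: reads squid.conf on stdin, prints one finding per line and
# returns 1 if anything was found. "http_access allow X" where X is a dst ACL
# and nothing else is on the line admits every source address to that range.
squid_acl_lint() {
    findings=$(awk '
        $1 == "acl" && $3 == "dst"          { dstonly[$2] = 1 }
        $1 == "http_port" && /tproxy/       { tproxy = 1 }
        $1 == "cache_peer" && !/no-tproxy/  { peers = peers " " $2 }
        $1 == "http_access" {
            if ($2 == "deny" && $3 == "!Safe_ports") safe = 1
            if ($2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports") ssl = 1
            if ($2 == "allow" && !safe) allow_first = 1
            if ($2 == "allow" && NF == 3 && ($3 in dstonly))
                print "line " NR ": http_access allow " $3 " has no source restriction (dst-only ACL)"
        }
        END {
            if (!safe) print "missing: http_access deny !Safe_ports"
            else if (allow_first) print "http_access deny !Safe_ports is placed after an allow line"
            if (!ssl) print "missing: http_access deny CONNECT !SSL_ports"
            if (tproxy && peers != "") print "cache_peer without no-tproxy on a tproxy proxy:" peers
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Against the posted config the lint prints four findings (the two missing deny lines, the bare `allow to_localnet`, and the peers without `no-tproxy`); against the fragment above it is silent. If LAN destinations really must be reachable through the proxy from outside, pair the dst ACL with a src ACL on the same line (`http_access allow some_src to_localnet`), since ACLs on one http_access line are ANDed, rather than allowing the dst ACL alone.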


[squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

2016-10-26 Thread Jens Offenbach
Hi,
I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 
16.04.1, but I cannot get it working. When a client tries to connect to the 
web, the connection always times out.

Hopefully, someone has an idea what's going on.

uname -r:
4.4.0-45-generic

sysctl:
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

squid.conf:
# ACCESS CONTROLS
# -
  acl localnet src 139.2.0.0/16
  acl localnet src 193.96.112.0/21
  acl localnet src 192.109.216.0/24
  acl localnet src 100.1.4.0/22
  acl localnet src 10.0.0.0/8
  acl localnet src 172.16.0.0/12
  acl localnet src 192.168.0.0/16
  acl to_localnet dst 139.2.0.0/16
  acl to_localnet dst 193.96.112.0/21
  acl to_localnet dst 192.109.216.0/24
  acl to_localnet dst 100.1.4.0/22
  acl to_localnet dst 10.0.0.0/8
  acl to_localnet dst 172.16.0.0/12
  acl to_localnet dst 192.168.0.0/16

  http_access allow manager localhost
  http_access deny  manager
  http_access allow localnet
  http_access allow localhost
  http_access allow to_localnet
  http_access deny all

# NETWORK OPTIONS
# -
  http_port 10.30.200.99:3128
  http_port 10.30.216.254:3128
  http_port 10.30.216.254:3129 tproxy

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -
  cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
  cache_peer  roxy.mycompany.com parent 8080 0 no-query no-digest

# MEMORY CACHE OPTIONS
# -
  maximum_object_size_in_memory 8 MB
  memory_replacement_policy heap LFUDA
  cache_mem 256 MB

# DISK CACHE OPTIONS
# -
  maximum_object_size 10 GB
  cache_replacement_policy heap GDSF
  cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240

# LOGFILE OPTIONS
# -
  access_log daemon:/var/log/squid/access.log squid
  cache_store_log daemon:/var/log/squid/store.log

# OPTIONS FOR TROUBLESHOOTING
# -
  cache_log /var/log/squid/cache.log
  coredump_dir /var/log/squid
  
# OPTIONS FOR TUNING THE CACHE
# -
  cache allow all
  
# ADMINISTRATIVE PARAMETERS
# -
  visible_hostname my-proxy.mycompany.com

# ICP OPTIONS
# -
  icp_port 0

# OPTIONS INFLUENCING REQUEST FORWARDING 
# -
  always_direct allow to_localnet
  always_direct allow to_localhost
  never_direct  allow all

# DNS OPTIONS
# -
  dns_nameservers 192.168.0.1
  dns_nameservers 192.168.0.2

# MISCELLANEOUS
# -
  memory_pools off

iptables-rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 --on-ip 10.30.216.254

I can see that packets are traversing the chain DIVERT and TPROXY (packet 
counter):
Chain DIVERT (1 references)
 pkts bytes target     prot opt in     out     source               destination
1134K  416M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
1134K  416M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 2380 packets, 261K bytes)
 pkts bytes target     prot opt in     out     source               destination
1253K  455M neutron-openvswi-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1134K  416M DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            socket
 2125  119K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4 prefix "TPROXY : "
   63  3780 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TPROXY redirect 10.30.216.254:3129 mark 0x1/0x1

The client request is present in my syslog:
Oct 26 08:38:49 os-controller01 kernel: [ 4590.987956] TPROXY : IN=eth2 OUT= MAC=00:50:56:8d:2f:d4:02:05:69:02:be:68:08:00 SRC=10.30.216.132 DST=74.125.24.94 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=21615 DF PROTO=TCP SPT=47706 DPT=80 WINDOW=27200 RES=0x00 SYN URGP=0

There is nothing in squid logs.

I have