I have a weird problem. SQUID is configured as a transparent proxy.
client--VPN - SQUID -- internet
squid.conf
cache deny all
forwarded_for on
strip_query_terms off
cache_effective_user proxy
cache_effective_group proxy
client_dst_passthru on
host_verify_strict off
http_port 3130 intercept
Amos Jeffries squid3 at treenet.co.nz writes:
On 6/11/2013 12:37 p.m., WorkingMan wrote:
1) Is the POST body request preserved when using url_rewrite_program? Based on my test it seems to be lost. If it's lost is it easy to modify SQUID to preserve that (or maybe an option to enable that)?
2) Can URL be rewritten in content adaptation like eCAP (or ICAP)? Just wondering.
3) what
Eliezer Croitoru eliezer at ngtech.co.il writes:
Hey there,
Man you need to understand something.
Your basic routing doesn't help in any way.
In your case you should have a network which is a simple thing...
I do not remember the machine settings but once you have a strict default via
WorkingMan signup_mail2002 at yahoo.com writes:
Eliezer Croitoru eliezer at ngtech.co.il writes:
Hey there,
Man you need to understand something.
Your basic routing doesn't help in any way.
In your case you should have a network which is a simple thing...
I do not remember
I can say for sure this is the issue. First of all I can make this work with two Ubuntu VMs under the same LAN which allowed me to compare the difference.
Eliezer's observation is correct. On my VMs traffic goes through the gateway (ie: the router) before going to the remote box. On
There is a very specific order of packet flow required to get these
things working. And an equally specific order of configuration and
testing needed to ensure that it is all working.
I have taken the liberty of re-arranging the details you posted to
follow the order of configuration
One hint I had was that the traffic is not marked correctly.
This line, if added (I got it from somewhere online), will change the mac address of the web site to be the one of SQUID:
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 2
With that rule:
I have confidence that we can get to the bottom of this with this level of details.
I am currently stuck at this step:
VPN Server - Web Site (SQUID's mac)
This was also where I was stuck before. At this point I am simply issuing a curl www.cnn.com from VPN server (VPN
Amos Jeffries squid3 at treenet.co.nz writes:
On 2/11/2013 9:17 p.m., WorkingMan wrote:
One hint I had was that the traffic is not marked correctly.
This line, if added (I got it from somewhere online), will change the mac address of the web site to be the one of SQUID:
iptables
Eliezer Croitoru eliezer at ngtech.co.il writes:
Just to make sure I understood:
How many boxes do you have?
What is VPN and what is SQUID?
You do understand that there is no way to run TPROXY on Amazon safely??
So leave TPROXY out of sight for now.
If you have two machines it's another
Eliezer Croitoru eliezer at ngtech.co.il writes:
On 11/01/2013 10:30 AM, WorkingMan wrote:
I am not using TPROXY. VPN/SQUID are two different servers.
OK now you mangled everything!!
try to start from scratch which means design.
Put the VPN on the same squid server or retry to design
Some questions that might lead you in a useful direction for solving this:
* is eth0 the right interface to be operating with?
* does VPN have an interface of its own with better results?
* is there something special you have to add on top of all this to make it work over a VPN connection?
Eliezer Croitoru eliezer at ngtech.co.il writes:
Hey there,
On 10/30/2013 10:18 PM, WorkingMan wrote:
I think we need an up-to-date guide on transparent proxy for remote host (with concrete example that works). I followed too many guides that don't work.
Maybe you still have
TPROXY is not routing. It is packet interception, taking a packet from
the kernel TCP stack and delivering it to a local process running on
that machine. Taking packets from that same local process marked with a
special TPROXY flag and allowing them to be routed despite having a src
Eliezer Croitoru eliezer at ngtech.co.il writes:
Hey,
On 10/31/2013 09:58 AM, WorkingMan wrote:
iptables -t nat -A POSTROUTING -j MASQUERADE
try to flush all the iptables rules by:
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
then add the next:
iptables -t nat
I am suspecting something is going on but I am just not seeing it in the logs.
tshark is not catching anything either by host IP or port 3130 on either VPN/SQUID. Does the TPROXY way work for SQUID on a remote server, because I was going to try that next?
ping, dns lookup all seem normal
I hope I can refocus this question to the real problem.
I currently have a working VPN setup but once I add my policy routing rules it breaks the client's port 80 connection (everything else still good, apps still work). I don't see any traffic going to my SQUID server.
First of all I don't use
Mike Cardwell squid-users at lists.grepular.com writes:
* on the Wed, Oct 23, 2013 at 05:14:00PM +1300, Amos Jeffries wrote:
For starters NAT has never been transparent proxy. NAT is the lazy admin's replacement, using the proxy IP on outbound to avoid having to set up proper routing
Eliezer Croitoru eliezer at ngtech.co.il writes:
Hey,
I was wondering to myself?
Why do you intercept traffic using Amazon?
You should host your proxy close enough to have good response time which
is ok if Amazon is close enough.
In order to perform your goal you will need to use the
Depends on the VPN client..
What VPN client have you used until now?
Eliezer
I am using iPhone 5's Built-in client. Server is strongswan 5.1.
I will be testing with android's built-in client.
That line above the headers is showing the problem:
HTTP Client local=SQUID IP:3130 remote=VPN server:65090 FD 10 flags=1
local= contains the details of www.nba.com server where the request is being fetched, original dst IP:port from the TCP packets.
remote= contains the client
What I tried:
1) with clean.rules I can connect to VPN and access internet without any issue
1b) On SQUID or VPN server curl -x http://localhost:3130 www.nba.com works
2) with proxy.rules VPN client get invalid URL (previously mentioned error).
proxy is not intercept or transparent
http_port
WorkingMan signup_mail2002 at yahoo.com writes:
-
GET / HTTP/1.1
Host: www.nba.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
Cookie: s_fid=32FDC9FA0E2D94CE-297956A1143A207A; s_vi=
[CS]v1|28AFB9BC0501287A
For access denied I found something interesting.
client_side_request.cc(572) hostHeaderIpVerify: validate IP 127.0.0.1:3130 non-match from Host: IP 165.254.27.105
client_side_request.cc(572) hostHeaderIpVerify: validate IP 127.0.0.1:3130 non-match from Host: IP 165.254.27.115
Setup: VPN -- SQUID (both in Amazon EC2 classic instances, not VPC)
1) SQUID works fine by itself when I tried by configuring the browser (and
before setting SQUID as transparent proxy).
2) VPN (strongswan) works fine by itself as well.
Now I added a few iptables rules to route traffic to SQUID
It appears that one of the tests I was doing is not correct, so it can yield some hint to the problem. -k reconfigure didn't take effect when I made the change. So for the browser with direct proxy setting, I am able to browse correctly if not using intercept (ie: using SQUID server's public IP
To eliminate any iptables issues, I also tested on SQUID server using curl.
curl -x http://localhost:3130 www.cnn.com
Of course I am also getting the same error of access denied.
1) why intercept mode fails (do I need any special rule on my remote SQUID box?) with access denied for all requests
Where is the NAT/TPROXY interception happening for (1)?
It is required to be done directly on the Squid machine, with packets
sent to that machine by *routing* or
For #2 the error from SQUID's error page that I see is like this:
ERROR
The requested error was encountered while trying to retrieve the URL : /
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
Missing or incorrect access protocol
Missing hostname
...