[squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?

2012-01-19 Thread Isenberg, Holger
Is anyone using squid successfully as a reverse proxy for Outlook Anywhere (RPC 
over https) and Active Sync for an Exchange 2010?

Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https 
for Outlook Anywhere and Active Sync for Outlook mobile devices like Android 
and iPhone, I had some success, but problems with some Active Sync clients are 
still a show stopper.

RPC over https works fine with that squid version.

The problem is the very first http OPTIONS request for Active Sync, which is 
using http Basic Authentication from an Android with TouchDown as the client app. 
The cache.log shows the following request and response:

Mobile sending:
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxx==
Content-Length: 0
Host: webmail.domain.com

Squid sending to IIS (Basic dGV... is the same as above):
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxx==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com=Surrogate/1.0
Cache-Control: max-age=259200
Connection: keep-alive

IIS responding:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm=webmail.domain.com
X-Powered-By: ASP.NET
Date: Wed, 18 Jan 2012 14:38:32 GMT
Content-Length: 1344

There the connection is closed by the client. Maybe the headers added by squid 
are not accepted by IIS? Is there any parameter to disable adding 
Surrogate-Capability, Cache-Control and Connection to the forwarded request?

/opt/squid32/sbin/squid -v
Squid Cache: Version 3.2.0.13
configure options:  '--prefix=/opt/squid32' '--enable-ssl'


squid.conf:

cache_effective_user squidext
cache_effective_group squidext
pid_filename /var/run/squidext.pid

acl srcall src all
acl EXCH dstdomain webmail.domain.com

ssl_unclean_shutdown on

httpd_suppress_version_string on 
cache_mgr noemailaddress
visible_hostname webmail.domain.com

# Internet connector
https_port 172.17.200.25:443 accel cert=/etc/ssl/certs/webmail.domain.com.pem \
   key=/etc/ssl/certs/webmail.domain.com.pem defaultsite=webmail.domain.com

# destination server (IIS for Exchange)
cache_peer 192.168.100.24 parent 443 0 \
ssl sslflags=DONT_VERIFY_PEER \
sslcert=/etc/ssl/certs/webmail.domain.com.pem \
sslkey=/etc/ssl/certs/webmail.domain.com.pem \
proxy-only no-query no-digest front-end-https=on sourcehash round-robin \
originserver \
login=PASSTHRU name=exchange forceddomain=webmail.domain.com

debug_options ALL,2
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st \
"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log stdio:/var/log/squidext/access.log combined
cache_log /var/log/squidext/cache.log

never_direct allow EXCH
http_access allow EXCH
http_access deny srcall
cache_peer_access exchange allow EXCH
cache_peer_access exchange deny srcall

via off
forwarded_for transparent

#eof


Re: [squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?

2012-01-19 Thread Amos Jeffries

On 19/01/2012 10:13 p.m., Isenberg, Holger wrote:

Is anyone using squid successfully as a reverse proxy for Outlook Anywhere (RPC 
over https) and Active Sync for an Exchange 2010?

Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https 
for Outlook Anywhere and Active Sync for Outlook mobile devices like Android 
and iPhone, I had some success, but problems with some Active Sync clients are 
still a show stopper.

RPC over https works fine with that squid version.

The problem is the very first http OPTIONS request for Active Sync, which is 
using http Basic Authentication from an Android with TouchDown as the client app. 
The cache.log shows the following request and response:

Mobile sending:
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxx==
Content-Length: 0
Host: webmail.domain.com

Squid sending to IIS (Basic dGV... is the same as above):
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxx==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com=Surrogate/1.0
Cache-Control: max-age=259200
Connection: keep-alive

IIS responding:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm=webmail.domain.com
X-Powered-By: ASP.NET
Date: Wed, 18 Jan 2012 14:38:32 GMT
Content-Length: 1344

There the connection is closed by the client. Maybe the headers added by squid 
are not accepted by IIS? Is there any parameter to disable adding 
Surrogate-Capability, Cache-Control and Connection to the forwarded request?


401 status means the header not being accepted is the Authorization: 
header.


Connection is unchanged from what was passed to Squid, just re-positioned.

Surrogate-Capability is a bit new yes, but HTTP requires ignoring 
unsupported headers. IIS would be incapable of performing regular HTTP 
traffic if it were that sensitive to unknown headers coming from 
clients. Weird stuff is the norm rather than the exception in HTTP.



To debug further you can try opening a connection to IIS with telnet and 
send variations of those headers to it cut-n-paste style. Or use the 
squidclient tool to tailor the request particulars.



Amos


[squid-users] Squid workers bug

2012-01-19 Thread Jean-Philippe Menil

Hi,

When using squid 3.2.0.14, configured with 4 workers, I can see a segfault 
from one of the workers (don't know why currently).
squid3[6832]: segfault at 7fff4b271ff8 ip 005bb7e1 sp 
7fff4b272000 error 6 in squid3[40+3c8000]


Logs are plenty of :
2012/01/19 06:26:07 kid3| varyEvaluateMatch: Oops. Not a Vary object on 
second attempt, 'http://www.lefigaro.fr/scripts/FigaroTools.js?20110728' 
'accept-encoding=gzip,%20deflate'

2012/01/19 06:26:07 kid3| clientProcessHit: Vary object loop!

I would have expected that the squid coordinator restarts the faulty 
worker, but it doesn't happen.

I can't see anything in the log regarding that.

Is there a way to restart a worker properly?
And what can I do to debug a faulty worker?

Regards.

--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.me...@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09



RE: [squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?

2012-01-19 Thread Isenberg, Holger
Using 3.1.18 now, with login=PASS instead and connection-auth=on added, both 
in cache_peer, Active Sync can be used now.

cache_peer 192.168.100.24 parent 443 0 \
ssl sslflags=DONT_VERIFY_PEER \
sslcert=/etc/ssl/certs/webmail.domain.com.pem \
sslkey=/etc/ssl/certs/webmail.domain.com.pem \
proxy-only no-query no-digest front-end-https=on sourcehash round-robin \
originserver \
login=PASS connection-auth=on name=exchange \
forceddomain=webmail.domain.com

I'll reply again in a few days, if this configuration is stable...


 -Original Message-
 From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
 Sent: Thursday, January 19, 2012 11:13 AM
 To: squid-users@squid-cache.org
 Subject: Re: [squid-users] Problems with Active Sync over 
 squid with basic auth. Any successful config for Active Sync 
 and Outlook Anywhere on Exchange 2010 replacing an ISA server?

 401 status means the header not being accepted is the 
 Authorization: 
 header.
 
 Connection is unchanged from what was passed to Squid, just 
 re-positioned.
 
 Surrogate-Capability is a bit new yes, but HTTP requires ignoring 
 unsupported headers. IIS would be incapable of performing 
 regular HTTP 
 traffic if it were that sensitive to unknown headers coming from 
 clients. Weird stuff is the norm rather than the exception in HTTP.
 
 
 To debug further you can try opening a connection to IIS with 
 telnet and 
 send variations of those headers to it cut-n-paste style. Or use the 
 squidclient tool to tailor the request particulars.
 
 
 Amos
 
 


[squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request

2012-01-19 Thread Sam Beechey
Hi All,

I have been configuring a new Squid server today. The original configuration 
(without TProxy) worked fine.. DNAT from port 80 to 3128 at squid server..

The source server is where end-users establish a connection, The Squid server 
is (10.10.10.1) and The Client in question is (10.10.10.100)

SOURCE SERVER:

iptables -t nat -N cache >/dev/null 2>&1
iptables -t nat -F cache
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
iptables -t nat -N cache_users >/dev/null 2>&1
iptables -t nat -F cache_users
iptables -t nat -A PREROUTING -j cache_users
iptables -t nat -A cache_users -s 10.10.10.100 -j cache
iptables -t nat -L cache -nvx

Now I wanted to use TProxy (so that the client address is shown rather than the 
squid server ip) - I made the following changes:

SQUID SERVER

Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + 
squid-2.7s9-tproxy-4.patch

./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid 
--srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid 
--enable-linux-netfilter --enable-linux-tproxy

http_port 3128
http_port 3129 tproxy

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 
0x1/0x1 --on-port 3129

AND TO THE SOURCE SERVER:

FROM:      iptables -t nat -I cache -p tcp -m tcp --dport 80 -j 
DNAT --to 10.10.10.1:3128
TO: iptables -t nat -I cache -p tcp -m tcp --dport 80 
-j DNAT --to 10.10.10.1:80

Now the redirection is working... But all the requests are producing an error, 
invalid get request...

==> /var/log/squid/cache.log <==
2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid 
Request

==> /var/log/squid/access.log <==
1326987346.801  0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- 
text/html

==> /var/log/squid/store.log <==
1326987346.801 RELEASE -1  45B97B27006C6BC283B7EC45B6A1A89C  400 
1326987346    -1    -1 text/html 1820/1820 GET error:invalid-request


Error displayed in browser:

ERROR
The requested URL could not be retrieved

While trying to process the request: 
GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition United States Local; en) 
Presto/2.10.229 Version/11.60
Host: google.co.uk
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, 
image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate
Cookie: 
NID=55=nLRCbUnrM3C7dIaU0ZMwmU4sN89GspazHRw8hQfw8aPn-DoDA4HgTfiLubioA26TMXvjxdNRQqjNwtMsgy0PykVn1F0AqVEl5VQTuB-UNrT1Od9FNHefLUFn62bKTxDd;
 
PREF=ID=2bc21a6253c0a51e:U=121832e3827d293d:FF=0:TM=1326808544:LM=1326808546:S=BIrQ44EQPGOaCNys
Connection: Keep-Alive

The following error was encountered: 
 Invalid Request 

Some aspect of the HTTP Request is invalid. Possible problems: 
Missing or unknown request method 
Missing URL 
Missing HTTP Identifier (HTTP/1.0) 
Request is too large 
Content-Length missing for POST or PUT requests 
Illegal character in hostname; underscores are not allowed 

Your cache administrator is webmaster. 
 Generated Thu, 19 Jan 2012 15:33:48 GMT by cache (squid/2.7.STABLE9)


Any input would be greatly appreciated.

Kind Regards,
Sam


[squid-users] Running squid out of the router/gateway

2012-01-19 Thread Sebastian muniz
Hello *
I work at a small ISP. We give non-routable 172.16/12 IPs to most
of our customers, and some of them buy public IPs from us.
We have a squid box in the public segment of our network.
Until now we were NATing outgoing tcp/80 connections at the Mikrotiks to
the squid public IP ( 200.45.94.2 ).
This worked quite well, but lately we have an issue with forwarding
loops such as:
at cache.log
2011/11/20 15:15:09| WARNING: Forwarding loop detected for:
POST /versioncheck.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Content-Length: 75
Via: 1.0 powerweb.iaconecta.com (squid/3.1.12)
X-Forwarded-For: 200.45.94.7
Host: 200.45.94.2:31280
Cache-Control: max-age=259200
Connection: keep-alive

And at access.log
1324811063.537  4 200.45.94.2 TCP_MISS/400 69381 POST
http://200.45.94.2:31280/versioncheck.asp - DIRECT/200.45.94.2
text/html
1324811063.538  6 200.45.94.2 TCP_MISS/400 69467 POST
http://200.45.94.2:31280/versioncheck.asp - DIRECT/200.45.94.2
text/html
[]

Reading the squid site, it looks like NATting outgoing connections to a
squid running on another box is not a good idea.
Questions:
What is the suggested way to implement this scenario?
How can I get rid of the loop?

Thanks in advance.


Re: [squid-users] Running squid out of the router/gateway

2012-01-19 Thread Giles Coochey

On 2012-01-19 17:37, Sebastian muniz wrote:



Reading the squid site, it looks like NATting outgoing connections to a
squid running on another box is not a good idea.
Questions:
What is the suggested way to implement this scenario?
How can I get rid of the loop?

Thanks in advance.


You might look at whether your routers support WCCP.

http://en.wikipedia.org/wiki/Web_Cache_Communication_Protocol


--
Message sent via my webmail account.


[squid-users] ufdbGuard v1.28 is out - check out the URL filter for Squid

2012-01-19 Thread Marcus Kool

ufdbGuard version 1.28 has been released on January 19, 2012.

ufdbGuard is a URL filter for Squid with the following features:
- filter web access based on rules for users, times, website category
- works with free and commercial URL databases
- can enforce SafeSearch for all major search engines
- prohibits the use of SSH tunnels, VPNs, Tor, UltraSurf et al.
- supports edufilter of YouTube
- detects all major chat applications that use HTTPS
- can enforce safer browsing for HTTPS sites
- multithreaded and very fast

ufdbGuard is Open Source Software and is free.
It can be downloaded from http://sourceforge.net or http://www.urlfilterdb.com


[squid-users] Squid Sibling Proxy-Only Still Caching Locally

2012-01-19 Thread darren.trzynka
I am configuring squid caches to be siblings of each other and have gotten them 
to correctly communicate with each other from an ICP perspective and have one 
of the caches (B) pull content from another cache (A) that already had the 
object cached, but it seems when it pulls this object that it ends up caching 
it locally.  When a subsequent request is made to cache B, it is found right 
away, logs a TCP_HIT and returns the object.  I would have expected that 
request to make an ICP request to A again and then retrieve it from there, but 
instead it was in its cache.  I believe I verified this as well by looking on 
disk, and there is then an object which did not exist prior.  I thought that 
making the sibling proxy-only would force it to never cache anything it 
received from a sibling, but it doesn't appear to be the case.
Thanks
Darren

Cache A Config (without logging configurations)
acl all src all
acl manager proto cache_object

debug_options ALL,1 33,2
cache_mem 4096 MB
http_port 10.208.129.40:8060 accel defaultsite=mysite.com vport=80
cache_peer parent.com parent 7779 0 no-query originserver name=myAccel
icp_port 3200
icp_access allow all
cache_peer myhost sibling 8061 3201 name=myhost8061 proxy-only
http_access allow all
cache_peer_access myAccel allow all
cache_peer_access myAccel deny all

Cache A Log
[01-18-2012:15:32:01] 1326922321.696 22 10.208.128.43 TCP_MISS/200 48646 
GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- 
SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:14] 1326922334.204  2 10.208.128.43 TCP_HIT/200 48657 GET 
joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- 
ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.314 - 127.0.0.2 UDP_HIT/000 116 ICP_QUERY 
joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- 
PARENT:-

Cache B Config (without logging configurations)
acl all src all
acl manager proto cache_object

debug_options ALL,1 33,2
cache_mem 4096 MB
http_port 10.208.129.40:8061 accel defaultsite=mysite.com vport=80
cache_peer trp0001-08.int.westgroup.com parent 7779 0 no-query originserver 
name=myAccel
icp_port 3201
icp_access allow all
cache_peer myhost sibling 8060 3200 name=myhost8060 proxy-only
http_access allow all
cache_peer_access myAccel allow all
cache_peer_access myAccel deny all

Cache B Log
[01-18-2012:15:32:01] 1326922321.674 - 127.0.0.2 UDP_MISS/000 116 ICP_QUERY 
joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- 
PARENT:-
[01-18-2012:15:32:25] 1326922345.354 40 10.208.128.43 TCP_MISS/200 48646 
GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- 
SESSION:- USER:- ROOT:- PARENT:-
[01-19-2012:15:39:31] 1327009171.018  2 10.208.128.43 TCP_HIT/200 48658 GET 
joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- 
ROOT:- PARENT:-


Re: [squid-users] Running squid out of the router/gateway

2012-01-19 Thread Tim Fletcher
On Thu, 2012-01-19 at 14:37 -0300, Sebastian muniz wrote:

 Reading the squid site, it looks like NATting outgoing connections to a
 squid running on another box is not a good idea.
 Questions:
 What is the suggested way to implement this scenario?
 How can I get rid of the loop?

I use this script to transparently proxy on a box that isn't the
firewall using a combination of iptables to set a mark and then iproute
to change the default GW for packets with that mark set.

The idea is that we first of all accept packets from the proxy so they
don't get marked, and then we mark all packets going to port 80 and then
redirect them to the proxy.

On the proxy host you will need to accept and redirect the packets to
the squid port.

iptables -A PREROUTING -d 192.168.1.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

Transproxy script:

#!/bin/sh
cacheserver=192.168.1.2
cacheport=3128
wwwports=80

fwmark=3
routing_table=2
dev=br0

stop()
{
/sbin/ip rule  del fwmark $fwmark table $routing_table
/sbin/ip route del table $routing_table
for port in $wwwports; do
/sbin/iptables -t mangle -D PREROUTING -j ACCEPT -p tcp --dport $port -s $cacheserver
/sbin/iptables -t mangle -D PREROUTING -j MARK --set-mark 3 -p tcp --dport $port
done
}

start()
{
/sbin/ip rule  add fwmark $fwmark table $routing_table
/sbin/ip route add default via $cacheserver dev $dev table $routing_table
for port in $wwwports; do
/sbin/iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport $port -s $cacheserver
/sbin/iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport $port
done
}

case $1 in
stop)
stop
;;
start)
start
;;
restart)
stop
start
;;
esac

-- 
Tim Fletcher t...@night-shade.org.uk



Re: [squid-users] Running squid out of the router/gateway

2012-01-19 Thread Amos Jeffries

On 20/01/2012 1:11 p.m., Tim Fletcher wrote:

On Thu, 2012-01-19 at 14:37 -0300, Sebastian muniz wrote:


Reading the squid site, it looks like NATting outgoing connections to a
squid running on another box is not a good idea.
Questions:
What is the suggested way to implement this scenario?
How can I get rid of the loop?

I use this script to transparently proxy on a box that isn't the
firewall using a combination of iptables to set a mark and then iproute
to change the default GW for packets with that mark set.

The idea is that we first of all accept packets from the proxy so they
don't get marked, and then we mark all packets going to port 80 and then
redirect them to the proxy.


Called policy routing and documented in the Squid wiki interception 
configs under that name.

http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute



On the proxy host you will need to accept and redirect the packets to
the squid port.

iptables -A PREROUTING -d 192.168.1.2 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080


You are missing -t nat on those rules.


Amos


Re: [squid-users] clientTryParseRequest: FD 12 Invalid Request | TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html | GET error:invalid-request

2012-01-19 Thread Amos Jeffries

On 20/01/2012 6:02 a.m., Sam Beechey wrote:

Hi All,

I have been configuring a new Squid server today. The original configuration 
(without TProxy) worked fine.. DNAT from port 80 to 3128 at squid server..

The source server is where end-users establish a connection, The Squid server 
is (10.10.10.1) and The Client in question is (10.10.10.100)

SOURCE SERVER:

iptables -t nat -N cache >/dev/null 2>&1
iptables -t nat -F cache
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
iptables -t nat -N cache_users >/dev/null 2>&1
iptables -t nat -F cache_users
iptables -t nat -A PREROUTING -j cache_users
iptables -t nat -A cache_users -s 10.10.10.100 -j cache
iptables -t nat -L cache -nvx

Now I wanted to use TProxy (so that the client address is shown rather than the 
squid server ip) - I made the following changes:

SQUID SERVER

Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + 
squid-2.7s9-tproxy-4.patch

./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid 
--srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid 
--enable-linux-netfilter --enable-linux-tproxy

http_port 3128
http_port 3129 tproxy

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 
0x1/0x1 --on-port 3129

AND TO THE SOURCE SERVER:

FROM:  iptables -t nat -I cache -p tcp -m tcp --dport 80 -j 
DNAT --to 10.10.10.1:3128
TO: iptables -t nat -I cache -p tcp -m tcp --dport 80 
-j DNAT --to 10.10.10.1:80

Now the redirection is working... But all the requests are producing an error, 
invalid get request...


NAT and TPROXY are mutually exclusive systems.

It is unclear whether this SOURCE SERVER is (a) the origin server 
providing the responses, or (b) a gateway server between the client and 
Squid.


 If (a),  then the NAT happening on S will be erasing the IP 
addresses setup by TPROXY on the packets. Destroying your idea of 
getting the client IP to show up anywhere and bouncing the packets back 
to a Squid forward-proxy listening port which cannot handle origin 
server (reverse-proxy) formatted HTTP traffic.


 If (b), then the NAT is erasing the server IP address which packet 
routing relies on to determine where the packet is going once it leaves 
Squid. Making the packets go straight back to a Squid forward-proxy 
listening port which cannot handle origin server (reverse-proxy) 
formatted HTTP traffic.


Either way results in:
   client --> ... --(TPROXY)--> Squid --> Squid:3128



==> /var/log/squid/cache.log <==
2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid 
Request

==> /var/log/squid/access.log <==
1326987346.801  0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- 
text/html


These NONE:// say that Squid received a GET request from client 
10.10.10.100 and rejected it as invalid HTTP before even getting to 
identify the URL fully.



==> /var/log/squid/store.log <==
1326987346.801 RELEASE -1  45B97B27006C6BC283B7EC45B6A1A89C  400 
1326987346    -1    -1 text/html 1820/1820 GET error:invalid-request


Error displayed in browser:

ERROR
The requested URL could not be retrieved

While trying to process the request:
GET / HTTP/1.1


The URL / is an origin-server-format relative URL, not the valid forward-proxy 
absolute URL required by proxies. Squid cannot handle this 
arriving on port 3128.



Amos
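An added illustration of the point Amos makes about request-target forms; this is example code, not part of the thread and not Squid's own parser. It classifies a request head the way a listening port has to: a plain forward-proxy port has nothing but the request line to identify the server, so "GET / HTTP/1.1" is undecidable there (the TCP_DENIED/400 ... NONE:// case), while an intercept, tproxy or accel port is allowed to rebuild the URL from the Host header. The function names and the "forward"/"intercept" mode labels are this example's own, and it simplifies Squid's real handling to those two cases.

```python
from urllib.parse import urlsplit

# Request head re-typed from the error page quoted above (Cookie dropped),
# with the CRLF line endings the wire form carries.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.60\r\n"
    b"Host: google.co.uk\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def parse_head(raw):
    """Split a request head into (method, target, version, headers dict).

    Raises ValueError for anything that is not a complete HTTP/1.x head,
    which covers the "missing method" and "missing HTTP identifier" items
    on Squid's invalid-request page.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.lower()] = value.strip()
    return method, target, version, headers


def target_form(method, target):
    """Name the request-target form (RFC 7230, section 5.3)."""
    if method == "CONNECT":
        return "authority"
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"      # what a browser sends to the origin server itself
    if "://" in target:
        return "absolute"    # what a browser sends to a configured proxy
    raise ValueError("unrecognised request-target: %r" % target)


def port_verdict(raw, port_mode):
    """Decide what a proxy listening port can do with the request.

    port_mode is "forward" for a plain http_port, or "intercept" for a port
    flagged intercept/tproxy/accel, which may rebuild the URL from Host.
    Returns ("accept", absolute_url) or ("deny", reason).
    """
    try:
        method, target, _version, headers = parse_head(raw)
        form = target_form(method, target)
    except ValueError as exc:
        return ("deny", "invalid-request: %s" % exc)
    if form == "absolute":
        parts = urlsplit(target)
        if parts.scheme != "http" or not parts.netloc:
            return ("deny", "invalid-request: unsupported URL %r" % target)
        return ("accept", target)
    if form == "origin":
        if port_mode == "forward":
            # The thread's TCP_DENIED/400 ... NONE:// case: nothing in the
            # request line says which server the client meant.
            return ("deny", "invalid-request: relative URL on forward-proxy port")
        host = headers.get("host", "")
        if not host or "_" in host:       # "underscores are not allowed"
            return ("deny", "invalid-request: missing or illegal Host header")
        return ("accept", "http://%s%s" % (host, target))
    return ("deny", "request-target form %s not handled here" % form)
```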


Re: [squid-users] Squid Sibling Proxy-Only Still Caching Locally

2012-01-19 Thread Amos Jeffries

On 20/01/2012 10:41 a.m., darren.trzy...@thomsonreuters.com wrote:

I am configuring squid caches to be siblings of each other and have gotten them 
to correctly communicate with each other from an ICP perspective and have one 
of the caches (B) pull content from another cache (A) that already had the 
object cached, but it seems when it pulls this object that it ends up caching 
it locally.  When a subsequent request is made to cache B, it is found right 
away, logs a TCP_HIT and returns the object.  I would have expected that 
request to make an ICP request to A again and then retrieve it from there, but 
instead it was in its cache.  I believe I verified this as well by looking on 
disk, and there is then an object which did not exist prior.  I thought that 
making the sibling proxy-only would force it to never cache anything it 
received from a sibling, but it doesn't appear to be the case.
Thanks
Darren

Cache A Config (without logging configurations)
acl all src all
acl manager proto cache_object

debug_options ALL,1 33,2
cache_mem 4096 MB
http_port 10.208.129.40:8060 accel defaultsite=mysite.com vport=80
cache_peer parent.com parent 7779 0 no-query originserver name=myAccel
icp_port 3200
icp_access allow all
cache_peer myhost sibling 8061 3201 name=myhost8061 proxy-only
http_access allow all
cache_peer_access myAccel allow all
cache_peer_access myAccel deny all

Cache A Log
[01-18-2012:15:32:01] 1326922321.696 22 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png 
PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-


Note the *PARENT* is source. Not the sibling.


[01-18-2012:15:32:14] 1326922334.204  2 10.208.128.43 TCP_HIT/200 48657 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- 
BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.314 - 127.0.0.2 UDP_HIT/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- 
BU:- SESSION:- USER:- ROOT:- PARENT:-


Note this last lookup was a UDP_HIT.  But the sibling fetch which should 
have followed it is not listed.




Cache B Config (without logging configurations)
acl all src all
acl manager proto cache_object

debug_options ALL,1 33,2
cache_mem 4096 MB
http_port 10.208.129.40:8061 accel defaultsite=mysite.com vport=80
cache_peer trp0001-08.int.westgroup.com parent 7779 0 no-query originserver 
name=myAccel
icp_port 3201
icp_access allow all
cache_peer myhost sibling 8060 3200 name=myhost8060 proxy-only
http_access allow all
cache_peer_access myAccel allow all
cache_peer_access myAccel deny all

Cache B Log
[01-18-2012:15:32:01] 1326922321.674 - 127.0.0.2 UDP_MISS/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- 
BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.354 40 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png 
PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-


Note the *PARENT* is the source, not the sibling.

Also, note the two requests above are completely unrelated to each 
other. The first is cacheB denying a sibling probe from cacheA. The 
second is cacheB serving an HTTP request from some client at 10.208.128.43.


Amos
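As an added example (not from the thread and not a Squid tool), here is the check Amos performs by eye, done over the log format Darren's caches write: a proxy-only sibling must never populate the local cache, so the misbehaviour to look for is a fetch whose hierarchy code is SIBLING_HIT followed by a TCP_HIT for the same URL on the same cache. Run over the Cache A lines quoted above it finds nothing, because every real fetch there came from FIRST_UP_PARENT/myAccel; the second, constructed log shows what a genuine violation would look like. The regex and function names are this example's own.

```python
import re
from collections import defaultdict

# Cache A lines quoted above, long lines joined back together (constructed copy).
CACHE_A_LOG = """\
[01-18-2012:15:32:01] 1326922321.696 22 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - FIRST_UP_PARENT/myAccel image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:14] 1326922334.204 2 10.208.128.43 TCP_HIT/200 48657 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
[01-18-2012:15:32:25] 1326922345.314 - 127.0.0.2 UDP_HIT/000 116 ICP_QUERY joe.com/thumb.png - NONE/- - PRODUCT:- BU:- SESSION:- USER:- ROOT:- PARENT:-
"""

# Constructed, not from the thread: what a real proxy-only violation on cache B
# would look like, the object fetched from the sibling and then served locally.
VIOLATION_LOG = """\
[01-18-2012:15:32:25] 1326922345.354 40 10.208.128.43 TCP_MISS/200 48646 GET joe.com/thumb.png - SIBLING_HIT/myhost8060 image/png PRODUCT:- BU:-
[01-19-2012:15:39:31] 1327009171.018 2 10.208.128.43 TCP_HIT/200 48658 GET joe.com/thumb.png - NONE/- image/png PRODUCT:- BU:-
"""

# Squid native access.log fields, preceded by the [date] prefix these caches add
# and followed by their custom PRODUCT:/BU:/... tags, which are ignored.
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^\]]+)\]\s+(?P<epoch>\d+\.\d+)\s+(?P<elapsed>\S+)\s+"
    r"(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

LOCAL_HIT_CODES = ("TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT")


def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def fetch_sources(text):
    """Map URL -> [(hierarchy code, peer name)] for real fetches via a peer.

    ICP_QUERY lines are probes, not fetches, and NONE/- means no peer was used,
    so both are left out. This is the "note the PARENT is the source" check.
    """
    sources = defaultdict(list)
    for rec in parse_log(text):
        if rec["method"] != "ICP_QUERY" and rec["hier"] != "NONE":
            sources[rec["url"]].append((rec["hier"], rec["peer"]))
    return dict(sources)


def sibling_cache_violations(text):
    """Return URLs fetched from a sibling and later served as a local hit."""
    fetched_from_sibling = set()
    violations = []
    for rec in parse_log(text):
        if rec["method"] == "ICP_QUERY":
            continue
        if rec["hier"] == "SIBLING_HIT":
            fetched_from_sibling.add(rec["url"])
        elif rec["code"] in LOCAL_HIT_CODES and rec["url"] in fetched_from_sibling:
            violations.append(rec["url"])
    return violations
```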