Re: [squid-users] TPROXY Error

2021-07-13 Thread Eliezer Croitoru
Hey Ben,

Still waiting for the relevant output.
Once I have the relevant details I will probably be able to verify how and
what the issue is.

Eliezer

-Original Message-
From: Eliezer Croitoru  
Sent: Thursday, July 8, 2021 12:04 AM
To: 'squid-users@lists.squid-cache.org' 
Cc: 'Ben Goz' 
Subject: RE: [squid-users] TPROXY Error

Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:
> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##

It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a different
routing/forwarding table.
If you want to understand a bit more, you might try looking up FIB.
(take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-Original Message-
From: Ben Goz  
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:
> Hey Ben,
>
> I want to try and reset this issue because I am missing some technical
> details.
>
> 1. What Linux Distro and what version are you using?
Ubuntu 20.04
> 2. the output of 'ip address'
$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens1f0:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0:  mtu 1500 qdisc noop state DOWN group 
default qlen 1000
 link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3:  mtu 1500 qdisc 
fq_codel state UP group default qlen 1000
 link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
 inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
valid_lft forever preferred_lft forever
 inet6 fe80::2e0:4cff:fe36:d3/64 scope link
valid_lft forever preferred_lft forever
6: bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
7: bond0.212@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
8: bond0.213@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
> 3. the output of 'ip rule'
$ ip rule
0:from all lookup local
32762:from all fwmark 0x1 lookup 100
32763:from all fwmark 0x1 lookup 100
32764:from all fwmark 0x1 lookup 100
32765:from all fwmark 0x1 lookup 100
32766:from all lookup main
32767:from all lookup default

> 4.  the output of 'ip route show'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
> 6. the output of 'iptables-save'


$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]

Re: [squid-users] TPROXY Error

2021-07-08 Thread Ben Goz

By the help of God.

It looks like the point of failure (?)

BTW, my kernel already contains the required tproxy drivers by default,
correct?



Regards,

Ben

On 08/07/2021 0:03, Eliezer Croitoru wrote:

Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:

5.  the output of 'ip route show table 100'

$ ip route show table 100
local default dev lo scope host

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##

It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a different
routing/forwarding table.
If you want to understand a bit more, you might try looking up FIB.
(take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-Original Message-
From: Ben Goz 
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:

Hey Ben,

I want to try and reset this issue because I am missing some technical
details.

1. What Linux Distro and what version are you using?

Ubuntu 20.04

2. the output of 'ip address'

$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
  inet6 ::1/128 scope host
 valid_lft forever preferred_lft forever
2: ens1f0:  mtu 1500 qdisc mq
master bond0 state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1:  mtu 1500 qdisc mq
master bond0 state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0:  mtu 1500 qdisc noop state DOWN group
default qlen 1000
  link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3:  mtu 1500 qdisc
fq_codel state UP group default qlen 1000
  link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
  inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
 valid_lft forever preferred_lft forever
  inet6 fe80::2e0:4cff:fe36:d3/64 scope link
 valid_lft forever preferred_lft forever
6: bond0:  mtu 1500 qdisc
noqueue state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
  inet6 fe80::b859:58ff:fe58:232b/64 scope link
 valid_lft forever preferred_lft forever
7: bond0.212@bond0:  mtu 1500 qdisc
noqueue state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
  inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
 valid_lft forever preferred_lft forever
  inet6 fe80::b859:58ff:fe58:232b/64 scope link
 valid_lft forever preferred_lft forever
8: bond0.213@bond0:  mtu 1500 qdisc
noqueue state UP group default qlen 1000
  link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
  inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
 valid_lft forever preferred_lft forever
  inet6 fe80::b859:58ff:fe58:232b/64 scope link
 valid_lft forever preferred_lft forever

3. the output of 'ip rule'

$ ip rule
0:from all lookup local
32762:from all fwmark 0x1 lookup 100
32763:from all fwmark 0x1 lookup 100
32764:from all fwmark 0x1 lookup 100
32765:from all fwmark 0x1 lookup 100
32766:from all lookup main
32767:from all lookup default


4.  the output of 'ip route show'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213


5.  the output of 'ip route show table 100'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

6. the output of 'iptables-save'


$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0
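
An added consistency check for the chain Eliezer is asking Ben to show (the `ip rule` fwmark rule, routing table 100, the `local default dev lo` route, and Squid's tproxy-flagged ports). This is an added example, not code from the thread or from Squid; it assumes the fwmark 0x1 and table 100 used in Ben's rules, and the function and variable names are mine. It runs here over constructed sample outputs modelled on the ones posted in the thread, including the mistake of pasting the main table under the "table 100" heading.

```shell
#!/bin/sh
# Added example (not code from the thread or from Squid): a consistency
# check over the four pieces of TPROXY plumbing the thread is chasing:
#   ip rule  ->  routing table 100  ->  local route on lo  ->  Squid tproxy port
# Assumes the fwmark 0x1 and table 100 used in Ben's rules; change the two
# variables below if your rules differ.
TPROXY_MARK="0x1"
TPROXY_TABLE="100"

# 1. `ip rule` must contain a rule sending marked packets to the TPROXY table.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark ${TPROXY_MARK}(/[0-9a-fx]+)? +lookup ${TPROXY_TABLE}\$"
}

# Number of such rules: more than one means `ip rule add` was run repeatedly
# (harmless for the lookup itself, but a sign the setup script is not idempotent).
count_fwmark_rules() {
    printf '%s\n' "$1" | grep -Ec "fwmark ${TPROXY_MARK}(/[0-9a-fx]+)? +lookup ${TPROXY_TABLE}\$" || true
}

# 2. `ip route show table N` must show the local default route on lo; without it
#    a marked packet is routed like any other instead of being delivered to the
#    socket Squid listens on.
has_local_default_route() {
    printf '%s\n' "$1" | grep -Eq '^local default dev lo( |$)'
}

# 3. Every TPROXY rule in iptables-save output must set the same mark bit the
#    policy rule looks up; a rule with a different mark never reaches table N.
tproxy_marks_consistent() {
    rules=$(printf '%s\n' "$1" | grep -E -- '-j TPROXY ') || return 1
    printf '%s\n' "$rules" | grep -Evq -- "--tproxy-mark ${TPROXY_MARK}/" && return 1
    return 0
}

# 4. Every --on-port in a TPROXY rule must be a tproxy-flagged http_port or
#    https_port in squid.conf, so the redirected connection lands on a listener
#    that expects TPROXY traffic.
tproxy_ports_listened() {
    iptables_out=$1
    squid_conf=$2
    ports=$(printf '%s\n' "$iptables_out" | grep -E -- '-j TPROXY ' \
            | sed -E 's/.*--on-port ([0-9]+).*/\1/')
    for p in $ports; do
        printf '%s\n' "$squid_conf" | grep -Eq "^https?_port +${p}( .*)? tproxy( |\$)" \
            || { echo "port ${p}: no 'http_port/https_port ${p} ... tproxy' in squid.conf"; return 1; }
    done
    return 0
}

# Runs the four checks in order and names the first one that fails.
check_all() {
    has_fwmark_rule "$1" \
        || { echo "missing: ip rule 'fwmark ${TPROXY_MARK} lookup ${TPROXY_TABLE}'"; return 1; }
    has_local_default_route "$2" \
        || { echo "missing: 'local default dev lo' in table ${TPROXY_TABLE} (is this really table ${TPROXY_TABLE}, not the main table?)"; return 1; }
    tproxy_marks_consistent "$3" \
        || { echo "mangle TPROXY rules do not all carry --tproxy-mark ${TPROXY_MARK}"; return 1; }
    tproxy_ports_listened "$3" "$4" || return 1
    echo "TPROXY plumbing is consistent: mark ${TPROXY_MARK} -> table ${TPROXY_TABLE} -> lo -> Squid tproxy ports"
}

# --- Constructed sample inputs, modelled on the outputs posted in the thread ---
IP_RULE_OUT='0:      from all lookup local
32762:  from all fwmark 0x1 lookup 100
32763:  from all fwmark 0x1 lookup 100
32764:  from all fwmark 0x1 lookup 100
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

# What table 100 looks like after `ip -f inet route add local default dev lo table 100`:
TABLE100_OK='local default dev lo scope host'

# What was first posted under the "table 100" heading: the main table instead.
TABLE100_WRONG='default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1'

MANGLE_RULES='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 15645 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'

SQUID_CONF='http_port 15643
http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL'

echo "fwmark rules present: $(count_fwmark_rules "$IP_RULE_OUT") (more than 1 means the add was repeated)"
echo "== with the main-table output that was posted first =="
check_all "$IP_RULE_OUT" "$TABLE100_WRONG" "$MANGLE_RULES" "$SQUID_CONF" || true
echo "== with the real table ${TPROXY_TABLE} output =="
check_all "$IP_RULE_OUT" "$TABLE100_OK" "$MANGLE_RULES" "$SQUID_CONF" || true
```

To run it on a live box, replace the constructed strings with `$(ip rule)`, `$(ip route show table 100)`, `$(iptables-save -t mangle)` and the contents of your squid.conf (the path is whatever your build uses; the thread's build lives under /usr/local/squid). The check only covers what those four outputs can show; it says nothing about kernel modules, sysctls or the security policies Amos mentions.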

Re: [squid-users] TPROXY Error

2021-07-07 Thread Eliezer Croitoru
Hey Ben,

You are missing the critical output of the full command:
ip route show table 100

What you posted was:
> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
##

It's important to see the relevant routing table.
The Linux kernel has a couple of routing tables, each of which can contain a different
routing/forwarding table.
If you want to understand a bit more, you might try looking up FIB.
(take a peek at: http://linux-ip.net/html/routing-tables.html)

Eliezer

-Original Message-
From: Ben Goz  
Sent: Wednesday, July 7, 2021 3:36 PM
To: Eliezer Croitoru ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TPROXY Error

By the help of God.


Hi Eliezer,

Thanks for your help.

Please let me know if you need more information.


Regards,

Ben

On 07/07/2021 14:01, Eliezer Croitoru wrote:
> Hey Ben,
>
> I want to try and reset this issue because I am missing some technical
> details.
>
> 1. What Linux Distro and what version are you using?
Ubuntu 20.04
> 2. the output of 'ip address'
$ ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens1f0:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
3: ens1f1:  mtu 1500 qdisc mq 
master bond0 state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
4: usb0:  mtu 1500 qdisc noop state DOWN group 
default qlen 1000
 link/ether ca:13:59:65:c2:56 brd ff:ff:ff:ff:ff:ff
5: enx00e04c3600d3:  mtu 1500 qdisc 
fq_codel state UP group default qlen 1000
 link/ether 00:e0:4c:36:00:d3 brd ff:ff:ff:ff:ff:ff
 inet 8.11.39.250/30 brd 8.11.39.251 scope global enx00e04c3600d3
valid_lft forever preferred_lft forever
 inet6 fe80::2e0:4cff:fe36:d3/64 scope link
valid_lft forever preferred_lft forever
6: bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
7: bond0.212@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 8.13.140.1/28 brd 8.13.140.15 scope global bond0.212
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
8: bond0.213@bond0:  mtu 1500 qdisc 
noqueue state UP group default qlen 1000
 link/ether ba:59:58:58:23:2b brd ff:ff:ff:ff:ff:ff
 inet 1.21.213.1/24 brd 1.21.213.255 scope global bond0.213
valid_lft forever preferred_lft forever
 inet6 fe80::b859:58ff:fe58:232b/64 scope link
valid_lft forever preferred_lft forever
> 3. the output of 'ip rule'
$ ip rule
0:from all lookup local
32762:from all fwmark 0x1 lookup 100
32763:from all fwmark 0x1 lookup 100
32764:from all fwmark 0x1 lookup 100
32765:from all fwmark 0x1 lookup 100
32766:from all lookup main
32767:from all lookup default

> 4.  the output of 'ip route show'

$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213

> 5.  the output of 'ip route show table 100'
$ ip route show
default via 8.13.140.14 dev bond0.212 proto static
1.21.213.0/24 dev bond0.213 proto kernel scope link src 1.21.213.1
8.11.39.248/30 dev enx00e04c3600d3 proto kernel scope link src 8.11.39.250
8.13.140.0/28 dev bond0.212 proto kernel scope link src 8.13.140.1
8.13.144.0/20 via 1.21.213.254 dev bond0.213
8.13.148.1 via 1.21.213.254 dev bond0.213
> 6. the output of 'iptables-save'


$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Jul  7 12:25:05 2021
*mangle
:PREROUTING ACCEPT [72898710:6084386298]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 80 -j TPROXY --on-port 
15644 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i bond0.213 -p tcp -m tcp --dport 443 -j TPROXY --on-port 
15645 -

Re: [squid-users] TPROXY Error

2021-07-07 Thread Ben Goz
 your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8        # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly 
plugged) machines

acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16        # RFC 1918 local private network 
(LAN)

acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly 
plugged) machines


acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

http_access allow all

# Squid normally listens to port 3128
http_port 15643
http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on 
options=ALL dynamic_cert_mem_cache_size=4MB 
cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
dhparams=/usr/local/squid/etc/dhparam.pem

always_direct allow all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLInterceptRegexp_always ssl::server_name_regex -i xxx
acl NoSSLIntercept ssl::server_name  "xxx"
acl NoSSLInterceptRegexp ssl::server_name_regex -i "xxx"
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump splice NoSSLIntercept
ssl_bump splice NoSSLInterceptRegexp
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s 
/var/lib/ssl_db -M 4MB

sslcrtd_children 32 startup=15 idle=3
#sslproxy_capath /etc/ssl/certs

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

range_offset_limit -1

dns_v4_first on
forwarded_for off
cache deny all

9. the output of 'squid -v'

$ ./squid -v
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html


configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' 
'--enable-linux-netfilter' --enable-ltdl-convenience



10. the output of 'uname -a'

uname -a
Linux xxx 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 
x86_64 x86_64 x86_64 GNU/Linux


Once we have all the above details (reducing/modifying any private
details) we can try to maybe help you.

Eliezer

-Original Message-
From: squid-users  On Behalf Of
Ben Goz
Sent: Wednesday, June 30, 2021 3:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] TPROXY Error

  By the help of God.

Hi All,
I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.
It looks like iptables TPROXY redirect works but squid prints out the
following error:

ERROR: NAT/TPROXY lookup failed to locate original IPs on
local=xxx:443 remote=xxx:49471 FD 14 flags=17

I think I loaded all TPROXY required kernel modules.

The IP forwarding works fine without the iptables rules, and I don't
see any squid ERROR on getsockopt.

Please le

Re: [squid-users] TPROXY Error

2021-07-07 Thread Eliezer Croitoru
Hey Ben,

I want to try and reset this issue because I am missing some technical
details.

1. What Linux Distro and what version are you using?
2. the output of 'ip address'
3. the output of 'ip rule'
4.  the output of 'ip route show'
5.  the output of 'ip route show table 100'
6. the output of 'iptables-save'
7. the output of 'nft -nn list ruleset' (if exists on the OS)
8. the output of your squid.conf
9. the output of 'squid -v'
10. the output of 'uname -a'

Once we have all the above details (reducing/modifying any private
details) we can try to maybe help you.

Eliezer

-Original Message-
From: squid-users  On Behalf Of
Ben Goz
Sent: Wednesday, June 30, 2021 3:16 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] TPROXY Error

 By the help of God.

Hi All,
I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.
It looks like iptables TPROXY redirect works but squid prints out the
following error:

ERROR: NAT/TPROXY lookup failed to locate original IPs on
local=xxx:443 remote=xxx:49471 FD 14 flags=17

I think I loaded all TPROXY required kernel modules.

The IP forwarding works fine without the iptables rules, and I don't
see any squid ERROR on getsockopt.

Please let me know what I'm missing.

Thanks,
Ben
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] TPROXY Error

2021-07-06 Thread Amos Jeffries

On 5/07/21 11:31 pm, Ben Goz wrote:

By the help of God.

Does someone have an idea what's wrong with my configuration?



The config you have shown does not contain any visible issues.

The feature page has information on minimum kernel and library requirements
for TPROXY to work reasonably well. There are also sections on other
things to check for in regards to routing table behaviours in various
kernels, and system security policies (e.g. SELinux, Apport, systemd).

  

Amos


Re: [squid-users] TPROXY Error

2021-07-05 Thread Ben Goz

By the help of God.

Does someone have an idea what's wrong with my configuration?

On 30/06/2021 15:55, Ben Goz wrote:


On 30/06/2021 15:25, Antony Stone wrote:

On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:


I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.

1. Which version of Squid are you using?

# ./squid -v
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions 
on distribution see https://www.openssl.org/source/license.html


configure options:  '--with-openssl' '--enable-ssl-crtd' 
'--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience




2. Please show us the TPROXY rules you have.



iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15645



including:

ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100



3. Please show us the relevant lines for intercept proxying from your
squid.conf



http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on 
options=ALL dynamic_cert_mem_cache_size=4MB 
cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
dhparams=/usr/local/squid/etc/dhparam.pem

always_direct allow all






Regards,


Antony.




Re: [squid-users] TPROXY Error

2021-06-30 Thread Ben Goz


On 30/06/2021 15:25, Antony Stone wrote:

On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:


I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.

1. Which version of Squid are you using?

# ./squid -v
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html


configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' 
'--enable-linux-netfilter' --enable-ltdl-convenience




2. Please show us the TPROXY rules you have.



iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j 
TPROXY --tproxy-mark 0x1/0x1 --on-port 15645



including:

ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100



3. Please show us the relevant lines for intercept proxying from your
squid.conf



http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on 
options=ALL dynamic_cert_mem_cache_size=4MB 
cert=/usr/local/squid/etc/ssl_cert/myCA.pem 
dhparams=/usr/local/squid/etc/dhparam.pem

always_direct allow all






Regards,


Antony.




Re: [squid-users] TPROXY Error

2021-06-30 Thread Antony Stone
On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:

> I'm trying to configure squid as a transparent proxy using TPROXY.
> The machine I'm using has 2 NICs, one for input and the other one for
> output traffic.
> The TPROXY iptables rules are configured on the input NIC.

1. Which version of Squid are you using?

2. Please show us the TPROXY rules you have.

3. Please show us the relevant lines for intercept proxying from your 
squid.conf


Regards,


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.


[squid-users] TPROXY Error

2021-06-30 Thread Ben Goz
 By the help of God.

Hi All,
I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.
It looks like iptables TPROXY redirect works but squid prints out the
following error:

ERROR: NAT/TPROXY lookup failed to locate original IPs on
local=xxx:443 remote=xxx:49471 FD 14 flags=17

I think I loaded all TPROXY required kernel modules.

The IP forwarding works fine without the iptables rules, and I don't
see any squid ERROR on getsockopt.

Please let me know what I'm missing.

Thanks,
Ben


Re: [squid-users] tproxy sslbump and user authentication

2020-04-24 Thread Vieri

On Tuesday, April 21, 2020, 2:41:02 PM GMT+2, Matus UHLAR - fantomas 
 wrote: 

>>On Tuesday, April 21, 2020, 8:29:28 AM GMT+2, Amos Jeffries 
>> wrote:
>>>
>>> Please see the FAQ:
>>> 
>>>
>>> Why bother with the second proxy at all? The explicit proxy has access
>>> to all the details the interception one does (and more - such as
>>> credentials). It should be able to do all filtering necessary.
>
> On 21.04.20 12:33, Vieri wrote:
>>Can the explicit proxy ssl-bump HTTPS traffic and thus analyze traffic with 
>>ICAP + squidclamav, for instance?
>
> yes.
>
>>Simply put, will I be able to block, eg. 
>> https://secure.eicar.org/eicarcom2.zip not by mimetype, file extension,
>> url matching, etc., but by analyzing its content with clamav via ICAP?
>
> without bumping, you won't be able to block by anything, only by 
> secure.eicar.org hostname.

Hi,

I'm not sure I understand how that should be configured.

I whipped up a test instance with the configuration I'm showing below.

My browser can authenticate via kerberos and access several web sites (http & 
https) if I explicitly set it to proxy everything to squid10.mydomain.org on 
port 3228.
However, icap/clamav filtering is "not working" for either http or https.
My cache log shows a lot of messages regarding "icap" when I try to download an 
eicar test file. So something is triggered, but before sending a huge log to 
the mailing list, what should I be looking for exactly, or is there a specific 
loglevel I should set?

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

pid_filename /run/squid.testexplicit.pid
access_log daemon:/var/log/squid/access.test.log squid
cache_log /var/log/squid/cache.test.log

acl explicit myportname 3227
acl explicitbump myportname 3228
acl interceptedssl myportname 3229

http_port 3227
# http_port 3228 tproxy
http_port 3228 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem 
sslflags=NO_DEFAULT_CA
https_port 3229 tproxy ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem 
sslflags=NO_DEFAULT_CA
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db_test -M 
16MB
sslcrtd_children 40 startup=20 idle=10

cache_dir diskd /var/cache/squid.test 32 16 256

external_acl_type nt_group ttl=0 children-max=50 %LOGIN 
/usr/libexec/squid/ext_wbinfo_group_acl -K

auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s 
HTTP/squid10.mydomain.org@MYREALNAME
auth_param negotiate children 60
auth_param negotiate keep_alive on

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl localnet src 172.16.0.1
acl localnet src fc00::/7

acl ORG_all proxy_auth REQUIRED

http_access deny explicit !ORG_all
#http_access deny explicit SSL_ports
http_access deny explicitbump !localnet
http_access deny explicitbump !ORG_all
http_access deny interceptedssl !localnet
http_access deny interceptedssl !ORG_all

http_access allow CONNECT interceptedssl SSL_ports

http_access allow localnet
http_reply_access allow localnet

http_access allow ORG_all

debug_options rotate=1 ALL,9
# debug_options rotate=1 ALL,1

append_domain .mydomain.org

ssl_bump stare all
ssl_bump bump all

http_access allow localhost

http_access deny all

coredump_dir /var/cache/squid

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all
icap_service_failure_limit -1
icap_persistent_connections off


--
Vieri


Re: [squid-users] tproxy sslbump and user authentication

2020-04-21 Thread Vieri

On Tuesday, April 21, 2020, 8:29:28 AM GMT+2, Amos Jeffries 
 wrote: 
>
> Please see the FAQ:
> 
>
> Why bother with the second proxy at all? The explicit proxy has access
> to all the details the interception one does (and more - such as
> credentials). It should be able to do all filtering necessary.

Can the explicit proxy ssl-bump HTTPS traffic and thus analyze traffic with 
ICAP + squidclamav, for instance?
Simply put, will I be able to block, eg. https://secure.eicar.org/eicarcom2.zip 
not by mimetype, file extension, url matching, etc., but by analyzing its 
content with clamav via ICAP?

> TPROXY and NAT are for proxying traffic of clients which do not support
> HTTP proxies. They are hugely limited in what they can do. If you have
> ability to use explicit-proxy, do so.

Unfortunately, some programs don't support proxies, or we simply don't care and 
want to force-filter traffic anyway.

Vieri


Re: [squid-users] tproxy sslbump and user authentication

2020-04-21 Thread Matus UHLAR - fantomas

On Tuesday, April 21, 2020, 8:29:28 AM GMT+2, Amos Jeffries wrote:
> Please see the FAQ:
> 
> Why bother with the second proxy at all? The explicit proxy has access
> to all the details the interception one does (and more - such as
> credentials). It should be able to do all filtering necessary.

On 21.04.20 12:33, Vieri wrote:
> Can the explicit proxy ssl-bump HTTPS traffic and thus analyze traffic with
> ICAP + squidclamav, for instance?

yes.

> Simply put, will I be able to block, eg.
> https://secure.eicar.org/eicarcom2.zip not by mimetype, file extension,
> url matching, etc., but by analyzing its content with clamav via ICAP?

without bumping, you won't be able to block by anything, only by the
secure.eicar.org hostname.

>> TPROXY and NAT are for proxying traffic of clients which do not support
>> HTTP proxies. They are hugely limited in what they can do. If you have
>> ability to use explicit-proxy, do so.

> Unfortunately, some programs don't support proxies, or we simply don't care
> and want to force-filter traffic anyway.

of course, but it has drawbacks.
You need to create your own certificate and push it to clients/applications.
Some applications may refuse the certificate anyway.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: [squid-users] tproxy sslbump and user authentication

2020-04-21 Thread Amos Jeffries
On 21/04/20 11:08 am, Vieri wrote:
> Hi,
> 
> Is it possible to somehow combine the filtering capabilities of tproxy 
> ssl-bump for access to https sites and the access control flexibility of 
> proxy_auth (eg. kerberos)?

Please see the FAQ:
 



> 
> Is having two proxy servers in sequence an acceptable approach, or can it be 
> done within the same instance with the CONNECT method?
> 
> My first approach would be to configure clients to send their user 
> credentials to an explicit proxy (Squid #1) which would then proxy_auth via 
> Kerberos to a PDC. ACL rules would be applied here based on users, domains, 
> IP addr., etc.
> 
> The http/https traffic would then go forcibly through a tproxy ssl-bump host 
> (Squid #2) which would basically analyze/filter traffic via ICAP.


Why bother with the second proxy at all? The explicit proxy has access
to all the details the interception one does (and more - such as
credentials). It should be able to do all filtering necessary.

TPROXY and NAT are for proxying traffic of clients which do not support
HTTP proxies. They are hugely limited in what they can do. If you have
ability to use explicit-proxy, do so.


Amos


[squid-users] tproxy sslbump and user authentication

2020-04-20 Thread Vieri
Hi,

Is it possible to somehow combine the filtering capabilities of tproxy ssl-bump 
for access to https sites and the access control flexibility of proxy_auth (eg. 
kerberos)?

Is having two proxy servers in sequence an acceptable approach, or can it be 
done within the same instance with the CONNECT method?

My first approach would be to configure clients to send their user credentials 
to an explicit proxy (Squid #1) which would then proxy_auth via Kerberos to a 
PDC. ACL rules would be applied here based on users, domains, IP addr., etc.

The http/https traffic would then go forcibly through a tproxy ssl-bump host 
(Squid #2) which would basically analyze/filter traffic via ICAP.

Has anyone already dealt with this problem, and how?

Regards,

Vieri



Re: [squid-users] tproxy first time implementation on squid.

2017-10-22 Thread Alex K
You might be missing a NAT at the last node before the packet leaves for the
Internet; otherwise you need a public IP at the Windows client.

On Oct 22, 2017 19:08, "Hanoch Hanoch K"  wrote:

> Hi
> I am trying to configure tproxy to expose the IP address I am using to
> internet sites and not the IP address of the squid server.
> I did read the wiki from the squid web site and acted upon it.
> The environment I am using is test and I will need to deploy it into
> production when the test works and all the subject is clear to me.
> So the server is ubuntu 14.04.
> Squid was compiled with the netfilter prefix.
> The kernel is new and seems to have built-in support for tproxy.
> iptables rules were created as the wiki requests.
> The route option has been applied and the sysctl was configured as requested
> by the wiki.
> The client is a Windows 7 VMware VM and also the server is a VMware VM with 2
> ethernet adapters.
> One of the interfaces connects the Windows 7 and one has an IP from the
> built-in DHCP server at the router and it is the internet interface.
> The server and the client are both behind the router and all have private IPs.
> That is the setup till now.
> The problem is when I try to surf with this configuration I get a time out.
> The wiki says it is a routing problem.
> But digging the logs I do not understand where my mistake is.
> Can I use this configuration? Let's say, can I send an IP like 10.0.0.2 to be
> discovered on the internet?
> Is this configuration legal?
> Don't I need a public IP on all the interfaces?
> If not, what is wrong?
> I will be happy to supply any log or conf file.
> Please try to help me.
>


[squid-users] tproxy first time implementation on squid.

2017-10-22 Thread Hanoch Hanoch K
Hi
I am trying to configure tproxy to expose the IP address I am using to
internet sites and not the IP address of the squid server.
I did read the wiki from the squid web site and acted upon it.
The environment I am using is test and I will need to deploy it into
production when the test works and all the subject is clear to me.
So the server is ubuntu 14.04.
Squid was compiled with the netfilter prefix.
The kernel is new and seems to have built-in support for tproxy.
iptables rules were created as the wiki requests.
The route option has been applied and the sysctl was configured as requested by
the wiki.
The client is a Windows 7 VMware VM and also the server is a VMware VM with 2
ethernet adapters.
One of the interfaces connects the Windows 7 and one has an IP from the
built-in DHCP server at the router and it is the internet interface.
The server and the client are both behind the router and all have private IPs.
That is the setup till now.
The problem is when I try to surf with this configuration I get a time out.
The wiki says it is a routing problem.
But digging the logs I do not understand where my mistake is.
Can I use this configuration? Let's say, can I send an IP like 10.0.0.2 to be
discovered on the internet?
Is this configuration legal?
Don't I need a public IP on all the interfaces?
If not, what is wrong?
I will be happy to supply any log or conf file.
Please try to help me.


Re: [squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

2016-10-26 Thread Jens Offenbach
@Amos
Thank you very much for improving the Squid configuration. I am currently in 
the setup phase and "opened" everything, in order not to run into permission 
problems. I have added and removed your suggestions, respectively. The 
configuration looks much better now.

I was able to solve my Tproxy problem. The routing table was missing. The 
following commands fixed it:
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

Regards,
Jens
 

Sent: Wednesday, October 26, 2016 at 13:12
From: "Amos Jeffries" <squ...@treenet.co.nz>
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)
On 26/10/2016 7:42 p.m., Jens Offenbach wrote:
> Hi,
> I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 
> 16.04.1, but I cannot get it working. When a client tries to connect to the 
> web, the connection always times out.
>
> Hopefully, someone has an idea what's going on.
>
> uname -r:
> 4.4.0-45-generic
>
> sysctl:
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
>
> squid.conf:
> # ACCESS CONTROLS
> # 
> -
> acl localnet src 139.2.0.0/16
> acl localnet src 193.96.112.0/21
> acl localnet src 192.109.216.0/24
> acl localnet src 100.1.4.0/22
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl to_localnet dst 139.2.0.0/16
> acl to_localnet dst 193.96.112.0/21
> acl to_localnet dst 192.109.216.0/24
> acl to_localnet dst 100.1.4.0/22
> acl to_localnet dst 10.0.0.0/8
> acl to_localnet dst 172.16.0.0/12
> acl to_localnet dst 192.168.0.0/16
>

Missing basic security controls to prevent this being an abused open proxy.
http_access deny !Safe_Ports
http_access deny CONNECT !SSL_Ports


> http_access allow manager localhost
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow to_localnet

Permits external visitors uncontrolled access to your LAN IP spaces.
Particularly when combined with the "always_direct allow to_localnet" below.
Really want that?

> http_access deny all
>
> # NETWORK OPTIONS
> # 
> -
> http_port 10.30.200.99:3128
> http_port 10.30.216.254:3128
> http_port 10.30.216.254:3129 tproxy
>
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # 
> -
> cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
> cache_peer roxy.mycompany.com parent 8080 0 no-query no-digest

I suspect the peers are sending TCP SYN+ACK responses directly back to
the client IP which Squid is spoofing.

Add the option "no-tproxy" to these peer lines to avoid that.

>
> # MEMORY CACHE OPTIONS
> # 
> -
> maximum_object_size_in_memory 8 MB
> memory_replacement_policy heap LFUDA
> cache_mem 256 MB
>
> # DISK CACHE OPTIONS
> # 
> -
> maximum_object_size 10 GB
> cache_replacement_policy heap GDSF
> cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240
>
> # LOGFILE OPTIONS
> # 
> -
> access_log daemon:/var/log/squid/access.log squid
> cache_store_log daemon:/var/log/squid/store.log
>

store.log is very rarely needed. You might consider removing it for some
extra speed out of the proxy.


> # OPTIONS FOR TROUBLESHOOTING
> # 
> -
> cache_log /var/log/squid/cache.log
> coredump_dir /var/log/squid
>
> # OPTIONS FOR TUNING THE CACHE
> # 
> -
> cache allow all

Unnecessary default value configured.

>
> # ADMINISTRATIVE PARAMETERS
> # 
> -
> visible_hostname my-proxy.mycompany.com
>
> # ICP OPTIONS
> # 
> -
> icp_port 0
>

Unnecessary default value configured.

> # OPTIONS INFLUENCING REQUEST FORWARDING
> # 
> -
> always_direct allow to_localnet
> always_direct allow to_localhost
> never_direct allow all
>

Amos



Re: [squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

2016-10-26 Thread Amos Jeffries
On 26/10/2016 7:42 p.m., Jens Offenbach wrote:
> Hi,
> I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 
> 16.04.1, but I cannot get it working. When a client tries to connect to the 
> web, the connection always times out.
> 
> Hopefully, someone has an idea what's going on.
> 
> uname -r:
> 4.4.0-45-generic
> 
> sysctl:
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> 
> squid.conf:
> # ACCESS CONTROLS
> # -
>   acl localnet src 139.2.0.0/16
>   acl localnet src 193.96.112.0/21
>   acl localnet src 192.109.216.0/24
>   acl localnet src 100.1.4.0/22
>   acl localnet src 10.0.0.0/8
>   acl localnet src 172.16.0.0/12
>   acl localnet src 192.168.0.0/16
>   acl to_localnet dst 139.2.0.0/16
>   acl to_localnet dst 193.96.112.0/21
>   acl to_localnet dst 192.109.216.0/24
>   acl to_localnet dst 100.1.4.0/22
>   acl to_localnet dst 10.0.0.0/8
>   acl to_localnet dst 172.16.0.0/12
>   acl to_localnet dst 192.168.0.0/16
> 

Missing basic security controls to prevent this being an abused open proxy.
 http_access deny !Safe_Ports
 http_access deny CONNECT !SSL_Ports


>   http_access allow manager localhost
>   http_access deny  manager
>   http_access allow localnet
>   http_access allow localhost
>   http_access allow to_localnet

Permits external visitors uncontrolled access to your LAN IP spaces.
Particularly when combined with the "always_direct allow to_localnet" below.
  Really want that?

>   http_access deny all
> 
> # NETWORK OPTIONS
> # 
> -
>   http_port 10.30.200.99:3128
>   http_port 10.30.216.254:3128
>   http_port 10.30.216.254:3129 tproxy
> 
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # 
> -
>   cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
>   cache_peer  roxy.mycompany.com parent 8080 0 no-query no-digest

I suspect the peers are sending TCP SYN+ACK responses directly back to
the client IP which Squid is spoofing.

Add the option "no-tproxy" to these peer lines to avoid that.

> 
> # MEMORY CACHE OPTIONS
> # 
> -
>   maximum_object_size_in_memory 8 MB
>   memory_replacement_policy heap LFUDA
>   cache_mem 256 MB
> 
> # DISK CACHE OPTIONS
> # 
> -
>   maximum_object_size 10 GB
>   cache_replacement_policy heap GDSF
>   cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240
> 
> # LOGFILE OPTIONS
> # 
> -
>   access_log daemon:/var/log/squid/access.log squid
>   cache_store_log daemon:/var/log/squid/store.log
> 

store.log is very rarely needed. You might consider removing it for some
extra speed out of the proxy.


> # OPTIONS FOR TROUBLESHOOTING
> # 
> -
>   cache_log /var/log/squid/cache.log
>   coredump_dir /var/log/squid
>   
> # OPTIONS FOR TUNING THE CACHE
> # 
> -
>   cache allow all

Unnecessary default value configured.

>   
> # ADMINISTRATIVE PARAMETERS
> # 
> -
>   visible_hostname my-proxy.mycompany.com
> 
> # ICP OPTIONS
> # 
> -
>   icp_port 0
> 

Unnecessary default value configured.

> # OPTIONS INFLUENCING REQUEST FORWARDING 
> # 
> -
>   always_direct allow to_localnet
>   always_direct allow to_localhost
>   never_direct  allow all
> 

Amos

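The two review points above (missing Safe_ports / SSL_ports guards, and an unrestricted allow on the to_localnet dst ACL combined with always_direct) turned into a small linter, as an added example; this is not Squid's own code nor code from the thread, and the config excerpts are constructed from the directives quoted in it.

```python
"""Lint the http_access section of a squid.conf for the two problems
Amos raises above: missing Safe_ports / SSL_ports guards, and an allow
rule that opens internal destination ranges to any client.

Added example; not Squid's own tooling and not code from the thread.
The config excerpts are constructed from the directives quoted in it.
"""
import ipaddress

# Constructed excerpt modelled on the posted squid.conf.
POSTED_CONF = """\
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl to_localnet dst 10.0.0.0/8
acl to_localnet dst 192.168.0.0/16
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow to_localnet
http_access deny all
always_direct allow to_localnet
"""

# The same excerpt with the guards Amos suggests placed first and the
# unrestricted dst allow removed.
FIXED_CONF = """\
acl Safe_ports port 80 443 21 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
acl to_localnet dst 10.0.0.0/8
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse_conf(text):
    """Return (acls by name, http_access rules, other directives) in file order."""
    acls, rules, other = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))      # (allow|deny, terms)
        else:
            other.append(parts)
    return acls, rules, other


def _has_private_net(args):
    """True if any argument parses as a private (RFC 1918 etc.) network."""
    for arg in args:
        try:
            if ipaddress.ip_network(arg, strict=False).is_private:
                return True
        except ValueError:
            pass
    return False


def _guard_index(rules, want):
    """Index of the first deny rule whose terms match `want` (case-insensitive)."""
    want = [t.lower() for t in want]
    for i, (action, terms) in enumerate(rules):
        if action == "deny" and [t.lower() for t in terms] == want:
            return i
    return None


def lint(text):
    """Return a list of finding strings; an empty list means nothing found."""
    acls, rules, other = parse_conf(text)
    findings = []
    defined = {name.lower() for name in acls}
    first_allow = next((i for i, (a, _) in enumerate(rules) if a == "allow"), len(rules))
    # 1. Port guards: both deny rules must exist and precede every allow.
    # Names are compared case-insensitively (the thread writes Safe_Ports,
    # the default config Safe_ports).
    for name, terms in (("Safe_ports", ["!Safe_ports"]),
                        ("SSL_ports", ["CONNECT", "!SSL_ports"])):
        if name.lower() not in defined:
            findings.append("acl %s is not defined" % name)
        idx = _guard_index(rules, terms)
        if idx is None:
            findings.append("missing: http_access deny %s" % " ".join(terms))
        elif idx > first_allow:
            findings.append("http_access deny %s comes after an allow rule" % " ".join(terms))
    # 2. An allow whose only term is a dst ACL on private ranges lets any
    # client reach the LAN; worse when always_direct also matches it.
    direct = {p[2] for p in other if p[:2] == ["always_direct", "allow"] and len(p) > 2}
    for action, terms in rules:
        if action != "allow" or len(terms) != 1:
            continue
        name = terms[0]
        if any(kind == "dst" and _has_private_net(args) for kind, args in acls.get(name, [])):
            note = "http_access allow %s exposes internal dst ranges to any client" % name
            if name in direct:
                note += " (and always_direct allow %s sends it direct)" % name
            findings.append(note)
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, lint(conf) or ["ok"])
```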


[squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

2016-10-26 Thread Jens Offenbach
Hi,
I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 
16.04.1, but I cannot get it working. When a client tries to connect to the 
web, the connection always times out.

Hopefully, someone has an idea what's going on.

uname -r:
4.4.0-45-generic

sysctl:
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

squid.conf:
# ACCESS CONTROLS
# -
  acl localnet src 139.2.0.0/16
  acl localnet src 193.96.112.0/21
  acl localnet src 192.109.216.0/24
  acl localnet src 100.1.4.0/22
  acl localnet src 10.0.0.0/8
  acl localnet src 172.16.0.0/12
  acl localnet src 192.168.0.0/16
  acl to_localnet dst 139.2.0.0/16
  acl to_localnet dst 193.96.112.0/21
  acl to_localnet dst 192.109.216.0/24
  acl to_localnet dst 100.1.4.0/22
  acl to_localnet dst 10.0.0.0/8
  acl to_localnet dst 172.16.0.0/12
  acl to_localnet dst 192.168.0.0/16

  http_access allow manager localhost
  http_access deny  manager
  http_access allow localnet
  http_access allow localhost
  http_access allow to_localnet
  http_access deny all

# NETWORK OPTIONS
# -
  http_port 10.30.200.99:3128
  http_port 10.30.216.254:3128
  http_port 10.30.216.254:3129 tproxy

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -
  cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
  cache_peer  roxy.mycompany.com parent 8080 0 no-query no-digest

# MEMORY CACHE OPTIONS
# -
  maximum_object_size_in_memory 8 MB
  memory_replacement_policy heap LFUDA
  cache_mem 256 MB

# DISK CACHE OPTIONS
# -
  maximum_object_size 10 GB
  cache_replacement_policy heap GDSF
  cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240

# LOGFILE OPTIONS
# -
  access_log daemon:/var/log/squid/access.log squid
  cache_store_log daemon:/var/log/squid/store.log

# OPTIONS FOR TROUBLESHOOTING
# -
  cache_log /var/log/squid/cache.log
  coredump_dir /var/log/squid
  
# OPTIONS FOR TUNING THE CACHE
# -
  cache allow all
  
# ADMINISTRATIVE PARAMETERS
# -
  visible_hostname my-proxy.mycompany.com

# ICP OPTIONS
# -
  icp_port 0

# OPTIONS INFLUENCING REQUEST FORWARDING 
# -
  always_direct allow to_localnet
  always_direct allow to_localhost
  never_direct  allow all

# DNS OPTIONS
# -
  dns_nameservers 192.168.0.1
  dns_nameservers 192.168.0.2

# MISCELLANEOUS
# -
  memory_pools off

iptables-rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 
0x1/0x1 --on-port 3129 --on-ip 10.30.216.254

I can see that packets are traversing the chain DIVERT and TPROXY (packet 
counter):
Chain DIVERT (1 references)
 pkts bytes target  prot opt in  out source    destination
1134K  416M MARK    all  --  *   *   0.0.0.0/0 0.0.0.0/0    MARK set 0x1
1134K  416M ACCEPT  all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain PREROUTING (policy ACCEPT 2380 packets, 261K bytes)
 pkts bytes target                       prot opt in  out source    destination
1253K  455M neutron-openvswi-PREROUTING  all  --  *   *   0.0.0.0/0 0.0.0.0/0
1134K  416M DIVERT                       tcp  --  *   *   0.0.0.0/0 0.0.0.0/0    socket
 2125  119K LOG                          tcp  --  *   *   0.0.0.0/0 0.0.0.0/0    tcp dpt:80 LOG flags 0 level 4 prefix "TPROXY : "
   63  3780 TPROXY                       tcp  --  *   *   0.0.0.0/0 0.0.0.0/0    tcp dpt:80 TPROXY redirect 10.30.216.254:3129 mark 0x1/0x1

The client request is present in my syslog:
Oct 26 08:38:49 os-controller01 kernel: [ 4590.987956] TPROXY : IN=eth2 OUT= 
MAC=00:50:56:8d:2f:d4:02:05:69:02:be:68:08:00 SRC=10.30.216.132 
DST=74.125.24.94 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=21615 DF PROTO=TCP 
SPT=47706 DPT=80 WINDOW=27200 RES=0x00 SYN URGP=0

There is nothing in squid logs.

I have 

Re: [squid-users] TProxy and client_dst_passthru

2016-09-13 Thread Omid Kosari
Amos Jeffries wrote
> ==> ORIGINAL_DST should *only* ever be used on MISS or
> REFRESH/revalidate traffic. Never on a HIT. Thus zero (0%) hit-ratio is
> the expected behaviour.
> 
> For the same reason that a report of the log traffic using "grep -v HIT"
> will show zero cache ratio.

I have described my problem in another thread:
http://squid-web-proxy-cache.1019090.n4.nabble.com/range-offset-limit-not-working-as-expected-td4679355.html
Based on your suggestion, now squid only has one DNS server, which is the same
as the users'.

I am sure that this URL
http://download.cdn.mozilla.net/pub/firefox/releases/48.0.2/update/win32/en-US/firefox-48.0.2.complete.mar
existed and was cached. So why are there lots of log lines with ORIGINAL_DST?







Re: [squid-users] TProxy and client_dst_passthru

2016-09-11 Thread Alex Rousskov
On 09/11/2016 10:23 AM, Amos Jeffries wrote:
> The only visible problem is why that 2% exists.
> 
> ==> ORIGINAL_DST should *only* ever be used on MISS or
> REFRESH/revalidate traffic. Never on a HIT. Thus zero (0%) hit-ratio is
> the expected behaviour.


It is possible that a terminology clash affects Squid code and Squid
output interpretation. There are two popular approaches:

A. "Hit" means "served from the cache" or, more precisely, "the response
is based on the cache entry present in the cache at the time of request
interpretation". "Pure hits" (or similar) are served without an attempt
to contact the origin server. "Revalidation hits" (or similar) are
served after an attempt to check the cached entry freshness with the
origin server (that did not result in replacing or removing the
previously cached entry).

B. "Hit" means served without an attempt to contact the origin server.
Revalidation transactions are not hits (by definition).

The above definitions are not precise and do not cover all use cases,
but that is not important for highlighting the key difference between them.


Many people, including Amos in his email quoted above AFAICT, are using
approach "B". Many people, including myself, are using approach "A".
Squid code, output, and documentation mix the two approaches,
unfortunately. Be careful when you interpret what you see.


HTH,

Alex.



Re: [squid-users] TProxy and client_dst_passthru

2016-09-11 Thread Amos Jeffries
On 12/09/2016 3:04 a.m., Omid Kosari wrote:
> 
> I refer to the following messages. I have the same problem.
> 

The "problem" is misunderstanding of the log entry meaning.

> 
> FredT wrote
>> Hi Amos,
>>
>> We have done additional tests in production with ISPs and the ORIGINAL_DST
>> in tproxy cannot be cached.
>> In normal mode (not tproxy), ORIGINAL_DST can be cached, no problem.
>> But once in tproxy (http_port 3128 tproxy), no way, it's impossible to get
>> TCP_HIT.
>>
>> We have played with the client_dst_passthru and the host_verify_strict,
>> many combinations on/off.
>> By setting client_dst_passthru ON and host_verify_strict OFF, we can
>> reduce the number of ORIGINAL_DST (generating DNS "alerts" in the
>> cache.log) but it makes issues with HTTPS websites (facebook, hotmail,
>> gmail, etc...).

Nod. That is the purpose of those controls. So they are working.

>> We have also tried many DNS servers (internals and/or externals), same
>> issue.
>>
>> I read what you explain in your previous email but it seems there is
>> something weird.
>> The problem is that the ORIGINAL_DST could be up to 25% of the traffic
>> with some installations meaning this part is "out-of-control" in terms of
>> cache potential.

Any server type could be up to 100%. The type of server used implies
nothing about caching potential.

The reverse is true: caching potential implies server type, with
adjustments for traffic mode type and squid.conf settings.

For example:
 HIT implies HIER_NONE.

 MISS with intercept/tproxy implies ORIGINAL_DST or a peer.
 REFRESH with intercept/tproxy implies ORIGINAL_DST or a peer.

 MISS in forward-proxy implies DIRECT or a peer.
 REFRESH in forward-proxy implies DIRECT or a peer.

> 
> FredT wrote
>> Hi Eliezer,
>>
>> Well, we have done many tests with Squid (3.1 to 3.5.x), disabling
>> "client_dst_passthru" (off) will stop the DNS entry as explained in the
>> wiki, the option directly acts on the flag "ORIGINAL_DST".
>> As you know, ORIGINAL_DST switches the optimization off (ex: StoreID) then
>> it's not possible to cache the URL (ex:
>> http://cdn2.example.com/mypic.png).

ORIGINAL_DST does nothing. It is simply a label indicating which type of
server supplied the HTTP response message for the transaction.

>>
>> In no tproxy/NAT mode, the client_dst_passthru works perfectly by
>> disabling the DNS entry control, so optimization is done correctly.
>> But in tproxy/NAT, the client_dst_passthru has no effect, we see
>> ORIGINAL_DST in logs.
>>
>> So, maybe I'm totally wrong here and the client_dst_passthru is not related to
>> the ORIGINAL_DST,

"client_dst_passthru on" makes Squid use ORIGINAL_DST (client provided)
server instead of DIRECT (DNS lookup) server(s) for *all* intercepted
traffic. Even requests where DIRECT is possible.


>> or there is an explanation why the client_dst_passthru
>> does not act in tproxy/NAT...
>>

There is. The "transparent" part of "transparent interception proxy"
means that MISS should use the same server the client was originally
sending its request to (the ORIGINAL_DST server).


>> Bye Fred
> 
> Please look at the following results.
...
> 
> 60% vs 2% hit ratio (bytes). The problem is ORIGINAL_DST
> 

The only visible problem is why that 2% exists.

==> ORIGINAL_DST should *only* ever be used on MISS or
REFRESH/revalidate traffic. Never on a HIT. Thus zero (0%) hit-ratio is
the expected behaviour.

For the same reason that a report of the log traffic using "grep -v HIT"
will show zero cache ratio.

Amos

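As an added example (not code from the thread and not a Squid tool), the following Python computes the hit ratio of Squid native-format access.log lines under both definitions Alex describes earlier in the thread and checks Amos's rule above that a HIT never carries ORIGINAL_DST; the log lines are constructed, and the field layout assumed is Squid's default native format.

```python
"""Hit ratio of Squid native access.log lines under the two "hit"
definitions in this thread, plus a check that HIT implies HIER_NONE.

Added example; not code from the thread and not a Squid tool. Field layout
assumed is Squid's default native format:
  time elapsed client code/status bytes method URL user hier/host type
"""
from collections import namedtuple

Entry = namedtuple("Entry", "code status bytes hier")

# Constructed sample lines: hosts, addresses and sizes are made up.
SAMPLE_LOG = """\
1473600000.101    310 10.0.0.5 TCP_MISS/200 5120 GET http://cdn.example.test/a.png - ORIGINAL_DST/203.0.113.10 image/png
1473600001.202      2 10.0.0.6 TCP_HIT/200 5120 GET http://cdn.example.test/a.png - HIER_NONE/- image/png
1473600002.303    140 10.0.0.7 TCP_REFRESH_UNMODIFIED/304 119 GET http://cdn.example.test/a.png - ORIGINAL_DST/203.0.113.10 image/png
1473600003.404    450 10.0.0.8 TCP_REFRESH_MODIFIED/200 7000 GET http://cdn.example.test/b.js - ORIGINAL_DST/203.0.113.10 application/javascript
1473600004.505      1 10.0.0.9 TCP_MEM_HIT/200 800 GET http://cdn.example.test/c.css - HIER_NONE/- text/css
1473600005.606    900 10.0.0.5 TCP_MISS/200 64000 GET http://dl.example.test/big.mar - ORIGINAL_DST/198.51.100.20 application/octet-stream
"""

# Constructed anomaly: a pure HIT that claims an ORIGINAL_DST server.
# Per the thread this should never happen; the checker below flags it.
ANOMALY_LINE = "1473600006.707 50 10.0.0.6 TCP_HIT/200 5120 GET http://cdn.example.test/a.png - ORIGINAL_DST/203.0.113.10 image/png\n"


def parse(log_text):
    """Parse native-format lines into Entry tuples; skip short or blank lines."""
    entries = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        code, status = fields[3].split("/", 1)
        hier = fields[8].split("/", 1)[0]
        entries.append(Entry(code, int(status), int(fields[4]), hier))
    return entries


def is_pure_hit(entry):
    """Definition B: served without contacting the origin server."""
    return "HIT" in entry.code and "REFRESH" not in entry.code


def is_hit_incl_revalidation(entry):
    """Definition A: pure hits plus revalidations where the origin
    confirmed the cached entry (304) and nothing was replaced."""
    return is_pure_hit(entry) or entry.code == "TCP_REFRESH_UNMODIFIED"


def hit_ratio(entries, definition):
    """Return (request hit ratio, byte hit ratio) as fractions in [0, 1]."""
    if not entries:
        return (0.0, 0.0)
    hits = [e for e in entries if definition(e)]
    total_bytes = sum(e.bytes for e in entries)
    byte_ratio = sum(e.bytes for e in hits) / total_bytes if total_bytes else 0.0
    return (len(hits) / len(entries), byte_ratio)


def only_hier(entries, hier):
    """Equivalent of 'grep ORIGINAL_DST': keep one hierarchy code only."""
    return [e for e in entries if e.hier == hier]


def invariant_violations(entries):
    """Pure hits must carry HIER_NONE; anything else deserves a look."""
    return [e for e in entries if is_pure_hit(e) and e.hier != "HIER_NONE"]


if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    print("B (pure hits), all lines:     ", hit_ratio(ents, is_pure_hit))
    print("A (incl. revalidation), all:  ", hit_ratio(ents, is_hit_incl_revalidation))
    print("B, ORIGINAL_DST lines only:   ", hit_ratio(only_hier(ents, "ORIGINAL_DST"), is_pure_hit))
    print("violations:", invariant_violations(parse(SAMPLE_LOG + ANOMALY_LINE)))
```

Filtering to ORIGINAL_DST lines first and then counting pure hits is exactly the "grep -v HIT" effect Amos describes: the ratio is zero by construction, and a nonzero result is a log anomaly rather than a caching problem.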


Re: [squid-users] TProxy and client_dst_passthru

2016-09-11 Thread Omid Kosari
Antony Stone wrote
> On Thursday 08 September 2016 at 12:27:42, Omid Kosari wrote:
> 
>> Hi Fred,
>> 
>> Same problem here. Did you find any solution or workaround?
> 
> Please clarify which message you are reply / referring to.
> 
> Thanks,
> 
> 
> Antony.
> 

I refer to the following messages. I have the same problem.


FredT wrote
> Hi Amos,
> 
> We have done additional tests in production with ISPs and the ORIGINAL_DST
> in tproxy cannot be cached.
> In normal mode (not tproxy), ORIGINAL_DST can be cached, no problem.
> But once in tproxy (http_port 3128 tproxy), no way, it's impossible to get
> TCP_HIT.
> 
> We have played with the client_dst_passthru and the host_verify_strict,
> many combinations on/off.
> By setting client_dst_passthru ON and host_verify_strict OFF, we can
> reduce the number of ORIGINAL_DST (generating DNS "alerts" in the
> cache.log) but it makes issues with HTTPS websites (facebook, hotmail,
> gmail, etc...).
> We have also tried many DNS servers (internals and/or externals), same
> issue.
> 
> I read what you explain in your previous email but it seems there is
> something weird.
> The problem is that the ORIGINAL_DST could be up to 25% of the traffic
> with some installations meaning this part is "out-of-control" in terms of
> cache potential.
> 
> All help is welcome here
> Thanks in advance.
> 
> Bye Fred 


FredT wrote
> Hi Eliezer,
> 
> Well, we have done many tests with Squid (3.1 to 3.5.x), disabling
> "client_dst_passthru" (off) will stop the DNS entry as explained in the
> wiki, the option directly acts on the flag "ORIGINAL_DST".
> As you know, ORIGINAL_DST switches the optimization off (ex: StoreID) then
> it's not possible to cache the URL (ex:
> http://cdn2.example.com/mypic.png).
> 
> In no tproxy/NAT mode, the client_dst_passthru works perfectly by
> disabling the DNS entry control, so optimization is done correctly.
> But in tproxy/NAT, the client_dst_passthru has no effect, we see
> ORIGINAL_DST in logs.
> 
> So, maybe I'm totally wrong here and the client_dst_passthru is not related to
> the ORIGINAL_DST, or there is an explanation why the client_dst_passthru
> does not act in tproxy/NAT...
> 
> Bye Fred

Please look at the following results.
As you know, the following command shows statistics of the lines which only have
ORIGINAL_DST:

tail -n 100 /var/log/squid/access.log | grep -a ORIGINAL_DST | calamaris 
--config-file /etc/calamaris/calamaris.conf --all-useful-reports | more


----------------------------------------------------------------------
Proxy statistics
----------------------------------------------------------------------
Total amount:                                       requests    378310
unique hosts/users:                                 hosts         1859
Total Bandwidth:                                    Byte        16453M
Proxy efficiency (HIT [kB/sec] / DIRECT [kB/sec]):  factor        1.22
Average speed increase:                             %             0.39
TCP response time of 100% requests:                 msec            0M
----------------------------------------------------------------------
Cache statistics
----------------------------------------------------------------------
Total amount cached:                                requests     11945
Request hit rate:                                   %             3.16
Bandwidth savings:                                  Byte          355M
Bandwidth savings in Percent (Byte hit rate):       %             2.16
Average cached object size:                         Byte            0M
Average direct object size:                         Byte            0M
Average object size:                                Byte            0M
----------------------------------------------------------------------

# Incoming TCP-requests by status
status                            request      %  sec/req    Byte      %  kB/sec
-------------------------------- -------- ------ -------- ------- ------ -------
HIT                                 11945   3.16     1.94    355M   2.16   15.66
 TCP_REFRESH_UNMODIFIED_ABORTED       104   0.03    44.89    158M   0.96   34.55
 TCP_REFRESH_UNMODIFIED             11795   3.12     0.77    119M   0.72   13.47
 TCP_REFRESH_UNMODIFIED_TIMEDOUT        8   0.00  1108.82     79M   0.48    9.09
 TCP_HIT_ABORTED

Re: [squid-users] TProxy and client_dst_passthru

2016-09-08 Thread Antony Stone
On Thursday 08 September 2016 at 12:27:42, Omid Kosari wrote:

> Hi Fred,
> 
> Same problem here. Did you find any solution or workaround?

Please clarify which message you are reply / referring to.

Thanks,


Antony.

-- 
Archaeologists have found a previously-unknown dinosaur which seems to have 
had a very large vocabulary.  They've named it Thesaurus.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] TProxy and client_dst_passthru

2016-09-08 Thread Omid Kosari
Hi Fred,

Same problem here. Did you find any solution or workaround?

Regards





Re: [squid-users] TPROXY and IPv6 issues CentOS 7

2015-10-23 Thread Amos Jeffries
On 24/10/2015 9:02 a.m., James White wrote:
> I'm literally stumped at this point. The fact TPROXY is working for
> IPv4 indicates that I have the necessary setup in place for TPROXY to
> at least work, but IPv6 not working is a mystery. Like I said the
> Squid box is fully IPv6 capable and clients connecting via 3128 have a
> working IPv6 setup.
> 
> I maybe should have mentioned that the server Squid is running on is a
> HP Microserver Gen8; it does have multiple NICs, but only eno1 is in
> use, eno2 is disabled. I'm pretty sure there is some form of routing
> issue at the Squid box, but I've read every bit of information about
> TPROXY with IPv6 and I cannot see where I have done something wrong.
> Reading many articles on the subject they all hint at the same routing
> and ip6tables rules that I am using currently.
> 
> I've tried using the loopback interface and eno1 (main LAN interface)
> and they both yield the same results for IPv6 connectivity.
> 
> I hope someone can chime in with some additional
> troubleshooting/debugging steps, because I literally have no idea now!
> 

Wish I could give some better help. But there have been a few situations
where people have ended up in the same mystery situation with TPROXY and
none of us found a solution yet. That was usually on Debian/Ubuntu
systems though. Whatever the bug was did seem to get fixed in more
recent kernels for them.

Amos


Re: [squid-users] TPROXY and IPv6 issues CentOS 7

2015-10-23 Thread James White
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'm literally stumped at this point. The fact TPROXY is working for
IPv4 indicates that I have the necessary setup in place for TPROXY to
at least work, but IPv6 not working is a mystery. Like I said the
Squid box is fully IPv6 capable and clients connecting via 3128 have a
working IPv6 setup.

I maybe should have mentioned that the server Squid is running on is a
HP Microserver Gen8 it does have multiple NICs, but only eno1 is in
use, eno2 is disabled. I'm pretty sure there is some form of routing
issue at the Squid box, but I've read every bit of information about
TPROXY with IPv6 and I cannot see where I have done something wrong.
Reading many articles on the subject they all hint at the same routing
and ip6tables rules that I am using currently.

I've tried using the loopback interface and eno1 (main LAN interface)
and they both yield the same results for IPv6 connectivity.

I hope someone can chime in with some additional
troubleshooting/debugging steps, because I literally have no idea now!

James

On 17/10/2015 10:32, James White wrote:
> Hi Amos,
> 
> Thanks for your reply.
> 
> I've tried setting the rp_filter values to 1 and 2 and there is no 
> difference in behaviour.
> 
> Traffic isn't being tagged on dport 3128 directly. What I meant was
> I needed to exclude the configured outgoing IPv6 address at the
> DD-WRT router level with a PREROUTING rule, otherwise there was a
> loop and traffic would be messed up.
> 
> Enabling the via header temporarily, I checked to see what was
> being passed. According to my tests, the IPv6 address of my proxy
> was the value, so the traffic is making it to the Squid box, but no
> IPv6 requests are logged in the access.log from any TPROXY clients
> and all IPv6 requests from TPROXY clients are timing out e.g.
> ipv6.google.com
> 
> I'm pretty confident the problem lies on my Squid server at this 
> point, I can't see any issues with the policy routing on my DD-WRT
> router.
> 
> MTU is configured correctly and the Squid box can ping and
> traceroute IPv6 addresses.
> 
> I'm really at a loss of what the issue is. I've read the TPROXY
> wiki article many times and there is nothing obvious to me that
> identifies my issue. I've looked for other resources for TPROXY and
> IPv6 and can't find anything else either.
> 
> Thanks,
> 
> James
> 
> On 14/10/2015 04:20, Amos Jeffries wrote:
>> On 14/10/2015 7:07 a.m., James White wrote:
>>> Hi all,
>>> 
>>> I operate a squid box which has two http_port setups:
>>> 
>>> http_port 3128
>>> http_port 3129 TPROXY
>>> 
>>> I have implemented TPROXY to replace my NAT setup on a CentOS 7
>>>  Squid 3.3 box. Currently the IPv4 connectivity is working
>>> great, the IPv6 connectivity is broken when going through
>>> TPROXY. All IPv6 connections timeout and from tests it appears
>>> there is a broken IPv6 setup. Using test-ipv6.com I get a 
>>> broken/misconfiguration warning. IPv6 connections handled by
>>> the standard 3128 setup work OK, direct IPv6 connections
>>> outside of the proxy are also OK, TPROXY IPv6 is not working
>>> properly.
>>> 
>>> I have looked at several TPROXY resources and cannot see where
>>> I have gone wrong or what might be causing the issue. I am
>>> using my DD-WRT routing with policy routing to pass the traffic
>>> to the Squid box which then uses further policy routing to push
>>> the traffic to the TPROXY binding on port 3129.
>>> 
>>> DD-WRT firewall/routing rules:
>>> 
>>> PROXY_IPV6="2001:470::xx::x"
>>> CLIENTIFACE="br0"
>>> FWMARK=3
>>> 
>>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT
>>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
>>> ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
>>> ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
>>> 
>>> ip -f inet6 rule add fwmark $FWMARK table 2
>>> ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2
>>> 
>>> 
>>> Squid box firewall and routing rules:
>>> 
>>> ip -f inet6 rule add fwmark 1 lookup 100
>>> ip -f inet6 route add local default dev eno1 table 100
>>> 
>>> ip6tables -t mangle -F
>>> ip6tables -t mangle -X
>>> ip6tables -t mangle -N DIVERT
>>> 
>>> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
>>> ip6tables -t mangle -A DIVERT -j ACCEPT
>>> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>> 
>>> 
>>> The following sysctl values are set:
>>> 
>>> net.ipv4.ip_forward = 1
>>> net.ipv4.conf.default.rp_filter = 0
>>> net.ipv4.conf.all.rp_filter = 0
>>> net.ipv4.conf.eno1.rp_filter = 0
>>> 
> 
>> Double-check the meaning of 0 in those rules. The rp_filter value
>>  meanings changed just prior to 3.x kernels, and no longer do
>> what most online tutorials say.
> 
> 
>>> I have defined specific IPv4 

Re: [squid-users] TPROXY and IPv6 issues CentOS 7

2015-10-17 Thread James White
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Amos,

Thanks for your reply.

I've tried setting the rp_filter values to 1 and 2 and there is no
difference in behaviour.

Traffic isn't being tagged on dport 3128 directly. What I meant was I
needed to exclude the configured outgoing IPv6 address at the DD-WRT
router level with a PREROUTING rule, otherwise there was a loop and
traffic would be messed up.

Enabling the via header temporarily, I checked to see what was being
passed. According to my tests, the IPv6 address of my proxy was the
value, so the traffic is making it to the Squid box, but no IPv6
requests are logged in the access.log from any TPROXY clients and all
IPv6 requests from TPROXY clients are timing out e.g. ipv6.google.com

I'm pretty confident the problem lies on my Squid server at this
point, I can't see any issues with the policy routing on my DD-WRT
router.

MTU is configured correctly and the Squid box can ping and traceroute
IPv6 addresses.

I'm really at a loss of what the issue is. I've read the TPROXY wiki
article many times and there is nothing obvious to me that identifies
my issue. I've looked for other resources for TPROXY and IPv6 and
can't find anything else either.

Thanks,

James

On 14/10/2015 04:20, Amos Jeffries wrote:
> On 14/10/2015 7:07 a.m., James White wrote:
>> Hi all,
>> 
>> I operate a squid box which has two http_port setups:
>> 
>> http_port 3128
>> http_port 3129 TPROXY
>> 
>> I have implemented TPROXY to replace my NAT setup on a CentOS 7 
>> Squid 3.3 box. Currently the IPv4 connectivity is working great, 
>> the IPv6 connectivity is broken when going through TPROXY. All 
>> IPv6 connections timeout and from tests it appears there is a 
>> broken IPv6 setup. Using test-ipv6.com I get a 
>> broken/misconfiguration warning. IPv6 connections handled by the 
>> standard 3128 setup work OK, direct IPv6 connections outside of 
>> the proxy are also OK, TPROXY IPv6 is not working properly.
>> 
>> I have looked at several TPROXY resources and cannot see where I 
>> have gone wrong or what might be causing the issue. I am using
>> my DD-WRT routing with policy routing to pass the traffic to the 
>> Squid box which then uses further policy routing to push the 
>> traffic to the TPROXY binding on port 3129.
>> 
>> DD-WRT firewall/routing rules:
>> 
>> PROXY_IPV6="2001:470::xx::x"
>> CLIENTIFACE="br0"
>> FWMARK=3
>> 
>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp --dport 80 -j ACCEPT
>> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j MARK --set-mark $FWMARK
>> ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
>> ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp --dport 80 -j ACCEPT
>> 
>> ip -f inet6 rule add fwmark $FWMARK table 2
>> ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2
>> 
>> 
>> Squid box firewall and routing rules:
>> 
>> ip -f inet6 rule add fwmark 1 lookup 100
>> ip -f inet6 route add local default dev eno1 table 100
>> 
>> ip6tables -t mangle -F
>> ip6tables -t mangle -X
>> ip6tables -t mangle -N DIVERT
>> 
>> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
>> ip6tables -t mangle -A DIVERT -j ACCEPT
>> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>> 
>> 
>> The following sysctl values are set:
>> 
>> net.ipv4.ip_forward = 1
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.all.rp_filter = 0
>> net.ipv4.conf.eno1.rp_filter = 0
>> 
> 
> Double-check the meaning of 0 in those rules. The rp_filter value 
> meanings changed just prior to 3.x kernels, and no longer do what 
> most online tutorials say.
> 
> 
>> I have defined specific IPv4 and IPv6 addresses for the Squid 
>> traffic to go over, I had to exclude these with PREROUTING RULES 
>> as this broke connectivity on LAN clients which use the standard 
>> http_port setup of 3128. IPv6 connectivity for these clients is 
>> OK.
> 
> Pause.
> 
> How is traffic to --dport 3128 matching "-p tcp -m tcp --dport 80" ?
> 
> It seems to me that would be part of your problem. Unless you mean 
> that these rules had to go on the router. In which case, yes you
> do need to prevent Squid outbound traffic being looped back to it
> a second time.
> 
>> 
>> iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j ACCEPT
>> ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s 2001:470::xx::x -j ACCEPT
>> 
>> 
>> I don't know if I need additional values for any ipv6 config 
>> value. Nothing is mentioned in the TPROXY Squid wiki article.
> 
> Given the likelihood of so called "privacy addressing" in IPv6 you 
> may need to make the v6 bypasses use /64 subnets instead of single 
> IP's
> 
>> 
>> 
>> Any ideas on what I could be missing?
>> 
> 
> When debugging make sure "via on" directive exists in squid.conf. 
> That will highlight looping errors 

Re: [squid-users] TPROXY and IPv6 issues CentOS 7

2015-10-13 Thread Amos Jeffries
On 14/10/2015 7:07 a.m., James White wrote:
> Hi all,
> 
> I operate a squid box which has two http_port setups:
> 
> http_port 3128
> http_port 3129 TPROXY
> 
> I have implemented TPROXY to replace my NAT setup on a CentOS 7 Squid
> 3.3 box. Currently the IPv4 connectivity is working great, the IPv6
> connectivity is broken when going through TPROXY. All IPv6 connections
> timeout and from tests it appears there is a broken IPv6 setup. Using
> test-ipv6.com I get a broken/misconfiguration warning. IPv6
> connections handled by the standard 3128 setup work OK, direct IPv6
> connections outside of the proxy are also OK, TPROXY IPv6 is not
> working properly.
> 
> I have looked at several TPROXY resources and cannot see where I have
> gone wrong or what might be causing the issue. I am using my DD-WRT
> routing with policy routing to pass the traffic to the Squid box which
> then uses further policy routing to push the traffic to the TPROXY
> binding on port 3129.
> 
> DD-WRT firewall/routing rules:
> 
> PROXY_IPV6="2001:470::xx::x"
> CLIENTIFACE="br0"
> FWMARK=3
> 
> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp
> --dport 80 -j ACCEPT
> ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j
> MARK --set-mark $FWMARK
> ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
> ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp
> --dport 80 -j ACCEPT
> 
> ip -f inet6 rule add fwmark $FWMARK table 2
> ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2
> 
> 
> Squid box firewall and routing rules:
> 
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev eno1 table 100
> 
> ip6tables -t mangle -F
> ip6tables -t mangle -X
> ip6tables -t mangle -N DIVERT
> 
> ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
> ip6tables -t mangle -A DIVERT -j ACCEPT
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3129
> 
> 
> The following sysctl values are set:
> 
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.eno1.rp_filter = 0
> 

Double-check the meaning of 0 in those rules. The rp_filter value
meanings changed just prior to 3.x kernels, and no longer do what most
online tutorials say.


> I have defined specific IPv4 and IPv6 addresses for the Squid traffic
> to go over, I had to exclude these with PREROUTING RULES as this broke
> connectivity on LAN clients which use the standard http_port setup of
> 3128. IPv6 connectivity for these clients is OK.

Pause.

How is traffic to --dport 3128 matching "-p tcp -m tcp --dport 80" ?

It seems to me that would be part of your problem. Unless you mean that
these rules had to go on the router. In which case, yes you do need to
prevent Squid outbound traffic being looped back to it a second time.

> 
> iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j
> ACCEPT
> ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s
> 2001:470::xx::x -j ACCEPT
> 
> 
> I don't know if I need additional values for any ipv6 config value.
> Nothing is mentioned in the TPROXY Squid wiki article.

Given the likelihood of so called "privacy addressing" in IPv6 you may
need to make the v6 bypasses use /64 subnets instead of single IP's

> 
> 
> Any ideas on what I could be missing?
> 

When debugging make sure "via on" directive exists in squid.conf. That
will highlight looping errors that you may have from misconfiguration
TPROXY.


Also, make sure that ICMP and path-MTU etc are working. Particularly
from the Squid machine to the Internet.

If you haven't already been through the list and double/triple-checked,
the troubleshooting section of
 may have the answer.

Amos



[squid-users] TPROXY and IPv6 issues CentOS 7

2015-10-13 Thread James White
Hi all,

I operate a squid box which has two http_port setups:

http_port 3128
http_port 3129 TPROXY

I have implemented TPROXY to replace my NAT setup on a CentOS 7 Squid
3.3 box. Currently the IPv4 connectivity is working great, the IPv6
connectivity is broken when going through TPROXY. All IPv6 connections
timeout and from tests it appears there is a broken IPv6 setup. Using
test-ipv6.com I get a broken/misconfiguration warning. IPv6
connections handled by the standard 3128 setup work OK, direct IPv6
connections outside of the proxy are also OK, TPROXY IPv6 is not
working properly.

I have looked at several TPROXY resources and cannot see where I have
gone wrong or what might be causing the issue. I am using my DD-WRT
routing with policy routing to pass the traffic to the Squid box which
then uses further policy routing to push the traffic to the TPROXY
binding on port 3129.

DD-WRT firewall/routing rules:

PROXY_IPV6="2001:470::xx::x"
CLIENTIFACE="br0"
FWMARK=3

ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -s $PROXY_IPV6 -p tcp
--dport 80 -j ACCEPT
ip6tables -t mangle -A PREROUTING -i $CLIENTIFACE -p tcp --dport 80 -j
MARK --set-mark $FWMARK
ip6tables -t mangle -A PREROUTING -m mark --mark $FWMARK -j ACCEPT
ip6tables -t filter -A FORWARD -i $CLIENTIFACE -o $CLIENTIFACE -p tcp
--dport 80 -j ACCEPT

ip -f inet6 rule add fwmark $FWMARK table 2
ip -f inet6 route add default via $PROXY_IPV6 dev $CLIENTIFACE table 2


Squid box firewall and routing rules:

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eno1 table 100

ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t mangle -N DIVERT

ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129


The following sysctl values are set:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eno1.rp_filter = 0

I have defined specific IPv4 and IPv6 addresses for the Squid traffic
to go over, I had to exclude these with PREROUTING RULES as this broke
connectivity on LAN clients which use the standard http_port setup of
3128. IPv6 connectivity for these clients is OK.

iptables -t mangle -I PREROUTING -p tcp --dport 80 -s 192.168.x.x -j
ACCEPT
ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s
2001:470::xx::x -j ACCEPT


I don't know if I need additional values for any ipv6 config value.
Nothing is mentioned in the TPROXY Squid wiki article.


Any ideas on what I could be missing?

Thanks,

James
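The rule set in this post chains several values that have to agree: the mark written by the DIVERT chain and by the TPROXY target must be the fwmark that the `ip rule` entry selects a table for, and that table must hold the `local default` route; Amos's replies also note that a single-address IPv6 bypass is fragile once privacy addressing moves the proxy's address around inside its /64. The following Python script is an added example, not Squid project code and not something from this thread: it parses rule lines in the shape used above and reports where those cross-references disagree. The sample rules are constructed with documentation addresses rather than the poster's, and the interface and table numbers are kept only to mirror the post's layout.

```python
"""Consistency audit for a TPROXY policy-routing rule set.

Added example, not Squid project code and not from the mailing-list thread.
It parses the shell lines that set TPROXY up on the proxy host in the layout
used in the post (an `ip rule`/`ip route` pair, a DIVERT chain, a TPROXY rule,
and bypass rules inserted ahead of them) and checks the values that must agree
across those lines. The sample rules below are constructed, with
documentation addresses.
"""
import ipaddress
import shlex


def _after(tokens, flag):
    """Return the token following `flag`, or None if `flag` is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def _mark(spec):
    """Parse a mark written as '1', '0x1' or '0x1/0x1' (value/mask) into its value."""
    return int(spec.split("/")[0], 0)


def audit_tproxy_rules(lines):
    """Return a list of findings; an empty list means the rule set is consistent."""
    rule_tables = {}       # fwmark -> routing table that `ip rule` selects for it
    local_default = set()  # tables that hold a `local default` route
    marks_in_use = set()   # marks written by MARK or TPROXY targets
    v6_bypasses = []       # IPv6 sources accepted ahead of the TPROXY rule

    for raw in lines:
        toks = shlex.split(raw)
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] == "ip" and "rule" in toks and "fwmark" in toks:
            table = _after(toks, "lookup") or _after(toks, "table")
            rule_tables[_mark(_after(toks, "fwmark"))] = table
        elif toks[0] == "ip" and "route" in toks and "local" in toks:
            local_default.add(_after(toks, "table"))
        elif toks[0] in ("iptables", "ip6tables"):
            target = _after(toks, "-j")
            if target == "TPROXY":
                marks_in_use.add(_mark(_after(toks, "--tproxy-mark")))
            elif target == "MARK":
                marks_in_use.add(_mark(_after(toks, "--set-mark")))
            elif target == "ACCEPT" and toks[0] == "ip6tables" and "-s" in toks:
                v6_bypasses.append(_after(toks, "-s"))

    findings = []
    for mark in sorted(marks_in_use):
        table = rule_tables.get(mark)
        if table is None:
            findings.append(f"mark {mark:#x} is written by netfilter but no "
                            f"`ip rule ... fwmark` selects a table for it")
        elif table not in local_default:
            findings.append(f"table {table} (selected for mark {mark:#x}) has no "
                            f"`local default` route, so marked packets are not "
                            f"delivered to the local TPROXY socket")
    for src in v6_bypasses:
        if ipaddress.ip_network(src, strict=False).prefixlen > 64:
            findings.append(f"IPv6 bypass {src} names a single host; with privacy "
                            f"addressing the proxy's outgoing address can move "
                            f"within its /64 and stop matching the bypass")
    return findings


# Constructed sample in the post's layout (documentation addresses, not the poster's).
RULES_AS_POSTED = [
    "ip -f inet6 rule add fwmark 1 lookup 100",
    "ip -f inet6 route add local default dev eno1 table 100",
    "ip6tables -t mangle -N DIVERT",
    "ip6tables -t mangle -A DIVERT -j MARK --set-mark 1",
    "ip6tables -t mangle -A DIVERT -j ACCEPT",
    "ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT",
    "ip6tables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY "
    "--tproxy-mark 0x1/0x1 --on-port 3129",
    "ip6tables -t mangle -I PREROUTING -p tcp --dport 80 -s 2001:db8:1::10 -j ACCEPT",
]
# Variant where the mark in `ip rule` does not match the mark netfilter sets.
RULES_MARK_MISMATCH = ["ip -f inet6 rule add fwmark 2 lookup 100"] + RULES_AS_POSTED[1:]
# Variant that forgot the `local default` route in table 100.
RULES_NO_LOCAL_ROUTE = [r for r in RULES_AS_POSTED if "route add local" not in r]

if __name__ == "__main__":
    for name, rules in [("as posted", RULES_AS_POSTED),
                        ("mark mismatch", RULES_MARK_MISMATCH),
                        ("no local route", RULES_NO_LOCAL_ROUTE)]:
        print(name, "->", audit_tproxy_rules(rules) or ["ok"])
```

The script only reads text, so it can be pointed at a saved copy of the rules before they are applied; it does not replace checking the live state with `ip -6 rule` and `ip -6 route show table 100` on the proxy host.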


Re: [squid-users] TProxy and client_dst_passthru

2015-07-04 Thread Stakres
Hi Amos,

We did tons of tests with the latest Squid versions and this is not the
behaviour with the host_verify_strict off and client_dst_passthru off.
With those 2 options OFF, we see a lot of ORIGINAL_DST that we should not
see if we follow your explanations, so it seems there is a bug somewhere ?

Can you check from your side (tproxy or not, same behaviour), thanks in
advance.

Bye Fred





Re: [squid-users] TProxy and client_dst_passthru

2015-07-04 Thread Amos Jeffries
On 4/07/2015 8:02 p.m., Stakres wrote:
 Hi Amos,
 
 We did tons of tests with the latest Squid versions and this is not the
 behaviour with the host_verify_strict off and client_dst_passthru off.
 With those 2 options OFF, we see a lot of ORIGINAL_DST that we should not
 see if we follow your explanations, so it seems there is a bug somewhere ?
 

Such as?
 Enable debug_options 85,3 to see host verify checks and results in action.


 Can you check from your side (tproxy or not, same behaviour), thanks in
 advance.

The tests I have all work as expected, including malware PoC...

When verify passes Squid goes DIRECT (client_dst_passthru off) or
ORIGINAL_DST (client_dst_passthru on). With caching allowed.

When verify fails Squid goes ORIGINAL_DST or NONE (409 rejection). With
caching blocked.

Non-intercepted traffic does not get verified by default
(host_verify_strict off).

Verified non-intercepted traffic (host_verify_strict on) with URL and
Host header containing identical content is treated normally. 409
rejection for all other.

Amos



Re: [squid-users] TProxy and client_dst_passthru

2015-07-03 Thread Stakres
Hi Amos,
Can we expect a workaround to allow the object to the cache if the dns
record is corrected by Squid instead of having an ORIGINAL_DST ?
If Squid corrects the request, it means the URL will be good, so we should be
able to cache the object 

Fred






Re: [squid-users] TProxy and client_dst_passthru

2015-07-03 Thread Amos Jeffries
On 4/07/2015 1:21 a.m., Stakres wrote:
 Amos,
 You told the Squid will check the original dns from the headers, then it'll
 do its own dns resolution to verify they both match.
 So, if no match, Squid does the request to internet based on the dns it
 found.
 If I'm right, that's the current way, correct ?

Depends on what you mean by it found.

ORIGINAL_DST comes from TCP packet headers, which cannot be forged
without the packets going astray. Squid trusts it when in doubt.

Squid's own DNS lookup is for the HTTP Host header value. To compare
against the TCP value. Host can be trivially forged. So neither Host nor
the DNS resulting from it can be trusted when in doubt.

 
 What we could do is the same way but as Squid has downloaded the object
 based on its dns records, it means the object is correct, the right one. So,
 keep all details from Squid job and push the object to the cache (if
 cacheable).

When there is doubt about what server is correct there is no right
object. Squid relays the request to the place the client would have
reached had the proxy not been intercepting the traffic (ORIGINAL_DST).
Then prevents the unreliable object being given to other clients (cached).


There does seem to be one bug in that Squid will not always HIT on
existing cache content for the requested URL. Any help finding and
fixing that.


 
 user request - squid checks the dns is ok (corrects it if needed) - squid
 download the right object and cache.
 user request - squid checks the dns is ok (corrects it if needed) - squid
 pushes from its cache.
 
 Again, if Squid requests the right object based on its dns requests, it'll
 deliver to clients the good one.
 So, we should not see ORIGINAL_DST anymore...

That's the CVE-2009-0801 problem. Whenever the Host header DNS is used
the proxy and all other clients fetching the cached URL from it, are
subject to malicious alterations made to that header.
Thus it's only near-trustworthy when the DNS results contain the TCP dst-IP.

We let the request through to the ORIGINAL_DST to reduce penalty on the
client. But caching without the trust is going a bit too far.


Amos
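The decision table Amos lays out here and in his 2015-07-04 reply (a verified Host header gives DIRECT or ORIGINAL_DST with caching allowed; a failed check gives ORIGINAL_DST with caching blocked, or a 409; forward-proxy requests are only checked under host_verify_strict) can be written out as a small model, which makes it visible why the ISP scenario earlier in the thread ends up with uncacheable ORIGINAL_DST traffic. The following Python is an added example and not Squid's source code: the names `decide`, `hierarchy_field` and the DNS table are constructed here, the addresses are documentation ranges, and the choice that a strict-mode verification failure on intercepted traffic is the case that receives the 409 is an assumption of this model rather than something the thread states.

```python
"""Model of the intercepted-request host verification described in the thread.

Added example, not Squid source code. It encodes the decision table given in
the replies: the TCP destination (ORIGINAL_DST) is trusted because it comes
from packet headers, while the Host header is client-supplied and is trusted
only when the proxy's own DNS answer for it contains that TCP destination.
Names and addresses are constructed; the rule that a strict-mode failure on
intercepted traffic is answered with 409 is this model's own assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    route: str        # "DIRECT", "ORIGINAL_DST" or "NONE" (the access.log hierarchy code)
    status: int       # 0: forward and relay the origin's status; 409: rejected by the proxy
    cacheable: bool   # may the response be stored and served to other clients?


# Constructed resolver view: what the proxy's own DNS returns for a name.
DNS = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
}


def resolve(name):
    """The proxy's own lookup of the Host header value (simulated)."""
    return DNS.get(name, set())


def decide(host_header, url_host, intercepted, original_dst=None,
           client_dst_passthru=False, host_verify_strict=False):
    """Apply the verification rules and return the forwarding/caching decision."""
    if intercepted:
        # Intercepted traffic is always verified. The check passes only when
        # the TCP destination the client actually connected to is among the
        # IPs the proxy itself resolves for the Host header.
        if original_dst in resolve(host_header):
            route = "ORIGINAL_DST" if client_dst_passthru else "DIRECT"
            return Decision(route, 0, cacheable=True)
        if host_verify_strict:
            return Decision("NONE", 409, cacheable=False)
        # Relay to where the client was already going, but never store the
        # reply: a Host header that does not match the destination must not be
        # able to seed the shared cache with a response other clients would
        # then receive for that URL (the CVE-2009-0801 problem).
        return Decision("ORIGINAL_DST", 0, cacheable=False)

    # Forward-proxy requests carry an absolute URL; they are not verified
    # unless host_verify_strict is on, in which case the URL host and the
    # Host header must be identical.
    if not host_verify_strict or host_header == url_host:
        return Decision("DIRECT", 0, cacheable=True)
    return Decision("NONE", 409, cacheable=False)


def hierarchy_field(decision, host_header, original_dst):
    """Render the access.log hierarchy field, e.g. 'ORIGINAL_DST/198.51.100.7'."""
    if decision.route == "ORIGINAL_DST":
        return f"ORIGINAL_DST/{original_dst}"
    if decision.route == "DIRECT":
        # The proxy picks a server from its own DNS answer; take the lowest
        # address here so the output is deterministic.
        return f"DIRECT/{min(resolve(host_header), default='-')}"
    return "NONE/-"


if __name__ == "__main__":
    # Constructed scenarios: a verified request, a resolver disagreement (the
    # client's DNS returned an IP the proxy's DNS does not), and forward-proxy use.
    cases = [
        ("www.example.com", "www.example.com", True, "203.0.113.10", {}),
        ("www.example.com", "www.example.com", True, "203.0.113.10", {"client_dst_passthru": True}),
        ("www.example.com", "www.example.com", True, "198.51.100.7", {}),
        ("www.example.com", "www.example.com", True, "198.51.100.7", {"host_verify_strict": True}),
        ("other.example", "www.example.com", False, None, {"host_verify_strict": True}),
    ]
    for host, url_host, icpt, dst, opts in cases:
        d = decide(host, url_host, icpt, dst, **opts)
        print(f"{host:16} dst={dst!s:14} intercepted={icpt!s:5} {opts} -> "
              f"{hierarchy_field(d, host, dst)} status={d.status} cacheable={d.cacheable}")
```

The third scenario is the one Fred reports: the client reached a perfectly legitimate server, but because the proxy's resolver answers with a different set of addresses the proxy cannot distinguish that from a forged Host header, so the reply goes out as ORIGINAL_DST and is never shared through the cache.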


Re: [squid-users] TProxy and client_dst_passthru

2015-07-03 Thread Stakres
Amos,
You told the Squid will check the original dns from the headers, then it'll
do its own dns resolution to verify they both match.
So, if no match, Squid does the request to internet based on the dns it
found.
If I'm right, that's the current way, correct ?

What we could do is the same way but as Squid has downloaded the object
based on its dns records, it means the object is correct, the right one. So,
keep all details from Squid job and push the object to the cache (if
cacheable).

user request - squid checks the dns is ok (corrects it if needed) - squid
download the right object and cache.
user request - squid checks the dns is ok (corrects it if needed) - squid
pushes from its cache.

Again, if Squid requests the right object based on its dns requests, it'll
deliver to clients the good one.
So, we should not see ORIGINAL_DST anymore...

And, when I see the architecture Yuri must do to avoid ORIGINAL_DST, I'm sure
all Squid users will be happy 

Fred






Re: [squid-users] TProxy and client_dst_passthru

2015-07-03 Thread Amos Jeffries
On 4/07/2015 12:05 a.m., Stakres wrote:
 Hi Amos,
 Can we expect a workaround to allow the object to the cache if the dns
 record is corrected by Squid instead of having an ORIGINAL_DST ?
 If Squid corrects the request, it means the URL will be good, so we should be
 able to cache the object 

Any ideas on how Squid could correct the request when all data comes
from the untrusted client?

I am still looking for ways to get per-client caching to operate
cleanly. For these (and Cache-Control:private objects) to be stored for
re-use by the one client.

Amos



Re: [squid-users] TProxy and client_dst_passthru

2015-07-02 Thread Stakres
Hi,

I'm back to this post because it still does not work.
You explain "OFF - Squid selects a (possibly new, or not) IP to be used as
the server (logs DIRECT)." Sorry to say this is not the reality in the Squid.
We have set the pass-thru directive to OFF and here is the result:
TCP_MISS/206 72540 GET
http://www.google.com/dl/chrome/win/B6585D9F8CF5DBD2/43.0.2357.130_chrome_installer.exe
- ORIGINAL_DST/216.58.220.36

Is there a way to totally disable the DNS control done by Squid ?

Thanks 

Bye Fred





Re: [squid-users] TProxy and client_dst_passthru

2015-07-02 Thread Stakres
Hi Amos,

216.58.220.36 != www.google.com ??? 
Have a look: http://www.ip-adress.com/whois/216.58.220.36, this is google.

Depending on the DNS server used, the IP can change, we know that especially due
to BGP.

In the case the client is an ISP providing internet to smaller ISPs with
different DNS with their end users, here I understand that due to the
ORIGINAL_DST squid will check the headers and if the dns records do not
match so squid will not cache, even with a storeid engine, because too many
different DNS servers in the loop (users - small ISP - big ISP - squid -
internet), am I right ?

So, the result is a very poor 9% saving where we could expect around 50%
saving. 

Can you plan, for a next build, a workaround to accept the original dns
record from the headers and check dns if and only if the headers do not
contain any dns record ?
I understand Squid should provide some securities but here we should have
the possibility to ON/OFF these securities.
Or do we need to downgrade to Squid 2.7/3.0 ?

ISPs need to cache a lot, security is not their main issue.

Thanks in advance.
Fred






Re: [squid-users] TProxy and client_dst_passthru

2015-07-02 Thread Amos Jeffries
On 2/07/2015 6:32 p.m., Stakres wrote:
 Hi,
 
 I'm back to this post because it still does not work.
 You explain "OFF - Squid selects a (possibly new, or not) IP to be used as
 the server (logs DIRECT)." Sorry to say this is not the reality in the Squid.
 We have set the pass-thru directive to OFF and here is the result:
 TCP_MISS/206 72540 GET
 http://www.google.com/dl/chrome/win/B6585D9F8CF5DBD2/43.0.2357.130_chrome_installer.exe
 - ORIGINAL_DST/216.58.220.36
 
 Is there a way to totally disable the DNS control done by Squid ?

No. For the requests where ORIGINAL_DST is mandatory, it is so because the
client Host header contains an identifiable problem. The URL cannot be
cached without allowing other clients to be affected by that problem.
Specifically that 216.58.220.36 != www.google.com.

Amos



Re: [squid-users] TProxy and client_dst_passthru

2015-07-02 Thread Stakres
Hi Yury,

In your installation, with your devices... At home, I do the same like you,
but I'm not an ISP.

Here the issue is that end users could use different dns the ISPs cannot
control.
Home/Enterprise, the admin can control the used DNS servers with devices. In
an ISP environment, we cannot control/manage, end users do what they want.
2 different worlds, not the same rules, sorry 

Fred








Re: [squid-users] TProxy and client_dst_passthru

2015-07-02 Thread Yuri Voinov

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
 
Fred,

I'm talking not about localhost installation.

My squid serves business-center. With hundreds of users.

In this environment, we use also transparent DNS interception onto DNS
cache. DNS cache itself uses clean sources for resolving, using dnscrypt.

This permits me almost full control above DNS. ;)

Sorry, but you can build your own world. :)) Or can't
: As you wish.

WNR, Yuri

02.07.15 18:59, Stakres wrote:
 Hi Yury,

 In your installation, with your devices... At home, I do the same like
you,
 but I'm not an ISP.

 Here the issue is that end users could use different dns the ISPs cannot
 control.
 Home/Enterprise, the admin can control the used DNS servers with
devices. In
 an ISP environment, we cannot control/manage, end users do what they want.
 2 different worlds, not the same rules, sorry

 Fred







-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBCAAGBQJVlT4lAAoJENNXIZxhPexG90EH/0YI+7ERqjv32GDz564YupeF
Cu0y2oCdclt5zNBQMVzXfKOwYpePk6XDk9coSCMiTPOq8gjagB4sx5nm+da3tCd/
+vJvF17ht4f0Ue1CPblv7h2McX+ui6+92V3/saaDMMHr59XjAqfycg3Iev8wnH56
uWL35hYfm+djZVse0roKUdB4E43fAFH5NelMEnFOdWRXuJn8WFlWPTNMly1mYOzz
5KwQR0mWhb9QyKgQc/rWmsEoby2SxqulkbpkHfu5cT+F1G0CtcNvjcaseEZ7S9ku
WSaex0XNQtBX/WDEDla/pagPc45yMUBpQXm10k5B4V6RUO8R/67/EZmUXrQ+8EE=
=aBUc
-END PGP SIGNATURE-



Re: [squid-users] TProxy and client_dst_passthru

2015-07-02 Thread Yuri Voinov

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
 
Fred,

I'm talking not about localhost installation.

My squid serves business-center. With hundreds of users.

In this environment, we use also transparent DNS interception onto DNS
cache. DNS cache itself uses clean sources for resolving, using dnscrypt.

This permits me almost full control above DNS. ;)

Sorry, but you can build your own world. :)) Or can't
: As you wish.

WBR, Yuri

02.07.15 18:59, Stakres wrote:
 Hi Yury,

 In your installation, with your devices... At home, I do the same like
you,
 but I'm not an ISP.

 Here the issue is that end users could use different dns the ISPs cannot
 control.
 Home/Enterprise, the admin can control the used DNS servers with
devices. In
 an ISP environment, we cannot control/manage, end users do what they want.
 2 different worlds, not the same rules, sorry

 Fred









Re: [squid-users] TProxy and client_dst_passthru

2015-04-06 Thread Stakres
Hi Amos,

We have done additional tests in production with ISPs and the ORIGINAL_DST
in tproxy cannot be cached.
In normal mode (not tproxy), ORIGINAL_DST can be cached, no problem.
But once in tproxy (http_port 3128 tproxy), no way, it's impossible to get
TCP_HIT.

We have played with the client_dst_passthru and the host_verify_strict, many
combinations on/off.
By settings client_dst_passthru ON and host_verify_strict OFF, we can reduce
the number of ORIGINAL_DST (generating DNS alerts in the cache.log) but it
makes issues with HTTPS websites (facebook, hotmail, gmail, etc...).
We have also tried many DNS servers (internals and/or externals), same
issue.

I read what you explain in your previous email but it seems there is
something weird.
The problem is that the ORIGINAL_DST could be up to 25% of the traffic with
some installations meaning this part is out-of-control in term of cache
potential.

All help is welcome here 
Thanks in advance.

Bye Fred





Re: [squid-users] TProxy and client_dst_passthru

2015-03-04 Thread Amos Jeffries
On 4/03/2015 8:19 p.m., Stakres wrote:
> Hi Eliezer,
>
> Well, we have done many tests with Squid (3.1 to 3.5.x), disabling
> client_dst_passthru (off) will stop the DNS entry as explained in the
> wiki, the option directly acts on the flag ORIGINAL_DST.

You literally have that backwards.

The cause is NAT/TPROXY.
The directive is acting on the NAT mangled dst-IP address (replace it?
yes/no).
The log flag is an effect telling you what was chosen (yes or no answer).


> As you know, ORIGINAL_DST switches the optimization off (ex: StoreID) then
> it's not possible to cache the URL (ex: http://cdn2.example.com/mypic.png).
>
> In no tproxy/NAT mode, the client_dst_passthru works perfectly by disabling
> the DNS entry control, so optimization is done correctly.

WTF? no (and FWIW I wrote that pass-thru feature).

In no TPROXY/NAT mode the client *explicitly* requests Squid to fetch
a URL. Squid looks up DNS for the domain in that URL and contacts any
one of the IPs available.
 There is no client DNS lookup to do pass-thru for. The directive has no
effect whatsoever.


> But in tproxy/NAT, the client_dst_passthru has no effect, we see
> ORIGINAL_DST in logs.

In TPROXY/NAT intercept mode, the client does the DNS lookup and selects
which IP to contact. The NAT/TPROXY diverts the traffic into Squid.
Squid grabs the original client dst-IP from the kernel records. Does a
second DNS lookup to see where the URL was supposed to be going
according to more reliable sources.

 *IF* (and only if) Squid can verify the IP the client selected actually
belongs to the domain in the URL does Squid check the pass-thru directive:
 ON (default) - Squid uses the IP the client was connecting to (logs
ORIGINAL_DST);
 OFF - Squid selects a (possibly new, or not) IP to be used as the
server (logs DIRECT).

 Otherwise, when that dst-IP validation fails, Squid uses the IP the
client was connecting to. The directive has no effect whatsoever.


 
> So, maybe I'm totally wrong here the client_dst_passthru is not related to
> the ORIGINAL_DST, or there is an explanation why the client_dst_passthru
> does not act in tproxy/NAT...

client_dst_passthru is simply whether or not to use ORIGINAL_DST in the
cases where it is both available AND optional.
 There are other cases where it is mandatory to use, or is unavailable.


For users the key information is that:

Setting OFF enables HTTP routing optimizations and network error
recovery to take place, but severely confuses people/applications who
don't understand much about HTTP.


Setting ON reduces problems with broken web applications that (wrongly)
assume end-to-end connectivity within HTTP, or that (wrongly) assume all
connections to a given IP are going to end up at the same origin server.
Neither of those assumptions is true for HTTP whether it goes over port
80 or port 443 or a proxy.


Amos


[squid-users] TProxy and client_dst_passthru

2015-03-03 Thread Stakres
Hi All,

Does someone know why the *client_dst_passthru* does not work in TProxy
mode?

From the Squid wiki, we can read that:
/Regardless of this option setting, when dealing with intercepted
traffic Squid will verify the Host: header and any traffic which
fails Host verification will be treated as if this option were ON/.

In normal (no intercept) http_port, the option works fine but does not act
on Tproxy...

Thanks in advance for your feedbacks 

Bye Fred





Re: [squid-users] TProxy and client_dst_passthru

2015-03-03 Thread Eliezer Croitoru

Hey Fred,

It is unclear what doesn't work for you.
What would you expect to work, and how does it work or not work from a
user perspective rather than an admin's?

Is there any trouble from the user side about this issue?

Eliezer



Re: [squid-users] TProxy and client_dst_passthru

2015-03-03 Thread Stakres
Hi Eliezer,

Well, we have done many tests with Squid (3.1 to 3.5.x), disabling
client_dst_passthru (off) will stop the DNS entry as explained in the
wiki, the option directly acts on the flag ORIGINAL_DST.
As you know, ORIGINAL_DST switches the optimization off (ex: StoreID) then
it's not possible to cache the URL (ex: http://cdn2.example.com/mypic.png).

In no tproxy/NAT mode, the client_dst_passthru works perfectly by disabling
the DNS entry control, so optimization is done correctly.
But in tproxy/NAT, the client_dst_passthru has no effect, we see
ORIGINAL_DST in logs.

So, maybe I'm totally wrong here the client_dst_passthru is not related to
the ORIGINAL_DST, or there is an explanation why the client_dst_passthru
does not act in tproxy/NAT...

Bye Fred





Re: [squid-users] Tproxy immediately closing connection

2014-07-29 Thread jan
I installed libcap-dev package, recompiled squid and TPROXY is now 
working fine for both IPv4 and IPv6.


Thanks Amos!



Re: [squid-users] Tproxy immediately closing connection

2014-07-26 Thread Amos Jeffries
On 25/07/2014 10:02 a.m., Jan Krupa wrote:
> Hi all,
>
> I've been struggling to configure transparent proxy for IPv6 on my
> Raspberry Pi acting as a router following the guide:
> http://wiki.squid-cache.org/Features/Tproxy4
>
> Despite all my efforts, all I got was squid immediately closing
> connection after it was established (not rejecting connection, three-way
> handshake is successful and then the client receives RST packet).
>

Do you have libcap2 installed and libcap2-dev used to build Squid?
 there have been a few issues where its absence was not notified by Squid.

Amos



[squid-users] Tproxy immediately closing connection

2014-07-24 Thread Jan Krupa

Hi all,

I've been struggling to configure transparent proxy for IPv6 on my 
Raspberry Pi acting as a router following the guide:

http://wiki.squid-cache.org/Features/Tproxy4

Despite all my efforts, all I got was squid immediately closing 
connection after it was established (not rejecting connection, three-way 
handshake is successful and then the client receives RST packet).


For example:

root@rpi:~# telnet ::1 3129
Trying 2001:470:71:604::1...
Connected to 2001:470:71:604::1.
Escape character is '^]'.
Connection closed by foreign host.


I tried different systems and the results are as follows:

Raspbian (debian-based) 3.12.22 kernel, squid 3.4.6 - unsuccessful
Centos 6.5 2.6.32 kernel, squid 3.4.6 - unsuccessful
Fedora 20 3.12 kernel - successful
Ubuntu 14.04 3.13 kernel, squid 3.3.6 - successful


Configuration is just default with tproxy port added:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 tproxy
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$  0   20% 2880
refresh_pattern .               0       20%     4320


I dumped the logs from Centos 6.5 to see what's going on:

The most verbose squid cache log (-X option):

2014/07/24 23:36:11.147| TcpAcceptor.cc(220) doAccept: New connection on 
FD 10
2014/07/24 23:36:11.147| TcpAcceptor.cc(295) acceptNext: connection on 
local=[::]:3129 remote=[::] FD 10 flags=25

2014/07/24 23:36:11.147| fd.cc(221) fd_open: fd_open() FD 8 HTTP Request
2014/07/24 23:36:11.147| Intercept.cc(371) Lookup: address BEGIN: 
me/client= [::1]:3129, destination/me= [::1]:36047
2014/07/24 23:36:11.147| TcpAcceptor.cc(287) acceptOne: Listener: 
local=[::]:3129 remote=[::] FD 10 flags=25 accepted new connection 
local=[::1]:3129 remote=[::1]:36047 FD 8 flags=17 handler Subscription: 
0x29f9a20*1
2014/07/24 23:36:11.147| AsyncCall.cc(18) AsyncCall: The AsyncCall 
httpAccept constructed, this=0x25d6bb0 [call40]
2014/07/24 23:36:11.147| cbdata.cc(419) cbdataInternalLock: cbdataLock: 
0x257c398=3
2014/07/24 23:36:11.147| cbdata.cc(419) cbdataInternalLock: cbdataLock: 
0x257c398=4
2014/07/24 23:36:11.147| cbdata.cc(510) cbdataReferenceValid: 
cbdataReferenceValid: 0x257c398
2014/07/24 23:36:11.147| cbdata.cc(419) cbdataInternalLock: cbdataLock: 
0x257c398=5
2014/07/24 23:36:11.147| cbdata.cc(456) cbdataInternalUnlock: 
cbdataUnlock: 0x257c398=4
2014/07/24 23:36:11.147| AsyncCall.cc(85) ScheduleCall: 
TcpAcceptor.cc(317) will call httpAccept(local=[::1]:3129 
remote=[::1]:36047 FD 8 flags=17, flag=-1, data=0x257c398, MXID_1) [call40]
2014/07/24 23:36:11.147| ModEpoll.cc(139) SetSelect: FD 10, type=1, 
handler=1, client_data=0x29fb108, timeout=0
2014/07/24 23:36:11.147| AsyncCallQueue.cc(51) fireNext: entering 
httpAccept(local=[::1]:3129 remote=[::1]:36047 FD 8 flags=17, flag=-1, 
data=0x257c398, MXID_1)
2014/07/24 23:36:11.147| AsyncCall.cc(30) make: make call httpAccept 
[call40]
2014/07/24 23:36:11.147| cbdata.cc(510) cbdataReferenceValid: 
cbdataReferenceValid: 0x257c398
2014/07/24 23:36:11.147| cbdata.cc(510) cbdataReferenceValid: 
cbdataReferenceValid: 0x257c398
2014/07/24 23:36:11.147| cbdata.cc(419) cbdataInternalLock: cbdataLock: 
0x257c398=5
2014/07/24 23:36:11.147| cbdata.cc(510) cbdataReferenceValid: 
cbdataReferenceValid: 0x257c398

2014/07/24 23:36:11.147| client_side.cc(3408) httpAccept:
reentrant debuging 2-{cbdata.cc(510) cbdataReferenceValid: 
cbdataReferenceValid: 0x257c398}-2
httpAccept: local=[::]:3129 remote=[::] FD 10 flags=25: accept failure: 
(0) No error.
2014/07/24 23:36:11.147| cbdata.cc(456) cbdataInternalUnlock: 
cbdataUnlock: 0x257c398=4
2014/07/24 23:36:11.147| AsyncCallQueue.cc(53) fireNext: leaving 
httpAccept(local=[::1]:3129 remote=[::1]:36047 FD 8 flags=17, flag=-1, 
data=0x257c398, MXID_1)
2014/07/24 23:36:11.147| cbdata.cc(456) cbdataInternalUnlock: 
cbdataUnlock: 0x257c398=3
2014/07/24 23:36:11.147| cbdata.cc(456) cbdataInternalUnlock: 
cbdataUnlock: 0x257c398=2
2014/07/24 23:36:11.147| Connection.cc(33) ~Connection: BUG #3329: 
Orphan Comm::Connection: local=[::1]:3129 remote=[::1]:36047 FD 8 flags=17
2014/07/24 23:36:11.147| Connection.cc(34) ~Connection: NOTE: 1 Orphans 
since last started.
2014/07/24 23:36:11.148| comm.cc(1080) _comm_close: 

Re: [squid-users] TPROXY Squid Error.

2014-07-10 Thread Eliezer Croitoru
Well about the rules of mikrotik you already know that NAT is not the 
direction.

In any case about the basic_data.sh script.
I had a typo but..
What terminal are you using??
In most color terminals you won't see the special markings.

Thanks,
Eliezer





Re: [squid-users] TPROXY Squid Error.

2014-07-09 Thread Info OoDoO
Hi,
I'm using Microtik 1100 AH X2 Router,

here is my Basic Data from your latest script.

http://pastebin.com/GHkD5yYx

Thanks,
Ganesh J


On Wed, Jul 9, 2014 at 1:08 AM, Eliezer Croitoru elie...@ngtech.co.il wrote:
 What router are you using??

 Eliezer

 P.S. I will be at the squid irc channel for about couple hours
 http://webchat.freenode.net/?channels=squid


 On 07/08/2014 10:19 PM, Info OoDoO wrote:

 Configured Squid 3.4.6 again with all the options, still facing the same
 issue.

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:55 PM, Nyamul Hassan nya...@gmail.com wrote:

 We were in the same problem just a few days ago.  Can you recompile and
 check?

 Also, since you are compiling, then can you also try the latest stable
 version 3.4.6?

 Regards
 HASSAN


 On Wed, Jul 9, 2014 at 12:24 AM, Info OoDoO i...@oodoo.co.in wrote:

 Sorry, I installed it recently and it was not there when i compiled
 and configured squid from source.

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:52 PM, Info OoDoO i...@oodoo.co.in wrote:

 Yes.. it is installed..

 libcap-devel.x86_64  2.16-5.5.el6  @base

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:49 PM, Nyamul Hassan nya...@gmail.com
 wrote:

 For your kind attention, i have not installed Squid 3.1.10 from YUM.
 I
 have Compiled and installed from the source with the following
 options.

 http://pastebin.com/jFhzd3qj


 Oh!  If you did compile it, then can you check if you have
 libcap-devel installed?

 Regards
 HASSAN




Re: [squid-users] TPROXY Squid Error.

2014-07-09 Thread Nyamul Hassan
What are the rules in Mikrotik that you are using?  What is the
network diagram?  How many interfaces on Mikrotik are you using for
this purpose?  How many NICs are there on the Squid box?  Can you give
an idea of your network diagram?

Also, a few days ago, I also posted the rules that I am using in
Mikrotik.  Can you check if they match yours?

Regards
HASSAN




Re: [squid-users] TPROXY Squid Error.

2014-07-09 Thread Info OoDoO
I use two ports in the Mikrotik Router, one for WAN and the other for LAN. I
have no rules set up in the Router except the NATting of Src and Dst for
private to public IP and vice versa.

There are two nics in squid box. but I am using only one.

The Lan From router is Connected to switch and the squid nic is also
connected to the same vlan of the switch.

and i'm using a box connected to the the same vlan of the switch to test squid.

Simple .  Router to Switch
Squid to Switch
Test to Switch

All in the same Vlan.

Thanks,
Ganesh J






Re: [squid-users] TPROXY Squid Error.

2014-07-09 Thread Nyamul Hassan
There you go.  NAT rules will not work on TProxy.  You need to play
with Mangle rules.  The ones I am using are:

/ip fir man
add action=mark-routing chain=prerouting disabled=no dst-port=80
new-routing-mark=_to_squid_ passthrough=yes protocol=tcp
src-address-list=_to_squid_ src-mac-address=!<MAC of squid server>
add action=mark-routing chain=prerouting disabled=no
dst-address-list=_to_squid_ new-routing-mark=_to_squid_
passthrough=yes protocol=tcp src-port=80
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=<IP of squid server>
routing-mark=_to_squid_

Notes:
*  Please change the <MAC of squid server> and <IP of squid server>
accordingly.  Do not include the < or > tag.
*  Be careful that the ! mark before the MAC address is there
intentionally, and serves a purpose.
*  We work entirely on src-address-list, so that we can control who
passes through Squid and who does not.  You could replace that with
just src-address.
*  Please disable / remove all other NAT or related rules that might
interfere with these rules here.
*  These rules assume that your clients are on Real IP (which our
clients are).  If the clients are on the Private IP range (as you
described), and you are still facing problems, then perhaps your NAT
rule is interfering.  In that case, can you make a pastebin of the
/export?

Please see if these work out for you, and then advise.

Regards
HASSAN





Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Info OoDoO
Thanks Hassan,

I have covered all the steps except the WCCP configuration, coz I don't
use a WCCP router. I tried discovering a routing loop and was unable
to find any; could you please help me with how to find a routing loop.

Here is my Squid Conf and my TCPdump sample.

http://pastebin.com/aJskfywx -- TCPdump
http://pastebin.com/b9u24rEC -- Squid Conf

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 2:55 AM, Nyamul Hassan nya...@gmail.com wrote:
 Did you check the possibility of a routing loop as described in the
 troubleshooting section of the TProxy wiki page?  In fact, can you
 check that you have covered all the steps mentioned in that section?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 2:37 AM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 Now the requests are passing through Squid but failing with 110
 Connection Timed Out Error.

 When I use transparent mode it's working fine. Any idea..!!

 Thanks,
 Ganesh J
 Thanks,
 OodoO Fiber,
 +91 8940808080
 www.oodoo.co.in


 On Tue, Jul 8, 2014 at 1:16 AM, Nyamul Hassan nya...@gmail.com wrote:
 Hi Ganesh,

 In your basic data pastebin, seems like the ip rule and ip route
 rules are missing.

 Please see if running the following commands helps the situation:
 * echo 100 squidtproxy >> /etc/iproute2/rt_tables
 * ip rule add fwmark 1 lookup 100
 * ip route add local default dev lo table 100

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 Packets are being forwarded from the cache box to the internet and I'm
 able to see the Client Public address instead of the squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through 
 Squid..
 I'm unable to view any log for the request on access.log.
 If i use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can some body Help me on this..
 My basic Data of Machine is

 http://pastebin.com/TdnhnJtx

 Thanks,
 Ganesh J


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Nyamul Hassan
tcpdump shows traffic flowing both ways, which is good.  We also need
to have the following settings:

#  sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0

The last two lines are for my specific system where I have two NICs.
Feel free to modify on your own.  After changing the file running
sysctl -p usually works.  To check if it did, please run the
following commands:

find /proc/sys/net/ipv4/ -iname rp_filter
find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +

The first shows all the rp_filter in your system.
The second shows if they are indeed set to 0 as needed.

Please do a pastebin for both sysctl.conf and the outputs of the find commands.

Regards
HASSAN



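A checker for the host-side prerequisites Hassan lists in this thread (ip_forward, rp_filter on every interface, the fwmark rule, and the table 100 local route), added here as an example; it is neither code from the thread nor part of Squid. It works on the text output of the commands Hassan names, so it can be run offline against saved output as well as live; the script name tproxy_check.sh and the `squidtproxy` table name (from Hassan's rt_tables line) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from Squid): checks the host-side
# TPROXY prerequisites Hassan lists in this thread. Each check takes the
# command output as a string, so saved text can be checked offline exactly
# like a live box; the script name tproxy_check.sh is an assumption.

# $1 = output of: find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +
# Succeeds only when at least one value was read and every value is 0.
rp_filter_ok() {
    # grep -vx '0' selects any line that is not exactly "0" (an empty
    # result counts as a failure too), so its success means NOT ready.
    ! printf '%s\n' "$1" | grep -qvx '0'
}

# $1 = contents of /proc/sys/net/ipv4/ip_forward
ip_forward_ok() {
    [ "$1" = "1" ]
}

# $1 = output of: ip rule show
# "ip rule add fwmark 1 lookup 100" is displayed as "fwmark 0x1 lookup 100";
# if table 100 was named squidtproxy in rt_tables, it shows up by name.
ip_rule_ok() {
    printf '%s\n' "$1" | grep -qE 'fwmark 0x1 lookup (100|squidtproxy)( |$)'
}

# $1 = output of: ip route show table 100
# "ip route add local default dev lo table 100" is displayed as
# "local default dev lo scope host"; an ordinary "default via ..." route
# in that table is the wrong thing and must not pass.
ip_route_ok() {
    printf '%s\n' "$1" | grep -qE '^local default dev lo( |$)'
}

# Prints OK/FAIL for one check ($1 = label, $2 = exit status of the check)
# and counts failures in the global "failed".
report() {
    if [ "$2" -eq 0 ]; then
        echo "OK   $1"
    else
        echo "FAIL $1"
        failed=$((failed + 1))
    fi
}

# Gathers the same outputs on this host and reports each item.
# Returns the number of failed checks (0 = all prerequisites present).
tproxy_prereq_check() {
    failed=0
    rp=$(find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} + 2>/dev/null)
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
    rules=$(ip rule show 2>/dev/null)
    routes=$(ip route show table 100 2>/dev/null)

    rp_filter_ok "$rp";    report "every rp_filter is 0" $?
    ip_forward_ok "$fwd";  report "net.ipv4.ip_forward = 1" $?
    ip_rule_ok "$rules";   report "ip rule: fwmark 0x1 lookup 100" $?
    ip_route_ok "$routes"; report "table 100: local default dev lo" $?
    return "$failed"
}

# Live run only when asked for (sh tproxy_check.sh --live), so sourcing the
# file for the offline checks does not touch the host.
case "${1:-}" in
    --live) tproxy_prereq_check ;;
esac
```

Run it with `--live` on the Squid box; a FAIL on the rule or route line is the same missing-table situation Hassan diagnosed from the pastebin, and a non-zero rp_filter is the classic cause of TPROXY replies being dropped before Squid sees them.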

Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Info OoDoO
Thanks Hassan,
Yes I have the following settings done.

Please see the details in the pastebin

http://pastebin.com/YzKDSV7J -- Find Results.

http://pastebin.com/XhZYiDxm --sysctl.conf

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 2:29 PM, Nyamul Hassan nya...@gmail.com wrote:
 tcpdump shows traffic flowing both ways, which is good.  We also need
 to have the following settings:

 #  sysctl.conf
 net.ipv4.ip_forward = 1
 net.ipv4.conf.default.rp_filter = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.eth0.rp_filter = 0
 net.ipv4.conf.eth1.rp_filter = 0

 The last two lines are for my specific system where I have two NICs.
 Feel free to modify on your own.  After changing the file running
 sysctl -p usually works.  To check if it did, please run the
 following commands:

 find /proc/sys/net/ipv4/ -iname rp_filter
 find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +

 The first shows all the rp_filter in your system.
 The second shows if they are indeed set to 0 as needed.

 Please do a pastebin for both sysctl.conf and the outputs of the find 
 commands.

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 2:34 PM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 I have covered all the steps except the WCCP Configuration, Coz i dont
 use WCCP Router. I tried discovering for Routing loop and was unable
 to find any, Could you please help me How to Find a Routing loop.

 Here is my Squid Conf and my TCPdump sample.

 http://pastebin.com/aJskfywx -- TCPdump
 http://pastebin.com/b9u24rEC -- Squid Conf

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 2:55 AM, Nyamul Hassan nya...@gmail.com wrote:
 Did you check the possibility of a routing loop as described in the
 troubleshooting section of the TProxy wiki page?  In fact, can you
 check that you have covered all the steps mentioned in that section?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 2:37 AM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 Now the requests are passing through Squid but failing with a 110
 Connection Timed Out error.

 When I use transparent mode it's working fine. Any idea?

 Thanks,
 Ganesh J
 Thanks,
 OodoO Fiber,
 +91 8940808080
 www.oodoo.co.in


 On Tue, Jul 8, 2014 at 1:16 AM, Nyamul Hassan nya...@gmail.com wrote:
 Hi Ganesh,

 In your basic data pastebin, seems like the ip rule and ip route
 rules are missing.

 Please see if running the following commands helps the situation:
 * echo 100 squidtproxy >> /etc/iproute2/rt_tables
 * ip rule add fwmark 1 lookup 100
 * ip route add local default dev lo table 100

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in 
 wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through 
 Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can somebody help me on this?
 My basic Data of Machine is

 http://pastebin.com/TdnhnJtx

 Thanks,
 Ganesh J


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Nyamul Hassan
Ok.  Good so far.  I saw you opened another email about this.  Please
keep related discussions in one single thread.  We had similar TProxy
issues around 7-8 days ago.  From your emails, it seems you are
running CentOS 6.5, just like we are.  The difference is that you are
using Squid 3.1 which is available in CentOS yum.  We installed the
same on our CentOS, and confirmed that Squid 3.1 is working with
TProxy.  So, I think this is a routing / iptables issue.

In that email, you mentioned that Squid is receiving the packets?  How
are you determining this?

Also, can you enable:
debug_options ALL,1 89,9 17,3
in your squid.conf?  This will print a bunch of debug messages in
cache.log when you try to browse through proxy.

Also, before you start browsing, run this command:
tcpdump -n -nn -e -i any dst port 80
That should allow you to see some packet header data.

Now, try to browse from client, and pastebin the output of both
 cache.log & tcpdump.

Regards
HASSAN


On Tue, Jul 8, 2014 at 4:54 PM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,
 Yes I have the following settings done.

 Please see the details in the pastebin

 http://pastebin.com/YzKDSV7J -- Find Results.

 http://pastebin.com/XhZYiDxm --sysctl.conf

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 2:29 PM, Nyamul Hassan nya...@gmail.com wrote:
 tcpdump shows traffic flowing both ways, which is good.  We also need
 to have the following settings:

 #  sysctl.conf
 net.ipv4.ip_forward = 1
 net.ipv4.conf.default.rp_filter = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.eth0.rp_filter = 0
 net.ipv4.conf.eth1.rp_filter = 0

 The last two lines are for my specific system where I have two NICs.
 Feel free to modify on your own.  After changing the file running
 sysctl -p usually works.  To check if it did, please run the
 following commands:

 find /proc/sys/net/ipv4/ -iname rp_filter
 find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +

 The first shows all the rp_filter in your system.
 The second shows if they are indeed set to 0 as needed.

 Please do a pastebin for both sysctl.conf and the outputs of the find 
 commands.

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 2:34 PM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 I have covered all the steps except the WCCP configuration, because I don't
 use a WCCP router. I tried looking for a routing loop and was unable
 to find any. Could you please help me find a routing loop?

 Here is my Squid Conf and my TCPdump sample.

 http://pastebin.com/aJskfywx -- TCPdump
 http://pastebin.com/b9u24rEC -- Squid Conf

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 2:55 AM, Nyamul Hassan nya...@gmail.com wrote:
 Did you check the possibility of a routing loop as described in the
 troubleshooting section of the TProxy wiki page?  In fact, can you
 check that you have covered all the steps mentioned in that section?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 2:37 AM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 Now the requests are passing through Squid but failing with a 110
 Connection Timed Out error.

 When I use transparent mode it's working fine. Any idea?

 Thanks,
 Ganesh J
 Thanks,
 OodoO Fiber,
 +91 8940808080
 www.oodoo.co.in


 On Tue, Jul 8, 2014 at 1:16 AM, Nyamul Hassan nya...@gmail.com wrote:
 Hi Ganesh,

 In your basic data pastebin, seems like the ip rule and ip route
 rules are missing.

 Please see if running the following commands helps the situation:
 * echo 100 squidtproxy >> /etc/iproute2/rt_tables
 * ip rule add fwmark 1 lookup 100
 * ip route add local default dev lo table 100

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in 
 wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through 
 Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can somebody help me on this?
 My basic Data of Machine is

 http://pastebin.com/TdnhnJtx

 Thanks,
 Ganesh J


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Info OoDoO
Sorry for the other mail chain. It was opened accidentally yesterday.

Thanks for the response.

Please find the required data below.

http://pastebin.com/Abs3QmMe -- cache.log

http://pastebin.com/eS94BHHu -- TCP Dump.

I was able to see the site logged in access.log with http code 504,
Gateway Timed Out. So I thought the packets are sent to squid.

For your kind attention, i have not installed Squid 3.1.10 from YUM. I
have Compiled and installed from the source with the following
options.

http://pastebin.com/jFhzd3qj


Thanks,
Ganesh J



On Tue, Jul 8, 2014 at 10:44 PM, Nyamul Hassan nya...@gmail.com wrote:
 Ok.  Good so far.  I saw you opened another email about this.  Please
 keep related discussions in one single thread.  We had similar TProxy
 issues around 7-8 days ago.  From your emails, it seems you are
 running CentOS 6.5, just like we are.  The difference is that you are
 using Squid 3.1 which is available in CentOS yum.  We installed the
 same on our CentOS, and confirmed that Squid 3.1 is working with
 TProxy.  So, I think this is a routing / iptables issue.

 In that email, you mentioned that Squid is receiving the packets?  How
 are you determining this?

 Also, can you enable:
 debug_options ALL,1 89,9 17,3
 in your squid.conf?  This will print a bunch of debug messages in
 cache.log when you try to browse through proxy.

 Also, before you start browsing, run this command:
 tcpdump -n -nn -e -i any dst port 80
 That should allow you to see some packet header data.

 Now, try to browse from client, and pastebin the output of both
 cache.log & tcpdump.

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 4:54 PM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,
 Yes I have the following settings done.

 Please see the details in the pastebin

 http://pastebin.com/YzKDSV7J -- Find Results.

 http://pastebin.com/XhZYiDxm --sysctl.conf

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 2:29 PM, Nyamul Hassan nya...@gmail.com wrote:
 tcpdump shows traffic flowing both ways, which is good.  We also need
 to have the following settings:

 #  sysctl.conf
 net.ipv4.ip_forward = 1
 net.ipv4.conf.default.rp_filter = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.eth0.rp_filter = 0
 net.ipv4.conf.eth1.rp_filter = 0

 The last two lines are for my specific system where I have two NICs.
 Feel free to modify on your own.  After changing the file running
 sysctl -p usually works.  To check if it did, please run the
 following commands:

 find /proc/sys/net/ipv4/ -iname rp_filter
 find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +

 The first shows all the rp_filter in your system.
 The second shows if they are indeed set to 0 as needed.

 Please do a pastebin for both sysctl.conf and the outputs of the find 
 commands.

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 2:34 PM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 I have covered all the steps except the WCCP configuration, because I don't
 use a WCCP router. I tried looking for a routing loop and was unable
 to find any. Could you please help me find a routing loop?

 Here is my Squid Conf and my TCPdump sample.

 http://pastebin.com/aJskfywx -- TCPdump
 http://pastebin.com/b9u24rEC -- Squid Conf

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 2:55 AM, Nyamul Hassan nya...@gmail.com wrote:
 Did you check the possibility of a routing loop as described in the
 troubleshooting section of the TProxy wiki page?  In fact, can you
 check that you have covered all the steps mentioned in that section?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 2:37 AM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 Now the requests are passing through Squid but failing with a 110
 Connection Timed Out error.

 When I use transparent mode it's working fine. Any idea?

 Thanks,
 Ganesh J
 Thanks,
 OodoO Fiber,
 +91 8940808080
 www.oodoo.co.in


 On Tue, Jul 8, 2014 at 1:16 AM, Nyamul Hassan nya...@gmail.com wrote:
 Hi Ganesh,

 In your basic data pastebin, seems like the ip rule and ip route
 rules are missing.

 Please see if running the following commands helps the situation:
 * echo 100 squidtproxy >> /etc/iproute2/rt_tables
 * ip rule add fwmark 1 lookup 100
 * ip route add local default dev lo table 100

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in 
 wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through 
 Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can some 

Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Info OoDoO
+Eliezer

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 11:46 PM, Info OoDoO i...@oodoo.co.in wrote:
 Sorry for the other mail chain. It was opened accidentally yesterday.

 Thanks for the response.

 Please find the required data below.

 http://pastebin.com/Abs3QmMe -- cache.log

 http://pastebin.com/eS94BHHu -- TCP Dump.

 I was able to see the site logged in access.log with http code 504,
 Gateway Timed Out. So I thought the packets are sent to squid.

 For your kind attention, i have not installed Squid 3.1.10 from YUM. I
 have Compiled and installed from the source with the following
 options.

 http://pastebin.com/jFhzd3qj


 Thanks,
 Ganesh J



 On Tue, Jul 8, 2014 at 10:44 PM, Nyamul Hassan nya...@gmail.com wrote:
 Ok.  Good so far.  I saw you opened another email about this.  Please
 keep related discussions in one single thread.  We had similar TProxy
 issues around 7-8 days ago.  From your emails, it seems you are
 running CentOS 6.5, just like we are.  The difference is that you are
 using Squid 3.1 which is available in CentOS yum.  We installed the
 same on our CentOS, and confirmed that Squid 3.1 is working with
 TProxy.  So, I think this is a routing / iptables issue.

 In that email, you mentioned that Squid is receiving the packets?  How
 are you determining this?

 Also, can you enable:
 debug_options ALL,1 89,9 17,3
 in your squid.conf?  This will print a bunch of debug messages in
 cache.log when you try to browse through proxy.

 Also, before you start browsing, run this command:
 tcpdump -n -nn -e -i any dst port 80
 That should allow you to see some packet header data.

 Now, try to browse from client, and pastebin the output of both
 cache.log & tcpdump.

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 4:54 PM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,
 Yes I have the following settings done.

 Please see the details in the pastebin

 http://pastebin.com/YzKDSV7J -- Find Results.

 http://pastebin.com/XhZYiDxm --sysctl.conf

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 2:29 PM, Nyamul Hassan nya...@gmail.com wrote:
 tcpdump shows traffic flowing both ways, which is good.  We also need
 to have the following settings:

 #  sysctl.conf
 net.ipv4.ip_forward = 1
 net.ipv4.conf.default.rp_filter = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.eth0.rp_filter = 0
 net.ipv4.conf.eth1.rp_filter = 0

 The last two lines are for my specific system where I have two NICs.
 Feel free to modify on your own.  After changing the file running
 sysctl -p usually works.  To check if it did, please run the
 following commands:

 find /proc/sys/net/ipv4/ -iname rp_filter
 find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +

 The first shows all the rp_filter in your system.
 The second shows if they are indeed set to 0 as needed.

 Please do a pastebin for both sysctl.conf and the outputs of the find 
 commands.

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 2:34 PM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 I have covered all the steps except the WCCP configuration, because I don't
 use a WCCP router. I tried looking for a routing loop and was unable
 to find any. Could you please help me find a routing loop?

 Here is my Squid Conf and my TCPdump sample.

 http://pastebin.com/aJskfywx -- TCPdump
 http://pastebin.com/b9u24rEC -- Squid Conf

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 2:55 AM, Nyamul Hassan nya...@gmail.com wrote:
 Did you check the possibility of a routing loop as described in the
 troubleshooting section of the TProxy wiki page?  In fact, can you
 check that you have covered all the steps mentioned in that section?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 2:37 AM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 Now the requests are passing through Squid but failing with a 110
 Connection Timed Out error.

 When I use transparent mode it's working fine. Any idea?

 Thanks,
 Ganesh J
 Thanks,
 OodoO Fiber,
 +91 8940808080
 www.oodoo.co.in


 On Tue, Jul 8, 2014 at 1:16 AM, Nyamul Hassan nya...@gmail.com wrote:
 Hi Ganesh,

 In your basic data pastebin, seems like the ip rule and ip route
 rules are missing.

 Please see if running the following commands helps the situation:
 * echo 100 squidtproxy >> /etc/iproute2/rt_tables
 * ip rule add fwmark 1 lookup 100
 * ip route add local default dev lo table 100

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in 
 wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through 
 Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to 

Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Nyamul Hassan
 For your kind attention, i have not installed Squid 3.1.10 from YUM. I
 have Compiled and installed from the source with the following
 options.

 http://pastebin.com/jFhzd3qj


Oh!  If you did compile it, then can you check if you have
libcap-devel installed?

Regards
HASSAN


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Info OoDoO
Yes, it is installed.

libcap-devel.x86_64  2.16-5.5.el6  @base

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 11:49 PM, Nyamul Hassan nya...@gmail.com wrote:
 For your kind attention, i have not installed Squid 3.1.10 from YUM. I
 have Compiled and installed from the source with the following
 options.

 http://pastebin.com/jFhzd3qj


 Oh!  If you did compile it, then can you check if you have
 libcap-devel installed?

 Regards
 HASSAN


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Info OoDoO
Sorry, I installed it recently and it was not there when I compiled
and configured squid from source.

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 11:52 PM, Info OoDoO i...@oodoo.co.in wrote:
 Yes, it is installed.

 libcap-devel.x86_64  2.16-5.5.el6  @base

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:49 PM, Nyamul Hassan nya...@gmail.com wrote:
 For your kind attention, i have not installed Squid 3.1.10 from YUM. I
 have Compiled and installed from the source with the following
 options.

 http://pastebin.com/jFhzd3qj


 Oh!  If you did compile it, then can you check if you have
 libcap-devel installed?

 Regards
 HASSAN


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Nyamul Hassan
We were in the same problem just a few days ago.  Can you recompile and check?

Also, since you are compiling, then can you also try the latest stable
version 3.4.6?

Regards
HASSAN


On Wed, Jul 9, 2014 at 12:24 AM, Info OoDoO i...@oodoo.co.in wrote:
 Sorry, I installed it recently and it was not there when I compiled
 and configured squid from source.

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:52 PM, Info OoDoO i...@oodoo.co.in wrote:
 Yes, it is installed.

 libcap-devel.x86_64  2.16-5.5.el6  @base

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:49 PM, Nyamul Hassan nya...@gmail.com wrote:
 For your kind attention, i have not installed Squid 3.1.10 from YUM. I
 have Compiled and installed from the source with the following
 options.

 http://pastebin.com/jFhzd3qj


 Oh!  If you did compile it, then can you check if you have
 libcap-devel installed?

 Regards
 HASSAN


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Info OoDoO
Configured Squid 3.4.6 again with all the options, still facing the same issue.

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 11:55 PM, Nyamul Hassan nya...@gmail.com wrote:
 We were in the same problem just a few days ago.  Can you recompile and check?

 Also, since you are compiling, then can you also try the latest stable
 version 3.4.6?

 Regards
 HASSAN


 On Wed, Jul 9, 2014 at 12:24 AM, Info OoDoO i...@oodoo.co.in wrote:
 Sorry, I installed it recently and it was not there when I compiled
 and configured squid from source.

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:52 PM, Info OoDoO i...@oodoo.co.in wrote:
 Yes, it is installed.

 libcap-devel.x86_64  2.16-5.5.el6  @base

 Thanks,
 Ganesh J


 On Tue, Jul 8, 2014 at 11:49 PM, Nyamul Hassan nya...@gmail.com wrote:
 For your kind attention, i have not installed Squid 3.1.10 from YUM. I
 have Compiled and installed from the source with the following
 options.

 http://pastebin.com/jFhzd3qj


 Oh!  If you did compile it, then can you check if you have
 libcap-devel installed?

 Regards
 HASSAN


Re: [squid-users] TPROXY Squid Error.

2014-07-08 Thread Eliezer Croitoru

What router are you using?

Eliezer

P.S. I will be at the squid irc channel for about a couple of hours
http://webchat.freenode.net/?channels=squid

On 07/08/2014 10:19 PM, Info OoDoO wrote:

Configured Squid 3.4.6 again with all the options, still facing the same issue.

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 11:55 PM, Nyamul Hassan nya...@gmail.com wrote:

We were in the same problem just a few days ago.  Can you recompile and check?

Also, since you are compiling, then can you also try the latest stable
version 3.4.6?

Regards
HASSAN


On Wed, Jul 9, 2014 at 12:24 AM, Info OoDoO i...@oodoo.co.in wrote:

Sorry, I installed it recently and it was not there when I compiled
and configured squid from source.

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 11:52 PM, Info OoDoO i...@oodoo.co.in wrote:

Yes, it is installed.

libcap-devel.x86_64  2.16-5.5.el6  @base

Thanks,
Ganesh J


On Tue, Jul 8, 2014 at 11:49 PM, Nyamul Hassan nya...@gmail.com wrote:

For your kind attention, i have not installed Squid 3.1.10 from YUM. I
have Compiled and installed from the source with the following
options.

http://pastebin.com/jFhzd3qj



Oh!  If you did compile it, then can you check if you have
libcap-devel installed?

Regards
HASSAN




[squid-users] TPROXY Squid Error.

2014-07-07 Thread collect oodoo
I have configured squid with the options in the below paste ..
http://pastebin.com/jFhzd3qj
I packets are being forwarded from the cache box to internet and I'm
able to see the Client Public address instead of squid Box Public
Address..
the Issue here is the requests are not being forwarded by or through Squid..
I'm unable to view any log for the request on access.log.
If I use the same squid in transparent mode then I'm able to view the
requests forwarded and logged on access.log but it shows Squid Box
Public IP address.
Can somebody help me on this?
My basic Data of Machine is

http://pastebin.com/TdnhnJtx

Thanks,
Ganesh J


Re: [squid-users] TPROXY Squid Error.

2014-07-07 Thread Nyamul Hassan
Can you also pastebin your squid.conf?

Regards
HASSAN

On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can somebody help me on this?
 My basic Data of Machine is

 http://pastebin.com/TdnhnJtx

 Thanks,
 Ganesh J


Re: [squid-users] TPROXY Squid Error.

2014-07-07 Thread Nyamul Hassan
Hi Ganesh,

In your basic data pastebin, seems like the ip rule and ip route
rules are missing.

Please see if running the following commands helps the situation:
* echo 100 squidtproxy >> /etc/iproute2/rt_tables
* ip rule add fwmark 1 lookup 100
* ip route add local default dev lo table 100

Regards
HASSAN


On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can somebody help me on this?
 My basic Data of Machine is

 http://pastebin.com/TdnhnJtx

 Thanks,
 Ganesh J
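
A host-side preflight for the settings this thread keeps coming back to: the rp_filter = 0 and ip_forward = 1 sysctls (and the find commands that verify them) from Hassan's earlier reply, and the fwmark 1 -> table 100 rule plus the local default route in that table from the message above. The script below is an added example, not code from the thread or from the Squid project. The mark value 1, the table number 100 and its squidtproxy alias come from the commands quoted in the thread; the function names, the /proc/sys paths and the expected text layout of ip rule show and ip route show table 100 (iproute2 prints the mark in hex, 0x1) are assumptions.

```python
"""TPROXY host preflight: the checks the thread asks for, in one place.

Added example; not from the squid-users thread or from Squid.  It assumes
the values recommended in the thread: rp_filter = 0 on every interface,
ip_forward = 1, 'ip rule add fwmark 1 lookup 100' and
'ip route add local default dev lo table 100'.
"""
import glob
import os
import re
import subprocess

TPROXY_MARK = 1                                  # the fwmark used in the thread
TPROXY_TABLE_NAMES = {"100", "squidtproxy"}      # table 100, or its rt_tables alias

SYSCTL_CONF = "/proc/sys/net/ipv4/conf"          # assumed Linux layout
IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"


def read_sysctl_tree(conf_root=SYSCTL_CONF):
    """Return {interface: rp_filter value}, the same files the find command lists."""
    values = {}
    for path in glob.glob(os.path.join(conf_root, "*", "rp_filter")):
        iface = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            values[iface] = fh.read().strip()
    return values


def audit_rp_filter(values):
    """Interfaces whose reverse-path filter is not 0.  With TPROXY, Squid's
    replies carry the client's source address, so strict (1) or loose (2)
    filtering on 'all', 'default' or the real NIC drops them as spoofed."""
    return sorted(iface for iface, v in values.items() if v != "0")


def parse_ip_rule(text, mark=TPROXY_MARK, tables=TPROXY_TABLE_NAMES):
    """True if `ip rule show` output has a rule sending the mark to the table.
    The mark is printed as hex (0x1), so parse with base 0."""
    pattern = re.compile(r"fwmark\s+(0x[0-9a-fA-F]+|\d+)(?:/\S+)?\s+lookup\s+(\S+)")
    for line in text.splitlines():
        m = pattern.search(line)
        if m and int(m.group(1), 0) == mark and m.group(2) in tables:
            return True
    return False


def parse_route_table(text):
    """True if `ip route show table 100` output has the local default route to lo."""
    return any(line.split()[:4] == ["local", "default", "dev", "lo"]
               for line in text.splitlines() if line.strip())


def preflight(rp_values, ip_forward, rule_text, route_text):
    """Collect every problem; an empty list means the Linux side matches the thread."""
    problems = []
    for iface in audit_rp_filter(rp_values):
        problems.append("rp_filter is %s on %s (must be 0)" % (rp_values[iface], iface))
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    if not parse_ip_rule(rule_text):
        problems.append("no 'ip rule ... fwmark 1 lookup 100' rule")
    if not parse_route_table(route_text):
        problems.append("table 100 lacks 'local default dev lo'")
    return problems


def _run(*argv):
    """Capture a command's stdout; the parsers above take the text."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    with open(IP_FORWARD) as fh:
        forwarding = fh.read()
    report = preflight(read_sysctl_tree(), forwarding,
                       _run("ip", "rule", "show"),
                       _run("ip", "route", "show", "table", "100"))
    for line in report or ["ok: sysctls and policy routing look right"]:
        print(line)
```

Run it as root on the proxy box; anything it prints is the setting to fix before looking at Squid itself. The parsers take plain text, so the same checks run against ip rule and ip route output pasted from another machine.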


Re: [squid-users] TPROXY Squid Error.

2014-07-07 Thread Info OoDoO
Thanks Hassan,

Now the requests are passing through Squid but failing with a 110
Connection Timed Out error.

When I use transparent mode it's working fine. Any idea?

Thanks,
Ganesh J
Thanks,
OodoO Fiber,
+91 8940808080
www.oodoo.co.in


On Tue, Jul 8, 2014 at 1:16 AM, Nyamul Hassan nya...@gmail.com wrote:
 Hi Ganesh,

 In your basic data pastebin, seems like the ip rule and ip route
 rules are missing.

 Please see if running the following commands helps the situation:
 * echo 100 squidtproxy >> /etc/iproute2/rt_tables
 * ip rule add fwmark 1 lookup 100
 * ip route add local default dev lo table 100

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can somebody help me on this?
 My basic Data of Machine is

 http://pastebin.com/TdnhnJtx

 Thanks,
 Ganesh J


Re: [squid-users] TPROXY Squid Error.

2014-07-07 Thread Nyamul Hassan
Did you check the possibility of a routing loop as described in the
troubleshooting section of the TProxy wiki page?  In fact, can you
check that you have covered all the steps mentioned in that section?

Regards
HASSAN

On Tue, Jul 8, 2014 at 2:37 AM, Info OoDoO i...@oodoo.co.in wrote:
 Thanks Hassan,

 Now the requests are passing through Squid but failing with a 110
 Connection Timed Out error.

 When I use transparent mode it's working fine. Any idea?

 Thanks,
 Ganesh J
 Thanks,
 OodoO Fiber,
 +91 8940808080
 www.oodoo.co.in


 On Tue, Jul 8, 2014 at 1:16 AM, Nyamul Hassan nya...@gmail.com wrote:
 Hi Ganesh,

 In your basic data pastebin, seems like the ip rule and ip route
 rules are missing.

 Please see if running the following commands helps the situation:
 * echo 100 squidtproxy >> /etc/iproute2/rt_tables
 * ip rule add fwmark 1 lookup 100
 * ip route add local default dev lo table 100

 Regards
 HASSAN


 On Tue, Jul 8, 2014 at 1:15 AM, Nyamul Hassan nya...@gmail.com wrote:
 Can you also pastebin your squid.conf?

 Regards
 HASSAN

 On Tue, Jul 8, 2014 at 12:53 AM, collect oodoo coll...@oodoo.co.in wrote:
 I have configured squid with the options in the below paste ..
 http://pastebin.com/jFhzd3qj
 I packets are being forwarded from the cache box to internet and I'm
 able to see the Client Public address instead of squid Box Public
 Address..
 the Issue here is the requests are not being forwarded by or through 
 Squid..
 I'm unable to view any log for the request on access.log.
 If I use the same squid in transparent mode then I'm able to view the
 requests forwarded and logged on access.log but it shows Squid Box
 Public IP address.
 Can somebody help me on this?
 My basic Data of Machine is

 http://pastebin.com/TdnhnJtx

 Thanks,
 Ganesh J


Re: [squid-users] TProxy Setup

2014-07-06 Thread Eliezer Croitoru

Hey Hassan,

I have found this interesting proxy setup in youtube:
http://www.youtube.com/watch?v=S65Gp79YHu8

Which is exactly what you need for your case.
I also see now that Mikrotik routers do make it very simple to set up.

Note that this setup uses an upstream proxy which is using port 8080 and 
you will need to define a rule (maybe on the MAC address level) which 
will not redirect traffic from the proxy towards the clients and the web.


Eliezer


Re: [squid-users] TProxy Setup

2014-07-06 Thread Nyamul Hassan
Thanks for the video, Eliezer!  The Mikrotik configuration part was
quite interesting!

New Basic Data:
http://pastebin.com/ULT2d4Ej

Debug (All,1 89,9 17,3)
http://pastebin.com/0Ycgtea2

Just one request from the client browser was made.  The destination is
also a server under our control, http://130.94.72.133.  It is just a
simple HTML file with the words "It works!"

Thank you for your time, Eliezer!

Regards
HASSAN


On Sun, Jul 6, 2014 at 1:06 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:
 Hey Hassan,

 I have found this interesting proxy setup in youtube:
 http://www.youtube.com/watch?v=S65Gp79YHu8

 Which is exactly what you need for your case.
 I also see now that Mikrotik routers do make it very simple to set up.

 Note that this setup uses an upstream proxy which is using port 8080 and you
 will need to define a rule (maybe on the MAC address level) which will not
 redirect traffic from the proxy towards the clients and the web.

 Eliezer


Re: [squid-users] TProxy Setup

2014-07-06 Thread Amos Jeffries

On 2014-07-06 20:18, Nyamul Hassan wrote:

Thanks for the video, Eliezer!  The Mikrotik configuration part was
quite interesting!

New Basic Data:
http://pastebin.com/ULT2d4Ej

Debug (All,1 89,9 17,3)
http://pastebin.com/0Ycgtea2

Just one request from the client browser was made.  The destination is
also a server under our control, http://130.94.72.133.  It is just a
simple HTML file with the words "It works!"



Hmm. Three TCP connections arrived at Squid.

2014/07/06 14:13:23.147 ... BEGIN: me/client= 130.94.72.133:80, 
destination/me= 116.193.170.10:4246
2014/07/06 14:13:23.149 ... BEGIN: me/client= 130.94.72.133:80, 
destination/me= 116.193.170.10:4247
2014/07/06 14:13:23.890 ... BEGIN: me/client= 130.94.72.133:80, 
destination/me= 116.193.170.10:4248


Assuming that the TPROXY was configured at the time these lines were 
logged it appears you have a forwarding loop, probably in the router.


One of the key things with TPROXY is that IP address based rules in the 
router do not work. Outgoing packets from Squid appear to be coming from 
the client, so only rules checking the interface or MAC address work 
properly on separate routers like the Mikrotik.


Amos
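
The symptom Amos reads off those three BEGIN lines can be checked mechanically over a whole cache.log captured with the debug_options 89,9 setting suggested earlier in the thread. The script below is an added example, not code from the thread or from Squid. It assumes the BEGIN line layout quoted above (me/client= is the remote address, destination/me= is the address Squid is standing in for), that the interception rule covers ports 80 and 443, and that an accepted connection whose remote side is on one of those ports is an origin server's reply that was intercepted a second time, which is exactly the forwarding loop Amos describes. The sample input reuses the addresses from Amos's quote (his elision kept) plus constructed lines for a healthy connection and for unrelated debug output.

```python
"""Spot a TPROXY forwarding loop in Squid's cache.log.

Added example, not code from the thread or from Squid.  It reads the
'BEGIN: me/client= A:p, destination/me= B:q' lines written with
debug_options 89,9 and flags connections whose remote side is a web
server port: with TPROXY, Squid's outbound packets carry the client's
address, so a router rule keyed on IP addresses intercepts the server's
reply and hands it back to Squid as a new 'client'.
"""
import re
import sys
from collections import Counter

BEGIN_RE = re.compile(
    r"BEGIN: me/client=\s*(?P<client>[\d.]+):(?P<cport>\d+),\s*"
    r"destination/me=\s*(?P<dest>[\d.]+):(?P<dport>\d+)")

INTERCEPTED_PORTS = {80, 443}   # ports the iptables TPROXY rule sends to Squid (assumption)


def parse_begin(line):
    """Extract both endpoints from a BEGIN line, or None for any other line."""
    m = BEGIN_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "cport": int(m["cport"]),
            "dest": m["dest"], "dport": int(m["dport"])}


def is_looped(conn, intercepted=INTERCEPTED_PORTS):
    """A real client connects from an ephemeral port to 80/443.  The reverse
    (remote side on 80/443, local side on an ephemeral port) is the origin
    server answering, which only reaches Squid's accept loop if the router
    or the local rules re-intercepted the reply."""
    return conn["cport"] in intercepted and conn["dport"] not in intercepted


def find_loops(lines):
    """Split accepted connections into looped replies and genuine clients."""
    looped, healthy = [], []
    for line in lines:
        conn = parse_begin(line)
        if conn is None:
            continue
        (looped if is_looped(conn) else healthy).append(conn)
    return looped, healthy


def summarise(looped):
    """Looped connections per origin server: the addresses whose replies leak."""
    return Counter(c["client"] for c in looped)


SAMPLE_LOG = [
    # the three lines Amos quoted (his "..." elision kept)
    "2014/07/06 14:13:23.147 ... BEGIN: me/client= 130.94.72.133:80, destination/me= 116.193.170.10:4246",
    "2014/07/06 14:13:23.149 ... BEGIN: me/client= 130.94.72.133:80, destination/me= 116.193.170.10:4247",
    "2014/07/06 14:13:23.890 ... BEGIN: me/client= 130.94.72.133:80, destination/me= 116.193.170.10:4248",
    # constructed: what a correctly intercepted client connection looks like
    "2014/07/06 14:13:25.001 ... BEGIN: me/client= 116.193.170.10:4250, destination/me= 130.94.72.133:80",
    # constructed: unrelated debug output, ignored by the parser
    "2014/07/06 14:13:25.002 kid1| unrelated debug output",
]


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    looped, healthy = find_loops(source)
    print("genuine client connections: %d" % len(healthy))
    print("re-intercepted server replies: %d" % len(looped))
    for server, n in summarise(looped).most_common():
        print("  %s answered %d times and was sent back to Squid" % (server, n))
```

If the second counter is non-zero while the first stays at zero, the interception point is matching Squid's own outbound traffic; as Amos says, the fix is a router rule on the interface or MAC address rather than on IP addresses.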


Re: [squid-users] TProxy Setup

2014-07-06 Thread Nyamul Hassan
Dear Amos,

Thank you for your suggestion!

The browser on the client is Chrome.  Interestingly, when I try to
open any link in Chrome, it tries 3 times.  But, when we try from an
Incognito Mode window, it makes only one request.

Moreover, there are two routers:
one for Host -> Rtr1 -> Squid
another for Squid -> Rtr2 -> Internet

This was done as per your advice so that we can detect loops in the
router with rules.

Please check this pastebin (all data from Rtr1):
http://pastebin.com/fdZpHvjn

*  The first line is just the logging rule that we use, which is the
same (for logic) as the routing-mark rule.
*  The number of packets that are logged by the router between
Incognito vs Non-Incognito mode of Chrome, are different.  5 (five)
for Incognito Mode, and 13 (thirteen) for Non-Incognito mode.
*  There are 3 (three) different source ports on client IP for
Non-Incognito Mode, but only 1 (one) for Incognito Mode.
*  All the MAC addresses are the same.

Also, the router only has policy - routing rules which are not
touched between Squid TProxy, Squid Intercept, and the
tproxy-example software as mentioned in an earlier email.

Thank you once again for looking into this Amos!

Regards
HASSAN

On Sun, Jul 6, 2014 at 4:09 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 2014-07-06 20:18, Nyamul Hassan wrote:

 Thanks for the video, Eliezer!  The Mikrotik configuration part was
 quite interesting!

 New Basic Data:
 http://pastebin.com/ULT2d4Ej

 Debug (All,1 89,9 17,3)
 http://pastebin.com/0Ycgtea2

 Just one request from the client browser was made.  The destination is
 also a server under our control.  http://130.94.72.133.  It is just a
 simple HTML file with the words "It works!"



 Hmm. Three TCP connections arrived at Squid.

 2014/07/06 14:13:23.147 ... BEGIN: me/client= 130.94.72.133:80,
 destination/me= 116.193.170.10:4246
 2014/07/06 14:13:23.149 ... BEGIN: me/client= 130.94.72.133:80,
 destination/me= 116.193.170.10:4247
 2014/07/06 14:13:23.890 ... BEGIN: me/client= 130.94.72.133:80,
 destination/me= 116.193.170.10:4248

 Assuming that the TPROXY was configured at the time these lines were logged
 it appears you have a forwarding loop, probably in the router.

 One of the key things with TPROXY is that IP address based rules in the
 router do not work. Outgoing packets from Squid appear to be coming from the
 client, so only rules checking the interface or MAC address work properly
 on separate routers like the Mikrotik.

 Amos


Re: [squid-users] TProxy Setup

2014-07-06 Thread Nyamul Hassan
Dear Amos,

I was working with Eliezer with the debug_options in Squid, and with an
ALL,9 option, captured the relevant log for a request from Incognito
Chrome on client:

http://pastebin.com/WWYpxceG

I am trying to understand the flow within Squid:
Line_1-7 shows that the packet was received
Line_8-14 httpAccept needs to be constructed / called
Line_16-17 confirms that httpAccept was called
Line_22-24 shows that httpAccept ended with accept failure

I went to the relevant lines in client_side.cc (3406-3410), and it says:

    if (params.flag != COMM_OK) {
        // Its possible the call was still queued when the client disconnected
        debugs(33, 2, "httpAccept: " << s->listenConn << ": accept failure: " <<
               xstrerr(params.xerrno));
        return;
    }

Does that help in any way, or am I barking up the wrong tree?

Regards
HASSAN





Re: [squid-users] TProxy Setup

2014-07-06 Thread Amos Jeffries



This is the right direction. The next thing is to find out why the 
accepted socket has an error flag attached to it by TcpAcceptor.


(Eliezer will have to help you with that digging for now. I am 
travelling and unable to look into the code for a few days.)


Amos



Re: [squid-users] TProxy Setup

2014-07-06 Thread Nyamul Hassan



Thank you!  TcpAcceptor.cc says it's section 5, so updated debug to
debug_options ALL,1 89,9 17,9 11,9 33,9, 5,9 and got the following:

http://pastebin.com/Aace2JGw

Will have to read / understand TcpAcceptor.cc to find out more.

Regards
HASSAN


Re: [squid-users] TProxy Setup

2014-07-06 Thread Nyamul Hassan
The problem has been found!  I did not have libcap-devel installed.
This is a primary requirement for TProxy.

Nonetheless, Squid also does not throw any error during runtime.  It
opens the TProxy port, in spite of not having it compiled.  This is a
bug.

Thank you Eliezer for your extensive help in this regard!  You rock!

Regards
HASSAN




Re: [squid-users] TProxy Setup

2014-07-06 Thread Nyamul Hassan
Just filed the bug:
http://bugs.squid-cache.org/show_bug.cgi?id=4078

Regards
HASSAN




Re: [squid-users] TProxy Setup

2014-07-05 Thread Nyamul Hassan
I apologize Eliezer if my words meant that Squid in general was
flawed.  On the contrary, we have been using Squid 2 for almost 6
years over multiple proxies, and have only found it to be among the
exceptional open source software out there.  And, the community
behind Squid also compares to the top few in the open source world.

What I meant was, perhaps the version of Squid that I am using (3.4.6)
has some changes that might have caused the TProxy to break
temporarily.

I'll have a go with other older versions and check further.

Wish me luck!

Regards
HASSAN






Re: [squid-users] TProxy Setup

2014-07-05 Thread Eliezer Croitoru

Hey,

I cannot tell you it's the case since I do not tend to verify that 
tproxy works on every squid release due to the basic small changes that 
happen from minor version to the other.
I test it on the first major release such as 3.3 and 3.4 and then don't 
tend to check it later.


But I am not sure this is the case...
I have tested squid 3.4 for tproxy more than once so it seems like it
should work and if none of the working setups that upgraded complained I
assumed it stays this way.


But lets try another way, run the debugging script from:
http://www1.ngtech.co.il/squid/basic_data.sh
As a root user

also add to your squid.conf the line:
debug_options ALL,1 89,9 17,3
and restart squid.

This will give you more information in squid and will show you some 
output in cache.log that will make us understand what is the situation 
with tproxy requests..
If you do not get the website it doesn't mean that squid does what it id 
does good.

It is possible that other things are bad..

Eliezer

P.S. I am at the #squid irc channel at freenode and using this link:
http://webchat.freenode.net/?channels=squid
You can get there and talk to me.
My nick name is elico








Re: [squid-users] TProxy Setup

2014-07-05 Thread Nyamul Hassan
Thank you Eliezer for your email.

We have been able to get the information into pastebin as follows:

Squid.conf
http://pastebin.com/QGCfXbCk

./basic_data.sh
http://pastebin.com/EP8kB8MU

Debug (All,9)
http://pastebin.com/WWYpxceG
We already were reading the full debug logs, when your email arrived.
So, the data was ready.  We just copied the relevant lines that showed
up.

In that last pastebin, lines 29 & 30 are interesting:
2014/07/06 03:24:42.962 kid1| Connection.cc(33) ~Connection: BUG
#3329: Orphan Comm::Connection: local=130.94.72.133:80
remote=A.B.170.10:4362 FD 12 flags=17
2014/07/06 03:24:42.962 kid1| Connection.cc(34) ~Connection: NOTE: 1
Orphans since last started.

Perhaps that is an indication of the source of the trouble?

Regards
HASSAN





Re: [squid-users] TProxy Setup

2014-07-05 Thread Eliezer Croitoru

Hey Hassan,

OK so after looking at the debug script:
- you don't have squid running at the time that the script ran (no port
3129 listening)
- I need the relevant ALL,1 89,9 debug specifically. Any other
debug sections I do not care about right now.


I see you are running CentOS by the kernel version.

Try to filter the logs by replacing the IP address instead with A.B.X.X
with a consistent numbered IP address so it would be readable.


Thanks,
Eliezer





Re: [squid-users] TProxy Setup

2014-07-04 Thread Amos Jeffries
Just some quick answers to your questions inline below. (I've not had 
time to consider this in detail sorry.)


On 2014-07-04 03:03, Nyamul Hassan wrote:

Thank you Amos & Eliezer for your responses!

Amos, we have enabled debug_options 11,2, but that did not show any
HTTP request being received by Squid, not even after doing the changes
that Eliezer suggested.  But they did show up, when we reverted back
to http_port 3127 intercept related configuration.  More details
below.


That is the problem then. Something is blocking the traffic arriving at 
Squid listening port. selinux, rp_filter or ip_forward sysctl settings I 
usually find are the problem for this, although there have been a few 
cases where nobody could figure out why this was happening.




Eliezer, we tried with the "ip route add local default dev lo table
100", but still same problem.  I think the wiki page
http://wiki.squid-cache.org/Features/Tproxy4 needs to be updated as it
clearly says "dev eth0" and not "dev lo".


see the /!\ notes in the wiki page under the section about setting
up the route table.


The interface(s) to attach the table to is the one receiving the 
packets. From your description I suspect you will have two interfaces - 
one for each of Rtr1 and Rtr2.


For debugging try setting it for each interface receiving traffic and
see if TPROXY starts working.




Our setup would need a bit explanation.  Please bear with me while I
describe as below:

For Traffic From Host:
#Start# Host (eth0 A.B.170.10/26) --
-- (eth2 A.B.170.1/26) Rtr1 (eth2 A.B.170.1/26) --
-- (eth0 A.B.170.24/26) SquidBox (eth1 A.B.169.21/28) --
-- (eth2 A.B.169.17/28) Rtr2 (eth1 BGP peered uplink) --
--  Internet #End#

For Traffic From Internet:
#Start# Internet --
-- (eth1 BGP peered uplink) Rtr2 (eth2 A.B.169.17/28) --
-- (eth1 A.B.169.21/28) SquidBox (eth0 A.B.170.24/28) --
-- (eth0 A.B.170.10/26) Host #End#
* In my understanding, this should not pass through Rtr1 as
SquidBox eth0 is in the same subnet as Host.


All HTTP traffic should pass through SquidBox, and in fact through Squid 
itself. The TCP layer ports and packet serial numbers do not match what 
the client is aware of, so any traffic accidentally reaching it without 
going through Squid will be dropped.


Put this off to later though. Right now the packets are not even getting 
into Squid.




Both Rtr1 & Rtr2 are Linux-based routers called Mikrotik, installed on
x86 hardware.
Rtr1 has the following rules:
/ip firewall mangle add action=mark-routing chain=prerouting
disabled=no dst-port=80 new-routing-mark=_to_squid_ passthrough=yes
protocol=tcp src-address=A.B.170.10
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0
gateway=A.B.170.24 routing-mark=_to_squid_ scope=30 target-scope=10

Rtr2 has the following rules:
/ip firewall mangle add action=mark-routing chain=prerouting
disabled=no dst-address=A.B.170.10 new-routing-mark=_to_squid_
passthrough=yes protocol=tcp src-port=80
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0
gateway=A.B.169.21 routing-mark=_to_squid_ scope=30 target-scope=10

The policy routing rules are the same on Rtr1 when we use the REDIRECT
rule in iptables -t nat for http_port 3127 intercept, and in that
instance SquidBox works like a charm. All the HTTP request are now
showing up in cache.log because of debug_options 11,2 as Amos
suggested.


Great. Thank you for these details. I am creating a Microtik wiki page 
based on them.




However, whenever we remove the nat rules and introduce the mangle
rules + ip rule + ip route in table 100 for http_port 3129 tproxy,
Rtr1 shows that the packets are marked and forwarded to SquidBox.
Even SquidBox properly logs the packets in /var/log/messages due to
the mangle table rule, but Squid process on SquidBox does not seem to
be receiving the packets.  No HTTP request entry showing up in
cache.log.

IPTables -L for mangle shows the following:
[root@proxy01 ~]# iptables -vxnL --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT 235 packets, 29632 bytes)
num   pkts   bytes target prot opt in  out source     destination
1        0       0 ACCEPT all  --  *   *   0.0.0.0/0  A.B.169.21
2     6174  821596 ACCEPT all  --  *   *   0.0.0.0/0  A.B.170.24
3     1005   51367 ACCEPT all  --  *   *   0.0.0.0/0  A.B.174.0/24
4        0       0 ACCEPT all  --  *   *   0.0.0.0/0  M.N.0.66
5       49    3420 DIVERT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   socket
6       52    3840 LOG    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:80 LOG flags 0 level 4 prefix `TProxy: '
7       52    3840 TPROXY tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

The IP rule & route lists, and rt_tables & rp_filter show:

[root@proxy01 ~]# ip route list table squidtproxy
local default dev lo  

Re: [squid-users] TProxy Setup

2014-07-04 Thread Nyamul Hassan
 That is the problem then. Something is blocking the traffic arriving at Squid 
 listening port. selinux, rp_filter or ip_forward sysctl settings I usually 
 find are the problem for this, although there have been a few cases where 
 nobody could figure out why this was happening.


We might be approaching that magical situation where we do not know
what is happening!

rp_filter is set to 0 for all as follows:

[root@proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter
/proc/sys/net/ipv4/conf/all/rp_filter
/proc/sys/net/ipv4/conf/default/rp_filter
/proc/sys/net/ipv4/conf/lo/rp_filter
/proc/sys/net/ipv4/conf/eth0/rp_filter
/proc/sys/net/ipv4/conf/eth1/rp_filter
[root@proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +
0
0
0
0
0

IP Rule & Route list is as follows:

[root@proxy01 ~]# ip rule list
0:  from all lookup local
32765:  from all fwmark 0x1 lookup squidtproxy
32766:  from all lookup main
32767:  from all lookup default
[root@proxy01 ~]# ip route list table squidtproxy
local default dev eth0  scope host


 see the /!\ notes under in the wiki page under the section about setting up 
 the route table.

 The interface(s) to attach the table to is the one receiving the packets. 
 From your description I suspect you will have two interfaces - one for each 
 of Rtr1 and Rtr2.

 For debugging try setting it for each interfaces receiving traffic and see if 
 TPROXY starts working.


While playing with the linux iptables / ip commands, I have come
across an interesting situation.

I modified the mangle rule to mark as 111, and updated the ip rule to show:
32765:  from all fwmark 0x6f lookup squidtproxy

All other settings are unchanged.

No other changes were made.  Under this situation, my test client was
getting web pages loaded!  But, Squid was still not getting any
requests!  Seemed like regular routing of traffic! I have checked both
routers, and confirmed that, traffic was passing through SquidBox, but
Squid process was not seeing it.  :-/



 Great. Thank you for these details. I am creating a Microtik wiki page based 
 on them.


If there is anything that I can help you with regarding the Mikrotik
(that's k for both characters) wiki page, I would be most obliged.

Regards
HASSAN
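
The checks this thread keeps circling back to (rp_filter, the fwmark in "ip rule" matching the mark the TPROXY target sets, a local route in the marked table, the socket/DIVERT rule ahead of TPROXY, and, after the libcap finding further up the page, whether the worker still holds CAP_NET_ADMIN) can be run as a script over the same command output the thread asks for. The script below is an added example written for this page, not code from the thread or from the Squid project. Its sample outputs are constructed to resemble the ones posted (including a fwmark 0x6f rule paired with a TPROXY target that still sets mark 0x1, the situation just described); the requirement that the worker's CapEff include CAP_NET_ADMIN (bit 12) is an assumption based on Squid needing libcap to retain that capability after it drops root, and the script deliberately does not decide between "dev lo" and "dev eth0" for the local route, only that some local route exists in the table.

```python
# TPROXY pre-flight checker for a Squid host.  Added example for this page,
# not code from the thread or from Squid; it parses the command output the
# thread asks for and flags the misconfigurations discussed above.
import re

CAP_NET_ADMIN = 12  # CapEff bit index, from linux/capability.h


def _num(s):
    """Parse a number the way ip/iptables print it: decimal or 0x hex."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def parse_ip_rule(text):
    """Map each 'fwmark N[/mask] lookup T' policy rule to {N: T}."""
    rules = {}
    for line in text.splitlines():
        m = re.search(r"fwmark (\S+?)(?:/\S+)? lookup (\S+)", line)
        if m:
            rules[_num(m.group(1))] = m.group(2)
    return rules


def route_kinds(text):
    """Route types ('local' or 'unicast') in `ip route list table <T>` output."""
    return ["local" if l.startswith("local ") else "unicast"
            for l in text.splitlines() if " dev " in l]


def parse_mangle(text):
    """Ordered [(target, matches)] rows of `iptables -t mangle -vxnL --line-numbers`."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        # columns: num pkts bytes target prot opt in out source destination [matches]
        if len(p) >= 10 and p[0].isdigit() and p[1].isdigit():
            rows.append((p[3], " ".join(p[10:])))
    return rows


def tproxy_targets(rows):
    """(port, mark, mask) for every TPROXY target among parsed mangle rows."""
    out = []
    for _, matches in rows:
        m = re.search(r"TPROXY redirect \S+:(\d+) mark (\S+)/(\S+)", matches)
        if m:
            out.append((int(m.group(1)), _num(m.group(2)), _num(m.group(3))))
    return out


def parse_rp_filter(text):
    """Parse 'net.ipv4.conf.X.rp_filter = N' lines as printed by sysctl."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "rp_filter" in l and "=" in l)
    return {k.strip(): int(v) for k, v in pairs}


def cap_eff_has(status_text, bit):
    """True if the CapEff line of /proc/<pid>/status has the given bit set."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return bool(m) and bool((int(m.group(1), 16) >> bit) & 1)


def check_tproxy(ip_rule, route_tables, mangle, rp_filter, worker_status):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, val in parse_rp_filter(rp_filter).items():
        if val != 0:
            findings.append(f"{key}={val}: rp_filter must be 0 on interfaces carrying TPROXY traffic")
    rules, rows = parse_ip_rule(ip_rule), parse_mangle(mangle)
    for port, mark, mask in tproxy_targets(rows):
        table = rules.get(mark & mask)
        if table is None:
            findings.append(f"TPROXY on port {port} sets mark {mark:#x}/{mask:#x} "
                            "but no 'ip rule' fwmark selects a table for it")
        elif "local" not in route_kinds(route_tables.get(table, "")):
            findings.append(f"table {table} has no 'local' route, so marked packets "
                            "are forwarded instead of delivered to Squid")
    socket_idx = next((i for i, (_, m) in enumerate(rows) if "socket" in m.split()), None)
    tproxy_idx = next((i for i, (t, _) in enumerate(rows) if t == "TPROXY"), None)
    if socket_idx is None:
        findings.append("no '-m socket' (DIVERT) rule: packets of established "
                        "TPROXY connections would be re-processed by TPROXY")
    elif tproxy_idx is not None and socket_idx > tproxy_idx:
        findings.append("'-m socket' rule sits after TPROXY; it must come first")
    if not cap_eff_has(worker_status, CAP_NET_ADMIN):
        # Assumption: Squid needs libcap to keep CAP_NET_ADMIN after dropping root.
        findings.append("squid worker lacks CAP_NET_ADMIN (needed for IP_TRANSPARENT spoofing)")
    return findings


# Constructed samples, modelled on (not copied from) the outputs in the thread.
SAMPLE_IP_RULE_BAD = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x6f lookup squidtproxy\n"
SAMPLE_IP_RULE_GOOD = SAMPLE_IP_RULE_BAD.replace("0x6f", "0x1")
SAMPLE_ROUTE_TABLES = {"squidtproxy": "local default dev lo scope host\n"}
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT 235 packets, 29632 bytes)
num   pkts  bytes target prot opt in  out source    destination
1       49   3420 DIVERT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   socket
2       52   3840 TPROXY tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""
SAMPLE_RP_BAD = "net.ipv4.conf.all.rp_filter = 0\nnet.ipv4.conf.eth0.rp_filter = 1\n"
SAMPLE_RP_GOOD = SAMPLE_RP_BAD.replace("= 1", "= 0")
SAMPLE_STATUS_NOCAP = "Name:\tsquid\nCapEff:\t0000000000000000\n"
SAMPLE_STATUS_OK = "Name:\tsquid\nCapEff:\t0000000000001000\n"  # bit 12 = CAP_NET_ADMIN


def run_samples():
    """Check the broken and the clean sample host; returns (bad_findings, good_findings)."""
    bad = check_tproxy(SAMPLE_IP_RULE_BAD, SAMPLE_ROUTE_TABLES, SAMPLE_MANGLE,
                       SAMPLE_RP_BAD, SAMPLE_STATUS_NOCAP)
    good = check_tproxy(SAMPLE_IP_RULE_GOOD, SAMPLE_ROUTE_TABLES, SAMPLE_MANGLE,
                        SAMPLE_RP_GOOD, SAMPLE_STATUS_OK)
    return bad, good
```

To use it on a real host, feed check_tproxy the text of "ip rule", "ip route list table <name>" per table, "iptables -t mangle -vxnL --line-numbers", "sysctl -a | grep rp_filter" and /proc/<pid>/status of a running squid worker. On the broken sample it reports three findings: rp_filter on eth0, the 0x6f/0x1 mark mismatch (marked packets fall through to the main table and are routed normally, which is exactly the "pages load but Squid sees nothing" symptom), and the missing capability; the clean sample reports none.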


Re: [squid-users] TProxy Setup

2014-07-04 Thread Nyamul Hassan
Dear Amos,

We just found a small software:
https://github.com/kristrev/tproxy-example

As the author put it:
The example transparent proxy application accepts TCP connections on
the specified port (set to 9876 in tproxy_test.h) and attempts a TCP
connection to the original host. If it is successful, the application
starts forwarding data between the two connections (using splice()).

So, we compiled it and ran it, on port 9876.  Then changed the
iptables mangle rules WITH ONLY the port 9876, all others remaining as
they were.

Everything is working perfectly!  So, is it safe to assume that
iptables & kernel are working perfectly?  That there is a problem in
Squid?

Regards
HASSAN





Re: [squid-users] TProxy Setup

2014-07-04 Thread Eliezer Croitoru

Hey,

I am not sure if you understand your question which is:
I have a software that works on many many many many systems around the 
world, Why is it not working for me? because of the setup or because of 
the software?


I would not say that computers are saints or that software are perfect 
but since I can use the proxy for so many systems and it works fine..

I raise the question: What is going on on your system setup?
If you will understand that something is wrong but not from squid side 
you will be open to understand that something is wrongly configured.
I tried to understand your network diagram but I cannot read it
well (sorry my bad).

If you can describe the setup in words I will try again to understand it.
I will try to build a setup with a mikrotik device to try and help you
and others that don't happen to make it work.


Eliezer

On 07/05/2014 12:02 AM, Nyamul Hassan wrote:

Dear Amos,

We just found a small software:
https://github.com/kristrev/tproxy-example

As the author put it:
The example transparent proxy application accepts TCP connections on
the specified port (set to 9876 in tproxy_test.h) and attempts a TCP
connection to the original host. If it is successful, the application
starts forwarding data between the two connections (using splice()).

So, we compiled it and ran it, on port 9876.  Then changed the
iptables mangle rules WITH ONLY the port 9876, all others remaining as
they were.

Everything is working perfectly!  So, is it safe to assume that
iptables  kernel is working perfectly?  That there is a problem in
Squid?

Regards
HASSAN



On Sat, Jul 5, 2014 at 1:26 AM, Nyamul Hassannya...@gmail.com  wrote:

That is the problem then. Something is blocking the traffic arriving at Squid 
listening port. selinux, rp_filter or ip_forward sysctl settings I usually find are 
the problem for this, although there have been a few cases where nobody could figure 
out why this was happening.



We might be approaching that magical situation where we do not know
what is happening!

rp_filter is set to 0 for all as follows:

[root@proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter
/proc/sys/net/ipv4/conf/all/rp_filter
/proc/sys/net/ipv4/conf/default/rp_filter
/proc/sys/net/ipv4/conf/lo/rp_filter
/proc/sys/net/ipv4/conf/eth0/rp_filter
/proc/sys/net/ipv4/conf/eth1/rp_filter
[root@proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +
0
0
0
0
0

IP Rule & Route list is as follows:

[root@proxy01 ~]# ip rule list
0:  from all lookup local
32765:  from all fwmark 0x1 lookup squidtproxy
32766:  from all lookup main
32767:  from all lookup default
[root@proxy01 ~]# ip route list table squidtproxy
local default dev eth0  scope host



> see the /!\ notes under in the wiki page under the section about setting up
> the route table.
>
> The interface(s) to attach the table to is the one receiving the packets.
> From your description I suspect you will have two interfaces - one for each of Rtr1
> and Rtr2.
>
> For debugging try setting it for each interfaces receiving traffic and see if
> TPROXY starts working.



While playing with the linux iptables / ip commands, I have come
across an interesting situation.

I modified the mangle rule to mark as 111, and updated the ip rule to show:
32765:  from all fwmark 0x6f lookup squidtproxy

All other settings are unchanged.

No other changes were made.  Under this situation, my test client was
getting web pages loaded!  But, Squid was still not getting any
requests!  Seemed like regular routing of traffic! I have checked both
routers, and confirmed that traffic was passing through SquidBox, but
the Squid process was not seeing it.  :-/




> Great. Thank you for these details. I am creating a Microtik wiki page based
> on them.



If there is anything that I can help you with regarding the Mikrotik
(that's k for both characters) wiki page, I would be most obliged.

Regards
HASSAN




Re: [squid-users] TProxy Setup

2014-07-03 Thread Nyamul Hassan
Thank you Amos & Eliezer for your responses!

Amos, we have enabled debug_options 11,2, but that did not show any
HTTP request being received by Squid, not even after doing the changes
that Eliezer suggested.  But they did show up, when we reverted back
to http_port 3127 intercept related configuration.  More details
below.

Eliezer, we tried with the ip route add local default dev lo table
100, but still same problem.  I think the wiki page
http://wiki.squid-cache.org/Features/Tproxy4 needs to be updated as it
clearly says dev eth0 and not dev lo.

Our setup would need a bit of explanation.  Please bear with me while I
describe it below:

For Traffic From Host:
#Start# Host (eth0 A.B.170.10/26) --
-- (eth2 A.B.170.1/26) Rtr1 (eth2 A.B.170.1/26) --
-- (eth0 A.B.170.24/26) SquidBox (eth1 A.B.169.21/28) --
-- (eth2 A.B.169.17/28) Rtr2 (eth1 BGP peered uplink) --
--  Internet #End#

For Traffic From Internet:
#Start# Internet --
-- (eth1 BGP peered uplink) Rtr2 (eth2 A.B.169.17/28) --
-- (eth1 A.B.169.21/28) SquidBox (eth0 A.B.170.24/28) --
-- (eth0 A.B.170.10/26) Host #End#
* In my understanding, this should not pass through Rtr1 as
SquidBox eth0 is in the same subnet as Host.

Both Rtr1 & Rtr2 are Linux based routers called Mikrotik, installed on
x86 hardware.
Rtr1 has the following rules:
/ip firewall mangle add action=mark-routing chain=prerouting
disabled=no dst-port=80 new-routing-mark=_to_squid_ passthrough=yes
protocol=tcp src-address=A.B.170.10
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0
gateway=A.B.170.24 routing-mark=_to_squid_ scope=30 target-scope=10

Rtr2 has the following rules:
/ip firewall mangle add action=mark-routing chain=prerouting
disabled=no dst-address=A.B.170.10 new-routing-mark=_to_squid_
passthrough=yes protocol=tcp src-port=80
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0
gateway=A.B.169.21 routing-mark=_to_squid_ scope=30 target-scope=10

The policy routing rules are the same on Rtr1 when we use the REDIRECT
rule in iptables -t nat for http_port 3127 intercept, and in that
instance SquidBox works like a charm.  All the HTTP requests are now
showing up in cache.log because of debug_options 11,2 as Amos
suggested.

However, whenever we remove the nat rules and introduce the mangle
rules + ip rule + ip route in table 100 for http_port 3129 tproxy,
Rtr1 shows that the packets are marked and forwarded to SquidBox.
Even SquidBox properly logs the packets in /var/log/messages due to
the mangle table rule, but Squid process on SquidBox does not seem to
be receiving the packets.  No HTTP request entry showing up in
cache.log.

IPTables -L for mangle shows the following:
[root@proxy01 ~]# iptables -vxnL --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT 235 packets, 29632 bytes)
num  pkts  bytes target prot opt in out source      destination
1   00 ACCEPT all  --  *  *   0.0.0.0/0   A.B.169.21
26174   821596 ACCEPT all  --  *  *   0.0.0.0/0   A.B.170.24
3100551367 ACCEPT all  --  *  *   0.0.0.0/0   A.B.174.0/24
4   00 ACCEPT all  --  *  *   0.0.0.0/0   M.N.0.66
5  49 3420 DIVERT tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   socket
6  52 3840 LOG    tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   tcp dpt:80 LOG flags 0 level 4 prefix `TProxy: '
7  52 3840 TPROXY tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

The IP rule & route lists, and rt_tables & rp_filter show:

[root@proxy01 ~]# ip route list table squidtproxy
local default dev lo  scope host

[root@proxy01 ~]# ip rule list
0:  from all lookup local
32765:  from all fwmark 0x1 lookup squidtproxy
32766:  from all lookup main
32767:  from all lookup default

[root@proxy01 ~]# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
100 squidtproxy

[root@proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter
/proc/sys/net/ipv4/conf/all/rp_filter
/proc/sys/net/ipv4/conf/default/rp_filter
/proc/sys/net/ipv4/conf/lo/rp_filter
/proc/sys/net/ipv4/conf/eth0/rp_filter
/proc/sys/net/ipv4/conf/eth1/rp_filter
/proc/sys/net/ipv4/conf/gre0/rp_filter
/proc/sys/net/ipv4/conf/gretap0/rp_filter

[root@proxy01 ~]# find /proc/sys/net/ipv4/ -iname rp_filter -exec cat {} +
0
0
0
0
0
0
0

Amos, we also looked into the routing loop that you mentioned.
Since there are two routers involved, Rtr1 & Rtr2, with Squid
connected to both of them, we used the rules above, so Rtr1 only
policy-routes Host -> Squid and Rtr2 policy-routes Internet -> Squid.
This should be correct, no?  At the very least, Squid should be
receiving the packets, and the HTTP request headers should show up in
cache.log, shouldn't they?

We apologize for the rather long email.  Hopefully, 

[squid-users] TProxy Setup

2014-07-02 Thread Nyamul Hassan
Hi,

We are trying to run Squid 3.4.6 with TProxy.  Earlier we used to run
Squid 2.7.Stable9 in transparent mode with a DNAT rule on the router
box to redirect traffic.  This being our first jibe at Squid3, we have
successfully configured intercept mode with the router doing a
policy-based routing (instead of DNAT).  All works quite well!

However, when we try to do a TProxy configuration, Squid does not seem
to be seeing the traffic at all.  Since Squid3 is working in
intercept we assume that is not the problem.  IPTables is configured
as follows:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "TProxy: "
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT

The Log option shows similar lines as follows (our IP omitted below):
Jul  3 05:15:24 proxy01 kernel: TProxy: IN=eth0 OUT=
MAC=00:22:4d:a7:9a:8c:00:15:17:c8:a0:39:08:00 SRC=test
DST=195.93.85.193 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=25176 DF
PROTO=TCP SPT=3264 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

We also tried both with and without the IP commands:

ip rule add fwmark 1 lookup 100
ip route add local default dev eth0 table 100

We have searched through Google, mailing lists, Squid Docs, but it seems
like we are still missing something.  One thing though, a lot
of the TProxy examples accompany WCCP or Bridge.  Are either of them
mandatory in a TProxy setup?  If not, could someone help us find where we are
doing things wrong?

Thanks in advance for your guidance.

Regards
HASSAN


Re: [squid-users] TProxy Setup

2014-07-02 Thread Amos Jeffries

On 2014-07-03 12:01, Nyamul Hassan wrote:

Hi,

We are trying to run Squid 3.4.6 with TProxy.  Earlier we used to run
Squid 2.7.Stable9 in transparent mode with a DNAT rule on the router
box to redirect traffic.  This being our first jibe at Squid3, we have
successfully configured intercept mode with the router doing a
policy-based routing (instead of DNAT).  All works quite well!

However, when we try to do a TProxy configuration, Squid does not seem
to be seeing the traffic at all.  Since Squid3 is working in
intercept we assume that is not the problem.  IPTables is configured
as follows:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "TProxy: "
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT

The Log option shows similar lines as follows (our IP omitted below):
Jul  3 05:15:24 proxy01 kernel: TProxy: IN=eth0 OUT=
MAC=00:22:4d:a7:9a:8c:00:15:17:c8:a0:39:08:00 SRC=test
DST=195.93.85.193 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=25176 DF
PROTO=TCP SPT=3264 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

We also tried both with and without the IP commands:

ip rule add fwmark 1 lookup 100
ip route add local default dev eth0 table 100

We have searched through Google, mailing lists, Squid Docs, but it seems
like we are still missing something.  One thing though, a lot
of the TProxy examples accompany WCCP or Bridge.  Are either of them
mandatory in a TProxy setup?  If not, could someone help us find where we are
doing things wrong?


WCCP and Bridge are optional.

Since your policy routing is working and the syslog shows iptables 
working it seems like the traffic should at least be arriving at Squid.


I suggest these steps for troubleshooting:

1) Double-check the Troubleshooting section entries on the TPROXY wiki 
page to see if you have missed anything simple (like #3 below).


2) run Squid with debug level 11,2 to see what IP:port are being used on 
traffic arriving and leaving Squid. This can help confirm the TCP 
connections in syslog are correct, and tells you what to look for in #3 
below.


3) check the routing rules on traffic once it leaves Squid (using the 
serve connection details found in #2). The router often needs additional 
policy routing rules for TPROXY to ensure it does not create a loop.


Amos


Re: [squid-users] TProxy Setup

2014-07-02 Thread Eliezer Croitoru

Hey There,

You seem to have used the wrong rules in ip route and maybe something else.
I need more of the picture to understand what and how you implemented it.
What I need is the IP and wiring topology.
WCCP is not good for you (maybe) but the examples are perfect from any
aspect.

Take a peek at:
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2

You can take the relevant rules from the article to correct yours.
Basically what you need is:
#!/usr/bin/bash

echo Loading modules..
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre

LOCALIP=10.80.2.2

echo changing routing and reverse path stuff..
# reverse-path filtering would drop packets whose source is not routable
# back through the ingress interface, so switch it off on every interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
  echo 0 > $i
done
echo 1 > /proc/sys/net/ipv4/ip_forward

echo creating routing table for tproxy...
# packets marked 1 by the DIVERT chain are looked up in table 100, where
# everything is a local route on lo so they are delivered to the proxy
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

echo creating iptables tproxy rules...
iptables -A INPUT  -i lo -j ACCEPT
iptables -A INPUT  -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT

iptables -t mangle -F
iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# packets belonging to an existing local socket are marked and accepted;
# new port-80 connections are handed to TPROXY on port 3129
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

##END OF FILE

The route towards the lo is important to enable the tproxy action.
In your settings I have seen that you have used something else which 
will probably cause some strange issues.


All The Bests,
Eliezer
On 07/03/2014 03:01 AM, Nyamul Hassan wrote:

Hi,

We are trying to run Squid 3.4.6 with TProxy.  Earlier we used to run
Squid 2.7.Stable9 in transparent mode with a DNAT rule on the router
box to redirect traffic.  This being our first jibe at Squid3, we have
successfully configured intercept mode with the router doing a
policy-based routing (instead of DNAT).  All works quite well!

However, when we try to do a TProxy configuration, Squid does not seem
to be seeing the traffic at all.  Since Squid3 is working in
intercept we assume that is not the problem.  IPTables is configured
as follows:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "TProxy: "
-A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT

The Log option shows similar lines as follows (our IP omitted below):
Jul  3 05:15:24 proxy01 kernel: TProxy: IN=eth0 OUT=
MAC=00:22:4d:a7:9a:8c:00:15:17:c8:a0:39:08:00 SRC=test
DST=195.93.85.193 LEN=52 TOS=0x00 PREC=0x00 TTL=1 ID=25176 DF
PROTO=TCP SPT=3264 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

We also tried both with and without the IP commands:

ip rule add fwmark 1 lookup 100
ip route add local default dev eth0 table 100

We have searched through Google, mailing lists, Squid Docs, but it seems
like we are still missing something.  One thing though, a lot
of the TProxy examples accompany WCCP or Bridge.  Are either of them
mandatory in a TProxy setup?  If not, could someone help us find where we are
doing things wrong?

Thanks in advance for your guidance.

Regards
HASSAN
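An added example of my own, not Eliezer's script above and not code from the Squid project: the three conditions this thread keeps returning to (rp_filter off on every interface, an ip rule that sends the DIVERT mark to a policy table, and a local route on lo in that table) written as shell functions that check captured command output rather than the live box, so they can be run anywhere. The function names are mine; the rp_filter reader assumes the values were listed with grep -H (one path:value per line) rather than the -exec cat form used earlier in the thread, and the sample outputs are constructed to mirror the dev eth0 and dev lo states that Hassan posted.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): offline checks
# for the TPROXY prerequisites. Each function takes already-captured
# command output as a string; the samples at the bottom are constructed.

# check_rp_filter OUTPUT
# OUTPUT is assumed to come from
#   find /proc/sys/net/ipv4/ -iname rp_filter -exec grep -H . {} +
# i.e. one "path:value" per line. Prints "ok" when every value is 0,
# otherwise the paths that still have reverse-path filtering enabled.
check_rp_filter() {
    bad=$(printf '%s\n' "$1" | awk -F: '$2 != 0 { print $1 }')
    if [ -z "$bad" ]; then
        echo ok
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

# check_ip_rule OUTPUT MARK TABLE
# OUTPUT is "ip rule list"; MARK is the fwmark as ip prints it (0x1 for
# "--set-mark 1"); TABLE is the name or number given to "lookup".
check_ip_rule() {
    if printf '%s\n' "$1" | grep -qw "fwmark $2 lookup $3"; then
        echo ok
        return 0
    fi
    echo "missing: ip rule add fwmark $2 lookup $3"
    return 1
}

# check_local_route OUTPUT
# OUTPUT is "ip route list table TABLE" (ip prints 0.0.0.0/0 as "default").
# The entry TPROXY needs is "local default dev lo"; a local route on any
# other device, like the dev eth0 variant, is reported as the wrong device.
check_local_route() {
    line=$(printf '%s\n' "$1" | grep '^local ' | head -n 1)
    case "$line" in
        "")
            echo "missing: ip route add local 0.0.0.0/0 dev lo table <TABLE>"
            return 1 ;;
        *" dev lo "*|*" dev lo")
            echo ok
            return 0 ;;
        *)
            echo "wrong device in '$line': the local route must be on lo"
            return 1 ;;
    esac
}

# tproxy_precheck RP_OUTPUT RULE_OUTPUT ROUTE_OUTPUT MARK TABLE
# Runs all three checks; the return value is the number that failed.
tproxy_precheck() {
    fails=0
    check_rp_filter "$1" || fails=$((fails + 1))
    check_ip_rule "$2" "$4" "$5" || fails=$((fails + 1))
    check_local_route "$3" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample output, not captured from any real host.
RP_ALL_ZERO='/proc/sys/net/ipv4/conf/all/rp_filter:0
/proc/sys/net/ipv4/conf/default/rp_filter:0
/proc/sys/net/ipv4/conf/lo/rp_filter:0
/proc/sys/net/ipv4/conf/eth0/rp_filter:0
/proc/sys/net/ipv4/conf/eth1/rp_filter:0'
RP_ETH0_ON='/proc/sys/net/ipv4/conf/all/rp_filter:0
/proc/sys/net/ipv4/conf/eth0/rp_filter:1'
RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup squidtproxy
32766:  from all lookup main
32767:  from all lookup default'
ROUTE_LO='local default dev lo  scope host'
ROUTE_ETH0='local default dev eth0  scope host'

# Demo: the first run mirrors the corrected state, the second the broken one.
echo "--- lo route, rp_filter off:"
tproxy_precheck "$RP_ALL_ZERO" "$RULES" "$ROUTE_LO" 0x1 squidtproxy || echo "$? check(s) failed"
echo "--- eth0 route, rp_filter on eth0:"
tproxy_precheck "$RP_ETH0_ON" "$RULES" "$ROUTE_ETH0" 0x1 squidtproxy || echo "$? check(s) failed"
```

Passing all three is necessary, not sufficient: Hassan's later output shows rp_filter at 0 and "local default dev lo" in table squidtproxy while Squid still saw no requests, so once these pass the next step is Amos's debug_options 11,2 check and the return-path policy routing on the routers.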





[squid-users] TPROXY surf as client

2014-06-21 Thread Omid Kosari
We have full TPROXY in our network. Is there a way to surf an address with
the clients' IP addresses?
Let's say we have 1000 IP addresses. I want Squid to open google.com with
those 1000 IPs.
Something like fake traffic from different users.
I know I may use squidclient or a script on the Squid box but they use Squid's
own IP and not all the client IPs. Also please suggest a way not to do this for
currently online users.
Thanks.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-surf-as-client-tp4666439.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] TPROXY surf as client

2014-06-21 Thread Amos Jeffries
On 21/06/2014 7:46 p.m., Omid Kosari wrote:
> We have full TPROXY in our network . Is there a way to surf an address with
> clients IP addresses ?

Send HTTP requests from the client machine, or re-allocate the IP
address to a test machine and request from there.

> Lets think we have 1000 ip addresses . I want Squid opens google.com with
> those 1000 IPs .
> Something like fake traffic from different users .

User and IP address are not the same thing. TPROXY only deals with IP
addresses, not users.

Amos



Re: [squid-users] Tproxy mode on Debian 7 Table does not exist

2014-02-27 Thread David Touzeau

Thanks Eliezer,


But does using -t mangle allow me to use tproxy in Squid http_port?



-Original Message-
From: Eliezer Croitoru

Sent: Wednesday, February 26, 2014 3:18 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Tproxy mode on Debian 7 Table does not exist

You should use -t mangle instead of tproxy

Good luck,
Eliezer

On 26/02/2014 13:57, David Touzeau wrote:


uname -a reports #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux

iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 80
iptables v1.4.14: can't initialize iptables table `tproxy': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Did I miss something?


Best regards




Re: [squid-users] Tproxy mode on Debian 7 Table does not exist

2014-02-27 Thread Amos Jeffries
On 27/02/2014 11:17 p.m., David Touzeau wrote:
> Thanks Eliezer,
>
>
> But does using -t mangle allow me to use tproxy in Squid http_port?

-t mangle is the [ip/ip6/nf/x]tables table where TPROXY operations are
configured.

-t tproxy does not exist, as mentioned by iptables error message.

Squid http_port is a different piece entirely. There are other pieces as
well like the routing rules, libcap2 permissions and spoofing flags.
Together the separate pieces make the transparent proxy feature work.

Amos

 
 
 
> -Original Message- From: Eliezer Croitoru
> Sent: Wednesday, February 26, 2014 3:18 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Tproxy mode on Debian 7 Table does not exist
>
> You should use -t mangle instead of tproxy
>
> Good luck,
> Eliezer
>
> On 26/02/2014 13:57, David Touzeau wrote:
>
> uname -a reports #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
>
> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
> TPROXY --on-port 80
> iptables v1.4.14: can't initialize iptables table `tproxy': Table does
> not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Did I miss something?
>
>
> Best regards
>



[squid-users] Tproxy mode on Debian 7 Table does not exist

2014-02-26 Thread David Touzeau

Hi all

I'm trying to implement the Tproxy mode on Debian 7 without success.
Has anybody successfully implemented it on Debian 7?

I have setup this :
modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre gre

lsmod |grep proxy
nf_tproxy_core 12404  1 xt_TPROXY

uname -a reports #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux

iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j 
TPROXY --on-port 80
iptables v1.4.14: can't initialize iptables table `tproxy': Table does not 
exist (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

Did I miss something?


Best regards 



Re: [squid-users] Tproxy mode on Debian 7 Table does not exist

2014-02-26 Thread Eliezer Croitoru

You should use -t mangle instead of tproxy

Good luck,
Eliezer

On 26/02/2014 13:57, David Touzeau wrote:


uname -a reports #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux

iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 80
iptables v1.4.14: can't initialize iptables table `tproxy': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Did I miss something?


Best regards



