Re: [squid-users] Unable to make Squid work as a transparent proxy (Squid 3.1.7, Linux Debian, WCCP2)

2010-11-08 Thread Leonardo
Hi Amos,

On Sun, Nov 7, 2010 at 5:12 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> http_port 3128 intercept

I have changed the config from http_port 3128 transparent to
http_port 3128 intercept, but I see no change in the behaviour.

> You will also need a separate port for the normal browser-configured and
> management requests. 3.1 will reject these if sent to a NAT interception
> port.

I don't get this.  Could you please be so kind as to explain, or to point
me to a page in the documentation?

> Also check the squid access.log. This will determine whether it is the ASA
> side or the Internet side of Squid which then needs to be tcpdumped for port
> 80 to find out what's going on.

The file access.log is empty.

Thanks a lot for your help,

L.


Re: [squid-users] Unable to make Squid work as a transparent proxy (Squid 3.1.7, Linux Debian, WCCP2)

2010-11-08 Thread Amos Jeffries

On 09/11/10 00:11, Leonardo wrote:

> Hi Amos,
>
> On Sun, Nov 7, 2010 at 5:12 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>> http_port 3128 intercept
>
> I have changed the config from http_port 3128 transparent to
> http_port 3128 intercept, but I see no change in the behaviour.
>
>> You will also need a separate port for the normal browser-configured and
>> management requests. 3.1 will reject these if sent to a NAT interception
>> port.
>
> I don't get this.  Could you please be so kind as to explain, or to point
> me to a page in the documentation?


Ah, sorry I was mixing up my modes and versions. The statement was wrong
about the rejections. It's just a LAN-wide exploitable security hole.





>> Also check the squid access.log. This will determine whether it is the ASA
>> side or the Internet side of Squid which then needs to be tcpdumped for port
>> 80 to find out what's going on.
>
> The file access.log is empty.


So the ASA side. Now you know where to look for the mysterious missing
packets.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3


Re: [squid-users] Unable to make Squid work as a transparent proxy (Squid 3.1.7, Linux Debian, WCCP2)

2010-11-06 Thread Amos Jeffries

On 06/11/10 04:50, Leonardo wrote:

> Hi all,
>
> I have compiled and installed Squid 3.1.7 on a Linux 2.6.26 (Debian
> 5.0.5), and successfully tested it as a non-transparent proxy (i.e.
> the proxy address:port is explicitly specified in the web browser).
>
> Now I need to use it to do transparent proxying.  For this, I'm
> following the example at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 .
> The clients will be on subnet 10.11.1.0/24.  $ROUTER_IP and $SQUID_IP
> are both on the subnet 10.8.0.0/16.
>
> Squid has been compiled as follows:
> configure options:  '--enable-linux-netfilter' '--enable-wccp'
> '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
> '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> 'CPPFLAGS=-I../libltdl' --with-squid=/root/squid-3.1.7
> --enable-ltdl-convenience
>
>
> === Squid configuration: ===
>
> File /etc/rc.local :
>
> modprobe ip_gre
> ip tunnel add wccp0 mode gre remote $ROUTER_IP local $SQUID_IP dev eth0
> ifconfig wccp0 $SQUID_IP netmask 255.255.255.255 up
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
>
> File /etc/squid/squid.conf : I am basically using the default config,
> adding only the commands for transparent proxying:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 10.0.0.0/8
> acl localnet src fc00::/7
> acl localnet src fe80::/10
>
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Transparent proxying
> http_port 3128 transparent


http_port 3128 intercept

You will also need a separate port for the normal browser-configured and 
management requests. 3.1 will reject these if sent to a NAT interception 
port.



> wccp2_router $ROUTER_IP
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
>
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on localhost is a local user
> http_access deny to_localhost
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/cache 5 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> === ===
>
>
> === Configuration of the router, a Cisco ASA 5520 firewall: ===
>
> access-list wccp_redirect extended deny ip host $SQUID_IP any
> access-list wccp_redirect extended permit tcp 10.11.1.0 255.255.255.0 any eq www
> wccp web-cache redirect-list wccp_redirect
> wccp interface inside web-cache redirect in
>
> === ===
>
>
> This does not work.  The browser gives an error "Unable to connect to
> remote server" after a timeout.
>
> Here is the output of tcpdump -vvnn -i eth0 port 2048 on the Squid machine:
> 15:05:01.279896 IP (tos 0x0, ttl 64, id 22913, offset 0, flags [none], proto UDP (17), length 172) $SQUID_IP.2048 > $ROUTER_IP.2048: UDP, length 144
> 15:05:01.280090 IP (tos 0x0, ttl 255, id 5011, offset 0, flags [none], proto UDP (17), length 168) $ROUTER_IP.2048 > $SQUID_IP.2048: UDP, length 140
> 15:05:11.279893 IP (tos 0x0, ttl 64, id 22914, offset 0, flags [none], proto UDP (17), length 172) $SQUID_IP.2048 > $ROUTER_IP.2048: UDP, length 144
> 15:05:11.280083 IP (tos 0x0, ttl 255, id 20123, offset 0, flags [none], proto UDP (17), length 168) $ROUTER_IP.2048 > $SQUID_IP.2048: UDP, length 140
>
> This is what I see on the Cisco ASA when I turn debugging on with
> debug ip wccp packets:
> WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP
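The set-up Amos is commenting on above, as an added example (not code from Squid, from the wiki page or from either poster): a small Python lint over the rc.local and squid.conf fragments Leonardo posted, checking the points raised in this thread, namely one http_port per mode (an intercept port for the NAT-redirected traffic and a separate plain port for browser-configured and cachemgr requests), the REDIRECT rule pointing at that intercept port and bound to the GRE tunnel interface, rp_filter off on the tunnel and on eth0, and ip_forward on. The embedded configuration is the thread's own text with the mailer-wrapped iptables line rejoined; the port numbers of the corrected variant (3128 plain, 3129 intercept) and all function and finding names are this example's own choices.

```python
import re

# The posted /etc/rc.local (constructed input: the thread's text, wrapped line rejoined).
RC_LOCAL = """\
modprobe ip_gre
ip tunnel add wccp0 mode gre remote $ROUTER_IP local $SQUID_IP dev eth0
ifconfig wccp0 $SQUID_IP netmask 255.255.255.255 up
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE
"""

# The interception-related lines of the posted squid.conf (ACL boilerplate omitted).
SQUID_CONF_AS_POSTED = """\
http_port 3128 intercept
wccp2_router $ROUTER_IP
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
http_access allow manager localhost
http_access deny manager
"""

# Variant with the separate plain port Amos asked for: browsers and cachemgr on 3128,
# NAT-redirected traffic on 3129 (port numbers are this example's choice).
SQUID_CONF_FIXED = SQUID_CONF_AS_POSTED.replace(
    "http_port 3128 intercept", "http_port 3128\nhttp_port 3129 intercept")
RC_LOCAL_FIXED = RC_LOCAL.replace("--to-port 3128", "--to-port 3129")


def parse_http_ports(squid_conf):
    """Return (intercept_ports, plain_ports); 'transparent' is the older spelling of 'intercept'."""
    intercept, plain = set(), set()
    for line in squid_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"http_port\s+(?:[\w.\[\]:]*:)?(\d+)(.*)$", line)
        if not m:
            continue
        port, opts = int(m.group(1)), set(m.group(2).split())
        (intercept if opts & {"intercept", "transparent"} else plain).add(port)
    return intercept, plain


def parse_rc_local(rc_local):
    """Extract the pieces of rc.local the interception path depends on."""
    info = {"redirect_to": None, "redirect_iface": None, "gre_tunnel": None,
            "rp_filter": {}, "ip_forward": None}
    for line in rc_local.splitlines():
        line = line.strip()
        m = re.match(r"iptables\s+-t\s+nat\s+-A\s+PREROUTING\s+(.*)-j\s+REDIRECT\s+--to-ports?\s+(\d+)", line)
        if m:
            info["redirect_to"] = int(m.group(2))
            iface = re.search(r"-i\s+(\S+)", m.group(1))
            info["redirect_iface"] = iface.group(1) if iface else None
        m = re.match(r"ip\s+tunnel\s+add\s+(\S+)\s+mode\s+gre\b", line)
        if m:
            info["gre_tunnel"] = m.group(1)
        m = re.match(r"echo\s+(\d)\s*>\s*/proc/sys/net/ipv4/conf/([^/]+)/rp_filter", line)
        if m:
            info["rp_filter"][m.group(2)] = int(m.group(1))
        m = re.match(r"echo\s+(\d)\s*>\s*/proc/sys/net/ipv4/ip_forward", line)
        if m:
            info["ip_forward"] = int(m.group(1))
    return info


def lint(rc_local, squid_conf):
    """Return the list of findings; an empty list means every check passed."""
    rc = parse_rc_local(rc_local)
    intercept, plain = parse_http_ports(squid_conf)
    findings = []
    if not intercept:
        findings.append("no http_port marked intercept for the NAT-redirected traffic")
    if not plain:
        findings.append("no separate plain http_port for browser-configured and cachemgr requests")
    if rc["redirect_to"] is None:
        findings.append("no REDIRECT rule in the nat PREROUTING chain")
    else:
        if rc["redirect_to"] not in intercept:
            findings.append("REDIRECT --to-port %d is not an intercept http_port" % rc["redirect_to"])
        if rc["redirect_iface"] is None or rc["redirect_iface"] != rc["gre_tunnel"]:
            findings.append("REDIRECT rule is not bound to the GRE tunnel interface")
    if re.search(r"^wccp2_forwarding_method\s+gre\b", squid_conf, re.M) and not rc["gre_tunnel"]:
        findings.append("wccp2_forwarding_method gre but no GRE tunnel interface is created")
    for iface in filter(None, (rc["gre_tunnel"], "eth0")):
        if rc["rp_filter"].get(iface) != 0:
            findings.append("rp_filter is not disabled on %s" % iface)
    if rc["ip_forward"] != 1:
        findings.append("ip_forward is not enabled")
    return findings


if __name__ == "__main__":
    for name, rc, conf in (("as posted", RC_LOCAL, SQUID_CONF_AS_POSTED),
                           ("with separate port", RC_LOCAL_FIXED, SQUID_CONF_FIXED)):
        print("%s: %s" % (name, lint(rc, conf) or ["ok"]))
```

Run against the posted files the only finding is the missing plain port; the corrected variant passes, which is the shape of config this thread converges on: the intercept port receives only what the REDIRECT rule sends it from the GRE tunnel, and everything else (browsers, cachemgr) talks to the plain port.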

[squid-users] Unable to make Squid work as a transparent proxy (Squid 3.1.7, Linux Debian, WCCP2)

2010-11-05 Thread Leonardo
Hi all,

I have compiled and installed Squid 3.1.7 on a Linux 2.6.26 (Debian
5.0.5), and successfully tested it as a non-transparent proxy (i.e.
the proxy address:port is explicitly specified in the web browser).

Now I need to use it to do transparent proxying.  For this, I'm
following the example at
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 .
The clients will be on subnet 10.11.1.0/24.  $ROUTER_IP and $SQUID_IP
are both on the subnet 10.8.0.0/16.

Squid has been compiled as follows:
configure options:  '--enable-linux-netfilter' '--enable-wccp'
'--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
'--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid'
'CPPFLAGS=-I../libltdl' --with-squid=/root/squid-3.1.7
--enable-ltdl-convenience


=== Squid configuration: ===

File /etc/rc.local :

modprobe ip_gre
ip tunnel add wccp0 mode gre remote $ROUTER_IP local $SQUID_IP dev eth0
ifconfig wccp0 $SQUID_IP netmask 255.255.255.255 up
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE


File /etc/squid/squid.conf : I am basically using the default config,
adding only the commands for transparent proxying:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Transparent proxying
http_port 3128 transparent
wccp2_router $ROUTER_IP
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
http_access deny to_localhost

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache 5 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

=== ===


=== Configuration of the router, a Cisco ASA 5520 firewall: ===

access-list wccp_redirect extended deny ip host $SQUID_IP any
access-list wccp_redirect extended permit tcp 10.11.1.0 255.255.255.0 any eq www
wccp web-cache redirect-list wccp_redirect
wccp interface inside web-cache redirect in

=== ===


This does not work.  The browser gives an error "Unable to connect to
remote server" after a timeout.

Here is the output of tcpdump -vvnn -i eth0 port 2048 on the Squid machine:
15:05:01.279896 IP (tos 0x0, ttl 64, id 22913, offset 0, flags [none], proto UDP (17), length 172) $SQUID_IP.2048 > $ROUTER_IP.2048: UDP, length 144
15:05:01.280090 IP (tos 0x0, ttl 255, id 5011, offset 0, flags [none], proto UDP (17), length 168) $ROUTER_IP.2048 > $SQUID_IP.2048: UDP, length 140
15:05:11.279893 IP (tos 0x0, ttl 64, id 22914, offset 0, flags [none], proto UDP (17), length 172) $SQUID_IP.2048 > $ROUTER_IP.2048: UDP, length 144
15:05:11.280083 IP (tos 0x0, ttl 255, id 20123, offset 0, flags [none], proto UDP (17), length 168) $ROUTER_IP.2048 > $SQUID_IP.2048: UDP, length 140

This is what I see on the Cisco ASA when I turn debugging on with
debug ip wccp packets:
WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 01ED
WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP w/ rcv_id 01EE
WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 01EE
WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP
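The triage Amos gives in his replies (empty access.log means the ASA side of Squid is where the packets go missing), applied to the tcpdump and ASA debug output in this post, as an added example that is not part of the original thread and is not Squid or Cisco code. It parses the port-2048 tcpdump lines and the "debug ip wccp packets" lines (embedded below as constructed input, the thread's own text with the $SQUID_IP/$ROUTER_IP placeholders kept), confirms the Here_I_Am/I_See_You registration is alive, and only then applies the access.log rule. The registration checks, the one-second reply window and the function names are this example's own.

```python
import re

# tcpdump -vvnn -i eth0 port 2048 on the Squid machine (constructed input from the thread).
TCPDUMP_PORT_2048 = """\
15:05:01.279896 IP (tos 0x0, ttl 64, id 22913, offset 0, flags [none], proto UDP (17), length 172) $SQUID_IP.2048 > $ROUTER_IP.2048: UDP, length 144
15:05:01.280090 IP (tos 0x0, ttl 255, id 5011, offset 0, flags [none], proto UDP (17), length 168) $ROUTER_IP.2048 > $SQUID_IP.2048: UDP, length 140
15:05:11.279893 IP (tos 0x0, ttl 64, id 22914, offset 0, flags [none], proto UDP (17), length 172) $SQUID_IP.2048 > $ROUTER_IP.2048: UDP, length 144
15:05:11.280083 IP (tos 0x0, ttl 255, id 20123, offset 0, flags [none], proto UDP (17), length 168) $ROUTER_IP.2048 > $SQUID_IP.2048: UDP, length 140
"""

# "debug ip wccp packets" on the ASA (constructed input from the thread).
ASA_WCCP_DEBUG = """\
WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 01ED
WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP w/ rcv_id 01EE
WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 01EE
WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP
"""

ACCESS_LOG = []  # "The file access.log is empty."

_PKT = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?\) (?P<src>\S+)\.2048 > (?P<dst>\S+)\.2048: UDP")


def _seconds(ts):
    """'15:05:01.279896' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(text):
    """Return (time, src, dst) for each UDP/2048 datagram in tcpdump -vvnn output."""
    out = []
    for line in text.splitlines():
        m = _PKT.match(line)
        if m:
            out.append((_seconds(m["ts"]), m["src"], m["dst"]))
    return out


def control_plane_status(records, squid="$SQUID_IP", router="$ROUTER_IP", reply_window=1.0):
    """Pair Squid's Here_I_Am datagrams (Squid -> router) with the router's replies.

    Squid announces itself every 10 s; a healthy registration shows one reply
    within the window for each announcement.
    """
    here = [t for t, s, d in records if s == squid and d == router]
    seen = [t for t, s, d in records if s == router and d == squid]
    unanswered = sum(1 for t in here if not any(0 <= r - t <= reply_window for r in seen))
    interval = round(here[1] - here[0], 3) if len(here) > 1 else None
    return {"here_i_am": len(here), "i_see_you": len(seen),
            "unanswered": unanswered, "interval_s": interval}


def parse_asa_debug(text):
    """Return [(packet_kind, rcv_id_or_None), ...] from 'debug ip wccp packets' lines."""
    events = []
    for line in text.splitlines():
        kind = re.search(r"(Here_I_Am|I_See_You) packet", line)
        if kind:
            rcv = re.search(r"rcv_id\s+([0-9A-Fa-f]+)", line)
            events.append((kind.group(1), rcv.group(1) if rcv else None))
    return events


def asa_rcv_id_chain_ok(events):
    """True when each Here_I_Am echoes the rcv_id the ASA put in its previous I_See_You."""
    expected = None
    for kind, rcv_id in events:
        if kind == "Here_I_Am" and expected is not None and rcv_id != expected:
            return False
        if kind == "I_See_You":
            expected = rcv_id
    return True


def where_to_look(tcpdump_text, asa_text, access_log):
    """Registration first; then Amos's rule: empty access.log points at the ASA side."""
    status = control_plane_status(parse_tcpdump(tcpdump_text))
    if status["here_i_am"] == 0 or status["unanswered"] or not asa_rcv_id_chain_ok(parse_asa_debug(asa_text)):
        return "wccp-registration"  # Squid and the ASA are not completing Here_I_Am/I_See_You
    if not access_log:
        return "asa-side"  # registered, yet no redirected request ever reached Squid
    return "internet-side"  # Squid logs the requests; look at the outbound path


if __name__ == "__main__":
    print(control_plane_status(parse_tcpdump(TCPDUMP_PORT_2048)))
    print("next place to look:", where_to_look(TCPDUMP_PORT_2048, ASA_WCCP_DEBUG, ACCESS_LOG))
```

For the output in this post the control plane is healthy (two announcements ten seconds apart, each answered within a millisecond, rcv_ids chained), so the registration is not the problem; with an empty access.log the function lands on "asa-side", i.e. the redirected GRE traffic between the ASA and the wccp0 tunnel, which is what Amos tells Leonardo to tcpdump next.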