Re: [squid-users] Squid TPROXY issues with Google sites

[Vieri]

From: Alex Rousskov 
>
> You need to figure out why. Two common reasons are SSL-level errors and
> http_access denials. Both should be reflected in access.log and
> debugging cache.log.


I finally found out it was an http_access deny on an ACL match with url_regex.

Thanks Alex.

Vieri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid TPROXY issues with Google sites

[Alex Rousskov]

On 05/28/2017 05:40 AM, Vieri wrote:

> Please keep in mind that I'm basically an end-user, a sys-admin. I
> wish I had the time to study Squid's source code.

Nobody (certainly not me) has suggested anything that requires studying
Squid source code. If you think that I have, you have misinterpreted
what I have said.


> The cache log reports errors but they are not necessarily related to
> this client as there are many others actively browsing.

I recommend triaging this using a Squid instance isolated from all other
traffic. You are making both your job and the job of those who are
trying to help you more difficult by trying to save a few minutes/hours
that are usually required to set up an isolated test.


> Anyway, as a workaround I'm willing to splice/tunnel traffic to
> accounts.google.com *ONLY*, and bump everything else (although I'd
> prefer to understand why bumping isn't "working" for this site).

> I've tried this:

> acl GoogleAccounts ssl::server_name accounts.google.com
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice GoogleAccounts
> ssl_bump bump all

> However, traffic to accounts.google.com is not spliced, it's bumped
> like the rest.

You need to figure out why. Two common reasons are SSL-level errors and
http_access denials. Both should be reflected in access.log and
debugging cache.log.


> Can FQDNs be used in ACLs as in the example above even when peeking at step 1?

Yes. They may not work, but they can be used. They should work if the
request contains TLS SNI. Modern browser requests usually do, but you
can confirm by studying browser-Squid traffic with a tool like Wireshark.


> If I peek at step 2 then I won't be able to "bump all"

Correct.


> Likewise, If I need to stare at step 2 then I'll never be able to splice

Correct.


Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid TPROXY issues with Google sites

[Vieri]

Hi Alex et al.,

Thank you very much for your analysis and help. I really appreciate it.

Please keep in mind that I'm basically an end-user, a sys-admin. I wish I had 
the time to study Squid's source code. All I can do for now is read the docs 
that so many people have kindly published.

In 99% of my use cases, I only need this:

ssl_bump stare all
ssl_bump bump all

However, some sites simply don't behave well when accessed with Squid TPROXY. 
This is an example I'm reporting regarding access to 
https://accounts.google.com.

The use case is simple. A client browser successfully connects to 
https://accounts.google.com and I can see this in the access log (there might 
be some garbage but I'm posting it all for completeness):

# tail -f /var/log/squid/access.log | grep 10.215.145.8
1495969366.990 90 10.215.145.8 TCP_MISS/302 870 GET 
https://accounts.google.com/ - ORIGINAL_DST/216.58.201.141 text/html
1495969367.089 91 10.215.145.8 TCP_MISS/302 1206 GET 
https://accounts.google.com/ManageAccount - ORIGINAL_DST/216.58.201.141 
text/html
1495969367.165165 10.215.145.8 TAG_NONE/200 0 CONNECT 216.58.201.141:443 - 
ORIGINAL_DST/216.58.201.141 -
1495969367.546452 10.215.145.8 TCP_MISS/200 254275 GET 
https://accounts.google.com/ServiceLogin? - ORIGINAL_DST/216.58.201.141 
text/html
1495969367.684 99 10.215.145.8 TCP_MISS/200 837 GET 
https://accounts.google.com/_/common/diagnostics/? - 
ORIGINAL_DST/216.58.201.141 application/json
1495969367.799218 10.215.145.8 TAG_NONE/200 0 CONNECT 216.58.201.141:443 - 
ORIGINAL_DST/216.58.201.141 -
1495969368.341356 10.215.145.8 TCP_MISS/200 9598 GET 
https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm,ssIgD,GJkP8c,HUb4Ab,sy3j,DnoIKd,sy1a,sy1g,YKZpNb,sy19,VI9RTb,sy18,sy24,GEsPC/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw
 - ORIGINAL_DST/172.217.9.227 text/javascript
1495969373.609249 10.215.145.8 TCP_MISS/200 9598 GET 
https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm,ssIgD,GJkP8c,HUb4Ab,sy3j,DnoIKd,sy1a,sy1g,YKZpNb,sy19,VI9RTb,sy18,sy24,GEsPC/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw
 - ORIGINAL_DST/172.217.9.227 text/javascript
1495969393.879248 10.215.145.8 TCP_MISS/200 9598 GET 
https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm,ssIgD,GJkP8c,HUb4Ab,sy3j,DnoIKd,sy1a,sy1g,YKZpNb,sy19,VI9RTb,sy18,sy24,GEsPC/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw
 - ORIGINAL_DST/172.217.9.227 text/javascript
1495969393.940166 10.215.145.8 TCP_MISS/200 452 GET 
http://detectportal.firefox.com/success.txt - ORIGINAL_DST/23.219.93.219 
text/plain
1495969394.116225 10.215.145.8 TCP_MISS/200 1261 GET 
https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw
 - ORIGINAL_DST/172.217.9.227 text/javascript
1495969394.204873 10.215.145.8 TAG_NONE/200 0 CONNECT 54.148.190.222:443 - 
ORIGINAL_DST/54.148.190.222 -
1495969394.724488 10.215.145.8 TCP_MISS/200 195 POST 
https://incoming.telemetry.mozilla.org/submit/telemetry/3474d8df-c0c5-454b-916f-20ad7f8cb3f3/main/Firefox/52.0.2/release/20170323105023?
 - ORIGINAL_DST/54.148.190.222 text/plain
1495969399.355223 10.215.145.8 TCP_MISS/200 1261 GET 
https://ssl.gstatic.com/accounts/static/_/js/k=gaia.gaiafe_glif.es.QCvs5i6XPsY.O/m=ZJkSm/am=gggAAACgARcEwFGwAlAM/rt=j/rs=ABkqax2H2XpBhaGl4fmxx-IOq5MdI_K9yw
 - ORIGINAL_DST/172.217.9.227 text/javascript

The client browser successfully renders Google's log-in page where you enter a 
username. However, it is NOT possible to "click next" and enter a password.
No matter what the user does on that page, nothing is logged in 
/var/log/squid/access.log.

The cache log reports errors but they are not necessarily related to this 
client as there are many others actively browsing.

# grep -i error /var/log/squid/cache.log 
2017/05/28 12:55:48 kid1| Error negotiating SSL on FD 93: error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/2)
2017/05/28 12:55:48 kid1| Error negotiating SSL connection on FD 90: 
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate (1/0)
2017/05/28 12:55:49 kid1| Error negotiating SSL on FD 143: error:1409F07F:SSL 
routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:55:50 kid1| Error negotiating SSL on FD 172: error:1409F07F:SSL 
routines:ssl3_write_pending:bad write retry (1/-1/0)
2017/05/28 12:55:55 kid1| Error negotiating SSL on FD 57: error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
2017/05/28 12:55:55 kid1| Error negotiating SSL connection on FD 27: 
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)
2017/05/28 12:55:58 kid1| Error negotiating SSL on FD 57: error:1409F07F:SSL 
routines:ssl3_write_pending:bad write retry 

Re: [squid-users] Squid TPROXY issues with Google sites

[Alex Rousskov]

On 05/26/2017 05:22 PM, Vieri wrote:

> If I have this:
> 
> ssl_bump peek all
> ssl_bump splice AllowTroublesome
> ssl_bump bump all

... then you have a configuration that does not make sense because one
cannot bump after peeking at step2. Your configuration is equivalent to

  * if the current step is 1 or 2, then peek
  * if AllowTroublesome during step 3, then splice
  * otherwise, do the impossible

which, bugs notwithstanding, is equivalent to

  ssl_bump peek all
  ssl_bump splice all

If the above does not block anything then your http_access rules allow
all CONNECTs (and you never get beyond CONNECTs because you do not bump).


> If I replace the above snippet with this:
> 
> ssl_bump stare all
> ssl_bump bump all

This configuration makes sense (but it may not do what you want).

If you want to be able to make a "splice or bump" decision, then you
have to make it during step2:

  ssl_bump peek step1
  ssl_bump splice AllowTroublesome
  ssl_bump bump all


> If I had an http_access rule that allowed the transaction to take
> place then I would expect it to happen regardless of the ssl_bump
> directive.

Your expectations are wrong. SslBump directives expose http_access rules
to more (or fewer) transactions. For example, the "splice all"
configuration does not expose http_access rules to any GET requests.


> Alex, you mention the SSLPeekAndSplice web page. I'll try to sum it
> up in just a few lines

The SslBump feature is too complex to sum it up in just a few lines
unless those lines are something like "do not use it without fully
understanding it". Once you learn the basics of SSL handshake, which
Squid steps look at what parts of the handshake, and what the essential
difference between peeking and staring is, then SslBump becomes less of
black magic. Without that knowledge, it is a dark mystery.


> - peek implies splice which means you can't do content analysis (as
> in scan for threats via c-icap modules)

Wrong. Peeking at step1 does not preclude future bumping. Peeking at
step2 precludes future bumping. If you peek at step2, then you have to
splice or terminate at step3.


> - stare implies bump which means you can do content analysis

Wrong for similar/symmetrical reasons.


> - you don't need to stare, you can just bump

Wrong in many cases -- usually you _do_ need to stare (or peek) at least
at step1, but YMMV.


> - you need to stare before bump if you want the clients to accept a
> certificate with domain names instead of IP addresses

Misleading. You need to stare or peek to get more information, including
the server domain name. That information comes from either the client or
the server, depending on the step. That information is used to generate
a fake certificate. The more info Squid has, the better it can
fake/mimic the true certificate, but learning more information restricts
the set of ssl_bump actions.


> - you can bump first by ACLs and then splice the rest

If you mean that ssl_bump rules may start with "bump" rules and end with
"splice" rules, then this is true, but the reverse is also true, and the
rules may contain a mixture of many actions.


> - you can bump after peek but only if you do that at SslBump1

Too vague to be generally useful. You can bump after peeking at step1.
You cannot bump after peeking at step2.


> the "Bump All Sites Except Banks" example where the next
> phrase contradicts the title by saying that the requests to non-banks
> won't be bumped.

Correct! The example, the title, and the warning were written by
different people. One of them is right. If you know how SslBump works,
you know which part is correct. At that time, please feel free to
propose changes to fix the wiki page. Hundreds of folks receive SslBump
help on this mailing list, but only one of them took the pains to
improve the page afterwards (thank you again, Marcus Kool!). Parts of
that page still need a lot of work.


HTH,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid TPROXY issues with Google sites

[Amos Jeffries]

On 27/05/17 03:44, Vieri wrote:

Hi,

I'd like to block access to Google Mail but allow it to Google Drive. I also 
need to intercept Google Drive traffic (https) and scan its content via c-icap 
modules for threats (with clamav and other tools which would block potentially 
harmful files).

I've failed so far.

I added mail.google.com to a custom file named "denied.domains" and loaded as 
denied_domains ACL in Squid. I know that in TLS traffic there are only IP addresses, so I created 
the "server_name" ACL as seen below.


Erm, not quite. The raw-IP having to be dealt with comes from the use of 
TPROXY (or NAT), not TLS. It is used when Squid is deciding whether to 
permit the traffic on the TCP connection to be processed.


Once the TLS is received (by "peek") the TLS SNI (if any) becomes available.



[...]
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
[...]
reply_header_access Alternate-Protocol deny all
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all

First of all, I was expecting that if a client tried to open 
https://mail.google.com, the connection would be blocked by Squid 
(DenyTroublesome ACL). It isn't. Why?


Any of the http_access lines you omitted from the config snippet might 
be letting it through. Order is important, and knowing the whole 
http_access sequence (and more) is just as important to correctly answer 
a question such as this. So take the below with a grain of salt, I am 
assuming nothing else in your config has subtle effects on the 
processing outcome.


There are several things that can lead to it;

* Google servers do have working rDNS. So raw-IP becomes a server 
hostname for dstdomain ACL to match.
 - the rDNS is within *.1e1.net so will not match your list shown, but 
it is enough to possibly evade your IP rules.


* If no provides access control lines match Squid inverted the action on 
the last one and does that.

  - yours are all deny, so the implicit action there is "allow all"

* "ssl_bump peek all" fetches the TLS SNI server name for 
ssl::server_name ACL to match.
 - so by the time Squid gets to processing the AllowTroublesome it 
already knows the client is trying to reach a *.google.com domain.



Second, I am unable to scan content since Squid is splicing all Google traffic. However, 
if I "bump AllowTroublesome", I can enter my username in 
https://accounts.google.com, but trying to access to the next step (user password) fails 
with an unreported error.

Any suggestions?


The rest of your related squid.conf is needed for that, including 
details of the files includes into the ACLs. In particular it is not 
clear what this "unreported error" is or why it happens.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid TPROXY issues with Google sites

[Alex Rousskov]

On 05/26/2017 09:44 AM, Vieri wrote:

> I know that in TLS traffic there are only IP addresses

This is a gross exaggeration. The reality is much more nuanced.


> I added mail.google.com to a custom file named "denied.domains" and loaded as 
> denied_domains ACL in Squid. 

> [...]
> acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
> http_access deny denied_domains !allowed_groups !allowed_ips
> http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
> [...]
> reply_header_access Alternate-Protocol deny all
> acl AllowTroublesome ssl::server_name .google.com .gmail.com
> acl DenyTroublesome ssl::server_name mail.google.com
> http_access deny DenyTroublesome
> ssl_bump peek all
> ssl_bump splice AllowTroublesome
> ssl_bump bump all


> First of all, I was expecting that if a client tried to open
> https://mail.google.com, the connection would be blocked by Squid
> (DenyTroublesome ACL). It isn't. Why?

If a transaction is not blocked, then you have an http_access rule that
allows it. You need to figure out which rule does that. You can figure
that out by studying debugging logs, adding/logging annotate_transaction
ACLs, and/or altering http_access rules.


> Second, I am unable to scan content since Squid is splicing all
> Google traffic.

You told Squid to bump nothing because nothing can be bumped after
"ssl_bump peek all". You may want to study the following wiki page,
including definitions of actions such as "peek" and examples.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid TPROXY issues with Google sites

[Benjamin E. Nichols]

Here is a list of google domains that may help you,

http://www.squidblacklist.org/downloads/whitelists/google.domains


On 5/26/2017 10:44 AM, Vieri wrote:

Hi,

I'd like to block access to Google Mail but allow it to Google Drive. I also 
need to intercept Google Drive traffic (https) and scan its content via c-icap 
modules for threats (with clamav and other tools which would block potentially 
harmful files).

I've failed so far.

I added mail.google.com to a custom file named "denied.domains" and loaded as 
denied_domains ACL in Squid. I know that in TLS traffic there are only IP addresses, so I created 
the "server_name" ACL as seen below.

[...]
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
[...]
reply_header_access Alternate-Protocol deny all
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all

First of all, I was expecting that if a client tried to open 
https://mail.google.com, the connection would be blocked by Squid 
(DenyTroublesome ACL). It isn't. Why?

Second, I am unable to scan content since Squid is splicing all Google traffic. However, 
if I "bump AllowTroublesome", I can enter my username in 
https://accounts.google.com, but trying to access to the next step (user password) fails 
with an unreported error.

Any suggestions?

Vieri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


--
--

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org

1-405-397-1360 - Call Anytime.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Squid TPROXY issues with Google sites

[Vieri]

Hi,

I'd like to block access to Google Mail but allow it to Google Drive. I also 
need to intercept Google Drive traffic (https) and scan its content via c-icap 
modules for threats (with clamav and other tools which would block potentially 
harmful files).

I've failed so far.

I added mail.google.com to a custom file named "denied.domains" and loaded as 
denied_domains ACL in Squid. I know that in TLS traffic there are only IP 
addresses, so I created the "server_name" ACL as seen below.

[...]
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
[...]
reply_header_access Alternate-Protocol deny all
acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all

First of all, I was expecting that if a client tried to open 
https://mail.google.com, the connection would be blocked by Squid 
(DenyTroublesome ACL). It isn't. Why?

Second, I am unable to scan content since Squid is splicing all Google traffic. 
However, if I "bump AllowTroublesome", I can enter my username in 
https://accounts.google.com, but trying to access to the next step (user 
password) fails with an unreported error.

Any suggestions?

Vieri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid tproxy net unreachable

[Abi Askushi]

Thank you Amos.

I have the following at squidguard:

default {
pass !porn !adv !drugs !custom any
redirect http://localhost:10080/error.php
}

Which when squid in intercept mode the user is "redirected" to error page.
I'm not sure if squidguard is rewriting or redirecting.
With squid in tproxy mode the user gets the squid error page "The Requested
URL cannot be retrieved: network unreachable 101 ... "

I did replace this squid error page with my custom and it can be displayed
to user, though this means that I will not be able to discern connections
errors from deny errors.
I would prefer not to do this dirty trick and have a more clean approach.
Attempts to resolve it through routing table hacks were not successful
also.






On Sun, May 14, 2017 at 3:16 PM, Amos Jeffries  wrote:

> On 14/05/17 01:59, Abi Askushi wrote:
>
>> Hi,
>>
>> I have setup squid (v 3.1.20) with tproxy and relevant iptables and
>> policy routes. It is functioning ok except one thing, squid is not able to
>> redirect to deny page (located on same device) and it gives error "101
>> network unreachable". I have squidguard in the setup as a helper program
>> and squidguard is doing the redirection to a page on localhost. With squid
>> in intercept mode this redirection to deny page is ok. I have also disabled
>> rpfilter in kernel. I may provide more details on configs if needed.
>>
>> Did anyone encounter this? Any ideas?
>>
>>
> It is not possible to use a global IP address (eg the spoofed client IP)
> to connect to any machines lo (localhost) interface.
>
> So Squid is not able to perform TPROXY spoofing to fetch the page your SG
> is *re-writing* (not redirecting) the URL to. If you actually are
> redirecting then the client cannot connect to the web server running in
> *its* localhost interface.
>
>
> PS. please upgrade, no up to date OS releases I'm aware of still ship
> Squid-3.1.
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid tproxy net unreachable

[Amos Jeffries]

On 14/05/17 01:59, Abi Askushi wrote:

Hi,

I have setup squid (v 3.1.20) with tproxy and relevant iptables and 
policy routes. It is functioning ok except one thing, squid is not 
able to redirect to deny page (located on same device) and it gives 
error "101 network unreachable". I have squidguard in the setup as a 
helper program and squidguard is doing the redirection to a page on 
localhost. With squid in intercept mode this redirection to deny page 
is ok. I have also disabled rpfilter in kernel. I may provide more 
details on configs if needed.


Did anyone encounter this? Any ideas?



It is not possible to use a global IP address (eg the spoofed client IP) 
to connect to any machines lo (localhost) interface.


So Squid is not able to perform TPROXY spoofing to fetch the page your 
SG is *re-writing* (not redirecting) the URL to. If you actually are 
redirecting then the client cannot connect to the web server running in 
*its* localhost interface.



PS. please upgrade, no up to date OS releases I'm aware of still ship 
Squid-3.1.


Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Squid tproxy net unreachable

[Abi Askushi]

Hi,

I have setup squid (v 3.1.20) with tproxy and relevant iptables and policy
routes. It is functioning ok except one thing, squid is not able to
redirect to deny page (located on same device) and it gives error "101
network unreachable". I have squidguard in the setup as a helper program
and squidguard is doing the redirection to a page on localhost. With squid
in intercept mode this redirection to deny page is ok. I have also disabled
rpfilter in kernel. I may provide more details on configs if needed.

Did anyone encounter this? Any ideas?

Thanx,
Alex
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squid tproxy connection time out

[mrghorbani]

also what about this topology?
 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-tproxy-connection-time-out-tp4681027p4681044.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squid tproxy connection time out

[mrghorbani]

hello,
i had created the topology diagram as i get from your idea, does it that you
mentioned?
but, according to that my bgp and wireless points are connected to mikrotik
router, i can not move squid to the end point...in this network, now and in
exists network, i routed the client to the mikrotik  as gw and then routed
him by mikrotik to squid so, now, mikrotik is between the client and squid
but in virtuality
 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-tproxy-connection-time-out-tp4681027p4681040.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squid tproxy connection time out

[Omid Kosari]

Hello,

I think your problem is topology . I suggest change the position of squid so
the mikrotik router stands between clients and squid box .

Also assign a private ip address to your squid and also one ip from same
range to your mikrotik router . Then try to mangle and route to that private
ip .





--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-tproxy-connection-time-out-tp4681027p4681037.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] squid tproxy connection time out

[mr ghorbani]

hello masters
I have a problem on the squid in tproxy mode and it is that  squid
return Error "110 connection
the timeout." for all Requests on port 3129, which is related to tproxy
Of course, by eliminating the code
ip route add local 0.0.0.0/0 dev lo table 100
Problem solved, but in this case, Squid does not record any activity log.

i had attached the network topology.

In this network, 185.12.32.1 is gw for both of the client and squid. it is set
to That route the client communication to the squid and then, squid
connect it to the internet by using this gw and also redirect port 80
to 3129 and tproxy to cache the data.
The gw is connected to the Internet and also it is the bgp for these
IP addresses.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] squid tproxy

[Amos Jeffries]

On 29/08/2015 5:27 a.m., Vieri wrote:
 Hi,
 
 
 [reposting a trimmed-down message]
 

 My goal is to allow lan users to access a greater number of sites if
they explicitly configure the squid proxy server in their browsers and
authenticate. If they don't then traffic to port 80 and 443 will be
transparently redirected to a squid proxy server by the corporate
firewall (in my case, firewall and squid are on the same machine).
 
 Since I noticed that I cannot REQUIRE proxy_auth and create an
additional http_port for tproxy without authentication, I merely created
two instances of squid.

Yes you cannot require authn from an ACL test that gets checked on
intercepted traffic.

Jumping to the conclusion that you needed two proxies was extreme.

This would do it:

 http_port 3128
 http_port 3129 tproxy

 acl login proxy_auth REQUIRED
 acl explicit myportname 3128
 acl interceted myportname 3129

 http_access deny explicit !login
 http_access deny intercepted !localnet

Your regular rules then follow.

But if there is anything like a group check of external ACL with %LOGIN
place the 'explicit' ACL as the first one on the line, like the login
above. You will then have to figure out what (if anything) to do with
the intercepted traffic to check the same thing(s).


 
 The first instance requires authentication and listens on port 3128.
All works fine when setting up the proxy address and port 3128 (or via
wpad.dat) on the client.
 
 The second instance does not require authentication and listens on
port 3129 in tproxy mode and on port 3130 in forward proxy mode.
 
 The firewall on the same machine as squid (iptables) redirects port
 80
to 3129
 
 I tried connecting from a Firefox client browser (lan IP addr.
10.215.144.48) without proxy manually configured to internet host
89.16.167.134:80.
 
 The second squid proxy instance handles the connection but fails
 with
a connection timeout (see log below).

 squid.tproxy.conf (of second instance):
 
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl Safe_ports port 901 # SWAT
 acl CONNECT method CONNECT
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager
 include /etc/squid/squid.custom.rules.tproxy
 http_access allow localhost
 http_access deny all
 coredump_dir /var/cache/squid
 refresh_pattern ^ftp: 1440 20% 10080
 refresh_pattern ^gopher: 1440 0% 1440
 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
 refresh_pattern . 0 20% 4320
 pid_filename /run/squid.tproxy.pid
 cache_dir ufs /var/cache/squid.tproxy 100 16 256
 
 squid.custom.rules.tproxy:
 
 access_log daemon:/var/log/squid/access.tproxy.log squid
 cache_log /var/log/squid/cache.tproxy.log
 http_access allow all
 email_err_data on
 error_directory /usr/share/squid/errors/HMAN
 debug_options rotate=1 ALL,5
 append_domain .mydomain.org
 http_port 3130
 http_port 3129 tproxy
 dns_v4_first on
 
 squid 3.5.6
 kernel 4.1.4
 
 CONFIG_NETFILTER_XT_TARGET_TPROXY=m
 CONFIG_NETFILTER_XT_MATCH_SOCKET=m
 CONFIG_NF_CONNTRACK=m
 
 lsmod shows xt_TPROXY, nf_conntrack, xt_socket
 
 Here's the log (connecting from client browser at 10.215.144.48 to internet 
 host at 89.16.167.134):
 
 http://pastebin.com/W2e8csZT
 
 What is causing the timeout?

TCP SYN+ACK packet never gets back to Squid on the server connection.

 
 Is there something wrong with my squid configuration or should I look 
 elsewhere?
 

The Squid operation seems to be perfectly fine.


The above SYN+ACK packet disappearance is a common sign that you have
triangular routing going on. Where the server response gets sent
straight to the client not to Squid.

You dont mention what routing or iptables configuration you have. It
could be there on the same machine, or it could be any of the network
routers elsewhere the traffic is going over.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] squid tproxy

[Vieri]

Hi,


[reposting a trimmed-down message]

My goal is to allow lan users to access a greater number of sites if they 
explicitly configure the squid proxy server in their browsers and authenticate. 
If they don't then traffic to port 80 and 443 will be transparently redirected 
to a squid proxy server by the corporate firewall (in my case, firewall and 
squid are on the same machine).

Since I noticed that I cannot REQUIRE proxy_auth and create an additional 
http_port for tproxy without authentication, I merely created two instances of 
squid.

The first instance requires authentication and listens on port 3128. All works 
fine when setting up the proxy address and port 3128 (or via wpad.dat) on the 
client.

The second instance does not require authentication and listens on port 3129 in 
tproxy mode and on port 3130 in forward proxy mode.

The firewall on the same machine as squid (iptables) redirects port 80 to 3129

I tried connecting from a Firefox client browser (lan IP addr. 10.215.144.48) 
without proxy manually configured to internet host 89.16.167.134:80.

The second squid proxy instance handles the connection but fails with a 
connection timeout (see log below).

squid.tproxy.conf (of second instance):

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/squid.custom.rules.tproxy
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
pid_filename /run/squid.tproxy.pid
cache_dir ufs /var/cache/squid.tproxy 100 16 256

squid.custom.rules.tproxy:

access_log daemon:/var/log/squid/access.tproxy.log squid
cache_log /var/log/squid/cache.tproxy.log
http_access allow all
email_err_data on
error_directory /usr/share/squid/errors/HMAN
debug_options rotate=1 ALL,5
append_domain .mydomain.org
http_port 3130
http_port 3129 tproxy
dns_v4_first on

squid 3.5.6
kernel 4.1.4

CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NF_CONNTRACK=m

lsmod shows xt_TPROXY, nf_conntrack, xt_socket

Here's the log (connecting from client browser at 10.215.144.48 to internet 
host at 89.16.167.134):

http://pastebin.com/W2e8csZT

What is causing the timeout?

Is there something wrong with my squid configuration or should I look elsewhere?

Thanks,

Vieri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] squid tproxy web filtering intergration with DNS ?!

[Ahmad]

HI ALL ,
i have an idea ,

i have squid with tproxy and with  squidguard .

all we know that  webfiltering is not strong becuase it needed to be updated
frequently ,

i  also have dns server inside , and i began to think how to strenthen the
web filtering

i found that if i configured my dns with Norton DNS as forwarder , and let
my squid server point to my internet DNS , i will have the benefit of
webfiltering from :
1- squidguard
2- Norton DNS

i think that norton dns is very strong relative to squidguard and any other
content filtering .

im here is hear your opinios !

regards




-
Dr.x
--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-tproxy-web-filtering-intergration-with-DNS-tp4662800.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] Squid TPROXY and TCP_MISS/000 entries

[Amos Jeffries]

On 22/04/2013 9:46 p.m., Marcin Czupryniak wrote:



Hello all!,
checking my logs from time to time I see that there are some 
requests which return the TCP_MISS/000 log code, I'm managing a 
medium sized Active-Standby transparent caching proxy (direct 
routing) which is handling around 100 requests per second (average 
on daily basis), I know what the entry means but I'm not exactly 
sure whether under normal operating conditions they are normal to 
see in such amount.


The number of these entries is less than 0,001% of total requests 
served (avg 1 entry per 10 seconds), should I worry about it or 
others get them too?


How long a duration do they show? any consistency to the type of 
requests? is there
As far as I can see sometimes a sequence of 000 misses is replied to 
the same requesting IP (mostly web spiders) but in the meantime they 
do get tons of other content.

Some of them (maybe 20%) come in couples something like:

1366622555.453   1488 87.19.154.90 TCP_MISS/000 0 GET 
http://yammo.it/index.php? - DIRECT/151.1.96.198 -
1366622555.454   2327 87.19.154.90 TCP_MISS/000 0 GET 
http://yammo.it/index.php? - DIRECT/151.1.96.198 -


1366622571.558292 82.90.127.184 TCP_MISS/000 0 GET 
http://www.forumviaggiatori.com/tabindex.php? - DIRECT/5.134.122.135 -
1366622571.575242 82.90.127.184 TCP_MISS/000 0 GET 
http://www.forumviaggiatori.com/popup%0Bg.png - DIRECT/5.134.122.135 -


1366622596.390   1972 193.32.73.24 TCP_MISS/000 0 GET 
http://www.romaintheclub.com/24042013-shed-function-goa - 
DIRECT/5.134.122.154 -
1366622596.561166 193.32.73.24 TCP_MISS/000 0 GET 
http://www.romaintheclub.com/24042013-shed-function-goa - 
DIRECT/5.134.122.154 -




Hmm, some of these are too long to be happy eyeballs. I'd put the odd 
pairing down to spiders or some artifact of the way they are referenced 
in the original pages.






In normal traffic this could be the result of:

* DNS lookup failure/timeout.
Identified by the lack of upstream server information on the log 
line. This is very common as websites contain broken links, broken 
XHR scripts, and even some browsers send garbage FQDN in requests to 
probe network functionality. Not to mention DNS misconfiguration and 
broken DNS servers not responding to  lookups.
We are not using IPv6 yet, and it could be due to actually failed DNS 
lookups, as I still have to fix some issues we have with our local 
resolvers. Details from DNS stats


Rcode Matrix:
RCODE ATTEMPT1 ATTEMPT2 ATTEMPT3
09369030
1000
2 1525 1522 1522
3  54000
4000
5000



If this were the problem you would see NONE/- on the access log lines.




* Happy Eyeballs clients.
 Identified by the short duration of transaction as clients open 
multiple connections abort some almost immediately.

Maybe that's why they come in couples?


* HTTP Expect:100-continue feature being used over a Squid having 
ignore_expect_100 on configured - or some other proxy doing the 
equivalent.
Identified by the long duration of the transaction, HTTP method type 
plus an Expect header on request, and sometimes no body size. As the 
client sends headers with Expect: then times out waiting for a 
100-continue response which is never going to appear. These clients 
are broken as they are supposed to send the request payload on 
timeout anyway which would make the transaction complete properly.

Did not check this one


 3) PMTUd breakage on the upstream routes.
Identified at the TCP level by complete lack of TCP ACK to data 
packets following a successful TCP SYN + SYN/ACK handshake. This 
would account for the intermittent nature of it as HTTP response 
sizes vary a only large packets go over the MTU size (individual TCP 
packets, *not* HTTP response message size).

I don't think it's the case here



Amos


I suspect that most of the misses come from loaded webservers 
discarding requests (and so squid never receives a reply) or by actual 
firewalls discarding excessive packets.

Any other suggestions?


Note: Firewalls discarding excessive packets is another way of saying 
PMTUd problems, as the MTU discovery is what tells the firewalls what 
size packets to expect.


No more suggestins from me, I think thats pretty much all of them covered.

Amos

Re: [squid-users] Squid TPROXY and TCP_MISS/000 entries

[Marcin Czupryniak]

Hello all!,
checking my logs from time to time I see that there are some requests 
which return the TCP_MISS/000 log code, I'm managing a medium sized 
Active-Standby transparent caching proxy (direct routing) which is 
handling around 100 requests per second (average on daily basis), I 
know what the entry means but I'm not exactly sure whether under 
normal operating conditions they are normal to see in such amount.


The number of these entries is less than 0,001% of total requests 
served (avg 1 entry per 10 seconds), should I worry about it or 
others get them too?


How long a duration do they show? any consistency to the type of 
requests? is there
As far as I can see sometimes a sequence of 000 misses is replied to the 
same requesting IP (mostly web spiders) but in the meantime they do get 
tons of other content.

Some of them (maybe 20%) come in couples something like:

1366622555.453   1488 87.19.154.90 TCP_MISS/000 0 GET 
http://yammo.it/index.php? - DIRECT/151.1.96.198 -
1366622555.454   2327 87.19.154.90 TCP_MISS/000 0 GET 
http://yammo.it/index.php? - DIRECT/151.1.96.198 -


1366622571.558292 82.90.127.184 TCP_MISS/000 0 GET 
http://www.forumviaggiatori.com/tabindex.php? - DIRECT/5.134.122.135 -
1366622571.575242 82.90.127.184 TCP_MISS/000 0 GET 
http://www.forumviaggiatori.com/popup%0Bg.png - DIRECT/5.134.122.135 -


1366622596.390   1972 193.32.73.24 TCP_MISS/000 0 GET 
http://www.romaintheclub.com/24042013-shed-function-goa - 
DIRECT/5.134.122.154 -
1366622596.561166 193.32.73.24 TCP_MISS/000 0 GET 
http://www.romaintheclub.com/24042013-shed-function-goa - 
DIRECT/5.134.122.154 -





In normal traffic this could be the result of:

* DNS lookup failure/timeout.
Identified by the lack of upstream server information on the log line. 
This is very common as websites contain broken links, broken XHR 
scripts, and even some browsers send garbage FQDN in requests to probe 
network functionality. Not to mention DNS misconfiguration and broken 
DNS servers not responding to  lookups.
We are not using IPv6 yet, and it could be due to actually failed DNS 
lookups, as I still have to fix some issues we have with our local 
resolvers. Details from DNS stats


Rcode Matrix:
RCODE ATTEMPT1 ATTEMPT2 ATTEMPT3
09369030
1000
2 1525 1522 1522
3  54000
4000
5000



* Happy Eyeballs clients.
 Identified by the short duration of transaction as clients open 
multiple connections abort some almost immediately.

Maybe that's why they come in couples?


* HTTP Expect:100-continue feature being used over a Squid having 
ignore_expect_100 on configured - or some other proxy doing the 
equivalent.
Identified by the long duration of the transaction, HTTP method type 
plus an Expect header on request, and sometimes no body size. As the 
client sends headers with Expect: then times out waiting for a 
100-continue response which is never going to appear. These clients 
are broken as they are supposed to send the request payload on timeout 
anyway which would make the transaction complete properly.

Did not check this one


 3) PMTUd breakage on the upstream routes.
Identified at the TCP level by complete lack of TCP ACK to data 
packets following a successful TCP SYN + SYN/ACK handshake. This would 
account for the intermittent nature of it as HTTP response sizes vary 
a only large packets go over the MTU size (individual TCP packets, 
*not* HTTP response message size).

I don't think it's the case here



Amos


I suspect that most of the misses come from loaded webservers discarding 
requests (and so squid never receives a reply) or by actual firewalls 
discarding excessive packets.

Any other suggestions?

Martin

Re: [squid-users] Squid TPROXY and TCP_MISS/000 entries

[Amos Jeffries]

On 20/04/2013 5:34 p.m., Marcin Czupryniak wrote:

Hello all!,
checking my logs from time to time I see that there are some requests 
which return the TCP_MISS/000 log code, I'm managing a medium sized 
Active-Standby transparent caching proxy (direct routing) which is 
handling around 100 requests per second (average on daily basis), I 
know what the entry means but I'm not exactly sure whether under 
normal operating conditions they are normal to see in such amount.


The number of these entries is less than 0,001% of total requests 
served (avg 1 entry per 10 seconds), should I worry about it or others 
get them too?


How long a duration do they show? any consistency to the type of 
requests? is there


In normal traffic this could be the result of:

* DNS lookup failure/timeout.
Identified by the lack of upstream server information on the log line. 
This is very common as websites contain broken links, broken XHR 
scripts, and even some browsers send garbage FQDN in requests to probe 
network functionality. Not to mention DNS misconfiguration and broken 
DNS servers not responding to  lookups.


* Happy Eyeballs clients.
 Identified by the short duration of transaction as clients open 
multiple connections abort some almost immediately.


* HTTP Expect:100-continue feature being used over a Squid having 
ignore_expect_100 on configured - or some other proxy doing the 
equivalent.
Identified by the long duration of the transaction, HTTP method type 
plus an Expect header on request, and sometimes no body size. As the 
client sends headers with Expect: then times out waiting for a 
100-continue response which is never going to appear. These clients are 
broken as they are supposed to send the request payload on timeout 
anyway which would make the transaction complete properly.


 3) PMTUd breakage on the upstream routes.
Identified at the TCP level by complete lack of TCP ACK to data packets 
following a successful TCP SYN + SYN/ACK handshake. This would account 
for the intermittent nature of it as HTTP response sizes vary a only 
large packets go over the MTU size (individual TCP packets, *not* HTTP 
response message size).



Amos

[squid-users] Squid TPROXY and TCP_MISS/000 entries

[Marcin Czupryniak]

Hello all!,
checking my logs from time to time I see that there are some requests 
which return the TCP_MISS/000 log code, I'm managing a medium sized 
Active-Standby transparent caching proxy (direct routing) which is 
handling around 100 requests per second (average on daily basis), I know 
what the entry means but I'm not exactly sure whether under normal 
operating conditions they are normal to see in such amount.


The number of these entries is less than 0,001% of total requests served 
(avg 1 entry per 10 seconds), should I worry about it or others get them 
too?

[squid-users] Squid Tproxy WCCPV2 Centos

[Juan C. Crespo R.]

Guys

I've been trying to build a solution using Squid in Centos, but 
there is something missing. the WCCPV2 service is adquired by the 
router, but after a while it stop redirecting the request, so I guest 
there is something missing at the gre config, could you send me a good 
example how to do this?


Thanks

[squid-users] Squid TPROXY and Bonding LACP

[Marcin Czupryniak]

Hello to all,
since today I've started to replace my bonding mode from balance-alb to 
802.3ad (finally got 2 new stackable switches!) and SQUID stopped to work...
I've just replaced the bonding option mode=balance-alb to 
mode=802.3ad and several related, restarted the machine and boom!
Squid is actually working and listening to requests, the iptables rules 
are the same for the working squid before the change and yet nothing is 
logged inside the access.log file.
However the websites squid is accelerating are working properly but just 
squid isn't intercepting the traffic... The strangest thing so far is 
that if I stop squid, then the websites stop to work as well, even if 
squid isn't intercepting (apparently from the logfiles) a single bit!
Could someone please explain me how is this possible and if others have 
a similar setup?

Thanks in advance

Marcin Czupryniak

Re: [squid-users] Squid TPROXY and Bonding LACP

[Eliezer Croitoru]

On 11/6/2012 9:50 PM, Marcin Czupryniak wrote:

Hello to all,
since today I've started to replace my bonding mode from balance-alb to
802.3ad (finally got 2 new stackable switches!) and SQUID stopped to
work...
I've just replaced the bonding option mode=balance-alb to
mode=802.3ad and several related, restarted the machine and boom!
Squid is actually working and listening to requests, the iptables rules
are the same for the working squid before the change and yet nothing is
logged inside the access.log file.
However the websites squid is accelerating are working properly but just
squid isn't intercepting the traffic... The strangest thing so far is
that if I stop squid, then the websites stop to work as well, even if
squid isn't intercepting (apparently from the logfiles) a single bit!
Could someone please explain me how is this possible and if others have
a similar setup?
Thanks in advance

Marcin Czupryniak


And how is it related to squid?
all the lower level under the application is Linux kernel stuff.

if you can give some more info on your infrastructure I will be happy to 
give you some directions.


Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il

[squid-users] Squid Tproxy in Bridge Mode - Static Routes

[Ulises Nicolini]

Hello,

I have a transparent proxy squid server work in bridge mode and tproxy 
with two interfaces : LAN and WAN. My clients are reachable by LAN 
interface by a group of gateways (Router 1, Router 2..Router(n))


CLIENTS (Network1)ROUTER1
   \
   
+|LAN SQUID WAN|-ROUTERWAN INTERNET
   /  
CLIENTS (Network2)ROUTER2

...   |
CLIENTS (Network(n)ROUTER(n)  
   



Squid Server default gateway = ROUTERWAN

For make this toplogy i need create static routes in the squid server 
for the return routes, otherwise the squid responses are sent to default 
wateway (ROUTERWAN)


ip route add Network1 via ROUTER1
ip route add Network2 via ROUTER2

ip route add Network(n) via ROUTER(n)

Is possible create this routes dynamically when for example intercept 
the incoming traffic with iptables to redirect this to squid? Use static 
routes is very dificult to support, being necessary add or remove 
networks form squid server when my distribution toplogogy is modified.


Sorry for may bad english

Ulises

Re: [squid-users] Squid Tproxy in Bridge Mode - Static Routes

[Eliezer Croitoru]

On 9/13/2012 6:17 PM, Ulises Nicolini wrote:

Is possible create this routes dynamically when for example intercept
the incoming traffic with iptables to redirect this to squid? Use static
routes is very dificult to support, being necessary add or remove
networks form squid server when my distribution toplogogy is modified.

Sorry for may bad english

Ulises

This is not a matter of squid in any way but routing.
you can use route servers such as quagga and bird.
you can if you want to put another router that you will manage for this 
purpose only but linux routing combined with route server can give you 
what ever you need for the matter.
add some good routing protocol to the network if there isnt and manage 
it a bit more efficient and managed.


Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il

[squid-users] squid tproxy in ipv6 enviroment.

[Pawel Mojski]

Hi All;

I'm trying to run squid tproxy feature in native ipv6 enviroment.
It's a bridge deployed between core router and next router. Next thing 
to do for me will be add ds-lite traffic in this native ipv6 network.


Squid complied correctly, but when trying to add ebtables rules got an 
error:


v6priv linux #  ebtables -t broute -A BROUTING -i eth0 -p ipv6 
--ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

For IP filtering the protocol must be specified as IPv4.

What's wrong? Have something been changed or maybe I have to enable 
another kernel feature?


Regards;
Pawel Mojski

Re: [squid-users] squid tproxy in ipv6 enviroment.

[Pawel Mojski]

W dniu 26-Jun-12 12:08, Pawel Mojski pisze:



v6priv linux #  ebtables -t broute -A BROUTING -i eth0 -p ipv6 
--ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

For IP filtering the protocol must be specified as IPv4.



Ok, I've found my mistake. I should use --ip6-proto and --ip6-sport.
But, now all commands are accepter but traffic could not work.
I suppose it might be rp_filter configuration but I can not find any 
rp_filter switch for ipv6.

Is rp_filter for ipv6 is enabled or disabled per default?

Here is my configuration:
#!/bin/sh
PATH=$PATH:/sbin

LAN=eth1
WAN=eth0
ip6tables -t mangle -F
ip6tables -t mangle -X

ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY 
--tproxy-mark 0x1/0x1 --on-port 3129


ebtables -t broute -F
ebtables -t broute -A BROUTING -i $LAN -p ipv6 --ip6-proto tcp 
--ip6-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $WAN -p ipv6 --ip6-proto tcp 
--ip6-sport 80 -j redirect --redirect-target DROP


After running this, no traffic to port 80 is accepted.

Here are ip6tables stats:
v6priv ~ # ip6tables -t mangle -vL
Chain PREROUTING (policy ACCEPT 27 packets, 1944 bytes)
 pkts bytes target prot opt in out source destination
0 0 DIVERT tcp  anyany anywhere 
anywhere socket
   52  4160 TPROXY tcp  anyany anywhere 
anywhere tcp dpt:http TPROXY redirect :::3129 mark 0x1/0x1


Chain INPUT (policy ACCEPT 27 packets, 1944 bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain DIVERT (1 references)
 pkts bytes target prot opt in out source destination
0 0 MARK   all  anyany anywhere 
anywhere MARK set 0x1

0 0 ACCEPT all  anyany anywhere anywhere




Regards;
Pawel Mojski

Re: [squid-users] squid tproxy in ipv6 enviroment.

[Pawel Mojski]

W dniu 26-Jun-12 13:40, Pawel Mojski pisze:

W dniu 26-Jun-12 12:08, Pawel Mojski pisze:



v6priv linux #  ebtables -t broute -A BROUTING -i eth0 -p ipv6 
--ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

For IP filtering the protocol must be specified as IPv4.



Ok, I've found my mistake. I should use --ip6-proto and --ip6-sport.
But, now all commands are accepter but traffic could not work.
I suppose it might be rp_filter configuration but I can not find any 
rp_filter switch for ipv6.

Is rp_filter for ipv6 is enabled or disabled per default?

[...]

rp_filter per default is disabled.
All works fine, is just forgot to bind squid to 3129 port.

So, at the end of the day you have running config for tproxy ipv6 on 
bridge interface.

I think it might be useful for someone.

Have a nice day to all of you.

Regards;
Pawel Mojski

Re: [squid-users] squid tproxy in ipv6 enviroment.

[Amos Jeffries]

On 27.06.2012 00:14, Pawel Mojski wrote:

W dniu 26-Jun-12 13:40, Pawel Mojski pisze:

W dniu 26-Jun-12 12:08, Pawel Mojski pisze:



v6priv linux #  ebtables -t broute -A BROUTING -i eth0 -p ipv6 
--ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

For IP filtering the protocol must be specified as IPv4.



Ok, I've found my mistake. I should use --ip6-proto and --ip6-sport.
But, now all commands are accepter but traffic could not work.
I suppose it might be rp_filter configuration but I can not find any 
rp_filter switch for ipv6.

Is rp_filter for ipv6 is enabled or disabled per default?

[...]

rp_filter per default is disabled.
All works fine, is just forgot to bind squid to 3129 port.

So, at the end of the day you have running config for tproxy ipv6 on
bridge interface.
I think it might be useful for someone.

Have a nice day to all of you.

Regards;
Pawel Mojski



Thank you very much for proving this does work :)
Wiki being checked/updated.

Amos

[squid-users] squid + tproxy is not working properly when using url_rewriter and local apache script for youtube caching

[x-man]

Hello there, 

I'm using squid transparent proxy for caching and I have also youtube
caching done with url_rewrite and apache script running on same machine as
squid.

It was all working fine, until I decided to go with TPROXY, as it has many
benefits. When I implemented the tproxy rules in iptables, everything
continued to work except the playing of youtube videos - where the
url_rewriter and the apache script come into play.  The url_rewriter
redirects the youtube requests to a local .php script working on the Apache
(on same machine)

I think it has something to do with how squid communicates with the local
apache process (where the software for youtube caching works) and somehow
the tproxy is screwing this up, because after implementing the tproxy the
requests to the Apache are sent with the USER-IP (previous without tproxy,
it was with SQUID-IP) and the reply from the apache script probably goes
directly the user, instead of returning back through the squid process. 

Also the apache script should be able to freely communicate with the real
youtube servers, to fetch the video from there.

Here are my rules for tproxy, but I think they are pretty standart: 

iptables -t mangle -N DIVERT 
iptables -t mangle -A DIVERT -j MARK --set-mark 1 
iptables -t mangle -A DIVERT -j ACCEPT 
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT 
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 8081 

echo 1  /proc/sys/net/ipv4/ip_forward 
ip rule add fwmark 1 lookup 100 
ip route add local 0.0.0.0/0 dev lo table 100 


The system is UBUNTU 12.04 with squid version 3.1.19. 

Anyone experienced same problem and eventually some workaround with the
Squid options or with iptables rules? 


--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-tproxy-is-not-working-properly-when-using-url-rewriter-and-local-apache-script-for-youtube-cacg-tp4568053p4568053.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] squid + tproxy is not working properly when using url_rewriter and local apache script for youtube caching

[Amos Jeffries]

On 19.04.2012 03:27, x-man wrote:

Hello there,

I'm using squid transparent proxy for caching and I have also youtube
caching done with url_rewrite and apache script running on same 
machine as

squid.

It was all working fine, until I decided to go with TPROXY, as it has 
many

benefits. When I implemented the tproxy rules in iptables, everything
continued to work except the playing of youtube videos - where the
url_rewriter and the apache script come into play.  The url_rewriter
redirects the youtube requests to a local .php script working on the 
Apache

(on same machine)

I think it has something to do with how squid communicates with the 
local
apache process (where the software for youtube caching works) and 
somehow
the tproxy is screwing this up, because after implementing the tproxy 
the
requests to the Apache are sent with the USER-IP (previous without 
tproxy,
it was with SQUID-IP) and the reply from the apache script probably 
goes
directly the user, instead of returning back through the squid 
process.


Have you verified that Apache is actually getting the request? Traffic 
from a globally routable IP to/from localhost is often prohibited by the 
kernel or even hardware.




Amos

Re: [squid-users] SQUID TPROXY not working when URL is hosted on the same machine running SQUID

[Vignesh Ramamurthy]

Hi Amos,

Thanks a lot for your help. Your suggestion of redirecting using
cache-peering worked. I did cache-peering with the same squid instance
(on a different port) and from then on sent to our captive portal.
That way, didnt have to change any URL rewriting logic.

Best Regards,
Vignesh

On Wed, Mar 7, 2012 at 4:43 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 On 6/03/2012 6:50 a.m., Vignesh Ramamurthy wrote:

 Hello,

 We are using squid to transparently proxy the traffic to a captive
 portal that is residing on the same machine as the squid server. The
 solution was working based on a NAT REDIRECT . We are moving the
 solution to TPROXY based now as part of migration to IPv6. The TPROXY
 works fine in intercepting traffic and also successfully able to allow
 / deny traffic to IPv6 sites. We are facing a strange issue when we
 try to access a URL in the same machine that hosts the squid server.
 The acces hangs and squid is not able to connect to the URL. We are
 having AOL webserver to host the webpage.


 As a workaround you can use the cache_peer no-tproxy option to get Squid
 to use its own IP when contacting that local server. It can still use the
 X-Forwarded-For header to get the client IP.

 I'm not too clear on the details, but I think it has something to do with
 the packets not actually going through routing or some layers of the
 handling TPROXY needs when shifting between processes on the same machine.
 If you want to learn the details and get it going please contact the
 netfilter people to find out whats happening to the packets once they leave
 Squid.

 Amos

Re: [squid-users] SQUID TPROXY not working when URL is hosted on the same machine running SQUID

[Amos Jeffries]

On 6/03/2012 6:50 a.m., Vignesh Ramamurthy wrote:

Hello,

We are using squid to transparently proxy the traffic to a captive
portal that is residing on the same machine as the squid server. The
solution was working based on a NAT REDIRECT . We are moving the
solution to TPROXY based now as part of migration to IPv6. The TPROXY
works fine in intercepting traffic and also successfully able to allow
/ deny traffic to IPv6 sites. We are facing a strange issue when we
try to access a URL in the same machine that hosts the squid server.
The acces hangs and squid is not able to connect to the URL. We are
having AOL webserver to host the webpage.


As a workaround you can use the cache_peer no-tproxy option to get 
Squid to use its own IP when contacting that local server. It can still 
use the X-Forwarded-For header to get the client IP.


I'm not too clear on the details, but I think it has something to do 
with the packets not actually going through routing or some layers of 
the handling TPROXY needs when shifting between processes on the same 
machine. If you want to learn the details and get it going please 
contact the netfilter people to find out whats happening to the packets 
once they leave Squid.


Amos

Re: [squid-users] SQUID TPROXY option does not work when URL is on the same machine as SQUID

[Eliezer Croitoru]

you need to add a the first rule such as:
ip6tables -t mangle -A PREROUTING -p tcp -d (IP of the machine) --dport 
80 -j ACCEPT

= here all the other iptables rules =

Regards
Eliezer

On 05/03/2012 20:09, Vignesh Ramamurthy wrote:

Hello,

We are using squid to transparently proxy the traffic to a captive
portal that is residing on the same machine as the squid server. The
solution was working based on a NAT REDIRECT . We are moving the
solution to TPROXY based now as part of migration to IPv6. The TPROXY
works fine in intercepting traffic and also successfully able to allow
/ deny traffic to IPv6 sites. We are facing a strange issue when we
try to access a URL in the same machine that hosts the squid server.
The acces hangs and squid is not able to connect to the URL. We are
having AOL webserver to host the webpage.

All the configurations as recommended by the squid sites are done.
-  Firewall rules with TPROXY and DIVERT chian has been setup as below

ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT
ip6tables -t mangle -A PREROUTING  -i eth0.20 -p tcp --dport 80 -j
TPROXY --tproxy-mark 0x1/0x1 --on-port 8085
ip6tables -t mangle -A PREROUTING -j ACCEPT

-  Policy routing to route proxied traffic to the local box is also
done as recommended
16383:  from all fwmark 0x1 lookup 100
16390:  from all lookup local
32766:  from all lookup main

ip -6 route show table 100
local default dev lo  metric 1024
local default dev eth0.20  metric 1024


Squid configuration used is standard and have provided below a
snapshot of cache.log. Running squid in full debug level with max
logging. I have provided the final set of logs for this transaction.
The URL accessed in the test is
http://[2001:4b8:1::549]/sample_page.adp.

Appreciate any assistance / pointers to solve this. Please do let me
know if any additional information is required.

2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST:
-
GET /sample_page.adp HTTP/1.1
User-Agent: w3m/0.5.2
Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: [2001:4b8:1::549]
Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519)
X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc
Cache-Control: max-age=259200
Connection: keep-alive


--
2012/03/05 04:29:26.320 kid1| Write.cc(21) Write:
local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673
remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall
0x871f6e8*1
2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13,
type=2, handler=1, client_data=0x84df560, timeout=0
2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7]
2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start()
2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace
constructed, this=0x871ff48 [call204]
2012/03/05 04:29:26.321 kid1| event.cc(261) will call
MaintainSwapSpace() [call204]
2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace()
2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call
MaintainSwapSpace [call204]
2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding
'MaintainSwapSpace', in 1.00 seconds
2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace()
2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools
constructed, this=0x871ff48 [call205]
2012/03/05 04:29:27.149 kid1| event.cc(261) will call
memPoolCleanIdlePools() [call205]
2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools()
2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call
memPoolCleanIdlePools [call205]
2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding
'memPoolCleanIdlePools', in 15.00 seconds
2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools()
2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru
constructed, this=0x871ff48 [call206]
2012/03/05 04:29:27.165 kid1| event.cc(261) will call
fqdncache_purgelru() [call206]
2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru()
2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call
fqdncache_purgelru [call206]
2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding
'fqdncache_purgelru', in 10.00 seconds
2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru()

[squid-users] SQUID TPROXY not working when URL is hosted on the same machine running SQUID

[Vignesh Ramamurthy]

Hello,

We are using squid to transparently proxy the traffic to a captive
portal that is residing on the same machine as the squid server. The
solution was working based on a NAT REDIRECT . We are moving the
solution to TPROXY based now as part of migration to IPv6. The TPROXY
works fine in intercepting traffic and also successfully able to allow
/ deny traffic to IPv6 sites. We are facing a strange issue when we
try to access a URL in the same machine that hosts the squid server.
The acces hangs and squid is not able to connect to the URL. We are
having AOL webserver to host the webpage.

All the configurations as recommended by the squid sites are done.
- Firewall rules with TPROXY and DIVERT chian has been setup as below

ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT
ip6tables -t mangle -A PREROUTING  -i eth0.20 -p tcp --dport 80 -j
TPROXY --tproxy-mark 0x1/0x1 --on-port 8085
ip6tables -t mangle -A PREROUTING -j ACCEPT

- Policy routing to route proxied traffic to the local box is also
done as recommended
16383:  from all fwmark 0x1 lookup 100
16390:  from all lookup local
32766:  from all lookup main

ip -6 route show table 100
local default dev lo  metric 1024
local default dev eth0.20  metric 1024


Squid configuration used is standard and have provided below a
snapshot of cache.log. Running squid in full debug level with max
logging. I have provided the final set of logs for this transaction.
The URL accessed in the test is
http://[2001:4b8:1::549]/sample_page.adp.

Appreciate any assistance / pointers to solve this. Please do let me
know if any additional information is required.

--
cache.log-
2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST:
-
GET /sample_page.adp HTTP/1.1
User-Agent: w3m/0.5.2
Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: [2001:4b8:1::549]
Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519)
X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc
Cache-Control: max-age=259200
Connection: keep-alive


--
2012/03/05 04:29:26.320 kid1| Write.cc(21) Write:
local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673
remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall
0x871f6e8*1
2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13,
type=2, handler=1, client_data=0x84df560, timeout=0
2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7]
2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start()
2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace
constructed, this=0x871ff48 [call204]
2012/03/05 04:29:26.321 kid1| event.cc(261) will call
MaintainSwapSpace() [call204]
2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace()
2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call
MaintainSwapSpace [call204]
2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding
'MaintainSwapSpace', in 1.00 seconds
2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace()
2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools
constructed, this=0x871ff48 [call205]
2012/03/05 04:29:27.149 kid1| event.cc(261) will call
memPoolCleanIdlePools() [call205]
2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools()
2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call
memPoolCleanIdlePools [call205]
2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding
'memPoolCleanIdlePools', in 15.00 seconds
2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools()
2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru
constructed, this=0x871ff48 [call206]
2012/03/05 04:29:27.165 kid1| event.cc(261) will call
fqdncache_purgelru() [call206]
2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru()
2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call
fqdncache_purgelru [call206]
2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding
'fqdncache_purgelru', in 10.00 seconds
2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru()

Best Regards,
Vignesh

[squid-users] SQUID TPROXY option does not work when URL is on the same machine as SQUID

[Vignesh Ramamurthy]

Hello,

We are using squid to transparently proxy the traffic to a captive
portal that is residing on the same machine as the squid server. The
solution was working based on a NAT REDIRECT . We are moving the
solution to TPROXY based now as part of migration to IPv6. The TPROXY
works fine in intercepting traffic and also successfully able to allow
/ deny traffic to IPv6 sites. We are facing a strange issue when we
try to access a URL in the same machine that hosts the squid server.
The acces hangs and squid is not able to connect to the URL. We are
having AOL webserver to host the webpage.

All the configurations as recommended by the squid sites are done.
- Firewall rules with TPROXY and DIVERT chian has been setup as below

ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark 1
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -m tos --tos 0x20 -j ACCEPT
ip6tables -t mangle -A PREROUTING  -i eth0.20 -p tcp --dport 80 -j
TPROXY --tproxy-mark 0x1/0x1 --on-port 8085
ip6tables -t mangle -A PREROUTING -j ACCEPT

- Policy routing to route proxied traffic to the local box is also
done as recommended
16383:  from all fwmark 0x1 lookup 100
16390:  from all lookup local
32766:  from all lookup main

ip -6 route show table 100
local default dev lo  metric 1024
local default dev eth0.20  metric 1024


Squid configuration used is standard and have provided below a
snapshot of cache.log. Running squid in full debug level with max
logging. I have provided the final set of logs for this transaction.
The URL accessed in the test is
http://[2001:4b8:1::549]/sample_page.adp.

Appreciate any assistance / pointers to solve this. Please do let me
know if any additional information is required.

2012/03/05 04:29:26.320 kid1| HTTP Server REQUEST:
-
GET /sample_page.adp HTTP/1.1
User-Agent: w3m/0.5.2
Accept: text/html, text/*;q=0.5, image/*, application/*, audio/*, multipart/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: [2001:4b8:1::549]
Via: 1.0 nmd.tst26.aus.wayport.net (squid/3.2.0.15-20120228-r11519)
X-Forwarded-For: 2001:4b8:1:5:250:56ff:feb2:2cfc
Cache-Control: max-age=259200
Connection: keep-alive


--
2012/03/05 04:29:26.320 kid1| Write.cc(21) Write:
local=[2001:4b8:1:5:250:56ff:feb2:2cfc]:43673
remote=[2001:4b8:1::549]:80 FD 13 flags=25: sz 417: asynCall
0x871f6e8*1
2012/03/05 04:29:26.320 kid1| ModPoll.cc(149) SetSelect: FD 13,
type=2, handler=1, client_data=0x84df560, timeout=0
2012/03/05 04:29:26.320 kid1| HttpStateData status out: [ job7]
2012/03/05 04:29:26.321 kid1| leaving AsyncJob::start()
2012/03/05 04:29:26.321 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:26.321 kid1| The AsyncCall MaintainSwapSpace
constructed, this=0x871ff48 [call204]
2012/03/05 04:29:26.321 kid1| event.cc(261) will call
MaintainSwapSpace() [call204]
2012/03/05 04:29:26.321 kid1| entering MaintainSwapSpace()
2012/03/05 04:29:26.321 kid1| AsyncCall.cc(34) make: make call
MaintainSwapSpace [call204]
2012/03/05 04:29:26.321 kid1| event.cc(344) schedule: schedule: Adding
'MaintainSwapSpace', in 1.00 seconds
2012/03/05 04:29:26.321 kid1| leaving MaintainSwapSpace()
2012/03/05 04:29:27.149 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.149 kid1| The AsyncCall memPoolCleanIdlePools
constructed, this=0x871ff48 [call205]
2012/03/05 04:29:27.149 kid1| event.cc(261) will call
memPoolCleanIdlePools() [call205]
2012/03/05 04:29:27.149 kid1| entering memPoolCleanIdlePools()
2012/03/05 04:29:27.149 kid1| AsyncCall.cc(34) make: make call
memPoolCleanIdlePools [call205]
2012/03/05 04:29:27.150 kid1| event.cc(344) schedule: schedule: Adding
'memPoolCleanIdlePools', in 15.00 seconds
2012/03/05 04:29:27.150 kid1| leaving memPoolCleanIdlePools()
2012/03/05 04:29:27.165 kid1| event.cc(252) checkEvents: checkEvents
2012/03/05 04:29:27.165 kid1| The AsyncCall fqdncache_purgelru
constructed, this=0x871ff48 [call206]
2012/03/05 04:29:27.165 kid1| event.cc(261) will call
fqdncache_purgelru() [call206]
2012/03/05 04:29:27.165 kid1| entering fqdncache_purgelru()
2012/03/05 04:29:27.165 kid1| AsyncCall.cc(34) make: make call
fqdncache_purgelru [call206]
2012/03/05 04:29:27.165 kid1| event.cc(344) schedule: schedule: Adding
'fqdncache_purgelru', in 10.00 seconds
2012/03/05 04:29:27.166 kid1| leaving fqdncache_purgelru()

[squid-users] squid tproxy is not spoofing the client IP

[nipun_mlist Assam]

I am trying to setup squid with tproxy. But I see that the client IP
is not getting spoofed. Other stuffs work fine, i.e. squid listens on
a transparent socket, but while creating the outgoing connection squid
doesn't spoof the client IP.

Below is my config file
#

acl manager proto cache_object
acl localhost src 127.0.0.1/32
http_port  11181 ssl-bump cert=/extra/squid/etc/Centos6.0.pem
http_port  85 tproxy
http_port  86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy
pid_filename /extra/squid/var/squid.pid
cache_effective_user squid
cache_effective_group squid
logfile_rotate 5
debug_options ALL,9
coredump_dir /extra/squid/var/
visible_hostname squidhost
access_log /extra/squid/var/logs/access.log
cache_log /extra/squid/var/logs/cache.log
visible_hostname r810
sslproxy_flags DONT_VERIFY_PEER
http_access allow manager localhost
http_access deny manager
http_access allow all
ssl_bump allow all
always_direct allow all
sslproxy_cert_error allow all
#==

Also, following are the commands to set the iptables configuration:
===
 iptables -t mangle -N DIVERT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT
 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100
 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 85
 iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 86


Routing related flags are set like:
==
echo 0  /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1  /proc/sys/net/ipv4/ip_forward
echo 1  /proc/sys/net/ipv4/conf/all/forwarding


Regards,
Nipun
Bangalore

Re: [squid-users] squid tproxy

[benjamin fernandis]

  Hi Amos,

Thanks for your kind response.As per your reply ,i set rp_filter value 2
.But no luck.

And then i tried for bridge mode in that i can see traffic in tproxy
iptables rules, but i m not getting requests in squid access.log

my os : fedora 15 64 bit
kernel:  2.6.40.4-5.fc15.x86_64
squid : Squid Cache: Version 3.1.15


As per your before suggestions, i used latest kernel and latest squid
version.But still same issue i  am facing.Please please guide me to
solve this problem.

Regards,
Benjamin



On Sat, Sep 24, 2011 at 11:03 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On Fri, 23 Sep 2011 16:49:24 +0530, benjamin fernandis wrote:

 Hi All,

 I am trying to deploy squid with existing network for cache gain and
 tproxy feature.I configured squid properly there is no error.I can see
 traffic in access.log and iptables tproxy rule but at end users end
 they are getting squid error page with request time out.

 What could be the mistake behind this problem.?

 Is there anything remaining in squid?

 It has recently been brought to my attentino that the rp_filter system
 underwent a re-designe in kernel 2.6.32 and what we had in the wiki is doing
 the opposite (strict blocking) of what we wanted (loose checks default, none
 on the interface). Check your rp_filter values they should be 2 now where
 previously we were advising 1, and 0 on the interface where TPROXY is
 happening.



 reference : http://wiki.squid-cache.org/Features/Tproxy4


 squid version: 3.1.15
 os : fedora 15


 Squid in network:

     ROUTER    PBR CONFIGURATION  ( FOR port 80 traffic
 pass to squid from bandwith shapper , for port 80 traffic pass
 internet to squid)
          |
          |
       SWITCH
        |  |
        |  | -SQUID BOX
        |
    BANDWITH
     SHAPPER
        |
        |
 END USERS



 Kindly guide me to solve this abnormal problem.


 Thanks,
 Benjamin

Re: [squid-users] squid tproxy

[benjamin fernandis]

Hi Amos,

One input from my side.

Current network is ISP network and they having BGP routed public ip
pool.So does it has any conflict with them.?

Because traffic comes into tproxy iptables rules means marking dones
is good but requests are not coming into squid access.log.

Best Regards,
Benjamin


On Sun, Sep 25, 2011 at 6:43 PM, benjamin fernandis
benjo11...@gmail.com wrote:
  Hi Amos,

 Thanks for your kind response.As per your reply ,i set rp_filter value 2
 .But no luck.

 And then i tried for bridge mode in that i can see traffic in tproxy
 iptables rules, but i m not getting requests in squid access.log

 my os : fedora 15 64 bit
 kernel:  2.6.40.4-5.fc15.x86_64
 squid : Squid Cache: Version 3.1.15


 As per your before suggestions, i used latest kernel and latest squid
 version.But still same issue i  am facing.Please please guide me to
 solve this problem.

 Regards,
 Benjamin



 On Sat, Sep 24, 2011 at 11:03 AM, Amos Jeffries squ...@treenet.co.nz wrote:
 On Fri, 23 Sep 2011 16:49:24 +0530, benjamin fernandis wrote:

 Hi All,

 I am trying to deploy squid with existing network for cache gain and
 tproxy feature.I configured squid properly there is no error.I can see
 traffic in access.log and iptables tproxy rule but at end users end
 they are getting squid error page with request time out.

 What could be the mistake behind this problem.?

 Is there anything remaining in squid?

 It has recently been brought to my attentino that the rp_filter system
 underwent a re-designe in kernel 2.6.32 and what we had in the wiki is doing
 the opposite (strict blocking) of what we wanted (loose checks default, none
 on the interface). Check your rp_filter values they should be 2 now where
 previously we were advising 1, and 0 on the interface where TPROXY is
 happening.



 reference : http://wiki.squid-cache.org/Features/Tproxy4


 squid version: 3.1.15
 os : fedora 15


 Squid in network:

     ROUTER    PBR CONFIGURATION  ( FOR port 80 traffic
 pass to squid from bandwith shapper , for port 80 traffic pass
 internet to squid)
          |
          |
       SWITCH
        |  |
        |  | -SQUID BOX
        |
    BANDWITH
     SHAPPER
        |
        |
 END USERS



 Kindly guide me to solve this abnormal problem.


 Thanks,
 Benjamin

[squid-users] squid tproxy

[benjamin fernandis]

Hi All,

I am trying to deploy squid with existing network for cache gain and
tproxy feature.I configured squid properly there is no error.I can see
traffic in access.log and iptables tproxy rule but at end users end
they are getting squid error page with request time out.

What could be the mistake behind this problem.?

Is there anything remaining in squid?

reference : http://wiki.squid-cache.org/Features/Tproxy4


squid version: 3.1.15
os : fedora 15


Squid in network:



 ROUTER    PBR CONFIGURATION  ( FOR port 80 traffic
pass to squid from bandwith shapper , for port 80 traffic pass
internet to squid)
  |
  |
  |
  |
   SWITCH
|  |
|  |
|  | -SQUID BOX
|
BANDWITH
 SHAPPER
|
|
|
END USERS



Kindly guide me to solve this abnormal problem.


Thanks,
Benjamin

Re: [squid-users] squid tproxy

[Amos Jeffries]

On Fri, 23 Sep 2011 16:49:24 +0530, benjamin fernandis wrote:

Hi All,

I am trying to deploy squid with existing network for cache gain and
tproxy feature.I configured squid properly there is no error.I can 
see

traffic in access.log and iptables tproxy rule but at end users end
they are getting squid error page with request time out.

What could be the mistake behind this problem.?

Is there anything remaining in squid?


It has recently been brought to my attentino that the rp_filter system 
underwent a re-designe in kernel 2.6.32 and what we had in the wiki is 
doing the opposite (strict blocking) of what we wanted (loose checks 
default, none on the interface). Check your rp_filter values they should 
be 2 now where previously we were advising 1, and 0 on the 
interface where TPROXY is happening.





reference : http://wiki.squid-cache.org/Features/Tproxy4


squid version: 3.1.15
os : fedora 15


Squid in network:

 ROUTER    PBR CONFIGURATION  ( FOR port 80 traffic
pass to squid from bandwith shapper , for port 80 traffic pass
internet to squid)
  |
  |
   SWITCH
|  |
|  | -SQUID BOX
|
BANDWITH
 SHAPPER
|
|
END USERS



Kindly guide me to solve this abnormal problem.


Thanks,
Benjamin

[squid-users] squid tproxy problem

[benjamin fernandis]

Hi,

I configured squid for tproxy feature in my network with bridge mode.

I follow http://wiki.squid-cache.org/Features/Tproxy4

But I m not getting requests in access.log of squid.

My configuration:

cat /etc/squid/squid.conf

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

acl SSL_ports port 443
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443# https
acl Safe_ports port 70# gopher
acl Safe_ports port 210# wais
acl Safe_ports port 1025-65535# unregistered ports
acl Safe_ports port 280# http-mgmt
acl Safe_ports port 488# gss-http
acl Safe_ports port 591# filemaker
acl Safe_ports port 777# multiling http
acl CONNECT method CONNECT
acl mynetwork src '/etc/squid/mynetwork'
acl cache_deny dst '/etc/squid/deny1'


cache deny cache_deny
#
cache_mem 1024 MB


# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow mynetwork
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 tproxy

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /cache/squid 25600 32 512

# Leave coredumps in the first cache dir
coredump_dir /cache/squid
httpd_suppress_version_string on

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:144020%10080
refresh_pattern ^gopher:14400%1440
refresh_pattern -i (/cgi-bin/|\?) 00%0
refresh_pattern .020%4320

ip rule list
0:from all lookup local
32765:from all fwmark 0x1 lookup 100
32766:from all lookup main
32767:from all lookup default

iptables -L -nvx -t mangle
Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
pkts  bytes target prot opt in out source
 destination
   10993   689414 DIVERT tcp  --  *  *   0.0.0.0/0
   0.0.0.0/0   socket
   16765  1000259 TPROXY tcp  --  *  *   0.0.0.0/0
   0.0.0.0/0   tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark
0x1/0x1

Chain INPUT (policy ACCEPT 15122 packets, 1149717 bytes)
pkts  bytes target prot opt in out source
 destination

Chain FORWARD (policy ACCEPT 959996 packets, 79295677 bytes)
pkts  bytes target prot opt in out source
 destination

Chain OUTPUT (policy ACCEPT 28272 packets, 10090599 bytes)
pkts  bytes target prot opt in out source
 destination

Chain POSTROUTING (policy ACCEPT 988265 packets, 89386044 bytes)
pkts  bytes target prot opt in out source
 destination

Chain DIVERT (1 references)
pkts  bytes target prot opt in out source
 destination
   10993   689414 MARK   all  --  *  *   0.0.0.0/0
   0.0.0.0/0   MARK set 0x1
   10993   689414 ACCEPT all  --  *  *   0.0.0.0/0
   0.0.0.0/0


ebtables -t broute --list
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect

OS CENTOS 6 64 bit
squid : 3.1.4
KERNEL : 2.6.32-71.29.1.el6.x86_64


Please guide me.

Thanks,
Benjamin

RE: [squid-users] squid tproxy

[Ritter, Nicholas]

I'm here...can send you the steps if you like. I am troubleshooting some 
performance issues with it though.

Nicholas


-Original Message-
From: Benjamin [mailto:benjo11...@gmail.com] 
Sent: Monday, August 08, 2011 12:45 AM
To: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: Re: [squid-users] squid tproxy


  Hi,

Can we have contact information of Mr. Ritter for new config of squid tproxy 
with centos 6.

Regards,
Benajo

Re: [squid-users] squid tproxy

[Benjamin]

 Hi,

Can we have contact information of Mr. Ritter for new config of squid 
tproxy with centos 6.


Regards,
Benajo

Re: [squid-users] squid tproxy

[Amos Jeffries]

On 02/08/11 17:22, benjamin fernandis wrote:

Hi,

I want to configure squid tproxy as external device.So for that what
changes do i need to follow in iptables rule and policy routing from
OS side?

Current Lab setup:
 WAN ROUTER
   |
  |
  |
   switch---LINUX 
MACHINE ( configured as router ) -- end users 
|
|
 squid

Currently i tried to follow squid wiki steps to configure tproxy.And i
can see traffic in squid access log but browsing not happening . even
i  m not seeing any traffic in iptables for tproxy rule.

Kindly guide me to solve this problem.


I want to deploy squid box as external device for getting cache
gain.So for that do i need to change anything in iptables or policy
routing?


Possibly, checklist below:

Squid needs to be setup as a third router box.

LINUX MACHINE:
  user subnet gateway - users
  default gateway - squid

squid:
  user subnet gateway - LINUX MACHINE
  default gateway - WAN ROUTER

WAN ROUTER:
  default gateway - WAN
  user subnet gateway - squid

Any smart switch functionality based on IPs disabled. Or at least 
tuned to not do things by users IP.


Policy routing on both WAN ROUTER and LINUX MACHINE. For non-80 ports 
lop-sided routing around the squid box is okay but best to avoid it.

 http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

 - DMZ config for LINUX MACHINE.
 - internal amongst the clients config for WAN ROUTER.


OS : centos 6 32 bit
squid : 3.1.4


Mr Ritter has a new config for CentOS 6. Better than the one in the wiki 
right now. If its not updated soon, contact him for details.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.10

[squid-users] squid tproxy

[benjamin fernandis]

Hi,

I want to configure squid tproxy as external device.So for that what
changes do i need to follow in iptables rule and policy routing from
OS side?

Current Lab setup:
WAN ROUTER
  |
  |
  |
   switch---LINUX 
MACHINE ( configured as router ) -- end users 
|
|
 squid

Currently i tried to follow squid wiki steps to configure tproxy.And i
can see traffic in squid access log but browsing not happening . even
i  m not seeing any traffic in iptables for tproxy rule.

Kindly guide me to solve this problem.


I want to deploy squid box as external device for getting cache
gain.So for that do i need to change anything in iptables or policy
routing?

OS : centos 6 32 bit
squid : 3.1.4

Thanks,
Benjo

Re: [squid-users] Squid + Tproxy + Bridge mode + squidguard

[Francisco André Barbosa Neto]

Hi Amos!

I'm writing to thank you for give me the solution. I reconfigure
squidguard to redirect with the 302 code as you can see below and now the
redirecting the blocked sites is working ok in my proxy setup!

Thank you very very much!!

Squidguard.conf used now:

dbhome /var/lib/squidguard
logdir /var/log/squidguard

src admin {
ip  192.168.10.96
ip  192.168.10.57
}

dest negados {
domainlist negados
}

acl {
admin {
pass !negados all
redirect 302:http://192.168.10.61:90/negado.html
}

default {
pass  none
redirect 302:http://192.168.10.61:90/negado.html
}
}



--
Francisco André Barbosa Neto
fn...@getsmart.com.br mailto:fn...@networkexplorer.com.br
Get Smart IT Solutions
http://www.getsmart.com.br http://www.getsmart.com.br/
Fone: 55-11-4655-2232
--

[squid-users] Squid + Tproxy + Bridge mode + squidguard

[Francisco André Barbosa Neto]

Hi all I'm new to the list and I decided to write here because I'm with a
big trouble!

I have installed an squid in bridge mode with tproxy support.

Everything is working ok, but I'm using in the same squid proxy squidguard
as an redirector.

The problem is when the client try to access an url that is blocked squid
can't receive the redirect header and page stay loading for a long time
until squid return an error telling that is impossible to access the site
http://ip of my bridge interface/negado.html

If I click on the link the page opens normally!!

Does anybody have any clue about this problem???

Below is my server information:

CentOS 5.6
Kernel 2.6.31-14 with all the Tproxy support enabled and ok!
Iptables 1.4.10 with iptables supporte
Libcap 2.19 installed
Squid 3.1.8 with Tproxy support ok!

Routes.sh script (called from /etc/rc.d/rc.local
#!/bin/sh

ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -F
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
0x1/0x1 --on-port 3129

##!/bin/sh
CLIENT_IFACE=eth0
INET_IFACE=eth1

ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target ACCEPT

cd /proc/sys/net/bridge/

for i in *
 do
   echo 0  $i
 done
unset i


Changes in /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_acct = 1
net.ipv4.conf.lo.rp_filter = 0


Squidguard.conf
dbhome /var/lib/squidguard
logdir /var/log/squidguard

src admin {
ip  192.168.10.96
}

dest negados {
domainlist negados
}

acl {
admin {
pass !negados all
redirect http://192.168.10.61:90/negado.html
}

default {
pass  none
redirect http://192.168.10.61:90/negado.html
}
}


Apache is listening on port 90, I've already tried in port 80 without
success too

Squid.conf (relevant part only)
http_port 3128
http_port 3129 tproxy
tcp_outgoing_address 192.168.10.61
icp_port 3130

url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
url_rewrite_children 5


acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535 8083 88 90
acl CONNECT method CONNECT
#acl msn url_regex -i /gateway/gateway.dll
#acl autenticado proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#acl liberados src 192.168.0.71 192.168.0.99
acl our_networks src 192.168.10.0/24
#http_access allow liberados
#http_access deny msn
#http_access allow autenticado
http_access allow our_networks
http_access deny all
http_reply_access allow our_networks
icp_access allow all
miss_access allow all


Thanks!!



--
Francisco André Barbosa Neto
fn...@getsmart.com.br mailto:fn...@networkexplorer.com.br
Get Smart IT Solutions
http://www.getsmart.com.br http://www.getsmart.com.br/
Fone: 55-11-4655-2232
--

Re: [squid-users] Squid + Tproxy + Bridge mode + squidguard

[Amos Jeffries]

On 01/07/11 05:57, Francisco André Barbosa Neto wrote:

Hi all I'm new to the list and I decided to write here because I'm with a
big trouble!

I have installed an squid in bridge mode with tproxy support.

Everything is working ok, but I'm using in the same squid proxy squidguard
as an redirector.

The problem is when the client try to access an url that is blocked squid
can't receive the redirect header and page stay loading for a long time
until squid return an error telling that is impossible to access the site
http://ip of my bridge interface/negado.html

If I click on the link the page opens normally!!

Does anybody have any clue about this problem???


Yes. Think about what TPROXY does

 It makes outgoing requests from Squid have the IP of the remote client 
which connected inwards.


When you redirect to http://192.168.10.61:90/negado.html with a 3xx 
HTTP status the client makes a new request. Retrieving the URL directly 
(port 90 not caught into Squid).


 When you rewrite AKA send Squid a URL without HTTP status. Squid 
will contact the new URLs server without informing the client.


 The server at 192.168.10.61:90 sees a connection coming from the 
client (faked by Squid) and sends its TCP SYNACK messages back to the 
client. Squid never gets them. The client sees unexpected TCP packets 
from a strange source and drops them for security reasons. Everything hangs.


Run SquidGuard on the command line and ensure it is producing 3xx status 
on redirected URLs.


Amos



Below is my server information:

CentOS 5.6
Kernel 2.6.31-14 with all the Tproxy support enabled and ok!
Iptables 1.4.10 with iptables supporte
Libcap 2.19 installed
Squid 3.1.8 with Tproxy support ok!

Routes.sh script (called from /etc/rc.d/rc.local
#!/bin/sh

ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -F
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
0x1/0x1 --on-port 3129

##!/bin/sh
CLIENT_IFACE=eth0
INET_IFACE=eth1

ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target ACCEPT

cd /proc/sys/net/bridge/

for i in *
  do
echo 0  $i
  done
unset i


Changes in /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_acct = 1
net.ipv4.conf.lo.rp_filter = 0


Squidguard.conf
dbhome /var/lib/squidguard
logdir /var/log/squidguard

src admin {
 ip  192.168.10.96
}

dest negados {
 domainlist negados
}

acl {
 admin {
 pass !negados all
 redirect http://192.168.10.61:90/negado.html
 }

 default {
 pass  none
 redirect http://192.168.10.61:90/negado.html
 }
}


Apache is listening on port 90, I've already tried in port 80 without
success too

Squid.conf (relevant part only)
http_port 3128
http_port 3129 tproxy
tcp_outgoing_address 192.168.10.61
icp_port 3130

url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
url_rewrite_children 5


acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535 8083 88 90
acl CONNECT method CONNECT
#acl msn url_regex -i /gateway/gateway.dll
#acl autenticado proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#acl liberados src 192.168.0.71 192.168.0.99
acl our_networks src 192.168.10.0/24
#http_access allow liberados
#http_access deny msn
#http_access allow autenticado
http_access allow our_networks
http_access deny all
http_reply_access allow our_networks
icp_access allow all
miss_access allow all


Thanks!!



--
Francisco André Barbosa Neto
fn...@getsmart.com.brmailto:fn...@networkexplorer.com.br
Get Smart IT Solutions
http://www.getsmart.com.brhttp://www.getsmart.com.br/
Fone: 55-11-4655-2232
--





--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3

Re: [squid-users] Squid + Tproxy + Bridge mode + squidguard

[Francisco André Barbosa Neto]

Hi Amos!

I will verify if the squidguard are returning the 3xx status tomorrow for
sure, but about the tcp port 90, I've tried to is on port 80 too but the
problem persists.

Is it the same behavior in this case?

Thanks!
--
Francisco André Barbosa Neto
fn...@getsmart.com.br mailto:fn...@networkexplorer.com.br
Get Smart IT Solutions
http://www.getsmart.com.br http://www.getsmart.com.br/
Fone: 55-11-4655-2232
--





From: Amos Jeffries squ...@treenet.co.nz
Date: Fri, 01 Jul 2011 13:26:10 +1200
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid + Tproxy + Bridge mode + squidguard


On 01/07/11 05:57, Francisco André Barbosa Neto wrote:
Hi all I'm new to the list and I decided to write here because I'm with a
big trouble!

I have installed an squid in bridge mode with tproxy support.

Everything is working ok, but I'm using in the same squid proxy
squidguard
as an redirector.

The problem is when the client try to access an url that is blocked squid
can't receive the redirect header and page stay loading for a long time
until squid return an error telling that is impossible to access the site
http://ip of my bridge interface/negado.html

If I click on the link the page opens normally!!

Does anybody have any clue about this problem???

Yes. Think about what TPROXY does

  It makes outgoing requests from Squid have the IP of the remote client
which connected inwards.

When you redirect to http://192.168.10.61:90/negado.html with a 3xx
HTTP status the client makes a new request. Retrieving the URL directly
(port 90 not caught into Squid).

  When you rewrite AKA send Squid a URL without HTTP status. Squid
will contact the new URLs server without informing the client.

  The server at 192.168.10.61:90 sees a connection coming from the
client (faked by Squid) and sends its TCP SYNACK messages back to the
client. Squid never gets them. The client sees unexpected TCP packets
from a strange source and drops them for security reasons. Everything
hangs.

Run SquidGuard on the command line and ensure it is producing 3xx status
on redirected URLs.

Amos


Below is my server information:

CentOS 5.6
Kernel 2.6.31-14 with all the Tproxy support enabled and ok!
Iptables 1.4.10 with iptables supporte
Libcap 2.19 installed
Squid 3.1.8 with Tproxy support ok!

Routes.sh script (called from /etc/rc.d/rc.local
#!/bin/sh

ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -F
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark
0x1/0x1 --on-port 3129

##!/bin/sh
CLIENT_IFACE=eth0
INET_IFACE=eth1

ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target ACCEPT

cd /proc/sys/net/bridge/

for i in *
   do
 echo 0  $i
   done
unset i


Changes in /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_acct = 1
net.ipv4.conf.lo.rp_filter = 0


Squidguard.conf
dbhome /var/lib/squidguard
logdir /var/log/squidguard

src admin {
  ip  192.168.10.96
}

dest negados {
  domainlist negados
}

acl {
  admin {
  pass !negados all
  redirect http://192.168.10.61:90/negado.html
  }

  default {
  pass  none
  redirect http://192.168.10.61:90/negado.html
  }
}


Apache is listening on port 90, I've already tried in port 80 without
success too

Squid.conf (relevant part only)
http_port 3128
http_port 3129 tproxy
tcp_outgoing_address 192.168.10.61
icp_port 3130

url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
url_rewrite_children 5


acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535 8083 88 90
acl CONNECT method CONNECT
#acl msn url_regex -i /gateway/gateway.dll
#acl autenticado proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#acl liberados src 192.168.0.71 192.168.0.99
acl our_networks src 192.168.10.0/24
#http_access allow liberados
#http_access deny msn
#http_access allow autenticado
http_access allow our_networks
http_access deny all
http_reply_access allow our_networks
icp_access allow all
miss_access allow all


Thanks!!



--
Francisco André Barbosa Neto
fn

Re: [squid-users] Squid + Tproxy + Bridge mode + squidguard

[Amos Jeffries]

On 01/07/11 15:05, Francisco André Barbosa Neto wrote:

Hi Amos!

I will verify if the squidguard are returning the 3xx status tomorrow for
sure, but about the tcp port 90, I've tried to is on port 80 too but the
problem persists.

Is it the same behavior in this case?


All depends on the presence or absence for that 30x. If its not there 
the port is irrelevant, if it is something else entirely is going on.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3

Re: [squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Dear Amos,
Hi
As the documentation suggests, I have used the following rules, but
except the first one, others fail:

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 10

Any ideas?

Warm Regards,
Ali Majdzadeh Kohbanani


2011/6/8 Ali Majdzadeh ali.majdza...@gmail.com

 Amos,
 Thanks for your reply. As you had depicted in the diagrams, I think
 you meant that the clients and the Squid box are both connected to the
 gateway through the switch, didn't you? If it is so, yes, they are
 connected, but the default gateway for the clients is set to the IP
 address of the Squid box.
 So, you mean we should insert a special firewall rule in our gateway
 in order to detect and bypass the Squid outward traffic by its MAC
 address, is that true? Does this method still preserves the clients'
 IP addresses?
 Sorry for my elementary questions and thanks in advance for your helpful 
 notes.

 Warm Regards,
 Ali

 2011/6/8 Ali Majdzadeh ali.majdza...@gmail.com:
  Amos,
  Thanks for your reply. As you had depicted in the diagrams, I think
  you meant that the clients and the Squid box are both connected to the
  gateway through the switch, didn't you? If it is so, yes, they are
  connected, but the default gateway for the clients is set to the IP
  address of the Squid box.
  So, you mean we should insert a special firewall rule in our gateway
  in order to detect and bypass the Squid outward traffic by its MAC
  address, is that true? Does this method still preserves the clients'
  IP addresses?
  Sorry for my elementary questions and thanks in advance for your helpful 
  notes.
 
  Warm Regards,
  Ali
 
  2011/6/8 Amos Jeffries squ...@treenet.co.nz:
  On 08/06/11 22:53, Ali Majdzadeh wrote:
 
  Amos,
  Hi
  Thanks for your reply. The Squid box has only one NIC and it is
  connected to the internet via it's default gateway, I think I should
  have corrected our network diagram as follows:
  Internet-  Gateway-  Squid-  Clients
  Does this configuration make any difference?
 
  That diagram is no different, but a 1-NIC squid box would be:
 
   Internet-Gateway-Clients.
   \-Squid
 
  or:
 
   Internet-Gateway--switch--Clients.
 \-Squid
 
 
  That makes a difference.
 
  If you bump cache.log up to ALL,5 during a test connection. You may see
  traffic arrive but then hang while connecting out.
 
   If you do see that behaviour in cache.log, the problems is at the gateway
  end. It MUST be able to detect and bypass the Squid outward traffic by MAC
  address or tcp_outgoing_tos instead of IP address.
 
  Amos
 
  Thanks again for your reply. I will try to reconfigure the whole
  solution from scratch to find out where I go wrong.
 
  Warm Regards,
  Ali Majdzadeh Kohbanani
 
  2011/6/8 Amos Jeffriessqu...@treenet.co.nz:
 
  On 08/06/11 01:15, Ali Majdzadeh wrote:
 
  Amos,
  The configuration is as follows:
  Internet-Squid-Clients
 
  Would you please clarify what you mean by declaring routing packets
  to the squid box?
 
  That the packets actually do get passed/routed through the squid box and
  not
  via some other possible route.
 
  Does the above configuration conform to the
  so-called declaration?
 
  If those are physical wires or even just logical routing table entries,
  yes
  it does.
 
  If it is so, what should be done to solve the
  issue?
 
  Your packet counter incrementing is a good sign that the ruting layer is
  okay.
 
  Thanks again.
  By the way, we have compiled libcap from source and it is the latest
  version of the library.
 
  Okay. That should do :).
 
 
  2011/6/6 Ali Majdzadehali.majdza...@gmail.com
 
  Amos,
  Sorry, the packet counter increments, I made a mistake, but still no
  logs either in access.log nor in cache.log.
 
 
  Given that you have a recent libcap. That means we must suspect the
  kernel
  handling once TPROXY marks the packets.
 
  The table 100 bit of the config has given a lot of people trouble.
  AFAIK
  normally you only have one such table entry and for TPROXY its internal
  to
  the kernel with the lo interface. BUT, some people have had to
  configure
  other interfaces to get it working.
 
  Try to add a table 100 (or whatever you called it) entry for each NIC the
  box has. If your kernel accepts them check access.log again.
 
  If your kernel denies multiple tables, erase the existing one and try
  creating one for each NIC. Repeating until you find one that works.
 
  OR, if that still fails. We have to get help from Balabit and/or
  Netfilter
  and figure WTF is happening.
 
  Amos
 
 
  Warm Regards,
  Ali Majdzadeh Kohbanani
 
  2011/6/6 Ali Majdzadehali.majdza...@gmail.com:
 
  Amos,
  Hi
  The packet counter on -j TPROXY does not increment. So, why clients
  are able to surf the web?
 
  Warm Regards,
  Ali Majdzadeh Kohbanani
 
  2011/6/6 Ali Majdzadehali.majdza...@gmail.com
 
  Amos,
  Hi
  Thanks for your reply. Ragarding 

Re: [squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Amos,
Sorry for the typo; here are the rules:

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/11 Ali Majdzadeh ali.majdza...@gmail.com:
 Dear Amos,
 Hi
 As the documentation suggests, I have used the following rules, but
 except the first one, others fail:

 ip rule add fwmark 1 lookup 100
 ip -f inet route add local 0.0.0.0/0 dev lo table 100
 ip -f inet route add local 0.0.0.0/0 dev eth0 table 10

 Any ideas?

 Warm Regards,
 Ali Majdzadeh Kohbanani


 2011/6/8 Ali Majdzadeh ali.majdza...@gmail.com

 Amos,
 Thanks for your reply. As you had depicted in the diagrams, I think
 you meant that the clients and the Squid box are both connected to the
 gateway through the switch, didn't you? If it is so, yes, they are
 connected, but the default gateway for the clients is set to the IP
 address of the Squid box.
 So, you mean we should insert a special firewall rule in our gateway
 in order to detect and bypass the Squid outward traffic by its MAC
 address, is that true? Does this method still preserves the clients'
 IP addresses?
 Sorry for my elementary questions and thanks in advance for your helpful 
 notes.

 Warm Regards,
 Ali

 2011/6/8 Ali Majdzadeh ali.majdza...@gmail.com:
  Amos,
  Thanks for your reply. As you had depicted in the diagrams, I think
  you meant that the clients and the Squid box are both connected to the
  gateway through the switch, didn't you? If it is so, yes, they are
  connected, but the default gateway for the clients is set to the IP
  address of the Squid box.
  So, you mean we should insert a special firewall rule in our gateway
  in order to detect and bypass the Squid outward traffic by its MAC
  address, is that true? Does this method still preserves the clients'
  IP addresses?
  Sorry for my elementary questions and thanks in advance for your helpful 
  notes.
 
  Warm Regards,
  Ali
 
  2011/6/8 Amos Jeffries squ...@treenet.co.nz:
  On 08/06/11 22:53, Ali Majdzadeh wrote:
 
  Amos,
  Hi
  Thanks for your reply. The Squid box has only one NIC and it is
  connected to the internet via it's default gateway, I think I should
  have corrected our network diagram as follows:
  Internet-  Gateway-  Squid-  Clients
  Does this configuration make any difference?
 
  That diagram is no different, but a 1-NIC squid box would be:
 
   Internet-Gateway-Clients.
   \-Squid
 
  or:
 
   Internet-Gateway--switch--Clients.
 \-Squid
 
 
  That makes a difference.
 
  If you bump cache.log up to ALL,5 during a test connection. You may see
  traffic arrive but then hang while connecting out.
 
   If you do see that behaviour in cache.log, the problems is at the gateway
  end. It MUST be able to detect and bypass the Squid outward traffic by MAC
  address or tcp_outgoing_tos instead of IP address.
 
  Amos
 
  Thanks again for your reply. I will try to reconfigure the whole
  solution from scratch to find out where I go wrong.
 
  Warm Regards,
  Ali Majdzadeh Kohbanani
 
  2011/6/8 Amos Jeffriessqu...@treenet.co.nz:
 
  On 08/06/11 01:15, Ali Majdzadeh wrote:
 
  Amos,
  The configuration is as follows:
  Internet-Squid-Clients
 
  Would you please clarify what you mean by declaring routing packets
  to the squid box?
 
  That the packets actually do get passed/routed through the squid box and
  not
  via some other possible route.
 
  Does the above configuration conform to the
  so-called declaration?
 
  If those are physical wires or even just logical routing table entries,
  yes
  it does.
 
  If it is so, what should be done to solve the
  issue?
 
  Your packet counter incrementing is a good sign that the ruting layer is
  okay.
 
  Thanks again.
  By the way, we have compiled libcap from source and it is the latest
  version of the library.
 
  Okay. That should do :).
 
 
  2011/6/6 Ali Majdzadehali.majdza...@gmail.com
 
  Amos,
  Sorry, the packet counter increments, I made a mistake, but still no
  logs either in access.log nor in cache.log.
 
 
  Given that you have a recent libcap. That means we must suspect the
  kernel
  handling once TPROXY marks the packets.
 
  The table 100 bit of the config has given a lot of people trouble.
  AFAIK
  normally you only have one such table entry and for TPROXY its 
  internal
  to
  the kernel with the lo interface. BUT, some people have had to
  configure
  other interfaces to get it working.
 
  Try to add a table 100 (or whatever you called it) entry for each NIC 
  the
  box has. If your kernel accepts them check access.log again.
 
  If your kernel denies multiple tables, erase the existing one and try
  creating one for each NIC. Repeating until you find one that works.
 
  OR, if that still fails. We have to get help from Balabit and/or
  Netfilter
  and figure WTF is happening.
 
  Amos
 
 
  Warm Regards,
  Ali Majdzadeh Kohbanani
 
  2011/6/6 

Re: [squid-users] Squid TProxy Problem

[Amos Jeffries]

On 08/06/11 22:53, Ali Majdzadeh wrote:

Amos,
Hi
Thanks for your reply. The Squid box has only one NIC and it is
connected to the internet via it's default gateway, I think I should
have corrected our network diagram as follows:
Internet-  Gateway-  Squid-  Clients
Does this configuration make any difference?


That diagram is no different, but a 1-NIC squid box would be:

 Internet-Gateway-Clients.
  \-Squid

or:

 Internet-Gateway--switch--Clients.
\-Squid


That makes a difference.

If you bump cache.log up to ALL,5 during a test connection. You may see 
traffic arrive but then hang while connecting out.


 If you do see that behaviour in cache.log, the problems is at the 
gateway end. It MUST be able to detect and bypass the Squid outward 
traffic by MAC address or tcp_outgoing_tos instead of IP address.


Amos


Thanks again for your reply. I will try to reconfigure the whole
solution from scratch to find out where I go wrong.

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/8 Amos Jeffriessqu...@treenet.co.nz:

On 08/06/11 01:15, Ali Majdzadeh wrote:


Amos,
The configuration is as follows:
Internet-Squid-Clients

Would you please clarify what you mean by declaring routing packets
to the squid box?


That the packets actually do get passed/routed through the squid box and not
via some other possible route.


Does the above configuration conform to the
so-called declaration?


If those are physical wires or even just logical routing table entries, yes
it does.


If it is so, what should be done to solve the
issue?


Your packet counter incrementing is a good sign that the ruting layer is
okay.


Thanks again.
By the way, we have compiled libcap from source and it is the latest
version of the library.


Okay. That should do :).



2011/6/6 Ali Majdzadehali.majdza...@gmail.com


Amos,
Sorry, the packet counter increments, I made a mistake, but still no
logs either in access.log nor in cache.log.



Given that you have a recent libcap. That means we must suspect the kernel
handling once TPROXY marks the packets.

The table 100 bit of the config has given a lot of people trouble. AFAIK
normally you only have one such table entry and for TPROXY its internal to
the kernel with the lo interface. BUT, some people have had to configure
other interfaces to get it working.

Try to add a table 100 (or whatever you called it) entry for each NIC the
box has. If your kernel accepts them check access.log again.

If your kernel denies multiple tables, erase the existing one and try
creating one for each NIC. Repeating until you find one that works.

OR, if that still fails. We have to get help from Balabit and/or Netfilter
and figure WTF is happening.

Amos



Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadehali.majdza...@gmail.com:


Amos,
Hi
The packet counter on -j TPROXY does not increment. So, why clients
are able to surf the web?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadehali.majdza...@gmail.com


Amos,
Hi
Thanks for your reply. Ragarding the documentation, I have inserted
the following routing rules:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Now, access.log is populated with proper logs, but clients can not
surf the web, I mean the proxy server is unable to forward http
responses to clients' browsers. When the client enters for example
www.google.com, the connection to the http server is established but
the process halts at Waiting for www.google.com and after a while
Squid reports the unablility to retreive the requested URL.
By the way, we have disabled selinux.
Any ideas?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Amos Jeffriessqu...@treenet.co.nz:


On 06/06/11 06:32, Ali Majdzadeh wrote:


Hello All,
I have setup the following configuration:
Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
configure option)
Kernel (2.6.38.3)
iptables (1.4.11)

I have added the following two directives in squid.conf:
http_port 3128
http_port 3129 tproxy

Also, I have configured iptables with the following rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129

Everything work as expected, I mean, the users can surf the web and
the proxy server is transparent. The problem is that actually there
is
no caching. I mean, both cache.log and access.log files are empty. On


That would be transparency to the point of not going through the
proxy.
access.log should have entries for each request.


the other hand, if I manually set the proxy configuration in clients'
browsers (the IP address of the squid server and port number 3128)
everything is OK; the log files are incremented and objects are
cached.

Have anyone faced the same issue?


Some. Its usually boiled down to 

Re: [squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Amos,
Thanks for your reply. As you had depicted in the diagrams, I think
you meant that the clients and the Squid box are both connected to the
gateway through the switch, didn't you? If it is so, yes, they are
connected, but the default gateway for the clients is set to the IP
address of the Squid box.
So, you mean we should insert a special firewall rule in our gateway
in order to detect and bypass the Squid outward traffic by its MAC
address, is that true? Does this method still preserves the clients'
IP addresses?
Sorry for my elementary questions and thanks in advance for your helpful notes.

Warm Regards,
Ali

2011/6/8 Ali Majdzadeh ali.majdza...@gmail.com:
 Amos,
 Thanks for your reply. As you had depicted in the diagrams, I think
 you meant that the clients and the Squid box are both connected to the
 gateway through the switch, didn't you? If it is so, yes, they are
 connected, but the default gateway for the clients is set to the IP
 address of the Squid box.
 So, you mean we should insert a special firewall rule in our gateway
 in order to detect and bypass the Squid outward traffic by its MAC
 address, is that true? Does this method still preserves the clients'
 IP addresses?
 Sorry for my elementary questions and thanks in advance for your helpful 
 notes.

 Warm Regards,
 Ali

 2011/6/8 Amos Jeffries squ...@treenet.co.nz:
 On 08/06/11 22:53, Ali Majdzadeh wrote:

 Amos,
 Hi
 Thanks for your reply. The Squid box has only one NIC and it is
 connected to the internet via it's default gateway, I think I should
 have corrected our network diagram as follows:
 Internet-  Gateway-  Squid-  Clients
 Does this configuration make any difference?

 That diagram is no different, but a 1-NIC squid box would be:

  Internet-Gateway-Clients.
              \-Squid

 or:

  Internet-Gateway--switch--Clients.
                        \-Squid


 That makes a difference.

 If you bump cache.log up to ALL,5 during a test connection. You may see
 traffic arrive but then hang while connecting out.

  If you do see that behaviour in cache.log, the problems is at the gateway
 end. It MUST be able to detect and bypass the Squid outward traffic by MAC
 address or tcp_outgoing_tos instead of IP address.

 Amos

 Thanks again for your reply. I will try to reconfigure the whole
 solution from scratch to find out where I go wrong.

 Warm Regards,
 Ali Majdzadeh Kohbanani

 2011/6/8 Amos Jeffriessqu...@treenet.co.nz:

 On 08/06/11 01:15, Ali Majdzadeh wrote:

 Amos,
 The configuration is as follows:
 Internet-    Squid-    Clients

 Would you please clarify what you mean by declaring routing packets
 to the squid box?

 That the packets actually do get passed/routed through the squid box and
 not
 via some other possible route.

 Does the above configuration conform to the
 so-called declaration?

 If those are physical wires or even just logical routing table entries,
 yes
 it does.

 If it is so, what should be done to solve the
 issue?

 Your packet counter incrementing is a good sign that the ruting layer is
 okay.

 Thanks again.
 By the way, we have compiled libcap from source and it is the latest
 version of the library.

 Okay. That should do :).


 2011/6/6 Ali Majdzadehali.majdza...@gmail.com

 Amos,
 Sorry, the packet counter increments, I made a mistake, but still no
 logs either in access.log nor in cache.log.


 Given that you have a recent libcap. That means we must suspect the
 kernel
 handling once TPROXY marks the packets.

 The table 100 bit of the config has given a lot of people trouble.
 AFAIK
 normally you only have one such table entry and for TPROXY its internal
 to
 the kernel with the lo interface. BUT, some people have had to
 configure
 other interfaces to get it working.

 Try to add a table 100 (or whatever you called it) entry for each NIC the
 box has. If your kernel accepts them check access.log again.

 If your kernel denies multiple tables, erase the existing one and try
 creating one for each NIC. Repeating until you find one that works.

 OR, if that still fails. We have to get help from Balabit and/or
 Netfilter
 and figure WTF is happening.

 Amos


 Warm Regards,
 Ali Majdzadeh Kohbanani

 2011/6/6 Ali Majdzadehali.majdza...@gmail.com:

 Amos,
 Hi
 The packet counter on -j TPROXY does not increment. So, why clients
 are able to surf the web?

 Warm Regards,
 Ali Majdzadeh Kohbanani

 2011/6/6 Ali Majdzadehali.majdza...@gmail.com

 Amos,
 Hi
 Thanks for your reply. Ragarding the documentation, I have inserted
 the following routing rules:
 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100
 Now, access.log is populated with proper logs, but clients can not
 surf the web, I mean the proxy server is unable to forward http
 responses to clients' browsers. When the client enters for example
 www.google.com, the connection to the http server is established but
 the process halts at Waiting for www.google.com and after a while
 Squid reports the unablility to 

Re: [squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Amos,
The configuration is as follows:
Internet - Squid - Clients

Would you please clarify what you mean by declaring routing packets
to the squid box? Does the above configuration conform to the
so-called declaration? If it is so, what should be done to solve the
issue?
Thanks again.
By the way, we have compiled libcap from source and it is the latest
version of the library.


Warm Regards,
Ali Majdzadeh Kohbanani


2011/6/6 Ali Majdzadeh ali.majdza...@gmail.com

 Amos,
 Sorry, the packet counter increments, I made a mistake, but still no
 logs either in access.log nor in cache.log.

 Warm Regards,
 Ali Majdzadeh Kohbanani

 2011/6/6 Ali Majdzadeh ali.majdza...@gmail.com:
  Amos,
  Hi
  The packet counter on -j TPROXY does not increment. So, why clients
  are able to surf the web?
 
  Warm Regards,
  Ali Majdzadeh Kohbanani
 
  2011/6/6 Ali Majdzadeh ali.majdza...@gmail.com
 
  Amos,
  Hi
  Thanks for your reply. Ragarding the documentation, I have inserted
  the following routing rules:
  ip rule add fwmark 1 lookup 100
  ip route add local 0.0.0.0/0 dev lo table 100
  Now, access.log is populated with proper logs, but clients can not
  surf the web, I mean the proxy server is unable to forward http
  responses to clients' browsers. When the client enters for example
  www.google.com, the connection to the http server is established but
  the process halts at Waiting for www.google.com and after a while
  Squid reports the unablility to retreive the requested URL.
  By the way, we have disabled selinux.
  Any ideas?
 
  Warm Regards,
  Ali Majdzadeh Kohbanani
 
  2011/6/6 Amos Jeffries squ...@treenet.co.nz:
   On 06/06/11 06:32, Ali Majdzadeh wrote:
  
   Hello All,
   I have setup the following configuration:
   Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
   configure option)
   Kernel (2.6.38.3)
   iptables (1.4.11)
  
   I have added the following two directives in squid.conf:
   http_port 3128
   http_port 3129 tproxy
  
   Also, I have configured iptables with the following rules:
   iptables -t mangle -N DIVERT
   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
   iptables -t mangle -A DIVERT -j MARK --set-mark 1
   iptables -t mangle -A DIVERT -j ACCEPT
   iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
   --tproxy-mark 0x1/0x1 --on-port 3129
  
   Everything work as expected, I mean, the users can surf the web and
   the proxy server is transparent. The problem is that actually there is
   no caching. I mean, both cache.log and access.log files are empty. On
  
   That would be transparency to the point of not going through the proxy.
   access.log should have entries for each request.
  
   the other hand, if I manually set the proxy configuration in clients'
   browsers (the IP address of the squid server and port number 3128)
   everything is OK; the log files are incremented and objects are
   cached.
  
   Have anyone faced the same issue?
  
   Some. Its usually boiled down to missing out some details omitted. 
   building
   against libcap2 or routing packets to the squid box for example.
  
   Are the packet counters on that -j TPROXY rule showing captures?
  
   Did you follow the rest of the feature config?
    ie the special sub-routing table? OS packet filtering toggles? selinux
   updated to allow tproxy?
  
   Is this box even routing or bridging port 80 traffic for the network?
  
   Amos
   --
   Please be using
    Current Stable Squid 2.7.STABLE9 or 3.1.12
    Beta testers wanted for 3.2.0.8 and 3.1.12.2
  
 

Re: [squid-users] Squid TProxy Problem

[Amos Jeffries]

On 08/06/11 01:15, Ali Majdzadeh wrote:

Amos,
The configuration is as follows:
Internet-  Squid-  Clients

Would you please clarify what you mean by declaring routing packets
to the squid box?


That the packets actually do get passed/routed through the squid box and 
not via some other possible route.



Does the above configuration conform to the
so-called declaration?


If those are physical wires or even just logical routing table entries, 
yes it does.



If it is so, what should be done to solve the
issue?


Your packet counter incrementing is a good sign that the ruting layer is 
okay.



Thanks again.
By the way, we have compiled libcap from source and it is the latest
version of the library.


Okay. That should do :).



2011/6/6 Ali Majdzadehali.majdza...@gmail.com


Amos,
Sorry, the packet counter increments, I made a mistake, but still no
logs either in access.log nor in cache.log.



Given that you have a recent libcap. That means we must suspect the 
kernel handling once TPROXY marks the packets.


The table 100 bit of the config has given a lot of people trouble. 
AFAIK normally you only have one such table entry and for TPROXY its 
internal to the kernel with the lo interface. BUT, some people have 
had to configure other interfaces to get it working.


Try to add a table 100 (or whatever you called it) entry for each NIC 
the box has. If your kernel accepts them check access.log again.


If your kernel denies multiple tables, erase the existing one and try 
creating one for each NIC. Repeating until you find one that works.


OR, if that still fails. We have to get help from Balabit and/or 
Netfilter and figure WTF is happening.


Amos



Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadehali.majdza...@gmail.com:

Amos,
Hi
The packet counter on -j TPROXY does not increment. So, why clients
are able to surf the web?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadehali.majdza...@gmail.com


Amos,
Hi
Thanks for your reply. Ragarding the documentation, I have inserted
the following routing rules:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Now, access.log is populated with proper logs, but clients can not
surf the web, I mean the proxy server is unable to forward http
responses to clients' browsers. When the client enters for example
www.google.com, the connection to the http server is established but
the process halts at Waiting for www.google.com and after a while
Squid reports the unablility to retreive the requested URL.
By the way, we have disabled selinux.
Any ideas?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Amos Jeffriessqu...@treenet.co.nz:

On 06/06/11 06:32, Ali Majdzadeh wrote:


Hello All,
I have setup the following configuration:
Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
configure option)
Kernel (2.6.38.3)
iptables (1.4.11)

I have added the following two directives in squid.conf:
http_port 3128
http_port 3129 tproxy

Also, I have configured iptables with the following rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129

Everything work as expected, I mean, the users can surf the web and
the proxy server is transparent. The problem is that actually there is
no caching. I mean, both cache.log and access.log files are empty. On


That would be transparency to the point of not going through the proxy.
access.log should have entries for each request.


the other hand, if I manually set the proxy configuration in clients'
browsers (the IP address of the squid server and port number 3128)
everything is OK; the log files are incremented and objects are
cached.

Have anyone faced the same issue?


Some. Its usually boiled down to missing out some details omitted. building
against libcap2 or routing packets to the squid box for example.

Are the packet counters on that -j TPROXY rule showing captures?

Did you follow the rest of the feature config?
  ie the special sub-routing table? OS packet filtering toggles? selinux
updated to allow tproxy?

Is this box even routing or bridging port 80 traffic for the network?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2






--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2

Re: [squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Amos,
Hi
Thanks for your reply. Ragarding the documentation, I have inserted
the following routing rules:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Now, access.log is populated with proper logs, but clients can not
surf the web, I mean the proxy server is unable to forward http
responses to clients' browsers. When the client enters for example
www.google.com, the connection to the http server is established but
the process halts at Waiting for www.google.com and after a while
Squid reports the unablility to retreive the requested URL.
By the way, we have disabled selinux.
Any ideas?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Amos Jeffries squ...@treenet.co.nz:
 On 06/06/11 06:32, Ali Majdzadeh wrote:

 Hello All,
 I have setup the following configuration:
 Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
 configure option)
 Kernel (2.6.38.3)
 iptables (1.4.11)

 I have added the following two directives in squid.conf:
 http_port 3128
 http_port 3129 tproxy

 Also, I have configured iptables with the following rules:
 iptables -t mangle -N DIVERT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT
 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
 --tproxy-mark 0x1/0x1 --on-port 3129

 Everything work as expected, I mean, the users can surf the web and
 the proxy server is transparent. The problem is that actually there is
 no caching. I mean, both cache.log and access.log files are empty. On

 That would be transparency to the point of not going through the proxy.
 access.log should have entries for each request.

 the other hand, if I manually set the proxy configuration in clients'
 browsers (the IP address of the squid server and port number 3128)
 everything is OK; the log files are incremented and objects are
 cached.

 Have anyone faced the same issue?

 Some. Its usually boiled down to missing out some details omitted. building
 against libcap2 or routing packets to the squid box for example.

 Are the packet counters on that -j TPROXY rule showing captures?

 Did you follow the rest of the feature config?
  ie the special sub-routing table? OS packet filtering toggles? selinux
 updated to allow tproxy?

 Is this box even routing or bridging port 80 traffic for the network?

 Amos
 --
 Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2

Re: [squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Amos,
Hi
The packet counter on -j TPROXY does not increment. So, why clients
are able to surf the web?

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadeh ali.majdza...@gmail.com

 Amos,
 Hi
 Thanks for your reply. Ragarding the documentation, I have inserted
 the following routing rules:
 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100
 Now, access.log is populated with proper logs, but clients can not
 surf the web, I mean the proxy server is unable to forward http
 responses to clients' browsers. When the client enters for example
 www.google.com, the connection to the http server is established but
 the process halts at Waiting for www.google.com and after a while
 Squid reports the unablility to retreive the requested URL.
 By the way, we have disabled selinux.
 Any ideas?

 Warm Regards,
 Ali Majdzadeh Kohbanani

 2011/6/6 Amos Jeffries squ...@treenet.co.nz:
  On 06/06/11 06:32, Ali Majdzadeh wrote:
 
  Hello All,
  I have setup the following configuration:
  Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
  configure option)
  Kernel (2.6.38.3)
  iptables (1.4.11)
 
  I have added the following two directives in squid.conf:
  http_port 3128
  http_port 3129 tproxy
 
  Also, I have configured iptables with the following rules:
  iptables -t mangle -N DIVERT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
  --tproxy-mark 0x1/0x1 --on-port 3129
 
  Everything work as expected, I mean, the users can surf the web and
  the proxy server is transparent. The problem is that actually there is
  no caching. I mean, both cache.log and access.log files are empty. On
 
  That would be transparency to the point of not going through the proxy.
  access.log should have entries for each request.
 
  the other hand, if I manually set the proxy configuration in clients'
  browsers (the IP address of the squid server and port number 3128)
  everything is OK; the log files are incremented and objects are
  cached.
 
  Have anyone faced the same issue?
 
  Some. Its usually boiled down to missing out some details omitted. building
  against libcap2 or routing packets to the squid box for example.
 
  Are the packet counters on that -j TPROXY rule showing captures?
 
  Did you follow the rest of the feature config?
   ie the special sub-routing table? OS packet filtering toggles? selinux
  updated to allow tproxy?
 
  Is this box even routing or bridging port 80 traffic for the network?
 
  Amos
  --
  Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
 

Re: [squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Amos,
Sorry, the packet counter increments, I made a mistake, but still no
logs either in access.log nor in cache.log.

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadeh ali.majdza...@gmail.com:
 Amos,
 Hi
 The packet counter on -j TPROXY does not increment. So, why clients
 are able to surf the web?

 Warm Regards,
 Ali Majdzadeh Kohbanani

 2011/6/6 Ali Majdzadeh ali.majdza...@gmail.com

 Amos,
 Hi
 Thanks for your reply. Ragarding the documentation, I have inserted
 the following routing rules:
 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100
 Now, access.log is populated with proper logs, but clients can not
 surf the web, I mean the proxy server is unable to forward http
 responses to clients' browsers. When the client enters for example
 www.google.com, the connection to the http server is established but
 the process halts at Waiting for www.google.com and after a while
 Squid reports the unablility to retreive the requested URL.
 By the way, we have disabled selinux.
 Any ideas?

 Warm Regards,
 Ali Majdzadeh Kohbanani

 2011/6/6 Amos Jeffries squ...@treenet.co.nz:
  On 06/06/11 06:32, Ali Majdzadeh wrote:
 
  Hello All,
  I have setup the following configuration:
  Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
  configure option)
  Kernel (2.6.38.3)
  iptables (1.4.11)
 
  I have added the following two directives in squid.conf:
  http_port 3128
  http_port 3129 tproxy
 
  Also, I have configured iptables with the following rules:
  iptables -t mangle -N DIVERT
  iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  iptables -t mangle -A DIVERT -j MARK --set-mark 1
  iptables -t mangle -A DIVERT -j ACCEPT
  iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
  --tproxy-mark 0x1/0x1 --on-port 3129
 
  Everything work as expected, I mean, the users can surf the web and
  the proxy server is transparent. The problem is that actually there is
  no caching. I mean, both cache.log and access.log files are empty. On
 
  That would be transparency to the point of not going through the proxy.
  access.log should have entries for each request.
 
  the other hand, if I manually set the proxy configuration in clients'
  browsers (the IP address of the squid server and port number 3128)
  everything is OK; the log files are incremented and objects are
  cached.
 
  Have anyone faced the same issue?
 
  Some. Its usually boiled down to missing out some details omitted. building
  against libcap2 or routing packets to the squid box for example.
 
  Are the packet counters on that -j TPROXY rule showing captures?
 
  Did you follow the rest of the feature config?
   ie the special sub-routing table? OS packet filtering toggles? selinux
  updated to allow tproxy?
 
  Is this box even routing or bridging port 80 traffic for the network?
 
  Amos
  --
  Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
 

[squid-users] Squid TProxy Problem

[Ali Majdzadeh]

Hello All,
I have setup the following configuration:
Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
configure option)
Kernel (2.6.38.3)
iptables (1.4.11)

I have added the following two directives in squid.conf:
http_port 3128
http_port 3129 tproxy

Also, I have configured iptables with the following rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129

Everything work as expected, I mean, the users can surf the web and
the proxy server is transparent. The problem is that actually there is
no caching. I mean, both cache.log and access.log files are empty. On
the other hand, if I manually set the proxy configuration in clients'
browsers (the IP address of the squid server and port number 3128)
everything is OK; the log files are incremented and objects are
cached.

Have anyone faced the same issue?

Warm Regards,
Ali Majdzadeh Kohbanani

Re: [squid-users] Squid TProxy Problem

[Amos Jeffries]

On 06/06/11 06:32, Ali Majdzadeh wrote:

Hello All,
I have setup the following configuration:
Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
configure option)
Kernel (2.6.38.3)
iptables (1.4.11)

I have added the following two directives in squid.conf:
http_port 3128
http_port 3129 tproxy

Also, I have configured iptables with the following rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129

Everything work as expected, I mean, the users can surf the web and
the proxy server is transparent. The problem is that actually there is
no caching. I mean, both cache.log and access.log files are empty. On


That would be transparency to the point of not going through the proxy. 
access.log should have entries for each request.



the other hand, if I manually set the proxy configuration in clients'
browsers (the IP address of the squid server and port number 3128)
everything is OK; the log files are incremented and objects are
cached.

Have anyone faced the same issue?


Some. Its usually boiled down to missing out some details omitted. 
building against libcap2 or routing packets to the squid box for example.


Are the packet counters on that -j TPROXY rule showing captures?

Did you follow the rest of the feature config?
 ie the special sub-routing table? OS packet filtering toggles? selinux 
updated to allow tproxy?


Is this box even routing or bridging port 80 traffic for the network?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2

[squid-users] Squid, TPROXY and SquidGuard

[Mamadou Touré]

Hi,
all i've implemented squid with Tproxy and SquidGuard for transparent
content filtering.
squid conf:


http_port 3129 tproxy
redirect_program /usr/local/bin/squidGuard -c
/usr/local/squidGuard/squidGuard.conf -d
redirect_children 10

+

my squidGuard.conf
+

.
dest  porn {
       domainlist           porn/domains
       urllist              porn/urls
       expressionlist       porn/expressions
       redirect             http://localhost/denied.bl
}

acl {
       winxp_1 {
               pass !porn any
       }
       default {
               pass any
       }
 }
..


HTTP traffic are redirect via:
+++

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129
+

My traffic passthrougth squid but the contents are not filtered
because the user can access porn site.
Also there access are logged in access.log
can someone help me?

regards.

Re: [squid-users] Squid + Tproxy + Bridge on Kernel 2.6.34 - Workaround

[Luis Daniel Lucio Quiroz]

Le mardi 25 mai 2010 23:21:39, senthilkumaar2021 a écrit :
 Hi,
 
 Squid + Tproxy + Bridge Setup on latest kernel - version 2.6.34
 
 I had followed all the steps that had given in the
 http://wiki.squid-cache.org/Features/Tproxy4
 
 Kernel - 2.6.34
 iptable - 1.4.8
 ebtable - 2.0.9-1
 
 But clients were unable to browse and no errors in cache.log. Error -
 Network Unreachable. The error had returned by browser not squid proxy.
 
 Workaround :-
 
 After adding the following rules, clients are able to browse.
 
 # ip rule add dev device name fwmark 1 lookup 100
 
 example
 
 # ip rule add dev eth0 fwmark 1 lookup 100
 
 NOTE : Repeat the above for each interface except  lo 
 
 Source - https://lists.balabit.hu/pipermail/tproxy/2010-January/001212.html
 
 Based on the above source this issue had identified on kernel version -
 2.6.32. But still not yet fixed.
 
 I have CC ed this mail to netfilter mailing lists also.
 
 Hope this helps
 
 Thanks,
 Senthil

I was about to  ask
if this is fixed in 2.6.33+

or shall i stay in 2.6.31.x

Re: [squid-users] Squid + Tproxy + Bridge on Kernel 2.6.34 - Workaround

[Amos Jeffries]

On Tue, 15 Jun 2010 13:37:48 -0500, Luis Daniel Lucio Quiroz
luis.daniel.lu...@gmail.com wrote:
 Le mardi 25 mai 2010 23:21:39, senthilkumaar2021 a écrit :
 Hi,
 
 Squid + Tproxy + Bridge Setup on latest kernel - version 2.6.34
 
 I had followed all the steps that had given in the
 http://wiki.squid-cache.org/Features/Tproxy4
 
 Kernel - 2.6.34
 iptable - 1.4.8
 ebtable - 2.0.9-1
 
 But clients were unable to browse and no errors in cache.log. Error -
 Network Unreachable. The error had returned by browser not squid proxy.
 
 Workaround :-
 
 After adding the following rules, clients are able to browse.
 
 # ip rule add dev device name fwmark 1 lookup 100
 
 example
 
 # ip rule add dev eth0 fwmark 1 lookup 100
 
 NOTE : Repeat the above for each interface except  lo 
 
 Source -
 https://lists.balabit.hu/pipermail/tproxy/2010-January/001212.html
 
 Based on the above source this issue had identified on kernel version -
 2.6.32. But still not yet fixed.
 
 I have CC ed this mail to netfilter mailing lists also.
 
 Hope this helps
 
 Thanks,
 Senthil
 
 I was about to  ask
 if this is fixed in 2.6.33+
 
 or shall i stay in 2.6.31.x

From the Squid side;
 I have not seen any concrete evidence that this problem was anything more
than a configuration mixup.

This fix is to configure routing tables so that packets the bridge stack
sends to the routing stacks (ebtables ... -j DROP) actually get routed to
Squid. Our wiki demo uses 127.0.0.1 and the lo interface, it seems like the
reporter was using a global IP and only had to configure a global
interfaces' routing.

The other two older reporters have been suspiciously silent on the lists
since the same bridge/router interaction was mentioned.

Amos

Re: [squid-users] Squid + Tproxy + Bridge on Kernel 2.6.34 - Workaround

[senthilkumaar2021]

Hi

The tproxy setup in bridge mode worked well as per in wiki squid till 
the kernel version 2.6.30.xx


When we tested tproxy in bridge mode for kernels greater than 
2.6.33.xx(2.6.34 also).


The tproxy was not working.when the following workaround was used the 
tproxy was working fine.


# ip rule add dev device name fwmark 1 lookup 100

example

# ip rule add dev eth0 fwmark 1 lookup 100

NOTE : Repeat the above for each interface except  lo 

and also

echo 0  /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1  /proc/sys/net/ipv4/ip_forward
echo 1  /proc/sys/net/ipv4/ip_nonlocal_bind
echo 0  /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0  /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0  /proc/sys/net/ipv4/conf/br0/rp_filter
echo 1  /proc/sys/net/ipv4/conf/all/forwarding
echo 1  /proc/sys/net/ipv4/conf/all/send_redirects
echo 1  /proc/sys/net/ipv4/conf/eth0/send_redirects

We suspect the problem was not in squid and it is related to net filter.

Regards
senthil

Amos Jeffries wrote:

On Tue, 15 Jun 2010 13:37:48 -0500, Luis Daniel Lucio Quiroz
luis.daniel.lu...@gmail.com wrote:
  

Le mardi 25 mai 2010 23:21:39, senthilkumaar2021 a écrit :


Hi,

Squid + Tproxy + Bridge Setup on latest kernel - version 2.6.34

I had followed all the steps that had given in the
http://wiki.squid-cache.org/Features/Tproxy4

Kernel - 2.6.34
iptable - 1.4.8
ebtable - 2.0.9-1

But clients were unable to browse and no errors in cache.log. Error -
Network Unreachable. The error had returned by browser not squid proxy.

Workaround :-

After adding the following rules, clients are able to browse.

# ip rule add dev device name fwmark 1 lookup 100

example

# ip rule add dev eth0 fwmark 1 lookup 100

NOTE : Repeat the above for each interface except  lo 

Source -
https://lists.balabit.hu/pipermail/tproxy/2010-January/001212.html

Based on the above source this issue had identified on kernel version -
2.6.32. But still not yet fixed.

I have CC ed this mail to netfilter mailing lists also.

Hope this helps

Thanks,
Senthil
  

I was about to  ask
if this is fixed in 2.6.33+

or shall i stay in 2.6.31.x



From the Squid side;
 I have not seen any concrete evidence that this problem was anything more
than a configuration mixup.

This fix is to configure routing tables so that packets the bridge stack
sends to the routing stacks (ebtables ... -j DROP) actually get routed to
Squid. Our wiki demo uses 127.0.0.1 and the lo interface, it seems like the
reporter was using a global IP and only had to configure a global
interfaces' routing.

The other two older reporters have been suspiciously silent on the lists
since the same bridge/router interaction was mentioned.

Amos

  

[squid-users] Squid + Tproxy + Bridge on Kernel 2.6.34 - Workaround

[senthilkumaar2021]

Hi,

Squid + Tproxy + Bridge Setup on latest kernel - version 2.6.34

I had followed all the steps that had given in the
http://wiki.squid-cache.org/Features/Tproxy4

Kernel - 2.6.34
iptable - 1.4.8
ebtable - 2.0.9-1

But clients were unable to browse and no errors in cache.log. Error -
Network Unreachable. The error had returned by browser not squid proxy.

Workaround :-

After adding the following rules, clients are able to browse.

# ip rule add dev device name fwmark 1 lookup 100

example

# ip rule add dev eth0 fwmark 1 lookup 100

NOTE : Repeat the above for each interface except  lo 

Source - https://lists.balabit.hu/pipermail/tproxy/2010-January/001212.html

Based on the above source this issue had identified on kernel version -
2.6.32. But still not yet fixed.

I have CC ed this mail to netfilter mailing lists also.

Hope this helps

Thanks,
Senthil

Re: [squid-users] Squid-tproxy patch for squid 3.0

[Vivek]

Thanks Amos, We want Tproxy v4 support ( 2.6.28 kernel support) for 
squid 2.7. If we could get squid-3.0-tproxy patch from any achieves it 
would be very helpful for us to develop a patch for 2.7..




Thanks in advance.



-VIvek









-Original Message-

From: Amos Jeffries squ...@treenet.co.nz

To: Vivek vivek...@aol.in

Cc: squid-users@squid-cache.org

Sent: Tue, 7 Apr 2009 12:17 pm

Subject: Re: [squid-users] Squid-tproxy patch for squid 3.0



















Vivek wrote:




Hi All,

















I need squid tproxy patch for squid 3.0. I know squid 3.1 has the



built-in code for tproxy support. But i need the patch file.








Where can i download the patch( Not kernel patch) squid-tproxy 

patch?.








If anybody knows give the link.










The patch I and others were initially providing was found to be broken

and was dropped when the support in 3.1 required a major kernel 
overhaul


to fix the problem.





Amos



--

Please be using



 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13



 Current Beta Squid 3.1.0.6













You are invited to Get a Free AOL Email ID. - http://webmail.aol.in

Re: [squid-users] Squid-tproxy patch for squid 3.0

[Amos Jeffries]

Vivek wrote:
Thanks Amos, We want Tproxy v4 support ( 2.6.28 kernel support) for 
squid 2.7. If we could get squid-3.0-tproxy patch from any achieves it 
would be very helpful for us to develop a patch for 2.7..




There no single patch just a large collection of incremental changes.

The 2.7 code base is also a lot different to the 3.x codebase in these 
areas.


Whats missing from 3.1 that you need from 2.7? It would be a more 
future-proof work if the port was along the developer roadmap.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6

Re: [squid-users] Squid-tproxy patch for squid 3.0

[Vivek]

Thanks Amos,



As per the benchmark result 2.7 perform better than 3.1. But Tproxy v2 
patch for 2.7 is obsolete. So that i need Tproxy v4 patch for squid 
2.7. If anybody have have ?..




--Vivek



-Original Message-

From: Amos Jeffries squ...@treenet.co.nz

To: Vivek vivek...@aol.in

Cc: squid-users@squid-cache.org

Sent: Tue, 7 Apr 2009 2:23 pm

Subject: Re: [squid-users] Squid-tproxy patch for squid 3.0





Vivek wrote:




Thanks Amos, We want Tproxy v4 support ( 2.6.28 kernel support) for


squid 2.7. If we could get squid-3.0-tproxy patch from any achieves 

it


would be very helpful for us to develop a patch for 2.7..










There no single patch just a large collection of incremental changes.





The 2.7 code base is also a lot different to the 3.x codebase in these

areas.





Whats missing from 3.1 that you need from 2.7? It would be a more

future-proof work if the port was along the developer roadmap.





Amos



--

Please be using



 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13



 Current Beta Squid 3.1.0.6













You are invited to Get a Free AOL Email ID. - http://webmail.aol.in

[squid-users] Squid-tproxy patch for squid 3.0

[Vivek]

Hi All,



I need squid tproxy patch for squid 3.0. I know squid 3.1 has the 
built-in code for tproxy support. But i need the patch file.


Where can i download the patch( Not kernel patch) squid-tproxy patch?.

If anybody knows give the link.



Regards

Vivek





You are invited to Get a Free AOL Email ID. - http://webmail.aol.in

Re: [squid-users] Squid-tproxy patch for squid 3.0

[Amos Jeffries]

Vivek wrote:

Hi All,



I need squid tproxy patch for squid 3.0. I know squid 3.1 has the 
built-in code for tproxy support. But i need the patch file.


Where can i download the patch( Not kernel patch) squid-tproxy patch?.

If anybody knows give the link.



The patch I and others were initially providing was found to be broken 
and was dropped when the support in 3.1 required a major kernel overhaul 
to fix the problem.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6

Re: [squid-users] squid TPROXY and empty access.log

[Jack Daniels]

On Wed, Mar 25, 2009 at 11:19 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 Okay. It looks like the requests are not actually going through Squid.

Thank you again for your reply.
It seems strange. I know only that if I stop Squid process, the client
behind Tproxy-Squid cannot reach any website.
The client can reach http pages only when Squid is running and is in
Tproxy mode.

 What cache.log is incrementing by is the startup operational info. No
 actual requests. Once squid reaches a state where it can receive requests
 it justs sits idle and checks the garbage collection occasionally.

Is it due to a wrong configuration or a wrong version? As you have
already seen all configurations seems ok and all the necessary steps
have been made.

Have you any other suggestions? Maybe it is only a problem of versions
(I'm just hypothesizing..). Could you suggest me a right combination
of versions to use Tproxyv4? (kernel+iptables+squid).

Thank you in advance.

Re: [squid-users] squid TPROXY and empty access.log

[Amos Jeffries]

Jack Daniels wrote:

On Wed, Mar 25, 2009 at 11:19 PM, Amos Jeffries squ...@treenet.co.nz wrote:

Okay. It looks like the requests are not actually going through Squid.


Thank you again for your reply.
It seems strange. I know only that if I stop Squid process, the client
behind Tproxy-Squid cannot reach any website.
The client can reach http pages only when Squid is running and is in
Tproxy mode.


What cache.log is incrementing by is the startup operational info. No
actual requests. Once squid reaches a state where it can receive requests
it justs sits idle and checks the garbage collection occasionally.


Is it due to a wrong configuration or a wrong version? As you have
already seen all configurations seems ok and all the necessary steps
have been made.

Have you any other suggestions? Maybe it is only a problem of versions
(I'm just hypothesizing..). Could you suggest me a right combination
of versions to use Tproxyv4? (kernel+iptables+squid).


Only the kernel 2.6.28+ iptables 1.4.3+ and Squid 3.1.*  which you are 
already using.


next step would be to perhapse try with debug_options ALL,9 in 
squid.conf and see if more data gets into cache.log.


If that fails too, try the netfilter lists and see if someone in the 
kernel crowd has more insight into the packet behavior.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6

Re: [squid-users] squid TPROXY and empty access.log

[Amos Jeffries]

Jack Daniels wrote:

Hello,
I've a problem to log client request activities when Squid is in TPROXY mode.
In squid.conf I have 'access_log /var/log/squid/access.log squid',
this file is correctly created but results empty.

# ls -la /var/log/squid/

-rw-r- 1 proxy proxy  0 24 mar 16:09 access.log
-rw-r- 1 proxy proxy 413659 24 mar 16:09 cache.log
-rw-r- 1 proxy proxy  0 24 mar 16:09 referer.log
-rw-r--r-- 1 root  proxy  6 24 mar 16:09 squid.pid
-rw-r- 1 proxy proxy  0 24 mar 16:09 store.log

If I remove 'tproxy' option from http_port in squid.conf it seems work
(access.log is correctly written) but I lose the TPROXY Ip spoofing
feature.

Is this a bug?
There is a way to log client request activities in tproxy mode? I need
this feature to use Sarg in this environment.



Sounds like a bug, but there are a few things below you need to clear up 
before you can be sure its not them...



Thanks in advance.


Here some details:

# uname -r
2.6.28.8

# squid -v
Squid Cache: Version 3.1.0.6
configure options:  '--enable-linux-tproxy' '--enable-linux-netfilter'




http://wiki.squid-cache.org/Features/Tproxy4

Obsolete --enable-tproxy option. Remains only for legacy v2.2 cttproxy 
support.


It does things to the kernel TPROXYv4 may not like. Kill it.



'--enable-ssl' '--with-openssl=/usr/include/openssl/'
'--enable-err-languages=EnglisItalian'
'--enable-default-err-language=Italian'


the err options are also DEAD.


'--disable-htcp'
'--with-large-files' '--prefix=/usr' '--exec_prefix=/usr'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libdir=/usr/lib/squid'
'--libexecdir=/usr/lib/squid' '--docdir=/usr/share/doc/squid'
'--datarootdir=/usr/share/squid' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid'
'--mandir=/usr/share/man' '--with-logdir=/var/log/squid'
'--enable-inline' '--enable-async-io=8' '--with-pthreads'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-snmp' '--enable-delay-pools' '--enable-cache-digests'
'--enable-underscores' '--enable-icap-client' '--enable-referer-log'
'--enable-useragent-log' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=NCSA'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user,unix_group'
'--with-filedescriptors=65536' '--with-default-user=proxy'
--with-squid=/usr/src/squid-3.1.0.6 --enable-ltdl-convenience

# iptables -V
iptables v1.4.3-rc1

# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination
DIVERT tcp  --  anywhere anywheresocket
TPROXY tcp  --  anywhere anywheretcp
dpt:www TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination

Chain DIVERT (1 references)
target prot opt source   destination
MARK   all  --  anywhere anywhereMARK xset
0x1/0x
ACCEPT all  --  anywhere anywhere

# cat /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all



http_port 3128 tproxy
#http_port 3128


http://wiki.squid-cache.org/Features/Tproxy4

NP: A dedicated squid port for tproxy is REQUIRED



hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
coredump_dir /var/spool/squid/cache
cache_effective_user proxy
cache_effective_group proxy
access_log /var/log/squid/access.log squid
cache_store_log /var/log/squid/store.log
referer_log /var/log/squid/referer.log



log_access allow all
cache allow all


Two very redundant settings.



# squid 

Re: [squid-users] squid TPROXY and empty access.log

[Jack Daniels]

On Wed, Mar 25, 2009 at 12:00 PM, Amos Jeffries squ...@treenet.co.nz wrote:
 Sounds like a bug, but there are a few things below you need to clear up
 before you can be sure its not them...

Thank you for your fast reply. I tried your suggestion but it didn't
work. Here some details:

 Obsolete --enable-tproxy option. Remains only for legacy v2.2 cttproxy
 support.

 It does things to the kernel TPROXYv4 may not like. Kill it.

 the err options are also DEAD.

Done.

# squid -v
Squid Cache: Version 3.1.0.6
configure options:  '--enable-linux-netfilter' '--enable-ssl'
'--with-openssl=/usr/include/openssl/' '--disable-htcp'
'--with-large-files' '--prefix=/usr' '--exec_prefix=/usr'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libdir=/usr/lib/squid'
'--libexecdir=/usr/lib/squid' '--docdir=/usr/share/doc/squid'
'--datarootdir=/usr/share/squid' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid'
'--mandir=/usr/share/man' '--with-logdir=/var/log/squid'
'--enable-inline' '--enable-async-io=8' '--with-pthreads'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-snmp' '--enable-delay-pools' '--enable-cache-digests'
'--enable-underscores' '--enable-icap-client' '--enable-referer-log'
'--enable-useragent-log' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=NCSA'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user,unix_group'
'--with-filedescriptors=65536' '--with-default-user=proxy'
--with-squid=/usr/src/squid-3.1.0.6 --enable-ltdl-convenience

 http_port 3128 tproxy
 #http_port 3128

 NP: A dedicated squid port for tproxy is REQUIRED

 log_access allow all
 cache allow all

 Two very redundant settings.

Ok, I've reduced squid.conf to a minimal configuration

# cat /etc/squid/squid.conf
acl localnet src 172.31.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
http_access allow localnet
http_access deny all
http_port 3128
http_port 3129 tproxy
coredump_dir /var/spool/squid/cache
cache_effective_user proxy
cache_effective_group proxy
access_log /var/log/squid/access.log squid
cache_store_log /var/log/squid/store.log

# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination
DIVERT tcp  --  anywhere anywheresocket
TPROXY tcp  --  anywhere anywheretcp
dpt:www TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

(...)

Chain DIVERT (1 references)
target prot opt source   destination
MARK   all  --  anywhere anywhereMARK xset
0x1/0x
ACCEPT all  --  anywhere anywhere

# squid -X -d1 -N -f /etc/squid/squid.conf
2009/03/25 12:50:33.512| command-line -X overrides: ALL,7
2009/03/25 12:50:33.512| CacheManager::registerAction: registering legacy mem
2009/03/25 12:50:33.512| CacheManager::findAction: looking for action mem
2009/03/25 12:50:33.512| Action not found.
2009/03/25 12:50:33.512| CacheManager::registerAction: registered mem
2009/03/25 12:50:33.512| CacheManager::registerAction: registering
legacy squidaio_counts
2009/03/25 12:50:33.512| CacheManager::findAction: looking for action
squidaio_counts
2009/03/25 12:50:33.512| Action not found.
2009/03/25 12:50:33.512| CacheManager::registerAction: registered
squidaio_counts
2009/03/25 12:50:33.512| CacheManager::registerAction: registering legacy diskd
2009/03/25 12:50:33.512| CacheManager::findAction: looking for action diskd
2009/03/25 12:50:33.512| Action not found.
2009/03/25 12:50:33.512| CacheManager::registerAction: registered diskd
2009/03/25 12:50:33.512| aclDestroyACLs: invoked
2009/03/25 12:50:33.512| ACL::Prototype::Registered: invoked for type src
2009/03/25 12:50:33.512| ACL::Prototype::Registered:yes
2009/03/25 12:50:33.512| ACL::FindByName 'all'
2009/03/25 12:50:33.512| ACL::FindByName found no match
2009/03/25 12:50:33.512| aclParseAclLine: Creating ACL 'all'
2009/03/25 12:50:33.512| ACL::Prototype::Factory: cloning an object
for type 'src'
2009/03/25 12:50:33.512| aclIpParseIpData: all
2009/03/25 12:50:33.513| aclParseAccessLine: looking for ACL name 'all'
2009/03/25 12:50:33.513| ACL::FindByName 'all'
2009/03/25 12:50:33.513| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2009/03/25 12:50:33.514| Processing: 'acl localnet src 172.31.1.0/24'
2009/03/25 12:50:33.514| ACL::Prototype::Registered: invoked for type src
2009/03/25 12:50:33.514| ACL::Prototype::Registered:yes
2009/03/25 12:50:33.514| ACL::FindByName 'localnet'
2009/03/25 12:50:33.514| ACL::FindByName found no match
2009/03/25 12:50:33.514| aclParseAclLine: Creating ACL 'localnet'
2009/03/25 12:50:33.514| ACL::Prototype::Factory: cloning an object
for type 'src'
2009/03/25 12:50:33.514| aclIpParseIpData: 172.31.1.0/24
2009/03/25 12:50:33.514| Processing: 'acl SSL_ports port 443'
2009/03/25 12:50:33.514| ACL::Prototype::Registered: invoked for type port
2009/03/25 

Re: [squid-users] squid TPROXY and empty access.log

[Amos Jeffries]

 On Wed, Mar 25, 2009 at 12:00 PM, Amos Jeffries squ...@treenet.co.nz
 wrote:
 Sounds like a bug, but there are a few things below you need to clear up
 before you can be sure its not them...

 Thank you for your fast reply. I tried your suggestion but it didn't
 work. Here some details:

 Obsolete --enable-tproxy option. Remains only for legacy v2.2 cttproxy
 support.

 It does things to the kernel TPROXYv4 may not like. Kill it.

 the err options are also DEAD.

 Done.

 # squid -v
 Squid Cache: Version 3.1.0.6
 configure options:  '--enable-linux-netfilter' '--enable-ssl'
 '--with-openssl=/usr/include/openssl/' '--disable-htcp'
 '--with-large-files' '--prefix=/usr' '--exec_prefix=/usr'
 '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libdir=/usr/lib/squid'
 '--libexecdir=/usr/lib/squid' '--docdir=/usr/share/doc/squid'
 '--datarootdir=/usr/share/squid' '--datadir=/usr/share/squid'
 '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid'
 '--mandir=/usr/share/man' '--with-logdir=/var/log/squid'
 '--enable-inline' '--enable-async-io=8' '--with-pthreads'
 '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
 '--enable-snmp' '--enable-delay-pools' '--enable-cache-digests'
 '--enable-underscores' '--enable-icap-client' '--enable-referer-log'
 '--enable-useragent-log' '--enable-follow-x-forwarded-for'
 '--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=NCSA'
 '--enable-digest-auth-helpers=password'
 '--enable-external-acl-helpers=ip_user,unix_group'
 '--with-filedescriptors=65536' '--with-default-user=proxy'
 --with-squid=/usr/src/squid-3.1.0.6 --enable-ltdl-convenience

 http_port 3128 tproxy
 #http_port 3128

 NP: A dedicated squid port for tproxy is REQUIRED

 log_access allow all
 cache allow all

 Two very redundant settings.

 Ok, I've reduced squid.conf to a minimal configuration

 # cat /etc/squid/squid.conf
 acl localnet src 172.31.1.0/24
 acl SSL_ports port 443
 acl Safe_ports port 80
 http_access allow localnet
 http_access deny all
 http_port 3128
 http_port 3129 tproxy
 coredump_dir /var/spool/squid/cache
 cache_effective_user proxy
 cache_effective_group proxy
 access_log /var/log/squid/access.log squid
 cache_store_log /var/log/squid/store.log

 # iptables -t mangle -L
 Chain PREROUTING (policy ACCEPT)
 target prot opt source   destination
 DIVERT tcp  --  anywhere anywheresocket
 TPROXY tcp  --  anywhere anywheretcp
 dpt:www TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

 (...)

 Chain DIVERT (1 references)
 target prot opt source   destination
 MARK   all  --  anywhere anywhereMARK xset
 0x1/0x
 ACCEPT all  --  anywhere anywhere

 # squid -X -d1 -N -f /etc/squid/squid.conf
 2009/03/25 12:50:33.512| command-line -X overrides: ALL,7
 2009/03/25 12:50:33.512| CacheManager::registerAction: registering legacy
 mem
 2009/03/25 12:50:33.512| CacheManager::findAction: looking for action mem
 2009/03/25 12:50:33.512| Action not found.
 2009/03/25 12:50:33.512| CacheManager::registerAction: registered mem
 2009/03/25 12:50:33.512| CacheManager::registerAction: registering
 legacy squidaio_counts
 2009/03/25 12:50:33.512| CacheManager::findAction: looking for action
 squidaio_counts
 2009/03/25 12:50:33.512| Action not found.
 2009/03/25 12:50:33.512| CacheManager::registerAction: registered
 squidaio_counts
 2009/03/25 12:50:33.512| CacheManager::registerAction: registering legacy
 diskd
 2009/03/25 12:50:33.512| CacheManager::findAction: looking for action
 diskd
 2009/03/25 12:50:33.512| Action not found.
 2009/03/25 12:50:33.512| CacheManager::registerAction: registered diskd
 2009/03/25 12:50:33.512| aclDestroyACLs: invoked
 2009/03/25 12:50:33.512| ACL::Prototype::Registered: invoked for type src
 2009/03/25 12:50:33.512| ACL::Prototype::Registered:yes
 2009/03/25 12:50:33.512| ACL::FindByName 'all'
 2009/03/25 12:50:33.512| ACL::FindByName found no match
 2009/03/25 12:50:33.512| aclParseAclLine: Creating ACL 'all'
 2009/03/25 12:50:33.512| ACL::Prototype::Factory: cloning an object
 for type 'src'
 2009/03/25 12:50:33.512| aclIpParseIpData: all
 2009/03/25 12:50:33.513| aclParseAccessLine: looking for ACL name 'all'
 2009/03/25 12:50:33.513| ACL::FindByName 'all'
 2009/03/25 12:50:33.513| Processing Configuration File:
 /etc/squid/squid.conf (depth 0)
 2009/03/25 12:50:33.514| Processing: 'acl localnet src 172.31.1.0/24'
 2009/03/25 12:50:33.514| ACL::Prototype::Registered: invoked for type src
 2009/03/25 12:50:33.514| ACL::Prototype::Registered:yes
 2009/03/25 12:50:33.514| ACL::FindByName 'localnet'
 2009/03/25 12:50:33.514| ACL::FindByName found no match
 2009/03/25 12:50:33.514| aclParseAclLine: Creating ACL 'localnet'
 2009/03/25 12:50:33.514| ACL::Prototype::Factory: cloning an object
 for type 'src'
 2009/03/25 12:50:33.514| aclIpParseIpData: 172.31.1.0/24
 2009/03/25 12:50:33.514| Processing: 'acl SSL_ports port 

[squid-users] squid TPROXY and empty access.log

[Jack Daniels]

Hello,
I've a problem to log client request activities when Squid is in TPROXY mode.
In squid.conf I have 'access_log /var/log/squid/access.log squid',
this file is correctly created but results empty.

# ls -la /var/log/squid/

-rw-r- 1 proxy proxy  0 24 mar 16:09 access.log
-rw-r- 1 proxy proxy 413659 24 mar 16:09 cache.log
-rw-r- 1 proxy proxy  0 24 mar 16:09 referer.log
-rw-r--r-- 1 root  proxy  6 24 mar 16:09 squid.pid
-rw-r- 1 proxy proxy  0 24 mar 16:09 store.log

If I remove 'tproxy' option from http_port in squid.conf it seems work
(access.log is correctly written) but I lose the TPROXY Ip spoofing
feature.

Is this a bug?
There is a way to log client request activities in tproxy mode? I need
this feature to use Sarg in this environment.

Thanks in advance.


Here some details:

# uname -r
2.6.28.8

# squid -v
Squid Cache: Version 3.1.0.6
configure options:  '--enable-linux-tproxy' '--enable-linux-netfilter'
'--enable-ssl' '--with-openssl=/usr/include/openssl/'
'--enable-err-languages=EnglisItalian'
'--enable-default-err-language=Italian' '--disable-htcp'
'--with-large-files' '--prefix=/usr' '--exec_prefix=/usr'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libdir=/usr/lib/squid'
'--libexecdir=/usr/lib/squid' '--docdir=/usr/share/doc/squid'
'--datarootdir=/usr/share/squid' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid'
'--mandir=/usr/share/man' '--with-logdir=/var/log/squid'
'--enable-inline' '--enable-async-io=8' '--with-pthreads'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-snmp' '--enable-delay-pools' '--enable-cache-digests'
'--enable-underscores' '--enable-icap-client' '--enable-referer-log'
'--enable-useragent-log' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm' '--enable-basic-auth-helpers=NCSA'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user,unix_group'
'--with-filedescriptors=65536' '--with-default-user=proxy'
--with-squid=/usr/src/squid-3.1.0.6 --enable-ltdl-convenience

# iptables -V
iptables v1.4.3-rc1

# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination
DIVERT tcp  --  anywhere anywheresocket
TPROXY tcp  --  anywhere anywheretcp
dpt:www TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination

Chain DIVERT (1 references)
target prot opt source   destination
MARK   all  --  anywhere anywhereMARK xset
0x1/0x
ACCEPT all  --  anywhere anywhere

# cat /etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 3128 tproxy
#http_port 3128
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320
coredump_dir /var/spool/squid/cache
cache_effective_user proxy
cache_effective_group proxy
access_log /var/log/squid/access.log squid
cache_store_log /var/log/squid/store.log
referer_log /var/log/squid/referer.log
log_access allow all
cache allow all

# squid -X -d1 -N
2009/03/24 16:04:06.955| command-line -X overrides: ALL,7
2009/03/24 16:04:06.955| CacheManager::registerAction: registering legacy mem
2009/03/24 16:04:06.955| CacheManager::findAction: looking for action mem
2009/03/24 16:04:06.955| Action not found.
2009/03/24 16:04:06.955| CacheManager::registerAction: registered mem
2009/03/24 16:04:06.955| CacheManager::registerAction: registering
legacy squidaio_counts
2009/03/24 16:04:06.955| CacheManager::findAction: looking for action
squidaio_counts

Re: [squid-users] Squid, tproxy, nat and multi-homed

[Ming-Ching Tiew]

From: Ming-Ching Tiew [EMAIL PROTECTED]


 But the fact is that as soon as I turn on squid directive,

   http_port 3128 tproxy transparent

 I will get private IP belonging to the original http web requestor
 appearing
 in the internet line - EVEN THOUGH - I do have a POSTROUTING
 rule in the nat table to SNAT. As a matter of fact,

   iptables -t nat -nvL POSTROUTING

 shows that the SNAT rule has been traversed ( and the counter is
incremented
 ! ).


Just want to mention that my problem is fixed by doing this patch :-

http://freshmeat.net/projects/doublenatcttproxy2patch/?branch_id=71776

Regards.



Important Warning! 

*** 

This electronic communication (including any attached files) may contain 
confidential and/or legally privileged information and is only intended for the 
use of the person to whom it is addressed. If you are not the intended 
recipient, you do not have permission to read, use, disseminate, distribute, 
copy or retain any part of this communication or its attachments in any form. 
If this e-mail was sent to you by mistake, please take the time to notify the 
sender so that they can identify the problem and avoid any more mistakes in 
sending e-mail to you. The unauthorised use of information contained in this 
communication or its attachments may result in legal action against any person 
who uses it.

Re: [squid-users] Squid, tproxy, nat and multi-homed

[Adrian Chadd]

Would you mind filing a bugzilla report with all of this in it please?

Thanks,



Adrian

On Tue, Oct 23, 2007, Ming-Ching Tiew wrote:
 
 From: Ming-Ching Tiew [EMAIL PROTECTED]
 
 
  But the fact is that as soon as I turn on squid directive,
 
http_port 3128 tproxy transparent
 
  I will get private IP belonging to the original http web requestor
  appearing
  in the internet line - EVEN THOUGH - I do have a POSTROUTING
  rule in the nat table to SNAT. As a matter of fact,
 
iptables -t nat -nvL POSTROUTING
 
  shows that the SNAT rule has been traversed ( and the counter is
 incremented
  ! ).
 
 
 Just want to mention that my problem is fixed by doing this patch :-
 
 http://freshmeat.net/projects/doublenatcttproxy2patch/?branch_id=71776
 
 Regards.
 
 
 
 Important Warning! 
 
 *** 
 
 This electronic communication (including any attached files) may contain 
 confidential and/or legally privileged information and is only intended for 
 the use of the person to whom it is addressed. If you are not the intended 
 recipient, you do not have permission to read, use, disseminate, distribute, 
 copy or retain any part of this communication or its attachments in any form. 
 If this e-mail was sent to you by mistake, please take the time to notify the 
 sender so that they can identify the problem and avoid any more mistakes in 
 sending e-mail to you. The unauthorised use of information contained in this 
 communication or its attachments may result in legal action against any 
 person who uses it.

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -

[squid-users] Squid, tproxy, nat and multi-homed

[Ming-Ching Tiew]

I have a unique situation where I have a multi-homed
machine running squid where I will need to do some
kind of load balancing for outbound squid traffic.

Well, if both the outgoing interface are nat-ed, things will
be relatively easier, I will just do transparent proxy 
(without tproxy ). Since the identity of the original http
requests are lost anyway, tproxy will be redundant.

However, in a situation where one of the outgoing legs is 
NOT NAT-ed, while another leg is NAT-ed, this is where 
I am in trouble.

When the outgoing interface is not NAT-ed, I would like
to be able to do tproxy, retaining the identity of the
original http requests. However, when I use the squid
redirective,

http_port 3128 tproxy transparent

The un-NAT-ed leg will work just fine but I noticed that for the
NAT-ed leg, the outgoing traffic gets out to the internet
using the source IP of the original http request DESPITE that 
there is a SNAT on the nat POSTROUTING chain. As you can 
imagine, this will cause return traffic unable to come back to the 
machine.

Wonder if it is the limitation of the tproxy kernel patch,
or it's just the way I did (wrong) which causes the behaviour.

Appreciate your inputs.

 


Important Warning! 

*** 

This electronic communication (including any attached files) may contain 
confidential and/or legally privileged information and is only intended for the 
use of the person to whom it is addressed. If you are not the intended 
recipient, you do not have permission to read, use, disseminate, distribute, 
copy or retain any part of this communication or its attachments in any form. 
If this e-mail was sent to you by mistake, please take the time to notify the 
sender so that they can identify the problem and avoid any more mistakes in 
sending e-mail to you. The unauthorised use of information contained in this 
communication or its attachments may result in legal action against any person 
who uses it.

Re: [squid-users] Squid, tproxy, nat and multi-homed

[Amos Jeffries]

 I have a unique situation where I have a multi-homed
 machine running squid where I will need to do some
 kind of load balancing for outbound squid traffic.

 Well, if both the outgoing interface are nat-ed, things will
 be relatively easier, I will just do transparent proxy
 (without tproxy ). Since the identity of the original http
 requests are lost anyway, tproxy will be redundant.

 However, in a situation where one of the outgoing legs is
 NOT NAT-ed, while another leg is NAT-ed, this is where
 I am in trouble.

 When the outgoing interface is not NAT-ed, I would like
 to be able to do tproxy, retaining the identity of the
 original http requests. However, when I use the squid
 redirective,

 http_port 3128 tproxy transparent

Thats the config.
 tproxy option also implies transparent, but having both is clear.
If its a config problem its not there.

 The un-NAT-ed leg will work just fine but I noticed that for the
 NAT-ed leg, the outgoing traffic gets out to the internet
 using the source IP of the original http request DESPITE that
 there is a SNAT on the nat POSTROUTING chain. As you can
 imagine, this will cause return traffic unable to come back to the
 machine.

 Wonder if it is the limitation of the tproxy kernel patch,
 or it's just the way I did (wrong) which causes the behaviour.

Most common failure like this requires 'you need to patch the kernel', but
it sounds like that's been done.

Next step is seeing what tcpdump shows about the two types of traffic.
And possibly what type of router/balancer is doing the splitting?


PS. Do you HAVE to use tproxy? If the NATing isn't a problem you could use
a plain intercepting/transparent proxy and have remote sources down both
streams see the squid IP as the source of requests.

Amos

Re: [squid-users] Squid, tproxy, nat and multi-homed

[Ming-Ching Tiew]

From: Amos Jeffries [EMAIL PROTECTED]


Thanks for the quick response :-


 Most common failure like this requires 'you need to patch the kernel', but
 it sounds like that's been done.


Yupe this has been done.

 Next step is seeing what tcpdump shows about the two types of traffic.
 And possibly what type of router/balancer is doing the splitting?


This has been done too. Very clearly, tcpdump shows that for the
none NAT-ed leg, the identity of the original requests have been
spoofed, but the bad thing is that, it also spoofed the NAT-ed leg
as well despite there is a POSTROUTING rule to do SNAT in
the nat table. Seems to me the 'tproxy' directive in squid makes
iptables nat POSTROUTING SNAT useless !


 PS. Do you HAVE to use tproxy?

YES. It works if I don't use it together with nat.

 If the NATing isn't a problem you could use
 a plain intercepting/transparent proxy and have remote sources down both
 streams see the squid IP as the source of requests.


That will be undesirable for the none-NAT-ed leg because the traffic
will head towards an firewall will screen/filter the outgoing traffic based
on the source IPs.

Re: [squid-users] Squid, tproxy, nat and multi-homed

[Amos Jeffries]

 From: Amos Jeffries [EMAIL PROTECTED]


 Thanks for the quick response :-


 Most common failure like this requires 'you need to patch the kernel',
 but
 it sounds like that's been done.


 Yupe this has been done.

 Next step is seeing what tcpdump shows about the two types of traffic.
 And possibly what type of router/balancer is doing the splitting?


 This has been done too. Very clearly, tcpdump shows that for the
 none NAT-ed leg, the identity of the original requests have been
 spoofed, but the bad thing is that, it also spoofed the NAT-ed leg
 as well despite there is a POSTROUTING rule to do SNAT in
 the nat table. Seems to me the 'tproxy' directive in squid makes
 iptables nat POSTROUTING SNAT useless !

No not useless. The NAT should be symmetrically unmangling any mangled
destination on incoming traffic. As far as NAT is concerned the client is
the real requestor. You just need to be careful that the unmangling
happens BEFORE the tproxy return redirection toward squid.

The internal side of the NAT gateway can and should be treated identical
to the non-NAT firewall you mentioned. Both need to operate independant of
tproxy and on the external side of any tproxy operations.

Amos

Re: [squid-users] Squid, tproxy, nat and multi-homed

[Ming-Ching Tiew]

From: Amos Jeffries [EMAIL PROTECTED]

 No not useless. The NAT should be symmetrically unmangling any mangled
 destination on incoming traffic. As far as NAT is concerned the client is
 the real requestor. You just need to be careful that the unmangling
 happens BEFORE the tproxy return redirection toward squid.

 The internal side of the NAT gateway can and should be treated identical
 to the non-NAT firewall you mentioned. Both need to operate independant of
 tproxy and on the external side of any tproxy operations.


But the fact is that as soon as I turn on squid directive,

  http_port 3128 tproxy transparent

I will get private IP belonging to the original http web requestor
appearing
in the internet line - EVEN THOUGH - I do have a POSTROUTING
rule in the nat table to SNAT. As a matter of fact,

  iptables -t nat -nvL POSTROUTING

shows that the SNAT rule has been traversed ( and the counter is incremented
! ).

The problem goes away and everything works perfectly when I remove
'tproxy' in the squid directive !