Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
What is "fully transparent proxy"? tproxy or intercept mode? Can you give me more details on your setup? (It works here locally...) Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: setuid [mailto:set...@gmail.com] Sent: Thursday, February 22, 2018 19:58 To: Eliezer Croitoru; 'Amos Jeffries' Cc: 'setuid' ; squid-users@lists.squid-cache.org Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https) On 02/22/2018 12:29 PM, Eliezer Croitoru wrote: > Is this issue still unresolved? > After reading the whole thread and getting back to the first post I really don't understand the issue. No, unresolved. At this point, I'm firmly convinced that Squid 3.x and later _does not_ work as a fully transparent proxy on either FreeBSD nor Linux, full stop. Any version of Squid earlier than 3.x, works flawlessly in this regard with a similar configuration. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
Is this issue still unresolved? After reading the whole thread and getting back to the first post I really don't understand the issue. OK so google search "foo" didn't helped to understand how to install and configure Squid-Cache right? You got to the right place! Now if you don't plan to run Squid-Cache on-top of a Linux system, on what OS specifically do you want to run Squid-Cache on-top? Also what type of hypervisor are you using for your VM?(XEN, VMWARE, KVM, other) If you want to use a BSD flavored OS you should stick with the OS recommended firewall. For OpenBSD it's PF. For FreeBSD it's either PF or IPFW but there is something regarding PF and IPFW and multiple CPU's on the past and I'm not sure what is the state of it currently. The last time I tested(a year ago) PF was working fine on FreeBSD 10+11 but had some issue with virtio NIC's which Debian had a similar issue. If you are using a BSD OS and not planning to set it up for above 1Gbit link then just use an Intel E1000 nic to make things just work as expected. If there is a need for a test I have a lab ready to test the issue with: Linux\Windows \BSD Client's Linux\BSD Router with Squid on-top of it. When I will receive more details I might be able to clear some doubt's. Eliezer Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: elie...@ngtech.co.il -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Thursday, February 8, 2018 10:13 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https) On 08/02/18 10:11, setuid wrote: > I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5, > 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf, > ipf, ipfilter) does not work at all, when configured as a transparent > proxy. Full stop. > > I went through hundreds of posts on dozens of forums, blogs and other > resources, tried dozens and dozens of configurations suggested by those > posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu > and the various versions of Squid from the apt repos, as well as those > in BSD's ports. > > All of them, 100%, fail in _exactly_ the same way, no matter what my > configuration was set to. That result, is that _every single http > request I make_ when Squid is configured as a transparent proxy, results > in the following response being logged: > > == > 07/Feb/2018:15:10:59 -0500.213 0 192.168.1.1 TAG_NONE/400 3583 GET > / - HIER_NONE/- text/html ("-" "-") > == > > When I point a client directly at the proxy, using a browser, curl or > anything else, I see: > > == > 07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD > http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0") > == > > These were the same exact request against the same exact Squid instance. Lets start with the obvious then. HEAD is Not the same as GET. These are *different* requests. Therefore something major is wrong with your understanding of the situation. > If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is > _identical_ for every single http request I make, regardless of origin. > > My Squid configuration is 100% default, identical to the generic config, > with the exception of the following lines: > > == > http_port 3128 > http_port 3129 intercept > tcp_outgoing_address 192.168.1.25 > debug_options ALL,9 > == > > I've tried all of the obvious links, blogs and resources I could Google > up, and 100% of them fail to function as described. Most people I've > seen on the forums who attempt to get this working, throw their hands up > in defeat and end up configuring the proxy directly on every client that > needs it. > > My current environment looks like this: > > [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ] > > That router has a firewall script on it that says: > > == > #!/bin/sh > PROXY_IP=192.168.2.25 > PROXY_PORT=3128 > LAN_IP=$(nvram get lan_ipaddr) > LAN_NET=$LAN_IP/$(nvram get lan_netmask) > > iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp > --dport 80 -j ACCEPT > iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j > DNAT --to $PROXY_IP:$PROXY_PORT > > iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j > SNAT --to $LAN_IP > iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp > --dport $PROXY_PORT -j ACCEPT > == > > This takes every packet that hits the router on :80, and sends it to my > Squid server on .25, which mangles it and sends it back to 192.168.1.1 > (router), and onward back to client who requested it. > No. This takes HTTP (port 80 syntax) and sends
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 08/02/18 10:11, setuid wrote: > I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5, > 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf, > ipf, ipfilter) does not work at all, when configured as a transparent > proxy. Full stop. > > I went through hundreds of posts on dozens of forums, blogs and other > resources, tried dozens and dozens of configurations suggested by those > posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu > and the various versions of Squid from the apt repos, as well as those > in BSD's ports. > > All of them, 100%, fail in _exactly_ the same way, no matter what my > configuration was set to. That result, is that _every single http > request I make_ when Squid is configured as a transparent proxy, results > in the following response being logged: > > == > 07/Feb/2018:15:10:59 -0500.213 0 192.168.1.1 TAG_NONE/400 3583 GET > / - HIER_NONE/- text/html ("-" "-") > == > > When I point a client directly at the proxy, using a browser, curl or > anything else, I see: > > == > 07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD > http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0") > == > > These were the same exact request against the same exact Squid instance. Lets start with the obvious then. HEAD is Not the same as GET. These are *different* requests. Therefore something major is wrong with your understanding of the situation. > If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is > _identical_ for every single http request I make, regardless of origin. > > My Squid configuration is 100% default, identical to the generic config, > with the exception of the following lines: > > == > http_port 3128 > http_port 3129 intercept > tcp_outgoing_address 192.168.1.25 > debug_options ALL,9 > == > > I've tried all of the obvious links, blogs and resources I could Google > up, and 100% of them fail to function as described. Most people I've > seen on the forums who attempt to get this working, throw their hands up > in defeat and end up configuring the proxy directly on every client that > needs it. > > My current environment looks like this: > > [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ] > > That router has a firewall script on it that says: > > == > #!/bin/sh > PROXY_IP=192.168.2.25 > PROXY_PORT=3128 > LAN_IP=$(nvram get lan_ipaddr) > LAN_NET=$LAN_IP/$(nvram get lan_netmask) > > iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp > --dport 80 -j ACCEPT > iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j > DNAT --to $PROXY_IP:$PROXY_PORT > > iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j > SNAT --to $LAN_IP > iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp > --dport $PROXY_PORT -j ACCEPT > == > > This takes every packet that hits the router on :80, and sends it to my > Squid server on .25, which mangles it and sends it back to 192.168.1.1 > (router), and onward back to client who requested it. > No. This takes HTTP (port 80 syntax) and sends it to a remote proxy expecting explicit-proxy syntax. > When I was using 2.6 (without large_file support), I was using this same > exact configuration, but http_port was set to 'accel', and I didn't need > _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)". It also "Just Worked" for anyone attacking your network via CVE-2009-0801 methods. And would provide them with an effective invisibility cloak while doing so (original IP:ports destroyed by the NAT). Not exactly desirable behaviour. > > Now I need to jump through hoops to do pf incantations of rdr/direct-to > (but direct-to and direct-reply aren't supported on FreeBSD's pf, only > OpenBSD's pf supports that syntax), and iptables PREROUTING and > POSTROUTING mojo (also fails). > You need simply *route* traffic properly in the way the Internet was designed to work. Instead of abusing NAT. When that is done properly the NAT happens *only* as the final step to get the traffic into the Squid process by the machine/device/VM Squid is running on. > Here's a list of some of the resources I've tried, with 100% failure in > every case. There are dozens more that I've lost in my browser history now. > > * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw > * > https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF Hmm. I see that page is updated and missing quote a few things. Thanks for bringing this to attention. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 08/02/18 12:44, setuid wrote: > On 2/7/18 6:36 PM, Yuri wrote: >> Did you used ipfw NAT configuration on same box with squid? > > Yes, my ipfw configuration is: > > $cmd 00700 deny ip from any to any dst-port 3128 via em0 > $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0 > $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 > src-ip 192.168.1.1 > $cmd add 6 permit ip from any to any Earlier you wrote: > My Squid configuration is 100% default, identical to the generic config, > with the exception of the following lines: > > == > http_port 3128 > http_port 3129 intercept > tcp_outgoing_address 192.168.1.25 > debug_options ALL,9 > == Your IPFW rules are sending intercepted traffic to port 3128. HTTP traffic comes in multiple flavours/types. Squid-3+ enforce the port "mode" for matches the type of traffic arriving to maintain traffic integrity in the face of security vulnerabilities relevant (or not) to each traffic type. This adds some natural limitations which were not previously visible in Squid-2 which was broken, just not informing you of the problem(s). These are: * you MUST configure NAT on the same device / machine / VM that Squid is running on. Squid requires access directly to the kernel NAT tables. * you MUST only send traffic of a given type to the port with matching "mode" flag. - explicit/forward proxy is implied when *no* more specific mode is supplied, - NAT traffic requires "intercept" flag, - TPROXY traffic requires "tproxy" flag, and - interception of HTTPS traffic requires "ssl-bump" flag (which can be combined with the others) Also, were the build options displayed earlier the same ones you used for testing *BSD and Linux systems? The Linux Netfilter and *BSD PF NAT systems will never work if you disable them and permit *only* IPFW-transparent in the Squid build. Amos ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
Where ipfw runs? In virtual machine, or on hypervisor? 08.02.2018 05:44, setuid пишет: > On 2/7/18 6:36 PM, Yuri wrote: >> Did you used ipfw NAT configuration on same box with squid? > Yes, my ipfw configuration is: > > $cmd 00700 deny ip from any to any dst-port 3128 via em0 > $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0 > $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 > src-ip 192.168.1.1 > $cmd add 6 permit ip from any to any -- * * C++20 : Bug to the future * * signature.asc Description: OpenPGP digital signature ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 2/7/18 6:36 PM, Yuri wrote: > Did you used ipfw NAT configuration on same box with squid? Yes, my ipfw configuration is: $cmd 00700 deny ip from any to any dst-port 3128 via em0 $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0 $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1 $cmd add 6 permit ip from any to any ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
Squid is relatively difficult to run with transparent mode on virtual platforms due to NAT limitations on virtual platforms (this is not squid's issue, this is issue if virtual platforms). I'm using squid only in transparent mode (only in transparent mode) several years on Solaris (bare metal) without any issues in HTTP/HTTPS interception. With IPFilter. With 1-2-6-8 interfaces with different LAN topologies. Starting from Squid 2.7, then 3.4, 3.5, 4.x and now 5.x. All without serious problems. But on bare-metal. 08.02.2018 05:25, setuid пишет: > On 2/7/18 5:37 PM, Rafael Akchurin wrote: >> How is your network configured? Your rules indicate you have 2 nics but you >> later say you have one.. > Originally, I started with 1 NIC (it's a VM), and added 2 more, because > I read that pf/ipfw can't rewrite ingress packets on the same interface > it used for egress, but I haven't tried creating a bridge and routes to > attempt to make that work yet. > > The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet > routable IP bound to eth0) and the secondary NIC sits on the "backup" > network (LAN-side) on 192.168.2.x. > > Let's break it down: > > [WAN router] > |-- LAN: 192.168.1.1 (wired LAN) > `-- WWAN: 10.0.1.1 (wireless clients) > > BSD VM: 192.168.1.25 > > Ubuntu VM: > |-- INET: 32.215.x.x > `-- LAN: 192.168.2.x > > The WAN router is what sends traffic sent over it on :80, over to .1.25 > (BSD) to cache. > > Previously, I had it pointed to Squid 2.6 sitting on my NAS > (192.168.1.20) and that would work perfectly as a transparent proxy. > > When I pointed the WAN router to .25 instead of .20, and upgraded the > version of Squid by using BSD's version from ports on .25, this process > all fell apart. > > So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a > requirement to get transparent proxying working with anything using > Squid 3.x or later? > > Can this be done with a single NIC sitting on an Internet-facing LAN > segment? > > If so, how? > ___ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users -- * * C++20 : Bug to the future * * signature.asc Description: OpenPGP digital signature ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
If you configured squid with '--enable-ipfw-transparent' you should use manual for ipfw configuration. Did you used ipfw NAT configuration on same box with squid? 08.02.2018 05:14, setuid пишет: > On 2/7/18 4:31 PM, Yuri wrote: >> I'm not seen your configuration options for squid. Not squid.conf. Just >> ./configure options. > Here's what I'm building with (from 'make config' in ports tree) > > '--bindir=/usr/local/sbin' > '--build=amd64-portbld-freebsd11.1' > '--datadir=/usr/local/etc/squid' > '--disable-arch-native' > '--disable-ecap' > '--disable-epoll' > '--disable-esi' > '--disable-ipf-transparent' > '--disable-ipv6' > '--disable-linux-netfilter' > '--disable-linux-tproxy' > '--disable-pf-transparent' > '--disable-silent-rules' > '--disable-snmp' > '--disable-ssl' > '--disable-ssl-crtd' > '--disable-stacktraces' > '--disable-translation' > '--enable-auth' > '--enable-auth-basic=DB > '--enable-auth-digest=file' > '--enable-auth-negotiate=none' > '--enable-auth-ntlm=fake > '--enable-build-info' > '--enable-cache-digests' > '--enable-delay-pools' > '--enable-disk-io=DiskThreads > '--enable-eui' > '--enable-external-acl-helpers=file_userip > '--enable-follow-x-forwarded-for' > '--enable-forw-via-db' > '--enable-htcp' > '--enable-http-violations' > '--enable-icap-client' > '--enable-icmp' > '--enable-ident-lookups' > '--enable-ipfw-transparent' > '--enable-kqueue' > '--enable-loadable-modules' > '--enable-log-daemon-helpers=file' > '--enable-removal-policies=lru > '--enable-security-cert-validators=fake' > '--enable-storeid-rewrite-helpers=file' > '--enable-storeio=aufs > '--enable-url-rewrite-helpers=fake' > '--enable-wccp' > '--enable-wccpv2' > '--enable-zph-qos' > '--infodir=/usr/local/info/' > '--libexecdir=/usr/local/libexec/squid' > '--localstatedir=/var' > '--mandir=/usr/local/man' > '--prefix=/usr/local' > '--sbindir=/usr/local/sbin' > '--sysconfdir=/usr/local/etc/squid' > '--with-default-user=squid' > '--with-large-files' > '--with-logdir=/var/log/squid' > '--with-pidfile=/var/run/squid/squid.pid' > '--with-swapdir=/var/squid/cache' > '--without-gnutls' > '--without-gss' > '--without-heimdal-krb5' > '--without-mit-krb5' > '--without-nat-devpf' > '--without-nettle' -- * * C++20 : Bug to the future * * signature.asc Description: OpenPGP digital signature ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 2/7/18 5:37 PM, Rafael Akchurin wrote: > How is your network configured? Your rules indicate you have 2 nics but you > later say you have one.. Originally, I started with 1 NIC (it's a VM), and added 2 more, because I read that pf/ipfw can't rewrite ingress packets on the same interface it used for egress, but I haven't tried creating a bridge and routes to attempt to make that work yet. The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet routable IP bound to eth0) and the secondary NIC sits on the "backup" network (LAN-side) on 192.168.2.x. Let's break it down: [WAN router] |-- LAN: 192.168.1.1 (wired LAN) `-- WWAN: 10.0.1.1 (wireless clients) BSD VM: 192.168.1.25 Ubuntu VM: |-- INET: 32.215.x.x `-- LAN: 192.168.2.x The WAN router is what sends traffic sent over it on :80, over to .1.25 (BSD) to cache. Previously, I had it pointed to Squid 2.6 sitting on my NAS (192.168.1.20) and that would work perfectly as a transparent proxy. When I pointed the WAN router to .25 instead of .20, and upgraded the version of Squid by using BSD's version from ports on .25, this process all fell apart. So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a requirement to get transparent proxying working with anything using Squid 3.x or later? Can this be done with a single NIC sitting on an Internet-facing LAN segment? If so, how? ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 2/7/18 4:31 PM, Yuri wrote: > I'm not seen your configuration options for squid. Not squid.conf. Just > ./configure options. Here's what I'm building with (from 'make config' in ports tree) '--bindir=/usr/local/sbin' '--build=amd64-portbld-freebsd11.1' '--datadir=/usr/local/etc/squid' '--disable-arch-native' '--disable-ecap' '--disable-epoll' '--disable-esi' '--disable-ipf-transparent' '--disable-ipv6' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-pf-transparent' '--disable-silent-rules' '--disable-snmp' '--disable-ssl' '--disable-ssl-crtd' '--disable-stacktraces' '--disable-translation' '--enable-auth' '--enable-auth-basic=DB '--enable-auth-digest=file' '--enable-auth-negotiate=none' '--enable-auth-ntlm=fake '--enable-build-info' '--enable-cache-digests' '--enable-delay-pools' '--enable-disk-io=DiskThreads '--enable-eui' '--enable-external-acl-helpers=file_userip '--enable-follow-x-forwarded-for' '--enable-forw-via-db' '--enable-htcp' '--enable-http-violations' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipfw-transparent' '--enable-kqueue' '--enable-loadable-modules' '--enable-log-daemon-helpers=file' '--enable-removal-policies=lru '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-storeio=aufs '--enable-url-rewrite-helpers=fake' '--enable-wccp' '--enable-wccpv2' '--enable-zph-qos' '--infodir=/usr/local/info/' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--mandir=/usr/local/man' '--prefix=/usr/local' '--sbindir=/usr/local/sbin' '--sysconfdir=/usr/local/etc/squid' '--with-default-user=squid' '--with-large-files' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--without-gss' '--without-heimdal-krb5' '--without-mit-krb5' '--without-nat-devpf' '--without-nettle' ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
Thats strange. How is your network configured? Your rules indicate you have 2 nics but you later say you have one.. Best regards, Rafael Akchurin > Op 7 feb. 2018 om 23:31 heeft setuidhet volgende > geschreven: > >> On 02/07/2018 04:38 PM, Rafael Akchurin wrote: >> If you do not mind looking at other tutorials - these are what we have in >> the test lab. > >> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html > > I can confirm that the instructions in this tutorial results in the same > exact failure scenario as all previous attempts and tests (once I > removed the unnecessary Apache/Web Safety bits). > > Firewall rules are: > > -A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT > -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT > -A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT > > Squid config is generic, with the exception of: > > http_port 3126 intercept > > There is a single interface on the host, which resides on the LAN _and_ > is Internet-facing (eth0). > > The result is that I get the same as before: > > ==> /var/log/squid3/access.log <== > 1518042565.613 0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- > text/html > > If I point the client (curl, browser, perl + LWP) at the proxy directly > on 3128, it works as expected. > > I am firmly convinved that _transparent_ proxying with squid, is 100% > non-functional. The proxy works fine, but transparent proxying is > demonstrably broken in anything later than 3.x. > ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 02/07/2018 04:38 PM, Rafael Akchurin wrote: > If you do not mind looking at other tutorials - these are what we have in the > test lab. > https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html I can confirm that the instructions in this tutorial results in the same exact failure scenario as all previous attempts and tests (once I removed the unnecessary Apache/Web Safety bits). Firewall rules are: -A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT -A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT Squid config is generic, with the exception of: http_port 3126 intercept There is a single interface on the host, which resides on the LAN _and_ is Internet-facing (eth0). The result is that I get the same as before: ==> /var/log/squid3/access.log <== 1518042565.613 0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html If I point the client (curl, browser, perl + LWP) at the proxy directly on 3128, it works as expected. I am firmly convinved that _transparent_ proxying with squid, is 100% non-functional. The proxy works fine, but transparent proxying is demonstrably broken in anything later than 3.x. ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
No unfortunately nothing like this is in our lab for FreeBSD - but default Squid package in pfSense runs transparently without issues I have heard (or with other issues than you have). Best regards, Rafael Akchurin Diladele B.V. -Original Message- From: setuid [mailto:set...@gmail.com] Sent: Wednesday, February 7, 2018 10:45 PM To: Rafael Akchurin; squid-users@lists.squid-cache.org Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https) On 02/07/2018 04:38 PM, Rafael Akchurin wrote: > If you do not mind looking at other tutorials - these are what we have in the test lab. > https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.htm > l > https://docs.diladele.com/tutorials/policy_based_routing_squid/index.h > tml Thanks for the quick reply. Do you have a version of these that is BSD-specific? I'm ultimately going to run Squid exclusively on BSD, although was using Linux as a means to validate that the functionality to do transparent proxying was broken (confirmed in both OS'). I'll give these a go tonight on Ubuntu and see where I get. I do see the Apache/Web Safety hooks as "interesting", but they should be decoupled as they're not required to get this working (and are likely prohibited in many-to-most enterprises who would deploy a proxy in this fashion). ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 02/07/2018 04:38 PM, Rafael Akchurin wrote: > If you do not mind looking at other tutorials - these are what we have in the test lab. > https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html > https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html Thanks for the quick reply. Do you have a version of these that is BSD-specific? I'm ultimately going to run Squid exclusively on BSD, although was using Linux as a means to validate that the functionality to do transparent proxying was broken (confirmed in both OS'). I'll give these a go tonight on Ubuntu and see where I get. I do see the Apache/Web Safety hooks as "interesting", but they should be decoupled as they're not required to get this working (and are likely prohibited in many-to-most enterprises who would deploy a proxy in this fashion). ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
Hello setuid, If you do not mind looking at other tutorials - these are what we have in the test lab. https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html First one for Squid running on the gateway and the second one for separate Squid that intercepts traffic re-routed from the router using Policy-Based-Routing. The tutorials are working, I test it with every release of our ICAP web filter. Best regards, Rafael Akchurin Diladele B.V. -Original Message- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of setuid Sent: Wednesday, February 7, 2018 10:11 PM To: squid-users@lists.squid-cache.org Subject: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https) I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5, 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf, ipf, ipfilter) does not work at all, when configured as a transparent proxy. Full stop. I went through hundreds of posts on dozens of forums, blogs and other resources, tried dozens and dozens of configurations suggested by those posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu and the various versions of Squid from the apt repos, as well as those in BSD's ports. All of them, 100%, fail in _exactly_ the same way, no matter what my configuration was set to. That result, is that _every single http request I make_ when Squid is configured as a transparent proxy, results in the following response being logged: == 07/Feb/2018:15:10:59 -0500.213 0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html ("-" "-") == When I point a client directly at the proxy, using a browser, curl or anything else, I see: == 07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0") == These were the same exact request against the same exact Squid instance. If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is _identical_ for every single http request I make, regardless of origin. My Squid configuration is 100% default, identical to the generic config, with the exception of the following lines: == http_port 3128 http_port 3129 intercept tcp_outgoing_address 192.168.1.25 debug_options ALL,9 == I've tried all of the obvious links, blogs and resources I could Google up, and 100% of them fail to function as described. Most people I've seen on the forums who attempt to get this working, throw their hands up in defeat and end up configuring the proxy directly on every client that needs it. My current environment looks like this: [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ] That router has a firewall script on it that says: == #!/bin/sh PROXY_IP=192.168.2.25 PROXY_PORT=3128 LAN_IP=$(nvram get lan_ipaddr) LAN_NET=$LAN_IP/$(nvram get lan_netmask) iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT == This takes every packet that hits the router on :80, and sends it to my Squid server on .25, which mangles it and sends it back to 192.168.1.1 (router), and onward back to client who requested it. When I was using 2.6 (without large_file support), I was using this same exact configuration, but http_port was set to 'accel', and I didn't need _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)". Now I need to jump through hoops to do pf incantations of rdr/direct-to (but direct-to and direct-reply aren't supported on FreeBSD's pf, only OpenBSD's pf supports that syntax), and iptables PREROUTING and POSTROUTING mojo (also fails). Here's a list of some of the resources I've tried, with 100% failure in every case. There are dozens more that I've lost in my browser history now. * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw * https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF * https://www.benzedrine.ch/transquid.html * https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/ * https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html * https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/ * https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu * https://ubuntuforums.org/showthread.php?t=2210987 *
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
One stupid idiotic question. Did you build your squid with transparent NAT support? This is mandatory prerequisite for transparent squid. I'm not seen your configuration options for squid. Not squid.conf. Just ./configure options. 08.02.2018 03:11, setuid пишет: > I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5, > 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf, > ipf, ipfilter) does not work at all, when configured as a transparent > proxy. Full stop. > > I went through hundreds of posts on dozens of forums, blogs and other > resources, tried dozens and dozens of configurations suggested by those > posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu > and the various versions of Squid from the apt repos, as well as those > in BSD's ports. > > All of them, 100%, fail in _exactly_ the same way, no matter what my > configuration was set to. That result, is that _every single http > request I make_ when Squid is configured as a transparent proxy, results > in the following response being logged: > > == > 07/Feb/2018:15:10:59 -0500.213 0 192.168.1.1 TAG_NONE/400 3583 GET > / - HIER_NONE/- text/html ("-" "-") > == > > When I point a client directly at the proxy, using a browser, curl or > anything else, I see: > > == > 07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD > http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0") > == > > These were the same exact request against the same exact Squid instance. > If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is > _identical_ for every single http request I make, regardless of origin. > > My Squid configuration is 100% default, identical to the generic config, > with the exception of the following lines: > > == > http_port 3128 > http_port 3129 intercept > tcp_outgoing_address 192.168.1.25 > debug_options ALL,9 > == > > I've tried all of the obvious links, blogs and resources I could Google > up, and 100% of them fail to function as described. Most people I've > seen on the forums who attempt to get this working, throw their hands up > in defeat and end up configuring the proxy directly on every client that > needs it. > > My current environment looks like this: > > [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ] > > That router has a firewall script on it that says: > > == > #!/bin/sh > PROXY_IP=192.168.2.25 > PROXY_PORT=3128 > LAN_IP=$(nvram get lan_ipaddr) > LAN_NET=$LAN_IP/$(nvram get lan_netmask) > > iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp > --dport 80 -j ACCEPT > iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j > DNAT --to $PROXY_IP:$PROXY_PORT > > iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j > SNAT --to $LAN_IP > iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp > --dport $PROXY_PORT -j ACCEPT > == > > This takes every packet that hits the router on :80, and sends it to my > Squid server on .25, which mangles it and sends it back to 192.168.1.1 > (router), and onward back to client who requested it. > > When I was using 2.6 (without large_file support), I was using this same > exact configuration, but http_port was set to 'accel', and I didn't need > _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)". > > Now I need to jump through hoops to do pf incantations of rdr/direct-to > (but direct-to and direct-reply aren't supported on FreeBSD's pf, only > OpenBSD's pf supports that syntax), and iptables PREROUTING and > POSTROUTING mojo (also fails). > > Here's a list of some of the resources I've tried, with 100% failure in > every case. There are dozens more that I've lost in my browser history now. > > * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw > * > https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF > * https://www.benzedrine.ch/transquid.html > * > https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/ > * > https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html > * > https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/ > * https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu > * https://ubuntuforums.org/showthread.php?t=2210987 > * > http://ubuntuserverguide.com/2012/06/how-to-setup-squid3-as-transparent-proxy-on-ubuntu-server-12-04.html > * > http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https > > I also tried asking in #squid on Freenode (dead channel), and #FreeBSD > (helpful folks there, but they too, failed to get this working). > > So I'm at an impasse. Is this just 100%
Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)
On 02/07/2018 04:11 PM, setuid wrote: > That router has a firewall script on it that says: > == > #!/bin/sh > PROXY_IP=192.168.2.25 Yes, this is a typo here in email but is correct in the router's firewall script. This should be either 192.168.2.20 or 192.168.1.25; both are Squid caches inside my LAN on Ubuntu and BSD respectively. Here's an example of my ipfw rules, for comparison: == $cmd 00700 deny ip from any to any dst-port 3128 via em0 $cmd 00800 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any dst-port 80 via em0 $cmd 00810 fwd 127.0.0.1,3128 ip from any to any dst-port 21 src-ip 192.168.1.0/24 $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.1 src-ip 192.168.1.0/24 == ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users