subject:"Re\: \[squid\-users\] Squid 3.x or 4.x acting as a transparent http proxy \(NOT https\)"

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-22 Thread Eliezer Croitoru

What is "fully transparent proxy"? tproxy or intercept mode?
Can you give me more details on your setup? (It works here locally...)

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-Original Message-
From: setuid [mailto:set...@gmail.com] 
Sent: Thursday, February 22, 2018 19:58
To: Eliezer Croitoru ; 'Amos Jeffries' 

Cc: 'setuid' ; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy 
(NOT https)

On 02/22/2018 12:29 PM, Eliezer Croitoru wrote:
> Is this issue still unresolved?
> After reading the whole thread and getting back to the first post I
really don't understand the issue.

No, unresolved. At this point, I'm firmly convinced that Squid 3.x and
later _does not_ work as a fully transparent proxy on either FreeBSD nor
Linux, full stop.

Any version  of Squid earlier than 3.x, works flawlessly in this regard
with a similar configuration.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-22 Thread Eliezer Croitoru

Is this issue still unresolved?
After reading the whole thread and getting back to the first post I really 
don't understand the issue.
OK so google search "foo" didn't helped to understand how to install and 
configure Squid-Cache right?
You got to the right place!

Now if you don't plan to run Squid-Cache on-top of a Linux system, on what OS 
specifically do you want to run Squid-Cache on-top?
Also what type of hypervisor are you using for your VM?(XEN, VMWARE, KVM, other)
If you want to use a BSD flavored OS you should stick with the OS recommended 
firewall.
For OpenBSD it's PF.
For FreeBSD it's either PF or IPFW but there is something regarding PF and IPFW 
and multiple CPU's on the past and I'm not sure what is the state of it 
currently.
The last time I tested(a year ago) PF was working fine on FreeBSD 10+11 but had 
some issue with virtio NIC's which Debian had a similar issue.
If you are using a BSD OS and not planning to set it up for above 1Gbit link 
then just use an Intel E1000 nic to make things just work as expected.

If there is a need for a test I have a lab ready to test the issue with:
Linux\Windows \BSD Client's
Linux\BSD Router with Squid on-top of it.

When I will receive more details I might be able to clear some doubt's.

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Thursday, February 8, 2018 10:13
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy 
(NOT https)

On 08/02/18 10:11, setuid wrote:
> I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
> 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf,
> ipf, ipfilter) does not work at all, when configured as a transparent
> proxy. Full stop.
> 
> I went through hundreds of posts on dozens of forums, blogs and other
> resources, tried dozens and dozens of configurations suggested by those
> posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
> and the various versions of Squid from the apt repos, as well as those
> in BSD's ports.
> 
> All of them, 100%, fail in _exactly_ the same way, no matter what my
> configuration was set to. That result, is that _every single http
> request I make_ when Squid is configured as a transparent proxy, results
> in the following response being logged:
> 
> ==
>   07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
> / - HIER_NONE/- text/html ("-" "-")
> ==
> 
> When I point a client directly at the proxy, using a browser, curl or
> anything else, I see:
> 
> ==
>   07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
> http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
> ==
> 
> These were the same exact request against the same exact Squid instance.

Lets start with the obvious then. HEAD is Not the same as GET. These are
*different* requests. Therefore something major is wrong with your
understanding of the situation.

> If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
> _identical_ for every single http request I make, regardless of origin.
> 
> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
> 
> ==
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ==
> 
> I've tried all of the obvious links, blogs and resources I could Google
> up, and 100% of them fail to function as described. Most people I've
> seen on the forums who attempt to get this working, throw their hands up
> in defeat and end up configuring the proxy directly on every client that
> needs it.
> 
> My current environment looks like this:
> 
> [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]
> 
> That router has a firewall script on it that says:
> 
> ==
> #!/bin/sh
> PROXY_IP=192.168.2.25
> PROXY_PORT=3128
> LAN_IP=$(nvram get lan_ipaddr)
> LAN_NET=$LAN_IP/$(nvram get lan_netmask)
> 
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp
> --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j
> DNAT --to $PROXY_IP:$PROXY_PORT
> 
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j
> SNAT --to $LAN_IP
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
> --dport $PROXY_PORT -j ACCEPT
> ==
> 
> This takes every packet that hits the router on :80, and sends it to my
> Squid server on .25, which mangles it and sends it back to 192.168.1.1
> (router), and onward back to client who requested it.
> 

No. This takes HTTP (port 80 syntax) and sends

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-08 Thread Amos Jeffries


On 08/02/18 10:11, setuid wrote:
> I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
> 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf,
> ipf, ipfilter) does not work at all, when configured as a transparent
> proxy. Full stop.
> 
> I went through hundreds of posts on dozens of forums, blogs and other
> resources, tried dozens and dozens of configurations suggested by those
> posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
> and the various versions of Squid from the apt repos, as well as those
> in BSD's ports.
> 
> All of them, 100%, fail in _exactly_ the same way, no matter what my
> configuration was set to. That result, is that _every single http
> request I make_ when Squid is configured as a transparent proxy, results
> in the following response being logged:
> 
> ==
>   07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
> / - HIER_NONE/- text/html ("-" "-")
> ==
> 
> When I point a client directly at the proxy, using a browser, curl or
> anything else, I see:
> 
> ==
>   07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
> http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
> ==
> 
> These were the same exact request against the same exact Squid instance.

Lets start with the obvious then. HEAD is Not the same as GET. These are
*different* requests. Therefore something major is wrong with your
understanding of the situation.


> If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
> _identical_ for every single http request I make, regardless of origin.
> 
> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
> 
> ==
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ==
> 
> I've tried all of the obvious links, blogs and resources I could Google
> up, and 100% of them fail to function as described. Most people I've
> seen on the forums who attempt to get this working, throw their hands up
> in defeat and end up configuring the proxy directly on every client that
> needs it.
> 
> My current environment looks like this:
> 
> [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]
> 
> That router has a firewall script on it that says:
> 
> ==
> #!/bin/sh
> PROXY_IP=192.168.2.25
> PROXY_PORT=3128
> LAN_IP=$(nvram get lan_ipaddr)
> LAN_NET=$LAN_IP/$(nvram get lan_netmask)
> 
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp
> --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j
> DNAT --to $PROXY_IP:$PROXY_PORT
> 
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j
> SNAT --to $LAN_IP
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
> --dport $PROXY_PORT -j ACCEPT
> ==
> 
> This takes every packet that hits the router on :80, and sends it to my
> Squid server on .25, which mangles it and sends it back to 192.168.1.1
> (router), and onward back to client who requested it.
> 

No. This takes HTTP (port 80 syntax) and sends it to a remote proxy
expecting explicit-proxy syntax.


> When I was using 2.6 (without large_file support), I was using this same
> exact configuration, but http_port was set to 'accel', and I didn't need
> _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)".


It also "Just Worked" for anyone attacking your network via
CVE-2009-0801 methods. And would provide them with an effective
invisibility cloak while doing so (original IP:ports destroyed by the NAT).
 Not exactly desirable behaviour.



> 
> Now I need to jump through hoops to do pf incantations of rdr/direct-to
> (but direct-to and direct-reply aren't supported on FreeBSD's pf, only
> OpenBSD's pf supports that syntax), and iptables PREROUTING and
> POSTROUTING mojo (also fails).
> 

You need simply *route* traffic properly in the way the Internet was
designed to work. Instead of abusing NAT.

When that is done properly the NAT happens *only* as the final step to
get the traffic into the Squid process by the machine/device/VM Squid is
running on.


> Here's a list of some of the resources I've tried, with 100% failure in
> every case. There are dozens more that I've lost in my browser history now.
> 
> * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
> *
> https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF

Hmm. I see that page is updated and missing quote a few things. Thanks
for bringing this to attention.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Amos Jeffries

On 08/02/18 12:44, setuid wrote:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you used ipfw NAT configuration on same box with squid?
> 
> Yes, my ipfw configuration is:
> 
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25
> src-ip 192.168.1.1
> $cmd add 6 permit ip from any to any

Earlier you wrote:

> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ==
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ==

Your IPFW rules are sending intercepted traffic to port 3128.

HTTP traffic comes in multiple flavours/types. Squid-3+ enforce the port
"mode" for matches the type of traffic arriving to maintain traffic
integrity in the face of security vulnerabilities relevant (or not) to
each traffic type.

This adds some natural limitations which were not previously visible in
Squid-2 which was broken, just not informing you of the problem(s).

These are:

* you MUST configure NAT on the same device / machine / VM that Squid is
running on. Squid requires access directly to the kernel NAT tables.

* you MUST only send traffic of a given type to the port with matching
"mode" flag.
 - explicit/forward proxy is implied when *no* more specific mode is
supplied,
 - NAT traffic requires "intercept" flag,
 - TPROXY traffic requires "tproxy" flag, and
 - interception of HTTPS traffic requires "ssl-bump" flag (which can be
combined with the others)

Also, were the build options displayed earlier the same ones you used
for testing *BSD and Linux systems?
 The Linux Netfilter and *BSD PF NAT systems will never work if you
disable them and permit *only* IPFW-transparent in the Squid build.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri

Where ipfw runs? In virtual machine, or on hypervisor?


08.02.2018 05:44, setuid пишет:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you used ipfw NAT configuration on same box with squid?
> Yes, my ipfw configuration is:
>
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25
> src-ip 192.168.1.1
> $cmd add 6 permit ip from any to any

-- 
*
* C++20 : Bug to the future *
*




signature.asc
Description: OpenPGP digital signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid

On 2/7/18 6:36 PM, Yuri wrote:
> Did you used ipfw NAT configuration on same box with squid?

Yes, my ipfw configuration is:

$cmd 00700 deny ip from any to any dst-port 3128 via em0
$cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
$cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25
src-ip 192.168.1.1
$cmd add 6 permit ip from any to any
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri

Squid is relatively difficult to run with transparent mode on virtual
platforms due to NAT limitations on virtual platforms (this is not
squid's issue, this is issue if virtual platforms).

I'm using squid only in transparent mode (only in transparent mode)
several years on Solaris (bare metal) without any issues in HTTP/HTTPS
interception. With IPFilter. With 1-2-6-8 interfaces with different LAN
topologies. Starting from Squid 2.7, then 3.4, 3.5, 4.x and now 5.x. All
without serious problems.

But on bare-metal.

08.02.2018 05:25, setuid пишет:
> On 2/7/18 5:37 PM, Rafael Akchurin wrote:
>> How is your network configured? Your rules indicate you have 2 nics but you 
>> later say you have one..
> Originally, I started with 1 NIC (it's a VM), and added 2 more, because
> I read that pf/ipfw can't rewrite ingress packets on the same interface
> it used for egress, but I haven't tried creating a bridge and routes to
> attempt to make that work yet.
>
> The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
> routable IP bound to eth0) and the secondary NIC sits on the "backup"
> network (LAN-side) on 192.168.2.x.
>
> Let's break it down:
>
> [WAN router]
>   |-- LAN: 192.168.1.1 (wired LAN)
>   `-- WWAN: 10.0.1.1 (wireless clients)
>
> BSD VM: 192.168.1.25
>
> Ubuntu VM:
>   |-- INET: 32.215.x.x
>   `-- LAN: 192.168.2.x
>
> The WAN router is what sends traffic sent over it on :80, over to .1.25
> (BSD) to cache.
>
> Previously, I had it pointed to Squid 2.6 sitting on my NAS
> (192.168.1.20) and that would work perfectly as a transparent proxy.
>
> When I pointed the WAN router to .25 instead of .20, and upgraded the
> version of Squid by using BSD's version from ports on .25, this process
> all fell apart.
>
> So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
> requirement to get transparent proxying working with anything using
> Squid 3.x or later?
>
> Can this be done with a single NIC sitting on an Internet-facing LAN
> segment?
>
> If so, how?
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
*
* C++20 : Bug to the future *
*




signature.asc
Description: OpenPGP digital signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri

If you configured squid with

'--enable-ipfw-transparent'

you should use manual for ipfw configuration.

Did you used ipfw NAT configuration on same box with squid?

08.02.2018 05:14, setuid пишет:
> On 2/7/18 4:31 PM, Yuri wrote:
>> I'm not seen your configuration options for squid. Not squid.conf. Just
>> ./configure options.
> Here's what I'm building with (from 'make config' in ports tree)
>
> '--bindir=/usr/local/sbin'
> '--build=amd64-portbld-freebsd11.1'
> '--datadir=/usr/local/etc/squid'
> '--disable-arch-native'
> '--disable-ecap'
> '--disable-epoll'
> '--disable-esi'
> '--disable-ipf-transparent'
> '--disable-ipv6'
> '--disable-linux-netfilter'
> '--disable-linux-tproxy'
> '--disable-pf-transparent'
> '--disable-silent-rules'
> '--disable-snmp'
> '--disable-ssl'
> '--disable-ssl-crtd'
> '--disable-stacktraces'
> '--disable-translation'
> '--enable-auth'
> '--enable-auth-basic=DB
> '--enable-auth-digest=file'
> '--enable-auth-negotiate=none'
> '--enable-auth-ntlm=fake
> '--enable-build-info'
> '--enable-cache-digests'
> '--enable-delay-pools'
> '--enable-disk-io=DiskThreads
> '--enable-eui'
> '--enable-external-acl-helpers=file_userip
> '--enable-follow-x-forwarded-for'
> '--enable-forw-via-db'
> '--enable-htcp'
> '--enable-http-violations'
> '--enable-icap-client'
> '--enable-icmp'
> '--enable-ident-lookups'
> '--enable-ipfw-transparent'
> '--enable-kqueue'
> '--enable-loadable-modules'
> '--enable-log-daemon-helpers=file'
> '--enable-removal-policies=lru
> '--enable-security-cert-validators=fake'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-storeio=aufs
> '--enable-url-rewrite-helpers=fake'
> '--enable-wccp'
> '--enable-wccpv2'
> '--enable-zph-qos'
> '--infodir=/usr/local/info/'
> '--libexecdir=/usr/local/libexec/squid'
> '--localstatedir=/var'
> '--mandir=/usr/local/man'
> '--prefix=/usr/local'
> '--sbindir=/usr/local/sbin'
> '--sysconfdir=/usr/local/etc/squid'
> '--with-default-user=squid'
> '--with-large-files'
> '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache'
> '--without-gnutls'
> '--without-gss'
> '--without-heimdal-krb5'
> '--without-mit-krb5'
> '--without-nat-devpf'
> '--without-nettle'

-- 
*
* C++20 : Bug to the future *
*




signature.asc
Description: OpenPGP digital signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid

On 2/7/18 5:37 PM, Rafael Akchurin wrote:
> How is your network configured? Your rules indicate you have 2 nics but you 
> later say you have one..

Originally, I started with 1 NIC (it's a VM), and added 2 more, because
I read that pf/ipfw can't rewrite ingress packets on the same interface
it used for egress, but I haven't tried creating a bridge and routes to
attempt to make that work yet.

The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
routable IP bound to eth0) and the secondary NIC sits on the "backup"
network (LAN-side) on 192.168.2.x.

Let's break it down:

[WAN router]
  |-- LAN: 192.168.1.1 (wired LAN)
  `-- WWAN: 10.0.1.1 (wireless clients)

BSD VM: 192.168.1.25

Ubuntu VM:
  |-- INET: 32.215.x.x
  `-- LAN: 192.168.2.x

The WAN router is what sends traffic sent over it on :80, over to .1.25
(BSD) to cache.

Previously, I had it pointed to Squid 2.6 sitting on my NAS
(192.168.1.20) and that would work perfectly as a transparent proxy.

When I pointed the WAN router to .25 instead of .20, and upgraded the
version of Squid by using BSD's version from ports on .25, this process
all fell apart.

So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
requirement to get transparent proxying working with anything using
Squid 3.x or later?

Can this be done with a single NIC sitting on an Internet-facing LAN
segment?

If so, how?
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid

On 2/7/18 4:31 PM, Yuri wrote:
> I'm not seen your configuration options for squid. Not squid.conf. Just
> ./configure options.

Here's what I'm building with (from 'make config' in ports tree)

'--bindir=/usr/local/sbin'
'--build=amd64-portbld-freebsd11.1'
'--datadir=/usr/local/etc/squid'
'--disable-arch-native'
'--disable-ecap'
'--disable-epoll'
'--disable-esi'
'--disable-ipf-transparent'
'--disable-ipv6'
'--disable-linux-netfilter'
'--disable-linux-tproxy'
'--disable-pf-transparent'
'--disable-silent-rules'
'--disable-snmp'
'--disable-ssl'
'--disable-ssl-crtd'
'--disable-stacktraces'
'--disable-translation'
'--enable-auth'
'--enable-auth-basic=DB
'--enable-auth-digest=file'
'--enable-auth-negotiate=none'
'--enable-auth-ntlm=fake
'--enable-build-info'
'--enable-cache-digests'
'--enable-delay-pools'
'--enable-disk-io=DiskThreads
'--enable-eui'
'--enable-external-acl-helpers=file_userip
'--enable-follow-x-forwarded-for'
'--enable-forw-via-db'
'--enable-htcp'
'--enable-http-violations'
'--enable-icap-client'
'--enable-icmp'
'--enable-ident-lookups'
'--enable-ipfw-transparent'
'--enable-kqueue'
'--enable-loadable-modules'
'--enable-log-daemon-helpers=file'
'--enable-removal-policies=lru
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-storeio=aufs
'--enable-url-rewrite-helpers=fake'
'--enable-wccp'
'--enable-wccpv2'
'--enable-zph-qos'
'--infodir=/usr/local/info/'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var'
'--mandir=/usr/local/man'
'--prefix=/usr/local'
'--sbindir=/usr/local/sbin'
'--sysconfdir=/usr/local/etc/squid'
'--with-default-user=squid'
'--with-large-files'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--with-swapdir=/var/squid/cache'
'--without-gnutls'
'--without-gss'
'--without-heimdal-krb5'
'--without-mit-krb5'
'--without-nat-devpf'
'--without-nettle'
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin

Thats strange. 
How is your network configured? Your rules indicate you have 2 nics but you 
later say you have one..

Best regards,
Rafael Akchurin

> Op 7 feb. 2018 om 23:31 heeft setuid  het volgende 
> geschreven:
> 
>> On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
>> If you do not mind looking at other tutorials - these are what we have in 
>> the test lab.
> 
>> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> 
> I can confirm that the instructions in this tutorial results in the same
> exact failure scenario as all previous attempts and tests (once I
> removed the unnecessary Apache/Web Safety bits).
> 
> Firewall rules are:
> 
> -A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT
> 
> Squid config is generic, with the exception of:
> 
> http_port 3126 intercept
> 
> There is a single interface on the host, which resides on the LAN _and_
> is Internet-facing (eth0).
> 
> The result is that I get the same as before:
> 
> ==> /var/log/squid3/access.log <==
> 1518042565.613  0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/-
> text/html
> 
> If I point the client (curl, browser, perl + LWP) at the proxy directly
> on 3128, it works as expected.
> 
> I am firmly convinved that _transparent_ proxying with squid, is 100%
> non-functional. The proxy works fine, but transparent proxying is
> demonstrably broken in anything later than 3.x.
> 
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid

On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have in the 
> test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html

I can confirm that the instructions in this tutorial results in the same
exact failure scenario as all previous attempts and tests (once I
removed the unnecessary Apache/Web Safety bits).

Firewall rules are:

-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT

Squid config is generic, with the exception of:

http_port 3126 intercept

There is a single interface on the host, which resides on the LAN _and_
is Internet-facing (eth0).

The result is that I get the same as before:

==> /var/log/squid3/access.log <==
1518042565.613  0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/-
text/html

If I point the client (curl, browser, perl + LWP) at the proxy directly
on 3128, it works as expected.

I am firmly convinved that _transparent_ proxying with squid, is 100%
non-functional. The proxy works fine, but transparent proxying is
demonstrably broken in anything later than 3.x.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin

No unfortunately nothing like this is in our lab for FreeBSD - but default 
Squid package in pfSense runs transparently without issues I have heard (or 
with other issues than you have).

Best regards,
Rafael Akchurin
Diladele B.V.

-Original Message-
From: setuid [mailto:set...@gmail.com] 
Sent: Wednesday, February 7, 2018 10:45 PM
To: Rafael Akchurin ; 
squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy 
(NOT https)

On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have
in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.htm
> l 
> https://docs.diladele.com/tutorials/policy_based_routing_squid/index.h
> tml

Thanks for the quick reply. Do you have a version of these that is BSD-specific?

I'm ultimately going to run Squid exclusively on BSD, although was using Linux 
as a means to validate that the functionality to do transparent proxying was 
broken (confirmed in both OS').

I'll give these a go tonight on Ubuntu and see where I get.

I do see the Apache/Web Safety hooks as "interesting", but they should be 
decoupled as they're not required to get this working (and are likely 
prohibited in many-to-most enterprises who would deploy a proxy in this 
fashion).

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid

On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have
in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

Thanks for the quick reply. Do you have a version of these that is
BSD-specific?

I'm ultimately going to run Squid exclusively on BSD, although was using
Linux as a means to validate that the functionality to do transparent
proxying was broken (confirmed in both OS').

I'll give these a go tonight on Ubuntu and see where I get.

I do see the Apache/Web Safety hooks as "interesting", but they should
be decoupled as they're not required to get this working (and are likely
prohibited in many-to-most enterprises who would deploy a proxy in this
fashion).

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin

Hello setuid,

If you do not mind looking at other tutorials - these are what we have in the 
test lab.

https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

First one for Squid running on the gateway and the second one for separate 
Squid that intercepts  traffic re-routed from the router using 
Policy-Based-Routing.
The tutorials are working, I test it with every release of our ICAP web filter.

Best regards,
Rafael Akchurin
Diladele B.V.



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of setuid
Sent: Wednesday, February 7, 2018 10:11 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT 
https)

I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf, ipf, 
ipfilter) does not work at all, when configured as a transparent proxy. Full 
stop.

I went through hundreds of posts on dozens of forums, blogs and other 
resources, tried dozens and dozens of configurations suggested by those posts, 
tried all 3 firewall options on BSD, tried two versions of Ubuntu and the 
various versions of Squid from the apt repos, as well as those in BSD's ports.

All of them, 100%, fail in _exactly_ the same way, no matter what my 
configuration was set to. That result, is that _every single http request I 
make_ when Squid is configured as a transparent proxy, results in the following 
response being logged:

==
07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
/ - HIER_NONE/- text/html ("-" "-")
==

When I point a client directly at the proxy, using a browser, curl or anything 
else, I see:

==
07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0") 
==

These were the same exact request against the same exact Squid instance.
If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is 
_identical_ for every single http request I make, regardless of origin.

My Squid configuration is 100% default, identical to the generic config, with 
the exception of the following lines:

==
http_port 3128
http_port 3129 intercept
tcp_outgoing_address 192.168.1.25
debug_options ALL,9
==

I've tried all of the obvious links, blogs and resources I could Google up, and 
100% of them fail to function as described. Most people I've seen on the forums 
who attempt to get this working, throw their hands up in defeat and end up 
configuring the proxy directly on every client that needs it.

My current environment looks like this:

[ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]

That router has a firewall script on it that says:

==
#!/bin/sh
PROXY_IP=192.168.2.25
PROXY_PORT=3128
LAN_IP=$(nvram get lan_ipaddr)
LAN_NET=$LAN_IP/$(nvram get lan_netmask)

iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 
-j ACCEPT iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 
-j DNAT --to $PROXY_IP:$PROXY_PORT

iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT 
--to $LAN_IP iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp 
--dport $PROXY_PORT -j ACCEPT ==

This takes every packet that hits the router on :80, and sends it to my Squid 
server on .25, which mangles it and sends it back to 192.168.1.1 (router), and 
onward back to client who requested it.

When I was using 2.6 (without large_file support), I was using this same exact 
configuration, but http_port was set to 'accel', and I didn't need _any_ 
NAT/routing rules on the squid side at all. It all "Just Worked(tm)".

Now I need to jump through hoops to do pf incantations of rdr/direct-to (but 
direct-to and direct-reply aren't supported on FreeBSD's pf, only OpenBSD's pf 
supports that syntax), and iptables PREROUTING and POSTROUTING mojo (also 
fails).

Here's a list of some of the resources I've tried, with 100% failure in every 
case. There are dozens more that I've lost in my browser history now.

* https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
*
https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
* https://www.benzedrine.ch/transquid.html
*
https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
*
https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
*
https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
* https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
* https://ubuntuforums.org/showthread.php?t=2210987
*

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri

One stupid idiotic question.

Did you build your squid with transparent NAT support?

This is mandatory prerequisite for transparent squid.

I'm not seen your configuration options for squid. Not squid.conf. Just
./configure options.


08.02.2018 03:11, setuid пишет:
> I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
> 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf,
> ipf, ipfilter) does not work at all, when configured as a transparent
> proxy. Full stop.
>
> I went through hundreds of posts on dozens of forums, blogs and other
> resources, tried dozens and dozens of configurations suggested by those
> posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
> and the various versions of Squid from the apt repos, as well as those
> in BSD's ports.
>
> All of them, 100%, fail in _exactly_ the same way, no matter what my
> configuration was set to. That result, is that _every single http
> request I make_ when Squid is configured as a transparent proxy, results
> in the following response being logged:
>
> ==
>   07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
> / - HIER_NONE/- text/html ("-" "-")
> ==
>
> When I point a client directly at the proxy, using a browser, curl or
> anything else, I see:
>
> ==
>   07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
> http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
> ==
>
> These were the same exact request against the same exact Squid instance.
> If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
> _identical_ for every single http request I make, regardless of origin.
>
> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ==
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ==
>
> I've tried all of the obvious links, blogs and resources I could Google
> up, and 100% of them fail to function as described. Most people I've
> seen on the forums who attempt to get this working, throw their hands up
> in defeat and end up configuring the proxy directly on every client that
> needs it.
>
> My current environment looks like this:
>
> [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]
>
> That router has a firewall script on it that says:
>
> ==
> #!/bin/sh
> PROXY_IP=192.168.2.25
> PROXY_PORT=3128
> LAN_IP=$(nvram get lan_ipaddr)
> LAN_NET=$LAN_IP/$(nvram get lan_netmask)
>
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp
> --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j
> DNAT --to $PROXY_IP:$PROXY_PORT
>
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j
> SNAT --to $LAN_IP
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
> --dport $PROXY_PORT -j ACCEPT
> ==
>
> This takes every packet that hits the router on :80, and sends it to my
> Squid server on .25, which mangles it and sends it back to 192.168.1.1
> (router), and onward back to client who requested it.
>
> When I was using 2.6 (without large_file support), I was using this same
> exact configuration, but http_port was set to 'accel', and I didn't need
> _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)".
>
> Now I need to jump through hoops to do pf incantations of rdr/direct-to
> (but direct-to and direct-reply aren't supported on FreeBSD's pf, only
> OpenBSD's pf supports that syntax), and iptables PREROUTING and
> POSTROUTING mojo (also fails).
>
> Here's a list of some of the resources I've tried, with 100% failure in
> every case. There are dozens more that I've lost in my browser history now.
>
> * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
> *
> https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
> * https://www.benzedrine.ch/transquid.html
> *
> https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
> *
> https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
> *
> https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
> * https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
> * https://ubuntuforums.org/showthread.php?t=2210987
> *
> http://ubuntuserverguide.com/2012/06/how-to-setup-squid3-as-transparent-proxy-on-ubuntu-server-12-04.html
> *
> http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https
>
> I also tried asking in #squid on Freenode (dead channel), and #FreeBSD
> (helpful folks there, but they too, failed to get this working).
>
> So I'm at an impasse. Is this just 100%

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid

On 02/07/2018 04:11 PM, setuid wrote:
> That router has a firewall script on it that says:
> ==
> #!/bin/sh
> PROXY_IP=192.168.2.25

Yes, this is a typo here in email but is correct in the router's
firewall script.

This should be either 192.168.2.20 or 192.168.1.25; both are Squid
caches inside my LAN on Ubuntu and BSD respectively.

Here's an example of my ipfw rules, for comparison:

==
$cmd 00700 deny ip from any to any dst-port 3128 via em0
$cmd 00800 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any dst-port 80
via em0
$cmd 00810 fwd 127.0.0.1,3128 ip from any to any dst-port 21 src-ip
192.168.1.0/24
$cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.1
src-ip 192.168.1.0/24
==

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

17 matches

Site Navigation

Mail list logo

Footer information