On 04/03/11 04:58, mbruell wrote:

Amos Jeffries-2 wrote:

On Wed, 2 Mar 2011 14:29:01 -0800 (PST), mbruell wrote:

Firewall policy grabs traffic from the client based on IP address, and
forces it to our proxy through the WCCP tunnel.

  "based on IP address" is very bad. Working TPROXY traffic coming out of
  squid will have the client IP address.

  Manipulation of the traffic MUST use measures other than IP to
  filter/route the traffic if both streams are possibly handled. The
  easiest ways are to use interface name or machine MAC/EUI address on the
  firewall and router. Packet MARKs, TOS or VPN marks are also available,
  but more complex to handle.



Okay - though I thought our WCCP tunnel was taking care of that. The
firewall rule that grabs the machine's IP traffic only does so on the
interface facing the client. Once it's been grabbed, it's getting sent down
the GRE tunnel.

Okay. Good.


The following error crops up after about a minute of launching squid, and
repeats every 10 sec:
Unknown record type in WCCPv2 Packet (6)

Is this error meaningful?


Nope. There is a patch to silence it here:
 http://bugs.squid-cache.org/show_bug.cgi?id=3122


Amos Jeffries-2 wrote:


This is NAT interception, not TPROXY interception.

  The two are not compatible. NAT being obsoleted by TPROXY. Remove this
  rule.



Okay - I removed the rule, but there are still some other issues (it's still
not working).

So are the ip rules in mangle table all that is needed here?


Yes.


Amos Jeffries-2 wrote:

  Since you have a mixup with NAT/TPROXY earlier, also check that your
  http_port 3129 line only has the "tproxy" flag on it.


Double checked this - it was not misconfigured.

Should we be seeing traffic on the lo interface when it's all working
correctly? The packet count on lo is very low, and doesn't change when
trying to proxy the traffic.


Okay, try adding the special route table to eth0 as well. If that still fails try adding it to wccp0. I'd like to know the results here. It works on lo for some but seems not everyone, though I have not yet had concrete confirmation that it matters.


Also - it looks like the tunnel is sending the traffic to the computer
running squid (wccp rx = 3.7 KB, but tx = 0), but it's not getting anything
back from it to send to the client.


Looks that way, yes.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
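As an added example, not part of the thread and not the poster's or Squid's own configuration: the Linux-side TPROXY plumbing the replies above refer to, written as a POSIX shell script. It keeps everything in the mangle table (no NAT REDIRECT rule, which is the mixup Amos says to remove), installs the fwmark policy route that delivers marked packets locally, and emits the matching `http_port 3129 tproxy` line. The device for the local route is a parameter so that `eth0` or `wccp0` can be tried where `lo` does not work, as suggested above. Mark 1, routing table 100 and the chain name DIVERT are assumptions taken from the common Squid TPROXY recipe; the script only prints the commands unless `TPROXY_APPLY=1` is set (root required).

```shell
#!/bin/sh
# Added example, not the poster's or Squid's own configuration: the Linux
# plumbing behind a Squid "http_port 3129 tproxy" listener.  Assumed values:
# fwmark 1, routing table 100, chain name DIVERT, Squid port 3129.
set -eu

SQUID_TPROXY_PORT="${SQUID_TPROXY_PORT:-3129}"
TPROXY_DEV="${TPROXY_DEV:-lo}"   # lo by default; eth0 or wccp0 are the alternatives to try

# squid.conf: the intercept port carries only the tproxy flag, nothing else.
squid_http_port_line() {
    printf 'http_port %s tproxy\n' "$SQUID_TPROXY_PORT"
}

# Everything lives in the mangle table.  The DIVERT chain marks packets that
# already belong to a local socket (Squid's own connections) so they follow
# the local route table; the TPROXY target steers new port-80 flows to the
# Squid listener without rewriting the destination address, which is what
# lets Squid's outbound traffic keep the client IP.
tproxy_iptables_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port ${SQUID_TPROXY_PORT}
EOF
}

# Policy routing: packets carrying mark 1 look up table 100, which delivers
# everything locally on the given device.  Pass "eth0" or "wccp0" to try the
# variants mentioned in the thread.
tproxy_routing_commands() {
    dev="${1:-$TPROXY_DEV}"
    cat <<EOF
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev ${dev} table 100
EOF
}

# Read an iptables-save dump on stdin and fail if it still carries a NAT
# REDIRECT to the TPROXY port: NAT interception and TPROXY on the same
# port is exactly the mixup the thread says to remove.
check_no_nat_redirect() {
    ! grep -Eq -e "-j REDIRECT .*--to-ports? ${SQUID_TPROXY_PORT}"
}

# Print the commands by default; run them (as root) only when TPROXY_APPLY=1.
emit_tproxy_setup() {
    tproxy_iptables_rules
    tproxy_routing_commands "$TPROXY_DEV"
}

if [ "${TPROXY_APPLY:-0}" = "1" ]; then
    emit_tproxy_setup | sh -e
else
    emit_tproxy_setup
    squid_http_port_line
fi
```

To audit a live box, pipe the current ruleset through the check, e.g. `iptables-save | check_no_nat_redirect`; a non-zero exit means a leftover NAT REDIRECT is still competing with the TPROXY rule for port 3129.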
