Re: [squid-users] Transparent Proxy by squid 2.6 stable 14 in ubuntu 7.10 not working

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 02 Feb 2008 16:07:42 +1300

Let's just go over all these settings...

kang ason wrote:
> --- kang ason <a550n@yahoo.com> wrote:
>
>> Date: Fri, 1 Feb 2008 07:00:27 -0800 (PST)
>> From: kang ason <a550n@yahoo.com>
>> Subject: Transparent Proxy by squid 2.6 stable 14 in ubuntu 7.10 not working
>> To: squid-users@squid-cache.org
>>
>> Dear all
>>
>> I have a server running squid (transparent proxy) on
>> Linux (squid installed using Synaptic Package Manager
>> on Ubuntu 7.10 with squid 2.6 Stable 14).
>>
>> This server has two interfaces, eth0 to the Internet &
>> eth1 to the LAN.
>> And this is my squid.conf:
>>
>> http_port 192.168.10.10:8080 transparent

Fine. BUT, is 192.168.10.10 an IP assigned to eth1 ??
As a test you can drop the IP here and FW inbound traffic to
192.168.10.10:8080

>> hierarchy_stoplist cgi-bin ?

>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY

You can kill these too and replace them with the refresh_patterns below.

>> cache_vary on
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> cache_mem 128 MB
>> cache_swap_low 98
>> cache_swap_high 99
>> maximum_object_size 51200 KB
>> minimum_object_size 0 KB
>> ipcache_size 2048
>> ipcache_low 98
>> ipcache_high 99
>> fqdncache_size 2048
>> cache_replacement_policy heap LFUDA
>> memory_replacement_policy heap GDSF
>> cache_dir ufs /var/spool/squid 5000 18 256
>> access_log /var/log/squid/access.log squid
>> cache_log /dev/null

Better to have a cache_log and see what's going wrong with squid when
something does.

>> cache_store_log /dev/null

Better to use "cache_store_log none" and prevent all the attempted
writes to /dev/null

>> emulate_httpd_log off
>> log_ip_on_direct on
>> mime_table /usr/share/squid/mime.conf
>> log_mime_hdrs off
>> pid_filename /var/run/squid.pid
>> log_fqdn off
>> ftp_user admin@server
>> ftp_list_width 32
>> ftp_passive on
>> ftp_sanitycheck on
>> hosts_file /etc/hosts
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440

Useful to add:
   refresh_pattern (cgi-bin|\?) 0 0% 0

>> refresh_pattern . 0 20% 4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255

I know it's the default config line, but better to use CIDR or no mask
here (default is /32).

>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 # https

>> acl SSL_ports port 563 # snews
>> acl SSL_ports port 873 # rsync

It's useful to make sure _ALL_ of the SSL_Ports are also in Safe_Ports.

>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 873 # rsync
>> acl Safe_ports port 901 # SWAT
>> acl purge method PURGE
>> acl CONNECT method CONNECT
>>
>> ## Client IP Address
>> acl VLAN10 src 192.168.10.0/255.255.255.0

Better to use CIDR 192.168.10.0/24

>> http_access deny CONNECT !SSL_ports
>> http_access deny !Safe_ports
>> http_access deny purge
>> http_access allow purge localhost

Ahhh... that will never match. The line above ALWAYS denies purge.
Kill it or switch the config lines.

>> http_access deny manager
>> http_access allow VLAN10
>> http_access allow manager localhost

Again, that will never match because of the global 'deny manager' above.

>> http_access allow localhost
>> http_access deny all

>> icp_access allow all
>> cache_mgr admin@server
>> cache_effective_user proxy
>> cache_effective_group proxy
>> visible_hostname Proxy.server
>> always_direct allow all
>> coredump_dir /var/spool/squid
>> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>> store_dir_select_algorithm round-robin
>> ## ---- end of squid.conf ----
>>
>> and this is my iptables for squid transparent
>> iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

Well, unless you have other IPs assigned to eth1, using the IP here is
pretty redundant.

>> iptables -A PREROUTING -t nat -i eth1 -p tcp -s 192.168.10.0/24 -j ACCEPT

So what is NAT meant to be doing with this traffic? ACCEPT allows
without changes.
It seems to me that port-80 traffic is being redirected to squid, and
the rest is let out into the internet with RFC1918 private addresses
(depending on "-t filter -A FORWARD" bridging rules).

>> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10/24 -j MASQUERADE

Try this:
  # nat PREROUTING only accepts -i (input interface), never -o
  iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.10 -p tcp --dport 80 -j ACCEPT
  iptables -t nat -A PREROUTING -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

  iptables -t filter -A FORWARD -i eth1 -s 192.168.10/24 -p tcp --dport 80 -j REJECT

>>
>> When I look into /var/log/squid/access.log, I can
>> find clients accessing squid.
>> If clients set their browser to use the proxy at
>> 192.168.10.10 with port 8080, I can see the clients in
>> /var/log/squid/access.log.
>>
>> What is wrong with my squid.conf or iptables rules?
>> Why is the transparent proxy not working, & why must
>> clients set the proxy in their browser if they want to
>> use the proxy?

Also check that some form of transparency support has been built into
your squid.
  Run 'squid -v'.
  Look for '--enable-linux-netfilter' in the configured list.

>>
>> thanks.
>>
>>
>>
>> regards
>> ason
>> Cah Kopeng
>> Lereng Utara Gunung Merbabu

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
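The config review above boils down to a few mechanical checks: an `http_access allow X Y` placed after an unconditional `http_access deny X` can never match, every SSL_ports entry should also appear in Safe_ports, dotted netmasks on src/dst ACLs are better written as CIDR, and `cache_store_log /dev/null` should be `cache_store_log none`. The script below is an added example, not part of this thread or of the Squid project; it is a hypothetical linter that parses the ACL, `http_access` and logging lines of a squid.conf and reports those four problems. The sample configuration it runs on is constructed from the lines quoted in the thread.

```python
"""Lint a squid.conf excerpt for the problems raised in this thread:
http_access rules shadowed by an earlier blanket deny, SSL_ports entries
missing from Safe_ports, dotted-netmask src/dst ACLs that should be CIDR,
and cache_store_log pointed at /dev/null instead of 'none'.
Hypothetical helper written for this example; it is not part of Squid."""
import ipaddress

# Constructed sample: the relevant lines of the squid.conf quoted in the thread.
SAMPLE_CONF = """\
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl manager proto cache_object
acl VLAN10 src 192.168.10.0/255.255.255.0
cache_store_log /dev/null
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny purge
http_access allow purge localhost
http_access deny manager
http_access allow VLAN10
http_access allow manager localhost
http_access allow localhost
http_access deny all
"""


def parse(conf):
    """Split a squid.conf into ACL definitions, http_access rules and other settings."""
    acls, rules, settings = {}, [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            # repeated 'acl NAME type value...' lines accumulate into one ACL
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
        else:
            settings[parts[0]] = " ".join(parts[1:])
    return acls, rules, settings


def port_set(values):
    """Expand 'port' ACL values such as '443' or '1025-65535' into a set of ints."""
    ports = set()
    for value in values:
        low, _, high = value.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def shadowed_rules(rules):
    """Find 'allow' lines that can never match because an earlier line is an
    unconditional 'deny' of one of the same ACLs (first match wins in Squid)."""
    findings, blanket_deny = [], set()
    for index, (action, acl_tokens) in enumerate(rules, start=1):
        if action == "deny" and len(acl_tokens) == 1 and not acl_tokens[0].startswith("!"):
            blanket_deny.add(acl_tokens[0])
        elif action == "allow" and any(token in blanket_deny for token in acl_tokens):
            findings.append(f"http_access line {index} 'allow {' '.join(acl_tokens)}' "
                            "is unreachable: an earlier blanket deny of the same ACL matches first")
    return findings


def ssl_not_safe(acls):
    """Ports listed in SSL_ports but not in Safe_ports (deny !Safe_ports blocks them)."""
    ssl = port_set(acls.get("SSL_ports", ("port", []))[1])
    safe = port_set(acls.get("Safe_ports", ("port", []))[1])
    return sorted(ssl - safe)


def cidr_suggestions(acls):
    """Map dotted-netmask src/dst values to their CIDR spelling."""
    suggestions = {}
    for kind, values in acls.values():
        if kind not in ("src", "dst"):
            continue
        for value in values:
            if "/" in value and "." in value.split("/", 1)[1]:  # dotted mask, not a prefix length
                suggestions[value] = str(ipaddress.ip_network(value, strict=False))
    return suggestions


def lint(conf):
    """Run every check and return the findings as a list of strings."""
    acls, rules, settings = parse(conf)
    findings = shadowed_rules(rules)
    findings += [f"SSL_ports port {p} is not in Safe_ports" for p in ssl_not_safe(acls)]
    findings += [f"acl mask {old} -> CIDR {new}" for old, new in cidr_suggestions(acls).items()]
    if settings.get("cache_store_log") == "/dev/null":
        findings.append("cache_store_log /dev/null -> use 'cache_store_log none' to skip the writes")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports the two unreachable `allow purge localhost` and `allow manager localhost` lines, port 563 missing from Safe_ports, the two netmask ACLs with their CIDR forms, and the `/dev/null` store log. The shadowing check deliberately treats only a single, non-negated ACL as a blanket deny; a line such as `deny CONNECT !SSL_ports` is conditional and does not shadow anything.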
Received on Fri Feb 01 2008 - 20:07:40 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:04 MST