Re: [squid-users] Squid TProxy Problem

From: Ali Majdzadeh <ali.majdzadeh_at_gmail.com>
Date: Mon, 6 Jun 2011 15:10:08 +0430

Amos,
Sorry, the packet counter increments, I made a mistake, but still no
logs in either access.log or cache.log.

Warm Regards,
Ali Majdzadeh Kohbanani

2011/6/6 Ali Majdzadeh <ali.majdzadeh_at_gmail.com>:
> Amos,
> Hi
> The packet counter on -j TPROXY does not increment. So, why are clients
> able to surf the web?
>
> Warm Regards,
> Ali Majdzadeh Kohbanani
>
> 2011/6/6 Ali Majdzadeh <ali.majdzadeh_at_gmail.com>
>>
>> Amos,
>> Hi
>> Thanks for your reply. Regarding the documentation, I have inserted
>> the following routing rules:
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>> Now, access.log is populated with proper logs, but clients cannot
>> surf the web, I mean the proxy server is unable to forward http
>> responses to clients' browsers. When the client enters for example
>> www.google.com, the connection to the http server is established but
>> the process halts at Waiting for www.google.com and after a while
>> Squid reports the inability to retrieve the requested URL.
>> By the way, we have disabled selinux.
>> Any ideas?
>>
>> Warm Regards,
>> Ali Majdzadeh Kohbanani
>>
>> 2011/6/6 Amos Jeffries <squid3_at_treenet.co.nz>:
>> > On 06/06/11 06:32, Ali Majdzadeh wrote:
>> >>
>> >> Hello All,
>> >> I have setup the following configuration:
>> >> Squid (3.1.12) (--enable-linux-netfilter passed as the one and only
>> >> configure option)
>> >> Kernel (2.6.38.3)
>> >> iptables (1.4.11)
>> >>
>> >> I have added the following two directives in squid.conf:
>> >> http_port 3128
>> >> http_port 3129 tproxy
>> >>
>> >> Also, I have configured iptables with the following rules:
>> >> iptables -t mangle -N DIVERT
>> >> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> >> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> >> iptables -t mangle -A DIVERT -j ACCEPT
>> >> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> >> --tproxy-mark 0x1/0x1 --on-port 3129
>> >>
>> >> Everything works as expected, I mean, the users can surf the web and
>> >> the proxy server is transparent. The problem is that actually there is
>> >> no caching. I mean, both cache.log and access.log files are empty. On
>> >
>> > That would be transparency to the point of not going through the proxy.
>> > access.log should have entries for each request.
>> >
>> >> the other hand, if I manually set the proxy configuration in clients'
>> >> browsers (the IP address of the squid server and port number 3128)
>> >> everything is OK; the log files are incremented and objects are
>> >> cached.
>> >>
>> >> Has anyone faced the same issue?
>> >
>> > Some. It's usually boiled down to missing out some details omitted. Building
>> > against libcap2 or routing packets to the squid box for example.
>> >
>> > Are the packet counters on that -j TPROXY rule showing captures?
>> >
>> > Did you follow the rest of the feature config?
>> >  ie the special sub-routing table? OS packet filtering toggles? selinux
>> > updated to allow tproxy?
>> >
>> > Is this box even routing or bridging port 80 traffic for the network?
>> >
>> > Amos
>> > --
>> > Please be using
>> >  Current Stable Squid 2.7.STABLE9 or 3.1.12
>> >  Beta testers wanted for 3.2.0.8 and 3.1.12.2
>> >
>
Received on Mon Jun 06 2011 - 10:40:14 MDT
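
An added example (not part of the thread and not Squid project code): the checks asked about above, namely the packet counter on the -j TPROXY rule, the fwmark rule and the local route in table 100, as a shell script run over constructed sample output. The function names and verdict strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Each check reads command output as text.

# Packet count summed over "-j TPROXY" rules in `iptables-save -c -t mangle`
# output, or "missing" when no such rule exists.
tproxy_packets() {
    awk '/-j TPROXY/ { split(substr($1, 2), c, ":"); n += c[1]; seen = 1 }
         END { if (seen) print n + 0; else print "missing" }'
}

# True if `ip rule show` output sends fwmark $1 to routing table $2.
has_fwmark_rule() {
    grep -Eq "fwmark $1(/0x[0-9a-f]+)? lookup $2( |\$)"
}

# True if `ip route show table N` output has the local default route on lo.
has_local_route() {
    grep -Eq '^local (default|0\.0\.0\.0/0) dev lo( |$)'
}

# diagnose <iptables-save text> <ip rule text> <ip route text>
# Verdict strings are hypothetical labels chosen for this example.
diagnose() {
    pk=$(printf '%s\n' "$1" | tproxy_packets)
    if [ "$pk" = missing ]; then echo no-tproxy-rule
    elif [ "$pk" -eq 0 ]; then echo not-intercepting  # port 80 traffic never reaches the rule
    elif ! printf '%s\n' "$2" | has_fwmark_rule 0x1 100; then echo no-fwmark-rule
    elif ! printf '%s\n' "$3" | has_local_route; then echo no-local-route
    else echo plumbing-ok
    fi
}

# Constructed sample output (not captured from the poster's machine).
SAMPLE_MANGLE='*mangle
[12:720] -A PREROUTING -p tcp -m socket -j DIVERT
[37:2220] -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[12:720] -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
[12:720] -A DIVERT -j ACCEPT
COMMIT'
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_ROUTES='local default dev lo scope host'

diagnose "$SAMPLE_MANGLE" "$SAMPLE_RULES" "$SAMPLE_ROUTES"
# Live use (as root):
# diagnose "$(iptables-save -c -t mangle)" "$(ip rule show)" "$(ip route show table 100)"
```

A nonzero counter with empty access.log points at the routing pieces rather than at iptables, which matches the report above that access.log filled once the `ip rule` and `ip route` lines were added.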
