[squid-users] Re: squid tproxy problem

From: benjamin fernandis <benjo11111_at_gmail.com>
Date: Thu, 18 Aug 2011 16:16:13 +0530

Hi,

Any suggestions please.

My Current Network Setup:

    WAN ROUTER(114.30.XX.1 --- public ip)
              |
              |
              |
       SWITCH
              |
              |
              |
       SQUID BOX (114.30.XX.19 gw: 114.30.XX.1) ( bridge mode)
              |
              |
              |
        BANDWITH MGMT. LINUX BOX ( 114.30.XX.10 gw: 114.30.XX.1)
              |
              |
              |
       END USERS ( mix with private ips and public ips )

At the squid box: eth0 -----> internet (cable from switch)
                  eth1 -----> cable connected to BANDWITH MGMT. LINUX BOX

I am using CentOS 6 and the Squid version is 3.1.10.

I can see traffic hitting the tproxy iptables rules, but I cannot get any
requests into access.log.

Kindly guide me to solve this problem.

Regards,
Benjamin

On Wed, Aug 17, 2011 at 7:15 PM, benjamin fernandis
<benjo11111_at_gmail.com> wrote:
> Hi,
>
> I configured squid for tproxy feature in my network with bridge mode.
>
> I followed http://wiki.squid-cache.org/Features/Tproxy4
>
> But I'm not getting requests in access.log of squid.
>
> My configuration:
>
> cat /etc/squid/squid.conf
>
> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
>
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
> acl mynetwork src '/etc/squid/mynetwork'
> acl cache_deny dst '/etc/squid/deny1'
>
>
> cache deny cache_deny
> #
> cache_mem 1024 MB
>
>
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow mynetwork
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 3129 tproxy
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir aufs /cache/squid 25600 32 512
>
> # Leave coredumps in the first cache dir
> coredump_dir /cache/squid
> httpd_suppress_version_string on
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> ip rule list
> 0:    from all lookup local
> 32765:    from all fwmark 0x1 lookup 100
> 32766:    from all lookup main
> 32767:    from all lookup default
>
> iptables -L -nvx -t mangle
> Chain PREROUTING (policy ACCEPT 959157 packets, 79545939 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>   10993   689414 DIVERT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           socket
>   16765  1000259 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Chain INPUT (policy ACCEPT 15122 packets, 1149717 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 959996 packets, 79295677 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 28272 packets, 10090599 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 988265 packets, 89386044 bytes)
>    pkts      bytes target     prot opt in     out     source               destination
>
> Chain DIVERT (1 references)
>    pkts      bytes target     prot opt in     out     source               destination
>   10993   689414 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
>   10993   689414 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> ebtables -t broute --list
> Bridge table: broute
>
> Bridge chain: BROUTING, entries: 2, policy: ACCEPT
> -p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect
> -p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect
>
> OS CENTOS 6 64 bit
> squid : 3.1.4
> KERNEL : 2.6.32-71.29.1.el6.x86_64
>
>
> Please guide me.
>
> Thanks,
> Benjamin
>
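As an added example (not from the thread, the poster, or the Squid project), a small offline checker that cross-checks the four pieces the Tproxy4 wiki setup relies on: the fwmark policy rule, the `local` route in the table that rule points at, the mangle DIVERT/TPROXY rules, and the matching `http_port ... tproxy` line. The sample outputs are constructed to resemble those quoted above; the `ip route show table 100` output is assumed, since the thread does not include it.

```python
import re

# Constructed sample outputs, shaped like the ones in the thread (not captured from the poster's box).
IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
IP_ROUTE_100_OK = "local default dev lo scope host\n"   # assumed output of `ip route show table 100`
IP_ROUTE_100_EMPTY = ""                                   # same command when that route was never added
MANGLE_RULES = (  # `iptables -t mangle -S` form of the rules quoted in the thread
    "-A PREROUTING -p tcp -m socket -j DIVERT\n"
    "-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1\n"
    "-A DIVERT -j MARK --set-xmark 0x1/0xffffffff\n"
    "-A DIVERT -j ACCEPT\n"
)
SQUID_CONF = "http_port 3128\nhttp_port 3129 tproxy\n"


def check_tproxy_plumbing(ip_rule, ip_route_table, mangle_rules, squid_conf):
    """Cross-check the TPROXY plumbing; returns a list of findings (empty list == consistent)."""
    findings = []
    rule = re.search(r"fwmark (0x[0-9a-f]+)(?:/0x[0-9a-f]+)? lookup (\d+)", ip_rule)
    if not rule:
        return ["no policy rule sends fwmark'd packets to a separate routing table"]
    mark, table = int(rule.group(1), 16), rule.group(2)
    # Without a local route in that table, marked packets are forwarded past Squid.
    if not re.search(r"^local (?:default|0\.0\.0\.0/0) dev lo", ip_route_table, re.M):
        findings.append(f"table {table} lacks 'local default dev lo': marked packets are not delivered locally")
    tp = re.search(r"-j TPROXY --on-port (\d+) .*--tproxy-mark (0x[0-9a-f]+)", mangle_rules)
    if not tp:
        findings.append("mangle PREROUTING has no TPROXY target")
        return findings
    port, tmark = tp.group(1), int(tp.group(2), 16)
    if tmark != mark:
        findings.append(f"TPROXY sets mark {tmark:#x} but the ip rule matches {mark:#x}")
    if "-m socket -j DIVERT" not in mangle_rules or "-j MARK --set-xmark" not in mangle_rules:
        findings.append("no socket-match DIVERT chain: packets of already-intercepted sockets are not marked")
    # The TPROXY --on-port must be a Squid listener flagged tproxy, or Squid never sees the connection.
    if not re.search(rf"^http_port\s+(?:\S+:)?{port}\s+.*\btproxy\b", squid_conf, re.M):
        findings.append(f"squid.conf has no 'http_port {port} tproxy' line matching the TPROXY --on-port")
    return findings


if __name__ == "__main__":
    for name, route in (("with local route", IP_ROUTE_100_OK), ("without local route", IP_ROUTE_100_EMPTY)):
        print(name, "->", check_tproxy_plumbing(IP_RULE, route, MANGLE_RULES, SQUID_CONF) or "consistent")
```

Feed it the real outputs of `ip rule list`, `ip route show table 100`, `iptables -t mangle -S` and `squid.conf` to see which piece of the chain is missing.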
Received on Thu Aug 18 2011 - 10:46:21 MDT