[squid-users] Re: TPROXY Configuration

From: Roman Gelfand <rgelfand2_at_gmail.com>
Date: Wed, 6 Feb 2013 12:20:32 -0500

Please ignore this post. I found I need to add more configuration, as
in http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

On Wed, Feb 6, 2013 at 9:27 AM, Roman Gelfand <rgelfand2_at_gmail.com> wrote:
> I have configured the tproxy as follows, but it appears packets are
> not hitting squid. Please note, the wccp configuration on the router
> is already working with squid http_port transparent configuration and,
> obviously, different iptables configuration. Any help is appreciated.
>
> Thanks in advance.
>
> squid.conf
> ---------------
>
> http_port 3228 tproxy
> https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key
>
> # FortiGate interface of wccp
> wccp2_router 192.168.5.1
>
> wccp2_service dynamic 90
> wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443
>
> wccp2_service dynamic 95
> wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80,443
>
> # tunneling method GRE for forward traffic
> wccp2_forwarding_method 1
>
> # tunneling method GRE for return traffic
> wccp2_return_method 1
>
> # Assignment method (default), only relevant if multiple caches used
> wccp2_assignment_method 1
>
> # wccp weight (default), only relevant if multiple caches used
> wccp2_weight 10000
>
> # which interface to use for WCCP (0.0.0.0 determines the interface from routing)
> wccp2_address 0.0.0.0
>
> rc.local
> -----------
>
> modprobe ip_gre
> modprobe ip_tables
> modprobe x_tables
> ip tunnel add wccp0 mode gre remote 192.168.5.1 local 192.168.5.21 dev eth0
> ip addr add 192.168.5.21/32 dev wccp0
> ip link set wccp0 up
>
> # Route to send the content back to the GRE tunnel
> route add -net {wan interface ip} netmask 255.255.255.255 dev wccp0
>
> # Disabling reverse path filtering and enable routing in the kernel
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Setup the redirection of traffic from the GRE tunnel to squid port 3128
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>
> iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
> iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
>
> exit 0
Received on Wed Feb 06 2013 - 17:20:39 MST
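
The Linux kernel's TPROXY documentation pairs mangle-table rules like the ones quoted above with a policy-routing rule and a local route for the marked packets. The following shell lint is an added example, not part of the original thread and not a statement of what the poster found missing; it checks an rc.local-style script for that pair. The function names, the sample input and table number 100 are assumptions.

```shell
# Added example, not from the thread: lint an rc.local-style script on stdin.
# fwmark_rules prints "<mark> <table>" for each "ip ... rule add ... fwmark M lookup|table T".
fwmark_rules() {
    awk '/^ *ip .*rule add / {
        m = ""; t = ""
        for (i = 1; i < NF; i++) {
            if ($i == "fwmark") { split($(i + 1), a, "/"); m = a[1] }
            if ($i == "lookup" || $i == "table") t = $(i + 1)
        }
        if (m != "" && t != "") print m, t
    }'
}

# Returns 0 only if every --tproxy-mark has a fwmark rule whose table holds a local route.
check_tproxy_routing() {
    script=$(sed 's/#.*//')    # drop comments
    marks=$(printf '%s\n' "$script" |
        sed -n 's/.*--tproxy-mark[ =]*\([0-9a-fA-Fx]*\).*/\1/p' | sort -u)
    [ -n "$marks" ] || { echo "no TPROXY rules found"; return 0; }
    status=0
    for m in $marks; do
        table=$(printf '%s\n' "$script" | fwmark_rules | while read -r rm rt; do
            if [ $(($rm)) -eq $(($m)) ]; then echo "$rt"; break; fi
        done)
        if [ -z "$table" ]; then
            echo "MISSING: no ip rule with fwmark $m"; status=1
        elif ! printf '%s\n' "$script" | grep -Eq "ip .*route add local .*table $table( |\$)"; then
            echo "MISSING: no local route in table $table"; status=1
        else
            echo "OK: mark $m -> table $table -> local route"
        fi
    done
    return $status
}

# Constructed input: the two TPROXY rules from the quoted rc.local, unwrapped.
sample_mangle_only() {
    cat <<'EOF'
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
EOF
}
# Constructed input: the same rules plus the routing pair from the kernel's tproxy documentation.
sample_with_routing() {
    sample_mangle_only
    printf '%s\n' "ip rule add fwmark 1 lookup 100" "ip route add local 0.0.0.0/0 dev lo table 100"
}
sample_mangle_only | check_tproxy_routing || true
sample_with_routing | check_tproxy_routing
```

To lint a real file, run `check_tproxy_routing < /etc/rc.local`; the check is textual only and does not inspect the live `ip rule` or `ip route` state.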
