On 12/07/2013 3:09 p.m., Kai Meyer wrote:
> Sorry for the long post, but I like to error on the side of verbosity
> when I'm grasping at straws.
>
> I've been happily running Dansguardian(2.10.1.1-4.el6.x86_64) +
> squid(3.1.10-9.el6_3.x86_64) on CentOS 6 for a while.
>
> Recently, I've been dealing with an HTTP 1.1 error by disabling the
> proxy temporarily. I finally decided to fix it for real and it looks
> like squid 3.3 will solve my problem. So I hacked the squid 3.3 source
> into the CentOS 3.1 source rpm, and produced a package you can find here:
> http://kai.gnukai.com/repo/
>
> I was using a "close-to-stock" squid 3.1 configuration that was working:
> ---snip---
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
> machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> follow_x_forwarded_for deny all
> http_access deny all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> visible_hostname CENSORED
> ---snip---
>
> I dropped in squid 3.3, and it complained about line one. So I dropped
> line 1, and had some more issues. So I decided to start with the stock
> 3.3 squid configuration, and simply "add" the peices I thought I
> needed. I ended up with this:
> ---snip---
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly
> plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> follow_x_forwarded_for deny all
> visible_hostname CENSORED
> always_direct allow all
> http_port 3129 transparent
> ---snip---
>
> You may notice I "added" port 3129 instead of replacing the 3128. I
> did that just to avoid the "kid1| ERROR: No forward-proxy ports
> configured." error. I've updated my dansguardian config accordingly.
With DG in front of Squid you do not need the "transaprent" option on
squid.conf port. That is only for when NAT is passing the intercepted
traffic directly to the Squid listening port. DG acts as the receiving
proxy in yoru case and passes it as forward-proxy traffic to Squid.
Using that option on forward-proxy traffic will cause Squid to fail teh
destination security checks and enter a forwarding loop.
>
> For reference, here's my iptables config. ppp0 is my internet
> connection, br0 is my local network connection, and tun+ interfaces
> are any OpenVPN
>
> ---snip---
> *nat
> :PREROUTING ACCEPT [10:812]
> :POSTROUTING ACCEPT [3:236]
> :OUTPUT ACCEPT [6:469]
> :whitelist - [0:0]
> -A PREROUTING -j whitelist
> -A PREROUTING -s 10.9.8.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 10.9.8.0/24 -i br0 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 10.9.8.1:8080
> -A POSTROUTING -j MASQUERADE
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [34:8038]
> :OUTPUT ACCEPT [5:337]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> recent --set --name DEFAULT --rsource
> -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> recent --rcheck --seconds 600 --hitcount 3 --name DEFAULT --rsource -j
> LOG --log-prefix "SSH DROP: " --log-level 6
> -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> recent --update --seconds 600 --hitcount 3 --name DEFAULT --rsource -j
> DROP
> -A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i br0 -j ACCEPT
> -A INPUT -i tun+ -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -i br0 -j ACCEPT
> -A FORWARD -i tun+ -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o br0 -j ACCEPT
> -A OUTPUT -o tun+ -j ACCEPT
> COMMIT
> *mangle
> :PREROUTING ACCEPT [109:23590]
> :INPUT ACCEPT [50:3853]
> :FORWARD ACCEPT [59:19737]
> :OUTPUT ACCEPT [29:2882]
> :POSTROUTING ACCEPT [88:22619]
> COMMIT
> ---snip---
>
>
> So, with the DNAT rule enabled, every http page (ie:
> http://kai.gnukai.com/ip.php) comes back in my browser with the error
> ---snip---
> Access Denied.
>
> Access control configuration prevents your request from being
> allowed at
> this time. Please contact your service provider if you feel this is
> incorrect.
> ---snip---
>
> If I http decode the mailto: link to root, I get this:
> ---snip---
> mailto:root?subject=CacheErrorInfo - ERR_ACCESS_DENIED&body=CacheHost:
> shuttle.gamer.gnukai.com
> ErrPage: ERR_ACCESS_DENIED
> Err: [none]
> TimeStamp: Fri, 12 Jul 2013 01:08:40 GMT
>
> ClientIP: 10.9.8.1
>
> HTTP Request:
> GET /ip.php HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0
> OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: shuttle
> Accept: */*
> Via: 1.0 CENSORED (squid/3.3.6)
> X-Forwarded-For: 10.9.8.104, 10.9.8.1
Squid IP address being 10.9.8.1 ?
> Cache-Control: max-age=259200
> Connection: keep-alive
> ---snip---
>
> 10.9.8.104 is my browser. If I use curl to get the headers back, they
> look like this:
>
> ---snip---
> HTTP/1.1 403 Forbidden
> Server: squid/3.3.6
> Mime-Version: 1.0
> Date: Fri, 12 Jul 2013 02:53:39 GMT
> Content-Type: text/html
> Content-Length: 3447
> X-Squid-Error: ERR_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from CENSORED
> X-Cache-Lookup: MISS from CENSORED:3128
> X-Cache: MISS from CENSORED
> X-Cache-Lookup: MISS from CENSORED:3128
> Via: 1.1 CENSORED (squid/3.3.6), 1.1 CENSORED (squid/3.3.6)
There you have the confirmation. Forwarding loop from your Squid to
itself. The 403 will be generated by Squid detecting that loop and
halting the request before it sucks up all the resources on that box.
> Connection: keep-alive
> ---snip---
>
> I'm confused that it says 3128, when it's clearly talking 3129 on the
> lo device:
> 0.000000 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [SYN] Seq=0
> Win=32792 Len=0 MSS=16396 TSV=211693779 TSER=0 WS=7
> 0.000012 10.9.8.1 -> 10.9.8.1 TCP 3129 > 35160 [SYN, ACK]
> Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 TSV=211693779 TSER=211693779 WS=7
> 0.000021 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [ACK] Seq=1
> Ack=1 Win=32896 Len=0 TSV=211693779 TSER=211693779
> 0.000869 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [PSH, ACK]
> Seq=1 Ack=1 Win=32896 Len=44 TSV=211693780 TSER=211693779
> ....
"CENSORED:3128" is the public (forward-proxy) FQDN and port number for
Squid.
Amos
Received on Fri Jul 12 2013 - 07:27:19 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 12 2013 - 12:00:12 MDT