RE: [squid-users] HTTPS passthrough
Ok, I see what you mean. Yes, I tried the https://www.openssl.org and it worked a-ok but it's still not showing in my squid log. -Original Message- From: Henrik Nordström [mailto:hen...@henriknordstrom.net] Sent: Friday, April 02, 2010 1:29 PM To: Johnson, S Cc: squid-users@squid-cache.org Subject: Re: [squid-users] HTTPS passthrough Fri 2010-04-02 at 12:59 -0500, Johnson, S wrote: > 02/Apr/2010,12:34:32, > 21000,192.168.80.9,TCP_MISS/200,0,CONNECT,www.tcfbank.com:443,-,DIRECT/2 > 06.71.19.108,- Can you connect to https sites from the proxy without using Squid? This must work for Squid to work.. Btw, I can not connect to that https://www.tcfbank.com server from here with or without Squid.. connection timeout after 2 minutes. Another site you can try: wget -O- https://www.openssl.org/ Regards Henrik
Re: [squid-users] Squid loops on epoll/read/gettimeofday
Henrik Nordström wrote: fre 2010-04-02 klockan 15:41 -0300 skrev Marcus Kool: strange indeed, but this is strace output with which I am not very familiar. Strace should print the whole array that it uses as argument to epoll_wait or just prints the first element ? (and the 2nd argument could be FD 27) For epoll_wait it prints the valid entries in the result array, which has length 1 in this case (see return value last on the line). Can you please use cachemgr to view the current filedescriptors page to note what fd 23 & fd 27 is being used for? I restarted Squid and now it does not loop... The lsof output in the original email is of little help: A little. Both are pipes. And it's not unlikely these pipes have the same fd assignments now after restart. What does cachemgr say now? I use this Squid at home and it lightly used so maybe it does have the same FDs allocated after a restart... Cachemgr gives this (after the restart): Active file descriptors: File Type Tout Nread * Nwrite * Remote AddressDescription -- - -- 5 Log 0 00 /local/squid/logs/cache.log 7 Socket01275 241 .0DNS Socket 8 Pipe 0 63 9934ufdbgclient #1 9 Pipe 0 0* 0ufdbgclient #2 10 Pipe 0 0* 0ufdbgclient #3 11 Pipe 0 0* 0ufdbgclient #4 12 Pipe 0 0* 0ufdbgclient #5 13 Pipe 0 0* 0ufdbgclient #6 14 Pipe 0 0* 0ufdbgclient #7 15 Pipe 0 0* 0ufdbgclient #8 16 Pipe 0 0* 0ufdbgclient #9 17 Pipe 0 0* 0ufdbgclient #10 18 Pipe 0 0* 0ufdbgclient #11 19 Pipe 0 0* 0ufdbgclient #12 20 File 0 0 8242 /local/squid/logs/access.log 21 Pipe 0 00unlinkd -> squid 22 File 0 0 312 /local/squid/cache/swap.state 23 Socket 1440 848* 0 10.2.2.9.56505 http://srv004.home01.urlfilterdb.com/Squid/cgi-bin/cachemgr.cgi 24 Pipe 0 00squid -> unlinkd 25 Socket0 00 .0HTTP Socket 26 Socket2 0*1794 10.2.2.9.80 http://srv004.home01.urlfilterdb.com/Squid/cgi-bin/cachemgr.cgi 27 Socket 1440 170* 0* 127.0.0.1.35576 cache_object://localhost/filedescriptors 28 Pipe 0 0* 0async-io completetion event: main 29 Pipe 0 00async-io completetion event: 
threads squid 13665 squid 20w REG9,3 1478687 4718702 /local/squid/logs/access.log squid 13665 squid 21r FIFO0,6 1723502 pipe squid 13665 squid 22w REG9,3 30400812 4718715 /local/squid/cache/swap.state squid 13665 squid 23r FIFO0,6 1723506 pipe squid 13665 squid 24w FIFO0,6 1723503 pipe squid 13665 squid 25u IPv41723505 TCP *:squid (LISTEN) squid 13665 squid 26w FIFO0,6 1723506 pipe squid 13665 squid 27r FIFO0,6 1723507 pipe FD 27 * squid 13665 squid 28w FIFO0,6 1723507 pipe squid 13665 squid 29u IPv41771231 TCP srv004:squid->xxx (ESTABLISHED) It seems that FD 27 and 28 point to the same object (as FD 23 and FD 26) Hmm.. The strace output lists the parameters at the call time and we do not see the return values (only the function return value). Should be return values. strace knows how epoll_wait works. Is it possible that FD 27 has an EPOLLERR condition instead of a EPOLLIN condition and the loop is caused by trying to do read() on FD 27 ? (I do not see any check for a return of EPOLLERR in the sources). read should not return EAGAIN if there is an pending error condition. > Regards Henrik
Re: [squid-users] TPROXY Routing
I'll check that as well... have to grab some IPs and add to the interfaces. 2010/4/2 Henrik Nordström : > Fri 2010-04-02 at 11:54 -0700, Kurt Sandstrom wrote: >> That's the thing... if I enable the ebtables rules the bridging of http >> on the local network stops but squid shows no activity even though the >> tproxy counters increase. > > And if you configure a client to use the TPROXY as a router while having > the ebtables rules disabled? (routing test) > > Regards > Henrik > >
Re: [squid-users] Issue with some files and templates
Hi Henrik, Thank you for your reply. My http_port settings are http_port 3128 vhost (note if I remove the vhost I won't be able to access my backend server) Here is my bit of the config http_port 80 accel vhost defaultsite=www.mysite.org cache_peer 192.168.1.3 parent 81 0 no-query originserver name=main acl our_site dstdomain www.mysite.org www.mysite2.com www.mysite3.net mysite.org http_access allow mail_site http_access allow our_site cache_peer_access main allow our_site cache_peer_access main deny all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl localnet src 192.168.1.0/32 #Access control http_access allow manager localhost http_access deny manager http_access deny !Safe_ports # http_access deny CONNECT !SSL_ports http_access allow localnet http_access allow all http_access allow SSL_ports http_access deny all icp_access allow localnet icp_access deny all htcp_access allow localnet htcp_access deny all http_port 3128 vhost refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 
0 20% 4320 cache_effective_user squid visible_hostname proxy icp_port 3130 hosts_file /etc/hosts coredump_dir /usr/local/squid/var/cache I have this in my cache.log but I don't know where it's coming from WARNING: CONNECT method received on http Accelerator port 3128 2010/04/02 06:02:02| WARNING: for request: CONNECT intlreg.aol.com:443 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ) Proxy-Connection: Keep-Alive Content-Length: 0 Host: intlreg.aol.com Pragma: no-cache This: WARNING: for request: CONNECT intlreg.aol.com:443 HTTP/1.1 (No Idea) not from me anyway and this lientProcessRequest: Invalid Request 2010/04/02 13:35:00| Failed to select source for 'http://mysite.net/' 2010/04/02 13:35:00| always_direct = 0 2010/04/02 13:35:00|never_direct = 0 2010/04/02 13:35:00|timedout = 0 2010/04/02 13:46:43| Failed to select source for 'http://81.XX.XX.XX/install.txt' ((This is my public IP) 2010/04/02 13:46:43| always_direct = 0 2010/04/02 13:46:43|never_direct = 0 2010/04/02 13:46:43|timedout = 0 2010/04/02 13:46:43| Failed to select source for 'http://XX.XX.XX.XX/cart/install.txt' 2010/04/02 13:46:43| always_direct = 0 2010/04/02 13:46:43|never_direct = 0 2010/04/02 13:46:43|timedout = 0 2010/04/02 13:46:43| Failed to select source for 'http://XX.XX.XX.XX/zencart/install.txt' 2010/04/02 13:46:43| always_direct = 0 2010/04/02 13:46:43|never_direct = 0 2010/04/02 13:46:43|timedout = 0 2010/04/02 13:46:45| Failed to select source for 'http://XX.XX.XX.XX/shop/install.txt' 2010/04/02 13:46:45| always_direct = 0 2010/04/02 13:46:45|never_direct = 0 2010/04/02 13:46:45|timedout = 0 2010/04/02 13:46:45| Failed to select source for 'http://XX.XX.XX.XX/butik/install.txt' 2010/04/02 13:46:45| always_direct = 0 2010/04/02 13:46:45|never_direct = 0 2010/04/02 13:46:45|timedout = 0 2010/04/02 13:46:45| Failed to select source for 'http://XX.XX.XX.XX/zcart/install.txt' 2010/04/02 13:46:45| 
always_direct = 0 2010/04/02 13:46:45|never_direct = 0 2010/04/02 13:46:45|timedout = 0 2010/04/02 13:46:46| Failed to select source for 'http://XX.XX.XX.XX/shop2/install.txt' 2010/04/02 13:46:46| always_direct = 0 2010/04/02 13:46:46|never_direct = 0 2010/04/02 13:46:46|timedout = 0 2010/04/02 13:46:46| Failed to select source for 'http://XX.XX.XX.XX/catalog/install.txt' 2010/04/02 13:46:46| always_direct = 0 2010/04/02 13:46:46|never_direct = 0 2010/04/02 13:46:46|timedout = 0 2010/04/02 13:46:46| Failed to select source for 'http://XX.XX.XX.XX/boutique/install.txt' 2010/04/02 13:46:46| always_direct = 0 2010/04/02 13:46:46|never_direct = 0 2010/04/02 13:46:46|timedout = 0 2010/04/02 13:46:50| Failed to select source for 'http://XX.XX.XX.XX/store/install.txt' 2010/04/02 13:46:50| always_direct = 0 2010/04/02 13:46:50|never_direct = 0 2010/04/02 13:46:50|timedout = 0 2010/04/02 14:24:17| WARNING: CONNECT method received on http Accelerator port 3128 2010/04/02 14:24:17| WARNING: for request: CONNECT intlreg.aol.com:443 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ) Proxy-Connection: Keep-Alive Content-Length: 0 I also checked out this link https://intlreg.aol.com where these attempts originate from, and nobody seems to be able to locate them; checked this website below but no info http://www.talkreviews.com/intlreg.aol.com Is there a way to block this please? And finally my access.log fills up within minutes, it is now in the size of 23, 780, 83
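The cache.log excerpt above mixes two kinds of traffic: CONNECT requests arriving on the accelerator port, and a burst of "Failed to select source" entries for URLs whose host is the server's own public IP rather than one of the sites listed in the our_site acl. The following is an added example, not code from the post or from Squid, that triages such lines: it splits the failed-source URLs into hosts the accelerator is configured to serve and hosts it is not, and collects the CONNECT targets. The sample log lines and the OUR_SITES set are constructed from the values in the post (addresses masked with XX as in the original).

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the cache.log lines in the post above.
SAMPLE_CACHE_LOG = """\
2010/04/02 06:02:02| WARNING: CONNECT method received on http Accelerator port 3128
2010/04/02 06:02:02| WARNING: for request: CONNECT intlreg.aol.com:443 HTTP/1.1
2010/04/02 13:35:00| Failed to select source for 'http://mysite.net/'
2010/04/02 13:46:43| Failed to select source for 'http://XX.XX.XX.XX/install.txt'
2010/04/02 13:46:43| Failed to select source for 'http://XX.XX.XX.XX/zencart/install.txt'
2010/04/02 13:46:45| Failed to select source for 'http://XX.XX.XX.XX/shop/install.txt'
2010/04/02 13:46:46| Failed to select source for 'http://XX.XX.XX.XX/catalog/install.txt'
2010/04/02 14:24:17| WARNING: CONNECT method received on http Accelerator port 3128
2010/04/02 14:24:17| WARNING: for request: CONNECT intlreg.aol.com:443 HTTP/1.1
"""

# The domains the accelerator is meant to serve (the our_site acl in the post).
OUR_SITES = {"www.mysite.org", "www.mysite2.com", "www.mysite3.net", "mysite.org"}

FAILED_SOURCE = re.compile(r"Failed to select source for '([^']+)'")
CONNECT_REQ = re.compile(r"WARNING: for request: CONNECT (\S+) HTTP/")


def triage_cache_log(text, our_sites=OUR_SITES):
    """Group 'Failed to select source' URLs by host, separating hosts the
    accelerator is configured for from foreign ones, and list CONNECT targets."""
    ours, foreign, connects = {}, {}, []
    for line in text.splitlines():
        m = FAILED_SOURCE.search(line)
        if m:
            parts = urlsplit(m.group(1))
            # netloc keeps the original case (hostname would lowercase the XX mask)
            host = parts.netloc.split(":")[0]
            bucket = ours if host in our_sites else foreign
            bucket.setdefault(host, []).append(parts.path)
            continue
        m = CONNECT_REQ.search(line)
        if m:
            connects.append(m.group(1))
    return {"ours": ours, "foreign": foreign, "connect_targets": connects}


def foreign_hosts_by_count(report):
    """Hosts outside our_site that reached the accelerator, busiest first."""
    return sorted(((h, len(p)) for h, p in report["foreign"].items()),
                  key=lambda hc: (-hc[1], hc[0]))


if __name__ == "__main__":
    rep = triage_cache_log(SAMPLE_CACHE_LOG)
    for host, n in foreign_hosts_by_count(rep):
        print(f"{n:4d}  {host}  {sorted(set(rep['foreign'][host]))}")
    print("CONNECT targets:", rep["connect_targets"])
```

Every host in the "foreign" bucket is one that no cache_peer_access rule routes to the origin server, which is why Squid logs "Failed to select source" for it; with the posted config these requests are still accepted because "http_access allow all" precedes the final "deny all", so the accelerator answers for any host it is asked for. Restricting http_access to the our_site acl (and denying CONNECT on the accelerator port) makes the same requests fail at access control instead of reaching source selection.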
Re: [squid-users] TPROXY Routing
Henrik N. has got to be as dense as any forest tree. I've asked him twice, I've asked him thrice, I swear I'd almost pay a price. I have no interest in squibs email trists, please take me off your mailing list. Bill 785-887-6966 b...@billfair.com On Apr 2, 2010, at 1:13 PM, Henrik Nordström wrote: Fri 2010-04-02 at 09:47 -0700, Kurt Sandstrom wrote: 2 things I may try this evening... grab tcp traffic from eth0 and br0 to see if redirected port 3129 is being routed out of the system instead of to the localhost. Then try (a shot in the dark) changing: Which MAC address is being used on the packets sent out? Have a feeling the packets never get diverted off the bridge.. if so then the MAC is unchanged when the packet is sent out. If the packet did get diverted from the bridge to routing then the source MAC of the packets when leaving the server will be that of br0. Another sign to look for is if the IP ttl gets decremented. If the packet is being bridged then ttl stays the same, if it's being routed then ttl is decremented by one. Regards Henrik
Re: [squid-users] TPROXY Routing
Fri 2010-04-02 at 11:54 -0700, Kurt Sandstrom wrote: > That's the thing... if I enable the ebtables rules the bridging of http > on the local network stops but squid shows no activity even though the > tproxy counters increase. And if you configure a client to use the TPROXY as a router while having the ebtables rules disabled? (routing test) Regards Henrik
Re: [squid-users] Squid loops on epoll/read/gettimeofday
Fri 2010-04-02 at 15:41 -0300, Marcus Kool wrote: > strange indeed, but this is strace output with which I am not very familiar. > Strace should print the whole array that it uses as argument to > epoll_wait or just prints the first element ? (and the 2nd argument > could be FD 27) For epoll_wait it prints the valid entries in the result array, which has length 1 in this case (see return value last on the line). > > Can you please use cachemgr to view the current filedescriptors page to > > note what fd 23 & fd 27 are being used for? > > I restarted Squid and now it does not loop... > The lsof output in the original email is of little help: A little. Both are pipes. And it's not unlikely these pipes have the same fd assignments now after restart. What does cachemgr say now? > squid 13665 squid 20w REG9,3 1478687 4718702 > /local/squid/logs/access.log > squid 13665 squid 21r FIFO0,6 1723502 pipe > squid 13665 squid 22w REG9,3 30400812 4718715 > /local/squid/cache/swap.state > squid 13665 squid 23r FIFO0,6 1723506 pipe > squid 13665 squid 24w FIFO0,6 1723503 pipe > squid 13665 squid 25u IPv41723505 TCP *:squid > (LISTEN) > squid 13665 squid 26w FIFO0,6 1723506 pipe > squid 13665 squid 27r FIFO0,6 1723507 pipe > FD 27 * > squid 13665 squid 28w FIFO0,6 1723507 pipe > squid 13665 squid 29u IPv41771231 TCP > srv004:squid->xxx > (ESTABLISHED) > > It seems that FD 27 and 28 point to the same object (as FD 23 and FD 26) Hmm.. > The strace output lists the parameters at the call time and > we do not see the return values (only the function return value). Should be return values. strace knows how epoll_wait works. > Is it possible that FD 27 has an EPOLLERR condition instead of an > EPOLLIN condition and the loop is caused by trying to do read() on FD 27 ? > (I do not see any check for a return of EPOLLERR in the sources). read should not return EAGAIN if there is a pending error condition. Regards Henrik
Re: [squid-users] TPROXY Routing
Thats the thing... if I enable the ebtables rules the bridging of http on the local network stops but squid shows no activity even though the tproxy counters increase. If I wget to 0.0.0.0 my squid shows wget connection but returns a gateway error so I know the squid is replying to requests it receives. I'm thinking perhaps the traffic might be being directed to the bridge route instead of lo which would cause it to die. 2010/4/2 Henrik Nordström : > fre 2010-04-02 klockan 09:47 -0700 skrev Kurt Sandstrom: > >> 2 things I may try this evening... grab tcp traffic from eth0 and br0 >> to see if redirected port 3129 is being routed out of the system >> instead of to the localhost. Then try (a shot in the dark) changing: > > Which MAC address is being used on the packets sent out? > > Have a feeling the packets never gets diverted off the bridge.. if so > then the MAC is unchanged when the packet is sent out. > > If the packet did get diverted from the bridge to routing then the > source MAC of the packets when leaving the server will be that of br0. > > other sign to look for is if the IP ttl gets decremented. If the packet > is being bridged then ttl stays the same, if it's being routed then ttl > is decremented by one. > > Regards > Henrik > >
Re: [squid-users] Squid loops on epoll/read/gettimeofday
Henrik Nordström wrote: Mon 2010-03-29 at 13:58 -0300, Marcus Kool wrote: 0.33 epoll_wait(6, {{EPOLLIN, {u32=23, u64=8800387989527}}}, 2400, 10) = 1 0.32 gettimeofday({1269878848, 223083}, NULL) = 0 0.31 read(27, 0xffd3de98, 256) = -1 EAGAIN (Resource temporarily unavailable) This is odd.. epoll_wait says fd 23 is ready for reading, but then Squid reads on fd 27. strange indeed, but this is strace output with which I am not very familiar. Strace should print the whole array that it uses as argument to epoll_wait or just prints the first element ? (and the 2nd argument could be FD 27) Can you please use cachemgr to view the current filedescriptors page to note what fd 23 & fd 27 are being used for? I restarted Squid and now it does not loop... The lsof output in the original email is of little help: squid 13665 squid 20w REG9,3 1478687 4718702 /local/squid/logs/access.log squid 13665 squid 21r FIFO0,6 1723502 pipe squid 13665 squid 22w REG9,3 30400812 4718715 /local/squid/cache/swap.state squid 13665 squid 23r FIFO0,6 1723506 pipe squid 13665 squid 24w FIFO0,6 1723503 pipe squid 13665 squid 25u IPv41723505 TCP *:squid (LISTEN) squid 13665 squid 26w FIFO0,6 1723506 pipe squid 13665 squid 27r FIFO0,6 1723507 pipe FD 27 * squid 13665 squid 28w FIFO0,6 1723507 pipe squid 13665 squid 29u IPv41771231 TCP srv004:squid->xxx (ESTABLISHED) It seems that FD 27 and 28 point to the same object (as FD 23 and FD 26) Note that FD 27 and FD 28 have the same NODE. This pipe is used for what ??? Are you using aufs? If so then it's an internal notification channel to wake up the main thread when disk I/O has completed. Yes I use aufs. The EAGAIN return code to read is strange. It suggests that the read() could return data soon, but Squid is looping now for over 4 hours. Not strange if fd 27 is the aufs notification pipe. Well, the strange thing is that it loops and uses 100% CPU. The strange thing is why it does not act on fd 23 as returned by epoll_wait. 
The strace output lists the parameters at the call time and we do not see the return values (only the function return value). Is it possible that FD 27 has an EPOLLERR condition instead of an EPOLLIN condition and the loop is caused by trying to do read() on FD 27 ? (I do not see any check for a return of EPOLLERR in the sources). -Marcus Regards Henrik
Re: [squid-users] Issue with some files and templates
Fri 2010-04-02 at 19:14 +0100, a...@gmail wrote: > Since I installed Squid, now that I can access my backend server and vhosted > websites > There are a lot of things that aren't working, some links can't be accessed, > some folders can't be opened, images, a lot of things. Can you describe your setup in a bit more detail? http_port settings? cache_peer settings? cache_peer_access settings? And what does access.log report? Does it match your expectations on what was requested and where Squid tried to forward it? And do the requested URLs match what your origin servers expect? Including host component. Regards Henrik
Re: [squid-users] HTTPS passthrough
Fri 2010-04-02 at 12:59 -0500, Johnson, S wrote: > 02/Apr/2010,12:34:32, > 21000,192.168.80.9,TCP_MISS/200,0,CONNECT,www.tcfbank.com:443,-,DIRECT/2 > 06.71.19.108,- Can you connect to https sites from the proxy without using Squid? This must work for Squid to work.. Btw, I can not connect to that https://www.tcfbank.com server from here with or without Squid.. connection timeout after 2 minutes. Another site you can try: wget -O- https://www.openssl.org/ Regards Henrik
[squid-users] Issue with some files and templates
Hi All, Since I installed Squid, now that I can access my backend server and vhosted websites There are a lot of things that aren't working, some links can't be accessed, some folders can't be opened, images, a lot of things. I simply can't understand what does Squid do to block all of these things and (please don't say it's not Squid) , I can understand that Squid might block any direct access to a folder etc.. but not the files and apps interaction: while contacting the OriginServer why is it that almost a quarter of items aren't displayed, I even get this items, folder, file, " not found on this server" When I know they are there. I really don't know what to do, as if Squid stops applications talking to each other within the same folder, I really don't how to explain it. It's a shame because the concept of a proxy server is a good idea but almost 40% of things refuse to work as they used to. If anyone can give me an idea on how to work around these problems please, Regards Adam
Re: [squid-users] TPROXY Routing
Fri 2010-04-02 at 09:47 -0700, Kurt Sandstrom wrote: > 2 things I may try this evening... grab tcp traffic from eth0 and br0 > to see if redirected port 3129 is being routed out of the system > instead of to the localhost. Then try (a shot in the dark) changing: Which MAC address is being used on the packets sent out? Have a feeling the packets never get diverted off the bridge.. if so then the MAC is unchanged when the packet is sent out. If the packet did get diverted from the bridge to routing then the source MAC of the packets when leaving the server will be that of br0. Another sign to look for is if the IP ttl gets decremented. If the packet is being bridged then ttl stays the same, if it's being routed then ttl is decremented by one. Regards Henrik
[squid-users] HTTPS passthrough
I'm missing something here... I had another squid/dansguardian proxy that was set up to pass through HTTPS traffic and I was using a URL blacklist to prevent "bad site" access. Unfortunately, that proxy was lost and I'm building anew. I have my browser set to port 3128 (squid) and when I try to attach to an SSL site there is a very long delay then I see three of the following messages: 02/Apr/2010,12:34:32, 21000,192.168.80.9,TCP_MISS/200,0,CONNECT,www.tcfbank.com:443,-,DIRECT/2 06.71.19.108,- So it looks like it's trying to go there. I already know I cannot do content filtering through HTTPS, but all I want is for the traffic to be passed through like I had it before. I'll block the places I don't want using a blacklist. Here's my config: Shorewall rules: = ACCEPT$FWnet tcpwww REDIRECT loc8080 tcp www - ACCEPT loc fw tcp www ACCEPT loc fw tcp 53 ACCEPT loc fw tcp 22 ACCEPT loc fw tcp 443 Squid: = acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl to_localbox dst 192.168.80.5/32 acl mylocalserver dst 64.8.132.1/32 follow_x_forwarded_for allow localhost acl_uses_indirect_client on delay_pool_uses_indirect_client on log_uses_indirect_client on external_acl_type session ttl=300 children=1 negative_ttl=0 concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # TAG: http_access http_access allow mylocalserver http_access allow to_localbox deny_info http://192.168.80.5/index.php?url=%s session http_access allow session http_access allow SSL_ports http_access allow CONNECT SSL_ports http_access deny !session http_access deny !Safe_ports
Re: [squid-users] TPROXY Routing
dump the packet at eth0 and eth1. When traffic comes into eth1 i called 'old packet', squid should forward the 'new' packet to eth0. Check 'the new' packet and 'old packet', look at source ip and destination ip. it should same source and destination ip. if this is correct, Check the reply packet from internet, Also check in cache.log, any error or not ? if you test, you should test from another computer that reside below the bridge. if doing wget, dont set the proxy in parameter, because you are using TPROXY. 2010/4/2 Kurt Sandstrom : > You are correct in that it's a routing issue... > > I have network -> eth1(no ip bridged)->eth0(no ip bridged)-> gateway(router) > the eth1 and eth0 interfaces have a br0 assigned. > > when I assign the bridge interface I use the following for routing: > > ifconfig br0 xxx.xxx.xxx.xxx netmask 255.255.0.0 up #routable IP > route add default gw xxx.xxx.xxx.xxx dev br0 #gateway > > Then I use: > > ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp > --ip-dport 80 -j redirect --redirect-target DROP > ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp > --ip-sport 80 -j redirect --redirect-target DROP > iptables -t mangle -N DIVERT > iptables -t mangle -A DIVERT -j MARK --set-mark 1 > iptables -t mangle -A DIVERT -j ACCEPT > iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT > iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY > --tproxy-mark 0x1/0x1 --on-port 3129 > cd /proc/sys/net/bridge/ > for i in * > do > echo 0 > $i > done > unset i > > and I think this is where the problem resides but may be wrong: > > ip rule add fwmark 1 lookup 100 > ip route add local 0.0.0.0/0 dev lo table 100 > > My iptables are being traversed and I can see the counters increasing > in the PREROUTING chain TPROXY target > > 2 things I may try this evening... grab tcp traffic from eth0 and br0 > to see if redirected port 3129 is being routed out of the system > instead of to the localhost. 
Then try (a shot in the dark) changing: > > ip route add local 0.0.0.0/0 dev lo table 100 to ip route add local > 0.0.0.0/0 dev br0 table 100 > > If you have any other ideas then please let me know... I know I'm > close and the help received here has really helped > > Kurt > > > > > > > > > > > > I did a couple tests on the system last night. If wget > 0.0.0.0:3129(tproxy port) then I see traffic in the squid access.log. > I recieve a gateway not found error > > 2010/4/2 johan firdianto : >> Have you setup ebtables to drop packet, >> ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp >> --ip-dport 80 -j redirect --redirect-target DROP >> ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp >> --ip-sport 80 -j redirect --redirect-target DROP >> >> second hint, >> route all your network/netmask ip address to dev bridge, >> example: >> ip route add 192.168.100.0/24 dev br0 >> ip route add 10.0.0.0/8 dev br0 >> BUT, if you have router again below your bridge, you should define >> routing in your bridge. >> Because your box actually act as bridge and router. Act as router >> because you intercepted trafic to squid. So, when kernel will forward >> the traffic to network, they must know which interface to forward. >> >> >> >> 2010/4/2 Henrik Nordström : >>> tor 2010-04-01 klockan 13:43 -0700 skrev Kurt Sandstrom: The bridging is working just not redirecting to the squid. I can see the counters increment for port 80 but nothing on the squid side. >>> >>> TPROXY has some quite peculiar requirements, and the combination with >>> bridgeing makes those even more complex. And is why I ask that you first >>> verify your TPROXY setup in routing mode before trying the same in >>> bridge mode. It's simply about isolating why things do not work for you >>> instead of trying to guess if it's the bridge-iptables integration, >>> ebtables, iptables TPROXY rules, routing, or whatever.. >>> >>> Regards >>> Henrik >>> >>> >> >
Re: [squid-users] TPROXY Routing
You are correct in that it's a routing issue... I have network -> eth1(no ip bridged)->eth0(no ip bridged)-> gateway(router) the eth1 and eth0 interfaces have a br0 assigned. when I assign the bridge interface I use the following for routing: ifconfig br0 xxx.xxx.xxx.xxx netmask 255.255.0.0 up #routable IP route add default gw xxx.xxx.xxx.xxx dev br0#gateway Then I use: ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 cd /proc/sys/net/bridge/ for i in * do echo 0 > $i done unset i and I think this is where the problem resides but may be wrong: ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 My iptables are being traversed and I can see the counters increasing in the PREROUTING chain TPROXY target 2 things I may try this evening... grab tcp traffic from eth0 and br0 to see if redirected port 3129 is being routed out of the system instead of to the localhost. Then try (a shot in the dark) changing: ip route add local 0.0.0.0/0 dev lo table 100 to ip route add local 0.0.0.0/0 dev br0 table 100 If you have any other ideas then please let me know... I know I'm close and the help received here has really helped Kurt I did a couple tests on the system last night. If wget 0.0.0.0:3129(tproxy port) then I see traffic in the squid access.log. 
I recieve a gateway not found error 2010/4/2 johan firdianto : > Have you setup ebtables to drop packet, > ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp > --ip-dport 80 -j redirect --redirect-target DROP > ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp > --ip-sport 80 -j redirect --redirect-target DROP > > second hint, > route all your network/netmask ip address to dev bridge, > example: > ip route add 192.168.100.0/24 dev br0 > ip route add 10.0.0.0/8 dev br0 > BUT, if you have router again below your bridge, you should define > routing in your bridge. > Because your box actually act as bridge and router. Act as router > because you intercepted trafic to squid. So, when kernel will forward > the traffic to network, they must know which interface to forward. > > > > 2010/4/2 Henrik Nordström : >> tor 2010-04-01 klockan 13:43 -0700 skrev Kurt Sandstrom: >>> The bridging is working just not redirecting to the squid. I can see >>> the counters increment for port 80 but nothing on the squid side. >> >> TPROXY has some quite peculiar requirements, and the combination with >> bridgeing makes those even more complex. And is why I ask that you first >> verify your TPROXY setup in routing mode before trying the same in >> bridge mode. It's simply about isolating why things do not work for you >> instead of trying to guess if it's the bridge-iptables integration, >> ebtables, iptables TPROXY rules, routing, or whatever.. >> >> Regards >> Henrik >> >> >
Re: [squid-users] Upgrade to 3.1.1
You'd better compile and make for the new installation of 3.1. On Fri, Apr 2, 2010 at 8:44 PM, GIGO . wrote: > > Is it possible to upgrade from Squid3.0 to Squid3.1.1 by applying patch/diff. > Is there any howto available which can be referred to? Should everybody > upgrade?
[squid-users] Upgrade to 3.1.1
Is it possible to upgrade from Squid3.0 to Squid3.1.1 by applying patch/diff. Is there any howto available which can be referred to? Should everybody upgrade?
Re: [squid-users] Squid loops on epoll/read/gettimeofday
Mon 2010-03-29 at 13:58 -0300, Marcus Kool wrote: > 0.33 epoll_wait(6, {{EPOLLIN, {u32=23, u64=8800387989527}}}, 2400, > 10) = 1 > 0.32 gettimeofday({1269878848, 223083}, NULL) = 0 > 0.31 read(27, 0xffd3de98, 256) = -1 EAGAIN (Resource temporarily > unavailable) This is odd.. epoll_wait says fd 23 is ready for reading, but then Squid reads on fd 27. Can you please use cachemgr to view the current filedescriptors page to note what fd 23 & fd 27 are being used for? > Note that FD 27 and FD 28 have the same NODE. > This pipe is used for what ??? Are you using aufs? If so then it's an internal notification channel to wake up the main thread when disk I/O has completed. > The EAGAIN return code to read is strange. It suggests that the > read() could return data soon, but Squid is looping now for over 4 hours. Not strange if fd 27 is the aufs notification pipe. The strange thing is why it does not act on fd 23 as returned by epoll_wait. Regards Henrik
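The thread above turns on three points: what epoll_wait actually reports (one entry per ready descriptor, as the strace line shows), what a read() on a different non-blocking descriptor returns, and what happens to a descriptor that carries a pending error or hangup condition if the event loop never acts on it. The following is an added example, not code from the squid-users posts or from Squid, that reproduces all three with Python's select.epoll on two constructed pipes (Linux only). The pipes, the single byte written and the three-iteration loop are the example's own assumptions.

```python
import errno
import os
import select


def epoll_dispatch_demo():
    """Constructed scenario: two non-blocking pipes registered with epoll,
    data written only to pipe A.  Returns what epoll reported, what read()
    did on each pipe, and how a level-triggered HUP on pipe B behaves."""
    a_r, a_w = os.pipe()
    b_r, b_w = os.pipe()
    os.set_blocking(a_r, False)
    os.set_blocking(b_r, False)
    ep = select.epoll()
    ep.register(a_r, select.EPOLLIN)
    ep.register(b_r, select.EPOLLIN)
    result = {}
    try:
        os.write(a_w, b"x")                      # only pipe A has pending data
        # poll() returns the same array strace prints: one (fd, mask) per ready fd,
        # so the length of this list is the epoll_wait return value.
        events = ep.poll(1.0)
        result["reported"] = [(fd, int(mask)) for fd, mask in events]
        result["reported_is_a"] = [fd for fd, _ in events] == [a_r]
        # Correct dispatch: act on the descriptor epoll reported.
        result["read_reported"] = os.read(a_r, 256)
        # Mis-dispatch, as in the strace on the page: a different non-blocking
        # descriptor with nothing pending gives EAGAIN.
        try:
            os.read(b_r, 256)
            result["other_eagain"] = False
        except BlockingIOError as exc:
            result["other_eagain"] = exc.errno == errno.EAGAIN
        # Close the writer of pipe B: its read end now carries EPOLLHUP.  With
        # level-triggered epoll the kernel reports it on every call until the
        # handler reads the EOF or unregisters the fd; a loop that only checks
        # EPOLLIN and ignores HUP/ERR therefore spins at 100% CPU.
        os.close(b_w)
        hups = 0
        for _ in range(3):
            for fd, mask in ep.poll(0):
                if fd == b_r and mask & (select.EPOLLHUP | select.EPOLLERR):
                    hups += 1
        result["hup_repeats"] = hups             # 3: reported on each iteration
        ep.unregister(b_r)
        result["after_unregister"] = ep.poll(0)  # []: nothing left to report
    finally:
        ep.close()
        for fd in (a_r, a_w, b_r, b_w):
            try:
                os.close(fd)
            except OSError:
                pass                             # b_w was already closed above
    return result


if __name__ == "__main__":
    for key, value in epoll_dispatch_demo().items():
        print(f"{key:>17}: {value!r}")
```

The HUP/ERR bits are returned in the event mask regardless of what was requested at registration time, which is why a dispatcher must test for them explicitly rather than assuming every returned entry is readable; the read() that follows a HUP returns an empty buffer, not EAGAIN, which matches Henrik's remark that a pending error condition does not produce EAGAIN.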
Re: [squid-users] AUP using squid_session + username
Tue 2010-03-30 at 18:13 +1000, John Kenyon wrote: > As I understand only the %s variable (requested url) can be used with > deny_info, however if I specify an error page I have access to other > variables, i.e. %a which contains username. Is there any way to pass the > username to an external page using deny_info? You can configure the web server serving that page to also require authentication. If it's an intranet server using NTLM then authentication will be transparent to the user just as it is to the proxy. Regards Henrik
Re: [squid-users] Squid not caching
Fri 2010-04-02 at 09:38 +0530, jayesh chavan wrote: > Hi, > My squid is not caching anything. My squid config file contains: I could not see any cache_dir or even cache_mem configuration. Which means your Squid is running with the default of 8 MB of memory cache only.. Regards Henrik
Re: [squid-users] TPROXY Routing
Have you setup ebtables to drop packet, ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP second hint, route all your network/netmask ip address to dev bridge, example: ip route add 192.168.100.0/24 dev br0 ip route add 10.0.0.0/8 dev br0 BUT, if you have router again below your bridge, you should define routing in your bridge. Because your box actually acts as bridge and router. Acts as router because you intercepted traffic to squid. So, when kernel will forward the traffic to network, they must know which interface to forward. 2010/4/2 Henrik Nordström : > Thu 2010-04-01 at 13:43 -0700, Kurt Sandstrom wrote: >> The bridging is working just not redirecting to the squid. I can see >> the counters increment for port 80 but nothing on the squid side. > > TPROXY has some quite peculiar requirements, and the combination with > bridging makes those even more complex. And is why I ask that you first > verify your TPROXY setup in routing mode before trying the same in > bridge mode. It's simply about isolating why things do not work for you > instead of trying to guess if it's the bridge-iptables integration, > ebtables, iptables TPROXY rules, routing, or whatever.. > > Regards > Henrik > >