Re: transparent proxy with multiple squids?
On Sun, Jun 01, 2003 at 07:23:12PM -0500, José Guzmán wrote:
> I have a main router/firewall for the LAN in one box, and a squid
> hierarchy for redundancy of two or three boxes (siblings). What's the
> best way to do transparent proxying with 2 or more squids with iptables?
> What if I add a second router/firewall box with vrrpd and want to keep
> the transparent proxy to several squid boxes?
>
> In short: what's the best way to do scalable transparent proxying with
> iptables?

The same way that you build scalable NON-transparent proxies: by using a
load balancer in front of your squid boxes.

As far as your routers are concerned, there's only one transparent proxy
box (the load balancer's IP). The LB handles all the real proxy servers,
and can automatically add/remove them to/from the proxy array as required.

For more info on building a Linux-based load balancer, see the LVS project
at http://www.linuxvirtualserver.org/

craig

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
transparent proxy with multiple squids?
Hi,

I have a main router/firewall for the LAN in one box, and a squid hierarchy
for redundancy of two or three boxes (siblings). What's the best way to do
transparent proxying with 2 or more squids with iptables? What if I add a
second router/firewall box with vrrpd and want to keep the transparent
proxy to several squid boxes?

In short: what's the best way to do scalable transparent proxying with
iptables?

Current setup:

              /(net1)-[r]
             / (net2)-[o]
    LAN -----  (net3)-[u]-(ISP)
             \ (net4)-[t]
              \(net5)-[e]
    (squids)---(net6)-[r]

Thanks
José

---
The obvious mathematical breakthrough would be development of an easy way
to factor large prime numbers.
    Bill Gates, The Road Ahead
---
Re: Transparent Proxy in the 2.4.x kernel
Apparently, on Tue, Nov 13, 2001 at 02:46:46PM +1100, Andrew Tait wrote:
> Hi All,
>
> I have been considering upgrading our servers from the 2.2.x kernel up to
> the 2.4 (we have 1 server running testing/woody, soon to be 2). However,
> one thing I want in a new kernel is transparent proxying, which wasn't
> (AFAIK) compiled in the debian image for 2.2.
>
> Is the 2.4 debian kernel-image compiled with transparent proxy? Or do I
> need to compile my own?

I don't know what the 2.4 debian kernel-image has in it since I've only
compiled my own, but here is how you would set up a transparent proxy with
2.4:

http://netfilter.samba.org/netfilter-faq-3.html#ss3.12

I would guess the debian image has the necessary netfilter modules.

--
Tim Moss [EMAIL PROTECTED]
Transparent Proxy in the 2.4.x kernel
Hi All,

I have been considering upgrading our servers from the 2.2.x kernel up to
the 2.4 (we have 1 server running testing/woody, soon to be 2). However,
one thing I want in a new kernel is transparent proxying, which wasn't
(AFAIK) compiled in the debian image for 2.2.

Is the 2.4 debian kernel-image compiled with transparent proxy? Or do I
need to compile my own?

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

It's the smell! If there is such a thing.
    Agent Smith - The Matrix
Re: HTTPS transparent proxy with Squid
On Thu, Jul 26, 2001 at 08:52:53AM +0400, Ant wrote:
> AvdM> HTTPS uses port 443, so it won't work with your current ipchains setup.
> AvdM> You might be able to start a second squid process, and redirect HTTPS
> AvdM> requests through it.
>
> Could you tell me how to redirect HTTPS through squid, and give an example
> of configuration. It is very interesting for me for the ICQ with HTTPS
> proxying option enabled. Just look for HTTPS proxy options in ICQ...

A few points:

- Don't use transparent proxying if you don't really need it. Some services
  break (last time I checked, the Hotmail attachment function didn't work
  thru a transparent proxy). This is because some pages check for proxy
  settings, and use some different way if a proxy is detected. They won't
  detect a transparent proxy though. There often are ways you can set proxy
  settings centralized, e.g. in Windows 9x and NT4 you can make some
  'policy' to do it (contact me if you need an administrative template for
  it). Windows 2000 can set it in group policies. In *nix you can often set
  it using some export http_proxy=http://foo:8080 (or ftp_proxy) in
  /etc/profile, or setenv http_proxy http://foo:8080 in cshrc for csh. I
  guess there are similar ways to do it for netscape friends. For other
  proxy settings, consult your application's manual.

- HTTPS won't be cached by any proxy, for security reasons, so proxying
  HTTPS won't speed up anything. If possible, just NAT (masquerade) it.

- The only valid reason to transproxy HTTPS is if your internet connection
  does not allow direct connections to port 443 (some restrictive firewall,
  e.g.), and the clients are too decentralized to enforce real proxy
  settings. I think you'll need specific HTTPS transproxy support in squid
  (or some other transproxy) to be able to transproxy HTTPS. The HTTPS
  requests should just be tunneled thru a proxy (using CONNECT, read my
  previous mail for more info). AFAIK a transparent proxy usually uses GET
  requests, for normal HTTP requests. Since HTTPS is encrypted, you can't
  decode the GET request and translate it into some proxy GET request. The
  transparent proxy should establish a CONNECTion thru the proxy, and
  redirect the traffic thru that tunnel. If you find (or make) a
  transparent proxy with HTTPS support (thru CONNECT), you'll have to set
  it up in ipchains just like http (substitute all occurrences of port 80
  with port 443). Then instruct the transparent proxy to listen for
  requests to port 443 (http_accel_port 443).

I never really tested transproxying with HTTPS, always just masqueraded it,
so don't ask me for real example configurations for transproxy HTTPS ;)

Cheers,
Alson
Re: HTTPS transparent proxy with Squid
On Wed, Jul 25, 2001 at 11:41:32AM +0100, Sean Kelly wrote:
> Hello,
>
> I read an article of yours on
> http://www.mail-archive.com/debian-isp@lists.debian.org/msg02194.html
> and was wondering if you could offer some advice.
>
> I am transparently proxying HTTP requests using Linux and Squid. The
> linux kernel (using IPChains) is set to send any port 80 requests to the
> proxy port (3128). This works fine. However, if I try the same thing with
> HTTPS requests it does not work.

HTTPS uses port 443, so it won't work with your current ipchains setup.
You might be able to start a second squid process, and redirect HTTPS
requests through it.

HTTPS is not proxied anyway, it's tunnelled thru a proxy
(http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12). I'm not sure if
squid will proxy HTTPS, since it's a different protocol from HTTP. I'm
afraid it won't work. I suggest you masquerade the traffic if possible
(using ipchains ip masquerading), since it won't be cached anyway.

If you really have to go through a proxy, and it won't work with a second
squid process, you'll have to write your own transproxy.
http://www.transproxy.nlc.net.au/ is a different transparent proxy program;
it only forwards requests to a proxy, doesn't proxy itself. You might be
able to adapt it to work with HTTPS, then you'll have to read the RFCs on
that topic. Don't ask me how to do that, never done it really :)

Someone else on debian-isp might have more experience on transproxying
HTTPS traffic.

Cheers,
Alson

--
,---.  Name: Alson van der Meulen
|      Personal: [EMAIL PROTECTED]
|      School: [EMAIL PROTECTED]
`---'  What's this switch for anyways...?
Re: transparent proxy
On Mon, Apr 16, 2001 at 03:05:16PM +0200, Martin Kos wrote:
> hi jeff
>
> On Mon, 16 Apr 2001, Jeff Waugh wrote:
> > Check the transproxy howto from the LDP.
>
> yup.. i've done so.. first i had the problem that the howto is only for
> kernel 2.4 (i'm using 2.2), but i've found a howto for 2.2. but it still
> hadn't worked. finally it was only an error with the order of my
> ipchains-rules and not of the rule itself :-((
>
> now everything is working fine with http-proxying, but how can i also
> proxy the httpS-traffic? i haven't found anything about this in the howto
> and if i only change the port-number in my ipchains-rule it does not
> work, any idea?

https traffic isn't proxied, it uses connects thru the proxy. look at the
squid config for info (hint: the https port is 443)

there're some pointers about transproxying in the /usr/share/doc/squid dir
iirc, read the squid faq, and some README.* like file. the README about
transproxying is a bit outdated, but the stuff in the squid faq is quite
good iirc.

--
,---.  Name: Alson van der Meulen
|      Personal: [EMAIL PROTECTED]
|      School: [EMAIL PROTECTED]
`---'  don't do that, it'll crash the sys SHIT
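Alson's point in the three HTTPS messages above (HTTPS "isn't proxied, it uses connects thru the proxy", and "since HTTPS is encrypted, you can't decode the GET request") is easiest to see by looking at the first bytes a redirected client sends. The Python below is an added example, not code from the thread or from squid. It constructs both inputs inline: a plaintext request as a browser sends it to port 80 when it knows nothing about a proxy, and a hand-built minimal TLS ClientHello. For HTTP, the proxy can rebuild the absolute URL from the Host header and treat the connection as an ordinary cacheable proxy request; for TLS, the only plaintext hint of the destination is the SNI extension, and the best a proxy can do is open the same blind CONNECT tunnel a proxy-aware client would ask for. Two caveats the thread's 2001 date implies: SNI did not yet exist then (RFC 3546 is from 2003), so at the time a transparent proxy could not even learn the hostname from the handshake, and a client speaking HTTP/1.0 may send no Host header at all, in which case the URL cannot be reconstructed from the request (a transparent proxy then needs the original destination address from the kernel).

```python
"""Why a transparent proxy can turn redirected HTTP into a real proxy request
but can only tunnel redirected HTTPS. Added example; every input is
constructed inline (no network, no real squid)."""
import struct
from typing import Dict, Optional

# Constructed: what a browser sends to port 80 when it does not know about
# the proxy. The request line carries only the path; the host is in a header.
HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def absolute_url_from_request(data: bytes) -> str:
    """Rebuild the absolute URL a cache needs from an origin-form request line
    plus the Host header (what a transparent/accel mode has to do)."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    _method, target, _version = lines[0].split(b" ")
    if target.startswith(b"http://"):          # already a proxy-style request
        return target.decode()
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return f"http://{value.strip().decode()}{target.decode()}"
    # HTTP/1.0 clients may send no Host header; without it (or the original
    # destination IP from the kernel) the proxy cannot know the origin server.
    raise ValueError("no Host header: absolute URL cannot be reconstructed")


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with one SNI extension."""
    name = server_name.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name            # host_name entry
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)           # type 0 = server_name
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + b"\x00" * 32                            # version, random
            + b"\x00"                                             # empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"                  # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes) -> Optional[str]:
    """The only plaintext hint of the destination in a TLS connection: the SNI.
    Everything after the handshake, including the GET line, is encrypted."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 9 + 2 + 32                         # record hdr + hs hdr + version + random
    pos += 1 + data[pos]                     # session id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
    pos += 1 + data[pos]                     # compression methods
    ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if ext_type == 0:                    # server_name: list len(2), type(1), len(2), name
            name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            return data[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None


def classify(first_bytes: bytes) -> Dict[str, object]:
    """What a transparent proxy can do with a redirected connection."""
    if first_bytes[:1] == b"\x16":           # TLS record type 22: handshake
        host = sni_from_client_hello(first_bytes)
        return {
            "kind": "https",
            "host": host,
            # Not a rewritten GET: the proxy can only open a blind tunnel, the
            # same thing a proxy-aware browser asks for explicitly.
            "proxy_request": f"CONNECT {host}:443 HTTP/1.1" if host else None,
            "cacheable": False,
        }
    url = absolute_url_from_request(first_bytes)
    return {"kind": "http", "host": url.split("/")[2],
            "proxy_request": f"GET {url} HTTP/1.1", "cacheable": True}
```

The "cacheable": False on the TLS branch is the practical consequence Alson draws: a tunnel carries opaque bytes, so redirecting 443 through squid buys no caching, only a second hop. Anything that does inspect HTTPS today (Squid's ssl-bump, for instance) is a deliberate man-in-the-middle that only works because clients have been made to trust the proxy's CA; it is not transparent proxying in the sense of this thread.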
Re: transparent proxy
quote who="Martin Kos"
> but i haven't seen a package that installs squid as a transparent proxy?
> am i missing something? i would be happy if somebody could give me some
> help. thank ya.

There is no package, just "configuration files". :)

Check the transproxy howto from the LDP.

- Jeff

--
You'll see what I mean.
Re: transparent proxy
hi jeff

On Mon, 16 Apr 2001, Jeff Waugh wrote:
> Check the transproxy howto from the LDP.

yup.. i've done so.. first i had the problem that the howto is only for
kernel 2.4 (i'm using 2.2), but i've found a howto for 2.2. but it still
hadn't worked. finally it was only an error with the order of my
ipchains-rules and not of the rule itself :-((

now everything is working fine with http-proxying, but how can i also
proxy the httpS-traffic? i haven't found anything about this in the howto
and if i only change the port-number in my ipchains-rule it does not work,
any idea?

thanks for your help!

Martin

--
http://www.kos.li/ [EMAIL PROTECTED] +41-76-384-93-33 ICQ# 13556143
Say NO to HTML in mail and news
Proudly running Debian GNU/Linux. See http://www.debian.org/
transparent proxy
hi!

i've a machine up and running with 2 network interfaces and up to now i've
masqueraded all the traffic from eth1 to eth0, but now i'll be using squid.
the problem is, i won't configure every machine to use the proxy, so i've
thought i should use squid as a transparent proxy. i haven't found or
haven't used the right ipchains-commands to set up the firewall. i've
looked at the firewall-howto, but there is only written:

> The SQUID developers provide RedHat and Debian packages. If you can, use
> one of these,

but i haven't seen a package that installs squid as a transparent proxy?
am i missing something? i would be happy if somebody could give me some
help. thank ya.

greets
Martin

--
http://www.kos.li/ [EMAIL PROTECTED] +41-76-384-93-33 ICQ# 13556143
Say NO to HTML in mail and news
Proudly running Debian GNU/Linux. See http://www.debian.org/
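The netfilter side of the three threads above (craig's "one transparent proxy box" load-balancer answer, Tim Moss's pointer to the netfilter FAQ for 2.4, and Martin's discovery that his rules were right but their order was wrong) comes down to a short nat-table rule set with two traps in it. The Python below is an added example, not code from the thread, from the netfilter FAQ or from LVS; it only generates the iptables commands so the decisions are visible and checkable, and every interface name and address in it is assumed. Trap one is rule order: the exemption for the proxy hosts' own outbound fetches must come before the redirect, or a squid's request to an origin server gets redirected straight back at the proxy. Trap two only bites when the proxy (or the LVS VIP) is a different box: DNAT on the router only works if the proxy's replies come back through the same router so that connection tracking can undo the translation, which is automatic when the squids sit on their own segment (net6 in José's diagram) but not when they share the clients' subnet; in that case the router must also source-NAT the redirected flows, at the cost of squid logging the router's address instead of the client's. On the squid side (Squid 2.x of the era) the matching directives are httpd_accel_host virtual, httpd_accel_port 80, httpd_accel_with_proxy on and httpd_accel_uses_host_header on; current Squid versions replace that with the intercept option on http_port. With a second VRRP router, note that in-flight DNATed connections die on failover unless conntrack state is replicated between the routers.

```python
"""Generate the nat-table rules for transparently redirecting LAN port-80
traffic to a local squid, a remote squid, or an LVS VIP fronting several
squids. Added example: addresses and interface names are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Plan:
    lan_if: str                      # interface the clients arrive on
    client_net: str                  # e.g. "192.168.1.0/24"
    proxy_ip: str                    # "local" = squid on this router; else squid or VIP
    proxy_port: int = 3128
    proxy_hosts: List[str] = field(default_factory=list)   # real squids behind a VIP
    ports: List[int] = field(default_factory=lambda: [80])


def nat_rules(p: Plan) -> List[str]:
    rules: List[str] = []

    # 1. Exemptions first: order matters. A squid's own fetches to origin
    #    servers must never hit the redirect, or the request loops back into
    #    the proxy array. ACCEPT in the nat table means "leave this chain
    #    without translating".
    exempt = set(p.proxy_hosts)
    if p.proxy_ip != "local":
        exempt.add(p.proxy_ip)
    for host in sorted(exempt):
        rules.append(f"iptables -t nat -A PREROUTING -i {p.lan_if} -s {host} -j ACCEPT")

    # 2. The redirect itself. REDIRECT only reaches a listener on this box;
    #    a proxy (or LVS VIP) elsewhere needs DNAT.
    for port in p.ports:
        if p.proxy_ip == "local":
            rules.append(f"iptables -t nat -A PREROUTING -i {p.lan_if} -p tcp "
                         f"--dport {port} -j REDIRECT --to-port {p.proxy_port}")
        else:
            rules.append(f"iptables -t nat -A PREROUTING -i {p.lan_if} -p tcp "
                         f"--dport {port} -j DNAT --to-destination {p.proxy_ip}:{p.proxy_port}")

    # 3. Return path. If the proxy shares the clients' subnet, its replies go
    #    straight to the client without crossing this router, conntrack never
    #    reverses the DNAT, and the client resets the connection. Source-NAT
    #    the redirected flows so replies come back here (squid then sees the
    #    router's address as the client).
    if p.proxy_ip != "local" and ipaddress.ip_address(p.proxy_ip) in ipaddress.ip_network(p.client_net):
        rules.append(f"iptables -t nat -A POSTROUTING -o {p.lan_if} -d {p.proxy_ip} -p tcp "
                     f"--dport {p.proxy_port} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    # Assumed layout after José's diagram: clients on one segment, an LVS VIP
    # and three squids on another, so no return-path SNAT is needed.
    plan = Plan(lan_if="eth1", client_net="192.168.1.0/24", proxy_ip="10.0.6.1",
                proxy_hosts=["10.0.6.11", "10.0.6.12", "10.0.6.13"])
    print("\n".join(nat_rules(plan)))
```

Run it and paste the output into a firewall script, or keep the generator and diff its output whenever a squid is added, which is the kind of drift the load-balancer approach exists to hide from the routers. For the 2.2/ipchains setups in the older threads the same ordering applies: the `ipchains -A input -s <squid> -j ACCEPT` rules go before the `-j REDIRECT 3128` rule.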
Transparent proxy question.
Have set up transparent proxy using an access-list on a Cisco 1603 and
running ipchains to forward packets to squid on the proxy. When I have the
proxy set (manual http proxy) it works fine, but when proxy is disabled and
transparent should take effect this is what happens:

Packet gets forwarded from cisco to proxy machine, packet gets sent to
squid, but on my browser I get a squid error saying that:

    the url :/ cannot be found, please check the url and make sure no
    illegal characters are being used.

Has anyone got any clues? any help appreciated!

Nathan