Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-25 Thread Uchenna Nebedum
inbox.google.com:443 - ORIGINAL_DST/216.58.223.197 -

and part of my cache.log
2018/10/25 11:36:21 kid1| Accepting SSL bumped HTTP Socket connections at
local=[::]:3128 remote=[::] FD 22 flags=9
2018/10/25 11:36:21 kid1| Accepting NAT intercepted HTTP Socket connections
at local=[::]:3126 remote=[::] FD 23 flags=41
2018/10/25 11:36:21 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket
connections at local=[::]:3127 remote=[::] FD 24 flags=41
2018/10/25 11:36:22 kid1| storeLateRelease: released 0 objects
2018/10/25 11:42:08| Squid is already running!  Process ID 3497
2018/10/25 11:46:20| Squid is already running!  Process ID 3497
2018/10/25 11:46:24| Squid is already running!  Process ID 3497
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on
local=52.97.133.178:443 remote=10.0.0.250:39627 FD 39 flags=33 (local IP
does not match any domain IP)
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on
local=52.97.133.178:443 remote=10.0.0.250:39628 FD 39 flags=33 (local IP
does not match any domain IP)
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on
local=52.97.133.178:443 remote=10.0.0.250:39629 FD 39 flags=33 (local IP
does not match any domain IP)


Please, how do I get the adaptation to work for HTTPS traffic?
Thanks for everyone's help.




Uchenna Nebedum

On Fri, Oct 19, 2018, 20:09 Rafael Akchurin 
wrote:

> Yes you can use any ICAP/eCAP server you like, just adjust the docs as
> required and that is it.
>
>
>
> *From:* Uchenna Nebedum 
> *Sent:* Friday, 19 October 2018 20:17
> *To:* Rafael Akchurin 
> *Cc:* squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local
>
>
>
> Thanks a lot Rafael, I've gone through the documentation it looks to be
> very promising, one reservation i have is I want to use greasyspoon for
> icap and i see ecap is implemented already. I intend to install everything
> as suggested on the link, then after this change squid.conf to remove ecap
> connection.
>
> Please, I hope this will work?
>
>
>
> Thanks a lot again for the link, it really explained everything well
> enough for a beginner.
>
> Uchenna Nebedum
>
>
>
> On Fri, Oct 19, 2018, 18:30 Rafael Akchurin 
> wrote:
>
> Hello Uchenna,
>
>
>
> May be this policy based routing with Mikrotik tutorial will be of any use
>
> See
> https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html
>
>
>
> Best regards,
>
> Rafael Akchurin
>
> Diladele B.V.
>
>
>
>
>
> *From:* squid-users  *On
> Behalf Of *Uchenna Nebedum
> *Sent:* Friday, 19 October 2018 18:42
> *To:* squid-users@lists.squid-cache.org
> *Subject:* [squid-users] ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local
>
>
>
> Good Day All,
>
> i'm new to squid and i have configured squid as an http transparent proxy
> with a mikrotik.
>
> the squid server has only a single NIC, so i followed a tutorial and set
> up a dst-nat to squid proxy for traffic on port 80,
>
> Chain:dstnat.
>
> Protocol:tcp
>
> Dst-port:80
>
> Action:dst-nat
>
> To Addresses:192.168.2.2 (squid proxy)
>
> To ports:8080
>
> but after setup, only https traffic works correctly,
>
> http traffic client error is "This page isn't working ERR_EMPTY_RESPONSE"
>
> squid access.log is empty then in squid cache.log these are the errors
>
>
>
> ```
>
> 2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
> local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92)
> Protocol not available
> 2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10
> flags=33
>
> ```
>
> please find below my squid.conf contents
>
>
>
> ```
>
> acl localnet src 192.168.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> icap_enable off
> icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/REQMOD
> adaptation_service_set class_req service_req
> adaptation_access class_req allow all
> icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/RESPMOD
> adaptation_service_set class_resp service_resp
> adaptation_access class

Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-19 Thread Rafael Akchurin
Yes you can use any ICAP/eCAP server you like, just adjust the docs as required 
and that is it.

From: Uchenna Nebedum 
Sent: Friday, 19 October 2018 20:17
To: Rafael Akchurin 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original 
IPs on local

Thanks a lot Rafael, I've gone through the documentation it looks to be very 
promising, one reservation i have is I want to use greasyspoon for icap and i 
see ecap is implemented already. I intend to install everything as suggested on 
the link, then after this change squid.conf to remove ecap connection.
Please, I hope this will work?

Thanks a lot again for the link, it really explained everything well enough for 
a beginner.
Uchenna Nebedum

On Fri, Oct 19, 2018, 18:30 Rafael Akchurin wrote:
Hello Uchenna,

May be this policy based routing with Mikrotik tutorial will be of any use
See https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


From: squid-users On Behalf Of Uchenna Nebedum
Sent: Friday, 19 October 2018 18:42
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs 
on local

Good Day All,
i'm new to squid and i have configured squid as an http transparent proxy with 
a mikrotik.
the squid server has only a single NIC, so i followed a tutorial and set up a 
dst-nat to squid proxy for traffic on port 80,
Chain:dstnat.
Protocol:tcp
Dst-port:80
Action:dst-nat
To Addresses:192.168.2.2 (squid proxy)
To ports:8080
but after setup, only https traffic works correctly,
http traffic client error is "This page isn't working ERR_EMPTY_RESPONSE"
squid access.log is empty then in squid cache.log these are the errors

```
2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92)
Protocol not available
2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate original
IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33
```
please find below my squid.conf contents

```
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
icap_enable off
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/REQMOD
adaptation_service_set class_req service_req
adaptation_access class_req allow all
icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/RESPMOD
adaptation_service_set class_resp service_resp
adaptation_access class_resp allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
http_port 8080 transparent
access_log daemon:/var/log/squid/access.log squid
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
```
please any help or correction would be highly appreciated, i am not even sure 
if the approach is correct.

--
Nebedum Uchenna
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-19 Thread Uchenna Nebedum
Thanks a lot Rafael, I've gone through the documentation; it looks to be
very promising. One reservation I have is I want to use GreasySpoon for
ICAP and I see eCAP is implemented already. I intend to install everything
as suggested on the link, then after this change squid.conf to remove the eCAP
connection.
Please, I hope this will work?

Thanks a lot again for the link, it really explained everything well enough
for a beginner.

Uchenna Nebedum

On Fri, Oct 19, 2018, 18:30 Rafael Akchurin 
wrote:

> Hello Uchenna,
>
>
>
> May be this policy based routing with Mikrotik tutorial will be of any use
>
> See
> https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html
>
>
>
> Best regards,
>
> Rafael Akchurin
>
> Diladele B.V.
>
>
>
>
>
> *From:* squid-users  *On
> Behalf Of *Uchenna Nebedum
> *Sent:* Friday, 19 October 2018 18:42
> *To:* squid-users@lists.squid-cache.org
> *Subject:* [squid-users] ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local
>
>
>
> Good Day All,
>
> i'm new to squid and i have configured squid as an http transparent proxy
> with a mikrotik.
>
> the squid server has only a single NIC, so i followed a tutorial and set
> up a dst-nat to squid proxy for traffic on port 80,
>
> Chain:dstnat.
>
> Protocol:tcp
>
> Dst-port:80
>
> Action:dst-nat
>
> To Addresses:192.168.2.2 (squid proxy)
>
> To ports:8080
>
> but after setup, only https traffic works correctly,
>
> http traffic client error is "This page isn't working ERR_EMPTY_RESPONSE"
>
> squid access.log is empty then in squid cache.log these are the errors
>
>
>
> ```
>
> 2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
> local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92)
> Protocol not available
> 2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10
> flags=33
>
> ```
>
> please find below my squid.conf contents
>
>
>
> ```
>
> acl localnet src 192.168.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> icap_enable off
> icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/REQMOD
> adaptation_service_set class_req service_req
> adaptation_access class_req allow all
> icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/RESPMOD
> adaptation_service_set class_resp service_resp
> adaptation_access class_resp allow all
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> http_port 3128
> http_port 8080 transparent
> access_log daemon:/var/log/squid/access.log squid
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
>
> ```
>
> please any help or correction would be highly appreciated, i am not even
> sure if the approach is correct.
>
>
> --
>
> Nebedum Uchenna
>


Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-19 Thread Rafael Akchurin
Hello Uchenna,

Maybe this policy-based routing with MikroTik tutorial will be of any use
See https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html

Best regards,
Rafael Akchurin
Diladele B.V.


From: squid-users  On Behalf Of 
Uchenna Nebedum
Sent: Friday, 19 October 2018 18:42
To: squid-users@lists.squid-cache.org
Subject: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs 
on local

Good Day All,
i'm new to squid and i have configured squid as an http transparent proxy with 
a mikrotik.
the squid server has only a single NIC, so i followed a tutorial and set up a 
dst-nat to squid proxy for traffic on port 80,
Chain:dstnat.
Protocol:tcp
Dst-port:80
Action:dst-nat
To Addresses:192.168.2.2 (squid proxy)
To ports:8080
but after setup, only https traffic works correctly,
http traffic client error is "This page isn't working ERR_EMPTY_RESPONSE"
squid access.log is empty then in squid cache.log these are the errors

```
2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92)
Protocol not available
2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate original
IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33
```
please find below my squid.conf contents

```
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
icap_enable off
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/REQMOD
adaptation_service_set class_req service_req
adaptation_access class_req allow all
icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/RESPMOD
adaptation_service_set class_resp service_resp
adaptation_access class_resp allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
http_port 8080 transparent
access_log daemon:/var/log/squid/access.log squid
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
```
please any help or correction would be highly appreciated, i am not even sure 
if the approach is correct.

--
Nebedum Uchenna


Re: [squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-19 Thread Antony Stone
On Friday 19 October 2018 at 18:42:00, Uchenna Nebedum wrote:

> Good Day All,
> i'm new to squid and i have configured squid as an http transparent proxy
> with a mikrotik.
> the squid server has only a single NIC, so i followed a tutorial and set up
> a dst-nat to squid proxy for traffic on port 80,

Please contact whoever wrote that tutorial and ask them to remove it, because 
this will not work.

> please any help or correction would be highly appreciated, i am not even
> sure if the approach is correct.

https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat explains that 
what you are trying to do cannot work, because the NAT *must* be done *on* the 
Squid server.

https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute 
outlines the correct way to get packets redirected to Squid running as an 
intercepting proxy.


Regards,


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

   Please reply to the list;
 please *don't* CC me.
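
Why the NAT has to be done on the Squid host, as an added example (not code from this thread or from Squid): an intercepting proxy recovers the client's real destination by asking its own kernel with getsockopt(SO_ORIGINAL_DST), the call that fails with errno 92 in the cache.log quoted in this thread. The function names and the loopback demo are assumptions for illustration; the errno meanings are Linux netfilter behaviour.

```python
import errno
import socket
import struct

# Constant from <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw: bytes):
    """Decode the struct sockaddr_in the kernel returns: 2-byte family, port, IPv4 address."""
    port, addr = struct.unpack_from("!2xH4s", raw)
    return socket.inet_ntoa(addr), port


def original_dst(conn: socket.socket):
    """Ask the local conntrack table where this accepted connection was originally headed.

    Returns ((ip, port), None) on success or (None, errno) on failure.
    """
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    except OSError as exc:
        return None, exc.errno
    return parse_sockaddr_in(raw), None


def diagnose(local, orig, err):
    """Interpret the lookup result the way an intercepting proxy has to."""
    if err == errno.ENOPROTOOPT:  # 92 on Linux, "Protocol not available"
        return "no netfilter handler on this host: NAT was not done here"
    if err == errno.ENOENT:
        return "conntrack loaded but has no entry for this connection"
    if err is not None:
        return "lookup failed: " + errno.errorcode.get(err, str(err))
    if orig == local:
        return "connection was not redirected by this host's NAT"
    return "intercepted: client originally dialled %s:%d" % orig


def demo():
    """Loopback connection with no local NAT rule (hypothetical stand-in for
    traffic whose destination was already rewritten on another device)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        orig, err = original_dst(conn)
        return diagnose(conn.getsockname(), orig, err)
    finally:
        for s in (conn, cli, srv):
            s.close()


if __name__ == "__main__":
    print(demo())
```

When the destination rewrite happens on a router, the Squid host's kernel holds no record of it, so this lookup can only fail or return Squid's own address.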


[squid-users] ERROR: NAT/TPROXY lookup failed to locate original IPs on local

2018-10-19 Thread Uchenna Nebedum
Good Day All,
I'm new to Squid and I have configured Squid as an HTTP transparent proxy
with a MikroTik.
The Squid server has only a single NIC, so I followed a tutorial and set up
a dst-nat to the Squid proxy for traffic on port 80:
Chain:dstnat.
Protocol:tcp
Dst-port:80
Action:dst-nat
To Addresses:192.168.2.2 (squid proxy)
To ports:8080
But after setup, only HTTPS traffic works correctly;
the HTTP traffic client error is "This page isn't working ERR_EMPTY_RESPONSE".
The Squid access.log is empty, and in the Squid cache.log these are the errors:

```
2018/10/19 17:08:54 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10 flags=33: (92)
Protocol not available
2018/10/19 17:08:54 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=192.168.2.2:8080 remote=192.168.1.254:41248 FD 10
flags=33
```
please find below my squid.conf contents

```
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
icap_enable off
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/REQMOD
adaptation_service_set class_req service_req
adaptation_access class_req allow all
icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/RESPMOD
adaptation_service_set class_resp service_resp
adaptation_access class_resp allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
http_port 8080 transparent
access_log daemon:/var/log/squid/access.log squid
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
```
Please, any help or correction would be highly appreciated; I am not even
sure if the approach is correct.

-- 
Nebedum Uchenna