Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-11-04 Thread Amos Jeffries
On 5/11/19 1:57 am, FOUTREL Sébastien wrote:
> 
> Hello,
> With your comments and help I successfully did the fwmark/routing
> intercept squid.
> 
> From what I read from the other examples, the only method to use if
> squid is not on the router is always using routes, which means my squid
> MUST always be directly connected to the router.
> Am I wrong?
> 

You can route over a tunnel between the router and Squid ...



> The only way that seems to be able to work if not directly connected is
> the wccp one which seems to use gre.
> 

... GRE is one type of tunnel.


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-11-04 Thread FOUTREL Sébastien

Hello,
With your comments and help I successfully did the fwmark/routing intercept
squid.

From what I read from the other examples, the only method to use if squid is
not on the router is always using routes, which means my squid MUST always be
directly connected to the router.
Am I wrong?

The only way that seems to be able to work if not directly connected is the 
wccp one which seems to use gre.

Thanks.




Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-11-01 Thread Rafael Akchurin
Hello Sebastian,

If you decide to go the policy routing way as Amos suggested, please see the
tutorial at
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html
or https://docs.diladele.com/tutorials/web_filter_https_squid_cisco_wccp/index.html
for WCCP.

Best regards,
Rafael Akchurin
Diladele B.V.



Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-11-01 Thread Amos Jeffries
On 1/11/19 5:53 am, FOUTREL Sébastien wrote:
> 
> *From:* Antony Stone
> *Sent:* Wednesday 30 October 2019 17:39
> 
> On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:
> 
>> Hello, I would like to use squid as a transparent proxy for my users.
> 
>> "Clients" are behind a Debian "Router" which MASQUERADE them (as they use
>> RFC 1918 IPs).
>> 
>> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
>> server which is outside my network.
>> 
>> I read a lot of tutorials and examples from squid site...
> 
> Did that include the links I've given below?
> 
> Yes, I read almost all example configs from wiki.squid-cache.org
> and I was misled by the fact that there is a DNAT config and a REDIRECT
> config. DNAT is completely useless if Squid only supports being on the router.
> Wasn't it possible to DNAT to a different server with older versions (my
> memory is faulty)?
> http://tldp.org/HOWTO/TransparentProxy-6.html for example.


Squid-2 used to ignore all NAT errors and just go where the client HTTP
headers were claiming to be going. This proved to be a major security
vulnerability with a pile of nasty related issues and side effects.
CVE-2009-0801 for reference.

DNAT is a tiny amount faster and uses fewer CPU cycles on the kernel NAT side
of interception, and can be used in config tricks to get more than 64K
entries in the NAT tables. So it is kept around for extremely
high-traffic proxies.

REDIRECT is better for zero-conf installations or ones with a dynamic IP
address on the proxy machine (e.g. IPv6 auto-conf and privacy addressing).


> 
> I read the "fw mark and route policy" method as an alternative not the
> only way to go. My mistake.
> 

Easily made if you are reading *every* example config. Policy Routing
_is_ an alternative ... to WCCP.

There are so many different types of routers with different config
requirements, and also numerous NAT systems. Our formal Intercept
examples are laid out as separate router config examples and NAT config
examples. Pick one from each category as appropriate to the software your
network uses for each machine.



Cheers
Amos


Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-10-31 Thread FOUTREL Sébastien

From: squid-users on behalf of Antony Stone
Sent: Wednesday 30 October 2019 17:39
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Unsuccessful at using Squid v4 with intercept

> On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:
>
>> Hello, I would like to use squid as a transparent proxy for my users.
>
>> "Clients" are behind a Debian "Router" which MASQUERADE them (as they use
>> RFC 1918 IPs).
>>
>> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
>> server which is outside my network.
>>
>> I read a lot of tutorials and examples from squid site...
>
> Did that include the links I've given below?

Yes, I read almost all example configs from wiki.squid-cache.org
<https://wiki.squid-cache.org/SquidFaq/InterceptionProxy> and I was misled by
the fact that there is a DNAT config and a REDIRECT config. DNAT is completely
useless if Squid only supports being on the router.
Wasn't it possible to DNAT to a different server with older versions (my memory
is faulty)?
http://tldp.org/HOWTO/TransparentProxy-6.html for example.

I read the "fw mark and route policy" method as an alternative, not the only way
to go. My mistake.

>> I applied a DNAT to traffic coming from Clients thru Router to Proxy.
>>
>> iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT
>> --to-destination :3129
>
> Have you put this rule onto the firewall you mention, or the Squid box itself?
>
> https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Requirements_and_methods_for_Interception_Caching
>
> states "NAT configuration will only work when used *on the squid box* ."
>
> So, you *must* put that rule on the Squid machine itself, not on the firewall.
>
> It goes on to say "To intercept from a gateway machine and direct traffic at a
> separate squid box use policy routing." with a link to
> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>
>> HTTP is coming to squid successfully but squid logs show a request coming
>> from proxy itself and a request coming from Router (as Clients are NATed
>> by Router)
>
> Ah, so you *are* doing the NAT on the router :)  Don't :)
>
>> if I allow in squid.conf the Proxy IP, I end up with a Forward loop...
>>
>>
>> I also tried the tproxy scenario with no success.
>
> Well, give us some details of what you tried, how you configured it, what
> worked, and what didn't work, and we might be able to help, otherwise we can
> only say "well, tproxy does work if set up properly, so if yours doesn't work,
> it isn't set up properly", which isn't a very helpful answer...

I read with a new eye the tproxy page
https://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY and
found that I forgot the policy routing part.
Will try again.

Thanks for your help.
Sebastien.

> Antony.
>
> --
> If at first you don't succeed, destroy all the evidence that you tried.
>
>                                                    Please reply to the list;
>                                                          please *don't* CC me.


Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-10-30 Thread Antony Stone
On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:

> Hello, I would like to use squid as a transparent proxy for my users.

> "Clients" are behind a Debian "Router" which MASQUERADE them (as they use
> RFC 1918 IPs).
> 
> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
> server which is outside my network.
> 
> I read a lot of tutorials and examples from squid site...

Did that include the links I've given below?

> I applied a DNAT to traffic coming from Clients thru Router to Proxy.
> 
> iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination :3129

Have you put this rule onto the firewall you mention, or the Squid box itself?

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Requirements_and_methods_for_Interception_Caching

states "NAT configuration will only work when used *on the squid box* ."

So, you *must* put that rule on the Squid machine itself, not on the firewall.

It goes on to say "To intercept from a gateway machine and direct traffic at a 
separate squid box use policy routing." with a link to 
https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> HTTP is coming to squid successfully but squid logs show a request coming
> from proxy itself and a request coming from Router (as Clients are NATed
> by Router)

Ah, so you *are* doing the NAT on the router :)  Don't :)

> if I allow in squid.conf the Proxy IP, I end up with a Forward loop...
> 
> 
> I also tried the tproxy scenario with no success.

Well, give us some details of what you tried, how you configured it, what 
worked, and what didn't work, and we might be able to help, otherwise we can 
only say "well, tproxy does work if set up properly, so if yours doesn't work, 
it isn't set up properly", which isn't a very helpful answer...


Antony.

-- 
If at first you don't succeed, destroy all the evidence that you tried.

   Please reply to the list;
 please *don't* CC me.
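Added example, not Squid's code and not from any poster in this thread: a toy model of the two points made above, Antony's "NAT configuration will only work on the squid box" (the original destination of a hijacked connection is only recoverable where the NAT happened) and Amos's note that Squid-2 simply followed the client's headers (CVE-2009-0801). All hosts, addresses and the resolver table are constructed.

```python
"""Toy model of an intercepting proxy deciding where a hijacked connection
really goes. Constructed example, not Squid's code; all names and addresses
are made up (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Conn:
    src: str          # peer address as the proxy's kernel sees it
    dst: str          # local socket the proxy accepted on (proxy:3129)
    host_header: str  # Host: header sent by the client

# Constructed resolver view used to verify the Host header.
DNS = {"www.example.test": {"198.51.100.10"},
       "intranet.example.test": {"203.0.113.40"}}

# conntrack: (src, dst as seen by the proxy) -> original destination.
Conntrack = Dict[Tuple[str, str], str]

def original_dst(conntrack: Conntrack, conn: Conn) -> Optional[str]:
    """Model of the SO_ORIGINAL_DST lookup: the kernel can only answer when
    the NAT translation happened on this box. NAT done on the router leaves
    the proxy's own table empty, which is the situation in the thread."""
    return conntrack.get((conn.src, conn.dst))

def intercept(conntrack: Conntrack, conn: Conn) -> Tuple[str, str]:
    """Return ('forward', ip) or ('reject', reason)."""
    orig = original_dst(conntrack, conn)
    if orig is None:
        # Nothing recoverable: the only address known is the proxy's own
        # listener, so forwarding would go back to itself (the loop reported).
        return ("reject", "no local NAT entry for this connection")
    orig_ip = orig.rsplit(":", 1)[0]
    if orig_ip not in DNS.get(conn.host_header, set()):
        # Squid-2 followed the Host header here; that is CVE-2009-0801.
        return ("reject", "Host header does not resolve to original dst")
    return ("forward", orig_ip)

PROXY = "192.0.2.9:3129"

def nat_on_router() -> Tuple[str, str]:
    """Router DNATs to the proxy: proxy has no conntrack entry."""
    return intercept({}, Conn("203.0.113.1:50000", PROXY, "www.example.test"))

def nat_on_proxy() -> Tuple[str, str]:
    """Router policy-routes untouched packets; DNAT runs on the proxy box."""
    conn = Conn("203.0.113.1:50000", PROXY, "www.example.test")
    return intercept({(conn.src, PROXY): "198.51.100.10:80"}, conn)

def forged_host() -> Tuple[str, str]:
    """Same connection, but the client lies about the Host."""
    conn = Conn("203.0.113.1:50000", PROXY, "intranet.example.test")
    return intercept({(conn.src, PROXY): "198.51.100.10:80"}, conn)
```

Real Squid's handling of a failed Host check is more nuanced than a flat reject; the model only shows why the check exists and why the NAT entry has to be local.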


[squid-users] Unsuccessful at using Squid v4 with intercept

2019-10-30 Thread FOUTREL Sébastien
Hello, I would like to use squid as a transparent proxy for my users.


My platform is pretty simple:

"Clients" are behind a Debian "Router" which MASQUERADE them (as they use RFC
1918 IPs).

I have a Squid 4.6 from Debian Buster packages installed on a "Proxy" server
which is outside my network.

I read a lot of tutorials and examples from squid site...

I applied a DNAT to traffic coming from Clients thru Router to Proxy.

iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT
--to-destination :3129

HTTP is coming to squid successfully but squid logs show a request coming from
proxy itself and a request coming from Router (as Clients are NATed by Router)

if I allow in squid.conf the Proxy IP, I end up with a Forward loop...

I also tried the tproxy scenario with no success.


I'd really like some help.


Thanks !
