Re: [squid-users] filtering based on google search
michael hiatt wrote:
> I would like to be shown how to block OR allow (I'm not fussed either way, I believe I can transpose the answer to what I want to do) based upon a google search query (submitted by the user). The key here being the google search term I want to be able to create an ACL for. Not just the google web-site.

So... you want a filter which people can either bypass it trivially by browsing from google search results. Or if they do need to use google will automatically block anything they do from then on?

Good luck.

> So going forth with the blacklist-whitelist example (the further complicated one), how would I achieve a pattern that matches and allows "pirates of penzance" but denies occurrences of "pirate"?
>
> whitelist: pirates.of.penzance
> blacklist: pirates
>
> I have read through the FAQ but I don't believe this exact scenario is covered in depth.

http://en.wikipedia.org/wiki/Internet_censorship

> Also to show I have tried, I have come up with a url_regex pattern in my file like so:
>
> q=pirates
>
> It would be much better though if I could make this a bit more semantic by including the google domain in there and being able to include spaces in the pattern.

Sounds like you are using regex patterns without understanding how they work. Look it up.
http://google.com/search?q=Perl+regular+expressions

Amos

> Date: Mon, 9 Nov 2009 19:18:48 +1300
> From: squ...@treenet.co.nz
> CC: squid-users@squid-cache.org
> Subject: Re: [squid-users] filtering based on google search
>
> michael hiatt wrote:
>> Hi,
>> Just wondering if there is a way of getting squid to block or allow based on google search results.
>
> That sentence makes no sense to me whatsoever. Can you explain it a bit? What are you intending to get out of it?
>
>> I have tried setting two url_regex -i "file/path/goes/here" one for allowed and one for blocked. If I set http://www.google.com to be allowed then unwanted words can be searched and their results displayed. Clicking on said results displays error/blocked page.
>> If I remove http://www.google.com then I can't search on some words that I want. Example: I would like to search on "pirates of penzance" but cannot because "pirate" is a keyword in my block list. Is there a better way around this? I don't want to (and can't) install other software like squid-guard and dans guardian. I'm hoping to do this in squid alone.
>
> You describe a perfectly working URL keyword filter.
> - whitelisting "google.com" ... allows *ALL* of google.com.
> - blacklisting *pirate* ... blocks *ALL* mentions of "pirate" in URL (including google lookup URLs, result URLs, etc)
>
> Your choices are:
> * accept the price of keyword filtering URLs.
> * stop using the filter.
> * complicate your config further with a set of whitelisted-blacklisted keywords based on other things (like your google.com example).
>
> see FAQ on managing ACLs...
> http://wiki.squid-cache.org/SquidFaq/SquidAcl
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
> Current Beta Squid 3.1.0.14
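The whitelist-then-blacklist ordering Amos points at, worked through as an added example that is not part of the thread and not Squid's own code: a small Python evaluator for the "acl ... url_regex" / "http_access" subset of squid.conf, run over a constructed config and constructed URLs. The config text, the ACL names and the sample URLs are assumptions made here. It shows the two things the original poster was missing: whitespace inside a url_regex line separates alternative patterns rather than being part of one pattern, and the spaces in a Google query reach the proxy URL-encoded as "+" or "%20", so the whitelist has to match the encoded form.

```python
import re
from dataclasses import dataclass, field

# Constructed squid.conf fragment (an assumption for this example, not a
# config posted in the thread). The whitelist anchors on the Google search
# URL and on the URL-encoded query, because browsers send the spaces in
# "pirates of penzance" as "+" or "%20", never as literal spaces.
SQUID_CONF = r"""
acl all src all
acl google_ok url_regex -i ^https?://(www\.)?google\.[a-z.]+/search\?(.*&)?q=pirates(\+|%20)of(\+|%20)penzance
acl banned url_regex -i pirate
http_access allow google_ok
http_access deny banned
http_access allow all
"""

# What the original poster wanted to write: the spaces make this three
# independent patterns ("q=pirates", "of", "penzance"), not one phrase.
NAIVE_CONF = r"""
acl all src all
acl naive url_regex -i q=pirates of penzance
http_access allow naive
http_access deny all
"""


@dataclass
class Acl:
    name: str
    kind: str                      # "url_regex" or "all"
    patterns: list = field(default_factory=list)


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    acls: list                     # every ACL named on the line must match (AND)


def parse_conf(text):
    """Parse only the subset used above: acl lines and http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            flags = 0
            if args and args[0] == "-i":
                flags, args = re.IGNORECASE, args[1:]
            if kind == "url_regex":
                acls[name] = Acl(name, kind, [re.compile(p, flags) for p in args])
            elif kind == "src" and args == ["all"]:
                acls[name] = Acl(name, "all")
            else:
                raise ValueError("unsupported acl line: " + raw)
        elif words[0] == "http_access":
            rules.append(Rule(words[1], words[2:]))
    return acls, rules


def acl_matches(acl, url):
    if acl.kind == "all":
        return True
    # url_regex is an unanchored search; any one of the line's patterns is enough
    return any(p.search(url) for p in acl.patterns)


def decide(acls, rules, url):
    """First http_access line whose ACLs all match wins. When nothing matches,
    Squid applies the opposite of the last line's action."""
    for rule in rules:
        if all(acl_matches(acls[name], url) for name in rule.acls):
            return rule.action
    return "deny" if rules and rules[-1].action == "allow" else "allow"


# Constructed sample URLs covering the cases the thread argues about
SAMPLE_URLS = [
    "http://www.google.com/search?q=pirates+of+penzance",
    "http://www.google.co.uk/search?hl=en&q=Pirates%20of%20Penzance",
    "http://www.google.com/search?q=pirates",
    "http://thepiratebay.example/",
    "http://example.org/penzance",
]


def evaluate(conf_text, urls=SAMPLE_URLS):
    acls, rules = parse_conf(conf_text)
    return {url: decide(acls, rules, url) for url in urls}


if __name__ == "__main__":
    for url, verdict in evaluate(SQUID_CONF).items():
        print(verdict.ljust(5), url)
    # the naive line lets "http://example.org/office" through: "of" matches
    print(evaluate(NAIVE_CONF, ["http://example.org/office"]))
```

Squid stops at the first http_access line whose ACLs all match, so the narrow allow has to come before the broad deny; that ordering is what lets the one query through while "pirate" stays blocked in every other URL, search results included. The last call shows why the naive pattern over-matches: "of" on its own matches almost any URL.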
Re: [squid-users] sslBump, error SSL unknown certificate error
On 28.10.09 07:13, vandermeer wrote:
> Got it, i did not have my full list of signing authority certificates installed in the right local. i updated these using:
>
> apt-get install openssl ca-certificates
>
> Then copied the certs from the /etc/ssl/certs directory into my openssl installation directory. works great now!

copied? Are you running chrooted or why can't you use them right in /etc/ssl/certs ? I think that is the whole purpose of ssl-certificated to have them shared and automatically updated...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
WinError #98652: Operation completed successfully.
Re: [squid-users] Transparent SSL allowed list. If not possible with squid, would it be possible other ways?
On 29.10.09 13:14, Matthew Young wrote:
> I've been advised by Amos in past postings that having transparent SSL manipulation with SQUID is not possible, agreed. However I need to be able to _somehow_ have an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. Again this has to be with squid configured as transparent, and not with a pac file or settings in a browser.

of course that would still make people who turn proxy off disable that.

> If squid definitely cannot help here, I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 on that firewall. However the downside to this is that if gmail changes the IP (which they will) the firewall rule which is static would need an update.

Yes, this is the only solution and it's downside. The same would be if you'd put those restrictions into squid. You just can not intercept and filter SSL request (unless using sslBump but your users would see it)

> Other a lot more complicated way would be for a packet sniffer on the outgoing DNS connection soliciting the access to enabled ssl site and then immediately create a firewall rule for that.
>
> What is the best practice?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
Re: [squid-users] Time-based oddity that I can't quite nail down...
Hi, On Sun, 08 Nov 2009, Kurt Buff wrote: > During the normal work out at my company, the squid proxy is > reasonably responsive, and seems to work well. However, after roughly > 5pm each day, through the night and all during the weekend, web browsing > is very slow, with pages taking a very long time (30+ seconds, to > sometimes minutes) to load. > > Does anyone have some suggestions on where I might start looking at > this problem? I haven't found anything in the logs that I can detect > as relevant. Stopping and starting squid makes no difference. The first thing I'd be inclined to try is to connect directly, bypassing squid and see does the problem go away. If it's quick to connect directly, then squid is probably where the issue is. If you still see the delays going direct then it's probably something else (eg high contention on your link). Gavin
Re: [squid-users] Tproxy4+squid: ebtables wiki
So, What the solution for these threads ? because i'm in the same trouble to make TPROXY4 work in UBUNTU 9.10 Server

I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9, and until now, following the manual in http://wiki.squid-cache.org, like this :

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables are:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

squid configuration is default, except
acl allow all

After following like above, the iptables counter was increasing redirecting to TPROXY, but there was nothing in the squid, i can't open anything..

But if i change the ebtables --redirect-target ACCEPT, the connection running, but the packet just bridged nothing came to Squid, just like nothing on there..

There some one can give the clue, thanks in advance..

R

> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
>
> Marko Kotar wrote:
>> Just curious which kernel version are u using?
>>
>> --- On Thu, 10/29/09, Dan wrote:
>> From: Dan
>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>> To: "Marko Kotar"
>> Cc: squid-users@squid-cache.org
>> Date: Thursday, October 29, 2009, 5:24 PM
>>
>> Those are the same ebtable and iptable rules that I am using except that I use DROP. If it is working for you then that is great. :) As for why it works that way I don't know. When I use ACCEPT the traffic is bridged through and not redirected to squid.

Thanks,
Irvan Adrian

> Marko Kotar wrote:
>> Ok My ebtable rules are(without -i option):
>>
>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
>> ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT
>>
>> This might be the different: Bridge is up and it is having an ip address. Ethernet interfaces are up but not having any ip address assigned.
>>
>> ifconfig eth0 up promisc
>> ...
>>
>> bridge interface is configured with dhclient:
>> dhclient3 br0
>>
>> This rules are for the routing;
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> And:
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> iptables are:
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>
>> squid configuration is default, except
>> acl allow all
>> and port is set to the same address as in iptables, and having TPROXY set.
>>
>> I am using:
>> 2.6.28-16-server x86_64 ubuntu, default or compiled
>> ebtables v2.0.9-1 (June 2009), compiled
>> iptables v1.4.5,
>> Squid Cache: Version 3.1.0.14
>> configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience
>> configured only with additional linux-netfilter flag
>>
>> I've used various network configurations:
>> -virtual computer using VmBox with virtual interface in the linux bridge on guest pc.
>> -computer with two interfaces.
>> -double bridged vmbox: two virtual machines: first having 2 virtual interfaces. bridged and having squid. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together.
>>
>> Drop didn't work in any of them, accept was tested only in first.
>>
>> i think thats all the settings i have.
--- On Wed, 10/28/09, Dan wrote: From: Dan Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki To: "Marko Kotar" , squid-users@squid-cache.org Date: Wednesday, October 28, 2009, 9:21 PM Marko Kotar wrote: Thanks. "redirect The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table. In the BROUTING chain, the MAC address of the bridge port is used as destination address, in the PREROUTING chain, the MAC
[squid-users] Question about PURGE
Hi,

I have an app which sends PURGE's to squid caches on demand or on document changes. In testing this works fine and I am making PURGE requests on document changes as part of a publish event. 200 or 404 responses are almost instantaneous as all of the servers are on the same network.

How does squid execute the PURGE internally? Does it mark the object in the cache to be PURGE'd the next time the object is requested or does it remove the item as soon as the PURGE request is made? Will there be situations when PURGE requests might time out on a busy Squid? Is it advisable to have my publisher queue up PURGE requests in a separate thread or process?

Thanks,
John

*** The information in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution, or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Please note that emails to, from and within RTÉ may be subject to the Freedom of Information Act 1997 and may be liable to disclosure.
Re: [squid-users] Tproxy4+squid: ebtables wiki
Irvan Adrian K wrote:
> So, What the solution for these threads ? because i'm in the same trouble to make TPROXY4 work in UBUNTU 9.10 Server

Explicit "Server" release or normal? I have recently found that the kernel for normal Ubuntu is missing some routing features needed on a end box pretending to be a server.

> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9, and until now, following the manual in http://wiki.squid-cache.org, like this :
>
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>
> cd /proc/sys/net/bridge/
> for i in *
> do
> echo 0 > $i
> done
> unset i
>
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables are:
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> squid configuration is default, except
> acl allow all
>
> After following like above, the iptables counter was increasing redirecting to TPROXY, but there was nothing in the squid, i can't open anything..
>
> But if i change the ebtables --redirect-target ACCEPT, the connection running, but the packet just bridged nothing came to Squid, just like nothing on there..

Yes. That is why they are "DROP". In BROUTING it means something like; DROP off the bridge into the routing code, vs ACCEPT over the bridge.

> There some one can give the clue, thanks in advance..
>
> R

Did you build Squid with libcap2-dev installed on the system?

If you start Squid with the -X option is there anything about spoofing or transparent mentioned?

Amos

> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
>
> Marko Kotar wrote:
>> Just curious which kernel version are u using?
--- On Thu, 10/29/09, Dan wrote: From: Dan Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki To: "Marko Kotar" Cc: squid-users@squid-cache.org Date: Thursday, October 29, 2009, 5:24 PM Those are the same ebtable and iptable rules that I am using except that I use DROP. If it is working for you then that is great. :) As for why it works that way I don't know. When I use ACCEPT the traffic is bridged through and not redirected to squid. Thanks, Irvan Adrian Marko Kotar wrote: Ok My ebtable rules are(without -i option): ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target ACCEPT ebtables -t broute -A BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target ACCEPT This might be the different: Bridge is up and it is having an ip address. Ethernet interfaces are up but not having any ip address asigned. ifconfig eth0 up promisc ... bridge interface is configured with dhclient: dhclient3 br0 This rules are for the routing; ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 And: echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter echo 1 > /proc/sys/net/ipv4/ip_forward iptables are: iptables -t mangle -N DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 squid configuration is default, except acl allow all and port is set to the same address as in iptables, and having TPROXY set. 
I am using: 2.6.28-16-server x86_64 ubuntu, default or compiled ebtables v2.0.9-1 (June 2009), compiled iptables v1.4.5, Squid Cache: Version 3.1.0.14 configure options: '--enable-linux-netfilter' --with-squid=/home/marko/src/squid-3.1.0.14 --enable-ltdl-convenience configured only with additional linux-netfilter flag I've used various network configurations: -virtual computer using VmBox with virtual interface in the linux bridge on guest pc. -computer with two interfaces. -double bridged vmbox: two virtual machines: first having 2 virtual interfaces. bridged and having squid. second virtual pc being client with one virtual interface. one interface of first was bridged on guest computer to external interface, other two were bridged together. Drop didn't work in any of them, accept was tested only in first. i think thats all the settings i have. --- On Wed, 10/28/09, Dan wrote: From: Dan Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki To: "Marko Kotar" , squid-users@squid-cache.org Date: Wednesday, October 28, 2009, 9:21 PM Marko Kotar wrote: Thanks. "redirect
[squid-users] squid not being rotated
Hi everybody,

I have observed that since a few days my squid cache logs are not being rotated even when I try to rotate through a manual squid -k rotate command. So please guide me how I can resolve this problem. I am running squid 2.7 on FreeBSD 7.

Regards,
Re: [squid-users] Question about PURGE
John G. Moylan wrote:
> Hi,
>
> I have an app which sends PURGE's to squid caches on demand or on document changes. In testing this works fine and I am making PURGE requests on document changes as part of a publish event. 200 or 404 responses are almost instantaneous as all of the servers are on the same network.
>
> How does squid execute the PURGE internally? Does it mark the object in the cache to be PURGE'd the next time the object is requested or does it remove the item as soon as the PURGE request is made? Will there be situations when PURGE requests might time out on a busy Squid? Is it advisable to have my publisher queue up PURGE requests in a separate thread or process?

Lot of questions ;).

Squid needs to scan the object cache to find the matching URL then update any of several indexes of information for erasure.

Squid treats PURGE like any other request and does not reply until its finished. As such it _may_ timeout before being run. The problem though is that on a busy cache the PURGE request is likely to be the most resource hungry operation going and block other requests being accepted.

Yes it's advisable to spread them out rather than bunch them up. For the reason above.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.14
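Amos's advice above (a PURGE is a blocking store scan that can time out, so spread purges out rather than bunching them) as an added example, not code from the thread and not Squid's own: a Python publisher-side purge queue with one paced worker thread and a per-request timeout, exercised against a constructed stand-in that only imitates Squid's 200 (purged) and 404 (not cached) answers plus one deliberately slow purge. The proxy address, pacing rate, timeout and URLs are assumptions made here. A real Squid also has to be told to accept the method from the publisher, normally an "acl PURGE method PURGE" line and an "http_access allow PURGE localhost" rule placed before the general deny.

```python
import http.client
import queue
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# --- Constructed stand-in for a Squid listener (assumption: it only mimics
# the 200/404 answers and one slow purge; it is not Squid) -------------------
CACHED = {"http://www.example.org/index.html", "http://www.example.org/a.css"}
SLOW_DELAY = 0.5            # seconds a "slow" object takes, like a busy store scan


class FakeSquid(BaseHTTPRequestHandler):
    def do_PURGE(self):
        if "slow" in self.path:
            time.sleep(SLOW_DELAY)
        status = 200 if self.path in CACHED else 404
        CACHED.discard(self.path)
        try:
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()
        except OSError:
            pass                 # the client already gave up on us

    def log_message(self, *args):
        pass                     # keep the demo quiet


# --- Publisher side -----------------------------------------------------------
def purge_one(host, port, url, timeout):
    """Send one PURGE for url via the proxy at host:port. Returns the HTTP
    status (200 purged, 404 not in cache) or None on timeout/connect failure."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PURGE", url)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


class PurgeQueue:
    """A single worker sends PURGEs one at a time, paced to max_per_second,
    so a burst of document changes never becomes a burst of store scans."""

    def __init__(self, host, port, max_per_second=5.0, timeout=2.0):
        self.host, self.port, self.timeout = host, port, timeout
        self.interval = 1.0 / max_per_second
        self.jobs = queue.Queue()
        self.results = []        # (url, status) in the order they were sent
        self.worker = threading.Thread(target=self._run, daemon=True)
        self.worker.start()

    def submit(self, url):
        self.jobs.put(url)

    def _run(self):
        while True:
            url = self.jobs.get()
            if url is None:
                return
            started = time.monotonic()
            self.results.append((url, purge_one(self.host, self.port, url, self.timeout)))
            time.sleep(max(0.0, self.interval - (time.monotonic() - started)))

    def close(self):
        """Drain the queue and stop the worker."""
        self.jobs.put(None)
        self.worker.join()


def run_demo():
    """Purge a cached URL twice, an uncached one and a slow one; returns the
    (url, status) list the worker recorded: 200, 404, 404, None."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeSquid)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        pq = PurgeQueue("127.0.0.1", server.server_address[1],
                        max_per_second=20.0, timeout=0.1)
        for url in ("http://www.example.org/index.html",
                    "http://www.example.org/index.html",
                    "http://www.example.org/missing.html",
                    "http://www.example.org/slow.html"):
            pq.submit(url)
        pq.close()
        return pq.results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for url, status in run_demo():
        print(status, url)
```

The timeout is the important knob: a None result means the cache was too busy to answer in time and the purge may or may not have happened, so the publisher should treat it as "retry later" rather than "done". Keeping the worker separate from the publish path means a slow cache delays purges, not publishing.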
Re: [squid-users] Time-based oddity that I can't quite nail down...
On Mon, Nov 9, 2009 at 03:12, Gavin McCullagh wrote: > Hi, > > On Sun, 08 Nov 2009, Kurt Buff wrote: > >> During the normal work out at my company, the squid proxy is >> reasonably responsive, and seems to work well. However, after roughly >> 5pm each day, through the night and all during the weekend, web browsing >> is very slow, with pages taking a very long time (30+ seconds, to >> sometimes minutes) to load. >> >> Does anyone have some suggestions on where I might start looking at >> this problem? I haven't found anything in the logs that I can detect >> as relevant. Stopping and starting squid makes no difference. > > The first thing I'd be inclined to try is to connect directly, bypassing > squid and see does the problem go away. If it's quick to connect directly, > then squid is probably where the issue is. If you still see the delays > going direct then it's probably something else (eg high contention on your > link). > > Gavin That's good troubleshooting, but the firewall only allows the squid server out on ports 80 and 443. I'll have to see if I can convince management to allow it for troubleshooting purposes. Kurt
Re: [squid-users] Tproxy4+squid: ebtables wiki
Dear Mr Amos, thanks for your response, very helpful..

Amos Jeffries wrote:
> Irvan Adrian K wrote:
>> So, What the solution for these threads ? because i'm in the same trouble to make TPROXY4 work in UBUNTU 9.10 Server
>
> Explicit "Server" release or normal? I have recently found that the kernel for normal Ubuntu is missing some routing features needed on a end box pretending to be a server.

Server release distribution of UBUNTU 9.10, not desktop one.. as you know that UBUNTU have several type of distribution : server, desktop, etc.., and as we analyze that UBUNTU Server not differ than Debian, and have complete support for TPROXY built in, without recompile :

xt_tcpudp 2780 2
nf_nat 17808 2 iptable_nat,ipt_REDIRECT
nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
xt_MARK 1884 2
xt_socket 2556 2
nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
xt_TPROXY 1948 2
nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY

>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables 2.0.9, and until now, following the manual in http://wiki.squid-cache.org, like this :
>>
>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>
>> cd /proc/sys/net/bridge/
>> for i in *
>> do
>> echo 0 > $i
>> done
>> unset i
>>
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> iptables are:
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>
>> squid configuration is default, except
>> acl allow all
>>
>> After following like above, the iptables counter was increasing redirecting to TPROXY, but there was nothing in the squid, i can't open anything..
>>
>> But if i change the ebtables --redirect-target ACCEPT, the connection running, but the packet just bridged nothing came to Squid, just like nothing on there..
>
> Yes. That is why they are "DROP". In BROUTING it means something like; DROP off the bridge into the routing code, vs ACCEPT over the bridge.

Yes, we look that, after adding --redirect-target DROP at ebtables, counter at iptables -j TPROXY increase, like this one :

12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

before DROP at ebtables, there was none packet come to iptables -j TPROXY

>> There some one can give the clue, thanks in advance..
>>
>> R
>
> Did you build Squid with libcap2-dev installed on the system?

UBUNTU prefer libcap-dev rather than libcap2-dev,

apt-get install libcap2-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting libcap-dev instead of libcap2-dev
libcap-dev is already the newest version.

> If you start Squid with the -X option is there anything about spoofing or transparent mentioned?

2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.

Thanks,
Irvan Adrian

> Amos
>
>> Kernel 2.6.30.8, Squid 3.1.0.14, iptables 1.4.3.1, ebtables 2.0.9
>>
>> Marko Kotar wrote:
>>> Just curious which kernel version are u using?
>>>
>>> --- On Thu, 10/29/09, Dan wrote:
>>> From: Dan
>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>> To: "Marko Kotar"
>>> Cc: squid-users@squid-cache.org
>>> Date: Thursday, October 29, 2009, 5:24 PM
>>>
>>> Those are the same ebtable and iptable rules that I am using except that I use DROP. If it is working for you then that is great. :) As for why it works that way I don't know. When I use ACCEPT the traffic is bridged through and not redirected to squid.
>>>
>>> Thanks, Irvan Adrian
>>>
>>> Marko Kot
Re: [squid-users] Question about PURGE
Thanks Amos,

J

On Tue, 2009-11-10 at 01:47 +1300, Amos Jeffries wrote:
> John G. Moylan wrote:
> > Hi,
> >
> > I have an app which sends PURGE's to squid caches on demand or on
> > document changes. It testing this works fine and I am making PURGE
> > requests on document changes as part of a publish event. 200 or 404
> > responses are almost instantaneous as all of the servers are on the same
> > network.
> >
> > Hoe does squid execute the PURGE internally? Does it mark the object in
> > the cache to be PURGE'd the next time the object is requested or does it
> > remove as soon the item when the PURGE request is made? Will there be
> > situations when a PURGE requests might time out on a busy Squid? It is
> > advisable to have my publisher Queue up PURGE requests in a separate
> > thread or process?
>
> Lot of questions ;).
>
> Squid needs to scan the object cache to find the matching URL then
> update any of several indexes of information for erasure.
>
> Squid treats PURGE like any other request and does not reply until its
> finished. As such it _may_ timeout before being run. The problem though
> is that on a busy cache the PURGE request is likely to be the most
> resource hungry operation going and block other requests being accepted.
>
> Yes it's advisable to spread them out rather than bunch them up. For the
> reason above.
>
> Amos
RE: [squid-users] Tproxy4+squid: ebtables wiki
So it sounds like this is a problem with ubuntu 9.10 in general? I am running the server version as well, everything looks to be compiled properly, dmesg shows TPROXY starting, squid shows IP spoofing to be starting as well.

-----Original Message-----
From: Irvan Adrian K [mailto:ir...@grahamedia.net.id]
Sent: Monday, November 09, 2009 8:46 AM
To: Amos Jeffries
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki

Dear Mr Amos, thanks for your respond, very helpfull..

Amos Jeffries wrote:
> Irvan Adrian K wrote:
>> So, What the solution for these threads ? because i'm in the same
>> trouble to make TPROXY4 work in UBUNTU 9.10 Server
>>
>
> Explicit "Server" release or normal? I have recently found that the
> kernel for normal Ubuntu is missing some routing features needed on a
> end box pretending to be a server.

Server release distribution of UBUNTU 9.10, not desktop one.. as you know that UBUNTU have several type of distribution : server, desktop, etc.., and as we analyze that UBUNTU Server not differ than Debian, and have complete support for TPROXY built in, without recompile :

xt_tcpudp 2780 2
nf_nat 17808 2 iptable_nat,ipt_REDIRECT
nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
xt_MARK 1884 2
xt_socket 2556 2
nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
xt_TPROXY 1948 2
nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY

>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>> 2.0.9, and until now, following the manual in
>> http://wiki.squid-cache.org, like this :
>>
>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80
>> -j redirect --redirect-target DROP
>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j
>> redirect --redirect-target DROP
>>
>> cd /proc/sys/net/bridge/
>> for i in *
>> do
>> echo 0 > $i
>> done
>> unset i
>>
>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> iptables are:
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 3129
>>
>> squid configuration is default, except
>> acl allow all
>>
>> After following like above, the iptables counter was increasing
>> redirecting to TPROXY, but there was nothing
>> in the squid, i can't open anything..
>>
>> But if i change the ebtables --redirect-target ACCEPT, the connection
>> running, but the packet just bridged nothing came to Squid, just like
>> nothing on there..
>
> Yes. That is why they are "DROP". In BROUTING it means something like;
> DROP off the bridge into the routing code, vs ACCEPT over the bridge.

Yes, we look that, after adding --redirect-target DROP at ebtables, counter at iptables -j TPROXY increase, like this one :

12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

before DROP at ebtables, there was none packet come to iptables -j TPROXY

>
>>
>> There some one can give the clue, thanks in advance..
>>
>> R
>>
>
> Did you build Squid with libcap2-dev installed on the system?

UBUNTU prefer libcap-dev rather than libcap2-dev,

apt-get install libcap2-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting libcap-dev instead of libcap2-dev
libcap-dev is already the newest version.

>
>
> If you start Squid with the -X option is there anything about spoofing
> or transparent mentioned?

2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.

Thanks,
Irvan Adrian

>
> Amos
>
>>
>>
>> Kernel 2.6.30.8, Squid 3.1.0.14, i
Re: [squid-users] sslBump, error SSL unknown certificate error
This is a test box, and i did not install openssl via apt-get, so there is a lot of non standard configuration that i have just to get things to work, you know?

Matus UHLAR - fantomas wrote:
>
> On 28.10.09 07:13, vandermeer wrote:
>> Got it, i did not have my full list of signing authority certificates
>> installed in the right local. i updated these using:
>>
>> apt-get install openssl ca-certificates
>>
>> Then copied the certs from the /etc/ssl/certs directory into my openssl
>> installation directory. works great now!
>
> copied? Are you running chrooted or why can't you use them right in
> /etc/ssl/certs ? I think that is the whole purpose of ssl-certificated to
> have them shared and automatically updated...
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
> WinError #98652: Operation completed successfully.
[squid-users] Issue compiling last 3.1 squid in 64-bit platform
Greetings!

I'm trying to test some new features of the 3.1 Squid branch and I just tried to compile the last snapshot (squid-3.1.0.14-20091109) on Slackware 13.0 64-BIT, with an Intel Xeon server (64-bit), gcc 4.3.3. Even not using any special configure options, I always get the error:

(...)
depbase=`echo DiskIO/DiskDaemon/DiskDaemonDiskIOModule.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/usr/local/squid/etc/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/local/squid/share\" -DDEFAULT_SQUID_CONFIG_DIR=\"/usr/local/squid/etc\" -I.. -I../include -I../src -I../include -I/usr/local/include -I../lib -I../lib/libLtdl -I../src -Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -D_REENTRANT -g -O2 -MT DiskIO/DiskDaemon/DiskDaemonDiskIOModule.o -MD -MP -MF $depbase.Tpo -c -o DiskIO/DiskDaemon/DiskDaemonDiskIOModule.o DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc &&\
mv -f $depbase.Tpo $depbase.Po
rm -f libDiskDaemon.a
/usr/bin/ar cru libDiskDaemon.a DiskIO/DiskDaemon/DiskdFile.o DiskIO/DiskDaemon/DiskdIOStrategy.o DiskIO/DiskDaemon/DiskDaemonDiskIOModule.o
ranlib libDiskDaemon.a
make[3]: *** No rule to make target `-lpthread', needed by `all-am'. Stop.
make[3]: Leaving directory `/home/sources/squid-3.1.0.14-20091109/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/sources/squid-3.1.0.14-20091109/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/sources/squid-3.1.0.14-20091109/src'
make: *** [all-recursive] Error 1

If I disable the threads option in the configure line, I get:

(...)
depbase=`echo globals.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
g++ -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\"/usr/local/squid/etc/squid.conf\" -DDEFAULT_SQUID_DATA_DIR=\"/usr/local/squid/share\" -DDEFAULT_SQUID_CONFIG_DIR=\"/usr/local/squid/etc\" -I.. -I../include -I../src -I../include -I/usr/local/include -I../lib -I../lib/libLtdl -I../src -Werror -Wall -Wpointer-arith -Wwrite-strings -Wcomments -g -O2 -MT globals.o -MD -MP -MF $depbase.Tpo -c -o globals.o globals.cc &&\
mv -f $depbase.Tpo $depbase.Po
make[3]: *** No rule to make target `-lm', needed by `ufsdump'. Stop.
make[3]: Leaving directory `/home/sources/squid-3.1.0.14-20091109/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/sources/squid-3.1.0.14-20091109/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/sources/squid-3.1.0.14-20091109/src'
make: *** [all-recursive] Error 1

Did anyone have this problem, too? Is this a 64-bit related issue? This server has 16GB RAM, so I need to use 64-bit, right? Any ideas on how to solve this? I did some research in the mailing list and Google, but didn't find the same issue.

Thank you all very much!!
Re: [squid-users] 1024 file descriptors is good
On Tuesday 20 October 2009 16:04:16, Leonardo Rodrigues wrote:
> Mariel Sebedio wrote:
> > Hi, I have a RHEL 5.4 with squid3.0STABLE19 and have a performance
> > problems...
> >
> > My cache.log not report warning
> >
> > When I see in cachemgr.cgi I just have a 1024 File descriptors...
>
> if you're not getting the famous WARNING in your cache.log
>
> WARNING! Your cache is running out of filedescriptors
>
> then you really don't need to worry about 1024 FDs. That's not too
> much, but that's pretty enough for having a good number of simultaneous
> clients.
>
> Filedescriptors problems (running low on them) could give you some
> problems, but in any case you would see the warning on your logs. If
> you're not seeing it, then problem is not filedescriptor related. And if
> that's not filedescriptor related, raising it won't change anything.
>
> your performance problem is somewhere else .
>

I did fix that with this method:

/etc/security/limits.conf:
* - nofile 131072

and configure with --with-filedescriptors=8192

numbers are just a try, but you must set both of them higher than 1024. After that I got rid of this error.

LD
[squid-users] Reverse proxy, SSL cert for each cache peer
Can someone point me to how I can set up squid to listen on port 443 and, depending on the URL being asked for, to use a certain cache peer with a certain SSL cert? I've been doing this for just one cache peer, by just using the cert= key= options on the https_port directive. Can they be used on the cache_peer also?

- Nick
Re: [squid-users] Tproxy4+squid: ebtables wiki
To throw in my 2 cents. I have tried using both ubuntu server 9.04 and 9.10; neither of them I could get to work. I experienced the same problem. So to make sure it wasn't me making a mistake somewhere I tried the same config and setup on Fedora and that worked fine. So being lazy I just went with that. I am very interested in getting TPROXY to work with ubuntu server as I prefer it as my server OS.

Roth, Joe wrote:
> So it sounds like this is a problem with ubuntu 9.10 in general? I am
> running the server version as well, everything looks to be compiled
> properly, dmesg shows TPROXY starting, squid shows IP spoofing to be
> starting as well.
>
> -Original Message-
> From: Irvan Adrian K [mailto:ir...@grahamedia.net.id]
> Sent: Monday, November 09, 2009 8:46 AM
> To: Amos Jeffries
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>
> Dear Mr Amos, thanks for your response, very helpful..
>
> Amos Jeffries wrote:
>> Irvan Adrian K wrote:
>>> So, what is the solution for these threads? Because I'm in the same
>>> trouble to make TPROXY4 work in UBUNTU 9.10 Server
>>
>> Explicit "Server" release or normal? I have recently found that the
>> kernel for normal Ubuntu is missing some routing features needed on an
>> end box pretending to be a server.
> Server release distribution of UBUNTU 9.10, not desktop one.. as you
> know that UBUNTU has several types of distribution: server, desktop,
> etc.., and as we analyze that UBUNTU Server does not differ from Debian,
> and has complete support for TPROXY built in, without recompile:
>
> xt_tcpudp 2780 2
> nf_nat 17808 2 iptable_nat,ipt_REDIRECT
> nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
> xt_MARK 1884 2
> xt_socket 2556 2
> nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> xt_TPROXY 1948 2
> nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
> nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
> x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>
>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>> 2.0.9, and until now, following the manual in
>>> http://wiki.squid-cache.org, like this:
>>>
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>
>>> cd /proc/sys/net/bridge/
>>> for i in *
>>> do
>>> echo 0 > $i
>>> done
>>> unset i
>>>
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> iptables are:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> squid configuration is default, except
>>> acl allow all
>>>
>>> After following like above, the iptables counter was increasing
>>> redirecting to TPROXY, but there was nothing in the squid, I can't
>>> open anything..
>>>
>>> But if I change the ebtables --redirect-target ACCEPT, the connection
>>> is running, but the packets are just bridged; nothing came to Squid,
>>> just like nothing on there..
>>
>> Yes. That is why they are "DROP". In BROUTING it means something like;
>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
> Yes, we saw that, after adding --redirect-target DROP at ebtables, the
> counter at iptables -j TPROXY increases, like this one:
>
> 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
> 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> before DROP at ebtables, there were no packets coming to iptables -j TPROXY
>
>>> Is there someone who can give the clue? thanks in advance..
>>>
>>> R
>>
>> Did you build Squid with libcap2-dev installed on the system?
> UBUNTU prefers libcap-dev rather than libcap2-dev,
>
> apt-get install libcap2-dev
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Note, selecting libcap-dev instead of libcap2-dev
> libcap-dev is already the newest version.
>
>> If you start Squid with the -X option is there anything about spoofing
>> or transparent mentioned?
>
> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
> 2009/11/0
RE: [squid-users] Tproxy4+squid: ebtables wiki
Great to know that it wasn't something that I have been doing wrong. What ver of Fedora did you use? Were the netfilter/tproxy mods already compiled into the kernel?

Thanks,
--Joe

-Original Message-
From: Dan [mailto:d...@jisp.net]
Sent: Monday, November 09, 2009 2:22 PM
To: Roth, Joe
Cc: Irvan Adrian K; Amos Jeffries; squid-users@squid-cache.org
Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki

To throw in my 2 cents. I have tried using both ubuntu server 9.04 and 9.10; neither of them I could get to work. I experienced the same problem. So to make sure it wasn't me making a mistake somewhere I tried the same config and setup on Fedora and that worked fine. So being lazy I just went with that. I am very interested in getting TPROXY to work with ubuntu server as I prefer it as my server OS.
Re: [squid-users] Tproxy4+squid: ebtables wiki
Roth, Joe wrote:
> Great to know that it wasn't something that I have been doing wrong.
> What ver of Fedora did you use? Were the netfilter/tproxy mods already
> compiled into the kernel?

Fedora 11, tproxy is part of the kernel.

> Thanks,
> --Joe
Re: [squid-users] Tproxy4+squid: ebtables wiki
Wow, thanks for the sharing, Dan.. it's very informative for me to know that.. because I have been working for 2 weeks till now, very desperate.. I have been using Debian 5 Lenny and Ubuntu 9.04 and 9.10, and so far nothing works :(, .. all the configurations I have tried, and I have recompiled many kernels from 2.6.20 - 2.6.25, 2.6.29, 2.6.31, and so far there was no solution at all..

Same to me, I have been using Debian and Ubuntu server for all my servers since a long time, and so hard for me to change to a different distro, but learning from you, I have to try Fedora or maybe CentOS, for TPROXY..

Thanks,

Irvan Adrian

Dan wrote:
> To throw in my 2 cents. I have tried using both ubuntu server 9.04 and
> 9.10; neither of them I could get to work. I experienced the same
> problem. So to make sure it wasn't me making a mistake somewhere I tried
> the same config and setup on Fedora and that worked fine. So being lazy
> I just went with that. I am very interested in getting TPROXY to work
> with ubuntu server as I prefer it as my server OS.
Re: [squid-users] Issue compiling last 3.1 squid in 64-bit platform
On Mon, 9 Nov 2009 14:02:51 -0200 (BRST), rena...@flash.net.br wrote:
> Greetings! I'm trying to test some new features of the 3.1 Squid branch and
> I just tried to compile the last snapshot (squid-3.1.0.14-20091109) on
> Slackware 13.0 64-BIT, with an Intel Xeon server (64-bit), gcc 4.3.3. Even
> not using any special configure options, I always get the error:
>
> (...)
> make[3]: *** No rule to make target `-lpthread', needed by `all-am'. Stop.
>
> If I disable the threads option in the configure line, I get:
>
> (...)
> make[3]: *** No rule to make target `-lm', needed by `ufsdump'. Stop.
>
> Did anyone have this problem, too? Is this a 64-bit related issue? This
> server has 16GB RAM, so I need to use 64-bit, right? Any ideas on how to
> solve this? I did some research in the mailing list and Google, but didn't
> find the same issue.
>
> Thank you all very much!!

Firstly, report code problems in beta release code to the squid-dev mailing list so the devs can find out about it.

I think the fix is now ported. Please try the next bundle (20091110) when it's ready in a few hours.

Amos
Re: [squid-users] Tproxy4+squid: ebtables wiki
On Mon, 09 Nov 2009 20:46:19 +0700, Irvan Adrian K wrote:
> Dear Mr Amos, thanks for your response, very helpful..
>
> Amos Jeffries wrote:
>> Irvan Adrian K wrote:
>>> So, what is the solution for these threads? Because I'm in the same
>>> trouble to make TPROXY4 work in UBUNTU 9.10 Server
>>>
>>
>> Explicit "Server" release or normal? I have recently found that the
>> kernel for normal Ubuntu is missing some routing features needed on an
>> end box pretending to be a server.
> Server release distribution of UBUNTU 9.10, not desktop one.. as you
> know that UBUNTU has several types of distribution: server, desktop,
> etc.., and as we analyze that UBUNTU Server does not differ from Debian,
> and has complete support for TPROXY built in, without recompile:

Good.

>
> xt_tcpudp 2780 2
> nf_nat 17808 2 iptable_nat,ipt_REDIRECT
> nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
> xt_MARK 1884 2
> xt_socket 2556 2
> nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> xt_TPROXY 1948 2
> nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
> nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
> x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>
>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>> 2.0.9, and until now, following the manual in
>>> http://wiki.squid-cache.org, like this:
>>>
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>
>>> cd /proc/sys/net/bridge/
>>> for i in *
>>> do
>>> echo 0 > $i
>>> done
>>> unset i
>>>
>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> iptables are:
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> squid configuration is default, except
>>> acl allow all
>>>
>>> After following like above, the iptables counter was increasing
>>> redirecting to TPROXY, but there was nothing in the squid, I can't
>>> open anything..
>>>
>>> But if I change the ebtables --redirect-target ACCEPT, the connection
>>> is running, but the packets are just bridged; nothing came to Squid,
>>> just like nothing on there..
>>
>> Yes. That is why they are "DROP". In BROUTING it means something like;
>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
> Yes, we saw that, after adding --redirect-target DROP at ebtables, the
> counter at iptables -j TPROXY increases, like this one:
>
> 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
> 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> before DROP at ebtables, there were no packets coming to iptables -j TPROXY

Good.

>>
>>> Is there someone who can give the clue? thanks in advance..
>>>
>>> R
>>>
>>
>> Did you build Squid with libcap2-dev installed on the system?
> UBUNTU prefers libcap-dev rather than libcap2-dev,
>
> apt-get install libcap2-dev
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Note, selecting libcap-dev instead of libcap2-dev
> libcap-dev is already the newest version.

I think this means they publish the code for libcap version 2.x in the libcap-dev package. I hope so anyway, since later releases will require functionality in version 2.x of libcap to build. For now that should be fine.

>>
>>
>> If you start Squid with the -X option is there anything about spoofing
>> or transparent mentioned?
>
> 2009/11/09 08:43:17.338| Processing: 'http_port 3128 '
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3128
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3128
> 2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on Port: 3129
> 2009/11/09 08:43:17.338| http(s)_port: found Listen on wildcard address: [::]:3129
> 2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
> 2009/11/09 08:43:17.338| Disabling Authentication on port [::]:3129 (IP spoofing enabled)
> 2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
> 2009/11/09 08:43:17.338| ...Probing for IPv6 TPROXY support.
> 2009/11/09 08:43:17.339| ...Probing for IPv4 TPROXY support.
> 2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
>

Okay. And no sign of anything saying "Stopping full transpar
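The three checks Amos walks Irvan through in this exchange (loaded netfilter modules, the DIVERT/TPROXY counters in mangle PREROUTING, and the spoofing/TPROXY lines Squid prints with -X) folded into one offline diagnostic, as an added example that is neither Squid project code nor anything posted in this thread. The sample inputs are constructed from the listings quoted above; the "Stopping" prefix used to spot a transparency failure is an assumption, since the thread is cut off before Amos quotes that message in full.

```python
"""Offline diagnostic for a bridged Squid TPROXY setup (added example).

Each function takes text an operator already has on hand: `lsmod` output,
`iptables -t mangle -L PREROUTING -v -n` output, and the startup lines Squid
prints when started with -X. Sample inputs are constructed from the thread.
"""
import re
from dataclasses import dataclass, field

# Modules the lsmod listing in the thread shows as the TPROXY core.
REQUIRED_MODULES = ("xt_TPROXY", "xt_socket", "nf_tproxy_core")

# iptables -v -n abbreviates counters (12830, 3896K, 2M ...); expand them.
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_counter(text: str) -> int:
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"not an iptables counter: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def loaded_modules(lsmod_text: str) -> set:
    """First column of every lsmod line, skipping the 'Module' header."""
    return {ln.split()[0] for ln in lsmod_text.splitlines()
            if ln.split() and ln.split()[0] != "Module"}


def rule_packets(iptables_text: str) -> dict:
    """Map each target (DIVERT, TPROXY, ...) to the packets its rule matched."""
    counts = {}
    for line in iptables_text.splitlines():
        parts = line.split()  # pkts bytes target prot opt in out src dst ...
        if len(parts) < 3:
            continue
        try:
            pkts = parse_counter(parts[0])
        except ValueError:
            continue  # "Chain PREROUTING ..." and the column header line
        counts[parts[2]] = counts.get(parts[2], 0) + pkts
    return counts


@dataclass
class SquidTproxyStatus:
    spoofing_ports: list = field(default_factory=list)
    tproxy_detected: bool = False
    stop_lines: list = field(default_factory=list)


def parse_squid_debug(squid_x_text: str) -> SquidTproxyStatus:
    """Pick the TPROXY-related messages out of `squid -X` output."""
    st = SquidTproxyStatus()
    for line in squid_x_text.splitlines():
        msg = line.split("| ", 1)[-1]  # drop the "2009/11/09 08:43:17.338|" prefix
        m = re.search(r"Starting IP Spoofing on port (\S+)", msg)
        if m:
            st.spoofing_ports.append(m.group(1))
        if "TPROXY support detected" in msg:
            st.tproxy_detected = True
        if msg.startswith("Stopping"):  # assumption: failure marker prefix
            st.stop_lines.append(msg)
    return st


def diagnose(lsmod_text: str, iptables_text: str, squid_x_text: str) -> list:
    """Findings in chain order; an empty list means every stage looks healthy."""
    findings = []
    missing = [m for m in REQUIRED_MODULES if m not in loaded_modules(lsmod_text)]
    if missing:
        findings.append("kernel modules not loaded: " + ", ".join(missing))
    counts = rule_packets(iptables_text)
    if "TPROXY" not in counts:
        findings.append("no TPROXY rule in mangle PREROUTING")
    elif counts["TPROXY"] == 0:
        # The symptom reported with --redirect-target ACCEPT: frames stay on
        # the bridge and never reach the routing path where TPROXY sits.
        findings.append("TPROXY rule sees 0 packets: check ebtables BROUTING "
                        "--redirect-target DROP")
    st = parse_squid_debug(squid_x_text)
    if not st.spoofing_ports:
        findings.append("Squid did not start IP spoofing on any port")
    if not st.tproxy_detected:
        findings.append("Squid did not detect TPROXY support")
    findings.extend("Squid reported: " + s for s in st.stop_lines)
    return findings


# Constructed samples, built from the listings quoted in the thread.
LSMOD_SAMPLE = """\
Module                  Size  Used by
xt_socket               2556  2
xt_TPROXY               1948  2
nf_tproxy_core          2428  2 xt_socket,xt_TPROXY,[permanent]
"""
IPTABLES_SAMPLE = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source    destination
12830 3896K DIVERT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 socket
 1451 69360 TPROXY tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
"""
SQUID_X_SAMPLE = """\
2009/11/09 08:43:17.338| Processing: 'http_port 3129 tproxy'
2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129
2009/11/09 08:43:17.338| Detect TPROXY support on port [::]:3129
2009/11/09 08:43:17.339| IPv4 TPROXY support detected. Using.
"""

if __name__ == "__main__":
    for f in diagnose(LSMOD_SAMPLE, IPTABLES_SAMPLE, SQUID_X_SAMPLE) or ["all stages healthy"]:
        print(f)
```

Feed it the real `lsmod`, `iptables -t mangle -L PREROUTING -v -n` and `squid -X` output to see which stage of the chain stops the packets; a clean report with clients still failing narrows the search to what sits after these checks, such as the libcap question raised above.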
Re: [squid-users] Tproxy4+squid: ebtables wiki
On Tue, 10 Nov 2009 05:05:02 +0700, Irvan Adrian K wrote:
> Wow, thanks for the sharing, Dan.. it's very informative for me to know
> that.. because i have been working for 2 weeks till now, very
> desperate.. i have been using Debian 5 Lenny and Ubuntu 9.04 and 9.10,
> and so far nothing works :(, .. all the configuration i have tried, and
> i have recompiled many kernels from 2.6.20 - 2.6.25, 2.6.29, 2.6.31,
> and so far there was no solution at all..
>
> Same for me, i have been using Debian and Ubuntu server for all my servers
> for a long time, and it's so hard for me to change to a different distro, but
> learning from you, i have to try Fedora or maybe CentOS, for TPROXY..
>
> Thanks,
>
> Irvan Adrian
>

Lenny too? rats.

Okay, well and truly time for a bug report to the Debian kernel guys.

Amos

> Dan wrote:
>> To throw in my 2 cents. I have tried using both ubuntu server 9.04
>> and 9.10; neither of them could I get to work. I experienced the same
>> problem. So to make sure it wasn't me making a mistake somewhere I
>> tried the same config and setup on Fedora and that worked fine. So
>> being lazy I just went with that. I am very interested in getting
>> TPROXY to work with ubuntu server as I prefer it as my server OS.
>>
>> Roth, Joe wrote:
>>> So it sounds like this is a problem with ubuntu 9.10 in general? I am
>>> running the server version as well, everything looks to be compiled
>>> properly, dmesg shows TPROXY starting, squid shows IP spoofing to be
>>> starting as well.
>>>
>>> -----Original Message-----
>>> From: Irvan Adrian K [mailto:ir...@grahamedia.net.id]
>>> Sent: Monday, November 09, 2009 8:46 AM
>>> To: Amos Jeffries
>>> Cc: squid-users@squid-cache.org
>>> Subject: Re: [squid-users] Tproxy4+squid: ebtables wiki
>>>
>>> Dear Mr Amos, thanks for your response, very helpful..
>>>
>>> Amos Jeffries wrote:
>>>> Irvan Adrian K wrote:
>>>>> So, What is the solution for these threads ? because i'm in the same
>>>>> trouble to make TPROXY4 work in UBUNTU 9.10 Server
>>>>
>>>> Explicit "Server" release or normal? I have recently found that the
>>>> kernel for normal Ubuntu is missing some routing features needed on an
>>>> end box pretending to be a server.
>>>
>>> Server release distribution of UBUNTU 9.10, not desktop one.. as you
>>> know that UBUNTU have several types of distribution : server, desktop,
>>> etc.., and as we analyze that UBUNTU Server does not differ from Debian,
>>> and has complete support for TPROXY built in, without recompile :
>>>
>>> xt_tcpudp 2780 2
>>> nf_nat 17808 2 iptable_nat,ipt_REDIRECT
>>> nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
>>> xt_MARK 1884 2
>>> xt_socket 2556 2
>>> nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
>>> xt_TPROXY 1948 2
>>> nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
>>> nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
>>> x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>>>
>>>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>>>> 2.0.9, and until now, following the manual in
>>>>> http://wiki.squid-cache.org, like this :
>>>>>
>>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>>>
>>>>> cd /proc/sys/net/bridge/
>>>>> for i in *
>>>>> do
>>>>> echo 0 > $i
>>>>> done
>>>>> unset i
>>>>>
>>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>
>>>>> iptables are:
>>>>> iptables -t mangle -N DIVERT
>>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>>
>>>>> squid configuration is default, except
>>>>> acl allow all
>>>>>
>>>>> After following like above, the iptables counter was increasing
>>>>> redirecting to TPROXY, but there was nothing
>>>>> in the squid, i can't open anything..
>>>>>
>>>>> But if i change the ebtables --redirect-target ACCEPT, the connection
>>>>> running, but the packet just bridged nothing came to Squid, just like
>>>>> nothing on there..
>>>>
>>>> Yes. That is why they are "DROP". In BROUTING it means something like;
>>>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
>>>
>>> Yes, we look that, after adding --redirect-target DROP at ebtables,
>>> counter at iptables -j TPROXY increase, like this o
Re: [squid-users] Reverse proxy, SSL cert for each cache peer
On Mon, 9 Nov 2009 13:41:42 -0500, Nick Duda wrote:
> Can someone point me to how I can setup squid, to listen on port 443 and
> depending on the URL being asked, to use a certain cache peer with a
> certain SSL cert? I've been doing this for just one cache peer, by
> just using the cert= key= options on the https_port directive. Can they be
> used on the cache_peer also?
>
> - Nick

Yes.
http://www.squid-cache.org/Doc/config/cache_peer
... and the config examples in the wiki.

Amos
Re: [squid-users] Tproxy4+squid: ebtables wiki
Dear Amos,

Everything should be 'working properly' but in fact, there is not one packet arriving on tproxy of squid, after the packet comes into iptables :

1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

as we can see that 1451 packets have come into iptables, but there was nothing coming to access.log on squid, and none of our clients can connect to the Internet.. except if we clear ebtables :

ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

but after we cleared it, the server just functions like a bridge, the packets do not come into iptables (packet counters of iptables still at zero), and there was nothing in access.log on squid,

Today we want to try using CentOS 5.4. and soon after we install and configure it with TPROXY, and test it, i will post it in here right away.. wish me luck :p

Irvan Adrian

Amos Jeffries wrote:
> On Mon, 09 Nov 2009 20:46:19 +0700, Irvan Adrian K wrote:
>> Dear Mr Amos, thanks for your response, very helpful..
>>
>> Amos Jeffries wrote:
>>> Irvan Adrian K wrote:
>>>> So, What is the solution for these threads ? because i'm in the same
>>>> trouble to make TPROXY4 work in UBUNTU 9.10 Server
>>>
>>> Explicit "Server" release or normal? I have recently found that the
>>> kernel for normal Ubuntu is missing some routing features needed on an
>>> end box pretending to be a server.
>>
>> Server release distribution of UBUNTU 9.10, not desktop one.. as you
>> know that UBUNTU have several types of distribution : server, desktop,
>> etc.., and as we analyze that UBUNTU Server does not differ from Debian,
>> and has complete support for TPROXY built in, without recompile :
>
> Good.
>
>> xt_tcpudp 2780 2
>> nf_nat 17808 2 iptable_nat,ipt_REDIRECT
>> nf_conntrack_ipv4 13352 3 iptable_nat,nf_nat
>> xt_MARK 1884 2
>> xt_socket 2556 2
>> nf_conntrack 67608 4 iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
>> xt_TPROXY 1948 2
>> nf_defrag_ipv4 1756 3 nf_conntrack_ipv4,xt_socket,xt_TPROXY
>> nf_tproxy_core 2428 2 xt_socket,xt_TPROXY,[permanent]
>> x_tables 16544 10 ebt_redirect,ebt_ip,ebtables,xt_tcpudp,iptable_nat,ip_tables,ipt_REDIRECT,xt_MARK,xt_socket,xt_TPROXY
>>
>>>> I'm using Kernel 2.6.31, Squid 3.1.0.15, iptables 1.4.5, ebtables
>>>> 2.0.9, and until now, following the manual in
>>>> http://wiki.squid-cache.org, like this :
>>>>
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>>>> ebtables -t broute -I BROUTING -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>>>>
>>>> cd /proc/sys/net/bridge/
>>>> for i in *
>>>> do
>>>> echo 0 > $i
>>>> done
>>>> unset i
>>>>
>>>> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> iptables are:
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> squid configuration is default, except
>>>> acl allow all
>>>>
>>>> After following like above, the iptables counter was increasing
>>>> redirecting to TPROXY, but there was nothing
>>>> in the squid, i can't open anything..
>>>>
>>>> But if i change the ebtables --redirect-target ACCEPT, the connection
>>>> running, but the packet just bridged nothing came to Squid, just like
>>>> nothing on there..
>>>
>>> Yes. That is why they are "DROP". In BROUTING it means something like;
>>> DROP off the bridge into the routing code, vs ACCEPT over the bridge.
>>
>> Yes, we look that, after adding --redirect-target DROP at ebtables,
>> counter at iptables -j TPROXY increase, like this one :
>>
>> 12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
>> 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>>
>> before DROP at ebtables, there was no packet coming to iptables -j TPROXY
>
> Good.
>
>>>> Hope someone can give a clue, thanks in advance..
>>>
>>> Did you build Squid with libcap2-dev installed on the system?
>>
>> UBUNTU prefers libcap-dev rather than libcap2-dev,
>>
>> apt-get install libcap2-dev
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> Note, selecting libcap-dev instead of libcap2-dev
>> libcap-dev is already the newest version.
>
> I think this means they publish the code for libcap version 2.x in the
> libcap-dev package. I hope so anyway, since later releases will require
> functionality in version 2.x of libcap to build. For now that should be
> fine.
>
> If you start Squid with the -X option is there anything about spoofing or
> transparent mentioned?
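An added example, not code from the thread or from the Squid project: a small POSIX sh diagnostic that walks the interception path in the same order the thread debugs it (ebtables BROUTING rules, then the iptables TPROXY counter, then the "Starting IP Spoofing" line from `squid -X`), working over captured command output so it runs offline. The sample texts are constructed from the counters and log lines quoted above; the `ebtables -t broute -L` listing layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: check the
# ebtables -> iptables TPROXY -> squid path from captured command output.

# Expand the K/M/G suffixes that `iptables -L -v -n` uses for big counters.
to_num() {
  case "$1" in
    *K) echo $(( ${1%K} * 1000 )) ;;
    *M) echo $(( ${1%M} * 1000000 )) ;;
    *G) echo $(( ${1%G} * 1000000000 )) ;;
    *)  echo "$1" ;;
  esac
}

# Packet counter of the first rule whose target is $2, from
# `iptables -t mangle -L PREROUTING -v -n` text in $1 (0 if no such rule).
rule_pkts() {
  n=$(printf '%s\n' "$1" | awk -v t="$2" '$3 == t { print $1; exit }')
  to_num "${n:-0}"
}

# Count BROUTING rules that pull frames off the bridge into routing,
# from `ebtables -t broute -L` text (layout assumed, see sample below).
broute_drop_rules() {
  printf '%s\n' "$1" | grep -c -- '-j redirect --redirect-target DROP'
}

# Does `squid -X` startup output report TPROXY spoofing on a port?
spoofing_enabled() {
  printf '%s\n' "$1" | grep -q 'Starting IP Spoofing on port' && echo yes || echo no
}

# Walk the path in the order the thread debugs it; name the first broken stage.
diagnose() {  # $1 ebtables text, $2 iptables text, $3 squid -X text
  [ "$(broute_drop_rules "$1")" -ge 2 ] || { echo "broute: frames stay bridged"; return; }
  [ "$(rule_pkts "$2" TPROXY)" -gt 0 ] || { echo "tproxy: rule never matched"; return; }
  [ "$(spoofing_enabled "$3")" = yes ] || { echo "squid: spoofing off (libcap build?)"; return; }
  echo "ok: path delivers to 3129, check squid is listening and access.log"
}

# Constructed samples, built from the counters and log lines quoted in the thread.
EBT_SAMPLE='Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP'
IPT_SAMPLE='12830 3896K DIVERT tcp -- * * 0.0.0.0/0 0.0.0.0/0 socket
 1451 69360 TPROXY tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1'
SQUID_SAMPLE='2009/11/09 08:43:17.338| Starting IP Spoofing on port [::]:3129'

diagnose "$EBT_SAMPLE" "$IPT_SAMPLE" "$SQUID_SAMPLE"
```

On a live box, feed it the real output of `ebtables -t broute -L`, `iptables -t mangle -L PREROUTING -v -n` and `squid -X` instead of the samples; a counter that keeps growing while access.log stays empty points past the netfilter stages to Squid itself, which is where the thread ends up.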