[squid-users] Weirdness with cisco l2tp tunnel, transparent proxy, Centos 4.2 squid server

2006-03-05 Thread Tony Spencer
This is a strange one.
We are terminating an L2TP tunnel on our Cisco 7200 running ios
c7200-js-mz.123-13.bin.
The tunnel is using a virtual template which has the proxy route map enabled
on it.

The relevant Cisco config:

access-list 110 deny   tcp host 10.0.0.2 any  # squid server eth0:1
access-list 110 permit tcp any any eq www
access-list 110 deny   ip any any

route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 10.0.0.2  # squid server eth0:1

interface Virtual-Template1
 description Tunnel Virtual Template
 ip unnumbered FastEthernet3/0
 ip mroute-cache
 ip policy route-map proxy-redirect
 no logging event link-status
 timeout absolute 4320 0
 peer default ip address pool IP-POOL
 no keepalive
 ppp authentication chap pap callin
 ppp multilink



The Centos box is running IPTables with the following rules for squid:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


And it’s a standard squid config.


Some users are able to browse web sites fine.
However, a handful of users can't; they get "Web site found" in the IE status
bar and blue progress lines, but the site fails.
I can see the request for the site hit the squid access log.

Has anyone got a setup like this and if so am I doing it correctly?

Thanks
Tony







[squid-users] Problem with Interception Caching/Proxying

2006-02-22 Thread Tony Spencer
Hi

Below is a diagram of part of our network.
We have an L2TP tunnel that gets terminated on our Cisco 7200 for DSL users.
The tunnel comes from our Upstream provider and once terminated we do the
Radius authentication and then redirect all port 80 traffic to our Squid
server.
However the Squid part doesn't seem to be working correctly, although I can
see the request come into Squid by watching the Squid access log, the end
user never gets the web page he requested, unless that web site is on the
10.0.0.x network.

I followed the examples on the Squid site to do the redirection of port 80
traffic, the Cisco has an access list and a route map to redirect port 80 to
the Squid server, the Squid server then forwards port 80 traffic to port
3128. I've even run Squid on port 80 so requests go directly to the Squid
port from the Cisco 7200.

If I configure my web browser on my PC to use the Squid server as a proxy I
can browse web sites fine, however this is when I'm not coming via the
tunnel on the router, just purely over the Internet.

           10.0.0.1 (gw on upstream)
                    |
                    |
                    | 10.0.0.4
          +-------------------+     +--------+
          | cisco 2900 switch |-----| Radius |
          +-------------------+     +--------+
              |             |
     10.0.0.2 |             | 10.0.0.3
       +------------+   +---------+
       | Cisco 7200 |   |  Squid  |
       +------------+   +---------+


The Relevant parts of the Cisco config looks like this:

###
interface FastEthernet3/0
 ip address 10.0.0.2 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex full


interface Virtual-Template1
 ip unnumbered FastEthernet3/0
 ip mroute-cache
 ip policy route-map proxy-redirect
 no logging event link-status
 timeout absolute 4320 0
 peer default ip address pool IP-POOL
 no keepalive
 ppp authentication chap pap callin
 ppp multilink

access-list 110 deny   tcp host 10.0.0.3 any
access-list 110 permit tcp any any eq www
access-list 110 deny   tcp any any
!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 10.0.0.3

##

And the Squid server uses the following iptables rule to forward the web
traffic to port 80.


###
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
###


It seems that although the Cisco is redirecting port 80 to the Squid server
and the server then forwards the requests to port 3128 and I can see the
requests come in, either the Squid server can't retrieve the website from
the outside world or can't return the site back to the end user.

If I take the route map off the Cisco 7200 and just let all traffic through, end
users can browse web sites ok.
But as soon as I redirect them to Squid it all goes wrong.

The Cisco 7200 is running IOS 12.3
The Squid server is a Centos 4.2 running squid-2.5.STABLE6-3.4E.11.

I can only think it's a config problem?
If anyone can help I would appreciate it.

Thanks
Tony


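The two posts above both hinge on the same Cisco ACL and route-map: port-80 traffic arriving on the tunnel's virtual template is policy-routed to the Squid host, which then REDIRECTs it to port 3128, while the Squid host's own connections are excluded so they cannot be bounced back to it. The following is an added example written for this page, not code from the thread or from Cisco: a small evaluator for the ACL lines exactly as posted, with IOS first-match semantics, the implicit deny at the end of every ACL, the route-map next-hop, and the iptables REDIRECT, so each case (a tunnel user fetching a page, HTTPS, and Squid's own outbound fetch) can be traced. The client and web-server addresses (192.0.2.10, 203.0.113.80) are constructed, wildcard masks are assumed contiguous, and only `eq` port qualifiers are parsed.

```python
import ipaddress

# Constructed copy of the ACL from the post. The route-map 'proxy-redirect'
# matches ACL 110 and sets the next-hop to the Squid server.
ACL_TEXT = """
access-list 110 deny   tcp host 10.0.0.3 any
access-list 110 permit tcp any any eq www
access-list 110 deny   tcp any any
"""
SQUID_HOST = "10.0.0.3"   # next-hop set by the route-map
SQUID_PORT = 3128         # REDIRECT target on the Squid box

# Well-known names IOS accepts in place of port numbers (subset, assumed sufficient here)
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "smtp": 25, "telnet": 23}


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A Cisco wildcard is an inverted netmask; ipaddress accepts a contiguous
    # hostmask directly (non-contiguous wildcards are out of scope here).
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _num, action, proto = tokens[:4]
        rest = tokens[4:]
        src = _take_addr(rest)
        sport = _take_port(rest)
        dst = _take_addr(rest)
        dport = _take_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def acl_match(entries, proto, src, sport, dst, dport):
    """IOS first-match evaluation; every ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, esport, edst, edport in entries:
        if eproto not in ("ip", proto):
            continue
        if s not in esrc or d not in edst:
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action
    return "deny"


def policy_next_hop(entries, src, dst, dport, proto="tcp", sport=0):
    """'route-map proxy-redirect permit 10 / match ip address 110 / set ip next-hop'.
    A permit match is policy-routed to Squid; anything else follows the routing table."""
    if acl_match(entries, proto, src, sport, dst, dport) == "permit":
        return SQUID_HOST
    return None


def squid_box_redirect(in_iface, proto, dport):
    """iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"""
    if in_iface == "eth0" and proto == "tcp" and dport == 80:
        return SQUID_PORT
    return dport


def trace(entries, client, server, dport=80):
    """Follow one client packet through PBR and, if redirected, the Squid box's NAT.
    Returns (next_hop, local_port); next_hop None means normal routing."""
    nh = policy_next_hop(entries, client, server, dport)
    if nh is None:
        return (None, dport)
    return (nh, squid_box_redirect("eth0", "tcp", dport))


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed addresses: 192.0.2.10 = a tunnel user, 203.0.113.80 = a web server
    print(trace(ACL, "192.0.2.10", "203.0.113.80"))       # intercepted -> ('10.0.0.3', 3128)
    print(trace(ACL, "192.0.2.10", "203.0.113.80", 443))  # HTTPS passes through -> (None, 443)
    # Squid's own fetch must never match, or it would be looped back to itself
    print(trace(ACL, "10.0.0.3", "203.0.113.80"))         # (None, 80)
```

Running it shows the three paths side by side. Note that the `deny tcp host 10.0.0.3 any` line only matters for traffic that actually enters an interface carrying `ip policy route-map proxy-redirect`; the evaluator models the ACL, not which interface a packet arrived on.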


[squid-users] Finding real remote address

2005-10-15 Thread Tony Spencer
I have users coming into our network over an L2TP tunnel who are assigned an IP
address and then are directed through our squid servers via an LVS.
My problem is that the squid access log shows the requests coming from the
IP address of the L2TP tunnel but I want it to tell me what the remote users
IP address is.

My setup is as follows:

  User (IP: 10.0.0.2)
|
|
L2TP Tunnel (IP: 192.168.0.2)
|
|
  LVS (IP: 192.168.0.4)
   |
   |
 Squid Server (IP: 192.168.0.6)

Squid shows the requests from 192.168.0.4 (LVS ip).
I've created a script that shows all variables via a CGI script:

#
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $page = CGI->new;

# Dump every CGI environment variable, one per paragraph
print $page->header, $page->start_html;
foreach my $key (sort keys %ENV)
{
  print "$key = $ENV{$key}<P>\n";
}
print $page->end_html;
#

And it shows the following info:

HTTP_X_FORWARDED_FOR = 192.168.0.2 (tunnel)
REMOTE_ADDR = 192.168.0.4 (LVS)
SERVER_ADDR = 192.168.0.4 (LVS)
SERVER_NAME = 192.168.0.2 (tunnel)

But never shows the users IP.

The reason I need this is because we use squidguard to filter access to
certain web sites and some users might need to see these blocked sites. So
we have a script that they can access to turn off the filtering for them for
a short time. It determines their IP address and rebuilds the
squidguard.conf file allowing their IP to bypass the squidguard filtering.
However all it's doing at the moment is allowing the tunnel IP to bypass the
filtering which means everyone is unfiltered.
I don't want to add the IPs into the squidguard.conf file and leave them
there as there are so many users it would be an admin nightmare.

It must be possible because if I run squid on the server terminating the
tunnel and use that to request pages via, it shows the real IP address and
not the tunnel IP.

Anyone got any ideas?

Thanks in advance.
Tony

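The post's bypass script has to decide which address to whitelist from `REMOTE_ADDR` and `HTTP_X_FORWARDED_FOR`, and that decision is security-relevant: any client can put whatever it likes at the left end of X-Forwarded-For, so reading the first entry lets a user unfilter an arbitrary address. The following is an added example written for this page (not Tony's script and not part of squid or squidGuard): it resolves the client address by walking the X-Forwarded-For chain from the right and discarding only hops that belong to our own infrastructure. The trusted-hop list (the LVS 192.168.0.4 and the tunnel endpoint 192.168.0.2) is an assumption taken from the diagram in the post; 203.0.113.9 is a constructed spoofed value.

```python
import ipaddress

# Constructed trusted-hop list for the topology in the post: only the LVS and the
# L2TP tunnel endpoint are allowed to speak for a client. Anything else that
# appears in X-Forwarded-For is just text the sender typed.
TRUSTED_HOPS = [ipaddress.ip_network("192.168.0.4/32"),
                ipaddress.ip_network("192.168.0.2/32")]


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # 'unknown' or garbage never counts as a trusted proxy
    return any(ip in net for net in trusted)


def naive_client_address(x_forwarded_for):
    """Believe the first X-Forwarded-For entry. Anyone can put any address there,
    so a user can unfilter an address of their choosing."""
    return x_forwarded_for.split(",")[0].strip()


def client_address(remote_addr, x_forwarded_for, trusted=TRUSTED_HOPS):
    """Walk X-Forwarded-For from the right, dropping hops we trust; the first hop we
    do not trust is the client. Returns None if the chain ends inside our own hops
    (the client's address was never recorded) or the candidate is not a valid IP."""
    chain = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    candidate = remote_addr
    while _is_trusted(candidate, trusted):
        if not chain:
            return None
        candidate = chain.pop()   # rightmost entry was appended by the hop just trusted
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def bypass_target(environ, trusted=TRUSTED_HOPS):
    """The address a squidGuard bypass script may safely whitelist, or None.
    environ is the CGI environment (REMOTE_ADDR, HTTP_X_FORWARDED_FOR)."""
    return client_address(environ.get("REMOTE_ADDR", ""),
                          environ.get("HTTP_X_FORWARDED_FOR"), trusted)


if __name__ == "__main__":
    # The values the post's CGI dump printed: the user's address is not in the chain,
    # so there is nothing safe to whitelist.
    print(bypass_target({"REMOTE_ADDR": "192.168.0.4",
                         "HTTP_X_FORWARDED_FOR": "192.168.0.2"}))            # None
    # What a hop that records the user's address (10.0.0.2) would produce
    print(bypass_target({"REMOTE_ADDR": "192.168.0.4",
                         "HTTP_X_FORWARDED_FOR": "10.0.0.2, 192.168.0.2"}))  # 10.0.0.2
    # A user prepending a bogus entry cannot move the answer
    spoofed = "203.0.113.9, 10.0.0.2, 192.168.0.2"
    print(naive_client_address(spoofed),
          bypass_target({"REMOTE_ADDR": "192.168.0.4",
                         "HTTP_X_FORWARDED_FOR": spoofed}))                   # 203.0.113.9 10.0.0.2
```

With the exact values from the post's dump the walk returns None, which is the honest answer: the chain stops at the tunnel endpoint and the user's address was never put into it, so whichever hop builds the header upstream of the LVS is what has to change before the bypass script can act on a per-user address.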





[squid-users] Cache directories

2005-10-08 Thread Tony Spencer
Hi all

I have squid running but was wondering what happens when the cache dirs get
full or reach the limit set in the squid.conf.
Will squid clear out the oldest entries or do I have to clear them out
myself?

Thanks
Tony