[squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working
hi all

i setup my squid proxy following this url; kernel version and iptables all match the Minimum Requirements:
http://wiki.squid-cache.org/Features/Tproxy4#Feature:_TPROXY_version_4.1.2B-_Support

some differences:
ip route add default via isp'gateway dev ppp0 table 100

my squid.conf:

#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#url filter
acl badDomain dstdomain yahoo.com
acl keyword url_regex -i plurk

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow myDomain
# And finally deny all other access to this proxy
http_access deny all

icp_access allow localnet
icp_access deny all

#Allow HTCP queries from local networks only
htcp_access allow localnet
htcp_access deny all

visible_hostname testlab

# Squid normally listens to port 3128
#http_port 3128 transparent
http_port 3129 tproxy
#http_port 3128 tproxy transparent

cache deny all
access_log /usr/local/squid/var/logs/access.log squid
#cache_dir null /tmp
cache_store_log none
cache_effective_user squid
cache_effective_group squid

when i start my squid proxy the traffic is via ppp0 to internet but the url filter rule is not working !
this squid.conf is copied from squid 3.0. i use squid 3.1 because i want to control the outgoing traffic over multi wan.

please give me any advice, thanks a lot
Re: [squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working
Mon 2010-03-08 at 19:56 +0800 Dong-Yuan Shih wrote:

> when i start my squid proxy the traffic is via ppp0 to internet but
> the url filter rule is not working !

Is there anything in access.log?

Regards
Henrik
Re: [squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working
2010/3/8 Henrik Nordstrom hen...@henriknordstrom.net:
> Mon 2010-03-08 at 19:56 +0800 Dong-Yuan Shih wrote:
>> when i start my squid proxy the traffic is via ppp0 to internet but
>> the url filter rule is not working !
>
> Is there anything in access.log?
>
> Regards
> Henrik

there is nothing in access.log

cache.log:
2010/03/08 12:27:44| WARNING: -D command-line option is obsolete.
2010/03/08 12:27:44| Warning: empty ACL: acl exempt src
2010/03/08 12:27:44| Starting Squid Cache version 3.1.0.14 for i686-pc-linux-gnu...
2010/03/08 12:27:44| Process ID 29452
2010/03/08 12:27:44| With 1024 file descriptors available
2010/03/08 12:27:44| Initializing IP Cache...
2010/03/08 12:27:44| DNS Socket created at [::], FD 4
2010/03/08 12:27:44| Adding nameserver 168.95.1.1 from /etc/resolv.conf
2010/03/08 12:27:44| Unlinkd pipe opened on FD 9
2010/03/08 12:27:44| Store logging disabled
2010/03/08 12:27:44| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2010/03/08 12:27:44| Target number of buckets: 1008
2010/03/08 12:27:44| Using 8192 Store buckets
2010/03/08 12:27:44| Max Mem size: 262144 KB
2010/03/08 12:27:44| Max Swap size: 0 KB
2010/03/08 12:27:44| Using Least Load store dir selection
2010/03/08 12:27:44| Current Directory is /usr/local/squid
2010/03/08 12:27:44| Loaded Icons.
2010/03/08 12:27:44| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 10.
2010/03/08 12:27:44| HTCP Disabled.
2010/03/08 12:27:44| IcmpSquid.cc(253) Open: Pinger socket opened on FD 12
2010/03/08 12:27:44| Squid modules loaded: 0
2010/03/08 12:27:44| Ready to serve requests.
2010/03/08 12:27:45| storeLateRelease: released 0 objects

#http_port 3128 tproxy transparent
this syntax is not supported

or

http_port 3128 transparent
http_port 3129 tproxy

i'm so confused. everything is fine when i use squid 3.0; i just modify the conf, add visible_hostname and
#cache_dir null /tmp
http_port 3129 tproxy

thanks for any advice
Re: [squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working
Dong-Yuan Shih wrote:
> 2010/3/8 Henrik Nordstrom hen...@henriknordstrom.net:
>> Mon 2010-03-08 at 19:56 +0800 Dong-Yuan Shih wrote:
>>> when i start my squid proxy the traffic is via ppp0 to internet but
>>> the url filter rule is not working !
>>
>> Is there anything in access.log?
>>
>> Regards
>> Henrik
>
> there is nothing in access.log

Therefore requests are not arriving at Squid. Your iptables rules are not working.

> cache.log:
> 2010/03/08 12:27:44| WARNING: -D command-line option is obsolete.
> 2010/03/08 12:27:44| Warning: empty ACL: acl exempt src

Strangely there is no such ACL in the config you told us you were running...

> 2010/03/08 12:27:44| Starting Squid Cache version 3.1.0.14 for i686-pc-linux-gnu...
> 2010/03/08 12:27:44| Process ID 29452
> 2010/03/08 12:27:44| With 1024 file descriptors available
> 2010/03/08 12:27:44| Initializing IP Cache...
> 2010/03/08 12:27:44| DNS Socket created at [::], FD 4
> 2010/03/08 12:27:44| Adding nameserver 168.95.1.1 from /etc/resolv.conf
> 2010/03/08 12:27:44| Unlinkd pipe opened on FD 9
> 2010/03/08 12:27:44| Store logging disabled
> 2010/03/08 12:27:44| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2010/03/08 12:27:44| Target number of buckets: 1008
> 2010/03/08 12:27:44| Using 8192 Store buckets
> 2010/03/08 12:27:44| Max Mem size: 262144 KB
> 2010/03/08 12:27:44| Max Swap size: 0 KB
> 2010/03/08 12:27:44| Using Least Load store dir selection
> 2010/03/08 12:27:44| Current Directory is /usr/local/squid
> 2010/03/08 12:27:44| Loaded Icons.
> 2010/03/08 12:27:44| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 10.

TPROXY is up and running as far as Squid can tell.

However, note that 3.1.0.14 does not have the upgrade to warn properly when libcap2 is missing or not working properly. You will need to build Squid from the current snapshot to get that. We had a bug that broke TPROXY for the 3.1.0.16 and 3.1.0.17 release bundles, sorry.

> 2010/03/08 12:27:44| HTCP Disabled.
> 2010/03/08 12:27:44| IcmpSquid.cc(253) Open: Pinger socket opened on FD 12
> 2010/03/08 12:27:44| Squid modules loaded: 0
> 2010/03/08 12:27:44| Ready to serve requests.
> 2010/03/08 12:27:45| storeLateRelease: released 0 objects
>
> #http_port 3128 tproxy transparent
> this syntax is not supported

Yes, that is broken syntax above.

> or
>
> http_port 3128 transparent
> http_port 3129 tproxy

# Receive DNAT or REDIRECT traffic (for squid 3.1)
http_port 3128 intercept

# Receive TPROXY traffic
http_port 3129 tproxy

> i'm so confused. everything is fine when i use squid 3.0; i just modify the conf, add visible_hostname and
> #cache_dir null /tmp
> http_port 3129 tproxy
>
> thanks for any advice

3.0 does not support TPROXY so it will not work, even if it looks fine and requests happen. Your logs will be garbage and no spoofing will happen.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.17
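An added check, not part of the thread and not Squid project code, that is worth running on the posted squid.conf once the iptables problem Amos describes is fixed: Squid evaluates an ACL only where an access directive references it, and the config at the top of the thread defines badDomain and keyword without any http_access line using them, while http_access references myDomain, which is never defined. The script below (SAMPLE_CONF is a constructed excerpt of that posted config) flags both kinds of mismatch.

```python
# Constructed sample: the acl/http_access lines from the squid.conf posted
# in the thread, trimmed to what matters for the "url filter" question.
SAMPLE_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
#url filter
acl badDomain dstdomain yahoo.com
acl keyword url_regex -i plurk
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow myDomain
http_access deny all
"""

# Directives whose trailing tokens are ACL names (after allow/deny).
ACCESS_DIRECTIVES = ("http_access", "icp_access", "htcp_access")

# 'all' is predefined by Squid 3.x, so it never counts as undefined.
BUILTIN_ACLS = {"all"}


def check_acl_usage(conf_text):
    """Return (defined_but_unused, used_but_undefined) as two sets.

    A filter ACL such as 'acl badDomain dstdomain ...' blocks nothing
    unless some http_access line names it; an ACL named in http_access
    but never defined is a config error.
    """
    defined, used = set(), set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "acl" and len(fields) >= 3:
            defined.add(fields[1])
        elif fields[0] in ACCESS_DIRECTIVES and len(fields) >= 3:
            # fields[1] is allow/deny; the rest are ACL names, possibly
            # negated with a leading '!'
            used.update(name.lstrip("!") for name in fields[2:])
    return defined - used, (used - defined) - BUILTIN_ACLS


if __name__ == "__main__":
    unused, undefined = check_acl_usage(SAMPLE_CONF)
    print("defined but never used in an access rule:", sorted(unused))
    print("used but never defined:", sorted(undefined))
```

The flagged names point at the fix on the Squid side: an explicit http_access deny line for each filter ACL, placed before the allow for localnet.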