[squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working

2010-03-08 Thread Dong-Yuan Shih
Hi all,
I set up my squid proxy following this URL; the kernel version and iptables all match the minimum requirements:

http://wiki.squid-cache.org/Features/Tproxy4#Feature:_TPROXY_version_4.1.2B-_Support

Some differences:
ip route add default via isp'gateway dev ppp0 table 100

My squid.conf:
 #Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


#url filter
acl badDomain dstdomain yahoo.com
acl keyword url_regex -i plurk

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# The url filter ACLs only take effect when used in a deny rule, and that
# rule must come before "allow localnet" or local clients are allowed first
http_access deny badDomain
http_access deny keyword
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all

icp_access allow localnet
icp_access deny all

#Allow HTCP queries from local networks only
htcp_access allow localnet
htcp_access deny all

visible_hostname testlab

# Squid normally listens to port 3128
#http_port 3128 transparent
http_port 3129 tproxy
#http_port 3128 tproxy transparent
cache deny all
access_log /usr/local/squid/var/logs/access.log squid
#cache_dir null /tmp
cache_store_log none
cache_effective_user squid
cache_effective_group squid

When I start my squid proxy,
the traffic goes via ppp0 to the internet,
but the url filter rule is not working!

This squid.conf is copied from squid 3.0.
I use squid 3.1 because I want to control outgoing traffic over multiple WANs.

Please give me any advice.
Thanks a lot
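As an added example (my code, not from this thread or the Squid project), a short Python lint for the acl / http_access part of a squid.conf: it reports ACLs referenced but never defined, ACLs defined but never used in any http_access rule (a url filter ACL that appears in no deny rule can never block anything), and rules placed after an unconditional "all" rule, which never match. The embedded config is a constructed excerpt containing both mistakes, not the poster's file.

```python
# Squid 3.x predefines "all"; every other ACL name needs its own acl line.
BUILTIN_ACLS = {"all"}

# Constructed sample: "myDomain" is referenced but never defined, and the
# url-filter ACLs badDomain/keyword are defined but appear in no rule.
SAMPLE_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl badDomain dstdomain yahoo.com
acl keyword url_regex -i plurk
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow myDomain
http_access deny all
"""

def parse_conf(text):
    """Return ({acl name: acl type}, [(action, [acl names without '!']), ...])."""
    defined, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(parts) < 3:
            continue
        if parts[0] == "acl":
            defined.setdefault(parts[1], parts[2])
        elif parts[0] == "http_access":
            rules.append((parts[1], [p.lstrip("!") for p in parts[2:]]))
    return defined, rules

def lint(text):
    defined, rules = parse_conf(text)
    used = {name for _, names in rules for name in names}
    undefined = sorted(used - set(defined) - BUILTIN_ACLS)
    unused = sorted(set(defined) - used)
    unreachable = []
    for i, (_, names) in enumerate(rules):
        if names == ["all"]:  # everything after "allow all"/"deny all" is dead
            unreachable = [f"http_access {a} {' '.join(n)}" for a, n in rules[i + 1:]]
            break
    return {"undefined": undefined, "unused": unused, "unreachable": unreachable}
```

Running lint(SAMPLE_CONF) lists myDomain as undefined and badDomain and keyword as unused; moving the filter ACLs into deny rules placed before "allow localnet" clears both findings.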


Re: [squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working

2010-03-08 Thread Henrik Nordstrom
mån 2010-03-08 klockan 19:56 +0800 skrev Dong-Yuan Shih:
>
> When I start my squid proxy,
> the traffic goes via ppp0 to the internet,
> but the url filter rule is not working!

Is there anything in access.log?

Regards
Henrik



Re: [squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working

2010-03-08 Thread Dong-Yuan Shih
2010/3/8 Henrik Nordstrom hen...@henriknordstrom.net:
> mån 2010-03-08 klockan 19:56 +0800 skrev Dong-Yuan Shih:
>
>> When I start my squid proxy,
>> the traffic goes via ppp0 to the internet,
>> but the url filter rule is not working!
>
> Is there anything in access.log?
>
> Regards
> Henrik


There is nothing in access.log.
cache.log:
2010/03/08 12:27:44| WARNING: -D command-line option is obsolete.
2010/03/08 12:27:44| Warning: empty ACL: acl exempt src
2010/03/08 12:27:44| Starting Squid Cache version 3.1.0.14 for
i686-pc-linux-gnu...
2010/03/08 12:27:44| Process ID 29452
2010/03/08 12:27:44| With 1024 file descriptors available
2010/03/08 12:27:44| Initializing IP Cache...
2010/03/08 12:27:44| DNS Socket created at [::], FD 4
2010/03/08 12:27:44| Adding nameserver 168.95.1.1 from /etc/resolv.conf
2010/03/08 12:27:44| Unlinkd pipe opened on FD 9
2010/03/08 12:27:44| Store logging disabled
2010/03/08 12:27:44| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2010/03/08 12:27:44| Target number of buckets: 1008
2010/03/08 12:27:44| Using 8192 Store buckets
2010/03/08 12:27:44| Max Mem  size: 262144 KB
2010/03/08 12:27:44| Max Swap size: 0 KB
2010/03/08 12:27:44| Using Least Load store dir selection
2010/03/08 12:27:44| Current Directory is /usr/local/squid
2010/03/08 12:27:44| Loaded Icons.
2010/03/08 12:27:44| Accepting  spoofing HTTP connections at
0.0.0.0:3129, FD 10.
2010/03/08 12:27:44| HTCP Disabled.
2010/03/08 12:27:44| IcmpSquid.cc(253) Open: Pinger socket opened on FD 12
2010/03/08 12:27:44| Squid modules loaded: 0
2010/03/08 12:27:44| Ready to serve requests.
2010/03/08 12:27:45| storeLateRelease: released 0 objects


#http_port 3128 tproxy transparent
This syntax is not supported,
or
http_port 3128 transparent
http_port 3129 tproxy

I'm so confused.
Everything is fine when I use squid 3.0.
I just modified the conf:
added visible_hostname
and #cache_dir null /tmp
http_port 3129 tproxy

Thanks for any advice


Re: [squid-users] squid 3.1 + tproxy + iptables 1.4.3 -url filter not working

2010-03-08 Thread Amos Jeffries

Dong-Yuan Shih wrote:
> 2010/3/8 Henrik Nordstrom hen...@henriknordstrom.net:
>> mån 2010-03-08 klockan 19:56 +0800 skrev Dong-Yuan Shih:
>>> When I start my squid proxy,
>>> the traffic goes via ppp0 to the internet,
>>> but the url filter rule is not working!
>>
>> Is there anything in access.log?
>>
>> Regards
>> Henrik
>
> There is nothing in access.log.


Therefore requests are not arriving at Squid.
Your iptables rules are not working.


> cache.log:
> 2010/03/08 12:27:44| WARNING: -D command-line option is obsolete.
> 2010/03/08 12:27:44| Warning: empty ACL: acl exempt src


Strangely there is no such ACL in the config you told us you were running...


> 2010/03/08 12:27:44| Starting Squid Cache version 3.1.0.14 for
> i686-pc-linux-gnu...
> 2010/03/08 12:27:44| Process ID 29452
> 2010/03/08 12:27:44| With 1024 file descriptors available
> 2010/03/08 12:27:44| Initializing IP Cache...
> 2010/03/08 12:27:44| DNS Socket created at [::], FD 4
> 2010/03/08 12:27:44| Adding nameserver 168.95.1.1 from /etc/resolv.conf
> 2010/03/08 12:27:44| Unlinkd pipe opened on FD 9
> 2010/03/08 12:27:44| Store logging disabled
> 2010/03/08 12:27:44| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2010/03/08 12:27:44| Target number of buckets: 1008
> 2010/03/08 12:27:44| Using 8192 Store buckets
> 2010/03/08 12:27:44| Max Mem  size: 262144 KB
> 2010/03/08 12:27:44| Max Swap size: 0 KB
> 2010/03/08 12:27:44| Using Least Load store dir selection
> 2010/03/08 12:27:44| Current Directory is /usr/local/squid
> 2010/03/08 12:27:44| Loaded Icons.
> 2010/03/08 12:27:44| Accepting  spoofing HTTP connections at
> 0.0.0.0:3129, FD 10.


TPROXY is up and running as far as Squid can tell.

However, note that 3.1.0.14 does not have the upgrade to warn properly
when libcap2 is missing or not working properly. You will need to
build Squid from the current snapshot to get that. We had a bug that
broke TPROXY for the 3.1.0.16 and 3.1.0.17 release bundles, sorry.



> 2010/03/08 12:27:44| HTCP Disabled.
> 2010/03/08 12:27:44| IcmpSquid.cc(253) Open: Pinger socket opened on FD 12
> 2010/03/08 12:27:44| Squid modules loaded: 0
> 2010/03/08 12:27:44| Ready to serve requests.
> 2010/03/08 12:27:45| storeLateRelease: released 0 objects
>
>
> #http_port 3128 tproxy transparent
> This syntax is not supported,


Yes, that is broken syntax above.


> or
> http_port 3128 transparent
> http_port 3129 tproxy


# Receive DNAT or REDIRECT traffic (for squid 3.1)
http_port 3128 intercept

# Receive TPROXY traffic
http_port 3129 tproxy



> I'm so confused.
> Everything is fine when I use squid 3.0.
> I just modified the conf:
> added visible_hostname
> and #cache_dir null /tmp
> http_port 3129 tproxy
>
> Thanks for any advice



3.0 does not support TPROXY, so it will not work even if it looks fine
and requests happen. Your logs will be garbage and no spoofing will happen.



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
  Current Beta Squid 3.1.0.17