rihad wrote:
Looks like I'm the only one trying to use TProxy? Somebody else, please?
To summarize: Squid does NOT spoof client's IP address when initiating
connections on its own. Just as if there weren't a thing named "TProxy".
We have had a fair few trying it with complete success when its the only
thing used. This kind of thing seems to crop up with WCCP, for you and
one other.
I'm not sure yet what the problem seems to be. Can you check your
cache.log for messages about "Stopping full transparency", the rest of
the message says why. I've updated the wiki troubleshooting section to
list the messages that appear when tproxy is turned off automatically
and what needs to be done to fix it.
If you can't see any of those please can you set:
debug_options ALL,1 89,6
to see whats going on?
I know the squid->client link should be 100% spoofed. I'm not fully
certain the quid->server link is actually spoofed in all cases. Though
one report indicates it may be, I have not been able to test it locally yet.
Amos
Original message follows (not to be confused with top-posting):
Hello, I'm trying to get TProxy 4.1 to work as outlined here:
http://wiki.squid-cache.org/Features/Tproxy4
namely under Ubuntu 9.04 stable/testing mix with the following:
linux-image-2.6.28-11-server 2.6.28-11.42
iptables 1.4.3.2-2ubuntu1
squid-3.1.0.7.tar.bz2 from original sources
Squid has been built this way:
$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.1.0.7
configure options: '--enable-linux-netfilter'
--with-squid=/home/guessed/squid-3.1.0.7 --enable-ltdl-convenience
(myself I only gave it --enable-linux-netfilter)
squid.conf is pretty much whatever 'make install' created, with my
changes given at the end, after the blank line:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /usr/local/squid/var/cache
cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_mem 16 MB
http_port 3129 tproxy
visible_hostname tproxy
Then I did:
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
#Use DIVERT to prevent existing connections going through TPROXY twice:
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#Mark all other (new) packets and use TPROXY to pass into Squid:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
--tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
#On each boot startup set:
echo 1 > /proc/sys/net/ipv4/ip_forward
ran squid -z and launched squid.
My topology:
desktop where I sit: one link has address 192.168.0.1/24, the other to
the Internet
Squid box: one link: 192.168.0.184/24 (bridged VMware interface on the
same box as desktop), the other link is custom VMware interface
192.168.1.1/24
The "client" box: single interface 192.168.1.2/24
So, the squid box is directly connected to the outside on the one side,
and to the client on the other. My desktop's routing knows to reach the
client through the Squid box, and vice versa, so the port 80 traffic
under consideration flows through the Squid box in both ways.
Now, after I do this on the "client":
$ telnet 192.168.0.1 80
GET / HTTP/1.0
(correct webpage output)
Connection closed by foreign host.
Nevertheless, in 192.168.0.1's webserver's logs I can see 192.168.0.184
connecting, not the TProxied 192.168.1.2, as if working under the plain
ole interception proxying I've been trying to get rid of!
Why?! Counters on the Squid box do get bumped:
$ sudo iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 163 packets, 21851 bytes)
pkts bytes target prot opt in out source
destination
2274 214K DIVERT tcp -- * * 0.0.0.0/0
0.0.0.0/0 socket
16 920 TPROXY tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
...
Chain DIVERT (1 references)
pkts bytes target prot opt in out source
destination
2274 214K MARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK xset 0x1/0xffffffff
2274 214K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Thanks for any tips.
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.7
