Hi Mohamed, I used this setup for a transparent forward proxy. It's built on CentOS and it worked for ATS 4.2.1 but it should still be valid for ATS 6.
Kind regards,
Kieron

Kieron Robertson
Man and Machine
Mail: [email protected]
Cell: 083 309 3538

On Wed, Aug 5, 2015 at 6:45 PM, Mohamed Marzban <[email protected]> wrote:
> Hi,
>
> I am trying to deploy HTTP transparent proxy cache on Apache Traffic
> server. The scenario consists of a client that is connected to the internet
> router through the ATS server.
>
> I am using ATS v.6.0. I configured the record.config file as follows:
> -CONFIG proxy.config.url_remap.remap_required INT 0
> -CONFIG proxy.config.http.server_ports STRING 8080:tr-full
> -CONFIG proxy.config.log.logging_enabled INT 3
> -CONFIG proxy.config.log.squid_log_enabled INT 1
>
> I followed Alan M. Carroll's iptables, ebtables and other networking
> commands (http://network-geographics.com/assets/docs/ApacheCon-2013.pdf )
> to route the HTTP traffic through the ATS using the bridge configuration
> but it didn't work with me. On tracing using wireshark at the client side,
> the handshaking between the server and the client occurs but the data
> packets are not received by the client. Can anyone help me with that?
>
> On the mailing list, I found a previous thread on HTTP transparent caching
> that dates back to May 2012. I used iptables DIVERT and networking commands
> as recommended by Saraswathi Venkataraman on this thread:
>
> http://mail-archives.apache.org/mod_mbox/trafficserver-users/201205.mbox/%3CBB345F600CB1164AB82F077B37194D4317337487%40mumEX01.India.XoriantCorp.com%3E
> The traffic passes through the ATS and the webpages are displayed properly
> at the client side. When I stop the ATS, no traffic is received at the
> client side so I am sure it goes through the ATS. However, nothing appears
> in the squid logs and most probably nothing is cached at the ATS. How can I
> configure the ATS to cache the ongoing traffic and view that in the squid
> log files?
>
> Thanks,
> M. Marzban
>
Scenario:

Firewall:10.0.0.1 <--> eth0:[ATS TPROXY Bridge(br0=10.0.0.200)]:eth1 <--> clients:10.0.0.x/24

Hardware used for test setup:
Atom D2700 (Dual core, 2.13GHz, x64 capable)
4GB RAM
160 GB SATA Drive
2 x Broadcom 57788 PCIe 1GB NIC

Install CentOS (I used 6.4 x64) and choose "Basic Server" on install options.
Once it completes, update the distribution using yum update.

Check dependencies as mentioned on https://cwiki.apache.org/confluence/display/TS/CentOS

The following packages should be installed:
  yum install gcc gcc-c++ pkgconfig pcre-devel tcl-devel expat-devel openssl-devel

On CentOS6, you also need
  yum install perl-ExtUtils-MakeMaker

It's also recommended that the following packages are installed, but they are not required (and they come pre-installed on many systems):
  yum install libcap libcap-devel hwloc hwloc-devel

For building out of source, you also need:
  yum install autoconf automake libtool

I recommend installing all of them to cover all test scenarios.

Disable system-config-firewall
  system-config-firewall-tui
  Uncheck Enabled => OK

Disable SELinux
  # nano /etc/selinux/config
  and set SELINUX=enforcing to SELINUX=disabled

Disable Zeroconf
  # nano /etc/sysconfig/network
  and add the following:
  NOZEROCONF=true

reboot.

I. Configure Network interfaces

# yum install bridge-utils

-Make bridge interface br0
# nano /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=static
IPADDR=10.0.0.200
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
DNS1=10.0.0.1
DNS2=8.8.8.8
DNS3=8.8.4.4
Save and exit (ctrl o and then ctrl x)

-Setting interface eth0 with no IP
# nano /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=A2:AC:86:64:4C:D4   #note that this will be unique to your adapter and should already be inserted automatically
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID=cbe96c60-5467-4982-b884-b4aca07a995f   #note that this will be unique to your adapter and should already be inserted automatically
BRIDGE=br0
Save and exit (ctrl o and then ctrl x)

-Setting interface eth1 with no IP
# nano /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
HWADDR=B6:49:8A:62:AD:92   #note that this will be unique to your adapter and should already be inserted automatically
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID=320472d8-755e-4192-b520-da6bc7e8ebb1   #note that this will be unique to your adapter and should already be inserted automatically
BRIDGE=br0
Save and exit (ctrl o and then ctrl x)

-Setting IP DNS:
# nano /etc/resolv.conf
nameserver 10.0.0.1
nameserver 8.8.8.8
Save and exit (ctrl o and then ctrl x)

-Setting /etc/hosts
# nano /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.200  cache.local cache
Save and exit (ctrl o and then ctrl x)

-Restart Network
# service network restart

Plug the device inline and make sure you can browse and ping through the bridge before continuing. If you can't get traffic through it right now, ATS is not going to work!!

III. Routing Configuration

The routing features in your kernel also need to be configured to enable correct handling of the intercepted packets, both arriving and leaving your system.
-Routing Configuration if IPv4-only
# ip -f inet rule add fwmark 1 lookup 100
# ip -f inet route add local default dev lo table 100

-Routing Configuration if IPv6-only
# ip -f inet6 rule add fwmark 1 lookup 100
# ip -f inet6 route add local default dev eth0 table 100

-Put into rc.local so the above scripts run at boot - only add ipv4 or ipv6 - I haven't tested with ipv6 or both as I only have ipv4.
# nano /etc/rc.d/rc.local

IPV4
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100

IPV6
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev eth0 table 100

Save and exit (ctrl o and then ctrl x)

Note: Every OS has different security and limitations around what you can do here.
-some systems require that lo is the interface TPROXY uses.
-some systems require that an ethN is the interface TPROXY uses.
-some systems require that each receiving interface have its own unique table.
-Some OS block multiple interfaces being linked to the table. You will see a rejected route when a second ip -f inet route is added to the table.
To erase the custom route entry repeat the rule with del instead of add.
Add/Edit the following in /etc/sysctl.conf:
# nano /etc/sysctl.conf
net.ipv4.ip_forward = 1              # already present, just change to 1
net.ipv4.conf.default.rp_filter = 0  # already present, just change to 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.br0.rp_filter = 0
Save and exit (ctrl o and then ctrl x)

-Iptables routing for br0 device - enter each one on the command line and press enter after each one:
#iptables -t mangle -N DIVERT
#iptables -t mangle -A DIVERT -j MARK --set-mark 1
#iptables -t mangle -A DIVERT -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080

-Save iptables command, restart service & make service run at boot
service iptables save
service iptables restart
chkconfig iptables on

-Install ebtables
yum install ebtables

-Setup ebtables ipv4 on a Bridging device - enter each one on the command line and press enter after each one:
#ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
#ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

-Setup ebtables ipv6 on a Bridging device - enter each one on the command line and press enter after each one:
#ebtables -t broute -A BROUTING -i eth1 -p ipv6 --ip6-proto tcp --ip6-dport 80 -j redirect --redirect-target DROP
#ebtables -t broute -A BROUTING -i eth0 -p ipv6 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP

-Save ebtables commands, restart service & make service run at boot:
service ebtables save
service ebtables restart
chkconfig ebtables on

reboot.
Run the commands as shown below and you should see the outputs match your system:

[root@ats ~]# iptables-save
# Generated by iptables-save v1.4.7 on Tue May 6 10:47:25 2014
*mangle
:PREROUTING ACCEPT [36:5086]
:INPUT ACCEPT [79:10318]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:6569]
:POSTROUTING ACCEPT [44:6569]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
# Completed on Tue May 6 10:47:25 2014

[root@ats ~]# ebtables-save
# Generated by ebtables-save v1.0 on Tue May 6 10:48:05 SAST 2014
*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 -i eth1 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

[root@ats ~]# ip route show
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.150
default via 10.0.0.1 dev br0

[root@ats ~]# ip route show table 100
local default dev lo  scope host

[root@ats ~]# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

Now all the plumbing is installed, let's install ATS!

Download Apache Traffic Server:
# wget http://mirror.reverse.net/pub/apache/trafficserver/trafficserver-4.2.1.tar.bz2

5. Extract the source
# tar xf trafficserver-4.2.1.tar.bz2

6. cd to the directory
# cd trafficserver-4.2.1

7. Start the install process:
# ./configure

8. run make
# make

9. Install the package
# sudo make install

Edit the records.config file in /usr/local/etc/trafficserver and set the following options before running ATS:
# nano /usr/local/etc/trafficserver/records.config
Find the following lines and change them to the values below:
CONFIG proxy.config.http.server_ports STRING 8080:ipv4:tr-full
CONFIG proxy.config.cluster.ethernet_interface STRING br0
CONFIG proxy.config.reverse_proxy.enabled INT 0
CONFIG proxy.config.url_remap.remap_required INT 0
Save and exit.

Change the default cache size by editing the following:
# nano /usr/local/etc/trafficserver/storage.config
and change the default 256M cache to whatever size you choose.

Traffic Server is now installed and can be started/stopped with the following commands:
/usr/local/bin/trafficserver start
/usr/local/bin/trafficserver stop

Refer to the following site for further setup and tweaking:
https://cwiki.apache.org/confluence/display/TS/Installation+and+Configuration
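The howto above has several values that must agree with each other before ATS sees a single intercepted packet: the port in the TPROXY rule, the 0x1 mark that the rule sets and that the policy rule routes on, the "local default" route in table 100, and the transparent (tr-full) port in records.config. A mismatch in any one of them gives exactly the symptom in the question (traffic flows, nothing in the squid log). The script below is an added check, not part of Kieron's howto or of Apache Traffic Server; the function names are mine and the sample inputs are constructed from the verification output quoted above. It parses the text of `iptables-save`, `ip rule show`, `ip route show table 100` and records.config and reports each inconsistency.

```shell
#!/bin/sh
# Added example, not part of the howto: sanity-check that the TPROXY plumbing
# and the ATS port configuration agree with each other. Inputs are the text of
# `iptables-save`, `ip rule show`, `ip route show table 100` and records.config.
# On the proxy itself you would run:
#   check_plumbing "$(iptables-save)" "$(ip rule show)" \
#       "$(ip route show table 100)" "$(cat /usr/local/etc/trafficserver/records.config)"
# The samples at the bottom are constructed from the outputs quoted in the howto.

# Value that follows option $2 on the TPROXY rule in mangle PREROUTING ("" if absent).
tproxy_opt() {
    printf '%s\n' "$1" | awk -v opt="$2" '/^-A PREROUTING / && /-j TPROXY/ {
        for (i = 1; i < NF; i++) if ($i == opt) { print $(i + 1); exit } }'
}

# Succeeds if the "-m socket -j DIVERT" rule comes before the TPROXY rule:
# packets of a connection ATS already owns must be marked and accepted
# before TPROXY would try to intercept them again.
socket_rule_first() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / && /-m socket/ && /-j DIVERT/ { s = NR }
        /^-A PREROUTING / && /-j TPROXY/ { t = NR }
        END { exit !(s && t && s < t) }'
}

# Routing table that packets carrying fwmark 0x1 are looked up in ("" if none).
fwmark_table() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "fwmark" && $(i + 1) == "0x1")
            for (j = i; j < NF; j++) if ($j == "lookup") { print $(j + 1); exit } }'
}

# Succeeds if the table carries the "local default" route that delivers
# intercepted packets to the local TPROXY socket instead of forwarding them.
table_routes_local() {
    printf '%s\n' "$1" | grep -q '^local default dev '
}

# Prints "PORT yes|no" from proxy.config.http.server_ports: the port and
# whether the tr-full flag (transparent on both client and origin side) is set.
ats_server_port() {
    printf '%s\n' "$1" | awk '$1 == "CONFIG" && $2 == "proxy.config.http.server_ports" {
        n = split($4, f, ":"); flag = "no"
        for (i = 2; i <= n; i++) if (f[i] == "tr-full") flag = "yes"
        print f[1], flag; exit }'
}

# Prints one line per inconsistency; returns 0 only when everything agrees.
check_plumbing() {
    ipt=$1; rules=$2; table=$3; records=$4; rc=0
    port=$(tproxy_opt "$ipt" --on-port)
    mark=$(tproxy_opt "$ipt" --tproxy-mark)
    tbl=$(fwmark_table "$rules")
    set -- $(ats_server_port "$records")
    ats_port=$1; tr_full=$2
    [ -n "$port" ] || { echo "no TPROXY rule in mangle PREROUTING"; rc=1; }
    [ "$mark" = "0x1/0x1" ] || { echo "TPROXY mark is '$mark', expected 0x1/0x1"; rc=1; }
    socket_rule_first "$ipt" || { echo "'-m socket -j DIVERT' rule missing or placed after TPROXY"; rc=1; }
    [ "$tbl" = "100" ] || { echo "no 'fwmark 0x1 lookup 100' policy rule"; rc=1; }
    table_routes_local "$table" || { echo "table 100 lacks a 'local default dev ...' route"; rc=1; }
    [ -n "$port" ] && [ "$port" = "$ats_port" ] || { echo "TPROXY --on-port '$port' != ATS server port '$ats_port'"; rc=1; }
    [ "$tr_full" = "yes" ] || { echo "server_ports lacks the tr-full flag (port is not transparent)"; rc=1; }
    return $rc
}

# Constructed samples (same content as the howto's verification output).
SAMPLE_IPTABLES=$(cat <<'EOF'
*mangle
:PREROUTING ACCEPT [36:5086]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
EOF
)
SAMPLE_IP_RULE=$(cat <<'EOF'
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
EOF
)
SAMPLE_TABLE_100='local default dev lo  scope host'
SAMPLE_RECORDS='CONFIG proxy.config.http.server_ports STRING 8080:ipv4:tr-full'
# Constructed mistake: the port is open but not transparent (no tr-full).
BAD_RECORDS='CONFIG proxy.config.http.server_ports STRING 8080:ipv4'

check_plumbing "$SAMPLE_IPTABLES" "$SAMPLE_IP_RULE" "$SAMPLE_TABLE_100" "$SAMPLE_RECORDS" \
    && echo "sample plumbing: consistent"
echo "--- same plumbing with tr-full missing from server_ports:"
check_plumbing "$SAMPLE_IPTABLES" "$SAMPLE_IP_RULE" "$SAMPLE_TABLE_100" "$BAD_RECORDS" || true
```

The ordering check on the `-m socket` rule is the one most often missed: if the TPROXY rule is inserted first, packets belonging to connections ATS already accepted are re-intercepted, and the ebtables brouting rules deliver traffic to the kernel that the proxy never completes. The script only reads text, so it is safe to run on the live bridge while clients are using it.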
