What packages are needed in order to run squid in forward proxy, intercept proxy and TPROXY?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Fri, 27 Dec 2013 23:21:34 +0200

I do see in the configure output:
configure: Using epoll for the IO loop.
checking if setresuid is actually implemented... yes
checking for constant CMSG_SPACE... yes
checking if strnstr is well implemented... no
checking if va_copy is implemented... yes
checking if __va_copy is implemented... yes
configure: IPF-based transparent proxying enabled: no
configure: Support for Netfilter-based interception proxy requested: yes
configure: WARNING: Missing needed capabilities (libcap 2.09+) for TPROXY
configure: WARNING: Linux Transparent Proxy (version 4+) support WILL
NOT be enabled
configure: WARNING: Reduced support to NAT Interception Proxy
configure: Linux Netfilter Conntrack support enabled: no
configure: ZPH QOS enabled: yes
configure: QOS netfilter mark preservation enabled: no

But there is no basic representation that I can see now about Netfilter
intercept support or IPv6-level support at some levels.
While using "./configure --enable-linux-netfilter" (3.4.1)
I get this output from it:
checking for linux/netfilter_ipv4.h... yes
checking for linux/netfilter_ipv6/ip6_tables.h... no
checking for net/if.h... yes
checking for netinet/if_ether.h... yes
checking for netinet/icmp6.h... yes
checking for netinet/in.h... (cached) yes
checking for netinet/ip.h... yes
checking for netinet/ip6.h... yes
checking for netinet/ip_compat.h... no
checking for netinet/ip_fil_compat.h... (cached) no
checking for netinet/ip_fil.h... no
checking for netinet/ip_icmp.h... yes
checking for netinet/ipl.h... no
checking for netinet/ip_nat.h... no
checking for net/pf/pfvar.h... no
checking for net/pfvar.h... no
checking for sys/mount.h... yes
checking for resolv.h... yes
checking for an ANSI C-conforming const... yes

The whole configure output is at:
http://www1.ngtech.co.il/squid/build6.log

I do not see any direct relationship yet between basic Netfilter
features/support and NAT interception on the one hand and Linux Netfilter
Conntrack on the other.
If there is some connection between them I would be very happy to make
sure I understand exactly what it is.

Basic squid would be a forward proxy for simple and small networks.
If the proxy is meant to do interception, it should better be
compiled manually and tested before real implementation.

The build-node information at:
http://wiki.squid-cache.org/BuildFarm/CentosInstall

only supports a basic build of the proxy software for enterprises with
these packages:
yum install libxml2 expat-devel openssl-devel libcap ccache
libtool-ltdl-devel cppunit cppunit-devel bzr autoconf automake libtool
clang gcc-c++ perl-Pod-MinimumVersion bzip2 ed make openldap-devel
pam-devel db4-devel libxml2-devel libcap-devel

The wiki also contains:
http://wiki.squid-cache.org/KnowledgeBase/CentOS

which declares that the needed packages are:
yum install -y perl gcc autoconf automake make sudo wget
# and some extra packages
yum install libxml2-devel libcap-devel
# to bootstrap and build from bzr needs also the packages
yum install libtool-ltdl-devel

For now, on 6.5 there is also a need for the package:
gcc-c++

The package is needed in order to allow basic compilation and allows a
basic forward proxy to just "run".
Helpers and other software that is "bundled" with the sources might not
be compiled if the related packages are not installed.

The "libcap-devel" package is needed in order to compile squid with
TPROXY support.
The basic assumption is that squid compiles fine and supports TPROXY
unless declared otherwise.

I have seen the need to support old hardware/software at the i686 level,
since there are many users around the world that do have these machines
in hand.

For those networks that do need caching software, it is most likely
that they have i686-level hardware or virtualization.

Since it is very simple to test these days, I will try a bit more to
build these RPMs.
I will need to turn on a new machine only for these builds, manual tests
and operations.

If there is an option to get a list of the packages and a build node for
CentOS 5.X and 6.X on i686 hardware, I will be happy to run a couple of
tests with 3.4.1 and make sure whether there is an issue with it at/for
compilation.

One of the major test results for now is that "dns_v4_first on" should
be a default on an IPv4-only enabled host, while not disabling it at any
other level such as the OS and compilation/configure flags.
A simple administrative FLAG that indicates the system is in an IPv4-only
runtime state can really help when implementing networks which for any
reason would be in this state.
The above flag can help a lot but can also be a bit confusing.

Since CentOS 6.5 and many others such as Ubuntu, SUSE, Debian and Fedora,
which are the mainstream distributions I know about, do support TPROXY
and Netfilter with the basic server installation but do not have the
development packages, it is recommended to install them only if needed.

If someone knows about more than that, I will be more than just
interested in it.

The current build machine for 6.5 info:
http://www1.ngtech.co.il/squid/build6_node.txt

Eliezer
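The message's point is that configure does not fail when libcap-devel is missing: it prints the "Missing needed capabilities (libcap 2.09+) for TPROXY" warning and quietly builds NAT-interception-only support. The following script is an added example (not from the message or the Squid project) that scans a configure log for exactly that warning so a build node can refuse to ship a TPROXY-less build; the log snippets are constructed from the lines quoted above, and the warning-free "TPROXY_LOG" is an assumed shape of the output once libcap-devel is installed.

```shell
#!/bin/sh
# Constructed sample: the configure lines quoted in the message for a host
# without libcap-devel (TPROXY requested, silently reduced to NAT).
NAT_ONLY_LOG='configure: Support for Netfilter-based interception proxy requested: yes
configure: WARNING: Missing needed capabilities (libcap 2.09+) for TPROXY
configure: WARNING: Linux Transparent Proxy (version 4+) support WILL NOT be enabled
configure: WARNING: Reduced support to NAT Interception Proxy'

# Constructed sample (assumption): same request on a host where libcap-devel
# is present, so no capability warning is printed.
TPROXY_LOG='configure: Support for Netfilter-based interception proxy requested: yes
configure: Linux Netfilter Conntrack support enabled: no'

# interception_mode LOGTEXT -> prints "tproxy", "nat-only" or "none".
# Uses fixed-string grep because the warning contains "(" and "+".
interception_mode() {
  if ! printf '%s\n' "$1" | grep -qF 'interception proxy requested: yes'; then
    echo none
  elif printf '%s\n' "$1" | grep -qF 'Missing needed capabilities (libcap 2.09+)'; then
    echo nat-only
  else
    echo tproxy
  fi
}

# packages_to_install LOGTEXT -> CentOS packages implied by the warnings,
# using the mapping the message gives (libcap warning -> libcap-devel).
packages_to_install() {
  printf '%s\n' "$1" | grep -qF 'libcap 2.09+' && echo libcap-devel
  return 0
}

# check_log LOGFILE -> returns 1 when TPROXY was requested but configure
# fell back to NAT interception, so a build script can abort early.
check_log() {
  log=$(cat "$1")
  mode=$(interception_mode "$log")
  echo "interception mode: $mode"
  if [ "$mode" = nat-only ]; then
    echo "TPROXY requested but not enabled; install: $(packages_to_install "$log")" >&2
    return 1
  fi
  return 0
}

# usage: ./configure --enable-linux-netfilter 2>&1 | tee build.log; check_log build.log
```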
Received on Fri Dec 27 2013 - 21:22:05 MST