Re: [squid-users] SQUID transparent, HTTP/1.0, HTTP/1.1

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 02 Feb 2011 02:16:09 +1300

On 02/02/11 01:27, Pandu Poluan wrote:
> On Tue, Feb 1, 2011 at 18:15, Amos Jeffries wrote:
>> On 01/02/11 19:58, Pandu Poluan wrote:
>>>
>>> On Tue, Feb 1, 2011 at 13:36, Amos Jeffries wrote:
>>>>
>>>> On 01/02/11 16:29, Pandu Poluan wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I want to configure SQUID as a transparent proxy, but on a separate
>>>>> box from the Linux gateway (both boxes using Ubuntu Server 10.04)
>>>>>
>>>>> I found this howto:
>>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html
>>>>>
>>>>> Now, my questions are:
>>>>>
>>>>> 1. Is the howto (esp. sections 6.2 and 6.3) still applicable with the
>>>>> latest SQUID version?
>>>>
>>>> The whole of section 6.1 is a major security vulnerability "don't do it!"
>>>> situation. Read CVE-2009-0801 for an explanation of what malware can do to
>>>> trivially spread itself across your whole client base.
>>>>
>>>> The currently available Squid do permit it with loud failure warnings in
>>>> cache.log. We are planning on fully disabling the security hole in the near
>>>> future.
>>>>
>>>>
>>>> Section 6.2 and 6.3 are the recommended way if you have to do NAT
>>>> interception.
>>>>
>>>> The real transparent proxy (TPROXY) in the more recent Squid does not work
>>>> reliably on Ubuntu 10.04.
>>>>
>>>>
>>>
>>> I don't really understand about TPROXY. Do I really need TPROXY for
>>> Squid to do transparent/intercepting proxy?
>>
>> No, it's not required. Just useful and nicer than NAT since it operates in
>> both IPv4 and IPv6 and avoids websites with badly designed IP-based security
>> systems (aka hotmail.com and some popular download sites).
>>
>>>
>>> If I do, what Linux distro do you recommend?
>>
>> For TPROXY the best distro seems to be CentOS 5.5+ or Debian Squeeze or
>> Ubuntu 10.10, all with a 3.1.10 self-built Squid.
>>
>
> Ahhh, I see...
>
> More questions, then. But first, a description of my situation.
>
> I need to have 2 Squid boxes separate from the Linux firewall. The
> reason is that the users of the Squid boxes are different:
>
> Squid A is used by Management -- traffic must go through Internet-A
> Squid B is used by Rest Of Staff -- traffic must go through Internet-B
>
> There's a single Linux firewall connected to Internet-A and
> Internet-B; it performs SNAT and routing, currently using "ip rule"s
> to route based on source address.
>
> Now, my questions:
>
> 1. Where must I apply the TPROXY patches? The firewall, or Squid boxes?
>

No patches. Just newish versions of certain software:
   http://wiki.squid-cache.org/Features/Tproxy4

> 2. What configurations should be applied on the firewall and the Squid boxes?
>
> If you can point me to a HOWTO suitable for my situation, I'd
> appreciate it. I've been searching and it seems that most HOWTO on
> TPROXY assumes an intercepting Squid on the same box as the firewall.

That is because they are. The OSes which support TPROXY all provide their
own internal firewall. This is the only firewall involved.

Outside of a TPROXY box the packets are indistinguishable from client
packets that were merely relayed/bridged through the box. There is maybe
at most some special routing-level config to pass them out without
looping and the replies to come back through the box.

>
> Again, thanks for your kind assistance. Apologies if I trouble you in any way.
>

Welcome.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
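The "special routing-level config" Amos refers to, as an added example that is not part of the list post or of the Squid project: the policy-routing and netfilter rules a Linux TPROXY box needs so that intercepted port-80 connections are handed to a Squid listening with `http_port 3129 tproxy`, and so that upstream replies to Squid's client-spoofed connections are delivered back to that local socket instead of being forwarded onward. The port (3129), fwmark (1) and routing-table number (100) are assumed placeholders in the layout commonly used for Squid TPROXY setups; the box is assumed to already sit in the client-to-Internet path (as a router or bridge) with IPv4 forwarding enabled, which this script does not arrange.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Squid project.
# Port, mark and table numbers below are assumed placeholders; override them
# via the environment if your layout differs. Requires a TPROXY-capable kernel
# and iptables (see the Features/Tproxy4 wiki page linked in the reply).

TPROXY_PORT="${TPROXY_PORT:-3129}"   # must match "http_port 3129 tproxy" in squid.conf
TPROXY_MARK="${TPROXY_MARK:-1}"
ROUTE_TABLE="${ROUTE_TABLE:-100}"

# With DRY_RUN=1 (the default here) commands are printed for review rather
# than executed; set DRY_RUN=0 and run as root to apply them.
run_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing half: packets carrying the TPROXY mark consult a table whose only
# entry is a "local" route, so the kernel delivers them to the local listening
# socket even though their destination address is not one of the box's own.
tproxy_routing_rules() {
    run_cmd ip rule add fwmark "$TPROXY_MARK" lookup "$ROUTE_TABLE"
    run_cmd ip route add local 0.0.0.0/0 dev lo table "$ROUTE_TABLE"
}

# Firewall half: the DIVERT chain marks and accepts packets that already belong
# to a local socket (-m socket); that is how replies from origin servers, sent to
# the client's address, get back into Squid. It must precede the TPROXY rule,
# which marks new port-80 connections and steers them to Squid's tproxy port.
tproxy_firewall_rules() {
    run_cmd iptables -t mangle -N DIVERT
    run_cmd iptables -t mangle -A DIVERT -j MARK --set-mark "$TPROXY_MARK"
    run_cmd iptables -t mangle -A DIVERT -j ACCEPT
    run_cmd iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run_cmd iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "${TPROXY_MARK}/${TPROXY_MARK}" \
        --on-port "$TPROXY_PORT"
}

# Number of rules the two halves produce; a quick sanity check before applying.
tproxy_rule_count() {
    { tproxy_routing_rules; tproxy_firewall_rules; } | wc -l | tr -d ' '
}

# To apply on the TPROXY box (as root):
#   DRY_RUN=0; tproxy_routing_rules; tproxy_firewall_rules
```

Run it as-is to print the seven rules for review; the `-m socket` DIVERT rule is ordered before the TPROXY rule on purpose, since a reply packet that matches an existing local socket must not be handed to TPROXY again. The same pattern is repeated with `ip -6` and `ip6tables` for IPv6, which is the main advantage over NAT interception that the reply above mentions.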
Received on Tue Feb 01 2011 - 13:16:18 MST