On 20/01/2012 6:02 a.m., Sam Beechey wrote:
> Hi All,
>
> I have been configuring a new Squid server today. The original configuration (without TProxy) worked fine: DNAT from port 80 to 3128 at the Squid server.
>
> The source server is where end-users establish a connection, the Squid server is (10.10.10.1) and the client in question is (10.10.10.100).
>
> SOURCE SERVER:
>
> iptables -t nat -N cache >/dev/null 2>&1
> iptables -t nat -F cache
> iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
> iptables -t nat -N cache_users >/dev/null 2>&1
> iptables -t nat -F cache_users
> iptables -t nat -A PREROUTING -j cache_users
> iptables -t nat -A cache_users -s 10.10.10.100 -j cache
> iptables -t nat -L cache -nvx
>
> Now I wanted to use TProxy (so that the client address is shown rather than the squid server ip) - I made the following changes:
>
> SQUID SERVER
>
> Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch
>
> ./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid --enable-linux-netfilter --enable-linux-tproxy
>
> http_port 3128
> http_port 3129 tproxy
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> AND TO THE SOURCE SERVER:
>
> FROM: iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
> TO: iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80
>
> Now the redirection is working... But all the requests are producing an error, invalid get request...
NAT and TPROXY are mutually exclusive systems.
It is unclear whether this "SOURCE SERVER" is (a) the origin server
providing the responses, or (b) a gateway server between the client and
Squid.
If (a), then the NAT happening on "S" will be erasing the IP
addresses setup by TPROXY on the packets. Destroying your idea of
getting the client IP to show up anywhere and bouncing the packets back
to a Squid forward-proxy listening port which cannot handle origin
server (reverse-proxy) formatted HTTP traffic.
If (b), then the NAT is erasing the server IP address which packet
routing relies on to determine where the packet is going once it leaves
Squid. Making the packets go straight back to a Squid forward-proxy
listening port which cannot handle origin server (reverse-proxy)
formatted HTTP traffic.
Either way results in:
client --> ... --(TPROXY)--> Squid --> Squid:3128
> ==> /var/log/squid/cache.log <==
> 2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request
>
> ==> /var/log/squid/access.log <==
> 1326987346.801 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html
These "NONE://" say that Squid received a GET request from client
10.10.10.100 and rejected it as invalid HTTP before even getting to
identify the URL fully.
> ==> /var/log/squid/store.log <==
> 1326987346.801 RELEASE -1 FFFFFFFF 45B97B27006C6BC283B7EC45B6A1A89C 400 1326987346 -1 -1 text/html 1820/1820 GET error:invalid-request
>
>
> Error displayed in browser:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to process the request:
> GET / HTTP/1.1
The URL "/" is an origin server format relative URL, not a valid forward
proxy absolute URL as required by proxies. Squid cannot handle this
arriving on port 3128.
Amos
Received on Fri Jan 20 2012 - 01:49:39 MST
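As an added illustration of why the request is rejected (example code written for this archive page, not from the thread and not Squid's own code): a small Python model of the request-line check a proxy applies depending on whether the connection arrived on a forward-proxy port (like 3128) or an intercept/TPROXY port (like 3129). The function name, the "forward"/"intercept" mode labels and the sample request with its Host header are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical model of a proxy's request-line check; not Squid's code.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

def parse_request(raw: bytes, port_mode: str):
    """Return (accepted, url, reason) for a raw HTTP request.

    port_mode is "forward" (a plain http_port such as 3128) or
    "intercept" (an http_port marked tproxy, such as 3129).
    "NONE://" stands in for a URL the proxy could not reconstruct,
    the same placeholder seen in the access.log line in the thread.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("ascii", "replace").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "NONE://", "malformed request line"
    target = m.group(2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if target.startswith("/"):
        # origin-form ("GET / HTTP/1.1"): what a client sends to the origin
        # server. Only an intercepting port can make sense of it, and only
        # by rebuilding the absolute URL from the Host header.
        if port_mode != "intercept":
            return False, "NONE://", "origin-form target on forward-proxy port"
        host = headers.get("host")
        if not host:
            return False, "NONE://", "origin-form target without Host header"
        return True, f"http://{host}{target}", "rebuilt from Host header"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # absolute-form ("GET http://host/ HTTP/1.1"): what a client that is
        # configured to use a proxy sends; valid on any port.
        return True, target, "absolute-form target"
    return False, "NONE://", "target is neither origin-form nor absolute-form"

# Constructed sample: the request line from the thread, as a browser would
# send it to the origin server (the Host header value is made up).
SAMPLE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for mode in ("forward", "intercept"):
        print(mode, parse_request(SAMPLE, mode))
```

Run stand-alone, the same request is rejected with "NONE://" in forward mode and accepted with a rebuilt absolute URL in intercept mode, which is the difference between the DNAT-to-3128 path and the TPROXY port.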