Re: [squid-users] tproxy configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Feb 2013 12:10:44 +1300

On 22/02/2013 11:03 a.m., Roman Gelfand wrote:
> Please find below the network topology, squid.conf and rc.local
> configuration files. It appears that Squid is not routing the
> HTTP requests, and I am not sure what I am doing wrong here.
> Please note that the same squid.conf works as a transparent proxy (non-
> tproxy), with the exception of the tproxy keyword and service changes.
> Thanks in advance,
>
> WAN
> ||
> ||
> wccp/gre tunnel ||
> squid==============================Fortigate FW/RT Int ip 1 192.168.8.1
> 3.3 || Int ip 2 192.168.11.1
> ip: 192.168.8.21 || Ext ip XX.XX.XXX.24
> ||
> ||
> WLAN Router Int. ip
> 192.168.11.32 Ext. ip 192.168.7.1
> ||
> ||
> ||
> Client Workstation 192.168.7.110
>
>
> #!/bin/sh -e
> #
> # rc.local
> #
> # This script is executed at the end of each multiuser runlevel.
> # Make sure that the script will "exit 0" on success or any other
> # value on error.
> #
> # In order to enable or disable this script just change the execution
> # bits.
> #
> # By default this script does nothing.
> # GRE Tunnel :
> # NOTE(review): "sh -e" aborts on the first failing command, so on a re-run
> # (tunnel or chain already present) the script may stop before the tproxy
> # rules below are installed — confirm the box is only booted cleanly.
> echo "Loading modules.."
> modprobe -a nf_tproxy_core xt_TPROXY xt_socket xt_mark ip_gre
>
> # LOCALIP is the Squid box; FORTIDIRIP is the FortiGate LAN side (used for
> # the WCCP UDP rule); FORTIIPID is the remote GRE endpoint. NOTE(review):
> # FORTIIPID ends in .254 while the topology lists the FortiGate external IP
> # as .24 — confirm which address the router announces as its WCCP id.
> LOCALIP="192.168.8.21"
> FORTIDIRIP="192.168.8.1"
> FORTIIPID="XX.XX.XXX.254"
> echo "changing routing and reverse path stuff.."
> # Only loopback has rp_filter disabled here; eth0 (where spoofed-source
> # traffic leaves) and conf/all/rp_filter keep their defaults.
> echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

What about rp_filter on eth0 where the traffic is actually exiting the
Squid box?

> # Enable IPv4 forwarding box-wide (no per-interface restriction).
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo "creating tunnel..."
> # GRE tunnel to the WCCP router; wccp0 is given a loopback-range /32,
> # presumably so decapsulated packets are treated as locally delivered — verify.
> iptunnel add wccp0 mode gre remote $FORTIIPID local $LOCALIP dev eth0
> ifconfig wccp0 127.0.1.1/32 up
> echo "creating routing table for tproxy..."
> # Packets carrying fwmark 1 (set by DIVERT / --tproxy-mark below) consult
> # table 100, which declares every destination local on lo.
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100

You may need this to be dev eth0 instead of dev lo. Experiment to find
out which.

> echo "creating iptables tproxy rules..."
> # NOTE(review): no chain default policy is set in this excerpt, so these
> # ACCEPTs only have an effect if INPUT/FORWARD are set to DROP elsewhere.
> # FORWARD accepts only traffic arriving on lo.
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> iptables -A FORWARD -i lo -j ACCEPT

What about forwarding of non-localhost traffic, such as the TPROXY-spoofed
client IPs?

> # WCCP control messages (UDP 2048) are accepted only from the FortiGate LAN address.
> iptables -A INPUT -s $FORTIDIRIP -p udp -m udp --dport 2048 -j ACCEPT
> iptables -A INPUT -i wccp0 -j ACCEPT
> # NOTE(review): GRE is accepted from any source, unlike the UDP rule above;
> # limiting it to the tunnel peer (-s $FORTIIPID) narrows the exposure.
> iptables -A INPUT -p gre -j ACCEPT
> # Rebuild the mangle table. -F flushes rules but not chains, so on a re-run
> # "-N DIVERT" fails and "sh -e" stops the script at that point.
> iptables -t mangle -F
> # Traffic addressed to the box itself bypasses the intercept rules.
> iptables -t mangle -A PREROUTING -d $LOCALIP -j ACCEPT
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> # TCP packets that already match a local socket are marked via DIVERT;
> # new 80/443 flows are handed to TPROXY.
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> # --on-port must match the tproxy http_port/https_port in squid.conf
> # (3228/3229); mark 0x1 matches the "fwmark 1 lookup 100" rule above.
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3228
> iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 3229
> exit 0
>
> squid.conf
> ---------------
> #debug_options ALL,1 33,2
> #debug_options ALL,1 33,2 28,9
> # NOTE(review): the QUERY acl is defined but not referenced by any rule in
> # this excerpt — confirm it is still needed.
> hierarchy_stoplist cgi-bin
> acl QUERY urlpath_regex cgi-bin
> #cache_effective_user squid
> shutdown_lifetime 1 second
> visible_hostname server
> # Hide the Squid version string and do not add X-Forwarded-For to requests.
> httpd_suppress_version_string on
> forwarded_for off
> #1GB disk cache
> cache_dir ufs /usr/local/var/cache/squid 1024 16 256
>
> maximum_object_size 5 MB
> cache_mem 1024 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size_in_memory 512 KB
> # Strip Referer from both requests and replies.
> request_header_access Referer deny all
> reply_header_access Referer deny all
> # Accelerator (reverse-proxy) listeners on 80 and 443. NOTE(review): no
> # cache_peer appears in this excerpt, so where accelerated requests are
> # forwarded is not visible here; "always_direct allow all" later in the
> # file sends them straight to the origin.
> http_port 80 accel
> acl site1 dstdomain site1.domain.com
> acl site2 dstdomain site2.domain.com
> acl site3 dstdomain site3.domain.com
> acl site4 dstdomain site4.domain.com
> acl site5 dstdomain site5.domain.com
> acl site6 dstdomain site6.domain.com
> acl site7 dstdomain site7.domain.com
> https_port 443 cert=/etc/ssl/certs/domain_sites.crt
> key=/etc/ssl/private/domain.key accel vport
> # never_direct allow site1
> # NOTE(review): http_access is first-match, so each "deny siteN" placed
> # directly after "allow siteN" can never match — one of the two lines is
> # redundant for every site; confirm which was intended.
> always_direct allow site1
> http_access allow site1
> http_access deny site1
> always_direct allow site2
> http_access allow site2
> http_access deny site2
> always_direct allow site3
> http_access allow site3
> http_access deny site3
> always_direct allow site4
> http_access allow site4
> http_access deny site4
> always_direct allow site5
> http_access allow site5
> http_access deny site5
> always_direct allow site6
> http_access allow site6
> http_access deny site6
> always_direct allow site7
> http_access allow site7
> http_access deny site7
> #
> # Recommended minimum configuration:
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> # NOTE(review): "{WAN Network}" is a placeholder, not valid src syntax, and
> # the trailing comment is copied from the RFC1918 lines. If it is replaced
> # by the public WAN range, that whole range is treated as localnet and gets
> # full proxy access below.
> acl localnet src {WAN Network} # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly
> plugged) machines
> acl SSL_ports port 443
> acl SSL_ports port 4435
> acl SSL_ports port 8443
> acl Safe_ports port 80 # http
> acl Safe_ports port 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl pictures url_regex -i .*\.jpg$
> # NOTE(review): this allow sits before the manager, Safe_ports and CONNECT
> # denies; with first-match evaluation any request whose URL ends in .jpg,
> # from any source, bypasses those checks. Move it below "deny all"'s
> # preceding restrictions or drop it.
> http_access allow pictures
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> # And finally deny all other access to this proxy
> http_access deny all
> # Squid normally listens to port 3128
> # Intercept listeners; 3228/3229 must match the TPROXY --on-port values in
> # rc.local. 443 traffic is bumped with per-host generated certificates.
> http_port 3228 tproxy
> https_port 3229 tproxy ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt
> key=/etc/ssl/private/domain.key
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt
> key=/etc/ssl/private/domain.key
> # Everything goes direct to origin (overrides the per-site always_direct
> # lines above); every TLS connection is bumped.
> always_direct allow all
> ssl_bump server-first all
> #ssl_bump allow all
> # the following two options are unsafe and not always necessary:
> # NOTE(review): together these accept any upstream certificate (expired,
> # wrong name, untrusted CA) and re-sign it for the client, so bumped clients
> # lose all server-certificate validation. Scope sslproxy_cert_error to a
> # narrow acl and drop DONT_VERIFY_PEER once the tproxy path works.
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/local/libexec/ssl_crtd -s
> /usr/local/var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 5
> # ICAP: client IP and username are forwarded to the (loopback) services;
> # bypass=0 means a failing service blocks the request rather than being skipped,
> # and failure_limit -1 never marks a service down.
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_encode off
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service_failure_limit -1
> icap_service_revival_delay 30
> icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
> icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
> icap_service squidclamav1 reqmod_precache bypass=0
> icap://127.0.0.1:1345/squidclamav
> icap_service squidclamav2 respmod_precache bypass=0
> icap://127.0.0.1:1345/squidclamav
> # Requests pass squidclamav then qlproxy; responses likewise.
> adaptation_service_chain svcRequest squidclamav1 qlproxy1
> adaptation_service_chain svcResponse squidclamav2 qlproxy2
> adaptation_access svcRequest allow all
> adaptation_access svcResponse allow all
> # FortiGate interface of wccp
> wccp2_router 192.168.8.1
> # wccp version 2 configuration for standard service HTTP on tcp port
> 80 (service 0) with authentication password 'fortinet'
> # NOTE(review): the comment above is stale — the lines below register two
> # dynamic services (90 and 95), not standard service 0, and neither carries
> # a password; confirm whether the FortiGate expects WCCP authentication.
> wccp2_service dynamic 90
> wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443
> wccp2_service dynamic 95
> wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source
> priority=240 ports=80,443
> # tunneling method GRE for forward traffic
> wccp2_forwarding_method 1
> # tunneling method GRE for return traffic
> wccp2_return_method 1
> # Assignment method (default), only relevant if multiple caches used
> wccp2_assignment_method 1
> # wccp weight (default), only relevant if multiple caches used
> wccp2_weight 10000
> # which interface to use for WCCP (0.0.0.0 determines the interface
> from routing)
> wccp2_address 0.0.0.0
>
> # Uncomment and adjust the following to add a disk cache directory.
> # (The active cache_dir for this file is set near the top.)
> #cache_dir ufs /usr/local/var/cache/squid 100 16 256
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/var/cache/squid
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
Received on Thu Feb 21 2013 - 23:10:56 MST
