Re: [squid-users] fedora12_tproxy

From: z fazli <z.fazli124_at_gmail.com>
Date: Sun, 30 Jun 2013 12:07:13 +0430

When you type "hostname" on the command line of that server what shows up?
localhost.localdomain

I am using a virtual machine, and its network setting is in bridge
mode. squid transparent mode works with this hostname.

 1) how you are testing it... you MUST test it by being a client which
is intercepted. Send your requests to port 80, *do not* send requests
directly to the Squid listening port.

for testing, in the proxy settings of Firefox, I set http_proxy to
10.1.110.83 and port 3129

when I set the port to 80, it browses pages without error but the log file does not
change; it seems squid is not doing anything.

2. the packet routing and TPROXY rules .... ensure that only traffic
*from* the clients or *from* the Internet is being intercepted.
Packets leaving Squid in either direction MUST NOT be intercepted back
into your Squid.

I used these rules:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3129

On Sun, Jun 30, 2013 at 6:58 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> On 30/06/2013 7:54 a.m., z fazli wrote:
>>
>> my squid version is 3.3.2 and I made a mistake when I described
>>
>> about this part
>>
>> "localhost.localdomain" is in no way a unique name for your proxy.
>>
>> what is the problem? how can I solve it? I followed the steps from the squid
>> site and can not understand what is going wrong. can you help more?
>
>
> When you type "hostname" on the command line of that server what shows up?
> It should be a unique name for your server. In Linux it is configured in /etc/hostname; if you use a GUI to configure it, it may be somewhere else. That name needs to be registered in DNS and pointing at the machine's IP address(es), and the IPs in turn need to be pointing at that hostname. Squid will check these records when starting.
>
> You can avoid the DNS setup by using the visible_hostname directive in squid.conf. But note that on any Internet connected machine there is a lot of software which may require the hostname to be set up in order to work correctly.
>
>
> If the forwarding loop errors remain after you have made your squid hostname unique you will need to double-check:
>  1) how you are testing it... you MUST test it by being a client which is intercepted. Send your requests to port 80, *do not* send requests directly to the Squid listening port.
>  2) the packet routing and TPROXY rules .... ensure that only traffic *from* the clients or *from* the Internet is being intercepted. Packets leaving Squid in either direction MUST NOT be intercepted back into your Squid.
>
> Amos
>
>
>> On 6/28/13, Amos Jeffries wrote:
>>>
>>> On 29/06/2013 3:36 a.m., z fazli wrote:
>>>>
>>>> hi
>>>>
>>>> I have fedora 12 whose kernel I upgraded to 2.6.37, and iptables
>>>> 1.4.19; I installed squid 3.2.2 in tproxy mode on it using the steps from
>>>> this link
>>>>
>>>> http://wiki.squid-cache.org/Features/Tproxy4#Feature:_TPROXY_version_4.1.2B-_Support
>>>>
>>>> everything seems ok but when I run squid and insert a url in the browser I get
>>>> this message
>>>>
>>>>
>>>> ERROR
>>>> The requested URL could not be retrieved
>>>>
>>>> The following error was encountered while trying to retrieve the URL:
>>>> http://google.com/
>>>>
>>>> Access Denied.
>>>>
>>>> Access control configuration prevents your request from being allowed
>>>> at this time. Please contact your service provider if you feel this is
>>>> incorrect.
>>>>
>>>> Your cache administrator is webmaster.
>>>>
>>>> Generated Tue, 25 Jun 2013 12:34:53 GMT by localhost.localdomain
>>>> (squid/3.3.2)
>>>
>>> You say you installed 3.2.2 but some Squid-3.3.2 is responding to you.
>>> Are you sure this is a message from your Squid?
>>>
>>>> and in the terminal this message:
>>>>
>>>> 2013/06/26 14:55:35| WARNING: Forwarding loop detected for:
>>>> POST
>>>> /safebrowsing/downloads?client=navclient-auto-ffox&appver=3.5.4&pver=2.2&wrkey=AKEgNivruGNaM449DFDdRiYv81wyGtp5gMSMU4fMMS_g2YKGXmFhYZxbsymSyj14q22Xr7_cCx0nRwFKaCNyKKvMEev0WhcpRg==
>>>> HTTP/1.1
>>>> Host: safebrowsing.clients.google.com
>>>> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4)
>>>> Gecko/20091027 Fedora/3.5.4-1.fc12 Firefox/3.5.4
>>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> Accept-Language: en-us,en;q=0.5
>>>> Accept-Encoding: gzip,deflate
>>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>>> Content-Length: 110
>>>> Content-Type: text/plain
>>>> Cookie:
>>>> PREF=ID=1b085458083db40f:U=8d54b4985abb086f:FF=0:TM=1371881983:LM=1371882262:S=gjQlM4Sqrueu3KHq;
>>>> NID=67=YXYmGeg68fPjuU2-QOne46eStjqotGcE0AZTiWmbRXT2klqJYDLayVduleh1HnEFN-CyfZSTsgJABBKwm3dAP3Cvxi8_yZRnIE5zQSYScyHMc03Tz-37Mu8vur3WU4yH
>>>> Via: 1.1 localhost.localdomain (squid/3.3.2)
>>>> X-Forwarded-For: 10.1.110.83
>>>> Cache-Control: max-age=0
>>>> Connection: keep-alive
>>>
>>> <snip>
>>>>
>>>> also this in my squid access log
>>>>
>>>> 1372164328.471 0 10.1.110.83 TCP_MISS/403 4642 POST
>>>> http://safebrowsing.clients.google.com/safebrowsing/downloads? -
>>>> HIER_NONE/- text/html
>>>> 1372164328.471 3 10.1.110.83 TCP_MISS/403 4725 POST
>>>> http://safebrowsing.clients.google.com/safebrowsing/downloads? -
>>>> HIER_DIRECT/10.1.110.83 text/html
>>>
>>> <snip>
>>>>
>>>> what is the problem?
>>>
>>> The DNS records for "safebrowsing.clients.google.com" (aka DIRECT) tell
>>> Squid that safebrowsing.clients.google.com is located at 10.1.110.83 ...
>>>
>>> ... take a guess.
>>>
>>> Secondly. The whole purpose of having a hostname assigned to each
>>> machine is to allow automated systems like forwarding loop detection to
>>> determine the difference between any two hosts on the *entire* Internet.
>>> Combining the host name with the site domain name produces a FQDN which
>>> is unique. "localhost.localdomain" is in no way a unique name for your
>>> proxy.
>>>
>>> Amos
>>>
>
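The access.log lines and the Via header quoted in this thread are exactly the evidence a forwarding loop leaves behind: a HIER_DIRECT hop to the proxy's own address, and a Via hop already carrying the proxy's own name. The following is an added example, not code from the thread or from the Squid project, that scans native-format access.log lines for a proxy forwarding to itself; the own-address set, the third (healthy) log line and the helper names are constructed for the illustration.

```python
import re

# Squid native access.log fields:
# time elapsed client action/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# The two access.log lines quoted in the thread (HIER_DIRECT/10.1.110.83 is the
# proxy connecting to itself), plus one constructed healthy line (RFC 5737 address).
SAMPLE_LINES = [
    "1372164328.471 0 10.1.110.83 TCP_MISS/403 4642 POST "
    "http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html",
    "1372164328.471 3 10.1.110.83 TCP_MISS/403 4725 POST "
    "http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_DIRECT/10.1.110.83 text/html",
    "1372164400.000 120 10.1.110.50 TCP_MISS/200 5120 GET "
    "http://example.com/ - HIER_DIRECT/203.0.113.10 text/html",
]

def parse_access_line(line):
    """Return the fields of one native-format access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def self_forwarded(entry, own_addrs):
    """True when Squid went DIRECT to one of its own addresses, i.e. its outbound
    request was intercepted back into the same proxy (the user's symptom above)."""
    return entry["hier"] == "HIER_DIRECT" and entry["peer"] in own_addrs

def via_names_self(via_header, own_hostname):
    """True when a Via hop already carries this proxy's name, which is the evidence
    Squid's own 'Forwarding loop detected' warning relies on. With a non-unique
    name such as localhost.localdomain this check also fires for *other* proxies."""
    for hop in via_header.split(","):
        parts = hop.split()
        if len(parts) >= 2 and parts[1] == own_hostname:
            return True
    return False

def find_loops(lines, own_addrs):
    """Return the parsed entries in which the proxy forwarded to itself."""
    flagged = []
    for line in lines:
        entry = parse_access_line(line)
        if entry and self_forwarded(entry, own_addrs):
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for e in find_loops(SAMPLE_LINES, {"10.1.110.83"}):
        print("loop:", e["client"], e["method"], e["url"], "->", e["peer"])
    print(via_names_self("1.1 localhost.localdomain (squid/3.3.2)", "localhost.localdomain"))
```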
Received on Sun Jun 30 2013 - 07:37:20 MDT