Re: [squid-users] TPROXY does not redirect to squid port

From: Madhav V Diwan <mdiwan_at_diwanconsulting.com>
Date: Thu, 30 Jan 2014 08:28:31 -0500

Peter

 You do not by any chance have ebtables (bridge iptables) enabled, do
you? Maybe you have an ACL there that is in the way?

Madhav

-----Original Message-----
From: Peter Warasin <peter_at_endian.com>
To: Madhav V Diwan <mdiwan_at_diwanconsulting.com>
Subject: Re: [squid-users] TPROXY does not redirect to squid port
Date: Wed, 29 Jan 2014 10:59:21 +0100

Hi Madhav

Thank you for the answers.

Well, I can bind squid on port 18080, that's not the problem, but
packets don't arrive there.
I can also use every other port; it will not work. It works only when I
bind to port 80, just as if the socket lookup were always made with the
original port instead of the --on-port 18080 in this case.
But it is not. I see in the debug output that it finds the socket on port 18080.

The IP address is on the bridge interface, not on the physical interface, and
squid is listening on 0.0.0.0.

The next thing I will do is try with a more recent kernel, even if
3.2.54 should be sufficient. But who knows.

peter

On 01/28/2014 05:09 PM, Madhav V Diwan wrote:
> Also,
> since this is a bridge .. does the bridge hold the IP .. or the actual
> physical interface?
> And what interface do you have squid bound to ..
> In this case I would not try binding squid to 0.0.0.0 ..
> that might make squid bind to both the bridge and the eth interface ..
> which would make things interesting
>
>
>
> -----Original Message-----
> From: Madhav V Diwan <mdiwan_at_diwanconsulting.com>
> To: Peter Warasin <peter_at_endian.com>
> Cc: Amos Jeffries <squid3_at_treenet.co.nz>, squid-users_at_squid-cache.org
> Subject: Re: [squid-users] TPROXY does not redirect to squid port
> Date: Tue, 28 Jan 2014 11:04:12 -0500
>
> To clarify: your squid conf and your tproxy iptables rules work when
> you set up squid on port 80.
>
> They also work when you bind squid to port 8080 ..
>
> But you don't want to bind squid to port 80 because you want apache
> there ...
>
> Sounds like you need to find out why you can't bind to port 18080.. or at
> least what's keeping you from having squid bind there.
>
> Try netstat -tulnp as root to see what ports are bound to processes
> and the PIDs,
>
> and try lsof and grep for 18080.
>
> Worst comes to worst .. stop trying to bind to 18080 and use another
> port, like 9090.. tproxy does not care what port squid is on as long as
> it is listening on the port you specify as the destination.
>
>
>
>
> -----Original Message-----
> To: Madhav V Diwan <mdiwan_at_diwanconsulting.com>, Amos Jeffries
> <squid3_at_treenet.co.nz>
>
> Date: Tue, 28 Jan 2014 16:05:25 +0100
>
> Hi guys
>
> On 01/28/2014 02:30 PM, Madhav V Diwan wrote:
>> Have you made certain that squid in the squid configuration file
>> ( /etc/squid/squid.conf) is listening on port 80 ( the destination port
>> in your iptables rules)
>
> Port 80?
> Squid is listening on port 18080, where the tproxy rule "redirects" to:
>
> http_port 0.0.0.0:8080
> http_port 0.0.0.0:18080 tproxy
>
> Just tried to make it listen on port 80 (with no apache running there)
> and changing the tproxy rule in order to redirect to port 80. Then it
> works. But I need port 80 for apache. Also I need to redirect port 443 as
> well later, when this works.
>
>
>> and have you checked tcpwrappers , or selinux?
>
> Sure. Nothing enabled.
>
> Also, it works when I remove the tproxy rule and use normal bridge
> forwarding, and it works also when I use squid directly on port 8080.
> So the squid config should be OK and uplink, routing, forwarding,
> firewalling all should be OK.
>
> It really seems that the kernel actually finds the squid socket, assigns it
> to the packet, but the listening process does not get it, neither squid
> nor the tproxy_example tool.
>
> I was thinking maybe glibc is too old, but I guess IP_TRANSPARENT is only
> a kernel headers thing and there was no change in glibc for it, right?
>
> peter
>
>
>
>
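The port and policy-routing plumbing this thread is debugging can be checked mechanically. The following is an added example, not code from the list posts: it parses constructed samples of squid.conf, iptables-save, `ip rule` and `ip route show table` output (the chain name DIVERT, the mark 0x1 and table 100 are assumptions) and reports a TPROXY --on-port with no matching tproxy http_port, or a TPROXY mark with no fwmark rule and local route, which is what makes the kernel find the socket yet never deliver the packet to the listening process.

```python
import re

# Constructed samples modelled on the thread: squid.conf with the tproxy listener,
# the iptables mangle table, and the policy routing TPROXY needs for local delivery.
SQUID_CONF = "http_port 0.0.0.0:8080\nhttp_port 0.0.0.0:18080 tproxy\n"
IPTABLES_SAVE = """*mangle
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 18080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
ROUTE_TABLES = {"100": "local default dev lo scope host\n"}  # output of `ip route show table 100`

def squid_tproxy_ports(conf):
    """Ports of http_port lines that carry the tproxy option."""
    ports = set()
    for line in conf.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "http_port" and "tproxy" in f[2:]:
            ports.add(int(f[1].rsplit(":", 1)[-1]))
    return ports

def tproxy_rules(rules):
    """(on-port, mark) pairs from every TPROXY rule in iptables-save output."""
    out = []
    for line in rules.splitlines():
        if "-j TPROXY" in line:
            port = re.search(r"--on-port (\d+)", line)
            mark = re.search(r"--tproxy-mark (0x[0-9a-fA-F]+)", line)
            out.append((int(port.group(1)) if port else None, mark.group(1) if mark else None))
    return out

def check_tproxy(conf, rules, ip_rule, tables):
    """Return a list of findings; an empty list means the plumbing is consistent."""
    findings, squid, found = [], squid_tproxy_ports(conf), tproxy_rules(rules)
    if not found:
        findings.append("no TPROXY rule in the mangle table")
    for port, mark in found:
        if port not in squid:
            findings.append(f"TPROXY --on-port {port} has no matching 'http_port ... tproxy' in squid.conf")
        # Without a fwmark rule leading to a table with a local default route, the kernel
        # finds the socket but the packet is still forwarded/bridged instead of delivered.
        m = re.search(rf"fwmark {mark} lookup (\w+)", ip_rule) if mark else None
        if not m:
            findings.append(f"no 'ip rule' entry with fwmark {mark} for the TPROXY mark")
        elif not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", tables.get(m.group(1), ""), re.M):
            findings.append(f"routing table {m.group(1)} has no 'local default dev lo' route")
    return findings
```

On a real host, feed it the contents of squid.conf and the output of `iptables-save -t mangle`, `ip rule` and `ip route show table <N>` for each table the fwmark rules reference.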
Received on Thu Jan 30 2014 - 13:28:54 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 31 2014 - 12:00:09 MST