
Transparent squid ignores client-side /etc/hosts

Hello

I have a transparent squid 2.6 on a Linux box via iptables REDIRECT. All works fine, but squid actually ignores the original DST IP of the hijacked connection, uses the Host header to resolve an IP and then connects to that IP.

On the client:
$ grep google /etc/hosts
1.1.1.1 google.com www.google.com www.google.com.ua

$ LANG=C wget -Y off -O /dev/null google.com
--09:23:44--  http://google.com/
          => `/dev/null'
Resolving google.com... 1.1.1.1
Connecting to google.com|1.1.1.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--09:23:45--  http://www.google.com/
          => `/dev/null'
Resolving www.google.com... 1.1.1.1
Reusing existing connection to google.com:80.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.google.com.ua/ [following]
--09:23:45--  http://www.google.com.ua/
          => `/dev/null'
Resolving www.google.com.ua... 1.1.1.1
Reusing existing connection to google.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 3,322 --.--K/s

09:23:45 (147.99 MB/s) - `/dev/null' saved [3322]

On the squid box, in squid's access_log:

1194765865.527 423 192.168.xx.xx TCP_MISS/301 743 GET http://google.com/ - DIRECT/72.14.207.99 text/html
1194765865.613 85 192.168.xx.xx TCP_MISS/302 597 GET http://www.google.com/ - DIRECT/64.233.183.99 text/html
1194765865.758 144 192.168.xx.xx TCP_MISS/200 3796 GET http://www.google.com.ua/ - DIRECT/64.233.183.104 text/html

But I expected that squid would connect to 1.1.1.1. It seems this bug was absent in 2.5.

Here is some info about the squid box:
# uname -srm
Linux 2.6.23-grsec x86_64

# squid -v
Squid Cache: Version 2.6.STABLE16
configure options: '--prefix=/usr' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--enable-auth=basic,digest,ntlm' '--enable-removal-policies=lru,heap' '--enable-digest-auth-helpers=password' '--enable-basic-auth-helpers=SMB,multi-domain-NTLM,getpwnam,NCSA,MSNT' '--enable-external-acl-helpers=wbinfo_group,ip_user,session,unix_group' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-ident-lookups' '--enable-useragent-log' '--enable-cache-digests' '--enable-delay-pools' '--enable-referer-log' '--enable-arp-acl' '--with-pthreads' '--with-large-files' '--enable-htcp' '--enable-carp' '--enable-follow-x-forwarded-for' '--enable-snmp' '--enable-ssl' '--enable-storeio=ufs,diskd,coss,aufs,null' '--enable-async-io' '--enable-linux-netfilter' '--enable-epoll' '--libdir=/usr/lib64' '--build=x86_64-pc-linux-gnu' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CC=x86_64-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=k8 -pipe'

# iptables -V
iptables v1.3.8
# iptables -nL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

# grep 3128 /etc/squid/squid.conf|grep -v ^#|grep -v ^$
http_port 3128 transparent

Regards,
Alex
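What Alex describes, an intercepting proxy that forwards to whatever address the Host header resolves to rather than to the address the client actually connected to, is exactly what a destination-verification check guards against: the proxy recovers the original TCP destination from the redirected socket (on Linux, the SO_ORIGINAL_DST getsockopt), resolves the Host header with its own resolver, and only trusts the Host header when the two agree. Below is an added example of that check, written here for illustration and not Squid's own code. It uses a constructed resolver table so it runs offline; the google.com names and the 72.14.x/64.233.x addresses are taken from the access_log above, 1.1.1.1 is the client-side /etc/hosts override, and intranet.example and nosuch.example are made-up names. Later Squid releases added a comparable check (the host_verify_strict directive), but the logic is the same.

```python
"""Destination verification for an intercepting (transparent) proxy.

Added example, not Squid code. Models the decision an intercepting proxy
should make before forwarding: the Host header must resolve to the address
the client really connected to (the original destination of the REDIRECT'd
connection). When it does not, the proxy either refuses the request (strict)
or forwards to the original destination only, never to an address chosen by
the Host header alone.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, NamedTuple, Optional

Resolver = Callable[[str], Iterable[str]]


class Verdict(NamedTuple):
    target: Optional[str]  # address the proxy may connect to, None = refuse
    reason: str            # "match", "mismatch", "unresolvable" or "bad-host"


def hostname_from_header(host_header: str) -> Optional[str]:
    """Return the bare host from a Host header value, dropping any port.

    Handles 'example.com', 'example.com:8080' and '[2001:db8::1]:80'.
    Returns None for an empty or malformed value.
    """
    value = host_header.strip()
    if not value:
        return None
    if value.startswith("["):          # bracketed IPv6 literal, maybe with port
        end = value.find("]")
        if end < 0:
            return None
        return value[1:end].lower()
    if value.count(":") == 1:          # name or IPv4 literal followed by :port
        value = value.rsplit(":", 1)[0]
    return value.lower() or None


def verify_destination(orig_dst: str, host_header: str, resolve: Resolver,
                       pin_to_original: bool = True) -> Verdict:
    """Decide where an intercepted request may be forwarded.

    orig_dst        original TCP destination recovered from the intercepted
                    socket (Linux: getsockopt SOL_IP/SO_ORIGINAL_DST)
    host_header     the client's Host header value
    resolve         name -> IP strings, injected so the check runs offline
    pin_to_original True: a mismatching Host is still served, but only from
                    orig_dst; False (strict): it is refused
    """
    try:
        dst = ipaddress.ip_address(orig_dst)
    except ValueError:
        return Verdict(None, "bad-host")
    host = hostname_from_header(host_header)
    if host is None:
        return Verdict(None, "bad-host")
    fallback = str(dst) if pin_to_original else None

    # A Host that is itself an IP literal must equal the original destination.
    try:
        literal: Optional[ipaddress._BaseAddress] = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        return Verdict(str(dst), "match") if literal == dst else Verdict(fallback, "mismatch")

    # Otherwise the proxy's own resolver decides what the name means.
    try:
        resolved = {ipaddress.ip_address(a) for a in resolve(host)}
    except (OSError, ValueError, LookupError):
        resolved = set()
    if not resolved:
        return Verdict(fallback, "unresolvable")
    if dst in resolved:
        return Verdict(str(dst), "match")
    return Verdict(fallback, "mismatch")


def system_resolver(name: str) -> Iterable[str]:
    """Resolve with the proxy host's own resolver (used when run live)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


# Constructed resolver table standing in for the proxy host's DNS view.
CONSTRUCTED_DNS: Dict[str, Iterable[str]] = {
    "google.com": ["72.14.207.99"],          # addresses from the access_log
    "www.google.com": ["64.233.183.99"],
    "www.google.com.ua": ["64.233.183.104"],
    "intranet.example": ["1.1.1.1"],         # made-up name that agrees with the client
}


def table_resolver(name: str) -> Iterable[str]:
    return CONSTRUCTED_DNS.get(name, [])     # unknown name -> empty -> unresolvable


if __name__ == "__main__":
    # Reproduces the post's case: client connected to 1.1.1.1, Host: google.com.
    for strict in (False, True):
        v = verify_destination("1.1.1.1", "google.com", table_resolver,
                               pin_to_original=not strict)
        print(f"strict={strict}: forward to {v.target} ({v.reason})")
```

In pinned mode the request in the post would still be served, but from 1.1.1.1, the address the client chose; in strict mode it would be refused with a mismatch. Either way the proxy never opens a connection to an address that only the Host header named.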
