Hello

I've got a transparent Squid 2.6 on a Linux box via iptables REDIRECT. All works fine, but Squid actually ignores the original DST IP of the hijacked connection, resolves the Host header to an IP and then connects to that IP.

On the client:
$ grep google /etc/hosts
1.1.1.1 google.com www.google.com www.google.com.ua

$ LANG=C wget -Y off -O /dev/null google.com
--09:23:44--  http://google.com/
          => `/dev/null'
Resolving google.com... 1.1.1.1
Connecting to google.com|1.1.1.1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--09:23:45--  http://www.google.com/
          => `/dev/null'
Resolving www.google.com... 1.1.1.1
Reusing existing connection to google.com:80.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.google.com.ua/ [following]
--09:23:45--  http://www.google.com.ua/
          => `/dev/null'
Resolving www.google.com.ua... 1.1.1.1
Reusing existing connection to google.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 3,322 --.--K/s

09:23:45 (147.99 MB/s) - `/dev/null' saved [3322]

On the Squid box, in Squid's access_log:

1194765865.527 423 192.168.xx.xx TCP_MISS/301 743 GET http://google.com/ - DIRECT/72.14.207.99 text/html
1194765865.613 85 192.168.xx.xx TCP_MISS/302 597 GET http://www.google.com/ - DIRECT/64.233.183.99 text/html
1194765865.758 144 192.168.xx.xx TCP_MISS/200 3796 GET http://www.google.com.ua/ - DIRECT/64.233.183.104 text/html

But I expected that Squid would connect to 1.1.1.1. It seems this bug was absent in 2.5.

Here is some info about the Squid box:
# uname -srm
Linux 2.6.23-grsec x86_64

# squid -v
Squid Cache: Version 2.6.STABLE16
configure options: '--prefix=/usr' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--enable-auth=basic,digest,ntlm' '--enable-removal-policies=lru,heap' '--enable-digest-auth-helpers=password' '--enable-basic-auth-helpers=SMB,multi-domain-NTLM,getpwnam,NCSA,MSNT' '--enable-external-acl-helpers=wbinfo_group,ip_user,session,unix_group' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-ident-lookups' '--enable-useragent-log' '--enable-cache-digests' '--enable-delay-pools' '--enable-referer-log' '--enable-arp-acl' '--with-pthreads' '--with-large-files' '--enable-htcp' '--enable-carp' '--enable-follow-x-forwarded-for' '--enable-snmp' '--enable-ssl' '--enable-storeio=ufs,diskd,coss,aufs,null' '--enable-async-io' '--enable-linux-netfilter' '--enable-epoll' '--libdir=/usr/lib64' '--build=x86_64-pc-linux-gnu' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CC=x86_64-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=k8 -pipe'

# iptables -V
iptables v1.3.8
# iptables -nL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

# grep 3128 /etc/squid/squid.conf|grep -v ^#|grep -v ^$
http_port 3128 transparent

Regards,
Alex
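The following is an added example, not part of Alex's post and not Squid's own code. It parses the three native-format access_log lines quoted above and checks each DIRECT peer against the address the client had resolved (the /etc/hosts entries from the post, embedded here so the check runs offline), which reproduces the mismatch Alex describes. It then contrasts a model of the reported 2.6 behaviour (upstream picked from the Host header) with an assumed hardening policy: forward to the address the client actually connected to (on Linux, what the SO_ORIGINAL_DST getsockopt returns for a REDIRECTed connection) and only report whether Host agrees with it. The policy, the function names and the sample inputs are assumptions for illustration; the security point is that when the upstream is taken from Host alone, the client, not the packet, decides where an intercepting proxy connects.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample input: the three access_log entries from the post above,
# in Squid's native log format (time elapsed client code/status bytes method
# URL ident hierarchy/peer type).
ACCESS_LOG = """\
1194765865.527 423 192.168.xx.xx TCP_MISS/301 743 GET http://google.com/ - DIRECT/72.14.207.99 text/html
1194765865.613 85 192.168.xx.xx TCP_MISS/302 597 GET http://www.google.com/ - DIRECT/64.233.183.99 text/html
1194765865.758 144 192.168.xx.xx TCP_MISS/200 3796 GET http://www.google.com.ua/ - DIRECT/64.233.183.104 text/html
"""

# What the client resolved each name to (its /etc/hosts lines in the post).
# Constructed here so the comparison runs offline.
CLIENT_RESOLVED = {
    "google.com": "1.1.1.1",
    "www.google.com": "1.1.1.1",
    "www.google.com.ua": "1.1.1.1",
}

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_access_log(text):
    """Parse native-format access_log lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def upstream_mismatches(entries, client_resolved):
    """Return (hostname, client_ip, proxy_peer) for every DIRECT entry whose
    peer differs from the address the client had resolved for that hostname."""
    out = []
    for e in entries:
        if e["hier"] != "DIRECT":
            continue
        host = urlsplit(e["url"]).hostname
        expected = client_resolved.get(host)
        if expected is not None and e["peer"] != expected:
            out.append((host, expected, e["peer"]))
    return out


def squid26_upstream(orig_dst, host_resolves_to):
    """Model of the behaviour reported above: orig_dst is ignored and the
    first address the Host header resolves to is used as the upstream."""
    return sorted(host_resolves_to)[0]


def choose_upstream(orig_dst, host_resolves_to):
    """Assumed hardening policy (not Squid 2.6 behaviour): always forward to
    the address the client actually connected to and report whether the
    Host header is consistent with it, so the caller can decline to cache a
    mismatched reply. Nothing supplied by the client selects the upstream."""
    dst = str(ipaddress.ip_address(orig_dst))
    verdict = "verified" if dst in host_resolves_to else "host-mismatch"
    return dst, verdict


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    for host, want, got in upstream_mismatches(entries, CLIENT_RESOLVED):
        print(f"{host}: client connected to {want}, squid went DIRECT to {got}")
    resolved = {"72.14.207.99"}  # assumed proxy-side resolution of google.com
    print("squid 2.6 :", squid26_upstream("1.1.1.1", resolved))
    print("hardened  :", choose_upstream("1.1.1.1", resolved))
```

Running it lists all three requests as mismatches (client connected to 1.1.1.1, Squid went DIRECT to Google's addresses), which is exactly the discrepancy between the wget output and the access_log in the post. In a real interceptor the `orig_dst` argument would come from the kernel, not from anything in the request.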
